agentobs 1.0.0__tar.gz

agentobs-1.0.0/.gitattributes

@@ -0,0 +1,2 @@
+# Auto detect text files and perform LF normalization
+* text=auto

agentobs-1.0.0/.github/workflows/ci.yml

@@ -0,0 +1,147 @@
+name: CI
+
+on:
+  push:
+    branches: ["main", "develop"]
+  pull_request:
+    branches: ["main", "develop"]
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  PYTHONUNBUFFERED: "1"
+  FORCE_COLOR: "1"
+  PIP_DISABLE_PIP_VERSION_CHECK: "1"
+
+jobs:
+  # ──────────────────────────────────────────────────────────────────────────
+  # Lint & type-check (fast gate — runs on one Python version only)
+  # ──────────────────────────────────────────────────────────────────────────
+  lint:
+    name: Lint & type-check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python 3.12
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+          cache: pip
+
+      - name: Install dev dependencies
+        run: pip install -e ".[dev]"
+
+      - name: Run ruff (lint)
+        run: ruff check --output-format=github .
+
+      - name: Run ruff (format check)
+        run: ruff format --check .
+
+      - name: Run mypy (strict)
+        run: mypy llm_toolkit_schema tests
+
+  # ──────────────────────────────────────────────────────────────────────────
+  # Test matrix (3.9 → 3.12)
+  # ──────────────────────────────────────────────────────────────────────────
+  test:
+    name: "Python ${{ matrix.python-version }} / ${{ matrix.os }}"
+    needs: lint
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, windows-latest]
+        python-version: ["3.9", "3.10", "3.11", "3.12"]
+        exclude:
+          # Reduce Windows CI load — only test oldest and newest
+          - os: windows-latest
+            python-version: "3.10"
+          - os: windows-latest
+            python-version: "3.11"
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: pip
+
+      - name: Install package + dev extras
+        run: pip install -e ".[dev]"
+
+      - name: Run unit & integration tests with coverage
+        run: >
+          pytest
+          --tb=short
+          --strict-markers
+          -v
+          --cov=llm_toolkit_schema
+          --cov-report=term-missing
+          --cov-report=xml:coverage.xml
+          --cov-fail-under=100
+          -m "not perf"
+
+      - name: Upload coverage to Codecov
+        if: matrix.python-version == '3.12' && matrix.os == 'ubuntu-latest'
+        uses: codecov/codecov-action@v4
+        with:
+          files: coverage.xml
+          fail_ci_if_error: false
+
+  # ──────────────────────────────────────────────────────────────────────────
+  # Performance benchmarks (single run on Python 3.12 / ubuntu)
+  # ──────────────────────────────────────────────────────────────────────────
+  perf:
+    name: Performance benchmarks
+    needs: test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python 3.12
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+          cache: pip
+
+      - name: Install package + dev extras
+        run: pip install -e ".[dev]"
+
+      - name: Run performance tests
+        run: >
+          pytest
+          -m "perf"
+          --tb=short
+          -v
+
+  # ──────────────────────────────────────────────────────────────────────────
+  # Security scan via pip-audit
+  # ──────────────────────────────────────────────────────────────────────────
+  security:
+    name: pip-audit
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python 3.12
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+          cache: pip
+
+      - name: Install pip-audit
+        run: pip install pip-audit
+
+      - name: Audit dependencies
+        run: pip-audit --require-hashes -r <(pip install -e ".[dev]" --dry-run --report json | python -c "
+import json, sys
+data = json.load(sys.stdin)
+for item in data.get('install', []):
+    print(item['metadata']['name'] + '==' + item['metadata']['version'])
+" || echo "skipped") 2>/dev/null || pip-audit

agentobs-1.0.0/.gitignore

@@ -0,0 +1,181 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# UV
+#   Similar to Pipfile.lock, it is generally recommended to include uv.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#uv.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+#poetry.lock
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#pdm.lock
+#   pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
+#   in version control.
+#   https://pdm.fming.dev/latest/usage/project/#working-with-version-control
+.pdm.toml
+.pdm-python
+.pdm-build/
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#  and can be added to the global gitignore or merged into this file.  For a more nuclear
+#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
+#.idea/
+
+# Ruff stuff:
+.ruff_cache/
+
+# PyPI configuration file
+.pypirc
+
+# Cursor  
+#  Cursor is an AI-powered code editor.`.cursorignore` specifies files/directories to 
+#  exclude from AI features like autocomplete and code analysis. Recommended for sensitive data
+#  refer to https://docs.cursor.com/context/ignore-files
+.cursorignore
+.cursorindexingignore

agentobs-1.0.0/.pre-commit-config.yaml

@@ -0,0 +1,62 @@
+repos:
+  # ── Core file hygiene ─────────────────────────────────────────────────────
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.6.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-toml
+      - id: check-json
+      - id: check-added-large-files
+        args: [--maxkb=500]
+      - id: check-merge-conflict
+      - id: debug-statements
+      - id: detect-private-key
+      - id: mixed-line-ending
+        args: [--fix=lf]
+      - id: no-commit-to-branch
+        args: [--branch, main]
+
+  # ── Ruff (lint + format) ──────────────────────────────────────────────────
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.4.10
+    hooks:
+      - id: ruff
+        args: [--fix, --exit-non-zero-on-fix]
+      - id: ruff-format
+
+  # ── mypy ─────────────────────────────────────────────────────────────────
+  - repo: https://github.com/pre-commit/mirrors-mypy
+    rev: v1.10.1
+    hooks:
+      - id: mypy
+        additional_dependencies:
+          - pytest>=8.0
+        args: [--strict]
+        pass_filenames: false
+        entry: mypy llm_toolkit_schema tests
+
+  # ── Validate pyproject.toml structure ─────────────────────────────────────
+  - repo: https://github.com/abravalheri/validate-pyproject
+    rev: v0.18
+    hooks:
+      - id: validate-pyproject
+
+  # ── Commit message linting (Conventional Commits) ─────────────────────────
+  - repo: https://github.com/compilerla/conventional-pre-commit
+    rev: v3.2.0
+    hooks:
+      - id: conventional-pre-commit
+        stages: [commit-msg]
+        args: [feat, fix, docs, style, refactor, perf, test, chore, ci, build, revert]
+
+default_install_hook_types:
+  - pre-commit
+  - commit-msg
+
+ci:
+  autofix_prs: true
+  autoupdate_schedule: monthly
+  skip:
+    - mypy  # mypy requires the package installed; only run in CI matrix

agentobs-1.0.0/.readthedocs.yaml

@@ -0,0 +1,18 @@
+# Read the Docs configuration file — https://docs.readthedocs.io/en/stable/config-file/v2.html
+version: 2
+
+build:
+  os: ubuntu-24.04
+  tools:
+    python: "3.13"
+
+sphinx:
+  configuration: docs/conf.py
+  fail_on_warning: false
+
+python:
+  install:
+    - method: pip
+      path: .
+      extra_requirements:
+        - docs

agentobs-1.0.0/CNAME

@@ -0,0 +1 @@
+llmtoolkitschema.getspanforege.com

agentobs-1.0.0/CODE_AUDIT_REPORT_2026-03-01.md

@@ -0,0 +1,251 @@
+# Code Audit Report
+
+Date: 2026-03-01  
+Repository: `llm-toolkit-schema`  
+Scope: Coding standards, performance, security, hallucination controls, and observability
+
+## Executive Summary
+
+- The codebase is generally high quality with strong typing, clear module boundaries, and extensive tests.
+- Functional tests pass (`1214 passed`), but CI currently fails due to strict coverage gate (`97.71%` vs required `100%`).
+- Highest-impact issues are: mutable event payload despite immutability claims, validation/signature format drift, partially implemented governance behavior, and exporter hardening/performance gaps.
+
+## Verification Performed
+
+- Static inspection of core modules:
+  - `llm_toolkit_schema/event.py`
+  - `llm_toolkit_schema/validate.py`
+  - `llm_toolkit_schema/signing.py`
+  - `llm_toolkit_schema/governance.py`
+  - `llm_toolkit_schema/stream.py`
+  - `llm_toolkit_schema/export/*.py`
+  - `llm_toolkit_schema/namespaces/*.py`
+  - `llm_toolkit_schema/_cli.py`
+- Grep-based scans for broad exception handling and risky patterns.
+- Test run: `python -m pytest -q` in project venv.
+
+## Findings by Category
+
+### 1) Coding Standards & Correctness
+
+#### 1.1 Event immutability contract is violated (High)
+
+**Observation**
+- The documentation promises immutability after creation, but `Event.payload` returns the internal mutable dict directly.
+
+**Risk**
+- Consumers can mutate payloads post-validation/signing, leading to data integrity bugs and confusing behavior.
+
+**Evidence**
+- `llm_toolkit_schema/event.py` (`payload` property returns `_payload` directly).
+
+**Recommended Fix**
+- Return a defensive copy or read-only mapping (`MappingProxyType`) in `payload` property.
+- Optionally deep-freeze nested structures at construction if strict immutability is required.
+- Add tests that verify mutation attempts do not alter internal event state.
+
+#### 1.2 Governance `strict_unknown` field is unused (Medium)
+
+**Observation**
+- `strict_unknown` exists in `EventGovernancePolicy`, but no logic uses it in `check_event`.
+
+**Risk**
+- Misleading API: users assume strict unknown handling exists when it does not.
+
+**Evidence**
+- `llm_toolkit_schema/governance.py` (field present, no behavior branch).
+
+**Recommended Fix**
+- Implement strict behavior: block/warn unknown event types when `strict_unknown=True`.
+- Or remove the field/docs until behavior is fully implemented.
+
+#### 1.3 Broad exception handling in user-facing ingestion paths (Medium)
+
+**Observation**
+- Broad `except Exception` blocks are used in CLI and stream parsing paths.
+
+**Risk**
+- Can mask root causes and leak low-level/internal exception text into user output.
+
+**Evidence**
+- `llm_toolkit_schema/_cli.py`
+- `llm_toolkit_schema/stream.py`
+
+**Recommended Fix**
+- Catch typed exceptions (`JSONDecodeError`, `DeserializationError`, etc.).
+- Preserve structured diagnostics internally while providing sanitized user messages.
+
+### 2) Security
+
+#### 2.1 Validation/signature format mismatch (High)
+
+**Observation**
+- Signing code emits prefixed values:
+  - checksum: `sha256:<hex>`
+  - signature: `hmac-sha256:<hex>`
+- Stdlib fallback validator currently validates both fields as bare 64-hex.
+
+**Risk**
+- Signed valid events may fail schema validation in fallback path.
+- Security/validation logic drift can cause reject/accept inconsistencies.
+
+**Evidence**
+- `llm_toolkit_schema/signing.py`
+- `llm_toolkit_schema/validate.py`
+
+**Recommended Fix**
+- Use dedicated patterns:
+  - checksum: `^sha256:[0-9a-f]{64}$`
+  - signature: `^hmac-sha256:[0-9a-f]{64}$`
+- Align with published JSON schema and model validators.
+
+#### 2.2 Exporter endpoint hardening gaps (Medium)
+
+**Observation**
+- Webhook/OTLP/Grafana URLs and Datadog site are accepted with minimal validation.
+
+**Risk**
+- SSRF-like misconfiguration, accidental local-network targeting, or malformed host injection in operational setups.
+
+**Evidence**
+- `llm_toolkit_schema/export/webhook.py`
+- `llm_toolkit_schema/export/otlp.py`
+- `llm_toolkit_schema/export/grafana.py`
+- `llm_toolkit_schema/export/datadog.py`
+
+**Recommended Fix**
+- Parse and validate URLs at construction:
+  - Enforce allowed schemes (`https` by default; configurable `http` for local dev).
+  - Optional denylist for localhost/private CIDRs unless explicitly enabled.
+  - Strict hostname validation for `dd_site`.
+
+#### 2.3 Datadog fallback IDs are not deterministic across runs (Medium)
+
+**Observation**
+- Uses `hash()` fallback for trace/span IDs.
+
+**Risk**
+- Python hash randomization yields unstable IDs across processes; trace correlation can break.
+
+**Evidence**
+- `llm_toolkit_schema/export/datadog.py`
+
+**Recommended Fix**
+- Replace fallback with stable derivation (e.g., SHA-256 truncation).
+
+### 3) Performance & Scalability
+
+#### 3.1 OTLP `batch_size` is configured but not enforced (Medium)
+
+**Observation**
+- `batch_size` is stored and documented, but `export_batch` does not chunk by it.
+
+**Risk**
+- Large batches may cause oversized payloads, memory spikes, and network backpressure issues.
+
+**Evidence**
+- `llm_toolkit_schema/export/otlp.py`
+
+**Recommended Fix**
+- Implement chunking in `export_batch` using `self._batch_size` and send per chunk.
+
+#### 3.2 In-memory accumulation for ingestion constructors (Medium)
+
+**Observation**
+- `from_file`, `from_queue`, `from_async_queue`, `from_async_iter`, and `from_kafka` collect all events into lists.
+
+**Risk**
+- High memory use for long streams or large files.
+
+**Evidence**
+- `llm_toolkit_schema/stream.py`
+
+**Recommended Fix**
+- Provide iterator/async-iterator streaming alternatives and bounded/limit options.
+
+#### 3.3 Datadog exporter uses current wall clock instead of event timestamp (Low-Medium)
+
+**Observation**
+- Span start time/metric timestamps are based on `time.time()` rather than event timestamp.
+
+**Risk**
+- Distorted observability timelines and inaccurate replay analysis.
+
+**Evidence**
+- `llm_toolkit_schema/export/datadog.py`
+
+**Recommended Fix**
+- Parse and use `event.timestamp` for temporal fidelity.
+
+### 4) Hallucination & Agentic Safety Controls
+
+#### 4.1 Guard/fence modules are schema-only, not enforcement (Medium)
+
+**Observation**
+- Namespaces provide payload data classes for guard/fence events, but no runtime policy engine exists here.
+
+**Risk**
+- Teams may assume these modules enforce anti-hallucination behavior by default.
+
+**Evidence**
+- `llm_toolkit_schema/namespaces/guard.py`
+- `llm_toolkit_schema/namespaces/fence.py`
+- `llm_toolkit_schema/namespaces/template.py`
+
+**Recommended Fix**
+- Add explicit runtime policy hooks (or a companion enforcement module):
+  - pre-generation input guard checks
+  - post-generation output validation and retry policy
+  - citation/grounding validation hooks
+  - configurable fail-open/fail-closed behavior
+
+## Observability Posture
+
+### Strengths
+
+- Strong event envelope model with trace/org/team/session metadata.
+- Dedicated exporters for OTLP, Datadog, Grafana, webhook, and JSONL.
+- Signing/audit-chain support for tamper evidence.
+- Comprehensive tests and high effective coverage.
+
+### Gaps
+
+- Timestamp normalization inconsistency across exporters.
+- Some documented behavior not fully implemented (`strict_unknown`, `batch_size`).
+- Hardening guards for egress endpoints should be stronger for production use.
+
+## Prioritized Remediation Plan
+
+### P0 (Immediate)
+
+1. Fix validator/signature format alignment in `validate.py`.
+2. Enforce event payload immutability contract in `event.py`.
+
+### P1 (Next)
+
+3. Implement `strict_unknown` governance behavior (or remove option).
+4. Enforce OTLP exporter chunking by configured `batch_size`.
+5. Replace Datadog `hash()` fallback IDs with deterministic cryptographic derivation.
+
+### P2 (Hardening)
+
+6. Add URL/site validation and safe egress options in exporters.
+7. Add streaming ingestion APIs to avoid full-memory accumulation.
+8. Introduce explicit runtime guardrail/fence enforcement hooks and docs.
+
+## Suggested Acceptance Criteria for Fixes
+
+- New unit tests for each fix path and regression scenario.
+- No behavioral drift in existing passing tests.
+- Compatibility docs updated where behavior changes are user-visible.
+- Security-sensitive changes reviewed with threat-model checklist.
+
+## Test Status (at time of audit)
+
+- Command: `python -m pytest -q`
+- Result: Functional tests passed (`1214 passed`), process exited non-zero due to coverage gate.
+- Coverage gate failure: total coverage below required threshold (`97.71%` vs `100%`).
+
+---
+
+If needed, I can generate a follow-up implementation patch set that addresses P0 + P1 items with tests.