agentsecure 0.1.0__py3-none-any.whl

agentsecure/__init__.py

@@ -0,0 +1,4 @@
+"""AgentSecure local-first security runtime."""
+
+__version__ = "0.1.0"
+

agentsecure/__main__.py

@@ -0,0 +1,5 @@
+from agentsecure.cli.main import main
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())

agentsecure/api/__init__.py

@@ -0,0 +1 @@
+"""Community stub package for private/local API integrations."""

agentsecure/api/server.py

@@ -0,0 +1,8 @@
+class LocalApiServer:
+    def __init__(self, host, port, services):
+        self.host = host
+        self.port = port
+        self.services = services
+
+    def serve_forever(self):
+        raise RuntimeError("local API server is not included in AgentSecure Community")

agentsecure/api/services.py

@@ -0,0 +1,3 @@
+class ApiServices:
+    def __init__(self, *args, **kwargs):
+        raise RuntimeError("local API services are not included in AgentSecure Community")

agentsecure/cli/__init__.py

@@ -0,0 +1,2 @@
+"""AgentSecure CLI."""
+

agentsecure/cli/common.py

@@ -0,0 +1,116 @@
+import json
+import os
+import sys
+from typing import List
+
+from agentsecure.core.config import JsonConfigWriter
+from agentsecure.core.key_service import KeyManagementError
+from agentsecure.core.product import ProductService
+from agentsecure.discovery.dotenv_scanner import DotenvSecretScanner
+from agentsecure.discovery.env_scanner import EnvironmentSecretScanner
+from agentsecure.discovery.patterns import mask_secret
+from agentsecure.discovery.scanner import CompositeSecretScanner
+
+
+def scanner() -> CompositeSecretScanner:
+    return CompositeSecretScanner(
+        [
+            EnvironmentSecretScanner(),
+            DotenvSecretScanner(os.getcwd()),
+        ]
+    )
+
+
+def load_config_data(config_path: str):
+    if not os.path.exists(config_path):
+        ProductService(config_path, scanner()).init_project()
+    with open(config_path, "r") as handle:
+        return json.load(handle)
+
+
+def normalize_policy_path(path: str) -> str:
+    return os.path.normpath(path).lstrip(os.sep)
+
+
+def normalize_domain(domain: str) -> str:
+    return domain.strip().lower().rstrip(".")
+
+
+def print_discovered(discovered) -> None:
+    if not discovered:
+        print("No likely secrets found.", flush=True)
+        return
+    print("AgentSecure found possible secrets:", flush=True)
+    for index, secret in enumerate(discovered, 1):
+        print(
+            "[%s] %s from %s provider=%s value=%s"
+            % (index, secret.name, secret.source, secret.provider_hint, mask_secret(secret.value)),
+            flush=True,
+        )
+
+
+def selected_indexes(value: str, count: int) -> List[int]:
+    if value == "all":
+        return list(range(count))
+    indexes = []
+    for part in value.split(","):
+        part = part.strip()
+        if not part:
+            continue
+        number = int(part)
+        if number < 1 or number > count:
+            raise KeyManagementError("selection out of range: %s" % number)
+        indexes.append(number - 1)
+    return indexes
+
+
+def update_protected_files(config_path: str, paths: List[str], add: bool) -> int:
+    config = load_config_data(config_path)
+    files = config.setdefault("files", {})
+    protected = list(files.get("protect_write", []))
+    if add:
+        for path in paths:
+            normalized = normalize_policy_path(path)
+            if normalized not in protected:
+                protected.append(normalized)
+    else:
+        remove = set(normalize_policy_path(path) for path in paths)
+        protected = [path for path in protected if path not in remove]
+    files["protect_write"] = protected
+    JsonConfigWriter().save(config_path, config)
+    print("Protected write paths:")
+    for path in protected:
+        print("  %s" % path)
+    return 0
+
+
+def update_allowed_domains(config_path: str, domains: List[str], add: bool) -> int:
+    config = load_config_data(config_path)
+    network = config.setdefault("network", {})
+    allowed = list(network.get("allow_domains", []))
+    if add:
+        for domain in domains:
+            normalized = normalize_domain(domain)
+            if normalized and normalized not in allowed:
+                allowed.append(normalized)
+    else:
+        remove = set(normalize_domain(domain) for domain in domains)
+        allowed = [domain for domain in allowed if domain not in remove]
+    network["allow_domains"] = allowed
+    JsonConfigWriter().save(config_path, config)
+    print("Allowed credential domains:")
+    for domain in allowed:
+        print("  %s" % domain)
+    return 0
+
+
+def cloud_features_enabled() -> bool:
+    return os.environ.get("AGENTSECURE_ENABLE_CLOUD", "").strip() == "1"
+
+
+def cloud_features_disabled() -> int:
+    sys.stderr.write(
+        "agentsecure: cloud features are not enabled in community mode "
+        "(set AGENTSECURE_ENABLE_CLOUD=1 in private builds)\n"
+    )
+    return 2

agentsecure/cli/demo.py

@@ -0,0 +1,97 @@
+import argparse
+import os
+import shutil
+import subprocess
+import tempfile
+
+from agentsecure.cli.common import load_config_data, scanner
+from agentsecure.core.config import JsonConfigWriter
+from agentsecure.core.key_service import KeyManagementService
+from agentsecure.core.product import ProductService
+from agentsecure.guard.sanitizer import SecretOutputSanitizer
+from agentsecure.implementations.audit import JsonLineAuditLogger
+from agentsecure.implementations.grant_store import LocalJsonGrantStore
+from agentsecure.implementations.secret_store_factory import encrypted_secret_store_for_config
+from agentsecure.workspace.materializer import make_tree_writable
+
+
+def run_demo(args: argparse.Namespace) -> int:
+    demo_dir = tempfile.mkdtemp(prefix="agentsecure-demo-")
+    current = os.getcwd()
+    try:
+        os.chdir(demo_dir)
+        config_path = os.path.join(demo_dir, "agentsecure.json")
+        env_path = os.path.join(demo_dir, ".env")
+        openai_secret = "sk-demo-local-secret-do-not-use"
+        database_secret = "postgres://demo:demo-password@production.example/app"
+        with open(env_path, "w") as handle:
+            handle.write("OPENAI_API_KEY=%s\n" % openai_secret)
+            handle.write("DATABASE_URL_PROD=%s\n" % database_secret)
+
+        ProductService(config_path, scanner()).init_project(force=True)
+        service = KeyManagementService(
+            config_path,
+            encrypted_secret_store_for_config(config_path),
+            LocalJsonGrantStore(os.path.join(demo_dir, ".agentsecure", "grants.json")),
+            JsonLineAuditLogger(os.path.join(demo_dir, ".agentsecure", "audit.log")),
+        )
+        openai_result = service.create_key(
+            env_name="OPENAI_API_KEY",
+            real_secret=openai_secret,
+            provider="openai",
+            ttl="2h",
+        )
+        service.create_key(
+            env_name="DATABASE_URL_PROD",
+            real_secret=database_secret,
+            provider="database",
+            ttl="2h",
+        )
+        config = load_config_data(config_path)
+        config.setdefault("env_policy", {})["DATABASE_URL_PROD"] = {
+            "mode": "deny",
+            "environment": "production",
+            "risk": "high",
+            "reason": "production database credentials are not exposed to local agents",
+        }
+        JsonConfigWriter().save(config_path, config)
+
+        raw_output = _demo_read_dotenv(demo_dir)
+        sanitizer = SecretOutputSanitizer.from_config_path(config_path)
+        agent_visible = sanitizer.sanitize_text(raw_output)
+
+        print("AgentSecure community demo (local only)")
+        print("Project: %s" % demo_dir)
+        print("Command: cat .env")
+        print("Decision: mask OPENAI_API_KEY and block DATABASE_URL_PROD")
+        print("")
+        print("Agent-visible output:")
+        print(agent_visible, end="" if agent_visible.endswith("\n") else "\n")
+        print("")
+        print("Why:")
+        print("  OPENAI_API_KEY was replaced with %s" % openai_result["virtual_token"])
+        print("  DATABASE_URL_PROD was removed because env_policy sets mode=deny")
+        print("  Real secret values stayed local in the demo project")
+        print("  No cloud service, billing service, or enterprise policy sync was used")
+        if args.keep:
+            print("")
+            print("Kept demo project: %s" % demo_dir)
+        return 0
+    finally:
+        os.chdir(current)
+        if not args.keep:
+            make_tree_writable(demo_dir)
+            shutil.rmtree(demo_dir, ignore_errors=True)
+
+
+def _demo_read_dotenv(demo_dir: str) -> str:
+    try:
+        return subprocess.check_output(
+            ["cat", ".env"],
+            cwd=demo_dir,
+            stderr=subprocess.STDOUT,
+            universal_newlines=True,
+        )
+    except (OSError, subprocess.SubprocessError):
+        with open(os.path.join(demo_dir, ".env"), "r") as handle:
+            return handle.read()