bizteamai-smcp 1.13.1__py3-none-any.whl

smcp/filters.py

@@ -0,0 +1,176 @@
+"""
+Input filtering and sanitization for prompts and parameters.
+"""
+
+import re
+from typing import Any, Dict, Union
+
+
+class InputValidationError(Exception):
+    """Raised when input fails validation."""
+    pass
+
+
+def sanitize_prompt(prompt: str, cfg: Dict[str, Union[str, int]]) -> None:
+    """
+    Sanitize and validate prompt input against configured rules.
+    
+    Args:
+        prompt: The prompt text to validate
+        cfg: Configuration dictionary containing validation rules
+        
+    Raises:
+        InputValidationError: If the prompt fails validation
+    """
+    # Length validation
+    max_len = cfg.get("MAX_LEN")
+    if max_len and len(prompt) > max_len:
+        raise InputValidationError(f"Prompt exceeds maximum length of {max_len}")
+    
+    # Pattern validation
+    safe_re = cfg.get("SAFE_RE")
+    if safe_re:
+        if not re.match(safe_re, prompt, re.DOTALL):
+            raise InputValidationError("Prompt contains invalid characters or patterns")
+    
+    # Blocked patterns check
+    blocked_patterns = cfg.get("BLOCKED_PATTERNS", [])
+    for pattern in blocked_patterns:
+        if re.search(pattern, prompt, re.IGNORECASE):
+            raise InputValidationError(f"Prompt contains blocked pattern")
+
+
+def sanitize_parameter(param_name: str, param_value: Any, cfg: Dict[str, Any]) -> Any:
+    """
+    Sanitize and validate a function parameter.
+    
+    Args:
+        param_name: Name of the parameter
+        param_value: Value of the parameter
+        cfg: Configuration dictionary containing validation rules
+        
+    Returns:
+        Sanitized parameter value
+        
+    Raises:
+        InputValidationError: If the parameter fails validation
+    """
+    # String parameter validation
+    if isinstance(param_value, str):
+        _validate_string_parameter(param_name, param_value, cfg)
+    
+    # Numeric parameter validation
+    elif isinstance(param_value, (int, float)):
+        _validate_numeric_parameter(param_name, param_value, cfg)
+    
+    # List parameter validation
+    elif isinstance(param_value, list):
+        _validate_list_parameter(param_name, param_value, cfg)
+    
+    return param_value
+
+
+def _validate_string_parameter(param_name: str, value: str, cfg: Dict[str, Any]) -> None:
+    """Validate string parameters."""
+    param_rules = cfg.get("PARAM_RULES", {}).get(param_name, {})
+    
+    # Length validation
+    max_len = param_rules.get("max_length", cfg.get("MAX_PARAM_LEN"))
+    if max_len and len(value) > max_len:
+        raise InputValidationError(f"Parameter '{param_name}' exceeds maximum length")
+    
+    # Pattern validation
+    pattern = param_rules.get("pattern", cfg.get("PARAM_SAFE_RE"))
+    if pattern and not re.match(pattern, value):
+        raise InputValidationError(f"Parameter '{param_name}' contains invalid characters")
+    
+    # Blocked content check
+    blocked = param_rules.get("blocked", cfg.get("BLOCKED_PARAM_PATTERNS", []))
+    for block_pattern in blocked:
+        if re.search(block_pattern, value, re.IGNORECASE):
+            raise InputValidationError(f"Parameter '{param_name}' contains blocked content")
+
+
+def _validate_numeric_parameter(param_name: str, value: Union[int, float], cfg: Dict[str, Any]) -> None:
+    """Validate numeric parameters."""
+    param_rules = cfg.get("PARAM_RULES", {}).get(param_name, {})
+    
+    # Range validation
+    min_val = param_rules.get("min_value")
+    max_val = param_rules.get("max_value")
+    
+    if min_val is not None and value < min_val:
+        raise InputValidationError(f"Parameter '{param_name}' below minimum value {min_val}")
+    
+    if max_val is not None and value > max_val:
+        raise InputValidationError(f"Parameter '{param_name}' exceeds maximum value {max_val}")
+
+
+def _validate_list_parameter(param_name: str, value: list, cfg: Dict[str, Any]) -> None:
+    """Validate list parameters."""
+    param_rules = cfg.get("PARAM_RULES", {}).get(param_name, {})
+    
+    # Length validation
+    max_items = param_rules.get("max_items", cfg.get("MAX_LIST_ITEMS"))
+    if max_items and len(value) > max_items:
+        raise InputValidationError(f"Parameter '{param_name}' has too many items")
+    
+    # Validate each item in the list
+    for i, item in enumerate(value):
+        try:
+            if isinstance(item, str):
+                _validate_string_parameter(f"{param_name}[{i}]", item, cfg)
+            elif isinstance(item, (int, float)):
+                _validate_numeric_parameter(f"{param_name}[{i}]", item, cfg)
+        except InputValidationError as e:
+            raise InputValidationError(f"List item validation failed: {e}")
+
+
+def create_safe_regex(allowed_chars: str = None) -> str:
+    """
+    Create a safe regex pattern for input validation.
+    
+    Args:
+        allowed_chars: Additional characters to allow beyond basic alphanumeric
+        
+    Returns:
+        Regex pattern string for safe input validation
+    """
+    base_chars = r"\w\s"  # alphanumeric and whitespace
+    
+    if allowed_chars:
+        # Escape special regex characters
+        escaped_chars = re.escape(allowed_chars)
+        base_chars += escaped_chars
+    
+    return f"^[{base_chars}]*$"
+
+
+def strip_dangerous_content(text: str, cfg: Dict[str, Any]) -> str:
+    """
+    Strip potentially dangerous content from text.
+    
+    Args:
+        text: Text to sanitize
+        cfg: Configuration dictionary
+        
+    Returns:
+        Sanitized text with dangerous content removed
+    """
+    # Remove common injection patterns
+    dangerous_patterns = [
+        r'<script[^>]*>.*?</script>',  # Script tags
+        r'javascript:',                # JavaScript URLs
+        r'data:',                     # Data URLs
+        r'vbscript:',                 # VBScript URLs
+    ]
+    
+    # Add custom dangerous patterns from config
+    custom_patterns = cfg.get("DANGEROUS_PATTERNS", [])
+    dangerous_patterns.extend(custom_patterns)
+    
+    sanitized = text
+    for pattern in dangerous_patterns:
+        sanitized = re.sub(pattern, '', sanitized, flags=re.IGNORECASE)
+    
+    return sanitized

smcp/license.py

@@ -0,0 +1,113 @@
+"""
+License verification and core limit enforcement for SMCP Business Edition.
+"""
+import os
+import hmac
+import hashlib
+import logging
+from datetime import datetime, timezone
+from typing import Optional, Tuple
+
+logger = logging.getLogger(__name__)
+
+class LicenseError(Exception):
+    """Base exception for license-related errors."""
+    pass
+
+class LicenseExpiredError(LicenseError):
+    """Raised when license has expired."""
+    pass
+
+class LicenseInvalidError(LicenseError):
+    """Raised when license is invalid or corrupted."""
+    pass
+
+class CoreLimitExceededError(LicenseError):
+    """Raised when CPU core limit is exceeded."""
+    pass
+
+def parse_license_key(key: str) -> dict:
+    """Parse and validate license key format."""
+    parts = key.strip().split('.')
+    if len(parts) != 6 or parts[0] != 'BZT':
+        raise LicenseInvalidError("Invalid license key format")
+    
+    return {
+        'prefix': parts[0],
+        'customer_id': parts[1],
+        'cores': int(parts[2]),
+        'expiry_utc': parts[3],
+        'nonce': parts[4],
+        'signature': parts[5]
+    }
+
+def verify_license_signature(key_data: dict, secret: str) -> bool:
+    """Verify HMAC-SHA256 signature of license key."""
+    payload = f"{key_data['prefix']}.{key_data['customer_id']}.{key_data['cores']}.{key_data['expiry_utc']}.{key_data['nonce']}"
+    expected_sig = hmac.new(
+        secret.encode('utf-8'),
+        payload.encode('utf-8'),
+        hashlib.sha256
+    ).hexdigest()
+    return hmac.compare_digest(expected_sig, key_data['signature'])
+
+def check_license_expiry(expiry_str: str) -> bool:
+    """Check if license has expired (24h grace period)."""
+    try:
+        expiry_date = datetime.strptime(expiry_str, '%Y%m%d').replace(tzinfo=timezone.utc)
+        # Add 24 hour grace period
+        grace_expiry = expiry_date.replace(hour=23, minute=59, second=59)
+        return datetime.now(timezone.utc) > grace_expiry
+    except ValueError:
+        raise LicenseInvalidError("Invalid expiry date format")
+
+def load_license_key() -> Optional[str]:
+    """Load license key from file or environment variable."""
+    # Check environment variable first
+    key = os.getenv('BIZTEAM_LICENSE_KEY')
+    if key:
+        return key
+    
+    # Check license file
+    license_file = os.getenv('BIZTEAM_LICENSE_FILE', '/etc/bizteam/license.txt')
+    try:
+        with open(license_file, 'r') as f:
+            return f.read().strip()
+    except FileNotFoundError:
+        return None
+
+def verify_license(secret: str) -> Tuple[bool, dict]:
+    """
+    Verify license and return validity status and license data.
+    
+    Returns:
+        Tuple of (is_valid, license_data)
+    """
+    license_key = load_license_key()
+    if not license_key:
+        return False, {}
+    
+    try:
+        key_data = parse_license_key(license_key)
+        
+        # Verify signature
+        if not verify_license_signature(key_data, secret):
+            raise LicenseInvalidError("Invalid license signature")
+        
+        # Check expiry
+        if check_license_expiry(key_data['expiry_utc']):
+            raise LicenseExpiredError("License has expired")
+        
+        logger.info(f"License verified for customer {key_data['customer_id']}, cores: {key_data['cores']}")
+        return True, key_data
+        
+    except (LicenseError, ValueError) as e:
+        logger.error(f"License verification failed: {e}")
+        return False, {}
+
+def get_licensed_cores() -> int:
+    """Get the number of licensed cores, or 0 if no valid license."""
+    # In production, this would use a proper server secret
+    server_secret = os.getenv('BIZTEAM_SERVER_SECRET', 'dev-secret-key')
+    is_valid, license_data = verify_license(server_secret)
+    return license_data.get('cores', 0) if is_valid else 0

smcp/logchain.py

@@ -0,0 +1,270 @@
+"""
+Tamper-proof logging with SHA-256 chaining for audit trails.
+"""
+
+import hashlib
+import json
+import time
+from pathlib import Path
+from typing import Any, Dict, List, Optional, Tuple
+
+
+class LogChain:
+    """
+    Append-only logger with SHA-256 chaining for tamper detection.
+    
+    Each log entry contains a hash of the previous entry, creating
+    a chain that can detect tampering anywhere in the log.
+    """
+    
+    def __init__(self, log_path: str):
+        """
+        Initialize the log chain.
+        
+        Args:
+            log_path: Path to the log file
+        """
+        self.log_path = Path(log_path)
+        self.log_path.parent.mkdir(parents=True, exist_ok=True)
+        self._initialize_log()
+    
+    def _initialize_log(self) -> None:
+        """Initialize the log file if it doesn't exist."""
+        if not self.log_path.exists():
+            # Create genesis entry
+            genesis_entry = {
+                "sequence": 0,
+                "timestamp": time.time(),
+                "event_type": "genesis",
+                "data": "Log chain initialized",
+                "previous_hash": "0" * 64,  # Genesis has no previous hash
+            }
+            genesis_entry["hash"] = self._calculate_hash(genesis_entry)
+            
+            with open(self.log_path, 'w') as f:
+                json.dump([genesis_entry], f, indent=2)
+    
+    def _calculate_hash(self, entry: Dict[str, Any]) -> str:
+        """Calculate SHA-256 hash for a log entry."""
+        # Create a copy without the hash field for calculation
+        entry_copy = {k: v for k, v in entry.items() if k != "hash"}
+        entry_json = json.dumps(entry_copy, sort_keys=True, separators=(',', ':'))
+        return hashlib.sha256(entry_json.encode()).hexdigest()
+    
+    def _load_log(self) -> List[Dict[str, Any]]:
+        """Load the current log entries."""
+        try:
+            with open(self.log_path, 'r') as f:
+                return json.load(f)
+        except (FileNotFoundError, json.JSONDecodeError):
+            return []
+    
+    def _save_log(self, entries: List[Dict[str, Any]]) -> None:
+        """Save log entries to disk."""
+        with open(self.log_path, 'w') as f:
+            json.dump(entries, f, indent=2, default=str)
+    
+    def _get_last_hash(self) -> str:
+        """Get the hash of the last log entry."""
+        entries = self._load_log()
+        return entries[-1]["hash"] if entries else "0" * 64
+    
+    def append(self, event_type: str, data: Any) -> str:
+        """
+        Append a new entry to the log chain.
+        
+        Args:
+            event_type: Type of event being logged
+            data: Event data to log
+            
+        Returns:
+            Hash of the new entry
+        """
+        entries = self._load_log()
+        sequence = len(entries)
+        previous_hash = self._get_last_hash()
+        
+        entry = {
+            "sequence": sequence,
+            "timestamp": time.time(),
+            "event_type": event_type,
+            "data": data,
+            "previous_hash": previous_hash,
+        }
+        entry["hash"] = self._calculate_hash(entry)
+        
+        entries.append(entry)
+        self._save_log(entries)
+        
+        return entry["hash"]
+    
+    def verify_chain(self) -> Tuple[bool, Optional[int]]:
+        """
+        Verify the integrity of the log chain.
+        
+        Returns:
+            Tuple of (is_valid, first_invalid_sequence)
+            is_valid is False if tampering is detected
+            first_invalid_sequence is the sequence number of the first invalid entry
+        """
+        entries = self._load_log()
+        
+        if not entries:
+            return True, None
+        
+        # Verify genesis entry
+        if entries[0]["previous_hash"] != "0" * 64:
+            return False, 0
+        
+        # Verify each entry's hash and chain
+        for i, entry in enumerate(entries):
+            # Verify the entry's own hash
+            calculated_hash = self._calculate_hash(entry)
+            if calculated_hash != entry["hash"]:
+                return False, i
+            
+            # Verify the chain (except for genesis)
+            if i > 0:
+                if entry["previous_hash"] != entries[i-1]["hash"]:
+                    return False, i
+        
+        return True, None
+    
+    def get_entries(self, start_sequence: int = 0, end_sequence: Optional[int] = None) -> List[Dict[str, Any]]:
+        """
+        Get log entries in a range.
+        
+        Args:
+            start_sequence: Starting sequence number (inclusive)
+            end_sequence: Ending sequence number (inclusive, None for all)
+            
+        Returns:
+            List of log entries in the specified range
+        """
+        entries = self._load_log()
+        
+        if end_sequence is None:
+            end_sequence = len(entries) - 1
+        
+        return [entry for entry in entries 
+                if start_sequence <= entry["sequence"] <= end_sequence]
+    
+    def get_stats(self) -> Dict[str, Any]:
+        """Get statistics about the log chain."""
+        entries = self._load_log()
+        
+        if not entries:
+            return {"total_entries": 0, "chain_valid": True}
+        
+        is_valid, invalid_seq = self.verify_chain()
+        
+        event_types = {}
+        for entry in entries:
+            event_type = entry["event_type"]
+            event_types[event_type] = event_types.get(event_type, 0) + 1
+        
+        return {
+            "total_entries": len(entries),
+            "chain_valid": is_valid,
+            "first_invalid_sequence": invalid_seq,
+            "first_entry_time": entries[0]["timestamp"] if entries else None,
+            "last_entry_time": entries[-1]["timestamp"] if entries else None,
+            "event_type_counts": event_types,
+        }
+
+
+# Global logger instance
+_logger = None
+
+
+def get_logger(cfg: Dict[str, Any]) -> Optional[LogChain]:
+    """Get or create the global logger if logging is enabled."""
+    global _logger
+    
+    log_path = cfg.get("LOG_PATH")
+    if not log_path:
+        return None
+    
+    if _logger is None:
+        _logger = LogChain(log_path)
+    
+    return _logger
+
+
+def log_event(function_name: str, args: Tuple, kwargs: Dict[str, Any], result: Any, cfg: Dict[str, Any]) -> None:
+    """
+    Log a function execution event.
+    
+    Args:
+        function_name: Name of the executed function
+        args: Function arguments
+        kwargs: Function keyword arguments
+        result: Function result
+        cfg: Configuration dictionary
+    """
+    logger = get_logger(cfg)
+    if not logger:
+        return
+    
+    # Remove sensitive data from kwargs for logging
+    safe_kwargs = {k: v for k, v in kwargs.items() if not k.startswith("_")}
+    
+    event_data = {
+        "function": function_name,
+        "args": args,
+        "kwargs": safe_kwargs,
+        "result_type": type(result).__name__,
+        "result_size": len(str(result)) if result is not None else 0,
+        "success": True,
+    }
+    
+    logger.append("function_execution", event_data)
+
+
+def log_security_event(event_type: str, details: Dict[str, Any], cfg: Dict[str, Any]) -> None:
+    """
+    Log a security-related event.
+    
+    Args:
+        event_type: Type of security event
+        details: Event details
+        cfg: Configuration dictionary
+    """
+    logger = get_logger(cfg)
+    if not logger:
+        return
+    
+    event_data = {
+        "security_event_type": event_type,
+        "details": details,
+    }
+    
+    logger.append("security_event", event_data)
+
+
+def log_error(function_name: str, error: Exception, args: Tuple, kwargs: Dict[str, Any], cfg: Dict[str, Any]) -> None:
+    """
+    Log an error event.
+    
+    Args:
+        function_name: Name of the function that errored
+        error: The exception that occurred
+        args: Function arguments
+        kwargs: Function keyword arguments
+        cfg: Configuration dictionary
+    """
+    logger = get_logger(cfg)
+    if not logger:
+        return
+    
+    safe_kwargs = {k: v for k, v in kwargs.items() if not k.startswith("_")}
+    
+    event_data = {
+        "function": function_name,
+        "error_type": type(error).__name__,
+        "error_message": str(error),
+        "args": args,
+        "kwargs": safe_kwargs,
+    }
+    
+    logger.append("function_error", event_data)