bootsec 0.8.0__py3-none-any.whl

bootsec/__init__.py

@@ -0,0 +1 @@
+__version__ = "0.7.0"

bootsec/checks.py

@@ -0,0 +1,174 @@
+"""Security checks for bootsec (free version).
+
+FAST mode only - for guard command.
+"""
+from __future__ import annotations
+
+import re
+from dataclasses import dataclass, field
+from pathlib import Path
+
+# Limits
+FILE_READ_CAP = 64 * 1024  # 64KB per file
+
+# Directories to always skip
+SKIP_DIRS = {".git", "node_modules", ".venv", "venv", "dist", "build", ".dart_tool", "__pycache__", ".next", ".nuxt"}
+
+# Signal files for fast mode
+SIGNAL_FILES = [
+    "package.json", "package-lock.json", "pnpm-lock.yaml", "yarn.lock",
+    "pyproject.toml", "requirements.txt", "poetry.lock",
+    "pubspec.yaml", "pubspec.lock",
+    "README.md",
+]
+
+# Risky patterns (conservative for fast mode)
+ENV_FILE_PATTERN = re.compile(r"^\.env(\..+)?$")
+PRIVATE_KEY_PATTERN = re.compile(r"-----BEGIN\s+(RSA|DSA|EC|OPENSSH|PGP|ENCRYPTED)?\s*PRIVATE\s+KEY-----")
+
+# Core secret patterns for fast mode
+SECRET_PATTERNS = [
+    # AWS
+    (re.compile(r"AKIA[0-9A-Z]{16}"), "AWS Access Key", "high", 25),
+    # GitHub
+    (re.compile(r"ghp_[a-zA-Z0-9]{36}"), "GitHub PAT", "high", 25),
+    (re.compile(r"github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}"), "GitHub PAT (fine-grained)", "high", 25),
+    # Stripe
+    (re.compile(r"sk_live_[a-zA-Z0-9]{24,}"), "Stripe Live Key", "high", 25),
+    # Slack
+    (re.compile(r"xox[baprs]-[0-9]{10,13}-[0-9]{10,13}[a-zA-Z0-9-]*"), "Slack Token", "high", 25),
+    # Database URLs
+    (re.compile(r"(?i)(mongodb(\+srv)?|postgres(ql)?|mysql|redis)://[^:\s]+:[^@\s]+@[^\s]+"), "Database URL with credentials", "high", 25),
+    # Private keys
+    (re.compile(r"-----BEGIN\s+(RSA|DSA|EC|OPENSSH)?\s*PRIVATE\s+KEY-----"), "Private Key", "high", 25),
+]
+
+# False positive contexts
+FALSE_POSITIVE_CONTEXTS = [
+    re.compile(r"(?i)(example|sample|test|dummy|fake|placeholder|your[_-]?|my[_-]?|xxx|replace[_-]?me)"),
+    re.compile(r"<[A-Z_]+>"),
+    re.compile(r"\$\{[^}]+\}"),
+    re.compile(r"\{\{[^}]+\}\}"),
+]
+
+
+@dataclass
+class Finding:
+    name: str
+    severity: str  # "high", "med", "low"
+    points: int
+    source: str = ""
+
+
+@dataclass
+class CheckResult:
+    mode: str  # "fast"
+    findings: list[Finding] = field(default_factory=list)
+    files_scanned: int = 0
+    bytes_scanned: int = 0
+
+    @property
+    def score(self) -> int:
+        total = sum(f.points for f in self.findings)
+        return max(0, min(100, 100 - total))
+
+    @property
+    def high_count(self) -> int:
+        return sum(1 for f in self.findings if f.severity == "high")
+
+    @property
+    def med_count(self) -> int:
+        return sum(1 for f in self.findings if f.severity == "med")
+
+    @property
+    def low_count(self) -> int:
+        return sum(1 for f in self.findings if f.severity == "low")
+
+
+def fast_checks(directory: Path) -> CheckResult:
+    """Fast mode: signal files only, high-confidence issues."""
+    result = CheckResult(mode="fast")
+
+    # Check for .env files in root
+    for item in directory.iterdir():
+        if item.is_file() and ENV_FILE_PATTERN.match(item.name):
+            if item.name != ".env.example":
+                result.findings.append(Finding(
+                    f".env file tracked: {item.name}",
+                    "high", 25, item.name
+                ))
+
+    # Check baseline docs
+    _check_baseline_docs(directory, result)
+
+    # Check staged files for secrets
+    _check_staged_secrets(directory, result)
+
+    return result
+
+
+def _check_baseline_docs(directory: Path, result: CheckResult) -> None:
+    """Check for missing baseline docs."""
+    checks = [
+        (".gitignore", "gitignore", "high", 20),
+        ("SECURITY.md", "security policy", "high", 20),
+        (".pre-commit-config.yaml", "commit guard", "med", 8),
+    ]
+
+    for path, name, severity, points in checks:
+        fpath = directory / path
+        if not fpath.exists():
+            result.findings.append(Finding(name, severity, points, path))
+
+
+def _check_staged_secrets(directory: Path, result: CheckResult) -> None:
+    """Check staged files for secrets."""
+    import subprocess
+
+    try:
+        proc = subprocess.run(
+            ["git", "diff", "--cached", "--name-only"],
+            cwd=directory,
+            capture_output=True,
+            text=True,
+            timeout=5,
+        )
+        if proc.returncode != 0:
+            return
+
+        staged_files = [f for f in proc.stdout.strip().split("\n") if f]
+    except Exception:
+        return
+
+    for relpath in staged_files:
+        fpath = directory / relpath
+        if not fpath.exists() or not fpath.is_file():
+            continue
+
+        try:
+            content = fpath.read_text(errors="ignore")[:FILE_READ_CAP]
+            _check_content_secrets(content, relpath, result)
+        except Exception:
+            pass
+
+
+def _check_content_secrets(content: str, filepath: str, result: CheckResult) -> None:
+    """Scan content for secrets."""
+    for pattern, name, severity, points in SECRET_PATTERNS:
+        matches = pattern.findall(content)
+        for match in matches:
+            match_str = match if isinstance(match, str) else match[0]
+
+            # Check for false positives
+            context_start = max(0, content.find(match_str) - 50)
+            context_end = min(len(content), content.find(match_str) + len(match_str) + 50)
+            context = content[context_start:context_end]
+
+            is_false_positive = any(fp.search(context) for fp in FALSE_POSITIVE_CONTEXTS)
+
+            if not is_false_positive:
+                result.findings.append(Finding(
+                    f"{name} in staged file",
+                    severity, points, filepath
+                ))
+                break  # One finding per pattern per file

bootsec/cli.py

@@ -0,0 +1,371 @@
+"""Bootsec CLI - Free version.
+
+Security baseline for your project. One command, you're set.
+"""
+from __future__ import annotations
+
+import json
+import random
+import subprocess
+import sys
+from pathlib import Path
+
+from bootsec.checks import fast_checks
+from bootsec.profiles import Profile, get_profile
+from bootsec.renderer import detect_project_type, generate_files
+from bootsec.packs import suggest_packs, select_packs_by_layer, list_packs
+
+VERSION = "0.8.0"
+BOOTSEC_DIR = ".bootsec"
+
+# UI
+BAR_WIDTH = 24
+CHICK_SPLASH = "🐤"
+
+
+def score_bar(score: int) -> str:
+    """Generate ASCII progress bar."""
+    filled = int((score / 100) * BAR_WIDTH)
+    filled = max(0, min(BAR_WIDTH, filled))
+    empty = BAR_WIDTH - filled
+    return "█" * filled + "░" * empty
+
+
+def omar_comment(score: int) -> str:
+    """Quick feedback based on score."""
+    if score >= 90:
+        return "Beast mode."
+    elif score >= 75:
+        return "Solid."
+    elif score >= 60:
+        return "Decent. Fix the highs."
+    elif score >= 40:
+        return "Needs work."
+    else:
+        return "Fix the red items first."
+
+
+def print_splash():
+    """Print minimal splash."""
+    print(f"\n  {CHICK_SPLASH} bootsec v{VERSION}\n")
+
+
+def print_seal():
+    """Print success seal."""
+    print(f"  {CHICK_SPLASH}")
+
+
+def print_header(cmd: str):
+    """Print minimal header."""
+    print(f"\n  -- {cmd} --\n")
+
+
+def print_help():
+    """Print help."""
+    print(f"""
+  bootsec v{VERSION} — security baseline for your project
+
+  Commands:
+    go        Apply baseline docs + commit guard
+    guard     Block commits with issues (pre-commit, <1s)
+    peek      Preview what go would create
+    review    Preview coverage layers
+    packs     List all available packs
+
+  Flags:
+    --full    Allow extra packs
+    --ci      Include GitHub Actions
+
+  Examples:
+    bootsec go
+    bootsec go --ci
+    bootsec peek
+
+  ─────────────────────────────────────────────────
+  Want more? Deep scans, vulnerability checks, AI fixes
+
+  → Get bootsec Pro: https://bootsec.dev
+  ─────────────────────────────────────────────────
+""")
+
+
+def print_upsell():
+    """Show upsell message."""
+    print("""
+  ─
+  🔓 Unlock: deep scans, vuln checks, SBOM, AI fixes
+  → bootsec Pro: https://bootsec.dev
+""")
+
+
+def maybe_show_upsell():
+    """Show upsell 1 in 3 times."""
+    if random.randint(1, 3) == 1:
+        print_upsell()
+
+
+def write_manifest(directory: Path, pack_names: list[str], project_type: str, reasons: list[str]) -> None:
+    """Write manifest file."""
+    baseline_dir = directory / "docs" / "baseline"
+    baseline_dir.mkdir(parents=True, exist_ok=True)
+
+    manifest = {
+        "version": VERSION,
+        "project_type": project_type,
+        "packs": pack_names,
+        "reasons": reasons,
+    }
+
+    manifest_path = baseline_dir / "manifest.json"
+    manifest_path.write_text(json.dumps(manifest, indent=2))
+
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Commands
+# ─────────────────────────────────────────────────────────────────────────────
+
+def cmd_go(args: list[str]) -> int:
+    """Full setup: docs + commit guard."""
+    directory = Path.cwd()
+    full_mode = "--full" in args
+    include_ci = "--ci" in args
+
+    print_splash()
+
+    # Detect project type
+    project_type = detect_project_type(directory)
+    print(f"  • Detected: {project_type}")
+
+    # Select packs
+    suggestions = suggest_packs(directory)
+    selection = select_packs_by_layer(suggestions, full_mode=full_mode)
+    pack_names = selection.all_packs()
+    reasons = []
+    for s in suggestions:
+        if s.pack_name in pack_names:
+            reasons.append(f"{s.reason} → {s.pack_name}")
+    print(f"  • Packs: {', '.join(pack_names)}")
+
+    # Create profile
+    profile = Profile(
+        name="startup",
+        gitignore=True,
+        env_example=True,
+        security_md=True,
+        checklist=True,
+        pre_commit=True,
+        github_actions=include_ci,
+        with_secret_scanner=False,
+    )
+
+    # Generate files
+    results = generate_files(directory, profile, project_type, dry_run=False, pack_names=pack_names)
+    print(f"  • Files: {len(results)} ready")
+
+    # Write manifest
+    write_manifest(directory, pack_names, project_type, reasons)
+
+    # Count actions
+    created = sum(1 for r in results if r.action == "create")
+    updated = sum(1 for r in results if r.action == "update")
+
+    # Install pre-commit
+    precommit_config = directory / ".pre-commit-config.yaml"
+    if precommit_config.exists():
+        try:
+            subprocess.run(
+                ["pre-commit", "install"],
+                cwd=directory,
+                capture_output=True,
+                timeout=30,
+            )
+            print("  • pre-commit installed")
+        except Exception:
+            pass
+
+    print()
+    print(f"  Done. {created} created, {updated} updated.")
+    print_seal()
+    maybe_show_upsell()
+    return 0
+
+
+def cmd_guard(args: list[str]) -> int:
+    """Pre-commit guard check."""
+    directory = Path.cwd()
+
+    result = fast_checks(directory)
+
+    if result.high_count > 0:
+        bar = score_bar(result.score)
+
+        print(f"\n  ✗ Guard failed  [{bar}] {result.score}")
+        print()
+
+        for f in result.findings[:5]:
+            severity_mark = "!" if f.severity == "high" else "~"
+            print(f"  {severity_mark} {f.name}")
+
+        if len(result.findings) > 5:
+            print(f"  ... and {len(result.findings) - 5} more")
+
+        print()
+        return 1
+    else:
+        print_seal()
+        return 0
+
+
+def cmd_peek(args: list[str]) -> int:
+    """Preview what go would create."""
+    directory = Path.cwd()
+    full_mode = "--full" in args
+    include_ci = "--ci" in args
+
+    print_splash()
+
+    project_type = detect_project_type(directory)
+    print(f"  • Stack: {project_type}")
+
+    suggestions = suggest_packs(directory)
+    selection = select_packs_by_layer(suggestions, full_mode=full_mode)
+    pack_names = selection.all_packs()
+    print(f"  • Packs: {', '.join(pack_names)}")
+    print()
+
+    profile = Profile(
+        name="startup",
+        gitignore=True,
+        env_example=True,
+        security_md=True,
+        checklist=True,
+        pre_commit=True,
+        github_actions=include_ci,
+        with_secret_scanner=False,
+    )
+
+    results = generate_files(directory, profile, project_type, dry_run=True, pack_names=pack_names)
+
+    print("  Would create/update:")
+    for r in results:
+        print(f"    [{r.action}] {r.path}")
+
+    print()
+    print(f"  Total: {len(results)} files")
+    print()
+    maybe_show_upsell()
+    return 0
+
+
+def cmd_review(args: list[str]) -> int:
+    """Preview coverage layers."""
+    directory = Path.cwd()
+    full_mode = "--full" in args
+
+    print_splash()
+
+    suggestions = suggest_packs(directory)
+    selection = select_packs_by_layer(suggestions, full_mode=full_mode)
+    pack_names = selection.all_packs()
+
+    print("  Coverage layers:\n")
+    for s in suggestions:
+        if s.pack_name in pack_names:
+            print(f"  • {s.pack_name}")
+            print(f"    {s.reason}")
+            print()
+
+    maybe_show_upsell()
+    return 0
+
+
+def cmd_packs(args: list[str]) -> int:
+    """List all available packs."""
+    print_splash()
+    print("  Available packs:\n")
+
+    for pack in list_packs():
+        print(f"  • {pack.name}")
+        if pack.description:
+            print(f"    {pack.description}")
+
+    print()
+    maybe_show_upsell()
+    return 0
+
+
+def cmd_version(args: list[str]) -> int:
+    """Show version."""
+    print(f"bootsec {VERSION}")
+    return 0
+
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Main
+# ─────────────────────────────────────────────────────────────────────────────
+
+COMMANDS = {
+    "go": cmd_go,
+    "guard": cmd_guard,
+    "peek": cmd_peek,
+    "review": cmd_review,
+    "packs": cmd_packs,
+    "version": cmd_version,
+    # Aliases
+    "init": cmd_go,
+}
+
+# Pro commands that show upsell
+PRO_COMMANDS = {"check", "scan", "deps", "sbom", "ai", "audit", "deep"}
+
+
+def main() -> int:
+    """Main entry point."""
+    args = sys.argv[1:]
+
+    # Handle flags
+    if not args or args[0] in ("--help", "-h", "help", "hey"):
+        print_help()
+        return 0
+
+    if args[0] in ("--version", "-v", "-V"):
+        return cmd_version(args)
+
+    cmd = args[0].lower()
+    cmd_args = args[1:]
+
+    # Check for Pro command
+    if cmd in PRO_COMMANDS:
+        print(f"""
+  '{cmd}' is a Pro feature.
+
+  Get bootsec Pro for:
+  • Deep security scans
+  • Vulnerability detection (OSV)
+  • Dependency audits
+  • SBOM generation
+  • AI-powered fix suggestions
+
+  → https://bootsec.dev
+""")
+        return 0
+
+    # Run command
+    if cmd in COMMANDS:
+        try:
+            return COMMANDS[cmd](cmd_args)
+        except KeyboardInterrupt:
+            print("\n  Cancelled.")
+            return 130
+        except Exception as e:
+            print(f"  Error: {e}")
+            return 1
+
+    # Unknown command
+    print(f"  Unknown command: {cmd}")
+    print("  Run 'bootsec help' for usage.")
+    return 1
+
+
+if __name__ == "__main__":
+    sys.exit(main())

bootsec/i18n.py

@@ -0,0 +1,114 @@
+"""Internationalization for Bootsec CLI output.
+
+Omar voice: 27-year-old builder, nerdy, confident, friendly.
+80% clear + direct, 20% humor (max 1 line per section).
+"""
+from __future__ import annotations
+
+import os
+
+LANG_AR = "ar"
+LANG_EN = "en"
+
+# Phrasing library - consistent voice across all output
+MESSAGES = {
+    # Success/status - only place for emojis
+    "all_good": {"en": "All good", "ar": "يا قوت"},
+    "almost_there": {"en": "Almost there", "ar": "قريب"},
+    "fix_and_retry": {"en": "Fix and try again", "ar": "أصلح وحاول مرة ثانية"},
+
+    # Score comments (Omar style - one per score range)
+    "score_90": {"en": "Beast mode. This is clean.", "ar": "يا وحش… هذا اسمه شغل."},
+    "score_75": {"en": "Solid. A couple tweaks and you're set.", "ar": "ممتاز… باقي كم لمسة وتكمل."},
+    "score_60": {"en": "Decent. Fix the items below.", "ar": "زين… بس سوّ اللي تحت."},
+    "score_40": {"en": "Needs work. We're not here to panic, just fix it.", "ar": "نحتاج نرتّب… بس لا تقلق."},
+    "score_0": {"en": "Hold up. We stopped you for a reason.", "ar": "وقف… وقفناك لسبب."},
+
+    # Section markers (◉ prefix)
+    "scan": {"en": "scan", "ar": "فحص"},
+    "plan": {"en": "plan", "ar": "خطة"},
+    "apply": {"en": "apply", "ar": "تطبيق"},
+    "guard": {"en": "guard", "ar": "حماية"},
+
+    # Action markers
+    "created": {"en": "created", "ar": "تم"},
+    "updated": {"en": "updated", "ar": "تحديث"},
+    "skipped": {"en": "skipped", "ar": "تخطّي"},
+
+    # Status messages
+    "commit_guard_enabled": {"en": "commit guard enabled", "ar": "حماية الكوميت مفعّلة"},
+    "install_failed": {"en": "install failed", "ar": "فشل التثبيت"},
+    "not_initialized": {"en": "Not initialized", "ar": "غير مهيّأ"},
+
+    # Labels
+    "detected": {"en": "Detected", "ar": "اكتشف"},
+    "packs": {"en": "Packs", "ar": "حزم"},
+    "why": {"en": "why", "ar": "لماذا"},
+    "suggested": {"en": "suggested", "ar": "مقترح"},
+    "issues": {"en": "issue(s)", "ar": "مشكلة"},
+    "file_s": {"en": "file(s)", "ar": "ملف"},
+
+    # Hint prefixes
+    "fix": {"en": "Fix", "ar": "الحل"},
+    "run": {"en": "Run", "ar": "شغّل"},
+    "warning": {"en": "heads up", "ar": "تنبيه"},
+
+    # Scan modes
+    "mode": {"en": "mode", "ar": "الوضع"},
+    "mode_fast": {"en": "fast", "ar": "سريع"},
+    "mode_deep": {"en": "deep", "ar": "عميق"},
+}
+
+
+_current_lang: str | None = None
+
+
+def detect_lang() -> str:
+    """Detect language from environment. Priority: BOOTSEC_LANG > LANG/LC_ALL > en."""
+    # Check explicit setting
+    bootsec_lang = os.environ.get("BOOTSEC_LANG", "").lower()
+    if bootsec_lang in (LANG_AR, LANG_EN):
+        return bootsec_lang
+
+    # Check system locale
+    for var in ("LANG", "LC_ALL", "LC_MESSAGES"):
+        val = os.environ.get(var, "").lower()
+        if val.startswith("ar"):
+            return LANG_AR
+
+    return LANG_EN
+
+
+def set_lang(lang: str) -> None:
+    """Override the detected language."""
+    global _current_lang
+    if lang in (LANG_AR, LANG_EN, "auto"):
+        _current_lang = None if lang == "auto" else lang
+
+
+def get_lang() -> str:
+    """Get current language."""
+    if _current_lang is not None:
+        return _current_lang
+    return detect_lang()
+
+
+def t(key: str) -> str:
+    """Translate a message key to current language."""
+    lang = get_lang()
+    msg = MESSAGES.get(key, {})
+    return msg.get(lang, msg.get("en", key))
+
+
+def parse_lang_arg(args: list[str]) -> list[str]:
+    """Parse --lang flag from args and set language. Returns args without --lang."""
+    result = []
+    i = 0
+    while i < len(args):
+        if args[i] == "--lang" and i + 1 < len(args):
+            set_lang(args[i + 1].lower())
+            i += 2
+        else:
+            result.append(args[i])
+            i += 1
+    return result

bootsec/loader.py

@@ -0,0 +1,27 @@
+from importlib import resources
+
+
+def get_template(category: str, name: str) -> str:
+    try:
+        return resources.files("bootsec.templates").joinpath(category, name).read_text()
+    except FileNotFoundError:
+        pass
+
+    try:
+        return resources.files("bootsec.templates").joinpath("common", name).read_text()
+    except FileNotFoundError:
+        return ""
+
+
+def render(template: str, **variables: str) -> str:
+    result = template
+    for key, value in variables.items():
+        result = result.replace(f"{{{{{key}}}}}", str(value))
+    return result
+
+
+def get_pack_template(pack_name: str, name: str) -> str:
+    try:
+        return resources.files("bootsec.templates").joinpath("packs", pack_name, name).read_text()
+    except (FileNotFoundError, TypeError):
+        return ""