chimera-api 0.1.1__tar.gz

chimera_api-0.1.1/.gitignore

@@ -0,0 +1,194 @@
+# Dependencies
+node_modules/
+
+# Build output
+dist/
+build/
+dist-*/
+
+# Python
+__pycache__/
+*.pyc
+*.pyo
+.venv/
+*.egg-info/
+.eggs/
+htmlcov/
+.coverage
+.pytest_cache/
+
+# IDE
+.idea/
+.vscode/
+*.swp
+*.swo
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Nx
+.nx/cache
+.nx/workspace-data
+
+# Misc
+*.log
+reports/
+
+# ---- Node ----
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
+
+# Diagnostic reports (https://nodejs.org/api/report.html)
+report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+*.lcov
+
+# nyc test coverage
+.nyc_output
+
+# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+# Bower dependency directory (https://bower.io/)
+bower_components
+
+# node-waf configuration
+.lock-wscript
+
+# Compiled binary addons (https://nodejs.org/api/addons.html)
+build/Release
+
+# Dependency directories
+node_modules/
+jspm_packages/
+
+# Snowpack dependency directory (https://snowpack.dev/)
+web_modules/
+
+# TypeScript cache
+*.tsbuildinfo
+
+# Optional npm cache directory
+.npm
+
+# Optional eslint cache
+.eslintcache
+
+# Optional stylelint cache
+.stylelintcache
+
+# Optional REPL history
+.node_repl_history
+
+# Output of 'npm pack'
+*.tgz
+
+# Yarn Integrity file
+.yarn-integrity
+
+# dotenv environment variable files
+.env
+.env.*
+!.env.example
+
+# direnv
+.envrc
+
+# parcel-bundler cache (https://parceljs.org/)
+.cache
+.parcel-cache
+
+# Next.js build output
+.next
+out
+
+# Nuxt.js build / generate output
+.nuxt
+dist
+.output
+
+# Gatsby files
+.cache/
+# Comment in the public line in if your project uses Gatsby and not Next.js
+# https://nextjs.org/blog/next-9-1#public-directory-support
+# public
+
+# vuepress build output
+.vuepress/dist
+
+# vuepress v2.x temp and cache directory
+.temp
+.cache
+
+# Sveltekit cache directory
+.svelte-kit/
+
+# vitepress build output
+**/.vitepress/dist
+
+# vitepress cache directory
+**/.vitepress/cache
+
+# Docusaurus cache and generated files
+.docusaurus
+
+# Serverless directories
+.serverless/
+
+# FuseBox cache
+.fusebox/
+
+# DynamoDB Local files
+.dynamodb/
+
+# Firebase cache directory
+.firebase/
+
+# TernJS port file
+.tern-port
+
+# Stores VSCode versions used for testing VSCode extensions
+.vscode-test
+
+# pnpm
+.pnpm-store
+
+# yarn v3
+.pnp.*
+.yarn/*
+!.yarn/patches
+!.yarn/plugins
+!.yarn/releases
+!.yarn/sdks
+!.yarn/versions
+
+# Vite files
+vite.config.js.timestamp-*
+vite.config.ts.timestamp-*
+.vite/
+
+
+# Bundled web frontend (built by vite into Flask package)
+apps/vuln-api/app/web_dist/*
+!apps/vuln-api/app/web_dist/.gitkeep
+
+# Agents
+**/reviews/
+backlog/

chimera_api-0.1.1/AGENTS.md

@@ -0,0 +1,38 @@
+# Repository Guidelines
+
+## Project Structure & Ownership
+- `app/`: Flask code split by blueprint domains (`blueprints/`), data layer (`models/`), and helpers (`utils/`).
+- `tests/`: Unit (`tests/unit`), integration (`tests/integration`), and security/vulnerability suites (`tests/vulnerability`, `tests/smoke`).
+- `docs/` and `API-DOCUMENTATION.md`: Endpoint reference and contributor notes; update when adding routes or payload examples.
+- `static/`: Demo assets served by Flask; keep large files out of git.
+- Entrypoints: `app.py` for local dev, `wsgi.py`/`gunicorn.conf.py` for deployment.
+
+## Build, Run, and Dev Workflow
+- `uv sync --extra dev --frozen`: Install Python 3.12 deps into `.venv` (preferred, matches Docker).
+- `uv run python app.py`: Launch locally in vulnerable mode; visit `http://localhost:5000`.
+- `USE_DATABASE=true uv run python app.py`: Enable SQLite-backed SQLi scenarios.
+- `make run` / `make run-vulnerable`: Gunicorn with `DEMO_MODE=full` (intentionally unsafe).
+- `make run-secure`: Hardened mode (`DEMO_MODE=strict`) for control comparisons.
+- Docker: `docker build -t demo-api .` then `docker run -p 8080:80 demo-api` (honors `USE_DATABASE` env var).
+
+## Testing Guidelines
+- Default: `make test` (delegates to `./run_tests.sh all`).
+- Fast feedback: `make test-quick` or `make test-unit`.
+- Security focus: `make test-vulnerability` (pytest `-m vulnerability`), smoke checks via `make test-smoke`.
+- Coverage: `make test-coverage` (fails <80%); HTML report via `make test-report` → `reports/test_report.html`.
+- Naming: use `test_<feature>.py` and pytest-style functions; place fixtures near consuming tests or under `tests/conftest.py`.
+
+## Coding Style & Tooling
+- Formatting: `make format` (black, 120-char lines). Linting: `make lint` (flake8 + pylint; docstring warnings disabled). Fix style before pushing.
+- Prefer explicit imports, typed function signatures where feasible, and small, isolated fixtures for new vulnerabilities.
+- Configuration via env vars: `DEMO_MODE` (`full` vs `strict`), `USE_DATABASE` (enable SQLi), plus feature toggles in `security.py`.
+
+## Commit & PR Expectations
+- Follow Conventional Commits seen in history, e.g., `feat(api)`, `refactor(load-testing)`, `docs(readme)` with scope where meaningful.
+- PRs should include: problem statement, summary of changes, relevant `make`/`uv run` commands executed, and screenshots or curl samples for new endpoints.
+- Keep changes small and grouped by domain blueprint; update docs and tests in the same PR.
+
+## Security & Safe Handling
+- This app is intentionally vulnerable; never point at production data or networks.
+- Run demos in isolated environments, and explicitly set `DEMO_MODE=strict` when showcasing mitigations.
+- Rotate and avoid committing secrets; prefer env vars and keep `.env` files out of version control.