clinicsentry 0.3.0__tar.gz

clinicsentry-0.3.0/.dockerignore

@@ -0,0 +1,25 @@
+.git
+.github
+.venv
+__pycache__
+*.pyc
+*.pyo
+*.pyd
+.pytest_cache
+.mypy_cache
+.ruff_cache
+htmlcov
+coverage.xml
+.coverage
+.coverage.*
+.DS_Store
+_tmp
+node_modules
+*.log
+*.sqlite
+*.db
+.idea
+.vscode
+deploy/grafana/dashboards-generated
+docs/_build
+site

clinicsentry-0.3.0/.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,29 @@
+---
+name: Bug report
+about: Something behaves incorrectly (for PHI-detection bypasses, see SECURITY.md instead)
+labels: bug
+---
+
+**⚠️ If this is a PHI-detection bypass or any security issue, do NOT file it
+here — follow [SECURITY.md](../../SECURITY.md) for private reporting.**
+
+## What happened
+
+A clear description of the bug.
+
+## Minimal reproduction
+
+```python
+# Smallest snippet that reproduces the issue.
+# NEVER paste real PHI — use synthetic identifiers (e.g. SSN 123-45-6789).
+```
+
+## Expected behavior
+
+## Environment
+
+- clinicsentry version:
+- Python version:
+- OS:
+- Installed extras (e.g. `[phi]`, `[postgres]`):
+- Agent framework + version (if adapter-related):

clinicsentry-0.3.0/.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,5 @@
+blank_issues_enabled: true
+contact_links:
+  - name: Security vulnerability (private)
+    url: https://github.com/aakash1411/clinicsentry/security/advisories/new
+    about: PHI-detection bypasses and other vulnerabilities — never file these as public issues.

clinicsentry-0.3.0/.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Propose a new capability or improvement
+labels: enhancement
+---
+
+## Problem
+
+What clinical-AI compliance problem does this solve? Reference the relevant
+regulation clause (HIPAA / FDA TPLC / IEC 62304 / EU AI Act) if applicable.
+
+## Proposed solution
+
+## Alternatives considered
+
+## Constraints
+
+ClinicSentry is latency-budgeted middleware (≤50 ms p95 total overhead, no
+additional LLM calls on the hot path). Note any expected latency or
+dependency impact.

clinicsentry-0.3.0/.github/pull_request_template.md

@@ -0,0 +1,29 @@
+## Summary
+
+What and why (one paragraph).
+
+## ADR reference
+
+ADR-NNNN (link to `docs/adr/`).
+
+## Changes
+
+- Bullet list of concrete changes.
+
+## Testing
+
+- `pytest -q tests/test_<module>.py`
+- Manual verification steps (if applicable).
+
+## Risk / Compliance
+
+Any HIPAA / FDA / IEC 62304 implications? Reference the rule.
+
+## Checklist
+
+- [ ] Tests added / updated.
+- [ ] Coverage ≥ 85%.
+- [ ] `ruff check`, `ruff format --check`, `mypy --strict` clean.
+- [ ] `CHANGELOG.md` updated under `## [Unreleased]`.
+- [ ] `CHANGELOG.md` updated if this advances a feature.
+- [ ] Any breaking change documented in PR title with `[breaking]`.

clinicsentry-0.3.0/.github/workflows/ci.yml

@@ -0,0 +1,248 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+  workflow_dispatch:
+
+concurrency:
+  group: ci-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+          cache: "pip"
+      - run: pip install -e '.[dev]'
+      - run: ruff format --check .
+      - run: ruff check .
+
+  typecheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+          cache: "pip"
+      - run: pip install -e '.[dev]'
+      - run: mypy
+
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.11", "3.12", "3.13"]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: "pip"
+      - run: pip install -e '.[dev,all]'
+      - run: pytest --cov=clinicsentry --cov-report=xml --cov-report=term -q
+      - name: Upload coverage
+        if: matrix.python-version == '3.11'
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage
+          path: coverage.xml
+
+  import-safety:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - run: pip install -e .
+      - name: Import every public module in a subprocess
+        run: |
+          python - <<'PY'
+          import importlib
+          import pkgutil
+          import sys
+          import clinicsentry
+
+          failed = []
+          for mod in pkgutil.walk_packages(clinicsentry.__path__, prefix="clinicsentry."):
+              if "dashboard" in mod.name or "cli" in mod.name:
+                  continue
+              try:
+                  importlib.import_module(mod.name)
+              except Exception as e:
+                  failed.append((mod.name, repr(e)))
+
+          for name, err in failed:
+              print(f"FAIL: {name}: {err}", file=sys.stderr)
+          sys.exit(1 if failed else 0)
+          PY
+
+  license-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - run: pip install -e '.[dev]' pip-licenses
+      - run: |
+          pip-licenses --format=markdown --order=license \
+            --allow-only="Apache Software License;Apache License 2.0;Apache-2.0;Apache-2.0 OR BSD-2-Clause;Apache-2.0 OR BSD-3-Clause;MIT License;MIT;BSD License;BSD 3-Clause;BSD 2-Clause;BSD-3-Clause;BSD-2-Clause;ISC;ISC License (ISCL);Mozilla Public License 2.0 (MPL 2.0);MPL-2.0;Python Software Foundation License;PSF-2.0;Freely Distributable;The Unlicense (Unlicense);Public Domain"
+
+  security-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - run: pip install -e '.[dev]'
+      - run: pip-audit --strict || true   # advisory until baseline established
+      - run: bandit -r src/clinicsentry -ll -ii
+
+  api-stability:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - run: pip install -e .
+      - name: Check public __all__ surface is non-empty
+        run: |
+          python - <<'PY'
+          import clinicsentry
+          assert clinicsentry.__all__, "clinicsentry.__all__ must not be empty"
+          assert "ClinicSentry" in clinicsentry.__all__
+          print("public surface:", sorted(clinicsentry.__all__))
+          PY
+
+  package-data:
+    # Verifies the compliance YAML rule files are included in both wheel and
+    # sdist artifacts. Without this, `load_default_rulesets()` silently returns
+    # zero rules at runtime, producing empty regulatory reports.
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+          cache: "pip"
+      - run: pip install build
+      - run: python -m build
+      - name: Verify rules YAML in wheel
+        run: |
+          python -m zipfile -l dist/*.whl | grep "compliance/rules/.*\.yaml" | tee /tmp/wheel-yaml.txt
+          test $(wc -l < /tmp/wheel-yaml.txt) -ge 4
+      - name: Verify rules YAML in sdist
+        run: |
+          tar -tzf dist/*.tar.gz | grep "compliance/rules/.*\.yaml" | tee /tmp/sdist-yaml.txt
+          test $(wc -l < /tmp/sdist-yaml.txt) -ge 4
+      - name: Verify default rulesets load from installed wheel
+        run: |
+          python -m venv /tmp/wheelvenv
+          /tmp/wheelvenv/bin/pip install dist/*.whl
+          /tmp/wheelvenv/bin/python -c "
+          from clinicsentry.compliance import load_default_rulesets
+          sets = load_default_rulesets()
+          assert len(sets) == 4, sets
+          assert sum(len(s.rules) for s in sets) >= 14
+          print('OK:', len(sets), 'rulesets')
+          "
+
+  postgres-integration:
+    # Postgres audit backend integration tests via testcontainers. The
+    # ubuntu-latest runner ships a running Docker daemon, so testcontainers
+    # talks to it over the default socket — no docker-in-docker service needed.
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+          cache: "pip"
+      - run: pip install -e '.[dev,postgres]' 'testcontainers[postgres]>=4.0' 'psycopg[binary]>=3.1'
+      - run: pytest tests/test_postgres_integration.py -q
+
+  adapter-sdks:
+    # Real-SDK compatibility tests for each adapter. Each adapter test file
+    # auto-skips when its SDK is not installed, so a fan-out matrix lets each
+    # SDK be installed in its own clean job and tested independently.
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - extra: "langgraph"
+            test: "tests/adapters/test_langgraph_integration.py"
+          - extra: "crewai"
+            test: "tests/adapters/test_crewai_integration.py"
+          - extra: "adk"
+            test: "tests/adapters/test_google_adk_integration.py"
+          - extra: "openai-agents"
+            test: "tests/adapters/test_openai_agents_integration.py"
+          - extra: "claude"
+            test: "tests/adapters/test_claude_sdk_integration.py"
+          - extra: "mcp"
+            test: "tests/adapters/test_mcp_proxy_integration.py"
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+          cache: "pip"
+      - run: pip install -e ".[dev,${{ matrix.extra }}]"
+      - run: pytest ${{ matrix.test }} -q
+
+  heavy-deps:
+    # Heavy PHI detection happy-path runs. Manual / on-demand only because
+    # spaCy model wheels and Tesseract binary inflate runtime significantly
+    # and we don't want them on every PR.
+    if: ${{ contains(github.event.head_commit.message, '[heavy-deps]') || github.event_name == 'workflow_dispatch' }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+          cache: "pip"
+      - name: Install Tesseract
+        run: sudo apt-get update && sudo apt-get install -y tesseract-ocr
+      - run: pip install -e '.[dev,phi,nlp-medical,ocr]'
+      - name: Install spaCy clinical model
+        run: |
+          pip install https://s3-us-west-2.amazonaws.com/ai2-s2-scispacy/releases/v0.5.4/en_core_sci_sm-0.5.4.tar.gz || echo "scispacy model unavailable"
+      - run: pytest tests/test_phi_heavy_deps.py -q
+
+  mutation:
+    # Mutation testing against the four novelty modules. Manually triggered
+    # only — full runs cost ~10 minutes and aren't useful on every PR.
+    if: ${{ contains(github.event.head_commit.message, '[mutation]') || github.event_name == 'workflow_dispatch' }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+          cache: "pip"
+      - run: pip install -e '.[dev]'
+      - name: Run mutmut on each novelty module
+        run: |
+          set -e
+          for module in \
+              src/clinicsentry/phi/propagation.py \
+              src/clinicsentry/audit/chain.py \
+              src/clinicsentry/escalation/confidence.py \
+              src/clinicsentry/meddevice/mode.py; do
+            echo "=== mutmut: $module ==="
+            rm -rf .mutmut-cache
+            mutmut run --paths-to-mutate="$module" --simple-output || true
+            mutmut results
+          done

clinicsentry-0.3.0/.github/workflows/docs.yml

@@ -0,0 +1,27 @@
+name: Docs
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  docstring-check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - run: pip install -e '.[dev]'
+      - run: ruff check --select D --extend-ignore D203,D213,D104,D105,D107 src/clinicsentry
+
+  build-mkdocs:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - run: pip install -e '.[docs]'
+      - run: mkdocs build --strict

clinicsentry-0.3.0/.github/workflows/release.yml

@@ -0,0 +1,109 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*.*.*"
+
+permissions:
+  contents: write
+  id-token: write   # cosign keyless signing + PyPI trusted publishing
+  packages: write
+
+jobs:
+  build-and-sign:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+          cache: "pip"
+
+      - name: Install build tooling
+        run: pip install --upgrade build twine
+
+      - name: Verify tag matches package version
+        run: |
+          PKG_VERSION=$(python -c "import tomllib; print(tomllib.load(open('pyproject.toml','rb'))['project']['version'])")
+          TAG_VERSION="${GITHUB_REF_NAME#v}"
+          if [ "$PKG_VERSION" != "$TAG_VERSION" ]; then
+            echo "Tag $GITHUB_REF_NAME does not match pyproject version $PKG_VERSION" >&2
+            exit 1
+          fi
+
+      - name: Build wheel + sdist
+        run: python -m build
+
+      - name: Validate distribution metadata
+        run: twine check --strict dist/*
+
+      - name: Smoke-test wheel in a clean venv
+        run: |
+          python -m venv /tmp/smoke
+          /tmp/smoke/bin/pip install dist/*.whl
+          /tmp/smoke/bin/python -c "import clinicsentry; print(clinicsentry.__version__)"
+          /tmp/smoke/bin/clinicsentry scan "SSN 123-45-6789" | grep -q "REDACTED"
+
+      - name: Install Syft (SBOM)
+        uses: anchore/sbom-action/download-syft@v0.17.7
+
+      - name: Generate CycloneDX SBOM
+        run: |
+          syft dir:. -o cyclonedx-json=sbom.cyclonedx.json
+          syft dir:. -o spdx-json=sbom.spdx.json
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.7.0
+
+      - name: Sign SBOM (keyless)
+        env:
+          COSIGN_EXPERIMENTAL: "1"
+        run: cosign sign-blob --yes --output-signature sbom.cyclonedx.json.sig sbom.cyclonedx.json
+
+      - name: Build container image
+        run: docker build -t clinicsentry:${{ github.ref_name }} .
+
+      - name: Sign container image (keyless)
+        env:
+          COSIGN_EXPERIMENTAL: "1"
+        run: |
+          docker save clinicsentry:${{ github.ref_name }} -o image.tar
+          cosign sign-blob --yes --output-signature image.tar.sig image.tar
+
+      - name: Upload release artifacts
+        uses: softprops/action-gh-release@v2
+        with:
+          files: |
+            dist/*
+            sbom.cyclonedx.json
+            sbom.spdx.json
+            sbom.cyclonedx.json.sig
+            image.tar.sig
+
+      - name: Store dists for publish job
+        uses: actions/upload-artifact@v4
+        with:
+          name: python-dists
+          path: dist/
+
+  publish-pypi:
+    # Requires a PyPI "trusted publisher" configured for this repo + workflow.
+    # The `pypi` environment gates the publish behind any protection rules you
+    # configure (e.g. required reviewers).
+    needs: build-and-sign
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+    permissions:
+      id-token: write
+    steps:
+      - name: Download dists
+        uses: actions/download-artifact@v4
+        with:
+          name: python-dists
+          path: dist/
+
+      - name: Publish to PyPI (trusted publishing)
+        uses: pypa/gh-action-pypi-publish@release/v1

clinicsentry-0.3.0/.gitignore

@@ -0,0 +1,43 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# Distribution / packaging
+build/
+dist/
+*.egg-info/
+*.egg
+
+# Virtual environments
+.venv/
+venv/
+env/
+
+# IDE
+.idea/
+.vscode/
+*.swp
+*.swo
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Testing / coverage
+.pytest_cache/
+.coverage
+htmlcov/
+.mypy_cache/
+.ruff_cache/
+
+# Temp / scratch
+_tmp/
+
+# Audit files created by demos
+*.sqlite
+*.sqlite3
+clinicsentry_audit.log
+
+# Local agent settings
+.claude/

clinicsentry-0.3.0/.pre-commit-config.yaml

@@ -0,0 +1,36 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.6.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+        exclude: ^deploy/helm/.*/templates/
+      - id: check-toml
+      - id: check-merge-conflict
+      - id: detect-private-key
+      - id: mixed-line-ending
+
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.4.10
+    hooks:
+      - id: ruff
+        args: [--fix, --exit-non-zero-on-fix]
+      - id: ruff-format
+
+  - repo: https://github.com/pre-commit/mirrors-mypy
+    rev: v1.10.0
+    hooks:
+      - id: mypy
+        additional_dependencies:
+          - pydantic>=2.0
+          - types-PyYAML
+        args: [--config-file=pyproject.toml]
+        files: ^src/clinicsentry/
+
+  - repo: https://github.com/PyCQA/bandit
+    rev: 1.7.9
+    hooks:
+      - id: bandit
+        args: [-ll, -ii, -r]
+        files: ^src/clinicsentry/