clonebox 1.1.18__py3-none-any.whl → 1.1.20__py3-none-any.whl

clonebox/health/probes.py

@@ -8,6 +8,7 @@ from abc import ABC, abstractmethod
 from datetime import datetime
 from typing import Optional
 
+from clonebox.policies import PolicyEngine, PolicyViolationError
 from .models import HealthCheckResult, HealthStatus, ProbeConfig
 
 try:
@@ -57,6 +58,19 @@ class HTTPProbe(HealthProbe):
 
         start = time.time()
         try:
+            policy = PolicyEngine.load_effective()
+            if policy is not None:
+                try:
+                    policy.assert_url_allowed(config.url)
+                except PolicyViolationError as e:
+                    duration_ms = (time.time() - start) * 1000
+                    return self._create_result(
+                        config,
+                        HealthStatus.UNHEALTHY,
+                        duration_ms,
+                        error=str(e),
+                    )
+
             req = urllib.request.Request(
                 config.url,
                 method=config.method,

clonebox/policies/__init__.py

@@ -0,0 +1,13 @@
+from .engine import PolicyEngine, PolicyValidationError, PolicyViolationError
+from .models import PolicyFile, PolicySet, NetworkPolicy, OperationsPolicy, ResourcesPolicy
+
+__all__ = [
+    "PolicyEngine",
+    "PolicyValidationError",
+    "PolicyViolationError",
+    "PolicyFile",
+    "PolicySet",
+    "NetworkPolicy",
+    "OperationsPolicy",
+    "ResourcesPolicy",
+]

clonebox/policies/engine.py

@@ -0,0 +1,112 @@
+from __future__ import annotations
+
+import fnmatch
+from dataclasses import dataclass
+from pathlib import Path
+from typing import List, Optional
+
+import yaml
+
+from .models import PolicyFile
+from .validators import extract_hostname, is_host_allowed
+
+
+class PolicyValidationError(ValueError):
+    pass
+
+
+class PolicyViolationError(PermissionError):
+    pass
+
+
+DEFAULT_PROJECT_POLICY_FILES = (".clonebox-policy.yaml", ".clonebox-policy.yml")
+DEFAULT_GLOBAL_POLICY_FILE = Path.home() / ".clonebox.d" / "policy.yaml"
+
+
+@dataclass(frozen=True)
+class PolicyEngine:
+    policy: PolicyFile
+    source: Path
+
+    @classmethod
+    def load(cls, path: Path) -> "PolicyEngine":
+        try:
+            raw = yaml.safe_load(path.read_text())
+        except Exception as e:
+            raise PolicyValidationError(f"Failed to read policy file {path}: {e}")
+
+        if not isinstance(raw, dict):
+            raise PolicyValidationError("Policy file must be a YAML mapping")
+
+        try:
+            policy = PolicyFile.model_validate(raw)
+        except Exception as e:
+            raise PolicyValidationError(str(e))
+
+        return cls(policy=policy, source=path)
+
+    @classmethod
+    def find_policy_file(cls, start: Optional[Path] = None) -> Optional[Path]:
+        start_path = (start or Path.cwd()).expanduser().resolve()
+        if start_path.is_file():
+            start_path = start_path.parent
+
+        current = start_path
+        while True:
+            for name in DEFAULT_PROJECT_POLICY_FILES:
+                candidate = current / name
+                if candidate.exists() and candidate.is_file():
+                    return candidate
+
+            if current.parent == current:
+                break
+            current = current.parent
+
+        if DEFAULT_GLOBAL_POLICY_FILE.exists() and DEFAULT_GLOBAL_POLICY_FILE.is_file():
+            return DEFAULT_GLOBAL_POLICY_FILE
+
+        return None
+
+    @classmethod
+    def load_effective(cls, start: Optional[Path] = None) -> Optional["PolicyEngine"]:
+        policy_path = cls.find_policy_file(start=start)
+        if not policy_path:
+            return None
+        return cls.load(policy_path)
+
+    def assert_url_allowed(self, url: str) -> None:
+        network = self.policy.policies.network
+        if network is None:
+            return
+
+        hostname = extract_hostname(url)
+        if not hostname:
+            raise PolicyViolationError(f"URL has no hostname: {url}")
+
+        if not is_host_allowed(hostname, network.allowlist, network.blocklist):
+            raise PolicyViolationError(f"Network access denied by policy: {hostname}")
+
+    @staticmethod
+    def _operation_matches(operation: str, pattern: str) -> bool:
+        operation = (operation or "").strip().lower()
+        pattern = (pattern or "").strip().lower()
+        if not operation or not pattern:
+            return False
+        return fnmatch.fnmatch(operation, pattern)
+
+    def requires_approval(self, operation: str) -> bool:
+        ops = self.policy.policies.operations
+        if ops is None:
+            return False
+
+        if any(self._operation_matches(operation, p) for p in ops.auto_approve or []):
+            return False
+        return any(
+            self._operation_matches(operation, p) for p in ops.require_approval or []
+        )
+
+    def assert_operation_approved(self, operation: str, approved: bool) -> None:
+        if self.requires_approval(operation) and not approved:
+            raise PolicyViolationError(
+                f"Operation requires approval by policy: {operation} (pass --approve)"
+            )

clonebox/policies/models.py

@@ -0,0 +1,55 @@
+from __future__ import annotations
+
+from typing import List, Optional
+
+from pydantic import BaseModel, Field, field_validator
+
+
+class NetworkPolicy(BaseModel):
+    allowlist: List[str] = Field(default_factory=list)
+    blocklist: List[str] = Field(default_factory=list)
+
+    @field_validator("allowlist", "blocklist")
+    @classmethod
+    def _validate_patterns(cls, v: List[str]) -> List[str]:
+        if v is None:
+            return []
+        if not isinstance(v, list):
+            raise TypeError("must be a list")
+        for item in v:
+            if not isinstance(item, str) or not item.strip():
+                raise ValueError("patterns must be non-empty strings")
+        return v
+
+
+class OperationsPolicy(BaseModel):
+    require_approval: List[str] = Field(default_factory=list)
+    auto_approve: List[str] = Field(default_factory=list)
+
+    @field_validator("require_approval", "auto_approve")
+    @classmethod
+    def _validate_ops(cls, v: List[str]) -> List[str]:
+        if v is None:
+            return []
+        if not isinstance(v, list):
+            raise TypeError("must be a list")
+        for item in v:
+            if not isinstance(item, str) or not item.strip():
+                raise ValueError("operation names must be non-empty strings")
+        return v
+
+
+class ResourcesPolicy(BaseModel):
+    max_vms_per_user: Optional[int] = None
+    max_disk_gb: Optional[int] = None
+
+
+class PolicySet(BaseModel):
+    network: Optional[NetworkPolicy] = None
+    operations: Optional[OperationsPolicy] = None
+    resources: Optional[ResourcesPolicy] = None
+
+
+class PolicyFile(BaseModel):
+    version: str
+    policies: PolicySet

clonebox/policies/validators.py

@@ -0,0 +1,26 @@
+from __future__ import annotations
+
+import fnmatch
+from typing import List
+from urllib.parse import urlparse
+
+
+def extract_hostname(url: str) -> str:
+    parsed = urlparse(url)
+    return (parsed.hostname or "").strip().lower()
+
+
+def host_matches(hostname: str, pattern: str) -> bool:
+    hostname = (hostname or "").strip().lower()
+    pattern = (pattern or "").strip().lower()
+    if not hostname or not pattern:
+        return False
+    return fnmatch.fnmatch(hostname, pattern)
+
+
+def is_host_allowed(hostname: str, allowlist: List[str], blocklist: List[str]) -> bool:
+    if any(host_matches(hostname, p) for p in blocklist or []):
+        return False
+    if allowlist:
+        return any(host_matches(hostname, p) for p in allowlist)
+    return True

clonebox/validator.py

@@ -32,8 +32,8 @@ class VMValidator:
         self.require_running_apps = require_running_apps
         self.smoke_test = smoke_test
         self.results = {
-            "mounts": {"passed": 0, "failed": 0, "total": 0, "details": []},
-            "packages": {"passed": 0, "failed": 0, "total": 0, "details": []},
+            "mounts": {"passed": 0, "failed": 0, "skipped": 0, "total": 0, "details": []},
+            "packages": {"passed": 0, "failed": 0, "skipped": 0, "total": 0, "details": []},
             "snap_packages": {
                 "passed": 0,
                 "failed": 0,
@@ -41,7 +41,8 @@ class VMValidator:
                 "total": 0,
                 "details": [],
             },
-            "services": {"passed": 0, "failed": 0, "total": 0, "details": []},
+            "services": {"passed": 0, "failed": 0, "skipped": 0, "total": 0, "details": []},
+            "disk": {"usage_pct": 0, "avail": "0", "total": "0"},
             "apps": {"passed": 0, "failed": 0, "skipped": 0, "total": 0, "details": []},
             "smoke": {"passed": 0, "failed": 0, "skipped": 0, "total": 0, "details": []},
             "overall": "unknown",
@@ -129,6 +130,7 @@ class VMValidator:
 
     def validate_mounts(self) -> Dict:
         """Validate all mount points and copied data paths."""
+        setup_in_progress = self._setup_in_progress_cache is True
         self.console.print("\n[bold]💾 Validating Mounts & Data...[/]")
 
         paths = self.config.get("paths", {})
@@ -145,7 +147,13 @@ class VMValidator:
         mount_output = self._exec_in_vm("mount | grep 9p")
         mounted_paths = []
         if mount_output:
-            mounted_paths = [line.split()[2] for line in mount_output.split("\n") if line.strip()]
+            for line in mount_output.split("\n"):
+                line = line.strip()
+                if not line:
+                    continue
+                parts = line.split()
+                if len(parts) >= 3:
+                    mounted_paths.append(parts[2])
 
         mount_table = Table(title="Data Validation", border_style="cyan")
         mount_table.add_column("Guest Path", style="bold")
@@ -154,7 +162,6 @@ class VMValidator:
         mount_table.add_column("Files", justify="right")
 
         # Validate bind mounts (paths)
-        setup_in_progress = self._setup_in_progress() is True
         for host_path, guest_path in paths.items():
             self.results["mounts"]["total"] += 1
             
@@ -185,6 +192,7 @@ class VMValidator:
             elif setup_in_progress:
                 status_icon = "[yellow]⏳ Pending[/]"
                 status = "pending"
+                self.results["mounts"]["skipped"] += 1
             else:
                 status_icon = "[red]❌ Not Mounted[/]"
                 self.results["mounts"]["failed"] += 1
@@ -225,6 +233,7 @@ class VMValidator:
             elif setup_in_progress:
                 status_icon = "[yellow]⏳ Pending[/]"
                 status = "pending"
+                self.results["mounts"]["skipped"] += 1
             else:
                 status_icon = "[red]❌ Missing[/]"
                 self.results["mounts"]["failed"] += 1
@@ -249,6 +258,7 @@ class VMValidator:
 
     def validate_packages(self) -> Dict:
         """Validate APT packages are installed."""
+        setup_in_progress = self._setup_in_progress() is True
         self.console.print("\n[bold]📦 Validating APT Packages...[/]")
 
         packages = self.config.get("packages", [])
@@ -256,14 +266,17 @@ class VMValidator:
             self.console.print("[dim]No APT packages configured[/]")
             return self.results["packages"]
 
+        total_pkgs = len(packages)
+        self.console.print(f"[dim]Checking {total_pkgs} packages via QGA...[/]")
+
         pkg_table = Table(title="Package Validation", border_style="cyan")
         pkg_table.add_column("Package", style="bold")
         pkg_table.add_column("Status", justify="center")
         pkg_table.add_column("Version", style="dim")
 
-        setup_in_progress = self._setup_in_progress() is True
-
-        for package in packages:
+        for idx, package in enumerate(packages, 1):
+            if idx == 1 or idx % 25 == 0 or idx == total_pkgs:
+                self.console.print(f"[dim]   ...packages progress: {idx}/{total_pkgs}[/]")
             self.results["packages"]["total"] += 1
 
             # Check if installed
@@ -279,6 +292,7 @@ class VMValidator:
             else:
                 if setup_in_progress:
                     pkg_table.add_row(package, "[yellow]⏳ Pending[/]", "")
+                    self.results["packages"]["skipped"] += 1
                     self.results["packages"]["details"].append(
                         {"package": package, "installed": False, "version": None, "pending": True}
                     )
@@ -298,6 +312,7 @@ class VMValidator:
 
     def validate_snap_packages(self) -> Dict:
         """Validate snap packages are installed."""
+        setup_in_progress = self._setup_in_progress() is True
         self.console.print("\n[bold]📦 Validating Snap Packages...[/]")
 
         snap_packages = self.config.get("snap_packages", [])
@@ -305,14 +320,17 @@ class VMValidator:
             self.console.print("[dim]No snap packages configured[/]")
             return self.results["snap_packages"]
 
+        total_snaps = len(snap_packages)
+        self.console.print(f"[dim]Checking {total_snaps} snap packages via QGA...[/]")
+
         snap_table = Table(title="Snap Package Validation", border_style="cyan")
         snap_table.add_column("Package", style="bold")
         snap_table.add_column("Status", justify="center")
         snap_table.add_column("Version", style="dim")
 
-        setup_in_progress = self._setup_in_progress() is True
-
-        for package in snap_packages:
+        for idx, package in enumerate(snap_packages, 1):
+            if idx == 1 or idx % 25 == 0 or idx == total_snaps:
+                self.console.print(f"[dim]   ...snap progress: {idx}/{total_snaps}[/]")
             self.results["snap_packages"]["total"] += 1
 
             # Check if installed
@@ -379,6 +397,7 @@ class VMValidator:
 
     def validate_services(self) -> Dict:
         """Validate services are enabled and running."""
+        setup_in_progress = self._setup_in_progress() is True
         self.console.print("\n[bold]⚙️  Validating Services...[/]")
 
         services = self.config.get("services", [])
@@ -386,6 +405,9 @@ class VMValidator:
             self.console.print("[dim]No services configured[/]")
             return self.results["services"]
 
+        total_svcs = len(services)
+        self.console.print(f"[dim]Checking {total_svcs} services via QGA...[/]")
+
         if "skipped" not in self.results["services"]:
             self.results["services"]["skipped"] = 0
 
@@ -396,9 +418,9 @@ class VMValidator:
         svc_table.add_column("PID", justify="right", style="dim")
         svc_table.add_column("Note", style="dim")
 
-        setup_in_progress = self._setup_in_progress() is True
-
-        for service in services:
+        for idx, service in enumerate(services, 1):
+            if idx == 1 or idx % 25 == 0 or idx == total_svcs:
+                self.console.print(f"[dim]   ...services progress: {idx}/{total_svcs}[/]")
             if service in self.VM_EXCLUDED_SERVICES:
                 svc_table.add_row(service, "[dim]—[/]", "[dim]—[/]", "[dim]—[/]", "host-only")
                 self.results["services"]["skipped"] += 1
@@ -414,7 +436,6 @@ class VMValidator:
                 continue
 
             self.results["services"]["total"] += 1
-            setup_in_progress = self._setup_in_progress() is True
 
             enabled_cmd = f"systemctl is-enabled {service} 2>/dev/null"
             enabled_status = self._exec_in_vm(enabled_cmd)
@@ -443,7 +464,9 @@ class VMValidator:
 
             if is_enabled and is_running:
                 self.results["services"]["passed"] += 1
-            elif not setup_in_progress:
+            elif setup_in_progress:
+                self.results["services"]["skipped"] += 1
+            else:
                 self.results["services"]["failed"] += 1
 
             self.results["services"]["details"].append(
@@ -466,6 +489,7 @@ class VMValidator:
         return self.results["services"]
 
     def validate_apps(self) -> Dict:
+        setup_in_progress = self._setup_in_progress() is True
         packages = self.config.get("packages", [])
         snap_packages = self.config.get("snap_packages", [])
         # Support both v1 (app_data_paths) and v2 (copy_paths) config formats
@@ -651,8 +675,6 @@ class VMValidator:
             note = ""
             pending = False
 
-            setup_in_progress = self._setup_in_progress() is True
-
             if app == "firefox":
                 installed = (
                     self._exec_in_vm("command -v firefox >/dev/null 2>&1 && echo yes || echo no")
@@ -718,6 +740,9 @@ class VMValidator:
             if setup_in_progress and not installed:
                 pending = True
                 note = note or "setup in progress"
+            elif setup_in_progress and not profile_ok:
+                pending = True
+                note = note or "profile import in progress"
 
             running_icon = (
                 "[dim]—[/]"
@@ -768,6 +793,7 @@ class VMValidator:
         return self.results["apps"]
 
     def validate_smoke_tests(self) -> Dict:
+        setup_in_progress = self._setup_in_progress() is True
         packages = self.config.get("packages", [])
         snap_packages = self.config.get("snap_packages", [])
         # Support both v1 (app_data_paths) and v2 (copy_paths) config formats
@@ -890,7 +916,6 @@ class VMValidator:
         table.add_column("Launch", justify="center")
         table.add_column("Note", style="dim")
 
-        setup_in_progress = self._setup_in_progress() is True
         for app in expected:
             self.results["smoke"]["total"] += 1
             installed = _installed(app)
@@ -974,6 +999,7 @@ class VMValidator:
 
     def validate_disk_space(self) -> Dict:
         """Validate disk space on root filesystem."""
+        setup_in_progress = self._setup_in_progress() is True
         self.console.print("\n[bold]💾 Validating Disk Space...[/]")
         
         df_output = self._exec_in_vm("df -h / --output=pcent,avail,size | tail -n 1", timeout=20)
@@ -995,10 +1021,10 @@ class VMValidator:
                 "total": total
             }
 
-            if usage_pct > 95:
+            if usage_pct > 90:
                 self.console.print(f"[red]❌ Disk nearly full: {usage_pct}% used ({avail} available of {total})[/]")
                 status = "fail"
-            elif usage_pct > 80:
+            elif usage_pct > 85:
                 self.console.print(f"[yellow]⚠️  Disk usage high: {usage_pct}% used ({avail} available of {total})[/]")
                 status = "warning"
             else:
@@ -1106,6 +1132,7 @@ class VMValidator:
 
     def validate_all(self) -> Dict:
         """Run all validations and return comprehensive results."""
+        setup_in_progress = self._setup_in_progress() is True
         self.console.print("[bold cyan]🔍 Running Full Validation...[/]")
 
         # Check if VM is running
@@ -1129,6 +1156,19 @@ class VMValidator:
             return self.results
 
         # Check QEMU Guest Agent
+        if not self._check_qga_ready():
+            wait_deadline = time.time() + 180
+            self.console.print("[yellow]⏳ Waiting for QEMU Guest Agent (up to 180s)...[/]")
+            last_log = 0
+            while time.time() < wait_deadline:
+                time.sleep(5)
+                if self._check_qga_ready():
+                    break
+                elapsed = int(180 - (wait_deadline - time.time()))
+                if elapsed - last_log >= 15:
+                    self.console.print(f"[dim]   ...still waiting for QGA ({elapsed}s elapsed)[/]")
+                    last_log = elapsed
+
         if not self._check_qga_ready():
             self.console.print("[red]❌ QEMU Guest Agent not responding[/]")
             self.console.print("\n[bold]🔧 Troubleshooting QGA:[/]")
@@ -1143,7 +1183,6 @@ class VMValidator:
             return self.results
 
         ci_status = self._exec_in_vm("cloud-init status --long 2>/dev/null || cloud-init status 2>/dev/null || true", timeout=20)
-        setup_in_progress = False
         if ci_status:
             ci_lower = ci_status.lower()
             if "running" in ci_lower:
@@ -1180,8 +1219,10 @@ class VMValidator:
                 )
 
         # Calculate overall status
+        disk_failed = 1 if self.results.get("disk", {}).get("usage_pct", 0) > 90 else 0
         total_checks = (
-            self.results["mounts"]["total"]
+            1 # Disk space check
+            + self.results["mounts"]["total"]
             + self.results["packages"]["total"]
             + self.results["snap_packages"]["total"]
             + self.results["services"]["total"]
@@ -1190,7 +1231,8 @@ class VMValidator:
         )
 
         total_passed = (
-            self.results["mounts"]["passed"]
+            (1 - disk_failed)
+            + self.results["mounts"]["passed"]
             + self.results["packages"]["passed"]
             + self.results["snap_packages"]["passed"]
             + self.results["services"]["passed"]
@@ -1199,7 +1241,8 @@ class VMValidator:
         )
 
         total_failed = (
-            self.results["mounts"]["failed"]
+            disk_failed
+            + self.results["mounts"]["failed"]
             + self.results["packages"]["failed"]
             + self.results["snap_packages"]["failed"]
             + self.results["services"]["failed"]
@@ -1207,12 +1250,14 @@ class VMValidator:
             + (self.results["smoke"]["failed"] if self.smoke_test else 0)
         )
 
-        # Get skipped services count
+        # Get skipped counts
+        skipped_mounts = self.results["mounts"].get("skipped", 0)
+        skipped_packages = self.results["packages"].get("skipped", 0)
         skipped_services = self.results["services"].get("skipped", 0)
         skipped_snaps = self.results["snap_packages"].get("skipped", 0)
         skipped_apps = self.results["apps"].get("skipped", 0)
         skipped_smoke = self.results["smoke"].get("skipped", 0) if self.smoke_test else 0
-        total_skipped = skipped_services + skipped_snaps + skipped_apps + skipped_smoke
+        total_skipped = skipped_mounts + skipped_packages + skipped_services + skipped_snaps + skipped_apps + skipped_smoke
 
         # Print summary
         self.console.print("\n[bold]📊 Validation Summary[/]")
@@ -1220,21 +1265,38 @@ class VMValidator:
         summary_table.add_column("Category", style="bold")
         summary_table.add_column("Passed", justify="right", style="green")
         summary_table.add_column("Failed", justify="right", style="red")
-        summary_table.add_column("Skipped", justify="right", style="dim")
+        summary_table.add_column("Skipped/Pending", justify="right", style="dim")
         summary_table.add_column("Total", justify="right")
 
+        # Add Disk Space row
+        disk_usage_pct = self.results.get("disk", {}).get("usage_pct", 0)
+        disk_avail = self.results.get("disk", {}).get("avail", "?")
+        disk_total = self.results.get("disk", {}).get("total", "?")
+        
+        # Calculate used space if possible
+        disk_status_passed = "[green]OK[/]" if disk_usage_pct <= 90 else "—"
+        disk_status_failed = "—" if disk_usage_pct <= 90 else f"[red]FULL ({disk_usage_pct}%)[/]"
+
+        summary_table.add_row(
+            "Disk Space",
+            disk_status_passed,
+            disk_status_failed,
+            "—",
+            f"{disk_usage_pct}% of {disk_total} ({disk_avail} free)",
+        )
+        
         summary_table.add_row(
             "Mounts",
             str(self.results["mounts"]["passed"]),
             str(self.results["mounts"]["failed"]),
-            "—",
+            str(skipped_mounts) if skipped_mounts else "—",
             str(self.results["mounts"]["total"]),
         )
         summary_table.add_row(
             "APT Packages",
             str(self.results["packages"]["passed"]),
             str(self.results["packages"]["failed"]),
-            "—",
+            str(skipped_packages) if skipped_packages else "—",
             str(self.results["packages"]["total"]),
         )
         summary_table.add_row(
@@ -1248,7 +1310,7 @@ class VMValidator:
             "Services",
             str(self.results["services"]["passed"]),
             str(self.results["services"]["failed"]),
-            str(skipped_services),
+            str(skipped_services) if skipped_services else "—",
             str(self.results["services"]["total"]),
         )
         summary_table.add_row(

{clonebox-1.1.18.dist-info → clonebox-1.1.20.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: clonebox
-Version: 1.1.18
+Version: 1.1.20
 Summary: Clone your workstation environment to an isolated VM with selective apps, paths and services
 Author: CloneBox Team
 License: Apache-2.0