codesecure-core 1.0.0b10__tar.gz

codesecure_core-1.0.0b10/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 noviqtechnologies
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

codesecure_core-1.0.0b10/PKG-INFO

@@ -0,0 +1,101 @@
+Metadata-Version: 2.4
+Name: codesecure-core
+Version: 1.0.0b10
+Summary: Enterprise-grade security analysis core engine
+License: MIT
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: pydantic>=2.0.0
+Requires-Dist: jinja2>=3.1.0
+Requires-Dist: asyncio>=3.4.3
+Requires-Dist: rich>=13.0.0
+Requires-Dist: mermaid-py>=0.1.0
+Requires-Dist: markdown>=3.5.2
+Requires-Dist: pygments>=2.17.2
+Requires-Dist: packaging>=24.0
+Requires-Dist: bandit>=1.7.0
+Requires-Dist: semgrep>=1.0.0; sys_platform != "win32"
+Requires-Dist: checkov>=3.0.0
+Requires-Dist: detect-secrets>=1.4.0
+Requires-Dist: pip-audit>=2.0.0
+Requires-Dist: pip-licenses>=4.0.0
+Requires-Dist: pyyaml>=6.0
+Provides-Extra: google
+Requires-Dist: google-generativeai>=0.3.0; extra == "google"
+Provides-Extra: openai
+Requires-Dist: openai>=1.0.0; extra == "openai"
+Provides-Extra: aws
+Provides-Extra: all
+Requires-Dist: codesecure-core[aws,google,openai]; extra == "all"
+Dynamic: license-file
+
+# CodeSecure Core (`codesecure-core`)
+
+The `codesecure-core` package is the programmatic orchestration brain of the CodeSecure platform. It provides the centralized, stateless logic for executing security scanners, managing asynchronous jobs, and enriching findings with AI models.
+
+## 🎯 Module Purpose
+
+This package encapsulates the strict business logic of the platform, adhering to a "Thin Client" architecture. It does not export command-line (CLI) applications or MCP Transport interfaces directly. Instead, it provides a stable Python API (Singletons) designed to be consumed by other packages in the CodeSecure monorepo, such as `codesecure-cli` and `codesecure-mcp`.
+
+## 📦 Local Installation
+
+Because `core` has no dependency on the UI/CLI layer, it can be installed natively for programmatic API usage.
+
+```bash
+cd packages/core
+python -m venv .venv
+
+# Install the core logic with basic SAST scanners
+pip install -e .
+
+# [Optional] Install AI providers (Google Gemini or Kiro CLI dependencies)
+pip install -e .[google,aws]
+```
+
+## 🔌 Exported APIs & Features
+
+The Core package exposes Manager classes via the Singleton pattern:
+
+1. **`ScannerEngine`**: Orchestrates local/container execution for Bandit, Semgrep, Checkov, detect-secrets, npm-audit, pip-audit, etc.
+   ```python
+   from codesecure.scanners.engine import get_scanner_engine
+   ```
+2. **`JobManager`**: Async execution tracking, lock management, TTL limits, and progress percentages.
+   ```python
+   from codesecure.jobs.manager import get_job_manager
+   ```
+3. **`AIProviderManager`**: Abstracts batch prompting against Gemini and Kiro. Calculates False Positive tracking dynamically.
+   ```python
+   from codesecure.ai_providers.manager import get_ai_manager
+   ```
+
+## 🛠️ Integration Example
+
+Here is how a downstream module (like the MCP server) imports and utilizes the core library programmatically:
+
+```python
+import asyncio
+from pathlib import Path
+from codesecure.common.models import ScanMode, CloudProvider
+from codesecure.scanners.engine import get_scanner_engine
+
+async def programmatically_scan(target_dir: str):
+    scan_path = Path(target_dir).resolve()
+    engine = get_scanner_engine()
+    
+    # Check available scanners
+    available = engine.get_available_scanners(ScanMode.LOCAL)
+    print(f"Scanners ready: {available}")
+    
+    # Run a unified scan seamlessly combining multiple tools
+    result = await engine.run_scan(
+        path=scan_path,
+        mode=ScanMode.LOCAL,
+        cloud_provider=CloudProvider.NONE
+    )
+    
+    print(f"Total findings discovered: {len(result.findings)}")
+
+asyncio.run(programmatically_scan("./my_project"))
+```

codesecure_core-1.0.0b10/README.md

@@ -0,0 +1,69 @@
+# CodeSecure Core (`codesecure-core`)
+
+The `codesecure-core` package is the programmatic orchestration brain of the CodeSecure platform. It provides the centralized, stateless logic for executing security scanners, managing asynchronous jobs, and enriching findings with AI models.
+
+## 🎯 Module Purpose
+
+This package encapsulates the strict business logic of the platform, adhering to a "Thin Client" architecture. It does not export command-line (CLI) applications or MCP Transport interfaces directly. Instead, it provides a stable Python API (Singletons) designed to be consumed by other packages in the CodeSecure monorepo, such as `codesecure-cli` and `codesecure-mcp`.
+
+## 📦 Local Installation
+
+Because `core` has no dependency on the UI/CLI layer, it can be installed natively for programmatic API usage.
+
+```bash
+cd packages/core
+python -m venv .venv
+
+# Install the core logic with basic SAST scanners
+pip install -e .
+
+# [Optional] Install AI providers (Google Gemini or Kiro CLI dependencies)
+pip install -e .[google,aws]
+```
+
+## 🔌 Exported APIs & Features
+
+The Core package exposes Manager classes via the Singleton pattern:
+
+1. **`ScannerEngine`**: Orchestrates local/container execution for Bandit, Semgrep, Checkov, detect-secrets, npm-audit, pip-audit, etc.
+   ```python
+   from codesecure.scanners.engine import get_scanner_engine
+   ```
+2. **`JobManager`**: Async execution tracking, lock management, TTL limits, and progress percentages.
+   ```python
+   from codesecure.jobs.manager import get_job_manager
+   ```
+3. **`AIProviderManager`**: Abstracts batch prompting against Gemini and Kiro. Calculates False Positive tracking dynamically.
+   ```python
+   from codesecure.ai_providers.manager import get_ai_manager
+   ```
+
+## 🛠️ Integration Example
+
+Here is how a downstream module (like the MCP server) imports and utilizes the core library programmatically:
+
+```python
+import asyncio
+from pathlib import Path
+from codesecure.common.models import ScanMode, CloudProvider
+from codesecure.scanners.engine import get_scanner_engine
+
+async def programmatically_scan(target_dir: str):
+    scan_path = Path(target_dir).resolve()
+    engine = get_scanner_engine()
+    
+    # Check available scanners
+    available = engine.get_available_scanners(ScanMode.LOCAL)
+    print(f"Scanners ready: {available}")
+    
+    # Run a unified scan seamlessly combining multiple tools
+    result = await engine.run_scan(
+        path=scan_path,
+        mode=ScanMode.LOCAL,
+        cloud_provider=CloudProvider.NONE
+    )
+    
+    print(f"Total findings discovered: {len(result.findings)}")
+
+asyncio.run(programmatically_scan("./my_project"))
+```

codesecure_core-1.0.0b10/pyproject.toml

@@ -0,0 +1,40 @@
+[build-system]
+requires = ["setuptools>=61.0", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "codesecure-core"
+version = "1.0.0b10"
+description = "Enterprise-grade security analysis core engine"
+readme = "README.md"
+requires-python = ">=3.10"
+license = {text = "MIT"}
+dependencies = [
+    "pydantic>=2.0.0",
+    "jinja2>=3.1.0",
+    "asyncio>=3.4.3",
+    "rich>=13.0.0",
+    "mermaid-py>=0.1.0",
+    "markdown>=3.5.2",
+    "pygments>=2.17.2",
+    "packaging>=24.0",
+    # Scanners
+    "bandit>=1.7.0",
+    "semgrep>=1.0.0; sys_platform != 'win32'",
+    "checkov>=3.0.0",
+    "detect-secrets>=1.4.0",
+    "pip-audit>=2.0.0",
+    "pip-licenses>=4.0.0",
+    "pyyaml>=6.0",
+]
+
+[project.optional-dependencies]
+google = ["google-generativeai>=0.3.0"]
+openai = ["openai>=1.0.0"]
+# aws = ["kiro-cli>=1.0.0"] # Dependency not found on PyPI, needs custom registry or verification
+aws = []
+all = ["codesecure-core[google,openai,aws]"]
+
+[tool.setuptools.packages.find]
+where = ["src"]
+include = ["codesecure*"]

codesecure_core-1.0.0b10/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

codesecure_core-1.0.0b10/setup.py

@@ -0,0 +1,5 @@
+from setuptools import setup
+
+# Delegate to pyproject.toml
+if __name__ == "__main__":
+    setup()

codesecure_core-1.0.0b10/src/codesecure/__init__.py

@@ -0,0 +1,19 @@
+"""
+CodeSecure - Enterprise Security Analysis Platform.
+"""
+
+try:
+    from importlib.metadata import version, PackageNotFoundError
+except ImportError:
+    # Fallback for Python < 3.8
+    try:
+        from importlib_metadata import version, PackageNotFoundError
+    except ImportError:
+        version = lambda _: "unknown"
+        PackageNotFoundError = Exception
+
+try:
+    __version__ = version("codesecure-core")
+except (PackageNotFoundError, NameError):
+    # Fallback for development where the package is not installed
+    __version__ = "1.0.0b9"

codesecure_core-1.0.0b10/src/codesecure/ai_providers/anthropic_provider.py

@@ -0,0 +1,144 @@
+import asyncio
+from typing import List, Dict, Any, Optional
+
+from codesecure.common.models import Finding, EnhancedFinding
+from codesecure.common.logging import get_logger
+from codesecure.ai_providers.base import (
+    BaseAIProvider, 
+    AIProviderType, 
+    AIProviderStatus,
+)
+from codesecure.ai_providers.prompts import GenericPromptBuilder, GenericMarkdownParser
+from codesecure.common.config import get_env
+
+logger = get_logger(__name__)
+
+
+class AnthropicWrapper(BaseAIProvider):
+    """Anthropic Provider Implementation"""
+    
+    PROVIDER_TYPE = AIProviderType.AWS  # Currently aliased/planned for AWS Bedrock or direct Anthropic
+    
+    def __init__(self):
+        self.prompt_builder = GenericPromptBuilder()
+        self.parser = GenericMarkdownParser()
+        self._api_key = get_env("CODESECURE_ANTHROPIC_API_KEY", "")
+        self._model = get_env("CODESECURE_ANTHROPIC_MODEL", "claude-3-5-sonnet-20241022")
+        
+    def _get_client(self):
+        try:
+             import anthropic
+             return anthropic.AsyncAnthropic(api_key=self._api_key)
+        except ImportError:
+             raise RuntimeError("anthropic SDK not installed")
+
+    def set_api_key(self, api_key: str):
+        self._api_key = api_key
+
+    def set_model(self, model: str):
+        self._model = model
+             
+    @property
+    def is_available(self) -> bool:
+        try:
+            import anthropic
+            return bool(self._api_key)
+        except ImportError:
+            return False
+            
+    async def check_availability(self) -> tuple[AIProviderStatus, str]:
+        try:
+            import anthropic
+        except ImportError:
+            return AIProviderStatus.UNAVAILABLE, "Anthropic SDK not found (install with 'pip install anthropic')"
+            
+        if not self._api_key:
+             return AIProviderStatus.UNAVAILABLE, "CODESECURE_ANTHROPIC_API_KEY is not set"
+             
+        return AIProviderStatus.AVAILABLE, "Ready"
+
+    def _classify_error(self, err_msg: str, status_code: Optional[int] = None) -> str:
+        err_lower = err_msg.lower()
+        if status_code in (401, 403) or any(w in err_lower for w in ["invalid x-api-key", "authentication"]):
+             return "auth"
+        if status_code == 429 or any(w in err_lower for w in ["rate_limit", "too many requests"]):
+             return "rate_limit"
+        return "other"
+
+    async def test_connection(self) -> tuple[AIProviderStatus, str]:
+        status, msg = await self.check_availability()
+        if status != AIProviderStatus.AVAILABLE:
+             return status, msg
+             
+        try:
+            client = self._get_client()
+            logger.info("Validating Anthropic API key with model %s...", self._model)
+            await client.messages.create(
+                model=self._model,
+                messages=[{"role": "user", "content": "Reply with 'ok'"}],
+                max_tokens=5,
+            )
+            return AIProviderStatus.AVAILABLE, "Ready"
+        except Exception as e:
+            err_type = self._classify_error(str(e), getattr(e, "status_code", None))
+            if err_type == "auth":
+                 return AIProviderStatus.ERROR, f"Anthropic Auth Error: {e}"
+            if err_type == "rate_limit":
+                 return AIProviderStatus.ERROR, f"Anthropic Rate Limit Error: {e}"
+            return AIProviderStatus.ERROR, f"Anthropic Connection Failed: {str(e)}"
+
+    async def analyze_findings_batch(
+        self, 
+        findings: List[Finding], 
+        code_contexts: Dict[str, str],
+        batch_size: int = 10,
+        app_context: Optional[Dict[str, Any]] = None,
+        is_workspace_scan: bool = False
+    ) -> List[EnhancedFinding]:
+        
+        if not findings:
+            return []
+            
+        client = self._get_client()
+        prompt = self.prompt_builder.build_batch_prompt(findings, app_context=app_context, is_workspace_scan=is_workspace_scan)
+        
+        system_prompt = (
+            "You are CodeSecure, an expert AI security assistant. "
+            "Analyze security findings and provide remediation in Markdown format. "
+            "Follow the ZERO-CHATTER RULE: remediation code blocks must contain "
+            "ONLY pure source code, no explanations."
+        )
+        
+        try:
+            logger.info("Sending batch of %d findings to Anthropic (%s)...", len(findings), self._model)
+            
+            response = await client.messages.create(
+                model=self._model,
+                system=system_prompt,
+                messages=[
+                    {"role": "user", "content": prompt}
+                ],
+                temperature=0.2,
+                max_tokens=4096,
+            )
+            
+            text = response.content[0].text if response.content else ""
+            logger.debug("Received AI response length: %d characters", len(text))
+            
+            return self.parser.parse(text, findings)
+            
+        except Exception as e:
+            err_type = self._classify_error(str(e), getattr(e, "status_code", None))
+            if err_type == "rate_limit":
+                 raise RuntimeError(f"Anthropic Rate Limit Exceeded: {e}")
+            logger.exception("Anthropic Analysis failed: %s", e)
+            raise e
+
+    def enhance_finding(self, finding: Finding, analysis: Any) -> EnhancedFinding:
+        pass
+        
+    async def generate_stride_analysis(self, repo_path: Any, category: str) -> Dict[str, Any]:
+        return {"error": "Not implemented"}
+
+def get_anthropic_wrapper() -> AnthropicWrapper:
+    return AnthropicWrapper()