codeshield-ai 0.1.0__py3-none-any.whl

codeshield/trustgate/sandbox.py

@@ -0,0 +1,101 @@
+"""
+TrustGate Sandbox - Daytona integration for code execution
+
+Executes verified code in secure sandbox to confirm it actually runs.
+"""
+
+from typing import Optional
+from dataclasses import dataclass
+
+from codeshield.utils.daytona import get_daytona_client, ExecutionResult
+
+
+@dataclass
+class SandboxVerification:
+    """Result of sandbox verification"""
+    executed: bool
+    runs_successfully: bool
+    output: str
+    error: Optional[str] = None
+    execution_time_ms: int = 0
+    
+    def to_dict(self) -> dict:
+        return {
+            "executed": self.executed,
+            "runs_successfully": self.runs_successfully,
+            "output": self.output[:500] if self.output else "",  # Truncate long output
+            "error": self.error,
+            "execution_time_ms": self.execution_time_ms,
+        }
+
+
+def verify_in_sandbox(
+    code: str,
+    timeout_seconds: int = 10,
+) -> SandboxVerification:
+    """
+    Verify code runs successfully in sandbox.
+    
+    Args:
+        code: Python code to verify
+        timeout_seconds: Maximum execution time
+    
+    Returns:
+        SandboxVerification with execution details
+    """
+    client = get_daytona_client()
+    
+    # Execute code
+    result = client.execute_code(
+        code=code,
+        language="python",
+        timeout_seconds=timeout_seconds,
+    )
+    
+    return SandboxVerification(
+        executed=True,
+        runs_successfully=result.success,
+        output=result.stdout,
+        error=result.stderr if not result.success else None,
+        execution_time_ms=result.execution_time_ms,
+    )
+
+
+def full_verification(code: str) -> dict:
+    """
+    Complete verification: syntax + imports + execution.
+    
+    Returns comprehensive verification report.
+    """
+    from codeshield.trustgate.checker import verify_code
+    
+    # Step 1: Static analysis
+    static_result = verify_code(code, auto_fix=True)
+    
+    # Use fixed code if available
+    code_to_run = static_result.fixed_code or code
+    
+    # Step 2: Sandbox execution (only if static checks pass)
+    sandbox_result = None
+    if static_result.is_valid or static_result.fixed_code:
+        sandbox_result = verify_in_sandbox(code_to_run)
+    
+    # Build comprehensive report
+    report = {
+        "overall_valid": (
+            static_result.is_valid and 
+            (sandbox_result is None or sandbox_result.runs_successfully)
+        ),
+        "static_analysis": static_result.to_dict(),
+        "sandbox_execution": sandbox_result.to_dict() if sandbox_result else None,
+        "confidence_score": static_result.confidence_score,
+        "fixed_code": static_result.fixed_code,
+    }
+    
+    # Adjust confidence based on sandbox result
+    if sandbox_result and sandbox_result.runs_successfully:
+        report["confidence_score"] = min(1.0, report["confidence_score"] + 0.1)
+    elif sandbox_result and not sandbox_result.runs_successfully:
+        report["confidence_score"] = max(0.0, report["confidence_score"] - 0.2)
+    
+    return report

codeshield/utils/__init__.py

@@ -0,0 +1,9 @@
+"""Utility modules"""
+
+from codeshield.utils.llm import LLMClient, LLMResponse, get_llm_client, get_provider_stats
+from codeshield.utils.leanmcp import LeanMCPClient, get_leanmcp_client, track_mcp_call
+
+__all__ = [
+    "LLMClient", "LLMResponse", "get_llm_client", "get_provider_stats",
+    "LeanMCPClient", "get_leanmcp_client", "track_mcp_call"
+]

codeshield/utils/daytona.py

@@ -0,0 +1,233 @@
+"""
+Daytona SDK Wrapper - Sandboxed code execution
+
+Uses Daytona's secure sandbox environment to:
+- Execute untrusted/AI-generated code safely
+- Verify code actually runs without side effects
+- Capture execution results and errors
+"""
+
+import os
+from typing import Optional
+from dataclasses import dataclass
+
+
+@dataclass
+class ExecutionResult:
+    """Result of code execution in sandbox"""
+    success: bool
+    stdout: str
+    stderr: str
+    exit_code: int
+    execution_time_ms: int = 0
+    error: Optional[str] = None
+    
+    def to_dict(self) -> dict:
+        return {
+            "success": self.success,
+            "stdout": self.stdout,
+            "stderr": self.stderr,
+            "exit_code": self.exit_code,
+            "execution_time_ms": self.execution_time_ms,
+            "error": self.error,
+        }
+
+
+class DaytonaClient:
+    """Client for Daytona sandbox execution"""
+    
+    def __init__(self, api_key: Optional[str] = None, api_url: Optional[str] = None):
+        self.api_key = api_key or os.getenv("DAYTONA_API_KEY")
+        self.api_url = api_url or os.getenv("DAYTONA_API_URL", "https://app.daytona.io/api")
+        self._client = None
+        self._sandbox = None
+    
+    def _ensure_sdk(self):
+        """Ensure Daytona SDK is available"""
+        try:
+            # Official SDK import (pip install daytona)
+            from daytona import Daytona, DaytonaConfig
+            return Daytona, DaytonaConfig
+        except ImportError:
+            try:
+                # Alternative import (pip install daytona-sdk)
+                from daytona_sdk import Daytona, DaytonaConfig
+                return Daytona, DaytonaConfig
+            except ImportError:
+                return None, None
+    
+    def is_available(self) -> bool:
+        """Check if Daytona is available and configured"""
+        Daytona, _ = self._ensure_sdk()
+        return Daytona is not None and self.api_key is not None
+    
+    def execute_code(
+        self,
+        code: str,
+        language: str = "python",
+        timeout_seconds: int = 30,
+    ) -> ExecutionResult:
+        """
+        Execute code in Daytona sandbox.
+        
+        Args:
+            code: Code to execute
+            language: Programming language (python, javascript, etc.)
+            timeout_seconds: Maximum execution time
+        
+        Returns:
+            ExecutionResult with stdout, stderr, and status
+        """
+        Daytona, SandboxConfig = self._ensure_sdk()
+        
+        if Daytona is None:
+            # Fallback to local execution with safety measures
+            return self._local_execute(code, language, timeout_seconds)
+        
+        if not self.api_key:
+            return ExecutionResult(
+                success=False,
+                stdout="",
+                stderr="",
+                exit_code=-1,
+                error="DAYTONA_API_KEY not configured",
+            )
+        
+        try:
+            # Get SDK classes
+            Daytona, DaytonaConfig = self._ensure_sdk()
+            
+            if Daytona is None:
+                return self._local_execute(code, language, timeout_seconds)
+            
+            # Initialize Daytona client with config (official SDK pattern)
+            config = DaytonaConfig(api_key=self.api_key)
+            daytona = Daytona(config)
+            
+            # Create sandbox
+            sandbox = daytona.create()
+            
+            try:
+                # Execute code in sandbox
+                response = sandbox.process.code_run(code)
+                
+                return ExecutionResult(
+                    success=response.exit_code == 0,
+                    stdout=response.result or "",
+                    stderr="",
+                    exit_code=response.exit_code,
+                    execution_time_ms=0,
+                )
+            finally:
+                # Clean up sandbox
+                daytona.delete(sandbox)
+                
+        except Exception as e:
+            # Fall back to local execution if Daytona fails
+            print(f"Daytona error: {e}, falling back to local execution")
+            return self._local_execute(code, language, timeout_seconds)
+    
+    def _local_execute(
+        self,
+        code: str,
+        language: str,
+        timeout_seconds: int,
+    ) -> ExecutionResult:
+        """
+        Fallback local execution with safety measures.
+        
+        WARNING: This is less safe than Daytona. Use only for demo/testing.
+        """
+        import subprocess
+        import tempfile
+        import time
+        
+        if language != "python":
+            return ExecutionResult(
+                success=False,
+                stdout="",
+                stderr="",
+                exit_code=-1,
+                error=f"Local execution only supports Python, got: {language}",
+            )
+        
+        # Write code to temp file
+        with tempfile.NamedTemporaryFile(
+            mode='w',
+            suffix='.py',
+            delete=False,
+            encoding='utf-8'
+        ) as f:
+            f.write(code)
+            temp_path = f.name
+        
+        try:
+            start_time = time.time()
+            
+            # Execute with timeout
+            result = subprocess.run(
+                ["python", temp_path],
+                capture_output=True,
+                text=True,
+                timeout=timeout_seconds,
+            )
+            
+            execution_time = int((time.time() - start_time) * 1000)
+            
+            return ExecutionResult(
+                success=result.returncode == 0,
+                stdout=result.stdout,
+                stderr=result.stderr,
+                exit_code=result.returncode,
+                execution_time_ms=execution_time,
+            )
+            
+        except subprocess.TimeoutExpired:
+            return ExecutionResult(
+                success=False,
+                stdout="",
+                stderr="",
+                exit_code=-1,
+                error=f"Execution timed out after {timeout_seconds}s",
+            )
+        except Exception as e:
+            return ExecutionResult(
+                success=False,
+                stdout="",
+                stderr=str(e),
+                exit_code=-1,
+                error=f"Local execution failed: {e}",
+            )
+        finally:
+            # Clean up temp file
+            try:
+                os.unlink(temp_path)
+            except:
+                pass
+    
+    def verify_code_runs(self, code: str) -> tuple[bool, str]:
+        """
+        Quick verification that code runs without error.
+        
+        Returns:
+            Tuple of (success, message)
+        """
+        result = self.execute_code(code, timeout_seconds=10)
+        
+        if result.success:
+            return True, "Code executed successfully"
+        else:
+            error_msg = result.stderr or result.error or "Unknown error"
+            return False, f"Execution failed: {error_msg}"
+
+
+# Singleton instance
+_daytona_client: Optional[DaytonaClient] = None
+
+
+def get_daytona_client() -> DaytonaClient:
+    """Get or create Daytona client singleton"""
+    global _daytona_client
+    if _daytona_client is None:
+        _daytona_client = DaytonaClient()
+    return _daytona_client

codeshield/utils/leanmcp.py

@@ -0,0 +1,258 @@
+"""
+LeanMCP Integration - MCP Server Observability & Analytics
+
+LeanMCP provides production-grade MCP infrastructure.
+This module integrates CodeShield with LeanMCP's observability platform
+to track MCP tool usage, performance metrics, and health status.
+
+Docs: https://docs.leanmcp.com/
+"""
+
+import os
+import httpx
+from typing import Optional, Dict, Any
+from dataclasses import dataclass, field
+from datetime import datetime
+import json
+
+
+@dataclass
+class MCPEvent:
+    """Represents an MCP tool invocation event for analytics"""
+    tool_name: str
+    timestamp: str = field(default_factory=lambda: datetime.utcnow().isoformat())
+    duration_ms: Optional[int] = None
+    success: bool = True
+    error_message: Optional[str] = None
+    metadata: Dict[str, Any] = field(default_factory=dict)
+
+
+class LeanMCPClient:
+    """
+    LeanMCP observability client for tracking MCP server metrics.
+    
+    Features:
+    - Tool invocation tracking
+    - Performance metrics
+    - Health reporting
+    - Usage analytics
+    """
+    
+    def __init__(self):
+        self.api_key = os.getenv("LEANMCP_KEY")
+        self.api_url = os.getenv("LEANMCP_API_URL", "https://api.leanmcp.com")
+        self.enabled = bool(self.api_key)
+        self._client = httpx.Client(timeout=10.0) if self.enabled else None
+        self._events_buffer: list[MCPEvent] = []
+        self._buffer_size = 10  # Flush after 10 events
+        
+        # Local metrics tracking (always available)
+        self._metrics = {
+            "total_calls": 0,
+            "successful_calls": 0,
+            "failed_calls": 0,
+            "tools": {},
+            "start_time": datetime.utcnow().isoformat(),
+        }
+    
+    def is_configured(self) -> bool:
+        """Check if LeanMCP is properly configured"""
+        return self.enabled and self.api_key is not None
+    
+    def get_status(self) -> Dict[str, Any]:
+        """Get LeanMCP integration status"""
+        return {
+            "configured": self.is_configured(),
+            "api_url": self.api_url,
+            "events_buffered": len(self._events_buffer),
+            "local_metrics": self._metrics,
+        }
+    
+    def track_tool_call(
+        self,
+        tool_name: str,
+        duration_ms: Optional[int] = None,
+        success: bool = True,
+        error_message: Optional[str] = None,
+        metadata: Optional[Dict[str, Any]] = None
+    ) -> None:
+        """
+        Track an MCP tool invocation for analytics.
+        
+        Args:
+            tool_name: Name of the MCP tool (e.g., "verify_code", "check_style")
+            duration_ms: Execution time in milliseconds
+            success: Whether the call succeeded
+            error_message: Error message if failed
+            metadata: Additional context
+        """
+        # Update local metrics
+        self._metrics["total_calls"] += 1
+        if success:
+            self._metrics["successful_calls"] += 1
+        else:
+            self._metrics["failed_calls"] += 1
+        
+        if tool_name not in self._metrics["tools"]:
+            self._metrics["tools"][tool_name] = {"calls": 0, "errors": 0, "total_duration_ms": 0}
+        
+        self._metrics["tools"][tool_name]["calls"] += 1
+        if not success:
+            self._metrics["tools"][tool_name]["errors"] += 1
+        if duration_ms:
+            self._metrics["tools"][tool_name]["total_duration_ms"] += duration_ms
+        
+        # Create event for LeanMCP
+        event = MCPEvent(
+            tool_name=tool_name,
+            duration_ms=duration_ms,
+            success=success,
+            error_message=error_message,
+            metadata=metadata or {}
+        )
+        
+        self._events_buffer.append(event)
+        
+        # Auto-flush if buffer is full
+        if len(self._events_buffer) >= self._buffer_size:
+            self.flush_events()
+    
+    def flush_events(self) -> bool:
+        """
+        Send buffered events to LeanMCP platform.
+        Returns True if successful or LeanMCP not configured.
+        """
+        if not self._events_buffer:
+            return True
+        
+        if not self.is_configured() or self._client is None:
+            # Clear buffer if not configured (events are still tracked locally)
+            self._events_buffer.clear()
+            return True
+        
+        try:
+            events_data = [
+                {
+                    "tool_name": e.tool_name,
+                    "timestamp": e.timestamp,
+                    "duration_ms": e.duration_ms,
+                    "success": e.success,
+                    "error_message": e.error_message,
+                    "metadata": e.metadata,
+                }
+                for e in self._events_buffer
+            ]
+            
+            response = self._client.post(
+                f"{self.api_url}/v1/events",
+                headers={
+                    "Authorization": f"Bearer {self.api_key}",
+                    "Content-Type": "application/json",
+                },
+                json={
+                    "server_name": "CodeShield",
+                    "events": events_data,
+                }
+            )
+            
+            if response.status_code == 200:
+                self._events_buffer.clear()
+                return True
+            else:
+                print(f"LeanMCP event flush failed: {response.status_code}")
+                return False
+                
+        except Exception as e:
+            print(f"LeanMCP error: {e}")
+            return False
+    
+    def report_health(self) -> Dict[str, Any]:
+        """
+        Report server health to LeanMCP and return health status.
+        """
+        health_data = {
+            "server_name": "CodeShield",
+            "status": "healthy",
+            "version": "1.0.0",
+            "metrics": self._metrics,
+            "timestamp": datetime.utcnow().isoformat(),
+        }
+        
+        if self.is_configured() and self._client is not None:
+            try:
+                self._client.post(
+                    f"{self.api_url}/v1/health",
+                    headers={
+                        "Authorization": f"Bearer {self.api_key}",
+                        "Content-Type": "application/json",
+                    },
+                    json=health_data
+                )
+            except Exception as e:
+                print(f"LeanMCP health report error: {e}")
+        
+        return health_data
+    
+    def get_metrics(self) -> Dict[str, Any]:
+        """Get current metrics summary"""
+        metrics = self._metrics.copy()
+        
+        # Calculate averages
+        for tool_name, tool_data in metrics["tools"].items():
+            if tool_data["calls"] > 0 and tool_data["total_duration_ms"] > 0:
+                tool_data["avg_duration_ms"] = tool_data["total_duration_ms"] / tool_data["calls"]
+        
+        return metrics
+
+
+# Singleton instance
+_leanmcp_client: Optional[LeanMCPClient] = None
+
+
+def get_leanmcp_client() -> LeanMCPClient:
+    """Get or create LeanMCP client singleton"""
+    global _leanmcp_client
+    if _leanmcp_client is None:
+        _leanmcp_client = LeanMCPClient()
+    return _leanmcp_client
+
+
+def track_mcp_call(tool_name: str):
+    """
+    Decorator to automatically track MCP tool calls with LeanMCP.
+    
+    Usage:
+        @track_mcp_call("verify_code")
+        def verify_code(code: str) -> dict:
+            ...
+    """
+    import functools
+    import time
+    
+    def decorator(func):
+        @functools.wraps(func)
+        def wrapper(*args, **kwargs):
+            client = get_leanmcp_client()
+            start_time = time.time()
+            
+            try:
+                result = func(*args, **kwargs)
+                duration_ms = int((time.time() - start_time) * 1000)
+                client.track_tool_call(
+                    tool_name=tool_name,
+                    duration_ms=duration_ms,
+                    success=True
+                )
+                return result
+            except Exception as e:
+                duration_ms = int((time.time() - start_time) * 1000)
+                client.track_tool_call(
+                    tool_name=tool_name,
+                    duration_ms=duration_ms,
+                    success=False,
+                    error_message=str(e)
+                )
+                raise
+        
+        return wrapper
+    return decorator