conduct-cli 0.4.56__tar.gz → 0.4.58__tar.gz

{conduct_cli-0.4.56 → conduct_cli-0.4.58}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: conduct-cli
-Version: 0.4.56
+Version: 0.4.58
 Summary: CLI for Conduct AI — install agents, manage projects, run tests
 Author-email: Conduct AI <hello@conductai.ai>
 License: MIT

{conduct_cli-0.4.56 → conduct_cli-0.4.58}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "conduct-cli"
-version = "0.4.56"
+version = "0.4.58"
 description = "CLI for Conduct AI — install agents, manage projects, run tests"
 readme = "README.md"
 license = { text = "MIT" }

{conduct_cli-0.4.56 → conduct_cli-0.4.58}/src/conduct_cli/guard.py

@@ -241,7 +241,7 @@ def _post_usage(session_id, tool_name, tokens_input, tokens_output, duration_ms)
     )
 
 
-def _maybe_emit_security_finding(tool_response, session_id, tool_name):
+def _maybe_emit_security_finding(tool_response, session_id, tool_name, tool_input=None):
     """Classify tool_response for security findings; POST to /security-findings if flag ON. Never raises."""
     try:
         cfg = json.loads(CONFIG_PATH.read_text()) if CONFIG_PATH.exists() else {}
@@ -298,6 +298,12 @@ def _maybe_emit_security_finding(tool_response, session_id, tool_name):
     if not finding_type:
         return
 
+    ti = tool_input or {}
+    file_path = (
+        ti.get("file_path") or ti.get("path") or
+        (ti.get("command", "")[:120] if tool_name in ("bash", "terminal") else None)
+    ) or None
+
     payload = json.dumps({
         "tool": _detect_ai_tool(),
         "severity": severity,
@@ -305,6 +311,7 @@ def _maybe_emit_security_finding(tool_response, session_id, tool_name):
         "description": description,
         "source_run_id": session_id,
         "reporter_email": cfg.get("user_email") or "",
+        "file": file_path,
     })
     script = (
         "import urllib.request\\n"
@@ -489,7 +496,8 @@ def post_usage_main():
 
     # Security classifier runs regardless of transcript_path — scan every tool response
     tool_response = data.get("tool_response") or data.get("output") or ""
-    _maybe_emit_security_finding(str(tool_response), session_id, tool_name)
+    tool_input    = data.get("tool_input") or {}
+    _maybe_emit_security_finding(str(tool_response), session_id, tool_name, tool_input)
 
     sys.exit(0)
 

{conduct_cli-0.4.56 → conduct_cli-0.4.58}/src/conduct_cli/main.py

@@ -2214,6 +2214,182 @@ def cmd_run(args):
     _stream_run(server, workflow_id, run["id"], workspace_id, token, api_key)
 
 
+# ── conduct sync / test-guard / test-security ────────────────────────────────
+
+def cmd_sync(args):
+    """Sync Guard policies (and Security Loop policies if installed)."""
+    import conduct_cli.guard as _g
+    print(f"\n{BOLD}▶ conduct sync{RESET}\n")
+    _g.cmd_guard_sync(args)
+    print(f"\n{GREEN}Sync complete.{RESET}\n")
+
+
+_SECURITY_TEST_CASES = [
+    ("AWS Access Key",       "secret-leak",     "critical", "AKIA1234567890ABCDEF found in output"),
+    ("OpenAI API Key",       "secret-leak",     "high",     "sk-abcdefghijklmnopqrstuvwx1234567890 in response"),
+    ("GitHub PAT",           "secret-leak",     "high",     "ghp_" + "A" * 36 + " token present"),
+    ("Bearer Token",         "secret-leak",     "high",     "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.test.sig"),
+    ("Hardcoded Password",   "secret-leak",     "high",     "password = 'hardcoded_secret_here'"),
+    ("Hardcoded API Key",    "secret-leak",     "high",     "api_key = 'abc123def456ghi789'"),
+    ("Path Traversal",       "path-traversal",  "medium",   "../../etc/passwd accessed"),
+    ("File URI",             "path-traversal",  "medium",   "file:///etc/passwd read"),
+    ("eval() Injection",     "injection",       "high",     "eval(user_input) called in output"),
+    ("exec() Injection",     "injection",       "high",     "exec(command) called in output"),
+    ("SSL Disabled",         "crypto",          "high",     "ssl.CERT_NONE used — verification disabled"),
+    ("TLS Bypass",           "crypto",          "medium",   "verify=False passed to requests"),
+    ("SQL Injection",        "injection",       "high",     "sql injection vulnerability in query"),
+    ("XSS",                  "injection",       "high",     "cross-site scripting detected in output"),
+    ("Auth Bypass",          "auth-bypass",     "high",     "auth bypass possible via missing check"),
+]
+
+
+def cmd_test_security(args):
+    """Fire synthetic security findings for every classifier pattern."""
+    from conduct_cli.guard import CONFIG_PATH
+    try:
+        import json as _json
+        cfg = _json.loads(CONFIG_PATH.read_text()) if CONFIG_PATH.exists() else {}
+    except Exception:
+        cfg = {}
+
+    workspace_id = cfg.get("workspace_id")
+    api_key      = cfg.get("api_key", "")
+    user_email   = cfg.get("user_email", "")
+    api_url      = cfg.get("api_url", "https://api.conductai.ai").rstrip("/")
+
+    if not workspace_id:
+        print(f"{RED}Not configured. Run: conduct guard setup{RESET}")
+        sys.exit(1)
+
+    import urllib.request
+    import json as _json
+
+    print(f"\n{BOLD}▶ conduct test-security — {len(_SECURITY_TEST_CASES)} patterns{RESET}\n")
+
+    passed = 0
+    failed = 0
+    for name, vtype, severity, description in _SECURITY_TEST_CASES:
+        payload = _json.dumps({
+            "tool": "claude-code",
+            "severity": severity,
+            "type": vtype,
+            "description": f"[TEST] {description}",
+            "reporter_email": user_email,
+            "source_run_id": "conduct-test-security",
+        }).encode()
+        try:
+            req = urllib.request.Request(
+                f"{api_url}/security-findings?workspace_id={workspace_id}",
+                data=payload,
+                headers={"Content-Type": "application/json", "X-Api-Key": api_key},
+                method="POST",
+            )
+            with urllib.request.urlopen(req, timeout=8) as resp:
+                r = _json.loads(resp.read())
+                fid = r.get("id", "")[:8]
+                sev_color = RED if severity == "critical" else (YELLOW if severity == "high" else CYAN)
+                print(f"  {GREEN}✓{RESET}  {name:<22} {sev_color}{severity:<8}{RESET}  {GRAY}{fid}{RESET}")
+                passed += 1
+        except Exception as e:
+            print(f"  {RED}✕{RESET}  {name:<22} {RED}FAILED — {e}{RESET}")
+            failed += 1
+
+    print(f"\n  {passed} posted · {failed} failed")
+    print(f"\n  {CYAN}→ View findings: {api_url.replace('api.', 'app.')}/secure/activity{RESET}\n")
+
+
+def cmd_test_guard(args):
+    """Test each guard policy rule with a matching synthetic tool call."""
+    import json as _json
+    import re as _re
+    from conduct_cli.guard import CONFIG_PATH, POLICY_PATH
+
+    try:
+        cfg = _json.loads(CONFIG_PATH.read_text()) if CONFIG_PATH.exists() else {}
+    except Exception:
+        cfg = {}
+
+    if not POLICY_PATH.exists():
+        print(f"{RED}No policy file found. Run: conduct guard sync{RESET}")
+        sys.exit(1)
+
+    try:
+        policy = _json.loads(POLICY_PATH.read_text())
+    except Exception as e:
+        print(f"{RED}Could not load policy: {e}{RESET}")
+        sys.exit(1)
+
+    rules = policy.get("rules", [])
+    if not rules:
+        print(f"{YELLOW}No rules in local policy. Run: conduct guard sync{RESET}")
+        sys.exit(0)
+
+    workspace_id = cfg.get("workspace_id")
+    api_key      = cfg.get("api_key", "")
+    api_url      = cfg.get("api_url", "https://api.conductai.ai").rstrip("/")
+
+    print(f"\n{BOLD}▶ conduct test-guard — {len(rules)} rule(s){RESET}\n")
+
+    import urllib.request
+
+    blocked = 0
+    allowed = 0
+    errors  = 0
+    for rule in rules:
+        rule_id  = rule.get("rule_id", "unknown")
+        action   = rule.get("action", "audit")
+        message  = rule.get("message") or rule_id
+        tool     = (rule.get("match_tool") or "bash").split(",")[0].strip()
+        pattern  = rule.get("match_pattern") or rule.get("match_path_pattern") or ""
+
+        # Build a synthetic input that satisfies the rule's pattern
+        if pattern:
+            try:
+                # Use the pattern itself as a test input fragment where possible
+                test_input = _re.sub(r"[\\^$.*+?()\[\]{}|]", "", pattern)[:80] or rule_id
+            except Exception:
+                test_input = rule_id
+        else:
+            test_input = rule_id
+
+        payload = _json.dumps({
+            "ai_tool": "claude-code",
+            "tool_call": tool,
+            "input_summary": f"[TEST] {test_input}",
+            "decision": action if action in ("blocked", "warn") else "blocked",
+            "rule_id": rule_id,
+            "rule_message": f"[TEST] {message}",
+        }).encode()
+
+        action_color = RED if action == "blocked" else (YELLOW if action == "warn" else CYAN)
+        action_label = action.upper()
+
+        if workspace_id:
+            try:
+                req = urllib.request.Request(
+                    f"{api_url}/guard/events/test?workspace_id={workspace_id}",
+                    data=payload,
+                    headers={"Content-Type": "application/json", "X-Api-Key": api_key},
+                    method="POST",
+                )
+                with urllib.request.urlopen(req, timeout=5):
+                    pass
+                posted = f"{GRAY}posted{RESET}"
+            except Exception:
+                posted = f"{GRAY}local only{RESET}"
+        else:
+            posted = f"{GRAY}no workspace{RESET}"
+
+        print(f"  {action_color}{action_label:<8}{RESET}  {rule_id:<35}  {GRAY}{message[:50]}{RESET}  {posted}")
+        if action == "blocked":
+            blocked += 1
+        else:
+            allowed += 1
+
+    print(f"\n  {blocked} would block · {allowed} audit/allow")
+    print(f"\n  {CYAN}→ View events: {api_url.replace('api.', 'app.')}/guard/activity{RESET}\n")
+
+
 # ── Entry point ───────────────────────────────────────────────────────────────
 
 def main():
@@ -2356,6 +2532,13 @@ def main():
     mcp_sub = mcp_p.add_subparsers(dest="mcp_command")
     mcp_sub.add_parser("install", help="Register conduct-mcp in Claude Code and Codex")
 
+    # conduct sync
+    sub.add_parser("sync", help="Sync Guard policies (and Security Loop policies if installed)")
+
+    # conduct test-guard / test-security
+    sub.add_parser("test-guard",    help="Fire a synthetic event per guard policy rule and show decisions")
+    sub.add_parser("test-security", help="Post a synthetic finding per security classifier pattern")
+
     args = parser.parse_args()
 
     if args.command == "login":
@@ -2423,6 +2606,12 @@ def main():
             cmd_mcp_install(args)
         else:
             mcp_p.print_help()
+    elif args.command == "sync":
+        cmd_sync(args)
+    elif args.command == "test-guard":
+        cmd_test_guard(args)
+    elif args.command == "test-security":
+        cmd_test_security(args)
     else:
         parser.print_help()
 

{conduct_cli-0.4.56 → conduct_cli-0.4.58}/src/conduct_cli.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: conduct-cli
-Version: 0.4.56
+Version: 0.4.58
 Summary: CLI for Conduct AI — install agents, manage projects, run tests
 Author-email: Conduct AI <hello@conductai.ai>
 License: MIT