conduct-cli 0.4.57__tar.gz → 0.4.59__tar.gz

{conduct_cli-0.4.57 → conduct_cli-0.4.59}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: conduct-cli
-Version: 0.4.57
+Version: 0.4.59
 Summary: CLI for Conduct AI — install agents, manage projects, run tests
 Author-email: Conduct AI <hello@conductai.ai>
 License: MIT

{conduct_cli-0.4.57 → conduct_cli-0.4.59}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "conduct-cli"
-version = "0.4.57"
+version = "0.4.59"
 description = "CLI for Conduct AI — install agents, manage projects, run tests"
 readme = "README.md"
 license = { text = "MIT" }

{conduct_cli-0.4.57 → conduct_cli-0.4.59}/src/conduct_cli/guard.py

@@ -241,8 +241,78 @@ def _post_usage(session_id, tool_name, tokens_input, tokens_output, duration_ms)
     )
 
 
-def _maybe_emit_security_finding(tool_response, session_id, tool_name):
-    """Classify tool_response for security findings; POST to /security-findings if flag ON. Never raises."""
+SECRET_PATTERNS = [
+    (r"sk-[A-Za-z0-9]{20,}",          "secret-leak",    "high",     "Potential OpenAI/Anthropic API key"),
+    (r"ghp_[A-Za-z0-9]{36}",           "secret-leak",    "high",     "GitHub Personal Access Token"),
+    (r"AKIA[0-9A-Z]{16}",              "secret-leak",    "critical", "AWS Access Key ID"),
+    (r"Bearer\s+[A-Za-z0-9+/=]{20,}",  "secret-leak",    "high",     "Bearer token in output"),
+    (r"""password\s*=\s*['"][^'"]{4,}""","secret-leak",  "high",     "Hardcoded password"),
+    (r"""api[_-]?key\s*=\s*['"][^'"]{4,}""","secret-leak","high",    "Hardcoded API key"),
+    (r"\.\./\.\./\.\./",               "path-traversal", "medium",   "Path traversal sequence"),
+    (r"file://",                        "path-traversal", "medium",   "File URI scheme in output"),
+    (r"\beval\s*\(",                    "injection",      "high",     "eval() in output"),
+    (r"\bexec\s*\(",                    "injection",      "high",     "exec() in output"),
+    (r"\b__import__\s*\(",              "injection",      "high",     "__import__() in output"),
+    (r"ssl\.CERT_NONE",                 "crypto",         "high",     "SSL verification disabled"),
+    (r"verify\s*=\s*False",             "crypto",         "medium",   "TLS verification bypassed"),
+]
+OWASP_KEYWORDS = [
+    ("sql injection",    "injection",   "high",   "SQL injection mentioned in AI output"),
+    ("cross-site scripting","injection","high",   "XSS mentioned in AI output"),
+    (" xss ",            "injection",   "high",   "XSS mentioned in AI output"),
+    ("idor",             "injection",   "medium", "IDOR mentioned in AI output"),
+    ("ssrf",             "injection",   "high",   "SSRF mentioned in AI output"),
+    ("command injection","injection",   "high",   "Command injection mentioned in AI output"),
+    ("auth bypass",      "auth-bypass", "high",   "Auth bypass mentioned in AI output"),
+]
+
+
+def _classify_text(text):
+    """Return (finding_type, severity, description, matched_pattern) or (None,...) if clean."""
+    import re as _re
+    for pattern, ftype, sev, desc in SECRET_PATTERNS:
+        if _re.search(pattern, text, _re.IGNORECASE):
+            return ftype, sev, desc, pattern
+    lower = text.lower()
+    for kw, ftype, sev, desc in OWASP_KEYWORDS:
+        if kw in lower:
+            return ftype, sev, desc, kw
+    return None, None, None, None
+
+
+def _line_number_from_text(text, matched_pattern):
+    """Extract line number where pattern matched.
+
+    Handles two formats:
+    - Read tool output: '     N\\tcode line'  (cat -n style)
+    - Plain text: count newlines before match offset
+    """
+    import re as _re
+    if not matched_pattern:
+        return None
+    try:
+        # Try cat-n format first (Read tool)
+        for raw_line in text.split("\n"):
+            m = _re.match(r"^\s*(\d+)\t(.*)$", raw_line)
+            if m:
+                lineno, content = int(m.group(1)), m.group(2)
+                try:
+                    if _re.search(matched_pattern, content, _re.IGNORECASE):
+                        return lineno
+                except Exception:
+                    if matched_pattern.lower() in content.lower():
+                        return lineno
+        # Fallback: count newlines before the first match
+        m = _re.search(matched_pattern, text, _re.IGNORECASE)
+        if m:
+            return text[:m.start()].count("\n") + 1
+    except Exception:
+        pass
+    return None
+
+
+def _maybe_emit_security_finding(tool_response, session_id, tool_name, tool_input=None):
+    """Classify tool output + input for security findings; POST if flag ON. Never raises."""
     try:
         cfg = json.loads(CONFIG_PATH.read_text()) if CONFIG_PATH.exists() else {}
     except Exception:
@@ -255,49 +325,37 @@ def _maybe_emit_security_finding(tool_response, session_id, tool_name):
     if not workspace_id:
         return
 
-    import re as _re2
-    text = str(tool_response)
-
-    # Fast-path classifier
-    SECRET_PATTERNS = [
-        (r"sk-[A-Za-z0-9]{20,}", "secret-leak", "high", "Potential OpenAI/Anthropic API key"),
-        (r"ghp_[A-Za-z0-9]{36}", "secret-leak", "high", "GitHub Personal Access Token"),
-        (r"AKIA[0-9A-Z]{16}", "secret-leak", "critical", "AWS Access Key ID"),
-        (r"Bearer\s+[A-Za-z0-9+/=]{20,}", "secret-leak", "high", "Bearer token in output"),
-        (r"""password\s*=\s*['"][^'"]{4,}""", "secret-leak", "high", "Hardcoded password"),
-        (r"""api[_-]?key\s*=\s*['"][^'"]{4,}""", "secret-leak", "high", "Hardcoded API key"),
-        (r"\.\./\.\./\.\./", "path-traversal", "medium", "Path traversal sequence"),
-        (r"file://", "path-traversal", "medium", "File URI scheme in output"),
-        (r"\beval\s*\(", "injection", "high", "eval() in output"),
-        (r"\bexec\s*\(", "injection", "high", "exec() in output"),
-        (r"\b__import__\s*\(", "injection", "high", "__import__() in output"),
-        (r"ssl\.CERT_NONE", "crypto", "high", "SSL verification disabled"),
-        (r"verify\s*=\s*False", "crypto", "medium", "TLS verification bypassed"),
-    ]
-    OWASP_KEYWORDS = [
-        ("sql injection", "injection", "high", "SQL injection mentioned in AI output"),
-        ("cross-site scripting", "injection", "high", "XSS mentioned in AI output"),
-        (" xss ", "injection", "high", "XSS mentioned in AI output"),
-        ("idor", "injection", "medium", "IDOR mentioned in AI output"),
-        ("ssrf", "injection", "high", "SSRF mentioned in AI output"),
-        ("command injection", "injection", "high", "Command injection mentioned in AI output"),
-        ("auth bypass", "auth-bypass", "high", "Auth bypass mentioned in AI output"),
-    ]
-
-    finding_type = severity = description = None
-    for pattern, ftype, sev, desc in SECRET_PATTERNS:
-        if _re2.search(pattern, text, _re2.IGNORECASE):
-            finding_type, severity, description = ftype, sev, desc
+    ti = tool_input or {}
+
+    # Build scan candidates: (text_to_scan, source_label)
+    # Priority: tool_response first (Read), then written content (Edit/Write), then command (Bash)
+    candidates = [("response", str(tool_response))]
+    if tool_name in ("edit", "multiedit"):
+        candidates.append(("input", ti.get("new_string", "")))
+    elif tool_name == "write":
+        candidates.append(("input", ti.get("content", "")))
+    elif tool_name in ("bash", "terminal"):
+        candidates.append(("input", ti.get("command", "")))
+
+    finding_type = severity = description = matched_pattern = scan_text = None
+    for _src, text in candidates:
+        ft, sv, desc, pat = _classify_text(text)
+        if ft:
+            finding_type, severity, description, matched_pattern, scan_text = ft, sv, desc, pat, text
             break
-    if not finding_type:
-        lower = text.lower()
-        for kw, ftype, sev, desc in OWASP_KEYWORDS:
-            if kw in lower:
-                finding_type, severity, description = ftype, sev, desc
-                break
+
     if not finding_type:
         return
 
+    # File path
+    file_path = (
+        ti.get("file_path") or ti.get("path") or
+        (ti.get("command", "")[:120] if tool_name in ("bash", "terminal") else None)
+    ) or None
+
+    # Line number
+    line_no = _line_number_from_text(scan_text, matched_pattern) if scan_text else None
+
     payload = json.dumps({
         "tool": _detect_ai_tool(),
         "severity": severity,
@@ -305,6 +363,8 @@ def _maybe_emit_security_finding(tool_response, session_id, tool_name):
         "description": description,
         "source_run_id": session_id,
         "reporter_email": cfg.get("user_email") or "",
+        "file": file_path,
+        "line": line_no,
     })
     script = (
         "import urllib.request\\n"
@@ -489,7 +549,8 @@ def post_usage_main():
 
     # Security classifier runs regardless of transcript_path — scan every tool response
     tool_response = data.get("tool_response") or data.get("output") or ""
-    _maybe_emit_security_finding(str(tool_response), session_id, tool_name)
+    tool_input    = data.get("tool_input") or {}
+    _maybe_emit_security_finding(str(tool_response), session_id, tool_name, tool_input)
 
     sys.exit(0)
 

{conduct_cli-0.4.57 → conduct_cli-0.4.59}/src/conduct_cli/main.py

@@ -2217,7 +2217,7 @@ def cmd_run(args):
 # ── conduct sync / test-guard / test-security ────────────────────────────────
 
 def cmd_sync(args):
-    """Run guard sync + security policy sync in one shot."""
+    """Sync Guard policies (and Security Loop policies if installed)."""
     import conduct_cli.guard as _g
     print(f"\n{BOLD}▶ conduct sync{RESET}\n")
     _g.cmd_guard_sync(args)
@@ -2533,7 +2533,7 @@ def main():
     mcp_sub.add_parser("install", help="Register conduct-mcp in Claude Code and Codex")
 
     # conduct sync
-    sub.add_parser("sync", help="Sync Guard policies + Security Loop in one shot")
+    sub.add_parser("sync", help="Sync Guard policies (and Security Loop policies if installed)")
 
     # conduct test-guard / test-security
     sub.add_parser("test-guard",    help="Fire a synthetic event per guard policy rule and show decisions")

{conduct_cli-0.4.57 → conduct_cli-0.4.59}/src/conduct_cli.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: conduct-cli
-Version: 0.4.57
+Version: 0.4.59
 Summary: CLI for Conduct AI — install agents, manage projects, run tests
 Author-email: Conduct AI <hello@conductai.ai>
 License: MIT