coreason-manifest 0.6.0__py3-none-any.whl → 0.9.0__py3-none-any.whl

coreason_manifest/loader.py

@@ -1,271 +0,0 @@
-# Prosperity-3.0
-"""Manifest Loader.
-
-This module is responsible for loading the agent manifest from YAML files or
-dictionaries, normalizing the data, and converting it into Pydantic models.
-"""
-
-from __future__ import annotations
-
-import inspect
-from pathlib import Path
-from typing import Any, Callable, Dict, List, Union, get_type_hints
-
-try:
-    from typing import get_args, get_origin
-except ImportError:  # pragma: no cover
-    # For Python < 3.8, though project requires 3.12+
-    from typing_extensions import get_args, get_origin  # type: ignore
-
-import aiofiles
-import yaml
-from coreason_identity import UserContext
-from pydantic import ValidationError, create_model
-
-from coreason_manifest.errors import ManifestSyntaxError
-from coreason_manifest.models import AgentDefinition, AgentInterface
-
-
-class ManifestLoader:
-    """Component A: ManifestLoader (The Parser).
-
-    Responsibility:
-      - Load YAML safely.
-      - Convert raw data into a Pydantic AgentDefinition model.
-      - Normalization: Ensure all version strings follow SemVer and all IDs are canonical UUIDs.
-    """
-
-    @staticmethod
-    def load_raw_from_file(path: Union[str, Path]) -> dict[str, Any]:
-        """Loads the raw dict from a YAML file.
-
-        Args:
-            path: The path to the agent.yaml file.
-
-        Returns:
-            dict: The raw dictionary content.
-
-        Raises:
-            ManifestSyntaxError: If YAML is invalid.
-            FileNotFoundError: If the file does not exist.
-        """
-        try:
-            path_obj = Path(path)
-            if not path_obj.exists():
-                raise FileNotFoundError(f"Manifest file not found: {path}")
-
-            with open(path_obj, "r", encoding="utf-8") as f:
-                # safe_load is recommended for untrusted input
-                data = yaml.safe_load(f)
-
-            if not isinstance(data, dict):
-                raise ManifestSyntaxError(f"Invalid YAML content in {path}: must be a dictionary.")
-
-            ManifestLoader._normalize_data(data)
-
-            return data
-
-        except yaml.YAMLError as e:
-            raise ManifestSyntaxError(f"Failed to parse YAML file {path}: {str(e)}") from e
-        except OSError as e:
-            if isinstance(e, FileNotFoundError):
-                raise
-            raise ManifestSyntaxError(f"Error reading file {path}: {str(e)}") from e
-
-    @staticmethod
-    async def load_raw_from_file_async(path: Union[str, Path]) -> dict[str, Any]:
-        """Loads the raw dict from a YAML file asynchronously.
-
-        Args:
-            path: The path to the agent.yaml file.
-
-        Returns:
-            dict: The raw dictionary content.
-
-        Raises:
-            ManifestSyntaxError: If YAML is invalid.
-            FileNotFoundError: If the file does not exist.
-        """
-        try:
-            path_obj = Path(path)
-            if not path_obj.exists():
-                raise FileNotFoundError(f"Manifest file not found: {path}")
-
-            async with aiofiles.open(path_obj, "r", encoding="utf-8") as f:
-                content = await f.read()
-                data = yaml.safe_load(content)
-
-            if not isinstance(data, dict):
-                raise ManifestSyntaxError(f"Invalid YAML content in {path}: must be a dictionary.")
-
-            ManifestLoader._normalize_data(data)
-
-            return data
-
-        except yaml.YAMLError as e:
-            raise ManifestSyntaxError(f"Failed to parse YAML file {path}: {str(e)}") from e
-        except OSError as e:
-            if isinstance(e, FileNotFoundError):
-                raise
-            raise ManifestSyntaxError(f"Error reading file {path}: {str(e)}") from e
-
-    @staticmethod
-    def load_from_file(path: Union[str, Path]) -> AgentDefinition:
-        """Loads the agent manifest from a YAML file.
-
-        Args:
-            path: The path to the agent.yaml file.
-
-        Returns:
-            AgentDefinition: The validated Pydantic model.
-
-        Raises:
-            ManifestSyntaxError: If YAML is invalid or Pydantic validation fails.
-            FileNotFoundError: If the file does not exist.
-        """
-        data = ManifestLoader.load_raw_from_file(path)
-        return ManifestLoader.load_from_dict(data)
-
-    @staticmethod
-    def load_from_dict(data: dict[str, Any]) -> AgentDefinition:
-        """Converts a dictionary into an AgentDefinition model.
-
-        Args:
-            data: The raw dictionary.
-
-        Returns:
-            AgentDefinition: The validated Pydantic model.
-
-        Raises:
-            ManifestSyntaxError: If Pydantic validation fails.
-        """
-        try:
-            # Ensure normalization happens before Pydantic validation
-            # We work on a copy to avoid side effects if possible, but deep copy is expensive.
-            # The input 'data' might be modified in place.
-            ManifestLoader._normalize_data(data)
-
-            return AgentDefinition.model_validate(data)
-        except ValidationError as e:
-            # Convert Pydantic ValidationError to ManifestSyntaxError
-            # We assume "normalization" happens via Pydantic validators (e.g. UUID, SemVer checks)
-            raise ManifestSyntaxError(f"Manifest validation failed: {str(e)}") from e
-
-    @staticmethod
-    def _normalize_data(data: dict[str, Any]) -> None:
-        """Normalizes the data dictionary in place.
-
-        Specifically strips 'v' or 'V' from version strings recursively until clean.
-        """
-        if "metadata" in data and isinstance(data["metadata"], dict):
-            version = data["metadata"].get("version")
-            if isinstance(version, str):
-                # Recursively strip leading 'v' or 'V'
-                while version and version[0] in ("v", "V"):
-                    version = version[1:]
-                data["metadata"]["version"] = version
-
-    @staticmethod
-    def inspect_function(func: Callable[..., Any]) -> AgentInterface:
-        """Generates an AgentInterface from a Python function.
-
-        Scans the function signature. If `user_context` (by name) or UserContext (by type)
-        is found, it is marked as injected and excluded from the public schema.
-
-        Args:
-            func: The function to inspect.
-
-        Returns:
-            AgentInterface: The generated interface definition.
-
-        Raises:
-            ManifestSyntaxError: If forbidden arguments are found.
-        """
-        sig = inspect.signature(func)
-        try:
-            type_hints = get_type_hints(func)
-        except Exception:
-            # Fallback if get_type_hints fails (e.g. forward refs issues)
-            type_hints = {}
-
-        field_definitions: Dict[str, Any] = {}
-        injected: List[str] = []
-
-        for param_name, param in sig.parameters.items():
-            if param_name in ("self", "cls"):
-                continue
-
-            # Determine type annotation
-            annotation = type_hints.get(param_name, param.annotation)
-            if annotation is inspect.Parameter.empty:
-                annotation = Any
-
-            # Check for forbidden arguments
-            if param_name in ("api_key", "token"):
-                raise ManifestSyntaxError(f"Function argument '{param_name}' is forbidden. Use UserContext for auth.")
-
-            # Check for injection
-            is_injected = False
-            if param_name == "user_context":
-                is_injected = True
-            else:
-                # Check direct type
-                if annotation is UserContext:
-                    is_injected = True
-                else:
-                    # Check for Optional[UserContext], Annotated[UserContext, ...], Union[UserContext, ...]
-                    origin = get_origin(annotation)
-                    args = get_args(annotation)
-                    if origin is not None:
-                        # Recursively check if UserContext is in args (handles Optional/Union)
-                        # or if this is Annotated (UserContext might be the first arg)
-                        # We do a shallow check on args.
-                        for arg in args:
-                            if arg is UserContext:
-                                is_injected = True
-                                break
-
-            if is_injected:
-                if "user_context" not in injected:
-                    injected.append("user_context")
-                continue
-
-            # Prepare for Pydantic model creation
-            default = param.default
-            if default is inspect.Parameter.empty:
-                default = ...
-
-            field_definitions[param_name] = (annotation, default)
-
-        # Create dynamic model to generate JSON Schema for inputs
-        # We assume strict mode or similar is handled by the consumer, here we just describe it.
-        try:
-            InputsModel = create_model("Inputs", **field_definitions)
-            inputs_schema = InputsModel.model_json_schema()
-        except Exception as e:
-            raise ManifestSyntaxError(f"Failed to generate schema from function signature: {e}") from e
-
-        # Handle return type for outputs
-        return_annotation = type_hints.get("return", sig.return_annotation)
-        outputs_schema = {}
-        if (
-            return_annotation is not inspect.Parameter.empty
-            and return_annotation is not None
-            and return_annotation is not type(None)
-        ):
-            try:
-                # If return annotation is a Pydantic model, use its schema
-                if hasattr(return_annotation, "model_json_schema"):
-                    outputs_schema = return_annotation.model_json_schema()
-                else:
-                    # Wrap in a model
-                    OutputsModel = create_model("Outputs", result=(return_annotation, ...))
-                    outputs_schema = OutputsModel.model_json_schema()
-            except Exception:
-                pass
-
-        return AgentInterface(
-            inputs=inputs_schema,
-            outputs=outputs_schema,
-            injected_params=injected,
-        )

coreason_manifest/main.py

@@ -1,17 +0,0 @@
-# Prosperity-3.0
-"""Main module for coreason_manifest.
-
-This module is primarily used for testing and demonstration purposes.
-"""
-
-from coreason_manifest.utils.logger import logger
-
-
-def hello_world() -> str:
-    """Returns a hello world string.
-
-    Returns:
-        "Hello World!" string.
-    """
-    logger.info("Hello World!")
-    return "Hello World!"

coreason_manifest/policies/compliance.rego

@@ -1,81 +0,0 @@
-package coreason.compliance
-
-import rego.v1
-
-# Do not import data.tbom to avoid namespace confusion, access via data.tbom directly if needed or via helper.
-
-default allow := false
-
-# Deny if 'pickle' is in libraries (matches "pickle", "pickle==1.0", "pickle>=2.0")
-deny contains msg if {
-    some i
-    lib_str := input.dependencies.libraries[i]
-    # Check if the library name starts with 'pickle' followed by end of string or version specifier
-    regex.match("^pickle([<>=!@\\[].*)?$", lib_str)
-    msg := "Security Risk: 'pickle' library is strictly forbidden."
-}
-
-# Deny if 'os' is in libraries
-deny contains msg if {
-    some i
-    lib_str := input.dependencies.libraries[i]
-    regex.match("^os([<>=!@\\[].*)?$", lib_str)
-    msg := "Security Risk: 'os' library is strictly forbidden."
-}
-
-# Deny if description is too short (Business Rule example)
-# Iterates over ALL steps to ensure compliance.
-deny contains msg if {
-    some step in input.topology.steps
-    count(step.description) < 5
-    msg := "Step description is too short."
-}
-
-# Rule 1 (Dependency Pinning): All library dependencies must have explicit version pins.
-# Strictly enforces "name==version" (with optional extras).
-# Rejects "name>=version", "name==version,>=other", etc.
-deny contains msg if {
-    some i
-    lib := input.dependencies.libraries[i]
-
-    # Regex Explanation:
-    # ^                         Start
-    # [a-zA-Z0-9_\-\.]+         Package name (alphanum, _, -, .)
-    # (\[[a-zA-Z0-9_\-\.,]+\])? Optional extras in brackets (e.g. [security,fast])
-    # ==                        Must be strictly '=='
-    # [a-zA-Z0-9_\-\.\+]+       Version string (alphanum, _, -, ., + for metadata)
-    # $                         End (No trailing constraints like ,>=2.0)
-
-    not regex.match("^[a-zA-Z0-9_\\-\\.]+(\\[[a-zA-Z0-9_\\-\\.,]+\\])?==[a-zA-Z0-9_\\-\\.\\+]+$", lib)
-    msg := sprintf("Compliance Violation: Library '%v' must be strictly pinned with '==' (e.g., 'pandas==2.0.1').", [lib])
-}
-
-# Rule 2 (Allowlist Enforcement): Libraries must be in TBOM
-deny contains msg if {
-    some i
-    lib_str := input.dependencies.libraries[i]
-
-    # Extract library name using regex
-    # Pattern must support dots (for namespace packages) and stop before extras brackets or version specifiers.
-    parts := regex.find_all_string_submatch_n("^[a-zA-Z0-9_\\-\\.]+", lib_str, 1)
-    count(parts) > 0
-    lib_name := parts[0][0]
-
-    # Check if lib_name is in tbom (case-insensitive)
-    not is_in_tbom(lib_name)
-
-    msg := sprintf("Compliance Violation: Library '%v' is not in the Trusted Bill of Materials (TBOM).", [lib_name])
-}
-
-# Helper to safely check if lib is in TBOM
-# Returns true if data.tbom exists AND contains the lib (case-insensitive)
-is_in_tbom(lib) if {
-    # Lowercase the input library name
-    lower_lib := lower(lib)
-
-    # Check against TBOM
-    # If data.tbom is undefined, this rule body is undefined (false).
-    # Iterate through TBOM and compare lowercased versions
-    some tbom_lib in data.tbom
-    lower(tbom_lib) == lower_lib
-}

coreason_manifest/policies/tbom.json

@@ -1,14 +0,0 @@
-{
-  "tbom": [
-    "requests",
-    "pydantic",
-    "httpx",
-    "pandas",
-    "numpy",
-    "scipy",
-    "scikit-learn",
-    "torch",
-    "fastapi",
-    "uvicorn"
-  ]
-}

coreason_manifest/policy.py

@@ -1,138 +0,0 @@
-# Prosperity-3.0
-"""Policy enforcement functionality using Open Policy Agent (OPA).
-
-This module provides the `PolicyEnforcer` class, which interacts with OPA to
-evaluate agent definitions against compliance policies defined in Rego.
-"""
-
-from __future__ import annotations
-
-import json
-import shutil
-import subprocess
-from pathlib import Path
-from typing import Any, List, Optional
-
-from coreason_manifest.errors import PolicyViolationError
-
-
-class PolicyEnforcer:
-    """Component C: PolicyEnforcer (The Compliance Officer).
-
-    Responsibility:
-      - Evaluate the agent against the compliance.rego policy file using OPA.
-    """
-
-    def __init__(
-        self,
-        policy_path: str | Path,
-        opa_path: str = "opa",
-        data_paths: Optional[List[str | Path]] = None,
-    ) -> None:
-        """Initialize the PolicyEnforcer.
-
-        Args:
-            policy_path: Path to the Rego policy file.
-            opa_path: Path to the OPA executable. Defaults to "opa" (expected in PATH).
-            data_paths: List of paths to data files (e.g. JSON/YAML) to be loaded by OPA.
-
-        Raises:
-            FileNotFoundError: If OPA, policy file, or data files are not found.
-        """
-        self.policy_path = Path(policy_path)
-        self.data_paths = [Path(p) for p in data_paths] if data_paths else []
-
-        # Validate OPA executable
-        # If opa_path is a simple name (like "opa"), use shutil.which to find it
-        if "/" not in str(opa_path) and "\\" not in str(opa_path):
-            resolved_opa: Optional[str] = shutil.which(opa_path)
-            if not resolved_opa:
-                raise FileNotFoundError(f"OPA executable not found in PATH: {opa_path}")
-            self.opa_path: str = resolved_opa
-        else:
-            # If it's a path, check existence
-            if not Path(opa_path).exists():
-                raise FileNotFoundError(f"OPA executable not found at: {opa_path}")
-            self.opa_path = str(opa_path)
-
-        if not self.policy_path.exists():
-            raise FileNotFoundError(f"Policy file not found: {self.policy_path}")
-
-        for path in self.data_paths:
-            if not path.exists():
-                raise FileNotFoundError(f"Data file not found: {path}")
-
-    def evaluate(self, agent_data: dict[str, Any]) -> None:
-        """Evaluates the agent data against the policy.
-
-        Args:
-            agent_data: The dictionary representation of the AgentDefinition.
-
-        Raises:
-            PolicyViolationError: If there are any policy violations.
-            RuntimeError: If OPA execution fails.
-        """
-        # Prepare input for OPA
-        # We invoke OPA via subprocess: opa eval -d <policy> -d <data> ... -I <input> "data.coreason.compliance.deny"
-        # We pass input via stdin to avoid temp files
-
-        try:
-            # We use 'data.coreason.compliance.deny' as the query
-            query = "data.coreason.compliance.deny"
-
-            # Serialize input to JSON
-            input_json = json.dumps(agent_data)
-
-            cmd = [
-                self.opa_path,
-                "eval",
-                "-d",
-                str(self.policy_path),
-            ]
-
-            # Add data paths
-            for data_path in self.data_paths:
-                cmd.extend(["-d", str(data_path)])
-
-            cmd.extend(
-                [
-                    "-I",  # Read input from stdin
-                    query,
-                    "--format",
-                    "json",
-                ]
-            )
-
-            process = subprocess.run(
-                cmd,
-                input=input_json,
-                capture_output=True,
-                text=True,
-                check=False,  # We handle return code manually
-            )
-
-            if process.returncode != 0:
-                # Include stdout in error message if stderr is empty or insufficient
-                error_msg = process.stderr.strip()
-                if not error_msg:
-                    error_msg = process.stdout.strip() or "Unknown error (empty stdout/stderr)"
-                raise RuntimeError(f"OPA execution failed: {error_msg}")
-
-            # Parse OPA output
-            # Format: {"result": [{"expressions": [{"value": ["violation1", "violation2"]}]}]}
-            result = json.loads(process.stdout)
-
-            violations: List[str] = []
-            if "result" in result and len(result["result"]) > 0:
-                # Assuming the query returns a set/list of strings
-                expressions = result["result"][0].get("expressions", [])
-                if expressions:
-                    violations = expressions[0].get("value", [])
-
-            if violations:
-                raise PolicyViolationError("Policy violations found.", violations=violations)
-
-        except FileNotFoundError as e:
-            raise RuntimeError(f"OPA executable not found at: {self.opa_path}") from e
-        except json.JSONDecodeError as e:
-            raise RuntimeError(f"Failed to parse OPA output: {e}") from e

coreason_manifest/server.py

@@ -1,123 +0,0 @@
-from contextlib import asynccontextmanager
-from importlib import resources
-from pathlib import Path
-from typing import AsyncIterator, List, Optional, Union
-
-from fastapi import FastAPI, HTTPException, Request, status
-from fastapi.responses import JSONResponse
-from pydantic import BaseModel, Field
-
-from coreason_manifest.engine import ManifestConfig, ManifestEngineAsync
-from coreason_manifest.errors import ManifestSyntaxError, PolicyViolationError
-
-
-# Response Model
-class ValidationResponse(BaseModel):
-    valid: bool
-    agent_id: Optional[str] = None
-    version: Optional[str] = None
-    policy_violations: List[str] = Field(default_factory=list)
-
-
-@asynccontextmanager
-async def lifespan(app: FastAPI) -> AsyncIterator[None]:
-    # Locate policies
-    policy_path: Optional[Path] = None
-    tbom_path: Optional[Path] = None
-
-    # 1. Check local directory (Docker runtime with COPY or relative dev path)
-    # In Docker we will COPY to /app/policies/ or ./policies/ relative to WORKDIR
-    # We'll check common locations.
-    possible_dirs = [
-        Path("policies"),
-        Path("/app/policies"),
-        Path("src/coreason_manifest/policies"),  # Dev from root
-    ]
-
-    for d in possible_dirs:
-        if (d / "compliance.rego").exists():
-            policy_path = d / "compliance.rego"
-            if (d / "tbom.json").exists():
-                tbom_path = d / "tbom.json"
-            break
-
-    # 2. Fallback to package resources
-    resource_context = None
-    if not policy_path:
-        try:
-            # Check if it exists as a resource
-            ref = resources.files("coreason_manifest.policies").joinpath("compliance.rego")
-            if ref.is_file():
-                resource_context = resources.as_file(ref)
-                policy_path = resource_context.__enter__()
-                # Check for TBOM in same dir if possible, or ignore for fallback
-        except Exception:
-            pass
-
-    # If still not found, fail.
-    if not policy_path:
-        raise RuntimeError("Could not locate compliance.rego policy file.")
-
-    config = ManifestConfig(
-        policy_path=policy_path,
-        tbom_path=tbom_path,
-        opa_path="opa",  # Assumes OPA is in PATH (installed via Dockerfile)
-    )
-
-    engine = ManifestEngineAsync(config)
-
-    try:
-        async with engine:
-            app.state.engine = engine
-            yield
-    finally:
-        if resource_context:
-            resource_context.__exit__(None, None, None)
-
-
-app = FastAPI(lifespan=lifespan)
-
-
-@app.post("/validate", response_model=ValidationResponse)  # type: ignore[misc]
-async def validate_manifest(request: Request) -> Union[ValidationResponse, JSONResponse]:
-    engine: ManifestEngineAsync = app.state.engine
-
-    try:
-        raw_body = await request.json()
-    except Exception:
-        raise HTTPException(status_code=400, detail="Invalid JSON body") from None
-
-    try:
-        agent_def = await engine.validate_manifest_dict(raw_body)
-        return ValidationResponse(
-            valid=True,
-            agent_id=str(agent_def.metadata.id),
-            version=agent_def.metadata.version,
-            policy_violations=[],
-        )
-    except ManifestSyntaxError as e:
-        # Return 422 with the error
-        resp = ValidationResponse(valid=False, policy_violations=[f"Syntax Error: {str(e)}"])
-        return JSONResponse(status_code=status.HTTP_422_UNPROCESSABLE_CONTENT, content=resp.model_dump())
-    except PolicyViolationError as e:
-        resp = ValidationResponse(valid=False, policy_violations=e.violations)
-        return JSONResponse(status_code=status.HTTP_422_UNPROCESSABLE_CONTENT, content=resp.model_dump())
-
-
-@app.get("/health")  # type: ignore[misc]
-async def health_check() -> dict[str, str]:
-    engine: ManifestEngineAsync = app.state.engine
-    policy_version = "unknown"
-    try:
-        import hashlib
-
-        # policy_path is guaranteed to exist by lifespan check
-        policy_path = Path(engine.config.policy_path)
-        if policy_path.exists():
-            with open(policy_path, "rb") as f:
-                digest = hashlib.sha256(f.read()).hexdigest()[:8]
-            policy_version = digest
-    except Exception:
-        pass
-
-    return {"status": "active", "policy_version": policy_version}