ctrlcode 0.1.0__py3-none-any.whl

ctrlcode/config.py

@@ -0,0 +1,380 @@
+"""Configuration management for ctrl-code."""
+
+import os
+import secrets
+import sys
+from pathlib import Path
+from dataclasses import dataclass, field
+from typing import Optional
+
+from ctrlcode.paths import get_cache_dir, get_config_dir
+
+try:
+    import tomllib
+except ImportError:
+    import tomli as tomllib  # type: ignore # Python < 3.11
+
+
+@dataclass
+class ServerConfig:
+    """Server configuration."""
+
+    host: str = "127.0.0.1"
+    port: int = 8765
+    api_key: str | None = None  # API key for authentication (generated if not set)
+
+
+@dataclass
+class ProviderConfig:
+    """Provider configuration."""
+
+    api_key: str
+    model: str
+    base_url: str | None = None
+
+
+@dataclass
+class EmbeddingsConfig:
+    """Embeddings configuration."""
+
+    api_key: str
+    base_url: str
+    model: str = "text-embedding-3-small"
+
+
+@dataclass
+class ContextConfig:
+    """Context window management configuration."""
+
+    prune_protect: int = 40000
+    default_limit: int = 200000
+
+
+@dataclass
+class FuzzingConfig:
+    """Differential fuzzing configuration (derived context architecture)."""
+
+    enabled: bool = True
+    max_iterations: int = 10
+    budget_tokens: int = 100000
+    budget_seconds: int = 30
+
+    # Test distribution
+    input_fuzz_ratio: float = 0.3
+    environment_fuzz_ratio: float = 0.4
+    combined_fuzz_ratio: float = 0.2
+    invariant_fuzz_ratio: float = 0.1
+
+    # Oracle settings
+    oracle_confidence_threshold: float = 0.8  # Min confidence to apply oracle corrections
+    context_re_derivation_on_mismatch: bool = True
+
+    # Skip fuzzing conditions
+    simple_edits: bool = True
+    under_lines: int = 10
+
+
+@dataclass
+class SecurityConfig:
+    """Security configuration."""
+
+    # Input validation
+    max_input_length: int = 200000  # 200K chars (roughly matches context window), -1 = unlimited
+
+    # Rate limiting
+    rate_limit_enabled: bool = True
+    rate_limit_window_seconds: float = 60.0  # 1 minute
+    rate_limit_max_requests: int = 30  # Requests per window
+
+
+@dataclass
+class MCPServerConfig:
+    """MCP server configuration."""
+
+    name: str
+    command: list[str]
+    env: dict[str, str] = field(default_factory=dict)
+
+
+@dataclass
+class Config:
+    """Main configuration."""
+
+    server: ServerConfig = field(default_factory=ServerConfig)
+    anthropic: Optional[ProviderConfig] = None
+    openai: Optional[ProviderConfig] = None
+    embeddings: Optional[EmbeddingsConfig] = None
+    context: ContextConfig = field(default_factory=ContextConfig)
+    fuzzing: FuzzingConfig = field(default_factory=FuzzingConfig)
+    security: SecurityConfig = field(default_factory=SecurityConfig)
+    mcp_servers: list[MCPServerConfig] = field(default_factory=list)
+    skills_directory: Optional[Path] = None
+    storage_path: Optional[Path] = None
+    workspace_root: Optional[Path] = None
+
+    @staticmethod
+    def _validate_config_permissions(config_path: Path) -> None:
+        """
+        Validate config file has secure permissions.
+
+        Args:
+            config_path: Path to config file
+
+        Raises:
+            ValueError: If permissions are insecure
+        """
+        import stat
+
+        # Check file permissions
+        file_stat = config_path.stat()
+        mode = file_stat.st_mode
+
+        # Check if world-writable or group-writable
+        if mode & stat.S_IWOTH:
+            raise ValueError(
+                f"Config file {config_path} is world-writable (insecure). "
+                f"Run: chmod 600 {config_path}"
+            )
+        if mode & stat.S_IWGRP:
+            raise ValueError(
+                f"Config file {config_path} is group-writable (insecure). "
+                f"Run: chmod 600 {config_path}"
+            )
+
+    @classmethod
+    def load(cls, config_path: Optional[Path] = None) -> "Config":
+        """
+        Load configuration from TOML file.
+
+        Args:
+            config_path: Path to config file (default: ~/.config/ctrlcode/config.toml)
+
+        Returns:
+            Config instance
+        """
+        if config_path is None:
+            config_path = get_config_dir() / "config.toml"
+
+        if not config_path.exists():
+            # Return default config
+            return cls()
+
+        # Security: validate file permissions before loading
+        cls._validate_config_permissions(config_path)
+
+        with open(config_path, "rb") as f:
+            data = tomllib.load(f)
+
+        # Parse server config
+        server_data = data.get("server", {})
+
+        # Generate API key if not present
+        if "api_key" not in server_data or not server_data["api_key"]:
+            server_data["api_key"] = secrets.token_urlsafe(32)
+            # Save generated key back to config
+            if config_path:
+                cls._save_api_key(config_path, server_data["api_key"])
+
+        server = ServerConfig(**server_data)
+
+        # Parse provider configs
+        anthropic = None
+        if "providers" in data and "anthropic" in data["providers"]:
+            anthropic_data = data["providers"]["anthropic"]
+            # Get API key from env or config
+            api_key = os.environ.get("ANTHROPIC_API_KEY", anthropic_data.get("api_key"))
+            if api_key:
+                anthropic = ProviderConfig(
+                    api_key=api_key,
+                    model=anthropic_data.get("model", "claude-sonnet-4-5-20250929"),
+                    base_url=anthropic_data.get("base_url")
+                )
+
+        openai = None
+        if "providers" in data and "openai" in data["providers"]:
+            openai_data = data["providers"]["openai"]
+            # Get API key from env or config
+            api_key = os.environ.get("OPENAI_API_KEY", openai_data.get("api_key"))
+            if api_key:
+                openai = ProviderConfig(
+                    api_key=api_key,
+                    model=openai_data.get("model", "gpt-4"),
+                    base_url=openai_data.get("base_url")
+                )
+
+        # Parse embeddings config
+        embeddings = None
+        if "embeddings" in data:
+            embeddings_data = data["embeddings"]
+            # Get API key from env or config
+            api_key = os.environ.get("EMBEDDINGS_API_KEY", embeddings_data.get("api_key"))
+            base_url = embeddings_data.get("base_url")
+            if api_key and base_url:
+                embeddings = EmbeddingsConfig(
+                    api_key=api_key,
+                    base_url=base_url,
+                    model=embeddings_data.get("model", "text-embedding-3-small")
+                )
+
+        # Parse context config
+        context = ContextConfig(**data.get("context", {}))
+
+        # Parse security config
+        security = SecurityConfig(**data.get("security", {}))
+
+        # Parse fuzzing config
+        fuzzing_data = data.get("fuzzing", {})
+        fuzzing = FuzzingConfig(
+            enabled=fuzzing_data.get("enabled", True),
+            max_iterations=fuzzing_data.get("max_iterations", 10),
+            budget_tokens=fuzzing_data.get("budget_tokens", 100000),
+            budget_seconds=fuzzing_data.get("budget_seconds", 30),
+            input_fuzz_ratio=fuzzing_data.get("distribution", {}).get("input_fuzz_ratio", 0.3),
+            environment_fuzz_ratio=fuzzing_data.get("distribution", {}).get("environment_fuzz_ratio", 0.4),
+            combined_fuzz_ratio=fuzzing_data.get("distribution", {}).get("combined_fuzz_ratio", 0.2),
+            invariant_fuzz_ratio=fuzzing_data.get("distribution", {}).get("invariant_fuzz_ratio", 0.1),
+            oracle_confidence_threshold=fuzzing_data.get("oracle", {}).get("confidence_threshold", 0.8),
+            context_re_derivation_on_mismatch=fuzzing_data.get("oracle", {}).get("re_derivation_on_mismatch", True),
+            simple_edits=fuzzing_data.get("skip", {}).get("simple_edits", True),
+            under_lines=fuzzing_data.get("skip", {}).get("under_lines", 10),
+        )
+
+        # Parse MCP servers with security validation
+        mcp_servers = []
+        for server_data in data.get("mcp", {}).get("servers", []):
+            # Security: validate MCP server executable
+            command = server_data["command"]
+            if not command:
+                raise ValueError(f"MCP server '{server_data['name']}' has empty command")
+
+            # IMPORTANT: Expand all paths FIRST, then validate the expanded result
+            # This prevents TOCTOU (Time of Check Time of Use) vulnerabilities
+            expanded_command = [
+                str(Path(part).expanduser()) if part.startswith("~") else part
+                for part in command
+            ]
+
+            executable = expanded_command[0]
+
+            # Resolve to absolute path (follows symlinks, removes ..)
+            exe_path = Path(executable).resolve()
+
+            # Security: Check for path traversal attempts
+            # After resolve(), if path still contains .., something is wrong
+            if ".." in exe_path.parts:
+                raise ValueError(
+                    f"MCP server '{server_data['name']}' executable contains path traversal: {executable}"
+                )
+
+            # Allow executables from trusted locations
+            trusted_prefixes = [
+                Path(sys.prefix).resolve() / "bin",  # Virtual environment
+                Path(sys.prefix).resolve() / "Scripts",  # Windows venv
+                (Path.home() / ".local" / "bin").resolve(),  # User installs
+                Path("/usr/local/bin").resolve(),  # System-wide
+                Path("/usr/bin").resolve(),  # System
+                (Path(get_config_dir()) / "mcp-servers").resolve(),  # User MCP servers directory
+            ]
+
+            # Check if resolved path is within any trusted prefix
+            is_trusted = any(
+                exe_path.is_relative_to(prefix)
+                for prefix in trusted_prefixes
+                if prefix.exists()
+            )
+
+            if not is_trusted:
+                raise ValueError(
+                    f"MCP server '{server_data['name']}' executable '{exe_path}' "
+                    f"is not in a trusted location. Expected in: "
+                    f"{', '.join(str(p) for p in trusted_prefixes if p.exists())}"
+                )
+
+            # Verify it's an executable file
+            if not exe_path.is_file():
+                raise ValueError(f"MCP server '{server_data['name']}' executable '{exe_path}' is not a file")
+
+            if not os.access(exe_path, os.X_OK):
+                raise ValueError(f"MCP server '{server_data['name']}' executable '{exe_path}' is not executable")
+
+            # Update command with resolved absolute path (prevents symlink attacks)
+            expanded_command[0] = str(exe_path)
+
+            mcp_servers.append(MCPServerConfig(
+                name=server_data["name"],
+                command=expanded_command,
+                env=server_data.get("env", {})
+            ))
+
+        # Parse skills directory
+        skills_dir = None
+        if "skills" in data and "directory" in data["skills"]:
+            skills_dir = Path(data["skills"]["directory"]).expanduser()
+
+        # Storage path
+        storage_path = get_cache_dir() / "conversations"
+
+        # Workspace root (default to cwd, can be overridden in config)
+        workspace_root = Path.cwd()
+        if "workspace" in data and "root" in data["workspace"]:
+            workspace_root = Path(data["workspace"]["root"]).expanduser()
+
+        return cls(
+            server=server,
+            anthropic=anthropic,
+            openai=openai,
+            embeddings=embeddings,
+            context=context,
+            fuzzing=fuzzing,
+            security=security,
+            mcp_servers=mcp_servers,
+            skills_directory=skills_dir,
+            storage_path=storage_path,
+            workspace_root=workspace_root,
+        )
+
+    @staticmethod
+    def _save_api_key(config_path: Path, api_key: str) -> None:
+        """
+        Save generated API key to config file.
+
+        Args:
+            config_path: Path to config file
+            api_key: Generated API key
+        """
+        import tomllib
+
+        # Read existing config
+        if config_path.exists():
+            with open(config_path, "rb") as f:
+                data = tomllib.load(f)
+        else:
+            data = {}
+
+        # Add API key to server section
+        if "server" not in data:
+            data["server"] = {}
+        data["server"]["api_key"] = api_key
+
+        # Write back as TOML
+        with open(config_path, "w") as f:
+            f.write("# Ctrl+Code Configuration\n\n")
+            f.write("[server]\n")
+            for key, value in data.get("server", {}).items():
+                if isinstance(value, str):
+                    f.write(f'{key} = "{value}"\n')
+                else:
+                    f.write(f'{key} = {value}\n')
+
+            # Write other sections if they exist
+            for section, content in data.items():
+                if section != "server" and isinstance(content, dict):
+                    f.write(f"\n[{section}]\n")
+                    for key, value in content.items():
+                        if isinstance(value, str):
+                            f.write(f'{key} = "{value}"\n')
+                        else:
+                            f.write(f'{key} = {value}\n')
+
+        # Set secure file permissions (user read/write only)
+        config_path.chmod(0o600)

ctrlcode/embeddings/__init__.py

@@ -0,0 +1,6 @@
+"""Embedding infrastructure for semantic code analysis and historical learning."""
+
+from ctrlcode.embeddings.embedder import CodeEmbedder
+from ctrlcode.embeddings.vector_store import VectorStore
+
+__all__ = ["CodeEmbedder", "VectorStore"]

ctrlcode/embeddings/embedder.py

@@ -0,0 +1,192 @@
+"""Code embedding generation using provider's OpenAI-compatible embeddings endpoint."""
+
+import logging
+from typing import Optional, Literal
+
+import numpy as np
+
+logger = logging.getLogger(__name__)
+
+
+class CodeEmbedder:
+    """Generate semantic embeddings for code, oracles, tests, and bug patterns.
+
+    Uses OpenAI-compatible embeddings endpoint (/v1/embeddings).
+    Works with any OpenAI-compatible server (vLLM, LM Studio, Ollama, etc.).
+    """
+
+    def __init__(
+        self,
+        api_key: str,
+        base_url: str,
+        model_name: str = "text-embedding-3-small",
+        normalize: bool = True,
+    ):
+        """Initialize embedder with embeddings endpoint configuration.
+
+        Args:
+            api_key: API key for embeddings endpoint
+            base_url: Base URL for OpenAI-compatible embeddings API
+            model_name: Embedding model name (default: text-embedding-3-small)
+            normalize: L2-normalize embeddings for cosine similarity
+        """
+        if not api_key or not base_url:
+            raise ValueError("api_key and base_url required for embeddings")
+
+        self.api_key = api_key
+        self.base_url = base_url
+        self.model_name = model_name
+        self.normalize = normalize
+        self._embedding_dim: Optional[int] = None
+        self.backend = "api"
+
+    @property
+    def embedding_dim(self) -> int:
+        """Dimension of embedding vectors."""
+        if self._embedding_dim is None:
+            # text-embedding-3-small: 1536 dimensions
+            # text-embedding-ada-002: 1536 dimensions
+            # Most OpenAI-compatible endpoints use 1536
+            self._embedding_dim = 1536
+        return self._embedding_dim
+
+    def embed_code(self, code: str) -> np.ndarray:
+        """Embed source code into semantic vector.
+
+        Args:
+            code: Source code string
+
+        Returns:
+            Normalized embedding vector (numpy array)
+        """
+        return self._embed_single(code)
+
+    def embed_oracle(self, oracle: str) -> np.ndarray:
+        """Embed behavioral oracle/invariants.
+
+        Args:
+            oracle: Oracle specification text
+
+        Returns:
+            Normalized embedding vector
+        """
+        return self._embed_single(oracle)
+
+    def embed_test_case(self, test_case: str) -> np.ndarray:
+        """Embed test case code.
+
+        Args:
+            test_case: Test code string
+
+        Returns:
+            Normalized embedding vector
+        """
+        return self._embed_single(test_case)
+
+    def embed_bug_pattern(self, bug_description: str) -> np.ndarray:
+        """Embed bug pattern description.
+
+        Args:
+            bug_description: Bug description and context
+
+        Returns:
+            Normalized embedding vector
+        """
+        return self._embed_single(bug_description)
+
+    def embed_batch(self, texts: list[str]) -> np.ndarray:
+        """Embed multiple texts efficiently.
+
+        Args:
+            texts: List of text strings to embed
+
+        Returns:
+            Array of embeddings (shape: [len(texts), embedding_dim])
+        """
+        if not texts:
+            return np.array([])
+
+        return self._embed_batch_api(texts)
+
+    def _embed_single(self, text: str) -> np.ndarray:
+        """Internal method to embed single text."""
+        return self._embed_single_api(text)
+
+    def _embed_single_api(self, text: str) -> np.ndarray:
+        """Embed using OpenAI-compatible API endpoint."""
+        import openai
+
+        client = openai.OpenAI(api_key=self.api_key, base_url=self.base_url)
+
+        try:
+            response = client.embeddings.create(
+                input=text,
+                model=self.model_name
+            )
+
+            # Check if response has data
+            if not hasattr(response, 'data') or not response.data:
+                logger.error(f"No embedding data received. Response: {response}")
+                raise ValueError("No embedding data received")
+
+            # Extract embedding
+            embedding = np.array(response.data[0].embedding, dtype=np.float32)
+
+            # Normalize if requested
+            if self.normalize:
+                norm = np.linalg.norm(embedding)
+                if norm > 0:
+                    embedding = embedding / norm
+
+            return embedding
+
+        except Exception as e:
+            logger.error(f"Embedding API error: {e}")
+            # Return zero vector as fallback
+            return np.zeros(self.embedding_dim, dtype=np.float32)
+
+    def _embed_batch_api(self, texts: list[str]) -> np.ndarray:
+        """Embed batch using OpenAI-compatible API endpoint."""
+        import openai
+
+        client = openai.OpenAI(api_key=self.api_key, base_url=self.base_url)
+
+        try:
+            response = client.embeddings.create(
+                input=texts,
+                model=self.model_name
+            )
+
+            # Check if response has data
+            if not hasattr(response, 'data') or not response.data:
+                logger.error(f"No embedding data received. Response: {response}")
+                raise ValueError("No embedding data received")
+
+            # Extract embeddings in order
+            embeddings = [np.array(item.embedding, dtype=np.float32) for item in response.data]
+            embeddings = np.array(embeddings)
+
+            # Normalize if requested
+            if self.normalize:
+                norms = np.linalg.norm(embeddings, axis=1, keepdims=True)
+                embeddings = np.where(norms > 0, embeddings / norms, embeddings)
+
+            return embeddings
+
+        except Exception as e:
+            logger.error(f"Batch embedding API error: {e}")
+            # Return zero vectors as fallback
+            return np.zeros((len(texts), self.embedding_dim), dtype=np.float32)
+
+    def cosine_similarity(self, emb1: np.ndarray, emb2: np.ndarray) -> float:
+        """Calculate cosine similarity between two embeddings.
+
+        Args:
+            emb1: First embedding (normalized)
+            emb2: Second embedding (normalized)
+
+        Returns:
+            Similarity score in [0, 1] (assumes normalized embeddings)
+        """
+        # For normalized vectors, cosine similarity = dot product
+        return float(np.dot(emb1, emb2))