cybersecured-agent-cli 2.0.0__py3-none-any.whl

cybersecured_agent/__init__.py

@@ -0,0 +1,12 @@
+"""Cybersecured (厚锋科技) Agent CLI - 龙行无忧 AI智能体风险管家服务命令行工具。
+
+A cross-platform CLI tool for AI智能体 risk assessment and advisory services.
+Supports Windows, Linux, macOS, cloud platforms, and Docker containers.
+
+License: GPL-3.0-or-later
+"""
+
+__version__ = "2.0.0"
+__author__ = "Cybersecured Technology (厚锋科技)"
+__email__ = "developer@cybersecured.cn"
+__license__ = "GPL-3.0-or-later"

cybersecured_agent/__main__.py

@@ -0,0 +1,6 @@
+"""Entry point for python -m cybersecured_agent."""
+
+from .cli import main
+
+if __name__ == "__main__":
+    main()

cybersecured_agent/agent_frameworks/__init__.py

@@ -0,0 +1,23 @@
+"""Agent framework modules registry.
+
+Related design: docs/41.tools-designs/design-cybersecured-agent-cli.md
+"""
+
+from . import openclaw, hermes, kimi_cli, opencode
+from ..fingerprint.versions import FP_CURRENT_VERSION
+
+# Order = detection priority (highest first)
+SUPPORTED_FRAMEWORKS = (openclaw, hermes, kimi_cli, opencode)
+
+_REQUIRED_ATTRS = ("NAME", "detect", "collect_environment", "STABLE_IDENTITY_BY_VERSION")
+
+for _mod in SUPPORTED_FRAMEWORKS:
+    for _attr in _REQUIRED_ATTRS:
+        if not hasattr(_mod, _attr):
+            raise ImportError(
+                f"agent_frameworks/{_mod.__name__} missing required attribute '{_attr}'"
+            )
+    if FP_CURRENT_VERSION not in _mod.STABLE_IDENTITY_BY_VERSION:
+        raise ImportError(
+            f"{_mod.__name__} must implement fp version {FP_CURRENT_VERSION}"
+        )

cybersecured_agent/agent_frameworks/_types.py

@@ -0,0 +1,17 @@
+"""Shared types for agent framework modules.
+
+Related design: docs/41.tools-designs/design-cybersecured-agent-cli.md
+"""
+
+from typing import Any, Dict, NamedTuple
+
+
+class DetectionResult(NamedTuple):
+    matched: bool
+    evidence: Dict[str, Any]
+
+
+class ProcessInfo(NamedTuple):
+    pid: int
+    ppid: int
+    args: str

cybersecured_agent/agent_frameworks/hermes.py

@@ -0,0 +1,108 @@
+"""Hermes framework detection and identity extraction.
+
+Related design: docs/41.tools-designs/design-cybersecured-agent-cli.md
+"""
+
+import os
+from pathlib import Path
+from typing import Any, Dict, Mapping
+
+from ..infra.config_files import read_json, read_with_desensitize
+from ._types import DetectionResult, ProcessInfo
+
+NAME = "hermes"
+
+_ENV_VARS = ["HERMES_HOME"]
+_CONFIG_DIRS = [Path.home() / ".hermes"]
+_CONFIG_FILENAMES = ["config.json"]
+
+
+def detect(env: Mapping[str, str], proc_chain: list[ProcessInfo]) -> DetectionResult:
+    evidence: Dict[str, Any] = {}
+
+    for var in _ENV_VARS:
+        val = env.get(var)
+        evidence[f"env_var_{var}"] = "present" if val else "absent"
+        if val:
+            return DetectionResult(matched=True, evidence=evidence)
+
+    for info in proc_chain:
+        if "hermes" in info.args.lower():
+            evidence["process_match"] = "hermes-runtime"
+            return DetectionResult(matched=True, evidence=evidence)
+    evidence["process_match"] = "none"
+
+    # Config dir existence alone does NOT mean "currently running hermes".
+    for cfg_dir in _CONFIG_DIRS:
+        if cfg_dir.exists():
+            evidence["config_dir"] = str(cfg_dir)
+            break
+    else:
+        evidence["config_dir"] = "not found"
+
+    return DetectionResult(matched=False, evidence=evidence)
+
+
+def collect_environment(env: Mapping[str, str],
+                        proc_chain: list[ProcessInfo],
+                        workspace: Path) -> Dict[str, Any]:
+    data: Dict[str, Any] = {
+        "env_vars": {},
+        "config_files": {},
+        "version": None,
+    }
+
+    for var in _ENV_VARS:
+        if var in env:
+            data["env_vars"][var] = env[var]
+
+    for cfg_dir in _CONFIG_DIRS:
+        if not cfg_dir.exists():
+            continue
+        for filename in _CONFIG_FILENAMES:
+            path = cfg_dir / filename
+            if path.exists():
+                data["config_files"][filename] = read_with_desensitize(path)
+        version_path = cfg_dir / "config.json"
+        if version_path.exists():
+            cfg = read_json(version_path)
+            if isinstance(cfg, dict):
+                data["version"] = cfg.get("version")
+        break
+
+    return data
+
+
+def _resolve_config_path(env: Mapping[str, str], workspace: Path) -> str:
+    hermes_home = env.get("HERMES_HOME")
+    if hermes_home:
+        return str(Path(hermes_home).resolve()).replace("\\", "/")
+
+    for cfg_dir in _CONFIG_DIRS:
+        if cfg_dir.exists():
+            for filename in _CONFIG_FILENAMES:
+                path = cfg_dir / filename
+                if path.exists():
+                    return str(path.resolve()).replace("\\", "/")
+            return str(cfg_dir.resolve()).replace("\\", "/")
+
+    return str(workspace.resolve()).replace("\\", "/")
+
+
+def _identity_legacy(env: Mapping[str, str],
+                     proc_chain: list[ProcessInfo],
+                     workspace: Path) -> Dict[str, str]:
+    return {"config_path": _resolve_config_path(env, workspace)}
+
+
+def _identity_v1(env: Mapping[str, str],
+                 proc_chain: list[ProcessInfo],
+                 workspace: Path) -> Dict[str, str]:
+    return _identity_legacy(env, proc_chain, workspace)
+
+
+STABLE_IDENTITY_BY_VERSION = {
+    "sha256": _identity_legacy,
+    "v0": _identity_legacy,
+    "v1": _identity_v1,
+}

cybersecured_agent/agent_frameworks/kimi_cli.py

@@ -0,0 +1,108 @@
+"""Kimi CLI framework detection and identity extraction.
+
+Related design: docs/41.tools-designs/design-cybersecured-agent-cli.md
+"""
+
+import os
+from pathlib import Path
+from typing import Any, Dict, Mapping
+
+from ..infra.config_files import read_json, read_with_desensitize
+from ._types import DetectionResult, ProcessInfo
+
+NAME = "kimi-cli"
+
+_ENV_VARS = ["KIMI_WORK_DIR", "KIMI_SHARE_DIR", "KIMI_CONFIG_PATH"]
+_CONFIG_DIRS = [Path.home() / ".kimi"]
+_CONFIG_FILENAMES = ["config.json", "config.toml"]
+
+
+def detect(env: Mapping[str, str], proc_chain: list[ProcessInfo]) -> DetectionResult:
+    evidence: Dict[str, Any] = {}
+
+    for var in _ENV_VARS:
+        val = env.get(var)
+        evidence[f"env_var_{var}"] = "present" if val else "absent"
+        if val:
+            return DetectionResult(matched=True, evidence=evidence)
+
+    for info in proc_chain:
+        if "kimi" in info.args.lower():
+            evidence["process_match"] = "kimi-runtime"
+            return DetectionResult(matched=True, evidence=evidence)
+    evidence["process_match"] = "none"
+
+    # Config dir existence alone does NOT mean "currently running kimi-cli".
+    for cfg_dir in _CONFIG_DIRS:
+        if cfg_dir.exists():
+            evidence["config_dir"] = str(cfg_dir)
+            break
+    else:
+        evidence["config_dir"] = "not found"
+
+    return DetectionResult(matched=False, evidence=evidence)
+
+
+def collect_environment(env: Mapping[str, str],
+                        proc_chain: list[ProcessInfo],
+                        workspace: Path) -> Dict[str, Any]:
+    data: Dict[str, Any] = {
+        "env_vars": {},
+        "config_files": {},
+        "version": None,
+    }
+
+    for var in _ENV_VARS:
+        if var in env:
+            data["env_vars"][var] = env[var]
+
+    for cfg_dir in _CONFIG_DIRS:
+        if not cfg_dir.exists():
+            continue
+        for filename in _CONFIG_FILENAMES:
+            path = cfg_dir / filename
+            if path.exists():
+                data["config_files"][filename] = read_with_desensitize(path)
+        version_path = cfg_dir / "config.json"
+        if version_path.exists():
+            cfg = read_json(version_path)
+            if isinstance(cfg, dict):
+                data["version"] = cfg.get("version")
+        break
+
+    return data
+
+
+def _resolve_config_path(env: Mapping[str, str], workspace: Path) -> str:
+    config_path = env.get("KIMI_CONFIG_PATH")
+    if config_path:
+        return str(Path(config_path).resolve()).replace("\\", "/")
+
+    for cfg_dir in _CONFIG_DIRS:
+        if cfg_dir.exists():
+            for filename in _CONFIG_FILENAMES:
+                path = cfg_dir / filename
+                if path.exists():
+                    return str(path.resolve()).replace("\\", "/")
+            return str(cfg_dir.resolve()).replace("\\", "/")
+
+    return str(workspace.resolve()).replace("\\", "/")
+
+
+def _identity_legacy(env: Mapping[str, str],
+                     proc_chain: list[ProcessInfo],
+                     workspace: Path) -> Dict[str, str]:
+    return {"config_path": _resolve_config_path(env, workspace)}
+
+
+def _identity_v1(env: Mapping[str, str],
+                 proc_chain: list[ProcessInfo],
+                 workspace: Path) -> Dict[str, str]:
+    return _identity_legacy(env, proc_chain, workspace)
+
+
+STABLE_IDENTITY_BY_VERSION = {
+    "sha256": _identity_legacy,
+    "v0": _identity_legacy,
+    "v1": _identity_v1,
+}

cybersecured_agent/agent_frameworks/openclaw.py

@@ -0,0 +1,117 @@
+"""OpenClaw framework detection and identity extraction.
+
+Related design: docs/41.tools-designs/design-cybersecured-agent-cli.md
+"""
+
+import os
+from pathlib import Path
+from typing import Any, Dict, Mapping
+
+from ..infra.config_files import read_json, read_with_desensitize
+from ._types import DetectionResult, ProcessInfo
+
+NAME = "openclaw"
+
+_ENV_VARS = ["OPENCLAW_WORKSPACE", "OPENCLAW_WORKSPACE_DIR"]
+_CONFIG_DIRS = [Path.home() / ".openclaw"]
+_CONFIG_FILENAMES = ["config.json", "agents.json"]
+
+
+def detect(env: Mapping[str, str], proc_chain: list[ProcessInfo]) -> DetectionResult:
+    evidence: Dict[str, Any] = {}
+
+    for var in _ENV_VARS:
+        val = env.get(var)
+        evidence[f"env_var_{var}"] = "present" if val else "absent"
+        if val:
+            return DetectionResult(matched=True, evidence=evidence)
+
+    for info in proc_chain:
+        if "openclaw" in info.args.lower():
+            evidence["process_match"] = "openclaw-runtime"
+            return DetectionResult(matched=True, evidence=evidence)
+    evidence["process_match"] = "none"
+
+    # Config dir existence alone does NOT mean "currently running openclaw".
+    # It only indicates the user has installed it. Record for diagnostics only.
+    for cfg_dir in _CONFIG_DIRS:
+        if cfg_dir.exists():
+            evidence["config_dir"] = str(cfg_dir)
+            break
+    else:
+        evidence["config_dir"] = "not found"
+
+    return DetectionResult(matched=False, evidence=evidence)
+
+
+def collect_environment(env: Mapping[str, str],
+                        proc_chain: list[ProcessInfo],
+                        workspace: Path) -> Dict[str, Any]:
+    data: Dict[str, Any] = {
+        "env_vars": {},
+        "config_files": {},
+        "version": None,
+    }
+
+    for var in _ENV_VARS:
+        if var in env:
+            data["env_vars"][var] = env[var]
+
+    for cfg_dir in _CONFIG_DIRS:
+        if not cfg_dir.exists():
+            continue
+        for filename in _CONFIG_FILENAMES:
+            path = cfg_dir / filename
+            if path.exists():
+                data["config_files"][filename] = read_with_desensitize(path)
+        # Try to extract version from config.json
+        version_path = cfg_dir / "config.json"
+        if version_path.exists():
+            cfg = read_json(version_path)
+            if isinstance(cfg, dict):
+                data["version"] = cfg.get("version")
+        break
+
+    return data
+
+
+def _resolve_config_path(env: Mapping[str, str], workspace: Path) -> str:
+    """Resolve the stable config path for legacy fingerprint generation."""
+    config_path = env.get("OPENCLAW_CONFIG")
+    if config_path:
+        return str(Path(config_path).resolve()).replace("\\", "/")
+
+    for cfg_dir in _CONFIG_DIRS:
+        if cfg_dir.exists():
+            for filename in _CONFIG_FILENAMES:
+                path = cfg_dir / filename
+                if path.exists():
+                    return str(path.resolve()).replace("\\", "/")
+            return str(cfg_dir.resolve()).replace("\\", "/")
+
+    return str(workspace.resolve()).replace("\\", "/")
+
+
+def _identity_legacy(env: Mapping[str, str],
+                     proc_chain: list[ProcessInfo],
+                     workspace: Path) -> Dict[str, str]:
+    """Legacy fingerprint fields (sha256 + v0). Frozen — never change."""
+    return {"config_path": _resolve_config_path(env, workspace)}
+
+
+def _identity_v1(env: Mapping[str, str],
+                 proc_chain: list[ProcessInfo],
+                 workspace: Path) -> Dict[str, str]:
+    """v1 fingerprint fields. Placeholder — will be refined in Phase B
+    after real environment sampling via diagnose.
+    """
+    # For Phase A, v1 uses the same stable field as legacy to avoid
+    # fp changes before we are ready to bump FP_CURRENT_VERSION.
+    return _identity_legacy(env, proc_chain, workspace)
+
+
+STABLE_IDENTITY_BY_VERSION = {
+    "sha256": _identity_legacy,
+    "v0": _identity_legacy,
+    "v1": _identity_v1,
+}

cybersecured_agent/agent_frameworks/opencode.py

@@ -0,0 +1,111 @@
+"""Opencode framework detection and identity extraction.
+
+Related design: docs/41.tools-designs/design-cybersecured-agent-cli.md
+
+Detection signals (from diagnose sampling on macOS):
+- Process chain contains "opencode" keyword
+- Config dir ~/.config/opencode/ with opencode.json / oh-my-openagent.json
+- No known env vars as of 2026-05-10
+"""
+
+import os
+from pathlib import Path
+from typing import Any, Dict, Mapping
+
+from ..infra.config_files import read_json, read_with_desensitize
+from ._types import DetectionResult, ProcessInfo
+
+NAME = "opencode"
+
+_ENV_VARS: list[str] = ['OPENCODE', 'OPENCODE_RUN_ID', 'OPENCODE_PID', 'OPENCODE_PROCESS_ROLE']
+_CONFIG_DIRS = [Path.home() / ".config" / "opencode"]
+_CONFIG_FILENAMES = ["opencode.json"]
+
+
+def detect(env: Mapping[str, str], proc_chain: list[ProcessInfo]) -> DetectionResult:
+    evidence: Dict[str, Any] = {}
+
+    for var in _ENV_VARS:
+        val = env.get(var)
+        evidence[f"env_var_{var}"] = "present" if val else "absent"
+        if val:
+            return DetectionResult(matched=True, evidence=evidence)
+
+    for info in proc_chain:
+        if "opencode" in info.args.lower():
+            evidence["process_match"] = "opencode-runtime"
+            return DetectionResult(matched=True, evidence=evidence)
+    evidence["process_match"] = "none"
+
+    # Config dir existence alone does NOT mean "currently running opencode".
+    for cfg_dir in _CONFIG_DIRS:
+        if cfg_dir.exists():
+            evidence["config_dir"] = str(cfg_dir)
+            break
+    else:
+        evidence["config_dir"] = "not found"
+
+    return DetectionResult(matched=False, evidence=evidence)
+
+
+def collect_environment(env: Mapping[str, str],
+                        proc_chain: list[ProcessInfo],
+                        workspace: Path) -> Dict[str, Any]:
+    data: Dict[str, Any] = {
+        "env_vars": {},
+        "config_files": {},
+        "version": None,
+    }
+
+    for var in _ENV_VARS:
+        if var in env:
+            data["env_vars"][var] = env[var]
+
+    for cfg_dir in _CONFIG_DIRS:
+        if not cfg_dir.exists():
+            continue
+        for filename in _CONFIG_FILENAMES:
+            path = cfg_dir / filename
+            if path.exists():
+                data["config_files"][filename] = read_with_desensitize(path)
+        version_path = cfg_dir / "opencode.json"
+        if version_path.exists():
+            cfg = read_json(version_path)
+            if isinstance(cfg, dict):
+                data["version"] = cfg.get("version")
+        break
+
+    return data
+
+
+def _resolve_config_path(env: Mapping[str, str], workspace: Path) -> str:
+    for cfg_dir in _CONFIG_DIRS:
+        if cfg_dir.exists():
+            for filename in _CONFIG_FILENAMES:
+                path = cfg_dir / filename
+                if path.exists():
+                    return str(path.resolve()).replace("\\", "/")
+            return str(cfg_dir.resolve()).replace("\\", "/")
+
+    return str(workspace.resolve()).replace("\\", "/")
+
+
+def _identity_legacy(env: Mapping[str, str],
+                     proc_chain: list[ProcessInfo],
+                     workspace: Path) -> Dict[str, str]:
+    """Legacy fingerprint fields (sha256 + v0). Frozen — never change."""
+    return {"config_path": _resolve_config_path(env, workspace)}
+
+
+def _identity_v1(env: Mapping[str, str],
+                 proc_chain: list[ProcessInfo],
+                 workspace: Path) -> Dict[str, str]:
+    """v1 fingerprint fields. Placeholder — will be refined in Phase B."""
+    return _identity_legacy(env, proc_chain, workspace)
+
+
+STABLE_IDENTITY_BY_VERSION = {
+    "sha256": _identity_legacy,
+    "v0": _identity_legacy,
+    "v1": _identity_v1,
+}