devloop 0.2.1__tar.gz → 0.3.0__tar.gz

{devloop-0.2.1 → devloop-0.3.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: devloop
-Version: 0.2.1
+Version: 0.3.0
 Summary: Intelligent background agents for development workflow automation
 License: MIT
 License-File: LICENSE
@@ -21,6 +21,10 @@ Classifier: Topic :: Software Development :: Build Tools
 Classifier: Topic :: Software Development :: Libraries :: Python Modules
 Classifier: Topic :: Software Development :: Quality Assurance
 Classifier: Topic :: Utilities
+Provides-Extra: all-optional
+Provides-Extra: ci-monitor
+Provides-Extra: code-rabbit
+Provides-Extra: snyk
 Requires-Dist: aiofiles (>=23.2,<24.0)
 Requires-Dist: psutil (>=5.9,<6.0)
 Requires-Dist: pydantic (>=2.5,<3.0)
@@ -38,12 +42,32 @@ Description-Content-Type: text/markdown
 
 [![Python 3.11+](https://img.shields.io/badge/python-3.11+-blue.svg)](https://www.python.org/downloads/)
 [![Tests Passing](https://img.shields.io/badge/tests-167%20passing-green.svg)](#testing)
-[![Production Ready](https://img.shields.io/badge/status-production%20ready-brightgreen.svg)](#status)
+[![Alpha Release](https://img.shields.io/badge/status-alpha-orange.svg)](#status)
 [![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)
 
+## ⚠️ ALPHA SOFTWARE - NOT FOR PRODUCTION
+
+**DevLoop is currently in active development and is not recommended for production use.**
+
+This is **research-quality software**. Use at your own risk. See [Known Limitations & Risks](./history/RISK_ASSESSMENT.md) for details on:
+
+- ✗ Subprocess execution not sandboxed (security risk)
+- ✗ Auto-fix may corrupt code (enable only if willing to review changes)
+- ✗ Race conditions possible in file operations (concurrent agent modifications)
+- ✗ Limited error recovery (daemon may not restart automatically)
+- ✗ Configuration migrations not yet supported
+- ✗ No process supervision (manual daemon management)
+
+**Suitable for:** Development on side projects, testing automation, research  
+**Not suitable for:** Critical code, production systems, untrusted projects
+
+[View complete risk assessment →](./history/RISK_ASSESSMENT.md)
+
+---
+
 ## Status
 
-✅ **PRODUCTION READY** — Full-featured development automation system. [View detailed implementation status →](./IMPLEMENTATION_STATUS.md)
+🔬 **ALPHA** — Full-featured development automation system in active development. [View detailed implementation status →](./IMPLEMENTATION_STATUS.md)
 
 ---
 
@@ -68,6 +92,15 @@ All agents run **non-intrusively in the background**, respecting your workflow.
 
 ## Quick Start
 
+### ⚠️ Before You Start
+
+**ALPHA SOFTWARE DISCLAIMER:**
+- This is research-quality code. Data loss is possible.
+- Only use on projects you can afford to lose or easily recover.
+- Make sure to commit your code to git before enabling DevLoop.
+- Do not enable auto-fix on important code.
+- Some agents may fail silently (see logs for details).
+
 ### Installation
 
 **Prerequisites:** Python 3.11+
@@ -75,9 +108,31 @@ All agents run **non-intrusively in the background**, respecting your workflow.
 #### Option 1: From PyPI (Recommended)
 
 ```bash
+# Basic installation (all default agents)
 pip install devloop
+
+# With optional agents (Snyk security scanning)
+pip install devloop[snyk]
+
+# With multiple optional agents
+pip install devloop[snyk,code-rabbit]
+
+# With all optional agents
+pip install devloop[all-optional]
 ```
 
+**Available extras:**
+- `snyk` — Dependency vulnerability scanning via Snyk CLI
+- `code-rabbit` — AI-powered code analysis
+- `ci-monitor` — CI/CD pipeline monitoring
+- `all-optional` — All of the above
+
+**Optional sandbox enhancements:**
+- **Pyodide WASM Sandbox** (cross-platform Python sandboxing)
+  - Requires: Node.js 18+ (system dependency)
+  - Install: See [Pyodide Installation Guide](./docs/PYODIDE_INSTALLATION.md)
+  - Works in POC mode without installation for testing
+
 #### Option 2: From Source
 
 ```bash
@@ -98,17 +153,24 @@ poetry shell
 ### Initialize & Run (Fully Automated)
 
 ```bash
-# 1. Initialize in your project (handles everything automatically)
+# 1. Initialize in your project (interactive setup)
 devloop init /path/to/your/project
 ```
 
-The `init` command automatically:
-- ✅ Sets up .devloop directory and configuration
-- ✅ Creates AGENTS.md and CODING_RULES.md
-- ✅ Sets up git hooks (if git repo)
+The `init` command will:
+- ✅ Set up .devloop directory with default agents
+- ✅ Ask which optional agents you want to enable:
+  - **Snyk** — Scan dependencies for vulnerabilities
+  - **Code Rabbit** — AI-powered code analysis
+  - **CI Monitor** — Track CI/CD pipeline status
+- ✅ Create configuration file with your selections
+- ✅ Set up git hooks (if git repo)
 - ✅ Registers Amp integration (if in Amp)
-- ✅ Configures commit/push discipline enforcement
-- ✅ Verifies everything works
+
+```bash
+# 1a. Alternative: Non-interactive setup (skip optional agent prompts)
+devloop init /path/to/your/project --non-interactive
+```
 
 Then just:
 ```bash
@@ -324,7 +386,7 @@ Configure agent behavior in `.devloop/agents.json`:
 {
   "global": {
     "autonomousFixes": {
-      "enabled": true,
+      "enabled": false,
       "safetyLevel": "safe_only"
     },
     "maxConcurrentAgents": 5,
@@ -346,11 +408,13 @@ Configure agent behavior in `.devloop/agents.json`:
 }
 ```
 
-**Safety levels:**
-- `safe_only` — Only fix whitespace/indentation
+**Safety levels (Auto-fix):**
+- `safe_only` — Only fix whitespace/indentation (default, recommended)
 - `medium_risk` — Include import/formatting fixes
 - `all` — Apply all fixes (use with caution)
 
+⚠️ **Auto-fix Warning:** Currently auto-fixes run without backups or review. **DO NOT enable auto-fix in production** or on critical code. Track [secure auto-fix with backups issue](https://github.com/wioota/devloop/issues/emc).
+
 [Full configuration reference →](./docs/configuration.md)
 
 ---
@@ -560,17 +624,26 @@ DevLoop follows these core principles:
 
 ## Troubleshooting
 
+### ⚠️ If Something Goes Wrong
+
+**Recovery steps:**
+1. Stop the daemon: `devloop stop .`
+2. Check the logs: `tail -100 .devloop/devloop.log`
+3. Verify your code in git: `git status`
+4. Recover from git if files were modified: `git checkout <file>`
+5. Report the issue: [GitHub Issues](https://github.com/wioota/devloop/issues)
+
 ### Agents not running
 
 ```bash
 # Check status
 devloop status
 
-# View logs
-tail -f .devloop/agent.log
+# View logs (useful for debugging)
+tail -f .devloop/devloop.log
 
-# Enable verbose mode
-devloop watch . --verbose
+# Enable verbose mode for more details
+devloop watch . --foreground --verbose
 ```
 
 ### Performance issues
@@ -599,6 +672,13 @@ devloop custom-list
 ls -la .devloop/custom_agents/
 ```
 
+### Agent modified my files unexpectedly
+
+1. Check git diff: `git diff`
+2. Revert changes: `git checkout -- .`
+3. Disable the problematic agent in `.devloop/agents.json`
+4. Report issue with: `git show HEAD:.devloop/agents.json`
+
 [Full troubleshooting guide →](./docs/troubleshooting.md)
 
 ---

{devloop-0.2.1 → devloop-0.3.0}/README.md

@@ -4,12 +4,32 @@
 
 [![Python 3.11+](https://img.shields.io/badge/python-3.11+-blue.svg)](https://www.python.org/downloads/)
 [![Tests Passing](https://img.shields.io/badge/tests-167%20passing-green.svg)](#testing)
-[![Production Ready](https://img.shields.io/badge/status-production%20ready-brightgreen.svg)](#status)
+[![Alpha Release](https://img.shields.io/badge/status-alpha-orange.svg)](#status)
 [![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)
 
+## ⚠️ ALPHA SOFTWARE - NOT FOR PRODUCTION
+
+**DevLoop is currently in active development and is not recommended for production use.**
+
+This is **research-quality software**. Use at your own risk. See [Known Limitations & Risks](./history/RISK_ASSESSMENT.md) for details on:
+
+- ✗ Subprocess execution not sandboxed (security risk)
+- ✗ Auto-fix may corrupt code (enable only if willing to review changes)
+- ✗ Race conditions possible in file operations (concurrent agent modifications)
+- ✗ Limited error recovery (daemon may not restart automatically)
+- ✗ Configuration migrations not yet supported
+- ✗ No process supervision (manual daemon management)
+
+**Suitable for:** Development on side projects, testing automation, research  
+**Not suitable for:** Critical code, production systems, untrusted projects
+
+[View complete risk assessment →](./history/RISK_ASSESSMENT.md)
+
+---
+
 ## Status
 
-✅ **PRODUCTION READY** — Full-featured development automation system. [View detailed implementation status →](./IMPLEMENTATION_STATUS.md)
+🔬 **ALPHA** — Full-featured development automation system in active development. [View detailed implementation status →](./IMPLEMENTATION_STATUS.md)
 
 ---
 
@@ -34,6 +54,15 @@ All agents run **non-intrusively in the background**, respecting your workflow.
 
 ## Quick Start
 
+### ⚠️ Before You Start
+
+**ALPHA SOFTWARE DISCLAIMER:**
+- This is research-quality code. Data loss is possible.
+- Only use on projects you can afford to lose or easily recover.
+- Make sure to commit your code to git before enabling DevLoop.
+- Do not enable auto-fix on important code.
+- Some agents may fail silently (see logs for details).
+
 ### Installation
 
 **Prerequisites:** Python 3.11+
@@ -41,9 +70,31 @@ All agents run **non-intrusively in the background**, respecting your workflow.
 #### Option 1: From PyPI (Recommended)
 
 ```bash
+# Basic installation (all default agents)
 pip install devloop
+
+# With optional agents (Snyk security scanning)
+pip install devloop[snyk]
+
+# With multiple optional agents
+pip install devloop[snyk,code-rabbit]
+
+# With all optional agents
+pip install devloop[all-optional]
 ```
 
+**Available extras:**
+- `snyk` — Dependency vulnerability scanning via Snyk CLI
+- `code-rabbit` — AI-powered code analysis
+- `ci-monitor` — CI/CD pipeline monitoring
+- `all-optional` — All of the above
+
+**Optional sandbox enhancements:**
+- **Pyodide WASM Sandbox** (cross-platform Python sandboxing)
+  - Requires: Node.js 18+ (system dependency)
+  - Install: See [Pyodide Installation Guide](./docs/PYODIDE_INSTALLATION.md)
+  - Works in POC mode without installation for testing
+
 #### Option 2: From Source
 
 ```bash
@@ -64,17 +115,24 @@ poetry shell
 ### Initialize & Run (Fully Automated)
 
 ```bash
-# 1. Initialize in your project (handles everything automatically)
+# 1. Initialize in your project (interactive setup)
 devloop init /path/to/your/project
 ```
 
-The `init` command automatically:
-- ✅ Sets up .devloop directory and configuration
-- ✅ Creates AGENTS.md and CODING_RULES.md
-- ✅ Sets up git hooks (if git repo)
+The `init` command will:
+- ✅ Set up .devloop directory with default agents
+- ✅ Ask which optional agents you want to enable:
+  - **Snyk** — Scan dependencies for vulnerabilities
+  - **Code Rabbit** — AI-powered code analysis
+  - **CI Monitor** — Track CI/CD pipeline status
+- ✅ Create configuration file with your selections
+- ✅ Set up git hooks (if git repo)
 - ✅ Registers Amp integration (if in Amp)
-- ✅ Configures commit/push discipline enforcement
-- ✅ Verifies everything works
+
+```bash
+# 1a. Alternative: Non-interactive setup (skip optional agent prompts)
+devloop init /path/to/your/project --non-interactive
+```
 
 Then just:
 ```bash
@@ -290,7 +348,7 @@ Configure agent behavior in `.devloop/agents.json`:
 {
   "global": {
     "autonomousFixes": {
-      "enabled": true,
+      "enabled": false,
       "safetyLevel": "safe_only"
     },
     "maxConcurrentAgents": 5,
@@ -312,11 +370,13 @@ Configure agent behavior in `.devloop/agents.json`:
 }
 ```
 
-**Safety levels:**
-- `safe_only` — Only fix whitespace/indentation
+**Safety levels (Auto-fix):**
+- `safe_only` — Only fix whitespace/indentation (default, recommended)
 - `medium_risk` — Include import/formatting fixes
 - `all` — Apply all fixes (use with caution)
 
+⚠️ **Auto-fix Warning:** Currently auto-fixes run without backups or review. **DO NOT enable auto-fix in production** or on critical code. Track [secure auto-fix with backups issue](https://github.com/wioota/devloop/issues/emc).
+
 [Full configuration reference →](./docs/configuration.md)
 
 ---
@@ -526,17 +586,26 @@ DevLoop follows these core principles:
 
 ## Troubleshooting
 
+### ⚠️ If Something Goes Wrong
+
+**Recovery steps:**
+1. Stop the daemon: `devloop stop .`
+2. Check the logs: `tail -100 .devloop/devloop.log`
+3. Verify your code in git: `git status`
+4. Recover from git if files were modified: `git checkout <file>`
+5. Report the issue: [GitHub Issues](https://github.com/wioota/devloop/issues)
+
 ### Agents not running
 
 ```bash
 # Check status
 devloop status
 
-# View logs
-tail -f .devloop/agent.log
+# View logs (useful for debugging)
+tail -f .devloop/devloop.log
 
-# Enable verbose mode
-devloop watch . --verbose
+# Enable verbose mode for more details
+devloop watch . --foreground --verbose
 ```
 
 ### Performance issues
@@ -565,6 +634,13 @@ devloop custom-list
 ls -la .devloop/custom_agents/
 ```
 
+### Agent modified my files unexpectedly
+
+1. Check git diff: `git diff`
+2. Revert changes: `git checkout -- .`
+3. Disable the problematic agent in `.devloop/agents.json`
+4. Report issue with: `git show HEAD:.devloop/agents.json`
+
 [Full troubleshooting guide →](./docs/troubleshooting.md)
 
 ---

{devloop-0.2.1 → devloop-0.3.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "devloop"
-version = "0.2.1"
+version = "0.3.0"
 description = "Intelligent background agents for development workflow automation"
 authors = ["DevLoop Contributors <devloop@example.com>"]
 license = "MIT"
@@ -33,6 +33,10 @@ classifiers = [
     "Topic :: Utilities"
 ]
 packages = [{include = "devloop", from = "src"}]
+include = [
+    "src/devloop/security/package.json",
+    "src/devloop/security/pyodide_runner.js",
+]
 
 [tool.poetry.dependencies]
 python = "^3.11"
@@ -53,6 +57,12 @@ bandit = "^1.7"
 radon = "^6.0"
 types-aiofiles = "^23.2"
 
+[tool.poetry.extras]
+snyk = []
+code-rabbit = []
+ci-monitor = []
+all-optional = []
+
 [tool.poetry.scripts]
 devloop = "devloop.cli.main:app"
 

{devloop-0.2.1 → devloop-0.3.0}/src/devloop/__init__.py

@@ -1,3 +1,3 @@
 """DevLoop - Background agents for development workflow automation."""
 
-__version__ = "0.2.0"
+__version__ = "0.2.2"

{devloop-0.2.1 → devloop-0.3.0}/src/devloop/agents/linter.py

@@ -1,14 +1,15 @@
 """Linter agent - runs linters on file changes."""
 
-import asyncio
 import json
 from datetime import datetime
 from pathlib import Path
 from typing import Any, Dict, List, Optional
 
+from devloop.agents.sandbox_helper import create_agent_sandbox_helper
 from devloop.core.agent import Agent, AgentResult
 from devloop.core.context_store import Finding, Severity
 from devloop.core.event import Event
+from devloop.security.sandbox import CommandNotAllowedError, SandboxTimeoutError
 
 
 class LinterConfig:
@@ -70,6 +71,11 @@ class LinterAgent(Agent):
         )
         self.config = LinterConfig(config or {})
         self._last_run: Dict[str, float] = {}  # path -> timestamp for debouncing
+        # Initialize sandbox helper for secure command execution
+        self.sandbox = create_agent_sandbox_helper(
+            agent_name=name,
+            agent_type="linter",
+        )
 
     async def handle(self, event: Event) -> AgentResult:
         """Handle file change event by running linter."""
@@ -198,45 +204,32 @@ class LinterAgent(Agent):
     async def _run_ruff(self, path: Path) -> LinterResult:
         """Run ruff on a Python file."""
         try:
-            # Get updated environment with venv bin in PATH
-            import os
-
-            env = os.environ.copy()
-            venv_bin = Path(__file__).parent.parent.parent.parent / ".venv" / "bin"
-            if venv_bin.exists():
-                env["PATH"] = f"{venv_bin}:{env.get('PATH', '')}"
-
-            # Check if ruff is installed
-            check = await asyncio.create_subprocess_exec(
-                "ruff",
-                "--version",
-                stdout=asyncio.subprocess.PIPE,
-                stderr=asyncio.subprocess.PIPE,
-                env=env,
-            )
-            await check.communicate()
-
-            if check.returncode != 0:
-                return LinterResult(success=False, error="ruff not installed")
-
-            # Run ruff with JSON output
-            proc = await asyncio.create_subprocess_exec(
-                "ruff",
-                "check",
-                "--output-format",
-                "json",
-                str(path),
-                stdout=asyncio.subprocess.PIPE,
-                stderr=asyncio.subprocess.PIPE,
-                env=env,
-            )
+            # Get venv path
+            venv_path = Path(__file__).parent.parent.parent.parent / ".venv"
 
-            stdout, stderr = await proc.communicate()
+            # Check if ruff is available in the sandbox
+            if not await self.sandbox.check_tool_available("ruff"):
+                return LinterResult(
+                    success=False, error="ruff not installed or not allowed"
+                )
+
+            # Run ruff with JSON output in sandbox
+            if venv_path.exists():
+                result = await self.sandbox.run_sandboxed_with_venv(
+                    ["ruff", "check", "--output-format", "json", str(path)],
+                    venv_path=venv_path,
+                    cwd=path.parent,
+                )
+            else:
+                result = await self.sandbox.run_sandboxed(
+                    ["ruff", "check", "--output-format", "json", str(path)],
+                    cwd=path.parent,
+                )
 
             # ruff returns non-zero if issues found, but that's expected
-            if stdout:
+            if result.stdout:
                 try:
-                    issues = json.loads(stdout.decode())
+                    issues = json.loads(result.stdout)
                     return LinterResult(success=True, issues=issues)
                 except json.JSONDecodeError:
                     # No issues found or invalid JSON
@@ -245,39 +238,33 @@ class LinterAgent(Agent):
                 # No output = no issues
                 return LinterResult(success=True, issues=[])
 
-        except FileNotFoundError:
-            return LinterResult(success=False, error="ruff command not found")
+        except CommandNotAllowedError as e:
+            self.logger.error(f"ruff command not allowed in sandbox: {e}")
+            return LinterResult(success=False, error="ruff command not allowed")
+        except SandboxTimeoutError:
+            return LinterResult(success=False, error="ruff execution timeout")
+        except Exception as e:
+            self.logger.error(f"Error running ruff in sandbox: {e}")
+            return LinterResult(success=False, error=str(e))
 
     async def _run_eslint(self, path: Path) -> LinterResult:
         """Run eslint on a JavaScript/TypeScript file."""
         try:
-            # Check if eslint is installed
-            check = await asyncio.create_subprocess_exec(
-                "eslint",
-                "--version",
-                stdout=asyncio.subprocess.PIPE,
-                stderr=asyncio.subprocess.PIPE,
-            )
-            await check.communicate()
-
-            if check.returncode != 0:
-                return LinterResult(success=False, error="eslint not installed")
-
-            # Run eslint with JSON output
-            proc = await asyncio.create_subprocess_exec(
-                "eslint",
-                "--format",
-                "json",
-                str(path),
-                stdout=asyncio.subprocess.PIPE,
-                stderr=asyncio.subprocess.PIPE,
-            )
+            # Check if eslint is available in the sandbox
+            if not await self.sandbox.check_tool_available("eslint"):
+                return LinterResult(
+                    success=False, error="eslint not installed or not allowed"
+                )
 
-            stdout, stderr = await proc.communicate()
+            # Run eslint with JSON output in sandbox
+            result = await self.sandbox.run_sandboxed(
+                ["eslint", "--format", "json", str(path)],
+                cwd=path.parent,
+            )
 
-            if stdout:
+            if result.stdout:
                 try:
-                    results = json.loads(stdout.decode())
+                    results = json.loads(result.stdout)
                     # ESLint returns array of file results
                     if results and len(results) > 0:
                         issues = results[0].get("messages", [])
@@ -287,48 +274,51 @@ class LinterAgent(Agent):
 
             return LinterResult(success=True, issues=[])
 
-        except FileNotFoundError:
-            return LinterResult(success=False, error="eslint command not found")
+        except CommandNotAllowedError as e:
+            self.logger.error(f"eslint command not allowed in sandbox: {e}")
+            return LinterResult(success=False, error="eslint command not allowed")
+        except SandboxTimeoutError:
+            return LinterResult(success=False, error="eslint execution timeout")
+        except Exception as e:
+            self.logger.error(f"Error running eslint in sandbox: {e}")
+            return LinterResult(success=False, error=str(e))
 
     async def _auto_fix(self, linter: str, path: Path) -> LinterResult:
         """Attempt to auto-fix issues."""
         try:
-            # Get updated environment with venv bin in PATH
-            import os
-
-            env = os.environ.copy()
-            venv_bin = Path(__file__).parent.parent.parent.parent / ".venv" / "bin"
-            if venv_bin.exists():
-                env["PATH"] = f"{venv_bin}:{env.get('PATH', '')}"
+            # Get venv path
+            venv_path = Path(__file__).parent.parent.parent.parent / ".venv"
 
             if linter == "ruff":
-                proc = await asyncio.create_subprocess_exec(
-                    "ruff",
-                    "check",
-                    "--fix",
-                    str(path),
-                    stdout=asyncio.subprocess.PIPE,
-                    stderr=asyncio.subprocess.PIPE,
-                    env=env,
-                )
-                await proc.communicate()
+                if venv_path.exists():
+                    await self.sandbox.run_sandboxed_with_venv(
+                        ["ruff", "check", "--fix", str(path)],
+                        venv_path=venv_path,
+                        cwd=path.parent,
+                    )
+                else:
+                    await self.sandbox.run_sandboxed(
+                        ["ruff", "check", "--fix", str(path)],
+                        cwd=path.parent,
+                    )
                 return LinterResult(success=True)
 
             elif linter == "eslint":
-                proc = await asyncio.create_subprocess_exec(
-                    "eslint",
-                    "--fix",
-                    str(path),
-                    stdout=asyncio.subprocess.PIPE,
-                    stderr=asyncio.subprocess.PIPE,
-                    env=env,
+                await self.sandbox.run_sandboxed(
+                    ["eslint", "--fix", str(path)],
+                    cwd=path.parent,
                 )
-                await proc.communicate()
                 return LinterResult(success=True)
 
             return LinterResult(success=False, error="Auto-fix not supported")
 
+        except CommandNotAllowedError as e:
+            self.logger.error(f"Auto-fix command not allowed in sandbox: {e}")
+            return LinterResult(success=False, error="Auto-fix command not allowed")
+        except SandboxTimeoutError:
+            return LinterResult(success=False, error="Auto-fix execution timeout")
         except Exception as e:
+            self.logger.error(f"Error during auto-fix in sandbox: {e}")
             return LinterResult(success=False, error=str(e))
 
     async def _write_findings_to_context(