ekmire 1.0.0__tar.gz

ekmire-1.0.0/PKG-INFO

@@ -0,0 +1,12 @@
+Metadata-Version: 2.4
+Name: ekmire
+Version: 1.0.0
+Summary: Developer security platform — write-time, commit-time, and runtime protection
+Author-email: Flux8Labs <team@flux8labs.com>
+License: Proprietary
+Requires-Python: >=3.11
+Description-Content-Type: text/markdown
+Requires-Dist: click>=8.1
+Requires-Dist: requests>=2.31
+Requires-Dist: rich>=13.0
+Requires-Dist: pathspec>=0.12

ekmire-1.0.0/ekmire/__init__.py

@@ -0,0 +1,2 @@
+__version__ = "1.0.0"
+__author__ = "Flux8Labs"

ekmire-1.0.0/ekmire/__main__.py

@@ -0,0 +1,532 @@
+"""ekmire CLI — main entry point.
+
+Every command prints `ekmire v{version} by Flux8Labs`. No flag suppresses this.
+"""
+
+import sys
+from pathlib import Path
+
+import click
+from rich.console import Console
+
+from . import __version__
+from . import config as cfg
+from . import bundle, hook, output, scanner
+from .engines import mcp_audit
+
+console = Console()
+
+
+def _header() -> None:
+    console.print(f"[bold]ekmire v{__version__} by Flux8Labs[/bold]")
+    console.print()
+
+
+@click.group()
+def cli() -> None:
+    """ekmire developer security platform."""
+    pass
+
+
+# ── auth ──────────────────────────────────────────────────────────────────────
+
+@cli.group()
+def auth() -> None:
+    """Authentication commands."""
+    pass
+
+
+@auth.command("login")
+def auth_login() -> None:
+    """Authenticate with ekmire Cloud (saves API key to ~/.ekmire/config)."""
+    _header()
+    import webbrowser
+    import secrets
+
+    token = secrets.token_urlsafe(16)
+    login_url = f"{cfg.get_cloud_url()}/cli-auth?token={token}"
+
+    console.print(f"Open this URL in your browser (auto-opening):\n  [link={login_url}]{login_url}[/link]")
+    try:
+        webbrowser.open(login_url)
+    except Exception:
+        pass
+
+    console.print("\n[dim]Waiting for authentication...[/dim]")
+    api_key = _poll_cli_auth(token)
+    if api_key:
+        cfg.save({"api_key": api_key, "cloud_url": cfg.get_cloud_url()})
+        console.print("\n[green]✓ Authenticated[/green]")
+    else:
+        console.print("[red]Authentication timed out. Try again.[/red]")
+        sys.exit(1)
+
+
+@auth.command("status")
+def auth_status() -> None:
+    """Show current authentication state."""
+    _header()
+    data = cfg.load()
+    if data.get("api_key"):
+        masked = data["api_key"][:8] + "..." + data["api_key"][-4:]
+        console.print(f"[green]✓ Authenticated[/green]  API key: {masked}")
+        console.print(f"  Cloud: {cfg.get_cloud_url()}")
+    else:
+        console.print("[yellow]Not authenticated[/yellow] — run `ekmire auth login`")
+
+
+# ── scan ──────────────────────────────────────────────────────────────────────
+
+@cli.command()
+@click.argument("path", default=".", required=False)
+@click.option("--all", "scan_all", is_flag=True, help="Scan all files in working directory")
+@click.option(
+    "--deep",
+    is_flag=True,
+    help="Recursive scan of any directory (no git context required)",
+)
+@click.option("--output", "output_format", type=click.Choice(["text", "json", "sarif"]), default="text")
+@click.option(
+    "--fail-on",
+    type=click.Choice(["critical", "high", "medium", "low"]),
+    default=None,
+    help="Exit 1 if findings at or above this severity exist",
+)
+def scan(path: str, scan_all: bool, deep: bool, output_format: str, fail_on: str | None) -> None:
+    """Run Build Guard on staged files, a path, or recursively (--deep)."""
+    _header()
+
+    api_key = cfg.get_api_key()
+    cloud_url = cfg.get_cloud_url()
+    rules_bundle = bundle.get_bundle(cloud_url, api_key)
+    rules = rules_bundle.get("rules", [])
+
+    root = Path(path).resolve()
+    mireignore = scanner.load_mireignore(root if root.is_dir() else root.parent)
+
+    if deep or scan_all or path != ".":
+        if output_format == "text":
+            console.print(f"Deep scan: {root} ", end="")
+        result = scanner.scan_path(root, rules, mireignore)
+    else:
+        # Default: staged files only (git pre-commit context)
+        if output_format == "text":
+            console.print("Scanning staged files...")
+        result = scanner.scan_staged(rules)
+
+    source = "device_scanner" if deep or scan_all else "cli"
+    _emit_findings(result, root, output_format, fail_on, source)
+
+
+def _emit_findings(
+    result: scanner.ScanResult,
+    root: Path,
+    fmt: str,
+    fail_on: str | None,
+    source: str = "cli",
+) -> None:
+    findings = result.findings
+
+    if fmt == "json":
+        # JSON output: only active (non-suppressed) findings
+        print(output.to_json([f for f in findings if not getattr(f, "suppressed", False)]))
+    elif fmt == "sarif":
+        print(output.to_sarif([f for f in findings if not getattr(f, "suppressed", False)], root))
+    else:
+        severity_order = ["critical", "high", "medium", "low", "info"]
+        findings.sort(key=lambda f: severity_order.index(f.severity) if f.severity in severity_order else 99)
+        # Only non-suppressed findings block the build
+        blocked = any(not getattr(f, "suppressed", False) for f in findings)
+        output.print_findings(findings, result.files_scanned, result.elapsed_s, blocked)
+
+    # Post telemetry (all findings, including suppressed) if authenticated
+    if findings and cfg.is_authenticated():
+        _post_findings_telemetry(findings, source=source)
+        _post_suppressions(findings)
+
+    # Only active (non-suppressed) findings block the build
+    active_findings = [f for f in findings if not getattr(f, "suppressed", False)]
+
+    if fail_on:
+        order = ["critical", "high", "medium", "low"]
+        threshold = order.index(fail_on) if fail_on in order else 99
+        worst = min(
+            (order.index(f.severity) for f in active_findings if f.severity in order),
+            default=99,
+        )
+        if worst <= threshold:
+            sys.exit(1)
+    elif active_findings:
+        sys.exit(1)
+
+
+# ── hook ──────────────────────────────────────────────────────────────────────
+
+@cli.group()
+def hook_cmd() -> None:
+    """Git hook management."""
+    pass
+
+
+# Rename group to avoid shadowing the hook module
+cli.add_command(hook_cmd, name="hook")
+
+
+@hook_cmd.command("install")
+@click.option("--ai", is_flag=True, help="Also run AI dev-audit on staged diff")
+def hook_install(ai: bool) -> None:
+    """Install git pre-commit hook."""
+    _header()
+    try:
+        path = hook.install(ai=ai)
+        mode = " (with AI dev-audit)" if ai else ""
+        console.print(f"[green]✓ Hook installed{mode} at {path}[/green]")
+    except Exception as e:
+        console.print(f"[red]Hook install failed: {e}[/red]")
+        sys.exit(1)
+
+
+@hook_cmd.command("uninstall")
+def hook_uninstall() -> None:
+    """Remove the ekmire git pre-commit hook."""
+    _header()
+    if hook.uninstall():
+        console.print("[green]✓ Hook removed[/green]")
+    else:
+        console.print("[yellow]No ekmire hook found[/yellow]")
+
+
+# ── mcp ───────────────────────────────────────────────────────────────────────
+
+@cli.group()
+def mcp() -> None:
+    """MCP server commands."""
+    pass
+
+
+@mcp.command("audit")
+def mcp_audit_cmd() -> None:
+    """Full MCP ecosystem audit — scans all IDE MCP configs system-wide."""
+    _header()
+    console.print("MCP Ecosystem Audit — scanning all IDE configs...\n")
+
+    results, total_servers = mcp_audit.audit_all()
+
+    all_findings: list[mcp_audit.McpFinding] = []
+    for config_file, findings in results:
+        console.print(f"  [dim]{config_file}[/dim]")
+        if not findings:
+            console.print("    [green]✓ No issues found[/green]")
+        else:
+            for f in findings:
+                sev_colour = output._SEVERITY_COLOURS.get(f.severity, "white")
+                console.print(
+                    f"    server: [bold]{f.server_name}[/bold]"
+                    f"  [{sev_colour}][{f.severity.upper()}][/{sev_colour}] {f.rule_id}"
+                )
+                console.print(f"      {f.description}")
+                console.print(f"      [dim]Fix:[/dim] {f.fix}")
+            all_findings.extend(findings)
+        console.print()
+
+    critical = sum(1 for f in all_findings if f.severity == "critical")
+    high = sum(1 for f in all_findings if f.severity == "high")
+
+    console.print("─" * 46)
+    if cfg.is_authenticated():
+        cloud_url = cfg.get_cloud_url()
+        report_url = cloud_url.replace("api.", "app.").rstrip("/") + "/events?source=mcp_audit"
+        console.print(
+            f"  {total_servers} MCP servers scanned · {len(all_findings)} findings "
+            f"({critical} critical, {high} high)"
+        )
+        console.print(f"  Full report: {report_url}")
+    else:
+        console.print(
+            f"  {total_servers} MCP servers scanned · {len(all_findings)} findings "
+            f"({critical} critical, {high} high)"
+        )
+    console.print("─" * 46)
+
+    if all_findings:
+        sys.exit(1)
+
+
+@mcp.command("start")
+def mcp_start() -> None:
+    """Start MCP server in stdio mode (for IDE integration)."""
+    from .mcp_server import run_stdio
+    run_stdio()
+
+
+# ── init ──────────────────────────────────────────────────────────────────────
+
+@cli.command()
+def init() -> None:
+    """First-run wizard: auth → deep scan → hook install → summary."""
+    _header()
+
+    # Step 1 — Auth
+    if cfg.is_authenticated():
+        console.print("Step 1/3  Authenticating...")
+        console.print("  [green]✓ Already authenticated[/green]")
+    else:
+        console.print("Step 1/3  Authenticating...")
+        import webbrowser
+        import secrets
+
+        token = secrets.token_urlsafe(16)
+        login_url = f"{cfg.get_cloud_url()}/cli-auth?token={token}"
+        console.print(f"  Open [link={login_url}]{login_url}[/link] in your browser (auto-opening)")
+        try:
+            webbrowser.open(login_url)
+        except Exception:
+            pass
+
+        api_key = _poll_cli_auth(token)
+        if api_key:
+            cfg.save({"api_key": api_key, "cloud_url": cfg.get_cloud_url()})
+            console.print("  [green]✓ Authenticated[/green]")
+        else:
+            console.print("  [red]Auth timed out — skipping auth step[/red]")
+
+    console.print()
+
+    # Step 2 — Deep scan current directory
+    console.print("Step 2/3  Scanning current directory for existing issues...")
+    api_key = cfg.get_api_key()
+    rules_bundle = bundle.get_bundle(cfg.get_cloud_url(), api_key)
+    rules = rules_bundle.get("rules", [])
+    root = Path(".")
+    mireignore = scanner.load_mireignore(root)
+    result = scanner.scan_path(root, rules, mireignore)
+
+    if not result.findings:
+        console.print("  [green]✓ No issues found[/green]")
+    else:
+        sev_order = ["critical", "high", "medium", "low"]
+        for f in sorted(result.findings, key=lambda x: sev_order.index(x.severity) if x.severity in sev_order else 99):
+            sev_colour = output._SEVERITY_COLOURS.get(f.severity, "white")
+            console.print(
+                f"  [dim]{f.file}:{getattr(f, 'line', '?')}[/dim]  "
+                f"[{sev_colour}][{f.severity.upper()}][/{sev_colour}] {f.rule_id}"
+            )
+        if api_key:
+            console.print(
+                f"\n  Full report: {cfg.get_cloud_url().replace('api.', 'app.')}/events?source=device_scanner"
+            )
+
+    console.print()
+
+    # Step 3 — Install hook (if in a git repo)
+    console.print("Step 3/3  Installing git pre-commit hook...")
+    try:
+        hook_path = hook.install()
+        console.print(f"  [green]✓ Hook installed at {hook_path}[/green]")
+    except Exception:
+        console.print("  [yellow]Skipped (not in a git repository)[/yellow]")
+
+    console.print()
+    console.print("─" * 46)
+    summary_parts = []
+    if result.findings:
+        summary_parts.append(f"{len(result.findings)} issues to review in your dashboard")
+    console.print("  ekmire is active." + (" " + ", ".join(summary_parts) + "." if summary_parts else ""))
+    console.print("  Docs: https://ekmire.com/docs/quick-start")
+    console.print("─" * 46)
+
+
+# ── dev-audit ─────────────────────────────────────────────────────────────────
+
+@cli.command("dev-audit")
+@click.argument("target", default=".")
+@click.option("--diff", is_flag=True, help="Audit current git staged diff")
+def dev_audit(target: str, diff: bool) -> None:
+    """AI security review of a file, directory, or staged diff."""
+    _header()
+
+    if not cfg.is_authenticated():
+        console.print("[red]Not authenticated — run `ekmire auth login` first[/red]")
+        sys.exit(1)
+
+    console.print("[dim]AI security analysis in progress...[/dim]")
+    import requests
+
+    api_key = cfg.get_api_key()
+    cloud_url = cfg.get_cloud_url()
+
+    if diff:
+        import subprocess
+        try:
+            content = subprocess.check_output(
+                ["git", "diff", "--cached"], text=True
+            )
+            filename = "<staged diff>"
+        except Exception as e:
+            console.print(f"[red]Could not get staged diff: {e}[/red]")
+            sys.exit(1)
+    else:
+        p = Path(target)
+        if p.is_file():
+            content = p.read_text(errors="ignore")
+            filename = str(p)
+        elif p.is_dir():
+            # Concatenate all text files up to a reasonable limit
+            parts = []
+            for f in p.rglob("*"):
+                if f.is_file() and f.suffix in (".py", ".js", ".ts", ".go", ".rb", ".java"):
+                    try:
+                        parts.append(f"# {f}\n" + f.read_text(errors="ignore"))
+                    except OSError:
+                        pass
+                    if len(parts) >= 20:
+                        break
+            content = "\n\n".join(parts)
+            filename = str(p)
+        else:
+            console.print(f"[red]Path not found: {target}[/red]")
+            sys.exit(1)
+
+    try:
+        resp = requests.post(
+            f"{cloud_url}/v1/llm/route",
+            json={"task": "dev_audit", "content": content, "filename": filename},
+            headers={"Authorization": f"Bearer {api_key}"},
+            timeout=30,
+        )
+        resp.raise_for_status()
+        findings = resp.json()
+    except Exception as e:
+        console.print(f"[red]AI audit failed: {e}[/red]")
+        sys.exit(1)
+
+    if not findings:
+        console.print("[green]✓ No issues found[/green]")
+        return
+
+    for f in findings:
+        sev = f.get("severity", "info")
+        sev_colour = output._SEVERITY_COLOURS.get(sev, "white")
+        console.print(
+            f"  Line {f.get('line', '?')}  [{sev_colour}][{sev.upper()}][/{sev_colour}] {f.get('category', '?')}"
+        )
+        console.print(f"  {f.get('description', '')}")
+        if f.get("remediation_prompt"):
+            console.print(f"  [dim]Fix:[/dim] {f['remediation_prompt']}")
+        console.print()
+
+
+# ── device-scan ───────────────────────────────────────────────────────────────
+
+@cli.command("device-scan")
+@click.argument("path", default=".", required=False)
+@click.option("--output", "output_format", type=click.Choice(["text", "json", "sarif"]), default="text")
+@click.option(
+    "--fail-on",
+    type=click.Choice(["critical", "high", "medium", "low"]),
+    default=None,
+    help="Exit 1 if findings at or above this severity exist",
+)
+def device_scan(path: str, output_format: str, fail_on: str | None) -> None:
+    """Full device scan — recursively scans a path and reports as device_scanner source.
+
+    Findings appear in the dashboard under Events → Source: device_scanner.
+    Requires authentication (`mire auth login`).
+    """
+    _header()
+
+    if not cfg.is_authenticated():
+        console.print("[yellow]Not authenticated — findings won't appear in dashboard.[/yellow]")
+        console.print("[dim]Run `ekmire auth login` to connect to ekmire Cloud.[/dim]\n")
+
+    api_key = cfg.get_api_key()
+    cloud_url = cfg.get_cloud_url()
+    rules_bundle = bundle.get_bundle(cloud_url, api_key)
+    rules = rules_bundle.get("rules", [])
+
+    root = Path(path).resolve()
+    mireignore = scanner.load_mireignore(root if root.is_dir() else root.parent)
+
+    if output_format == "text":
+        console.print(f"Device scan: {root} ", end="")
+
+    result = scanner.scan_path(root, rules, mireignore)
+    _emit_findings(result, root, output_format, fail_on, source="device_scanner")
+
+
+# ── version ───────────────────────────────────────────────────────────────────
+
+@cli.command()
+def version() -> None:
+    """Print version and Flux8Labs attribution."""
+    print(f"ekmire v{__version__} by Flux8Labs")
+    print("Copyright © Flux8Labs. All rights reserved.")
+    print("https://ekmire.com")
+
+
+# ── Helpers ───────────────────────────────────────────────────────────────────
+
+def _poll_cli_auth(token: str, timeout_s: int = 120) -> str | None:
+    import time
+    import requests
+
+    cloud_url = cfg.get_cloud_url()
+    deadline = time.time() + timeout_s
+    while time.time() < deadline:
+        try:
+            resp = requests.get(
+                f"{cloud_url}/v1/auth/cli-poll",
+                params={"token": token},
+                timeout=5,
+            )
+            if resp.status_code == 200:
+                return resp.json().get("api_key")
+        except Exception:
+            pass
+        time.sleep(2)
+    return None
+
+
+def _post_findings_telemetry(findings: list, source: str = "cli") -> None:
+    import requests
+    from .telemetry import build_telemetry_events
+
+    api_key = cfg.get_api_key()
+    cloud_url = cfg.get_cloud_url()
+    events = build_telemetry_events(findings, source=source)
+    try:
+        requests.post(
+            f"{cloud_url}/v1/events",
+            json={"events": events},
+            headers={"Authorization": f"Bearer {api_key}"},
+            timeout=5,
+        )
+    except Exception:
+        pass  # telemetry is best-effort
+
+
+def _post_suppressions(findings: list) -> None:
+    """Post suppressed findings to rule_suppressions endpoint (best-effort)."""
+    from .telemetry import build_suppression_records
+
+    records = build_suppression_records(findings)
+    if not records:
+        return
+
+    import requests
+
+    api_key = cfg.get_api_key()
+    cloud_url = cfg.get_cloud_url()
+    try:
+        requests.post(
+            f"{cloud_url}/v1/events/suppressions",
+            json={"suppressions": records},
+            headers={"Authorization": f"Bearer {api_key}"},
+            timeout=5,
+        )
+    except Exception:
+        pass  # best-effort
+
+
+if __name__ == "__main__":
+    cli()