empathy-framework 4.6.2__py3-none-any.whl → 4.6.5__py3-none-any.whl

empathy_os/workflow_commands.py

@@ -16,6 +16,7 @@ from datetime import datetime, timedelta
 from pathlib import Path
 from typing import Any
 
+from empathy_os.config import _validate_file_path
 from empathy_os.logging_config import get_logger
 
 logger = get_logger(__name__)
@@ -33,10 +34,11 @@ def _load_patterns(patterns_dir: str = "./patterns") -> dict[str, list]:
         file_path = patterns_path / f"{pattern_type}.json"
         if file_path.exists():
             try:
-                with open(file_path) as f:
+                validated_path = _validate_file_path(str(file_path))
+                with open(validated_path) as f:
                     data = json.load(f)
                     patterns[pattern_type] = data.get("patterns", data.get("items", []))
-            except (OSError, json.JSONDecodeError):
+            except (OSError, json.JSONDecodeError, ValueError):
                 pass
 
     return patterns
@@ -47,10 +49,11 @@ def _load_stats(empathy_dir: str = ".empathy") -> dict[str, Any]:
     stats_file = Path(empathy_dir) / "stats.json"
     if stats_file.exists():
         try:
-            with open(stats_file) as f:
+            validated_path = _validate_file_path(str(stats_file))
+            with open(validated_path) as f:
                 result: dict[str, Any] = json.load(f)
                 return result
-        except (OSError, json.JSONDecodeError):
+        except (OSError, json.JSONDecodeError, ValueError):
             pass
     return {"commands": {}, "last_session": None, "patterns_learned": 0}
 
@@ -60,7 +63,8 @@ def _save_stats(stats: dict, empathy_dir: str = ".empathy") -> None:
     stats_dir = Path(empathy_dir)
     stats_dir.mkdir(parents=True, exist_ok=True)
 
-    with open(stats_dir / "stats.json", "w") as f:
+    validated_path = _validate_file_path(str(stats_dir / "stats.json"))
+    with open(validated_path, "w") as f:
         json.dump(stats, f, indent=2, default=str)
 
 
@@ -84,7 +88,8 @@ def _get_tech_debt_trend(patterns_dir: str = "./patterns") -> str:
         return "unknown"
 
     try:
-        with open(tech_debt_file) as f:
+        validated_path = _validate_file_path(str(tech_debt_file))
+        with open(validated_path) as f:
             data = json.load(f)
 
         snapshots = data.get("snapshots", [])

empathy_os/workflows/base.py

@@ -277,7 +277,7 @@ def _save_workflow_run(
     history.append(run)
     history = history[-max_history:]
 
-    validated_path = _validate_file_path(path)
+    validated_path = _validate_file_path(str(path))
     with open(validated_path, "w") as f:
         json.dump(history, f, indent=2)
 

empathy_os/workflows/bug_predict.py

@@ -235,6 +235,8 @@ def _is_dangerous_eval_usage(content: str, file_path: str) -> bool:
     - Pattern definitions for security scanners
     - Test fixtures: code written via write_text() or similar for testing
     - Scanner test files that deliberately contain example bad patterns
+    - Docstrings documenting security policies (e.g., "No eval() or exec() usage")
+    - Security policy documentation in comments
 
     Returns:
         True if dangerous eval/exec usage is found, False otherwise.
@@ -292,14 +294,22 @@ def _is_dangerous_eval_usage(content: str, file_path: str) -> bool:
         if "eval(" not in content_without_regex_exec and "exec(" not in content_without_regex_exec:
             return False
 
+    # Remove docstrings before line-by-line analysis
+    # This prevents false positives from documentation that mentions eval/exec
+    content_without_docstrings = _remove_docstrings(content)
+
     # Check each line for real dangerous usage
-    lines = content.splitlines()
+    lines = content_without_docstrings.splitlines()
     for line in lines:
         # Skip comment lines
         stripped = line.strip()
         if stripped.startswith("#") or stripped.startswith("//") or stripped.startswith("*"):
             continue
 
+        # Skip security policy documentation (e.g., "- No eval() or exec()")
+        if _is_security_policy_line(stripped):
+            continue
+
         # Check for eval( or exec( in this line
         if "eval(" not in line and "exec(" not in line:
             continue
@@ -348,6 +358,65 @@ def _is_dangerous_eval_usage(content: str, file_path: str) -> bool:
     return False
 
 
+def _remove_docstrings(content: str) -> str:
+    """Remove docstrings from Python content to avoid false positives.
+
+    Docstrings often document security policies (e.g., "No eval() usage")
+    which should not trigger the scanner.
+
+    Args:
+        content: Python source code
+
+    Returns:
+        Content with docstrings replaced by placeholder comments.
+    """
+    # Remove triple-quoted strings (docstrings)
+    # Match """ ... """ and ''' ... ''' including multiline
+    content = re.sub(r'"""[\s\S]*?"""', '# [docstring removed]', content)
+    content = re.sub(r"'''[\s\S]*?'''", "# [docstring removed]", content)
+    return content
+
+
+def _is_security_policy_line(line: str) -> bool:
+    """Check if a line is documenting security policy rather than using eval/exec.
+
+    Args:
+        line: Stripped line of code
+
+    Returns:
+        True if this appears to be security documentation.
+    """
+    line_lower = line.lower()
+
+    # Patterns indicating security policy documentation
+    policy_patterns = [
+        r"no\s+eval",  # "No eval" or "no eval()"
+        r"no\s+exec",  # "No exec" or "no exec()"
+        r"never\s+use\s+eval",
+        r"never\s+use\s+exec",
+        r"avoid\s+eval",
+        r"avoid\s+exec",
+        r"don'?t\s+use\s+eval",
+        r"don'?t\s+use\s+exec",
+        r"prohibited.*eval",
+        r"prohibited.*exec",
+        r"security.*eval",
+        r"security.*exec",
+    ]
+
+    for pattern in policy_patterns:
+        if re.search(pattern, line_lower):
+            return True
+
+    # Check for list item documentation (e.g., "- No eval() or exec() usage")
+    if line.startswith("-") and ("eval" in line_lower or "exec" in line_lower):
+        # If it contains "no", "never", "avoid", it's policy documentation
+        if any(word in line_lower for word in ["no ", "never", "avoid", "don't", "prohibited"]):
+            return True
+
+    return False
+
+
 # Define step configurations for executor-based execution
 BUG_PREDICT_STEPS = {
     "recommend": WorkflowStepConfig(

empathy_os/workflows/pr_review.py

@@ -126,6 +126,7 @@ class PRReviewWorkflow:
         diff: str | None = None,
         files_changed: list[str] | None = None,
         target_path: str = ".",
+        target: str | None = None,  # Alias for target_path (compatibility)
         context: dict | None = None,
     ) -> PRReviewResult:
         """Execute comprehensive PR review with both crews.
@@ -134,6 +135,7 @@ class PRReviewWorkflow:
             diff: PR diff content (auto-generated from git if not provided)
             files_changed: List of changed files
             target_path: Path to codebase for security audit
+            target: Alias for target_path (for CLI compatibility)
             context: Additional context
 
         Returns:
@@ -144,6 +146,10 @@ class PRReviewWorkflow:
         files_changed = files_changed or []
         context = context or {}
 
+        # Support 'target' as alias for 'target_path'
+        if target and target_path == ".":
+            target_path = target
+
         # Auto-generate diff from git if not provided
         if not diff:
             import subprocess

empathy_os/workflows/security_audit.py

@@ -102,6 +102,19 @@ SECURITY_EXAMPLE_PATHS = [
     "pii_scrubber.py",  # Privacy tool
     "secure_memdocs",  # Secure storage module
     "/security/",  # Security modules
+    "/benchmarks/",  # Benchmark files with test fixtures
+    "benchmark_",  # Benchmark files (e.g., benchmark_caching.py)
+    "phase_2_setup.py",  # Setup file with educational patterns
+]
+
+# Patterns indicating test fixture data (code written to temp files for testing)
+TEST_FIXTURE_PATTERNS = [
+    r"SECURITY_TEST_FILES\s*=",  # Dict of test fixture code
+    r"write_text\s*\(",  # Writing test data to temp files
+    r"# UNSAFE - DO NOT USE",  # Educational comments showing bad patterns
+    r"# SAFE -",  # Educational comments showing good patterns
+    r"# INJECTION RISK",  # Educational markers
+    r"pragma:\s*allowlist\s*secret",  # Explicit allowlist marker
 ]
 
 # Test file patterns - findings here are informational, not critical

empathy_os/workflows/test_maintenance.py

@@ -16,6 +16,7 @@ Copyright 2025 Smart AI Memory, LLC
 Licensed under Fair Source 0.9
 """
 
+import heapq
 import logging
 from dataclasses import dataclass, field
 from datetime import datetime
@@ -598,7 +599,7 @@ class TestMaintenanceWorkflow:
                 "lines_of_code": f.lines_of_code,
                 "language": f.language,
             }
-            for f in sorted(files, key=lambda x: -x.impact_score)[:limit]
+            for f in heapq.nlargest(limit, files, key=lambda x: x.impact_score)
         ]
 
     def get_stale_tests(self, limit: int = 20) -> list[dict[str, Any]]:
@@ -610,7 +611,7 @@ class TestMaintenanceWorkflow:
                 "test_file": f.test_file_path,
                 "staleness_days": f.staleness_days,
             }
-            for f in sorted(files, key=lambda x: -x.staleness_days)[:limit]
+            for f in heapq.nlargest(limit, files, key=lambda x: x.staleness_days)
         ]
 
     def get_test_health_summary(self) -> dict[str, Any]:

empathy_os/workflows/tier_tracking.py

@@ -86,6 +86,11 @@ class WorkflowTierTracker:
         "premium": 0.450,
     }
 
+    # Retention policy: keep only this many workflow files
+    MAX_WORKFLOW_FILES = 100
+    # Only run cleanup every N saves to avoid overhead
+    CLEANUP_FREQUENCY = 10
+
     def __init__(
         self,
         workflow_name: str,
@@ -302,6 +307,11 @@ class WorkflowTierTracker:
             # Also update consolidated patterns file
             self._update_consolidated_patterns(progression)
 
+            # Periodic cleanup of old workflow files (every CLEANUP_FREQUENCY saves)
+            workflow_count = len(list(self.patterns_dir.glob("workflow_*.json")))
+            if workflow_count > self.MAX_WORKFLOW_FILES + self.CLEANUP_FREQUENCY:
+                self._cleanup_old_workflow_files()
+
             return pattern_file
 
         except Exception as e:
@@ -439,7 +449,7 @@ class WorkflowTierTracker:
         return actual_cost * 5  # Conservative multiplier
 
     def _update_consolidated_patterns(self, progression: dict[str, Any]):
-        """Update the consolidated patterns.json file."""
+        """Update the consolidated patterns.json file with retention policy."""
         consolidated_file = self.patterns_dir / "all_patterns.json"
 
         try:
@@ -454,13 +464,51 @@ class WorkflowTierTracker:
             # Add new progression
             data["patterns"].append(progression)
 
+            # Apply retention policy: keep only MAX_WORKFLOW_FILES patterns
+            if len(data["patterns"]) > self.MAX_WORKFLOW_FILES:
+                data["patterns"] = data["patterns"][-self.MAX_WORKFLOW_FILES :]
+
             # Save updated file
             validated_consolidated = _validate_file_path(str(consolidated_file))
             with open(validated_consolidated, "w") as f:
                 json.dump(data, f, indent=2)
 
-        except (OSError, ValueError) as e:
+        except (OSError, ValueError, json.JSONDecodeError) as e:
             logger.warning(f"Could not update consolidated patterns: {e}")
+            # If file is corrupted, start fresh
+            try:
+                data = {"patterns": [progression]}
+                validated_consolidated = _validate_file_path(str(consolidated_file))
+                with open(validated_consolidated, "w") as f:
+                    json.dump(data, f, indent=2)
+                logger.info("Recreated consolidated patterns file")
+            except (OSError, ValueError) as e2:
+                logger.warning(f"Could not recreate consolidated patterns: {e2}")
+
+    def _cleanup_old_workflow_files(self):
+        """Remove old workflow files to prevent unbounded growth.
+
+        Called periodically during save_progression to keep disk usage bounded.
+        Keeps only the most recent MAX_WORKFLOW_FILES workflow files.
+        """
+        try:
+            workflow_files = sorted(
+                self.patterns_dir.glob("workflow_*.json"),
+                key=lambda p: p.stat().st_mtime,
+                reverse=True,
+            )
+
+            # Delete files beyond retention limit
+            files_to_delete = workflow_files[self.MAX_WORKFLOW_FILES :]
+            if files_to_delete:
+                for f in files_to_delete:
+                    try:
+                        f.unlink()
+                    except OSError:
+                        pass  # Best effort cleanup
+                logger.debug(f"Cleaned up {len(files_to_delete)} old workflow files")
+        except OSError as e:
+            logger.debug(f"Workflow file cleanup skipped: {e}")
 
 
 def auto_recommend_tier(

wizards/discharge_summary_wizard.py

@@ -157,7 +157,8 @@ async def _store_wizard_session(wizard_id: str, session_data: dict[str, Any]) ->
                     json.dumps(session_data),  # FIXED: use JSON
                 )
                 return True
-    except Exception:
+    except Exception:  # noqa: BLE001
+        # INTENTIONAL: Graceful degradation - fall back to in-memory storage if Redis fails
         pass
     _wizard_sessions[wizard_id] = session_data
     return True
@@ -174,7 +175,8 @@ async def _get_wizard_session(wizard_id: str) -> dict[str, Any] | None:
                 if session_str:
                     # SECURITY FIX: Use json.loads() instead of ast.literal_eval()
                     return json.loads(session_str)
-    except Exception:
+    except Exception:  # noqa: BLE001
+        # INTENTIONAL: Graceful degradation - fall back to in-memory storage if Redis fails
         pass
     return _wizard_sessions.get(wizard_id)
 

wizards/incident_report_wizard.py

@@ -143,7 +143,8 @@ async def _store_wizard_session(wizard_id: str, session_data: dict[str, Any]) ->
                     json.dumps(session_data),  # FIXED: use JSON
                 )
                 return True
-    except Exception:
+    except Exception:  # noqa: BLE001
+        # INTENTIONAL: Graceful degradation - fall back to in-memory storage if Redis fails
         pass
     _wizard_sessions[wizard_id] = session_data
     return True
@@ -160,7 +161,8 @@ async def _get_wizard_session(wizard_id: str) -> dict[str, Any] | None:
                 if session_str:
                     # SECURITY FIX: Use json.loads() instead of ast.literal_eval()
                     return json.loads(session_str)
-    except Exception:
+    except Exception:  # noqa: BLE001
+        # INTENTIONAL: Graceful degradation - fall back to in-memory storage if Redis fails
         pass
     return _wizard_sessions.get(wizard_id)