empathy-framework 4.7.0__py3-none-any.whl → 4.8.0__py3-none-any.whl

empathy_os/workflows/routing.py

@@ -0,0 +1,168 @@
+"""Tier routing strategies for workflow execution.
+
+Provides pluggable routing algorithms to determine which model tier
+should handle each workflow stage.
+
+Copyright 2025 Smart-AI-Memory
+Licensed under Fair Source License 0.9
+"""
+
+from __future__ import annotations
+
+from abc import ABC, abstractmethod
+from dataclasses import dataclass
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+    from empathy_os.workflows.base import ModelTier
+
+
+@dataclass
+class RoutingContext:
+    """Context information for routing decisions.
+
+    Attributes:
+        task_type: Type of task (analyze, generate, review, etc.)
+        input_size: Estimated input tokens
+        complexity: Task complexity (simple, moderate, complex)
+        budget_remaining: Remaining budget in USD
+        latency_sensitivity: Latency requirements (low, medium, high)
+    """
+
+    task_type: str
+    input_size: int
+    complexity: str  # "simple" | "moderate" | "complex"
+    budget_remaining: float
+    latency_sensitivity: str  # "low" | "medium" | "high"
+
+
+class TierRoutingStrategy(ABC):
+    """Abstract base class for tier routing strategies.
+
+    Subclasses implement different routing algorithms:
+    - CostOptimizedRouting: Minimize cost
+    - PerformanceOptimizedRouting: Minimize latency
+    - BalancedRouting: Balance cost and performance
+    - HybridRouting: User-configured tier mappings
+    """
+
+    @abstractmethod
+    def route(self, context: RoutingContext) -> ModelTier:
+        """Route task to appropriate tier.
+
+        Args:
+            context: Routing context with task information
+
+        Returns:
+            ModelTier to use for this task
+        """
+        pass
+
+    @abstractmethod
+    def can_fallback(self, tier: ModelTier) -> bool:
+        """Whether fallback to cheaper tier is allowed.
+
+        Args:
+            tier: The tier that failed or exceeded budget
+
+        Returns:
+            True if fallback is allowed, False otherwise
+        """
+        pass
+
+
+class CostOptimizedRouting(TierRoutingStrategy):
+    """Route to cheapest tier that can handle the task.
+
+    Default strategy. Prioritizes cost savings over speed.
+
+    Example:
+        >>> strategy = CostOptimizedRouting()
+        >>> tier = strategy.route(context)  # CHEAP for simple tasks
+    """
+
+    def route(self, context: RoutingContext) -> ModelTier:
+        """Route based on task complexity, preferring cheaper tiers."""
+        from empathy_os.workflows.base import ModelTier
+
+        if context.complexity == "simple":
+            return ModelTier.CHEAP
+        elif context.complexity == "complex":
+            return ModelTier.PREMIUM
+        return ModelTier.CAPABLE
+
+    def can_fallback(self, tier: ModelTier) -> bool:
+        """Allow fallback except for CHEAP tier."""
+        from empathy_os.workflows.base import ModelTier
+
+        return tier != ModelTier.CHEAP
+
+
+class PerformanceOptimizedRouting(TierRoutingStrategy):
+    """Route to fastest tier regardless of cost.
+
+    Use for latency-sensitive workflows like interactive tools.
+
+    Example:
+        >>> strategy = PerformanceOptimizedRouting()
+        >>> tier = strategy.route(context)  # PREMIUM for high latency sensitivity
+    """
+
+    def route(self, context: RoutingContext) -> ModelTier:
+        """Route based on latency requirements."""
+        from empathy_os.workflows.base import ModelTier
+
+        if context.latency_sensitivity == "high":
+            return ModelTier.PREMIUM
+        return ModelTier.CAPABLE
+
+    def can_fallback(self, tier: ModelTier) -> bool:
+        """Never fallback - performance is priority."""
+        return False
+
+
+class BalancedRouting(TierRoutingStrategy):
+    """Balance cost and performance with budget awareness.
+
+    Adjusts tier selection based on remaining budget and task complexity.
+
+    Example:
+        >>> strategy = BalancedRouting(total_budget=50.0)
+        >>> tier = strategy.route(context)  # Adapts based on budget
+    """
+
+    def __init__(self, total_budget: float):
+        """Initialize with total budget.
+
+        Args:
+            total_budget: Total budget in USD for this workflow execution
+
+        Raises:
+            ValueError: If total_budget is not positive
+        """
+        if total_budget <= 0:
+            raise ValueError("total_budget must be positive")
+        self.total_budget = total_budget
+
+    def route(self, context: RoutingContext) -> ModelTier:
+        """Route based on budget ratio and complexity."""
+        from empathy_os.workflows.base import ModelTier
+
+        budget_ratio = context.budget_remaining / self.total_budget
+
+        # Low budget - use cheap tier
+        if budget_ratio < 0.2:
+            return ModelTier.CHEAP
+
+        # High budget + complex task - use premium
+        if budget_ratio > 0.7 and context.complexity == "complex":
+            return ModelTier.PREMIUM
+
+        # Default to capable
+        return ModelTier.CAPABLE
+
+    def can_fallback(self, tier: ModelTier) -> bool:
+        """Allow fallback when budget-constrained."""
+        return True
+
+

empathy_os/workflows/secure_release.py

@@ -166,6 +166,7 @@ class SecureReleasePipeline:
                 _get_crew_audit,
                 crew_report_to_workflow_format,
             )
+
             adapters_available = True
         except ImportError:
             adapters_available = False

empathy_os/workflows/security_audit.py

@@ -342,11 +342,29 @@ class SecurityAuditWorkflow(BaseWorkflow):
                                     if self._is_detection_code(line_content, match.group()):
                                         continue
 
+                                    # Phase 2: Skip safe SQL parameterization patterns
+                                    if vuln_type == "sql_injection":
+                                        if self._is_safe_sql_parameterization(
+                                            line_content,
+                                            match.group(),
+                                            content,
+                                        ):
+                                            continue
+
                                     # Skip fake/test credentials
                                     if vuln_type == "hardcoded_secret":
                                         if self._is_fake_credential(match.group()):
                                             continue
 
+                                    # Phase 2: Skip safe random usage (tests, demos, documented)
+                                    if vuln_type == "insecure_random":
+                                        if self._is_safe_random_usage(
+                                            line_content,
+                                            file_name,
+                                            content,
+                                        ):
+                                            continue
+
                                     # Skip command_injection in documentation strings
                                     if vuln_type == "command_injection":
                                         if self._is_documentation_or_string(
@@ -380,6 +398,29 @@ class SecurityAuditWorkflow(BaseWorkflow):
                     except OSError:
                         continue
 
+        # Phase 3: Apply AST-based filtering for command injection
+        try:
+            from .security_audit_phase3 import apply_phase3_filtering
+
+            # Separate command injection findings
+            cmd_findings = [f for f in findings if f["type"] == "command_injection"]
+            other_findings = [f for f in findings if f["type"] != "command_injection"]
+
+            # Apply Phase 3 filtering to command injection
+            filtered_cmd = apply_phase3_filtering(cmd_findings)
+
+            # Combine back
+            findings = other_findings + filtered_cmd
+
+            logger.info(
+                f"Phase 3: Filtered command_injection from {len(cmd_findings)} to {len(filtered_cmd)} "
+                f"({len(cmd_findings) - len(filtered_cmd)} false positives removed)"
+            )
+        except ImportError:
+            logger.debug("Phase 3 module not available, skipping AST-based filtering")
+        except Exception as e:
+            logger.warning(f"Phase 3 filtering failed: {e}")
+
         input_tokens = len(str(input_data)) // 4
         output_tokens = len(str(findings)) // 4
 
@@ -541,6 +582,154 @@ class SecurityAuditWorkflow(BaseWorkflow):
 
         return False
 
+    def _is_safe_sql_parameterization(self, line_content: str, match_text: str, file_content: str) -> bool:
+        """Check if SQL query uses safe parameterization despite f-string usage.
+
+        Phase 2 Enhancement: Detects safe patterns like:
+        - placeholders = ",".join("?" * len(ids))
+        - cursor.execute(f"... IN ({placeholders})", ids)
+
+        This prevents false positives for the SQLite-recommended pattern
+        of building dynamic placeholder strings.
+
+        Args:
+            line_content: The line containing the match (may be incomplete for multi-line)
+            match_text: The matched text
+            file_content: Full file content for context analysis
+
+        Returns:
+            True if this is safe parameterized SQL, False otherwise
+        """
+        # Get the position of the match in the full file content
+        match_pos = file_content.find(match_text)
+        if match_pos == -1:
+            # Try to find cursor.execute
+            match_pos = file_content.find("cursor.execute")
+            if match_pos == -1:
+                return False
+
+        # Extract a larger context (next 200 chars after match)
+        context = file_content[match_pos:match_pos + 200]
+
+        # Also get lines before the match for placeholder detection
+        lines_before = file_content[:match_pos].split("\n")
+        recent_lines = lines_before[-10:] if len(lines_before) > 10 else lines_before
+
+        # Pattern 1: Check if this is a placeholder-based parameterized query
+        # Look for: cursor.execute(f"... IN ({placeholders})", params)
+        if "placeholders" in context or any("placeholders" in line for line in recent_lines[-5:]):
+            # Check if context has both f-string and separate parameters
+            # Pattern: f"...{placeholders}..." followed by comma and params
+            if re.search(r'f["\'][^"\']*\{placeholders\}[^"\']*["\']\s*,\s*\w+', context):
+                return True  # Safe - has separate parameters
+
+            # Also check if recent lines built the placeholders
+            for prev_line in reversed(recent_lines):
+                if "placeholders" in prev_line and '"?"' in prev_line and "join" in prev_line:
+                    # Found placeholder construction
+                    # Now check if the execute has separate parameters
+                    if "," in context and any(param in context for param in ["run_ids", "ids", "params", "values", ")"]):
+                        return True
+
+        # Pattern 2: Check if f-string only builds SQL structure with constants
+        # Example: f"SELECT * FROM {TABLE_NAME}" where TABLE_NAME is a constant
+        f_string_vars = re.findall(r'\{(\w+)\}', context)
+        if f_string_vars:
+            # Check if all variables are constants (UPPERCASE or table/column names)
+            all_constants = all(
+                var.isupper() or "TABLE" in var.upper() or "COLUMN" in var.upper()
+                for var in f_string_vars
+            )
+            if all_constants:
+                return True  # Safe - using constants, not user data
+
+        # Pattern 3: Check for security note comments nearby
+        # If developers added security notes, it's likely safe
+        for prev_line in reversed(recent_lines[-3:]):
+            if "security note" in prev_line.lower() and "safe" in prev_line.lower():
+                return True
+
+        return False
+
+    def _is_safe_random_usage(self, line_content: str, file_path: str, file_content: str) -> bool:
+        """Check if random usage is in a safe context (tests, simulations, non-crypto).
+
+        Phase 2 Enhancement: Reduces false positives for random module usage
+        in test fixtures, A/B testing simulations, and demo code.
+
+        Args:
+            line_content: The line containing the match
+            file_path: Path to the file being scanned
+            file_content: Full file content for context analysis
+
+        Returns:
+            True if random usage is safe/documented, False if potentially insecure
+        """
+        # Check if file is a test file
+        is_test = any(pattern in file_path.lower() for pattern in ["/test", "test_", "conftest"])
+
+        # Check for explicit security notes nearby
+        lines = file_content.split("\n")
+        line_index = None
+        for i, line in enumerate(lines):
+            if line_content.strip() in line:
+                line_index = i
+                break
+
+        if line_index is not None:
+            # Check 5 lines before and after for security notes
+            context_start = max(0, line_index - 5)
+            context_end = min(len(lines), line_index + 5)
+            context = "\n".join(lines[context_start:context_end]).lower()
+
+            # Look for clarifying comments
+            safe_indicators = [
+                "security note",
+                "not cryptographic",
+                "not for crypto",
+                "test data",
+                "demo data",
+                "simulation",
+                "reproducible",
+                "deterministic",
+                "fixed seed",
+                "not used for security",
+                "not used for secrets",
+                "not used for tokens",
+            ]
+
+            if any(indicator in context for indicator in safe_indicators):
+                return True  # Documented as safe
+
+        # Check for common safe random patterns
+        line_lower = line_content.lower()
+
+        # Pattern 1: Fixed seed (reproducible tests)
+        if "random.seed(" in line_lower:
+            return True  # Fixed seed is for reproducibility, not security
+
+        # Pattern 2: A/B testing, simulations, demos
+        safe_contexts = [
+            "simulation",
+            "demo",
+            "a/b test",
+            "ab_test",
+            "fixture",
+            "mock",
+            "example",
+            "sample",
+        ]
+        if any(context in file_path.lower() for context in safe_contexts):
+            return True
+
+        # If it's a test file without crypto indicators, it's probably safe
+        if is_test:
+            crypto_indicators = ["password", "secret", "token", "key", "crypto", "auth"]
+            if not any(indicator in file_path.lower() for indicator in crypto_indicators):
+                return True
+
+        return False
+
     async def _assess(self, input_data: dict, tier: ModelTier) -> tuple[dict, int, int]:
         """Risk scoring and severity classification.
 
@@ -674,6 +863,7 @@ class SecurityAuditWorkflow(BaseWorkflow):
         """
         try:
             from .security_adapters import _check_crew_available
+
             adapters_available = True
         except ImportError:
             adapters_available = False