empathy-framework 4.8.0__py3-none-any.whl → 4.9.0__py3-none-any.whl

empathy_os/workflows/security_audit.py

@@ -342,29 +342,11 @@ class SecurityAuditWorkflow(BaseWorkflow):
                                     if self._is_detection_code(line_content, match.group()):
                                         continue
 
-                                    # Phase 2: Skip safe SQL parameterization patterns
-                                    if vuln_type == "sql_injection":
-                                        if self._is_safe_sql_parameterization(
-                                            line_content,
-                                            match.group(),
-                                            content,
-                                        ):
-                                            continue
-
                                     # Skip fake/test credentials
                                     if vuln_type == "hardcoded_secret":
                                         if self._is_fake_credential(match.group()):
                                             continue
 
-                                    # Phase 2: Skip safe random usage (tests, demos, documented)
-                                    if vuln_type == "insecure_random":
-                                        if self._is_safe_random_usage(
-                                            line_content,
-                                            file_name,
-                                            content,
-                                        ):
-                                            continue
-
                                     # Skip command_injection in documentation strings
                                     if vuln_type == "command_injection":
                                         if self._is_documentation_or_string(
@@ -398,29 +380,6 @@ class SecurityAuditWorkflow(BaseWorkflow):
                     except OSError:
                         continue
 
-        # Phase 3: Apply AST-based filtering for command injection
-        try:
-            from .security_audit_phase3 import apply_phase3_filtering
-
-            # Separate command injection findings
-            cmd_findings = [f for f in findings if f["type"] == "command_injection"]
-            other_findings = [f for f in findings if f["type"] != "command_injection"]
-
-            # Apply Phase 3 filtering to command injection
-            filtered_cmd = apply_phase3_filtering(cmd_findings)
-
-            # Combine back
-            findings = other_findings + filtered_cmd
-
-            logger.info(
-                f"Phase 3: Filtered command_injection from {len(cmd_findings)} to {len(filtered_cmd)} "
-                f"({len(cmd_findings) - len(filtered_cmd)} false positives removed)"
-            )
-        except ImportError:
-            logger.debug("Phase 3 module not available, skipping AST-based filtering")
-        except Exception as e:
-            logger.warning(f"Phase 3 filtering failed: {e}")
-
         input_tokens = len(str(input_data)) // 4
         output_tokens = len(str(findings)) // 4
 
@@ -582,154 +541,6 @@ class SecurityAuditWorkflow(BaseWorkflow):
 
         return False
 
-    def _is_safe_sql_parameterization(self, line_content: str, match_text: str, file_content: str) -> bool:
-        """Check if SQL query uses safe parameterization despite f-string usage.
-
-        Phase 2 Enhancement: Detects safe patterns like:
-        - placeholders = ",".join("?" * len(ids))
-        - cursor.execute(f"... IN ({placeholders})", ids)
-
-        This prevents false positives for the SQLite-recommended pattern
-        of building dynamic placeholder strings.
-
-        Args:
-            line_content: The line containing the match (may be incomplete for multi-line)
-            match_text: The matched text
-            file_content: Full file content for context analysis
-
-        Returns:
-            True if this is safe parameterized SQL, False otherwise
-        """
-        # Get the position of the match in the full file content
-        match_pos = file_content.find(match_text)
-        if match_pos == -1:
-            # Try to find cursor.execute
-            match_pos = file_content.find("cursor.execute")
-            if match_pos == -1:
-                return False
-
-        # Extract a larger context (next 200 chars after match)
-        context = file_content[match_pos:match_pos + 200]
-
-        # Also get lines before the match for placeholder detection
-        lines_before = file_content[:match_pos].split("\n")
-        recent_lines = lines_before[-10:] if len(lines_before) > 10 else lines_before
-
-        # Pattern 1: Check if this is a placeholder-based parameterized query
-        # Look for: cursor.execute(f"... IN ({placeholders})", params)
-        if "placeholders" in context or any("placeholders" in line for line in recent_lines[-5:]):
-            # Check if context has both f-string and separate parameters
-            # Pattern: f"...{placeholders}..." followed by comma and params
-            if re.search(r'f["\'][^"\']*\{placeholders\}[^"\']*["\']\s*,\s*\w+', context):
-                return True  # Safe - has separate parameters
-
-            # Also check if recent lines built the placeholders
-            for prev_line in reversed(recent_lines):
-                if "placeholders" in prev_line and '"?"' in prev_line and "join" in prev_line:
-                    # Found placeholder construction
-                    # Now check if the execute has separate parameters
-                    if "," in context and any(param in context for param in ["run_ids", "ids", "params", "values", ")"]):
-                        return True
-
-        # Pattern 2: Check if f-string only builds SQL structure with constants
-        # Example: f"SELECT * FROM {TABLE_NAME}" where TABLE_NAME is a constant
-        f_string_vars = re.findall(r'\{(\w+)\}', context)
-        if f_string_vars:
-            # Check if all variables are constants (UPPERCASE or table/column names)
-            all_constants = all(
-                var.isupper() or "TABLE" in var.upper() or "COLUMN" in var.upper()
-                for var in f_string_vars
-            )
-            if all_constants:
-                return True  # Safe - using constants, not user data
-
-        # Pattern 3: Check for security note comments nearby
-        # If developers added security notes, it's likely safe
-        for prev_line in reversed(recent_lines[-3:]):
-            if "security note" in prev_line.lower() and "safe" in prev_line.lower():
-                return True
-
-        return False
-
-    def _is_safe_random_usage(self, line_content: str, file_path: str, file_content: str) -> bool:
-        """Check if random usage is in a safe context (tests, simulations, non-crypto).
-
-        Phase 2 Enhancement: Reduces false positives for random module usage
-        in test fixtures, A/B testing simulations, and demo code.
-
-        Args:
-            line_content: The line containing the match
-            file_path: Path to the file being scanned
-            file_content: Full file content for context analysis
-
-        Returns:
-            True if random usage is safe/documented, False if potentially insecure
-        """
-        # Check if file is a test file
-        is_test = any(pattern in file_path.lower() for pattern in ["/test", "test_", "conftest"])
-
-        # Check for explicit security notes nearby
-        lines = file_content.split("\n")
-        line_index = None
-        for i, line in enumerate(lines):
-            if line_content.strip() in line:
-                line_index = i
-                break
-
-        if line_index is not None:
-            # Check 5 lines before and after for security notes
-            context_start = max(0, line_index - 5)
-            context_end = min(len(lines), line_index + 5)
-            context = "\n".join(lines[context_start:context_end]).lower()
-
-            # Look for clarifying comments
-            safe_indicators = [
-                "security note",
-                "not cryptographic",
-                "not for crypto",
-                "test data",
-                "demo data",
-                "simulation",
-                "reproducible",
-                "deterministic",
-                "fixed seed",
-                "not used for security",
-                "not used for secrets",
-                "not used for tokens",
-            ]
-
-            if any(indicator in context for indicator in safe_indicators):
-                return True  # Documented as safe
-
-        # Check for common safe random patterns
-        line_lower = line_content.lower()
-
-        # Pattern 1: Fixed seed (reproducible tests)
-        if "random.seed(" in line_lower:
-            return True  # Fixed seed is for reproducibility, not security
-
-        # Pattern 2: A/B testing, simulations, demos
-        safe_contexts = [
-            "simulation",
-            "demo",
-            "a/b test",
-            "ab_test",
-            "fixture",
-            "mock",
-            "example",
-            "sample",
-        ]
-        if any(context in file_path.lower() for context in safe_contexts):
-            return True
-
-        # If it's a test file without crypto indicators, it's probably safe
-        if is_test:
-            crypto_indicators = ["password", "secret", "token", "key", "crypto", "auth"]
-            if not any(indicator in file_path.lower() for indicator in crypto_indicators):
-                return True
-
-        return False
-
     async def _assess(self, input_data: dict, tier: ModelTier) -> tuple[dict, int, int]:
         """Risk scoring and severity classification.
 

empathy_os/workflows/security_audit_phase3.py

@@ -222,11 +222,31 @@ def enhanced_command_injection_detection(
     if is_scanner_implementation_file(file_path):
         return []  # Scanner files are allowed to mention eval/exec
 
-    # Step 2: For Python files, use AST-based detection
+    # Step 2: For Python files, use AST-based detection for eval/exec only
+    # Keep subprocess findings from regex detection
     if file_path.endswith(".py"):
         try:
+            # Separate eval/exec findings from subprocess/os.system findings
+            # Eval/exec findings will be replaced with AST-based findings
+            # Subprocess/os.system findings will be kept from regex detection
+            eval_exec_findings = []
+            subprocess_findings = []
+
+            for finding in original_findings:
+                match_text = finding.get("match", "").lower()
+                if "eval" in match_text or "exec" in match_text:
+                    eval_exec_findings.append(finding)
+                else:
+                    # subprocess, os.system, or other command injection patterns
+                    subprocess_findings.append(finding)
+
+            # Use AST to validate eval/exec findings (reduces false positives)
             ast_findings = analyze_file_for_eval_exec(file_path)
 
+            # Check if this is a test file (downgrade severity)
+            from .security_audit import TEST_FILE_PATTERNS
+            is_test_file = any(re.search(pat, file_path) for pat in TEST_FILE_PATTERNS)
+
             # Convert AST findings to format compatible with original
             filtered = []
             for finding in ast_findings:
@@ -235,11 +255,15 @@ def enhanced_command_injection_detection(
                     "file": file_path,
                     "line": finding["line"],
                     "match": f"{finding['function']}(",
-                    "severity": "critical",
+                    "severity": "low" if is_test_file else "critical",
                     "owasp": "A03:2021 Injection",
                     "context": finding.get("context", ""),
+                    "is_test": is_test_file,
                 })
 
+            # Keep subprocess/os.system findings (not filtered by AST)
+            filtered.extend(subprocess_findings)
+
             return filtered
 
         except Exception as e:

empathy_os/workflows/test_gen.py

@@ -597,8 +597,8 @@ class TestGenerationWorkflow(BaseWorkflow):
             {
                 "candidates": candidates[:max_candidates],
                 "total_candidates": len(candidates),
-                "hotspot_count": len([c for c in candidates if c["is_hotspot"]]),
-                "untested_count": len([c for c in candidates if not c["has_tests"]]),
+                "hotspot_count": sum(1 for c in candidates if c["is_hotspot"]),
+                "untested_count": sum(1 for c in candidates if not c["has_tests"]),
                 # Scope awareness fields for enterprise reporting
                 "total_source_files": total_source_files,
                 "existing_test_files": existing_test_files,
@@ -1503,13 +1503,13 @@ END OF REQUIRED FORMAT - output nothing after recommendations."""
         lines.append(f"| **Total Test Functions** | {total_test_count} |")
         lines.append(f"| **Files Covered** | {len(generated_tests)} |")
 
-        # Count classes and functions
+        # Count classes and functions (generator expressions for memory efficiency)
         total_classes = sum(
-            len([t for t in item.get("tests", []) if t.get("type") == "class"])
+            sum(1 for t in item.get("tests", []) if t.get("type") == "class")
             for item in generated_tests
         )
         total_functions = sum(
-            len([t for t in item.get("tests", []) if t.get("type") == "function"])
+            sum(1 for t in item.get("tests", []) if t.get("type") == "function")
             for item in generated_tests
         )
         lines.append(f"| **Classes Tested** | {total_classes} |")
@@ -1799,8 +1799,8 @@ def format_test_gen_report(result: dict, input_data: dict) -> str:
     lines.append("NEXT STEPS")
     lines.append("-" * 60)
 
-    high_findings = len([f for f in xml_findings if f["severity"] == "high"])
-    medium_findings = len([f for f in xml_findings if f["severity"] == "medium"])
+    high_findings = sum(1 for f in xml_findings if f["severity"] == "high")
+    medium_findings = sum(1 for f in xml_findings if f["severity"] == "medium")
 
     if high_findings > 0:
         lines.append(f"  🔴 Address {high_findings} high-priority finding(s) first")

empathy_os/vscode_bridge 2.py

@@ -1,173 +0,0 @@
-"""VS Code Extension Bridge
-
-Provides functions to write data that the VS Code extension can pick up.
-Enables Claude Code CLI output to appear in VS Code webview panels.
-
-Copyright 2026 Smart-AI-Memory
-Licensed under Fair Source License 0.9
-"""
-
-import json
-from dataclasses import asdict, dataclass
-from datetime import datetime
-from pathlib import Path
-from typing import Any
-
-
-@dataclass
-class ReviewFinding:
-    """A code review finding."""
-
-    id: str
-    file: str
-    line: int
-    severity: str  # 'critical' | 'high' | 'medium' | 'low' | 'info'
-    category: str  # 'security' | 'performance' | 'maintainability' | 'style' | 'correctness'
-    message: str
-    column: int = 1
-    details: str | None = None
-    recommendation: str | None = None
-
-
-@dataclass
-class CodeReviewResult:
-    """Code review results for VS Code bridge."""
-
-    findings: list[dict[str, Any]]
-    summary: dict[str, Any]
-    verdict: str  # 'approve' | 'approve_with_suggestions' | 'request_changes' | 'reject'
-    security_score: int
-    formatted_report: str
-    model_tier_used: str
-    timestamp: str
-
-
-def get_empathy_dir() -> Path:
-    """Get the .empathy directory, creating if needed."""
-    empathy_dir = Path(".empathy")
-    empathy_dir.mkdir(exist_ok=True)
-    return empathy_dir
-
-
-def write_code_review_results(
-    findings: list[dict[str, Any]] | None = None,
-    summary: dict[str, Any] | None = None,
-    verdict: str = "approve_with_suggestions",
-    security_score: int = 85,
-    formatted_report: str = "",
-    model_tier_used: str = "capable",
-) -> Path:
-    """Write code review results for VS Code extension to pick up.
-
-    Args:
-        findings: List of finding dicts with keys: id, file, line, severity, category, message
-        summary: Summary dict with keys: total_findings, by_severity, by_category, files_affected
-        verdict: One of 'approve', 'approve_with_suggestions', 'request_changes', 'reject'
-        security_score: 0-100 score
-        formatted_report: Markdown formatted report
-        model_tier_used: 'cheap', 'capable', or 'premium'
-
-    Returns:
-        Path to the written file
-    """
-    findings = findings or []
-
-    # Build summary if not provided
-    if summary is None:
-        by_severity: dict[str, int] = {}
-        by_category: dict[str, int] = {}
-        files_affected: set[str] = set()
-
-        for f in findings:
-            sev = f.get("severity", "info")
-            cat = f.get("category", "correctness")
-            by_severity[sev] = by_severity.get(sev, 0) + 1
-            by_category[cat] = by_category.get(cat, 0) + 1
-            if f.get("file"):
-                files_affected.add(f["file"])
-
-        summary = {
-            "total_findings": len(findings),
-            "by_severity": by_severity,
-            "by_category": by_category,
-            "files_affected": list(files_affected),
-        }
-
-    result = CodeReviewResult(
-        findings=findings,
-        summary=summary,
-        verdict=verdict,
-        security_score=security_score,
-        formatted_report=formatted_report,
-        model_tier_used=model_tier_used,
-        timestamp=datetime.now().isoformat(),
-    )
-
-    output_path = get_empathy_dir() / "code-review-results.json"
-
-    with open(output_path, "w") as f:
-        json.dump(asdict(result), f, indent=2)
-
-    return output_path
-
-
-def write_pr_review_results(
-    pr_number: int | str,
-    title: str,
-    findings: list[dict[str, Any]],
-    verdict: str = "approve_with_suggestions",
-    summary_text: str = "",
-) -> Path:
-    """Write PR review results for VS Code extension.
-
-    Convenience wrapper for PR reviews from GitHub.
-
-    Args:
-        pr_number: The PR number
-        title: PR title
-        findings: List of review findings
-        verdict: Review verdict
-        summary_text: Summary of the review
-
-    Returns:
-        Path to the written file
-    """
-    formatted_report = f"""## PR #{pr_number}: {title}
-
-{summary_text}
-
-### Findings ({len(findings)})
-
-"""
-    for f in findings:
-        formatted_report += f"- **{f.get('severity', 'info').upper()}** [{f.get('file', 'unknown')}:{f.get('line', 0)}]: {f.get('message', '')}\n"
-
-    return write_code_review_results(
-        findings=findings,
-        verdict=verdict,
-        formatted_report=formatted_report,
-        model_tier_used="capable",
-    )
-
-
-# Quick helper for Claude Code to call
-def send_to_vscode(
-    message: str,
-    findings: list[dict[str, Any]] | None = None,
-    verdict: str = "approve_with_suggestions",
-) -> str:
-    """Quick helper to send review results to VS Code.
-
-    Usage in Claude Code:
-        from empathy_os.vscode_bridge import send_to_vscode
-        send_to_vscode("Review complete", findings=[...])
-
-    Returns:
-        Confirmation message
-    """
-    path = write_code_review_results(
-        findings=findings or [],
-        formatted_report=message,
-        verdict=verdict,
-    )
-    return f"Results written to {path} - VS Code will update automatically"