empathy-framework 4.8.0__py3-none-any.whl → 4.9.1__py3-none-any.whl

empathy_os/workflows/progress.py

@@ -11,35 +11,12 @@ from __future__ import annotations
 
 import asyncio
 import json
-import logging
-import sys
-import uuid
-from collections.abc import Callable, Coroutine, Generator
-from contextlib import contextmanager
+from collections.abc import Callable, Coroutine
 from dataclasses import dataclass, field
 from datetime import datetime
 from enum import Enum
 from typing import Any, Protocol
 
-logger = logging.getLogger(__name__)
-
-# Rich imports with fallback
-try:
-    from rich.console import Console, Group
-    from rich.live import Live
-    from rich.panel import Panel
-    from rich.progress import BarColumn, Progress, SpinnerColumn, TaskID, TextColumn
-    from rich.table import Table
-    from rich.text import Text
-
-    RICH_AVAILABLE = True
-except ImportError:
-    RICH_AVAILABLE = False
-    Console = None  # type: ignore
-    Live = None  # type: ignore
-    Panel = None  # type: ignore
-    Progress = None  # type: ignore
-
 
 class ProgressStatus(Enum):
     """Status of a workflow or stage."""
@@ -384,9 +361,9 @@ class ProgressTracker:
         for callback in self._callbacks:
             try:
                 callback(update)
-            except Exception:  # noqa: BLE001
-                # INTENTIONAL: Callbacks are optional - never fail workflow on callback error
-                logger.warning("Progress callback error", exc_info=True)
+            except Exception as e:
+                # Log but don't fail on callback errors
+                print(f"Progress callback error: {e}")
 
         # Call async callbacks
         for async_callback in self._async_callbacks:
@@ -410,111 +387,39 @@ class ProgressReporter(Protocol):
 
 
 class ConsoleProgressReporter:
-    """Console-based progress reporter optimized for IDE environments.
+    """Simple console-based progress reporter for CLI usage."""
 
-    Provides clear, readable progress output that works reliably in:
-    - VSCode integrated terminal
-    - VSCode output panel
-    - IDE debug consoles
-    - Standard terminals
-
-    Uses Unicode symbols that render correctly in most environments.
-    """
-
-    def __init__(self, verbose: bool = False, show_tokens: bool = False):
-        """Initialize console progress reporter.
-
-        Args:
-            verbose: Show additional details (fallback info, errors)
-            show_tokens: Include token counts in output
-        """
+    def __init__(self, verbose: bool = False):
         self.verbose = verbose
-        self.show_tokens = show_tokens
-        self._start_time: datetime | None = None
-        self._stage_times: dict[str, int] = {}
 
     def report(self, update: ProgressUpdate) -> None:
-        """Print progress to console.
-
-        Args:
-            update: Progress update from the tracker
-        """
-        # Track start time for elapsed calculation
-        if self._start_time is None:
-            self._start_time = datetime.now()
-
-        percent = f"{update.percent_complete:3.0f}%"
+        """Print progress to console."""
+        percent = f"{update.percent_complete:.0f}%"
         cost = f"${update.cost_so_far:.4f}"
-
-        # Status icons that work in most environments
         status_icon = {
             ProgressStatus.PENDING: "○",
-            ProgressStatus.RUNNING: "►",
-            ProgressStatus.COMPLETED: "✓",
+            ProgressStatus.RUNNING: "◐",
+            ProgressStatus.COMPLETED: "●",
             ProgressStatus.FAILED: "✗",
-            ProgressStatus.SKIPPED: "–",
-            ProgressStatus.FALLBACK: "↻",
+            ProgressStatus.SKIPPED: "◌",
+            ProgressStatus.FALLBACK: "↩",
             ProgressStatus.RETRYING: "↻",
         }.get(update.status, "?")
 
         # Get current tier from running stage
         tier_info = ""
-        model_info = ""
         if update.current_stage and update.stages:
             for stage in update.stages:
-                if stage.name == update.current_stage:
-                    if stage.status == ProgressStatus.RUNNING:
-                        tier_info = f" [{stage.tier.upper()}]"
-                        if stage.model:
-                            model_info = f" ({stage.model})"
-                    # Track stage duration
-                    if stage.duration_ms > 0:
-                        self._stage_times[stage.name] = stage.duration_ms
+                if stage.name == update.current_stage and stage.status == ProgressStatus.RUNNING:
+                    tier_info = f" [{stage.tier.upper()}]"
                     break
 
-        # Build output line
-        elapsed = ""
-        if self._start_time:
-            elapsed_sec = (datetime.now() - self._start_time).total_seconds()
-            if elapsed_sec >= 1:
-                elapsed = f" [{elapsed_sec:.1f}s]"
-
-        tokens_str = ""
-        if self.show_tokens and update.tokens_so_far > 0:
-            tokens_str = f" | {update.tokens_so_far:,} tokens"
-
-        # Format: [100%] ✓ Completed optimize [PREMIUM] ($0.0279) [12.3s]
-        output = f"[{percent}] {status_icon} {update.message}{tier_info} ({cost}{tokens_str}){elapsed}"
-        print(output)
-
-        # Verbose output
-        if self.verbose:
-            if update.fallback_info:
-                print(f"         ↳ Fallback: {update.fallback_info}")
-            if update.error:
-                print(f"         ↳ Error: {update.error}")
-
-        # Print summary only on final workflow completion (not stage completion)
-        if update.status == ProgressStatus.COMPLETED and "workflow" in update.message.lower():
-            self._print_summary(update)
-
-    def _print_summary(self, update: ProgressUpdate) -> None:
-        """Print workflow completion summary."""
-        if not self._stage_times:
-            return
-
-        print("")
-        print("─" * 50)
-        print("Stage Summary:")
-        for stage in update.stages:
-            if stage.status == ProgressStatus.COMPLETED:
-                duration_ms = stage.duration_ms or self._stage_times.get(stage.name, 0)
-                duration_str = f"{duration_ms}ms" if duration_ms < 1000 else f"{duration_ms/1000:.1f}s"
-                cost_str = f"${stage.cost:.4f}" if stage.cost > 0 else "—"
-                print(f"  {stage.name}: {duration_str} | {cost_str}")
-            elif stage.status == ProgressStatus.SKIPPED:
-                print(f"  {stage.name}: skipped")
-        print("─" * 50)
+        print(f"[{percent}] {status_icon} {update.message}{tier_info} ({cost})")
+
+        if self.verbose and update.fallback_info:
+            print(f"       Fallback: {update.fallback_info}")
+        if self.verbose and update.error:
+            print(f"       Error: {update.error}")
 
     async def report_async(self, update: ProgressUpdate) -> None:
         """Async version just calls sync."""
@@ -558,6 +463,8 @@ def create_progress_tracker(
         Configured ProgressTracker instance
 
     """
+    import uuid
+
     tracker = ProgressTracker(
         workflow_name=workflow_name,
         workflow_id=uuid.uuid4().hex[:12],
@@ -568,212 +475,3 @@ def create_progress_tracker(
         tracker.add_callback(reporter.report)
 
     return tracker
-
-
-class RichProgressReporter:
-    """Rich-based live progress display with spinner, progress bar, and metrics.
-
-    Provides real-time visual feedback during workflow execution:
-    - Progress bar showing stage completion (1/3, 2/3, etc.)
-    - Spinner during active LLM API calls
-    - Real-time cost and token display
-    - In-place updates (no terminal scrolling)
-
-    Requires Rich library. Falls back gracefully if unavailable.
-    """
-
-    def __init__(self, workflow_name: str, stage_names: list[str]) -> None:
-        """Initialize the Rich progress reporter.
-
-        Args:
-            workflow_name: Name of the workflow for display
-            stage_names: List of stage names for progress tracking
-        """
-        if not RICH_AVAILABLE:
-            raise RuntimeError("Rich library required for RichProgressReporter")
-
-        self.workflow_name = workflow_name
-        self.stage_names = stage_names
-        self.console = Console()
-        self._live: Live | None = None
-        self._progress: Progress | None = None
-        self._task_id: TaskID | None = None
-        self._current_stage = ""
-        self._cost = 0.0
-        self._tokens = 0
-        self._status = ProgressStatus.PENDING
-
-    def start(self) -> None:
-        """Start the live progress display."""
-        if not RICH_AVAILABLE or Progress is None or Live is None:
-            return
-
-        self._progress = Progress(
-            SpinnerColumn(),
-            TextColumn("[bold blue]{task.description}"),
-            BarColumn(bar_width=30),
-            TextColumn("[progress.percentage]{task.percentage:>3.0f}%"),
-            TextColumn("({task.completed}/{task.total})"),
-            console=self.console,
-            transient=False,
-        )
-
-        self._task_id = self._progress.add_task(
-            self.workflow_name,
-            total=len(self.stage_names),
-        )
-
-        self._live = Live(
-            self._create_display(),
-            console=self.console,
-            refresh_per_second=4,
-            transient=False,
-        )
-        self._live.start()
-
-    def stop(self) -> None:
-        """Stop the live progress display."""
-        if self._live:
-            self._live.stop()
-            self._live = None
-
-    def report(self, update: ProgressUpdate) -> None:
-        """Handle a progress update.
-
-        Args:
-            update: Progress update from the tracker
-        """
-        self._current_stage = update.current_stage
-        self._cost = update.cost_so_far
-        self._tokens = update.tokens_so_far
-        self._status = update.status
-
-        # Update progress bar
-        if self._progress is not None and self._task_id is not None:
-            completed = sum(
-                1 for s in update.stages if s.status == ProgressStatus.COMPLETED
-            )
-            self._progress.update(
-                self._task_id,
-                completed=completed,
-                description=f"{self.workflow_name}: {update.current_stage}",
-            )
-
-        # Refresh display
-        if self._live:
-            self._live.update(self._create_display())
-
-    async def report_async(self, update: ProgressUpdate) -> None:
-        """Async version of report."""
-        self.report(update)
-
-    def _create_display(self) -> Panel:
-        """Create the Rich display panel.
-
-        Returns:
-            Rich Panel containing progress information
-        """
-        if not RICH_AVAILABLE or Panel is None or Table is None:
-            raise RuntimeError("Rich not available")
-
-        # Build metrics table
-        metrics = Table(show_header=False, box=None, padding=(0, 2))
-        metrics.add_column("Label", style="dim")
-        metrics.add_column("Value", style="bold")
-
-        metrics.add_row("Cost:", f"${self._cost:.4f}")
-        metrics.add_row("Tokens:", f"{self._tokens:,}")
-        metrics.add_row("Stage:", self._current_stage or "Starting...")
-
-        # Status indicator
-        status_style = {
-            ProgressStatus.PENDING: "dim",
-            ProgressStatus.RUNNING: "blue",
-            ProgressStatus.COMPLETED: "green",
-            ProgressStatus.FAILED: "red",
-            ProgressStatus.FALLBACK: "yellow",
-            ProgressStatus.RETRYING: "yellow",
-        }.get(self._status, "white")
-
-        status_text = Text(self._status.value.upper(), style=status_style)
-
-        # Combine into panel
-        if self._progress is not None:
-            content = Group(self._progress, metrics)
-        else:
-            content = metrics
-
-        return Panel(
-            content,
-            title=f"[bold]{self.workflow_name}[/bold]",
-            subtitle=status_text,
-            border_style=status_style,
-        )
-
-    def __enter__(self) -> RichProgressReporter:
-        """Context manager entry."""
-        self.start()
-        return self
-
-    def __exit__(self, exc_type, exc_val, exc_tb) -> None:
-        """Context manager exit."""
-        self.stop()
-
-
-@contextmanager
-def live_progress(
-    workflow_name: str,
-    stage_names: list[str],
-    console: Console | None = None,
-) -> Generator[tuple[ProgressTracker, RichProgressReporter | None], None, None]:
-    """Context manager for live progress display during workflow execution.
-
-    Provides a ProgressTracker with optional Rich-based live display.
-    Falls back gracefully when Rich is unavailable or output is not a TTY.
-
-    Args:
-        workflow_name: Name of the workflow
-        stage_names: List of stage names in order
-        console: Optional Rich Console (creates new one if not provided)
-
-    Yields:
-        Tuple of (ProgressTracker, RichProgressReporter or None)
-
-    Example:
-        with live_progress("Code Review", ["analyze", "review", "summarize"]) as (tracker, _):
-            tracker.start_workflow()
-            for stage in stages:
-                tracker.start_stage(stage)
-                # ... do work ...
-                tracker.complete_stage(stage, cost=0.01, tokens_in=100, tokens_out=50)
-            tracker.complete_workflow()
-    """
-    tracker = ProgressTracker(
-        workflow_name=workflow_name,
-        workflow_id=uuid.uuid4().hex[:12],
-        stage_names=stage_names,
-    )
-
-    reporter: RichProgressReporter | None = None
-
-    # Use Rich if available and output is a TTY
-    if RICH_AVAILABLE and sys.stdout.isatty():
-        try:
-            reporter = RichProgressReporter(workflow_name, stage_names)
-            tracker.add_callback(reporter.report)
-            reporter.start()
-        except Exception:  # noqa: BLE001
-            # INTENTIONAL: Rich display is optional - fall back to console output
-            reporter = None
-            simple_reporter = ConsoleProgressReporter(verbose=False)
-            tracker.add_callback(simple_reporter.report)
-    else:
-        # No Rich or not a TTY - use simple console reporter
-        simple_reporter = ConsoleProgressReporter(verbose=False)
-        tracker.add_callback(simple_reporter.report)
-
-    try:
-        yield tracker, reporter
-    finally:
-        if reporter:
-            reporter.stop()

empathy_os/workflows/routing.py

@@ -136,12 +136,7 @@ class BalancedRouting(TierRoutingStrategy):
 
         Args:
             total_budget: Total budget in USD for this workflow execution
-
-        Raises:
-            ValueError: If total_budget is not positive
         """
-        if total_budget <= 0:
-            raise ValueError("total_budget must be positive")
         self.total_budget = total_budget
 
     def route(self, context: RoutingContext) -> ModelTier:

empathy_os/workflows/security_audit.py

@@ -342,29 +342,11 @@ class SecurityAuditWorkflow(BaseWorkflow):
                                     if self._is_detection_code(line_content, match.group()):
                                         continue
 
-                                    # Phase 2: Skip safe SQL parameterization patterns
-                                    if vuln_type == "sql_injection":
-                                        if self._is_safe_sql_parameterization(
-                                            line_content,
-                                            match.group(),
-                                            content,
-                                        ):
-                                            continue
-
                                     # Skip fake/test credentials
                                     if vuln_type == "hardcoded_secret":
                                         if self._is_fake_credential(match.group()):
                                             continue
 
-                                    # Phase 2: Skip safe random usage (tests, demos, documented)
-                                    if vuln_type == "insecure_random":
-                                        if self._is_safe_random_usage(
-                                            line_content,
-                                            file_name,
-                                            content,
-                                        ):
-                                            continue
-
                                     # Skip command_injection in documentation strings
                                     if vuln_type == "command_injection":
                                         if self._is_documentation_or_string(
@@ -398,29 +380,6 @@ class SecurityAuditWorkflow(BaseWorkflow):
                     except OSError:
                         continue
 
-        # Phase 3: Apply AST-based filtering for command injection
-        try:
-            from .security_audit_phase3 import apply_phase3_filtering
-
-            # Separate command injection findings
-            cmd_findings = [f for f in findings if f["type"] == "command_injection"]
-            other_findings = [f for f in findings if f["type"] != "command_injection"]
-
-            # Apply Phase 3 filtering to command injection
-            filtered_cmd = apply_phase3_filtering(cmd_findings)
-
-            # Combine back
-            findings = other_findings + filtered_cmd
-
-            logger.info(
-                f"Phase 3: Filtered command_injection from {len(cmd_findings)} to {len(filtered_cmd)} "
-                f"({len(cmd_findings) - len(filtered_cmd)} false positives removed)"
-            )
-        except ImportError:
-            logger.debug("Phase 3 module not available, skipping AST-based filtering")
-        except Exception as e:
-            logger.warning(f"Phase 3 filtering failed: {e}")
-
         input_tokens = len(str(input_data)) // 4
         output_tokens = len(str(findings)) // 4
 
@@ -582,154 +541,6 @@ class SecurityAuditWorkflow(BaseWorkflow):
 
         return False
 
-    def _is_safe_sql_parameterization(self, line_content: str, match_text: str, file_content: str) -> bool:
-        """Check if SQL query uses safe parameterization despite f-string usage.
-
-        Phase 2 Enhancement: Detects safe patterns like:
-        - placeholders = ",".join("?" * len(ids))
-        - cursor.execute(f"... IN ({placeholders})", ids)
-
-        This prevents false positives for the SQLite-recommended pattern
-        of building dynamic placeholder strings.
-
-        Args:
-            line_content: The line containing the match (may be incomplete for multi-line)
-            match_text: The matched text
-            file_content: Full file content for context analysis
-
-        Returns:
-            True if this is safe parameterized SQL, False otherwise
-        """
-        # Get the position of the match in the full file content
-        match_pos = file_content.find(match_text)
-        if match_pos == -1:
-            # Try to find cursor.execute
-            match_pos = file_content.find("cursor.execute")
-            if match_pos == -1:
-                return False
-
-        # Extract a larger context (next 200 chars after match)
-        context = file_content[match_pos:match_pos + 200]
-
-        # Also get lines before the match for placeholder detection
-        lines_before = file_content[:match_pos].split("\n")
-        recent_lines = lines_before[-10:] if len(lines_before) > 10 else lines_before
-
-        # Pattern 1: Check if this is a placeholder-based parameterized query
-        # Look for: cursor.execute(f"... IN ({placeholders})", params)
-        if "placeholders" in context or any("placeholders" in line for line in recent_lines[-5:]):
-            # Check if context has both f-string and separate parameters
-            # Pattern: f"...{placeholders}..." followed by comma and params
-            if re.search(r'f["\'][^"\']*\{placeholders\}[^"\']*["\']\s*,\s*\w+', context):
-                return True  # Safe - has separate parameters
-
-            # Also check if recent lines built the placeholders
-            for prev_line in reversed(recent_lines):
-                if "placeholders" in prev_line and '"?"' in prev_line and "join" in prev_line:
-                    # Found placeholder construction
-                    # Now check if the execute has separate parameters
-                    if "," in context and any(param in context for param in ["run_ids", "ids", "params", "values", ")"]):
-                        return True
-
-        # Pattern 2: Check if f-string only builds SQL structure with constants
-        # Example: f"SELECT * FROM {TABLE_NAME}" where TABLE_NAME is a constant
-        f_string_vars = re.findall(r'\{(\w+)\}', context)
-        if f_string_vars:
-            # Check if all variables are constants (UPPERCASE or table/column names)
-            all_constants = all(
-                var.isupper() or "TABLE" in var.upper() or "COLUMN" in var.upper()
-                for var in f_string_vars
-            )
-            if all_constants:
-                return True  # Safe - using constants, not user data
-
-        # Pattern 3: Check for security note comments nearby
-        # If developers added security notes, it's likely safe
-        for prev_line in reversed(recent_lines[-3:]):
-            if "security note" in prev_line.lower() and "safe" in prev_line.lower():
-                return True
-
-        return False
-
-    def _is_safe_random_usage(self, line_content: str, file_path: str, file_content: str) -> bool:
-        """Check if random usage is in a safe context (tests, simulations, non-crypto).
-
-        Phase 2 Enhancement: Reduces false positives for random module usage
-        in test fixtures, A/B testing simulations, and demo code.
-
-        Args:
-            line_content: The line containing the match
-            file_path: Path to the file being scanned
-            file_content: Full file content for context analysis
-
-        Returns:
-            True if random usage is safe/documented, False if potentially insecure
-        """
-        # Check if file is a test file
-        is_test = any(pattern in file_path.lower() for pattern in ["/test", "test_", "conftest"])
-
-        # Check for explicit security notes nearby
-        lines = file_content.split("\n")
-        line_index = None
-        for i, line in enumerate(lines):
-            if line_content.strip() in line:
-                line_index = i
-                break
-
-        if line_index is not None:
-            # Check 5 lines before and after for security notes
-            context_start = max(0, line_index - 5)
-            context_end = min(len(lines), line_index + 5)
-            context = "\n".join(lines[context_start:context_end]).lower()
-
-            # Look for clarifying comments
-            safe_indicators = [
-                "security note",
-                "not cryptographic",
-                "not for crypto",
-                "test data",
-                "demo data",
-                "simulation",
-                "reproducible",
-                "deterministic",
-                "fixed seed",
-                "not used for security",
-                "not used for secrets",
-                "not used for tokens",
-            ]
-
-            if any(indicator in context for indicator in safe_indicators):
-                return True  # Documented as safe
-
-        # Check for common safe random patterns
-        line_lower = line_content.lower()
-
-        # Pattern 1: Fixed seed (reproducible tests)
-        if "random.seed(" in line_lower:
-            return True  # Fixed seed is for reproducibility, not security
-
-        # Pattern 2: A/B testing, simulations, demos
-        safe_contexts = [
-            "simulation",
-            "demo",
-            "a/b test",
-            "ab_test",
-            "fixture",
-            "mock",
-            "example",
-            "sample",
-        ]
-        if any(context in file_path.lower() for context in safe_contexts):
-            return True
-
-        # If it's a test file without crypto indicators, it's probably safe
-        if is_test:
-            crypto_indicators = ["password", "secret", "token", "key", "crypto", "auth"]
-            if not any(indicator in file_path.lower() for indicator in crypto_indicators):
-                return True
-
-        return False
-
     async def _assess(self, input_data: dict, tier: ModelTier) -> tuple[dict, int, int]:
         """Risk scoring and severity classification.
 

empathy_os/workflows/security_audit_phase3.py

@@ -222,11 +222,31 @@ def enhanced_command_injection_detection(
     if is_scanner_implementation_file(file_path):
         return []  # Scanner files are allowed to mention eval/exec
 
-    # Step 2: For Python files, use AST-based detection
+    # Step 2: For Python files, use AST-based detection for eval/exec only
+    # Keep subprocess findings from regex detection
     if file_path.endswith(".py"):
         try:
+            # Separate eval/exec findings from subprocess/os.system findings
+            # Eval/exec findings will be replaced with AST-based findings
+            # Subprocess/os.system findings will be kept from regex detection
+            eval_exec_findings = []
+            subprocess_findings = []
+
+            for finding in original_findings:
+                match_text = finding.get("match", "").lower()
+                if "eval" in match_text or "exec" in match_text:
+                    eval_exec_findings.append(finding)
+                else:
+                    # subprocess, os.system, or other command injection patterns
+                    subprocess_findings.append(finding)
+
+            # Use AST to validate eval/exec findings (reduces false positives)
             ast_findings = analyze_file_for_eval_exec(file_path)
 
+            # Check if this is a test file (downgrade severity)
+            from .security_audit import TEST_FILE_PATTERNS
+            is_test_file = any(re.search(pat, file_path) for pat in TEST_FILE_PATTERNS)
+
             # Convert AST findings to format compatible with original
             filtered = []
             for finding in ast_findings:
@@ -235,11 +255,15 @@ def enhanced_command_injection_detection(
                     "file": file_path,
                     "line": finding["line"],
                     "match": f"{finding['function']}(",
-                    "severity": "critical",
+                    "severity": "low" if is_test_file else "critical",
                     "owasp": "A03:2021 Injection",
                     "context": finding.get("context", ""),
+                    "is_test": is_test_file,
                 })
 
+            # Keep subprocess/os.system findings (not filtered by AST)
+            filtered.extend(subprocess_findings)
+
             return filtered
 
         except Exception as e: