empathy-framework 5.3.0__py3-none-any.whl → 5.4.0__py3-none-any.whl

empathy_os/workflows/security_audit.py

@@ -1,1329 +0,0 @@
-"""Security Audit Workflow
-
-OWASP-focused security scan with intelligent vulnerability assessment.
-Integrates with team security decisions to filter known false positives.
-
-Stages:
-1. triage (CHEAP) - Quick scan for common vulnerability patterns
-2. analyze (CAPABLE) - Deep analysis of flagged areas
-3. assess (CAPABLE) - Risk scoring and severity classification
-4. remediate (PREMIUM) - Generate remediation plan (conditional)
-
-Copyright 2025 Smart-AI-Memory
-Licensed under Fair Source License 0.9
-"""
-
-import json
-import logging
-import re
-from pathlib import Path
-from typing import Any
-
-from .base import BaseWorkflow, ModelTier
-from .step_config import WorkflowStepConfig
-
-logger = logging.getLogger(__name__)
-
-# Define step configurations for executor-based execution
-SECURITY_STEPS = {
-    "remediate": WorkflowStepConfig(
-        name="remediate",
-        task_type="final_review",  # Premium tier task
-        tier_hint="premium",
-        description="Generate remediation plan for security vulnerabilities",
-        max_tokens=3000,
-    ),
-}
-
-# Directories to skip during scanning (build artifacts, third-party code)
-SKIP_DIRECTORIES = {
-    ".git",
-    "node_modules",
-    "__pycache__",
-    "venv",
-    ".venv",
-    "env",
-    ".next",  # Next.js build output
-    "dist",
-    "build",
-    ".tox",
-    "site",  # MkDocs output
-    "ebook-site",
-    "website",  # Website build artifacts
-    "anthropic-cookbook",  # Third-party examples
-    ".eggs",
-    "*.egg-info",
-    "htmlcov",  # Coverage report artifacts
-    "htmlcov_logging",  # Coverage report artifacts
-    ".coverage",  # Coverage data
-    "vscode-extension",  # VSCode extension code (separate security review)
-    "vscode-memory-panel",  # VSCode panel code
-    "workflow-dashboard",  # Dashboard build
-}
-
-# Patterns that indicate a line is DETECTION code, not vulnerable code
-# These help avoid false positives when scanning security tools
-DETECTION_PATTERNS = [
-    r'["\']eval\s*\(["\']',  # String literal like "eval(" (detection, not execution)
-    r'["\']exec\s*\(["\']',  # String literal like "exec(" (detection, not execution)
-    r"in\s+content",  # Pattern detection like "eval(" in content
-    r"re\.compile",  # Regex compilation for detection
-    r"\.finditer\(",  # Regex matching for detection
-    r"\.search\(",  # Regex searching for detection
-]
-
-# Known fake/test credential patterns to ignore
-FAKE_CREDENTIAL_PATTERNS = [
-    r"EXAMPLE",  # AWS example keys
-    r"FAKE",
-    r"TEST",
-    r"your-.*-here",
-    r'"your-key"',  # Placeholder key
-    r"abc123xyz",
-    r"\.\.\.",  # Placeholder with ellipsis
-    r"test-key",
-    r"mock",
-    r'"hardcoded_secret"',  # Literal example text
-    r'"secret"$',  # Generic "secret" as value
-    r'"secret123"',  # Test password
-    r'"password"$',  # Generic password as value
-    r"_PATTERN",  # Pattern constants
-    r"_EXAMPLE",  # Example constants
-]
-
-# Files/paths that contain security examples/tests (not vulnerabilities)
-SECURITY_EXAMPLE_PATHS = [
-    "owasp_patterns.py",
-    "vulnerability_scanner.py",
-    "test_security",
-    "test_secrets",
-    "test_owasp",
-    "secrets_detector.py",  # Security tool with pattern definitions
-    "pii_scrubber.py",  # Privacy tool
-    "secure_memdocs",  # Secure storage module
-    "/security/",  # Security modules
-    "/benchmarks/",  # Benchmark files with test fixtures
-    "benchmark_",  # Benchmark files (e.g., benchmark_caching.py)
-    "phase_2_setup.py",  # Setup file with educational patterns
-]
-
-# Patterns indicating test fixture data (code written to temp files for testing)
-TEST_FIXTURE_PATTERNS = [
-    r"SECURITY_TEST_FILES\s*=",  # Dict of test fixture code
-    r"write_text\s*\(",  # Writing test data to temp files
-    r"# UNSAFE - DO NOT USE",  # Educational comments showing bad patterns
-    r"# SAFE -",  # Educational comments showing good patterns
-    r"# INJECTION RISK",  # Educational markers
-    r"pragma:\s*allowlist\s*secret",  # Explicit allowlist marker
-]
-
-# Test file patterns - findings here are informational, not critical
-TEST_FILE_PATTERNS = [
-    r"/tests/",
-    r"/test_",
-    r"_test\.py$",
-    r"_demo\.py$",
-    r"_example\.py$",
-    r"/examples/",
-    r"/demo",
-    r"coach/vscode-extension",  # Example VSCode extension
-]
-
-# Common security vulnerability patterns (OWASP Top 10 inspired)
-SECURITY_PATTERNS = {
-    "sql_injection": {
-        "patterns": [
-            r'execute\s*\(\s*["\'].*%s',
-            r'cursor\.execute\s*\(\s*f["\']',
-            r"\.format\s*\(.*\).*execute",
-        ],
-        "severity": "critical",
-        "owasp": "A03:2021 Injection",
-    },
-    "xss": {
-        "patterns": [
-            r"innerHTML\s*=",
-            r"dangerouslySetInnerHTML",
-            r"document\.write\s*\(",
-        ],
-        "severity": "high",
-        "owasp": "A03:2021 Injection",
-    },
-    "hardcoded_secret": {
-        "patterns": [
-            r'password\s*=\s*["\'][^"\']+["\']',
-            r'api_key\s*=\s*["\'][^"\']+["\']',
-            r'secret\s*=\s*["\'][^"\']+["\']',
-            r'token\s*=\s*["\'][A-Za-z0-9]{20,}["\']',
-        ],
-        "severity": "critical",
-        "owasp": "A02:2021 Cryptographic Failures",
-    },
-    "insecure_random": {
-        "patterns": [
-            r"random\.\w+\s*\(",
-            r"Math\.random\s*\(",
-        ],
-        "severity": "medium",
-        "owasp": "A02:2021 Cryptographic Failures",
-    },
-    "path_traversal": {
-        "patterns": [
-            r"open\s*\([^)]*\+[^)]*\)",
-            r"readFile\s*\([^)]*\+[^)]*\)",
-        ],
-        "severity": "high",
-        "owasp": "A01:2021 Broken Access Control",
-    },
-    "command_injection": {
-        "patterns": [
-            r"subprocess\.\w+\s*\([^)]*shell\s*=\s*True",
-            r"os\.system\s*\(",
-            r"eval\s*\(",
-            r"exec\s*\(",
-        ],
-        "severity": "critical",
-        "owasp": "A03:2021 Injection",
-    },
-}
-
-
-class SecurityAuditWorkflow(BaseWorkflow):
-    """OWASP-focused security audit with team decision integration.
-
-    Scans code for security vulnerabilities while respecting
-    team decisions about false positives and accepted risks.
-    """
-
-    name = "security-audit"
-    description = "OWASP-focused security scan with vulnerability assessment"
-    stages = ["triage", "analyze", "assess", "remediate"]
-    tier_map = {
-        "triage": ModelTier.CHEAP,
-        "analyze": ModelTier.CAPABLE,
-        "assess": ModelTier.CAPABLE,
-        "remediate": ModelTier.PREMIUM,
-    }
-
-    def __init__(
-        self,
-        patterns_dir: str = "./patterns",
-        skip_remediate_if_clean: bool = True,
-        use_crew_for_assessment: bool = True,
-        use_crew_for_remediation: bool = False,
-        crew_config: dict | None = None,
-        enable_auth_strategy: bool = True,
-        **kwargs: Any,
-    ):
-        """Initialize security audit workflow.
-
-        Args:
-            patterns_dir: Directory containing security decisions
-            skip_remediate_if_clean: Skip remediation if no high/critical findings
-            use_crew_for_assessment: Use SecurityAuditCrew for vulnerability assessment (default: True)
-            use_crew_for_remediation: Use SecurityAuditCrew for enhanced remediation (default: True)
-            crew_config: Configuration dict for SecurityAuditCrew
-            enable_auth_strategy: If True, use intelligent subscription vs API routing
-                based on codebase size (default: True)
-            **kwargs: Additional arguments passed to BaseWorkflow
-
-        """
-        super().__init__(**kwargs)
-        self.patterns_dir = patterns_dir
-        self.skip_remediate_if_clean = skip_remediate_if_clean
-        self.use_crew_for_assessment = use_crew_for_assessment
-        self.use_crew_for_remediation = use_crew_for_remediation
-        self.crew_config = crew_config or {}
-        self.enable_auth_strategy = enable_auth_strategy
-        self._has_critical: bool = False
-        self._team_decisions: dict[str, dict] = {}
-        self._crew: Any = None
-        self._crew_available = False
-        self._auth_mode_used: str | None = None  # Track which auth was recommended
-        self._load_team_decisions()
-
-    def _load_team_decisions(self) -> None:
-        """Load team security decisions for false positive filtering."""
-        decisions_file = Path(self.patterns_dir) / "security" / "team_decisions.json"
-        if decisions_file.exists():
-            try:
-                with open(decisions_file) as f:
-                    data = json.load(f)
-                    for decision in data.get("decisions", []):
-                        key = decision.get("finding_hash", "")
-                        self._team_decisions[key] = decision
-            except (json.JSONDecodeError, OSError):
-                pass
-
-    async def _initialize_crew(self) -> None:
-        """Initialize the SecurityAuditCrew."""
-        if self._crew is not None:
-            return
-
-        try:
-            from empathy_llm_toolkit.agent_factory.crews.security_audit import SecurityAuditCrew
-
-            self._crew = SecurityAuditCrew()
-            self._crew_available = True
-            logger.info("SecurityAuditCrew initialized successfully")
-        except ImportError as e:
-            logger.warning(f"SecurityAuditCrew not available: {e}")
-            self._crew_available = False
-
-    def should_skip_stage(self, stage_name: str, input_data: Any) -> tuple[bool, str | None]:
-        """Skip remediation stage if no critical/high findings.
-
-        Args:
-            stage_name: Name of the stage to check
-            input_data: Current workflow data
-
-        Returns:
-            Tuple of (should_skip, reason)
-
-        """
-        if stage_name == "remediate" and self.skip_remediate_if_clean:
-            if not self._has_critical:
-                return True, "No high/critical findings requiring remediation"
-        return False, None
-
-    async def run_stage(
-        self,
-        stage_name: str,
-        tier: ModelTier,
-        input_data: Any,
-    ) -> tuple[Any, int, int]:
-        """Route to specific stage implementation."""
-        if stage_name == "triage":
-            return await self._triage(input_data, tier)
-        if stage_name == "analyze":
-            return await self._analyze(input_data, tier)
-        if stage_name == "assess":
-            return await self._assess(input_data, tier)
-        if stage_name == "remediate":
-            return await self._remediate(input_data, tier)
-        raise ValueError(f"Unknown stage: {stage_name}")
-
-    async def _triage(self, input_data: dict, tier: ModelTier) -> tuple[dict, int, int]:
-        """Quick scan for common vulnerability patterns.
-
-        Uses regex patterns to identify potential security issues
-        across the codebase for further analysis.
-        """
-        target_path = input_data.get("path", ".")
-        file_types = input_data.get("file_types", [".py", ".ts", ".tsx", ".js", ".jsx"])
-
-        findings: list[dict] = []
-        files_scanned = 0
-
-        target = Path(target_path)
-        if target.exists():
-            # Handle both file and directory targets
-            files_to_scan: list[Path] = []
-            if target.is_file():
-                # Single file - check if it matches file_types
-                if any(str(target).endswith(ext) for ext in file_types):
-                    files_to_scan = [target]
-            else:
-                # Directory - recursively find all matching files
-                for ext in file_types:
-                    for file_path in target.rglob(f"*{ext}"):
-                        # Skip excluded directories
-                        if any(skip in str(file_path) for skip in SKIP_DIRECTORIES):
-                            continue
-                        files_to_scan.append(file_path)
-
-            for file_path in files_to_scan:
-                try:
-                    content = file_path.read_text(errors="ignore")
-                    lines = content.split("\n")
-                    files_scanned += 1
-
-                    for vuln_type, vuln_info in SECURITY_PATTERNS.items():
-                        for pattern in vuln_info["patterns"]:
-                            matches = list(re.finditer(pattern, content, re.IGNORECASE))
-                            for match in matches:
-                                # Find line number and get the line content
-                                line_num = content[: match.start()].count("\n") + 1
-                                line_content = (
-                                    lines[line_num - 1] if line_num <= len(lines) else ""
-                                )
-
-                                # Skip if file is a security example/test file
-                                file_name = str(file_path)
-                                if any(exp in file_name for exp in SECURITY_EXAMPLE_PATHS):
-                                    continue
-
-                                # Skip if this looks like detection/scanning code
-                                if self._is_detection_code(line_content, match.group()):
-                                    continue
-
-                                # Phase 2: Skip safe SQL parameterization patterns
-                                if vuln_type == "sql_injection":
-                                    if self._is_safe_sql_parameterization(
-                                        line_content,
-                                        match.group(),
-                                        content,
-                                    ):
-                                        continue
-
-                                # Skip fake/test credentials
-                                if vuln_type == "hardcoded_secret":
-                                    if self._is_fake_credential(match.group()):
-                                        continue
-
-                                # Phase 2: Skip safe random usage (tests, demos, documented)
-                                if vuln_type == "insecure_random":
-                                    if self._is_safe_random_usage(
-                                        line_content,
-                                        file_name,
-                                        content,
-                                    ):
-                                        continue
-
-                                # Skip command_injection in documentation strings
-                                if vuln_type == "command_injection":
-                                    if self._is_documentation_or_string(
-                                        line_content,
-                                        match.group(),
-                                    ):
-                                        continue
-
-                                # Check if this is a test file - downgrade to informational
-                                is_test_file = any(
-                                    re.search(pat, file_name) for pat in TEST_FILE_PATTERNS
-                                )
-
-                                # Skip test file findings for hardcoded_secret (expected in tests)
-                                if is_test_file and vuln_type == "hardcoded_secret":
-                                    continue
-
-                                findings.append(
-                                    {
-                                        "type": vuln_type,
-                                        "file": str(file_path),
-                                        "line": line_num,
-                                        "match": match.group()[:100],
-                                        "severity": (
-                                            "low" if is_test_file else vuln_info["severity"]
-                                        ),
-                                        "owasp": vuln_info["owasp"],
-                                        "is_test": is_test_file,
-                                    },
-                                )
-                except OSError:
-                    continue
-
-        # Phase 3: Apply AST-based filtering for command injection
-        try:
-            from .security_audit_phase3 import apply_phase3_filtering
-
-            # Separate command injection findings
-            cmd_findings = [f for f in findings if f["type"] == "command_injection"]
-            other_findings = [f for f in findings if f["type"] != "command_injection"]
-
-            # Apply Phase 3 filtering to command injection
-            filtered_cmd = apply_phase3_filtering(cmd_findings)
-
-            # Combine back
-            findings = other_findings + filtered_cmd
-
-            logger.info(
-                f"Phase 3: Filtered command_injection from {len(cmd_findings)} to {len(filtered_cmd)} "
-                f"({len(cmd_findings) - len(filtered_cmd)} false positives removed)"
-            )
-        except ImportError:
-            logger.debug("Phase 3 module not available, skipping AST-based filtering")
-        except Exception as e:
-            logger.warning(f"Phase 3 filtering failed: {e}")
-
-        # === AUTH STRATEGY INTEGRATION ===
-        # Detect codebase size and recommend auth mode (first stage only)
-        if self.enable_auth_strategy:
-            try:
-                from empathy_os.models import (
-                    count_lines_of_code,
-                    get_auth_strategy,
-                    get_module_size_category,
-                )
-
-                # Calculate codebase size
-                codebase_lines = 0
-                if target.exists():
-                    if target.is_file():
-                        codebase_lines = count_lines_of_code(target)
-                    elif target.is_dir():
-                        # Sum lines across all Python files
-                        for py_file in target.rglob("*.py"):
-                            try:
-                                codebase_lines += count_lines_of_code(py_file)
-                            except Exception:
-                                pass
-
-                if codebase_lines > 0:
-                    # Get auth strategy (first-time setup if needed)
-                    strategy = get_auth_strategy()
-
-                    # Get recommended auth mode
-                    recommended_mode = strategy.get_recommended_mode(codebase_lines)
-                    self._auth_mode_used = recommended_mode.value
-
-                    # Get size category
-                    size_category = get_module_size_category(codebase_lines)
-
-                    # Log recommendation
-                    logger.info(
-                        f"Codebase: {target} ({codebase_lines} LOC, {size_category})"
-                    )
-                    logger.info(f"Recommended auth mode: {recommended_mode.value}")
-
-                    # Get cost estimate
-                    cost_estimate = strategy.estimate_cost(codebase_lines, recommended_mode)
-
-                    if recommended_mode.value == "subscription":
-                        logger.info(
-                            f"Cost: {cost_estimate['quota_cost']} "
-                            f"(fits in {cost_estimate['fits_in_context']} context)"
-                        )
-                    else:  # API
-                        logger.info(
-                            f"Cost: ~${cost_estimate['monetary_cost']:.4f} "
-                            f"(1M context window)"
-                        )
-
-            except Exception as e:
-                # Don't fail workflow if auth strategy fails
-                logger.warning(f"Auth strategy detection failed: {e}")
-
-        input_tokens = len(str(input_data)) // 4
-        output_tokens = len(str(findings)) // 4
-
-        return (
-            {
-                "findings": findings,
-                "files_scanned": files_scanned,
-                "finding_count": len(findings),
-                **input_data,
-            },
-            input_tokens,
-            output_tokens,
-        )
-
-    async def _analyze(self, input_data: dict, tier: ModelTier) -> tuple[dict, int, int]:
-        """Deep analysis of flagged areas.
-
-        Filters findings against team decisions and performs
-        deeper analysis of genuine security concerns.
-        """
-        findings = input_data.get("findings", [])
-        analyzed: list[dict] = []
-
-        for finding in findings:
-            finding_key = finding.get("type", "")
-
-            # Check team decisions
-            decision = self._team_decisions.get(finding_key)
-            if decision:
-                if decision.get("decision") == "false_positive":
-                    finding["status"] = "false_positive"
-                    finding["decision_reason"] = decision.get("reason", "")
-                    finding["decided_by"] = decision.get("decided_by", "")
-                elif decision.get("decision") == "accepted":
-                    finding["status"] = "accepted_risk"
-                    finding["decision_reason"] = decision.get("reason", "")
-                elif decision.get("decision") == "deferred":
-                    finding["status"] = "deferred"
-                    finding["decision_reason"] = decision.get("reason", "")
-                else:
-                    finding["status"] = "needs_review"
-            else:
-                finding["status"] = "needs_review"
-
-            # Add context analysis
-            if finding["status"] == "needs_review":
-                finding["analysis"] = self._analyze_finding(finding)
-
-            analyzed.append(finding)
-
-        # Separate by status
-        needs_review = [f for f in analyzed if f["status"] == "needs_review"]
-        false_positives = [f for f in analyzed if f["status"] == "false_positive"]
-        accepted = [f for f in analyzed if f["status"] == "accepted_risk"]
-
-        input_tokens = len(str(input_data)) // 4
-        output_tokens = len(str(analyzed)) // 4
-
-        return (
-            {
-                "analyzed_findings": analyzed,
-                "needs_review": needs_review,
-                "false_positives": false_positives,
-                "accepted_risks": accepted,
-                "review_count": len(needs_review),
-                **input_data,
-            },
-            input_tokens,
-            output_tokens,
-        )
-
-    def _analyze_finding(self, finding: dict) -> str:
-        """Generate analysis context for a finding."""
-        vuln_type = finding.get("type", "")
-        analyses = {
-            "sql_injection": "Potential SQL injection. Verify parameterized input.",
-            "xss": "Potential XSS vulnerability. Check output escaping.",
-            "hardcoded_secret": "Hardcoded credential. Use env vars or secrets manager.",
-            "insecure_random": "Insecure random. Use secrets module instead.",
-            "path_traversal": "Potential path traversal. Validate file paths.",
-            "command_injection": "Potential command injection. Avoid shell=True.",
-        }
-        return analyses.get(vuln_type, "Review for security implications.")
-
-    def _is_detection_code(self, line_content: str, match_text: str) -> bool:
-        """Check if a match is actually detection/scanning code, not a vulnerability.
-
-        This prevents false positives when scanning security tools that contain
-        patterns like 'if "eval(" in content:' which are detecting vulnerabilities,
-        not introducing them.
-        """
-        # Check if the line contains detection patterns
-        for pattern in DETECTION_PATTERNS:
-            if re.search(pattern, line_content, re.IGNORECASE):
-                return True
-
-        # Check if the match is inside a string literal used for comparison
-        # e.g., 'if "eval(" in content:' or 'pattern = r"eval\("'
-        if f'"{match_text.strip()}"' in line_content or f"'{match_text.strip()}'" in line_content:
-            return True
-
-        return False
-
-    def _is_fake_credential(self, match_text: str) -> bool:
-        """Check if a matched credential is obviously fake/for testing.
-
-        This prevents false positives for test fixtures using patterns like
-        'AKIAIOSFODNN7EXAMPLE' (AWS official example) or 'test-key-not-real'.
-        """
-        for pattern in FAKE_CREDENTIAL_PATTERNS:
-            if re.search(pattern, match_text, re.IGNORECASE):
-                return True
-        return False
-
-    def _is_documentation_or_string(self, line_content: str, match_text: str) -> bool:
-        """Check if a command injection match is in documentation or string literals.
-
-        This prevents false positives for:
-        - Docstrings describing security issues
-        - String literals containing example vulnerable code
-        - Comments explaining vulnerabilities
-        """
-        line = line_content.strip()
-
-        # Check if line is a comment or documentation
-        if line.startswith("#") or line.startswith("//") or line.startswith("*") or line.startswith("-"):
-            return True
-
-        # Check if inside a docstring (triple quotes)
-        if '"""' in line or "'''" in line:
-            return True
-
-        # Check if the match is inside a string literal being defined
-        # e.g., 'pattern = r"eval\("' or '"eval(" in content'
-        string_patterns = [
-            r'["\'].*' + re.escape(match_text.strip()[:10]) + r'.*["\']',  # Inside quotes
-            r'r["\'].*' + re.escape(match_text.strip()[:10]),  # Raw string
-            r'=\s*["\']',  # String assignment
-        ]
-        for pattern in string_patterns:
-            if re.search(pattern, line):
-                return True
-
-        # Check for common documentation patterns
-        doc_indicators = [
-            "example",
-            "vulnerable",
-            "insecure",
-            "dangerous",
-            "pattern",
-            "detect",
-            "scan",
-            "check for",
-            "look for",
-        ]
-        line_lower = line.lower()
-        if any(ind in line_lower for ind in doc_indicators):
-            return True
-
-        return False
-
-    def _is_safe_sql_parameterization(self, line_content: str, match_text: str, file_content: str) -> bool:
-        """Check if SQL query uses safe parameterization despite f-string usage.
-
-        Phase 2 Enhancement: Detects safe patterns like:
-        - placeholders = ",".join("?" * len(ids))
-        - cursor.execute(f"... IN ({placeholders})", ids)
-
-        This prevents false positives for the SQLite-recommended pattern
-        of building dynamic placeholder strings.
-
-        Args:
-            line_content: The line containing the match (may be incomplete for multi-line)
-            match_text: The matched text
-            file_content: Full file content for context analysis
-
-        Returns:
-            True if this is safe parameterized SQL, False otherwise
-        """
-        # Get the position of the match in the full file content
-        match_pos = file_content.find(match_text)
-        if match_pos == -1:
-            # Try to find cursor.execute
-            match_pos = file_content.find("cursor.execute")
-            if match_pos == -1:
-                return False
-
-        # Extract a larger context (next 200 chars after match)
-        context = file_content[match_pos:match_pos + 200]
-
-        # Also get lines before the match for placeholder detection
-        lines_before = file_content[:match_pos].split("\n")
-        recent_lines = lines_before[-10:] if len(lines_before) > 10 else lines_before
-
-        # Pattern 1: Check if this is a placeholder-based parameterized query
-        # Look for: cursor.execute(f"... IN ({placeholders})", params)
-        if "placeholders" in context or any("placeholders" in line for line in recent_lines[-5:]):
-            # Check if context has both f-string and separate parameters
-            # Pattern: f"...{placeholders}..." followed by comma and params
-            if re.search(r'f["\'][^"\']*\{placeholders\}[^"\']*["\']\s*,\s*\w+', context):
-                return True  # Safe - has separate parameters
-
-            # Also check if recent lines built the placeholders
-            for prev_line in reversed(recent_lines):
-                if "placeholders" in prev_line and '"?"' in prev_line and "join" in prev_line:
-                    # Found placeholder construction
-                    # Now check if the execute has separate parameters
-                    if "," in context and any(param in context for param in ["run_ids", "ids", "params", "values", ")"]):
-                        return True
-
-        # Pattern 2: Check if f-string only builds SQL structure with constants
-        # Example: f"SELECT * FROM {TABLE_NAME}" where TABLE_NAME is a constant
-        f_string_vars = re.findall(r'\{(\w+)\}', context)
-        if f_string_vars:
-            # Check if all variables are constants (UPPERCASE or table/column names)
-            all_constants = all(
-                var.isupper() or "TABLE" in var.upper() or "COLUMN" in var.upper()
-                for var in f_string_vars
-            )
-            if all_constants:
-                return True  # Safe - using constants, not user data
-
-        # Pattern 3: Check for security note comments nearby
-        # If developers added security notes, it's likely safe
-        for prev_line in reversed(recent_lines[-3:]):
-            if "security note" in prev_line.lower() and "safe" in prev_line.lower():
-                return True
-
-        return False
-
-    def _is_safe_random_usage(self, line_content: str, file_path: str, file_content: str) -> bool:
-        """Check if random usage is in a safe context (tests, simulations, non-crypto).
-
-        Phase 2 Enhancement: Reduces false positives for random module usage
-        in test fixtures, A/B testing simulations, and demo code.
-
-        Args:
-            line_content: The line containing the match
-            file_path: Path to the file being scanned
-            file_content: Full file content for context analysis
-
-        Returns:
-            True if random usage is safe/documented, False if potentially insecure
-        """
-        # Check if file is a test file
-        is_test = any(pattern in file_path.lower() for pattern in ["/test", "test_", "conftest"])
-
-        # Check for explicit security notes nearby
-        lines = file_content.split("\n")
-        line_index = None
-        for i, line in enumerate(lines):
-            if line_content.strip() in line:
-                line_index = i
-                break
-
-        if line_index is not None:
-            # Check 5 lines before and after for security notes
-            context_start = max(0, line_index - 5)
-            context_end = min(len(lines), line_index + 5)
-            context = "\n".join(lines[context_start:context_end]).lower()
-
-            # Look for clarifying comments
-            safe_indicators = [
-                "security note",
-                "not cryptographic",
-                "not for crypto",
-                "test data",
-                "demo data",
-                "simulation",
-                "reproducible",
-                "deterministic",
-                "fixed seed",
-                "not used for security",
-                "not used for secrets",
-                "not used for tokens",
-            ]
-
-            if any(indicator in context for indicator in safe_indicators):
-                return True  # Documented as safe
-
-        # Check for common safe random patterns
-        line_lower = line_content.lower()
-
-        # Pattern 1: Fixed seed (reproducible tests)
-        if "random.seed(" in line_lower:
-            return True  # Fixed seed is for reproducibility, not security
-
-        # Pattern 2: A/B testing, simulations, demos
-        safe_contexts = [
-            "simulation",
-            "demo",
-            "a/b test",
-            "ab_test",
-            "fixture",
-            "mock",
-            "example",
-            "sample",
-        ]
-        if any(context in file_path.lower() for context in safe_contexts):
-            return True
-
-        # If it's a test file without crypto indicators, it's probably safe
-        if is_test:
-            crypto_indicators = ["password", "secret", "token", "key", "crypto", "auth"]
-            if not any(indicator in file_path.lower() for indicator in crypto_indicators):
-                return True
-
-        return False
-
-    async def _assess(self, input_data: dict, tier: ModelTier) -> tuple[dict, int, int]:
-        """Risk scoring and severity classification.
-
-        Calculates overall security risk score and identifies
-        critical issues requiring immediate attention.
-
-        When use_crew_for_assessment=True, uses SecurityAuditCrew's
-        comprehensive analysis for enhanced vulnerability detection.
-        """
-        await self._initialize_crew()
-
-        needs_review = input_data.get("needs_review", [])
-
-        # Count by severity
-        severity_counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
-        for finding in needs_review:
-            sev = finding.get("severity", "low")
-            severity_counts[sev] = severity_counts.get(sev, 0) + 1
-
-        # Calculate risk score (0-100)
-        risk_score = (
-            severity_counts["critical"] * 25
-            + severity_counts["high"] * 10
-            + severity_counts["medium"] * 3
-            + severity_counts["low"] * 1
-        )
-        risk_score = min(100, risk_score)
-
-        # Set flag for skip logic
-        self._has_critical = severity_counts["critical"] > 0 or severity_counts["high"] > 0
-
-        # Group findings by OWASP category
-        by_owasp: dict[str, list] = {}
-        for finding in needs_review:
-            owasp = finding.get("owasp", "Unknown")
-            if owasp not in by_owasp:
-                by_owasp[owasp] = []
-            by_owasp[owasp].append(finding)
-
-        # Use crew for enhanced assessment if available
-        crew_enhanced = False
-        crew_findings = []
-        if self.use_crew_for_assessment and self._crew_available:
-            target = input_data.get("path", ".")
-            try:
-                crew_report = await self._crew.audit(target=target)
-                if crew_report and crew_report.findings:
-                    crew_enhanced = True
-                    # Convert crew findings to workflow format
-                    for finding in crew_report.findings:
-                        crew_findings.append(
-                            {
-                                "type": finding.category.value,
-                                "title": finding.title,
-                                "description": finding.description,
-                                "severity": finding.severity.value,
-                                "file": finding.file_path or "",
-                                "line": finding.line_number or 0,
-                                "owasp": finding.category.value,
-                                "remediation": finding.remediation or "",
-                                "cwe_id": finding.cwe_id or "",
-                                "cvss_score": finding.cvss_score or 0.0,
-                                "source": "crew",
-                            }
-                        )
-                    # Update severity counts with crew findings
-                    for finding in crew_findings:
-                        sev = finding.get("severity", "low")
-                        severity_counts[sev] = severity_counts.get(sev, 0) + 1
-                    # Recalculate risk score with crew findings
-                    risk_score = (
-                        severity_counts["critical"] * 25
-                        + severity_counts["high"] * 10
-                        + severity_counts["medium"] * 3
-                        + severity_counts["low"] * 1
-                    )
-                    risk_score = min(100, risk_score)
-            except Exception as e:
-                logger.warning(f"Crew assessment failed: {e}")
-
-        # Merge crew findings with pattern-based findings
-        all_critical = [f for f in needs_review if f.get("severity") == "critical"]
-        all_high = [f for f in needs_review if f.get("severity") == "high"]
-        if crew_enhanced:
-            all_critical.extend([f for f in crew_findings if f.get("severity") == "critical"])
-            all_high.extend([f for f in crew_findings if f.get("severity") == "high"])
-
-        assessment = {
-            "risk_score": risk_score,
-            "risk_level": (
-                "critical"
-                if risk_score >= 75
-                else "high" if risk_score >= 50 else "medium" if risk_score >= 25 else "low"
-            ),
-            "severity_breakdown": severity_counts,
-            "by_owasp_category": {k: len(v) for k, v in by_owasp.items()},
-            "critical_findings": all_critical,
-            "high_findings": all_high,
-            "crew_enhanced": crew_enhanced,
-            "crew_findings_count": len(crew_findings) if crew_enhanced else 0,
-        }
-
-        input_tokens = len(str(input_data)) // 4
-        output_tokens = len(str(assessment)) // 4
-
-        # Build output with assessment
-        output = {
-            "assessment": assessment,
-            **input_data,
-        }
-
-        # Add formatted report for human readability
-        output["formatted_report"] = format_security_report(output)
-
-        return (
-            output,
-            input_tokens,
-            output_tokens,
-        )
-
-    async def _remediate(self, input_data: dict, tier: ModelTier) -> tuple[dict, int, int]:
-        """Generate remediation plan for security issues.
-
-        Creates actionable remediation steps prioritized by
-        severity and grouped by OWASP category.
-
-        When use_crew_for_remediation=True, uses SecurityAuditCrew's
-        Remediation Expert agent for enhanced recommendations.
-
-        Supports XML-enhanced prompts when enabled in workflow config.
-        """
-        try:
-            from .security_adapters import _check_crew_available
-
-            adapters_available = True
-        except ImportError:
-            adapters_available = False
-            _check_crew_available = lambda: False
-
-        assessment = input_data.get("assessment", {})
-        critical = assessment.get("critical_findings", [])
-        high = assessment.get("high_findings", [])
-        target = input_data.get("target", input_data.get("path", ""))
-
-        crew_remediation = None
-        crew_enhanced = False
-
-        # Try crew-based remediation first if enabled
-        if self.use_crew_for_remediation and adapters_available and _check_crew_available():
-            crew_remediation = await self._get_crew_remediation(target, critical + high, assessment)
-            if crew_remediation:
-                crew_enhanced = True
-
-        # Build findings summary for LLM
-        findings_summary = []
-        for f in critical:
-            findings_summary.append(
-                f"CRITICAL: {f.get('type')} in {f.get('file')}:{f.get('line')} - {f.get('owasp')}",
-            )
-        for f in high:
-            findings_summary.append(
-                f"HIGH: {f.get('type')} in {f.get('file')}:{f.get('line')} - {f.get('owasp')}",
-            )
-
-        # Build input payload for prompt
-        input_payload = f"""Target: {target or "codebase"}
-
-Findings:
-{chr(10).join(findings_summary) if findings_summary else "No critical or high findings"}
-
-Risk Score: {assessment.get("risk_score", 0)}/100
-Risk Level: {assessment.get("risk_level", "unknown")}
-
-Severity Breakdown: {json.dumps(assessment.get("severity_breakdown", {}), indent=2)}"""
-
-        # Check if XML prompts are enabled
-        if self._is_xml_enabled():
-            # Use XML-enhanced prompt
-            user_message = self._render_xml_prompt(
-                role="application security engineer",
-                goal="Generate a comprehensive remediation plan for security vulnerabilities",
-                instructions=[
-                    "Explain each vulnerability and its potential impact",
-                    "Provide specific remediation steps with code examples",
-                    "Suggest preventive measures to avoid similar issues",
-                    "Reference relevant OWASP guidelines",
-                    "Prioritize by severity (critical first, then high)",
-                ],
-                constraints=[
-                    "Be specific and actionable",
-                    "Include code examples where helpful",
-                    "Group fixes by severity",
-                ],
-                input_type="security_findings",
-                input_payload=input_payload,
-                extra={
-                    "risk_score": assessment.get("risk_score", 0),
-                    "risk_level": assessment.get("risk_level", "unknown"),
-                },
-            )
-            system = None  # XML prompt includes all context
-        else:
-            # Use legacy plain text prompts
-            system = """You are a security expert in application security and OWASP.
-Generate a comprehensive remediation plan for the security findings.
-
-For each finding:
-1. Explain the vulnerability and its potential impact
-2. Provide specific remediation steps with code examples
-3. Suggest preventive measures to avoid similar issues
-4. Reference relevant OWASP guidelines
-
-Prioritize by severity (critical first, then high).
-Be specific and actionable."""
-
-            user_message = f"""Generate a remediation plan for these security findings:
-
-{input_payload}
-
-Provide a detailed remediation plan with specific fixes."""
-
-        # Try executor-based execution first (Phase 3 pattern)
-        if self._executor is not None or self._api_key:
-            try:
-                step = SECURITY_STEPS["remediate"]
-                response, input_tokens, output_tokens, cost = await self.run_step_with_executor(
-                    step=step,
-                    prompt=user_message,
-                    system=system,
-                )
-            except Exception:
-                # Fall back to legacy _call_llm if executor fails
-                response, input_tokens, output_tokens = await self._call_llm(
-                    tier,
-                    system or "",
-                    user_message,
-                    max_tokens=3000,
-                )
-        else:
-            # Legacy path for backward compatibility
-            response, input_tokens, output_tokens = await self._call_llm(
-                tier,
-                system or "",
-                user_message,
-                max_tokens=3000,
-            )
-
-        # Parse XML response if enforcement is enabled
-        parsed_data = self._parse_xml_response(response)
-
-        # Merge crew remediation if available
-        if crew_enhanced and crew_remediation:
-            response = self._merge_crew_remediation(response, crew_remediation)
-
-        result = {
-            "remediation_plan": response,
-            "remediation_count": len(critical) + len(high),
-            "risk_score": assessment.get("risk_score", 0),
-            "risk_level": assessment.get("risk_level", "unknown"),
-            "model_tier_used": tier.value,
-            "crew_enhanced": crew_enhanced,
-            "auth_mode_used": self._auth_mode_used,  # Track recommended auth mode
-            **input_data,  # Merge all previous stage data
-        }
-
-        # Add crew-specific fields if enhanced
-        if crew_enhanced and crew_remediation:
-            result["crew_findings"] = crew_remediation.get("findings", [])
-            result["crew_agents_used"] = crew_remediation.get("agents_used", [])
-
-        # Merge parsed XML data if available
-        if parsed_data.get("xml_parsed"):
-            result.update(
-                {
-                    "xml_parsed": True,
-                    "summary": parsed_data.get("summary"),
-                    "findings": parsed_data.get("findings", []),
-                    "checklist": parsed_data.get("checklist", []),
-                },
-            )
-
-        return (result, input_tokens, output_tokens)
-
-    async def _get_crew_remediation(
-        self,
-        target: str,
-        findings: list,
-        assessment: dict,
-    ) -> dict | None:
-        """Get remediation recommendations from SecurityAuditCrew.
-
-        Args:
-            target: Path to codebase
-            findings: List of findings needing remediation
-            assessment: Current assessment dict
-
-        Returns:
-            Crew results dict or None if failed
-
-        """
-        try:
-            from empathy_llm_toolkit.agent_factory.crews import (
-                SecurityAuditConfig,
-                SecurityAuditCrew,
-            )
-
-            from .security_adapters import (
-                crew_report_to_workflow_format,
-                workflow_findings_to_crew_format,
-            )
-
-            # Configure crew for focused remediation
-            config = SecurityAuditConfig(
-                scan_depth="quick",  # Skip deep scan, focus on remediation
-                **self.crew_config,
-            )
-            crew = SecurityAuditCrew(config=config)
-
-            # Convert findings to crew format for context
-            crew_findings = workflow_findings_to_crew_format(findings)
-
-            # Run audit with remediation focus
-            context = {
-                "focus_areas": ["remediation"],
-                "existing_findings": crew_findings,
-                "skip_detection": True,  # We already have findings
-                "risk_score": assessment.get("risk_score", 0),
-            }
-
-            report = await crew.audit(target, context=context)
-
-            if report:
-                return crew_report_to_workflow_format(report)
-            return None
-
-        except Exception as e:
-            import logging
-
-            logging.getLogger(__name__).warning(f"Crew remediation failed: {e}")
-            return None
-
-    def _merge_crew_remediation(self, llm_response: str, crew_remediation: dict) -> str:
-        """Merge crew remediation recommendations with LLM response.
-
-        Args:
-            llm_response: LLM-generated remediation plan
-            crew_remediation: Crew results in workflow format
-
-        Returns:
-            Merged response with crew enhancements
-
-        """
-        crew_findings = crew_remediation.get("findings", [])
-
-        if not crew_findings:
-            return llm_response
-
-        # Build crew section efficiently (avoid O(n²) string concat)
-        parts = [
-            "\n\n## Enhanced Remediation (SecurityAuditCrew)\n\n",
-            f"**Agents Used**: {', '.join(crew_remediation.get('agents_used', []))}\n\n",
-        ]
-
-        for finding in crew_findings:
-            if finding.get("remediation"):
-                parts.append(f"### {finding.get('title', 'Finding')}\n")
-                parts.append(f"**Severity**: {finding.get('severity', 'unknown').upper()}\n")
-                if finding.get("cwe_id"):
-                    parts.append(f"**CWE**: {finding.get('cwe_id')}\n")
-                if finding.get("cvss_score"):
-                    parts.append(f"**CVSS Score**: {finding.get('cvss_score')}\n")
-                parts.append(f"\n**Remediation**:\n{finding.get('remediation')}\n\n")
-
-        return llm_response + "".join(parts)
-
-    def _get_remediation_action(self, finding: dict) -> str:
-        """Generate specific remediation action for a finding."""
-        actions = {
-            "sql_injection": "Use parameterized queries or ORM. Never interpolate user input.",
-            "xss": "Use framework's auto-escaping. Sanitize user input.",
-            "hardcoded_secret": "Move to env vars or use a secrets manager.",
-            "insecure_random": "Use secrets.token_hex() or secrets.randbelow().",
-            "path_traversal": "Use os.path.realpath() and validate paths.",
-            "command_injection": "Use subprocess with shell=False and argument lists.",
-        }
-        return actions.get(finding.get("type", ""), "Apply security best practices.")
-
-
-def format_security_report(output: dict) -> str:
-    """Format security audit output as a human-readable report.
-
-    This format is designed to be:
-    - Easy for humans to read and understand
-    - Easy to copy/paste to an AI assistant for remediation help
-    - Actionable with clear severity levels and file locations
-
-    Args:
-        output: The workflow output dictionary
-
-    Returns:
-        Formatted report string
-
-    """
-    lines = []
-
-    # Header
-    assessment = output.get("assessment", {})
-    risk_level = assessment.get("risk_level", "unknown").upper()
-    risk_score = assessment.get("risk_score", 0)
-
-    lines.append("=" * 60)
-    lines.append("SECURITY AUDIT REPORT")
-    lines.append("=" * 60)
-    lines.append("")
-    lines.append(f"Risk Level: {risk_level}")
-    lines.append(f"Risk Score: {risk_score}/100")
-    lines.append("")
-
-    # Severity breakdown
-    breakdown = assessment.get("severity_breakdown", {})
-    lines.append("Severity Summary:")
-    for sev in ["critical", "high", "medium", "low"]:
-        count = breakdown.get(sev, 0)
-        icon = {"critical": "🔴", "high": "🟠", "medium": "🟡", "low": "🟢"}.get(sev, "⚪")
-        lines.append(f"  {icon} {sev.capitalize()}: {count}")
-    lines.append("")
-
-    # Files scanned
-    files_scanned = output.get("files_scanned", 0)
-    lines.append(f"Files Scanned: {files_scanned}")
-    lines.append("")
-
-    # Findings requiring review
-    needs_review = output.get("needs_review", [])
-    if needs_review:
-        lines.append("-" * 60)
-        lines.append("FINDINGS REQUIRING REVIEW")
-        lines.append("-" * 60)
-        lines.append("")
-
-        for i, finding in enumerate(needs_review, 1):
-            severity = finding.get("severity", "unknown").upper()
-            vuln_type = finding.get("type", "unknown")
-            file_path = finding.get("file", "").split("Empathy-framework/")[-1]
-            line_num = finding.get("line", 0)
-            match = finding.get("match", "")[:50]
-            owasp = finding.get("owasp", "")
-            is_test = finding.get("is_test", False)
-            analysis = finding.get("analysis", "")
-
-            test_marker = " [TEST FILE]" if is_test else ""
-            lines.append(f"{i}. [{severity}]{test_marker} {vuln_type}")
-            lines.append(f"   File: {file_path}:{line_num}")
-            lines.append(f"   Match: {match}")
-            lines.append(f"   OWASP: {owasp}")
-            if analysis:
-                lines.append(f"   Analysis: {analysis}")
-            lines.append("")
-
-    # Accepted risks
-    accepted = output.get("accepted_risks", [])
-    if accepted:
-        lines.append("-" * 60)
-        lines.append("ACCEPTED RISKS (No Action Required)")
-        lines.append("-" * 60)
-        lines.append("")
-
-        for finding in accepted:
-            vuln_type = finding.get("type", "unknown")
-            file_path = finding.get("file", "").split("Empathy-framework/")[-1]
-            line_num = finding.get("line", 0)
-            reason = finding.get("decision_reason", "")
-
-            lines.append(f"  - {vuln_type} in {file_path}:{line_num}")
-            if reason:
-                lines.append(f"    Reason: {reason}")
-        lines.append("")
-
-    # Remediation plan if present
-    remediation = output.get("remediation_plan", "")
-    if remediation and remediation.strip():
-        lines.append("-" * 60)
-        lines.append("REMEDIATION PLAN")
-        lines.append("-" * 60)
-        lines.append("")
-        lines.append(remediation)
-        lines.append("")
-
-    # Footer with action items
-    lines.append("=" * 60)
-    if needs_review:
-        lines.append("ACTION REQUIRED:")
-        lines.append(f"  Review {len(needs_review)} finding(s) above")
-        lines.append("  Copy this report to Claude Code for remediation help")
-    else:
-        lines.append("STATUS: All clear - no critical or high findings")
-    lines.append("=" * 60)
-
-    return "\n".join(lines)
-
-
-def main():
-    """CLI entry point for security audit workflow."""
-    import asyncio
-
-    async def run():
-        workflow = SecurityAuditWorkflow()
-        result = await workflow.execute(path=".", file_types=[".py"])
-
-        # Use the new formatted report
-        report = format_security_report(result.final_output)
-        print(report)
-
-        print("\nCost Report:")
-        print(f"  Total Cost: ${result.cost_report.total_cost:.4f}")
-        savings = result.cost_report.savings
-        pct = result.cost_report.savings_percent
-        print(f"  Savings: ${savings:.4f} ({pct:.1f}%)")
-
-    asyncio.run(run())
-
-
-if __name__ == "__main__":
-    main()