gac 0.17.2__py3-none-any.whl → 3.6.0__py3-none-any.whl

gac/providers/replicate.py

@@ -0,0 +1,98 @@
+"""Replicate API provider for gac."""
+
+import os
+
+import httpx
+
+from gac.errors import AIError
+
+
+def call_replicate_api(model: str, messages: list[dict], temperature: float, max_tokens: int) -> str:
+    """Call Replicate API directly."""
+    api_key = os.getenv("REPLICATE_API_TOKEN")
+    if not api_key:
+        raise AIError.authentication_error("REPLICATE_API_TOKEN not found in environment variables")
+
+    # Replicate uses a different endpoint for language models
+    url = "https://api.replicate.com/v1/predictions"
+    headers = {"Authorization": f"Token {api_key}", "Content-Type": "application/json"}
+
+    # Convert messages to a single prompt for Replicate
+    prompt_parts = []
+    system_message = None
+
+    for message in messages:
+        role = message.get("role")
+        content = message.get("content", "")
+
+        if role == "system":
+            system_message = content
+        elif role == "user":
+            prompt_parts.append(f"Human: {content}")
+        elif role == "assistant":
+            prompt_parts.append(f"Assistant: {content}")
+
+    # Add system message at the beginning if present
+    if system_message:
+        prompt_parts.insert(0, f"System: {system_message}")
+
+    # Add final assistant prompt
+    prompt_parts.append("Assistant:")
+    full_prompt = "\n\n".join(prompt_parts)
+
+    # Replicate prediction payload
+    data = {
+        "version": model,  # Replicate uses version string as model identifier
+        "input": {
+            "prompt": full_prompt,
+            "temperature": temperature,
+            "max_tokens": max_tokens,
+        },
+    }
+
+    try:
+        # Create prediction
+        response = httpx.post(url, headers=headers, json=data, timeout=120)
+        response.raise_for_status()
+        prediction_data = response.json()
+
+        # Get the prediction URL to check status
+        get_url = f"https://api.replicate.com/v1/predictions/{prediction_data['id']}"
+
+        # Poll for completion (Replicate predictions are async)
+        max_wait_time = 120
+        wait_interval = 2
+        elapsed_time = 0
+
+        while elapsed_time < max_wait_time:
+            get_response = httpx.get(get_url, headers=headers, timeout=120)
+            get_response.raise_for_status()
+            status_data = get_response.json()
+
+            if status_data["status"] == "succeeded":
+                content = status_data["output"]
+                if not content:
+                    raise AIError.model_error("Replicate API returned empty content")
+                return content
+            elif status_data["status"] == "failed":
+                raise AIError.model_error(f"Replicate prediction failed: {status_data.get('error', 'Unknown error')}")
+            elif status_data["status"] in ["starting", "processing"]:
+                import time
+
+                time.sleep(wait_interval)
+                elapsed_time += wait_interval
+            else:
+                raise AIError.model_error(f"Replicate API returned unknown status: {status_data['status']}")
+
+        raise AIError.timeout_error("Replicate API prediction timed out")
+
+    except httpx.HTTPStatusError as e:
+        if e.response.status_code == 429:
+            raise AIError.rate_limit_error(f"Replicate API rate limit exceeded: {e.response.text}") from e
+        elif e.response.status_code == 401:
+            raise AIError.authentication_error(f"Replicate API authentication failed: {e.response.text}") from e
+        raise AIError.model_error(f"Replicate API error: {e.response.status_code} - {e.response.text}") from e
+    except httpx.TimeoutException as e:
+        raise AIError.timeout_error(f"Replicate API request timed out: {str(e)}") from e
+    except Exception as e:
+        raise AIError.model_error(f"Error calling Replicate API: {str(e)}") from e

gac/providers/streamlake.py

@@ -0,0 +1,51 @@
+"""StreamLake (Vanchin) API provider for gac."""
+
+import os
+
+import httpx
+
+from gac.errors import AIError
+
+
+def call_streamlake_api(model: str, messages: list[dict], temperature: float, max_tokens: int) -> str:
+    """Call StreamLake (Vanchin) chat completions API."""
+    api_key = os.getenv("STREAMLAKE_API_KEY") or os.getenv("VC_API_KEY")
+    if not api_key:
+        raise AIError.authentication_error(
+            "STREAMLAKE_API_KEY not found in environment variables (VC_API_KEY alias also not set)"
+        )
+
+    url = "https://vanchin.streamlake.ai/api/gateway/v1/endpoints/chat/completions"
+    headers = {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}
+
+    data = {
+        "model": model,
+        "messages": messages,
+        "temperature": temperature,
+        "max_tokens": max_tokens,
+    }
+
+    try:
+        response = httpx.post(url, headers=headers, json=data, timeout=120)
+        response.raise_for_status()
+        response_data = response.json()
+        choices = response_data.get("choices")
+        if not choices:
+            raise AIError.model_error("StreamLake API returned no choices")
+
+        message = choices[0].get("message", {})
+        content = message.get("content")
+        if content is None:
+            raise AIError.model_error("StreamLake API returned null content")
+        if content == "":
+            raise AIError.model_error("StreamLake API returned empty content")
+
+        return content
+    except httpx.HTTPStatusError as e:
+        if e.response.status_code == 429:
+            raise AIError.rate_limit_error(f"StreamLake API rate limit exceeded: {e.response.text}") from e
+        raise AIError.model_error(f"StreamLake API error: {e.response.status_code} - {e.response.text}") from e
+    except httpx.TimeoutException as e:
+        raise AIError.timeout_error(f"StreamLake API request timed out: {str(e)}") from e
+    except Exception as e:  # noqa: BLE001 - convert to AIError
+        raise AIError.model_error(f"Error calling StreamLake API: {str(e)}") from e

gac/providers/synthetic.py

@@ -0,0 +1,42 @@
+"""Synthetic.new API provider for gac."""
+
+import os
+
+import httpx
+
+from gac.errors import AIError
+
+
+def call_synthetic_api(model: str, messages: list[dict], temperature: float, max_tokens: int) -> str:
+    """Call Synthetic API directly."""
+    # Handle model names without hf: prefix
+    if not model.startswith("hf:"):
+        model = f"hf:{model}"
+
+    api_key = os.getenv("SYNTHETIC_API_KEY") or os.getenv("SYN_API_KEY")
+    if not api_key:
+        raise AIError.authentication_error("SYNTHETIC_API_KEY or SYN_API_KEY not found in environment variables")
+
+    url = "https://api.synthetic.new/openai/v1/chat/completions"
+    headers = {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}
+
+    data = {"model": model, "messages": messages, "temperature": temperature, "max_completion_tokens": max_tokens}
+
+    try:
+        response = httpx.post(url, headers=headers, json=data, timeout=120)
+        response.raise_for_status()
+        response_data = response.json()
+        content = response_data["choices"][0]["message"]["content"]
+        if content is None:
+            raise AIError.model_error("Synthetic.new API returned null content")
+        if content == "":
+            raise AIError.model_error("Synthetic.new API returned empty content")
+        return content
+    except httpx.HTTPStatusError as e:
+        if e.response.status_code == 429:
+            raise AIError.rate_limit_error(f"Synthetic.new API rate limit exceeded: {e.response.text}") from e
+        raise AIError.model_error(f"Synthetic.new API error: {e.response.status_code} - {e.response.text}") from e
+    except httpx.TimeoutException as e:
+        raise AIError.timeout_error(f"Synthetic.new API request timed out: {str(e)}") from e
+    except Exception as e:
+        raise AIError.model_error(f"Error calling Synthetic.new API: {str(e)}") from e

gac/providers/together.py

@@ -0,0 +1,38 @@
+"""Together AI API provider for gac."""
+
+import os
+
+import httpx
+
+from gac.errors import AIError
+
+
+def call_together_api(model: str, messages: list[dict], temperature: float, max_tokens: int) -> str:
+    """Call Together AI API directly."""
+    api_key = os.getenv("TOGETHER_API_KEY")
+    if not api_key:
+        raise AIError.authentication_error("TOGETHER_API_KEY not found in environment variables")
+
+    url = "https://api.together.xyz/v1/chat/completions"
+    headers = {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}
+
+    data = {"model": model, "messages": messages, "temperature": temperature, "max_tokens": max_tokens}
+
+    try:
+        response = httpx.post(url, headers=headers, json=data, timeout=120)
+        response.raise_for_status()
+        response_data = response.json()
+        content = response_data["choices"][0]["message"]["content"]
+        if content is None:
+            raise AIError.model_error("Together AI API returned null content")
+        if content == "":
+            raise AIError.model_error("Together AI API returned empty content")
+        return content
+    except httpx.HTTPStatusError as e:
+        if e.response.status_code == 429:
+            raise AIError.rate_limit_error(f"Together AI API rate limit exceeded: {e.response.text}") from e
+        raise AIError.model_error(f"Together AI API error: {e.response.status_code} - {e.response.text}") from e
+    except httpx.TimeoutException as e:
+        raise AIError.timeout_error(f"Together AI API request timed out: {str(e)}") from e
+    except Exception as e:
+        raise AIError.model_error(f"Error calling Together AI API: {str(e)}") from e

gac/providers/zai.py

@@ -0,0 +1,59 @@
+"""Z.AI API provider for gac."""
+
+import os
+
+import httpx
+
+from gac.errors import AIError
+
+
+def _call_zai_api_impl(
+    url: str, api_name: str, model: str, messages: list[dict], temperature: float, max_tokens: int
+) -> str:
+    """Internal implementation for Z.AI API calls."""
+    api_key = os.getenv("ZAI_API_KEY")
+    if not api_key:
+        raise AIError.authentication_error("ZAI_API_KEY not found in environment variables")
+
+    headers = {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}
+    data = {"model": model, "messages": messages, "temperature": temperature, "max_tokens": max_tokens}
+
+    try:
+        response = httpx.post(url, headers=headers, json=data, timeout=120)
+        response.raise_for_status()
+        response_data = response.json()
+
+        # Handle different possible response structures
+        if "choices" in response_data and len(response_data["choices"]) > 0:
+            choice = response_data["choices"][0]
+            if "message" in choice and "content" in choice["message"]:
+                content = choice["message"]["content"]
+                if content is None:
+                    raise AIError.model_error(f"{api_name} API returned null content")
+                if content == "":
+                    raise AIError.model_error(f"{api_name} API returned empty content")
+                return content
+            else:
+                raise AIError.model_error(f"{api_name} API response missing content: {response_data}")
+        else:
+            raise AIError.model_error(f"{api_name} API unexpected response structure: {response_data}")
+    except httpx.HTTPStatusError as e:
+        if e.response.status_code == 429:
+            raise AIError.rate_limit_error(f"{api_name} API rate limit exceeded: {e.response.text}") from e
+        raise AIError.model_error(f"{api_name} API error: {e.response.status_code} - {e.response.text}") from e
+    except httpx.TimeoutException as e:
+        raise AIError.timeout_error(f"{api_name} API request timed out: {str(e)}") from e
+    except Exception as e:
+        raise AIError.model_error(f"Error calling {api_name} API: {str(e)}") from e
+
+
+def call_zai_api(model: str, messages: list[dict], temperature: float, max_tokens: int) -> str:
+    """Call Z.AI regular API directly."""
+    url = "https://api.z.ai/api/paas/v4/chat/completions"
+    return _call_zai_api_impl(url, "Z.AI", model, messages, temperature, max_tokens)
+
+
+def call_zai_coding_api(model: str, messages: list[dict], temperature: float, max_tokens: int) -> str:
+    """Call Z.AI coding API directly."""
+    url = "https://api.z.ai/api/coding/paas/v4/chat/completions"
+    return _call_zai_api_impl(url, "Z.AI coding", model, messages, temperature, max_tokens)

gac/security.py

@@ -0,0 +1,293 @@
+#!/usr/bin/env python3
+"""Security utilities for detecting secrets and API keys in git diffs.
+
+This module provides functions to scan staged changes for potential secrets,
+API keys, and other sensitive information that should not be committed.
+"""
+
+import logging
+import re
+from dataclasses import dataclass
+
+logger = logging.getLogger(__name__)
+
+
+@dataclass
+class DetectedSecret:
+    """Represents a detected secret in a file."""
+
+    file_path: str
+    line_number: int | None
+    secret_type: str
+    matched_text: str
+    context: str | None = None
+
+
+class SecretPatterns:
+    """Regex patterns for detecting various types of secrets and API keys."""
+
+    # AWS Access Keys
+    AWS_ACCESS_KEY_ID = re.compile(r"(?:AWS_ACCESS_KEY_ID|aws_access_key_id)[\s:=\"']+([A-Z0-9]{20})", re.IGNORECASE)
+    AWS_SECRET_ACCESS_KEY = re.compile(
+        r"(?:AWS_SECRET_ACCESS_KEY|aws_secret_access_key)[\s:=\"']+([A-Za-z0-9/+=]{40})", re.IGNORECASE
+    )
+    AWS_SESSION_TOKEN = re.compile(r"(?:AWS_SESSION_TOKEN|aws_session_token)[\s:=\"']+([A-Za-z0-9/+=]+)", re.IGNORECASE)
+
+    # Generic API Keys
+    GENERIC_API_KEY = re.compile(
+        r"(?:api[-_]?key|api[-_]?secret|access[-_]?key|secret[-_]?key)[\s:=\"']+([A-Za-z0-9_\-]{20,})", re.IGNORECASE
+    )
+
+    # GitHub Tokens
+    GITHUB_TOKEN = re.compile(r"(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36,}")
+
+    # OpenAI API Keys
+    OPENAI_API_KEY = re.compile(r"sk-[A-Za-z0-9]{20,}")
+
+    # Anthropic API Keys
+    ANTHROPIC_API_KEY = re.compile(r"sk-ant-[A-Za-z0-9\-_]{95,}")
+
+    # Stripe Keys
+    STRIPE_KEY = re.compile(r"(?:sk|pk|rk)_(?:live|test)_[A-Za-z0-9]{24,}")
+
+    # Private Keys (PEM format)
+    PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
+
+    # Bearer Tokens (require actual token with specific characteristics)
+    BEARER_TOKEN = re.compile(r"Bearer\s+[A-Za-z0-9]{20,}[/=]*(?:\s|$)", re.IGNORECASE)
+
+    # JWT Tokens
+    JWT_TOKEN = re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
+
+    # Database URLs with credentials
+    DATABASE_URL = re.compile(
+        r"(?:postgresql|mysql|mongodb|redis)://[A-Za-z0-9_-]+:[A-Za-z0-9_@!#$%^&*()+-=]+@[A-Za-z0-9.-]+",
+        re.IGNORECASE,
+    )
+
+    # SSH Private Keys
+    SSH_PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA|DSA|EC|OPENSSH) PRIVATE KEY-----")
+
+    # Slack Tokens
+    SLACK_TOKEN = re.compile(r"xox[baprs]-[A-Za-z0-9-]+")
+
+    # Google API Keys
+    GOOGLE_API_KEY = re.compile(r"AIza[0-9A-Za-z_-]{35}")
+
+    # Twilio API Keys
+    TWILIO_API_KEY = re.compile(r"SK[a-f0-9]{32}")
+
+    # Generic Password Fields
+    PASSWORD = re.compile(r"(?:password|passwd|pwd)[\s:=\"']+([^\s\"']{8,})", re.IGNORECASE)
+
+    # Excluded patterns (common false positives)
+    EXCLUDED_PATTERNS = [
+        re.compile(r"(?:example|sample|dummy|placeholder|your[-_]?api[-_]?key)", re.IGNORECASE),
+        re.compile(r"(?:xxx+|yyy+|zzz+)", re.IGNORECASE),
+        re.compile(r"\b(?:123456|password|changeme|secret|testpass|admin)\b", re.IGNORECASE),  # Word boundaries
+        re.compile(r"ghp_[a-f0-9]{16}", re.IGNORECASE),  # Short GitHub tokens (examples)
+        re.compile(r"sk-[a-f0-9]{16}", re.IGNORECASE),  # Short OpenAI keys (examples)
+        re.compile(r"Bearer Token", re.IGNORECASE),  # Documentation text
+        re.compile(r"Add Bearer Token", re.IGNORECASE),  # Documentation text
+        re.compile(r"Test Bearer Token", re.IGNORECASE),  # Documentation text
+    ]
+
+    @classmethod
+    def get_all_patterns(cls) -> dict[str, re.Pattern]:
+        """Get all secret detection patterns.
+
+        Returns:
+            Dictionary mapping pattern names to compiled regex patterns
+        """
+        patterns = {}
+        for name, value in vars(cls).items():
+            if isinstance(value, re.Pattern) and not name.startswith("EXCLUDED"):
+                # Convert pattern name to human-readable format
+                readable_name = name.replace("_", " ").title()
+                patterns[readable_name] = value
+        return patterns
+
+
+def is_false_positive(matched_text: str, file_path: str = "") -> bool:
+    """Check if a matched secret is likely a false positive.
+
+    Args:
+        matched_text: The text that matched a secret pattern
+        file_path: The file path where the match was found (for context-based filtering)
+
+    Returns:
+        True if the match is likely a false positive
+    """
+    # Check against excluded patterns
+    for pattern in SecretPatterns.EXCLUDED_PATTERNS:
+        if pattern.search(matched_text):
+            return True
+
+    # Check for all-same characters (e.g., "xxxxxxxxxxxxxxxx")
+    if len(set(matched_text.lower())) <= 3 and len(matched_text) > 10:
+        return True
+
+    # Special handling for .env.example, .env.template, .env.sample files
+    if any(example_file in file_path for example_file in [".env.example", ".env.template", ".env.sample"]):
+        return True
+
+    return False
+
+
+def extract_file_path_from_diff_section(section: str) -> str | None:
+    """Extract the file path from a git diff section.
+
+    Args:
+        section: A git diff section
+
+    Returns:
+        The file path or None if not found
+    """
+    match = re.search(r"diff --git a/(.*?) b/", section)
+    if match:
+        return match.group(1)
+    return None
+
+
+def extract_line_number_from_hunk(line: str, hunk_header: str | None) -> int | None:
+    """Extract the line number from a diff hunk.
+
+    Args:
+        line: The diff line containing the secret
+        hunk_header: The most recent hunk header (e.g., "@@ -1,4 +1,5 @@")
+
+    Returns:
+        The line number or None if not determinable
+    """
+    if not hunk_header:
+        return None
+
+    # Parse hunk header to get starting line number: @@ -old_start,old_count +new_start,new_count @@
+    match = re.search(r"@@ -\d+(?:,\d+)? \+(\d+)", hunk_header)
+    if not match:
+        return None
+
+    return int(match.group(1))
+
+
+def scan_diff_section(section: str) -> list[DetectedSecret]:
+    """Scan a single git diff section for secrets.
+
+    Args:
+        section: A git diff section to scan
+
+    Returns:
+        List of detected secrets
+    """
+    secrets: list[DetectedSecret] = []
+    file_path = extract_file_path_from_diff_section(section)
+
+    if not file_path:
+        return secrets
+
+    patterns = SecretPatterns.get_all_patterns()
+    lines = section.split("\n")
+    line_counter = 0
+
+    for line in lines:
+        # Track hunk headers for line number extraction
+        if line.startswith("@@"):
+            # Reset line counter based on hunk header (this is the starting line number in the new file)
+            match = re.search(r"@@ -\d+(?:,\d+)? \+(\d+)", line)
+            if match:
+                line_counter = int(match.group(1)) - 1  # Start one line before, will increment correctly
+            continue
+
+        # Skip metadata lines
+        if line.startswith("+++") or line.startswith("---"):
+            continue
+
+        # Increment line counter for both added and context lines
+        if line.startswith("+") or line.startswith(" "):
+            line_counter += 1
+
+        # Only scan added lines (starting with '+')
+        if line.startswith("+") and not line.startswith("+++"):
+            # Check each pattern
+            content = line[1:]  # Remove the '+' prefix for pattern matching
+            for pattern_name, pattern in patterns.items():
+                matches = pattern.finditer(content)
+                for match in matches:
+                    matched_text = match.group(0)
+
+                    # Skip false positives
+                    if is_false_positive(matched_text, file_path):
+                        logger.debug(f"Skipping false positive: {matched_text}")
+                        continue
+
+                    # Truncate matched text for display (avoid showing full secrets)
+                    from gac.constants import Utility
+
+                    display_text = (
+                        matched_text[: Utility.MAX_DISPLAYED_SECRET_LENGTH] + "..."
+                        if len(matched_text) > Utility.MAX_DISPLAYED_SECRET_LENGTH
+                        else matched_text
+                    )
+
+                    secrets.append(
+                        DetectedSecret(
+                            file_path=file_path,
+                            line_number=line_counter,
+                            secret_type=pattern_name,
+                            matched_text=display_text,
+                            context=content.strip(),
+                        )
+                    )
+
+    return secrets
+
+
+def scan_staged_diff(diff: str) -> list[DetectedSecret]:
+    """Scan staged git diff for secrets and API keys.
+
+    Args:
+        diff: The staged git diff to scan
+
+    Returns:
+        List of detected secrets
+    """
+    if not diff:
+        return []
+
+    # Split diff into sections (one per file)
+    sections = re.split(r"(?=^diff --git )", diff, flags=re.MULTILINE)
+    all_secrets = []
+
+    for section in sections:
+        if not section.strip():
+            continue
+
+        # Validate that this is a real git diff section
+        # Real diff sections must have diff --git header followed by --- and +++ lines
+        if not re.search(r"^diff --git ", section, flags=re.MULTILINE):
+            continue
+
+        if not re.search(r"^--- ", section, flags=re.MULTILINE):
+            continue
+
+        if not re.search(r"^\+\+\+ ", section, flags=re.MULTILINE):
+            continue
+
+        secrets = scan_diff_section(section)
+        all_secrets.extend(secrets)
+
+    logger.info(f"Secret scan complete: found {len(all_secrets)} potential secrets")
+    return all_secrets
+
+
+def get_affected_files(secrets: list[DetectedSecret]) -> list[str]:
+    """Get unique list of files containing detected secrets.
+
+    Args:
+        secrets: List of detected secrets
+
+    Returns:
+        Sorted list of unique file paths
+    """
+    files = {secret.file_path for secret in secrets}
+    return sorted(files)