gdmcode 0.1.0__py3-none-any.whl

src/enterprise/audit_log.py

@@ -0,0 +1,182 @@
+"""Tamper-evident audit log using hash chain."""
+from __future__ import annotations
+
+import hashlib
+import json
+import time
+import threading
+from dataclasses import dataclass, field
+from enum import Enum
+from pathlib import Path
+from typing import Any
+
+
+class AuditEventType(str, Enum):
+    TOOL_CALL = "tool_call"
+    FILE_EDIT = "file_edit"
+    MODEL_CALL = "model_call"
+    SESSION_START = "session_start"
+    SESSION_END = "session_end"
+    PERMISSION_CHECK = "permission_check"
+
+
+@dataclass
+class AuditEvent:
+    event_type: AuditEventType
+    actor: str               # user or team name
+    details: dict[str, Any]
+    timestamp: float = field(default_factory=time.time)
+    event_id: str = ""       # auto-generated SHA256 hash
+    prev_hash: str = ""      # hash of previous event (chain)
+    hash: str = ""           # hash of this event
+
+
+class AuditLog:
+    """Append-only tamper-evident audit log. Each entry hashes the previous."""
+
+    def __init__(self, log_path: str | Path, actor: str = "unknown"):
+        self._path = Path(log_path)
+        self._actor = actor
+        self._lock = threading.Lock()
+        self._last_hash = "0" * 64   # genesis hash
+
+    def log(self, event_type: AuditEventType, details: dict[str, Any]) -> AuditEvent:
+        """Append event to log. Thread-safe."""
+        with self._lock:
+            event = AuditEvent(
+                event_type=event_type,
+                actor=self._actor,
+                details=details,
+            )
+            # event_id: fingerprint of immutable content (no chain fields)
+            event.event_id = self._compute_event_id(event)
+            event.prev_hash = self._last_hash
+            event.hash = self._compute_hash(event)
+            self._last_hash = event.hash
+            self._write(event)
+        return event
+
+    def log_tool_call(self, tool_name: str, args: dict, result_summary: str) -> AuditEvent:
+        return self.log(AuditEventType.TOOL_CALL, {
+            "tool_name": tool_name,
+            "args": args,
+            "result_summary": result_summary,
+        })
+
+    def log_file_edit(self, file_path: str, change_type: str, lines_changed: int) -> AuditEvent:
+        return self.log(AuditEventType.FILE_EDIT, {
+            "file_path": file_path,
+            "change_type": change_type,
+            "lines_changed": lines_changed,
+        })
+
+    def log_model_call(self, model: str, tokens_in: int, tokens_out: int) -> AuditEvent:
+        return self.log(AuditEventType.MODEL_CALL, {
+            "model": model,
+            "tokens_in": tokens_in,
+            "tokens_out": tokens_out,
+        })
+
+    def log_session_start(self, session_id: str) -> AuditEvent:
+        return self.log(AuditEventType.SESSION_START, {"session_id": session_id})
+
+    def log_session_end(self, session_id: str, summary: str) -> AuditEvent:
+        return self.log(AuditEventType.SESSION_END, {
+            "session_id": session_id,
+            "summary": summary,
+        })
+
+    def verify_chain(self) -> tuple[bool, str]:
+        """Verify hash chain integrity. Returns (valid, error_message)."""
+        if not self._path.exists():
+            return (True, "")
+
+        lines = [ln for ln in self._path.read_text(encoding="utf-8").splitlines() if ln.strip()]
+        if not lines:
+            return (True, "")
+
+        prev_hash = "0" * 64
+        for idx, line in enumerate(lines):
+            try:
+                data = json.loads(line)
+            except json.JSONDecodeError as exc:
+                return (False, f"line {idx}: invalid JSON: {exc}")
+
+            event = _event_from_dict(data)
+            stored_hash = event.hash
+            stored_event_id = event.event_id
+
+            # Verify prev_hash linkage
+            if event.prev_hash != prev_hash:
+                return (False, f"event {idx}: prev_hash mismatch")
+
+            # Verify event_id
+            expected_id = self._compute_event_id(event)
+            if event.event_id != expected_id:
+                return (False, f"event {idx}: event_id mismatch")
+
+            # Verify hash
+            expected_hash = self._compute_hash(event)
+            if stored_hash != expected_hash:
+                return (False, f"event {idx}: hash mismatch")
+
+            prev_hash = stored_hash
+
+        return (True, "")
+
+    def tail(self, n: int = 20) -> list[AuditEvent]:
+        """Return last N events."""
+        if not self._path.exists():
+            return []
+        lines = [ln for ln in self._path.read_text(encoding="utf-8").splitlines() if ln.strip()]
+        return [_event_from_dict(json.loads(ln)) for ln in lines[-n:]]
+
+    def _compute_event_id(self, event: AuditEvent) -> str:
+        """SHA256 of immutable event identity fields (excludes chain fields)."""
+        payload = json.dumps({
+            "event_type": event.event_type,
+            "actor": event.actor,
+            "details": event.details,
+            "timestamp": event.timestamp,
+        }, sort_keys=True, separators=(",", ":"))
+        return hashlib.sha256(payload.encode()).hexdigest()
+
+    def _compute_hash(self, event: AuditEvent) -> str:
+        """SHA256 of canonical JSON of the event fields."""
+        payload = json.dumps({
+            "event_type": event.event_type,
+            "actor": event.actor,
+            "details": event.details,
+            "timestamp": event.timestamp,
+            "event_id": event.event_id,
+            "prev_hash": event.prev_hash,
+        }, sort_keys=True, separators=(",", ":"))
+        return hashlib.sha256(payload.encode()).hexdigest()
+
+    def _write(self, event: AuditEvent) -> None:
+        """Append event as JSON line to log file."""
+        self._path.parent.mkdir(parents=True, exist_ok=True)
+        record = {
+            "event_type": event.event_type,
+            "actor": event.actor,
+            "details": event.details,
+            "timestamp": event.timestamp,
+            "event_id": event.event_id,
+            "prev_hash": event.prev_hash,
+            "hash": event.hash,
+        }
+        with self._path.open("a", encoding="utf-8") as fh:
+            fh.write(json.dumps(record, sort_keys=True, separators=(",", ":")) + "\n")
+
+
+def _event_from_dict(data: dict) -> AuditEvent:
+    """Reconstruct AuditEvent from a JSON dict."""
+    return AuditEvent(
+        event_type=AuditEventType(data["event_type"]),
+        actor=data["actor"],
+        details=data["details"],
+        timestamp=data["timestamp"],
+        event_id=data.get("event_id", ""),
+        prev_hash=data.get("prev_hash", ""),
+        hash=data.get("hash", ""),
+    )

src/enterprise/identity.py

@@ -0,0 +1,90 @@
+from __future__ import annotations
+from abc import ABC, abstractmethod
+from dataclasses import dataclass
+from pathlib import Path
+from typing import Optional
+import subprocess
+
+
+class IdentityNotFoundError(Exception):
+    pass
+
+
+@dataclass(frozen=True)
+class Identity:
+    actor_id: str
+    display_name: str
+    roles: list[str]
+    token_exp: Optional[float] = None  # epoch; None = no expiry
+
+
+class IdentityProvider(ABC):
+    @abstractmethod
+    def resolve(self) -> Identity: ...
+
+
+class LocalIdentity(IdentityProvider):
+    """Dev-mode identity from ~/.config/gdm/identity.toml. Falls back to git config."""
+
+    def __init__(self, identity_file: Path = None):
+        self._path = identity_file or Path.home() / ".config" / "gdm" / "identity.toml"
+
+    def resolve(self) -> Identity:
+        if not self._path.exists():
+            try:
+                email = subprocess.check_output(
+                    ["git", "config", "user.email"], text=True,
+                    stderr=subprocess.DEVNULL
+                ).strip()
+            except Exception:
+                email = "unknown@local"
+            return Identity(actor_id=email, display_name=email, roles=[])
+        try:
+            import tomllib
+        except ImportError:
+            import tomli as tomllib  # Python < 3.11 fallback
+        with open(self._path, "rb") as f:
+            raw = tomllib.load(f)
+        data = raw.get("identity", raw)
+        return Identity(
+            actor_id=data["actor_id"],
+            display_name=data.get("display_name", data["actor_id"]),
+            roles=data.get("roles", []),
+        )
+
+
+class OIDCIdentity(IdentityProvider):
+    """Production OIDC/JWT identity validation. Requires PyJWT[crypto]."""
+
+    def __init__(self, issuer: str, audience: str, roles_claim: str = "gdm_roles"):
+        self._issuer = issuer
+        self._audience = audience
+        self._roles_claim = roles_claim
+
+    def resolve(self) -> Identity:
+        import os
+        token = os.environ.get("GDM_OIDC_TOKEN") or self._load_token_file()
+        try:
+            import jwt as pyjwt
+        except ImportError:
+            raise ImportError("PyJWT[cryptography] required for OIDC. pip install 'PyJWT[cryptography]'")
+        # In real use: fetch JWKS from issuer and validate signature
+        # For now: decode without verification (test mode) or with key
+        options = {"verify_signature": False}  # override in production with JWKS key
+        claims = pyjwt.decode(token, options=options, algorithms=["RS256", "ES256", "HS256"])
+        if claims.get("exp") and claims["exp"] < __import__("time").time():
+            raise IdentityNotFoundError("OIDC token expired")
+        return Identity(
+            actor_id=claims["sub"],
+            display_name=claims.get("name", claims["sub"]),
+            roles=claims.get(self._roles_claim, []),
+            token_exp=claims.get("exp"),
+        )
+
+    def _load_token_file(self) -> str:
+        path = Path.home() / ".config" / "gdm" / "oidc_token"
+        if not path.exists():
+            raise IdentityNotFoundError(
+                "No OIDC token found. Set GDM_OIDC_TOKEN or run `gdm login`."
+            )
+        return path.read_text().strip()

src/enterprise/rbac.py

@@ -0,0 +1,100 @@
+from __future__ import annotations
+import re
+from dataclasses import dataclass, field
+from typing import Optional
+from src.enterprise.identity import Identity
+
+
+class RBACDeniedError(Exception):
+    pass
+
+
+class NetworkPolicyViolationError(Exception):
+    pass
+
+
+@dataclass(frozen=True)
+class RolePermissions:
+    max_autonomy: int
+    allowed_tools: list[str]  # ["*"] = all
+    denied_tools: list[str] = field(default_factory=list)
+    can_push: bool = False
+    can_admin_config: bool = False
+    max_cost_per_session: float = 50.0
+
+
+BUILTIN_ROLES: dict[str, RolePermissions] = {
+    "admin": RolePermissions(
+        max_autonomy=5, allowed_tools=["*"], can_push=True, can_admin_config=True,
+    ),
+    "developer": RolePermissions(
+        max_autonomy=4, allowed_tools=["*"], can_push=True,
+    ),
+    "reviewer": RolePermissions(
+        max_autonomy=1,
+        allowed_tools=["read_file", "find_symbol", "grep", "review", "list_dir"],
+        can_push=False,
+    ),
+}
+
+
+class RBACManager:
+    def __init__(self, team_policy_roles: dict = None):
+        self._roles = {**BUILTIN_ROLES, **(team_policy_roles or {})}
+
+    def get_permissions(self, identity: Identity) -> RolePermissions:
+        if not identity.roles:
+            return RolePermissions(max_autonomy=0, allowed_tools=[], max_cost_per_session=0.0)
+        if "admin" in identity.roles:
+            return self._roles["admin"]
+        best = max(
+            (self._roles[r] for r in identity.roles if r in self._roles),
+            key=lambda p: p.max_autonomy,
+            default=RolePermissions(max_autonomy=0, allowed_tools=[]),
+        )
+        return best
+
+    def check_tool(self, identity: Identity, tool_name: str) -> bool:
+        perms = self.get_permissions(identity)
+        if "*" in perms.allowed_tools:
+            return tool_name not in perms.denied_tools
+        return tool_name in perms.allowed_tools and tool_name not in perms.denied_tools
+
+    def assert_tool(self, identity: Identity, tool_name: str) -> None:
+        """Raise RBACDeniedError if tool not permitted."""
+        if not self.check_tool(identity, tool_name):
+            raise RBACDeniedError(
+                f"Actor '{identity.actor_id}' with roles {identity.roles} "
+                f"is not permitted to use tool '{tool_name}'"
+            )
+
+
+class NetworkPolicyEnforcer:
+    _PRIVATE_PATTERNS = [
+        re.compile(r"^127\."),
+        re.compile(r"^10\."),
+        re.compile(r"^172\.(1[6-9]|2\d|3[01])\."),
+        re.compile(r"^169\.254\."),
+        re.compile(r"^::1$"),
+        re.compile(r"^localhost$", re.I),
+        re.compile(r"^0\.0\.0\.0$"),
+    ]
+
+    def __init__(self, allowlist: list[str] = None, allow_all: bool = True):
+        self._allowlist = allowlist or []
+        self._allow_all = allow_all
+
+    def check(self, url: str) -> None:
+        from urllib.parse import urlparse
+        host = urlparse(url).hostname or ""
+        # Always block private/SSRF targets
+        for pattern in self._PRIVATE_PATTERNS:
+            if pattern.search(host):
+                raise NetworkPolicyViolationError(
+                    f"Blocked SSRF attempt to private address: {host}"
+                )
+        if not self._allow_all and self._allowlist:
+            if not any(host == a or host.endswith("." + a) for a in self._allowlist):
+                raise NetworkPolicyViolationError(
+                    f"Host '{host}' not in network_allowlist. Allowed: {self._allowlist}"
+                )

src/enterprise/team_config.py

@@ -0,0 +1,125 @@
+"""Team configuration for enterprise gdm deployments."""
+from __future__ import annotations
+
+from dataclasses import dataclass, field
+from fnmatch import fnmatch
+from pathlib import Path
+from typing import Any
+
+try:
+    import tomllib
+except ImportError:
+    import tomli as tomllib  # type: ignore
+
+
+@dataclass
+class ToolPolicy:
+    allowlist: list[str] = field(default_factory=list)   # empty = allow all
+    blocklist: list[str] = field(default_factory=list)
+    require_approval: list[str] = field(default_factory=list)
+
+
+@dataclass
+class ModelOverride:
+    default_model: str | None = None
+    max_tokens: int | None = None
+    temperature: float | None = None
+    allowed_models: list[str] = field(default_factory=list)  # empty = allow all
+
+
+@dataclass
+class TeamConfig:
+    team_name: str = "default"
+    tool_policy: ToolPolicy = field(default_factory=ToolPolicy)
+    model_override: ModelOverride = field(default_factory=ModelOverride)
+    enforce_conventions: bool = False
+    audit_log_enabled: bool = False
+    allowed_file_patterns: list[str] = field(default_factory=list)  # empty = allow all
+    blocked_file_patterns: list[str] = field(default_factory=list)
+    extra: dict[str, Any] = field(default_factory=dict)
+
+
+class TeamConfigLoader:
+    """Load and validate team.toml configuration files."""
+
+    DEFAULT_PATHS = ["team.toml", ".gdm/team.toml", "~/.gdm/team.toml"]
+
+    def __init__(self, config_path: str | Path | None = None):
+        self._path = Path(config_path) if config_path else None
+
+    def load(self) -> TeamConfig:
+        """Load team config from file. Returns default TeamConfig if no file found."""
+        paths = [self._path] if self._path else [
+            Path(p).expanduser() for p in self.DEFAULT_PATHS
+        ]
+        for path in paths:
+            if path and path.exists():
+                content = path.read_text(encoding="utf-8")
+                data = self._parse_toml(content)
+                return self._build_config(data)
+        return TeamConfig()
+
+    def _build_config(self, data: dict) -> TeamConfig:
+        """Build TeamConfig from parsed TOML dict."""
+        tp = data.get("tool_policy", {})
+        mo = data.get("model_override", {})
+
+        tool_policy = ToolPolicy(
+            allowlist=tp.get("allowlist", []),
+            blocklist=tp.get("blocklist", []),
+            require_approval=tp.get("require_approval", []),
+        )
+        model_override = ModelOverride(
+            default_model=mo.get("default_model"),
+            max_tokens=mo.get("max_tokens"),
+            temperature=mo.get("temperature"),
+            allowed_models=mo.get("allowed_models", []),
+        )
+
+        known_keys = {
+            "team_name", "tool_policy", "model_override",
+            "enforce_conventions", "audit_log_enabled",
+            "allowed_file_patterns", "blocked_file_patterns",
+        }
+        extra = {k: v for k, v in data.items() if k not in known_keys}
+
+        return TeamConfig(
+            team_name=data.get("team_name", "default"),
+            tool_policy=tool_policy,
+            model_override=model_override,
+            enforce_conventions=data.get("enforce_conventions", False),
+            audit_log_enabled=data.get("audit_log_enabled", False),
+            allowed_file_patterns=data.get("allowed_file_patterns", []),
+            blocked_file_patterns=data.get("blocked_file_patterns", []),
+            extra=extra,
+        )
+
+    def is_tool_allowed(self, tool_name: str, config: TeamConfig) -> bool:
+        """Check if tool is allowed by policy."""
+        policy = config.tool_policy
+        if tool_name in policy.blocklist:
+            return False
+        if policy.allowlist and tool_name not in policy.allowlist:
+            return False
+        return True
+
+    def is_model_allowed(self, model_name: str, config: TeamConfig) -> bool:
+        """Check if model is allowed by override policy."""
+        allowed = config.model_override.allowed_models
+        if allowed and model_name not in allowed:
+            return False
+        return True
+
+    def is_file_allowed(self, file_path: str, config: TeamConfig) -> bool:
+        """Check file against allowed/blocked patterns using fnmatch."""
+        for pattern in config.blocked_file_patterns:
+            if fnmatch(file_path, pattern):
+                return False
+        if config.allowed_file_patterns:
+            return any(fnmatch(file_path, p) for p in config.allowed_file_patterns)
+        return True
+
+    @staticmethod
+    def _parse_toml(content: str) -> dict:
+        """Parse TOML content."""
+        return tomllib.loads(content)