gdmcode 0.1.0__py3-none-any.whl

src/sdk/plugin_host.py

@@ -0,0 +1,100 @@
+"""
+Plugin host subprocess entry point.
+Run as: python -m src.sdk.plugin_host <plugin_package>
+Communicates with parent via JSON-RPC 2.0 over stdin/stdout.
+"""
+import sys
+import json
+import importlib
+import logging
+from src.sdk.plugin_base import GdmPlugin, PermissionManifest
+
+log = logging.getLogger(__name__)
+
+
+class PermissionError(Exception):
+    pass
+
+
+def _check_permission(manifest: PermissionManifest, tool_meta: dict) -> None:
+    required = tool_meta.get("permissions")
+    if required is None:
+        return
+    for perm in ("file_write", "network", "git_write"):
+        if getattr(required, perm, False) and not getattr(manifest, perm, False):
+            raise PermissionError(f"Tool requires '{perm}' but plugin manifest denies it")
+
+
+def main():
+    if len(sys.argv) < 2:
+        print(json.dumps({"error": "Usage: plugin_host <plugin_package>"}), flush=True)
+        sys.exit(1)
+
+    plugin_package = sys.argv[1]
+    try:
+        module = importlib.import_module(plugin_package)
+    except ImportError as e:
+        print(json.dumps({"error": f"Cannot import plugin: {e}"}), flush=True)
+        sys.exit(1)
+
+    plugin: GdmPlugin = getattr(module, "plugin", None)
+    if plugin is None:
+        print(json.dumps({"error": "Plugin module has no 'plugin' instance"}), flush=True)
+        sys.exit(1)
+
+    plugin.on_load(context={})
+
+    # Discover @tool-decorated methods
+    tools = {}
+    for attr_name in dir(type(plugin)):
+        fn = getattr(type(plugin), attr_name, None)
+        if callable(fn) and hasattr(fn, "_gdm_tool"):
+            tools[fn._gdm_tool["name"]] = fn
+
+    try:
+        for line in sys.stdin:
+            line = line.strip()
+            if not line:
+                continue
+            try:
+                request = json.loads(line)
+            except json.JSONDecodeError:
+                print(json.dumps({"id": None, "error": "Invalid JSON"}), flush=True)
+                continue
+
+            req_id = request.get("id")
+            method = request.get("method", "")
+
+            if method == "list_tools":
+                reply = {"id": req_id, "result": [t._gdm_tool for t in tools.values()]}
+            elif method == "call_tool":
+                params = request.get("params", {})
+                name = params.get("name", "")
+                args = params.get("args", {})
+                if name not in tools:
+                    reply = {"id": req_id, "error": f"Unknown tool: {name}"}
+                else:
+                    fn = tools[name]
+                    try:
+                        _check_permission(plugin.permissions, fn._gdm_tool)
+                        result = fn(plugin, args) if hasattr(fn, "__self__") else fn(args)
+                        reply = {"id": req_id, "result": result}
+                    except PermissionError as e:
+                        reply = {"id": req_id, "error": f"Permission denied: {e}"}
+                    except Exception as e:
+                        reply = {"id": req_id, "error": str(e)}
+            elif method == "shutdown":
+                plugin.on_unload()
+                reply = {"id": req_id, "result": "ok"}
+                print(json.dumps(reply), flush=True)
+                break
+            else:
+                reply = {"id": req_id, "error": f"Unknown method: {method}"}
+
+            print(json.dumps(reply), flush=True)
+    finally:
+        plugin.on_unload()
+
+
+if __name__ == "__main__":
+    main()

src/sdk/plugin_loader.py

@@ -0,0 +1,101 @@
+import json
+import subprocess
+import sys
+import threading
+from pathlib import Path
+from typing import Optional
+
+TRUST_STORE = Path.home() / ".config" / "gdm" / "trusted_plugins.json"
+LOCAL_PLUGIN_DIR = Path(".gdm_plugins")
+
+
+class UntrustedPluginError(Exception):
+    pass
+
+
+class IpcPluginHandle:
+    def __init__(self, plugin_name: str, proc: subprocess.Popen):
+        self.name = plugin_name
+        self._proc = proc
+        self._lock = threading.Lock()
+        self._req_id = 0
+
+    def call(self, method: str, params: dict = None) -> dict:
+        with self._lock:
+            self._req_id += 1
+            req = {"id": self._req_id, "method": method, "params": params or {}}
+            self._proc.stdin.write(json.dumps(req) + "\n")
+            self._proc.stdin.flush()
+            line = self._proc.stdout.readline()
+            return json.loads(line)
+
+    def list_tools(self) -> list[dict]:
+        resp = self.call("list_tools")
+        return resp.get("result", [])
+
+    def call_tool(self, name: str, args: dict) -> dict:
+        return self.call("call_tool", {"name": name, "args": args})
+
+    def shutdown(self) -> None:
+        try:
+            self.call("shutdown")
+            self._proc.wait(timeout=5)
+        except Exception:
+            self._proc.kill()
+
+
+def is_trusted(plugin_name: str, trust_store_path: Path = None) -> bool:
+    path = trust_store_path or TRUST_STORE
+    if not path.exists():
+        return False
+    try:
+        trusted = json.loads(path.read_text())
+        return plugin_name in trusted.get("plugins", [])
+    except Exception:
+        return False
+
+
+def trust_plugin(plugin_name: str, trust_store_path: Path = None) -> None:
+    path = trust_store_path or TRUST_STORE
+    path.parent.mkdir(parents=True, exist_ok=True)
+    trusted = {"plugins": []}
+    if path.exists():
+        try:
+            trusted = json.loads(path.read_text())
+        except Exception:
+            pass
+    if plugin_name not in trusted["plugins"]:
+        trusted["plugins"].append(plugin_name)
+    path.write_text(json.dumps(trusted, indent=2))
+
+
+def discover_local_plugins() -> list[Path]:
+    if not LOCAL_PLUGIN_DIR.exists():
+        return []
+    return [p for p in LOCAL_PLUGIN_DIR.iterdir()
+            if p.is_dir() and (p / "gdm_plugin.py").exists()]
+
+
+def discover_entry_point_plugins() -> list[str]:
+    """Discover plugins registered via [project.entry-points.'gdm.plugins']."""
+    try:
+        from importlib.metadata import entry_points
+        eps = entry_points(group="gdm.plugins")
+        return [ep.name for ep in eps]
+    except Exception:
+        return []
+
+
+def load_plugin(plugin_name: str, plugin_path: str,
+                trust_store_path: Path = None) -> IpcPluginHandle:
+    if not is_trusted(plugin_name, trust_store_path):
+        raise UntrustedPluginError(
+            f"Plugin '{plugin_name}' is not in the trust store. "
+            f"Run `gdm plugin trust {plugin_name}` to grant access."
+        )
+    proc = subprocess.Popen(
+        [sys.executable, "-m", "src.sdk.plugin_host", plugin_path],
+        stdin=subprocess.PIPE, stdout=subprocess.PIPE,
+        text=True, bufsize=1
+    )
+    return IpcPluginHandle(plugin_name, proc)

src/security.py

@@ -0,0 +1,409 @@
+"""Security module — prompt injection defense, context tagging, audit logging.
+
+The single most critical non-functional concern in an agentic coding assistant.
+OWASP #1 for AI agents: prompt injection via file content.
+
+Four layers:
+  1. tag_untrusted()         — wraps file content so the model knows it is data, not instruction
+  2. check_file_injection()  — high-sensitivity structural scan for file content (redact on hit)
+  3. check_user_injection()  — low-sensitivity structural-only scan for user-typed messages
+  4. AuditLogger             — writes every tool call to gdm.db audit_log (immutable record)
+
+Legacy:
+  check_injection()  — kept for backward compatibility; delegates to check_file_injection()
+                        and raises InjectionDetectedError on high severity.
+"""
+from __future__ import annotations
+
+import dataclasses
+import logging
+import re
+from typing import Literal
+
+from src._internal.constants import (
+    _INJECTION_PATTERNS,
+    _UNTRUSTED_TAG_PREFIX,
+    _UNTRUSTED_TAG_SUFFIX,
+    _USER_INSTRUCTIONS_TAG,
+)
+from src.exceptions import InjectionDetectedError
+
+__all__ = [
+    "tag_untrusted",
+    "tag_user_instructions",
+    "check_file_injection",
+    "check_user_injection",
+    "check_injection",
+    "InjectionResult",
+    "AuditLogger",
+    "clear_flagged_files",
+    "redact",
+    "redact_dict",
+    "redact_json",
+    "RedactionEngine",
+    "SafeForRemote",
+    "SafeForExport",
+    "InternalOnly",
+]
+
+log = logging.getLogger(__name__)
+
+# ---------------------------------------------------------------------------
+# InjectionResult
+# ---------------------------------------------------------------------------
+
+@dataclasses.dataclass(frozen=True)
+class InjectionResult:
+    """Result of an injection scan.
+
+    Attributes:
+        is_injected: True if an injection pattern was found.
+        pattern:     The matching pattern string, or None.
+        severity:    "high" | "medium" | "low"
+    """
+    is_injected: bool
+    pattern: str | None
+    severity: Literal["high", "medium", "low"]
+
+
+# ---------------------------------------------------------------------------
+# File-content injection patterns (HIGH sensitivity)
+#
+# These match structural injection: role overrides, token stuffing, embedded
+# system prompt headers.  Real attack surface — file content injected into the
+# model prompt.  Action on hit: redact + log WARNING.
+# ---------------------------------------------------------------------------
+
+_FILE_HIGH_PATTERNS: list[tuple[re.Pattern[str], str]] = [
+    # Role injection at line start
+    (re.compile(r"^\s*SYSTEM\s*:", re.IGNORECASE | re.MULTILINE), "role-injection:SYSTEM"),
+    (re.compile(r"^\s*ASSISTANT\s*:", re.IGNORECASE | re.MULTILINE), "role-injection:ASSISTANT"),
+    # Common override phrases (multi-line, anywhere)
+    (re.compile(r"IGNORE\s+PREVIOUS\s+INSTRUCTIONS", re.IGNORECASE), "override:ignore-prev"),
+    (re.compile(r"IGNORE\s+ALL\s+PREVIOUS", re.IGNORECASE), "override:ignore-all"),
+    (re.compile(r"FORGET\s+YOUR\s+INSTRUCTIONS", re.IGNORECASE), "override:forget"),
+    (re.compile(r"DISREGARD\s+(ALL\s+)?YOUR\s+(PREVIOUS\s+)?INSTRUCTIONS", re.IGNORECASE), "override:disregard"),
+    # HTML/markdown comment injection
+    (re.compile(r"<!--\s*IGNORE\s+PREVIOUS", re.IGNORECASE), "html-comment-inject"),
+    # ChatML / tokenizer-level injection
+    (re.compile(r"<\|im_start\|>\s*system", re.IGNORECASE), "chatml:im_start"),
+    (re.compile(r"<\|endoftext\|>", re.IGNORECASE), "chatml:endoftext"),
+    (re.compile(r"<\|pad\|>", re.IGNORECASE), "chatml:pad"),
+    (re.compile(r"<\|system\|>", re.IGNORECASE), "chatml:system"),
+    (re.compile(r"<\|user\|>", re.IGNORECASE), "chatml:user"),
+    (re.compile(r"<\|assistant\|>", re.IGNORECASE), "chatml:assistant"),
+    # JSON/YAML key injection
+    (re.compile(r'"_system"\s*:', re.IGNORECASE), "json-key:_system"),
+    (re.compile(r'"_instructions"\s*:', re.IGNORECASE), "json-key:_instructions"),
+    (re.compile(r'"_override"\s*:', re.IGNORECASE), "json-key:_override"),
+    (re.compile(r'_system\s*:', re.IGNORECASE), "yaml-key:_system"),
+    # Docstring hijacking with instruction verbs
+    (re.compile(r'"""\s*(IGNORE|OVERRIDE|FORGET|DISREGARD)\s', re.IGNORECASE), "docstring-inject"),
+]
+
+_FILE_MEDIUM_PATTERNS: list[tuple[re.Pattern[str], str]] = [
+    # Softer override phrases — higher false-positive risk
+    (re.compile(r"\bNEW\s+INSTRUCTIONS\b\s*:", re.IGNORECASE), "soft:new-instructions"),
+    (re.compile(r"\bSYSTEM\s+PROMPT\b\s*:", re.IGNORECASE), "soft:system-prompt"),
+    (re.compile(r"\bYOU\s+ARE\s+NOW\b", re.IGNORECASE), "soft:you-are-now"),
+    (re.compile(r"\bACT\s+AS\s+IF\b", re.IGNORECASE), "soft:act-as-if"),
+    (re.compile(r"###\s*INSTRUCTION", re.IGNORECASE), "soft:instruction-heading"),
+]
+
+# ---------------------------------------------------------------------------
+# User-message injection patterns (LOW sensitivity, structural-only)
+#
+# Legitimate developer messages ("ignore the lint errors") must NOT trigger.
+# Only clearly malicious token-level or structural abuse patterns are here.
+# ---------------------------------------------------------------------------
+
+_USER_STRUCTURAL_PATTERNS: list[tuple[re.Pattern[str], str]] = [
+    (re.compile(r"\[SYSTEM\s+OVERRIDE\]", re.IGNORECASE), "user:system-override"),
+    (re.compile(r"<\|im_start\|>\s*system", re.IGNORECASE), "user:chatml-im_start"),
+    (re.compile(r"<\|endoftext\|>", re.IGNORECASE), "user:chatml-endoftext"),
+    (re.compile(r"<\|system\|>", re.IGNORECASE), "user:chatml-system"),
+    (re.compile(r"<<<\s*SYSTEM\s*>>>", re.IGNORECASE), "user:triple-lt-system"),
+    (re.compile(r"\[INST\]\s*\[SYS\]", re.IGNORECASE), "user:llama-sys"),
+    (re.compile(r"<s>\s*\[INST\]", re.IGNORECASE), "user:llama-bos"),
+]
+
+# ---------------------------------------------------------------------------
+# Per-session dedup — same file flagged at most once to avoid log floods
+# ---------------------------------------------------------------------------
+
+_flagged_files: set[str] = set()
+
+
+def clear_flagged_files() -> None:
+    """Reset the per-session dedup set (call at session start/between sessions)."""
+    _flagged_files.clear()
+
+
+# ---------------------------------------------------------------------------
+# Legacy compiled patterns (used only by check_injection() backward compat)
+# ---------------------------------------------------------------------------
+_COMPILED_PATTERNS: list[re.Pattern[str]] = [
+    re.compile(p, re.IGNORECASE) for p in _INJECTION_PATTERNS
+]
+
+
+# ---------------------------------------------------------------------------
+# Public API
+# ---------------------------------------------------------------------------
+
+def check_file_injection(content: str, filename: str) -> InjectionResult:
+    """Scan file content for prompt injection patterns.
+
+    Uses HIGH-sensitivity patterns for direct structural injection, then
+    MEDIUM patterns for softer overrides.  Only logs each unique filename
+    once per session (dedup).
+
+    Args:
+        content:  Raw text content of the file.
+        filename: Display name of the file (used in logs and redaction prefix).
+
+    Returns:
+        InjectionResult.  Caller should inspect `is_injected` and `severity`
+        and redact or block if severity == "high".
+    """
+    for pattern, label in _FILE_HIGH_PATTERNS:
+        if pattern.search(content):
+            if filename not in _flagged_files:
+                _flagged_files.add(filename)
+                log.warning(
+                    "Injection pattern detected in '%s' (high severity): '%s' — content will be redacted",
+                    filename, label,
+                )
+            return InjectionResult(is_injected=True, pattern=label, severity="high")
+
+    for pattern, label in _FILE_MEDIUM_PATTERNS:
+        if pattern.search(content):
+            if filename not in _flagged_files:
+                _flagged_files.add(filename)
+                log.warning(
+                    "Injection pattern detected in '%s' (medium severity): '%s'",
+                    filename, label,
+                )
+            return InjectionResult(is_injected=True, pattern=label, severity="medium")
+
+    return InjectionResult(is_injected=False, pattern=None, severity="low")
+
+
+def check_user_injection(message: str) -> InjectionResult:
+    """Scan a user-typed message for structural injection patterns (LOW sensitivity).
+
+    Only catches clearly malicious token-level abuse.  Legitimate developer
+    messages ("ignore the lint errors", "you are now a senior dev") are
+    intentionally NOT flagged.
+
+    Args:
+        message: The user's raw message text.
+
+    Returns:
+        InjectionResult.  If is_injected is True, the caller should emit a
+        WARNING event but must NOT block the message.
+    """
+    for pattern, label in _USER_STRUCTURAL_PATTERNS:
+        if pattern.search(message):
+            log.warning("User message contains structural injection pattern: '%s'", label)
+            return InjectionResult(is_injected=True, pattern=label, severity="low")
+    return InjectionResult(is_injected=False, pattern=None, severity="low")
+
+
+def check_injection(content: str, filename: str) -> None:
+    """Legacy compatibility shim — prefer check_file_injection() for new code.
+
+    Raises InjectionDetectedError on high-severity file injection patterns.
+    """
+    result = check_file_injection(content, filename)
+    if result.is_injected and result.severity == "high":
+        raise InjectionDetectedError(filename=filename, pattern=result.pattern or "unknown")
+
+
+def tag_untrusted(content: str, filename: str) -> str:
+    """Wrap file content in an untrusted tag so the model treats it as data only.
+
+    The system prompt must explicitly instruct the model to never follow
+    instructions found inside [UNTRUSTED: ...] blocks.
+
+    Example output::
+
+        [UNTRUSTED: src/auth.py]
+        def login(user, password):
+            ...
+        [/UNTRUSTED: src/auth.py]
+    """
+    return (
+        f"{_UNTRUSTED_TAG_PREFIX}{filename}{_UNTRUSTED_TAG_SUFFIX}\n"
+        f"{content}\n"
+        f"[/UNTRUSTED: {filename}]"
+    )
+
+
+def tag_user_instructions(content: str) -> str:
+    """Wrap .gdm instructions with the USER INSTRUCTIONS tag.
+
+    Unlike UNTRUSTED, the model IS allowed to follow these instructions.
+    The distinction between the two tags must be clear in the system prompt.
+    """
+    return f"{_USER_INSTRUCTIONS_TAG}\n{content}\n[/USER INSTRUCTIONS]"
+
+
+class AuditLogger:
+    """Writes an immutable audit trail of all tool executions to gdm.db.
+
+    Instantiate once per session and pass the session_id. Every tool call —
+    allowed or denied — must be logged here. This is the accountability record.
+    """
+
+    def __init__(self, db: object, session_id: str) -> None:
+        # Typed as object to avoid circular imports; runtime type is GdmDatabase
+        self._db = db
+        self._session_id = session_id
+
+    def log_tool(
+        self,
+        tool: str,
+        args: dict,  # type: ignore[type-arg]
+        model: str | None = None,
+        decision: str = "allowed",
+    ) -> None:
+        """Record a tool call.
+
+        Args:
+            tool: tool name (e.g. "write_file", "bash", "web_search")
+            args: tool arguments dict (will be JSON-serialised)
+            model: model that requested this tool call, if known
+            decision: "allowed" | "denied" | "allowed_session"
+        """
+        try:
+            self._db.audit_log_write(  # type: ignore[attr-defined]
+                session_id=self._session_id,
+                tool=tool,
+                args=args,
+                model=model,
+                decision=decision,
+            )
+        except Exception as exc:
+            # Audit failure must never crash the agent — log it and continue
+            log.error("AuditLogger: failed to write entry for tool '%s': %s", tool, exc)
+
+    def log_denied(
+        self,
+        tool: str,
+        args: dict,  # type: ignore[type-arg]
+        reason: str,
+        model: str | None = None,
+    ) -> None:
+        """Convenience method for denied tool calls."""
+        log.warning("Tool '%s' DENIED — %s", tool, reason)
+        self.log_tool(tool=tool, args=args, model=model, decision="denied")
+
+
+# ---------------------------------------------------------------------------
+# Redaction Engine (security-001)
+# ---------------------------------------------------------------------------
+
+import json as _json
+from typing import Any as _Any, Annotated as _Annotated
+
+_SECRET_PATTERNS_REDACT: list[re.Pattern[str]] = [
+    # Provider API key formats
+    re.compile(r'\bsk-[A-Za-z0-9\-_]{20,}'),                    # OpenAI
+    re.compile(r'\bxai-[A-Za-z0-9\-_]{20,}'),                   # Grok/xAI
+    re.compile(r'\bghp_[A-Za-z0-9]{36}\b'),                     # GitHub PAT
+    re.compile(r'\bghs_[A-Za-z0-9]{36}\b'),                     # GitHub Actions token
+    re.compile(r'\bBearer\s+[A-Za-z0-9\-_.~+/]{20,}'),          # Bearer tokens
+    # Environment variable assignments (KEY=value, KEY: value, KEY = "value")
+    re.compile(r'(?i)(?:api[_-]?key|token|secret|password|passwd|credential|auth[_-]?token)\s*[=:]\s*["\']?[\w\-\.+/]{8,}["\']?'),
+    # PEM/certificate headers
+    re.compile(r'-----BEGIN\s+[A-Z ]+-----[\s\S]+?-----END\s+[A-Z ]+-----'),
+    # AWS-style access keys
+    re.compile(r'\bAKIA[0-9A-Z]{16}\b'),
+]
+
+_SENSITIVE_FILE_PATTERNS: list[re.Pattern[str]] = [
+    re.compile(r'(?i)\b\S+\.(pem|key|p12|pfx|jks|crt|cer)\b'),
+]
+
+REDACTED: str = "[REDACTED]"
+
+
+class RedactionEngine:
+    """Pattern-based secret redactor for text and structured data.
+
+    Used by event log writers, remote transcript, audit export, and evals
+    to ensure no raw secrets are stored or transmitted.
+
+    Usage::
+
+        engine = RedactionEngine()
+        clean = engine.redact("my key is sk-abc123xyz...")
+        clean_dict = engine.redact_dict({"args": {"content": "sk-abc..."}})
+    """
+
+    def redact(self, text: str) -> str:
+        """Replace secret patterns in text with REDACTED marker."""
+        for pattern in _SECRET_PATTERNS_REDACT + _SENSITIVE_FILE_PATTERNS:
+            text = pattern.sub(REDACTED, text)
+        return text
+
+    def redact_dict(self, d: dict[str, _Any]) -> dict[str, _Any]:
+        """Recursively redact string values in a dict."""
+        result: dict[str, _Any] = {}
+        for k, v in d.items():
+            if isinstance(v, str):
+                result[k] = self.redact(v)
+            elif isinstance(v, dict):
+                result[k] = self.redact_dict(v)
+            elif isinstance(v, list):
+                result[k] = [
+                    self.redact(item) if isinstance(item, str) else item
+                    for item in v
+                ]
+            else:
+                result[k] = v
+        return result
+
+    def redact_json(self, json_str: str) -> str:
+        """Redact a JSON string by parsing, redacting, and re-serialising."""
+        try:
+            obj = _json.loads(json_str)
+            if isinstance(obj, dict):
+                return _json.dumps(self.redact_dict(obj))
+            elif isinstance(obj, str):
+                return _json.dumps(self.redact(obj))
+        except (_json.JSONDecodeError, TypeError):
+            pass
+        # Fallback: redact the raw string
+        return self.redact(json_str)
+
+
+# Module-level singleton — import redact/redact_dict directly
+_redaction_engine = RedactionEngine()
+
+
+def redact(text: str) -> str:
+    """Redact secrets from a plain text string. Module-level convenience wrapper."""
+    return _redaction_engine.redact(text)
+
+
+def redact_dict(d: dict[str, _Any]) -> dict[str, _Any]:
+    """Redact secrets from a dict recursively. Module-level convenience wrapper."""
+    return _redaction_engine.redact_dict(d)
+
+
+def redact_json(json_str: str) -> str:
+    """Redact secrets from a JSON string. Module-level convenience wrapper."""
+    return _redaction_engine.redact_json(json_str)
+
+
+# ---------------------------------------------------------------------------
+# Field safety classifiers (for type annotation use)
+# ---------------------------------------------------------------------------
+
+# Annotate dataclass/TypedDict fields with these to document safety level.
+# Any field with InternalOnly must be stripped before remote/export dispatch.
+SafeForRemote = _Annotated[str, "safe_for_remote"]   # can stream to phone UI
+SafeForExport = _Annotated[str, "safe_for_export"]   # can write to audit/SIEM export
+InternalOnly  = _Annotated[str, "internal_only"]     # never leave this process

src/server/__init__.py

@@ -0,0 +1,7 @@
+"""Bridge server for browser extension communication."""
+from __future__ import annotations
+
+from src.server.bridge import BridgeServer
+from src.server.bridge_client import BridgeClient
+
+__all__ = ["BridgeServer", "BridgeClient"]