gdmcode 0.1.0__py3-none-any.whl

src/tools/quality_tools.py

@@ -0,0 +1,366 @@
+"""Quality tools — automatic lint, type-check, and security scan after file writes.
+
+Runs automatically after every write operation. Results are fed back into the
+agent loop as tool results — the model must fix failures before presenting to user.
+
+Supported linters:
+  .py  → ruff check, mypy --strict
+  .ts  → tsc --noEmit (if tsconfig.json exists)
+  .js  → (eslint if installed, otherwise skipped)
+"""
+from __future__ import annotations
+
+import json
+import logging
+import shutil
+import subprocess
+import tempfile
+from dataclasses import dataclass, field
+from pathlib import Path
+from typing import Any
+
+from src.tools import REGISTRY, ToolBase, ToolResult
+
+__all__ = ["LintFileTool", "TypeCheckTool", "SecurityScanTool", "ComplexityCheckTool"]
+
+log = logging.getLogger(__name__)
+
+# ---------------------------------------------------------------------------
+# Constants
+# ---------------------------------------------------------------------------
+
+_LINT_TIMEOUT_SECS: int = 30
+_MAX_ISSUE_CHARS: int = 4_000
+
+# Which linter binaries map to which suffixes.
+_PY_LINTERS: tuple[str, ...] = ("ruff",)
+_TS_LINTERS: tuple[str, ...] = ("tsc",)
+
+
+# ---------------------------------------------------------------------------
+# Helpers
+# ---------------------------------------------------------------------------
+
+@dataclass
+class LintResult:
+    """Aggregated result from one or more linter runs."""
+
+    issues: list[str] = field(default_factory=list)
+    tool_ran: str = ""
+    exit_code: int = 0
+
+    @property
+    def clean(self) -> bool:
+        return not self.issues
+
+    def summary(self, max_chars: int = _MAX_ISSUE_CHARS) -> str:
+        """Return a compact summary suitable for injection into a tool result."""
+        if self.clean:
+            return f"{self.tool_ran}: no issues found"
+        joined = "\n".join(self.issues)
+        if len(joined) > max_chars:
+            joined = joined[:max_chars] + "\n...(truncated)"
+        return f"{self.tool_ran} found issues:\n{joined}"
+
+
+def _run_cmd(
+    args: list[str],
+    cwd: Path,
+    *,
+    timeout: int = _LINT_TIMEOUT_SECS,
+) -> tuple[int, str]:
+    """Run a subprocess and return (exit_code, combined_output)."""
+    try:
+        result = subprocess.run(
+            args,
+            capture_output=True,
+            text=True,
+            cwd=cwd,
+            timeout=timeout,
+        )
+        combined = (result.stdout + "\n" + result.stderr).strip()
+        return result.returncode, combined
+    except subprocess.TimeoutExpired:
+        return 1, f"Timed out after {timeout}s"
+    except FileNotFoundError:
+        return -1, f"Tool not found: {args[0]!r}"
+    except OSError as exc:
+        return 1, str(exc)
+
+
+def _find_project_root(path: Path) -> Path:
+    """Walk up to find the nearest pyproject.toml / package.json."""
+    for parent in [path] + list(path.parents):
+        if (parent / "pyproject.toml").exists() or (parent / "package.json").exists():
+            return parent
+    return path.parent
+
+
+# ---------------------------------------------------------------------------
+# LintFileTool
+# ---------------------------------------------------------------------------
+
+class LintFileTool(ToolBase):
+    """Run the appropriate linter on a single file after it is written.
+
+    Supports: ruff (Python), tsc --noEmit (TypeScript).
+    Skips silently if the required linter is not installed.
+    """
+
+    name = "lint_file"
+    description = (
+        "Run the linter on a file immediately after writing it. "
+        "Use after every file write to catch issues before presenting to user."
+    )
+    input_schema: dict[str, Any] = {
+        "type": "object",
+        "properties": {
+            "path": {"type": "string", "description": "Absolute or relative path to the file."},
+        },
+        "required": ["path"],
+    }
+
+    def execute(self, params: dict[str, Any]) -> ToolResult:
+        """Run linter for the given file path."""
+        path = Path(params.get("path", ""))
+        if not path.exists():
+            return ToolResult(output="", error=f"File not found: {path}")
+
+        suffix = path.suffix.lower()
+        if suffix == ".py":
+            lint = self._lint_python(path)
+        elif suffix in (".ts", ".tsx"):
+            lint = self._lint_typescript(path)
+        else:
+            return ToolResult(output=f"No linter configured for {suffix} files.")
+
+        if lint.exit_code == -1:
+            return ToolResult(output=f"Linter not installed — skipping ({lint.tool_ran})")
+
+        return ToolResult(
+            output=lint.summary(),
+            error=None if lint.clean else lint.summary(),
+            exit_code=lint.exit_code,
+        )
+
+    def _lint_python(self, path: Path) -> LintResult:
+        if not shutil.which("ruff"):
+            return LintResult(tool_ran="ruff", exit_code=-1)
+        root = _find_project_root(path)
+        code, out = _run_cmd(["ruff", "check", str(path)], cwd=root)
+        issues = [l for l in out.splitlines() if l.strip()]
+        return LintResult(issues=issues, tool_ran="ruff", exit_code=code)
+
+    def _lint_typescript(self, path: Path) -> LintResult:
+        if not shutil.which("tsc"):
+            return LintResult(tool_ran="tsc", exit_code=-1)
+        root = _find_project_root(path)
+        tsconfig = root / "tsconfig.json"
+        if not tsconfig.exists():
+            return LintResult(tool_ran="tsc (no tsconfig)", exit_code=0)
+        code, out = _run_cmd(
+            ["tsc", "--noEmit", "--pretty", "false"], cwd=root
+        )
+        issues = [l for l in out.splitlines() if l.strip()]
+        return LintResult(issues=issues, tool_ran="tsc", exit_code=code)
+
+
+# ---------------------------------------------------------------------------
+# TypeCheckTool
+# ---------------------------------------------------------------------------
+
+class TypeCheckTool(ToolBase):
+    """Run mypy --strict on a list of Python files.
+
+    Used after writing Python code to catch type errors early.
+    """
+
+    name = "type_check"
+    description = (
+        "Run mypy --strict on Python files. "
+        "Use after writing Python code to catch type annotation errors."
+    )
+    input_schema: dict[str, Any] = {
+        "type": "object",
+        "properties": {
+            "files": {
+                "type": "array",
+                "items": {"type": "string"},
+                "description": "List of Python file paths to type-check.",
+            },
+        },
+        "required": ["files"],
+    }
+
+    def execute(self, params: dict[str, Any]) -> ToolResult:
+        """Run mypy on specified files."""
+        files: list[str] = params.get("files", [])
+        if not files:
+            return ToolResult(output="No files specified for type check.")
+
+        if not shutil.which("mypy"):
+            return ToolResult(output="mypy not installed — skipping type check.")
+
+        paths = [Path(f) for f in files]
+        existing = [str(p) for p in paths if p.exists()]
+        if not existing:
+            return ToolResult(output="", error="None of the specified files exist.")
+
+        root = _find_project_root(paths[0])
+        code, out = _run_cmd(
+            ["mypy", "--strict", "--no-error-summary", *existing],
+            cwd=root,
+            timeout=60,
+        )
+        issues = [l for l in out.splitlines() if l.strip() and "error:" in l]
+        result = LintResult(issues=issues, tool_ran="mypy", exit_code=code)
+
+        return ToolResult(
+            output=result.summary(),
+            error=None if result.clean else result.summary(),
+            exit_code=code,
+        )
+
+
+# ---------------------------------------------------------------------------
+# SecurityScanTool
+# ---------------------------------------------------------------------------
+
+class SecurityScanTool(ToolBase):
+    """Run a fast security scanner on a file.
+
+    Python: bandit -r (checks for common security issues).
+    TypeScript/JavaScript: semgrep --config=auto (if installed).
+    Falls back gracefully if tools are not installed.
+    """
+
+    name = "security_scan"
+    description = (
+        "Run a security scanner on a file. "
+        "Automatically triggered on auth/session/crypto/SQL/file-I/O changes."
+    )
+    input_schema: dict[str, Any] = {
+        "type": "object",
+        "properties": {
+            "path": {"type": "string", "description": "Path to the file to scan."},
+        },
+        "required": ["path"],
+    }
+
+    def execute(self, params: dict[str, Any]) -> ToolResult:
+        """Run security scanner for the given file."""
+        path = Path(params.get("path", ""))
+        if not path.exists():
+            return ToolResult(output="", error=f"File not found: {path}")
+
+        suffix = path.suffix.lower()
+        if suffix == ".py":
+            return self._scan_python(path)
+        if suffix in (".ts", ".tsx", ".js", ".jsx"):
+            return self._scan_js(path)
+        return ToolResult(output=f"No security scanner configured for {suffix} files.")
+
+    def _scan_python(self, path: Path) -> ToolResult:
+        if not shutil.which("bandit"):
+            return ToolResult(output="bandit not installed — security scan skipped.")
+        root = _find_project_root(path)
+        code, out = _run_cmd(
+            ["bandit", "-r", str(path), "-f", "text", "-ll"],
+            cwd=root,
+        )
+        if code == 0:
+            return ToolResult(output="bandit: no high/medium issues found.")
+        lines = [l for l in out.splitlines() if l.strip()]
+        issues = "\n".join(lines[:60])
+        return ToolResult(
+            output=issues,
+            error=issues if code != 0 else None,
+            exit_code=code,
+        )
+
+    def _scan_js(self, path: Path) -> ToolResult:
+        if not shutil.which("semgrep"):
+            return ToolResult(output="semgrep not installed — security scan skipped.")
+        root = _find_project_root(path)
+        # Use a temp file for --json-output (cross-platform; /dev/null fails on Windows)
+        with tempfile.NamedTemporaryFile(suffix=".json", delete=False) as _f:
+            out_path = _f.name
+        code, out = _run_cmd(
+            ["semgrep", "--config=auto", str(path), f"--json-output={out_path}"],
+            cwd=root,
+            timeout=60,
+        )
+        try:
+            Path(out_path).unlink(missing_ok=True)
+        except OSError:
+            pass
+        if code == 0:
+            return ToolResult(output="semgrep: no issues found.")
+        lines = [l for l in out.splitlines() if l.strip()]
+        issues = "\n".join(lines[:60])
+        return ToolResult(
+            output=issues,
+            error=issues if code != 0 else None,
+            exit_code=code,
+        )
+
+
+# ---------------------------------------------------------------------------
+# ComplexityCheckTool
+# ---------------------------------------------------------------------------
+
+class ComplexityCheckTool(ToolBase):
+    """Check cyclomatic complexity using radon cc.
+
+    Flags functions with complexity > 15 (radon grade C or higher).
+    Silently skips if radon is not installed.
+    """
+
+    name = "complexity_check"
+    description = (
+        "Check cyclomatic complexity using radon. "
+        "Flags functions with complexity > 15 as high risk."
+    )
+    input_schema: dict[str, Any] = {
+        "type": "object",
+        "properties": {
+            "path": {"type": "string", "description": "Path to the Python file to check."},
+        },
+        "required": ["path"],
+    }
+
+    def execute(self, params: dict[str, Any]) -> ToolResult:
+        """Run radon cc on the given file."""
+        path_str = params.get("path", "")
+        if not shutil.which("radon"):
+            return ToolResult(output="radon not installed - skipping complexity check")
+        result = subprocess.run(
+            ["radon", "cc", path_str, "--min", "C", "--json"],
+            capture_output=True, text=True, timeout=30,
+        )
+        if result.returncode != 0:
+            return ToolResult(output="", error=result.stderr or "radon cc failed")
+        try:
+            data: dict[str, Any] = json.loads(result.stdout or "{}")
+        except json.JSONDecodeError:
+            return ToolResult(output="radon: could not parse output")
+        high_complexity = [
+            f"{fn['name']} (complexity={fn['complexity']})"
+            for fns in data.values()
+            for fn in fns
+            if isinstance(fn, dict) and fn.get("complexity", 0) > 15
+        ]
+        if high_complexity:
+            return ToolResult(
+                output=f"High complexity functions: {', '.join(high_complexity)}",
+            )
+        return ToolResult(output="Complexity OK (all functions <= 15)")
+
+# ---------------------------------------------------------------------------
+# Registration
+# ---------------------------------------------------------------------------
+
+REGISTRY.register(LintFileTool())
+REGISTRY.register(TypeCheckTool())
+REGISTRY.register(SecurityScanTool())
+REGISTRY.register(ComplexityCheckTool())

src/tools/read_tools.py

@@ -0,0 +1,318 @@
+"""FileReadTool, FileWriteTool, FileEditTool — safe file operations.
+
+Security contracts:
+  - All paths are resolved and checked to be inside the workspace root.
+  - Binary files are detected and blocked from being injected into context.
+  - File reads are truncated at MAX_READ_BYTES.
+  - File writes create parent directories automatically.
+  - FileEditTool does exact-string replace (like Claude Code's FileEditTool) and
+    returns a unified diff of the change.
+"""
+from __future__ import annotations
+
+import difflib
+import logging
+import mimetypes
+import os
+from pathlib import Path
+from typing import Any, ClassVar
+
+from src.security import InjectionResult, check_file_injection, tag_untrusted
+from src.tools import REGISTRY, ToolBase, ToolResult
+
+__all__ = ["FileReadTool", "FileWriteTool", "FileEditTool"]
+
+log = logging.getLogger(__name__)
+
+# ---------------------------------------------------------------------------
+# Constants
+# ---------------------------------------------------------------------------
+
+_MAX_READ_BYTES: int = 200_000       # ~200 KB — enough for large source files
+_MAX_WRITE_BYTES: int = 1_000_000    # 1 MB write limit
+_MAX_LINES_DEFAULT: int = 2_000      # default line cap for reads (avoids massive files)
+
+_BINARY_MIME_PREFIXES: tuple[str, ...] = (
+    "image/", "audio/", "video/", "application/octet-stream",
+    "application/zip", "application/gzip", "application/x-tar",
+)
+
+
+# ---------------------------------------------------------------------------
+# Safety helpers
+# ---------------------------------------------------------------------------
+
+def _resolve_safe(path_str: str, workspace: Path | None) -> tuple[Path, str | None]:
+    """Resolve path; return (resolved_path, error_or_None).
+
+    Error is returned if the path escapes the workspace root.
+    """
+    try:
+        p = Path(path_str).resolve()
+    except Exception as exc:  # noqa: BLE001
+        return Path(path_str), f"Cannot resolve path: {exc}"
+
+    if workspace is not None:
+        try:
+            p.relative_to(workspace)
+        except ValueError:
+            return p, f"Path {path_str!r} is outside workspace {workspace}"
+    return p, None
+
+
+def _is_binary(path: Path) -> bool:
+    """Return True if the file looks like a binary (non-text) file."""
+    mime, _ = mimetypes.guess_type(str(path))
+    if mime and any(mime.startswith(p) for p in _BINARY_MIME_PREFIXES):
+        return True
+    # Sniff first 512 bytes.
+    try:
+        with path.open("rb") as f:
+            sample = f.read(512)
+        return b"\x00" in sample
+    except OSError:
+        return False
+
+
+def _is_document(path_str: str) -> bool:
+    """Return True if the file extension is a supported document format."""
+    from src.tools.document_tool import is_document_path
+    return is_document_path(path_str)
+
+
+def _read_text(path: Path, max_lines: int | None = None) -> tuple[str, bool]:
+    """Read a text file; return (content, was_truncated)."""
+    raw = path.read_bytes()
+    if len(raw) > _MAX_READ_BYTES:
+        raw = raw[:_MAX_READ_BYTES]
+        truncated = True
+    else:
+        truncated = False
+    content = raw.decode("utf-8", errors="replace")
+    if max_lines is not None:
+        lines = content.splitlines(keepends=True)
+        if len(lines) > max_lines:
+            content = "".join(lines[:max_lines])
+            truncated = True
+    return content, truncated
+
+
+# ---------------------------------------------------------------------------
+# FileReadTool
+# ---------------------------------------------------------------------------
+
+class FileReadTool(ToolBase):
+    """Read the text content of a file."""
+
+    name: ClassVar[str] = "read_file"
+    description: ClassVar[str] = (
+        "Read the contents of a text file. "
+        "Returns the file contents tagged as untrusted (safe to inject into prompts). "
+        "Binary files are rejected. Large files are truncated at 200 KB."
+    )
+    input_schema: ClassVar[dict[str, Any]] = {
+        "type": "object",
+        "required": ["path"],
+        "properties": {
+            "path": {"type": "string", "description": "Absolute or project-relative file path."},
+            "start_line": {"type": "integer", "description": "First line to return (1-indexed)."},
+            "end_line": {"type": "integer", "description": "Last line to return (inclusive)."},
+        },
+        "additionalProperties": False,
+    }
+
+    def __init__(self, workspace: Path | None = None) -> None:
+        self._workspace = workspace
+
+    def execute(self, params: dict[str, Any]) -> ToolResult:  # noqa: D102
+        path_str: str = params["path"]
+        start_line: int | None = params.get("start_line")
+        end_line: int | None = params.get("end_line")
+
+        path, err = _resolve_safe(path_str, self._workspace)
+        if err:
+            return ToolResult(output="", error=err)
+        if not path.exists():
+            return ToolResult(output="", error=f"File not found: {path}")
+        if not path.is_file():
+            return ToolResult(output="", error=f"Not a file: {path}")
+        if _is_document(path_str):
+            from src.tools.document_tool import read_document_tool
+            text = read_document_tool(str(path))
+            if text.startswith("Error"):
+                return ToolResult(output="", error=text)
+            # Run through the same injection/tagging pipeline as plain text reads
+            injection = check_file_injection(text, filename=str(path))
+            if injection.is_injected and injection.severity == "high":
+                text = f"[SECURITY: injection attempt blocked in {path.name}]"
+            text = tag_untrusted(text, filename=str(path))
+            return ToolResult(output=text, metadata={"path": str(path), "size_bytes": path.stat().st_size})
+        if _is_binary(path):
+            return ToolResult(output="", error=f"Binary file {path.name!r} cannot be read as text.")
+
+        content, truncated = _read_text(path)
+
+        if start_line is not None or end_line is not None:
+            lines = content.splitlines(keepends=True)
+            s = (start_line or 1) - 1
+            e = end_line if end_line else len(lines)
+            content = "".join(lines[s:e])
+
+        # Injection check before tagging — redact high-severity content
+        injection = check_file_injection(content, filename=str(path))
+        if injection.is_injected and injection.severity == "high":
+            content = (
+                f"[SECURITY: injection attempt blocked in {path.name}]"
+            )
+
+        tagged = tag_untrusted(content, filename=str(path))
+        return ToolResult(
+            output=tagged,
+            truncated=truncated,
+            metadata={"path": str(path), "size_bytes": path.stat().st_size},
+        )
+
+
+# ---------------------------------------------------------------------------
+# FileWriteTool
+# ---------------------------------------------------------------------------
+
+class FileWriteTool(ToolBase):
+    """Write or overwrite the full content of a file."""
+
+    name: ClassVar[str] = "write_file"
+    description: ClassVar[str] = (
+        "Write or overwrite a file with new content. "
+        "Creates parent directories automatically. "
+        "Use FileEditTool for targeted edits — FileWriteTool replaces the entire file."
+    )
+    input_schema: ClassVar[dict[str, Any]] = {
+        "type": "object",
+        "required": ["path", "content"],
+        "properties": {
+            "path": {"type": "string", "description": "Absolute or project-relative file path."},
+            "content": {"type": "string", "description": "Full file content to write."},
+        },
+        "additionalProperties": False,
+    }
+
+    def __init__(self, workspace: Path | None = None) -> None:
+        self._workspace = workspace
+
+    def execute(self, params: dict[str, Any]) -> ToolResult:  # noqa: D102
+        path_str: str = params["path"]
+        content: str = params["content"]
+
+        path, err = _resolve_safe(path_str, self._workspace)
+        if err:
+            return ToolResult(output="", error=err)
+
+        if len(content.encode("utf-8")) > _MAX_WRITE_BYTES:
+            return ToolResult(output="", error=f"Content exceeds {_MAX_WRITE_BYTES // 1024} KB write limit.")
+
+        path.parent.mkdir(parents=True, exist_ok=True)
+        tmp = path.with_suffix(path.suffix + ".gdm_tmp")
+        tmp.write_text(content, encoding="utf-8")
+        tmp.replace(path)  # atomic rename — safe on same-drive paths
+        log.info("FileWriteTool wrote %d bytes to %s", len(content), path)
+
+        return ToolResult(
+            output=f"Wrote {len(content.splitlines())} lines to {path.name}",
+            metadata={"path": str(path), "bytes_written": len(content.encode("utf-8"))},
+        )
+
+
+# ---------------------------------------------------------------------------
+# FileEditTool
+# ---------------------------------------------------------------------------
+
+class FileEditTool(ToolBase):
+    """Apply an exact-string replacement to a file, returning a unified diff.
+
+    The `old_str` must appear exactly once in the file.
+    The tool fails if there are zero or multiple matches — this prevents
+    accidental mass-edits from ambiguous patterns.
+    """
+
+    name: ClassVar[str] = "edit_file"
+    description: ClassVar[str] = (
+        "Replace an exact string in a file. "
+        "old_str must appear exactly once. "
+        "Returns a unified diff of the change."
+    )
+    input_schema: ClassVar[dict[str, Any]] = {
+        "type": "object",
+        "required": ["path", "old_str", "new_str"],
+        "properties": {
+            "path": {"type": "string", "description": "Absolute or project-relative file path."},
+            "old_str": {"type": "string", "description": "Exact text to replace (must be unique in file)."},
+            "new_str": {"type": "string", "description": "Replacement text."},
+        },
+        "additionalProperties": False,
+    }
+
+    def __init__(self, workspace: Path | None = None) -> None:
+        self._workspace = workspace
+
+    def execute(self, params: dict[str, Any]) -> ToolResult:  # noqa: D102
+        path_str: str = params["path"]
+        old_str: str = params["old_str"]
+        new_str: str = params["new_str"]
+
+        path, err = _resolve_safe(path_str, self._workspace)
+        if err:
+            return ToolResult(output="", error=err)
+        if not path.exists():
+            return ToolResult(output="", error=f"File not found: {path}")
+        if _is_binary(path):
+            return ToolResult(output="", error="Cannot edit binary file.")
+
+        original = path.read_text(encoding="utf-8", errors="replace")
+        count = original.count(old_str)
+
+        if count == 0:
+            return ToolResult(output="", error="old_str not found in file. No edit applied.")
+        if count > 1:
+            return ToolResult(
+                output="",
+                error=f"old_str appears {count} times — too ambiguous. Add more context.",
+            )
+
+        updated = original.replace(old_str, new_str, 1)
+        tmp = path.with_suffix(path.suffix + ".gdm_tmp")
+        tmp.write_text(updated, encoding="utf-8")
+        tmp.replace(path)  # atomic rename
+
+        diff = _make_diff(original, updated, path.name)
+        log.info("FileEditTool patched %s (%d chars → %d chars)", path.name, len(original), len(updated))
+
+        return ToolResult(
+            output=diff,
+            metadata={"path": str(path), "old_len": len(original), "new_len": len(updated)},
+        )
+
+
+# ---------------------------------------------------------------------------
+# Diff helper
+# ---------------------------------------------------------------------------
+
+def _make_diff(original: str, updated: str, filename: str) -> str:
+    """Return a compact unified diff string."""
+    orig_lines = original.splitlines(keepends=True)
+    new_lines = updated.splitlines(keepends=True)
+    diff_lines = difflib.unified_diff(
+        orig_lines, new_lines,
+        fromfile=f"a/{filename}",
+        tofile=f"b/{filename}",
+        lineterm="",
+    )
+    return "".join(diff_lines) or "(no diff — content unchanged)"
+
+
+# ---------------------------------------------------------------------------
+# Auto-register
+# ---------------------------------------------------------------------------
+
+REGISTRY.register(FileReadTool())
+REGISTRY.register(FileWriteTool())
+REGISTRY.register(FileEditTool())