gitgalaxy 1.0.6__tar.gz → 1.0.8__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- {gitgalaxy-1.0.6 → gitgalaxy-1.0.8}/PKG-INFO +30 -8
- gitgalaxy-1.0.8/README.md +104 -0
- {gitgalaxy-1.0.6 → gitgalaxy-1.0.8}/gitgalaxy/aperture.py +20 -18
- {gitgalaxy-1.0.6 → gitgalaxy-1.0.8}/gitgalaxy/audit_recorder.py +107 -4
- {gitgalaxy-1.0.6 → gitgalaxy-1.0.8}/gitgalaxy/detector.py +5 -13
- {gitgalaxy-1.0.6 → gitgalaxy-1.0.8}/gitgalaxy/galaxyscope.py +100 -6
- {gitgalaxy-1.0.6 → gitgalaxy-1.0.8}/gitgalaxy/gitgalaxy_standards_v011.py +181 -230
- {gitgalaxy-1.0.6 → gitgalaxy-1.0.8}/gitgalaxy/gpu_recorder.py +15 -42
- {gitgalaxy-1.0.6 → gitgalaxy-1.0.8}/gitgalaxy/language_lens.py +36 -2
- {gitgalaxy-1.0.6 → gitgalaxy-1.0.8}/gitgalaxy/llm_recorder.py +116 -20
- gitgalaxy-1.0.8/gitgalaxy/security_lens.py +181 -0
- {gitgalaxy-1.0.6 → gitgalaxy-1.0.8}/gitgalaxy/signal_processor.py +211 -26
- {gitgalaxy-1.0.6 → gitgalaxy-1.0.8}/gitgalaxy/spectral_auditor.py +33 -2
- {gitgalaxy-1.0.6 → gitgalaxy-1.0.8}/gitgalaxy.egg-info/PKG-INFO +30 -8
- {gitgalaxy-1.0.6 → gitgalaxy-1.0.8}/gitgalaxy.egg-info/SOURCES.txt +1 -0
- {gitgalaxy-1.0.6 → gitgalaxy-1.0.8}/pyproject.toml +1 -1
- gitgalaxy-1.0.6/README.md +0 -82
- {gitgalaxy-1.0.6 → gitgalaxy-1.0.8}/LICENSE +0 -0
- {gitgalaxy-1.0.6 → gitgalaxy-1.0.8}/gitgalaxy/__init__.py +0 -0
- {gitgalaxy-1.0.6 → gitgalaxy-1.0.8}/gitgalaxy/chronometer.py +0 -0
- {gitgalaxy-1.0.6 → gitgalaxy-1.0.8}/gitgalaxy/guidestar_lens.py +0 -0
- {gitgalaxy-1.0.6 → gitgalaxy-1.0.8}/gitgalaxy/prism.py +0 -0
- {gitgalaxy-1.0.6 → gitgalaxy-1.0.8}/gitgalaxy/record_keeper.py +0 -0
- {gitgalaxy-1.0.6 → gitgalaxy-1.0.8}/gitgalaxy.egg-info/dependency_links.txt +0 -0
- {gitgalaxy-1.0.6 → gitgalaxy-1.0.8}/gitgalaxy.egg-info/entry_points.txt +0 -0
- {gitgalaxy-1.0.6 → gitgalaxy-1.0.8}/gitgalaxy.egg-info/top_level.txt +0 -0
- {gitgalaxy-1.0.6 → gitgalaxy-1.0.8}/setup.cfg +0 -0
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Metadata-Version: 2.4
|
|
2
2
|
Name: gitgalaxy
|
|
3
|
-
Version: 1.0.
|
|
3
|
+
Version: 1.0.8
|
|
4
4
|
Summary: Visualizes codebase complexity as explorable 3D galaxies.
|
|
5
5
|
Author: Joe Esquibel
|
|
6
6
|
License: PolyForm Noncommercial License 1.0.0
|
|
@@ -20,14 +20,24 @@ Dynamic: license-file
|
|
|
20
20
|
[](https://badge.fury.io/py/gitgalaxy)
|
|
21
21
|
[](https://www.python.org/downloads/)
|
|
22
22
|
[](https://polyformproject.org/licenses/noncommercial/1.0.0/)
|
|
23
|
+
|
|
24
|
+
[](#)
|
|
25
|
+
[](#)
|
|
26
|
+
[](#)
|
|
27
|
+
[](#)
|
|
28
|
+
[](#)
|
|
29
|
+
|
|
23
30
|
[](https://pypi.org/project/gitgalaxy/)
|
|
24
31
|
[](#)
|
|
25
|
-
|
|
26
|
-
[](#)
|
|
32
|
+
|
|
27
33
|
|
|
28
34
|
Code is art. Logic is art. Systems engineering is art.
|
|
29
35
|
|
|
30
|
-
GitGalaxy
|
|
36
|
+
GitGalaxy is a two-part ecosystem connected by a universal JSON contract. It is designed to extract the structural DNA of massive software repositories and render their non-visual architecture into measurable, explorable 3D galaxies.
|
|
37
|
+
|
|
38
|
+
**1. The blAST Engine - The galaxyscope (Backend):** A hyper-scale, language-agnostic static analysis CLI. Based on 50 years of bioinformatics and genetic sequencing algorithms, it parses code at ~100,000 LOC/second. It outputs rich JSON telemetry, SQLite databases, and low-token Markdown briefs optimized for AI-agent workflows.
|
|
39
|
+
|
|
40
|
+
**2. The Observatory (Frontend):** Drop your galaxy.json into the free viewer at [GitGalaxy.io](https://gitgalaxy.io/) or use the repo's airgap_observatory, a standalone, zero-telemetry WebGPU visualizer. Both visualizers read the JSON contract and renders the entire code base as a procedural 3D galaxy where files are stars, allowing humans to visually map scale and risk exposure instantly.
|
|
31
41
|
|
|
32
42
|
**Live Demo:** View 3D galaxy examples of Apollo-11, Linux, Tensorflow and more at [GitGalaxy.io](https://gitgalaxy.io/)
|
|
33
43
|
|
|
@@ -74,13 +84,17 @@ Open your web browser and go to http://localhost:8000.
|
|
|
74
84
|
|
|
75
85
|
Drag and drop your newly generated _galaxy.json file to instantly render your architecture.
|
|
76
86
|
|
|
77
|
-
##
|
|
87
|
+
## 🧬 The blAST Paradigm: Sequencing the DNA of Software
|
|
78
88
|
|
|
79
|
-
|
|
89
|
+
Traditional computer science treats software like a rigid blueprint, using slow, language-specific Abstract Syntax Trees (ASTs) to analyze code. GitGalaxy treats code as a living, mutating organism using **blAST (Broad Lexical Abstract Syntax Tracker)**.
|
|
80
90
|
|
|
81
|
-
|
|
91
|
+
By applying the principles of biological sequence alignment to software, blAST hunts for the universal structural markers of logic across ~40 languages and ~250 file extensions. We translate this genetic code into "phenotypes"—measurable risk exposures.
|
|
82
92
|
|
|
83
|
-
|
|
93
|
+
### Sequencing at Hyper-Scale
|
|
94
|
+
By abandoning the compiler bottleneck, blAST achieves processing velocities that traditional ASTs simply cannot comprehend. In live telemetry tracking across the largest open-source ecosystems, blAST demonstrated its absolute scale:
|
|
95
|
+
* **Peak Velocity:** Sequenced the 141,445 lines of the original **Apollo-11** Guidance Computer assembly code in **0.28 seconds** (an alignment rate of **513,298 LOC/s**).
|
|
96
|
+
* **Massive Monoliths:** Chewed through the **3.2 million lines of OpenCV in just 11.11 seconds** (288,594 LOC/s).
|
|
97
|
+
* **Planetary Scale:** Effortlessly mapped the architectural DNA of planetary-scale repositories like **TensorFlow (7.8M LOC)**, **Kubernetes (5.5M LOC)**, and **FreeBSD (24.4M LOC)** in a fraction of the time required to compile them.
|
|
84
98
|
|
|
85
99
|
## Zero-Trust Architecture
|
|
86
100
|
|
|
@@ -90,6 +104,14 @@ Your code never leaves your machine. GitGalaxy performs 100% of its scanning and
|
|
|
90
104
|
* **Ephemeral Memory Processing:** Repositories are unpacked into a volatile memory buffer (RAM) and are automatically purged when the browser tab is closed.
|
|
91
105
|
* **Privacy-by-Design:** Even when using the web-based viewer, the data remains behind the user's firewall at all times.
|
|
92
106
|
|
|
107
|
+
### The Viral Security Lens: Behavioral Threat Hunting
|
|
108
|
+
Traditional security scanners rely on rigid, outdated virus signatures. blAST acts like an immune system, hunting for the *behavioral genetic markers* of a threat. By analyzing the structural density of I/O hits, execution triggers, and security bypasses, blAST is perfectly engineered to stop modern attack vectors:
|
|
109
|
+
|
|
110
|
+
* **Supply-Chain Poisoning:** Instantly flags seemingly innocent setup scripts that possess an anomalous density of network I/O and dynamic execution (`eval`/`exec`).
|
|
111
|
+
* **Logic Bombs & Sabotage:** Identifies code designed to destroy infrastructure by catching dense concentrations of catastrophic OS commands and raw hardware aborts.
|
|
112
|
+
* **Steganography & Obfuscated Malware:** Mathematically exposes evasion techniques, flagging Unicode Smuggling (homoglyph imports) and sub-atomic custom XOR decryption loops.
|
|
113
|
+
* **Credential Hemorrhaging:** Acts as a ruthless data vault scanner, isolating hardcoded cryptographic assets (`.pem`, `.pfx`, `.jks` files) buried deep within massive repositories.
|
|
114
|
+
|
|
93
115
|
## License & Copyright
|
|
94
116
|
|
|
95
117
|
Copyright (c) 2026 Joe Esquibel
|
|
@@ -0,0 +1,104 @@
|
|
|
1
|
+
# GitGalaxy
|
|
2
|
+
|
|
3
|
+
[](https://badge.fury.io/py/gitgalaxy)
|
|
4
|
+
[](https://www.python.org/downloads/)
|
|
5
|
+
[](https://polyformproject.org/licenses/noncommercial/1.0.0/)
|
|
6
|
+
|
|
7
|
+
[](#)
|
|
8
|
+
[](#)
|
|
9
|
+
[](#)
|
|
10
|
+
[](#)
|
|
11
|
+
[](#)
|
|
12
|
+
|
|
13
|
+
[](https://pypi.org/project/gitgalaxy/)
|
|
14
|
+
[](#)
|
|
15
|
+
|
|
16
|
+
|
|
17
|
+
Code is art. Logic is art. Systems engineering is art.
|
|
18
|
+
|
|
19
|
+
GitGalaxy is a two-part ecosystem connected by a universal JSON contract. It is designed to extract the structural DNA of massive software repositories and render their non-visual architecture into measurable, explorable 3D galaxies.
|
|
20
|
+
|
|
21
|
+
**1. The blAST Engine - The galaxyscope (Backend):** A hyper-scale, language-agnostic static analysis CLI. Based on 50 years of bioinformatics and genetic sequencing algorithms, it parses code at ~100,000 LOC/second. It outputs rich JSON telemetry, SQLite databases, and low-token Markdown briefs optimized for AI-agent workflows.
|
|
22
|
+
|
|
23
|
+
**2. The Observatory (Frontend):** Drop your galaxy.json into the free viewer at [GitGalaxy.io](https://gitgalaxy.io/) or use the repo's airgap_observatory, a standalone, zero-telemetry WebGPU visualizer. Both visualizers read the JSON contract and renders the entire code base as a procedural 3D galaxy where files are stars, allowing humans to visually map scale and risk exposure instantly.
|
|
24
|
+
|
|
25
|
+
**Live Demo:** View 3D galaxy examples of Apollo-11, Linux, Tensorflow and more at [GitGalaxy.io](https://gitgalaxy.io/)
|
|
26
|
+
|
|
27
|
+
> **Note:** This is a condensed version of the full documentation. For more info, please visit: [https://github.com/squid-protocol/gitgalaxy](https://github.com/squid-protocol/gitgalaxy)
|
|
28
|
+
|
|
29
|
+
---
|
|
30
|
+
|
|
31
|
+
## Quickstart
|
|
32
|
+
|
|
33
|
+
### 1. Install
|
|
34
|
+
|
|
35
|
+
```bash
|
|
36
|
+
pip install gitgalaxy
|
|
37
|
+
```
|
|
38
|
+
|
|
39
|
+
### 2. Scan a Repository
|
|
40
|
+
|
|
41
|
+
Point the GalaxyScope at any local repository or ZIP archive. The engine runs entirely on your local machine—zero data is transmitted.
|
|
42
|
+
|
|
43
|
+
```bash
|
|
44
|
+
galaxyscope /path/to/your/local/repo
|
|
45
|
+
```
|
|
46
|
+
|
|
47
|
+
### 3. View the Galaxy
|
|
48
|
+
|
|
49
|
+
GitGalaxy offers two ways to visualize your 3D architecture, both built on a strict Zero-Trust Privacy Model where your code never leaves your machine.
|
|
50
|
+
|
|
51
|
+
**Option A: The Web Viewer (Frictionless)**
|
|
52
|
+
Simply drag and drop your generated "your_repo_galaxy.json" file (or a .zip of your raw repository) directly into GitGalaxy.io. All rendering and scanning happens entirely in your browser's local memory.
|
|
53
|
+
|
|
54
|
+
**Option B: The Local Server (Enterprise & Offline)**
|
|
55
|
+
For teams operating under strict compliance rules or behind corporate firewalls, GitGalaxy includes a 100% static, zero-telemetry local viewer called the Airgap Observatory.
|
|
56
|
+
|
|
57
|
+
There is no backend, no database, and no external API calls. It is a completely closed-box system built on static HTML and JavaScript, you just need to spin up a basic local server to view it.
|
|
58
|
+
|
|
59
|
+
Navigate into the visualizer folder and start Python's built-in static web server:
|
|
60
|
+
|
|
61
|
+
```bash
|
|
62
|
+
git clone https://github.com/squid-protocol/gitgalaxy.git
|
|
63
|
+
cd gitgalaxy/airgap_observatory
|
|
64
|
+
python3 -m http.server 8000
|
|
65
|
+
```
|
|
66
|
+
Open your web browser and go to http://localhost:8000.
|
|
67
|
+
|
|
68
|
+
Drag and drop your newly generated _galaxy.json file to instantly render your architecture.
|
|
69
|
+
|
|
70
|
+
## 🧬 The blAST Paradigm: Sequencing the DNA of Software
|
|
71
|
+
|
|
72
|
+
Traditional computer science treats software like a rigid blueprint, using slow, language-specific Abstract Syntax Trees (ASTs) to analyze code. GitGalaxy treats code as a living, mutating organism using **blAST (Broad Lexical Abstract Syntax Tracker)**.
|
|
73
|
+
|
|
74
|
+
By applying the principles of biological sequence alignment to software, blAST hunts for the universal structural markers of logic across ~40 languages and ~250 file extensions. We translate this genetic code into "phenotypes"—measurable risk exposures.
|
|
75
|
+
|
|
76
|
+
### Sequencing at Hyper-Scale
|
|
77
|
+
By abandoning the compiler bottleneck, blAST achieves processing velocities that traditional ASTs simply cannot comprehend. In live telemetry tracking across the largest open-source ecosystems, blAST demonstrated its absolute scale:
|
|
78
|
+
* **Peak Velocity:** Sequenced the 141,445 lines of the original **Apollo-11** Guidance Computer assembly code in **0.28 seconds** (an alignment rate of **513,298 LOC/s**).
|
|
79
|
+
* **Massive Monoliths:** Chewed through the **3.2 million lines of OpenCV in just 11.11 seconds** (288,594 LOC/s).
|
|
80
|
+
* **Planetary Scale:** Effortlessly mapped the architectural DNA of planetary-scale repositories like **TensorFlow (7.8M LOC)**, **Kubernetes (5.5M LOC)**, and **FreeBSD (24.4M LOC)** in a fraction of the time required to compile them.
|
|
81
|
+
|
|
82
|
+
## Zero-Trust Architecture
|
|
83
|
+
|
|
84
|
+
Your code never leaves your machine. GitGalaxy performs 100% of its scanning and vectorization locally.
|
|
85
|
+
|
|
86
|
+
* **No Data Transmission:** Source code is never transmitted to any API, cloud database, or third-party service.
|
|
87
|
+
* **Ephemeral Memory Processing:** Repositories are unpacked into a volatile memory buffer (RAM) and are automatically purged when the browser tab is closed.
|
|
88
|
+
* **Privacy-by-Design:** Even when using the web-based viewer, the data remains behind the user's firewall at all times.
|
|
89
|
+
|
|
90
|
+
### The Viral Security Lens: Behavioral Threat Hunting
|
|
91
|
+
Traditional security scanners rely on rigid, outdated virus signatures. blAST acts like an immune system, hunting for the *behavioral genetic markers* of a threat. By analyzing the structural density of I/O hits, execution triggers, and security bypasses, blAST is perfectly engineered to stop modern attack vectors:
|
|
92
|
+
|
|
93
|
+
* **Supply-Chain Poisoning:** Instantly flags seemingly innocent setup scripts that possess an anomalous density of network I/O and dynamic execution (`eval`/`exec`).
|
|
94
|
+
* **Logic Bombs & Sabotage:** Identifies code designed to destroy infrastructure by catching dense concentrations of catastrophic OS commands and raw hardware aborts.
|
|
95
|
+
* **Steganography & Obfuscated Malware:** Mathematically exposes evasion techniques, flagging Unicode Smuggling (homoglyph imports) and sub-atomic custom XOR decryption loops.
|
|
96
|
+
* **Credential Hemorrhaging:** Acts as a ruthless data vault scanner, isolating hardcoded cryptographic assets (`.pem`, `.pfx`, `.jks` files) buried deep within massive repositories.
|
|
97
|
+
|
|
98
|
+
## License & Copyright
|
|
99
|
+
|
|
100
|
+
Copyright (c) 2026 Joe Esquibel
|
|
101
|
+
|
|
102
|
+
GitGalaxy is released under the PolyForm Noncommercial License 1.0.0. It is completely free for personal use, research, experiment, testing, and hobby projects. Use by educational or charitable organizations is also permitted.
|
|
103
|
+
|
|
104
|
+
Any commercial use or integration into commercial SaaS products or corporate CI/CD pipelines requires a separate commercial license. Please reach out via gitgalaxy.io to discuss commercial integration.
|
|
@@ -104,14 +104,6 @@ class ApertureFilter:
|
|
|
104
104
|
"""
|
|
105
105
|
[PHASE 0 ENTRY POINT]
|
|
106
106
|
Fast path-only check to build the CensusArray (Radar Walk).
|
|
107
|
-
Now safely fetches file size to prevent the 0-Byte Dark Matter telemetry bug.
|
|
108
|
-
|
|
109
|
-
Args:
|
|
110
|
-
file_path: The artifact's path.
|
|
111
|
-
has_intent: True if the GuideStar mapped this file in a manifest or priority list.
|
|
112
|
-
|
|
113
|
-
Returns:
|
|
114
|
-
Tuple: (is_valid: bool, size_bytes: int, reason: str)
|
|
115
107
|
"""
|
|
116
108
|
path_obj = Path(file_path)
|
|
117
109
|
normalized_path = path_obj.as_posix()
|
|
@@ -122,20 +114,28 @@ class ApertureFilter:
|
|
|
122
114
|
except ValueError:
|
|
123
115
|
relative_path = normalized_path
|
|
124
116
|
|
|
125
|
-
# Safely fetch size before making drop decisions to ensure accurate Dark Matter telemetry
|
|
126
117
|
try:
|
|
127
118
|
size_bytes = path_obj.stat().st_size if path_obj.exists() else 0
|
|
128
119
|
except OSError:
|
|
129
120
|
size_bytes = 0
|
|
130
121
|
|
|
131
|
-
#
|
|
132
|
-
#
|
|
122
|
+
# ======================================================================
|
|
123
|
+
# 0.1 TIER 0.1: THE SECRETS RADAR (Highest Priority Security Check)
|
|
124
|
+
# Checks for leaked credentials, databases, and private keys.
|
|
125
|
+
# ======================================================================
|
|
126
|
+
if path_obj.name in self.config.get("SECRETS_EXACT", set()) or ext.lower() in self.config.get("SECRETS_EXTENSIONS", set()):
|
|
127
|
+
reason = f"CRITICAL LEAK (Exposed Secret / Key Detected: '{path_obj.name}')"
|
|
128
|
+
self.logger.critical(f"🛡️ SECURITY BREACH: {reason} at {relative_path}")
|
|
129
|
+
return False, size_bytes, reason
|
|
130
|
+
|
|
131
|
+
# ======================================================================
|
|
132
|
+
# 0.5 TIER 0.5: THE ABSOLUTE EXTENSION SHIELD (Impervious to Intent)
|
|
133
|
+
# ======================================================================
|
|
133
134
|
if ext.lower() in self.black_hole_exts:
|
|
134
135
|
reason = f"Blocked (Explicitly Blacklisted Media/Binary Extension: '{ext}')"
|
|
135
136
|
self.logger.debug(f"{reason}: {relative_path}")
|
|
136
137
|
return False, size_bytes, reason
|
|
137
138
|
|
|
138
|
-
# Resolve intent status against cache
|
|
139
139
|
active_intent = has_intent or (normalized_path in self._intent_cache)
|
|
140
140
|
if active_intent:
|
|
141
141
|
self._intent_cache.add(normalized_path)
|
|
@@ -147,21 +147,17 @@ class ApertureFilter:
|
|
|
147
147
|
return False, size_bytes, reason
|
|
148
148
|
|
|
149
149
|
# --- INTENT BYPASS ---
|
|
150
|
-
# If the file has a GuideStar lock, it bypasses linguistic whitelisting entirely.
|
|
151
150
|
if active_intent:
|
|
152
151
|
reason = "Passed (GuideStar Intent Lock Bypassed Tier 2)"
|
|
153
152
|
self.logger.debug(f"{reason}: {relative_path}")
|
|
154
153
|
return True, size_bytes, reason
|
|
155
154
|
|
|
156
155
|
# 2. TIER 2: THE VISIBLE SPECTRUM (Linguistic Whitelisting)
|
|
157
|
-
# Rule 2.1: Deep Space Remnants (Spec 2.3.3.B)
|
|
158
|
-
# We allow extensionless files through without intent to be evaluated by the Shebang Scanner
|
|
159
156
|
if not ext:
|
|
160
157
|
reason = "Passed (Extensionless -> Shebang scan required)"
|
|
161
158
|
self.logger.debug(f"{reason}: {relative_path}")
|
|
162
159
|
return True, size_bytes, reason
|
|
163
160
|
|
|
164
|
-
# Rule 2.2: Known Ecosystem Anchor or Whitelisted Extension
|
|
165
161
|
if path_obj.name in self.ecosystem_anchors or ext.lower() in self.whitelisted_extensions:
|
|
166
162
|
reason = "Passed (Ecosystem Anchor or Whitelisted Ext)"
|
|
167
163
|
return True, size_bytes, reason
|
|
@@ -169,7 +165,7 @@ class ApertureFilter:
|
|
|
169
165
|
reason = f"Blocked (Unsupported or Unrecognized Extension: '{ext}')"
|
|
170
166
|
self.logger.debug(f"{reason}: {relative_path}")
|
|
171
167
|
return False, size_bytes, reason
|
|
172
|
-
|
|
168
|
+
|
|
173
169
|
def is_in_scope(self, file_path: Union[str, Path], content: Optional[str] = None, has_intent: bool = False) -> FilterResult:
|
|
174
170
|
"""Runs the 5-tier perimeter gate to validate maintainable code matter."""
|
|
175
171
|
path_obj = Path(file_path)
|
|
@@ -211,7 +207,13 @@ class ApertureFilter:
|
|
|
211
207
|
# --- TIER 1 & 2: PATH VALIDATION ---
|
|
212
208
|
is_valid, size_bytes, reason = self.evaluate_path_integrity(path_obj, has_intent=active_intent)
|
|
213
209
|
if not is_valid:
|
|
214
|
-
|
|
210
|
+
# --- SECRETS RADAR CHECK ---
|
|
211
|
+
if reason and "CRITICAL LEAK" in reason:
|
|
212
|
+
# Uses the new QUARANTINE band and aligned terminology
|
|
213
|
+
result["band"] = self.bands.get("QUARANTINE", "critical_secret_leak")
|
|
214
|
+
else:
|
|
215
|
+
result["band"] = self.bands.get("RADIO", "ignored_system_or_hidden_file")
|
|
216
|
+
|
|
215
217
|
result["reason"] = reason
|
|
216
218
|
result["size_bytes"] = size_bytes
|
|
217
219
|
return result
|
|
@@ -252,14 +252,117 @@ class AuditRecorder:
|
|
|
252
252
|
"Discovery Proof": "Logic Splicer Shielding"
|
|
253
253
|
})
|
|
254
254
|
|
|
255
|
-
#
|
|
255
|
+
# ==========================================================
|
|
256
|
+
# 4. FORENSIC SECURITY & VULNERABILITY AUDIT (Section 3)
|
|
257
|
+
# ==========================================================
|
|
258
|
+
sec_risk_mapping = {
|
|
259
|
+
"secrets_risk": {"label": "Secrets Risk Exposure", "threshold": 0.1},
|
|
260
|
+
"obscured_payload": {"label": "Hidden Malware Risk Exposure", "threshold": 60.0},
|
|
261
|
+
"logic_bomb": {"label": "Logic Bomb / Sabotage Risk Exposure", "threshold": 50.0},
|
|
262
|
+
"injection_surface": {"label": "Injection Surface Risk Exposure", "threshold": 65.0},
|
|
263
|
+
"memory_corruption": {"label": "Memory Corruption Risk Exposure", "threshold": 60.0}
|
|
264
|
+
}
|
|
265
|
+
|
|
266
|
+
sec_hit_mapping = {
|
|
267
|
+
"sec_danger": "Dangerous Code Execution (Eval/Exec)",
|
|
268
|
+
"sec_safety_neg": "Security Rule Bypasses",
|
|
269
|
+
"sec_io": "Suspicious Network Connections",
|
|
270
|
+
"sec_flux": "Global Environment Tampering",
|
|
271
|
+
"sec_heat_triggers": "Scrambled / Obfuscated Code",
|
|
272
|
+
"sec_graveyard": "Shadow Logic (Hidden Code)",
|
|
273
|
+
"sec_bitwise_hits": "Sub-Atomic Decryption (Custom XOR)",
|
|
274
|
+
"sec_shadow_imports": "Steganographic Execution (Shadow Imports)",
|
|
275
|
+
"sec_homoglyphs": "Unicode Smuggling (Homoglyph Imports)"
|
|
276
|
+
}
|
|
277
|
+
|
|
278
|
+
quarantined_files = []
|
|
279
|
+
vuln_exposures = {
|
|
280
|
+
data["label"]: {
|
|
281
|
+
"Alert Threshold": f">= {data['threshold']}%",
|
|
282
|
+
"Artifacts Flagged": 0,
|
|
283
|
+
"Critical Files": []
|
|
284
|
+
} for key, data in sec_risk_mapping.items()
|
|
285
|
+
}
|
|
286
|
+
|
|
287
|
+
raw_threat_hits = {
|
|
288
|
+
"_description": "The total number of times these specific malicious regex patterns were triggered across all scanned files.",
|
|
289
|
+
**{label: 0 for label in sec_hit_mapping.values()}
|
|
290
|
+
}
|
|
291
|
+
|
|
292
|
+
# Safe index lookups
|
|
293
|
+
risk_indices = {k: self.RISK_SCHEMA.index(k) for k in sec_risk_mapping.keys() if k in self.RISK_SCHEMA}
|
|
294
|
+
hit_indices = {k: self.HIT_SCHEMA.index(k) for k in sec_hit_mapping.keys() if k in self.HIT_SCHEMA}
|
|
295
|
+
|
|
296
|
+
# Sweep the stars for security anomalies
|
|
297
|
+
for star in stars:
|
|
298
|
+
path = star.get("path", "Unknown")
|
|
299
|
+
band = star.get("band", "")
|
|
300
|
+
|
|
301
|
+
if band == "critical_secret_leak":
|
|
302
|
+
quarantined_files.append({
|
|
303
|
+
"Path": path,
|
|
304
|
+
"Diagnostic": star.get("telemetry", {}).get("domain_context", {}).get("warning", "CRITICAL LEAK (Exposed Secret / Key Detected)")
|
|
305
|
+
})
|
|
306
|
+
|
|
307
|
+
risk_vector = star.get("risk_vector", [])
|
|
308
|
+
if len(risk_vector) == len(self.RISK_SCHEMA):
|
|
309
|
+
for r_key, r_idx in risk_indices.items():
|
|
310
|
+
score = risk_vector[r_idx]
|
|
311
|
+
mapping = sec_risk_mapping[r_key]
|
|
312
|
+
if score >= mapping["threshold"]:
|
|
313
|
+
label = mapping["label"]
|
|
314
|
+
vuln_exposures[label]["Critical Files"].append({"Path": path, "Score": f"{score:.1f}%"})
|
|
315
|
+
vuln_exposures[label]["Artifacts Flagged"] += 1
|
|
316
|
+
|
|
317
|
+
# Aggregate the raw threat hits
|
|
318
|
+
hit_vector = star.get("hit_vector")
|
|
319
|
+
if isinstance(hit_vector, list) and len(hit_vector) == len(self.HIT_SCHEMA):
|
|
320
|
+
for h_key, h_idx in hit_indices.items():
|
|
321
|
+
hits = hit_vector[h_idx]
|
|
322
|
+
if hits > 0:
|
|
323
|
+
label = sec_hit_mapping[h_key]
|
|
324
|
+
raw_threat_hits[label] += hits
|
|
325
|
+
|
|
326
|
+
# --- THE FALSE POSITIVE FIX: Decouple Active Threats from Surface Risks ---
|
|
327
|
+
# 1. Count actual malicious regex hits (ignoring the _description string)
|
|
328
|
+
malicious_hits_total = sum(v for k, v in raw_threat_hits.items() if isinstance(v, int))
|
|
329
|
+
|
|
330
|
+
# 2. Check for explicit malware
|
|
331
|
+
has_malware = vuln_exposures["Hidden Malware Risk Exposure"]["Artifacts Flagged"] > 0
|
|
332
|
+
has_secrets = vuln_exposures["Secrets Risk Exposure"]["Artifacts Flagged"] > 0
|
|
333
|
+
|
|
334
|
+
# 3. Tiered Status Routing
|
|
335
|
+
if quarantined_files or has_malware or has_secrets or malicious_hits_total > 0:
|
|
336
|
+
audit_status = "CRITICAL_THREATS_DETECTED"
|
|
337
|
+
elif any(v["Artifacts Flagged"] > 0 for v in vuln_exposures.values()):
|
|
338
|
+
# DOOM lands here. High architectural risk, but no active malicious intent.
|
|
339
|
+
audit_status = "ELEVATED_SURFACE_RISK"
|
|
340
|
+
else:
|
|
341
|
+
audit_status = "SECURE"
|
|
342
|
+
|
|
343
|
+
security_audit = {
|
|
344
|
+
"Audit Status": audit_status,
|
|
345
|
+
"Scope": {
|
|
346
|
+
"Artifacts Evaluated": len(stars),
|
|
347
|
+
"Threat Signatures Monitored": len(sec_hit_mapping),
|
|
348
|
+
"Vulnerability Vectors Calculated": len(sec_risk_mapping)
|
|
349
|
+
},
|
|
350
|
+
"Exposed Secrets & Credentials (Quarantined Files)": quarantined_files,
|
|
351
|
+
"Vulnerability Exposures (Threshold Breaches)": vuln_exposures,
|
|
352
|
+
"Raw Threat Signature Hits (Total Repository Occurrences)": raw_threat_hits
|
|
353
|
+
}
|
|
354
|
+
|
|
355
|
+
# ==========================================================
|
|
356
|
+
# 5. Final Mission Archive Packaging
|
|
357
|
+
# ==========================================================
|
|
256
358
|
mission_audit = {
|
|
257
359
|
"Audit Protocol": "GitGalaxy v6.2.0-Audit",
|
|
258
360
|
"1. Forensic Trail (Traceability)": forensic_trail,
|
|
259
361
|
"2. Global Synthesis Summary": summary,
|
|
260
|
-
"3.
|
|
261
|
-
"4.
|
|
262
|
-
"5.
|
|
362
|
+
"3. Forensic Security & Vulnerability Audit": security_audit,
|
|
363
|
+
"4. High-Value Forensic Report": forensic_report,
|
|
364
|
+
"5. Dark Matter (Excluded Artifacts)": pretty_singularity,
|
|
365
|
+
"6. Visible Matter (Scanned Artifacts)": pretty_constellations
|
|
263
366
|
}
|
|
264
367
|
|
|
265
368
|
# --- ABSOLUTE ROUTING LOGIC ---
|
|
@@ -13,6 +13,8 @@ import hashlib
|
|
|
13
13
|
import logging
|
|
14
14
|
import time
|
|
15
15
|
from typing import Dict, List, Any, TypedDict, Optional, Tuple
|
|
16
|
+
from . import gitgalaxy_standards_v011 as config
|
|
17
|
+
|
|
16
18
|
|
|
17
19
|
# ==============================================================================
|
|
18
20
|
# GitGalaxy Phase 2.5 & 7.5: Logic Splicer & Cartographer
|
|
@@ -214,19 +216,9 @@ class LogicSplicer:
|
|
|
214
216
|
3. Integration Modes: Labels (A), Braces (B), Indentation (C), Keywords (D), Terminators (E).
|
|
215
217
|
"""
|
|
216
218
|
|
|
217
|
-
# ---
|
|
218
|
-
|
|
219
|
-
|
|
220
|
-
"safety_neg", "danger", "io", "api", "flux", "graveyard", "doc",
|
|
221
|
-
"test", "concurrency", "ui_framework", "closures", "globals",
|
|
222
|
-
"decorators", "generics", "comprehensions", "scientific", "heat_triggers",
|
|
223
|
-
"import", "ownership", "planned_debt", "fragile_debt", "private_info",
|
|
224
|
-
"spec_exposure", "civil_war", "ssr_boundaries", "events",
|
|
225
|
-
"dependency_injection", "macros", "pointers", "memory_alloc",
|
|
226
|
-
"inline_asm", "telemetry", "print_hits", "cast_hits", "bailout_hits",
|
|
227
|
-
"halt_hits", "bitwise_hits", "sync_locks", "freeze_hits", "cleanup",
|
|
228
|
-
"encapsulation", "listeners", "test_skip", "indent_tabs", "indent_spaces"
|
|
229
|
-
]
|
|
219
|
+
# --- DYNAMIC SCHEMA FETCH ---
|
|
220
|
+
# Directly mirrors the central registry to prevent schema drift
|
|
221
|
+
UNIVERSAL_METRICS_SCHEMA = config.RECORDING_SCHEMAS.get("SIGNAL_SCHEMA", [])
|
|
230
222
|
|
|
231
223
|
HANDSHAKE_REGISTRY = [
|
|
232
224
|
{"trigger": re.compile(r'<script', re.I), "end": re.compile(r'</script>', re.I), "target": "javascript", "pair": None},
|
|
@@ -34,6 +34,7 @@ from .spectral_auditor import SpectralAuditor
|
|
|
34
34
|
from .gpu_recorder import GPURecorder
|
|
35
35
|
from .audit_recorder import AuditRecorder
|
|
36
36
|
from .llm_recorder import LLMRecorder
|
|
37
|
+
from .security_lens import SecurityLens
|
|
37
38
|
# Load Universal Laws from config
|
|
38
39
|
from . import gitgalaxy_standards_v011 as scanning_config
|
|
39
40
|
|
|
@@ -111,13 +112,22 @@ def _process_file_worker(rel_path: str) -> Dict[str, Any]:
|
|
|
111
112
|
"""Processes a single file path using the worker's cached hardware modules."""
|
|
112
113
|
global _worker_state
|
|
113
114
|
|
|
115
|
+
# ---> START THE CLOCK FOR THE MICRO-PROFILER <---
|
|
116
|
+
t_start = time.time()
|
|
117
|
+
|
|
114
118
|
root = _worker_state['root']
|
|
115
119
|
full_path_str = str(root / rel_path)
|
|
116
120
|
|
|
117
121
|
# --- NEW: PARALLEL PHANTOM CHECK ---
|
|
118
122
|
# Silently evaporates files missing on disk to prevent main-thread anomaly logging
|
|
119
123
|
if not Path(full_path_str).is_file():
|
|
120
|
-
return {
|
|
124
|
+
return {
|
|
125
|
+
"rel_path": rel_path,
|
|
126
|
+
"status": "phantom",
|
|
127
|
+
"reason": "Phantom file (missing on disk)",
|
|
128
|
+
"data": {},
|
|
129
|
+
"processing_time": time.time() - t_start
|
|
130
|
+
}
|
|
121
131
|
|
|
122
132
|
logger = _worker_state['worker_logger']
|
|
123
133
|
aperture = _worker_state['filter']
|
|
@@ -139,19 +149,28 @@ def _process_file_worker(rel_path: str) -> Dict[str, Any]:
|
|
|
139
149
|
observation["status"] = "singularity"
|
|
140
150
|
observation["reason"] = reason
|
|
141
151
|
observation["size_bytes"] = size_bytes
|
|
152
|
+
observation["processing_time"] = time.time() - t_start
|
|
142
153
|
return observation
|
|
143
154
|
|
|
144
155
|
try:
|
|
145
156
|
with open(full_path_str, 'r', encoding='utf-8', errors='ignore') as f:
|
|
146
157
|
content_buffer = f.read()
|
|
158
|
+
except FileNotFoundError:
|
|
159
|
+
# Replaces the Phantom Check! Fast, zero-overhead disk failure routing.
|
|
160
|
+
observation["status"] = "phantom"
|
|
161
|
+
observation["reason"] = "Phantom file (missing on disk)"
|
|
162
|
+
observation["processing_time"] = time.time() - t_start
|
|
163
|
+
return observation
|
|
147
164
|
except Exception as e:
|
|
148
165
|
observation["reason"] = f"I/O Error: {str(e)}"
|
|
166
|
+
observation["processing_time"] = time.time() - t_start
|
|
149
167
|
return observation
|
|
150
168
|
|
|
151
169
|
filter_res = aperture.is_in_scope(full_path_str, content=content_buffer, has_intent=has_prior)
|
|
152
170
|
if not filter_res["is_in_scope"]:
|
|
153
171
|
observation["status"] = "singularity"
|
|
154
172
|
observation["reason"] = filter_res["reason"]
|
|
173
|
+
observation["processing_time"] = time.time() - t_start
|
|
155
174
|
return observation
|
|
156
175
|
|
|
157
176
|
detection_result = detector.inspect(
|
|
@@ -169,6 +188,7 @@ def _process_file_worker(rel_path: str) -> Dict[str, Any]:
|
|
|
169
188
|
observation["status"] = "singularity"
|
|
170
189
|
observation["reason"] = f"Unsupported Format (.{lang_id})"
|
|
171
190
|
observation["identity_confidence"] = detection_result.get("intensity", 0.0)
|
|
191
|
+
observation["processing_time"] = time.time() - t_start
|
|
172
192
|
return observation
|
|
173
193
|
|
|
174
194
|
refraction = prism.refract(content_buffer, lang_id)
|
|
@@ -218,12 +238,12 @@ def _process_file_worker(rel_path: str) -> Dict[str, Any]:
|
|
|
218
238
|
"prior_lock": has_prior,
|
|
219
239
|
"coding_loc": refraction["coding_loc"],
|
|
220
240
|
"doc_loc": refraction["doc_loc"],
|
|
221
|
-
"raw_imports": raw_imports,
|
|
222
|
-
"popularity_hits": popularity_hits
|
|
241
|
+
"raw_imports": raw_imports,
|
|
242
|
+
"popularity_hits": popularity_hits
|
|
223
243
|
}
|
|
224
244
|
|
|
225
245
|
data_payload.update(logic_data)
|
|
226
|
-
data_payload["raw_imports"] = list(raw_imports)
|
|
246
|
+
data_payload["raw_imports"] = list(raw_imports)
|
|
227
247
|
data_payload["control_flow_ratio"] = logic_data.get("total_control_flow_ratio", 0.0)
|
|
228
248
|
data_payload["file_impact"] = logic_data.get("sum_fxn_impact", 0.0)
|
|
229
249
|
|
|
@@ -232,6 +252,17 @@ def _process_file_worker(rel_path: str) -> Dict[str, Any]:
|
|
|
232
252
|
except Exception as e:
|
|
233
253
|
observation["status"] = "anomaly"
|
|
234
254
|
observation["reason"] = f"Hardware failure: {str(e)}"
|
|
255
|
+
|
|
256
|
+
# ---> RECORD THE FINAL TIME <---
|
|
257
|
+
total_time = time.time() - t_start
|
|
258
|
+
observation["processing_time"] = total_time
|
|
259
|
+
|
|
260
|
+
# ---> NEW: REAL-TIME SLOW FILE ALERT <---
|
|
261
|
+
if total_time > 10.0:
|
|
262
|
+
logger.warning(f"🐌 SLOW PARSE DETECTED: '{rel_path}' took {total_time:.2f} seconds.")
|
|
263
|
+
|
|
264
|
+
# ---> RECORD THE FINAL TIME <---
|
|
265
|
+
observation["processing_time"] = time.time() - t_start
|
|
235
266
|
|
|
236
267
|
return observation
|
|
237
268
|
|
|
@@ -638,8 +669,13 @@ class Orchestrator:
|
|
|
638
669
|
if not clean_path:
|
|
639
670
|
continue
|
|
640
671
|
|
|
672
|
+
# THE FIX: Don't turn file extensions into folders!
|
|
673
|
+
# If the string has a dot but no slash, we only replace '.' with '/'
|
|
674
|
+
# if it is NOT a recognized file extension.
|
|
641
675
|
if "." in clean_path and "/" not in clean_path:
|
|
642
|
-
|
|
676
|
+
ext_guess = "." + clean_path.rsplit('.', 1)[-1].lower()
|
|
677
|
+
if ext_guess not in self.ext_tally:
|
|
678
|
+
clean_path = clean_path.replace(".", "/")
|
|
643
679
|
|
|
644
680
|
# Strip leading relative markers so it aligns with our suffix map
|
|
645
681
|
clean_path = clean_path.lstrip("./")
|
|
@@ -792,6 +828,52 @@ class Orchestrator:
|
|
|
792
828
|
"file_impact": forensic_result["file_impact"],
|
|
793
829
|
"telemetry": telemetry_payload
|
|
794
830
|
})
|
|
831
|
+
|
|
832
|
+
# ==================================================================
|
|
833
|
+
# THE SECRETS SUPERNOVA INJECTION (Synthetic Visualization)
|
|
834
|
+
# Pull critical leaks out of Dark Matter and force them onto the map
|
|
835
|
+
# ==================================================================
|
|
836
|
+
leaks = [cand for cand in self.singularity_candidates if "CRITICAL LEAK" in cand.get("reason", "")]
|
|
837
|
+
|
|
838
|
+
# Remove them from Dark Matter so they aren't double-counted in the summary
|
|
839
|
+
self.singularity_candidates = [cand for cand in self.singularity_candidates if "CRITICAL LEAK" not in cand.get("reason", "")]
|
|
840
|
+
|
|
841
|
+
from .signal_processor import SignalProcessor
|
|
842
|
+
|
|
843
|
+
for leak in leaks:
|
|
844
|
+
rel_path = leak["path"]
|
|
845
|
+
logger.critical(f"Supernova Injection: Forcing {rel_path} onto the 3D Map!")
|
|
846
|
+
|
|
847
|
+
synthetic_star = {
|
|
848
|
+
"name": Path(rel_path).name,
|
|
849
|
+
"path": rel_path,
|
|
850
|
+
"lang_id": "plaintext", # <-- Bypasses the Spectral Auditor as Inert Matter
|
|
851
|
+
"coding_loc": 1,
|
|
852
|
+
"total_loc": 1,
|
|
853
|
+
"band": "critical_secret_leak",
|
|
854
|
+
|
|
855
|
+
# 18-point risk vector. Index 17 is secrets_risk. Peg it to 100%.
|
|
856
|
+
"risk_vector": [0.0] * 13 + [0.0, 0.0, 0.0, 0.0, 100.0],
|
|
857
|
+
"hit_vector": [0] * len(SignalProcessor.SIGNAL_SCHEMA),
|
|
858
|
+
|
|
859
|
+
# ---> CARTOGRAPHER GRAVITY <---
|
|
860
|
+
# This makes the radius massive and pushes all other files away
|
|
861
|
+
"file_impact": 5000.0,
|
|
862
|
+
|
|
863
|
+
"telemetry": {
|
|
864
|
+
"ownership": "Secrets Radar",
|
|
865
|
+
"domain_context": {"warning": "CRITICAL CREDENTIAL LEAK DETECTED"},
|
|
866
|
+
"identity_source_proof": "Aperture Security Override",
|
|
867
|
+
"identity_lock_tier": 0
|
|
868
|
+
}
|
|
869
|
+
}
|
|
870
|
+
|
|
871
|
+
# Manually flag the private_info hit so UI tooltips show the exact trigger
|
|
872
|
+
if "private_info" in SignalProcessor.SIGNAL_SCHEMA:
|
|
873
|
+
idx = SignalProcessor.SIGNAL_SCHEMA.index("private_info")
|
|
874
|
+
synthetic_star["hit_vector"][idx] = 1
|
|
875
|
+
|
|
876
|
+
self.stars.append(synthetic_star)
|
|
795
877
|
|
|
796
878
|
def _prepare_target(self, target_input: Union[str, Path]) -> Path:
|
|
797
879
|
"""Prepares the filesystem for analysis."""
|
|
@@ -929,6 +1011,7 @@ def main():
|
|
|
929
1011
|
parser.add_argument("target", help="Path to repo or ZIP")
|
|
930
1012
|
parser.add_argument("--output", default=None, help="Optional output filename override")
|
|
931
1013
|
parser.add_argument("--debug", action="store_true", help="Turn on verbose Analytical logging")
|
|
1014
|
+
parser.add_argument("--paranoid", action="store_true", help="Lower security thresholds to flag more potential threats.")
|
|
932
1015
|
|
|
933
1016
|
args = parser.parse_args()
|
|
934
1017
|
|
|
@@ -977,6 +1060,16 @@ def main():
|
|
|
977
1060
|
merged_langs[lang]['rules'].update(rules_patch)
|
|
978
1061
|
logging.debug(f" -> Patched '{lang}' geometry rules.")
|
|
979
1062
|
|
|
1063
|
+
# =========================================================
|
|
1064
|
+
# --- NEW: SECURITY LENS INTEGRATION ---
|
|
1065
|
+
# =========================================================
|
|
1066
|
+
logging.info("🛡️ SECURITY LENS ACTIVE: Passively monitoring for Threat Signatures.")
|
|
1067
|
+
lens = SecurityLens(parent_logger=logging.getLogger())
|
|
1068
|
+
|
|
1069
|
+
# Unconditionally inject the 'sec_' prefixed observers into the registry
|
|
1070
|
+
merged_langs = lens.arm_lens(merged_langs)
|
|
1071
|
+
# =========================================================
|
|
1072
|
+
|
|
980
1073
|
# ---------------------------------------------------------
|
|
981
1074
|
# 3. Assemble the Final Configuration
|
|
982
1075
|
# ---------------------------------------------------------
|
|
@@ -986,7 +1079,8 @@ def main():
|
|
|
986
1079
|
"APERTURE_CONFIG": getattr(scanning_config, "APERTURE_CONFIG", {}),
|
|
987
1080
|
"PATH_MODIFIERS": getattr(scanning_config, "PATH_MODIFIERS", {}),
|
|
988
1081
|
"PRIORITY_WHITELIST": getattr(scanning_config, "PRIORITY_WHITELIST", []),
|
|
989
|
-
"DOCUMENTATION_LANGUAGES": getattr(scanning_config, "DOCUMENTATION_LANGUAGES", set())
|
|
1082
|
+
"DOCUMENTATION_LANGUAGES": getattr(scanning_config, "DOCUMENTATION_LANGUAGES", set()),
|
|
1083
|
+
"PARANOID_MODE": args.paranoid # ---> 2. INJECT INTO CONFIG <---
|
|
990
1084
|
}
|
|
991
1085
|
|
|
992
1086
|
# ---------------------------------------------------------
|