gwc-pybundle 2.1.2__py3-none-any.whl

pybundle/steps/security_headers.py

@@ -0,0 +1,309 @@
+"""
+Step: Security Headers Analysis
+Detect security headers in Flask, FastAPI, and Django applications.
+"""
+
+import re
+from pathlib import Path
+from typing import Dict, List, Set, Tuple, Optional
+
+from .base import Step, StepResult
+
+
+class SecurityHeadersStep(Step):
+    """Analyze security headers in web applications."""
+
+    name = "security headers"
+
+    # Security headers and their implementations
+    SECURITY_HEADERS = {
+        "Content-Security-Policy": "CSP",
+        "X-Content-Type-Options": "MIME Type",
+        "X-Frame-Options": "Clickjacking",
+        "Strict-Transport-Security": "HSTS",
+        "X-XSS-Protection": "XSS",
+        "Referrer-Policy": "Referrer",
+        "Permissions-Policy": "Permissions",
+        "Access-Control-Allow-Origin": "CORS",
+    }
+
+    def run(self, ctx: "BundleContext") -> StepResult:  # type: ignore[name-defined]
+        """Analyze security headers in codebase."""
+        import time
+
+        start = time.time()
+
+        root = ctx.root
+
+        # Detect frameworks
+        frameworks = self._detect_frameworks(root)
+
+        # Find security header implementations
+        headers_found = self._find_security_headers(root, frameworks)
+
+        # Generate report
+        lines = [
+            "=" * 80,
+            "SECURITY HEADERS ANALYSIS REPORT",
+            "=" * 80,
+            "",
+        ]
+
+        # Framework detection
+        lines.extend(
+            [
+                "FRAMEWORK DETECTION",
+                "=" * 80,
+                "",
+            ]
+        )
+
+        if frameworks:
+            for framework, details in frameworks.items():
+                lines.append(f"✓ {framework}")
+                if details.get("files"):
+                    lines.append(f"  Found in: {', '.join(details['files'][:3])}")
+                    if len(details["files"]) > 3:
+                        lines.append(f"  ... and {len(details['files']) - 3} more")
+                lines.append("")
+
+        else:
+            lines.append("⊘ No web frameworks detected")
+            lines.append("")
+
+        # Security headers summary
+        lines.extend(
+            [
+                "SECURITY HEADERS IMPLEMENTATION",
+                "=" * 80,
+                "",
+            ]
+        )
+
+        if headers_found:
+            implemented_count = len(headers_found["implemented"])
+            total_count = len(self.SECURITY_HEADERS)
+
+            lines.append(f"Headers implemented: {implemented_count}/{total_count}")
+            lines.append("")
+
+            if headers_found["implemented"]:
+                lines.append("✓ IMPLEMENTED HEADERS:")
+                for header, details in headers_found["implemented"].items():
+                    lines.append(f"  - {header}")
+                    if details.get("files"):
+                        for file_path in details["files"][:2]:
+                            lines.append(f"    Found in: {file_path}")
+                        if len(details["files"]) > 2:
+                            lines.append(f"    ... and {len(details['files']) - 2} more files")
+
+                lines.append("")
+
+            if headers_found["missing"]:
+                lines.append(f"⚠ MISSING HEADERS ({len(headers_found['missing'])}):")
+                for header in sorted(headers_found["missing"]):
+                    purpose = self.SECURITY_HEADERS.get(header, "")
+                    lines.append(f"  - {header} ({purpose})")
+
+                lines.append("")
+
+        else:
+            lines.append("⊘ No security headers found in codebase")
+            lines.append("")
+
+        # Implementation patterns
+        if headers_found and headers_found.get("patterns"):
+            lines.extend(
+                [
+                    "IMPLEMENTATION PATTERNS",
+                    "=" * 80,
+                    "",
+                ]
+            )
+
+            for pattern_type, details in headers_found["patterns"].items():
+                lines.append(f"{pattern_type}:")
+                for location in details[:5]:
+                    lines.append(f"  - {location}")
+                if len(details) > 5:
+                    lines.append(f"  ... and {len(details) - 5} more")
+                lines.append("")
+
+        # Recommendations
+        lines.extend(
+            [
+                "=" * 80,
+                "RECOMMENDATIONS",
+                "=" * 80,
+                "",
+            ]
+        )
+
+        if frameworks:
+            framework_name = list(frameworks.keys())[0]
+            lines.append(f"For {framework_name}:")
+            lines.append("")
+
+            if framework_name == "Flask":
+                lines.append("  @app.after_request")
+                lines.append("  def set_security_headers(response):")
+                lines.append(
+                    "      response.headers['X-Content-Type-Options'] = 'nosniff'"
+                )
+                lines.append(
+                    "      response.headers['X-Frame-Options'] = 'SAMEORIGIN'"
+                )
+                lines.append(
+                    "      response.headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'"
+                )
+                lines.append("      return response")
+
+            elif framework_name == "FastAPI":
+                lines.append("  from fastapi.middleware.cors import CORSMiddleware")
+                lines.append("  from fastapi.middleware.trustedhost import TrustedHostMiddleware")
+                lines.append("")
+                lines.append("  app.add_middleware(TrustedHostMiddleware, ...)")
+                lines.append("  app.add_middleware(CORSMiddleware, ...)")
+
+            elif framework_name == "Django":
+                lines.append("  # In settings.py:")
+                lines.append("  SECURE_BROWSER_XSS_FILTER = True")
+                lines.append("  SECURE_CONTENT_SECURITY_POLICY = {...}")
+                lines.append("  SESSION_COOKIE_SECURE = True")
+                lines.append("  CSRF_COOKIE_SECURE = True")
+
+            lines.append("")
+
+        lines.append("  1. Implement missing security headers")
+        lines.append("  2. Set appropriate CSP directives for your application")
+        lines.append("  3. Enable HSTS in production")
+        lines.append("  4. Configure CORS for necessary origins only")
+        lines.append("  5. Use security header testing tools (securityheaders.com)")
+
+        lines.append("")
+
+        # Write report
+        output = "\n".join(lines)
+        dest = ctx.workdir / "logs" / "122_security_headers.txt"
+        dest.parent.mkdir(parents=True, exist_ok=True)
+        dest.write_text(output, encoding="utf-8")
+
+        elapsed = int(time.time() - start)
+        return StepResult(self.name, "OK", elapsed, "")
+
+    def _detect_frameworks(self, root: Path) -> Dict[str, dict]:
+        """Detect web frameworks in the project."""
+        frameworks = {}
+
+        python_files = list(root.rglob("*.py"))
+        file_contents = {}
+
+        for py_file in python_files:
+            if any(
+                part in py_file.parts
+                for part in ["venv", ".venv", "env", "__pycache__", "site-packages"]
+            ):
+                continue
+
+            try:
+                content = py_file.read_text(encoding="utf-8", errors="ignore")
+                file_contents[py_file] = content
+            except (OSError, UnicodeDecodeError):
+                continue
+
+        # Check for Flask
+        for py_file, content in file_contents.items():
+            if "from flask import" in content or "import flask" in content:
+                if "Flask" not in frameworks:
+                    frameworks["Flask"] = {"files": []}
+                frameworks["Flask"]["files"].append(str(py_file.relative_to(root)))
+
+            # Check for FastAPI
+            if "from fastapi import" in content or "import fastapi" in content:
+                if "FastAPI" not in frameworks:
+                    frameworks["FastAPI"] = {"files": []}
+                frameworks["FastAPI"]["files"].append(str(py_file.relative_to(root)))
+
+            # Check for Django
+            if "django" in content and (
+                "from django" in content or "import django" in content
+            ):
+                if "Django" not in frameworks:
+                    frameworks["Django"] = {"files": []}
+                frameworks["Django"]["files"].append(str(py_file.relative_to(root)))
+
+        return frameworks
+
+    def _find_security_headers(self, root: Path, frameworks: Dict) -> Dict:
+        """Find security header implementations."""
+        implemented = {}
+        patterns = {
+            "Flask after_request": [],
+            "FastAPI Middleware": [],
+            "Django middleware": [],
+            "Direct response.headers": [],
+            "Custom header functions": [],
+        }
+
+        python_files = list(root.rglob("*.py"))
+
+        for py_file in python_files:
+            if any(
+                part in py_file.parts
+                for part in ["venv", ".venv", "env", "__pycache__", "site-packages"]
+            ):
+                continue
+
+            try:
+                content = py_file.read_text(encoding="utf-8", errors="ignore")
+                rel_path = str(py_file.relative_to(root))
+
+                # Find header implementations
+                for header in self.SECURITY_HEADERS:
+                    # Various patterns for setting headers
+                    header_variants = [
+                        f"'{header}'",
+                        f'"{header}"',
+                        header.replace("-", "_").upper(),
+                    ]
+
+                    for variant in header_variants:
+                        if variant in content:
+                            if header not in implemented:
+                                implemented[header] = {"files": []}
+                            if rel_path not in implemented[header]["files"]:
+                                implemented[header]["files"].append(rel_path)
+
+                # Detect patterns
+                if "@app.after_request" in content:
+                    patterns["Flask after_request"].append(rel_path)
+
+                if "CORSMiddleware" in content or "TrustedHostMiddleware" in content:
+                    patterns["FastAPI Middleware"].append(rel_path)
+
+                if "MIDDLEWARE" in content and "django" in content:
+                    patterns["Django middleware"].append(rel_path)
+
+                if "response.headers" in content or "set_header" in content:
+                    patterns["Direct response.headers"].append(rel_path)
+
+                # Check for custom header functions
+                if re.search(
+                    r"def\s+\w*header\w*|def\s+\w*security\w*", content, re.IGNORECASE
+                ):
+                    patterns["Custom header functions"].append(rel_path)
+
+            except (OSError, UnicodeDecodeError):
+                continue
+
+        # Calculate missing headers
+        missing = set(self.SECURITY_HEADERS.keys()) - set(implemented.keys())
+
+        # Filter patterns
+        patterns = {k: list(set(v)) for k, v in patterns.items() if v}
+
+        return {
+            "implemented": implemented,
+            "missing": sorted(missing),
+            "patterns": patterns,
+        }

pybundle/steps/shell.py

@@ -0,0 +1,74 @@
+from __future__ import annotations
+
+import subprocess  # nosec B404 - Required for tool execution, paths validated
+import time
+from dataclasses import dataclass
+from pathlib import Path
+
+from .base import StepResult
+from ..context import BundleContext
+
+
+@dataclass
+class ShellStep:
+    name: str
+    outfile_rel: str
+    cmd: list[str]
+    cwd_is_root: bool = True
+    allow_fail: bool = True
+    require_cmd: str | None = None
+
+    @property
+    def out_rel(self) -> str:
+        return self.outfile_rel
+
+    def run(self, ctx: BundleContext) -> StepResult:
+        if self.require_cmd and not getattr(ctx.tools, self.require_cmd, None):
+            out = ctx.workdir / self.outfile_rel
+            out.parent.mkdir(parents=True, exist_ok=True)
+            out.write_text(
+                f"{self.require_cmd} not found; skipping\n", encoding="utf-8"
+            )
+            return StepResult(self.name, "SKIP", 0, f"missing {self.require_cmd}")
+
+        # Resolve command path if the first element matches a tool name
+        cmd = list(self.cmd)
+        if cmd and self.require_cmd:
+            tool_path = getattr(ctx.tools, self.require_cmd, None)
+            if tool_path and cmd[0] in [self.require_cmd, "python", "python3"]:
+                cmd[0] = tool_path
+
+        out = ctx.workdir / self.outfile_rel
+        out.parent.mkdir(parents=True, exist_ok=True)
+
+        start = time.time()
+        header = (
+            f"## PWD: {ctx.root if self.cwd_is_root else Path.cwd()}\n"
+            f"## CMD: {' '.join(cmd)}\n\n"
+        )
+
+        try:
+            cp = subprocess.run(  # nosec B603
+                cmd,
+                cwd=str(ctx.root) if self.cwd_is_root else None,
+                text=True,
+                capture_output=True,
+                check=False,
+            )
+            text = header + (cp.stdout or "") + ("\n" + cp.stderr if cp.stderr else "")
+            out.write_text(ctx.redact_text(text), encoding="utf-8")
+            status = (
+                "PASS"
+                if cp.returncode == 0
+                else ("FAIL" if not self.allow_fail else "PASS")
+            )
+            note = "" if cp.returncode == 0 else f"exit={cp.returncode}"
+        except Exception as e:
+            out.write_text(
+                ctx.redact_text(header + f"\nEXCEPTION: {e}\n"), encoding="utf-8"
+            )
+            status = "FAIL" if not self.allow_fail else "PASS"
+            note = str(e)
+
+        dur = int(time.time() - start)
+        return StepResult(self.name, status, dur, note)

pybundle/steps/slow_tests.py

@@ -0,0 +1,178 @@
+"""
+Slow test identification - Milestone 4 (v1.4.1)
+"""
+
+from __future__ import annotations
+
+import subprocess
+import time
+from dataclasses import dataclass
+
+from .base import StepResult
+from ..context import BundleContext
+
+
+@dataclass
+class SlowTestsStep:
+    """
+    Identify slow tests by parsing pytest duration output.
+
+    Outputs:
+    - logs/71_slow_tests.txt: Ranked list of slowest tests
+    """
+
+    name: str = "slow_tests"
+
+    def run(self, ctx: BundleContext) -> StepResult:
+        start = time.time()
+
+        if not ctx.tools.pytest:
+            return StepResult(self.name, "SKIP", 0, "pytest not found")
+
+        tests_dir = ctx.root / "tests"
+        if not tests_dir.is_dir():
+            return StepResult(self.name, "SKIP", 0, "no tests/ directory")
+
+        threshold = ctx.options.slow_test_threshold
+        ctx.emit(f"  Identifying tests slower than {threshold}s...")
+
+        output_file = ctx.workdir / "logs" / "71_slow_tests.txt"
+        output_file.parent.mkdir(parents=True, exist_ok=True)
+
+        try:
+            # Run pytest with duration reporting
+            result = subprocess.run(
+                [
+                    str(ctx.tools.pytest),
+                    "-v",
+                    "--durations=0",  # Show all durations
+                    "--tb=no",  # No traceback to keep output clean
+                ],
+                cwd=ctx.root,
+                capture_output=True,
+                text=True,
+                timeout=180,  # 3 minute timeout
+            )
+
+            # Parse durations from output
+            slow_tests = self._parse_durations(result.stdout, threshold)
+
+            # Generate report
+            with output_file.open("w") as f:
+                f.write("=" * 70 + "\n")
+                f.write(f"SLOW TEST IDENTIFICATION (threshold: {threshold}s)\n")
+                f.write("=" * 70 + "\n\n")
+
+                if slow_tests:
+                    f.write(
+                        f"Found {len(slow_tests)} test(s) exceeding {threshold}s:\n\n"
+                    )
+
+                    # Sort by duration (descending)
+                    slow_tests.sort(key=lambda x: x[1], reverse=True)
+
+                    f.write(f"{'Duration (s)':<15} {'Test'}\n")
+                    f.write("-" * 70 + "\n")
+
+                    for test_name, duration in slow_tests:
+                        f.write(f"{duration:>13.2f}  {test_name}\n")
+
+                    f.write("\n" + "=" * 70 + "\n")
+                    f.write("STATISTICS:\n")
+                    f.write("-" * 70 + "\n")
+                    total_time = sum(d for _, d in slow_tests)
+                    avg_time = total_time / len(slow_tests)
+                    f.write(f"Total slow test time: {total_time:.2f}s\n")
+                    f.write(f"Average slow test time: {avg_time:.2f}s\n")
+                    f.write(
+                        f"Slowest test: {slow_tests[0][1]:.2f}s ({slow_tests[0][0]})\n"
+                    )
+
+                    f.write("\n" + "=" * 70 + "\n")
+                    f.write("RECOMMENDATIONS:\n")
+                    f.write("- Profile slow tests to identify bottlenecks\n")
+                    f.write("- Consider using pytest fixtures to reduce setup time\n")
+                    f.write("- Mock external dependencies (DB, API calls, file I/O)\n")
+                    f.write("- Use pytest-xdist for parallel test execution\n")
+                else:
+                    f.write(f"✅ No tests exceed {threshold}s threshold!\n\n")
+
+                    # Still show fastest tests for context
+                    all_tests = self._parse_all_durations(result.stdout)
+                    if all_tests:
+                        all_tests.sort(key=lambda x: x[1], reverse=True)
+                        f.write("Top 10 longest tests (all under threshold):\n\n")
+                        f.write(f"{'Duration (s)':<15} {'Test'}\n")
+                        f.write("-" * 70 + "\n")
+                        for test_name, duration in all_tests[:10]:
+                            f.write(f"{duration:>13.2f}  {test_name}\n")
+
+                # Append raw duration output for reference
+                f.write("\n" + "=" * 70 + "\n")
+                f.write("RAW PYTEST DURATION OUTPUT:\n")
+                f.write("-" * 70 + "\n")
+                # Find and include the duration section
+                in_duration_section = False
+                for line in result.stdout.splitlines():
+                    if "slowest durations" in line.lower() or "=== " in line:
+                        in_duration_section = True
+                    if in_duration_section:
+                        f.write(line + "\n")
+
+            elapsed = int((time.time() - start) * 1000)
+
+            if slow_tests:
+                return StepResult(
+                    self.name, "OK", elapsed, f"{len(slow_tests)} slow tests"
+                )
+            else:
+                return StepResult(self.name, "OK", elapsed)
+
+        except subprocess.TimeoutExpired:
+            elapsed = int((time.time() - start) * 1000)
+            return StepResult(self.name, "FAIL", elapsed, "timeout")
+        except Exception as e:
+            elapsed = int((time.time() - start) * 1000)
+            return StepResult(self.name, "FAIL", elapsed, str(e))
+
+    def _parse_durations(
+        self, output: str, threshold: float
+    ) -> list[tuple[str, float]]:
+        """Parse pytest --durations output for tests exceeding threshold"""
+        slow_tests = []
+
+        # Look for duration lines like: "0.52s call     test_file.py::test_name"
+        for line in output.splitlines():
+            if "s call" in line or "s setup" in line or "s teardown" in line:
+                parts = line.split()
+                if len(parts) >= 3:
+                    try:
+                        duration_str = parts[0].rstrip("s")
+                        duration = float(duration_str)
+
+                        if duration >= threshold:
+                            # Extract test name (usually the last part)
+                            test_name = parts[-1]
+                            slow_tests.append((test_name, duration))
+                    except (ValueError, IndexError):
+                        continue
+
+        return slow_tests
+
+    def _parse_all_durations(self, output: str) -> list[tuple[str, float]]:
+        """Parse all test durations"""
+        all_tests = []
+
+        for line in output.splitlines():
+            if "s call" in line:
+                parts = line.split()
+                if len(parts) >= 3:
+                    try:
+                        duration_str = parts[0].rstrip("s")
+                        duration = float(duration_str)
+                        test_name = parts[-1]
+                        all_tests.append((test_name, duration))
+                    except (ValueError, IndexError):
+                        continue
+
+        return all_tests