PyPI - hypergumbo - Versions diffs - 2.7.0__tar.gz → 3.0.0__tar.gz - Mend

hypergumbo 2.7.0tar.gz → 3.0.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

{hypergumbo-2.7.0 → hypergumbo-3.0.0}/.gitignore RENAMED Viewed

@@ -42,6 +42,7 @@ autonomous_intent.txt
 .agent/.transcript-sync-state.*.json
 .agent/.transcript-poll-state.*
 .agent/.transcript-injection-state.*.json
+.agent/.transcript-injection-state.*.lock
 .agent/.last_session_transcript.jsonl
 .agent/.second_to_last_transcript.jsonl
 .agent/.last_injection_history.jsonl

{hypergumbo-2.7.0 → hypergumbo-3.0.0}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: hypergumbo
-Version: 2.7.0
+Version: 3.0.0
 Summary: Local-first repo behavior map generator
 Author: Hypergumbo contributors
 License: AGPL-3.0-or-later
@@ -10,10 +10,10 @@ Classifier: License :: OSI Approved :: GNU Affero General Public License v3 or l
 Classifier: Programming Language :: Python :: 3
 Classifier: Programming Language :: Python :: 3 :: Only
 Requires-Python: >=3.10
-Requires-Dist: hypergumbo-core==2.7.0
-Requires-Dist: hypergumbo-lang-common==2.7.0
-Requires-Dist: hypergumbo-lang-extended1==2.7.0
-Requires-Dist: hypergumbo-lang-mainstream==2.7.0
+Requires-Dist: hypergumbo-core==3.0.0
+Requires-Dist: hypergumbo-lang-common==3.0.0
+Requires-Dist: hypergumbo-lang-extended1==3.0.0
+Requires-Dist: hypergumbo-lang-mainstream==3.0.0
 Provides-Extra: dev
 Requires-Dist: bandit~=1.9.3; extra == 'dev'
 Requires-Dist: check-jsonschema~=0.36.1; extra == 'dev'
@@ -150,7 +150,7 @@ hypergumbo . -t 8000   # detailed with many symbols
 hypergumbo [path]              # Markdown sketch (default)
 hypergumbo run [path]          # Full JSON behavior map
 hypergumbo slice --entry X     # Subgraph from entry point
-hypergumbo io-boundaries       # Find all I/O (filesystem, network, subprocess, env)
+hypergumbo io-boundaries       # Find all I/O (filesystem, network, subprocess, env, IPC, browser storage)
 hypergumbo verify-claims ...   # Verify security claims against analysis
 hypergumbo routes [path]       # List HTTP routes
 hypergumbo search <query>      # Search symbols
@@ -168,6 +168,19 @@ hypergumbo . --no-progress     # hide progress indicator (on by default)
 hypergumbo --help --all        # comprehensive help for all commands
 ```
+### Project-local taint catalogs
+`verify-claims` ships with paranoid defaults auto-derived from the built-in IO primitive catalog. Projects can supply their own trust zones, sanitizers, and label maps:
+```bash
+hypergumbo verify-claims claims.yaml \
+    --taint-sources    myrepo/taint/sources.yaml \
+    --taint-sinks      myrepo/taint/sinks/ \
+    --taint-sanitizers myrepo/taint/sanitizers.yaml
+```
+Each flag accepts a YAML file or a directory (globbed as `*.yaml`), and is repeatable. The same paths can be declared inside the claims YAML under `extra_catalogs: {sources, sinks, sanitizers}` — relative paths resolve against the claims-file directory. User entries whose `(module, name, kind)` triple matches a built-in replace it; sanitizers concatenate.
 Results are automatically cached in `~/.cache/hypergumbo/`. Just run:
 ```bash
 hypergumbo .    # auto-runs analysis if no cache exists, then generates sketch
@@ -182,8 +195,8 @@ See `hypergumbo --help` for all options.
 - **Language analyzers**: Python, JS/TS, Java, Rust, Go, C/C++, and [many more](https://codeberg.org/iterabloom/hypergumbo/src/branch/dev/docs/LANGUAGES.md)
 - **Linkers**: Tier 2 edge-recovery passes across four subcategories — Protocol (HTTP, WebSocket, message queues, SQL), Bridge (JNI, wasm_bindgen, Tauri IPC, language-pair FFI), Framework (gRPC, GraphQL, React components, DI resolution, ORM), Infrastructure (containment, inheritance, module imports). [Full catalogue](https://codeberg.org/iterabloom/hypergumbo/src/branch/dev/docs/LINKERS.md).
 - **Framework patterns**: FastAPI, Django, Rails, Spring Boot, Phoenix, Express, and [many more](https://codeberg.org/iterabloom/hypergumbo/src/branch/dev/docs/FRAMEWORKS.md)
-- **I/O boundary detection**: Maps every call chain that reaches the filesystem, network, subprocesses, or environment — across FFI boundaries
-- **Taint-flow analysis**: Traces data from sensitive sources (crypto keys, plaintext) to sinks (filesystem, network), with sanitizer awareness
+- **I/O boundary detection**: Maps every call chain that reaches the filesystem, network, subprocess, environment, IPC, or browser-local storage — across FFI boundaries
+- **Taint-flow analysis**: Traces data from sensitive sources (environment variables, received network input, crypto outputs, key material) to sinks in six trust zones (`host_fs`, `network`, `host_env`, `ipc`, `browser_storage`, `relay`), with sanitizer awareness
 - **Supply chain tiers**: Classifies code as first-party, internal, external, or derived for dependency-aware analysis
 ## How It Works

{hypergumbo-2.7.0 → hypergumbo-3.0.0}/README.md RENAMED Viewed

@@ -120,7 +120,7 @@ hypergumbo . -t 8000   # detailed with many symbols
 hypergumbo [path]              # Markdown sketch (default)
 hypergumbo run [path]          # Full JSON behavior map
 hypergumbo slice --entry X     # Subgraph from entry point
-hypergumbo io-boundaries       # Find all I/O (filesystem, network, subprocess, env)
+hypergumbo io-boundaries       # Find all I/O (filesystem, network, subprocess, env, IPC, browser storage)
 hypergumbo verify-claims ...   # Verify security claims against analysis
 hypergumbo routes [path]       # List HTTP routes
 hypergumbo search <query>      # Search symbols
@@ -138,6 +138,19 @@ hypergumbo . --no-progress     # hide progress indicator (on by default)
 hypergumbo --help --all        # comprehensive help for all commands
 ```
+### Project-local taint catalogs
+`verify-claims` ships with paranoid defaults auto-derived from the built-in IO primitive catalog. Projects can supply their own trust zones, sanitizers, and label maps:
+```bash
+hypergumbo verify-claims claims.yaml \
+    --taint-sources    myrepo/taint/sources.yaml \
+    --taint-sinks      myrepo/taint/sinks/ \
+    --taint-sanitizers myrepo/taint/sanitizers.yaml
+```
+Each flag accepts a YAML file or a directory (globbed as `*.yaml`), and is repeatable. The same paths can be declared inside the claims YAML under `extra_catalogs: {sources, sinks, sanitizers}` — relative paths resolve against the claims-file directory. User entries whose `(module, name, kind)` triple matches a built-in replace it; sanitizers concatenate.
 Results are automatically cached in `~/.cache/hypergumbo/`. Just run:
 ```bash
 hypergumbo .    # auto-runs analysis if no cache exists, then generates sketch
@@ -152,8 +165,8 @@ See `hypergumbo --help` for all options.
 - **Language analyzers**: Python, JS/TS, Java, Rust, Go, C/C++, and [many more](https://codeberg.org/iterabloom/hypergumbo/src/branch/dev/docs/LANGUAGES.md)
 - **Linkers**: Tier 2 edge-recovery passes across four subcategories — Protocol (HTTP, WebSocket, message queues, SQL), Bridge (JNI, wasm_bindgen, Tauri IPC, language-pair FFI), Framework (gRPC, GraphQL, React components, DI resolution, ORM), Infrastructure (containment, inheritance, module imports). [Full catalogue](https://codeberg.org/iterabloom/hypergumbo/src/branch/dev/docs/LINKERS.md).
 - **Framework patterns**: FastAPI, Django, Rails, Spring Boot, Phoenix, Express, and [many more](https://codeberg.org/iterabloom/hypergumbo/src/branch/dev/docs/FRAMEWORKS.md)
-- **I/O boundary detection**: Maps every call chain that reaches the filesystem, network, subprocesses, or environment — across FFI boundaries
-- **Taint-flow analysis**: Traces data from sensitive sources (crypto keys, plaintext) to sinks (filesystem, network), with sanitizer awareness
+- **I/O boundary detection**: Maps every call chain that reaches the filesystem, network, subprocess, environment, IPC, or browser-local storage — across FFI boundaries
+- **Taint-flow analysis**: Traces data from sensitive sources (environment variables, received network input, crypto outputs, key material) to sinks in six trust zones (`host_fs`, `network`, `host_env`, `ipc`, `browser_storage`, `relay`), with sanitizer awareness
 - **Supply chain tiers**: Classifies code as first-party, internal, external, or derived for dependency-aware analysis
 ## How It Works

{hypergumbo-2.7.0 → hypergumbo-3.0.0}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "hypergumbo"
-version = "2.7.0"
+version = "3.0.0"
 description = "Local-first repo behavior map generator"
 readme = "README.md"
 requires-python = ">=3.10"
@@ -19,10 +19,10 @@ classifiers = [
 ]
 dependencies = [
   # Meta-package that pulls in all hypergumbo components
-  "hypergumbo-core==2.7.0",
-  "hypergumbo-lang-mainstream==2.7.0",
-  "hypergumbo-lang-common==2.7.0",
-  "hypergumbo-lang-extended1==2.7.0",
+  "hypergumbo-core==3.0.0",
+  "hypergumbo-lang-mainstream==3.0.0",
+  "hypergumbo-lang-common==3.0.0",
+  "hypergumbo-lang-extended1==3.0.0",
 ]
 [project.optional-dependencies]

{hypergumbo-2.7.0 → hypergumbo-3.0.0}/src/hypergumbo/__init__.py RENAMED Viewed

File without changes

{hypergumbo-2.7.0 → hypergumbo-3.0.0}/src/hypergumbo/__main__.py RENAMED Viewed

File without changes

{hypergumbo-2.7.0 → hypergumbo-3.0.0}/tests/test_meta.py RENAMED Viewed

File without changes

hypergumbo 2.7.0__tar.gz → 3.0.0__tar.gz

hypergumbo 2.7.0tar.gz → 3.0.0tar.gz