llmcode-cli 1.0.0__py3-none-any.whl

llm_code/cron/__init__.py

@@ -0,0 +1,13 @@
+"""Cron scheduling module for llm-code."""
+from llm_code.cron.parser import CronExpression, next_fire_time, parse_cron
+from llm_code.cron.storage import CronStorage, CronTask
+from llm_code.cron.scheduler import CronScheduler
+
+__all__ = [
+    "CronExpression",
+    "CronScheduler",
+    "CronStorage",
+    "CronTask",
+    "next_fire_time",
+    "parse_cron",
+]

llm_code/cron/parser.py

@@ -0,0 +1,145 @@
+"""Cron expression parser — 5-field standard format (local time).
+
+Fields: minute(0-59) hour(0-23) day-of-month(1-31) month(1-12) day-of-week(0-6, 0=Sunday)
+Syntax: * (all), N (single), N-M (range), N,M (list), */N or N-M/N (step)
+"""
+from __future__ import annotations
+
+import dataclasses
+import datetime
+
+_FIELD_RANGES = {
+    "minute": (0, 59),
+    "hour": (0, 23),
+    "day_of_month": (1, 31),
+    "month": (1, 12),
+    "day_of_week": (0, 6),
+}
+
+_FIELD_ORDER = ("minute", "hour", "day_of_month", "month", "day_of_week")
+
+
+@dataclasses.dataclass(frozen=True)
+class CronExpression:
+    minute: tuple[int | str, ...]
+    hour: tuple[int | str, ...]
+    day_of_month: tuple[int | str, ...]
+    month: tuple[int | str, ...]
+    day_of_week: tuple[int | str, ...]
+
+
+def _parse_field(token: str, field_name: str) -> tuple[int, ...]:
+    """Parse a single cron field token into a sorted tuple of valid integers."""
+    lo, hi = _FIELD_RANGES[field_name]
+
+    if token == "*":
+        return tuple(range(lo, hi + 1))
+
+    # Handle step: */N or range/N
+    if "/" in token:
+        base, step_str = token.split("/", 1)
+        step = int(step_str)
+        if step <= 0:
+            raise ValueError(f"Invalid step value in {field_name}: {step}")
+        if base == "*":
+            return tuple(range(lo, hi + 1, step))
+        if "-" in base:
+            rlo, rhi = (int(x) for x in base.split("-", 1))
+        else:
+            rlo, rhi = int(base), hi
+        _validate_range(rlo, rhi, lo, hi, field_name)
+        return tuple(range(rlo, rhi + 1, step))
+
+    # Handle list: N,M,...
+    if "," in token:
+        values = sorted(int(x) for x in token.split(","))
+        for v in values:
+            if v < lo or v > hi:
+                raise ValueError(f"Value {v} out of range for {field_name} ({lo}-{hi})")
+        return tuple(values)
+
+    # Handle range: N-M
+    if "-" in token:
+        rlo, rhi = (int(x) for x in token.split("-", 1))
+        _validate_range(rlo, rhi, lo, hi, field_name)
+        return tuple(range(rlo, rhi + 1))
+
+    # Single value
+    val = int(token)
+    if val < lo or val > hi:
+        raise ValueError(f"Value {val} out of range for {field_name} ({lo}-{hi})")
+    return (val,)
+
+
+def _validate_range(rlo: int, rhi: int, lo: int, hi: int, field_name: str) -> None:
+    if rlo < lo or rhi > hi or rlo > rhi:
+        raise ValueError(f"Invalid range {rlo}-{rhi} for {field_name} ({lo}-{hi})")
+
+
+def parse_cron(expr: str) -> CronExpression:
+    """Parse a 5-field cron expression string into a CronExpression."""
+    tokens = expr.strip().split()
+    if len(tokens) != 5:
+        raise ValueError(f"Cron expression must have 5 fields, got {len(tokens)}: '{expr}'")
+
+    fields: dict[str, tuple[int, ...]] = {}
+    for token, field_name in zip(tokens, _FIELD_ORDER):
+        try:
+            fields[field_name] = _parse_field(token, field_name)
+        except ValueError:
+            raise
+        except Exception as exc:
+            raise ValueError(f"Invalid {field_name} field '{token}': {exc}") from exc
+
+    return CronExpression(**fields)
+
+
+def _python_weekday_to_cron(py_wd: int) -> int:
+    """Convert Python weekday (0=Mon) to cron weekday (0=Sun)."""
+    return (py_wd + 1) % 7
+
+
+def next_fire_time(
+    expr: CronExpression,
+    after: datetime.datetime,
+) -> datetime.datetime:
+    """Return the next datetime matching the cron expression, strictly after `after`.
+
+    Uses local (naive) time. Raises ValueError if no match found within 1 year.
+    """
+    # Start from the next minute boundary
+    candidate = after.replace(second=0, microsecond=0) + datetime.timedelta(minutes=1)
+    limit = after + datetime.timedelta(days=366)
+
+    while candidate <= limit:
+        cron_dow = _python_weekday_to_cron(candidate.weekday())
+
+        if (
+            candidate.month in expr.month
+            and candidate.day in expr.day_of_month
+            and cron_dow in expr.day_of_week
+            and candidate.hour in expr.hour
+            and candidate.minute in expr.minute
+        ):
+            return candidate
+
+        # Advance: skip non-matching months, days, hours, minutes efficiently
+        if candidate.month not in expr.month:
+            # Jump to first day of next month
+            if candidate.month == 12:
+                candidate = candidate.replace(year=candidate.year + 1, month=1, day=1, hour=0, minute=0)
+            else:
+                candidate = candidate.replace(month=candidate.month + 1, day=1, hour=0, minute=0)
+            continue
+
+        if candidate.day not in expr.day_of_month or cron_dow not in expr.day_of_week:
+            candidate = (candidate + datetime.timedelta(days=1)).replace(hour=0, minute=0)
+            continue
+
+        if candidate.hour not in expr.hour:
+            candidate = (candidate + datetime.timedelta(hours=1)).replace(minute=0)
+            continue
+
+        candidate += datetime.timedelta(minutes=1)
+
+    raise ValueError(f"Cron expression has no matching time within 1 year after {after}")

llm_code/cron/scheduler.py

@@ -0,0 +1,135 @@
+"""Asyncio-based cron scheduler with file locking and auto-expiry."""
+from __future__ import annotations
+
+import asyncio
+import datetime
+import fcntl
+import logging
+from pathlib import Path
+from typing import Awaitable, Callable
+
+from llm_code.cron.parser import next_fire_time, parse_cron
+from llm_code.cron.storage import CronStorage, CronTask
+
+logger = logging.getLogger(__name__)
+
+_EXPIRY_DAYS = 30
+_DEFAULT_POLL_SECONDS = 60
+
+
+class CronScheduler:
+    """Background cron scheduler that polls storage every N seconds."""
+
+    def __init__(
+        self,
+        storage: CronStorage,
+        lock_path: Path,
+        on_fire: Callable[[str], Awaitable[None]],
+    ) -> None:
+        self._storage = storage
+        self._lock_path = Path(lock_path)
+        self._on_fire = on_fire
+        self._running = False
+
+    async def start(self, poll_interval: float = _DEFAULT_POLL_SECONDS) -> None:
+        """Run the scheduler loop until stop() is called."""
+        self._running = True
+        while self._running:
+            try:
+                await self._tick(now=datetime.datetime.now())
+            except Exception:
+                logger.exception("Error in cron scheduler tick")
+            await asyncio.sleep(poll_interval)
+
+    def stop(self) -> None:
+        self._running = False
+
+    def check_missed(self, now: datetime.datetime) -> list[CronTask]:
+        """Return tasks that have missed fire times since their last_fired_at."""
+        missed: list[CronTask] = []
+        for task in self._storage.list_all():
+            if task.last_fired_at is None:
+                # Never fired — check if created_at means it should have fired
+                ref = task.created_at
+            else:
+                ref = task.last_fired_at
+            try:
+                expr = parse_cron(task.cron)
+                nxt = next_fire_time(expr, ref)
+                if nxt <= now:
+                    missed.append(task)
+            except ValueError:
+                continue
+        return missed
+
+    async def _tick(self, now: datetime.datetime) -> None:
+        """Run one scheduling cycle."""
+        if not self._try_lock():
+            return
+
+        try:
+            await self._process_tasks(now)
+        finally:
+            self._release_lock()
+
+    async def _process_tasks(self, now: datetime.datetime) -> None:
+        tasks = self._storage.list_all()
+        to_remove: list[str] = []
+
+        for task in tasks:
+            # Auto-expire non-permanent recurring tasks older than 30 days
+            if not task.permanent and task.recurring:
+                age = now - task.created_at
+                if age.days > _EXPIRY_DAYS:
+                    logger.info("Expiring task %s (age: %d days)", task.id, age.days)
+                    to_remove.append(task.id)
+                    continue
+
+            # Determine if task should fire
+            try:
+                expr = parse_cron(task.cron)
+            except ValueError:
+                logger.warning("Invalid cron expression for task %s: %s", task.id, task.cron)
+                continue
+
+            ref = task.last_fired_at or task.created_at
+            try:
+                nxt = next_fire_time(expr, ref)
+            except ValueError:
+                continue
+
+            if nxt <= now:
+                logger.info("Firing task %s: %s", task.id, task.prompt)
+                await self._on_fire(task.prompt)
+                self._storage.update_last_fired(task.id, now)
+
+                if not task.recurring:
+                    to_remove.append(task.id)
+
+        for tid in to_remove:
+            self._storage.remove(tid)
+
+    def _try_lock(self) -> bool:
+        """Acquire a file lock; return True if successful."""
+        try:
+            self._lock_path.parent.mkdir(parents=True, exist_ok=True)
+            # Close previous FD if exists to prevent leak
+            if hasattr(self, "_lock_fd") and self._lock_fd:
+                try:
+                    self._lock_fd.close()
+                except Exception:
+                    pass
+            self._lock_fd = open(self._lock_path, "w")
+            fcntl.flock(self._lock_fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
+            return True
+        except (OSError, IOError):
+            return False
+
+    def _release_lock(self) -> None:
+        """Release the file lock."""
+        try:
+            if hasattr(self, "_lock_fd") and self._lock_fd:
+                fcntl.flock(self._lock_fd, fcntl.LOCK_UN)
+                self._lock_fd.close()
+        except (OSError, IOError):
+            pass

llm_code/cron/storage.py

@@ -0,0 +1,126 @@
+"""Persistent storage for scheduled cron tasks."""
+from __future__ import annotations
+
+import dataclasses
+import datetime
+import json
+import uuid
+from pathlib import Path
+
+_MAX_TASKS = 50
+_ISO_FORMAT = "%Y-%m-%dT%H:%M:%S"
+
+
+@dataclasses.dataclass(frozen=True)
+class CronTask:
+    id: str
+    cron: str
+    prompt: str
+    recurring: bool
+    permanent: bool
+    created_at: datetime.datetime
+    last_fired_at: datetime.datetime | None = None
+
+
+class CronStorage:
+    """Load/save cron tasks from a JSON file under .llm-code/."""
+
+    def __init__(self, path: Path) -> None:
+        self._path = Path(path)
+        self._tasks: list[CronTask] = self._load()
+
+    def _load(self) -> list[CronTask]:
+        if not self._path.exists():
+            return []
+        try:
+            data = json.loads(self._path.read_text(encoding="utf-8"))
+        except (json.JSONDecodeError, OSError):
+            return []
+        tasks: list[CronTask] = []
+        for raw in data.get("tasks", []):
+            last_fired = None
+            if raw.get("last_fired_at"):
+                last_fired = datetime.datetime.strptime(raw["last_fired_at"], _ISO_FORMAT)
+            tasks.append(CronTask(
+                id=raw["id"],
+                cron=raw["cron"],
+                prompt=raw["prompt"],
+                recurring=raw.get("recurring", True),
+                permanent=raw.get("permanent", False),
+                created_at=datetime.datetime.strptime(raw["created_at"], _ISO_FORMAT),
+                last_fired_at=last_fired,
+            ))
+        return tasks
+
+    def _save(self) -> None:
+        self._path.parent.mkdir(parents=True, exist_ok=True)
+        data = {
+            "tasks": [
+                {
+                    "id": t.id,
+                    "cron": t.cron,
+                    "prompt": t.prompt,
+                    "recurring": t.recurring,
+                    "permanent": t.permanent,
+                    "created_at": t.created_at.strftime(_ISO_FORMAT),
+                    "last_fired_at": t.last_fired_at.strftime(_ISO_FORMAT) if t.last_fired_at else None,
+                }
+                for t in self._tasks
+            ]
+        }
+        self._path.write_text(json.dumps(data, indent=2), encoding="utf-8")
+
+    def add(
+        self,
+        cron: str,
+        prompt: str,
+        recurring: bool,
+        permanent: bool,
+    ) -> CronTask:
+        """Add a new task. Raises ValueError if at capacity (50)."""
+        if len(self._tasks) >= _MAX_TASKS:
+            raise ValueError(f"Maximum {_MAX_TASKS} scheduled tasks reached")
+        task = CronTask(
+            id=uuid.uuid4().hex[:12],
+            cron=cron,
+            prompt=prompt,
+            recurring=recurring,
+            permanent=permanent,
+            created_at=datetime.datetime.now(),
+        )
+        self._tasks = [*self._tasks, task]
+        self._save()
+        return task
+
+    def remove(self, task_id: str) -> bool:
+        """Remove a task by ID. Returns True if found and removed."""
+        new_tasks = [t for t in self._tasks if t.id != task_id]
+        if len(new_tasks) == len(self._tasks):
+            return False
+        self._tasks = new_tasks
+        self._save()
+        return True
+
+    def list_all(self) -> list[CronTask]:
+        """Return all tasks (immutable copies via frozen dataclass)."""
+        return list(self._tasks)
+
+    def update_last_fired(
+        self,
+        task_id: str,
+        fired_at: datetime.datetime,
+    ) -> CronTask | None:
+        """Update last_fired_at for a task. Returns updated task or None."""
+        new_tasks: list[CronTask] = []
+        updated: CronTask | None = None
+        for t in self._tasks:
+            if t.id == task_id:
+                updated = dataclasses.replace(t, last_fired_at=fired_at)
+                new_tasks.append(updated)
+            else:
+                new_tasks.append(t)
+        if updated is None:
+            return None
+        self._tasks = new_tasks
+        self._save()
+        return updated

llm_code/enterprise/__init__.py

@@ -0,0 +1 @@
+"""Enterprise features — auth, RBAC, audit."""

llm_code/enterprise/audit.py

@@ -0,0 +1,59 @@
+"""Audit logging — JSONL file logger with composite support."""
+from __future__ import annotations
+
+import json
+import logging
+from abc import ABC, abstractmethod
+from dataclasses import dataclass, field
+from pathlib import Path
+
+_log = logging.getLogger(__name__)
+
+
+@dataclass(frozen=True)
+class AuditEvent:
+    timestamp: str
+    event_type: str
+    user_id: str
+    tool_name: str = ""
+    action: str = ""
+    outcome: str = ""
+    metadata: dict = field(default_factory=dict)
+
+
+class AuditLogger(ABC):
+    @abstractmethod
+    async def log(self, event: AuditEvent) -> None: ...
+
+
+class FileAuditLogger(AuditLogger):
+    def __init__(self, audit_dir: Path) -> None:
+        self._audit_dir = audit_dir
+
+    async def log(self, event: AuditEvent) -> None:
+        self._audit_dir.mkdir(parents=True, exist_ok=True)
+        date_str = event.timestamp[:10]
+        path = self._audit_dir / f"{date_str}.jsonl"
+        line = json.dumps({
+            "timestamp": event.timestamp,
+            "event_type": event.event_type,
+            "user_id": event.user_id,
+            "tool_name": event.tool_name,
+            "action": event.action,
+            "outcome": event.outcome,
+            "metadata": event.metadata,
+        })
+        with open(path, "a", encoding="utf-8") as f:
+            f.write(line + "\n")
+
+
+class CompositeAuditLogger(AuditLogger):
+    def __init__(self, loggers: list[AuditLogger]) -> None:
+        self._loggers = loggers
+
+    async def log(self, event: AuditEvent) -> None:
+        for logger in self._loggers:
+            try:
+                await logger.log(event)
+            except Exception as exc:
+                _log.warning("Audit logger failed: %s", exc)

llm_code/enterprise/auth.py

@@ -0,0 +1,26 @@
+"""Authentication provider abstraction and identity model."""
+from __future__ import annotations
+
+from abc import ABC, abstractmethod
+from dataclasses import dataclass, field
+
+
+@dataclass(frozen=True)
+class AuthIdentity:
+    """Represents an authenticated user."""
+    user_id: str
+    email: str
+    display_name: str
+    groups: tuple[str, ...] = ()
+    raw_claims: dict = field(default_factory=dict)
+
+
+class AuthProvider(ABC):
+    @abstractmethod
+    async def authenticate(self) -> AuthIdentity: ...
+
+    @abstractmethod
+    async def refresh(self) -> AuthIdentity | None: ...
+
+    @abstractmethod
+    async def revoke(self) -> None: ...

llm_code/enterprise/oidc.py

@@ -0,0 +1,95 @@
+"""OIDC authentication provider with PKCE flow."""
+from __future__ import annotations
+
+import hashlib
+import json
+import logging
+import secrets
+from base64 import urlsafe_b64encode
+from dataclasses import dataclass
+from pathlib import Path
+
+import httpx
+
+from llm_code.enterprise.auth import AuthIdentity, AuthProvider
+
+_log = logging.getLogger(__name__)
+
+
+@dataclass(frozen=True)
+class OIDCConfig:
+    issuer: str
+    client_id: str
+    client_secret: str = ""
+    scopes: tuple[str, ...] = ("openid", "email", "profile")
+    redirect_port: int = 9877
+
+
+class OIDCProvider(AuthProvider):
+    def __init__(self, config: OIDCConfig, token_dir: Path | None = None) -> None:
+        self._config = config
+        self._token_dir = token_dir or Path.home() / ".llm-code" / "auth"
+        self._token_path = self._token_dir / "oidc_tokens.json"
+        self._endpoints: dict[str, str] | None = None
+
+    async def _discover(self) -> dict[str, str]:
+        if self._endpoints is not None:
+            return self._endpoints
+        url = f"{self._config.issuer.rstrip('/')}/.well-known/openid-configuration"
+        async with httpx.AsyncClient() as client:
+            resp = await client.get(url)
+            resp.raise_for_status()
+            self._endpoints = resp.json()
+            return self._endpoints
+
+    @staticmethod
+    def _generate_pkce() -> tuple[str, str]:
+        verifier = secrets.token_urlsafe(64)
+        digest = hashlib.sha256(verifier.encode()).digest()
+        challenge = urlsafe_b64encode(digest).rstrip(b"=").decode()
+        return verifier, challenge
+
+    def _save_tokens(self, tokens: dict) -> None:
+        self._token_dir.mkdir(parents=True, exist_ok=True)
+        self._token_path.write_text(json.dumps(tokens), encoding="utf-8")
+
+    def _load_tokens(self) -> dict | None:
+        if not self._token_path.exists():
+            return None
+        try:
+            return json.loads(self._token_path.read_text(encoding="utf-8"))
+        except (json.JSONDecodeError, OSError):
+            return None
+
+    async def authenticate(self) -> AuthIdentity:
+        await self._discover()
+        raise NotImplementedError(
+            "Full OIDC PKCE flow requires browser interaction. "
+            "Use 'llm-code auth login' command."
+        )
+
+    async def refresh(self) -> AuthIdentity | None:
+        tokens = self._load_tokens()
+        if not tokens or "refresh_token" not in tokens:
+            return None
+        endpoints = await self._discover()
+        token_url = endpoints.get("token_endpoint", "")
+        async with httpx.AsyncClient() as client:
+            resp = await client.post(token_url, data={
+                "grant_type": "refresh_token",
+                "client_id": self._config.client_id,
+                "refresh_token": tokens["refresh_token"],
+            })
+            if resp.status_code != 200:
+                return None
+            new_tokens = resp.json()
+            self._save_tokens(new_tokens)
+            return AuthIdentity(
+                user_id=new_tokens.get("sub", ""),
+                email=new_tokens.get("email", ""),
+                display_name=new_tokens.get("name", ""),
+            )
+
+    async def revoke(self) -> None:
+        if self._token_path.exists():
+            self._token_path.unlink()

llm_code/enterprise/rbac.py

@@ -0,0 +1,65 @@
+"""Role-based access control engine."""
+from __future__ import annotations
+
+import fnmatch
+from dataclasses import dataclass
+
+from llm_code.enterprise.auth import AuthIdentity
+
+
+@dataclass(frozen=True)
+class Role:
+    name: str
+    permissions: frozenset[str]
+    tool_allow: tuple[str, ...] = ()
+    tool_deny: tuple[str, ...] = ()
+
+
+DEFAULT_ROLES: dict[str, Role] = {
+    "admin": Role("admin", frozenset({"*"})),
+    "developer": Role(
+        "developer",
+        frozenset({"tool:*", "swarm:create", "session:*", "skill:*"}),
+        tool_deny=("tool:bash:rm -rf *",),
+    ),
+    "viewer": Role(
+        "viewer",
+        frozenset({"tool:read", "tool:glob", "tool:grep", "session:read"}),
+    ),
+}
+
+
+class RBACEngine:
+    def __init__(self, group_role_mapping: dict[str, str], custom_roles: dict[str, Role] | None = None) -> None:
+        self._group_role_mapping = group_role_mapping
+        self._roles = {**DEFAULT_ROLES, **(custom_roles or {})}
+
+    def _get_roles(self, identity: AuthIdentity | None) -> list[Role]:
+        if identity is None:
+            return [self._roles["admin"]]
+        roles = []
+        for group in identity.groups:
+            role_name = self._group_role_mapping.get(group)
+            if role_name and role_name in self._roles:
+                roles.append(self._roles[role_name])
+        return roles
+
+    def is_allowed(self, identity: AuthIdentity | None, permission: str) -> bool:
+        roles = self._get_roles(identity)
+        if not roles:
+            return False
+        for role in roles:
+            if "*" in role.permissions:
+                return True
+            for perm in role.permissions:
+                if perm == permission or (perm.endswith(":*") and permission.startswith(perm[:-1])):
+                    return True
+        return False
+
+    def is_denied_by_pattern(self, identity: AuthIdentity | None, action: str) -> bool:
+        roles = self._get_roles(identity)
+        for role in roles:
+            for pattern in role.tool_deny:
+                if fnmatch.fnmatch(action, pattern):
+                    return True
+        return False

llm_code/harness/__init__.py

@@ -0,0 +1,5 @@
+"""Harness Engine — unified quality control framework."""
+from llm_code.harness.config import HarnessConfig, HarnessControl, HarnessFinding
+from llm_code.harness.engine import HarnessEngine
+
+__all__ = ["HarnessConfig", "HarnessControl", "HarnessFinding", "HarnessEngine"]