logomesh 0.1.0__tar.gz

logomesh-0.1.0/.env.example

@@ -0,0 +1,59 @@
+# === GitHub App ===
+# Create at https://github.com/settings/apps
+GITHUB_APP_ID=123456
+GITHUB_PRIVATE_KEY_PATH=./private-key.pem
+# Or set the key directly (newlines escaped as \n):
+# GITHUB_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----"
+GITHUB_WEBHOOK_SECRET=your-webhook-secret
+
+# === LLM ===
+OPENAI_API_KEY=sk-proj-your-key-here
+OPENAI_MODEL=gpt-4o-mini
+# OPENAI_BASE_URL=https://api.openai.com/v1  # override for Azure/local
+
+# Fallback: if no OPENAI_API_KEY, uses Gemini
+# GEMINI_API_KEY=your-gemini-key
+
+# === Sandbox ===
+# SANDBOX_TIMEOUT=15            # seconds per test run (default: 15)
+
+# === Oracle Lanes ===
+# Each lane can be individually enabled/disabled.
+
+# Sentry Replay: replays real production exceptions against PR code.
+# Requires Sentry API access. Lane auto-disables if credentials not set.
+# SENTRY_AUTH_TOKEN=sntrys_your-token-here
+# SENTRY_ORG=your-org
+# SENTRY_PROJECT=your-project
+# SENTRY_BASE_URL=https://sentry.io
+# LOGOMESH_ENABLE_SENTRY_LANE=1
+
+# Static Patterns: auth guard, secrets, skipped tests, debug flags, migration order.
+# LOGOMESH_ENABLE_STATIC_LANE=1
+
+# Type Contracts: test boundary inputs from type hints / Pydantic models. (coming soon)
+# LOGOMESH_ENABLE_TYPE_LANE=1
+
+# Behavioral Regression: compare base vs head output on same inputs. (coming soon)
+# LOGOMESH_ENABLE_REGRESSION_LANE=1
+
+# Test Augmentation: edge-case variants of existing test assertions. (coming soon)
+# LOGOMESH_ENABLE_AUGMENTATION_LANE=1
+
+# === Pipeline Config ===
+# LOGOMESH_ENABLE_CLEAN_SIGNAL=1    # post "no issues found" on clean PRs
+# LOGOMESH_MAX_FINDINGS_PER_FILE=5
+# LOGOMESH_MAX_FINDINGS_PER_PR=15
+# PIPELINE_TIMEOUT_SECONDS=240
+# ENABLE_INLINE_REVIEW=1            # inline ```suggestion``` blocks
+
+# === Supabase (multi-tenant install + run storage) ===
+# You can set either SUPABASE_URL directly OR SUPABASE_PROJECT_REF.
+# SUPABASE_PROJECT_REF=xyzcompanyabc123
+# SUPABASE_URL=https://xyzcompanyabc123.supabase.co
+# Prefer SUPABASE_SERVICE_KEY; SUPABASE_SERVICE_ROLE_KEY also supported.
+# SUPABASE_SERVICE_KEY=eyJhbGciOi...
+# LOGOMESH_MASTER_KEY=<32-byte urlsafe-base64 or 64-char hex>
+
+# === Production ===
+# LOGOMESH_ENV=production       # disables subprocess fallback (requires Docker)

logomesh-0.1.0/.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,27 @@
+---
+name: Bug report
+about: Report something that isn't working correctly
+labels: bug
+---
+
+**Describe the bug**
+What happened?
+
+**To reproduce**
+Steps to reproduce the behavior:
+1. Run `...`
+2. Send request to `...`
+3. See error
+
+**Expected behavior**
+What should have happened instead?
+
+**Environment**
+- OS: [e.g. macOS, Ubuntu 22.04]
+- Python version: [e.g. 3.11.5]
+- uv version:
+
+**Logs / output**
+```
+paste relevant logs here
+```

logomesh-0.1.0/.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,14 @@
+---
+name: Feature request
+about: Suggest an improvement or new feature
+labels: enhancement
+---
+
+**What problem does this solve?**
+Describe the problem or limitation you're running into.
+
+**Proposed solution**
+How would you solve it? Be specific about what you'd change.
+
+**Alternatives considered**
+Any other approaches you thought about?

logomesh-0.1.0/.github/pull_request_template.md

@@ -0,0 +1,16 @@
+## What does this PR do?
+
+<!-- Brief description of the change -->
+
+## Related issue
+
+<!-- Link to the issue this PR addresses, e.g. Fixes #123 -->
+
+## How was this tested?
+
+<!-- Describe how you verified the change works -->
+
+## Checklist
+
+- [ ] My changes don't break existing functionality
+- [ ] I've tested locally with `uv run pytest tests/ -v`

logomesh-0.1.0/.github/workflows/ci.yml

@@ -0,0 +1,38 @@
+name: CI
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.12'
+
+      - name: Install uv
+        run: pip install uv
+
+      - name: Install dependencies
+        run: uv sync
+
+      - name: Run tests
+        run: uv run pytest tests/ -v
+
+      - name: Enforce quality gates
+        if: ${{ vars.ENFORCE_LOGOMESH_QUALITY_GATES == '1' }}
+        run: |
+          UV_CACHE_DIR=/tmp/uv-cache uv run python scripts/quality_gates.py \
+            --run results/real_prs_run_6.json \
+            --replay results/replay_from_run3_current.json \
+            --out results/quality_gates_latest.json \
+            --strict

logomesh-0.1.0/.gitignore

@@ -0,0 +1,87 @@
+# Python
+.venv/
+__pycache__/
+*.pyc
+*.egg-info/
+.mypy_cache/
+.pytest_cache/
+dist/
+build/
+
+# Environment
+.env
+*.pem
+
+# Data
+*.db
+*.db-shm
+*.db-wal
+*.db-journal
+
+# OS
+.DS_Store
+
+# IDE
+.idea/
+.vscode/
+.claude/
+
+# JetBrains / PyCharm
+*.iml
+*.ipr
+*.iws
+.idea_modules/
+out/
+
+# PyCharm local/cached project data
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/**/usage.statistics.xml
+.idea/**/dictionaries/
+.idea/**/shelf/
+.idea/**/httpRequests/
+.idea/**/dataSources/
+.idea/**/dataSources.local.xml
+.idea/**/dataSources.ids
+.idea/**/dataSources.xml
+.idea/**/uiDesigner.xml
+
+# JetBrains build output dirs
+cmake-build-*/
+
+# Project specific
+docs/startup/
+docs/archive/
+archive/logomesh_legacy/results/
+docs/refs-internal/
+data/job_queue.sqlite3
+
+# Internal strategy/agent docs (not for repo)
+docs/agent_system/
+docs/strategy/discovery/
+docs/strategy/evaluation.md
+docs/strategy/research_validation.md
+docs/strategy/narrowing_philosophy.md
+docs/prompts/
+docs/internal/
+docs/run_results/
+
+# Private internal files — kept locally, never push
+archive/logomesh_legacy/ref-for-agents/
+archive/logomesh_legacy/ruflo_config.json
+.agents/
+
+.playwright-mcp/
+/docs/superpowers/
+.mcp.json
+skills-lock.json
+
+*.log
+*.tmp
+*.bak
+*.swp
+*.python-version
+*.orig
+
+# ALL LEGACY CODE
+archive/

logomesh-0.1.0/AGENTS.md

@@ -0,0 +1,62 @@
+# AGENTS.md
+
+## Mission and product constraints
+- logomesh is post-incident **deterministic repro with proof**: only ship artifacts/PRs/comments when `deterministic_repro` reproduces and the exception type matches (`logomesh_orchestrator.py`, `src/oracles/sentry_replay_v2.py`, `src/cli/artifact.py`).
+- Keep output evidence-first and terse (repro call -> observed result, expected property, location/state) and never add scores or "looks good" comments; non-repro or mismatch should stay silent or `needs_human_review` (`src/cli/repro.py`, `src/server/sentry_comment.py`, `src/server/github_comment.py`).
+- LLM output is advisory only; evidence-path test bytes are deterministic from frame locals (`logomesh_orchestrator.py`, `src/oracles/sentry_replay_v2.py`).
+
+## Pipeline mental model (read this first)
+- Sentry webhook ingress is fast-ACK + async dispatch: verify HMAC signature + timestamp window + idempotency, then 202 ACK and semaphore-limited dispatch (`src/server/sentry_webhook.py`).
+- Core repro flow: fetch event -> innermost in-app frame -> resolve source -> build deterministic test -> sandbox run -> verify exception match (`src/oracles/sentry_replay.py`, `src/oracles/sentry_replay_v2.py`, `src/business_logic/sandbox/__init__.py`).
+- LangGraph orchestrator wraps the deterministic core: only `deterministic_repro` yields sealed bytes; other tools are advisory (context, deps prep, commenting) (`logomesh_orchestrator.py`).
+- `logomesh repro` is the primary product path; `logomesh check` runs the single-file verify pipeline (`src/cli/repro.py`, `src/cli/check.py`, `src/core/pipeline.py`).
+
+## Project-specific conventions that matter
+- Single-file verification in `verify_file`: build change scope -> pack parseable source -> make sandbox importable -> generate tests -> cap tests -> inject target stubs -> dependency-aware sandbox run -> classify -> validate -> repro/regression gate -> `VerifyResult` (`src/core/pipeline.py`, `src/core/repro_gate.py`).
+- Property-inference preprocessing gates (fire before any LLM call): (a) `_is_trivial_passthrough` drops wrapper functions whose body is a single delegation (`return self.inner(...)`); (b) arity filter drops properties whose `input_code` doesn't match the function signature; (c) `_is_identity_dunder_property` drops no-op assertions on dunders; (d) `_counter_impl_probe` (one batched LLM call per function, gated by `ENABLE_COUNTER_IMPL_PROBE`, default on) drops properties that a semantically-wrong implementation could still satisfy — bias toward keeping on parse failure. These gates live in `src/business_logic/generator/inference.py` and are wired into BOTH `inference.infer_properties` and the legacy compat shim `src/business_logic/legacy/generator.py` (where `PropertyTestGenerator` actually resolves `infer_properties` / `infer_metamorphic_properties` from). Do not edit legacy's copy without also updating or re-importing from inference.
+- Spotlighting is on by default in inference (`ENABLE_SPOTLIGHTING`): untrusted source is sentinel-rewritten per call before prompt assembly to blunt prompt-injection instructions embedded in code/comments (`_spotlight` in `src/business_logic/generator/inference.py`).
+- Time-Travel Trace: the sandbox conftest (`_TRACE_HOOK` injected in both `_CONFTEST_AUTOMOCK` and `_CONFTEST_STRICT`) installs a `pytest_exception_interact` hook that walks the traceback to the frame inside `target.py`, captures its `f_locals` (with size/type guards), and writes `{func, lineno, locals}` into `finding.trace` (`src/business_logic/sandbox/__init__.py`, `src/business_logic/classifier/core.py`).
+- Classifier artifact suppressors in `src/business_logic/classifier/core.py`: (a) `_trace_has_automock_leak` drops findings whose trace shows `MagicMock` in `target.py` locals (sandbox automock leaked into user code); (b) `_PY2_BUILTINS` set drops `NameError` for Py2-only names (`unicode`, `basestring`, ...) that are unreachable under Python 3 execution; (c) salt dunder globals (`__opts__`, `__salt__`, ...) are dropped as SaltStack-runtime-injected symbols. These filters must stay — they are the reason fabric-style Py2-compat guard FPs stay suppressed.
+- Files with import chains known to fail sandbox collection are skipped early as structurally untestable (`is_structurally_untestable`, currently Twisted/Scrapy fragments) and counted in taxonomy (`src/business_logic/generator/inference.py`).
+- Test generation must **not** wrap calls in `try/except`; failures should surface to pytest/classifier (`src/business_logic/generator/`).
+- Function extraction is underscore-aware but not "public-only": runtime dunders in `_TESTABLE_DUNDERS` and modified `__init__` paths are intentionally testable; don't reintroduce blanket `_` filtering (`src/business_logic/generator/ast_analysis.py`).
+- Diff-aware scope is semantic, not raw line fuzzing: changed symbols are extracted and packed into parseable source slices (`src/business_logic/change_scope/`, `src/core/pipeline.py`).
+- Sandbox importability is intentionally rewritten: relative imports/external bases/module-level call assignments are mocked to keep `target.py` importable (`make_sandbox_importable` in `src/business_logic/legacy/generator.py`).
+- Sandbox runs are dependency-aware: `Sandbox.run_dependency_aware` accepts dependency files and optional `deps_snapshot` mounts; orchestrator `prepare_environment` can build a snapshot when imports fail (`src/business_logic/sandbox/__init__.py`, `logomesh_orchestrator.py`).
+- Logs are structured JSON only (`log.info/warn/error`) via `src/logomesh_log.py`; preserve `component` names for grepability.
+
+## External integrations and boundaries
+- Sentry webhook auth uses HMAC-SHA256 + timestamp replay window; idempotency is `(issue_id, sha256(payload))` with a 24h in-process LRU; concurrency is capped via `LOGOMESH_MAX_CONCURRENT_RUNS` (`src/server/sentry_webhook.py`).
+- Supabase-backed installations + runs: secrets are AES-256-GCM encrypted and `resolve_secrets()` falls back to env vars; `supabase_client` uses an in-memory shim when credentials are missing (`src/core/installation_secrets.py`, `src/core/supabase_client.py`, `migrations/`).
+- GitHub draft PRs use `gh` CLI first, then REST with `GITHUB_TOKEN` + `GITHUB_REPO`; server comment posting uses per-install tokens (`src/cli/draft_pr.py`, `src/server/github_comment.py`).
+- Sentry + Slack comments are posted from the server layer using per-install secrets (`src/server/sentry_comment.py`, `src/server/slack_summary.py`).
+- LLM provider selection is env-driven (`OPENAI_API_KEY` preferred, Anthropic/Gemini-compatible fallback); temperature/reasoning args come from `src/llm_utils.py`.
+- Sandbox supports Docker hardened runs with subprocess fallback for local dev; path traversal protections and output redaction live in the sandbox (`src/business_logic/sandbox/__init__.py`).
+
+## Developer workflows (high signal)
+- Install deps: `uv sync`
+- Run tests: `uv run pytest tests/ -v`
+- Build sandbox image (required for realistic runs): `docker build -t logomesh-startup-sandbox:latest -f Dockerfile.sandbox .`
+- Run repro: `uv run logomesh repro <sentry-url>`
+- Emit artifact: `uv run logomesh repro <url> --artifact`
+- Draft PR: `uv run logomesh repro <url> --draft-pr`
+- Run local verify: `uv run logomesh check <path>`
+- Run API server locally: `LOGOMESH_ENV=production uv run uvicorn src.server.app:app --port 8080`
+- Replay a historical run: `uv run python scripts/replay_run.py --from results/real_prs_run_3.json --out results/replay_from_run3_current.json`
+- Enforce quality gates (also in CI): `UV_CACHE_DIR=/tmp/uv-cache uv run python scripts/quality_gates.py --run results/real_prs_run_6.json --replay results/replay_from_run3_current.json --out results/quality_gates_latest.json --strict`
+- Apply Supabase migrations: `psql $SUPABASE_DB_URL -f migrations/0001_installation_secrets.sql` and `psql $SUPABASE_DB_URL -f migrations/0002_runs.sql` (or `supabase db push`)
+- CI (`.github/workflows/ci.yml`) runs `pytest tests/ -v` on every push/PR; quality gates run only when `ENFORCE_LOGOMESH_QUALITY_GATES=1` is set
+
+## Where to look before editing
+- Orchestrator + compliance gates: `logomesh_orchestrator.py`
+- Deterministic repro + Sentry parsing: `src/oracles/sentry_replay_v2.py`, `src/oracles/sentry_replay.py`
+- CLI entrypoints + artifact/PR output: `src/cli/repro.py`, `src/cli/check.py`, `src/cli/artifact.py`, `src/cli/draft_pr.py`
+- Core verify pipeline + repro gate: `src/core/pipeline.py`, `src/core/repro_gate.py`
+- Webhooks/API + comment channels: `src/server/sentry_webhook.py`, `src/server/installations_api.py`, `src/server/github_comment.py`, `src/server/sentry_comment.py`, `src/server/slack_summary.py`
+- Secrets + persistence: `src/core/installation_secrets.py`, `src/core/supabase_client.py`, `migrations/`
+- Sandbox security and execution modes: `src/business_logic/sandbox/__init__.py`
+- Generation + validation: `src/business_logic/generator/`, `src/business_logic/validator/`, `src/business_logic/scaffold_filter/__init__.py`
+- Diff/change-scope logic: `src/business_logic/change_scope/`
+- Deep debug walkthrough: `docs/pipeline.md`
+- Launch/replay gate definitions: `docs/refs/QUALITY_GATES.md`
+- Production deployment runbook (systemd/nginx/webhook wiring): `docs/refs/DEPLOYMENT.md`

logomesh-0.1.0/CLAUDE.md

@@ -0,0 +1,87 @@
+# logomesh
+
+## What This Is
+CLI / GitHub App / MCP server that finds logic bugs and edge-case failures in Python code by inferring invariants, then attacking them with adversarial inputs in a Docker sandbox. Only reports when it has concrete, reproducible evidence.
+
+Primary surface: `logomesh repro <sentry-url>` — paste a Sentry issue URL, get a failing pytest against your current branch with audit-ready post-incident evidence mapped to **SOC2 CC7.3 + CC7.4 + PCI DSS 12.10.5** (incident response). Earlier docs referenced PCI 6.3.2 — that control covers pre-release code review and is the wrong mapping for a post-incident product. Corrected.
+
+## Output Format
+Lead with the violated property and the evidence.
+
+```
+## logomesh found 1 issue
+
+### Negative quantity bypasses checkout validation
+**Property:** Order total should always be ≥ 0
+**I called:** `checkout(item_id=1, qty=-5)`
+**Got:** Order created with total `-$49.95`
+**Location:** checkout.py, line 42
+```
+
+No score. No preliminary comment. Silence = clean.
+
+## Key Paths
+- `src/cli/` — `repro.py`, `artifact.py`, `draft_pr.py`, `check.py`, `main.py`
+- `src/oracles/sentry_replay.py` — Sentry event fetch, frame locals → pytest synthesis
+- `src/business_logic/generator/` — inference, ast_analysis, codegen, models
+- `src/business_logic/sandbox/` — Docker sandbox + `_TRACE_HOOK` injection
+- `src/business_logic/classifier/` — pytest-output → findings, artifact suppression
+- `src/business_logic/validator/`, `src/business_logic/scaffold_filter/` — LLM reachability + static drops
+- `src/business_logic/deep_checks/` — static signals + deep probes
+- `src/core/` — llm_utils, logomesh_log, usage_tracker, config
+- `src/capture/` — runtime capture hooks (FastAPI, Django, SQLAlchemy, Redis, Stripe)
+- `tests/` — 500 unit tests
+- `docs/pipeline.md` — full pipeline walkthrough for contributors
+- `Dockerfile.sandbox` — sandbox image (python:3.12-slim + pytest + pytest-json-report)
+- `logomesh_legacy/` — archived GitHub App, MCP server, benchmark data (kept for reference)
+
+## Architecture
+Single-pass pipeline per changed Python file:
+1. AST extracts public functions + testable dunders
+2. **Passthrough gate** drops trivial wrappers (`_is_trivial_passthrough`)
+3. LLM infers properties/invariants per surviving function
+4. **Counter-impl probe** drops weak properties a wrong-impl could satisfy (1 batched LLM call/function)
+5. Adversarial tests generated targeting remaining properties + edge-case / metamorphic / toxic variants
+6. Executed in Docker sandbox (airgapped, nobody user, memory/PID limits, randomized report filename)
+7. **Time-Travel Trace** hook captures `f_locals` at crash inside `target.py`
+8. Classifier parses pytest output, drops automock-leak / Py2-builtin / scope-slice artifacts
+9. Validator: LLM confirms crash is caller-reachable (1 call per finding)
+10. Repro + base regression + two-signal gates
+11. Formatter posts only if evidence survives
+
+`logomesh repro` path:
+1. Fetch Sentry event → extract innermost app frame + locals
+2. PII redact frame locals (PAN regex + field-name matching)
+3. Synthesize pytest from locals (deterministic) or LLM (default)
+4. Run in sandbox → retry once on no-repro
+5. Emit result / compliance artifact / draft PR
+
+## Dev Commands
+```bash
+uv sync                    # install deps
+uv run pytest tests/ -v    # run tests (500 passing)
+docker build -t logomesh-startup-sandbox:latest -f Dockerfile.sandbox .
+uv run logomesh repro <sentry-url>           # reproduce a crash
+uv run logomesh repro <url> --artifact       # + PCI/SOC2 envelope
+uv run logomesh repro <url> --draft-pr       # + open GitHub draft PR
+uv run logomesh check <path>                 # run check pipeline on local file
+```
+
+## Key Design Rules
+- Only report findings with concrete evidence (violated property + reproducible input/output)
+- Never pip install from PR/user code in sandbox
+- Webhook must ACK in <10s — enqueue and process asynchronously
+- Semaphore(3) concurrency limit, 120s pipeline timeout
+- Graceful degradation: no Docker → subprocess fallback; LLM fails → edge-case tests only
+- Tests must NOT wrap calls in try/except
+- Sandbox: path traversal protection, 512KB file size cap, binary rejection
+- Generator input capped at 4000 chars; retry once on LLM failure
+- PII redaction runs before any frame locals reach LLM or generated test code
+
+## What Was Removed (do not resurrect)
+- `red_logic/` — MCTS orchestrator, dependency_analyzer, semantic_analyzer, constraint_breaker
+- `scoring.py` / CIS formula — meaningless for PRs
+- `compare_vectors.py` / VectorScorer — 400MB model, not needed
+- `analyzer.py` / SemanticAuditor — not used in pipeline
+- Two-pass pipeline / preliminary comment — post nothing until crash confirmed
+- `src/github_app/`, `src/mcp_server/` — moved to `logomesh_legacy/` (deprioritized surfaces)

logomesh-0.1.0/Dockerfile.sandbox

@@ -0,0 +1,118 @@
+# Sandbox image for running PR tests in isolation.
+# Build: docker build -t logomesh-startup-sandbox:latest -f Dockerfile.sandbox .
+#
+# Fat image: native toolchains baked in so PRs against packages with
+# C/Rust extensions (datafusion, pydantic-core, lxml, psycopg, protobuf)
+# can build+test without network.
+FROM python:3.12-slim
+
+ENV DEBIAN_FRONTEND=noninteractive \
+    PIP_NO_CACHE_DIR=1 \
+    PIP_DISABLE_PIP_VERSION_CHECK=1 \
+    CARGO_HOME=/opt/cargo \
+    RUSTUP_HOME=/opt/rustup \
+    PATH=/opt/cargo/bin:$PATH \
+    TZ=UTC \
+    LANG=C.UTF-8 \
+    LC_ALL=C.UTF-8 \
+    # --- Determinism layer (Task #4: never-fails) ---
+    # PYTHONHASHSEED=0: dict/set iteration order stable across runs so the same
+    # test + same input always produces the same output. Without this, findings
+    # can "flap" between runs, which destroys dev trust exactly once.
+    PYTHONHASHSEED=0 \
+    # No .pyc artifacts on the read-only FS — prevents permission errors at import.
+    PYTHONDONTWRITEBYTECODE=1 \
+    # Streams not buffered — every log line lands in real time.
+    PYTHONUNBUFFERED=1 \
+    # Stable random seeds for anything that consults sys-level sources.
+    SOURCE_DATE_EPOCH=1704067200 \
+    # Locale already C.UTF-8 above — keeps sort/str.isdigit/etc. deterministic.
+    PYTHONIOENCODING=utf-8
+
+# Native build deps:
+#   gcc/g++/make/pkg-config — C/C++ extensions
+#   libpq-dev              — psycopg / asyncpg
+#   libxml2-dev libxslt1-dev — lxml
+#   libssl-dev libffi-dev  — cryptography, cffi
+#   zlib1g-dev libjpeg-dev — Pillow-ish
+#   protobuf-compiler      — protoc for grpc/proto codegen
+#   curl ca-certificates   — rustup bootstrap
+#   git                    — pip VCS installs if ever needed
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        gcc g++ make pkg-config \
+        clang \
+        libpq-dev \
+        libxml2-dev libxslt1-dev \
+        libssl-dev libffi-dev \
+        zlib1g-dev libjpeg-dev \
+        protobuf-compiler \
+        curl ca-certificates git \
+    && rm -rf /var/lib/apt/lists/*
+
+# Rust toolchain (stable, minimal profile) for pydantic-core, cryptography>=42,
+# orjson, tokenizers, polars, datafusion, etc.
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs \
+      | sh -s -- -y --default-toolchain stable --profile minimal \
+    && chmod -R a+rX /opt/cargo /opt/rustup
+
+RUN pip install pytest pytest-json-report hypothesis pytest-xdist \
+    && pip install "crosshair-tool" "hypothesis[crosshair]" \
+    && pip install atheris || true \
+    && pip install time-machine responses respx vcrpy pytest-recording \
+    && pip install pytest-sqlalchemy-mock frontrun || true \
+    && rm -rf /root/.cache
+
+# Pre-baked native extension libraries — most common PR targets.
+# Installed so sandbox can import them without network access.
+# "|| true" on each: build succeeds even if a wheel fails (e.g., architecture mismatch).
+RUN pip install \
+        pyarrow \
+        polars \
+        duckdb \
+        pandas \
+        numpy \
+    && pip install datafusion || true \
+    && rm -rf /root/.cache
+
+# Pre-baked web/fintech/auth stack — covers the top runtime dependencies
+# that degraded findings to "analysis-based" on real PRs. On LogoMesh's
+# own self-review PR (#2), 27 of 28 findings fell to analysis-only mode
+# because openai/pydantic/etc. weren't importable. Pre-installing the
+# common set eliminates 80%+ of those cases without the user needing a
+# `.logomesh.toml` deps entry — YAML stays for the long tail.
+#
+# Order: pydantic first (the #1 missing dep). Pinned to >=2 to match
+# the validator and generator assumptions in our own codebase. Separate
+# RUN layer so bumping LLM SDKs doesn't invalidate the web-stack cache.
+RUN pip install \
+        "pydantic>=2" \
+        pydantic-settings \
+        fastapi \
+        starlette \
+        httpx \
+        requests \
+        aiohttp \
+        sqlalchemy \
+        psycopg2-binary \
+        redis \
+        celery \
+        boto3 \
+        pyjwt \
+        cryptography \
+        stripe \
+    && rm -rf /root/.cache
+
+# LLM SDKs — separate layer because they release breaking changes
+# every few weeks. "|| true" so a flaky openai wheel doesn't block
+# the whole image build.
+RUN pip install openai anthropic || true \
+    && rm -rf /root/.cache
+
+# Hypothesis DB mount point — persisted counterexamples survive across PR runs
+# when the host bind-mounts a directory here. Pre-created so non-root user can
+# write even when the mount is absent (Hypothesis falls back to fresh DB).
+RUN mkdir -p /hypothesis-db && chmod 0777 /hypothesis-db
+
+WORKDIR /workspace
+
+USER nobody

logomesh-0.1.0/Makefile

@@ -0,0 +1,18 @@
+.PHONY: verify-latest gates-latest sandbox
+
+LATEST_RUN := $(shell ls -1 results/real_prs_run_*.json 2>/dev/null | awk -F'[_.]' '{print $$(NF-1), $$0}' | sort -n | tail -1 | awk '{print $$2}')
+LATEST_RUN_ID := $(shell echo $(LATEST_RUN) | sed -E 's|.*real_prs_run_([0-9]+)\.json|\1|')
+
+sandbox:
+	docker build -t logomesh-startup-sandbox:latest -f Dockerfile.sandbox .
+	docker image prune -f
+
+verify-latest:
+	@test -n "$(LATEST_RUN)" || (echo "no results/real_prs_run_*.json found" && exit 1)
+	@echo "verifying $(LATEST_RUN) -> benchmarks/labels/run_$(LATEST_RUN_ID).json"
+	@mkdir -p benchmarks/labels
+	uv run python scripts/verify_findings.py $(LATEST_RUN) --label-out benchmarks/labels/run_$(LATEST_RUN_ID).json
+
+gates-latest:
+	@test -n "$(LATEST_RUN)" || (echo "no results/real_prs_run_*.json found" && exit 1)
+	uv run python scripts/quality_gates.py --run $(LATEST_RUN) --labels benchmarks/labels --strict