PyPI - omnibase_infra - Versions diffs - 0.2.1__py3-none-any.whl → 0.2.3__py3-none-any.whl - Mend

omnibase_infra 0.2.1py3-none-any.whl → 0.2.3py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (161) hide show

omnibase_infra/validation/validator_security.py CHANGED Viewed

@@ -1,410 +1,513 @@
 # SPDX-License-Identifier: MIT
 # Copyright (c) 2025 OmniNode Team
-"""Security Validation for ONEX Infrastructure.
+"""Security Validator for ONEX Infrastructure.
-This module provides security validation utilities for handler introspection,
-method exposure, and security constraint enforcement. Part of OMN-1091:
-Structured Validation & Error Reporting for Handlers.
+Contract-driven AST validator for detecting security concerns in Python code.
+Part of OMN-1277: Refactor validators to be Handler and contract-driven.
 Security Validation Scope:
-    - Method exposure via introspection (sensitive method names)
-    - Credential leakage in public method signatures
-    - Insecure patterns in handler code
-    - Missing authentication/authorization decorators
-Integration Status:
-    This module is a PLACEHOLDER for future security validation integration.
-    As of implementation, the security validation logic needs to be integrated
-    with the following components:
-    1. MixinNodeIntrospection._should_skip_method() - Add validation
-    2. Contract linting - Add security rule checks
-    3. Static analysis - Add AST-based security scanning
-    4. Runtime validation - Add security constraint enforcement
+    - Public methods with sensitive names (get_password, get_secret, etc.)
+    - Method signatures containing sensitive parameter names
+    - Admin/internal methods exposed without underscore prefix
+    - Decrypt operations exposed publicly
 Usage:
-    >>> from omnibase_infra.validation.validator_security import (
-    ...     validate_method_exposure,
-    ...     validate_handler_security,
-    ... )
+    >>> from pathlib import Path
+    >>> from omnibase_infra.validation.validator_security import ValidatorSecurity
     >>>
-    >>> # Validate method names for security concerns
-    >>> errors = validate_method_exposure(
-    ...     method_names=["get_credentials", "process_request"],
-    ...     handler_identity=ModelHandlerIdentifier.from_handler_id("auth-handler"),
-    ... )
-    >>>
-    >>> # Check for security violations
-    >>> for error in errors:
-    ...     print(error.format_for_logging())
+    >>> validator = ValidatorSecurity()
+    >>> result = validator.validate(Path("src/"))
+    >>> if not result.is_valid:
+    ...     for issue in result.issues:
+    ...         print(f"{issue.file_path}:{issue.line_number}: {issue.message}")
+CLI Usage:
+    python -m omnibase_infra.validation.validator_security src/
 See Also:
     - docs/patterns/security_patterns.md - Comprehensive security guide
-    - MixinNodeIntrospection - Node capability discovery with security filtering
-    - ModelHandlerValidationError - Structured error reporting
-    - EnumHandlerErrorType.SECURITY_VALIDATION_ERROR - Error classification
+    - ValidatorBase - Base class for contract-driven validators
 """
 from __future__ import annotations
+import ast
+import logging
 import re
-from typing import Final
-from omnibase_infra.models.errors import ModelHandlerValidationError
-from omnibase_infra.models.handlers import ModelHandlerIdentifier
-from omnibase_infra.models.validation import ModelValidationErrorParams
-# Security rule IDs for structured error reporting
-# These IDs enable tracking and remediation of specific security violations
-class SecurityRuleId:
-    """Rule IDs for security validation errors.
-    These IDs provide unique identifiers for each type of security validation
-    failure, enabling structured error tracking and remediation guidance.
-    """
-    # Method exposure violations (SECURITY-001 to SECURITY-099)
-    SENSITIVE_METHOD_EXPOSED = "SECURITY-001"
-    CREDENTIAL_IN_SIGNATURE = "SECURITY-002"
-    ADMIN_METHOD_PUBLIC = "SECURITY-003"
-    DECRYPT_METHOD_PUBLIC = "SECURITY-004"
-    # Configuration violations (SECURITY-100 to SECURITY-199)
-    CREDENTIAL_IN_CONFIG = "SECURITY-100"
-    HARDCODED_SECRET = "SECURITY-101"
-    INSECURE_CONNECTION = "SECURITY-102"
-    # Pattern violations (SECURITY-200 to SECURITY-299)
-    INSECURE_PATTERN = "SECURITY-200"
-    MISSING_AUTH_CHECK = "SECURITY-201"
-    MISSING_INPUT_VALIDATION = "SECURITY-202"
-# Sensitive method name patterns that should be prefixed with underscore
-# These patterns indicate methods that expose sensitive operations
-# Pre-compiled for performance
-_SENSITIVE_METHOD_PATTERN_STRINGS: Final[tuple[str, ...]] = (
-    r"^get_password$",
-    r"^get_secret$",
-    r"^get_token$",
-    r"^get_api_key$",
-    r"^get_credential",
-    r"^fetch_password$",
-    r"^fetch_secret$",
-    r"^fetch_token$",
-    r"^decrypt_",
-    r"^admin_",
-    r"^internal_",
-    r"^validate_password$",
-    r"^check_password$",
-    r"^verify_password$",
-)
-# Pre-compiled regex patterns for efficient matching
-SENSITIVE_METHOD_PATTERNS: Final[tuple[re.Pattern[str], ...]] = tuple(
-    re.compile(pattern) for pattern in _SENSITIVE_METHOD_PATTERN_STRINGS
-)
-# Patterns that should map to ADMIN_METHOD_PUBLIC rule (SECURITY-003)
-_ADMIN_INTERNAL_PATTERN_STRINGS: Final[tuple[str, ...]] = (
-    r"^admin_",
-    r"^internal_",
-)
-# Pre-compiled admin/internal patterns
-_ADMIN_INTERNAL_PATTERNS: Final[tuple[re.Pattern[str], ...]] = tuple(
-    re.compile(pattern) for pattern in _ADMIN_INTERNAL_PATTERN_STRINGS
-)
-# Parameter names that indicate sensitive data in method signatures
-SENSITIVE_PARAMETER_NAMES: Final[frozenset[str]] = frozenset(
-    {
-        "password",
-        "secret",
-        "token",
-        "api_key",
-        "apikey",
-        "access_key",
-        "private_key",
-        "credential",
-        "auth_token",
-        "bearer_token",
-        "decrypt_key",
-        "encryption_key",
-    }
+import sys
+from dataclasses import dataclass, field
+from pathlib import Path
+from typing import ClassVar
+from omnibase_core.models.common.model_validation_issue import ModelValidationIssue
+from omnibase_core.models.contracts.subcontracts.model_validator_subcontract import (
+    ModelValidatorSubcontract,
 )
+from omnibase_core.validation.validator_base import ValidatorBase
+# Configure logger for this module
+logger = logging.getLogger(__name__)
-def is_sensitive_method_name(method_name: str) -> bool:
-    """Check if method name matches sensitive operation patterns.
-    Args:
-        method_name: Name of the method to check
+@dataclass(frozen=True, slots=True)
+class CompiledPatterns:
+    """Pre-compiled regex patterns for security validation.
-    Returns:
-        True if method name indicates a sensitive operation
+    Patterns are compiled once per contract/file validation, not per method.
+    This significantly improves performance for large codebases by avoiding
+    repeated pattern extraction from contract rules and regex compilation.
-    Example:
-        >>> is_sensitive_method_name("get_password")
-        True
-        >>> is_sensitive_method_name("process_request")
-        False
+    Attributes:
+        admin_patterns: Compiled patterns for admin_method_public rule.
+        decrypt_patterns: Compiled patterns for decrypt_method_public rule.
+        sensitive_patterns: Compiled patterns for sensitive_method_exposed rule.
+        sensitive_params: Lowercase sensitive parameter names (exact match, no regex).
     """
-    method_lower = method_name.lower()
-    for pattern in SENSITIVE_METHOD_PATTERNS:
-        if pattern.match(method_lower):
-            return True
+    admin_patterns: tuple[re.Pattern[str], ...] = field(default_factory=tuple)
+    decrypt_patterns: tuple[re.Pattern[str], ...] = field(default_factory=tuple)
+    sensitive_patterns: tuple[re.Pattern[str], ...] = field(default_factory=tuple)
+    sensitive_params: frozenset[str] = field(default_factory=frozenset)
-    return False
+@dataclass(frozen=True, slots=True)
+class MethodContext:
+    """Context for method validation - groups related parameters."""
-def _get_sensitivity_rule_id(method_name: str) -> str | None:
-    """Determine the appropriate security rule ID for a sensitive method.
+    method_name: str
+    class_name: str
+    file_path: Path
+    line_number: int
+    contract: ModelValidatorSubcontract
+    compiled_patterns: CompiledPatterns
-    Args:
-        method_name: Name of the method to check
-    Returns:
-        Security rule ID if method is sensitive, None otherwise
+class ValidatorSecurity(ValidatorBase):
+    """Contract-driven security validator for Python source files.
-    Note:
-        - admin_/internal_ methods map to SECURITY-003 (ADMIN_METHOD_PUBLIC)
-        - Other sensitive patterns map to SECURITY-001 (SENSITIVE_METHOD_EXPOSED)
+    This validator uses AST analysis to detect security concerns in Python code:
+    - Public methods with sensitive names (get_password, get_secret, etc.)
+    - Method signatures containing sensitive parameter names
+    - Admin/internal methods exposed without underscore prefix
+    - Decrypt operations exposed publicly
+    The validator is contract-driven via security.validation.yaml, supporting:
+    - Configurable rules with enable/disable per rule
+    - Per-rule severity overrides
+    - Suppression comments for intentional exceptions
+    - Glob-based file targeting and exclusion
+    Thread Safety:
+        ValidatorSecurity instances are NOT thread-safe due to internal mutable
+        state inherited from ValidatorBase. When using parallel execution
+        (e.g., pytest-xdist), create separate validator instances per worker.
+    Attributes:
+        validator_id: Unique identifier for this validator ("security").
+    Usage Example:
+        >>> from pathlib import Path
+        >>> from omnibase_infra.validation.validator_security import ValidatorSecurity
+        >>> validator = ValidatorSecurity()
+        >>> result = validator.validate(Path("src/"))
+        >>> print(f"Valid: {result.is_valid}, Issues: {len(result.issues)}")
+    CLI Usage:
+        python -m omnibase_infra.validation.validator_security src/
     """
-    method_lower = method_name.lower()
-    # Check admin/internal patterns first (SECURITY-003)
-    for pattern in _ADMIN_INTERNAL_PATTERNS:
-        if pattern.match(method_lower):
-            return SecurityRuleId.ADMIN_METHOD_PUBLIC
-    # Check other sensitive patterns (SECURITY-001)
-    for pattern in SENSITIVE_METHOD_PATTERNS:
-        if pattern.match(method_lower):
-            return SecurityRuleId.SENSITIVE_METHOD_EXPOSED
-    return None
+    # ONEX_EXCLUDE: string_id - human-readable validator identifier
+    validator_id: ClassVar[str] = "security"
+    def _get_rule_patterns(
+        self,
+        rule_id: str,
+        param_key: str,
+        contract: ModelValidatorSubcontract,
+    ) -> list[str]:
+        """Extract patterns from a rule's parameters in the contract.
+        Searches the contract's rules for the specified rule_id and extracts
+        the list of patterns from the specified parameter key.
+        Args:
+            rule_id: The rule identifier to look up (e.g., "sensitive_method_exposed").
+            param_key: The parameter key containing the patterns (e.g., "patterns").
+            contract: Validator contract with rule configurations.
+        Returns:
+            List of pattern strings from the rule's parameters. Returns an empty
+            list if the rule is not found, has no parameters, or the param_key
+            is missing/invalid (fail-safe behavior).
+        """
+        for rule in contract.rules:
+            if rule.rule_id == rule_id:
+                if rule.parameters is None:
+                    logger.debug(
+                        "Rule %s has no parameters, returning empty list",
+                        rule_id,
+                    )
+                    return []
+                patterns = rule.parameters.get(param_key)
+                if patterns is None:
+                    logger.debug(
+                        "Rule %s missing param_key %s, returning empty list",
+                        rule_id,
+                        param_key,
+                    )
+                    return []
+                if isinstance(patterns, list):
+                    # Ensure all items are strings
+                    return [str(p) for p in patterns]
+                logger.warning(
+                    "Rule %s param_key %s is not a list: %s",
+                    rule_id,
+                    param_key,
+                    type(patterns).__name__,
+                )
+                return []
+        logger.debug("Rule %s not found in contract, returning empty list", rule_id)
+        return []
+    def _compile_patterns(
+        self,
+        contract: ModelValidatorSubcontract,
+    ) -> CompiledPatterns:
+        """Compile and cache all regex patterns from contract rules.
+        This method extracts patterns from the contract once per file validation,
+        compiles them into re.Pattern objects, and returns a frozen dataclass.
+        This avoids repeated pattern extraction and compilation for every method.
+        Args:
+            contract: Validator contract with rule configurations.
+        Returns:
+            CompiledPatterns instance with pre-compiled patterns.
+        """
+        def compile_pattern_list(patterns: list[str]) -> tuple[re.Pattern[str], ...]:
+            """Compile a list of pattern strings into regex Pattern objects."""
+            compiled: list[re.Pattern[str]] = []
+            for pattern in patterns:
+                try:
+                    compiled.append(re.compile(pattern))
+                except re.error as e:
+                    logger.warning(
+                        "Invalid regex pattern '%s': %s - skipping",
+                        pattern,
+                        e,
+                    )
+            return tuple(compiled)
+        # Extract and compile patterns for each rule
+        admin_patterns = compile_pattern_list(
+            self._get_rule_patterns("admin_method_public", "patterns", contract)
+        )
+        decrypt_patterns = compile_pattern_list(
+            self._get_rule_patterns("decrypt_method_public", "patterns", contract)
+        )
+        sensitive_patterns = compile_pattern_list(
+            self._get_rule_patterns("sensitive_method_exposed", "patterns", contract)
+        )
+        # Extract sensitive parameter names (exact match, no regex compilation needed)
+        sensitive_params_list = self._get_rule_patterns(
+            "credential_in_signature", "sensitive_params", contract
+        )
+        sensitive_params = frozenset(p.lower() for p in sensitive_params_list)
+        return CompiledPatterns(
+            admin_patterns=admin_patterns,
+            decrypt_patterns=decrypt_patterns,
+            sensitive_patterns=sensitive_patterns,
+            sensitive_params=sensitive_params,
+        )
+    def _validate_file(
+        self,
+        path: Path,
+        contract: ModelValidatorSubcontract,
+    ) -> tuple[ModelValidationIssue, ...]:
+        """Validate a single Python file for security violations.
+        Uses AST analysis to detect:
+        - Sensitive method names in class definitions
+        - Sensitive parameter names in method signatures
+        Args:
+            path: Path to the Python file to validate.
+            contract: Validator contract with configuration.
+        Returns:
+            Tuple of ModelValidationIssue instances for violations found.
+        """
+        try:
+            source = path.read_text(encoding="utf-8")
+        except OSError as e:
+            # fallback-ok: log warning and skip file on read errors
+            logger.warning("Cannot read file %s: %s", path, e)
+            return ()
+        try:
+            tree = ast.parse(source, filename=str(path))
+        except SyntaxError as e:
+            # fallback-ok: log warning and skip file with syntax errors
+            logger.warning(
+                "Skipping file with syntax error: path=%s, line=%s, error=%s",
+                path,
+                e.lineno,
+                e.msg,
+            )
+            return ()
-def has_sensitive_parameters(signature: str) -> list[str]:
-    """Extract sensitive parameter names from method signature.
-    Args:
-        signature: Method signature string (e.g., "(username: str, password: str)")
+        issues: list[ModelValidationIssue] = []
-    Returns:
-        List of sensitive parameter names found in signature
+        # Compile patterns once for the entire file validation
+        # This avoids repeated pattern extraction and regex compilation per method
+        compiled_patterns = self._compile_patterns(contract)
-    Example:
-        >>> has_sensitive_parameters("(username: str, password: str)")
-        ['password']
-        >>> has_sensitive_parameters("(user_id: UUID, data: dict)")
-        []
-    """
-    signature_lower = signature.lower()
-    found_sensitive = []
+        # Visit all class definitions in the file
+        for node in ast.walk(tree):
+            if isinstance(node, ast.ClassDef):
+                class_issues = self._check_class_methods(
+                    node, path, contract, compiled_patterns
+                )
+                issues.extend(class_issues)
+        return tuple(issues)
+    def _check_class_methods(
+        self,
+        class_node: ast.ClassDef,
+        file_path: Path,
+        contract: ModelValidatorSubcontract,
+        compiled_patterns: CompiledPatterns,
+    ) -> list[ModelValidationIssue]:
+        """Check class methods for security violations."""
+        issues: list[ModelValidationIssue] = []
+        for node in class_node.body:
+            if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
+                method_name = node.name
+                # Skip private/protected methods (already safe)
+                if method_name.startswith("_"):
+                    continue
+                # Skip dunder methods
+                if method_name.startswith("__") and method_name.endswith("__"):
+                    continue
+                ctx = MethodContext(
+                    method_name=method_name,
+                    class_name=class_node.name,
+                    file_path=file_path,
+                    line_number=node.lineno,
+                    contract=contract,
+                    compiled_patterns=compiled_patterns,
+                )
+                method_issues = self._check_method(node, ctx)
+                issues.extend(method_issues)
+        return issues
+    def _check_method(
+        self,
+        method_node: ast.FunctionDef | ast.AsyncFunctionDef,
+        ctx: MethodContext,
+    ) -> list[ModelValidationIssue]:
+        """Check a single method for security violations."""
+        issues: list[ModelValidationIssue] = []
+        # Check for sensitive method names
+        method_issues = self._check_sensitive_method_name(ctx)
+        issues.extend(method_issues)
+        # Check for sensitive parameters in signature
+        param_issues = self._check_sensitive_parameters(method_node, ctx)
+        issues.extend(param_issues)
+        return issues
+    def _check_sensitive_method_name(
+        self,
+        ctx: MethodContext,
+    ) -> list[ModelValidationIssue]:
+        """Check if method name matches sensitive patterns.
+        Uses pre-compiled patterns from ctx.compiled_patterns for efficiency.
+        Patterns are originally read from contract.rules[].parameters.
+        """
+        issues: list[ModelValidationIssue] = []
+        method_lower = ctx.method_name.lower()
+        # Check admin/internal patterns (rule: admin_method_public)
+        # Uses pre-compiled patterns from ctx.compiled_patterns
+        for pattern in ctx.compiled_patterns.admin_patterns:
+            if pattern.match(method_lower):
+                enabled, severity = self._get_rule_config(
+                    "admin_method_public", ctx.contract
+                )
+                if enabled:
+                    issues.append(
+                        ModelValidationIssue(
+                            severity=severity,
+                            message=f"Class '{ctx.class_name}' exposes admin/internal method '{ctx.method_name}'",
+                            code="admin_method_public",
+                            file_path=ctx.file_path,
+                            line_number=ctx.line_number,
+                            rule_name="admin_method_public",
+                            suggestion=f"Prefix method with underscore: '_{ctx.method_name}' or move to separate admin module",
+                            context={
+                                "class_name": ctx.class_name,
+                                "method_name": ctx.method_name,
+                                "violation_type": "admin_method_public",
+                            },
+                        )
+                    )
+                return issues  # Don't double-report
+        # Check decrypt patterns (rule: decrypt_method_public)
+        # Uses pre-compiled patterns from ctx.compiled_patterns
+        for pattern in ctx.compiled_patterns.decrypt_patterns:
+            if pattern.match(method_lower):
+                enabled, severity = self._get_rule_config(
+                    "decrypt_method_public", ctx.contract
+                )
+                if enabled:
+                    issues.append(
+                        ModelValidationIssue(
+                            severity=severity,
+                            message=f"Class '{ctx.class_name}' exposes decrypt method '{ctx.method_name}'",
+                            code="decrypt_method_public",
+                            file_path=ctx.file_path,
+                            line_number=ctx.line_number,
+                            rule_name="decrypt_method_public",
+                            suggestion=f"Prefix method with underscore: '_{ctx.method_name}' to exclude from public API",
+                            context={
+                                "class_name": ctx.class_name,
+                                "method_name": ctx.method_name,
+                                "violation_type": "decrypt_method_public",
+                            },
+                        )
+                    )
+                return issues  # Don't double-report
+        # Check other sensitive patterns (rule: sensitive_method_exposed)
+        # Uses pre-compiled patterns from ctx.compiled_patterns
+        for pattern in ctx.compiled_patterns.sensitive_patterns:
+            if pattern.match(method_lower):
+                enabled, severity = self._get_rule_config(
+                    "sensitive_method_exposed", ctx.contract
+                )
+                if enabled:
+                    issues.append(
+                        ModelValidationIssue(
+                            severity=severity,
+                            message=f"Class '{ctx.class_name}' exposes sensitive method '{ctx.method_name}'",
+                            code="sensitive_method_exposed",
+                            file_path=ctx.file_path,
+                            line_number=ctx.line_number,
+                            rule_name="sensitive_method_exposed",
+                            suggestion=f"Prefix method with underscore: '_{ctx.method_name}' to exclude from introspection",
+                            context={
+                                "class_name": ctx.class_name,
+                                "method_name": ctx.method_name,
+                                "violation_type": "sensitive_method_exposed",
+                            },
+                        )
+                    )
+                break
+        return issues
+    def _check_sensitive_parameters(
+        self,
+        method_node: ast.FunctionDef | ast.AsyncFunctionDef,
+        ctx: MethodContext,
+    ) -> list[ModelValidationIssue]:
+        """Check method signature for sensitive parameter names.
+        Uses pre-compiled sensitive_params frozenset from ctx.compiled_patterns.
+        Patterns are originally read from contract.rules[].parameters.
+        """
+        issues: list[ModelValidationIssue] = []
+        # Get rule configuration
+        enabled, severity = self._get_rule_config(
+            "credential_in_signature", ctx.contract
+        )
+        if not enabled:
+            return issues
+        # Use pre-compiled sensitive params (already lowercase frozenset)
+        sensitive_params = ctx.compiled_patterns.sensitive_params
+        # If no patterns defined in contract, return early (fail-safe)
+        if not sensitive_params:
+            return issues
+        # Extract parameter names from AST
+        found_sensitive: list[str] = []
+        for arg in method_node.args.args:
+            arg_name_lower = arg.arg.lower()
+            if arg_name_lower in sensitive_params:
+                found_sensitive.append(arg.arg)
+        # Also check keyword-only args (parameters after * in signature)
+        for arg in method_node.args.kwonlyargs:
+            arg_name_lower = arg.arg.lower()
+            if arg_name_lower in sensitive_params:
+                found_sensitive.append(arg.arg)
+        # Also check positional-only args (Python 3.8+, parameters before / in signature)
+        # Example: def authenticate(username, /, password): ...
+        # Here 'username' is positional-only and would be in posonlyargs
+        for arg in method_node.args.posonlyargs:
+            arg_name_lower = arg.arg.lower()
+            if arg_name_lower in sensitive_params:
+                found_sensitive.append(arg.arg)
+        # Check vararg (*args parameter)
+        # Example: def process(*passwords): ... would expose sensitive vararg name
+        if method_node.args.vararg:
+            vararg_name_lower = method_node.args.vararg.arg.lower()
+            if vararg_name_lower in sensitive_params:
+                found_sensitive.append(method_node.args.vararg.arg)
+        # Check kwarg (**kwargs parameter)
+        # Example: def process(**secrets): ... would expose sensitive kwarg name
+        if method_node.args.kwarg:
+            kwarg_name_lower = method_node.args.kwarg.arg.lower()
+            if kwarg_name_lower in sensitive_params:
+                found_sensitive.append(method_node.args.kwarg.arg)
+        if found_sensitive:
+            issues.append(
+                ModelValidationIssue(
+                    severity=severity,
+                    message=f"Method '{ctx.class_name}.{ctx.method_name}' has sensitive parameters: {', '.join(found_sensitive)}",
+                    code="credential_in_signature",
+                    file_path=ctx.file_path,
+                    line_number=ctx.line_number,
+                    rule_name="credential_in_signature",
+                    suggestion=f"Use generic parameter names (e.g., 'data' instead of '{found_sensitive[0]}') or make method private",
+                    context={
+                        "class_name": ctx.class_name,
+                        "method_name": ctx.method_name,
+                        "sensitive_parameters": ", ".join(found_sensitive),
+                        "violation_type": "credential_in_signature",
+                    },
+                )
+            )
-    for param_name in SENSITIVE_PARAMETER_NAMES:
-        # Match parameter name as word boundary to avoid false positives
-        # e.g., "password" matches but "password_hash" doesn't
-        pattern = rf"\b{param_name}\b"
-        if re.search(pattern, signature_lower):
-            found_sensitive.append(param_name)
+        return issues
-    return found_sensitive
+# CLI entry point
+if __name__ == "__main__":
+    sys.exit(ValidatorSecurity.main())
-def validate_method_exposure(
-    method_names: list[str],
-    handler_identity: ModelHandlerIdentifier,
-    method_signatures: dict[str, str] | None = None,
-    file_path: str | None = None,
-) -> list[ModelHandlerValidationError]:
-    """Validate method names and signatures for security concerns.
-    Checks for:
-    - Sensitive method names that should be private (prefixed with _)
-    - Method signatures containing sensitive parameter names
-    - Admin/internal operations exposed publicly
-    Args:
-        method_names: List of public method names to validate
-        handler_identity: Handler identification information
-        method_signatures: Optional dict mapping method names to signatures
-        file_path: Optional file path for error context
-    Returns:
-        List of ModelHandlerValidationError for any violations found
-    Example:
-        >>> from omnibase_infra.models.handlers import ModelHandlerIdentifier
-        >>> identity = ModelHandlerIdentifier.from_handler_id("auth-handler")
-        >>> errors = validate_method_exposure(
-        ...     method_names=["get_api_key", "process_request"],
-        ...     handler_identity=identity,
-        ...     method_signatures={"get_api_key": "() -> str"},
-        ... )
-        >>> len(errors)
-        1
-        >>> errors[0].rule_id
-        'SECURITY-001'
-    """
-    errors: list[ModelHandlerValidationError] = []
-    for method_name in method_names:
-        # Check for sensitive method names and get appropriate rule ID
-        rule_id = _get_sensitivity_rule_id(method_name)
-        if rule_id is not None:
-            # Customize message and hint based on rule type
-            if rule_id == SecurityRuleId.ADMIN_METHOD_PUBLIC:
-                message = f"Handler exposes admin/internal method '{method_name}'"
-                remediation_hint = f"Prefix method with underscore: '_{method_name}' or move to separate admin module"
-                violation_type = "admin_method_public"
-            else:
-                message = f"Handler exposes sensitive method '{method_name}'"
-                remediation_hint = f"Prefix method with underscore: '_{method_name}' to exclude from introspection"
-                violation_type = "sensitive_method_exposed"
-            error = ModelHandlerValidationError.from_security_violation(
-                rule_id=rule_id,
-                message=message,
-                remediation_hint=remediation_hint,
-                handler_identity=handler_identity,
-                file_path=file_path,
-                details={
-                    "method_name": method_name,
-                    "violation_type": violation_type,
-                },
-            )
-            errors.append(error)
-    # Check method signatures if provided
-    if method_signatures:
-        for method_name, signature in method_signatures.items():
-            sensitive_params = has_sensitive_parameters(signature)
-            if sensitive_params:
-                error = ModelHandlerValidationError.from_security_violation(
-                    rule_id=SecurityRuleId.CREDENTIAL_IN_SIGNATURE,
-                    message=f"Method '{method_name}' has sensitive parameters in signature: {', '.join(sensitive_params)}",
-                    remediation_hint=f"Use generic parameter names (e.g., 'data' instead of '{sensitive_params[0]}') or make method private",
-                    handler_identity=handler_identity,
-                    file_path=file_path,
-                    details={
-                        "method_name": method_name,
-                        "signature": signature,
-                        "sensitive_parameters": sensitive_params,
-                        "violation_type": "credential_in_signature",
-                    },
-                )
-                errors.append(error)
-    return errors
-def validate_handler_security(
-    handler_identity: ModelHandlerIdentifier,
-    capabilities: dict[str, object],
-    file_path: str | None = None,
-) -> list[ModelHandlerValidationError]:
-    """Validate handler capabilities for security violations.
-    This is the main entry point for security validation of a handler's
-    introspection data. It checks:
-    - Method exposure (sensitive method names)
-    - Method signatures (sensitive parameters)
-    - Security best practices
-    Args:
-        handler_identity: Handler identification information
-        capabilities: Capabilities dict from MixinNodeIntrospection.get_capabilities()
-        file_path: Optional file path for error context
-    Returns:
-        List of ModelHandlerValidationError for any violations found
-    Example:
-        >>> capabilities = {
-        ...     "operations": ["get_api_key", "process_request"],
-        ...     "protocols": ["ProtocolDatabaseAdapter"],
-        ...     "has_fsm": False,
-        ...     "method_signatures": {
-        ...         "get_api_key": "() -> str",
-        ...         "process_request": "(data: dict) -> Result",
-        ...     },
-        ... }
-        >>> errors = validate_handler_security(
-        ...     handler_identity=ModelHandlerIdentifier.from_handler_id("auth"),
-        ...     capabilities=capabilities,
-        ... )
-        >>> len(errors) > 0
-        True
-    """
-    operations = capabilities.get("operations", [])
-    if not isinstance(operations, list):
-        operations = []
-    method_signatures = capabilities.get("method_signatures", {})
-    if not isinstance(method_signatures, dict):
-        method_signatures = {}
-    return validate_method_exposure(
-        method_names=operations,
-        handler_identity=handler_identity,
-        method_signatures=method_signatures,
-        file_path=file_path,
-    )
-def convert_to_validation_error(
-    params: ModelValidationErrorParams,
-) -> ModelHandlerValidationError:
-    """Convert a security issue to ModelHandlerValidationError.
-    This is a convenience function for creating security validation errors
-    with consistent structure. Use this when integrating security checks
-    into existing validation pipelines.
-    Args:
-        params: Parameters encapsulating rule_id, message, remediation_hint,
-            handler_identity, and optional file_path, line_number, details.
-    Returns:
-        ModelHandlerValidationError configured for security violations
-    Example:
-        >>> params = ModelValidationErrorParams(
-        ...     rule_code=SecurityRuleId.SENSITIVE_METHOD_EXPOSED,
-        ...     message="Handler exposes 'get_password' method",
-        ...     remediation_hint="Prefix with underscore: '_get_password'",
-        ...     handler_identity=ModelHandlerIdentifier.from_handler_id("auth"),
-        ...     file_path="nodes/auth/handlers/handler_authenticate.py",
-        ...     line_number=42,
-        ... )
-        >>> error = convert_to_validation_error(params)
-        >>> error.error_type == EnumHandlerErrorType.SECURITY_VALIDATION_ERROR
-        True
-    """
-    return ModelHandlerValidationError.from_security_violation(
-        rule_id=params.rule_code,
-        message=params.message,
-        remediation_hint=params.remediation_hint,
-        handler_identity=params.handler_identity,
-        file_path=params.file_path,
-        line_number=params.line_number,
-        details=params.details,
-    )
-__all__ = [
-    "SENSITIVE_METHOD_PATTERNS",
-    "SENSITIVE_PARAMETER_NAMES",
-    "SecurityRuleId",
-    "convert_to_validation_error",
-    "has_sensitive_parameters",
-    "is_sensitive_method_name",
-    "validate_handler_security",
-    "validate_method_exposure",
-]
+__all__ = ["ValidatorSecurity"]

omnibase_infra 0.2.1__py3-none-any.whl → 0.2.3__py3-none-any.whl

omnibase_infra 0.2.1py3-none-any.whl → 0.2.3py3-none-any.whl