onecoder 0.0.2__py3-none-any.whl

onecoder/evaluation/ttu.py

@@ -0,0 +1,176 @@
+from dataclasses import dataclass, field
+from typing import List, Optional, Dict, Any
+from pathlib import Path
+import json
+import os
+
+@dataclass
+class TTUResult:
+    """Result of a Time-To-Understand (TTU) evaluation."""
+    score: float  # 0.0 to 1.0
+    passed: bool
+    context_found: List[str] = field(default_factory=list)
+    missing_context: List[str] = field(default_factory=list)
+    failure_modes: List[str] = field(default_factory=list)
+    recommendations: List[str] = field(default_factory=list)
+    details: Dict[str, Any] = field(default_factory=dict)
+
+class TTUEvaluator:
+    """Evaluates whether the current context is sufficient to start a task."""
+
+    def __init__(self, threshold: float = 0.8): # Increased threshold due to strict governance
+        self.threshold = threshold
+
+    def evaluate(self, sprint_path: Optional[Path] = None) -> TTUResult:
+        """
+        Evaluates the context of the given sprint path.
+        If no path is provided, attempts to find the current active sprint.
+        """
+        repo_root = self._find_repo_root()
+
+        if sprint_path is None:
+            sprint_path = self._find_active_sprint(repo_root)
+
+        if sprint_path is None:
+            return TTUResult(
+                score=0.0,
+                passed=False,
+                missing_context=["Active Sprint Directory"],
+                failure_modes=["Uninitialized Environment"],
+                recommendations=["Initialize a sprint using 'sprint init' or 'onecoder init'"]
+            )
+
+        score = 0.0
+        missing = []
+        found = []
+        failure_modes = []
+        recommendations = []
+        details = {}
+
+        # 0. Check for AGENTS.md (Governance) - Weight: 0.2
+        agents_md = repo_root / "AGENTS.md"
+        if agents_md.exists():
+            score += 0.2
+            found.append("AGENTS.md")
+        else:
+            missing.append("AGENTS.md (Root)")
+            failure_modes.append("Governance Blindness")
+            recommendations.append("Create AGENTS.md in repo root to define agent policies.")
+
+        # 1. Check for sprint.json (Metadata) - Weight: 0.2
+        sprint_json = sprint_path / "sprint.json"
+        if sprint_json.exists():
+            found.append("sprint.json")
+            try:
+                with open(sprint_json, "r") as f:
+                    data = json.load(f)
+
+                # Check for goals
+                if data.get("goals", {}).get("primary"):
+                    score += 0.15
+                    details["goals"] = "Present"
+                else:
+                    missing.append("Primary Goal in sprint.json")
+                    failure_modes.append("Goal Ambiguity")
+                    recommendations.append("Define a primary goal in sprint.json")
+
+                # Check for tasks
+                if data.get("tasks"):
+                    score += 0.05
+                    details["tasks"] = f"{len(data['tasks'])} tasks found"
+                else:
+                    # Not strictly missing if just starting, but good to have
+                    details["tasks"] = "None"
+
+            except Exception as e:
+                missing.append(f"Valid sprint.json ({str(e)})")
+                failure_modes.append("Corrupt Metadata")
+        else:
+            missing.append("sprint.json")
+            failure_modes.append("Missing Metadata")
+            recommendations.append("Run 'sprint init' to generate sprint structure.")
+
+        # 2. Check for Context/Walkthrough - Weight: 0.3
+        # Look for README.md or WALKTHROUGH.md or context folder
+        context_files = ["README.md", "WALKTHROUGH.md", "context/context.md"]
+        context_found_count = 0
+        for cf in context_files:
+            if (sprint_path / cf).exists():
+                context_found_count += 1
+                found.append(cf)
+
+        if context_found_count > 0:
+            score += 0.3
+        else:
+            missing.append("Context Documentation (README.md or WALKTHROUGH.md)")
+            failure_modes.append("Context Blindness")
+            recommendations.append("Add a README.md or WALKTHROUGH.md describing the sprint.")
+
+        # 3. Check for Media/Reference (Optional but good) - Weight: 0.1
+        media_dir = sprint_path / "media"
+        if media_dir.exists() and any(media_dir.iterdir()):
+            score += 0.1
+            found.append("media/")
+
+        # 4. Check for Planning - Weight: 0.2
+        planning_dir = sprint_path / "planning"
+        if planning_dir.exists():
+            score += 0.2
+            found.append("planning/")
+        else:
+            # Maybe TODO.md?
+            if (sprint_path / "TODO.md").exists():
+                score += 0.2
+                found.append("TODO.md")
+            else:
+                missing.append("Planning Documents")
+                failure_modes.append("Unplanned Execution")
+                recommendations.append("Create a plan in planning/ or TODO.md")
+
+        # Normalize score if needed, but here simple sum max is 1.0
+
+        passed = score >= self.threshold
+
+        return TTUResult(
+            score=min(score, 1.0),
+            passed=passed,
+            context_found=found,
+            missing_context=missing,
+            failure_modes=failure_modes,
+            recommendations=recommendations,
+            details=details
+        )
+
+    def _find_repo_root(self) -> Path:
+        """Finds the repository root."""
+        curr = Path.cwd()
+        root = curr
+        # Traverse up
+        while root != root.parent:
+            if (root / ".git").exists() or (root / ".sprint").exists():
+                return root
+            root = root.parent
+        return curr # Default to cwd if not found
+
+    def _find_active_sprint(self, root: Optional[Path] = None) -> Optional[Path]:
+        # Simple heuristic: Look for .sprint folder in root
+        if root:
+             sprint_dir = root / ".sprint"
+             if sprint_dir.exists():
+                # Get latest subdir
+                subdirs = sorted([d for d in sprint_dir.iterdir() if d.is_dir()])
+                if subdirs:
+                    return subdirs[-1]
+             return None
+
+        # Fallback if root not provided (legacy)
+        cwd = Path.cwd()
+        curr_root = cwd
+        while curr_root != curr_root.parent:
+            sprint_dir = curr_root / ".sprint"
+            if sprint_dir.exists():
+                subdirs = sorted([d for d in sprint_dir.iterdir() if d.is_dir()])
+                if subdirs:
+                    return subdirs[-1]
+            curr_root = curr_root.parent
+        return None

onecoder/governance/probllm.py

@@ -0,0 +1,91 @@
+import yaml
+import os
+import re
+
+class ProbLLMGuardian:
+    """
+    Enforces governance policies to prevent ProbLLM vulnerabilities (Prompt Injection,
+    Automatic Tool Invocation, Data Exfiltration).
+    """
+
+    def __init__(self, governance_path="governance.yaml"):
+        self.governance_path = governance_path
+        self.policy = self._load_policy()
+
+    def _load_policy(self):
+        """Loads the governance policy from yaml."""
+        if not os.path.exists(self.governance_path):
+            return {}
+
+        try:
+            with open(self.governance_path, "r") as f:
+                data = yaml.safe_load(f)
+                return data.get("probllm_prevention", {})
+        except Exception:
+            return {}
+
+    def is_enabled(self):
+        """Checks if ProbLLM prevention is enabled."""
+        return self.policy.get("enabled", False)
+
+    def validate_tool_execution(self, tool_name: str, args: dict):
+        """
+        Validates whether a tool execution is safe based on the policy.
+        Returns (is_safe, message).
+        """
+        if not self.is_enabled():
+            return True, "Policy disabled"
+
+        # 1. Check for High-Risk Tools requiring Confirmation
+        restricted_tools = self.policy.get("require_human_confirmation_for_tools", [])
+        if tool_name in restricted_tools:
+            # In a real CLI, we would prompt here.
+            # For now, we return a warning status that the caller must handle (e.g., prompt user).
+            return False, f"Tool '{tool_name}' is restricted and requires Human Confirmation."
+
+        # 2. Check for Secret Exposure in Args (Input Sanitization)
+        # (Simplified check: looks for env var patterns like $SECRET or generic key patterns)
+        if self.policy.get("block_secret_exposure", True):
+            if self._contains_secrets(str(args)):
+                return False, "Tool arguments appear to contain secrets or environment variables."
+
+        return True, "Safe"
+
+    def validate_output(self, output: str):
+        """
+        Scans LLM or Tool output for leaked secrets.
+        """
+        if not self.is_enabled():
+            return True, "Policy disabled"
+
+        if self.policy.get("block_secret_exposure", True):
+            if self._contains_secrets(output):
+                 return False, "Output blocked: Potential secret leakage detected."
+
+        return True, "Safe"
+
+    def _contains_secrets(self, text: str) -> bool:
+        """
+        Heuristic check for secrets.
+        """
+        # 1. Check for common API Key patterns (simplified)
+        # Starts with sk-, gh-, etc. followed by alphanumeric
+        patterns = [
+            r"sk-[a-zA-Z0-9]{20,}", # OpenAI/Stripe style
+            r"gh[pousr]-[a-zA-Z0-9]{20,}", # GitHub tokens
+            r"xox[baprs]-[a-zA-Z0-9]{10,}", # Slack tokens
+        ]
+
+        for pattern in patterns:
+            if re.search(pattern, text):
+                return True
+
+        # 2. Check if any known environment variable values are present
+        # (Be careful not to block common words if an env var is common)
+        sensitive_keys = ["API_KEY", "SECRET", "TOKEN", "PASSWORD", "CREDENTIALS"]
+        for key, value in os.environ.items():
+            if any(s in key for s in sensitive_keys) and len(value) > 8: # Only check long secrets
+                if value in text:
+                    return True
+
+        return False

onecoder/hooks.py

@@ -0,0 +1,74 @@
+import os
+import json
+import subprocess
+import fnmatch
+from typing import List, Dict, Any, Optional
+from pathlib import Path
+
+class HooksManager:
+    def __init__(self, config_filename: str = "onecoder.hooks.json"):
+        self.config_filename = config_filename
+        self.config = self._load_config()
+
+    def _load_config(self) -> Dict[str, Any]:
+        """Loads the configuration from the hooks file in the current directory."""
+        # Look for config in current working directory
+        config_path = Path.cwd() / self.config_filename
+        if config_path.exists():
+            try:
+                with open(config_path, "r") as f:
+                    return json.load(f)
+            except json.JSONDecodeError as e:
+                print(f"Error parsing {self.config_filename}: {e}")
+                return {}
+            except Exception as e:
+                print(f"Error reading {self.config_filename}: {e}")
+                return {}
+        return {}
+
+    def _run_command(self, command: str):
+        """Runs a shell command."""
+        print(f"[Hooks] Running: {command}")
+        try:
+            # shell=True is used to allow running complex commands like "cargo check"
+            # Security note: command comes from a user-defined config file.
+            subprocess.run(command, shell=True, check=True)
+        except subprocess.CalledProcessError as e:
+            print(f"[Hooks] Command failed: {command} (Exit code: {e.returncode})")
+        except Exception as e:
+            print(f"[Hooks] Error running command {command}: {e}")
+
+    def on_file_edit(self, filepath: str):
+        """Triggers hooks configured for file edits."""
+        # Reload config to pick up changes without restart
+        self.config = self._load_config()
+
+        file_patterns = self.config.get("file_patterns", [])
+
+        # Determine relative path for matching
+        try:
+            rel_path = os.path.relpath(filepath, os.getcwd())
+        except ValueError:
+            # If filepath is on a different drive or invalid, use absolute
+            rel_path = filepath
+
+        for item in file_patterns:
+            pattern = item.get("pattern")
+            command = item.get("command")
+
+            if pattern and command:
+                if fnmatch.fnmatch(rel_path, pattern):
+                    print(f"[Hooks] File {rel_path} matches pattern {pattern}")
+                    self._run_command(command)
+
+    def on_stop(self):
+        """Triggers hooks configured for session stop."""
+        self.config = self._load_config()
+        commands = self.config.get("on_stop", [])
+        if commands:
+            print("[Hooks] Running on_stop hooks...")
+            for command in commands:
+                self._run_command(command)
+
+# Global instance
+hooks_manager = HooksManager()

onecoder/ipc_auth.py

@@ -0,0 +1,200 @@
+import os
+import socket
+import uuid
+import secrets
+import asyncio
+import time
+from typing import Dict, Optional
+
+
+class TokenStore:
+    """Manages session-based tokens with TTL for API authentication."""
+
+    def __init__(self, ttl_seconds: int = 3600):
+        """
+        Initialize token store.
+
+        Args:
+            ttl_seconds: Time-to-live for tokens in seconds (default: 1 hour)
+        """
+        self._tokens: Dict[str, float] = {}  # token -> expiry_timestamp
+        self.ttl_seconds = ttl_seconds
+
+    def generate_token(self) -> str:
+        """Generate a new session token with TTL."""
+        token = secrets.token_urlsafe(32)
+        expiry = time.time() + self.ttl_seconds
+        self._tokens[token] = expiry
+        return token
+
+    def validate_token(self, token: str) -> bool:
+        """
+        Validates a token without consuming it (session-based).
+
+        Args:
+            token: The token to validate
+
+        Returns:
+            True if token exists and hasn't expired, False otherwise
+        """
+        if token not in self._tokens:
+            return False
+
+        # Check if token has expired
+        if time.time() > self._tokens[token]:
+            # Clean up expired token
+            del self._tokens[token]
+            return False
+
+        return True
+
+    def cleanup_expired(self) -> int:
+        """
+        Remove expired tokens from the store.
+
+        Returns:
+            Number of tokens cleaned up
+        """
+        current_time = time.time()
+        expired_tokens = [
+            token for token, expiry in self._tokens.items() if current_time > expiry
+        ]
+
+        for token in expired_tokens:
+            del self._tokens[token]
+
+        return len(expired_tokens)
+
+    def revoke_token(self, token: str) -> bool:
+        """
+        Manually revoke a token.
+
+        Args:
+            token: The token to revoke
+
+        Returns:
+            True if token was revoked, False if it didn't exist
+        """
+        if token in self._tokens:
+            del self._tokens[token]
+            return True
+        return False
+
+
+# Global store for the running process
+TOKEN_STORE = TokenStore()
+
+
+class IPCAuthServer:
+    """
+    A Unix Domain Socket server that vends one-time tokens to local clients.
+    This ensures that only processes with access to the socket (local users)
+    can obtain authorization to hit the agent API.
+    """
+
+    def __init__(self, socket_path: str = "/tmp/onecoder_auth.sock"):
+        self.socket_path = socket_path
+
+    async def start(self):
+        if os.path.exists(self.socket_path):
+            os.remove(self.socket_path)
+
+        server = await asyncio.start_unix_server(self.handle_client, self.socket_path)
+
+        # Ensure only the current user can read/write to the socket
+        os.chmod(self.socket_path, 0o600)
+
+        print(f"IPC Auth Server started on {self.socket_path}")
+
+        # Start periodic cleanup task
+        cleanup_task = asyncio.create_task(self._periodic_cleanup())
+
+        async with server:
+            try:
+                await server.serve_forever()
+            finally:
+                cleanup_task.cancel()
+
+    async def _periodic_cleanup(self):
+        """Periodically clean up expired tokens (every 5 minutes)."""
+        while True:
+            await asyncio.sleep(300)  # 5 minutes
+            cleaned = TOKEN_STORE.cleanup_expired()
+            if cleaned > 0:
+                print(f"Cleaned up {cleaned} expired tokens")
+
+    async def handle_client(
+        self, reader: asyncio.StreamReader, writer: asyncio.StreamWriter
+    ):
+        """
+        Handles token requests from local UI launchers.
+        Protocol:
+        - Client sends: "REQUEST_TOKEN\n"
+        - Server replies: "<token>\n"
+        """
+        data = await reader.readline()
+        message = data.decode().strip()
+
+        if message == "REQUEST_TOKEN":
+            token = TOKEN_STORE.generate_token()
+            writer.write(f"{token}\n".encode())
+            await writer.drain()
+
+        writer.close()
+        await writer.wait_closed()
+
+
+async def get_token_from_ipc(
+    socket_path: str = "/tmp/onecoder_auth.sock",
+) -> Optional[str]:
+    """Client utility to fetch a token via the IPC socket."""
+    try:
+        reader, writer = await asyncio.open_unix_connection(socket_path)
+        writer.write(b"REQUEST_TOKEN\n")
+        await writer.drain()
+
+        data = await reader.readline()
+        token = data.decode().strip()
+
+        writer.close()
+        await writer.wait_closed()
+        return token
+    except Exception as e:
+        print(f"Error fetching token from IPC: {e}")
+        return None
+
+
+if __name__ == "__main__":
+    # Test execution
+    async def main():
+        server = IPCAuthServer()
+        # Run server in background
+        server_task = asyncio.create_task(server.start())
+        await asyncio.sleep(1)  # Wait for startup
+
+        # Simulate client
+        token = await get_token_from_ipc()
+        if token:
+            print(f"Client fetched token: {token}")
+
+            # Validate (should work - session-based)
+            is_valid = TOKEN_STORE.validate_token(token)
+            print(f"Token is valid: {is_valid}")
+
+            # Validate again (should still work - not consumed)
+            is_valid_again = TOKEN_STORE.validate_token(token)
+            print(f"Token is still valid after first check: {is_valid_again}")
+
+            # Revoke token
+            revoked = TOKEN_STORE.revoke_token(token)
+            print(f"Token revoked: {revoked}")
+
+            # Validate after revocation (should fail)
+            is_valid_after_revoke = TOKEN_STORE.validate_token(token)
+            print(f"Token valid after revocation: {is_valid_after_revoke}")
+        else:
+            print("Failed to fetch token from IPC")
+
+        server_task.cancel()
+
+    asyncio.run(main())