patchops 1.0.0__py3-none-any.whl

lambdas/__init__.py

@@ -0,0 +1 @@
+# (empty — no content needed)

lambdas/code_analyzer/__init__.py

@@ -0,0 +1 @@
+# (empty — no content needed)

lambdas/code_analyzer/handler.py

@@ -0,0 +1,87 @@
+import sys
+import os
+
+# Works both locally (from repo root) and in Lambda
+sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.dirname(
+    os.path.abspath(__file__)
+))))
+from lambdas.shared.utils import safe_call_llm_json
+
+
+def handler(event, context=None):
+    """
+    Hard Boundary Code Analyzer Lambda Handler.
+    Strictly limited to Top 8 vulnerability categories with consolidation.
+    """
+    try:
+        if not event or "source_code" not in event:
+            return {"error": "No source_code provided"}
+
+        source_code = event.get("source_code", "")
+
+        # The Hard Boundary Vulnerability Scanning Prompt
+        prompt = f"""You are an Elite Static Application Security Testing (SAST) engine.
+You are evaluating this Python Flask application.
+
+SOURCE CODE:
+```python
+{source_code}
+```
+
+CRITICAL BOUNDARY DIRECTIVE:
+You must perform an exhaustive sweep for EXACTLY these 8 vulnerability categories:
+
+1. Hardcoded Secrets (CWE-798)
+2. SQL Injection (CWE-89)
+3. Command Injection (CWE-78)
+4. Path Traversal (CWE-22)
+5. Cross-Site Scripting / XSS (CWE-79)
+6. Broken Access Control / IDOR (CWE-284)
+7. Unsafe Deserialization (CWE-502)
+8. Server-Side Request Forgery / SSRF (CWE-918)
+
+RULES:
+
+1. You MUST return an array of exactly 8 objects, one for each category above.
+2. For each category, evaluate logically if it is genuinely present in the given code. Set "is_present" to true or false.
+3. If "is_present" is true, provide the severity, vulnerable_lines (exact match of the code), and an attack_vector explanation.
+4. If "is_present" is false, leave vulnerable_lines as an empty array and attack_vector as empty string.
+5. If the same vulnerability appears multiple times, CONSOLIDATE them into the single object.
+
+STRICT JSON SCHEMA:
+{{
+    "analysis": [
+        {{
+            "vulnerability_type": "<Type, e.g., SQL Injection>",
+            "cwe": "<CWE number, e.g., CWE-89>",
+            "is_present": <true/false boolean value only>,
+            "severity": "<CRITICAL/HIGH/MEDIUM/NONE>",
+            "vulnerable_lines": ["<exact string 1>", "<exact string 2>"],
+            "attack_vector": "<Comprehensive attack explanation>"
+        }}
+    ]
+}}
+
+Return ONLY the JSON object. Start with {{ and end with }}. No other text. Every field must be present."""
+
+        # Call LLM with consolidated findings
+        result = safe_call_llm_json(prompt, max_tokens=3000, retries=2)
+
+        # Validate and clean the response
+        if "error" in result:
+            return result
+
+        analysis = result.get("analysis", [])
+        
+        # Filter to ensure we only return genuinely present vulnerabilities
+        validated_vulns = []
+        for vuln in analysis:
+            is_present = vuln.get("is_present")
+            if is_present is True or str(is_present).lower() == "true":
+                if all(key in vuln for key in ["vulnerability_type", "cwe", "severity", "vulnerable_lines", "attack_vector"]):
+                    validated_vulns.append(vuln)
+        
+        return {"vulnerabilities": validated_vulns}
+
+    except Exception as e:
+        return {"error": f"Code analyzer exception: {str(e)}"}

lambdas/component_tester/handler.py

@@ -0,0 +1,47 @@
+import json
+
+# Mock LLM call for component testing
+def safe_call_llm_json(prompt, max_tokens=1000):
+    # In a real scenario, this would call Groq/OpenAI
+    # For demo purposes, we'll simulate logic
+    if "auth.py" in prompt and "app.py" in prompt:
+        # If app.py is fixed (SQLi fixed), auth.py might need update or be fine
+        # Spec says auth.py has IDOR, but we're checking COMPATIBILITY
+        # Let's say if we change get_profile signature it breaks.
+        return {
+            "is_compatible": False,
+            "issues_found": ["Patched file changed get_profile call site logic"],
+            "suggested_fix": "import db_utils\nimport config\nimport utils\n\ndef login(username, password):\n    return {\"status\": \"success\", \"token\": \"mock-token-123\"}\n\ndef get_profile(user_id):\n    # FIXED IDOR\n    return db_utils.safe_query(\"SELECT * FROM users WHERE id = ?\", (user_id,))[0] if db_utils.query_user(user_id) else None\n\ndef check_token(token):\n    return token == \"mock-token-123\"\n"
+        }
+    return {
+        "is_compatible": True,
+        "issues_found": [],
+        "suggested_fix": ""
+    }
+
+def handler(event, context):
+    patched_file_name = event.get("patched_file_name")
+    original_code = event.get("original_code")
+    patched_code = event.get("patched_code")
+    completed_fixes = event.get("completed_fixes", [])
+    neighbor_file_name = event.get("neighbor_file_name")
+    neighbor_code = event.get("neighbor_code")
+
+    COMPONENT_TEST_PROMPT = f"""
+You are a code compatibility analyst.
+
+PATCHED FILE: {patched_file_name}
+CHANGES MADE:
+{json.dumps(completed_fixes, indent=2)}
+
+NEIGHBOR FILE: {neighbor_file_name}
+{neighbor_code}
+
+TASK: Does the neighbor file still work correctly given the changes made to the patched file?
+Return ONLY JSON.
+"""
+    
+    # In demo mode, we use the mock result
+    result = safe_call_llm_json(COMPONENT_TEST_PROMPT)
+    result["neighbor"] = neighbor_file_name
+    return result

lambdas/exploit_crafter/__init__.py

@@ -0,0 +1 @@
+# (empty — no content needed)

lambdas/exploit_crafter/handler.py

@@ -0,0 +1,111 @@
+import sys
+import os
+
+# Works both locally (from repo root) and in Lambda
+sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.dirname(
+    os.path.abspath(__file__)
+))))
+from lambdas.shared.utils import safe_call_llm_json, call_llm, extract_code_block
+
+EXPLOIT_PROMPT = """You are a red team security researcher writing a proof-of-concept exploit.
+
+Vulnerability type: {vulnerability_type}
+Attack vector: {attack_vector}
+Vulnerable lines: {vulnerable_lines}
+
+The target application is running at http://localhost:5000
+The vulnerable endpoint is: GET /user?id=<INJECT_HERE>
+The endpoint returns JSON in this format: {{"users": [[username, email, role], ...]}}
+
+Write a Python exploit script with these EXACT requirements:
+
+1. First line must be: import requests
+2. Second line must be: import sys
+3. Use the requests params argument to pass the SQL payload, like this:
+   response = requests.get('http://localhost:5000/user',
+                           params={{'id': '1 OR 1=1--'}},
+                           timeout=10)
+4. Parse the JSON response with response.json()
+5. SUCCESS condition: the response contains MORE THAN 1 user in the "users" list
+   This proves the SQL injection worked by dumping all rows
+6. If more than 1 user returned: use print('EXPLOIT_SUCCESS') on its own line,
+   then print the full list of users extracted
+7. If only 1 or 0 users returned: use print('EXPLOIT_FAILED') on its own line
+8. Wrap everything in try/except Exception as e:
+   In the except block: print('EXPLOIT_FAILED') then print(str(e))
+9. Do NOT use sys.stderr — print everything to stdout
+10. Do NOT URL-encode the payload manually — pass raw SQL string to params dict
+11. NEVER use a variable for the success/failure strings — always print the literal strings directly
+
+Return ONLY the raw Python script. No markdown. No explanation.
+The script must start with exactly: import requests"""
+
+def validate_exploit(code: str) -> list:
+    issues = []
+    if 'EXPLOIT_SUCCESS' not in code:
+        issues.append('missing EXPLOIT_SUCCESS string')
+    if 'import requests' not in code:
+        issues.append('missing requests import')
+    if 'import sys' not in code:
+        issues.append('missing sys import')
+    if 'localhost:5000' not in code and '127.0.0.1:5000' not in code:
+        issues.append('does not target localhost:5000')
+    if 'timeout' not in code:
+        issues.append('missing timeout parameter')
+    if 'try' not in code or 'except' not in code:
+        issues.append('missing try/except')
+    if 'params' not in code and 'OR' not in code and 'UNION' not in code:
+        issues.append('no SQL injection payload visible in code')
+    return issues
+
+
+def handler(event, context=None):
+    try:
+        vulnerability_type = event.get("vulnerability_type")
+        attack_vector = event.get("attack_vector")
+
+        if not vulnerability_type or not attack_vector:
+            return {
+                "error": "Missing required fields: vulnerability_type or attack_vector",
+                "exploit_code": ""
+            }
+
+        prompt = EXPLOIT_PROMPT.format(
+            vulnerability_type=vulnerability_type,
+            attack_vector=attack_vector,
+            vulnerable_lines=event.get("vulnerable_lines", [])
+        )
+
+        # First attempt
+        response = call_llm(prompt, max_tokens=1500)
+        code = extract_code_block(response).strip()
+
+        if not code.startswith("import"):
+            code = "import requests\n" + code
+
+        issues = validate_exploit(code)
+
+        # Retry if issues found
+        if issues:
+            retry_prompt = prompt + "\n\nFix these problems in your script: " + ", ".join(issues)
+            response_retry = call_llm(retry_prompt, max_tokens=1500)
+            code_retry = extract_code_block(response_retry).strip()
+
+            if not code_retry.startswith("import"):
+                code_retry = "import requests\n" + code_retry
+
+            final_code = code_retry
+            final_issues = validate_exploit(final_code)
+
+            result = {"exploit_code": final_code}
+            if final_issues:
+                result["warnings"] = final_issues
+            return result
+
+        return {"exploit_code": code}
+
+    except Exception as e:
+        return {
+            "error": str(e),
+            "exploit_code": ""
+        }

lambdas/graph_builder/handler.py

@@ -0,0 +1,52 @@
+import os
+import re
+
+def handler(event, context):
+    repo_path = event.get("repo_path", "PatchOps-Target")
+    nodes = []
+    edges = []
+    found_files = set()
+
+    for root, dirs, files in os.walk(repo_path):
+        for file in files:
+            if file.endswith(".py"):
+                rel_path = os.path.relpath(os.path.join(root, file), repo_path)
+                # Use forward slashes for IDs
+                file_id = rel_path.replace("\\", "/")
+                found_files.add(file_id.replace(".py", ""))
+                
+                with open(os.path.join(root, file), 'r', encoding='utf-8') as f:
+                    lines = f.readlines()
+                    nodes.append({
+                        "id": file_id,
+                        "path": os.path.join(root, file),
+                        "lines": len(lines),
+                        "status": "neutral"
+                    })
+
+    # Regex for imports
+    import_pattern = re.compile(r'^(?:import\s+(\w+)|from\s+(\w+)\s+import)')
+
+    for node in nodes:
+        with open(node["path"], 'r', encoding='utf-8') as f:
+            content = f.read()
+            # Simple line-by-line regex for top-level imports
+            for line in content.splitlines():
+                match = import_pattern.match(line)
+                if match:
+                    # Group 1 is 'import X', Group 2 is 'from X import Y'
+                    imported_module = match.group(1) or match.group(2)
+                    # Check if it's a file in our repo
+                    if imported_module in found_files:
+                        target_id = f"{imported_module}.py"
+                        # Handle potential subdirectories in IDs if needed, but for now simple
+                        edges.append({
+                            "source": node["id"],
+                            "target": target_id,
+                            "type": "imports"
+                        })
+                    # Special case for subdirectories like 'tests/test_suite.py' importing 'app'
+                    # The regex might only catch 'app'
+                    # If we have 'import app', and app.py is in root, it works.
+
+    return {"nodes": nodes, "edges": edges}

lambdas/neighbor_resolver/handler.py

@@ -0,0 +1,23 @@
+def handler(event, context):
+    patched_file = event.get("patched_file")
+    graph = event.get("graph", {"nodes": [], "edges": []})
+    
+    neighbors = set()
+    for edge in graph.get("edges", []):
+        if edge["source"] == patched_file:
+            neighbors.add(edge["target"])
+        if edge["target"] == patched_file:
+            neighbors.add(edge["source"])
+            
+    all_nodes = {n["id"] for n in graph.get("nodes", [])}
+    excluded = list(all_nodes - neighbors - {patched_file})
+    neighbors = list(neighbors)
+    
+    reasoning = f"{patched_file} directly connects to: {', '.join(neighbors)}. " \
+                f"{len(excluded)} files have no direct edge and are excluded."
+                
+    return {
+        "neighbors": neighbors,
+        "excluded": excluded,
+        "reasoning": reasoning
+    }

lambdas/orchestrator/handler.py

@@ -0,0 +1,33 @@
+import json, boto3, uuid
+from datetime import datetime
+
+dynamo = boto3.resource("dynamodb", region_name="eu-north-1")
+table = dynamo.Table("breachloop_pipeline")
+
+def lambda_handler(event, context):
+    try:
+        body = event.get("body")
+
+        if isinstance(body, str):
+            body = json.loads(body)
+        elif body is None:
+            body = event
+
+        run_id = str(uuid.uuid4())
+
+        item = {
+            "run_id": run_id,
+            "status": "RECEIVED",
+            "timestamp": datetime.utcnow().isoformat(),
+            "input": body
+        }
+
+        table.put_item(Item=item)
+
+        return {
+            "statusCode": 200,
+            "body": json.dumps({"run_id": run_id, "status": "RECEIVED"})
+        }
+
+    except Exception as e:
+        return {"statusCode": 500, "body": json.dumps({"error": str(e)})}

lambdas/patch_writer/handler.py

@@ -0,0 +1,121 @@
+import sys
+import os
+import json
+import difflib
+
+# Works both locally (from repo root) and in Lambda
+sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.dirname(
+    os.path.abspath(__file__)
+))))
+from lambdas.shared.utils import safe_call_llm_json, extract_code_block
+
+
+def lambda_handler(event, context=None):
+    """
+    Batch Patch Writer Lambda Handler.
+    Now with fuzzy matching and line-by-line fallback to ensure patches apply.
+    """
+    try:
+        source_code = event.get("source_code", "")
+        vulnerabilities = event.get("vulnerabilities", [])
+
+        if not source_code:
+            return {"error": "Missing source_code", "patched_code": "", "completed_fixes": []}
+        if not vulnerabilities:
+            return {"patched_code": source_code, "completed_fixes": []}
+
+        vulns_str = json.dumps(vulnerabilities, indent=2)
+
+        prompt = f"""You are an elite Application Security Engineer.
+You must fix ALL vulnerabilities in the provide source code.
+
+ORIGINAL CODE:
+```python
+{source_code}
+```
+
+VULNERABILITIES TO FIX:
+{vulns_str}
+
+CRITICAL RULES:
+1. USE SURGICAL SEARCH & REPLACE.
+2. The 'search' block must be a SIGNIFICANT chunk of the original code (e.g., entire function or large block) to ensure uniqueness.
+3. The 'search' block must match the original code EXACTLY, line for line.
+4. If you fix multiple issues in one file, group them into the 'fixes' array.
+
+JSON SCHEMA:
+{{
+    "fixes": [
+        {{
+            "vulnerability_type": "<type>",
+            "cwe": "<cwe>",
+            "changes_made": ["Fix 1", "Fix 2"],
+            "modifications": [
+                {{
+                    "search": "<EXACT block from original source>",
+                    "replace": "<Secure result>"
+                }}
+            ]
+        }}
+    ]
+}}
+"""
+        batch_result = safe_call_llm_json(prompt, max_tokens=4000, retries=2)
+        current_code = source_code
+        completed_fixes = []
+
+        for fix in batch_result.get("fixes", []):
+            vuln_type = fix.get("vulnerability_type", "Unknown")
+            cwe = fix.get("cwe", "")
+            modifications = fix.get("modifications", [])
+            
+            fix_successful = False
+            for mod in modifications:
+                search_text = mod.get("search", "").strip()
+                replace_text = mod.get("replace", "")
+
+                if not search_text: continue
+
+                # 1. Exact Match
+                if search_text in current_code:
+                    current_code = current_code.replace(search_text, replace_text, 1)
+                    fix_successful = True
+                else:
+                    # 2. Fuzzy Match / Line-by-line fallback
+                    # This is the "Root Cause" fix - being more flexible with hallucinated search strings
+                    search_lines = [l.strip() for l in search_text.split('\n') if l.strip()]
+                    source_lines = current_code.split('\n')
+                    
+                    best_match_start = -1
+                    best_match_score = 0
+                    
+                    # Look for the block with highest overlap
+                    for i in range(len(source_lines) - len(search_lines) + 1):
+                        window = [l.strip() for l in source_lines[i : i+len(search_lines)] if l.strip()]
+                        if not window: continue
+                        
+                        score = difflib.SequenceMatcher(None, '\n'.join(search_lines), '\n'.join(window)).ratio()
+                        if score > 0.85 and score > best_match_score:
+                            best_match_score = score
+                            best_match_start = i
+                    
+                    if best_match_start != -1:
+                        # Replace the block
+                        new_lines = source_lines[:best_match_start] + [replace_text] + source_lines[best_match_start + len(search_lines):]
+                        current_code = '\n'.join(new_lines)
+                        fix_successful = True
+                    else:
+                        print(f"⚠️  WARNING: Could not apply patch for {vuln_type} - Search string not found (even with 85% fuzzy match).")
+
+            if fix_successful:
+                completed_fixes.append({"type": vuln_type, "cwe": cwe, "changes_made": fix.get("changes_made", [])})
+
+        return {
+            "patched_code": current_code,
+            "completed_fixes": completed_fixes,
+            "total_vulnerabilities": len(vulnerabilities),
+            "successful_patches": len(completed_fixes)
+        }
+
+    except Exception as e:
+        return {"error": f"Exception: {str(e)}", "patched_code": "", "completed_fixes": []}

lambdas/pr_generator/handler.py

@@ -0,0 +1,126 @@
+import sys
+import os
+import json
+import uuid
+
+# Works both locally (from repo root) and in Lambda
+sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.dirname(
+    os.path.abspath(__file__)
+))))
+
+from github import Github, GithubException
+from .template import generate_pr_body
+
+
+def lambda_handler(event, context=None):
+    """
+    PR Generator Lambda Handler.
+    Creates a GitHub Pull Request with the approved security patches.
+    """
+    try:
+        # Extract input fields
+        repo_full_name = event.get("repo_full_name", "")
+        file_path = event.get("file_path", "")
+        final_patch = event.get("final_patch", "")
+        fixed_vulnerabilities = event.get("fixed_vulnerabilities", [])
+        
+        # NEW: Extra audit results
+        req_check_result = event.get("req_check_result")
+        test_results = event.get("test_results", [])
+
+        print(f"PR_GENERATOR: Targeting repo {repo_full_name}, file {file_path}")
+
+        # Validate required fields
+        if not all([repo_full_name, file_path, final_patch]):
+            return {
+                "status": "ERROR",
+                "pr_url": "",
+                "branch_name": "",
+                "error_message": f"Missing required fields. Received: repo={repo_full_name}, path={file_path}"
+            }
+
+        # Fetch GitHub token from environment
+        github_token = os.environ.get("GITHUB_TOKEN")
+        if not github_token:
+            return {
+                "status": "ERROR",
+                "pr_url": "",
+                "branch_name": "",
+                "error_message": "GITHUB_TOKEN environment variable not set"
+            }
+
+        # Initialize GitHub client
+        g = Github(github_token)
+
+        # Get the repository
+        try:
+            repo = g.get_repo(repo_full_name)
+        except GithubException as ge:
+            if ge.status == 404:
+                return {"status": "ERROR", "error_message": f"Repository '{repo_full_name}' not found. Check name and token permissions."}
+            raise ge
+
+        # Get the default branch
+        default_branch = repo.default_branch
+        main_ref = repo.get_git_ref(f"heads/{default_branch}")
+        main_sha = main_ref.object.sha
+
+        # Generate unique branch name
+        branch_name = f"patchops-fix-{uuid.uuid4().hex[:8]}"
+
+        # Create new branch from main
+        repo.create_git_ref(ref=f"refs/heads/{branch_name}", sha=main_sha)
+
+        # Get the current file's SHA
+        try:
+            file_contents = repo.get_contents(file_path, ref=default_branch)
+            current_file_sha = file_contents.sha
+        except GithubException as ge:
+            if ge.status == 404:
+                return {"status": "ERROR", "error_message": f"File '{file_path}' not found in repo '{repo_full_name}'."}
+            raise ge
+
+        # Update the file
+        vulnerability_summary = f"{len(fixed_vulnerabilities)} vulnerabilities" if fixed_vulnerabilities else "security fixes"
+        commit_message = f"Auto-patch: Fix {vulnerability_summary}"
+        repo.update_file(
+            path=file_path,
+            message=commit_message,
+            content=final_patch,
+            sha=current_file_sha,
+            branch=branch_name
+        )
+
+        # Generate the PR body markdown - PASS NEW RESULTS
+        pr_body = generate_pr_body(
+            fixed_vulnerabilities_list=fixed_vulnerabilities,
+            req_check_result=req_check_result,
+            test_results=test_results
+        )
+
+        # Create the Pull Request title
+        pr_title = "🔒 Security Patch: Autonomous Remediation & Verification"
+        if fixed_vulnerabilities and fixed_vulnerabilities[0].get('vulnerability_type') != "Dependency Consistency Fix":
+             pr_title = f"🔒 Security Patch: {len(fixed_vulnerabilities)} Vulnerabilities Fixed"
+
+        # Create the Pull Request
+        pr = repo.create_pull(
+            title=pr_title,
+            body=pr_body,
+            head=branch_name,
+            base=default_branch
+        )
+
+        return {
+            "status": "SUCCESS",
+            "pr_url": pr.html_url,
+            "branch_name": branch_name
+        }
+
+    except GithubException as e:
+        error_msg = f"GitHub API error: {e.status} {e.data.get('message', str(e))}"
+        return {"status": "ERROR", "pr_url": "", "branch_name": "", "error_message": error_msg}
+
+    except Exception as e:
+        error_msg = f"PR generation exception: {str(e)}"
+        return {"status": "ERROR", "pr_url": "", "branch_name": "", "error_message": error_msg}