pkgwhy 1.0.0__tar.gz → 1.5.0__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/CHANGELOG.md +47 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/PKG-INFO +76 -4
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/README.md +75 -3
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/SECURITY.md +13 -1
- pkgwhy-1.5.0/docs/ci-templates.md +77 -0
- pkgwhy-1.5.0/docs/commercial-agent-platform.md +135 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/docs/json-schema-compatibility.md +12 -4
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/docs/release-checklist.md +6 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/docs/versioning-policy.md +6 -1
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/pyproject.toml +1 -1
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/__init__.py +1 -1
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/cli.py +359 -1
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/core/constants.py +3 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/core/models.py +123 -1
- pkgwhy-1.5.0/src/pkgwhy/pip_gate.py +382 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/policy/tool_execution.py +6 -1
- pkgwhy-1.5.0/src/pkgwhy/precheck.py +1147 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/registry/tools.py +1 -0
- pkgwhy-1.5.0/src/pkgwhy/registry/trust.py +30 -0
- pkgwhy-1.5.0/tests/fixtures/precheck/requirements.txt +2 -0
- pkgwhy-1.5.0/tests/test_ci_templates.py +34 -0
- pkgwhy-1.5.0/tests/test_commercial_design_docs.py +27 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/test_json_snapshots.py +1 -0
- pkgwhy-1.5.0/tests/test_pip_gate.py +345 -0
- pkgwhy-1.5.0/tests/test_precheck.py +486 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/test_runner.py +14 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/test_tool_judgement.py +46 -1
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/.gitignore +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/CONTRIBUTING.md +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/LICENSE +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/docs/dynamic-sandbox.md +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/docs/production-readiness.md +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/docs/release-candidate-surface.md +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/docs/static-rule-corpus.md +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/docs/threat-model.md +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/scripts/check_public_traces.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/__main__.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/agent/__init__.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/agent/judge.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/core/__init__.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/dependencies/__init__.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/dependencies/graph.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/dependencies/reason.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/dynamic/__init__.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/dynamic/analysis.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/explanations/__init__.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/explanations/explain.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/explanations/local_db.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/imports/__init__.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/imports/scanner.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/inspection/__init__.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/inspection/files.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/inspection/python_static.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/inspection/size.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/inspection/text_patterns.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/manifests/__init__.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/manifests/lockfiles.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/manifests/pyproject.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/manifests/requirements.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/metadata/__init__.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/metadata/installed.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/metadata/pypi.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/policy/__init__.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/policy/agent_policy.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/policy/audit_log.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/provenance/__init__.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/provenance/installed.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/registry/__init__.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/registry/local.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/registry/manifest.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/registry/publish.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/registry/run.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/reports/__init__.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/reports/audit.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/risk/__init__.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/risk/rules.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/risk/scoring.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/typosquat/__init__.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/typosquat/detector.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/typosquat/popular_packages.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/vulnerabilities/__init__.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/vulnerabilities/matching.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/src/pkgwhy/vulnerabilities/osv.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/fixtures/static_rule_corpus/assets/extension.so +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/fixtures/static_rule_corpus/assets/helper.exe +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/fixtures/static_rule_corpus/assets/javascript_false_positive.js +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/fixtures/static_rule_corpus/assets/javascript_signals.min.js +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/fixtures/static_rule_corpus/assets/module.wasm +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/fixtures/static_rule_corpus/assets/postinstall +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/fixtures/static_rule_corpus/assets/pyproject.toml +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/fixtures/static_rule_corpus/assets/setup.cfg +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/fixtures/static_rule_corpus/assets/setup.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/fixtures/static_rule_corpus/python/deserialisation.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/fixtures/static_rule_corpus/python/dynamic_execution.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/fixtures/static_rule_corpus/python/encoded_payloads.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/fixtures/static_rule_corpus/python/import_trap.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/fixtures/static_rule_corpus/python/process_environment_package_manager.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/fixtures/static_rule_corpus/python/url_credential_patterns.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/test_agent_policy.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/test_audit_log.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/test_cli.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/test_dependency_graph.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/test_dynamic.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/test_explanations.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/test_file_static_analysis.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/test_import_scanner.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/test_manifests.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/test_provenance.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/test_publish.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/test_python_static.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/test_registry.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/test_reports.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/test_risk.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/test_risk_rules.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/test_size.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/test_static_rule_corpus.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/test_tool_manifest.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/test_tool_policy.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/test_typosquat.py +0 -0
- {pkgwhy-1.0.0 → pkgwhy-1.5.0}/tests/test_vulnerabilities.py +0 -0
|
@@ -1,5 +1,52 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## 1.5.0 - 2026-06-30
|
|
4
|
+
|
|
5
|
+
- Add `docs/commercial-agent-platform.md` to describe the future commercial and agent platform direction without implementing cloud services, billing, hosted review, API keys, or secrets.
|
|
6
|
+
- Document the product habit around `pkgwhy precheck`, `pkgwhy pip install`, and `pkgwhy agent precheck`.
|
|
7
|
+
- Document future tiers for the free local CLI, Pro local policy packs, team review dashboard, hosted package review cache, shared organization policy, and agent install gateway.
|
|
8
|
+
- Add explicit hosted-review boundaries so the current local CLI does not imply active cloud review or definitive malware detection.
|
|
9
|
+
- Add tests that keep the commercial platform design doc future-only and boundary-aware.
|
|
10
|
+
- Harden precheck and pip-gate follow-up review items: direct-reference handling, hash-locked requirements parsing, PyPI specifier release selection, Python 3.11-compatible tar extraction, private pip decision log paths/permissions, and CI pyproject gate coverage.
|
|
11
|
+
- Harden second-pass review items: sanitized artifact URLs, stable-release preference for PyPI specifiers, safer keep-artifact failure handling, advisory-mode CI audit behavior, quarantine CLI coverage, and stricter pip requirements snapshot boundaries.
|
|
12
|
+
|
|
13
|
+
## 1.4.0 - 2026-06-30
|
|
14
|
+
|
|
15
|
+
- Add local registry trust states: `trusted`, `reviewed`, `quarantined`, `blocked`, and `unknown`.
|
|
16
|
+
- Add trust-state storage to registry index entries and include trust state in tool judgement JSON and human output.
|
|
17
|
+
- Add `pkgwhy registry trust <tool>`, `pkgwhy registry review <tool>`, `pkgwhy registry quarantine <tool>`, `pkgwhy registry block <tool>`, and `pkgwhy registry blocked`.
|
|
18
|
+
- Enforce registry trust state in the local runner policy: `quarantined` and `blocked` tools are refused before execution.
|
|
19
|
+
- Keep newly published local tools at `unknown` trust until a human marks them.
|
|
20
|
+
- Keep tool lock/verify and registry export/import deferred rather than inventing incomplete trust guarantees.
|
|
21
|
+
|
|
22
|
+
## 1.3.0 - 2026-06-30
|
|
23
|
+
|
|
24
|
+
- Add a reusable GitHub Actions package-gate template at `examples/github-actions/pkgwhy-package-gate.yml`.
|
|
25
|
+
- Document CI advisory, strict, and agent modes in `docs/ci-templates.md`.
|
|
26
|
+
- The CI template installs `pkgwhy`, runs requirements precheck, emits JSON and Markdown audit reports, optionally runs agent precheck, uploads reports, and fails only in strict or agent mode.
|
|
27
|
+
- Keep CI package-gate usage local and secret-free by default; no cloud service, hosted review, billing, or credentials are required.
|
|
28
|
+
- Add static validation tests for the CI template and documentation boundaries.
|
|
29
|
+
|
|
30
|
+
## 1.2.0 - 2026-06-30
|
|
31
|
+
|
|
32
|
+
- Add `pkgwhy pip install <package>` as a local pip install gate over `pkgwhy precheck`.
|
|
33
|
+
- Add `pkgwhy pip install -r requirements.txt` for requirements-file gate checks before pip is invoked.
|
|
34
|
+
- Add schema-versioned `pkgwhy.pip_install_gate.v1` JSON with precheck decision, gate exit code, pip invocation status, override status, warnings, reasons, and embedded precheck output.
|
|
35
|
+
- Add `--policy strict`, `--dry-run`, `--override-review`, `--override-block`, and `--override-reason` for explicit install-gate workflows.
|
|
36
|
+
- Add best-effort compact local pip gate decision logs that omit full precheck evidence.
|
|
37
|
+
- Keep tests deterministic by using fake pip runners and dry-run paths; tests do not install arbitrary public packages.
|
|
38
|
+
- Keep the pip gate conservative: pip is called only after precheck allows it or an explicit override is used, and unavailable or incomplete precheck evidence exits without invoking pip.
|
|
39
|
+
|
|
40
|
+
## 1.1.0 - 2026-06-30
|
|
41
|
+
|
|
42
|
+
- Add top-level `pkgwhy precheck` as a local pre-install package gate for humans, CI, and agents.
|
|
43
|
+
- Add schema-versioned `pkgwhy.precheck.v1` JSON for single package requirements, including decision, risk, confidence, evidence summaries, vulnerability/provenance/typosquat/static summaries, and embedded package judgement.
|
|
44
|
+
- Add schema-versioned `pkgwhy.precheck_batch.v1` JSON for `pkgwhy precheck -r requirements.txt` and `pkgwhy precheck pyproject.toml`.
|
|
45
|
+
- Add explicit `--download-artifacts` support that queries PyPI, downloads one wheel or source artifact to a temporary review directory, verifies SHA-256 when PyPI metadata provides it, extracts safely, statically inspects files, and deletes temporary files unless `--keep-artifacts` is set.
|
|
46
|
+
- Add optional `--pypi`, `--osv`, and local `--vulnerability-file` enrichment boundaries to precheck without enabling network by default.
|
|
47
|
+
- Add `--enforce-exit-code` for gate usage while keeping default JSON and human precheck commands easy to inspect interactively.
|
|
48
|
+
- Keep precheck static-first: it does not install, import, or execute inspected package code.
|
|
49
|
+
|
|
3
50
|
## 1.0.0 - 2026-06-30
|
|
4
51
|
|
|
5
52
|
- Promote the `1.0.0rc1` release-candidate surface to the final 1.0.0 tracked codebase after local release-prep review.
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Metadata-Version: 2.4
|
|
2
2
|
Name: pkgwhy
|
|
3
|
-
Version: 1.
|
|
3
|
+
Version: 1.5.0
|
|
4
4
|
Summary: Offline-first Python package intelligence and supply-chain security decision support.
|
|
5
5
|
Project-URL: Homepage, https://github.com/devlukeg/pkgwhy
|
|
6
6
|
Project-URL: Repository, https://github.com/devlukeg/pkgwhy
|
|
@@ -42,11 +42,11 @@ Know why a package exists before you or your agent trusts it.
|
|
|
42
42
|
|
|
43
43
|
## Status
|
|
44
44
|
|
|
45
|
-
`pkgwhy` 1.
|
|
45
|
+
`pkgwhy` 1.5.0 is a Python supply-chain security decision-support tool and local pip/CI install gate for developers and AI agents. It is useful for local package inspection, conservative static package review, agent-readable JSON, vulnerability and provenance foundations, policy checks, artifact precheck, guarded pip installs, CI package-gate templates, local registry trust states, commercial/agent platform planning, and the local private-registry and runner MVP.
|
|
46
46
|
|
|
47
47
|
It is not a production security scanner, not malware-detection certainty, and not a full sandbox. Results are evidence and signals for review, not proof that a package is safe or malicious.
|
|
48
48
|
|
|
49
|
-
Current packaged version: `1.
|
|
49
|
+
Current packaged version: `1.5.0`.
|
|
50
50
|
|
|
51
51
|
## What Works Now
|
|
52
52
|
|
|
@@ -58,6 +58,13 @@ pkgwhy explain typer
|
|
|
58
58
|
pkgwhy why typer
|
|
59
59
|
pkgwhy inspect typer
|
|
60
60
|
pkgwhy judge typer --json
|
|
61
|
+
pkgwhy precheck typer --json
|
|
62
|
+
pkgwhy precheck "typer==0.12.5" --json
|
|
63
|
+
pkgwhy precheck -r requirements.txt --json
|
|
64
|
+
pkgwhy precheck pyproject.toml --json
|
|
65
|
+
pkgwhy precheck annotated-doc==0.0.4 --download-artifacts --json
|
|
66
|
+
pkgwhy pip install typer --dry-run
|
|
67
|
+
pkgwhy pip install -r requirements.txt --dry-run
|
|
61
68
|
pkgwhy agent policy --json
|
|
62
69
|
pkgwhy agent precheck typer --json
|
|
63
70
|
pkgwhy risk typer
|
|
@@ -87,6 +94,13 @@ Implemented capabilities include:
|
|
|
87
94
|
- Metadata-derived provenance/source-trust fields from installed metadata and optional PyPI JSON, with unsupported attestation and trusted-publishing checks marked as unknown or not implemented.
|
|
88
95
|
- Conservative risk level, decision, warning, recommendation, evidence, confidence, risk model version, and rule-ID output.
|
|
89
96
|
- Human `inspect`, `risk`, and `judge` reports that show compact rule-evidence summaries, while JSON reports include structured rule details.
|
|
97
|
+
- Pre-install package precheck for package requirements, requirements files, and `pyproject.toml` dependencies.
|
|
98
|
+
- Explicit artifact-download precheck that downloads a PyPI wheel or source artifact to a temporary review directory, verifies SHA-256 when available, extracts safely, statically inspects files, and deletes temporary files by default.
|
|
99
|
+
- Optional gate exit codes via `pkgwhy precheck --enforce-exit-code`.
|
|
100
|
+
- Guarded pip install flow via `pkgwhy pip install`, with precheck first, stable exit codes, explicit overrides, and compact local decision logs.
|
|
101
|
+
- Reusable GitHub Actions package-gate template with advisory, strict, and agent modes.
|
|
102
|
+
- Local registry trust states for private tools: `trusted`, `reviewed`, `quarantined`, `blocked`, and `unknown`.
|
|
103
|
+
- Commercial and agent platform architecture documentation for future local policy packs, team review, hosted evidence cache, shared organization policy, and agent install gateway.
|
|
90
104
|
- Stable JSON output for agent workflows.
|
|
91
105
|
- Schema-versioned agent policy and package precheck output.
|
|
92
106
|
- Conservative non-interactive agent defaults that block unknown or high-risk package use until a human reviews the evidence.
|
|
@@ -100,6 +114,9 @@ pkgwhy registry list
|
|
|
100
114
|
pkgwhy registry add local-copy ~/.pkgwhy/registry
|
|
101
115
|
pkgwhy registry use local
|
|
102
116
|
pkgwhy publish ./my_tool.py
|
|
117
|
+
pkgwhy registry trust local/my_tool
|
|
118
|
+
pkgwhy registry quarantine local/my_tool
|
|
119
|
+
pkgwhy registry blocked
|
|
103
120
|
pkgwhy tool inspect local/my_tool
|
|
104
121
|
pkgwhy tool judge local/my_tool --json
|
|
105
122
|
pkgwhy run local/my_tool
|
|
@@ -121,6 +138,7 @@ Current runner policy is intentionally conservative:
|
|
|
121
138
|
- Corrupt registry indexes fail closed for publish and tool-judgement paths.
|
|
122
139
|
- Symlinks are not bundled, and stored registry paths must remain inside the registry root.
|
|
123
140
|
- Bundle hash mismatch or a missing bundle blocks execution.
|
|
141
|
+
- Quarantined or blocked registry trust states block execution.
|
|
124
142
|
- `sandbox_only` and `block` tool judgements block execution.
|
|
125
143
|
- Non-interactive execution is blocked unless both the judgement and manifest agent policy allow it.
|
|
126
144
|
- Tools with declared dependencies are not run yet because dependency installation is not implemented.
|
|
@@ -134,11 +152,12 @@ These are roadmap items, not current features:
|
|
|
134
152
|
|
|
135
153
|
- Complete vulnerability database coverage, transitive vulnerability analysis, or guaranteed advisory freshness.
|
|
136
154
|
- Default online vulnerability lookup. Network access is only used when explicitly requested.
|
|
137
|
-
-
|
|
155
|
+
- Persistent cached PyPI/source lookup beyond the current OSV response cache.
|
|
138
156
|
- Cloud/private remote registry backends.
|
|
139
157
|
- `pull`, mirroring, and remote synchronization.
|
|
140
158
|
- Tool dependency installation in the runner.
|
|
141
159
|
- Tool bundle signing and signature verification.
|
|
160
|
+
- Tool lock/verify commands and registry export/import.
|
|
142
161
|
- Dynamic sandbox analysis for arbitrary packages.
|
|
143
162
|
- Tool-specific `pkgwhy agent judge` expansion beyond the current package precheck path.
|
|
144
163
|
- `pkgwhy agent explain-decision <review-id>`.
|
|
@@ -197,6 +216,58 @@ Emit machine-readable judgement JSON:
|
|
|
197
216
|
pkgwhy judge typer --json
|
|
198
217
|
```
|
|
199
218
|
|
|
219
|
+
Before installing a package, run a local precheck:
|
|
220
|
+
|
|
221
|
+
```bash
|
|
222
|
+
pkgwhy precheck typer --json
|
|
223
|
+
pkgwhy precheck "typer==0.12.5" --json
|
|
224
|
+
pkgwhy precheck -r requirements.txt --json
|
|
225
|
+
pkgwhy precheck pyproject.toml --json
|
|
226
|
+
```
|
|
227
|
+
|
|
228
|
+
By default, `pkgwhy precheck` uses local installed metadata when available and does not use the network. Add `--pypi` or `--osv` only when you want explicit online enrichment. Add `--download-artifacts` to query PyPI, download one wheel or source artifact, verify its SHA-256 when PyPI metadata provides it, extract it to a temporary review directory, inspect it statically, and delete the temporary files. The command does not install, import, or execute inspected package code.
|
|
229
|
+
|
|
230
|
+
For CI or install-gate usage, add `--enforce-exit-code`:
|
|
231
|
+
|
|
232
|
+
```bash
|
|
233
|
+
pkgwhy precheck typer --json --enforce-exit-code
|
|
234
|
+
```
|
|
235
|
+
|
|
236
|
+
Exit codes are:
|
|
237
|
+
|
|
238
|
+
- `0`: allow.
|
|
239
|
+
- `1`: allow with caution or manual review.
|
|
240
|
+
- `2`: block or sandbox-only.
|
|
241
|
+
- `4`: requested online/artifact lookup was unavailable or failed.
|
|
242
|
+
|
|
243
|
+
To gate an install, use `pkgwhy pip install` instead of raw `pip install`:
|
|
244
|
+
|
|
245
|
+
```bash
|
|
246
|
+
pkgwhy pip install typer
|
|
247
|
+
pkgwhy pip install typer --policy strict
|
|
248
|
+
pkgwhy pip install -r requirements.txt
|
|
249
|
+
pkgwhy pip install typer --dry-run --json
|
|
250
|
+
```
|
|
251
|
+
|
|
252
|
+
The pip gate always runs precheck first. It invokes pip only when the precheck policy allows the install, or when a human uses an explicit override flag. Review/caution results exit `1`, block/sandbox-only results exit `2`, tool/config errors exit `3`, and unavailable or incomplete requested evidence exits `4`. `--dry-run` evaluates the gate and writes the local decision log without invoking pip.
|
|
253
|
+
|
|
254
|
+
Overrides are explicit:
|
|
255
|
+
|
|
256
|
+
```bash
|
|
257
|
+
pkgwhy pip install typer --override-review --override-reason "reviewed local evidence"
|
|
258
|
+
pkgwhy pip install suspicious-name --override-block --override-reason "temporary isolated test"
|
|
259
|
+
```
|
|
260
|
+
|
|
261
|
+
Agents and automated workflows should use `pkgwhy pip install` when dependency policy is required, not raw `pip install`. The command is still decision support: it does not prove a package is safe and it does not sandbox pip or installed package code.
|
|
262
|
+
|
|
263
|
+
For CI package gates, start from the reusable GitHub Actions template:
|
|
264
|
+
|
|
265
|
+
```text
|
|
266
|
+
examples/github-actions/pkgwhy-package-gate.yml
|
|
267
|
+
```
|
|
268
|
+
|
|
269
|
+
See [CI Templates](docs/ci-templates.md) for advisory, strict, and agent-mode usage. The template does not require secrets or a hosted `pkgwhy` service.
|
|
270
|
+
|
|
200
271
|
Inspect the default agent policy and run a conservative agent precheck:
|
|
201
272
|
|
|
202
273
|
```bash
|
|
@@ -669,6 +740,7 @@ Release and process references:
|
|
|
669
740
|
- [1.0.0 Feature Surface](docs/release-candidate-surface.md)
|
|
670
741
|
- [Threat Model](docs/threat-model.md)
|
|
671
742
|
- [Production Readiness Blockers](docs/production-readiness.md)
|
|
743
|
+
- [Commercial And Agent Platform Direction](docs/commercial-agent-platform.md)
|
|
672
744
|
|
|
673
745
|
## Roadmap
|
|
674
746
|
|
|
@@ -6,11 +6,11 @@ Know why a package exists before you or your agent trusts it.
|
|
|
6
6
|
|
|
7
7
|
## Status
|
|
8
8
|
|
|
9
|
-
`pkgwhy` 1.
|
|
9
|
+
`pkgwhy` 1.5.0 is a Python supply-chain security decision-support tool and local pip/CI install gate for developers and AI agents. It is useful for local package inspection, conservative static package review, agent-readable JSON, vulnerability and provenance foundations, policy checks, artifact precheck, guarded pip installs, CI package-gate templates, local registry trust states, commercial/agent platform planning, and the local private-registry and runner MVP.
|
|
10
10
|
|
|
11
11
|
It is not a production security scanner, not malware-detection certainty, and not a full sandbox. Results are evidence and signals for review, not proof that a package is safe or malicious.
|
|
12
12
|
|
|
13
|
-
Current packaged version: `1.
|
|
13
|
+
Current packaged version: `1.5.0`.
|
|
14
14
|
|
|
15
15
|
## What Works Now
|
|
16
16
|
|
|
@@ -22,6 +22,13 @@ pkgwhy explain typer
|
|
|
22
22
|
pkgwhy why typer
|
|
23
23
|
pkgwhy inspect typer
|
|
24
24
|
pkgwhy judge typer --json
|
|
25
|
+
pkgwhy precheck typer --json
|
|
26
|
+
pkgwhy precheck "typer==0.12.5" --json
|
|
27
|
+
pkgwhy precheck -r requirements.txt --json
|
|
28
|
+
pkgwhy precheck pyproject.toml --json
|
|
29
|
+
pkgwhy precheck annotated-doc==0.0.4 --download-artifacts --json
|
|
30
|
+
pkgwhy pip install typer --dry-run
|
|
31
|
+
pkgwhy pip install -r requirements.txt --dry-run
|
|
25
32
|
pkgwhy agent policy --json
|
|
26
33
|
pkgwhy agent precheck typer --json
|
|
27
34
|
pkgwhy risk typer
|
|
@@ -51,6 +58,13 @@ Implemented capabilities include:
|
|
|
51
58
|
- Metadata-derived provenance/source-trust fields from installed metadata and optional PyPI JSON, with unsupported attestation and trusted-publishing checks marked as unknown or not implemented.
|
|
52
59
|
- Conservative risk level, decision, warning, recommendation, evidence, confidence, risk model version, and rule-ID output.
|
|
53
60
|
- Human `inspect`, `risk`, and `judge` reports that show compact rule-evidence summaries, while JSON reports include structured rule details.
|
|
61
|
+
- Pre-install package precheck for package requirements, requirements files, and `pyproject.toml` dependencies.
|
|
62
|
+
- Explicit artifact-download precheck that downloads a PyPI wheel or source artifact to a temporary review directory, verifies SHA-256 when available, extracts safely, statically inspects files, and deletes temporary files by default.
|
|
63
|
+
- Optional gate exit codes via `pkgwhy precheck --enforce-exit-code`.
|
|
64
|
+
- Guarded pip install flow via `pkgwhy pip install`, with precheck first, stable exit codes, explicit overrides, and compact local decision logs.
|
|
65
|
+
- Reusable GitHub Actions package-gate template with advisory, strict, and agent modes.
|
|
66
|
+
- Local registry trust states for private tools: `trusted`, `reviewed`, `quarantined`, `blocked`, and `unknown`.
|
|
67
|
+
- Commercial and agent platform architecture documentation for future local policy packs, team review, hosted evidence cache, shared organization policy, and agent install gateway.
|
|
54
68
|
- Stable JSON output for agent workflows.
|
|
55
69
|
- Schema-versioned agent policy and package precheck output.
|
|
56
70
|
- Conservative non-interactive agent defaults that block unknown or high-risk package use until a human reviews the evidence.
|
|
@@ -64,6 +78,9 @@ pkgwhy registry list
|
|
|
64
78
|
pkgwhy registry add local-copy ~/.pkgwhy/registry
|
|
65
79
|
pkgwhy registry use local
|
|
66
80
|
pkgwhy publish ./my_tool.py
|
|
81
|
+
pkgwhy registry trust local/my_tool
|
|
82
|
+
pkgwhy registry quarantine local/my_tool
|
|
83
|
+
pkgwhy registry blocked
|
|
67
84
|
pkgwhy tool inspect local/my_tool
|
|
68
85
|
pkgwhy tool judge local/my_tool --json
|
|
69
86
|
pkgwhy run local/my_tool
|
|
@@ -85,6 +102,7 @@ Current runner policy is intentionally conservative:
|
|
|
85
102
|
- Corrupt registry indexes fail closed for publish and tool-judgement paths.
|
|
86
103
|
- Symlinks are not bundled, and stored registry paths must remain inside the registry root.
|
|
87
104
|
- Bundle hash mismatch or a missing bundle blocks execution.
|
|
105
|
+
- Quarantined or blocked registry trust states block execution.
|
|
88
106
|
- `sandbox_only` and `block` tool judgements block execution.
|
|
89
107
|
- Non-interactive execution is blocked unless both the judgement and manifest agent policy allow it.
|
|
90
108
|
- Tools with declared dependencies are not run yet because dependency installation is not implemented.
|
|
@@ -98,11 +116,12 @@ These are roadmap items, not current features:
|
|
|
98
116
|
|
|
99
117
|
- Complete vulnerability database coverage, transitive vulnerability analysis, or guaranteed advisory freshness.
|
|
100
118
|
- Default online vulnerability lookup. Network access is only used when explicitly requested.
|
|
101
|
-
-
|
|
119
|
+
- Persistent cached PyPI/source lookup beyond the current OSV response cache.
|
|
102
120
|
- Cloud/private remote registry backends.
|
|
103
121
|
- `pull`, mirroring, and remote synchronization.
|
|
104
122
|
- Tool dependency installation in the runner.
|
|
105
123
|
- Tool bundle signing and signature verification.
|
|
124
|
+
- Tool lock/verify commands and registry export/import.
|
|
106
125
|
- Dynamic sandbox analysis for arbitrary packages.
|
|
107
126
|
- Tool-specific `pkgwhy agent judge` expansion beyond the current package precheck path.
|
|
108
127
|
- `pkgwhy agent explain-decision <review-id>`.
|
|
@@ -161,6 +180,58 @@ Emit machine-readable judgement JSON:
|
|
|
161
180
|
pkgwhy judge typer --json
|
|
162
181
|
```
|
|
163
182
|
|
|
183
|
+
Before installing a package, run a local precheck:
|
|
184
|
+
|
|
185
|
+
```bash
|
|
186
|
+
pkgwhy precheck typer --json
|
|
187
|
+
pkgwhy precheck "typer==0.12.5" --json
|
|
188
|
+
pkgwhy precheck -r requirements.txt --json
|
|
189
|
+
pkgwhy precheck pyproject.toml --json
|
|
190
|
+
```
|
|
191
|
+
|
|
192
|
+
By default, `pkgwhy precheck` uses local installed metadata when available and does not use the network. Add `--pypi` or `--osv` only when you want explicit online enrichment. Add `--download-artifacts` to query PyPI, download one wheel or source artifact, verify its SHA-256 when PyPI metadata provides it, extract it to a temporary review directory, inspect it statically, and delete the temporary files. The command does not install, import, or execute inspected package code.
|
|
193
|
+
|
|
194
|
+
For CI or install-gate usage, add `--enforce-exit-code`:
|
|
195
|
+
|
|
196
|
+
```bash
|
|
197
|
+
pkgwhy precheck typer --json --enforce-exit-code
|
|
198
|
+
```
|
|
199
|
+
|
|
200
|
+
Exit codes are:
|
|
201
|
+
|
|
202
|
+
- `0`: allow.
|
|
203
|
+
- `1`: allow with caution or manual review.
|
|
204
|
+
- `2`: block or sandbox-only.
|
|
205
|
+
- `4`: requested online/artifact lookup was unavailable or failed.
|
|
206
|
+
|
|
207
|
+
To gate an install, use `pkgwhy pip install` instead of raw `pip install`:
|
|
208
|
+
|
|
209
|
+
```bash
|
|
210
|
+
pkgwhy pip install typer
|
|
211
|
+
pkgwhy pip install typer --policy strict
|
|
212
|
+
pkgwhy pip install -r requirements.txt
|
|
213
|
+
pkgwhy pip install typer --dry-run --json
|
|
214
|
+
```
|
|
215
|
+
|
|
216
|
+
The pip gate always runs precheck first. It invokes pip only when the precheck policy allows the install, or when a human uses an explicit override flag. Review/caution results exit `1`, block/sandbox-only results exit `2`, tool/config errors exit `3`, and unavailable or incomplete requested evidence exits `4`. `--dry-run` evaluates the gate and writes the local decision log without invoking pip.
|
|
217
|
+
|
|
218
|
+
Overrides are explicit:
|
|
219
|
+
|
|
220
|
+
```bash
|
|
221
|
+
pkgwhy pip install typer --override-review --override-reason "reviewed local evidence"
|
|
222
|
+
pkgwhy pip install suspicious-name --override-block --override-reason "temporary isolated test"
|
|
223
|
+
```
|
|
224
|
+
|
|
225
|
+
Agents and automated workflows should use `pkgwhy pip install` when dependency policy is required, not raw `pip install`. The command is still decision support: it does not prove a package is safe and it does not sandbox pip or installed package code.
|
|
226
|
+
|
|
227
|
+
For CI package gates, start from the reusable GitHub Actions template:
|
|
228
|
+
|
|
229
|
+
```text
|
|
230
|
+
examples/github-actions/pkgwhy-package-gate.yml
|
|
231
|
+
```
|
|
232
|
+
|
|
233
|
+
See [CI Templates](docs/ci-templates.md) for advisory, strict, and agent-mode usage. The template does not require secrets or a hosted `pkgwhy` service.
|
|
234
|
+
|
|
164
235
|
Inspect the default agent policy and run a conservative agent precheck:
|
|
165
236
|
|
|
166
237
|
```bash
|
|
@@ -633,6 +704,7 @@ Release and process references:
|
|
|
633
704
|
- [1.0.0 Feature Surface](docs/release-candidate-surface.md)
|
|
634
705
|
- [Threat Model](docs/threat-model.md)
|
|
635
706
|
- [Production Readiness Blockers](docs/production-readiness.md)
|
|
707
|
+
- [Commercial And Agent Platform Direction](docs/commercial-agent-platform.md)
|
|
636
708
|
|
|
637
709
|
## Roadmap
|
|
638
710
|
|
|
@@ -2,7 +2,7 @@
|
|
|
2
2
|
|
|
3
3
|
## Supported Status
|
|
4
4
|
|
|
5
|
-
`pkgwhy` 1.
|
|
5
|
+
`pkgwhy` 1.5.0 includes static evidence hardening, vulnerability/provenance foundations, static rule corpus/schema hardening, release/process hardening, a safe-fail experimental dynamic command skeleton, agent policy foundations, local pre-install and pip install gates, reusable CI package-gate templates, local registry trust states, commercial/agent platform planning, and local registry/runner hardening. It is not a production malware scanner and should not be treated as a definitive malware detector or full sandbox.
|
|
6
6
|
|
|
7
7
|
## Reporting Security Issues
|
|
8
8
|
|
|
@@ -36,6 +36,16 @@ The local runner blocks missing or hash-mismatched bundles, corrupt registry ind
|
|
|
36
36
|
|
|
37
37
|
Local registry publishing blocks duplicate owner/name/version records and rejects symlinks in tool bundles. Registry-stored manifest and bundle paths must resolve inside the registry root.
|
|
38
38
|
|
|
39
|
+
Local registry trust states are local policy labels. New tools default to `unknown`. `trusted` and `reviewed` are human-maintained labels, not cryptographic verification. `quarantined` and `blocked` tools are refused by the local runner before execution.
|
|
40
|
+
|
|
41
|
+
Pre-install package gate commands are decision support. `pkgwhy precheck <package> --json` checks package requirements before installation and can optionally query PyPI/OSV or download artifacts only when explicit flags request that work. Artifact precheck downloads to a temporary review directory, verifies SHA-256 when PyPI metadata provides it, statically inspects files, and deletes temporary files by default. It does not install, import, or execute inspected package code.
|
|
42
|
+
|
|
43
|
+
Pip install gate commands are also decision support. `pkgwhy pip install <package>` and `pkgwhy pip install -r requirements.txt` run precheck before invoking pip. Pip is invoked only when policy allows or when a human uses an explicit override flag. The gate logs compact local decision summaries when possible, but those logs are not tamper-proof audit records. The pip gate does not sandbox pip, installed package code, build backends, or install-time behavior.
|
|
44
|
+
|
|
45
|
+
CI templates are local workflow scaffolding. They install and run the local `pkgwhy` CLI, write reports, and optionally fail jobs based on configured mode. They do not contact a hosted `pkgwhy` service, provide a cloud review, or require secrets for basic use.
|
|
46
|
+
|
|
47
|
+
Commercial and agent platform documentation is roadmap-only. The current release does not configure hosted review, billing, payment providers, API keys, cloud services, remote policy enforcement, or shared accounts.
|
|
48
|
+
|
|
39
49
|
Agent policy commands are decision support. `pkgwhy agent precheck <package> --json` applies conservative policy to package judgement JSON and defaults to blocking unknown or high-risk package use in non-interactive mode until a human reviews the evidence. Agent decision logs are local compact summaries, best-effort when the config directory is writable, and intentionally omit full package evidence. They are not a tamper-proof audit system.
|
|
40
50
|
|
|
41
51
|
Runner warning:
|
|
@@ -54,7 +64,9 @@ Dynamic analysis is a separate experimental roadmap area and is not part of the
|
|
|
54
64
|
- Full source distribution versus wheel comparison is not implemented yet.
|
|
55
65
|
- No runner dependency installation yet.
|
|
56
66
|
- No tool bundle signing or signature verification yet.
|
|
67
|
+
- No tool lock/verify commands or registry export/import yet.
|
|
57
68
|
- No tamper-proof audit log, remote attestation, or signed decision record yet.
|
|
69
|
+
- No sandboxed pip execution; `pkgwhy pip install` is a policy gate before pip, not an installer sandbox.
|
|
58
70
|
- No tool-specific agent judgement beyond the current package precheck alias yet.
|
|
59
71
|
- No cloud registry, remote pull, hosted review API, or account-based registry auth yet.
|
|
60
72
|
- Typosquatting detection is heuristic and conservative. It can miss risky names and can surface false positives.
|
|
@@ -0,0 +1,77 @@
|
|
|
1
|
+
# CI Templates
|
|
2
|
+
|
|
3
|
+
`pkgwhy` can run as a local CI package gate without a cloud service, API key, or secret.
|
|
4
|
+
|
|
5
|
+
The reusable GitHub Actions template is:
|
|
6
|
+
|
|
7
|
+
```text
|
|
8
|
+
examples/github-actions/pkgwhy-package-gate.yml
|
|
9
|
+
```
|
|
10
|
+
|
|
11
|
+
Copy it into a repository as `.github/workflows/pkgwhy-package-gate.yml` and choose a mode with `PKGWHY_MODE`.
|
|
12
|
+
|
|
13
|
+
## Modes
|
|
14
|
+
|
|
15
|
+
- `advisory`: produce reports and never fail the job.
|
|
16
|
+
- `strict`: fail when `pkgwhy precheck -r requirements.txt --enforce-exit-code` returns review, block, or unavailable-evidence exit codes.
|
|
17
|
+
- `agent`: use the same dependency-file gate as strict mode and optionally run `pkgwhy agent precheck "$PKGWHY_AGENT_PACKAGE" --json`.
|
|
18
|
+
|
|
19
|
+
## Reports
|
|
20
|
+
|
|
21
|
+
The template writes:
|
|
22
|
+
|
|
23
|
+
- `pkgwhy-reports/precheck.json`
|
|
24
|
+
- `pkgwhy-reports/audit.json`
|
|
25
|
+
- `pkgwhy-reports/audit.md`
|
|
26
|
+
- `pkgwhy-reports/agent-precheck.json` when `PKGWHY_MODE=agent` and `PKGWHY_AGENT_PACKAGE` is set.
|
|
27
|
+
|
|
28
|
+
The template uploads those reports with `actions/upload-artifact`.
|
|
29
|
+
|
|
30
|
+
## Advisory Mode
|
|
31
|
+
|
|
32
|
+
Use advisory mode while introducing the gate:
|
|
33
|
+
|
|
34
|
+
```yaml
|
|
35
|
+
env:
|
|
36
|
+
PKGWHY_MODE: advisory
|
|
37
|
+
```
|
|
38
|
+
|
|
39
|
+
This mode is report-only. It does not claim packages are safe and does not block a pull request.
|
|
40
|
+
|
|
41
|
+
## Strict Mode
|
|
42
|
+
|
|
43
|
+
Use strict mode when dependency changes should be blocked until precheck allows them:
|
|
44
|
+
|
|
45
|
+
```yaml
|
|
46
|
+
env:
|
|
47
|
+
PKGWHY_MODE: strict
|
|
48
|
+
```
|
|
49
|
+
|
|
50
|
+
Strict mode uses the precheck exit code:
|
|
51
|
+
|
|
52
|
+
- `0`: allow.
|
|
53
|
+
- `1`: review or caution.
|
|
54
|
+
- `2`: block or sandbox-only.
|
|
55
|
+
- `4`: requested evidence was unavailable or incomplete.
|
|
56
|
+
|
|
57
|
+
Any non-zero precheck exit fails the job.
|
|
58
|
+
|
|
59
|
+
## Agent Mode
|
|
60
|
+
|
|
61
|
+
Use agent mode for repositories where automated agents should not install dependencies without a precheck:
|
|
62
|
+
|
|
63
|
+
```yaml
|
|
64
|
+
env:
|
|
65
|
+
PKGWHY_MODE: agent
|
|
66
|
+
PKGWHY_AGENT_PACKAGE: typer
|
|
67
|
+
```
|
|
68
|
+
|
|
69
|
+
Agent mode is still local decision support. It does not prove package safety, run a hosted review, or sandbox pip.
|
|
70
|
+
|
|
71
|
+
## Boundaries
|
|
72
|
+
|
|
73
|
+
- No secrets are required for basic use.
|
|
74
|
+
- No hosted `pkgwhy` service is contacted.
|
|
75
|
+
- OSV.dev or PyPI lookups happen only if you add explicit flags to the template.
|
|
76
|
+
- Static analysis signals are evidence for review, not proof of malicious or safe behavior.
|
|
77
|
+
- `pkgwhy pip install` should be used instead of raw `pip install` when install policy is required.
|
|
@@ -0,0 +1,135 @@
|
|
|
1
|
+
# Commercial And Agent Platform Direction
|
|
2
|
+
|
|
3
|
+
`pkgwhy` is a local-first package decision-support CLI before it is a hosted product. The commercial direction is to make `pkgwhy` the install gate before `pip install` for humans, CI systems, and AI coding agents:
|
|
4
|
+
|
|
5
|
+
```bash
|
|
6
|
+
pkgwhy precheck <package>
|
|
7
|
+
pkgwhy pip install <package>
|
|
8
|
+
pkgwhy agent precheck <package> --json
|
|
9
|
+
```
|
|
10
|
+
|
|
11
|
+
Core message:
|
|
12
|
+
|
|
13
|
+
- Before pip install, ask why.
|
|
14
|
+
- Stop AI agents from pip-installing mystery code.
|
|
15
|
+
- Treat `pkgwhy` output as decision support, not proof that code is safe or malicious.
|
|
16
|
+
|
|
17
|
+
This document is architecture and roadmap only. It does not configure a hosted service, billing system, API key, cloud registry, remote review backend, or secrets.
|
|
18
|
+
|
|
19
|
+
## Local Free CLI
|
|
20
|
+
|
|
21
|
+
The free local CLI remains the foundation:
|
|
22
|
+
|
|
23
|
+
- offline-first installed package inspection;
|
|
24
|
+
- metadata, manifest, lockfile, and source-file review;
|
|
25
|
+
- static capability and readability signals;
|
|
26
|
+
- local vulnerability/provenance enrichment when configured;
|
|
27
|
+
- `precheck` before installation;
|
|
28
|
+
- `pip install` gate over precheck;
|
|
29
|
+
- agent-readable JSON and conservative exit codes;
|
|
30
|
+
- local private-tool registry and runner;
|
|
31
|
+
- local trust labels for private tools.
|
|
32
|
+
|
|
33
|
+
The local CLI should keep working without a network connection, hosted account, API key, or model provider.
|
|
34
|
+
|
|
35
|
+
## Pro Local Policy Packs
|
|
36
|
+
|
|
37
|
+
Future Pro policy packs may add stronger local policy configuration while keeping enforcement on the user's machine:
|
|
38
|
+
|
|
39
|
+
- organization-ready deny and allow rules;
|
|
40
|
+
- curated trusted package baselines;
|
|
41
|
+
- stricter agent install policies;
|
|
42
|
+
- saved review profiles for common environments;
|
|
43
|
+
- local report signing when signing support exists;
|
|
44
|
+
- richer local audit history.
|
|
45
|
+
|
|
46
|
+
Policy packs must not pretend to provide malware certainty or full sandboxing. They should make review decisions more consistent and easier to enforce.
|
|
47
|
+
|
|
48
|
+
## Team And Cloud Review Dashboard
|
|
49
|
+
|
|
50
|
+
A future team dashboard may coordinate package reviews across users and repositories:
|
|
51
|
+
|
|
52
|
+
- review queues for package requests;
|
|
53
|
+
- shared decisions with expiry dates;
|
|
54
|
+
- links to package evidence and local CLI JSON;
|
|
55
|
+
- policy exceptions with named approvers;
|
|
56
|
+
- historical review records;
|
|
57
|
+
- team-level policy distribution.
|
|
58
|
+
|
|
59
|
+
This is not implemented in the current release. The current repository contains no hosted service, account system, payment flow, or remote review API.
|
|
60
|
+
|
|
61
|
+
## Hosted Package Review Cache
|
|
62
|
+
|
|
63
|
+
A future hosted cache may store source-grounded package review evidence so teams and agents do not repeat the same lookup work:
|
|
64
|
+
|
|
65
|
+
- package metadata snapshots;
|
|
66
|
+
- artifact hashes and static inspection summaries;
|
|
67
|
+
- known vulnerability source snapshots;
|
|
68
|
+
- provenance and repository metadata snapshots;
|
|
69
|
+
- review freshness timestamps;
|
|
70
|
+
- privacy controls for private package names and internal decisions.
|
|
71
|
+
|
|
72
|
+
Hosted cache output should be source-attributed and freshness-aware. Missing hosted evidence must not be treated as proof that a package is safe.
|
|
73
|
+
|
|
74
|
+
## Shared Organization Policy
|
|
75
|
+
|
|
76
|
+
Shared policy should make agent behavior predictable:
|
|
77
|
+
|
|
78
|
+
- block raw public installs by default where required;
|
|
79
|
+
- require `pkgwhy precheck` or `pkgwhy pip install`;
|
|
80
|
+
- allow trusted internal packages;
|
|
81
|
+
- quarantine packages under review;
|
|
82
|
+
- block known-bad or policy-disallowed packages;
|
|
83
|
+
- require explicit human override reasons.
|
|
84
|
+
|
|
85
|
+
Policy enforcement should remain conservative. A policy decision can block or require review; it should not claim that a package is definitively safe.
|
|
86
|
+
|
|
87
|
+
## Agent Install Gateway
|
|
88
|
+
|
|
89
|
+
The agent install gateway is the commercial platform boundary for AI coding agents. Its job is to turn a package install request into a reviewable decision:
|
|
90
|
+
|
|
91
|
+
1. Agent requests a package install.
|
|
92
|
+
2. Gateway runs or requires `pkgwhy precheck`.
|
|
93
|
+
3. Policy decides allow, caution, review, sandbox-only, or block.
|
|
94
|
+
4. Allowed installs go through `pkgwhy pip install` or a controlled package source.
|
|
95
|
+
5. Review-required and blocked installs return structured JSON for the agent.
|
|
96
|
+
6. Human overrides require explicit reason logging.
|
|
97
|
+
|
|
98
|
+
The local implementation today is `pkgwhy agent precheck` plus `pkgwhy pip install`. A hosted gateway is future work and must not silently install unknown public packages.
|
|
99
|
+
|
|
100
|
+
## MCP And Agent Gateway Design
|
|
101
|
+
|
|
102
|
+
A future MCP or agent gateway can expose a small, explicit tool surface:
|
|
103
|
+
|
|
104
|
+
- `precheck_package(package_spec, policy_mode)`;
|
|
105
|
+
- `pip_install_package(package_spec, policy_mode, override_reason)`;
|
|
106
|
+
- `explain_decision(review_id)`;
|
|
107
|
+
- `list_policy()`;
|
|
108
|
+
- `request_human_review(package_spec, evidence)`;
|
|
109
|
+
- `record_override(review_id, reason)`.
|
|
110
|
+
|
|
111
|
+
The gateway should return schema-versioned JSON, avoid executing inspected package code, and fail closed when data is unavailable. It should not expose a raw unrestricted package-install tool.
|
|
112
|
+
|
|
113
|
+
## Hosted Review Boundaries
|
|
114
|
+
|
|
115
|
+
Hosted review is future only in this release:
|
|
116
|
+
|
|
117
|
+
- no cloud service is configured;
|
|
118
|
+
- no billing provider is configured;
|
|
119
|
+
- no API keys are required;
|
|
120
|
+
- no secrets are stored;
|
|
121
|
+
- no package names or review data are uploaded by the local CLI unless a future explicit feature says so;
|
|
122
|
+
- no cloud result is fabricated;
|
|
123
|
+
- no hosted decision is treated as definitive malware detection.
|
|
124
|
+
|
|
125
|
+
## Roadmap Tiers
|
|
126
|
+
|
|
127
|
+
Planned product tiers are design targets, not active billing:
|
|
128
|
+
|
|
129
|
+
- Free local CLI: precheck, pip gate, local JSON, local registry, and local trust labels.
|
|
130
|
+
- Pro local policy packs: stricter local rules, saved profiles, local reports, and team-ready defaults.
|
|
131
|
+
- Team review dashboard: shared package decisions, approvals, policy exceptions, and review history.
|
|
132
|
+
- Hosted package review cache: source-grounded cached package evidence with freshness and privacy controls.
|
|
133
|
+
- Agent install gateway: controlled package installation boundary for AI agents.
|
|
134
|
+
|
|
135
|
+
The next engineering step is to deepen local policy and registry trust before any hosted review or commercial account system is built.
|
|
@@ -7,16 +7,19 @@ Public command JSON is offline-first by default. Optional online enrichment, suc
|
|
|
7
7
|
Current public JSON contracts:
|
|
8
8
|
|
|
9
9
|
- `pkgwhy.package_judgement.v1` for `pkgwhy judge <package> --json` and embedded package judgements.
|
|
10
|
+
- `pkgwhy.precheck.v1` for `pkgwhy precheck <package> --json`.
|
|
11
|
+
- `pkgwhy.precheck_batch.v1` for `pkgwhy precheck -r requirements.txt --json` and `pkgwhy precheck pyproject.toml --json`.
|
|
12
|
+
- `pkgwhy.pip_install_gate.v1` for `pkgwhy pip install <package> --json` and `pkgwhy pip install -r requirements.txt --json`.
|
|
10
13
|
- `pkgwhy.audit.v2` for `pkgwhy audit --json`.
|
|
11
14
|
- `pkgwhy.agent_policy.v1` for `pkgwhy agent policy --json`.
|
|
12
15
|
- `pkgwhy.agent_package_precheck.v1` for `pkgwhy agent precheck <package> --json` and `pkgwhy agent judge <package> --json`.
|
|
13
|
-
- `pkgwhy.tool_judgement.v1` for `pkgwhy tool judge <tool> --json`.
|
|
16
|
+
- `pkgwhy.tool_judgement.v1` for `pkgwhy tool judge <tool> --json`, including local registry `trust_state`.
|
|
14
17
|
- `pkgwhy.tool_manifest.v1` for local private-tool manifests embedded in tool judgement JSON.
|
|
15
18
|
- `pkgwhy.dynamic_analysis.v1` for experimental dynamic-analysis JSON.
|
|
16
19
|
|
|
17
20
|
## Compatibility Rules
|
|
18
21
|
|
|
19
|
-
During the 1.
|
|
22
|
+
During the current 1.x release line, schema versions are compatibility surfaces for agent workflows. Changes should be deliberate:
|
|
20
23
|
|
|
21
24
|
- Additive optional fields may keep the same schema version when existing consumers can ignore them safely.
|
|
22
25
|
- Required field additions, removals, renamed fields, enum meaning changes, or nested shape changes must bump the affected schema version.
|
|
@@ -24,11 +27,16 @@ During the 1.0.0 release line, schema versions are compatibility surfaces for ag
|
|
|
24
27
|
- Schema versions are not reused for different incompatible shapes.
|
|
25
28
|
- Compatibility changes must be documented in `CHANGELOG.md`.
|
|
26
29
|
|
|
27
|
-
##
|
|
30
|
+
## Test Coverage
|
|
28
31
|
|
|
29
|
-
The test suite includes normalized golden snapshots for:
|
|
32
|
+
The test suite includes normalized golden snapshots or focused schema validation for:
|
|
30
33
|
|
|
31
34
|
- `pkgwhy judge <package> --json`
|
|
35
|
+
- `pkgwhy precheck <package> --json`
|
|
36
|
+
- `pkgwhy precheck -r requirements.txt --json`
|
|
37
|
+
- `pkgwhy precheck pyproject.toml --json`
|
|
38
|
+
- `pkgwhy pip install <package> --json`
|
|
39
|
+
- `pkgwhy pip install -r requirements.txt --json`
|
|
32
40
|
- `pkgwhy audit --json`
|
|
33
41
|
- `pkgwhy agent precheck <package> --json`
|
|
34
42
|
- `pkgwhy agent judge <package> --json`
|
|
@@ -32,6 +32,12 @@ Run CLI smokes:
|
|
|
32
32
|
.venv/bin/python -m pkgwhy judge typer --json
|
|
33
33
|
.venv/bin/python -m pkgwhy risk typer
|
|
34
34
|
.venv/bin/python -m pkgwhy audit --limit 2 --json
|
|
35
|
+
.venv/bin/python -m pkgwhy precheck typer --json
|
|
36
|
+
.venv/bin/python -m pkgwhy precheck -r tests/fixtures/precheck/requirements.txt --json
|
|
37
|
+
.venv/bin/python -m pkgwhy precheck pyproject.toml --json
|
|
38
|
+
.venv/bin/python -m pkgwhy pip --help
|
|
39
|
+
.venv/bin/python -m pkgwhy pip install --help
|
|
40
|
+
.venv/bin/python -m pkgwhy pip install typer --dry-run --json
|
|
35
41
|
.venv/bin/python -m pkgwhy typos requests pandas-stubs
|
|
36
42
|
.venv/bin/python -m pkgwhy agent --help
|
|
37
43
|
.venv/bin/python -m pkgwhy agent precheck typer --json
|