semcodes 0.1.12__py3-none-any.whl

routers/audit.py

@@ -0,0 +1,333 @@
+"""Audit endpoints and analysis pipeline."""
+
+import asyncio
+import hashlib
+import re
+import shutil
+import tempfile
+from datetime import datetime
+from pathlib import Path
+from datetime import timezone
+
+from fastapi import APIRouter, Depends, HTTPException, Request
+
+from config import APP_URL
+from services.pipeline import run_pipeline, run_pipeline_local
+from services.scan_service import (
+    save_scan,
+    get_recent_scans,
+    save_audit_result,
+    get_audit_result,
+    save_badge_cache,
+)
+from routers.auth import get_current_user
+
+router = APIRouter()
+
+
+def _utc_now_iso() -> str:
+    return datetime.now(timezone.utc).isoformat()
+
+
+def _schedule_background_task(coroutine):
+    try:
+        loop = asyncio.get_running_loop()
+    except RuntimeError:
+        coroutine.close()
+        return
+    loop.create_task(coroutine)
+
+
+@router.post("/api/audit")
+async def run_audit(request: Request, user: dict = Depends(get_current_user)):
+    """Run one-click audit on a repo. Requires authentication."""
+    body = await request.json()
+    repo = body["repo"]
+    token = user["github_token"]
+    audit_id = hashlib.sha256(f"{repo}-{_utc_now_iso()}".encode()).hexdigest()[:12]
+
+    benchmark_meta = {
+        "case_id": body.get("case_id"),
+        "source_type": body.get("source_type"),
+        "change_type": body.get("change_type"),
+        "baseline_detected": body.get("baseline_detected"),
+        "benchmark_mode": body.get("benchmark_mode", False),
+        "ticket_id": body.get("ticket_id"),
+        "pr_reference": body.get("pr_reference"),
+    }
+
+    # Save initial audit status to database
+    save_audit_result(
+        audit_id,
+        {
+            "status": "running",
+            "repo": repo,
+            "started": _utc_now_iso(),
+            **{k: v for k, v in benchmark_meta.items() if v is not None},
+        },
+    )
+
+    _schedule_background_task(_run_audit_pipeline(audit_id, repo, token))
+    return {
+        "audit_id": audit_id,
+        "status": "running",
+        **{k: v for k, v in benchmark_meta.items() if v is not None},
+    }
+
+
+@router.get("/api/audit/{audit_id}")
+async def get_audit_result_endpoint(audit_id: str):
+    """Poll audit status and results."""
+    result = get_audit_result(audit_id)
+    if not result:
+        raise HTTPException(404, "Audit not found")
+    return result
+
+
+@router.get("/api/scans/recent")
+async def get_recent_scans_api(limit: int = 100):
+    """Get list of recent scans with metrics."""
+    # Try to get from SQLite first, fall back to in-memory
+    try:
+        scans = get_recent_scans(limit)
+        total = len(scans)
+    except Exception:
+        scans = scan_history[:limit]
+        total = len(scan_history)
+
+    return {
+        "scans": scans,
+        "total": total,
+    }
+
+
+@router.post("/api/analyze")
+async def analyze_repo(request: Request):
+    """Analyze any public repository by URL (sandbox mode). Supports file:// for local repos."""
+    body = await request.json()
+    repo_url = body.get("repo_url", "")
+    sandbox = body.get("sandbox", False)
+
+    if not repo_url:
+        raise HTTPException(400, "repo_url required")
+
+    # Initialize actual_repo_url (defaults to repo_url)
+    actual_repo_url = repo_url
+
+    # Support local:/ paths for mounted volume repositories
+    if repo_url.startswith("local:/"):
+        # Extract repo name from local path for audit_id
+        import os
+
+        path = repo_url.replace("local:/", "/local-repos/")
+        repo_name = os.path.basename(path)
+        owner = "local"
+        repo = repo_name
+        # Use the actual mounted path for git clone
+        actual_repo_url = path
+        audit_id = hashlib.sha256(
+            f"local/{repo_name}-{_utc_now_iso()}".encode()
+        ).hexdigest()[:12]
+    elif repo_url.startswith("file://"):
+        # Extract repo name from file path for audit_id
+        import os
+
+        path = repo_url.replace("file://", "")
+        repo_name = os.path.basename(path.rstrip("/.git"))
+        owner = "local"
+        repo = repo_name
+        actual_repo_url = path
+        audit_id = hashlib.sha256(
+            f"local/{repo_name}-{_utc_now_iso()}".encode()
+        ).hexdigest()[:12]
+    else:
+        # Parse owner/repo from URL
+        match = (
+            re.search(r"github\.com/([^/]+)/([^/\.]+)", repo_url)
+            or re.search(r"gitlab\.com/([^/]+)/([^/\.]+)", repo_url)
+            or re.search(r"bitbucket\.org/([^/]+)/([^/\.]+)", repo_url)
+        )
+
+        if not match:
+            ssh_match = re.search(r":([^/]+)/([^/\.]+)\.?", repo_url)
+            if ssh_match:
+                match = ssh_match
+
+        if not match:
+            raise HTTPException(400, "Could not parse owner/repo from URL")
+
+        owner, repo = match.group(1), match.group(2)
+        audit_id = hashlib.sha256(
+            f"{owner}/{repo}-{_utc_now_iso()}".encode()
+        ).hexdigest()[:12]
+
+    benchmark_meta = {
+        "case_id": body.get("case_id"),
+        "source_type": body.get("source_type"),
+        "change_type": body.get("change_type"),
+        "baseline_detected": body.get("baseline_detected"),
+        "benchmark_mode": body.get("benchmark_mode", False),
+        "ticket_id": body.get("ticket_id"),
+        "pr_reference": body.get("pr_reference"),
+    }
+
+    # Save initial audit status to database
+    save_audit_result(
+        audit_id,
+        {
+            "status": "running",
+            "repo": f"{owner}/{repo}",
+            "sandbox": sandbox,
+            "started": _utc_now_iso(),
+            **{k: v for k, v in benchmark_meta.items() if v is not None},
+        },
+    )
+
+    # Use actual_repo_url for local repos, otherwise repo_url
+    _schedule_background_task(
+        _run_sandbox_analysis(audit_id, actual_repo_url, f"{owner}/{repo}")
+    )
+    return {
+        "audit_id": audit_id,
+        "status": "running",
+        "sandbox": True,
+        **{k: v for k, v in benchmark_meta.items() if v is not None},
+    }
+
+
+async def _run_audit_pipeline(audit_id: str, repo: str, token: str):
+    """Background pipeline: clone → code2llm → redup → pyqual → report."""
+    try:
+        result = await run_pipeline(repo, token, include_code2llm_files=True)
+
+        report = {
+            "status": "complete",
+            "repo": repo,
+            "completed": _utc_now_iso(),
+            "stats": result.stats,
+            "health_score": result.health_score,
+            "grade": result.grade,
+            "metrics": {
+                "complexity": result.complexity,
+                "duplication": result.duplication,
+                "quality": result.quality,
+            },
+            "recommendations": result.recommendations,
+            "badge_url": f"{APP_URL}/badge/{repo.replace('/', '-')}.svg",
+            "files": result.code2llm_files.get("files", []),
+        }
+
+        save_audit_result(audit_id, report)
+
+        weekly_issues = sum(
+            1 for r in result.recommendations if r.get("priority") in ("high", "medium")
+        )
+        save_badge_cache(
+            repo,
+            {
+                "score": result.health_score,
+                "grade": result.grade,
+                "updated": _utc_now_iso(),
+                "weekly_issues": weekly_issues,
+            },
+        )
+
+        scan_entry = {
+            "repo": repo,
+            "health_score": result.health_score,
+            "grade": result.grade,
+            "stats": result.stats,
+            "completed": _utc_now_iso(),
+            "badge_url": f"{APP_URL}/badge/{repo.replace('/', '-')}.svg",
+        }
+        try:
+            save_scan(scan_entry)
+        except Exception:
+            pass
+
+    except Exception as e:
+        save_audit_result(audit_id, {"status": "error", "repo": repo, "error": str(e)})
+
+
+async def _run_sandbox_analysis(audit_id: str, repo_url: str, repo: str):
+    """Background analysis for sandbox mode (public repos only)."""
+    workdir = Path(tempfile.mkdtemp(prefix="semcod-sandbox-"))
+
+    try:
+        # Check if this is a local path (starts with /local-repos/)
+        if repo_url.startswith("/local-repos/"):
+            source_path = Path(repo_url)
+            if source_path.exists():
+                shutil.copytree(source_path, workdir / "repo")
+            else:
+                save_audit_result(
+                    audit_id,
+                    {
+                        "status": "error",
+                        "error": f"Local repository not found: {repo_url}",
+                        "repo": repo,
+                    },
+                )
+                return
+        else:
+            # Use git clone for remote repos
+            proc = await asyncio.create_subprocess_exec(
+                "git",
+                "clone",
+                "--depth=1",
+                repo_url,
+                str(workdir / "repo"),
+                stdout=asyncio.subprocess.PIPE,
+                stderr=asyncio.subprocess.PIPE,
+            )
+            await proc.wait()
+            if proc.returncode != 0:
+                save_audit_result(
+                    audit_id,
+                    {
+                        "status": "error",
+                        "error": "Failed to clone repository. Ensure it's public.",
+                        "repo": repo,
+                    },
+                )
+                return
+
+        result = await run_pipeline_local(workdir / "repo", include_code2llm_files=True)
+
+        report = {
+            "status": "complete",
+            "repo": repo,
+            "sandbox": True,
+            "completed": _utc_now_iso(),
+            "stats": result.stats,
+            "health_score": result.health_score,
+            "grade": result.grade,
+            "metrics": {
+                "complexity": result.complexity,
+                "duplication": result.duplication,
+                "quality": result.quality,
+            },
+            "recommendations": result.recommendations,
+            "files": result.code2llm_files.get("files", []),
+        }
+
+        save_audit_result(audit_id, report)
+
+        scan_entry = {
+            "repo": repo,
+            "health_score": result.health_score,
+            "grade": result.grade,
+            "stats": result.stats,
+            "completed": _utc_now_iso(),
+            "sandbox": True,
+            "badge_url": f"{APP_URL}/badge/{repo.replace('/', '-')}.svg",
+        }
+        try:
+            save_scan(scan_entry)
+        except Exception:
+            pass
+
+    except Exception as e:
+        save_audit_result(audit_id, {"status": "error", "error": str(e), "repo": repo})
+    finally:
+        shutil.rmtree(workdir, ignore_errors=True)

routers/auth.py

@@ -0,0 +1,268 @@
+import httpx
+import jwt
+from datetime import datetime, timedelta, timezone
+from fastapi import APIRouter, Depends, HTTPException
+from fastapi.responses import RedirectResponse
+from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
+
+from config import (
+    APP_URL,
+    FRONTEND_URL,
+    GITHUB_CLIENT_ID,
+    GITHUB_CLIENT_SECRET,
+    GITHUB_OAUTH_SCOPE,
+    SECRET_KEY,
+    SESSION_EXPIRE_HOURS,
+    REPOS_PER_PAGE,
+    GITHUB_OAUTH_AUTHORIZE_URL,
+    GITHUB_OAUTH_TOKEN_URL,
+    GITHUB_API_BASE_URL,
+    GITEA_CLIENT_ID,
+    GITEA_CLIENT_SECRET,
+    GITEA_OAUTH_AUTHORIZE_URL,
+    GITEA_OAUTH_TOKEN_URL,
+    GITEA_API_BASE_URL,
+)
+from database import upsert_user, get_user_by_id
+
+router = APIRouter()
+security = HTTPBearer(auto_error=False)
+
+
+def create_session_token(user_id: int) -> str:
+    payload = {
+        "sub": str(user_id),
+        "exp": datetime.now(timezone.utc) + timedelta(hours=SESSION_EXPIRE_HOURS),
+        "iat": datetime.now(timezone.utc),
+    }
+    return jwt.encode(payload, SECRET_KEY, algorithm="HS256")
+
+
+def decode_session_token(token: str) -> dict:
+    try:
+        return jwt.decode(token, SECRET_KEY, algorithms=["HS256"])
+    except jwt.ExpiredSignatureError:
+        raise HTTPException(401, "Session expired")
+    except jwt.InvalidTokenError:
+        raise HTTPException(401, "Invalid token")
+
+
+async def get_current_user(
+    credentials: HTTPAuthorizationCredentials = Depends(security),
+) -> dict:
+    if not credentials:
+        raise HTTPException(401, "Not authenticated")
+    payload = decode_session_token(credentials.credentials)
+    user_id = payload.get("sub")
+    if not user_id:
+        raise HTTPException(401, "Invalid token payload")
+    user = get_user_by_id(int(user_id))
+    if not user:
+        raise HTTPException(401, "User not found")
+    return user
+
+
+@router.post("/auth/gh-token")
+async def auth_via_github_token(token: str):
+    """Exchange a GitHub personal access token (e.g. from `gh auth token`) for a Semcod session JWT.
+
+    This allows CLI tools using `gh` to authenticate without browser-based OAuth.
+    """
+    async with httpx.AsyncClient() as client:
+        profile_resp = await client.get(
+            f"{GITHUB_API_BASE_URL}/user",
+            headers={
+                "Authorization": f"Bearer {token}",
+                "Accept": "application/vnd.github+json",
+            },
+        )
+    if profile_resp.status_code != 200:
+        raise HTTPException(401, "Invalid GitHub token")
+    profile = profile_resp.json()
+
+    github_id = profile.get("id")
+    if not github_id:
+        raise HTTPException(400, "Failed to fetch GitHub profile")
+
+    user = upsert_user(
+        github_id=github_id,
+        login=profile.get("login", ""),
+        name=profile.get("name", "") or profile.get("login", ""),
+        avatar_url=profile.get("avatar_url", ""),
+        github_token=token,
+    )
+
+    session_token = create_session_token(user["id"])
+    return {
+        "session_token": session_token,
+        "user": {"id": user["id"], "login": user["login"]},
+    }
+
+
+@router.get("/auth/github")
+async def github_oauth_start():
+    """Step 1: Redirect user to GitHub OAuth."""
+    scope = GITHUB_OAUTH_SCOPE
+    url = (
+        f"{GITHUB_OAUTH_AUTHORIZE_URL}"
+        f"?client_id={GITHUB_CLIENT_ID}"
+        f"&scope={scope}"
+        f"&redirect_uri={APP_URL}/auth/callback"
+    )
+    return RedirectResponse(url)
+
+
+@router.get("/auth/callback")
+async def github_oauth_callback(code: str):
+    """Step 2: Exchange code for token, fetch profile, create user, issue JWT."""
+    async with httpx.AsyncClient() as client:
+        token_resp = await client.post(
+            GITHUB_OAUTH_TOKEN_URL,
+            json={
+                "client_id": GITHUB_CLIENT_ID,
+                "client_secret": GITHUB_CLIENT_SECRET,
+                "code": code,
+            },
+            headers={"Accept": "application/json"},
+        )
+        token_data = token_resp.json()
+
+    github_token = token_data.get("access_token")
+    if not github_token:
+        raise HTTPException(400, "OAuth failed")
+
+    async with httpx.AsyncClient() as client:
+        profile_resp = await client.get(
+            f"{GITHUB_API_BASE_URL}/user",
+            headers={
+                "Authorization": f"Bearer {github_token}",
+                "Accept": "application/vnd.github+json",
+            },
+        )
+    profile = profile_resp.json()
+
+    github_id = profile.get("id")
+    if not github_id:
+        raise HTTPException(400, "Failed to fetch GitHub profile")
+
+    user = upsert_user(
+        github_id=github_id,
+        login=profile.get("login", ""),
+        name=profile.get("name", "") or profile.get("login", ""),
+        avatar_url=profile.get("avatar_url", ""),
+        github_token=github_token,
+    )
+
+    session_token = create_session_token(user["id"])
+    return RedirectResponse(f"{FRONTEND_URL}/audit?session={session_token}")
+
+
+@router.get("/auth/gitea")
+async def gitea_oauth_start():
+    """Step 1: Redirect user to Gitea OAuth."""
+    if not GITEA_CLIENT_ID or not GITEA_OAUTH_AUTHORIZE_URL:
+        raise HTTPException(501, "Gitea OAuth not configured")
+    from urllib.parse import urlencode
+
+    params = urlencode(
+        {
+            "client_id": GITEA_CLIENT_ID,
+            "redirect_uri": f"{APP_URL}/auth/callback/gitea",
+            "response_type": "code",
+            "scope": "repo",
+        }
+    )
+    return RedirectResponse(f"{GITEA_OAUTH_AUTHORIZE_URL}?{params}")
+
+
+@router.get("/auth/callback/gitea")
+async def gitea_oauth_callback(code: str):
+    """Step 2: Exchange code for token, fetch profile, create user, issue JWT."""
+    if not GITEA_CLIENT_ID or not GITEA_OAUTH_TOKEN_URL:
+        raise HTTPException(501, "Gitea OAuth not configured")
+
+    async with httpx.AsyncClient() as client:
+        token_resp = await client.post(
+            GITEA_OAUTH_TOKEN_URL,
+            json={
+                "client_id": GITEA_CLIENT_ID,
+                "client_secret": GITEA_CLIENT_SECRET,
+                "code": code,
+                "grant_type": "authorization_code",
+                "redirect_uri": f"{APP_URL}/auth/callback/gitea",
+            },
+            headers={"Accept": "application/json"},
+        )
+        token_data = token_resp.json()
+
+    gitea_token = token_data.get("access_token")
+    if not gitea_token:
+        raise HTTPException(400, "Gitea OAuth failed")
+
+    async with httpx.AsyncClient() as client:
+        profile_resp = await client.get(
+            f"{GITEA_API_BASE_URL}/api/v1/user",
+            headers={"Authorization": f"token {gitea_token}"},
+        )
+    profile = profile_resp.json()
+
+    gitea_id = profile.get("id")
+    if not gitea_id:
+        raise HTTPException(400, "Failed to fetch Gitea profile")
+
+    user = upsert_user(
+        github_id=gitea_id,
+        login=profile.get("login", ""),
+        name=profile.get("full_name", "") or profile.get("login", ""),
+        avatar_url=profile.get("avatar_url", ""),
+        github_token=gitea_token,
+    )
+
+    session_token = create_session_token(user["id"])
+    return RedirectResponse(f"{FRONTEND_URL}/audit?session={session_token}")
+
+
+@router.get("/api/me")
+async def get_me(user: dict = Depends(get_current_user)):
+    return {
+        "id": user["id"],
+        "login": user["login"],
+        "name": user["name"],
+        "avatar_url": user["avatar_url"],
+    }
+
+
+@router.post("/api/logout")
+async def logout():
+    return {"message": "Logged out"}
+
+
+@router.get("/api/repos")
+async def list_repos(user: dict = Depends(get_current_user)):
+    """List user's repos for audit selection."""
+    if not user.get("github_token"):
+        raise HTTPException(status_code=401, detail="GitHub token required")
+
+    async with httpx.AsyncClient() as client:
+        resp = await client.get(
+            f"{GITHUB_API_BASE_URL}/user/repos",
+            params={"sort": "updated", "per_page": REPOS_PER_PAGE, "type": "owner"},
+            headers={
+                "Authorization": f"Bearer {user['github_token']}",
+                "Accept": "application/vnd.github+json",
+            },
+        )
+    repos = resp.json()
+    return [
+        {
+            "full_name": r["full_name"],
+            "name": r["name"],
+            "language": r.get("language"),
+            "stars": r.get("stargazers_count", 0),
+            "size_kb": r.get("size", 0),
+            "private": r.get("private", False),
+            "default_branch": r.get("default_branch", "main"),
+        }
+        for r in repos
+        if isinstance(r, dict)
+    ]