sentro 0.1.0__tar.gz

sentro-0.1.0/.gitignore

@@ -0,0 +1,20 @@
+__pycache__/
+*.py[cod]
+*.egg-info/
+.eggs/
+dist/
+build/
+.venv/
+venv/
+.env
+*.egg
+.pytest_cache/
+.coverage
+htmlcov/
+.mypy_cache/
+.ruff_cache/
+*.whl
+*.tar.gz
+/tmp/
+.safe-pip.toml
+*.claude

sentro-0.1.0/.idea/.gitignore

@@ -0,0 +1,3 @@
+# Default ignored files
+/shelf/
+/workspace.xml

sentro-0.1.0/.idea/inspectionProfiles/Project_Default.xml

@@ -0,0 +1,7 @@
+<component name="InspectionProjectProfileManager">
+  <profile version="1.0">
+    <option name="myName" value="Project Default" />
+    <inspection_tool class="PyArgumentListInspection" enabled="false" level="WARNING" enabled_by_default="false" />
+    <inspection_tool class="PyStatementEffectInspection" enabled="false" level="WARNING" enabled_by_default="false" />
+  </profile>
+</component>

sentro-0.1.0/.idea/inspectionProfiles/profiles_settings.xml

@@ -0,0 +1,6 @@
+<component name="InspectionProjectProfileManager">
+  <settings>
+    <option name="USE_PROJECT_PROFILE" value="false" />
+    <version value="1.0" />
+  </settings>
+</component>

sentro-0.1.0/.idea/misc.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="Black">
+    <option name="sdkName" value="uv (safe-pip-install)" />
+  </component>
+  <component name="ProjectRootManager" version="2" project-jdk-name="uv (safe-pip-install)" project-jdk-type="Python SDK" />
+</project>

sentro-0.1.0/.idea/modules.xml

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ProjectModuleManager">
+    <modules>
+      <module fileurl="file://$PROJECT_DIR$/.idea/safe-pip-install.iml" filepath="$PROJECT_DIR$/.idea/safe-pip-install.iml" />
+    </modules>
+  </component>
+</project>

sentro-0.1.0/.idea/safe-pip-install.iml

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module type="PYTHON_MODULE" version="4">
+  <component name="NewModuleRootManager">
+    <content url="file://$MODULE_DIR$">
+      <sourceFolder url="file://$MODULE_DIR$/src" isTestSource="false" />
+      <excludeFolder url="file://$MODULE_DIR$/.venv" />
+    </content>
+    <orderEntry type="jdk" jdkName="uv (safe-pip-install)" jdkType="Python SDK" />
+    <orderEntry type="sourceFolder" forTests="false" />
+  </component>
+  <component name="PyDocumentationSettings">
+    <option name="format" value="PLAIN" />
+    <option name="myDocStringFormat" value="Plain" />
+  </component>
+  <component name="TestRunnerService">
+    <option name="PROJECT_TEST_RUNNER" value="py.test" />
+  </component>
+</module>

sentro-0.1.0/.idea/vcs.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="VcsDirectoryMappings">
+    <mapping directory="$PROJECT_DIR$/.." vcs="Git" />
+  </component>
+</project>

sentro-0.1.0/.idea/workspace.xml

@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ChangeListManager">
+    <list default="true" id="b83261b5-2f82-4a61-8ff1-8fb46c8264ce" name="Changes" comment="" />
+    <option name="SHOW_DIALOG" value="false" />
+    <option name="HIGHLIGHT_CONFLICTS" value="true" />
+    <option name="HIGHLIGHT_NON_ACTIVE_CHANGELIST" value="false" />
+    <option name="LAST_RESOLUTION" value="IGNORE" />
+  </component>
+  <component name="Git.Settings">
+    <option name="RECENT_GIT_ROOT_PATH" value="$PROJECT_DIR$/.." />
+  </component>
+  <component name="ProjectColorInfo">{
+  &quot;associatedIndex&quot;: 1
+}</component>
+  <component name="ProjectId" id="3CFzClefo4gqasflutg5HAmFyGK" />
+  <component name="ProjectViewState">
+    <option name="hideEmptyMiddlePackages" value="true" />
+    <option name="showLibraryContents" value="true" />
+  </component>
+  <component name="PropertiesComponent"><![CDATA[{
+  "keyToString": {
+    "ModuleVcsDetector.initialDetectionPerformed": "true",
+    "RunOnceActivity.ShowReadmeOnStart": "true",
+    "RunOnceActivity.TerminalTabsStorage.copyFrom.TerminalArrangementManager.252": "true",
+    "RunOnceActivity.git.unshallow": "true",
+    "dart.analysis.tool.window.visible": "false",
+    "git-widget-placeholder": "origin",
+    "last_opened_file_path": "/home/ckdev/development/sentro",
+    "show.migrate.to.gradle.popup": "false"
+  }
+}]]></component>
+  <component name="TaskManager">
+    <task active="true" id="Default" summary="Default task">
+      <changelist id="b83261b5-2f82-4a61-8ff1-8fb46c8264ce" name="Changes" comment="" />
+      <created>1775995982467</created>
+      <option name="number" value="Default" />
+      <option name="presentableId" value="Default" />
+      <updated>1775995982467</updated>
+    </task>
+    <servers />
+  </component>
+</project>

sentro-0.1.0/.pypirc

@@ -0,0 +1,5 @@
+
+[pypi]
+  username = pypi-AgEIcHlwaS5vcmcCJDU4NWVmNWE1LTJlNDgtNDkwNC05ZTJiLTg5ZmEyZGEwNmFjNwACKlszLCIzYjNhMDQ4NS00YzIyLTRmZWMtYmZhYS1kYjJlOTYwYzRjYWMiXQAABiDp1kxUluuyn5czGGcGgE7A3oZSX4pYSH-lILOF35JLlA
+  password = solvyx11062022Aa@
+

sentro-0.1.0/PKG-INFO

@@ -0,0 +1,230 @@
+Metadata-Version: 2.4
+Name: sentro
+Version: 0.1.0
+Summary: A security-conscious pip wrapper that scans packages for malicious code before installation
+Author-email: Solvyx <dev@solvyx.dev>
+License: MIT
+Keywords: malware-detection,package-manager,pip,security,supply-chain
+Classifier: Development Status :: 3 - Alpha
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Build Tools
+Requires-Python: >=3.11
+Requires-Dist: click>=8.1
+Requires-Dist: packaging>=24.0
+Requires-Dist: rich>=13.0
+Provides-Extra: dev
+Requires-Dist: pytest-cov>=5.0; extra == 'dev'
+Requires-Dist: pytest-mock>=3.0; extra == 'dev'
+Requires-Dist: pytest>=8.0; extra == 'dev'
+Requires-Dist: responses>=0.25; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# sentro
+
+Built by [Solvyx.dev](https://solvyx.dev) — a pip wrapper that scans Python packages for malicious code before installing them.
+
+```bash
+sentro install requests
+```
+
+```
+╭──────────────────────── sentro scan ─────────────────────────╮
+│   Package : requests 2.31.0                                     │
+│   PyPI    : verified                                            │
+│   Risk    : SAFE  (score 0/100)                                 │
+╰─────────────────────────────────────────────────────────────────╯
+  No issues found.
+```
+
+---
+
+## Why
+
+Supply-chain attacks on PyPI are getting more frequent. Attackers publish packages with names one typo away from `requests` or `numpy`, or shadow internal package names to trigger dependency confusion. The malicious code runs at install time inside `setup.py`, or silently on first `import`.
+
+`sentro` downloads and scans a package before pip ever touches it.
+
+---
+
+## What it detects
+
+| Check | Examples |
+|---|---|
+| **Malicious code** | `eval()` / `exec()` at module level, `os.system()`, `subprocess(shell=True)`, socket connections to hardcoded IPs |
+| **Install hooks** | Dangerous calls in `setup.py` that run unconditionally at install time, `cmdclass` overrides, dynamic `install_requires` |
+| **Obfuscation** | `exec(base64.b64decode(...))` chains, high-entropy string constants, `marshal.loads` payloads |
+| **Typosquatting** | Names similar to popular packages (`reqeusts`, `numpy-dev`), Unicode homoglyphs |
+| **Dependency confusion** | Package names that shadow Python stdlib modules (`json`, `os`, `urllib`) |
+| **Metadata signals** | Package age under 7 days, very low download count, missing author/homepage |
+
+Each finding contributes to a risk score (0–100). The overall verdict is **SAFE**, **WARNING**, or **DANGER**.
+
+---
+
+## Install
+
+```bash
+pip install sentro
+```
+
+Requires Python 3.11+.
+
+---
+
+## Usage
+
+```bash
+# Scan and install
+sentro install requests
+
+# Scan only — don't install
+sentro install requests --no-install
+
+# Block installation if anything scores DANGER
+sentro install requests --strict
+
+# Pin a version
+sentro install "requests==2.28.0"
+
+# Multiple packages
+sentro install requests flask sqlalchemy
+
+# JSON output (for CI pipelines)
+sentro install requests --no-install --output-format json
+
+# See which installer was detected
+sentro detect-installer
+```
+
+---
+
+## Flags
+
+| Flag | Description |
+|---|---|
+| `--strict` | Exit 1 and block install if any package scores DANGER |
+| `--no-install` | Scan only, don't install |
+| `--skip-scan` | Skip scanning, forward directly to the installer |
+| `--output-format text\|json` | Output format (default: `text`) |
+| `--installer pip\|uv\|conda\|mamba\|poetry\|pipenv\|pdm\|auto` | Installer to use (default: `auto`) |
+| `--config PATH` | Path to a TOML config file |
+
+---
+
+## Installer detection
+
+`sentro` auto-detects your package manager so the install step uses the right tool.
+
+| Installer | Detected when |
+|---|---|
+| `uv` | `uv` is on PATH and a virtual env is active |
+| `conda` / `mamba` | `CONDA_DEFAULT_ENV` or `CONDA_PREFIX` is set |
+| `poetry` | `pyproject.toml` has `[tool.poetry]` and `poetry` is on PATH |
+| `pipenv` | `Pipfile` exists and `pipenv` is on PATH |
+| `pdm` | `pyproject.toml` has `[tool.pdm]` and `pdm` is on PATH |
+| `pip` | Fallback |
+
+Override with `--installer pip` or set `SENTRO_INSTALLER=pip`.
+
+---
+
+## Configuration
+
+Create a `.sentro.toml` in your project root (or add `[tool.sentro]` to `pyproject.toml`):
+
+```toml
+[sentro]
+strict = true
+
+[sentro.thresholds]
+warning = 30
+danger  = 70
+
+whitelist_packages  = ["requests", "numpy"]
+scanners_disabled   = ["metadata"]
+```
+
+Config is merged from multiple sources in this order (last wins):
+
+1. `~/.config/sentro/config.toml` — user-level defaults
+2. `pyproject.toml` `[tool.sentro]` in the current directory
+3. `.sentro.toml` in the current directory
+4. `--config PATH` flag
+5. `SENTRO_*` environment variables
+6. CLI flags
+
+### Environment variables
+
+| Variable | Effect |
+|---|---|
+| `SENTRO_STRICT=true` | Enable strict mode |
+| `SENTRO_INSTALLER=pip` | Force a specific installer |
+| `SENTRO_OUTPUT_FORMAT=json` | JSON output |
+| `SENTRO_DANGER_THRESHOLD=50` | Override the DANGER score threshold |
+| `SENTRO_WARNING_THRESHOLD=20` | Override the WARNING score threshold |
+| `SENTRO_WHITELIST=requests,numpy` | Comma-separated whitelist |
+
+---
+
+## CI usage
+
+```yaml
+# GitHub Actions example
+- name: Scan dependencies
+  run: |
+    pip install sentro
+    sentro install -r requirements.txt --strict --output-format json > scan.json
+```
+
+The `--strict` flag makes the step fail if any package scores DANGER. The JSON output can be parsed or stored as an artifact.
+
+---
+
+## False positives
+
+Some legitimate packages use dynamic imports or `eval()` inside functions (template engines, plugin loaders, REPLs). `sentro` tries to distinguish:
+
+- `eval()` / `exec()` **at module level** → DANGER (runs unconditionally on import)
+- `eval()` / `exec()` **inside a function** → WARNING (may be legitimate)
+- `__import__()` **inside a function** → not flagged (standard plugin-loader pattern)
+
+If a package you trust keeps triggering warnings, add it to `whitelist_packages` in your config.
+
+---
+
+## Development
+
+```bash
+git clone https://github.com/solvyx-dev/sentro
+cd sentro
+pip install -e ".[dev]"
+
+# Run tests (no network required)
+pytest -m "not integration"
+
+# Run with coverage
+pytest --cov=sentro --cov-report=term-missing
+
+# Run integration tests (requires internet)
+pytest -m integration
+```
+
+---
+
+## Roadmap
+
+- [ ] `requirements.txt` file scanning (`sentro install -r requirements.txt`)
+- [ ] Support for other languages (npm, cargo, gem)
+- [ ] GitHub Action
+- [ ] Cache scan results to avoid re-scanning unchanged packages
+
+---
+
+## License
+
+MIT — built and maintained by [Solvyx.dev](https://solvyx.dev)

sentro-0.1.0/PUBLISH.md

@@ -0,0 +1,100 @@
+# PyPI Publishing Checklist
+
+## Status: Ready to publish
+
+Name confirmed available on PyPI: **`sentro`**
+
+---
+
+## What is already done
+
+- [x] Package name `sentro` available on PyPI
+- [x] `README.md` written
+- [x] `pyproject.toml` complete — author: Solvyx, dev@solvyx.dev
+- [x] 91 unit tests passing
+- [x] `build` and `twine` installed
+- [x] All references updated to `sentro`
+
+---
+
+## Publishing steps
+
+### 1. Create a PyPI account
+https://pypi.org/account/register
+
+### 2. Create an API token
+https://pypi.org/manage/account/token/
+
+Set scope to "Entire account" for the first upload, then restrict it to the `sentro` project.
+
+### 3. Configure credentials
+
+```bash
+# Option A — ~/.pypirc file
+[pypi]
+  username = __token__
+  password = pypi-xxxxxxxxxxxxxxxx
+
+# Option B — env vars (better for CI)
+export TWINE_USERNAME=__token__
+export TWINE_PASSWORD=pypi-xxxxxxxxxxxxxxxx
+```
+
+### 4. Build
+
+```bash
+cd /home/ckdev/development/sentro
+python -m build
+# produces:
+#   dist/sentro-0.1.0-py3-none-any.whl
+#   dist/sentro-0.1.0.tar.gz
+```
+
+### 5. Test on TestPyPI first
+
+```bash
+twine upload --repository testpypi dist/*
+# verify at: https://test.pypi.org/project/sentro/
+
+pip install --index-url https://test.pypi.org/simple/ sentro
+sentro --version
+sentro install requests --no-install
+```
+
+### 6. Upload to PyPI
+
+```bash
+twine upload dist/*
+```
+
+### 7. Verify live
+
+```bash
+pip install sentro
+sentro --version
+sentro install requests --no-install
+```
+
+---
+
+## Bumping the version
+
+When ready to release a new version:
+
+1. Update `pyproject.toml` → `version = "x.x.x"`
+2. Update `src/sentro/_version.py` → `__version__ = "x.x.x"`
+3. Build and upload again
+
+Current version: `0.1.0`
+
+Before bumping to `1.0.0` consider:
+- `requirements.txt` file scanning (`sentro install -r requirements.txt`)
+- Broader real-world package testing
+- Stable config format
+
+---
+
+## Notes
+
+- `PUBLISH.md` is dev-only — it won't be included in the PyPI distribution
+- The GitHub repo should be at `https://github.com/solvyx-dev/sentro` before publishing

sentro-0.1.0/README.md

@@ -0,0 +1,204 @@
+# sentro
+
+Built by [Solvyx.dev](https://solvyx.dev) — a pip wrapper that scans Python packages for malicious code before installing them.
+
+```bash
+sentro install requests
+```
+
+```
+╭──────────────────────── sentro scan ─────────────────────────╮
+│   Package : requests 2.31.0                                     │
+│   PyPI    : verified                                            │
+│   Risk    : SAFE  (score 0/100)                                 │
+╰─────────────────────────────────────────────────────────────────╯
+  No issues found.
+```
+
+---
+
+## Why
+
+Supply-chain attacks on PyPI are getting more frequent. Attackers publish packages with names one typo away from `requests` or `numpy`, or shadow internal package names to trigger dependency confusion. The malicious code runs at install time inside `setup.py`, or silently on first `import`.
+
+`sentro` downloads and scans a package before pip ever touches it.
+
+---
+
+## What it detects
+
+| Check | Examples |
+|---|---|
+| **Malicious code** | `eval()` / `exec()` at module level, `os.system()`, `subprocess(shell=True)`, socket connections to hardcoded IPs |
+| **Install hooks** | Dangerous calls in `setup.py` that run unconditionally at install time, `cmdclass` overrides, dynamic `install_requires` |
+| **Obfuscation** | `exec(base64.b64decode(...))` chains, high-entropy string constants, `marshal.loads` payloads |
+| **Typosquatting** | Names similar to popular packages (`reqeusts`, `numpy-dev`), Unicode homoglyphs |
+| **Dependency confusion** | Package names that shadow Python stdlib modules (`json`, `os`, `urllib`) |
+| **Metadata signals** | Package age under 7 days, very low download count, missing author/homepage |
+
+Each finding contributes to a risk score (0–100). The overall verdict is **SAFE**, **WARNING**, or **DANGER**.
+
+---
+
+## Install
+
+```bash
+pip install sentro
+```
+
+Requires Python 3.11+.
+
+---
+
+## Usage
+
+```bash
+# Scan and install
+sentro install requests
+
+# Scan only — don't install
+sentro install requests --no-install
+
+# Block installation if anything scores DANGER
+sentro install requests --strict
+
+# Pin a version
+sentro install "requests==2.28.0"
+
+# Multiple packages
+sentro install requests flask sqlalchemy
+
+# JSON output (for CI pipelines)
+sentro install requests --no-install --output-format json
+
+# See which installer was detected
+sentro detect-installer
+```
+
+---
+
+## Flags
+
+| Flag | Description |
+|---|---|
+| `--strict` | Exit 1 and block install if any package scores DANGER |
+| `--no-install` | Scan only, don't install |
+| `--skip-scan` | Skip scanning, forward directly to the installer |
+| `--output-format text\|json` | Output format (default: `text`) |
+| `--installer pip\|uv\|conda\|mamba\|poetry\|pipenv\|pdm\|auto` | Installer to use (default: `auto`) |
+| `--config PATH` | Path to a TOML config file |
+
+---
+
+## Installer detection
+
+`sentro` auto-detects your package manager so the install step uses the right tool.
+
+| Installer | Detected when |
+|---|---|
+| `uv` | `uv` is on PATH and a virtual env is active |
+| `conda` / `mamba` | `CONDA_DEFAULT_ENV` or `CONDA_PREFIX` is set |
+| `poetry` | `pyproject.toml` has `[tool.poetry]` and `poetry` is on PATH |
+| `pipenv` | `Pipfile` exists and `pipenv` is on PATH |
+| `pdm` | `pyproject.toml` has `[tool.pdm]` and `pdm` is on PATH |
+| `pip` | Fallback |
+
+Override with `--installer pip` or set `SENTRO_INSTALLER=pip`.
+
+---
+
+## Configuration
+
+Create a `.sentro.toml` in your project root (or add `[tool.sentro]` to `pyproject.toml`):
+
+```toml
+[sentro]
+strict = true
+
+[sentro.thresholds]
+warning = 30
+danger  = 70
+
+whitelist_packages  = ["requests", "numpy"]
+scanners_disabled   = ["metadata"]
+```
+
+Config is merged from multiple sources in this order (last wins):
+
+1. `~/.config/sentro/config.toml` — user-level defaults
+2. `pyproject.toml` `[tool.sentro]` in the current directory
+3. `.sentro.toml` in the current directory
+4. `--config PATH` flag
+5. `SENTRO_*` environment variables
+6. CLI flags
+
+### Environment variables
+
+| Variable | Effect |
+|---|---|
+| `SENTRO_STRICT=true` | Enable strict mode |
+| `SENTRO_INSTALLER=pip` | Force a specific installer |
+| `SENTRO_OUTPUT_FORMAT=json` | JSON output |
+| `SENTRO_DANGER_THRESHOLD=50` | Override the DANGER score threshold |
+| `SENTRO_WARNING_THRESHOLD=20` | Override the WARNING score threshold |
+| `SENTRO_WHITELIST=requests,numpy` | Comma-separated whitelist |
+
+---
+
+## CI usage
+
+```yaml
+# GitHub Actions example
+- name: Scan dependencies
+  run: |
+    pip install sentro
+    sentro install -r requirements.txt --strict --output-format json > scan.json
+```
+
+The `--strict` flag makes the step fail if any package scores DANGER. The JSON output can be parsed or stored as an artifact.
+
+---
+
+## False positives
+
+Some legitimate packages use dynamic imports or `eval()` inside functions (template engines, plugin loaders, REPLs). `sentro` tries to distinguish:
+
+- `eval()` / `exec()` **at module level** → DANGER (runs unconditionally on import)
+- `eval()` / `exec()` **inside a function** → WARNING (may be legitimate)
+- `__import__()` **inside a function** → not flagged (standard plugin-loader pattern)
+
+If a package you trust keeps triggering warnings, add it to `whitelist_packages` in your config.
+
+---
+
+## Development
+
+```bash
+git clone https://github.com/solvyx-dev/sentro
+cd sentro
+pip install -e ".[dev]"
+
+# Run tests (no network required)
+pytest -m "not integration"
+
+# Run with coverage
+pytest --cov=sentro --cov-report=term-missing
+
+# Run integration tests (requires internet)
+pytest -m integration
+```
+
+---
+
+## Roadmap
+
+- [ ] `requirements.txt` file scanning (`sentro install -r requirements.txt`)
+- [ ] Support for other languages (npm, cargo, gem)
+- [ ] GitHub Action
+- [ ] Cache scan results to avoid re-scanning unchanged packages
+
+---
+
+## License
+
+MIT — built and maintained by [Solvyx.dev](https://solvyx.dev)

sentro-0.1.0/pypitoken.text

@@ -0,0 +1,5 @@
+#pypi_token
+pypi-AgEIcHlwaS5vcmcCJDU4NWVmNWE1LTJlNDgtNDkwNC05ZTJiLTg5ZmEyZGEwNmFjNwACKlszLCIzYjNhMDQ4NS00YzIyLTRmZWMtYmZhYS1kYjJlOTYwYzRjYWMiXQAABiDp1kxUluuyn5czGGcGgE7A3oZSX4pYSH-lILOF35JLlA
+
+#pytest
+pypi-AgENdGVzdC5weXBpLm9yZwIkYmJiYjJiYjItZmQ0NC00ODEwLTg2MzUtODY5M2E2NTRmMmRmAAIqWzMsImQ0ZjJiYWVkLWMzZWMtNDJhOC1hZGNjLTgzOWVjMDYxOTQ4NyJdAAAGIDrSZxLBJkzqeh6h47AmWXOAkuxOgILfO7xg-b4YQ7VL