solokit 0.1.1__py3-none-any.whl

solokit/quality/checkers/security.py

@@ -0,0 +1,261 @@
+#!/usr/bin/env python3
+"""
+Security vulnerability scanner.
+
+Runs security scans using Bandit (Python) and Safety (Python dependencies),
+or npm audit (JavaScript/TypeScript).
+"""
+
+from __future__ import annotations
+
+import json
+import os
+import tempfile
+import time
+from pathlib import Path
+from typing import Any
+
+from solokit.core.command_runner import CommandRunner
+from solokit.core.constants import QUALITY_CHECK_LONG_TIMEOUT
+from solokit.core.logging_config import get_logger
+from solokit.quality.checkers.base import CheckResult, QualityChecker
+
+logger = get_logger(__name__)
+
+
+class SecurityChecker(QualityChecker):
+    """Security vulnerability scanning for Python and JavaScript/TypeScript."""
+
+    def __init__(
+        self,
+        config: dict[str, Any],
+        project_root: Path | None = None,
+        language: str | None = None,
+        runner: CommandRunner | None = None,
+    ):
+        """Initialize security checker.
+
+        Args:
+            config: Security configuration
+            project_root: Project root directory
+            language: Programming language (python, javascript, typescript)
+            runner: Optional CommandRunner instance (for testing)
+        """
+        super().__init__(config, project_root)
+        self.runner = (
+            runner
+            if runner is not None
+            else CommandRunner(default_timeout=QUALITY_CHECK_LONG_TIMEOUT)
+        )
+        self.language = language or self._detect_language()
+
+    def name(self) -> str:
+        """Return checker name."""
+        return "security"
+
+    def is_enabled(self) -> bool:
+        """Check if security scanning is enabled."""
+        return bool(self.config.get("enabled", True))
+
+    def _detect_language(self) -> str:
+        """Detect primary project language."""
+        if (self.project_root / "pyproject.toml").exists() or (
+            self.project_root / "setup.py"
+        ).exists():
+            return "python"
+        elif (self.project_root / "package.json").exists():
+            if (self.project_root / "tsconfig.json").exists():
+                return "typescript"
+            return "javascript"
+        return "python"  # default
+
+    def run(self) -> CheckResult:
+        """Run security vulnerability scan."""
+        start_time = time.time()
+
+        if not self.is_enabled():
+            return self._create_skipped_result()
+
+        logger.info(f"Running security scan for {self.language}")
+
+        if self.language == "python":
+            results = self._scan_python()
+        elif self.language in ["javascript", "typescript"]:
+            results = self._scan_javascript()
+        else:
+            return self._create_skipped_result(reason=f"unsupported language: {self.language}")
+
+        # Check if passed based on fail_on threshold
+        fail_on = self.config.get("fail_on", "high").upper()
+        severity_levels = ["LOW", "MEDIUM", "HIGH", "CRITICAL"]
+
+        if fail_on not in severity_levels:
+            fail_on = "HIGH"
+
+        fail_threshold = severity_levels.index(fail_on)
+
+        passed = True
+        for severity, count in results.get("by_severity", {}).items():
+            if (
+                severity in severity_levels
+                and severity_levels.index(severity) >= fail_threshold
+                and count > 0
+            ):
+                passed = False
+                break
+
+        execution_time = time.time() - start_time
+
+        return CheckResult(
+            checker_name=self.name(),
+            passed=passed,
+            status="passed" if passed else "failed",
+            errors=results.get("vulnerabilities", []),
+            warnings=[],
+            info={
+                "by_severity": results.get("by_severity", {}),
+                "fail_threshold": fail_on,
+                "language": self.language,
+            },
+            execution_time=execution_time,
+        )
+
+    def _scan_python(self) -> dict[str, Any]:
+        """Run Python security scans (Bandit + Safety)."""
+        results: dict[str, Any] = {"vulnerabilities": [], "by_severity": {}}
+
+        # Run Bandit
+        bandit_results = self._run_bandit()
+        if bandit_results:
+            results["bandit"] = bandit_results
+            # Count by severity
+            for issue in bandit_results.get("results", []):
+                severity = issue.get("issue_severity", "LOW")
+                results["by_severity"][severity] = results["by_severity"].get(severity, 0) + 1
+                # Add to vulnerabilities list
+                results["vulnerabilities"].append(
+                    {
+                        "source": "bandit",
+                        "file": issue.get("filename", ""),
+                        "line": issue.get("line_number", 0),
+                        "issue": issue.get("issue_text", ""),
+                        "severity": severity,
+                        "confidence": issue.get("issue_confidence", ""),
+                    }
+                )
+
+        # Run Safety
+        safety_results = self._run_safety()
+        if safety_results:
+            results["safety"] = safety_results
+            results["vulnerabilities"].extend(safety_results)
+
+        return results
+
+    def _run_bandit(self) -> dict[str, Any] | None:
+        """Run Bandit security scanner."""
+        try:
+            # Create temporary file for report
+            fd, bandit_report_path = tempfile.mkstemp(suffix=".json")
+            os.close(fd)
+
+            try:
+                src_dir = self.project_root / "src"
+                if not src_dir.exists():
+                    logger.debug("No src/ directory found, skipping Bandit")
+                    return None
+
+                self.runner.run(
+                    [
+                        "bandit",
+                        "-r",
+                        str(src_dir),
+                        "-f",
+                        "json",
+                        "-o",
+                        bandit_report_path,
+                    ],
+                    timeout=QUALITY_CHECK_LONG_TIMEOUT,
+                )
+
+                if Path(bandit_report_path).exists():
+                    try:
+                        with open(bandit_report_path) as f:
+                            content = f.read().strip()
+                            if content:
+                                return json.loads(content)  # type: ignore[no-any-return]
+                    except (json.JSONDecodeError, ValueError) as e:
+                        logger.warning(f"Failed to parse bandit report: {e}")
+                    except OSError as e:
+                        logger.warning(f"Failed to read bandit report: {e}")
+            finally:
+                # Clean up temporary file
+                try:
+                    Path(bandit_report_path).unlink()
+                except OSError:
+                    pass
+
+        except (ImportError, OSError) as e:
+            logger.debug(f"Bandit not available: {e}")
+
+        return None
+
+    def _run_safety(self) -> list[dict[str, Any]]:
+        """Run Safety dependency scanner."""
+        requirements_file = self.project_root / "requirements.txt"
+        if not requirements_file.exists():
+            logger.debug("No requirements.txt found, skipping Safety")
+            return []
+
+        result = self.runner.run(
+            ["safety", "check", "--file", str(requirements_file), "--json"],
+            timeout=QUALITY_CHECK_LONG_TIMEOUT,
+        )
+
+        if result.success and result.stdout:
+            try:
+                # Safety may prefix JSON with deprecation warnings, so find the first JSON marker
+                json_start = min(
+                    (
+                        pos
+                        for pos in [result.stdout.find("{"), result.stdout.find("[")]
+                        if pos != -1
+                    ),
+                    default=-1,
+                )
+                if json_start != -1:
+                    return json.loads(result.stdout[json_start:])  # type: ignore[no-any-return]
+                return json.loads(result.stdout)  # type: ignore[no-any-return]
+            except json.JSONDecodeError as e:
+                logger.warning(f"Failed to parse safety output: {e}")
+                logger.debug(f"Safety output: {result.stdout[:200]}")
+
+        return []
+
+    def _scan_javascript(self) -> dict[str, Any]:
+        """Run JavaScript/TypeScript security scans (npm audit)."""
+        results: dict[str, Any] = {"vulnerabilities": [], "by_severity": {}}
+
+        package_json = self.project_root / "package.json"
+        if not package_json.exists():
+            logger.debug("No package.json found, skipping npm audit")
+            return results
+
+        audit_result = self.runner.run(
+            ["npm", "audit", "--json"], timeout=QUALITY_CHECK_LONG_TIMEOUT
+        )
+
+        if audit_result.success and audit_result.stdout:
+            try:
+                audit_data = json.loads(audit_result.stdout)
+                results["npm_audit"] = audit_data
+
+                # Count by severity
+                for vuln in audit_data.get("vulnerabilities", {}).values():
+                    severity = vuln.get("severity", "low").upper()
+                    results["by_severity"][severity] = results["by_severity"].get(severity, 0) + 1
+
+            except json.JSONDecodeError:
+                logger.warning("Failed to parse npm audit output")
+
+        return results

solokit/quality/checkers/spec_completeness.py

@@ -0,0 +1,127 @@
+#!/usr/bin/env python3
+"""
+Specification completeness checker.
+
+Validates that work item specification files are complete and properly formatted.
+"""
+
+from __future__ import annotations
+
+import time
+from pathlib import Path
+from typing import Any, Union, cast
+
+from solokit.core.exceptions import (
+    FileNotFoundError as SolokitFileNotFoundError,
+)
+from solokit.core.exceptions import SpecValidationError
+from solokit.core.logging_config import get_logger
+from solokit.quality.checkers.base import CheckResult, QualityChecker
+from solokit.work_items.spec_validator import validate_spec_file
+
+logger = get_logger(__name__)
+
+
+class SpecCompletenessChecker(QualityChecker):
+    """Specification file completeness validation."""
+
+    def __init__(
+        self,
+        config: dict[str, Any],
+        project_root: Path | None = None,
+        work_item: dict[str, Any] | None = None,
+    ):
+        """Initialize spec completeness checker.
+
+        Args:
+            config: Spec completeness configuration
+            project_root: Project root directory
+            work_item: Work item dictionary with 'id' and 'type' fields
+        """
+        super().__init__(config, project_root)
+        self.work_item = work_item or {}
+
+    def name(self) -> str:
+        """Return checker name."""
+        return "spec_completeness"
+
+    def is_enabled(self) -> bool:
+        """Check if spec completeness validation is enabled."""
+        return bool(self.config.get("enabled", True))
+
+    def run(self) -> CheckResult:
+        """Run spec completeness validation."""
+        start_time = time.time()
+
+        if not self.is_enabled():
+            return self._create_skipped_result()
+
+        work_item_id = self.work_item.get("id")
+        work_item_type = self.work_item.get("type")
+
+        if not work_item_id or not work_item_type:
+            execution_time = time.time() - start_time
+            return CheckResult(
+                checker_name=self.name(),
+                passed=False,
+                status="failed",
+                errors=[{"message": "Work item missing 'id' or 'type' field"}],
+                warnings=[],
+                info={},
+                execution_time=execution_time,
+            )
+
+        logger.info(f"Validating spec file for work item: {work_item_id}")
+
+        # Validate spec file
+        try:
+            validate_spec_file(work_item_id, work_item_type)
+            execution_time = time.time() - start_time
+            return CheckResult(
+                checker_name=self.name(),
+                passed=True,
+                status="passed",
+                errors=[],
+                warnings=[],
+                info={"message": f"Spec file for '{work_item_id}' is complete"},
+                execution_time=execution_time,
+            )
+        except SpecValidationError as e:
+            execution_time = time.time() - start_time
+            validation_errors = e.context.get("validation_errors", [])
+            errors = [{"message": error} for error in validation_errors]
+            return CheckResult(
+                checker_name=self.name(),
+                passed=False,
+                status="failed",
+                errors=cast(list[Union[dict[str, Any], str]], errors),
+                warnings=[],
+                info={
+                    "message": f"Spec file for '{work_item_id}' is incomplete",
+                    "suggestion": e.remediation
+                    or f"Edit .session/specs/{work_item_id}.md to add missing sections",
+                },
+                execution_time=execution_time,
+            )
+        except SolokitFileNotFoundError as e:
+            execution_time = time.time() - start_time
+            return CheckResult(
+                checker_name=self.name(),
+                passed=False,
+                status="failed",
+                errors=[{"message": e.message}],
+                warnings=[],
+                info={"suggestion": e.remediation},
+                execution_time=execution_time,
+            )
+        except (OSError, ValueError) as e:
+            execution_time = time.time() - start_time
+            return CheckResult(
+                checker_name=self.name(),
+                passed=False,
+                status="failed",
+                errors=[{"message": f"Error validating spec file: {str(e)}"}],
+                warnings=[],
+                info={"suggestion": "Check spec file format and validator configuration"},
+                execution_time=execution_time,
+            )

solokit/quality/checkers/tests.py

@@ -0,0 +1,184 @@
+#!/usr/bin/env python3
+"""
+Test execution and coverage checker.
+
+Runs tests using pytest, Jest, or other test frameworks and validates coverage.
+"""
+
+from __future__ import annotations
+
+import json
+import time
+from pathlib import Path
+from typing import Any, Union, cast
+
+from solokit.core.command_runner import CommandRunner
+from solokit.core.constants import TEST_RUNNER_TIMEOUT
+from solokit.core.logging_config import get_logger
+from solokit.quality.checkers.base import CheckResult, QualityChecker
+
+logger = get_logger(__name__)
+
+
+class ExecutionChecker(QualityChecker):
+    """Test execution and coverage validation."""
+
+    def __init__(
+        self,
+        config: dict[str, Any],
+        project_root: Path | None = None,
+        language: str | None = None,
+        runner: CommandRunner | None = None,
+    ):
+        """Initialize test runner.
+
+        Args:
+            config: Test execution configuration
+            project_root: Project root directory
+            language: Programming language (python, javascript, typescript)
+            runner: Optional CommandRunner instance (for testing)
+        """
+        super().__init__(config, project_root)
+        self.runner = (
+            runner if runner is not None else CommandRunner(default_timeout=TEST_RUNNER_TIMEOUT)
+        )
+        self.language = language or self._detect_language()
+
+    def name(self) -> str:
+        """Return checker name."""
+        return "tests"
+
+    def is_enabled(self) -> bool:
+        """Check if test execution is enabled."""
+        return bool(self.config.get("enabled", True))
+
+    def _detect_language(self) -> str:
+        """Detect primary project language."""
+        if (self.project_root / "pyproject.toml").exists() or (
+            self.project_root / "setup.py"
+        ).exists():
+            return "python"
+        elif (self.project_root / "package.json").exists():
+            if (self.project_root / "tsconfig.json").exists():
+                return "typescript"
+            return "javascript"
+        return "python"  # default
+
+    def run(self) -> CheckResult:
+        """Run test suite with coverage."""
+        start_time = time.time()
+
+        if not self.is_enabled():
+            return self._create_skipped_result()
+
+        logger.info(f"Running tests for {self.language}")
+
+        # Get test command for language
+        commands = self.config.get("commands", {})
+        command = commands.get(self.language)
+        if not command:
+            logger.warning(f"No test command configured for language: {self.language}")
+            return self._create_skipped_result(reason=f"no command for {self.language}")
+
+        # Run tests
+        result = self.runner.run(command.split(), timeout=TEST_RUNNER_TIMEOUT)
+
+        # pytest exit codes:
+        # 0 = all tests passed
+        # 1 = tests were collected and run but some failed
+        # 2 = test execution was interrupted
+        # 3 = internal error
+        # 4 = pytest command line usage error
+        # 5 = no tests were collected
+
+        if result.timed_out:
+            execution_time = time.time() - start_time
+            return CheckResult(
+                checker_name=self.name(),
+                passed=False,
+                status="failed",
+                errors=[{"message": "Test execution timed out"}],
+                warnings=[],
+                info={"reason": "timeout"},
+                execution_time=execution_time,
+            )
+
+        # Command not found (test tool not available)
+        if result.returncode == -1 and "not found" in result.stderr.lower():
+            return self._create_skipped_result(reason=f"{command.split()[0]} not available")
+
+        # Treat "no tests collected" (exit code 5) as skipped, not failed
+        if result.returncode == 5:
+            execution_time = time.time() - start_time
+            return CheckResult(
+                checker_name=self.name(),
+                passed=True,
+                status="skipped",
+                errors=[],
+                warnings=[],
+                info={"reason": "no tests collected", "returncode": result.returncode},
+                execution_time=execution_time,
+            )
+
+        # Parse coverage
+        coverage = self._parse_coverage()
+        passed = result.returncode == 0
+
+        # Check coverage threshold
+        threshold = self.config.get("coverage_threshold", 80)
+        if coverage is not None and coverage < threshold:
+            passed = False
+
+        execution_time = time.time() - start_time
+
+        errors = []
+        if result.returncode != 0:
+            errors.append(
+                {
+                    "message": f"Tests failed with exit code {result.returncode}",
+                    "output": (result.stderr[:500] if result.stderr else ""),  # Limit output
+                }
+            )
+
+        if coverage is not None and coverage < threshold:
+            errors.append({"message": f"Coverage {coverage}% below threshold {threshold}%"})
+
+        return CheckResult(
+            checker_name=self.name(),
+            passed=passed,
+            status="passed" if passed else "failed",
+            errors=cast(list[Union[dict[str, Any], str]], errors),
+            warnings=[],
+            info={
+                "coverage": coverage,
+                "threshold": threshold,
+                "returncode": result.returncode,
+                "output": result.stdout[:1000] if result.stdout else "",  # Limit output
+            },
+            execution_time=execution_time,
+        )
+
+    def _parse_coverage(self) -> float | None:
+        """Parse coverage from test results."""
+        try:
+            if self.language == "python":
+                coverage_file = self.project_root / "coverage.json"
+                if coverage_file.exists():
+                    with open(coverage_file) as f:
+                        data = json.load(f)
+                    return data.get("totals", {}).get("percent_covered", 0)  # type: ignore[no-any-return]
+
+            elif self.language in ["javascript", "typescript"]:
+                coverage_file = self.project_root / "coverage" / "coverage-summary.json"
+                if coverage_file.exists():
+                    with open(coverage_file) as f:
+                        data = json.load(f)
+                    return data.get("total", {}).get("lines", {}).get("pct", 0)  # type: ignore[no-any-return]
+
+            return None
+        except OSError as e:
+            logger.debug(f"Failed to read coverage file: {e}")
+            return None
+        except json.JSONDecodeError as e:
+            logger.debug(f"Failed to parse coverage file: {e}")
+            return None