traceforge-toolkit 0.1.0__py3-none-any.whl
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- traceforge/__init__.py +72 -0
- traceforge/__main__.py +5 -0
- traceforge/_generated.py +254 -0
- traceforge/adapters/__init__.py +12 -0
- traceforge/adapters/base.py +82 -0
- traceforge/adapters/genai_otel.py +164 -0
- traceforge/adapters/mapped_json.py +297 -0
- traceforge/adapters/otel.py +220 -0
- traceforge/boundary/__init__.py +46 -0
- traceforge/boundary/data/boundary-model.joblib +0 -0
- traceforge/boundary/decode.py +87 -0
- traceforge/boundary/features.py +137 -0
- traceforge/boundary/inference.py +267 -0
- traceforge/boundary/inferencer.py +146 -0
- traceforge/classify/__init__.py +95 -0
- traceforge/classify/cmd.py +109 -0
- traceforge/classify/coding.py +213 -0
- traceforge/classify/config.py +554 -0
- traceforge/classify/core.py +266 -0
- traceforge/classify/data/binary_info.yaml +358 -0
- traceforge/classify/data/canonical_tools.yaml +251 -0
- traceforge/classify/data/effect_overrides.yaml +480 -0
- traceforge/classify/data/mcp_profiles.yaml +711 -0
- traceforge/classify/data/recommendation_rules.yaml +111 -0
- traceforge/classify/data/risk.yaml +534 -0
- traceforge/classify/data/shell_defaults.yaml +95 -0
- traceforge/classify/data/shell_rules.yaml +1192 -0
- traceforge/classify/data/tool_classifications.yaml +215 -0
- traceforge/classify/data/verb_inference.yaml +218 -0
- traceforge/classify/mcp.py +181 -0
- traceforge/classify/phases.py +75 -0
- traceforge/classify/powershell.py +93 -0
- traceforge/classify/registry.py +138 -0
- traceforge/classify/risk.py +553 -0
- traceforge/classify/rules.py +215 -0
- traceforge/classify/schema.yaml +282 -0
- traceforge/classify/shell.py +503 -0
- traceforge/classify/tools.py +91 -0
- traceforge/classify/workflow.py +32 -0
- traceforge/cli/__init__.py +42 -0
- traceforge/cli/config_cmd.py +130 -0
- traceforge/cli/detect.py +46 -0
- traceforge/cli/download_cmd.py +74 -0
- traceforge/cli/factory.py +60 -0
- traceforge/cli/gate_cmd.py +30 -0
- traceforge/cli/init_cmd.py +86 -0
- traceforge/cli/replay.py +130 -0
- traceforge/cli/runner.py +181 -0
- traceforge/cli/score.py +217 -0
- traceforge/cli/status.py +65 -0
- traceforge/cli/watch.py +297 -0
- traceforge/config/__init__.py +80 -0
- traceforge/config/defaults.py +149 -0
- traceforge/config/loader.py +239 -0
- traceforge/config/mappings.py +104 -0
- traceforge/config/models.py +579 -0
- traceforge/enricher.py +576 -0
- traceforge/formatting/__init__.py +12 -0
- traceforge/formatting/budget.py +92 -0
- traceforge/formatting/density.py +154 -0
- traceforge/gate/__init__.py +17 -0
- traceforge/gate/client.py +145 -0
- traceforge/gate/external.py +305 -0
- traceforge/gate/registry.py +108 -0
- traceforge/gate/server.py +174 -0
- traceforge/gates/__init__.py +8 -0
- traceforge/gates/pii.py +352 -0
- traceforge/gates/pii_patterns.yaml +228 -0
- traceforge/governance/__init__.py +121 -0
- traceforge/governance/assessor.py +441 -0
- traceforge/governance/budget.py +59 -0
- traceforge/governance/canonical.py +56 -0
- traceforge/governance/codec.py +414 -0
- traceforge/governance/context.py +249 -0
- traceforge/governance/drift.py +196 -0
- traceforge/governance/emitter.py +234 -0
- traceforge/governance/envelope.py +138 -0
- traceforge/governance/ifc.py +364 -0
- traceforge/governance/integrity.py +162 -0
- traceforge/governance/labeler.py +250 -0
- traceforge/governance/mcp_drift.py +328 -0
- traceforge/governance/monitor.py +539 -0
- traceforge/governance/observer.py +276 -0
- traceforge/governance/persistence.py +401 -0
- traceforge/governance/phase1.py +77 -0
- traceforge/governance/pii.py +276 -0
- traceforge/governance/pipeline.py +840 -0
- traceforge/governance/registry.py +110 -0
- traceforge/governance/results.py +183 -0
- traceforge/governance/risk_wrapper.py +113 -0
- traceforge/governance/rules.py +368 -0
- traceforge/governance/scorer.py +262 -0
- traceforge/governance/shield.py +318 -0
- traceforge/governance/state.py +466 -0
- traceforge/governance/types.py +176 -0
- traceforge/mappings/__init__.py +1 -0
- traceforge/mappings/aider.yaml +216 -0
- traceforge/mappings/aider_markdown.yaml +113 -0
- traceforge/mappings/amazonq.yaml +56 -0
- traceforge/mappings/antigravity.yaml +88 -0
- traceforge/mappings/claude.yaml +93 -0
- traceforge/mappings/cline.yaml +286 -0
- traceforge/mappings/codex.yaml +158 -0
- traceforge/mappings/continue_dev.yaml +57 -0
- traceforge/mappings/copilot.yaml +266 -0
- traceforge/mappings/copilot_markdown.yaml +72 -0
- traceforge/mappings/copilot_vscode.yaml +181 -0
- traceforge/mappings/crewai.yaml +592 -0
- traceforge/mappings/goose.yaml +128 -0
- traceforge/mappings/langgraph.yaml +165 -0
- traceforge/mappings/maf.yaml +90 -0
- traceforge/mappings/maf_transcript.yaml +99 -0
- traceforge/mappings/openai_agents.yaml +144 -0
- traceforge/mappings/opencode.yaml +473 -0
- traceforge/mappings/openhands.yaml +320 -0
- traceforge/mappings/pydantic_ai.yaml +183 -0
- traceforge/mappings/smolagents.yaml +89 -0
- traceforge/mappings/sweagent.yaml +82 -0
- traceforge/migrations/__init__.py +1 -0
- traceforge/migrations/env.py +60 -0
- traceforge/migrations/models.py +145 -0
- traceforge/migrations/runner.py +44 -0
- traceforge/migrations/script.py.mako +25 -0
- traceforge/migrations/versions/0001_initial.py +176 -0
- traceforge/migrations/versions/__init__.py +4 -0
- traceforge/models.py +29 -0
- traceforge/parsers/__init__.py +21 -0
- traceforge/parsers/aider.py +416 -0
- traceforge/parsers/base.py +226 -0
- traceforge/parsers/copilot.py +314 -0
- traceforge/phase/__init__.py +50 -0
- traceforge/phase/data/phase-model.joblib +0 -0
- traceforge/phase/data/potion-base-8M/README.md +99 -0
- traceforge/phase/data/potion-base-8M/config.json +13 -0
- traceforge/phase/data/potion-base-8M/model.safetensors +0 -0
- traceforge/phase/data/potion-base-8M/modules.json +14 -0
- traceforge/phase/data/potion-base-8M/tokenizer.json +1 -0
- traceforge/phase/event_rows.py +107 -0
- traceforge/phase/features.py +468 -0
- traceforge/phase/inference.py +279 -0
- traceforge/phase/inferencer.py +171 -0
- traceforge/phase/segmentation.py +258 -0
- traceforge/pipeline.py +891 -0
- traceforge/preprocessors/__init__.py +34 -0
- traceforge/preprocessors/amazonq.py +224 -0
- traceforge/preprocessors/antigravity.py +116 -0
- traceforge/preprocessors/claude.py +95 -0
- traceforge/preprocessors/cline.py +36 -0
- traceforge/preprocessors/codex.py +311 -0
- traceforge/preprocessors/continue_dev.py +119 -0
- traceforge/preprocessors/copilot_vscode.py +171 -0
- traceforge/preprocessors/goose.py +156 -0
- traceforge/preprocessors/maf_transcript.py +84 -0
- traceforge/preprocessors/openai_agents.py +86 -0
- traceforge/preprocessors/opencode.py +85 -0
- traceforge/preprocessors/openhands.py +36 -0
- traceforge/preprocessors/pydantic_ai.py +62 -0
- traceforge/preprocessors/registry.py +24 -0
- traceforge/preprocessors/smolagents.py +90 -0
- traceforge/py.typed +0 -0
- traceforge/sdk/__init__.py +59 -0
- traceforge/sdk/gate_policy.py +63 -0
- traceforge/sdk/gate_types.py +140 -0
- traceforge/sdk/pipeline.py +265 -0
- traceforge/sdk/verdict.py +81 -0
- traceforge/sinks/__init__.py +23 -0
- traceforge/sinks/base.py +95 -0
- traceforge/sinks/callback.py +132 -0
- traceforge/sinks/console.py +112 -0
- traceforge/sinks/factory.py +94 -0
- traceforge/sinks/jsonl.py +125 -0
- traceforge/sinks/otel_exporter.py +212 -0
- traceforge/sinks/parquet.py +260 -0
- traceforge/sinks/s3.py +206 -0
- traceforge/sinks/sqlite_output.py +234 -0
- traceforge/sinks/webhook.py +136 -0
- traceforge/sources/__init__.py +18 -0
- traceforge/sources/auto_detect.py +173 -0
- traceforge/sources/base.py +45 -0
- traceforge/sources/file_poll.py +136 -0
- traceforge/sources/file_watch.py +221 -0
- traceforge/sources/http_poll.py +141 -0
- traceforge/sources/replay.py +63 -0
- traceforge/sources/sqlite.py +187 -0
- traceforge/sources/sse.py +198 -0
- traceforge/telemetry/__init__.py +192 -0
- traceforge/title/__init__.py +23 -0
- traceforge/title/_resolve.py +79 -0
- traceforge/title/context.py +295 -0
- traceforge/title/data/boilerplate_files.json +14 -0
- traceforge/title/heuristics.py +429 -0
- traceforge/title/hygiene.py +90 -0
- traceforge/title/inference.py +314 -0
- traceforge/title/inferencer.py +477 -0
- traceforge/title/naming.py +398 -0
- traceforge/trace.py +291 -0
- traceforge/tracking/__init__.py +30 -0
- traceforge/tracking/models.py +115 -0
- traceforge/tracking/phase_tracker.py +288 -0
- traceforge/types.py +315 -0
- traceforge_toolkit-0.1.0.dist-info/METADATA +188 -0
- traceforge_toolkit-0.1.0.dist-info/RECORD +205 -0
- traceforge_toolkit-0.1.0.dist-info/WHEEL +4 -0
- traceforge_toolkit-0.1.0.dist-info/entry_points.txt +2 -0
- traceforge_toolkit-0.1.0.dist-info/licenses/LICENSE +21 -0
|
@@ -0,0 +1,228 @@
|
|
|
1
|
+
# PII detection patterns — extracted from Microsoft Presidio recognizers.
|
|
2
|
+
# Pure regex, no NLP dependency. Patterns tested against Presidio's own test suites.
|
|
3
|
+
#
|
|
4
|
+
# Structure:
|
|
5
|
+
# entity_type: The PII category name
|
|
6
|
+
# patterns: list of {regex, score, name}
|
|
7
|
+
# - regex: Python re pattern (IGNORECASE applied globally)
|
|
8
|
+
# - score: 0.0-1.0 confidence (higher = fewer false positives)
|
|
9
|
+
# - name: human label for the pattern variant
|
|
10
|
+
# context: list of nearby words that boost confidence (+0.15)
|
|
11
|
+
# validator: optional Python function name for checksum validation (→ score 1.0)
|
|
12
|
+
# critical: if true, presence triggers SUPPRESS instead of REDACT
|
|
13
|
+
|
|
14
|
+
version: "pii-v1"
|
|
15
|
+
|
|
16
|
+
# ═══════════════════════════════════════════════════════════════════════════════
|
|
17
|
+
# Credit Cards — Luhn-validated
|
|
18
|
+
# Source: presidio-analyzer/predefined_recognizers/credit_card_recognizer.py
|
|
19
|
+
# ═══════════════════════════════════════════════════════════════════════════════
|
|
20
|
+
entities:
|
|
21
|
+
- entity_type: CREDIT_CARD
|
|
22
|
+
critical: true
|
|
23
|
+
context: [credit, card, visa, mastercard, amex, discover, diners, jcb, maestro, payment]
|
|
24
|
+
validator: luhn
|
|
25
|
+
patterns:
|
|
26
|
+
- name: visa
|
|
27
|
+
regex: '\b4\d{3}[\s\-]?\d{4}[\s\-]?\d{4}[\s\-]?\d{4}\b'
|
|
28
|
+
score: 0.5
|
|
29
|
+
- name: mastercard
|
|
30
|
+
regex: '\b5[1-5]\d{2}[\s\-]?\d{4}[\s\-]?\d{4}[\s\-]?\d{4}\b'
|
|
31
|
+
score: 0.5
|
|
32
|
+
- name: amex
|
|
33
|
+
regex: '\b3[47]\d{2}[\s\-]?\d{6}[\s\-]?\d{5}\b'
|
|
34
|
+
score: 0.5
|
|
35
|
+
- name: discover
|
|
36
|
+
regex: '\b6(?:011|5\d{2})[\s\-]?\d{4}[\s\-]?\d{4}[\s\-]?\d{4}\b'
|
|
37
|
+
score: 0.5
|
|
38
|
+
- name: generic_16
|
|
39
|
+
regex: '\b\d{4}[\s\-]?\d{4}[\s\-]?\d{4}[\s\-]?\d{4}\b'
|
|
40
|
+
score: 0.3
|
|
41
|
+
|
|
42
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
43
|
+
# US Social Security Numbers
|
|
44
|
+
# Source: presidio-analyzer/predefined_recognizers/us_ssn_recognizer.py
|
|
45
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
46
|
+
- entity_type: US_SSN
|
|
47
|
+
critical: true
|
|
48
|
+
context: [social, security, ssn, ss#, "social security", taxpayer, tin]
|
|
49
|
+
patterns:
|
|
50
|
+
- name: ssn_dashes
|
|
51
|
+
regex: '\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b'
|
|
52
|
+
score: 0.85
|
|
53
|
+
- name: ssn_no_dashes
|
|
54
|
+
regex: '\b(?!000|666|9\d{2})\d{3}(?!00)\d{2}(?!0000)\d{4}\b'
|
|
55
|
+
score: 0.3
|
|
56
|
+
|
|
57
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
58
|
+
# Email Addresses
|
|
59
|
+
# Source: presidio-analyzer/predefined_recognizers/email_recognizer.py
|
|
60
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
61
|
+
- entity_type: EMAIL_ADDRESS
|
|
62
|
+
critical: false
|
|
63
|
+
context: [email, mail, e-mail, address, contact, send, to, from, cc, bcc]
|
|
64
|
+
patterns:
|
|
65
|
+
- name: email
|
|
66
|
+
regex: '\b[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}\b'
|
|
67
|
+
score: 0.85
|
|
68
|
+
|
|
69
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
70
|
+
# Phone Numbers (international)
|
|
71
|
+
# Source: presidio-analyzer/predefined_recognizers/phone_recognizer.py
|
|
72
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
73
|
+
- entity_type: PHONE_NUMBER
|
|
74
|
+
critical: false
|
|
75
|
+
context: [phone, call, tel, telephone, mobile, cell, fax, contact, dial, number]
|
|
76
|
+
patterns:
|
|
77
|
+
- name: us_phone
|
|
78
|
+
regex: '(?:\+?1[\s\-.]?)?\(?\d{3}\)?[\s\-.]?\d{3}[\s\-.]?\d{4}\b'
|
|
79
|
+
score: 0.4
|
|
80
|
+
- name: intl_phone
|
|
81
|
+
regex: '\+\d{1,3}[\s\-.]?\d{1,4}[\s\-.]?\d{2,4}[\s\-.]?\d{2,4}(?:[\s\-.]?\d{2,4})?'
|
|
82
|
+
score: 0.4
|
|
83
|
+
|
|
84
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
85
|
+
# IP Addresses
|
|
86
|
+
# Source: presidio-analyzer/predefined_recognizers/ip_recognizer.py
|
|
87
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
88
|
+
- entity_type: IP_ADDRESS
|
|
89
|
+
critical: false
|
|
90
|
+
context: [ip, address, host, server, network, subnet, dns, proxy]
|
|
91
|
+
patterns:
|
|
92
|
+
- name: ipv4
|
|
93
|
+
regex: '\b(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\b'
|
|
94
|
+
score: 0.6
|
|
95
|
+
- name: ipv6
|
|
96
|
+
regex: '\b(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}\b'
|
|
97
|
+
score: 0.6
|
|
98
|
+
|
|
99
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
100
|
+
# IBAN (International Bank Account Number)
|
|
101
|
+
# Source: presidio-analyzer/predefined_recognizers/iban_recognizer.py
|
|
102
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
103
|
+
- entity_type: IBAN_CODE
|
|
104
|
+
critical: true
|
|
105
|
+
context: [iban, bank, account, transfer, swift, bic, wire, payment]
|
|
106
|
+
validator: iban
|
|
107
|
+
patterns:
|
|
108
|
+
- name: iban_generic
|
|
109
|
+
regex: '\b[A-Z]{2}\d{2}[\s]?[\dA-Z]{4}[\s]?(?:[\dA-Z]{4}[\s]?){1,7}[\dA-Z]{1,4}\b'
|
|
110
|
+
score: 0.5
|
|
111
|
+
|
|
112
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
113
|
+
# US Passport
|
|
114
|
+
# Source: presidio-analyzer/predefined_recognizers/us_passport_recognizer.py
|
|
115
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
116
|
+
- entity_type: US_PASSPORT
|
|
117
|
+
critical: true
|
|
118
|
+
context: [passport, travel, document, us passport, state department]
|
|
119
|
+
patterns:
|
|
120
|
+
- name: us_passport
|
|
121
|
+
regex: '\b[A-Z]?\d{8,9}\b'
|
|
122
|
+
score: 0.1 # Very weak without context — lots of 8-9 digit numbers
|
|
123
|
+
|
|
124
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
125
|
+
# US Bank Account / Routing Numbers
|
|
126
|
+
# Source: presidio-analyzer/predefined_recognizers/us_bank_recognizer.py
|
|
127
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
128
|
+
- entity_type: US_BANK_NUMBER
|
|
129
|
+
critical: true
|
|
130
|
+
context: [bank, account, routing, aba, checking, savings, wire, ach]
|
|
131
|
+
patterns:
|
|
132
|
+
- name: us_routing
|
|
133
|
+
regex: '\b\d{9}\b'
|
|
134
|
+
score: 0.05 # Very weak alone — 9-digit numbers are everywhere
|
|
135
|
+
|
|
136
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
137
|
+
# Cryptocurrency Addresses
|
|
138
|
+
# Source: presidio-analyzer/predefined_recognizers/crypto_recognizer.py
|
|
139
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
140
|
+
- entity_type: CRYPTO
|
|
141
|
+
critical: false
|
|
142
|
+
context: [bitcoin, btc, eth, ethereum, wallet, crypto, blockchain, address]
|
|
143
|
+
patterns:
|
|
144
|
+
- name: btc_p2pkh
|
|
145
|
+
regex: '\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b'
|
|
146
|
+
score: 0.5
|
|
147
|
+
- name: btc_bech32
|
|
148
|
+
regex: '\bbc1[a-z0-9]{39,59}\b'
|
|
149
|
+
score: 0.7
|
|
150
|
+
- name: eth
|
|
151
|
+
regex: '\b0x[0-9a-fA-F]{40}\b'
|
|
152
|
+
score: 0.7
|
|
153
|
+
|
|
154
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
155
|
+
# API Keys / Secrets (traceforge addition — not in Presidio)
|
|
156
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
157
|
+
- entity_type: API_KEY
|
|
158
|
+
critical: true
|
|
159
|
+
context: [key, token, secret, api, bearer, authorization, auth, credential, password]
|
|
160
|
+
patterns:
|
|
161
|
+
- name: openai_key
|
|
162
|
+
regex: '\bsk-[A-Za-z0-9]{20,}\b'
|
|
163
|
+
score: 0.9
|
|
164
|
+
- name: github_pat
|
|
165
|
+
regex: '\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36,}\b'
|
|
166
|
+
score: 0.95
|
|
167
|
+
- name: aws_access_key
|
|
168
|
+
regex: '\bAKIA[0-9A-Z]{16}\b'
|
|
169
|
+
score: 0.95
|
|
170
|
+
- name: aws_secret_key
|
|
171
|
+
regex: '\b[A-Za-z0-9/+=]{40}\b'
|
|
172
|
+
score: 0.1 # Very weak — needs context
|
|
173
|
+
- name: azure_key
|
|
174
|
+
regex: '\b[A-Za-z0-9+/]{86}==\b'
|
|
175
|
+
score: 0.6
|
|
176
|
+
- name: generic_bearer
|
|
177
|
+
regex: '\b(?:Bearer|token)\s+[A-Za-z0-9\-._~+/]+=*\b'
|
|
178
|
+
score: 0.4
|
|
179
|
+
- name: slack_token
|
|
180
|
+
regex: '\bxox[baprs]-[0-9a-zA-Z\-]{10,}\b'
|
|
181
|
+
score: 0.9
|
|
182
|
+
- name: stripe_key
|
|
183
|
+
regex: '\b(?:sk|pk)_(?:live|test)_[A-Za-z0-9]{20,}\b'
|
|
184
|
+
score: 0.95
|
|
185
|
+
|
|
186
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
187
|
+
# URLs (for detecting leaked internal URLs)
|
|
188
|
+
# Source: presidio-analyzer/predefined_recognizers/url_recognizer.py
|
|
189
|
+
# ═══════════════════════════════════════════════════════════════════════════
|
|
190
|
+
- entity_type: URL
|
|
191
|
+
critical: false
|
|
192
|
+
context: [url, link, endpoint, webhook, redirect, href, src]
|
|
193
|
+
patterns:
|
|
194
|
+
- name: url_http
|
|
195
|
+
regex: '\bhttps?://[^\s<>\"\'']{3,}\b'
|
|
196
|
+
score: 0.5
|
|
197
|
+
|
|
198
|
+
# ═══════════════════════════════════════════════════════════════════════════════
|
|
199
|
+
# Allow list — values that match PII patterns but should never be flagged
|
|
200
|
+
# ═══════════════════════════════════════════════════════════════════════════════
|
|
201
|
+
default_allow_list:
|
|
202
|
+
- "127.0.0.1"
|
|
203
|
+
- "0.0.0.0"
|
|
204
|
+
- "localhost"
|
|
205
|
+
- "::1"
|
|
206
|
+
- "255.255.255.255"
|
|
207
|
+
- "192.168.0.0"
|
|
208
|
+
- "10.0.0.0"
|
|
209
|
+
- "172.16.0.0"
|
|
210
|
+
- "example.com"
|
|
211
|
+
- "test@example.com"
|
|
212
|
+
- "noreply@github.com"
|
|
213
|
+
- "0000-0000-0000-0000"
|
|
214
|
+
|
|
215
|
+
# ═══════════════════════════════════════════════════════════════════════════════
|
|
216
|
+
# Context boost — how much nearby context words increase confidence
|
|
217
|
+
# ═══════════════════════════════════════════════════════════════════════════════
|
|
218
|
+
context_boost: 0.25
|
|
219
|
+
context_window: 50 # characters to look around the match for context words
|
|
220
|
+
|
|
221
|
+
# ═══════════════════════════════════════════════════════════════════════════════
|
|
222
|
+
# Score thresholds for gating decisions
|
|
223
|
+
# ═══════════════════════════════════════════════════════════════════════════════
|
|
224
|
+
thresholds:
|
|
225
|
+
# Minimum score to consider a match a true finding
|
|
226
|
+
detection: 0.4
|
|
227
|
+
# Minimum score for redaction (below this, no action taken)
|
|
228
|
+
redaction: 0.5
|
|
@@ -0,0 +1,121 @@
|
|
|
1
|
+
"""Governance extensions — enrichment pipeline, labeling, and persistence."""
|
|
2
|
+
|
|
3
|
+
from traceforge.governance.types import (
|
|
4
|
+
CommandAnalysis,
|
|
5
|
+
EnrichmentContext,
|
|
6
|
+
PipeSegment,
|
|
7
|
+
SessionEvent,
|
|
8
|
+
ToolCallEvent,
|
|
9
|
+
ToolResultEvent,
|
|
10
|
+
compute_source_event_key,
|
|
11
|
+
)
|
|
12
|
+
from traceforge.governance.state import (
|
|
13
|
+
BudgetSnapshot,
|
|
14
|
+
SessionState,
|
|
15
|
+
SessionStateSnapshot,
|
|
16
|
+
TaintEntry,
|
|
17
|
+
)
|
|
18
|
+
from traceforge.governance.persistence import SystemStore
|
|
19
|
+
from traceforge.governance.labeler import GovernanceLabeler, GovernanceResult
|
|
20
|
+
from traceforge.governance.results import (
|
|
21
|
+
Evidence,
|
|
22
|
+
EvidencePointer,
|
|
23
|
+
EscalationContext,
|
|
24
|
+
Phase3Result,
|
|
25
|
+
RecommendedAction,
|
|
26
|
+
RecommendationResult,
|
|
27
|
+
RiskRecommendation,
|
|
28
|
+
SessionMeta,
|
|
29
|
+
TransformSuggestion,
|
|
30
|
+
)
|
|
31
|
+
from traceforge.governance.pipeline import GovernancePipeline
|
|
32
|
+
from traceforge.governance.rules import (
|
|
33
|
+
Predicate,
|
|
34
|
+
Rule,
|
|
35
|
+
RuleMatch,
|
|
36
|
+
RecommendationTemplate,
|
|
37
|
+
evaluate_rules,
|
|
38
|
+
parse_rules,
|
|
39
|
+
)
|
|
40
|
+
from traceforge.governance.risk_wrapper import RiskModifiers, assess_governance_risk
|
|
41
|
+
from traceforge.governance.canonical import compute_canonical_hash
|
|
42
|
+
from traceforge.governance.pii import PIIScanner
|
|
43
|
+
from traceforge.governance.ifc import IFCChecker, SCOPE_TO_LABEL, PATH_LABEL_RULES
|
|
44
|
+
from traceforge.governance.integrity import IntegrityVerifier
|
|
45
|
+
from traceforge.governance.mcp_drift import MCPIntegrityScanner, MCPIntegrityAlert, MCPToolProfile
|
|
46
|
+
from traceforge.governance.drift import DriftDetector, DriftAssessment
|
|
47
|
+
from traceforge.governance.budget import BudgetThresholds, BudgetTracker
|
|
48
|
+
from traceforge.governance.envelope import ContextGapEvent, EnrichedEvent
|
|
49
|
+
from traceforge.governance.emitter import EnrichedEmitter
|
|
50
|
+
from traceforge.governance.observer import (
|
|
51
|
+
AgentContext,
|
|
52
|
+
GovernanceObserver,
|
|
53
|
+
TraceforgeObserver,
|
|
54
|
+
create_observer,
|
|
55
|
+
)
|
|
56
|
+
|
|
57
|
+
__all__ = [
|
|
58
|
+
# Types
|
|
59
|
+
"CommandAnalysis",
|
|
60
|
+
"EnrichmentContext",
|
|
61
|
+
"PipeSegment",
|
|
62
|
+
"SessionEvent",
|
|
63
|
+
"ToolCallEvent",
|
|
64
|
+
"ToolResultEvent",
|
|
65
|
+
"compute_source_event_key",
|
|
66
|
+
# State
|
|
67
|
+
"BudgetSnapshot",
|
|
68
|
+
"SessionState",
|
|
69
|
+
"SessionStateSnapshot",
|
|
70
|
+
"TaintEntry",
|
|
71
|
+
# Persistence
|
|
72
|
+
"SystemStore",
|
|
73
|
+
# Labeler
|
|
74
|
+
"GovernanceLabeler",
|
|
75
|
+
"GovernanceResult",
|
|
76
|
+
# Pipeline
|
|
77
|
+
"Evidence",
|
|
78
|
+
"EvidencePointer",
|
|
79
|
+
"EscalationContext",
|
|
80
|
+
"GovernancePipeline",
|
|
81
|
+
"Phase3Result",
|
|
82
|
+
"RecommendedAction",
|
|
83
|
+
"RecommendationResult",
|
|
84
|
+
"RiskRecommendation",
|
|
85
|
+
"SessionMeta",
|
|
86
|
+
"TransformSuggestion",
|
|
87
|
+
# Rules
|
|
88
|
+
"Predicate",
|
|
89
|
+
"Rule",
|
|
90
|
+
"RuleMatch",
|
|
91
|
+
"RecommendationTemplate",
|
|
92
|
+
"evaluate_rules",
|
|
93
|
+
"parse_rules",
|
|
94
|
+
# Risk
|
|
95
|
+
"RiskModifiers",
|
|
96
|
+
"assess_governance_risk",
|
|
97
|
+
# Canonical
|
|
98
|
+
"compute_canonical_hash",
|
|
99
|
+
# Scanners
|
|
100
|
+
"PIIScanner",
|
|
101
|
+
"IFCChecker",
|
|
102
|
+
"SCOPE_TO_LABEL",
|
|
103
|
+
"PATH_LABEL_RULES",
|
|
104
|
+
"IntegrityVerifier",
|
|
105
|
+
"MCPIntegrityScanner",
|
|
106
|
+
"MCPIntegrityAlert",
|
|
107
|
+
"MCPToolProfile",
|
|
108
|
+
"DriftDetector",
|
|
109
|
+
"DriftAssessment",
|
|
110
|
+
# Budget
|
|
111
|
+
"BudgetThresholds",
|
|
112
|
+
"BudgetTracker",
|
|
113
|
+
# Envelope & Observer
|
|
114
|
+
"ContextGapEvent",
|
|
115
|
+
"EnrichedEvent",
|
|
116
|
+
"EnrichedEmitter",
|
|
117
|
+
"TraceforgeObserver",
|
|
118
|
+
"GovernanceObserver",
|
|
119
|
+
"AgentContext",
|
|
120
|
+
"create_observer",
|
|
121
|
+
]
|