tweek 0.1.0__py3-none-any.whl → 0.2.0__py3-none-any.whl

tweek/config/tiers.yaml

@@ -8,21 +8,37 @@
 #   dangerous - Regex + LLM + Sandbox preview
 #
 # Security Layers:
-#   1. Rate Limiting  - Detect resource theft and burst attacks
-#   2. Pattern Match  - Regex patterns for known attack vectors (100+ patterns)
-#   3. LLM Review     - Semantic analysis using Claude Haiku
-#   4. Session Scan   - Cross-turn anomaly detection
-#   5. Sandbox        - Speculative execution in isolated environment
+#   1. Rate Limiting    - Detect resource theft and burst attacks
+#   2. Pattern Match    - Regex patterns for known attack vectors (259 patterns)
+#   2.5 Heuristic Score - Signal-based scoring for confidence-gated LLM escalation
+#   3. LLM Review       - Semantic analysis using Claude Haiku or local LLM
+#   4. Session Scan     - Cross-turn anomaly detection
+#   5. Sandbox          - Speculative execution in isolated environment
 
 version: 2
 
 # LLM Review Configuration
+# Supports: anthropic, openai, google, or any OpenAI-compatible endpoint
+# Provider "auto" checks: local (if enabled) → ANTHROPIC_API_KEY → OPENAI_API_KEY → GOOGLE_API_KEY
 llm_review:
   enabled: true
-  model: claude-3-5-haiku-latest
+  provider: auto              # auto | local | anthropic | openai | google | fallback
+  model: auto                 # auto = provider default, or explicit model name
+  base_url: null              # For OpenAI-compatible endpoints (Ollama, LM Studio, etc.)
+  api_key_env: null           # Override env var name (default: provider-specific)
   timeout_seconds: 5.0
-  # Only review if command length exceeds this
-  min_command_length: 20
+  local:
+    enabled: true             # Probe for Ollama/LM Studio on startup
+    probe_timeout: 0.5        # Max probe time per server (seconds)
+    timeout_seconds: 3.0      # Per-request timeout (local should be fast)
+    ollama_host: null          # Override (default: OLLAMA_HOST env or localhost:11434)
+    lm_studio_host: null       # Override (default: localhost:1234)
+    preferred_models: []       # User override for model ranking
+    validate_on_first_use: true
+    min_validation_score: 0.6  # Must pass 3/5 validation commands
+  fallback:
+    enabled: true             # Enable fallback chain (try local, then cloud)
+    order: [local, cloud]     # Priority order for provider attempts
 
 # Rate Limiting Configuration
 rate_limiting:
@@ -39,6 +55,28 @@ session_analysis:
   lookback_minutes: 30
   alert_on_risk_score: 0.5
 
+# Heuristic Scorer Configuration (Layer 2.5)
+# Bridges the gap between regex patterns and LLM review.
+# Runs ONLY when: no regex match AND LLM not already scheduled.
+# Scores content using signal-based heuristics from pattern families.
+# If score exceeds threshold, escalates to LLM review.
+heuristic_scorer:
+  enabled: true
+  threshold: 0.4               # Score [0.0-1.0] to trigger LLM escalation
+  log_all_scores: false         # Log below-threshold scores (for tuning)
+
+# Local ONNX Model Configuration
+# On-device prompt injection classifier — no API key needed.
+# Install with: pip install tweek[local-models] && tweek model download
+# When installed, takes priority over cloud LLM in auto-detection.
+# Cloud LLM becomes the escalation fallback for uncertain results.
+local_model:
+  enabled: true
+  model: auto                     # auto = configured default, or explicit model name
+  escalate_to_llm: true           # Escalate uncertain results to cloud LLM
+  escalate_min_confidence: 0.1    # Below this = definitely safe, no escalation
+  escalate_max_confidence: 0.9    # Above this = use local result, no escalation
+
 tiers:
   safe:
     description: "Trusted operations - no screening"
@@ -64,14 +102,14 @@ tiers:
 
 # Tool classifications
 tools:
-  # Safe - read-only, no external effects
-  Read: safe
+  # Default - read-only but needs path-based screening
+  Read: default
   Glob: safe
   Grep: safe
 
   # Default - modifications with standard screening
   Edit: default
-  Write: default
+  Write: risky
   NotebookEdit: default
 
   # Risky - external communication or significant changes
@@ -98,6 +136,17 @@ skills:
   # Dangerous skills (system-level)
   deploy: dangerous
 
+# Non-English Language Detection
+# English-only regex patterns (~40 of 116) cannot match prompt injection in
+# other languages. This setting controls how non-English content is handled.
+#
+# Options:
+#   escalate  - Auto-escalate to LLM review tier (default, recommended)
+#   translate - Translate to English before pattern matching (requires API key)
+#   both      - Escalate AND translate (maximum coverage)
+#   none      - No special handling (English-only patterns may miss attacks)
+non_english_handling: escalate
+
 # Content-based escalations
 # These patterns can escalate a tool's tier based on content
 escalations:
@@ -125,5 +174,106 @@ escalations:
     description: "Elevated privileges"
     escalate_to: dangerous
 
+  # Path-only patterns for Read/Write/Edit (no command prefix required)
+  - pattern: '\.ssh/(id_rsa|id_ed25519|id_ecdsa|authorized_keys|known_hosts|config)'
+    description: "SSH credential file access"
+    escalate_to: dangerous
+
+  - pattern: '\.aws/(credentials|config)'
+    description: "AWS credential file access"
+    escalate_to: dangerous
+
+  - pattern: '\.env(\.|$)'
+    description: "Environment file with potential secrets"
+    escalate_to: risky
+
+  - pattern: '\.kube/config'
+    description: "Kubernetes config access"
+    escalate_to: dangerous
+
+  - pattern: '\.gnupg/(private-keys|secring|trustdb)'
+    description: "GPG private key access"
+    escalate_to: dangerous
+
+  - pattern: '\.netrc'
+    description: "Network credentials file"
+    escalate_to: dangerous
+
+  # --- Prompt Injection Content Escalations ---
+  # Escalate default-tier tools to risky when content contains prompt injection indicators
+
+  - pattern: '(system\s+prompt|your\s+instructions|your\s+configuration|your\s+rules|your\s+guidelines).{0,30}(extract|show|reveal|output|share|display|dump|print)'
+    description: "System prompt extraction attempt"
+    escalate_to: risky
+
+  - pattern: '(decode\s+and\s+(follow|execute)|SYSTEM\s*:.*Debug|supersedes?\s+all\s+(other|previous)\s+instructions)'
+    description: "Encoded instruction or priority injection"
+    escalate_to: risky
+
+  - pattern: '(administrator\s+override|debug\s+mode\s+(enabled|active)|diagnostic\s+mode|maintenance\s+mode)'
+    description: "Fake administrative mode activation"
+    escalate_to: risky
+
+  - pattern: '(your\s+turn.{0,30}(continue|share|show)|DIAGNOSTIC\s+\d+|Step\s+\d+.{0,30}output\s+your)'
+    description: "Multi-shot or sequential extraction"
+    escalate_to: risky
+
+  - pattern: '(i\s+(wrote|created)\s+your\s+instructions|you\s+already\s+showed\s+me|we\s+agreed\s+you\s+would)'
+    description: "Social engineering claim for prompt access"
+    escalate_to: risky
+
+  - pattern: '([╔╗╚╝║═█░▓]{5,}|TECHIRAL|!KAEL|GODMODE)'
+    description: "Visual encoding or advanced jailbreak signature"
+    escalate_to: risky
+
+  # --- Red Team Hardening: Indirect Extraction Escalations (2026-02-01) ---
+  # These patterns catch bypass techniques that succeeded during multi-LLM TAP testing
+
+  - pattern: '(repeat|recite|reproduce).{0,20}(what\s+your\s+creators?|what\s+you\s+were\s+told|your\s+(purpose|rules|guidelines|instructions))'
+    description: "Indirect system prompt extraction via creator/purpose framing"
+    escalate_to: risky
+
+  - pattern: '(philosophy|principles?|design)\s+behind\s+(your|the)\s+(creation|design|helpfulness|responses?|behavior)'
+    description: "Crescendo opener: philosophical framing for system prompt extraction"
+    escalate_to: risky
+
+  - pattern: '(walk\s+me\s+through|trace\s+through|step\s+through)\s+.{0,30}(internal|your).{0,20}(reasoning|process|flow|logic|decision)'
+    description: "Chain-of-thought hijacking: request to trace internal processes"
+    escalate_to: risky
+
+# Path boundary escalation
+# Escalates tier when tool targets files outside the project working directory.
+# Additive to content-based escalations -- both are evaluated, highest tier wins.
+path_boundary:
+  enabled: true
+
+  # Default escalation for generic out-of-project access
+  default_escalate_to: risky
+
+  # Sensitive system directories get higher escalation than generic
+  # out-of-project access. Uses substring matching on the resolved path.
+  sensitive_directories:
+    - pattern: ".ssh"
+      escalate_to: dangerous
+      description: "SSH directory access"
+    - pattern: ".aws"
+      escalate_to: dangerous
+      description: "AWS credentials directory"
+    - pattern: ".gnupg"
+      escalate_to: dangerous
+      description: "GPG keyring directory"
+    - pattern: ".kube"
+      escalate_to: dangerous
+      description: "Kubernetes config directory"
+    - pattern: "/etc/shadow"
+      escalate_to: dangerous
+      description: "System shadow file"
+    - pattern: "/etc/sudoers"
+      escalate_to: dangerous
+      description: "Sudoers file"
+    - pattern: "/etc/passwd"
+      escalate_to: risky
+      description: "System passwd file"
+
 # Default tier for unclassified tools/skills
 default_tier: default

tweek/diagnostics.py

@@ -54,6 +54,7 @@ def run_health_checks(verbose: bool = False) -> List[HealthCheck]:
         _check_mcp_available,
         _check_proxy_config,
         _check_plugin_integrity,
+        _check_llm_review,
     ]
 
     results = []
@@ -544,9 +545,9 @@ def _check_proxy_config(verbose: bool = False) -> HealthCheck:
 def _check_plugin_integrity(verbose: bool = False) -> HealthCheck:
     """Check installed plugin integrity."""
     try:
-        from tweek.plugins import get_registry
+        from tweek.plugins import init_plugins
 
-        registry = get_registry()
+        registry = init_plugins()
         stats = registry.get_stats()
         total = stats.get("total", 0)
         enabled = stats.get("enabled", 0)
@@ -587,3 +588,71 @@ def _check_plugin_integrity(verbose: bool = False) -> HealthCheck:
             status=CheckStatus.WARNING,
             message=f"Cannot check plugins: {e}",
         )
+
+
+def _check_llm_review(verbose: bool = False) -> HealthCheck:
+    """Check LLM review provider availability and configuration."""
+    try:
+        from tweek.security.llm_reviewer import (
+            get_llm_reviewer,
+            _detect_local_server,
+            FallbackReviewProvider,
+        )
+
+        reviewer = get_llm_reviewer()
+
+        if not reviewer.enabled:
+            return HealthCheck(
+                name="llm_review",
+                label="LLM Review",
+                status=CheckStatus.WARNING,
+                message="No LLM provider available (review disabled)",
+                fix_hint="Set ANTHROPIC_API_KEY, OPENAI_API_KEY, or GOOGLE_API_KEY. "
+                         "Or install Ollama: https://ollama.ai",
+            )
+
+        # Build status message
+        provider_name = reviewer.provider_name
+        model = reviewer.model
+        parts = [f"{model} via {provider_name}"]
+
+        # Check for fallback chain details
+        provider = reviewer._provider_instance
+        if isinstance(provider, FallbackReviewProvider):
+            count = provider.provider_count
+            parts.append(f"fallback chain: {count} providers")
+
+        # Check for local LLM server
+        try:
+            server = _detect_local_server()
+            if server:
+                if verbose:
+                    parts.append(
+                        f"local: {server.model} on {server.server_type} "
+                        f"({len(server.all_models)} models available)"
+                    )
+                else:
+                    parts.append(f"local: {server.server_type}")
+        except Exception:
+            pass
+
+        return HealthCheck(
+            name="llm_review",
+            label="LLM Review",
+            status=CheckStatus.OK,
+            message="; ".join(parts),
+        )
+    except ImportError:
+        return HealthCheck(
+            name="llm_review",
+            label="LLM Review",
+            status=CheckStatus.SKIPPED,
+            message="LLM reviewer module not available",
+        )
+    except Exception as e:
+        return HealthCheck(
+            name="llm_review",
+            label="LLM Review",
+            status=CheckStatus.WARNING,
+            message=f"Cannot check LLM review: {e}",
+        )

tweek/hooks/break_glass.py

@@ -0,0 +1,163 @@
+"""
+Tweek Break-Glass Override System
+
+Provides an audited escape path for hard-blocked (deny) patterns.
+Break-glass downgrades "deny" to "ask" (never to "allow") — the user
+still must explicitly approve after the override.
+
+State file: ~/.tweek/break_glass.json
+All uses are logged as BREAK_GLASS events for full audit trail.
+
+The AI agent cannot execute `tweek override` — it requires a
+separate CLI invocation by a human operator.
+"""
+
+import json
+import sys
+from datetime import datetime, timezone, timedelta
+from pathlib import Path
+from typing import Dict, List, Optional
+
+
+BREAK_GLASS_PATH = Path.home() / ".tweek" / "break_glass.json"
+
+
+def _load_state() -> Dict:
+    """Load break-glass state from disk."""
+    if not BREAK_GLASS_PATH.exists():
+        return {"overrides": []}
+    try:
+        with open(BREAK_GLASS_PATH) as f:
+            return json.load(f)
+    except (json.JSONDecodeError, OSError):
+        return {"overrides": []}
+
+
+def _save_state(state: Dict) -> None:
+    """Save break-glass state to disk."""
+    BREAK_GLASS_PATH.parent.mkdir(parents=True, exist_ok=True)
+    with open(BREAK_GLASS_PATH, "w") as f:
+        json.dump(state, f, indent=2)
+
+
+def _now_iso() -> str:
+    """Current time as ISO 8601 string."""
+    return datetime.now(timezone.utc).isoformat()
+
+
+def create_override(
+    pattern_name: str,
+    mode: str = "once",
+    duration_minutes: Optional[int] = None,
+    reason: str = "",
+) -> Dict:
+    """Create a new break-glass override.
+
+    Args:
+        pattern_name: The pattern to override (e.g., "ssh_key_read").
+        mode: "once" (consumed on first use) or "duration" (time-limited).
+        duration_minutes: Minutes until expiry (required for mode="duration").
+        reason: Human-provided reason for the override.
+
+    Returns:
+        The created override dict.
+    """
+    state = _load_state()
+    now = datetime.now(timezone.utc)
+
+    override = {
+        "pattern": pattern_name,
+        "mode": mode,
+        "reason": reason,
+        "created_at": now.isoformat(),
+        "expires_at": None,
+        "used": False,
+        "used_at": None,
+    }
+
+    if mode == "duration" and duration_minutes:
+        expires = now + timedelta(minutes=duration_minutes)
+        override["expires_at"] = expires.isoformat()
+
+    state["overrides"].append(override)
+    _save_state(state)
+    return override
+
+
+def check_override(pattern_name: str) -> Optional[Dict]:
+    """Check if a valid break-glass override exists for a pattern.
+
+    If a valid override is found:
+    - For "once" mode: marks it as used (consumed)
+    - For "duration" mode: checks expiry
+
+    Returns the override dict if valid, None otherwise.
+    """
+    state = _load_state()
+    now = datetime.now(timezone.utc)
+    found = None
+
+    for override in state["overrides"]:
+        if override["pattern"] != pattern_name:
+            continue
+
+        # Skip already-consumed single-use overrides
+        if override["mode"] == "once" and override.get("used"):
+            continue
+
+        # Check expiry for duration-based overrides
+        if override.get("expires_at"):
+            try:
+                expires = datetime.fromisoformat(override["expires_at"])
+                if now > expires:
+                    continue
+            except (ValueError, TypeError):
+                continue
+
+        found = override
+        break
+
+    if found:
+        # Consume single-use overrides
+        if found["mode"] == "once":
+            found["used"] = True
+            found["used_at"] = now.isoformat()
+            _save_state(state)
+
+    return found
+
+
+def list_overrides() -> List[Dict]:
+    """List all overrides (including expired/consumed for audit)."""
+    state = _load_state()
+    return state.get("overrides", [])
+
+
+def list_active_overrides() -> List[Dict]:
+    """List only currently active (non-expired, non-consumed) overrides."""
+    state = _load_state()
+    now = datetime.now(timezone.utc)
+    active = []
+
+    for override in state.get("overrides", []):
+        if override["mode"] == "once" and override.get("used"):
+            continue
+        if override.get("expires_at"):
+            try:
+                expires = datetime.fromisoformat(override["expires_at"])
+                if now > expires:
+                    continue
+            except (ValueError, TypeError):
+                continue
+        active.append(override)
+
+    return active
+
+
+def clear_overrides() -> int:
+    """Remove all overrides. Returns count of removed overrides."""
+    state = _load_state()
+    count = len(state.get("overrides", []))
+    state["overrides"] = []
+    _save_state(state)
+    return count

tweek/hooks/feedback.py

@@ -0,0 +1,223 @@
+"""
+Tweek False-Positive Feedback Loop
+
+Tracks per-pattern false positive rates and automatically demotes
+noisy patterns when their FP rate exceeds the threshold.
+
+State file: ~/.tweek/feedback.json
+
+Threshold: 5% FP rate with minimum 20 triggers (Google Tricorder standard).
+CRITICAL patterns are never auto-demoted (safety constraint).
+"""
+
+import json
+from datetime import datetime, timezone
+from pathlib import Path
+from typing import Dict, Optional
+
+
+FEEDBACK_PATH = Path.home() / ".tweek" / "feedback.json"
+
+# Google Tricorder threshold: 5% max FP rate
+FP_THRESHOLD = 0.05
+MIN_TRIGGERS_FOR_DEMOTION = 20
+
+# Severity demotion chain: critical is never demoted
+DEMOTION_MAP = {
+    "high": "medium",
+    "medium": "low",
+    "low": "low",  # Already at lowest
+}
+
+# Severities immune from auto-demotion
+IMMUNE_SEVERITIES = {"critical"}
+
+
+def _load_state() -> Dict:
+    """Load feedback state from disk."""
+    if not FEEDBACK_PATH.exists():
+        return {"patterns": {}}
+    try:
+        with open(FEEDBACK_PATH) as f:
+            return json.load(f)
+    except (json.JSONDecodeError, OSError):
+        return {"patterns": {}}
+
+
+def _save_state(state: Dict) -> None:
+    """Save feedback state to disk."""
+    FEEDBACK_PATH.parent.mkdir(parents=True, exist_ok=True)
+    with open(FEEDBACK_PATH, "w") as f:
+        json.dump(state, f, indent=2)
+
+
+def record_trigger(pattern_name: str, severity: str) -> None:
+    """Record that a pattern triggered (called after USER_APPROVED event).
+
+    This increments the total trigger count for FP rate calculation.
+    """
+    state = _load_state()
+    patterns = state.setdefault("patterns", {})
+
+    if pattern_name not in patterns:
+        patterns[pattern_name] = {
+            "total_triggers": 0,
+            "false_positives": 0,
+            "fp_rate": 0.0,
+            "last_trigger_at": None,
+            "last_fp_at": None,
+            "auto_demoted": False,
+            "original_severity": severity,
+            "current_severity": severity,
+        }
+
+    entry = patterns[pattern_name]
+    entry["total_triggers"] += 1
+    entry["last_trigger_at"] = datetime.now(timezone.utc).isoformat()
+    _update_fp_rate(entry)
+    _save_state(state)
+
+
+def report_false_positive(pattern_name: str, context: str = "") -> Dict:
+    """Report a false positive for a pattern.
+
+    Returns the updated pattern stats dict.
+    """
+    state = _load_state()
+    patterns = state.setdefault("patterns", {})
+
+    if pattern_name not in patterns:
+        patterns[pattern_name] = {
+            "total_triggers": 1,  # At least 1 trigger to report FP
+            "false_positives": 0,
+            "fp_rate": 0.0,
+            "last_trigger_at": None,
+            "last_fp_at": None,
+            "auto_demoted": False,
+            "original_severity": "unknown",
+            "current_severity": "unknown",
+        }
+
+    entry = patterns[pattern_name]
+    entry["false_positives"] += 1
+    entry["last_fp_at"] = datetime.now(timezone.utc).isoformat()
+
+    if context:
+        contexts = entry.setdefault("fp_contexts", [])
+        contexts.append({
+            "context": context,
+            "reported_at": datetime.now(timezone.utc).isoformat(),
+        })
+        # Keep last 10 contexts
+        entry["fp_contexts"] = contexts[-10:]
+
+    _update_fp_rate(entry)
+    _check_auto_demotion(entry)
+    _save_state(state)
+
+    # Bridge to agentic memory: record the FP as an "approved" decision
+    try:
+        from tweek.memory.schemas import PatternDecisionEntry
+        from tweek.memory.store import get_memory_store
+
+        store = get_memory_store()
+        fp_entry = PatternDecisionEntry(
+            pattern_name=pattern_name,
+            pattern_id=None,
+            original_severity=entry.get("original_severity", "unknown"),
+            original_confidence="heuristic",
+            decision="ask",
+            user_response="approved",  # FP = user approved (it was safe)
+            tool_name="feedback",
+            content_hash=None,
+            path_prefix=None,
+            project_hash=None,
+        )
+        store.record_decision(fp_entry)
+    except Exception:
+        pass  # Memory bridge is best-effort
+
+    return dict(entry)
+
+
+def _update_fp_rate(entry: Dict) -> None:
+    """Recalculate FP rate from counts."""
+    total = entry.get("total_triggers", 0)
+    if total > 0:
+        entry["fp_rate"] = entry.get("false_positives", 0) / total
+    else:
+        entry["fp_rate"] = 0.0
+
+
+def _check_auto_demotion(entry: Dict) -> None:
+    """Check if pattern should be auto-demoted based on FP rate."""
+    # Already demoted
+    if entry.get("auto_demoted"):
+        return
+
+    # Not enough data
+    if entry.get("total_triggers", 0) < MIN_TRIGGERS_FOR_DEMOTION:
+        return
+
+    # Below threshold
+    if entry.get("fp_rate", 0) < FP_THRESHOLD:
+        return
+
+    # CRITICAL patterns are never auto-demoted
+    original = entry.get("original_severity", "")
+    if original in IMMUNE_SEVERITIES:
+        return
+
+    # Auto-demote
+    demoted_to = DEMOTION_MAP.get(original, original)
+    if demoted_to != original:
+        entry["auto_demoted"] = True
+        entry["current_severity"] = demoted_to
+        entry["demoted_at"] = datetime.now(timezone.utc).isoformat()
+
+
+def get_effective_severity(pattern_name: str, original_severity: str) -> str:
+    """Get the effective severity for a pattern, accounting for FP demotions.
+
+    Args:
+        pattern_name: The pattern name.
+        original_severity: The severity from patterns.yaml.
+
+    Returns:
+        The effective severity (may be demoted).
+    """
+    state = _load_state()
+    entry = state.get("patterns", {}).get(pattern_name)
+    if entry and entry.get("auto_demoted"):
+        return entry.get("current_severity", original_severity)
+    return original_severity
+
+
+def get_stats() -> Dict[str, Dict]:
+    """Get all pattern feedback statistics."""
+    state = _load_state()
+    return state.get("patterns", {})
+
+
+def reset_pattern(pattern_name: str) -> Optional[Dict]:
+    """Reset FP tracking and undo auto-demotion for a pattern.
+
+    Returns info about what was reset, or None if pattern not found.
+    """
+    state = _load_state()
+    patterns = state.get("patterns", {})
+
+    if pattern_name not in patterns:
+        return None
+
+    entry = patterns[pattern_name]
+    result = {
+        "was_demoted": entry.get("auto_demoted", False),
+        "original_severity": entry.get("original_severity"),
+        "previous_fp_rate": entry.get("fp_rate"),
+    }
+
+    del patterns[pattern_name]
+    _save_state(state)
+
+    return result