tweek 0.4.0__py3-none-any.whl → 0.4.2__py3-none-any.whl

tweek/memory/store.py

@@ -26,6 +26,7 @@ from tweek.memory.schemas import (
 from tweek.memory.safety import (
     MIN_APPROVAL_RATIO,
     MIN_CONFIDENCE_SCORE,
+    MIN_DECISION_SPAN_HOURS,
     MIN_DECISION_THRESHOLD,
     SCOPED_THRESHOLDS,
     compute_suggested_decision,
@@ -36,6 +37,12 @@ from tweek.memory.safety import (
 # Half-life in days for time decay
 DECAY_HALF_LIFE_DAYS = 30
 
+# Valid table names for dynamic SQL (used by get_stats, export_all, clear_table)
+_VALID_TABLES = frozenset({
+    "pattern_decisions", "source_trust", "workflow_baselines",
+    "learned_whitelists", "memory_audit",
+})
+
 # Default global memory DB path
 GLOBAL_MEMORY_PATH = Path.home() / ".tweek" / "memory.db"
 
@@ -339,6 +346,7 @@ class MemoryStore:
                         SUM(CASE WHEN user_response = 'approved' THEN decay_weight ELSE 0 END)
                         / SUM(decay_weight)
                     ELSE 0.5 END as approval_ratio,
+                    MIN(timestamp) as first_decision,
                     MAX(timestamp) as last_decision
                 FROM pattern_decisions
                 WHERE {where_clause} AND decay_weight > 0.01
@@ -360,6 +368,23 @@ class MemoryStore:
             if total_weighted < threshold:
                 continue
 
+            # Temporal spread: decisions must span MIN_DECISION_SPAN_HOURS
+            # to prevent rapid-fire approval bypasses
+            first_ts = row["first_decision"]
+            last_ts = row["last_decision"]
+            if first_ts and last_ts and first_ts != last_ts:
+                try:
+                    t0 = datetime.fromisoformat(first_ts)
+                    t1 = datetime.fromisoformat(last_ts)
+                    span_hours = (t1 - t0).total_seconds() / 3600
+                    if span_hours < MIN_DECISION_SPAN_HOURS:
+                        continue
+                except (ValueError, TypeError):
+                    pass  # Malformed timestamps — skip check, don't block
+            elif total > 1:
+                # Multiple decisions with same timestamp — too rapid
+                continue
+
             # Compute suggested decision with scope-specific threshold
             suggested = compute_suggested_decision(
                 current_decision=current_decision,
@@ -818,8 +843,8 @@ class MemoryStore:
         conn = self._get_connection()
         stats = {}
 
-        for table in ("pattern_decisions", "source_trust", "workflow_baselines",
-                       "learned_whitelists", "memory_audit"):
+        for table in _VALID_TABLES:
+            # table names are from a frozen constant, safe for interpolation
             row = conn.execute(f"SELECT COUNT(*) as cnt FROM {table}").fetchone()
             stats[table] = row["cnt"]
 
@@ -879,8 +904,8 @@ class MemoryStore:
         conn = self._get_connection()
         data = {}
 
-        for table in ("pattern_decisions", "source_trust", "workflow_baselines",
-                       "learned_whitelists"):
+        for table in sorted(_VALID_TABLES - {"memory_audit"}):
+            # table names are from a frozen constant, safe for interpolation
             rows = conn.execute(f"SELECT * FROM {table}").fetchall()
             data[table] = [dict(r) for r in rows]
 
@@ -892,12 +917,8 @@ class MemoryStore:
 
         Returns the number of deleted rows.
         """
-        valid_tables = {
-            "pattern_decisions", "source_trust", "workflow_baselines",
-            "learned_whitelists", "memory_audit",
-        }
-        if table_name not in valid_tables:
-            raise ValueError(f"Invalid table: {table_name}. Must be one of {valid_tables}")
+        if table_name not in _VALID_TABLES:
+            raise ValueError(f"Invalid table: {table_name}. Must be one of {_VALID_TABLES}")
 
         conn = self._get_connection()
         cursor = conn.execute(f"DELETE FROM {table_name}")

tweek/plugins/base.py

@@ -59,11 +59,19 @@ class ReDoSProtection:
     # Dangerous pattern indicators (simple heuristics)
     # These are common patterns that can cause exponential backtracking
     DANGEROUS_PATTERNS = [
-        # Nested quantifiers
+        # Nested quantifiers with dot
         r'\(\.\*\)\+',           # (.*)+
         r'\(\.\+\)\+',           # (.+)+
         r'\(\.\*\)\*',           # (.*)*
         r'\(\.\+\)\*',           # (.+)*
+        # Nested quantifiers with character classes
+        r'\(\[a-z[^\]]*\]\+\)\+',    # ([a-z]+)+
+        r'\(\\w\+\)\+',             # (\w+)+
+        r'\(\\d\+\)\+',             # (\d+)+
+        r'\(\\s\+\)\+',             # (\s+)+
+        # Multi-char groups with nested quantifiers
+        r'\(\.\{2,\}?\)\+',         # (.{2,})+
+        r'\([^)]+\{[0-9,]+\}\)\+',  # (x{n,m})+
         # Overlapping alternation with quantifiers
         r'\([^)]*\|[^)]*\)\+',   # (a|a)+
         r'\([^)]*\|[^)]*\)\*',   # (a|a)*

tweek/plugins/detectors/openclaw.py

@@ -9,11 +9,17 @@ Detects OpenClaw AI personal assistant:
 - Potential proxy conflicts
 """
 
-import os
-import subprocess
 import json
 from pathlib import Path
-from typing import Optional, List, Dict, Any
+from typing import List, Dict, Any
+
+from tweek.integrations.openclaw_detection import (
+    OPENCLAW_CONFIG,
+    OPENCLAW_DEFAULT_PORT,
+    check_gateway_active,
+    check_npm_installation,
+    check_running_process,
+)
 from tweek.plugins.base import ToolDetectorPlugin, DetectionResult
 
 
@@ -33,8 +39,8 @@ class OpenClawDetector(ToolDetectorPlugin):
     AUTHOR = "Tweek"
     REQUIRES_LICENSE = "free"
     TAGS = ["detector", "openclaw", "assistant"]
+    DEFAULT_PORT = OPENCLAW_DEFAULT_PORT
 
-    DEFAULT_PORT = 18789
     CONFIG_LOCATIONS = [
         Path.home() / ".openclaw" / "openclaw.json",
     ]
@@ -44,15 +50,13 @@ class OpenClawDetector(ToolDetectorPlugin):
         return "openclaw"
 
     def detect(self) -> DetectionResult:
-        """
-        Detect OpenClaw installation and status.
-        """
+        """Detect OpenClaw installation and status."""
         result = DetectionResult(
             detected=False,
             tool_name=self.name,
         )
 
-        # Check npm global installation
+        # Check npm global installation (via wrapper for testability)
         npm_info = self._check_npm_installation()
         if npm_info:
             result.detected = True
@@ -69,16 +73,16 @@ class OpenClawDetector(ToolDetectorPlugin):
             try:
                 with open(config_path) as f:
                     config = json.load(f)
-                    result.port = config.get("gateway", {}).get("port", self.DEFAULT_PORT)
+                    result.port = config.get("gateway", {}).get("port", OPENCLAW_DEFAULT_PORT)
             except (json.JSONDecodeError, IOError):
-                result.port = self.DEFAULT_PORT
+                result.port = OPENCLAW_DEFAULT_PORT
 
         # Check for home directory existence
         openclaw_home = Path.home() / ".openclaw"
         if openclaw_home.exists():
             result.detected = True
 
-        # Check for running process
+        # Check for running process (via wrapper for testability)
         process_info = self._check_running_process()
         if process_info:
             result.detected = True
@@ -87,99 +91,33 @@ class OpenClawDetector(ToolDetectorPlugin):
             if process_info.get("port"):
                 result.port = process_info["port"]
 
-        # Check if gateway is active
+        # Check if gateway is active (via wrapper for testability)
         if result.port:
             result.metadata["gateway_active"] = self._check_gateway_active(result.port)
 
         return result
 
-    def _check_npm_installation(self) -> Optional[Dict[str, str]]:
-        """Check if openclaw is installed via npm."""
-        try:
-            # Try npm list -g
-            proc = subprocess.run(
-                ["npm", "list", "-g", "openclaw", "--json"],
-                capture_output=True,
-                text=True,
-                timeout=10,
-            )
-            if proc.returncode == 0:
-                data = json.loads(proc.stdout)
-                deps = data.get("dependencies", {})
-                if "openclaw" in deps:
-                    return {
-                        "version": deps["openclaw"].get("version", "unknown"),
-                        "path": data.get("path", ""),
-                    }
-        except (subprocess.TimeoutExpired, json.JSONDecodeError, FileNotFoundError):
-            pass
-
-        # Try which/where
-        try:
-            proc = subprocess.run(
-                ["which", "openclaw"] if os.name != "nt" else ["where", "openclaw"],
-                capture_output=True,
-                text=True,
-                timeout=5,
-            )
-            if proc.returncode == 0 and proc.stdout.strip():
-                return {"path": proc.stdout.strip().split("\n")[0]}
-        except (subprocess.TimeoutExpired, FileNotFoundError):
-            pass
-
-        return None
-
-    def _find_config(self) -> Optional[Path]:
+    def _find_config(self):
         """Find OpenClaw config file."""
         for path in self.CONFIG_LOCATIONS:
             if path.exists():
                 return path
         return None
 
-    def _check_running_process(self) -> Optional[Dict[str, Any]]:
-        """Check if openclaw process is running."""
-        try:
-            if os.name == "nt":
-                # Windows
-                proc = subprocess.run(
-                    ["tasklist", "/FI", "IMAGENAME eq node.exe", "/FO", "CSV"],
-                    capture_output=True,
-                    text=True,
-                    timeout=10,
-                )
-                if "openclaw" in proc.stdout.lower():
-                    return {"running": True}
-            else:
-                # Unix-like
-                proc = subprocess.run(
-                    ["pgrep", "-f", "openclaw"],
-                    capture_output=True,
-                    text=True,
-                    timeout=10,
-                )
-                if proc.returncode == 0 and proc.stdout.strip():
-                    pids = proc.stdout.strip().split("\n")
-                    return {"pid": pids[0]}
-
-                # Also check for node process with openclaw
-                proc = subprocess.run(
-                    ["pgrep", "-af", "node.*openclaw"],
-                    capture_output=True,
-                    text=True,
-                    timeout=10,
-                )
-                if proc.returncode == 0 and proc.stdout.strip():
-                    return {"running": True}
+    def _check_npm_installation(self) -> dict | None:
+        """Check npm global installation (wrapper for shared detection)."""
+        return check_npm_installation()
 
-        except (subprocess.TimeoutExpired, FileNotFoundError):
-            pass
-
-        return None
+    def _check_running_process(self) -> dict | None:
+        """Check for running openclaw process (wrapper for shared detection)."""
+        return check_running_process()
 
-    def _check_gateway_active(self, port: int) -> bool:
-        """Check if OpenClaw gateway is listening on port."""
+    def _check_gateway_active(self, port: int | None = None) -> bool:
+        """Check if gateway is active on the given port."""
+        import socket
+        if port is None:
+            port = self.DEFAULT_PORT
         try:
-            import socket
             sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
             sock.settimeout(1)
             result = sock.connect_ex(("127.0.0.1", port))
@@ -197,12 +135,13 @@ class OpenClawDetector(ToolDetectorPlugin):
             if result.metadata.get("gateway_active"):
                 conflicts.append(
                     f"OpenClaw gateway is active on port {result.port}. "
-                    "This may intercept LLM API calls before Tweek."
+                    "Both OpenClaw and Tweek will screen tool calls; "
+                    "execution order depends on plugin configuration."
                 )
             elif result.running:
                 conflicts.append(
                     "OpenClaw process is running. Gateway may start and "
-                    "intercept LLM API calls."
+                    "begin screening tool calls alongside Tweek."
                 )
 
         return conflicts

tweek/plugins/screening/heuristic_scorer.py

@@ -70,6 +70,10 @@ _BENIGN_PATTERNS = [
     ]
 ]
 
+# Command chaining operators -- presence means a "benign" prefix does not
+# guarantee the entire command is benign (Finding F7 fix).
+_CHAIN_OPERATORS_RE = re.compile(r"\s*(?:&&|\|\||;)\s*")
+
 # Shell expansion patterns
 _SHELL_EXPANSION_RE = re.compile(r"\$\(|\$\{|`[^`]+`|\beval\s|\bexec\s|\bsource\s")
 
@@ -212,8 +216,15 @@ class HeuristicScorerPlugin(ScreeningPlugin):
         return re.split(r"[\s|;&()]+", content.lower())
 
     def _is_benign(self, content: str) -> Optional[str]:
-        """Check if content matches a known-benign pattern."""
+        """Check if content matches a known-benign pattern.
+
+        Returns None (not benign) if command chaining operators are detected,
+        since a benign prefix (e.g. 'git commit') does not make the entire
+        chained command benign (e.g. 'git commit && curl evil.com').
+        """
         stripped = content.strip()
+        if _CHAIN_OPERATORS_RE.search(stripped):
+            return None
         for pattern in _BENIGN_PATTERNS:
             if pattern.match(stripped):
                 return pattern.pattern

tweek/plugins/screening/local_model_reviewer.py

@@ -91,6 +91,15 @@ class LocalModelReviewerPlugin(ScreeningPlugin):
                 reason=f"Local model inference error: {e}",
             )
 
+        # F6: Force cloud LLM escalation for dangerous-tier commands.
+        # A poisoned local model could produce high-confidence false negatives.
+        # When always_escalate_dangerous is enabled, override the local model's
+        # should_escalate to True for dangerous-tier commands.
+        tier = context.get("tier", "default")
+        always_escalate = (self._config or {}).get("always_escalate_dangerous", True)
+        if tier == "dangerous" and always_escalate and not result.should_escalate:
+            result.should_escalate = True
+
         # Map risk levels to screening result
         risk_severity_map = {
             "safe": Severity.LOW,

tweek/security/language.py

@@ -229,7 +229,8 @@ def detect_non_english(content: str, min_confidence: float = 0.3) -> LanguageDet
         )
         extended_ratio = extended_count / max(total_alpha, 1)
 
-        if extended_ratio >= 0.08:  # 8%+ accented characters suggests non-English
+        _EXTENDED_LATIN_THRESHOLD = 0.12  # 12%+ accented characters suggests non-English
+        if extended_ratio >= _EXTENDED_LATIN_THRESHOLD:
             detected_scripts.add("LATIN_EXTENDED")
             confidence = min(1.0, extended_ratio * 5)
 

tweek/security/llm_reviewer.py

@@ -528,15 +528,17 @@ class GoogleReviewProvider(ReviewProvider):
         self._model = model
         self._api_key = api_key
         self._timeout = timeout
-        genai.configure(api_key=api_key)
-        self._genai_model = genai.GenerativeModel(
-            model_name=model,
-            system_instruction=None,  # Set per-call
-        )
+        self._configured = False
+
+    def _ensure_configured(self):
+        """Lazily configure the SDK on first use (avoids blocking API calls at init)."""
+        if not self._configured:
+            genai.configure(api_key=self._api_key)
+            self._configured = True
 
     def call(self, system_prompt: str, user_prompt: str, max_tokens: int = 256) -> str:
         try:
-            # Create model with system instruction for this call
+            self._ensure_configured()
             model = genai.GenerativeModel(
                 model_name=self._model,
                 system_instruction=system_prompt,
@@ -1136,6 +1138,7 @@ Do not include any other text or explanation."""
         api_key_env: Optional[str] = None,
         local_config: Optional[Dict[str, Any]] = None,
         fallback_config: Optional[Dict[str, Any]] = None,
+        fail_mode: str = "open",
     ):
         """Initialize the LLM reviewer.
 
@@ -1149,8 +1152,10 @@ Do not include any other text or explanation."""
             api_key_env: Override which env var to read for the API key
             local_config: Config for local LLM server detection (Ollama/LM Studio)
             fallback_config: Config for fallback chain behavior
+            fail_mode: Behavior when LLM unavailable: "open", "closed", or "escalate"
         """
         self.timeout = timeout
+        self._fail_mode = fail_mode
         self._provider_instance: Optional[ReviewProvider] = None
 
         if enabled:
@@ -1307,40 +1312,61 @@ Do not include any other text or explanation."""
             )
 
         except ReviewProviderError as e:
-            # Infrastructure errors (auth, network, rate limit, timeout) should
-            # NOT block the user with a scary dialog. Pattern matching is the
-            # primary defense; LLM review is a supplementary layer. Gracefully
-            # degrade and let pattern matching handle it.
             import sys
             error_type = "timeout" if e.is_timeout else "provider_error"
             print(
                 f"tweek: LLM review unavailable ({self.provider_name}): {e}",
                 file=sys.stderr,
             )
-            return LLMReviewResult(
-                risk_level=RiskLevel.SAFE,
-                reason=f"LLM review unavailable ({self.provider_name}): {e}",
-                confidence=0.0,
-                details={"error": error_type, "provider": self.provider_name,
-                         "graceful_degradation": True},
-                should_prompt=False
-            )
+            return self._build_fail_result(error_type, str(e))
 
         except Exception as e:
-            # Unexpected error — also degrade gracefully. Pattern matching
-            # already ran; don't punish the user for an LLM config issue.
             import sys
             print(
                 f"tweek: LLM review error: {e}",
                 file=sys.stderr,
             )
+            return self._build_fail_result("unexpected_error", str(e))
+
+    def _build_fail_result(self, error_type: str, error_msg: str) -> LLMReviewResult:
+        """Build an LLMReviewResult based on the configured fail_mode.
+
+        Args:
+            error_type: Type of error (timeout, provider_error, unexpected_error)
+            error_msg: Human-readable error message
+
+        Returns:
+            LLMReviewResult configured per self._fail_mode:
+            - "open": SAFE, should_prompt=False (default, backward compatible)
+            - "closed": DANGEROUS, should_prompt=True (hard block)
+            - "escalate": SUSPICIOUS, should_prompt=True (ask user)
+        """
+        if self._fail_mode == "closed":
+            return LLMReviewResult(
+                risk_level=RiskLevel.DANGEROUS,
+                reason=f"LLM review unavailable; fail-closed policy active ({error_msg})",
+                confidence=0.0,
+                details={"error": error_type, "provider": self.provider_name,
+                         "fail_mode": "closed"},
+                should_prompt=True,
+            )
+        elif self._fail_mode == "escalate":
+            return LLMReviewResult(
+                risk_level=RiskLevel.SUSPICIOUS,
+                reason=f"LLM review unavailable; escalating to user ({error_msg})",
+                confidence=0.0,
+                details={"error": error_type, "provider": self.provider_name,
+                         "fail_mode": "escalate"},
+                should_prompt=True,
+            )
+        else:  # "open" (default, backward compatible)
             return LLMReviewResult(
                 risk_level=RiskLevel.SAFE,
-                reason=f"LLM review unavailable (unexpected error): {e}",
+                reason=f"LLM review unavailable ({self.provider_name}): {error_msg}",
                 confidence=0.0,
-                details={"error": str(e), "provider": self.provider_name,
-                         "graceful_degradation": True},
-                should_prompt=False
+                details={"error": error_type, "provider": self.provider_name,
+                         "graceful_degradation": True, "fail_mode": "open"},
+                should_prompt=False,
             )
 
     # Translation prompt for non-English skill/content audit
@@ -1462,6 +1488,7 @@ def get_llm_reviewer(
         # Load local/fallback config from tiers.yaml
         local_config = None
         fallback_config = None
+        fail_mode = "open"
         try:
             import yaml
             tiers_path = Path(__file__).parent.parent / "config" / "tiers.yaml"
@@ -1482,6 +1509,7 @@ def get_llm_reviewer(
                     api_key_env = llm_cfg.get("api_key_env")
                 if enabled:
                     enabled = llm_cfg.get("enabled", True)
+                fail_mode = llm_cfg.get("fail_mode", "open")
         except Exception:
             pass  # Config loading is best-effort
 
@@ -1493,6 +1521,7 @@ def get_llm_reviewer(
             api_key_env=api_key_env,
             local_config=local_config,
             fallback_config=fallback_config,
+            fail_mode=fail_mode,
         )
     return _llm_reviewer
 

tweek/security/local_model.py

@@ -88,6 +88,7 @@ class LocalModelInference:
         self._tokenizer: Optional[object] = None  # Tokenizer
         self._lock = threading.Lock()
         self._loaded = False
+        self._integrity_verified = False
 
         # Load metadata
         self._label_map: Dict[int, str] = {}
@@ -176,6 +177,26 @@ class LocalModelInference:
             # Load metadata
             self._load_metadata()
 
+            # Verify model file integrity (SHA-256 checksums)
+            if not self._integrity_verified:
+                try:
+                    from tweek.security.model_registry import verify_model_hashes
+                    hash_results = verify_model_hashes(self._model_name)
+                    mismatched = [
+                        f for f, status in hash_results.items()
+                        if status == "mismatch"
+                    ]
+                    if mismatched:
+                        raise RuntimeError(
+                            f"Model integrity check failed for: "
+                            f"{', '.join(mismatched)}. "
+                            f"Files may be corrupted or tampered with. "
+                            f"Run 'tweek model download --force' to re-download."
+                        )
+                    self._integrity_verified = True
+                except ImportError:
+                    pass  # model_registry not available; skip verification
+
             self._loaded = True
 
     def is_loaded(self) -> bool:

tweek/security/model_registry.py

@@ -377,6 +377,8 @@ def verify_model(name: str) -> Dict[str, bool]:
 
     status["model_meta.yaml"] = (model_dir / "model_meta.yaml").exists()
 
+    return status
+
 
 def verify_model_hashes(name: str) -> Dict[str, Optional[str]]:
     """Verify SHA-256 integrity of an installed model's files.
@@ -413,8 +415,6 @@ def verify_model_hashes(name: str) -> Dict[str, Optional[str]]:
 
     return results
 
-    return status
-
 
 def get_model_size(name: str) -> Optional[int]:
     """Get the total size of an installed model in bytes.