PyPI - xenfra - Versions diffs - 0.3.1__py3-none-any.whl - Mend

xenfra 0.3.1__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

xenfra/__init__.py +0 -0
xenfra/commands/__init__.py +3 -0
xenfra/commands/auth.py +137 -0
xenfra/commands/auth_device.py +159 -0
xenfra/commands/deployments.py +666 -0
xenfra/commands/intelligence.py +343 -0
xenfra/commands/projects.py +204 -0
xenfra/commands/security_cmd.py +233 -0
xenfra/main.py +75 -0
xenfra/utils/__init__.py +3 -0
xenfra/utils/auth.py +243 -0
xenfra/utils/codebase.py +126 -0
xenfra/utils/config.py +363 -0
xenfra/utils/security.py +336 -0
xenfra/utils/validation.py +234 -0
xenfra-0.3.1.dist-info/METADATA +116 -0
xenfra-0.3.1.dist-info/RECORD +19 -0
xenfra-0.3.1.dist-info/WHEEL +4 -0
xenfra-0.3.1.dist-info/entry_points.txt +3 -0

xenfra/utils/config.py ADDED Viewed

@@ -0,0 +1,363 @@
+"""
+Configuration file generation utilities.
+"""
+import os
+import shutil
+from datetime import datetime
+from pathlib import Path
+import click
+import yaml
+from rich.console import Console
+from rich.prompt import Confirm, IntPrompt, Prompt
+from xenfra_sdk import CodebaseAnalysisResponse
+console = Console()
+def read_xenfra_yaml(filename: str = "xenfra.yaml") -> dict:
+    """
+    Read and parse xenfra.yaml configuration file.
+    Args:
+        filename: Path to the config file (default: xenfra.yaml)
+    Returns:
+        Dictionary containing the configuration
+    Raises:
+        FileNotFoundError: If the config file doesn't exist
+        yaml.YAMLError: If the YAML is malformed
+    """
+    """
+    Read and parse xenfra.yaml configuration file.
+    Args:
+        filename: Path to the config file (default: xenfra.yaml)
+    Returns:
+        Dictionary containing the configuration
+    Raises:
+        FileNotFoundError: If the config file doesn't exist
+    """
+    if not Path(filename).exists():
+        raise FileNotFoundError(
+            f"Configuration file '{filename}' not found. Run 'xenfra init' first."
+        )
+    try:
+        with open(filename, "r") as f:
+            return yaml.safe_load(f) or {}
+    except yaml.YAMLError as e:
+        raise ValueError(f"Invalid YAML in {filename}: {e}")
+    except Exception as e:
+        raise IOError(f"Failed to read {filename}: {e}")
+def generate_xenfra_yaml(analysis: CodebaseAnalysisResponse, filename: str = "xenfra.yaml") -> str:
+    """
+    Generate xenfra.yaml from AI codebase analysis.
+    Args:
+        analysis: CodebaseAnalysisResponse from Intelligence Service
+        filename: Output filename (default: xenfra.yaml)
+    Returns:
+        Path to the generated file
+    """
+    # Build configuration dictionary
+    config = {
+        "name": os.path.basename(os.getcwd()),
+        "framework": analysis.framework,
+        "port": analysis.port,
+    }
+    # Add database configuration if detected
+    if analysis.database and analysis.database != "none":
+        config["database"] = {"type": analysis.database, "env_var": "DATABASE_URL"}
+    # Add cache configuration if detected
+    if analysis.cache and analysis.cache != "none":
+        config["cache"] = {"type": analysis.cache, "env_var": f"{analysis.cache.upper()}_URL"}
+    # Add worker configuration if detected
+    if analysis.workers and len(analysis.workers) > 0:
+        config["workers"] = analysis.workers
+    # Add environment variables
+    if analysis.env_vars and len(analysis.env_vars) > 0:
+        config["env_vars"] = analysis.env_vars
+    # Add instance size
+    config["instance_size"] = analysis.instance_size
+    # Add package manager info (for intelligent diagnosis)
+    if analysis.package_manager:
+        config["package_manager"] = analysis.package_manager
+    if analysis.dependency_file:
+        config["dependency_file"] = analysis.dependency_file
+    # Write to file
+    with open(filename, "w") as f:
+        yaml.dump(config, f, sort_keys=False, default_flow_style=False)
+    return filename
+def create_backup(file_path: str) -> str:
+    """
+    Create a timestamped backup of a file in .xenfra/backups/ directory.
+    Args:
+        file_path: Path to the file to backup
+    Returns:
+        Path to the backup file
+    """
+    # Create .xenfra/backups directory if it doesn't exist
+    backup_dir = Path(".xenfra") / "backups"
+    backup_dir.mkdir(parents=True, exist_ok=True)
+    # Generate timestamped backup filename
+    timestamp = datetime.now().strftime("%Y%m%d_%H%M%S")
+    file_name = Path(file_path).name
+    backup_path = backup_dir / f"{file_name}.{timestamp}.backup"
+    # Copy file to backup location
+    shutil.copy2(file_path, backup_path)
+    return str(backup_path)
+def apply_patch(patch: dict, target_file: str = None, create_backup_file: bool = True):
+    """
+    Apply a JSON patch to a configuration file with automatic backup.
+    Args:
+        patch: Patch object with file, operation, path, value
+        target_file: Optional override for the file to patch
+        create_backup_file: Whether to create a backup before patching (default: True)
+    Returns:
+        Path to the backup file if created, None otherwise
+    Raises:
+        ValueError: If patch structure is invalid
+        FileNotFoundError: If target file doesn't exist
+        NotImplementedError: If file type is not supported
+    """
+    # Validate patch structure
+    if not isinstance(patch, dict):
+        raise ValueError("Patch must be a dictionary")
+    required_fields = ["file", "operation"]
+    for field in required_fields:
+        if field not in patch:
+            raise ValueError(f"Patch missing required field: {field}")
+    operation = patch.get("operation")
+    if operation not in ["add", "replace", "remove"]:
+        raise ValueError(
+            f"Invalid patch operation: {operation}. Must be 'add', 'replace', or 'remove'"
+        )
+    """
+    Apply a JSON patch to a configuration file with automatic backup.
+    Args:
+        patch: Patch object with file, operation, path, value
+        target_file: Optional override for the file to patch
+        create_backup_file: Whether to create a backup before patching (default: True)
+    Returns:
+        Path to the backup file if created, None otherwise
+    """
+    file_to_patch = target_file or patch.get("file")
+    if not file_to_patch:
+        raise ValueError("No target file specified in patch")
+    if not os.path.exists(file_to_patch):
+        raise FileNotFoundError(f"File '{file_to_patch}' not found")
+    # Create backup before modifying
+    backup_path = None
+    if create_backup_file:
+        backup_path = create_backup(file_to_patch)
+    # For YAML files
+    if file_to_patch.endswith((".yaml", ".yml")):
+        with open(file_to_patch, "r") as f:
+            config_data = yaml.safe_load(f) or {}
+        # Apply patch based on operation
+        operation = patch.get("operation")
+        path = patch.get("path", "").strip("/")
+        value = patch.get("value")
+        if operation == "add":
+            # For simple paths, add to root
+            if path:
+                path_parts = path.split("/")
+                current = config_data
+                for part in path_parts[:-1]:
+                    if part not in current:
+                        current[part] = {}
+                    current = current[part]
+                current[path_parts[-1]] = value
+            else:
+                # Add to root level
+                if isinstance(value, dict):
+                    config_data.update(value)
+                else:
+                    config_data = value
+        elif operation == "replace":
+            if path:
+                path_parts = path.split("/")
+                current = config_data
+                for part in path_parts[:-1]:
+                    current = current[part]
+                current[path_parts[-1]] = value
+            else:
+                config_data = value
+        # Write back
+        with open(file_to_patch, "w") as f:
+            yaml.dump(config_data, f, sort_keys=False, default_flow_style=False)
+    # For JSON files
+    elif file_to_patch.endswith(".json"):
+        import json
+        with open(file_to_patch, "r") as f:
+            config_data = json.load(f)
+        operation = patch.get("operation")
+        path = patch.get("path", "").strip("/")
+        value = patch.get("value")
+        if operation == "add":
+            if path:
+                path_parts = path.split("/")
+                current = config_data
+                for part in path_parts[:-1]:
+                    if part not in current:
+                        current[part] = {}
+                    current = current[part]
+                current[path_parts[-1]] = value
+            else:
+                if isinstance(value, dict):
+                    config_data.update(value)
+                else:
+                    config_data = value
+        elif operation == "replace":
+            if path:
+                path_parts = path.split("/")
+                current = config_data
+                for part in path_parts[:-1]:
+                    current = current[part]
+                current[path_parts[-1]] = value
+            else:
+                config_data = value
+        # Write back
+        with open(file_to_patch, "w") as f:
+            json.dump(config_data, f, indent=2)
+    # For text files (like requirements.txt)
+    elif file_to_patch.endswith(".txt"):
+        operation = patch.get("operation")
+        value = patch.get("value")
+        if operation == "add":
+            # Append to file
+            with open(file_to_patch, "a") as f:
+                f.write(f"\n{value}\n")
+        elif operation == "replace":
+            # Replace entire file
+            with open(file_to_patch, "w") as f:
+                f.write(str(value))
+    else:
+        # Design decision: Only support auto-patching for common dependency files
+        # Other file types should be manually edited to avoid data loss
+        # See docs/future-enhancements.md #4 for potential extensions
+        raise NotImplementedError(f"Patching not supported for file type: {file_to_patch}")
+    return backup_path
+def manual_prompt_for_config(filename: str = "xenfra.yaml") -> str:
+    """
+    Prompt user interactively for configuration details and generate xenfra.yaml.
+    Args:
+        filename: Output filename (default: xenfra.yaml)
+    Returns:
+        Path to the generated file
+    """
+    config = {}
+    # Project name (default to directory name)
+    default_name = os.path.basename(os.getcwd())
+    config["name"] = Prompt.ask("Project name", default=default_name)
+    # Framework
+    framework = Prompt.ask(
+        "Framework", choices=["fastapi", "flask", "django", "other"], default="fastapi"
+    )
+    config["framework"] = framework
+    # Port
+    port = IntPrompt.ask("Application port", default=8000)
+    # Validate port
+    from .validation import validate_port
+    is_valid, error_msg = validate_port(port)
+    if not is_valid:
+        console.print(f"[bold red]Invalid port: {error_msg}[/bold red]")
+        raise click.Abort()
+    config["port"] = port
+    # Database
+    use_database = Confirm.ask("Does your app use a database?", default=False)
+    if use_database:
+        db_type = Prompt.ask(
+            "Database type",
+            choices=["postgresql", "mysql", "sqlite", "mongodb"],
+            default="postgresql",
+        )
+        config["database"] = {"type": db_type, "env_var": "DATABASE_URL"}
+    # Cache
+    use_cache = Confirm.ask("Does your app use caching?", default=False)
+    if use_cache:
+        cache_type = Prompt.ask("Cache type", choices=["redis", "memcached"], default="redis")
+        config["cache"] = {"type": cache_type, "env_var": f"{cache_type.upper()}_URL"}
+    # Instance size
+    instance_size = Prompt.ask(
+        "Instance size", choices=["basic", "standard", "premium"], default="basic"
+    )
+    config["instance_size"] = instance_size
+    # Environment variables
+    add_env = Confirm.ask("Add environment variables?", default=False)
+    if add_env:
+        env_vars = []
+        while True:
+            env_var = Prompt.ask("Environment variable name (blank to finish)", default="")
+            if not env_var:
+                break
+            env_vars.append(env_var)
+        if env_vars:
+            config["env_vars"] = env_vars
+    # Write to file
+    with open(filename, "w") as f:
+        yaml.dump(config, f, sort_keys=False, default_flow_style=False)
+    return filename

xenfra/utils/security.py ADDED Viewed

@@ -0,0 +1,336 @@
+"""
+Security utilities for Xenfra CLI.
+Implements comprehensive URL validation, domain whitelisting, HTTPS enforcement, and certificate pinning.
+"""
+import os
+import ssl
+from urllib.parse import urlparse
+import certifi
+import click
+import httpx
+from rich.console import Console
+console = Console()
+# Production API URL
+PRODUCTION_API_URL = "https://api.xenfra.tech"
+# Allowed domains (whitelist) - Solution 2
+ALLOWED_DOMAINS = [
+    "api.xenfra.tech",  # Production
+    "api-staging.xenfra.tech",  # Staging
+    "localhost",  # Local development
+    "127.0.0.1",  # Local development (IP)
+]
+# Certificate fingerprints for pinning - Solution 4
+# These should be updated when certificates are rotated
+PINNED_CERTIFICATES = {
+    "api.xenfra.tech": {
+        # SHA256 fingerprint of the expected certificate
+        # Example: "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
+        # To get fingerprint, run:
+        # openssl s_client -connect api.xenfra.tech:443 | openssl x509 -pubkey -noout \
+        # | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
+        "fingerprints": [],  # Add actual fingerprints when you have production cert
+    }
+}
+class SecurityConfig:
+    """Security configuration for CLI."""
+    def __init__(self):
+        """Initialize security configuration from environment."""
+        # PRODUCTION-ONLY: Default to production settings
+        # Environment variable only used for self-hosted instances
+        self.environment = "production"
+        # Security settings - ALWAYS enforced for production safety
+        self.enforce_https = True  # Always require HTTPS
+        self.enforce_whitelist = False  # Allow self-hosted instances
+        self.enable_cert_pinning = False  # Disabled (see future-enhancements.md #3)
+        self.warn_on_http = True  # Always warn on HTTP
+    def is_production(self) -> bool:
+        """Check if running in production environment."""
+        return self.environment == "production"
+    def is_development(self) -> bool:
+        """Check if running in development environment."""
+        return self.environment in ["development", "dev", "local"]
+# Global security configuration
+security_config = SecurityConfig()
+def validate_url_format(url: str) -> dict:
+    """
+    Solution 1: Basic URL validation.
+    Args:
+        url: The URL to validate
+    Returns:
+        Parsed URL components
+    Raises:
+        ValueError: If URL format is invalid
+    """
+    try:
+        parsed = urlparse(url)
+        # Check scheme
+        if parsed.scheme not in ["http", "https"]:
+            raise ValueError(
+                f"Invalid URL scheme '{parsed.scheme}'. " f"Only 'http' and 'https' are allowed."
+            )
+        # Check hostname exists
+        if not parsed.hostname:
+            raise ValueError("URL must include a hostname")
+        # Check for malicious patterns
+        if ".." in url or "@" in url:
+            raise ValueError("URL contains suspicious characters")
+        # Prevent URL with credentials (http://user:pass@host)
+        if parsed.username or parsed.password:
+            raise ValueError("URLs with embedded credentials are not allowed")
+        return {
+            "scheme": parsed.scheme,
+            "hostname": parsed.hostname,
+            "port": parsed.port,
+            "url": url,
+        }
+    except Exception as e:
+        raise ValueError(f"Invalid URL format: {e}")
+def check_domain_whitelist(hostname: str) -> bool:
+    """
+    Solution 2: Domain whitelist validation.
+    Args:
+        hostname: The hostname to check
+    Returns:
+        True if domain is whitelisted
+    Raises:
+        ValueError: If domain is not whitelisted and enforcement is enabled
+    """
+    is_whitelisted = hostname in ALLOWED_DOMAINS
+    if not is_whitelisted:
+        if security_config.enforce_whitelist:
+            # Hard block in strict mode
+            raise ValueError(
+                f"Domain '{hostname}' is not in the whitelist.\n"
+                f"Allowed domains: {', '.join(ALLOWED_DOMAINS)}\n\n"
+                f"If you're using a self-hosted Xenfra instance:\n"
+                f"1. Set XENFRA_ENFORCE_WHITELIST=false\n"
+                f"2. Or contact support to whitelist your domain"
+            )
+        else:
+            # Soft warning in permissive mode
+            console.print(
+                f"[yellow]⚠️  Warning: Domain '{hostname}' is not in the official whitelist.[/yellow]"
+            )
+            console.print(f"[dim]Whitelisted domains: {', '.join(ALLOWED_DOMAINS)}[/dim]")
+            console.print("[yellow]Are you sure you want to connect to this API?[/yellow]")
+            if not click.confirm("Continue?", default=False):
+                raise click.Abort()
+    return is_whitelisted
+def enforce_https(scheme: str, hostname: str) -> None:
+    """
+    Solution 3: HTTPS enforcement.
+    Args:
+        scheme: URL scheme (http/https)
+        hostname: The hostname
+    Raises:
+        ValueError: If HTTPS is required but HTTP is used
+    """
+    # Development exception: localhost is OK with HTTP
+    is_localhost = hostname in ["localhost", "127.0.0.1"]
+    if scheme == "http" and not is_localhost:
+        if security_config.enforce_https:
+            # Hard block in production/strict mode
+            raise ValueError(
+                f"HTTPS is required (environment: {security_config.environment}).\n"
+                f"Current URL uses insecure HTTP.\n\n"
+                f"To fix:\n"
+                f"1. Update XENFRA_API_URL to use https://\n"
+                f"2. Or set XENFRA_ENFORCE_HTTPS=false (not recommended)"
+            )
+        elif security_config.warn_on_http:
+            # Soft warning
+            console.print("[bold yellow]⚠️  Security Warning: Using unencrypted HTTP![/bold yellow]")
+            console.print(f"[yellow]Connecting to: {scheme}://{hostname}[/yellow]")
+            console.print("[yellow]Your credentials and data will be sent in plain text.[/yellow]")
+            console.print("[yellow]This should ONLY be used for local development.[/yellow]\n")
+            if not click.confirm("Continue with insecure connection?", default=False):
+                raise click.Abort()
+def create_secure_client(url: str, token: str = None) -> httpx.Client:
+    """
+    Solution 4: Create HTTP client with optional certificate pinning.
+    Args:
+        url: The base URL
+        token: Optional authentication token
+    Returns:
+        Configured httpx.Client with security settings
+    """
+    parsed = urlparse(url)
+    headers = {"Content-Type": "application/json"}
+    if token:
+        headers["Authorization"] = f"Bearer {token}"
+    # Certificate pinning for production domains (if enabled)
+    if security_config.enable_cert_pinning and parsed.hostname in PINNED_CERTIFICATES:
+        console.print(f"[dim]Enabling certificate pinning for {parsed.hostname}[/dim]")
+        # Create SSL context with certificate verification
+        ssl_context = ssl.create_default_context(cafile=certifi.where())
+        ssl_context.check_hostname = True
+        ssl_context.verify_mode = ssl.CERT_REQUIRED
+        # Note: Full certificate pinning implementation would require custom verification
+        # For now, we use strict certificate validation with system CA bundle
+        # Future enhancement: Certificate fingerprint pinning (see docs/future-enhancements.md #3)
+        return httpx.Client(
+            base_url=url,
+            headers=headers,
+            verify=ssl_context,
+            timeout=30.0,
+        )
+    else:
+        # Standard client with default certificate verification
+        return httpx.Client(
+            base_url=url,
+            headers=headers,
+            timeout=30.0,
+        )
+def validate_and_get_api_url(url: str = None) -> str:
+    """
+    Comprehensive API URL validation (combines all 4 solutions).
+    Args:
+        url: Optional URL override (only for self-hosted instances)
+    Returns:
+        Validated API URL (defaults to https://api.xenfra.tech)
+    Raises:
+        ValueError: If URL fails validation
+        click.Abort: If user cancels security prompts
+    """
+    # PRODUCTION DEFAULT: Use hardcoded production URL
+    # Only check environment variable for self-hosted overrides
+    if url is None:
+        url = os.getenv("XENFRA_API_URL", PRODUCTION_API_URL)
+    try:
+        # Solution 1: Validate URL format
+        parsed = validate_url_format(url)
+        # Solution 2: Check domain whitelist
+        check_domain_whitelist(parsed["hostname"])
+        # Solution 3: Enforce HTTPS
+        enforce_https(parsed["scheme"], parsed["hostname"])
+        # Display security info ONLY in debug mode
+        # Normal users shouldn't see this
+        if os.getenv("DEBUG") or os.getenv("XENFRA_DEBUG"):
+            console.print(f"[dim]🔒 Security: API URL validated: {url}[/dim]")
+            console.print(f"[dim]   Environment: {security_config.environment}[/dim]")
+            console.print(f"[dim]   HTTPS enforced: {security_config.enforce_https}[/dim]")
+            console.print(f"[dim]   Whitelist enforced: {security_config.enforce_whitelist}[/dim]")
+            console.print(f"[dim]   Cert pinning: {security_config.enable_cert_pinning}[/dim]")
+        return url
+    except ValueError as e:
+        console.print("[bold red]🔒 Security Validation Failed:[/bold red]")
+        console.print(f"[red]{e}[/red]")
+        raise click.Abort()
+def display_security_info():
+    """Display current security configuration."""
+    console.print("\n[bold cyan]🔒 Security Configuration:[/bold cyan]")
+    table_data = [
+        ("Environment", security_config.environment),
+        ("HTTPS Enforcement", "✅ Enabled" if security_config.enforce_https else "⚠️  Disabled"),
+        (
+            "Domain Whitelist",
+            "✅ Enforced" if security_config.enforce_whitelist else "⚠️  Warning Only",
+        ),
+        ("HTTP Warning", "✅ Enabled" if security_config.warn_on_http else "❌ Disabled"),
+        (
+            "Certificate Pinning",
+            "✅ Enabled" if security_config.enable_cert_pinning else "❌ Disabled",
+        ),
+    ]
+    for key, value in table_data:
+        console.print(f"  {key}: {value}")
+    console.print()
+# Environment variable documentation
+"""
+PRODUCTION-FIRST DESIGN:
+The CLI defaults to production (api.xenfra.tech) with HTTPS enforcement.
+No configuration needed for normal users.
+Environment variables (for developers/self-hosted only):
+XENFRA_ENV=development
+  - Enables local development mode
+  - Allows HTTP, relaxes security
+  - Default: production (safe by default)
+XENFRA_API_URL=https://your-instance.com
+  - Override API URL for self-hosted instances
+  - Default: https://api.xenfra.tech
+XENFRA_ENFORCE_HTTPS=true|false
+  - Require HTTPS for all connections
+  - Default: true (production), false (development)
+Example usage:
+# Production users (zero config):
+xenfra auth login
+xenfra deploy
+# Local development:
+XENFRA_ENV=development xenfra auth login
+# Self-hosted instance:
+XENFRA_API_URL=https://xenfra.mycompany.com xenfra login
+"""