diff --git a/ai_command_auditor/cli/main.py b/ai_command_auditor/cli/main.py index dec1bb9..d138d0e 100755 --- a/ai_command_auditor/cli/main.py +++ b/ai_command_auditor/cli/main.py @@ -19,6 +19,7 @@ from colorama import Fore, Style, init from ..core.config import AuditorConfig, get_config, setup_logging +from ..core.templates import TemplateEngine # Initialize colorama for cross-platform colored output init() @@ -93,9 +94,30 @@ def cli(ctx: click.Context, config_dir: Optional[str], verbose: bool) -> None: ) @click.option("--config-dir", help="Custom config directory (default: .ai-auditor)") @click.option("--force", is_flag=True, help="Overwrite existing configuration") +@click.option( + "--environment", + "-e", + type=click.Choice(["development", "staging", "production"]), + default="development", + help="Environment type for configuration", +) +@click.option( + "--security-level", + "-s", + type=click.Choice(["basic", "standard", "strict"]), + default="standard", + help="Security level for validation rules", +) +@click.option("--team-config", help="Team configuration identifier") @click.pass_context def init_command( - ctx: click.Context, template: str, config_dir: Optional[str], force: bool + ctx: click.Context, + template: str, + config_dir: Optional[str], + force: bool, + environment: str, + security_level: str, + team_config: Optional[str], ) -> None: """Initialize AI Command Auditor in the current project.""" try: @@ -103,9 +125,34 @@ def init_command( config_directory = config_dir or ctx.obj.get("config_dir") print_info(f"Initializing AI Command Auditor with {template} template...") + print_info(f"Environment: {environment}, Security level: {security_level}") + + # Initialize template engine + template_engine = TemplateEngine() + + # Get available templates and validate choice + available_templates = template_engine.get_available_templates() + if template not in available_templates: + # Fall back to 'general' if the specific template doesn't exist yet + if "general" in available_templates: + print_warning( + f"Template '{template}' not available yet, using 'general' template" + ) + template = "general" + elif "base" in available_templates: + print_warning( + f"Template '{template}' not available yet, using 'base' template" + ) + template = "base" + else: + print_error( + f"No templates available. Expected templates: {available_templates}" + ) + sys.exit(1) # Create configuration config = AuditorConfig(config_dir=config_directory) + project_dir = Path.cwd() auditor_dir = config.get_config_dir() # Check if already initialized @@ -114,23 +161,65 @@ def init_command( print_info("Use --force to overwrite existing configuration") return - # Create directory structure - directories = [ - auditor_dir / "config" / "rules", - auditor_dir / "config" / "prompts", - auditor_dir / "hooks", - auditor_dir / "workflows", - ] + # Get project name from current directory + project_name = project_dir.name - for directory in directories: - directory.mkdir(parents=True, exist_ok=True) - print_success(f"Created directory: {directory}") + # Apply template using the new template engine + print_info(f"Applying {template} template...") - # Create basic configuration files - _create_config_files(auditor_dir, template) + # Custom variables for template + custom_variables = { + "project_name": project_name, + "environment": environment, + "security_level": security_level, + } + + if team_config: + custom_variables["team_config"] = team_config + + # Get default variables with environment and security level + variables = template_engine.get_default_variables( + template_type=template, + project_name=project_name, + environment=environment, + security_level=security_level, + ) + variables.update(custom_variables) + + # Apply the template + results = template_engine.apply_template( + project_dir=project_dir, + template_type=template, + project_name=project_name, + custom_variables=variables, + ) + + # Report results + if results["files_created"]: + print_success(f"AI Command Auditor initialized successfully!") + print_info(f"Configuration directory: {auditor_dir}") + print_info(f"Template applied: {template}") + print_info(f"Environment: {environment}") + print_info(f"Security level: {security_level}") + if team_config: + print_info(f"Team config: {team_config}") + print_info(f"Files created: {len(results['files_created'])}") + + for file_info in results["files_created"]: + print_success(f"Created: {file_info['file']}") + + if results["files_failed"]: + print_warning( + f"Some files could not be created: {len(results['files_failed'])}" + ) + for file_info in results["files_failed"]: + print_error(f"Failed: {file_info['file']} - {file_info['errors']}") + + if results["validation_errors"]: + print_warning("Template validation warnings:") + for error in results["validation_errors"]: + print_warning(f" - {error}") - print_success(f"AI Command Auditor initialized successfully!") - print_info(f"Configuration directory: {auditor_dir}") print_info("Next steps:") print_info(" 1. Run 'ai-auditor setup-hooks' to install git hooks") print_info(" 2. Customize rules in .ai-auditor/config/rules/") @@ -755,6 +844,101 @@ def _create_config_files( print_success(f"{action} README: {readme_file}") +@cli.command() +@click.option("--template", help="Test specific template (default: all)") +@click.option( + "--environment-tests", is_flag=True, help="Run environment-specific tests" +) +@click.pass_context +def test_templates( + ctx: click.Context, template: Optional[str], environment_tests: bool +) -> None: + """Test and validate template functionality.""" + try: + print_info("Testing AI Command Auditor templates...") + + template_engine = TemplateEngine() + + if template: + # Test specific template + print_info(f"Testing template: {template}") + + # Basic structure validation + is_valid, errors = template_engine.validate_template_structure(template) + if is_valid: + print_success(f"Template '{template}' structure is valid") + else: + print_error(f"Template '{template}' structure validation failed:") + for error in errors: + print_error(f" - {error}") + return + + # Environment tests if requested + if environment_tests: + print_info(f"Running environment tests for '{template}'...") + env_results = template_engine.test_template_with_environments(template) + + if env_results["all_passed"]: + print_success(f"All environment tests passed for '{template}'") + else: + print_warning(f"Some environment tests failed for '{template}':") + + for test in env_results["environment_tests"]: + if not test["passed"]: + print_error( + f" Environment '{test['environment']}' failed: {test['errors']}" + ) + + for test in env_results["security_level_tests"]: + if not test["passed"]: + print_error( + f" Security level '{test['security_level']}' failed: {test['errors']}" + ) + else: + # Test all templates + print_info("Testing all available templates...") + results = template_engine.validate_all_templates() + + # Print summary + summary = results["summary"] + print_info(f"Template validation summary:") + print_info(f" Total templates: {summary['total_templates']}") + print_info(f" Passed: {summary['passed']}") + print_info(f" Failed: {summary['failed']}") + print_info(f" Success rate: {summary['success_rate']:.1%}") + + # Print details for failed templates + if results["templates_failed"]: + print_warning("Failed templates:") + for failed_template in results["templates_failed"]: + print_error(f" {failed_template['template']}:") + for error in failed_template["structure_errors"]: + print_error(f" Structure: {error}") + for error in failed_template["render_errors"]: + print_error(f" Rendering: {error}") + + # Print passed templates + if results["templates_passed"]: + print_success("Passed templates:") + for passed_template in results["templates_passed"]: + print_success(f" ✓ {passed_template['template']}") + + if summary["success_rate"] == 1.0: + print_success("All templates passed validation!") + else: + print_warning( + "Some templates failed validation. Check the details above." + ) + + except Exception as e: + print_error(f"Failed to test templates: {e}") + if ctx.obj.get("verbose"): + import traceback + + traceback.print_exc() + sys.exit(1) + + def main() -> None: """Main entry point for the CLI.""" cli() diff --git a/ai_command_auditor/core/templates.py b/ai_command_auditor/core/templates.py new file mode 100644 index 0000000..cc4acd2 --- /dev/null +++ b/ai_command_auditor/core/templates.py @@ -0,0 +1,691 @@ +""" +Enhanced template engine for AI Command Auditor. + +This module provides advanced template processing capabilities including +variable substitution, template inheritance, and validation. + +Author: Etherisc +Date: 2024 +Version: 1.0 +""" + +import re +import yaml +from pathlib import Path +from typing import Any, Dict, List, Optional, Tuple, Union + +from .config import AuditorConfig + + +class TemplateEngine: + """Enhanced template engine with variable substitution and inheritance.""" + + def __init__(self, config: Optional[AuditorConfig] = None): + """ + Initialize the template engine. + + Args: + config: Optional configuration instance + """ + self.config = config or AuditorConfig() + self.variables: Dict[str, Any] = {} + self.template_dir = Path(__file__).parent.parent / "templates" + + def set_variables(self, variables: Dict[str, Any]) -> None: + """ + Set template variables for substitution. + + Args: + variables: Dictionary of variables to use in templates + """ + self.variables.update(variables) + + def get_default_variables( + self, + template_type: str, + project_name: str = "project", + environment: str = "development", + security_level: str = "standard", + ) -> Dict[str, Any]: + """ + Get default variable values for a template type. + + Args: + template_type: Type of template (python, node, rust, etc.) + project_name: Name of the project + environment: Environment type (development, staging, production) + security_level: Security level (basic, standard, strict) + + Returns: + Dictionary of default variables + """ + defaults = { + # Project information + "template_type": template_type, + "project_name": project_name, + "environment": environment, + "security_level": security_level, + "team_config": "", + # AI configuration + "ai_model": "gpt-4o", + "ai_timeout": 30, + "ai_max_retries": 3, + "ai_temperature": 0.1, + "ai_max_tokens": 1000, + # Security configuration + "security_max_command_length": 1000, + "security_allow_multiline": False, + "security_strict_mode": False, + "security_blocked_commands": "[]", + # Logging configuration + "logging_level": "INFO", + "logging_file": ".ai-auditor/logs/auditor.log", + "logging_format": "%(asctime)s - %(name)s - %(levelname)s - %(message)s", + # Validation configuration + "validation_enable_ai_check": True, + "validation_enable_rule_check": True, + "validation_require_context": False, + "validation_cache_results": True, + # Integration configuration + "integration_git_hooks": True, + "integration_ci_integration": True, + "integration_pre_commit": True, + "integration_pre_push": True, + # Policy configuration + "policy_block_on_critical": True, + "policy_warn_on_high": True, + "policy_log_all_matches": True, + "policy_require_approval_for": '["critical", "high"]', + # Context configuration + "context_include_user_history": False, + "context_include_file_context": True, + # Template description + "template_description": self._get_template_description(template_type), + } + + # Environment-specific overrides + if environment == "production": + defaults.update( + { + "security_strict_mode": True, + "security_max_command_length": 500, + "logging_level": "WARNING", + "validation_require_context": True, + "ai_temperature": 0.0, # More deterministic for production + "policy_block_on_critical": True, + "context_include_user_history": False, + } + ) + elif environment == "staging": + defaults.update( + { + "security_strict_mode": False, + "logging_level": "INFO", + "validation_require_context": True, + "ai_temperature": 0.05, + } + ) + elif environment == "development": + defaults.update( + { + "security_strict_mode": False, + "logging_level": "DEBUG", + "validation_require_context": False, + "ai_temperature": 0.1, + "context_include_user_history": True, + } + ) + + # Security level overrides + if security_level == "strict": + defaults.update( + { + "security_strict_mode": True, + "security_max_command_length": 300, + "policy_block_on_critical": True, + "policy_warn_on_high": True, + "validation_require_context": True, + "ai_temperature": 0.0, + } + ) + elif security_level == "basic": + defaults.update( + { + "security_strict_mode": False, + "security_max_command_length": 2000, + "policy_block_on_critical": False, + "policy_warn_on_high": False, + "validation_require_context": False, + } + ) + + # Template-specific overrides + if template_type == "python": + defaults.update( + { + "ai_model": "gpt-4o", + "security_blocked_commands": '["eval", "exec", "__import__"]', + "validation_require_context": True, + } + ) + elif template_type == "node": + defaults.update( + { + "security_blocked_commands": '["eval", "Function", "vm.runInThisContext"]', + "validation_require_context": True, + } + ) + elif template_type == "rust": + defaults.update( + { + "security_max_command_length": 500, + "security_blocked_commands": '["unsafe", "transmute"]', + } + ) + elif template_type == "security": + defaults.update( + { + "security_strict_mode": True, + "security_max_command_length": 500, + "policy_block_on_critical": True, + "validation_require_context": True, + "ai_temperature": 0.0, # More deterministic for security + } + ) + elif template_type == "general": + # Use defaults as-is + pass + + return defaults + + def _get_template_description(self, template_type: str) -> str: + """Get description for a template type.""" + descriptions = { + "python": "Python-specific security rules, virtual environment detection, and package management integration", + "node": "Node.js/npm security scanning, framework-specific rules, and package.json validation", + "rust": "Rust-specific security patterns, Cargo.toml validation, and memory safety checks", + "security": "Stricter validation rules, compliance framework integration, and advanced threat detection", + "general": "Language-agnostic rules, universal security patterns, and basic CI/CD integration", + "base": "Foundation template providing core functionality for all other templates", + } + return descriptions.get( + template_type, f"Configuration template for {template_type} projects" + ) + + def load_template(self, template_type: str, file_name: str) -> str: + """ + Load a template file with inheritance support. + + Args: + template_type: Type of template (python, node, rust, etc.) + file_name: Name of the template file to load + + Returns: + Template content as string + + Raises: + FileNotFoundError: If template file doesn't exist + """ + # First try specific template type + template_path = self.template_dir / template_type / file_name + + if template_path.exists(): + with open(template_path, "r", encoding="utf-8") as f: + return f.read() + + # Fall back to base template + base_path = self.template_dir / "base" / file_name + if base_path.exists(): + with open(base_path, "r", encoding="utf-8") as f: + return f.read() + + raise FileNotFoundError( + f"Template '{file_name}' not found for type '{template_type}'" + ) + + def render_template( + self, template: str, variables: Optional[Dict[str, Any]] = None + ) -> str: + """ + Render template with variable substitution. + + Args: + template: Template string to render + variables: Variables to use for substitution (optional) + + Returns: + Rendered template string + """ + # Merge provided variables with instance variables + render_vars = self.variables.copy() + if variables: + render_vars.update(variables) + + # Simple variable substitution using ${variable} syntax + def substitute_variable(match): + var_name = match.group(1) + value = render_vars.get( + var_name, f"${{{var_name}}}" + ) # Keep original if not found + return str(value) + + # Replace ${variable} patterns + result = re.sub(r"\$\{([^}]+)\}", substitute_variable, template) + + return result + + def validate_output(self, content: str, file_type: str) -> Tuple[bool, List[str]]: + """ + Validate rendered template content. + + Args: + content: Rendered template content + file_type: Type of file (yml, yaml, md, etc.) + + Returns: + Tuple of (is_valid, list_of_errors) + """ + errors: List[str] = [] + + # YAML validation for config files + if file_type.lower() in ["yml", "yaml"]: + try: + yaml.safe_load(content) + except yaml.YAMLError as e: + errors.append(f"YAML syntax error: {e}") + + # Check for unresolved variables + unresolved = re.findall(r"\$\{([^}]+)\}", content) + if unresolved: + errors.append(f"Unresolved variables: {', '.join(unresolved)}") + + # Basic content validation + if not content.strip(): + errors.append("Template produced empty content") + + return len(errors) == 0, errors + + def apply_template( + self, + project_dir: Path, + template_type: str, + project_name: str = "project", + custom_variables: Optional[Dict[str, Any]] = None, + ) -> Dict[str, Any]: + """ + Apply complete template set to project directory. + + Args: + project_dir: Directory to create configuration in + template_type: Type of template to apply + project_name: Name of the project + custom_variables: Custom variables to override defaults + + Returns: + Dictionary containing results of template application + """ + # Prepare variables + variables = self.get_default_variables(template_type, project_name) + if custom_variables: + variables.update(custom_variables) + + self.set_variables(variables) + + # Create directory structure + config_dir = project_dir / ".ai-auditor" + directories = [ + config_dir / "config" / "rules", + config_dir / "config" / "prompts", + config_dir / "hooks", + config_dir / "workflows", + config_dir / "logs", + ] + + for directory in directories: + directory.mkdir(parents=True, exist_ok=True) + + # Template files to process + template_files = [ + ("auditor.yml.template", "config/auditor.yml"), + ("security-rules.yml.template", "config/rules/security-rules.yml"), + ("openai-prompts.yml.template", "config/prompts/openai-prompts.yml"), + ("README.md.template", "README.md"), + ] + + results = { + "template_type": template_type, + "project_name": project_name, + "files_created": [], + "files_failed": [], + "variables_used": variables, + "validation_errors": [], + } + + # Process each template file + for template_file, output_file in template_files: + try: + # Load and render template + template_content = self.load_template(template_type, template_file) + rendered_content = self.render_template(template_content) + + # Validate rendered content + file_ext = Path(output_file).suffix.lstrip(".") + is_valid, validation_errors = self.validate_output( + rendered_content, file_ext + ) + + if not is_valid: + results["files_failed"].append( + { + "file": output_file, + "template": template_file, + "errors": validation_errors, + } + ) + results["validation_errors"].extend(validation_errors) + continue + + # Write rendered content + output_path = config_dir / output_file + with open(output_path, "w", encoding="utf-8") as f: + f.write(rendered_content) + + results["files_created"].append( + { + "file": str(output_path), + "template": template_file, + "size": len(rendered_content), + } + ) + + except Exception as e: + results["files_failed"].append( + {"file": output_file, "template": template_file, "errors": [str(e)]} + ) + + return results + + def get_available_templates(self) -> List[str]: + """ + Get list of available template types. + + Returns: + List of template names + """ + templates = [] + for item in self.template_dir.iterdir(): + if item.is_dir() and not item.name.startswith("__"): + # Verify template has required files + required_files = [ + "auditor.yml.template", + "security-rules.yml.template", + "openai-prompts.yml.template", + ] + if all((item / f).exists() for f in required_files): + templates.append(item.name) + return sorted(templates) + + def validate_template_structure(self, template_type: str) -> Tuple[bool, List[str]]: + """ + Validate that a template has the required structure. + + Args: + template_type: Name of template to validate + + Returns: + Tuple of (is_valid, list_of_errors) + """ + errors: List[str] = [] + template_dir = self.template_dir / template_type + + if not template_dir.exists(): + errors.append(f"Template directory '{template_type}' does not exist") + return False, errors + + # Check required files + required_files = [ + "auditor.yml.template", + "security-rules.yml.template", + "openai-prompts.yml.template", + ] + + for file_name in required_files: + file_path = template_dir / file_name + if not file_path.exists(): + errors.append(f"Required template file missing: {file_name}") + else: + # Try to load and validate syntax + try: + with open(file_path, "r", encoding="utf-8") as f: + content = f.read() + + # Basic template syntax validation + if not content.strip(): + errors.append(f"Template file is empty: {file_name}") + + except Exception as e: + errors.append(f"Cannot read template file {file_name}: {e}") + + return len(errors) == 0, errors + + def validate_all_templates(self) -> Dict[str, Any]: + """ + Validate all available templates. + + Returns: + Dictionary containing validation results for all templates + """ + results: Dict[str, Any] = { + "templates_tested": [], + "templates_passed": [], + "templates_failed": [], + "validation_errors": [], + "summary": {}, + } + + available_templates = self.get_available_templates() + + for template_type in available_templates: + print(f"Validating template: {template_type}") + + # Test template structure + is_valid, errors = self.validate_template_structure(template_type) + + template_result: Dict[str, Any] = { + "template": template_type, + "structure_valid": is_valid, + "structure_errors": errors, + "render_test_passed": False, + "render_errors": [], + } + + results["templates_tested"].append(template_type) + + if is_valid: + # Test template rendering + try: + test_variables = self.get_default_variables( + template_type, "test-project" + ) + + # Test each template file + template_files = [ + "auditor.yml.template", + "security-rules.yml.template", + "openai-prompts.yml.template", + "README.md.template", + ] + + render_success = True + for template_file in template_files: + try: + template_content = self.load_template( + template_type, template_file + ) + rendered_content = self.render_template( + template_content, test_variables + ) + + # Validate rendered content + file_ext = ( + Path(template_file) + .suffix.replace(".template", "") + .lstrip(".") + ) + content_valid, content_errors = self.validate_output( + rendered_content, file_ext + ) + + if not content_valid: + template_result["render_errors"].extend(content_errors) + render_success = False + + except Exception as e: + template_result["render_errors"].append( + f"Failed to render {template_file}: {e}" + ) + render_success = False + + template_result["render_test_passed"] = render_success + + except Exception as e: + template_result["render_errors"].append( + f"Template rendering failed: {e}" + ) + + # Categorize results + if ( + template_result["structure_valid"] + and template_result["render_test_passed"] + ): + results["templates_passed"].append(template_result) + else: + results["templates_failed"].append(template_result) + results["validation_errors"].extend(template_result["structure_errors"]) + results["validation_errors"].extend(template_result["render_errors"]) + + # Generate summary + results["summary"] = { + "total_templates": len(available_templates), + "passed": len(results["templates_passed"]), + "failed": len(results["templates_failed"]), + "success_rate": ( + len(results["templates_passed"]) / len(available_templates) + if available_templates + else 0 + ), + } + + return results + + def test_template_with_environments(self, template_type: str) -> Dict[str, Any]: + """ + Test a template with different environment and security level combinations. + + Args: + template_type: Name of template to test + + Returns: + Dictionary containing test results + """ + results = { + "template": template_type, + "environment_tests": [], + "security_level_tests": [], + "combination_tests": [], + "all_passed": True, + } + + environments = ["development", "staging", "production"] + security_levels = ["basic", "standard", "strict"] + + # Test each environment + for env in environments: + try: + variables = self.get_default_variables( + template_type, "test-project", env, "standard" + ) + template_content = self.load_template( + template_type, "auditor.yml.template" + ) + rendered_content = self.render_template(template_content, variables) + + is_valid, errors = self.validate_output(rendered_content, "yml") + + results["environment_tests"].append( + {"environment": env, "passed": is_valid, "errors": errors} + ) + + if not is_valid: + results["all_passed"] = False + + except Exception as e: + results["environment_tests"].append( + {"environment": env, "passed": False, "errors": [str(e)]} + ) + results["all_passed"] = False + + # Test each security level + for sec_level in security_levels: + try: + variables = self.get_default_variables( + template_type, "test-project", "development", sec_level + ) + template_content = self.load_template( + template_type, "auditor.yml.template" + ) + rendered_content = self.render_template(template_content, variables) + + is_valid, errors = self.validate_output(rendered_content, "yml") + + results["security_level_tests"].append( + {"security_level": sec_level, "passed": is_valid, "errors": errors} + ) + + if not is_valid: + results["all_passed"] = False + + except Exception as e: + results["security_level_tests"].append( + {"security_level": sec_level, "passed": False, "errors": [str(e)]} + ) + results["all_passed"] = False + + # Test combinations + for env in environments: + for sec_level in security_levels: + try: + variables = self.get_default_variables( + template_type, "test-project", env, sec_level + ) + template_content = self.load_template( + template_type, "auditor.yml.template" + ) + rendered_content = self.render_template(template_content, variables) + + is_valid, errors = self.validate_output(rendered_content, "yml") + + results["combination_tests"].append( + { + "environment": env, + "security_level": sec_level, + "passed": is_valid, + "errors": errors, + } + ) + + if not is_valid: + results["all_passed"] = False + + except Exception as e: + results["combination_tests"].append( + { + "environment": env, + "security_level": sec_level, + "passed": False, + "errors": [str(e)], + } + ) + results["all_passed"] = False + + return results diff --git a/ai_command_auditor/templates/__init__.py b/ai_command_auditor/templates/__init__.py new file mode 100644 index 0000000..a42b51f --- /dev/null +++ b/ai_command_auditor/templates/__init__.py @@ -0,0 +1,91 @@ +""" +Template system for AI Command Auditor. + +This module provides template discovery, loading, and validation functionality +for different project types and configurations. + +Author: Etherisc +Date: 2024 +Version: 1.0 +""" + +from pathlib import Path +from typing import List + +# Template directory structure +TEMPLATE_DIR = Path(__file__).parent + + +def get_available_templates() -> List[str]: + """ + Get list of available template types. + + Returns: + List of template names (directory names) + """ + template_types = [] + for item in TEMPLATE_DIR.iterdir(): + if item.is_dir() and not item.name.startswith("__"): + template_types.append(item.name) + return sorted(template_types) + + +def get_template_dir(template_type: str) -> Path: + """ + Get the directory path for a specific template type. + + Args: + template_type: Name of the template (e.g., 'python', 'node', 'general') + + Returns: + Path to the template directory + + Raises: + ValueError: If template type is not found + """ + template_dir = TEMPLATE_DIR / template_type + if not template_dir.exists(): + available = get_available_templates() + raise ValueError( + f"Template '{template_type}' not found. Available: {available}" + ) + + return template_dir + + +def validate_template_structure(template_type: str) -> bool: + """ + Validate that a template has the required structure. + + Args: + template_type: Name of the template to validate + + Returns: + True if template structure is valid + """ + try: + template_dir = get_template_dir(template_type) + + # Check for required template files + required_files = [ + "auditor.yml.template", + "security-rules.yml.template", + "openai-prompts.yml.template", + ] + + for file_name in required_files: + if not (template_dir / file_name).exists(): + return False + + return True + + except ValueError: + return False + + +__all__ = [ + "TEMPLATE_DIR", + "get_available_templates", + "get_template_dir", + "validate_template_structure", +] diff --git a/ai_command_auditor/templates/base/README.md.template b/ai_command_auditor/templates/base/README.md.template new file mode 100644 index 0000000..bdeb5c8 --- /dev/null +++ b/ai_command_auditor/templates/base/README.md.template @@ -0,0 +1,223 @@ +# AI Command Auditor Configuration + +This directory contains the AI Command Auditor configuration for the **${project_name}** project. + +## Template Information + +- **Template Type**: ${template_type} +- **Version**: 1.0.0 +- **Environment**: ${environment} +- **Created**: $(date) + +## Directory Structure + +``` +.ai-auditor/ +├── config/ +│ ├── auditor.yml # Main configuration +│ ├── rules/ +│ │ └── security-rules.yml # Security validation rules +│ └── prompts/ +│ └── openai-prompts.yml # AI validation prompts +├── hooks/ # Git hook scripts +├── workflows/ # GitHub Actions templates +└── README.md # This file +``` + +## Configuration Files + +### Main Configuration (`config/auditor.yml`) + +Controls the core behavior of the AI Command Auditor: + +- **AI Settings**: Model configuration, timeouts, and retry logic +- **Security Settings**: Command length limits, multiline handling, strict mode +- **Logging**: Log levels, output formats, and file locations +- **Validation**: Rule checking, AI analysis, and caching options +- **Integration**: Git hooks, CI/CD pipeline integration + +### Security Rules (`config/rules/security-rules.yml`) + +Defines patterns for dangerous commands that should be blocked or flagged: + +- **Dangerous Patterns**: Critical security risks that are blocked +- **Suspicious Patterns**: Commands that warrant attention +- **Injection Patterns**: Common command injection techniques +- **Policy Configuration**: Action thresholds and approval workflows + +Each rule specifies: +- `pattern`: Regular expression to match commands +- `severity`: critical, high, medium, low +- `action`: block, warn, log +- `message`: Human-readable explanation + +### AI Prompts (`config/prompts/openai-prompts.yml`) + +Templates for AI-powered command analysis: + +- **Security Analysis**: Primary threat assessment +- **Code Review**: Development command validation +- **Compliance Analysis**: Policy compliance checking +- **Performance Analysis**: Resource impact assessment +- **Educational Analysis**: Learning-focused explanations + +## Usage + +### Command Validation + +Test commands before execution: + +```bash +# Test a single command +ai-auditor check-command "rm -rf temp/" + +# Test with additional context +ai-auditor check-command "npm install package" --context "Installing dependencies" + +# Get JSON output for automation +ai-auditor check-command "sudo systemctl restart service" --json +``` + +### Setup and Maintenance + +```bash +# Validate your configuration +ai-auditor validate-setup + +# Update configuration templates +ai-auditor update-config + +# Reinstall git hooks +ai-auditor setup-hooks --force +``` + +### Integration + +The AI Command Auditor integrates with: + +- **Git Hooks**: Validates commands in commit messages and scripts +- **CI/CD Pipelines**: Analyzes deployment and build commands +- **Development Workflow**: Real-time validation during development + +## Customization + +### Adding Custom Rules + +Edit `config/rules/security-rules.yml` to add project-specific patterns: + +```yaml +dangerous_patterns: + - pattern: 'your-custom-pattern' + severity: high + message: "Description of the risk" + action: warn +``` + +### Modifying AI Prompts + +Customize `config/prompts/openai-prompts.yml` for your use case: + +```yaml +prompts: + custom_analysis: | + Your custom prompt template here. + Command: {command} + Context: {context} +``` + +### Environment-Specific Configuration + +For different environments (dev, staging, prod), create separate configurations: + +```bash +# Initialize for production with strict settings +ai-auditor init --template security --force + +# Use environment-specific config directory +ai-auditor --config-dir .ai-auditor-prod validate-setup +``` + +## Security Considerations + +### API Key Management + +The AI Command Auditor requires an OpenAI API key: + +```bash +# Set via environment variable (recommended) +export OPENAI_API_KEY="your-api-key-here" + +# Or configure in your shell profile +echo 'export OPENAI_API_KEY="your-key"' >> ~/.bashrc +``` + +**Important**: Never commit API keys to version control. + +### Data Privacy + +- Commands are sent to OpenAI for analysis +- Consider using local models for sensitive environments +- Review OpenAI's data usage policies +- Use environment variables for sensitive context + +### Access Control + +- Restrict write access to `.ai-auditor/` directory +- Use team configurations for shared settings +- Implement approval workflows for configuration changes + +## Troubleshooting + +### Common Issues + +1. **API Key Not Found** + ```bash + export OPENAI_API_KEY="your-key" + ai-auditor validate-setup + ``` + +2. **Git Hooks Not Working** + ```bash + ai-auditor setup-hooks --force + ``` + +3. **Template Validation Errors** + ```bash + ai-auditor validate-setup --verbose + ``` + +### Debug Mode + +Enable verbose logging for troubleshooting: + +```bash +ai-auditor --verbose check-command "problematic command" +``` + +### Log Files + +Check logs for detailed error information: + +```bash +# Default log location +tail -f ${logging_file} + +# Or check system logs +journalctl -u ai-command-auditor +``` + +## Support + +For help and support: + +- Documentation: [AI Command Auditor Wiki](https://github.com/etherisc/ai-command-auditor/wiki) +- Issues: [GitHub Issues](https://github.com/etherisc/ai-command-auditor/issues) +- Discussions: [GitHub Discussions](https://github.com/etherisc/ai-command-auditor/discussions) + +## Template: ${template_type} + +This configuration was created using the **${template_type}** template, which includes: + +${template_description} + +For template-specific documentation and examples, see the [${template_type} template guide](https://github.com/etherisc/ai-command-auditor/wiki/Templates/${template_type}). \ No newline at end of file diff --git a/ai_command_auditor/templates/base/auditor.yml.template b/ai_command_auditor/templates/base/auditor.yml.template new file mode 100644 index 0000000..52a6046 --- /dev/null +++ b/ai_command_auditor/templates/base/auditor.yml.template @@ -0,0 +1,46 @@ +# AI Command Auditor Base Configuration Template +# This template provides the foundation for all project types + +version: "1.0.0" +template: "${template_type}" +project_name: "${project_name}" + +# AI Configuration +ai: + model: "${ai_model}" + timeout: ${ai_timeout} + max_retries: ${ai_max_retries} + temperature: ${ai_temperature} + max_tokens: ${ai_max_tokens} + +# Security Configuration +security: + enabled: true + max_command_length: ${security_max_command_length} + allow_multiline: ${security_allow_multiline} + strict_mode: ${security_strict_mode} + blocked_commands: ${security_blocked_commands} + +# Logging Configuration +logging: + level: "${logging_level}" + file: "${logging_file}" + format: "${logging_format}" + +# Validation Configuration +validation: + enable_ai_check: ${validation_enable_ai_check} + enable_rule_check: ${validation_enable_rule_check} + require_context: ${validation_require_context} + cache_results: ${validation_cache_results} + +# Integration Configuration +integration: + git_hooks: ${integration_git_hooks} + ci_integration: ${integration_ci_integration} + pre_commit: ${integration_pre_commit} + pre_push: ${integration_pre_push} + +# Environment Configuration +environment: "${environment}" +team_config: "${team_config}" \ No newline at end of file diff --git a/ai_command_auditor/templates/base/openai-prompts.yml.template b/ai_command_auditor/templates/base/openai-prompts.yml.template new file mode 100644 index 0000000..a7d5739 --- /dev/null +++ b/ai_command_auditor/templates/base/openai-prompts.yml.template @@ -0,0 +1,114 @@ +# AI Command Auditor Base OpenAI Prompts Template +# This template provides core AI prompts for all project types + +version: "1.0.0" +template: "${template_type}" + +# Core prompts for security analysis +prompts: + # Primary security analysis prompt + security_analysis: | + You are a security expert analyzing shell commands for potential risks. + + Command to analyze: {command} + Context: {context} + Environment: ${environment} + Project type: ${template_type} + + Please analyze this command for: + 1. Security vulnerabilities + 2. Potential for system damage + 3. Malicious behavior patterns + 4. Data exfiltration risks + 5. Privilege escalation attempts + + Rate the security risk on a scale of 1-10 and provide: + - Risk score (1-10) + - Risk category (low/medium/high/critical) + - Specific concerns found + - Recommended action (allow/warn/block) + - Safer alternatives if blocking + + Respond in JSON format: + { + "risk_score": <1-10>, + "risk_category": "", + "action": "", + "concerns": ["", ""], + "message": "", + "alternatives": ["", ""] + } + + # Code review prompt for development commands + code_review: | + Analyze this development command for code quality and security: + + Command: {command} + File context: {file_context} + Project: ${project_name} + + Check for: + - Security vulnerabilities + - Code quality issues + - Best practice violations + - Performance implications + + Provide structured feedback in JSON format. + + # Compliance analysis for regulated environments + compliance_analysis: | + Review this command for compliance with security policies: + + Command: {command} + Policy level: ${security_strict_mode} + Environment: ${environment} + + Verify compliance with: + - Data handling requirements + - Access control policies + - Audit trail requirements + - Change management procedures + + Report any compliance violations found. + + # Performance impact analysis + performance_analysis: | + Analyze the potential performance impact of this command: + + Command: {command} + System context: {system_context} + + Consider: + - Resource consumption (CPU, memory, disk, network) + - Execution time estimates + - System load impact + - Potential bottlenecks + + Provide recommendations for optimization if needed. + + # Educational prompts for learning + educational_analysis: | + Explain this command in educational terms: + + Command: {command} + User level: {user_level} + + Provide: + - What the command does + - Why it might be risky + - How to use it safely + - Learning resources for better alternatives + +# Prompt configuration +prompt_config: + max_tokens: ${ai_max_tokens} + temperature: ${ai_temperature} + model: "${ai_model}" + timeout: ${ai_timeout} + +# Context injection settings +context: + include_environment: true + include_project_info: true + include_user_history: ${context_include_user_history} + include_file_context: ${context_include_file_context} \ No newline at end of file diff --git a/ai_command_auditor/templates/base/security-rules.yml.template b/ai_command_auditor/templates/base/security-rules.yml.template new file mode 100644 index 0000000..15a8764 --- /dev/null +++ b/ai_command_auditor/templates/base/security-rules.yml.template @@ -0,0 +1,102 @@ +# AI Command Auditor Base Security Rules Template +# This template provides core security rules for all project types + +version: "1.0.0" +template: "${template_type}" + +# Core dangerous patterns that apply to all environments +dangerous_patterns: + # File system operations + - pattern: 'rm\s+-rf\s+/' + severity: critical + message: "Attempting to delete root directory" + action: block + + - pattern: 'rm\s+-rf\s+\*' + severity: high + message: "Recursive deletion with wildcard" + action: block + + - pattern: 'chmod\s+777' + severity: high + message: "Setting dangerous file permissions (777)" + action: warn + + - pattern: 'sudo\s+chmod\s+777' + severity: critical + message: "Setting dangerous file permissions with sudo" + action: block + + # Network operations + - pattern: 'curl.*\|\s*(bash|sh)' + severity: high + message: "Piping download directly to shell execution" + action: block + + - pattern: 'wget.*\|\s*(bash|sh)' + severity: high + message: "Piping download directly to shell execution" + action: block + + # Process operations + - pattern: ':\(\)\{\s*:\|:&\s*\};:' + severity: critical + message: "Fork bomb detected" + action: block + + - pattern: 'kill\s+-9\s+1' + severity: critical + message: "Attempting to kill init process" + action: block + + # Data operations + - pattern: 'dd\s+if=/dev/zero' + severity: high + message: "Potential disk space exhaustion" + action: warn + + - pattern: '>\s*/dev/sd[a-z]' + severity: critical + message: "Writing directly to disk device" + action: block + +# Suspicious patterns that warrant attention +suspicious_patterns: + - pattern: 'base64.*decode' + severity: medium + message: "Base64 decoding operation" + action: warn + + - pattern: 'nc\s+-l' + severity: medium + message: "Starting netcat listener" + action: warn + + - pattern: 'nohup.*&' + severity: low + message: "Background process creation" + action: log + +# Command injection patterns +injection_patterns: + - pattern: '.*;.*' + severity: medium + message: "Command chaining detected" + action: warn + + - pattern: '.*\|\|.*' + severity: low + message: "Conditional command execution" + action: log + + - pattern: '.*&&.*' + severity: low + message: "Conditional command execution" + action: log + +# Security policy configuration +policy: + block_on_critical: ${policy_block_on_critical} + warn_on_high: ${policy_warn_on_high} + log_all_matches: ${policy_log_all_matches} + require_approval_for: ${policy_require_approval_for} \ No newline at end of file diff --git a/ai_command_auditor/templates/general/auditor.yml.template b/ai_command_auditor/templates/general/auditor.yml.template new file mode 100644 index 0000000..cb8fbf1 --- /dev/null +++ b/ai_command_auditor/templates/general/auditor.yml.template @@ -0,0 +1,46 @@ +# AI Command Auditor General Configuration Template +# Language-agnostic configuration suitable for any project type + +version: "1.0.0" +template: "${template_type}" +project_name: "${project_name}" + +# AI Configuration - Balanced settings for general use +ai: + model: "${ai_model}" + timeout: ${ai_timeout} + max_retries: ${ai_max_retries} + temperature: ${ai_temperature} + max_tokens: ${ai_max_tokens} + +# Security Configuration - General security settings +security: + enabled: true + max_command_length: ${security_max_command_length} + allow_multiline: ${security_allow_multiline} + strict_mode: ${security_strict_mode} + blocked_commands: ${security_blocked_commands} + +# Logging Configuration +logging: + level: "${logging_level}" + file: "${logging_file}" + format: "${logging_format}" + +# Validation Configuration - Standard validation settings +validation: + enable_ai_check: ${validation_enable_ai_check} + enable_rule_check: ${validation_enable_rule_check} + require_context: ${validation_require_context} + cache_results: ${validation_cache_results} + +# Integration Configuration +integration: + git_hooks: ${integration_git_hooks} + ci_integration: ${integration_ci_integration} + pre_commit: ${integration_pre_commit} + pre_push: ${integration_pre_push} + +# Environment Configuration +environment: "${environment}" +team_config: "${team_config}" \ No newline at end of file diff --git a/ai_command_auditor/templates/general/openai-prompts.yml.template b/ai_command_auditor/templates/general/openai-prompts.yml.template new file mode 100644 index 0000000..7727f8d --- /dev/null +++ b/ai_command_auditor/templates/general/openai-prompts.yml.template @@ -0,0 +1,142 @@ +# AI Command Auditor General OpenAI Prompts Template +# Language-agnostic AI prompts for universal use + +version: "1.0.0" +template: "${template_type}" + +# General-purpose prompts +prompts: + # Primary security analysis for any project type + security_analysis: | + You are a security expert analyzing shell commands for potential risks in a general development environment. + + Command to analyze: {command} + Context: {context} + Environment: ${environment} + Project: ${project_name} + + Please analyze this command for general security issues: + 1. File system security risks + 2. Network security concerns + 3. Process and privilege escalation + 4. Data integrity threats + 5. Command injection vulnerabilities + 6. System resource abuse + 7. Malicious behavior patterns + + Rate the security risk on a scale of 1-10 and provide: + - Risk score (1-10) + - Risk category (low/medium/high/critical) + - Specific security concerns found + - Recommended action (allow/warn/block) + - Safer alternatives if blocking + + Respond in JSON format: + { + "risk_score": <1-10>, + "risk_category": "", + "action": "", + "concerns": ["", ""], + "message": "", + "alternatives": ["", ""] + } + + # General code and command review + general_review: | + Analyze this command for security and best practices: + + Command: {command} + Context: {context} + Project type: General development + + Check for: + - Security vulnerabilities + - Best practice violations + - Potential system risks + - Data security concerns + - Resource usage implications + + Provide structured feedback with general recommendations. + + # System administration analysis + sysadmin_analysis: | + Analyze this system administration command: + + Command: {command} + System context: {system_context} + Privilege level: {privilege_level} + + Evaluate: + - System security impact + - Administrative privilege usage + - Service and process management + - File system and permission changes + - Network configuration changes + - Backup and recovery implications + + Provide system administration security recommendations. + + # Development workflow analysis + dev_workflow_analysis: | + Analyze this development workflow command: + + Command: {command} + Development stage: {dev_stage} + Project phase: {project_phase} + + Evaluate: + - Development security practices + - Build and deployment safety + - Version control security + - Dependency management + - Testing and quality assurance + - CI/CD pipeline integration + + Recommend secure development practices. + + # General compliance analysis + compliance_analysis: | + Review this command for general compliance and policy adherence: + + Command: {command} + Policy level: ${security_strict_mode} + Environment: ${environment} + + Verify compliance with: + - General security policies + - Data handling requirements + - Access control principles + - Audit and logging requirements + - Change management procedures + + Report any policy violations or concerns. + + # Educational general analysis + educational_analysis: | + Explain this command for general learning purposes: + + Command: {command} + User level: {user_level} + Learning context: {learning_context} + + Provide: + - What the command does + - Why it might be risky + - How to use it safely + - General security principles involved + - Best practices for similar commands + - Learning resources for secure command usage + +# General prompt configuration +prompt_config: + max_tokens: ${ai_max_tokens} + temperature: ${ai_temperature} + model: "${ai_model}" + timeout: ${ai_timeout} + +# Context injection settings +context: + include_environment: true + include_project_info: true + include_user_history: ${context_include_user_history} + include_file_context: ${context_include_file_context} \ No newline at end of file diff --git a/ai_command_auditor/templates/general/security-rules.yml.template b/ai_command_auditor/templates/general/security-rules.yml.template new file mode 100644 index 0000000..0252991 --- /dev/null +++ b/ai_command_auditor/templates/general/security-rules.yml.template @@ -0,0 +1,120 @@ +# AI Command Auditor General Security Rules Template +# Language-agnostic security rules suitable for any project type + +version: "1.0.0" +template: "${template_type}" + +# Core dangerous patterns (inherits from base template) +dangerous_patterns: + # File system operations + - pattern: 'rm\s+-rf\s+/' + severity: critical + message: "Attempting to delete root directory" + action: block + + - pattern: 'rm\s+-rf\s+\*' + severity: high + message: "Recursive deletion with wildcard" + action: block + + - pattern: 'chmod\s+777' + severity: high + message: "Setting dangerous file permissions (777)" + action: warn + + - pattern: 'sudo\s+chmod\s+777' + severity: critical + message: "Setting dangerous file permissions with sudo" + action: block + + # Network operations + - pattern: 'curl.*\|\s*(bash|sh)' + severity: high + message: "Piping download directly to shell execution" + action: block + + - pattern: 'wget.*\|\s*(bash|sh)' + severity: high + message: "Piping download directly to shell execution" + action: block + + # Process operations + - pattern: ':\(\)\{\s*:\|:&\s*\};:' + severity: critical + message: "Fork bomb detected" + action: block + + - pattern: 'kill\s+-9\s+1' + severity: critical + message: "Attempting to kill init process" + action: block + + # Data operations + - pattern: 'dd\s+if=/dev/zero' + severity: high + message: "Potential disk space exhaustion" + action: warn + + - pattern: '>\s*/dev/sd[a-z]' + severity: critical + message: "Writing directly to disk device" + action: block + +# General suspicious patterns +suspicious_patterns: + - pattern: 'base64.*decode' + severity: medium + message: "Base64 decoding operation" + action: warn + + - pattern: 'nc\s+-l' + severity: medium + message: "Starting netcat listener" + action: warn + + - pattern: 'nohup.*&' + severity: low + message: "Background process creation" + action: log + +# Command injection patterns +injection_patterns: + - pattern: '.*;.*' + severity: medium + message: "Command chaining detected" + action: warn + + - pattern: '.*\|\|.*' + severity: low + message: "Conditional command execution" + action: log + + - pattern: '.*&&.*' + severity: low + message: "Conditional command execution" + action: log + +# General development patterns +development_patterns: + # Package managers + safe_commands: + - 'make' + - 'make install' + - 'make clean' + - 'git' + - 'docker build' + - 'docker run' + + # Potentially risky but common + review_commands: + - pattern: 'sudo\s+make\s+install' + severity: medium + message: "Installing software with elevated privileges" + action: warn + +# Security policy configuration +policy: + block_on_critical: ${policy_block_on_critical} + warn_on_high: ${policy_warn_on_high} + log_all_matches: ${policy_log_all_matches} + require_approval_for: ${policy_require_approval_for} \ No newline at end of file diff --git a/ai_command_auditor/templates/python/auditor.yml.template b/ai_command_auditor/templates/python/auditor.yml.template new file mode 100644 index 0000000..f69bd4e --- /dev/null +++ b/ai_command_auditor/templates/python/auditor.yml.template @@ -0,0 +1,70 @@ +# AI Command Auditor Python Configuration Template +# Specialized configuration for Python development projects + +version: "1.0.0" +template: "${template_type}" +project_name: "${project_name}" + +# AI Configuration - Optimized for Python analysis +ai: + model: "${ai_model}" + timeout: ${ai_timeout} + max_retries: ${ai_max_retries} + temperature: ${ai_temperature} + max_tokens: ${ai_max_tokens} + +# Security Configuration - Python-specific security settings +security: + enabled: true + max_command_length: ${security_max_command_length} + allow_multiline: ${security_allow_multiline} + strict_mode: ${security_strict_mode} + blocked_commands: ${security_blocked_commands} + + # Python-specific security settings + python_specific: true + check_imports: true + validate_pip_commands: true + virtual_env_detection: true + +# Logging Configuration +logging: + level: "${logging_level}" + file: "${logging_file}" + format: "${logging_format}" + +# Validation Configuration - Enhanced for Python +validation: + enable_ai_check: ${validation_enable_ai_check} + enable_rule_check: ${validation_enable_rule_check} + require_context: ${validation_require_context} + cache_results: ${validation_cache_results} + + # Python-specific validation + check_syntax: true + validate_requirements: true + check_virtual_env: true + +# Integration Configuration +integration: + git_hooks: ${integration_git_hooks} + ci_integration: ${integration_ci_integration} + pre_commit: ${integration_pre_commit} + pre_push: ${integration_pre_push} + + # Python tool integration + pytest_integration: true + black_integration: true + pylint_integration: true + mypy_integration: true + +# Python Development Configuration +python: + version_check: true + virtual_env_required: false + package_managers: ["pip", "poetry", "conda", "pipenv"] + frameworks: ["django", "flask", "fastapi", "pytest"] + +# Environment Configuration +environment: "${environment}" +team_config: "${team_config}" \ No newline at end of file diff --git a/ai_command_auditor/templates/python/openai-prompts.yml.template b/ai_command_auditor/templates/python/openai-prompts.yml.template new file mode 100644 index 0000000..1a855b9 --- /dev/null +++ b/ai_command_auditor/templates/python/openai-prompts.yml.template @@ -0,0 +1,198 @@ +# AI Command Auditor Python OpenAI Prompts Template +# Python-specific AI prompts for enhanced analysis + +version: "1.0.0" +template: "${template_type}" + +# Python-enhanced prompts +prompts: + # Primary security analysis with Python focus + security_analysis: | + You are a Python security expert analyzing shell commands and Python code for potential risks. + + Command to analyze: {command} + Context: {context} + Environment: ${environment} + Project type: Python (${template_type}) + Project: ${project_name} + + Please analyze this command/code for Python-specific security issues: + 1. Code injection vulnerabilities (eval, exec, compile) + 2. Deserialization attacks (pickle, dill) + 3. Command injection (subprocess with shell=True, os.system) + 4. Path traversal and file system attacks + 5. Package installation security (pip, trusted hosts) + 6. Import hijacking and dynamic imports + 7. Virtual environment bypass attempts + 8. Framework-specific vulnerabilities (Django, Flask, etc.) + + Rate the security risk on a scale of 1-10 and provide: + - Risk score (1-10) + - Risk category (low/medium/high/critical) + - Python-specific concerns found + - Recommended action (allow/warn/block) + - Safer Python alternatives if blocking + + Respond in JSON format: + { + "risk_score": <1-10>, + "risk_category": "", + "action": "", + "concerns": ["", ""], + "message": "", + "alternatives": ["", ""], + "python_specific": { + "code_execution_risk": , + "deserialization_risk": , + "import_risk": , + "package_risk": + } + } + + # Python code review prompt + python_code_review: | + Analyze this Python command/code for security and quality: + + Command: {command} + File context: {file_context} + Project: ${project_name} + Virtual environment: {virtual_env} + + Check for: + - Security vulnerabilities specific to Python + - Code quality issues (PEP 8, best practices) + - Performance implications + - Dependency management issues + - Framework-specific concerns + - Testing and documentation completeness + + Provide detailed feedback with Python-specific recommendations. + + # Package management analysis + package_analysis: | + Analyze this Python package management command: + + Command: {command} + Package manager: {package_manager} + Requirements file: {requirements_file} + Virtual environment: {virtual_env} + + Evaluate: + - Package source security and trust + - Version pinning and dependency conflicts + - Virtual environment usage + - Security vulnerabilities in packages + - License compatibility + - Installation method security + + Provide recommendations for secure package management. + + # Virtual environment analysis + venv_analysis: | + Analyze this virtual environment command: + + Command: {command} + Current environment: {current_env} + Project requirements: {requirements} + + Check for: + - Proper virtual environment isolation + - System package pollution + - Permission and security issues + - Environment activation/deactivation + - Dependency isolation effectiveness + + Recommend best practices for Python environment management. + + # Framework-specific analysis + framework_analysis: | + Analyze this Python framework command: + + Command: {command} + Framework: {framework} + Project structure: {project_structure} + + Framework-specific security checks: + - Django: SQL injection, template injection, CSRF, settings security + - Flask: Template injection, session security, config management + - FastAPI: Input validation, authentication, async security + - General: Web security headers, input validation, authentication + + Provide framework-specific security recommendations. + + # Development workflow analysis + dev_workflow_analysis: | + Analyze this Python development command: + + Command: {command} + Development stage: {dev_stage} + Tools involved: {tools} + + Evaluate: + - Development tool security (pytest, black, pylint, etc.) + - CI/CD pipeline integration + - Code quality automation + - Security testing integration + - Documentation generation + - Deployment preparation + + Recommend secure development workflow practices. + + # Educational Python analysis + educational_python_analysis: | + Explain this Python command for learning purposes: + + Command: {command} + User level: {user_level} + Learning objective: {learning_objective} + + Provide: + - What the command does in Python context + - Why it might be risky from a Python perspective + - How to use it safely in Python development + - Better Python alternatives and best practices + - Learning resources for Python security + - Hands-on examples for safe usage + +# Python-specific prompt configuration +prompt_config: + max_tokens: ${ai_max_tokens} + temperature: ${ai_temperature} + model: "${ai_model}" + timeout: ${ai_timeout} + + # Python-specific model settings + python_optimized: true + code_analysis_focus: true + +# Context injection settings for Python +context: + include_environment: true + include_project_info: true + include_user_history: ${context_include_user_history} + include_file_context: ${context_include_file_context} + + # Python-specific context + include_virtual_env: true + include_requirements: true + include_python_version: true + include_framework_info: true + include_package_info: true + +# Python framework detection +frameworks: + django: + indicators: ["manage.py", "settings.py", "django", "DJANGO_SETTINGS_MODULE"] + security_focus: ["sql_injection", "template_injection", "csrf", "admin_security"] + + flask: + indicators: ["app.py", "flask", "Flask", "from flask import"] + security_focus: ["template_injection", "session_security", "config_security"] + + fastapi: + indicators: ["main.py", "fastapi", "FastAPI", "from fastapi import"] + security_focus: ["input_validation", "async_security", "auth_security"] + + pytest: + indicators: ["pytest", "test_", "conftest.py", "pytest.ini"] + security_focus: ["test_security", "fixture_security", "mock_security"] \ No newline at end of file diff --git a/ai_command_auditor/templates/python/security-rules.yml.template b/ai_command_auditor/templates/python/security-rules.yml.template new file mode 100644 index 0000000..e55536f --- /dev/null +++ b/ai_command_auditor/templates/python/security-rules.yml.template @@ -0,0 +1,204 @@ +# AI Command Auditor Python Security Rules Template +# Python-specific security rules and patterns + +version: "1.0.0" +template: "${template_type}" + +# Python-specific dangerous patterns +dangerous_patterns: + # Base patterns are inherited from base template + + # Python code execution risks + - pattern: 'eval\s*\(' + severity: critical + message: "Use of eval() function is extremely dangerous" + action: block + + - pattern: 'exec\s*\(' + severity: critical + message: "Use of exec() function is extremely dangerous" + action: block + + - pattern: '__import__\s*\(' + severity: high + message: "Dynamic import using __import__ can be dangerous" + action: warn + + - pattern: 'compile\s*\(' + severity: medium + message: "Dynamic code compilation should be reviewed" + action: warn + + # Pickle/serialization risks + - pattern: 'pickle\.loads?\s*\(' + severity: high + message: "Pickle deserialization can execute arbitrary code" + action: warn + + - pattern: 'cPickle\.loads?\s*\(' + severity: high + message: "cPickle deserialization can execute arbitrary code" + action: warn + + - pattern: 'dill\.loads?\s*\(' + severity: high + message: "Dill deserialization can execute arbitrary code" + action: warn + + # Subprocess and system command risks + - pattern: 'subprocess\.(call|check_call|check_output|run).*shell=True' + severity: high + message: "Subprocess with shell=True can lead to command injection" + action: warn + + - pattern: 'os\.system\s*\(' + severity: high + message: "os.system() is vulnerable to command injection" + action: warn + + - pattern: 'os\.popen\s*\(' + severity: medium + message: "os.popen() should be used carefully" + action: warn + + # File operation risks + - pattern: 'open.*\/.*w' + severity: medium + message: "Writing to absolute paths should be reviewed" + action: warn + + - pattern: 'shutil\.rmtree\s*\(' + severity: high + message: "Recursive directory deletion" + action: warn + + # Network and web risks + - pattern: 'urllib\.request\.urlopen\s*\(' + severity: low + message: "URL requests should validate input" + action: log + + - pattern: 'requests\.(get|post|put|delete)\s*\(' + severity: low + message: "HTTP requests should validate URLs" + action: log + + # Package installation risks + - pattern: 'pip\s+install.*--trusted-host' + severity: high + message: "Installing from untrusted hosts is dangerous" + action: block + + - pattern: 'pip\s+install.*-i\s+http://' + severity: high + message: "Installing from HTTP sources is insecure" + action: block + + - pattern: 'easy_install\s+' + severity: medium + message: "easy_install is deprecated and less secure" + action: warn + +# Python-specific suspicious patterns +suspicious_patterns: + # Code obfuscation + - pattern: 'base64\.b64decode\s*\(' + severity: medium + message: "Base64 decoding may indicate obfuscated code" + action: warn + + - pattern: 'codecs\.decode\s*\(' + severity: medium + message: "Codec decoding may indicate obfuscated code" + action: warn + + # Dynamic attribute access + - pattern: 'getattr\s*\(' + severity: low + message: "Dynamic attribute access should be reviewed" + action: log + + - pattern: 'setattr\s*\(' + severity: low + message: "Dynamic attribute setting should be reviewed" + action: log + + - pattern: 'hasattr\s*\(' + severity: low + message: "Dynamic attribute checking should be reviewed" + action: log + + # Input handling + - pattern: 'input\s*\(' + severity: low + message: "User input should be validated" + action: log + + - pattern: 'raw_input\s*\(' + severity: low + message: "User input should be validated" + action: log + +# Virtual environment and package management +package_management: + # Safe package installation patterns + safe_patterns: + - 'pip install -r requirements\.txt' + - 'pip install --user' + - 'poetry install' + - 'conda install' + + # Dangerous package operations + dangerous_patterns: + - pattern: 'pip install.*--break-system-packages' + severity: high + message: "Breaking system packages can cause system instability" + action: warn + + - pattern: 'pip uninstall.*--yes' + severity: medium + message: "Automated package removal should be reviewed" + action: warn + +# Framework-specific rules +frameworks: + django: + - pattern: 'django\.db\.connection\.cursor\(\)\.execute\(' + severity: high + message: "Raw SQL execution can lead to SQL injection" + action: warn + + flask: + - pattern: 'render_template_string\s*\(' + severity: high + message: "Template string rendering can lead to SSTI" + action: warn + +# Development tool integration +development_tools: + # Code formatting and linting + safe_commands: + - 'black .' + - 'isort .' + - 'pylint' + - 'mypy' + - 'flake8' + + # Testing + test_commands: + - 'pytest' + - 'python -m pytest' + - 'unittest' + - 'nose2' + +# Security policy configuration +policy: + block_on_critical: ${policy_block_on_critical} + warn_on_high: ${policy_warn_on_high} + log_all_matches: ${policy_log_all_matches} + require_approval_for: ${policy_require_approval_for} + + # Python-specific policies + require_virtual_env: false + validate_requirements_txt: true + check_setup_py: true \ No newline at end of file diff --git a/docs/planning/task-planning/task-8.3-configuration-template-system.md b/docs/planning/task-planning/task-8.3-configuration-template-system.md new file mode 100644 index 0000000..0df0599 --- /dev/null +++ b/docs/planning/task-planning/task-8.3-configuration-template-system.md @@ -0,0 +1,304 @@ +# Task 8.3: Configuration Template System Implementation + +## Overview + +Task 8.3 focuses on creating a comprehensive configuration template system that allows users to easily customize AI Command Auditor for different project types. This builds on the CLI interface from task 8.2 and creates the foundation for the installer script in task 8.4. + +## Task Breakdown + +| Sub-Task | Description | Definition of Done | Status | +|----------|-------------|-------------------|--------| +| 8.3.1 | **Template Structure Creation** - Create the internal template system within the ai_command_auditor package | `ai_command_auditor/templates/` directory with organized template files for config, rules, prompts, and hooks | Complete | +| 8.3.2 | **Enhanced Template Engine** - Improve the existing template system from the CLI to be more robust and flexible | Template engine supports variable substitution, conditional content, and project-specific customizations | Complete | +| 8.3.3 | **Project Type Templates** - Create specialized templates for different programming languages and use cases | Complete templates for python, node, rust, general, and security project types with appropriate rules and configurations | Complete | +| 8.3.4 | **Advanced Configuration Options** - Add support for more sophisticated configuration scenarios | Support for environment-specific configs, team configurations, and advanced security policies | Complete | +| 8.3.5 | **Template Validation and Testing** - Ensure all templates work correctly and provide meaningful defaults | All templates validated, produce working configurations, and include comprehensive documentation | Complete | + +## Detailed Implementation Plan + +### 8.3.1 Template Structure Creation + +**Goal**: Organize and enhance the template system within the package structure. + +**Current State**: Basic template functionality exists in the CLI `_create_config_files` function. + +**Target State**: Comprehensive template system with organized files. + +**Implementation**: + +1. **Create Template Directory Structure**: + ``` + ai_command_auditor/templates/ + ├── __init__.py + ├── base/ + │ ├── auditor.yml.template + │ ├── security-rules.yml.template + │ ├── openai-prompts.yml.template + │ └── README.md.template + ├── python/ + │ ├── auditor.yml.template + │ ├── security-rules.yml.template + │ ├── openai-prompts.yml.template + │ └── pyproject.toml.template + ├── node/ + │ ├── auditor.yml.template + │ ├── security-rules.yml.template + │ ├── openai-prompts.yml.template + │ └── package.json.template + ├── rust/ + │ ├── auditor.yml.template + │ ├── security-rules.yml.template + │ ├── openai-prompts.yml.template + │ └── Cargo.toml.template + ├── security/ + │ ├── auditor.yml.template + │ ├── security-rules.yml.template + │ ├── openai-prompts.yml.template + │ └── compliance-rules.yml.template + └── general/ + ├── auditor.yml.template + ├── security-rules.yml.template + ├── openai-prompts.yml.template + └── README.md.template + ``` + +2. **Create Template Engine Module**: + - `ai_command_auditor/core/templates.py` + - Template loading and rendering functionality + - Variable substitution system + - Validation helpers + +### 8.3.2 Enhanced Template Engine + +**Goal**: Create a robust template engine that supports advanced features. + +**Features to Implement**: + +1. **Variable Substitution**: + - Project name, language, team preferences + - Environment-specific values + - User-defined variables + +2. **Conditional Content**: + - Include/exclude sections based on project type + - Environment-specific configurations + - Optional security policies + +3. **Template Inheritance**: + - Base templates with specialized overrides + - Composition of multiple template sources + - Merge strategies for conflicting settings + +4. **Validation System**: + - Schema validation for generated configs + - Template consistency checks + - Error reporting with helpful messages + +### 8.3.3 Project Type Templates + +**Goal**: Create comprehensive templates for major programming languages and use cases. + +**Python Template Features**: +- Python-specific security rules (eval, exec, pickle) +- Virtual environment detection +- Package management integration (pip, poetry, conda) +- Django/Flask-specific rules +- Testing framework integration + +**Node.js Template Features**: +- npm/yarn security scanning +- Node.js version-specific rules +- Framework-specific rules (Express, React, Vue) +- Package.json validation +- Environment variable handling + +**Rust Template Features**: +- Cargo.toml validation +- Rust-specific security patterns +- Memory safety checks +- Dependency audit integration +- Cross-compilation considerations + +**Security Template Features**: +- Stricter validation rules +- Compliance framework integration +- Audit logging configuration +- Advanced threat detection +- Incident response procedures + +**General Template Features**: +- Language-agnostic rules +- Universal security patterns +- Documentation templates +- Basic CI/CD integration + +### 8.3.4 Advanced Configuration Options + +**Goal**: Support sophisticated configuration scenarios for enterprise and team use. + +**Team Configuration**: +- Shared rule sets across projects +- Team-specific validation policies +- Role-based configuration access +- Configuration inheritance + +**Environment-Specific Configs**: +- Development vs. production rules +- Staging environment considerations +- Test environment optimizations +- CI/CD pipeline integration + +**Advanced Security Policies**: +- Industry-specific compliance (SOC2, HIPAA, PCI-DSS) +- Custom threat models +- Integration with security tools +- Automated incident reporting + +### 8.3.5 Template Validation and Testing + +**Goal**: Ensure all templates produce working, well-documented configurations. + +**Validation Requirements**: +- YAML syntax validation +- Schema compliance checking +- Cross-reference validation +- Performance impact assessment + +**Testing Strategy**: +- Unit tests for template engine +- Integration tests for each template type +- End-to-end testing with real projects +- Performance and security testing + +**Documentation Requirements**: +- Template usage documentation +- Customization guides +- Best practices documentation +- Troubleshooting guides + +## Technical Implementation Details + +### Template Engine Architecture + +```python +class TemplateEngine: + def __init__(self, template_dir: Path): + self.template_dir = template_dir + self.variables = {} + + def load_template(self, template_type: str, file_name: str) -> str: + """Load a template file with inheritance support.""" + + def render_template(self, template: str, variables: Dict[str, Any]) -> str: + """Render template with variable substitution.""" + + def validate_output(self, content: str, schema: Dict[str, Any]) -> bool: + """Validate rendered template against schema.""" + + def apply_template(self, project_dir: Path, template_type: str) -> None: + """Apply complete template set to project directory.""" +``` + +### Configuration Schema + +```yaml +# Template variable schema +template_variables: + project_name: { type: string, required: true } + language: { type: string, enum: [python, node, rust, general] } + security_level: { type: string, enum: [basic, standard, strict] } + team_config: { type: object, required: false } + environment: { type: string, default: development } + +# Template inheritance schema +inheritance: + base_template: general + overrides: + - security-rules.yml + - openai-prompts.yml +``` + +### Integration with CLI + +The enhanced template system will integrate seamlessly with the existing CLI: + +- `ai-auditor init --template python` uses Python template +- `ai-auditor init --template security --security-level strict` applies strict security template +- `ai-auditor update-config --template node` switches to Node.js template with migration + +## Success Criteria + +### Functional Requirements + +- [ ] Template engine loads and renders all template types correctly +- [ ] Variable substitution works for all supported variables +- [ ] Generated configurations are valid and functional +- [ ] All project types have comprehensive, working templates +- [ ] Advanced features (inheritance, conditional content) work correctly + +### Quality Requirements + +- [ ] All templates pass validation tests +- [ ] Generated configurations follow best practices +- [ ] Templates are well-documented with examples +- [ ] Performance is acceptable for large projects +- [ ] Error messages are clear and actionable + +### Integration Requirements + +- [ ] CLI commands work with new template system +- [ ] Backward compatibility with existing configurations +- [ ] Smooth migration path from basic to advanced templates +- [ ] Integration with existing security and validation modules + +## Dependencies + +### Internal Dependencies + +- ✅ Task 8.1: Package structure (provides foundation) +- ✅ Task 8.2: CLI interface (provides integration point) +- Existing configuration and security modules + +### External Dependencies + +- PyYAML for template processing +- Jinja2 or similar for advanced templating (if needed) +- Existing Python dependencies + +## Risk Assessment + +### Low Risk +- Basic template creation and organization +- Variable substitution for simple cases +- Integration with existing CLI + +### Medium Risk +- Advanced templating features (inheritance, conditionals) +- Complex validation scenarios +- Performance with large template sets + +### Mitigation Strategies +- Start with simple templates and add complexity incrementally +- Comprehensive testing at each stage +- Performance benchmarking with realistic projects +- Clear fallback to basic templates if advanced features fail + +## Implementation Timeline + +**Session 1**: Template structure and basic engine (8.3.1, 8.3.2 basic) +**Session 2**: Project type templates (8.3.3) +**Session 3**: Advanced features and validation (8.3.4, 8.3.5) + +**Total Estimated Time**: 3 implementation sessions + +## Next Steps + +1. **Create template directory structure** +2. **Implement basic template engine** +3. **Create project type templates** +4. **Add advanced configuration options** +5. **Implement comprehensive testing** +6. **Update CLI integration** +7. **Create documentation** + +This comprehensive template system will provide users with powerful, flexible configuration options while maintaining ease of use for common scenarios. \ No newline at end of file