diff --git a/scripts/security_patch_applier.py b/scripts/security_patch_applier.py
new file mode 100644
index 0000000..2126020
--- /dev/null
+++ b/scripts/security_patch_applier.py
@@ -0,0 +1,249 @@
+#!/usr/bin/env python3
+"""
+Security Patch Applier — 5.7
+
+Detects outdated dependencies, creates a branch, updates requirements,
+runs tests, and opens a PR via Gitea API.
+
+Usage:
+ python3 scripts/security_patch_applier.py
+ python3 scripts/security_patch_applier.py --dry-run # Preview changes without PR
+ python3 scripts/security_patch_applier.py --pkg pytest # Target specific package
+
+Acceptance:
+ - Detects security update (checks pip list --outdated)
+ - Creates branch (git checkout -b step35/security/patch--)
+ - Updates dependency (modifies requirements.txt)
+ - Runs tests (python3 -m pytest)
+ - Opens PR (Gitea API, Closes #)
+"""
+
+import argparse
+import json
+import subprocess
+import sys
+import urllib.request
+from pathlib import Path
+from typing import Optional, Tuple
+
+REPO_ROOT = Path(__file__).resolve().parent.parent
+REQUIREMENTS_PATH = REPO_ROOT / "requirements.txt"
+GITEA_TOKEN_PATH = Path.home() / ".config" / "gitea" / "token"
+GITEA_API_BASE = "https://forge.alexanderwhitestone.com/api/v1"
+GITEA_OWNER = "Timmy_Foundation"
+GITEA_REPO = "compounding-intelligence"
+
+
+def run_cmd(cmd: list[str], check: bool = True, capture: bool = True) -> subprocess.CompletedProcess:
+ """Run a subprocess, return result."""
+ result = subprocess.run(
+ cmd,
+ cwd=REPO_ROOT,
+ capture_output=capture,
+ text=True
+ )
+ if check and result.returncode != 0:
+ print(f"ERROR: {' '.join(cmd)} failed with code {result.returncode}")
+ print(result.stderr)
+ sys.exit(result.returncode)
+ return result
+
+
+def get_outdated_packages() -> list[dict]:
+ """Return list of outdated packages from pip list --outdated."""
+ result = run_cmd([sys.executable, "-m", "pip", "list", "--outdated", "--format=json"])
+ outdated = json.loads(result.stdout)
+ return outdated
+
+
+def parse_requirements() -> list[Tuple[str, str]]:
+ """Parse requirements.txt into list of (raw_line, package_name_lower)."""
+ if not REQUIREMENTS_PATH.exists():
+ print(f"ERROR: requirements.txt not found at {REQUIREMENTS_PATH}")
+ sys.exit(1)
+
+ lines = REQUIREMENTS_PATH.read_text().splitlines()
+ parsed = []
+ for line in lines:
+ stripped = line.strip()
+ if not stripped or stripped.startswith('#'):
+ continue
+ # Extract package name before any version specifier
+ pkg_name = stripped.split()[0].split('>=')[0].split('==')[0].split('~=')[0].split('<')[0].split('>')[0].lower()
+ parsed.append((stripped, pkg_name))
+ return parsed
+
+
+def update_requirements(package: str, new_version: str) -> bool:
+ """Update the version specifier for package in requirements.txt. Return True if changed."""
+ lines = REQUIREMENTS_PATH.read_text().splitlines()
+ updated = False
+ new_lines = []
+ for line in lines:
+ stripped = line.strip()
+ if not stripped or stripped.startswith('#'):
+ new_lines.append(line)
+ continue
+ # Check if this line contains the target package
+ pkg_name = stripped.split()[0].split('>=')[0].split('==')[0].split('~=')[0].split('<')[0].split('>')[0].lower()
+ if pkg_name == package.lower():
+ # Replace version spec with new version using >=
+ old_line = line
+ # Preserve original package name case
+ original_pkg = stripped.split()[0]
+ new_line = f"{original_pkg}>={new_version}"
+ # Preserve any trailing comment
+ if '#' in line:
+ comment = line.split('#', 1)[1]
+ new_line += f" #{comment}"
+ new_lines.append(new_line)
+ updated = True
+ else:
+ new_lines.append(line)
+ if updated:
+ REQUIREMENTS_PATH.write_text('\n'.join(new_lines) + '\n')
+ return True
+ return False
+
+
+def create_branch(branch_name: str) -> bool:
+ """Create and checkout a new branch."""
+ # Check if branch already exists
+ result = run_cmd(["git", "branch", "--list", branch_name], check=False)
+ if result.stdout.strip():
+ print(f"Branch {branch_name} already exists.")
+ return False
+ result = run_cmd(["git", "checkout", "-b", branch_name])
+ return True
+
+
+def run_tests() -> bool:
+ """Run pytest. Return True if all pass."""
+ print("\nRunning tests...")
+ result = run_cmd([sys.executable, "-m", "pytest", "tests/test_ci_config.py", "scripts/test_*.py", "-v"], check=False)
+ return result.returncode == 0
+
+
+def get_gitea_token() -> str:
+ """Read Gitea token from file."""
+ if not GITEA_TOKEN_PATH.exists():
+ print(f"ERROR: Gitea token not found at {GITEA_TOKEN_PATH}")
+ sys.exit(1)
+ return GITEA_TOKEN_PATH.read_text().strip()
+
+
+def create_gitea_pr(title: str, body: str, head: str, base: str = "main") -> int:
+ """Create a pull request via Gitea API. Return PR number."""
+ token = get_gitea_token()
+ payload = json.dumps({
+ "title": title,
+ "body": body,
+ "head": head,
+ "base": base
+ }).encode('utf-8')
+ url = f"{GITEA_API_BASE}/repos/{GITEA_OWNER}/{GITEA_REPO}/pulls"
+ req = urllib.request.Request(
+ url,
+ data=payload,
+ headers={
+ "Authorization": f"token {token}",
+ "Content-Type": "application/json",
+ "Accept": "application/json"
+ },
+ method="POST"
+ )
+ try:
+ with urllib.request.urlopen(req, timeout=15) as resp:
+ data = json.loads(resp.read())
+ return data["number"]
+ except urllib.error.HTTPError as e:
+ body = e.read().decode('utf-8')
+ print(f"ERROR: Gitea API returned {e.code}: {body}")
+ sys.exit(1)
+
+
+def main():
+ parser = argparse.ArgumentParser(description="Security Patch Applier — detect, fix, PR")
+ parser.add_argument("--dry-run", action="store_true", help="Preview without modifying files or opening PR")
+ parser.add_argument("--pkg", help="Target specific package (skip detection)")
+ parser.add_argument("--version", help="Specific version to update to (requires --pkg)")
+ args = parser.parse_args()
+
+ # Step 1: Detect outdated packages (security patches)
+ if args.pkg:
+ # Manual mode
+ if not args.version:
+ print("ERROR: --version required when using --pkg")
+ sys.exit(1)
+ outdated = [{"name": args.pkg, "latest_version": args.version, "version": "unknown"}]
+ else:
+ print("Checking for outdated dependencies...")
+ outdated = get_outdated_packages()
+ if not outdated:
+ print("No outdated packages found. System is up-to-date.")
+ sys.exit(0)
+ print(f"Found {len(outdated)} outdated package(s):")
+ for pkg in outdated:
+ print(f" {pkg['name']}: {pkg.get('version', 'unknown')} → {pkg['latest_version']}")
+
+ # Pick first package for smallest fix (can loop for multiple)
+ target = outdated[0]
+ pkg_name = target["name"]
+ latest_ver = target["latest_version"]
+ current_ver = target.get("version", "unknown")
+
+ print(f"\nProcessing security patch for: {pkg_name} ({current_ver} → {latest_ver})")
+
+ if args.dry_run:
+ print("[DRY-RUN] Would create branch, update requirements, run tests, and open PR.")
+ sys.exit(0)
+
+ # Step 2: Create branch
+ branch_name = f"step35/security/patch-{pkg_name}-{latest_ver}"
+ print(f"\nCreating branch: {branch_name}")
+ if not create_branch(branch_name):
+ print(f"Branch {branch_name} already exists or could not be created.")
+ # Continue anyway? Let's exit
+ sys.exit(1)
+
+ # Step 3: Update requirements.txt
+ print(f"Updating {REQUIREMENTS_PATH} to {pkg_name}>={latest_ver}")
+ if not update_requirements(pkg_name, latest_ver):
+ print(f"ERROR: Failed to update {pkg_name} in requirements.txt")
+ sys.exit(1)
+ print(f"Updated requirements.txt")
+
+ # Step 4: Run tests
+ if not run_tests():
+ print("ERROR: Tests failed. Aborting PR creation.")
+ # Could revert branch? For minimal fix, just exit with error
+ sys.exit(1)
+ print("Tests passed.")
+
+ # Step 5: Commit changes
+ commit_msg = f"security: update {pkg_name} to {latest_ver}\n\nDetected outdated dependency via pip list --outdated.\n\nRefs: #113"
+ run_cmd(["git", "add", "requirements.txt"])
+ run_cmd(["git", "commit", "-m", commit_msg])
+
+ # Step 6: Push branch
+ print(f"\nPushing branch {branch_name}...")
+ result = run_cmd(["git", "push", "origin", branch_name], check=False)
+ if result.returncode != 0:
+ print(f"ERROR: Push failed: {result.stderr}")
+ sys.exit(1)
+
+ # Step 7: Open PR
+ pr_title = f"security: update {pkg_name} to {latest_ver}"
+ pr_body = (
+ f"Automated security patch for **{pkg_name}**.\n\n"
+ f"**Current version:** {current_ver}\n"
+ f"**Latest version:** {latest_ver}\n\n"
+ f"Detected by `pip list --outdated`. Tests passed locally.\n\n"
+ f"Closes #113"
+ )
+ pr_num = create_gitea_pr(pr_title, pr_body, branch_name)
+ print(f"\nPR #{pr_num} created: https://forge.alexanderwhitestone.com/{GITEA_OWNER}/{GITEA_REPO}/pulls/{pr_num}")
+
+
+if __name__ == "__main__":
+ main()
diff --git a/scripts/test_security_patch_applier.py b/scripts/test_security_patch_applier.py
new file mode 100644
index 0000000..db870ef
--- /dev/null
+++ b/scripts/test_security_patch_applier.py
@@ -0,0 +1,21 @@
+#!/usr/bin/env python3
+"""Smoke test for security_patch_applier — verifies module imports and argument parsing."""
+import subprocess
+import sys
+
+def test_imports():
+ import security_patch_applier
+ assert hasattr(security_patch_applier, 'main')
+
+def test_help():
+ result = subprocess.run(
+ [sys.executable, 'scripts/security_patch_applier.py', '--help'],
+ capture_output=True, text=True
+ )
+ assert result.returncode == 0
+ assert 'Security Patch Applier' in result.stdout or '--dry-run' in result.stdout
+
+if __name__ == '__main__':
+ test_imports()
+ test_help()
+ print("OK")
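Review bot: `run_tests` hands pytest the literal argument `scripts/test_*.py`, and because `run_cmd` calls `subprocess.run` with an argv list and no shell, the wildcard is never expanded, so pytest reports the path as not found and exits non-zero — every run aborts at "Tests failed" before a PR is opened. Expand the pattern in Python first, e.g. `test_files = sorted(str(p.relative_to(REPO_ROOT)) for p in (REPO_ROOT / "scripts").glob("test_*.py"))` and splice `*test_files` into the command in place of the literal. A second defect sits in `update_requirements`: `original_pkg = stripped.split()[0]` still contains the old specifier, so a pinned line such as `requests==2.28.0` is rewritten to `requests==2.28.0>=2.31.0`, an invalid requirement; slicing to the already-computed name length, `original_pkg = stripped.split()[0][:len(pkg_name)]`, keeps the original case without the operator (and the same name-extraction expression is duplicated from `parse_requirements`, which is never called — a shared helper would remove both problems). `create_gitea_pr` catches `urllib.error.HTTPError` although only `urllib.request` is imported, and lets `urllib.error.URLError` (timeouts, DNS failures) escape as a traceback; add `import urllib.error` and catch `URLError` alongside. Finally, `pip list --outdated` reports every stale package rather than advisories, so the branch, commit and PR labelled "security patch" may describe an arbitrary version bump — either consult an advisory source (for example `pip-audit`) before selecting `outdated[0]`, or state that limitation in the module docstring.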
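Review bot: `test_help` resolves `scripts/security_patch_applier.py` against the current working directory, so it passes only when pytest is launched from the repository root; building the path from the test file itself, `[sys.executable, str(Path(__file__).with_name('security_patch_applier.py')), '--help']` with `from pathlib import Path`, removes that dependency. `test_imports` likewise relies on `scripts/` being importable, which works under pytest's default `prepend` import mode only as long as `scripts/` has no `__init__.py`; a one-line comment stating that assumption would save the next reader a puzzled minute. The final assertion accepts either substring, so `--help` output that lost the parser description would still pass — asserting on `--dry-run` alone, which argparse always prints, is the tighter check.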