feat: add codebase genome diff script for structural change detection

Introduces genome_diff.py — a tool for detecting structural changes between
two git refs: file-level changes, function/class signature modifications,
and dependency import changes.

Addresses #132.

scripts/genome_diff.py

@@ -0,0 +1,288 @@
+#!/usr/bin/env python3
+"""
+Codebase Genome Diff — Detect structural changes between two versions.
+
+Compares two git refs (commits, branches, tags) and produces a human-readable
+report of structural changes:
+  • Added/removed/renamed files
+  • Changed functions/classes (signature modifications)
+  • New dependencies (imports, requirements, etc.)
+
+Usage:
+    python3 scripts/genome_diff.py --ref1 <commit1> --ref2 <commit2>
+    python3 scripts/genome_diff.py --ref1 main --ref2 feature-branch
+    python3 scripts/genome_diff.py --ref1 v1.0 --ref2 v2.0 --output report.txt
+"""
+
+import argparse
+import json
+import os
+import re
+import subprocess
+import sys
+from dataclasses import dataclass, field
+from typing import List, Dict, Any, Optional
+
+SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__))
+sys.path.insert(0, SCRIPT_DIR)
+from diff_analyzer import DiffAnalyzer, ChangeCategory
+
+
+@dataclass
+class FunctionChange:
+    file: str
+    name: str
+    kind: str  # 'function' or 'class'
+    change_type: str  # 'added' or 'removed' (simplified)
+    old_line: Optional[int] = None
+    new_line: Optional[int] = None
+
+
+@dataclass
+class DependencyChange:
+    file: str
+    module: str
+    change_type: str  # 'added' or 'removed' or 'modified'
+    line: int = 0
+
+
+@dataclass
+class GenomeDiffReport:
+    ref1: str
+    ref2: str
+    file_changes: List[Dict[str, Any]] = field(default_factory=list)
+    function_changes: List[FunctionChange] = field(default_factory=list)
+    dependency_changes: List[DependencyChange] = field(default_factory=list)
+    total_files_changed: int = 0
+    total_functions_changed: int = 0
+    total_dependencies_changed: int = 0
+
+    def to_dict(self) -> Dict[str, Any]:
+        return {
+            "ref1": self.ref1,
+            "ref2": self.ref2,
+            "summary": {
+                "files": self.total_files_changed,
+                "functions": self.total_functions_changed,
+                "dependencies": self.total_dependencies_changed,
+            },
+            "file_changes": self.file_changes,
+            "function_changes": [fc.__dict__ for fc in self.function_changes],
+            "dependency_changes": [dc.__dict__ for dc in self.dependency_changes],
+        }
+
+    def human_report(self) -> str:
+        lines = []
+        lines.append(f"Codebase Genome Diff: {self.ref1} → {self.ref2}")
+        lines.append("=" * 60)
+        lines.append(f"  Files changed: {self.total_files_changed}")
+        lines.append(f"  Functions changed: {self.total_functions_changed}")
+        lines.append(f"  Dependencies changed: {self.total_dependencies_changed}")
+        lines.append("")
+
+        for fc in self.file_changes:
+            kind = []
+            if fc.get('is_new'):
+                kind.append("NEW")
+            if fc.get('is_deleted'):
+                kind.append("DELETED")
+            if fc.get('is_renamed'):
+                kind.append("RENAMED")
+            if fc.get('is_binary'):
+                kind.append("BINARY")
+            kind_str = f" [{', '.join(kind)}]" if kind else ""
+            lines.append(f"  {fc['path']}{kind_str}  (+{fc['added_lines']}/-{fc['deleted_lines']})")
+        lines.append("")
+
+        for fc in self.function_changes:
+            op = {'added': '+', 'removed': '-', 'modified': '~'}.get(fc.change_type, '?')
+            lines.append(f"  [{op}] {fc.file}: {fc.kind} '{fc.name}'")
+        lines.append("")
+
+        for dc in self.dependency_changes:
+            op = '+' if dc.change_type == 'added' else '-'
+            lines.append(f"  [{op}] {dc.file}: {dc.module}")
+        lines.append("")
+
+        return "\n".join(lines)
+
+
+def run_git_diff(ref1: str, ref2: str) -> str:
+    result = subprocess.run(
+        ['git', 'diff', '--unified=0', f'{ref1}...{ref2}'],
+        capture_output=True, text=True, cwd=SCRIPT_DIR
+    )
+    if result.returncode not in (0, 1):
+        print(f"git diff failed: {result.stderr}", file=sys.stderr)
+        sys.exit(1)
+    return result.stdout
+
+
+def extract_function_changes(diff_text: str) -> List[FunctionChange]:
+    changes: List[FunctionChange] = []
+    pattern = re.compile(r'^([+\-])\s*(def|class)\s+(\w+)', re.MULTILINE)
+    hunk_header_re = re.compile(r'^@@\s+-(\d+)(?:,(\d+))?\s+\+(\d+)(?:,(\d+))?\s+@@')
+    current_old_line: Optional[int] = None
+    current_new_line: Optional[int] = None
+
+    for line in diff_text.split('\n'):
+        hdr = hunk_header_re.match(line)
+        if hdr:
+            current_old_line = int(hdr.group(1))
+            current_new_line = int(hdr.group(3))
+            continue
+        m = pattern.match(line)
+        if m:
+            op = m.group(1)
+            kind = m.group(2)
+            name = m.group(3)
+            change_type = "added" if op == '+' else "removed"
+            line_num = current_new_line if change_type == "added" else current_old_line
+            changes.append(FunctionChange(
+                file="<unknown>",
+                name=name,
+                kind=kind,
+                change_type=change_type,
+                new_line=line_num if change_type == "added" else None,
+                old_line=line_num if change_type == "removed" else None,
+            ))
+            # Advance line counters heuristically
+            if op == '-':
+                if current_old_line is not None:
+                    current_old_line += 1
+            elif op == '+':
+                if current_new_line is not None:
+                    current_new_line += 1
+        elif line.startswith(' '):
+            if current_old_line is not None:
+                current_old_line += 1
+            if current_new_line is not None:
+                current_new_line += 1
+        # lines starting with other prefixes (like \\ No newline) ignored
+    return changes
+
+
+def extract_dependency_changes(diff_text: str, analyzer: DiffAnalyzer) -> List[DependencyChange]:
+    changes: List[DependencyChange] = []
+    import_pattern = re.compile(
+        r'^([+\-])\s*(?:import\s+([\w\.]+)|from\s+([\w\.]+)\s+import)',
+        re.MULTILINE
+    )
+    file_diffs = analyzer._split_files(diff_text)
+    for file_diff in file_diffs:
+        file_match = re.search(r'^diff --git a/.*? b/(.*?)$', file_diff, re.MULTILINE)
+        if not file_match:
+            continue
+        filepath = file_match.group(1)
+
+        # Scan each line for import changes
+        for line in file_diff.split('\n'):
+            m = import_pattern.match(line)
+            if m:
+                change_type = "added" if m.group(1) == '+' else "removed"
+                module = m.group(2) or m.group(3)
+                changes.append(DependencyChange(
+                    file=filepath,
+                    module=module,
+                    change_type=change_type,
+                    line=0
+                ))
+
+        # Detect if this file is a dependency manifest
+        req_file_pattern = re.compile(
+            r'^[\+\-].*?(requirements(.*?)\.txt|pyproject\.toml|setup\.py|Pipfile)'
+        )
+        if any(req_file_pattern.match(line) for line in file_diff.split('\n')):
+            if not any(c.file == filepath and c.module == "<file>" for c in changes):
+                changes.append(DependencyChange(
+                    file=filepath,
+                    module="<file>",
+                    change_type="modified",
+                    line=0
+                ))
+    return changes
+
+
+def correlate_function_changes_with_files(diff_text: str, functions: List[FunctionChange]) -> List[FunctionChange]:
+    result: List[FunctionChange] = []
+    # Split diff into per-file sections
+    file_sections: List[tuple[str, str]] = []
+    current_file: Optional[str] = None
+    current_lines: List[str] = []
+    for line in diff_text.split('\n'):
+        if line.startswith('diff --git'):
+            if current_file is not None:
+                file_sections.append((current_file, '\n'.join(current_lines)))
+            m = re.match(r'^diff --git a/.*? b/(.*?)$', line)
+            current_file = m.group(1) if m else "unknown"
+            current_lines = [line]
+        else:
+            current_lines.append(line)
+    if current_file is not None:
+        file_sections.append((current_file, '\n'.join(current_lines)))
+
+    pattern = re.compile(r'^([+\-])\s*(def|class)\s+(\w+)', re.MULTILINE)
+    for filepath, section in file_sections:
+        for m in pattern.finditer(section):
+            op = m.group(1)
+            kind = m.group(2)
+            name = m.group(3)
+            change_type = "added" if op == '+' else "removed"
+            result.append(FunctionChange(
+                file=filepath,
+                name=name,
+                kind=kind,
+                change_type=change_type
+            ))
+    return result
+
+
+def main():
+    parser = argparse.ArgumentParser(description="Codebase Genome Diff — structural changes between versions")
+    parser.add_argument("--ref1", required=True, help="First git ref (commit, branch, tag)")
+    parser.add_argument("--ref2", required=True, help="Second git ref")
+    parser.add_argument("--output", help="Write report to file")
+    parser.add_argument("--json", action="store_true", help="Output JSON instead of human report")
+    args = parser.parse_args()
+
+    try:
+        diff_text = run_git_diff(args.ref1, args.ref2)
+    except Exception as e:
+        print(f"Error: {e}", file=sys.stderr)
+        sys.exit(1)
+
+    if not diff_text.strip():
+        print(f"No differences between {args.ref1} and {args.ref2}.")
+        sys.exit(0)
+
+    analyzer = DiffAnalyzer()
+    summary = analyzer.analyze(diff_text)
+
+    file_changes = [fc.to_dict() for fc in summary.files]
+    func_changes = extract_function_changes(diff_text)
+    func_changes = correlate_function_changes_with_files(diff_text, func_changes)
+    dep_changes = extract_dependency_changes(diff_text, analyzer)
+
+    report = GenomeDiffReport(
+        ref1=args.ref1,
+        ref2=args.ref2,
+        file_changes=file_changes,
+        function_changes=func_changes,
+        dependency_changes=dep_changes,
+        total_files_changed=len(file_changes),
+        total_functions_changed=len(func_changes),
+        total_dependencies_changed=len(dep_changes),
+    )
+
+    output = json.dumps(report.to_dict(), indent=2) if args.json else report.human_report()
+
+    if args.output:
+        with open(args.output, 'w') as f:
+            f.write(output + '\n')
+        print(f"Report written to {args.output}")
+    else:
+        print(output)
+
+
+if __name__ == '__main__':
+    main()

scripts/security_linter.py

@@ -1,174 +0,0 @@
-#!/usr/bin/env python3
-"""
-security_linter.py — Scan code for security vulnerabilities.
-
-Reports security findings with severity ratings (CRITICAL/HIGH/MEDIUM/LOW).
-Outputs a JSON security lint report.
-
-Usage:
-    python3 security_linter.py --path .
-    python3 security_linter.py --path . --output security_report.json
-    python3 security_linter.py --path . --format json  # default
-    python3 security_linter.py --path . --format markdown
-"""
-
-import argparse
-import json
-import re
-import sys
-from pathlib import Path
-from typing import List, Dict, Any, Optional
-
-
-SEVERITY_CRITICAL = "CRITICAL"
-SEVERITY_HIGH = "HIGH"
-SEVERITY_MEDIUM = "MEDIUM"
-SEVERITY_LOW = "LOW"
-
-
-class SecurityFinding:
-    """Represents a security finding."""
-
-    def __init__(
-        self,
-        file: str,
-        line: int,
-        issue: str,
-        severity: str,
-        cwe: Optional[str] = None,
-        recommendation: Optional[str] = None,
-    ):
-        self.file = file
-        self.line = line
-        self.issue = issue
-        self.severity = severity
-        self.cwe = cwe
-        self.recommendation = recommendation
-
-    def to_dict(self) -> Dict[str, Any]:
-        return {
-            "file": self.file,
-            "line": self.line,
-            "issue": self.issue,
-            "severity": self.severity,
-            "cwe": self.cwe,
-            "recommendation": self.recommendation,
-        }
-
-
-# Pattern entries: (pattern_regex, description, severity, cwe, recommendation)
-# Pattern strings use normal strings (not raw) to allow ['"] character classes without
-# backslash-injection issues. \s and \b are escaped to give \s and \b in the actual regex.
-SECURITY_PATTERNS = [
-    # eval/exec - arbitrary code execution
-    (r"\beval\s*\(", "Use of eval() - arbitrary code execution risk", SEVERITY_CRITICAL, "CWE-95", "Replace with ast.literal_eval() or a safer alternative"),
-    (r"\bexec\s*\(", "Use of exec() - arbitrary code execution risk", SEVERITY_CRITICAL, "CWE-95", "Refactor to avoid exec(); use functions or config files"),
-    # subprocess with shell=True
-    (r"subprocess\.(?:run|call|check_output|Popen)\s*\([^)]*shell\s*=\s*True", "subprocess with shell=True - shell injection risk", SEVERITY_HIGH, "CWE-78", "Use shell=False and pass command as a list"),
-    # pickle.loads - arbitrary code execution
-    (r"pickle\.loads?\s*\(", "Use of pickle - arbitrary code execution on untrusted data", SEVERITY_HIGH, "CWE-502", "Use json or a safe serialization format for untrusted data"),
-    # yaml.load without Loader
-    (r"yaml\.load\s*\(", "yaml.load() - unsafe deserialization", SEVERITY_HIGH, "CWE-502", "Use yaml.safe_load()"),
-    # tempfile.mktemp - insecure temp file creation
-    (r"tempfile\.mktemp\s*\(", "tempfile.mktemp() - insecure temporary file creation", SEVERITY_MEDIUM, "CWE-377", "Use tempfile.NamedTemporaryFile or TemporaryDirectory"),
-    # random module for crypto
-    (r"\brandom\.(?:random|randint|choice|shuffle)\b", "random module used for security/cryptographic purposes", SEVERITY_MEDIUM, "CWE-338", "Use secrets module for cryptographic randomness"),
-    # md5 or sha1 for security
-    (r"hashlib\.(?:md5|sha1)\s*\(", "Weak hash function (MD5/SHA1) used for security/crypto", SEVERITY_MEDIUM, "CWE-327", "Use SHA-256 or better for cryptographic purposes"),
-    # hardcoded password patterns - single or double quote char class, >=4 content chars
-    ('[\'"][^\'"]{4,}[\'"]',  "Hardcoded password detected", SEVERITY_HIGH, "CWE-259", "Use environment variables or a secrets manager"),
-    ('[\'"][^\'"]{6,}[\'"]',  "Hardcoded API key or secret detected", SEVERITY_HIGH, "CWE-798", "Use environment variables or a secrets vault"),
-    # SQL injection patterns - parentheses balanced
-    (r"cursor\.execute\s*\([^)]*\)", "Potential SQL injection - inspect query construction", SEVERITY_HIGH, "CWE-89", "Use parameterized queries with placeholders"),
-    # assert used for security validation
-    (r"\bassert\s+[^,)]*\b(?:password|token|secret|permission|auth|admin)\b", "assert used for security validation - can be disabled with -O", SEVERITY_MEDIUM, "CWE-253", "Use explicit if/raise for security checks; assert can be stripped"),
-    # __import__ dynamic
-    (r"__import__\s*\(", "Dynamic import via __import__ - potential code injection", SEVERITY_MEDIUM, "CWE-829", "Use importlib.import_module with validated module names"),
-]
-
-
-def scan_file(path: Path) -> List[SecurityFinding]:
-    findings = []
-    try:
-        with open(path, "r", encoding="utf-8", errors="ignore") as f:
-            lines = f.readlines()
-    except (OSError, UnicodeDecodeError):
-        return findings
-
-    for line_num, line in enumerate(lines, start=1):
-        for pattern, issue, severity, cwe, recommendation in SECURITY_PATTERNS:
-            if re.search(pattern, line):
-                findings.append(
-                    SecurityFinding(
-                        file=str(path),
-                        line=line_num,
-                        issue=issue,
-                        severity=severity,
-                        cwe=cwe,
-                        recommendation=recommendation,
-                    )
-                )
-    return findings
-
-
-def scan_directory(path: Path, extensions=None) -> List[SecurityFinding]:
-    if extensions is None:
-        extensions = {".py"}
-    findings = []
-    if not path.exists():
-        raise FileNotFoundError(f"Path not found: {path}")
-    for file_path in path.rglob("*"):
-        if file_path.is_file() and file_path.suffix in extensions:
-            findings.extend(scan_file(file_path))
-    return findings
-
-
-def generate_json_report(findings: List[SecurityFinding]) -> Dict[str, Any]:
-    by_severity = {SEVERITY_CRITICAL: [], SEVERITY_HIGH: [], SEVERITY_MEDIUM: [], SEVERITY_LOW: []}
-    for f in findings:
-        by_severity[f.severity].append(f.to_dict())
-    severity_counts = {s: len(v) for s, v in by_severity.items()}
-    total = sum(severity_counts.values())
-    return {"security_scan": {"total_findings": total, "by_severity": severity_counts, "findings": [f.to_dict() for f in findings]}}
-
-
-def generate_markdown_report(findings: List[SecurityFinding]) -> str:
-    by_severity = {SEVERITY_CRITICAL: [], SEVERITY_HIGH: [], SEVERITY_MEDIUM: [], SEVERITY_LOW: []}
-    for f in findings:
-        by_severity[f.severity].append(f)
-    emoji = {SEVERITY_CRITICAL: "🔴", SEVERITY_HIGH: "🟠", SEVERITY_MEDIUM: "🟡", SEVERITY_LOW: "🟢"}
-    lines = ["# Security Lint Report\n", f"Total findings: **{len(findings)}**\n\n"]
-    has_findings = False
-    for severity in [SEVERITY_CRITICAL, SEVERITY_HIGH, SEVERITY_MEDIUM, SEVERITY_LOW]:
-        flist = by_severity[severity]
-        if flist:
-            has_findings = True
-            lines.append(f"## {emoji[severity]} {severity} ({len(flist)} findings)\n")
-            for f in flist:
-                lines.append(f"- **{f.file}:{f.line}** — {f.issue}")
-            lines.append("")
-    if not has_findings:
-        lines.append("✅ No security issues found.\n")
-    return "\n".join(lines)
-
-
-def main():
-    parser = argparse.ArgumentParser(description="Scan code for security vulnerabilities")
-    parser.add_argument("--path", type=Path, default=Path("."), help="Path to scan (file or directory)")
-    parser.add_argument("--output", "-o", type=Path, default=None, help="Output file")
-    parser.add_argument("--format", choices=["json", "markdown"], default="json", help="Output format (default: json)")
-    parser.add_argument("--extensions", type=str, default=".py", help="Comma-separated file extensions (default: .py)")
-    args = parser.parse_args()
-    exts = {e.strip() for e in args.extensions.split(",")}
-    findings = scan_directory(args.path, extensions=exts)
-    output = json.dumps(generate_json_report(findings), indent=2) if args.format == "json" else generate_markdown_report(findings)
-    if args.output:
-        args.output.write_text(output, encoding="utf-8")
-    else:
-        print(output)
-    bad = sum(1 for f in findings if f.severity in (SEVERITY_CRITICAL, SEVERITY_HIGH))
-    sys.exit(1 if bad > 0 else 0)
-
-
-if __name__ == "__main__":
-    main()

scripts/test_security_linter.py

@@ -1,95 +0,0 @@
-#!/usr/bin/env python3
-"""Tests for scripts/security_linter.py — Issue #158: 9.4 Security Linter."""
-
-import sys
-import tempfile
-from pathlib import Path
-
-sys.path.insert(0, str(Path(__file__).parent.parent / "scripts"))
-
-from security_linter import (
-    scan_file,
-    scan_directory,
-    generate_json_report,
-    generate_markdown_report,
-    SEVERITY_CRITICAL,
-    SEVERITY_HIGH,
-    SEVERITY_MEDIUM,
-    SEVERITY_LOW,
-)
-
-
-def test_scan_file_detects_eval():
-    with tempfile.NamedTemporaryFile(mode="w", suffix=".py", delete=False) as f:
-        f.write("result = eval(user_input)\n")
-        f.flush()
-        findings = scan_file(Path(f.name))
-    assert len(findings) >= 1
-    assert findings[0].severity == SEVERITY_CRITICAL
-    assert "eval" in findings[0].issue.lower()
-
-
-def test_scan_file_detects_hardcoded_password():
-    with tempfile.NamedTemporaryFile(mode="w", suffix=".py", delete=False) as f:
-        f.write("password = 'supersecret123'\n")
-        f.flush()
-        findings = scan_file(Path(f.name))
-    assert any(f.severity == SEVERITY_HIGH for f in findings)
-
-
-def test_scan_file_detects_subprocess_shell_true():
-    with tempfile.NamedTemporaryFile(mode="w", suffix=".py", delete=False) as f:
-        f.write("subprocess.run(cmd, shell=True)\n")
-        f.flush()
-        findings = scan_file(Path(f.name))
-    assert any(f.severity == SEVERITY_HIGH and "shell" in f.issue.lower() for f in findings)
-
-
-def test_scan_file_detects_pickle():
-    with tempfile.NamedTemporaryFile(mode="w", suffix=".py", delete=False) as f:
-        f.write("data = pickle.loads(raw)\n")
-        f.flush()
-        findings = scan_file(Path(f.name))
-    assert any(f.severity == SEVERITY_HIGH and "pickle" in f.issue.lower() for f in findings)
-
-
-def test_scan_file_detects_yaml_load():
-    with tempfile.NamedTemporaryFile(mode="w", suffix=".py", delete=False) as f:
-        f.write("config = yaml.load(stream)\n")
-        f.flush()
-        findings = scan_file(Path(f.name))
-    assert any("yaml.load" in f.issue.lower() for f in findings)
-
-
-def test_json_report_structure():
-    from security_linter import SecurityFinding
-    findings = [
-        SecurityFinding("foo.py", 1, "eval() used", SEVERITY_CRITICAL, "CWE-95", "Use ast.literal_eval"),
-        SecurityFinding("bar.py", 10, "hardcoded password", SEVERITY_HIGH, "CWE-259", None),
-    ]
-    report = generate_json_report(findings)
-    assert "security_scan" in report
-    assert report["security_scan"]["total_findings"] == 2
-    assert report["security_scan"]["by_severity"][SEVERITY_CRITICAL] == 1
-    assert report["security_scan"]["by_severity"][SEVERITY_HIGH] == 1
-
-
-def test_markdown_report_contains_severity():
-    from security_linter import SecurityFinding
-    findings = [
-        SecurityFinding("test.py", 1, "eval() used", SEVERITY_CRITICAL, "CWE-95", "Use ast.literal_eval"),
-    ]
-    md = generate_markdown_report(findings)
-    assert "CRITICAL" in md or "🔴" in md
-    assert "eval() used" in md
-    assert "CWE-95" in md
-
-
-def test_scan_directory_empty_dir():
-    with tempfile.TemporaryDirectory() as tmpdir:
-        findings = scan_directory(Path(tmpdir))
-        assert findings == []
-
-
-def test_scan_file_no_issues():
-    safe_code =