i)|dZddlmZddlZddlmZmZeGddZeGddZGd d Z y) u core/evolution/axiomatic_tests.py Axiomatic test assertions compiled from GLOBAL_GENESIS_RULES.md. Any proposed architectural change is instantly rejected if it violates a Genesis axiom. Axioms enforced: AXIOM_NO_SQLITE — Rule 7: SQLite forbidden, all storage via Elestio PG/Qdrant/Redis AXIOM_NO_API_KEY_LEAK — Security: no API keys / secrets in state output AXIOM_OCC_REQUIRED — Rule 7: DB writes must include OCC version check AXIOM_NO_C_DRIVE — Rule 6: all writes must stay on E: drive, never C: AXIOM_GEMINI_AUTH — Rule 12: Gemini access requires authenticated session All methods are pure (no I/O, no external calls). 100% unit-testable. ) annotationsN) dataclassfieldc0eZdZUdZded<ded<ded<y)AxiomViolationzEA single Genesis axiom violation detected during a code/state review.straxiom_id descriptionevidenceN)__name__ __module__ __qualname____doc____annotations__7/mnt/e/genesis-system/core/evolution/axiomatic_tests.pyrrsOMMrrc8eZdZUdZded<eeZded<y) AxiomResultz1Aggregate result of running all axiomatic checks.boolpassed)default_factorylist[AxiomViolation] violationsN)r r rrrrlistrrrrrr#s; L',T'BJ$BrrceZdZdZd dZ d dZ d dZ d dZ d dZ d dZ e d ddZ y )AxiomaticTestsa; Compiled Genesis axioms extracted from GLOBAL_GENESIS_RULES.md. Usage:: checker = AxiomaticTests() result = checker.run_all(code_content="...", state_content={...}) if not result.passed: for v in result.violations: print(v.axiom_id, v.description) cg}|j|||j|||j|||j|||j ||t t |dk(|S)a Run all 5 Genesis axioms against the provided inputs. NOT fail-fast: all axioms are checked even when earlier ones fail. Returns all violations accumulated across the full run. Args: code_content: Raw source-code string to analyse. state_content: Arbitrary dict (serialised as str) to check for leaked credentials. Returns: AxiomResult with passed=True iff violations list is empty. r)rr)_check_no_sqlite_check_no_api_key_leak_check_occ_required_check_no_c_drive_check_gemini_authrlen)self code_content state_contentrs rrun_allzAxiomaticTests.run_all@su,.  lJ7 ##M:>   z: |Z8  j9z?a'!  rc gd}|D]5}||vs|jtdd|j||yy)z AXIOM_NO_SQLITE: SQLite is forbidden in Genesis. Detects: ``import sqlite3``, ``import sqlite``, plain ``sqlite3`` token. )zimport sqlite3z import sqlitesqlite3AXIOM_NO_SQLITEu_SQLite usage detected — forbidden by Rule 7. Use Elestio PostgreSQL / Qdrant / Redis instead.r r r N)appendr_extract_evidence)r%coderpatternspatterns rrzAxiomaticTests._check_no_sqlite`sVB G$!!"!2O"&!7!7g!F   rc ~t|}gd}|D])}||vs|jtdd|d|yy)z AXIOM_NO_API_KEY_LEAK: No API keys or secrets in state output. Detected patterns: ``sk-``, ``API_KEY=``, ``TELNYX_API_KEY``. )zsk-zAPI_KEY=TELNYX_API_KEYAXIOM_NO_API_KEY_LEAKz"Potential API key leak detected: 'z7' found in state output. Rotate and remove immediately.r,N)rr-r)r%stater state_strsecret_patternsr1s rr z%AxiomaticTests._check_no_api_key_leak}s`J ?& G)#!!"!8@ JKK")   rcttjd|tj}|syttjd|tj}|s|j t dddyy)z AXIOM_OCC_REQUIRED: Any INSERT or UPDATE statement must be accompanied by an Optimistic Concurrency Control (OCC) ``WHERE version =`` clause. z\b(INSERT|UPDATE)\bNzWHERE\s+version\s*=AXIOM_OCC_REQUIREDzDB write operation (INSERT/UPDATE) detected without an OCC version check ('WHERE version ='). Add optimistic concurrency control to prevent lost-update anomalies.z-INSERT/UPDATE found without 'WHERE version ='r,)rresearch IGNORECASEr-r)r%r/r has_db_writehas_version_checks rr!z"AxiomaticTests._check_occ_requireds| II,dBMM B  ! II,dBMM B !   1DM !rc gd}|D]G}tj||s|jtdd|j |dyy)z AXIOM_NO_C_DRIVE: C: drive paths are forbidden. All work on E: drive. Detected patterns: ``C:\``, ``C:/``, ``"C:``, ``'C:``. )zC:\\\\zC:/z"C:z'C:AXIOM_NO_C_DRIVEuWC: drive path detected — forbidden by Rule 6. All file paths must reside on E: drive.zC:r,N)r:r;r-rr.)r%r/rc_drive_patternsr1s rr"z AxiomaticTests._check_no_c_drives]?' Gyy$'!!"!3F"&!7!7d!C   rcd|vry|j}d|vxsd|v}|s|jtdddyy) z AXIOM_GEMINI_AUTH: Any reference to ``gemini.google.com`` must be paired with a ``login`` or ``auth`` check in the same code block. Unauthenticated Gemini sessions are forbidden by Rule 12. zgemini.google.comNloginauthAXIOM_GEMINI_AUTHugemini.google.com access detected without authentication check — forbidden by Rule 12. All Gemini sessions must be authenticated via kinan@agileadapt.com (Ultra).z1gemini.google.com found without 'login' or 'auth'r,)lowerr-r)r%r/r code_lowerhas_auths rr#z!AxiomaticTests._check_gemini_auths[ d * ZZ\ j(@Fj,@   0JQ rc|jj|j}|dk(r|Std||z }tt ||t |z|z}|||S)z Extract a short snippet of ``text`` centred on ``keyword`` for use as human-readable evidence in a violation report. Returns ``keyword`` itself if not found in ``text``. r)rFfindmaxminr$)textkeyword context_charsidxstartends rr.z AxiomaticTests._extract_evidencesgjjl 0 "9NAs]*+#d)S3w</-?@E#rN)r&rr'dictreturnr)r/rrrrUNone)r5rTrrrUrV)()rNrrOrrPintrUr) r r rrr(rr r!r"r# staticmethodr.rrrrr/s   @)  :)  :)  H)  8)  @  rr) r __future__rr: dataclassesrrrrrrrrr\sV # (   CC CXXr