42 commits
5fa57eb
fix: meta_analyzer init outside try, add exc_info tracebacks, update …
Jun 24, 2026
1b58c65
feat: add SubprocessChatModel that routes prompts via shell command
Jun 24, 2026
202b7f6
fix: widen with_structured_output signature, fix multi-modal fallback…
Jun 24, 2026
952477d
feat: add SubprocessProvider implementing LLMProvider protocol
Jun 24, 2026
4cf507e
feat: register subprocess provider in provider selector
Jun 24, 2026
288735d
docs: document subprocess provider and SKILLSPECTOR_LLM_COMMAND in .e…
Jun 24, 2026
eb49c59
fix: Windows shlex, ValueError on missing command, dict schema suppor…
Jun 24, 2026
e23b624
fix: add DEFAULT_MODEL and SLOT_DEFAULTS class attrs to SubprocessPro…
Jun 24, 2026
0369fca
fix: standards compliance — ruff B904/F401, mypy types, pydocstyle do…
Jun 24, 2026
2a166ef
docs: add subprocess provider to README, DEVELOPMENT.md, PI_EXTENSION…
Jun 24, 2026
f9b5de2
docs: add subprocess provider acceptance test plan and results
Jun 25, 2026
24d8767
fix: baseline writes to target directory by default (Problem 8)
Jun 26, 2026
6cdc856
fix: YARA YR1/YR4 reduce confidence on negation/education context (Pr…
Jun 26, 2026
e8bdde5
fix: rephrase TP4 prompt to avoid enterprise injection-detection trig…
Jun 26, 2026
0f90f41
fix: LP1/LP3 remediation includes accepted type names and capability …
Jun 26, 2026
74d5a90
fix: subprocess exit-code-1 enterprise diagnostic + --no-llm fallback…
Jun 26, 2026
322c8e6
feat: AST4/PE3 test-fixture heuristics + --include-test-fixtures flag…
Jun 26, 2026
91c9da3
fix: add --include-test-fixtures docstring; tighten PE3 keyword scope…
Jun 26, 2026
7a61253
feat: auto-discover .skillspector-baseline.yaml + --no-baseline flag …
Jun 26, 2026
f97c1da
feat: --recursive --depth N flag + improved fallback warning (Problem 9)
Jun 26, 2026
910f503
feat: --recursive --detail flag for full findings in JSON output (Pro…
Jun 26, 2026
e2b336e
feat: offensive_security classification skips score-based recommendat…
Jun 26, 2026
d2d5d6b
feat: emit LLM progress to stderr during analysis (Problem 6)
Jun 26, 2026
35d2382
feat: --skip-meta flag to bypass meta-analyzer LLM pass (Problem 3b)
Jun 26, 2026
52d05be
feat: SQLite LLM response cache by content hash (Problem 3c)
Jun 26, 2026
8004ddd
fix: wire LLM cache to semantic analyzer nodes; move json import to m…
Jun 26, 2026
da20b39
fix: correct _cache_key return type annotation to CacheKey
Jun 26, 2026
21ec601
feat: meta-analyzer batching with SKILLSPECTOR_META_BATCH_SIZE (Probl…
Jun 27, 2026
b2f8144
fix: move Counter import to module level; isolate META_BATCH_SIZE rel…
Jun 27, 2026
680cc3c
fix: remove dead PE3 constant, add LLMResponseCache __del__, document…
Jun 27, 2026
09121cc
chore: align README tables, fix CLI formatting, add bridge/baseline/p…
Jun 29, 2026
859c29a
merge: integrate origin/main — bedrock provider, PE5, E5, builtins ev…
Jun 29, 2026
7538a51
fix: remove leftover conflict-marker lines
Jul 1, 2026
54c87ef
Merge remote-tracking branch 'origin/main' into feature/use-skillspec…
Jul 1, 2026
7f8e42c
fix: coerce plain-string prompts in subprocess provider structured ou…
Jul 1, 2026
40ef232
fix: move LLM cache outside scanned skill directory
Jul 1, 2026
1045afe
test: fix llm_cache edge-case test to actually reproduce the gap it d…
Jul 1, 2026
9230576
fix: derive LLM cache key from rendered prompt, model, and schema hash
Jul 1, 2026
bec17a6
fix: make baseline auto-discovery opt-in via --auto-baseline
Jul 1, 2026
07aa733
fix: make self-declared offensive_security classification opt-in to t…
Jul 1, 2026
045d106
test: add SARIF coverage for multi-skill --output regression
Jul 1, 2026
a35b674
chore: ruff format + fix pre-existing lint drift
Jul 1, 2026
16 changes: 16 additions & 0 deletions .env.example
Expand Up @@ -28,6 +28,22 @@ ANTHROPIC_PROXY_API_KEY=
# ANTHROPIC_PROXY_API_VERSION=vertex-2023-10-16 # optional; defaults to vertex-2023-10-16
# SKILLSPECTOR_SSL_VERIFY=false # set to false for internal/self-signed CAs

# ---------------------------------------------------------------------------
# subprocess provider (SKILLSPECTOR_PROVIDER=subprocess)
# ---------------------------------------------------------------------------
# Routes every LLM prompt through a shell command via stdin.
# Use this when running SkillSpector inside Claude Code, OpenClaw, Antigravity,
# or any other AI-tool session where the AI is the session itself.
#
# Examples:
# SKILLSPECTOR_LLM_COMMAND=claude -p # Claude Code
# SKILLSPECTOR_LLM_COMMAND=antigravity ask # Antigravity
# SKILLSPECTOR_LLM_COMMAND=openclaw chat # OpenClaw
#
# The prompt is written to the command's stdin; the response is read from stdout.
# No API key is required — the session AI handles the call.
SKILLSPECTOR_LLM_COMMAND=

# SkillSpector config
SKILLSPECTOR_MODEL= # leave empty to use the active provider's bundled default (see README); set to override (e.g. gpt-5.2)
# SKILLSPECTOR_MODEL_REGISTRY=./model_registry.yaml # optional override; defaults to each provider's bundled YAML in src/skillspector/providers/
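Review bot: the comment block above `SKILLSPECTOR_LLM_COMMAND=` calls the value a "shell command" without saying whether it is passed to a shell or split into an argument list, and that decides whether characters such as `;`, `|` or `$(...)` in the value are interpreted. State the parsing rule in one comment line, and say that the value is executed with the privileges of the user running the scan, so it should only come from a `.env` the user wrote. The three examples also carry a trailing `# ...` label after an unquoted value containing a space (`claude -p # Claude Code`); quoting the value and moving the label to its own line avoids a loader that treats the label as part of the command.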
5 changes: 5 additions & 0 deletions .skillspector-baseline.yaml
@@ -0,0 +1,5 @@
# SkillSpector baseline — findings listed here are suppressed on future scans.
# Edit 'reason' fields and add glob 'rules' as needed. See docs/SUPPRESSION.md.
version: 1
rules: []
fingerprints: []
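Review bot: this new `.skillspector-baseline.yaml` has empty `rules` and `fingerprints`, and its header tells the reader to edit 'reason' fields that no entry in the file has, which reads like generated output from a local run committed by accident. A baseline suppresses findings, so a checked-in one at the repository root deserves a deliberate decision: drop it from the change, or keep it as a template and say so in the header comment.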
291 changes: 150 additions & 141 deletions README.md

Large diffs are not rendered by default.

7 changes: 4 additions & 3 deletions docs/DEVELOPMENT.md
Expand Up @@ -34,8 +34,8 @@ make install-dev

- **Python**: 3.12+ (see [pyproject.toml](../pyproject.toml)). `make install` and `make install-dev` use **uv** if available (`uv sync` / `uv sync --all-extras`), otherwise **pip** (`pip install -e .` / `pip install -e ".[dev]"`). You must create and activate the virtual environment yourself before running any make target.
- **Environment**: Optional `.env` in the project root. The LangGraph dev server loads it (see [langgraph.json](../langgraph.json) `"env": ".env"`). Key variables:
- **`SKILLSPECTOR_PROVIDER`**: Selects the active LLM provider — `openai`, `anthropic`, or `nv_build`. Defaults to `nv_build` when unset.
- **Provider credential**: depends on the active provider — `NVIDIA_INFERENCE_KEY` (NVIDIA), `OPENAI_API_KEY` (OpenAI), or `ANTHROPIC_API_KEY` (Anthropic). See [llm_utils.py](../src/skillspector/llm_utils.py).
- **`SKILLSPECTOR_PROVIDER`**: Selects the active LLM provider — `openai`, `anthropic`, `anthropic_proxy`, `nv_build`, or `subprocess`. Defaults to `nv_build` when unset.
- **Provider credential**: depends on the active provider — `NVIDIA_INFERENCE_KEY` (NVIDIA), `OPENAI_API_KEY` (OpenAI), `ANTHROPIC_API_KEY` (Anthropic), or `SKILLSPECTOR_LLM_COMMAND` (subprocess — no API key required; routes prompts through a shell command). See [llm_utils.py](../src/skillspector/llm_utils.py).
- **`OPENAI_BASE_URL`**: Override the OpenAI endpoint (e.g. point at Ollama).
- **`SKILLSPECTOR_MODEL`**: Override default model; see [constants.py](../src/skillspector/constants.py).

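Review bot: the rewritten "Provider credential" bullet files `SKILLSPECTOR_LLM_COMMAND` under credentials, although the same sentence says no API key is required; it is a command to execute, not a secret, and readers may apply the wrong handling rules to it. Give it its own bullet next to `SKILLSPECTOR_PROVIDER`. The provider list in the bullet above now includes `anthropic_proxy`, but the credential bullet names no variable for it; add one so the two lists match.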
Expand Down Expand Up @@ -265,11 +265,12 @@ Copy [.env.example](../.env.example) to `.env` in the project root and set value

| Variable | Description | Example |
|----------|-------------|---------|
| `SKILLSPECTOR_PROVIDER` | Active LLM provider: `openai` \| `anthropic` \| `nv_build` \| `claude_cli` \| `codex_cli`. Defaults to `nv_build`. | `claude_cli` |
| `SKILLSPECTOR_PROVIDER` | Active LLM provider: `openai` \| `anthropic` \| `anthropic_proxy` \| `nv_build` \| `subprocess` \| `claude_cli` \| `codex_cli`. Defaults to `nv_build`. | `openai` |
| `NVIDIA_INFERENCE_KEY` | Credential for `nv_build`. | `nvapi-...` |
| `OPENAI_API_KEY` | Credential for `SKILLSPECTOR_PROVIDER=openai`. Also tier-2 fallback for non-OpenAI providers. | `sk-...` |
| `OPENAI_BASE_URL` | Override the OpenAI endpoint (e.g. point at Ollama). | `http://localhost:11434/v1` |
| `ANTHROPIC_API_KEY` | Credential for `SKILLSPECTOR_PROVIDER=anthropic`. | `sk-ant-...` |
| `SKILLSPECTOR_LLM_COMMAND` | Shell command for `SKILLSPECTOR_PROVIDER=subprocess`. Prompt is piped via stdin; response read from stdout. No API key needed — the current AI session handles the call. | `claude -p` |
| `SKILLSPECTOR_MODEL` | Override the active provider's bundled default model (see [README.md](../README.md) for per-provider defaults). For `claude_cli`, this is passed as `--model` to the `claude` binary. | `gpt-5.2` |

> **CLI providers** (`claude_cli`, `codex_cli`): no credential env var is needed. Authentication is managed by the agent CLI's own session (`claude auth login` / `codex login`). The subprocess is heavily sandboxed — see [providers/_agent_cli.py](../src/skillspector/providers/_agent_cli.py).
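Review bot: the new `SKILLSPECTOR_LLM_COMMAND` row uses `claude -p` as its example, while the note under the table says the `claude_cli` and `codex_cli` subprocess is heavily sandboxed; nothing here says whether the `subprocess` provider gets the same treatment. Add a sentence stating whether the sandbox in `_agent_cli.py` applies to `subprocess`, and when to choose `subprocess` over `claude_cli`, since both can end up invoking the same binary.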
2 changes: 1 addition & 1 deletion docs/PI_EXTENSION.md
Expand Up @@ -43,7 +43,7 @@ Equivalent CLI:
- `format`: `terminal`, `json`, `markdown`, or `sarif`. Default: `terminal`.
- `output`: optional report path.
- `noLlm`: default `true`.
- `provider`: optional `openai`, `anthropic`, `anthropic_proxy`, `nv_build`, or `nv_inference`.
- `provider`: optional `openai`, `anthropic`, `anthropic_proxy`, `nv_build`, `nv_inference`, or `subprocess`.
- `model`: optional model override.
- `yaraRulesDir`: optional directory of extra YARA rules.
- `verbose`: optional detailed progress.
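Review bot: `subprocess` is added to the `provider` values, but the option list has no way to supply the command it needs and does not mention `SKILLSPECTOR_LLM_COMMAND`. Say where the extension reads the command from (for example the process environment) and what happens when `provider` is `subprocess` and the command is unset. With `noLlm` defaulting to `true`, it would also help to say whether `provider` is ignored unless `noLlm` is set to `false`.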