# bandit - Doramagic AI Context Pack

> Purpose: pre-work context for the user's host AI. This pack does not prove that the project has been installed, run, or validated.

## Project

- canonical_name: `PyCQA/bandit`
- capability: Bandit is a tool designed to find common security issues in Python code.
- expected_user_outcome: Bandit is a tool designed to find common security issues in Python code.

## Operating Boundaries

- Do not claim that the project has been installed, run, called through an API, or used on local files unless separate evidence proves it.
- Project facts must come from repo evidence, Claim Graph, or explicit source references.
- When a capability is not verified, mark it as unverified instead of completing it as fact.
- publish_status: `publishable`
- blocking_gaps: none

---

## Doramagic Context Augmentation

The following sections strengthen the repository context for a host AI. Human Manual data is a reading route, and pitfall notes become operating constraints.

## Human Manual Outline

Usage rule: this is only a reading route and salience signal, not factual authority. Concrete claims must still return to repo evidence or Claim Graph.

Host AI hard rules:
- Do not treat page titles, section order, summaries, or importance values as factual project evidence.
- When explaining the Human Manual outline, state that it is only a reading route or salience signal.
- Capability, installation, compatibility, runtime state, and risk claims must cite repo evidence, source paths, or Claim Graph.

- **Overview, Installation & CLI Usage**: importance `high`
  - source_paths: bandit/cli/main.py, bandit/cli/baseline.py, bandit/cli/config_generator.py, bandit/__main__.py, bandit/__init__.py
- **Core Engine Architecture & Data Flow**: importance `high`
  - source_paths: bandit/core/manager.py, bandit/core/node_visitor.py, bandit/core/meta_ast.py, bandit/core/test_set.py, bandit/core/tester.py
- **Security Plugins & Built-in Checks**: importance `high`
  - source_paths: bandit/plugins/__init__.py, bandit/plugins/asserts.py, bandit/plugins/exec.py, bandit/plugins/general_hardcoded_password.py, bandit/plugins/injection_shell.py
- **Configuration, Output Formatters & Extensibility**: importance `high`
  - source_paths: bandit/core/config.py, bandit/core/constants.py, bandit/core/utils.py, bandit/core/blacklisting.py, bandit/core/docs_utils.py

## Repo Inspection Evidence

- repo_clone_verified: true
- repo_inspection_verified: true
- repo_commit: `c4bfccf6fdf80559f2aad937246fb1b0c607a423`
- inspected_files: `README.rst`, `requirements.txt`, `examples/__init__.py`, `examples/assert.py`, `examples/binding.py`, `examples/cipher-modes.py`, `examples/ciphers.py`, `examples/crypto-md5.py`, `examples/dill.py`, `examples/django_sql_injection_extra.py`, `examples/django_sql_injection_raw.py`, `examples/eval.py`, `examples/exec.py`, `examples/flask_debug.py`, `examples/ftplib.py`, `examples/hardcoded-passwords.py`, `examples/hardcoded-tmp.py`, `examples/hashlib_new_insecure_functions.py`, `examples/httpoxy_cgihandler.py`, `examples/httpoxy_twisted_directory.py`

Host AI hard rules:
- Without repo_clone_verified=true, do not claim that the source code has been read.
- Without repo_inspection_verified=true, do not write README, docs, or package-file conclusions as facts.
- Without quick_start_verified=true, do not claim that the Quick Start path has run successfully.

## Doramagic Pitfall Constraints

These rules come from Doramagic discovery, validation, or compilation findings. The host AI must treat them as operating constraints, not background notes.

### Constraint 1: Security or permission risk requires verification

- Trigger: Project evidence flags a security or permission risk. Review the linked source before relying on this workflow.
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/PyCQA/bandit/issues/1397
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 2: Capability evidence risk requires verification

- Trigger: README/documentation is current enough for a first validation pass.
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: capability.assumptions | https://github.com/PyCQA/bandit
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 3: Maintenance risk requires verification

- Trigger: Project evidence flags a maintenance risk. Review the linked source before relying on this workflow.
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: evidence.maintainer_signals | https://github.com/PyCQA/bandit
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 4: Security or permission risk requires verification

- Trigger: no_demo
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: downstream_validation.risk_items | https://github.com/PyCQA/bandit
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 5: Security or permission risk requires verification

- Trigger: no_demo
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: risks.scoring_risks | https://github.com/PyCQA/bandit
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 6: Security or permission risk requires verification

- Trigger: Project evidence flags a security or permission risk. Review the linked source before relying on this workflow.
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: community_evidence:github | https://github.com/PyCQA/bandit/issues/1432
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 7: Maintenance risk requires verification

- Trigger: issue_or_pr_quality=unknown。
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: evidence.maintainer_signals | https://github.com/PyCQA/bandit
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 8: Maintenance risk requires verification

- Trigger: release_recency=unknown。
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: evidence.maintainer_signals | https://github.com/PyCQA/bandit
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.