security: replace diskcache with cachetools to remediate CVE-2025-69872

diskcache 5.6.3 has an unpatched vulnerability with no fix available.
Replace with cachetools.TTLCache (in-memory, thread-safe via Lock) to
eliminate the attack surface entirely. Also migrate scripts from
--license-key/ETHICORE_LICENSE_KEY to --api-key/ETHICORE_API_KEY and
fix ONNX opset detection in retrain_guardian_model.py.

Author: Oracles Technologies LLC

requirements.lock

@@ -1,15 +1,3 @@
-# requirements.lock — hash-pinned dependency lockfile for ethicore-engine-guardian
-#
-# Every package (direct and transitive) is pinned to an exact version and
-# verified by SHA-256 hash on install.  This prevents a silently-compromised
-# upstream release from being pulled in automatically.
-#
-# Usage:
-#   pip install --require-hashes -r requirements.lock   # reproducible install
-#
-# To regenerate after updating requirements.txt:
-#   pip install pip-tools
-#   pip-compile --generate-hashes --output-file=requirements.lock requirements.txt
 #
 # This file is autogenerated by pip-compile with Python 3.11
 # by the following command:
@@ -24,14 +12,14 @@ asyncio-throttle==1.0.2 \
     --hash=sha256:2675282e99d9129ecc446f917e174bc205c65e36c602aa18603b4948567fcbd4 \
     --hash=sha256:4d4c1eb3250f735f59ce842d8d92cd2927c008bd52008797ba030b5787c41f3b
     # via -r requirements.txt
+cachetools==7.0.6 \
+    --hash=sha256:4e94956cfdd3086f12042cdd29318f5ced3893014f7d0d059bf3ead3f85b7f8b \
+    --hash=sha256:e5d524d36d65703a87243a26ff08ad84f73352adbeafb1cde81e207b456aaf24
+    # via -r requirements.txt
 colorama==0.4.6 \
     --hash=sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44 \
     --hash=sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6
     # via loguru
-diskcache==5.6.3 \
-    --hash=sha256:2c3a3fa2743d8535d832ec61c2054a1641f41775aa7c556758a109941e33e4fc \
-    --hash=sha256:5e31b2d5fbad117cc363ebaf6b689474db18a1f6438bc82358b024abd4c2ca19
-    # via -r requirements.txt
 flatbuffers==25.12.19 \
     --hash=sha256:7634f50c427838bb021c2d66a3d1168e9d199b0607e6329399f04846d42e20b4
     # via onnxruntime

requirements.txt

@@ -15,7 +15,7 @@ tenacity>=8.2.0
 # google-generativeai>=0.3.0
 
 # Performance and caching
-diskcache>=5.6.0
+cachetools>=5.3.0
 asyncio-throttle>=1.0.2
 
 # Development dependencies (install with pip install -e ".[dev]")

scripts/regenerate_embeddings.py

@@ -264,12 +264,12 @@ def main(argv: list[str] | None = None) -> int:
         help="Explicit output path for threat_embeddings.json (overrides auto-resolve).",
     )
     parser.add_argument(
-        "--license-key",
+        "--api-key",
         metavar="KEY",
         default=None,
         help=(
-            "License key (overrides $ETHICORE_LICENSE_KEY env var). "
-            "Enables licensed 51-category fingerprint set."
+            "API key (overrides $ETHICORE_API_KEY env var). "
+            "Enables licensed 68-category fingerprint set."
         ),
     )
     parser.add_argument(
@@ -284,7 +284,7 @@ def main(argv: list[str] | None = None) -> int:
     args = parser.parse_args(argv)
 
     # Resolve credentials: CLI arg > env var
-    license_key = args.license_key or os.environ.get("ETHICORE_LICENSE_KEY") or None
+    license_key = args.api_key or os.environ.get("ETHICORE_API_KEY") or None
     assets_dir = args.assets_dir or os.environ.get("ETHICORE_ASSETS_DIR") or None
 
     # Trim whitespace so copy-paste from shell doesn't silently break validation

scripts/retrain_guardian_model.py

@@ -27,8 +27,8 @@
     pip install scikit-learn skl2onnx onnxruntime onnx numpy
 
 Usage:
-    # Licensed (51 categories, 444 fingerprints) — recommended:
-    ETHICORE_LICENSE_KEY="EG-PRO-..." python scripts/retrain_guardian_model.py
+    # Licensed (68 categories, 624 fingerprints) — recommended:
+    ETHICORE_API_KEY="eg-sk-..." python scripts/retrain_guardian_model.py
 
     # Community (5 categories):
     python scripts/retrain_guardian_model.py
@@ -832,7 +832,7 @@ async def _compute_semantic_embeddings(
     """
     from ethicore_guardian.analyzers.semantic_analyzer import SemanticAnalyzer
 
-    analyzer = SemanticAnalyzer(license_key=license_key, assets_dir=assets_dir)
+    analyzer = SemanticAnalyzer(api_key=license_key, assets_dir=assets_dir)
     ok = await analyzer.initialize()
     model_label = "ONNX MiniLM" if (ok and analyzer.session) else "hash-based fallback"
     print(f"  Semantic model:   {model_label}")
@@ -1094,7 +1094,13 @@ def _train_and_export(
     )
 
     # Unsqueeze axes
-    opset_version = onnx_model.opset_import[0].version if onnx_model.opset_import else 11
+    # skl2onnx may place ai.onnx.ml domain at index 0 (version ~3), which would
+    # incorrectly trigger the opset-11 path. Scan all imports for the main domain.
+    opset_version = 11  # conservative default
+    for _opset in onnx_model.opset_import:
+        if _opset.domain in ("", "ai.onnx"):
+            opset_version = _opset.version
+            break
     if opset_version >= 13:
         axes_name = "_unsqueeze_axes"
         axes_init = numpy_helper.from_array(np.array([1], dtype=np.int64), name=axes_name)
@@ -1239,8 +1245,8 @@ def main(argv=None) -> int:
                         help="Overwrite existing model without prompting.")
     parser.add_argument("--out", metavar="PATH", default=None,
                         help="Output path for guardian-model.onnx.")
-    parser.add_argument("--license-key", metavar="KEY", default=None,
-                        help="License key (overrides $ETHICORE_LICENSE_KEY).")
+    parser.add_argument("--api-key", metavar="KEY", default=None,
+                        help="API key (overrides $ETHICORE_API_KEY).")
     parser.add_argument("--assets-dir", metavar="DIR", default=None,
                         help="Asset bundle path (overrides $ETHICORE_ASSETS_DIR).")
     parser.add_argument("--samples", type=int, default=30000,
@@ -1251,7 +1257,7 @@ def main(argv=None) -> int:
                         help="Random seed (default: 42).")
     args = parser.parse_args(argv)
 
-    license_key = (args.license_key or os.environ.get("ETHICORE_LICENSE_KEY") or "").strip() or None
+    license_key = (args.api_key or os.environ.get("ETHICORE_API_KEY") or "").strip() or None
     assets_dir = (args.assets_dir or os.environ.get("ETHICORE_ASSETS_DIR") or "").strip() or None
 
     try: