ace-git-secrets 0.13.0

data/lib/ace/git/secrets/atoms/service_api_client.rb

@@ -0,0 +1,188 @@
+# frozen_string_literal: true
+
+require "faraday"
+require "faraday/retry"
+require "json"
+
+module Ace
+  module Git
+    module Secrets
+      module Atoms
+        # HTTP API client for token revocation services
+        # Builds requests for GitHub, Anthropic, OpenAI credential revocation APIs
+        class ServiceApiClient
+          # Default GitHub Credential Revocation API (unauthenticated, rate limited)
+          DEFAULT_GITHUB_REVOKE_URL = "https://api.github.com/credentials/revoke"
+
+          # Default user agent for API requests
+          DEFAULT_USER_AGENT = "ace-git-secrets/#{Ace::Git::Secrets::VERSION}"
+
+          attr_reader :timeout, :retry_count, :github_revoke_url, :github_api_base_url, :user_agent
+
+          # @param timeout [Integer] Request timeout in seconds
+          # @param retry_count [Integer] Number of retries
+          # @param github_api_url [String, nil] Custom GitHub API URL (for GitHub Enterprise)
+          # @param user_agent [String, nil] Custom User-Agent header
+          def initialize(timeout: 30, retry_count: 3, github_api_url: nil, user_agent: nil)
+            @timeout = timeout
+            @retry_count = retry_count
+            @github_api_base_url = github_api_url&.chomp("/") || "https://api.github.com"
+            @github_revoke_url = "#{@github_api_base_url}/credentials/revoke"
+            @user_agent = user_agent || DEFAULT_USER_AGENT
+          end
+
+          # Revoke a GitHub token
+          # Uses GitHub's Credential Revocation API (unauthenticated)
+          # Connection is reused for bulk revocation efficiency
+          # @param token [String] The token to revoke
+          # @param check_rate_limit [Boolean] Whether to check rate limit before request
+          # @return [Hash] Result with :success, :message, :response keys
+          def revoke_github_token(token, check_rate_limit: false)
+            # Optionally check rate limit before attempting revocation
+            if check_rate_limit
+              rate_info = github_rate_limit
+              if rate_info[:remaining].is_a?(Integer) && rate_info[:remaining] == 0
+                reset_msg = rate_info[:reset_at] ? " Reset at #{rate_info[:reset_at]}" : ""
+                return {
+                  success: false,
+                  message: "GitHub API rate limit exceeded.#{reset_msg}",
+                  response: nil,
+                  rate_limited: true
+                }
+              end
+            end
+
+            response = github_revoke_connection.post do |req|
+              req.headers["Content-Type"] = "application/json"
+              req.headers["Accept"] = "application/json"
+              req.body = JSON.generate({credential: token})
+            end
+
+            parse_github_response(response)
+          rescue Faraday::Error => e
+            {success: false, message: "GitHub API error: #{e.message}", response: nil}
+          end
+
+          # Get cached GitHub revoke connection for bulk operations
+          # @return [Faraday::Connection]
+          def github_revoke_connection
+            @github_revoke_connection ||= build_connection(github_revoke_url)
+          end
+
+          # Build revocation request for a service
+          # @param service [String] Service name (github, anthropic, openai)
+          # @param token [String] Token to revoke
+          # @return [Hash] Request details for manual revocation if API not available
+          def build_revocation_request(service, token)
+            case service
+            when "github"
+              {
+                method: :post,
+                url: github_revoke_url,
+                headers: {"Content-Type" => "application/json"},
+                body: {credential: token},
+                notes: "GitHub tokens can be revoked via API without authentication"
+              }
+            when "anthropic"
+              {
+                method: :manual,
+                url: "https://console.anthropic.com/settings/keys",
+                notes: "Anthropic API keys must be revoked manually via the console"
+              }
+            when "openai"
+              {
+                method: :manual,
+                url: "https://platform.openai.com/api-keys",
+                notes: "OpenAI API keys must be revoked manually via the platform"
+              }
+            when "aws"
+              {
+                method: :manual,
+                url: "https://console.aws.amazon.com/iam/home#/security_credentials",
+                notes: "AWS credentials must be rotated/deleted via IAM console"
+              }
+            else
+              {
+                method: :unsupported,
+                url: nil,
+                notes: "Automatic revocation not supported for #{service}"
+              }
+            end
+          end
+
+          # Check API rate limit status for GitHub
+          # Uses configured GitHub API base URL (supports GitHub Enterprise)
+          # @return [Hash] Rate limit info
+          def github_rate_limit
+            conn = Faraday.new(url: github_api_base_url) do |f|
+              f.options.timeout = timeout
+              if retry_count > 0
+                f.request :retry, max: retry_count
+              end
+              f.adapter Faraday.default_adapter
+            end
+
+            response = conn.get("/rate_limit")
+
+            if response.success?
+              data = JSON.parse(response.body)
+              resources = data["resources"]["core"]
+              {
+                limit: resources["limit"],
+                remaining: resources["remaining"],
+                reset_at: Time.at(resources["reset"])
+              }
+            else
+              {limit: 60, remaining: "unknown", reset_at: nil}
+            end
+          rescue
+            {limit: 60, remaining: "unknown", reset_at: nil}
+          end
+
+          private
+
+          # Build Faraday connection
+          # @param url [String] Base URL
+          # @return [Faraday::Connection]
+          def build_connection(url)
+            Faraday.new(url: url) do |f|
+              f.options.timeout = timeout
+              f.headers["User-Agent"] = user_agent
+              # Only add retry middleware if retry_count > 0
+              # (Faraday 2.x requires faraday-retry gem for this)
+              if retry_count > 0
+                f.request :retry, max: retry_count, interval: 0.5,
+                  exceptions: [Faraday::TimeoutError, Faraday::ConnectionFailed]
+              end
+              f.adapter Faraday.default_adapter
+            end
+          end
+
+          # Parse GitHub API response
+          # @param response [Faraday::Response]
+          # @return [Hash]
+          def parse_github_response(response)
+            case response.status
+            when 200, 204
+              {success: true, message: "Token revoked successfully", response: response}
+            when 404
+              {success: false, message: "Token not found or already revoked", response: response}
+            when 422
+              {success: false, message: "Invalid token format", response: response}
+            when 429
+              {success: false, message: "Rate limit exceeded. Try again later.", response: response}
+            else
+              body = response.body.to_s
+              message = begin
+                JSON.parse(body)["message"]
+              rescue
+                body
+              end
+              {success: false, message: "GitHub API error: #{message}", response: response}
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/ace/git/secrets/cli/commands/check_release.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Ace
+  module Git
+    module Secrets
+      module CLI
+        module Commands
+          # ace-support-cli command for pre-release security check
+          #
+          # Exit codes:
+          # - 0: Passed (no tokens detected)
+          # - 1: Failed (tokens detected)
+          # - 2: Error occurred
+          class CheckRelease < Ace::Support::Cli::Command
+            include Ace::Support::Cli::Base
+
+            desc "Pre-release security validation check"
+
+            option :strict, type: :boolean, default: false,
+              desc: "Fail on medium confidence matches"
+            option :format, type: :string, aliases: ["f"], default: "table",
+              desc: "Output format (table, json)"
+            option :debug, type: :boolean, default: false,
+              desc: "Show debug output"
+
+            def call(**options)
+              debug_log("Starting check-release with options: #{format_pairs(options)}", options)
+
+              # Delegate to existing CheckReleaseCommand logic
+              exit_code = Ace::Git::Secrets::Commands::CheckReleaseCommand.execute(options)
+              raise Ace::Support::Cli::Error.new("Pre-release check failed", exit_code: exit_code) if exit_code != 0
+            rescue => e
+              debug_log(e.full_message, options) if debug?(options)
+              raise Ace::Support::Cli::Error.new(e.message)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/ace/git/secrets/cli/commands/revoke.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module Ace
+  module Git
+    module Secrets
+      module CLI
+        module Commands
+          # ace-support-cli command for revoking tokens via provider APIs
+          #
+          # Exit codes:
+          # - 0: Success (all tokens revoked)
+          # - 1: Partial success or failure
+          # - 2: Error occurred
+          class Revoke < Ace::Support::Cli::Command
+            include Ace::Support::Cli::Base
+
+            desc "Revoke detected tokens via provider APIs"
+
+            option :service, type: :string, aliases: ["s"],
+              desc: "Revoke for specific service"
+            option :token, type: :string, aliases: ["t"],
+              desc: "Revoke specific token"
+            option :scan_file, type: :string,
+              desc: "Use previous scan results file"
+            option :debug, type: :boolean, default: false,
+              desc: "Show debug output"
+
+            def call(**options)
+              debug_log("Starting revoke with options: #{format_pairs(options)}", options)
+
+              exit_code = Ace::Git::Secrets::Commands::RevokeCommand.execute(options)
+              raise Ace::Support::Cli::Error.new("Revocation failed", exit_code: exit_code) if exit_code != 0
+            rescue Ace::Support::Cli::Error
+              raise
+            rescue => e
+              debug_log(e.full_message, options) if debug?(options)
+              raise Ace::Support::Cli::Error.new(e.message, exit_code: 2)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/ace/git/secrets/cli/commands/rewrite.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+module Ace
+  module Git
+    module Secrets
+      module CLI
+        module Commands
+          # ace-support-cli command for rewriting Git history to remove tokens
+          #
+          # Exit codes:
+          # - 0: Success
+          # - 1: Failure
+          # - 2: Error occurred
+          class Rewrite < Ace::Support::Cli::Command
+            include Ace::Support::Cli::Base
+
+            desc "Remove detected tokens from Git history"
+
+            option :dry_run, type: :boolean, aliases: ["n"], default: false,
+              desc: "Show what would be rewritten"
+            option :backup, type: :boolean, default: true,
+              desc: "Create backup before rewrite"
+            option :force, type: :boolean, default: false,
+              desc: "Skip confirmation prompt"
+            option :scan_file, type: :string,
+              desc: "Use previous scan results file"
+            option :debug, type: :boolean, default: false,
+              desc: "Show debug output"
+
+            def call(**options)
+              debug_log("Starting rewrite-history with options: #{format_pairs(options)}", options)
+
+              exit_code = Ace::Git::Secrets::Commands::RewriteCommand.execute(options)
+              raise Ace::Support::Cli::Error.new("Rewrite failed", exit_code: exit_code) if exit_code != 0
+            rescue Ace::Support::Cli::Error
+              raise
+            rescue => e
+              debug_log(e.full_message, options) if debug?(options)
+              raise Ace::Support::Cli::Error.new(e.message, exit_code: 2)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/ace/git/secrets/cli/commands/scan.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+module Ace
+  module Git
+    module Secrets
+      module CLI
+        module Commands
+          # ace-support-cli command for scanning repository for tokens
+          #
+          # Requires gitleaks to be installed (brew install gitleaks)
+          #
+          # Exit codes:
+          # - 0: Clean (no tokens found)
+          # - 1: Tokens detected
+          # - 2: Error occurred
+          class Scan < Ace::Support::Cli::Command
+            include Ace::Support::Cli::Base
+
+            desc "Scan Git history for authentication tokens"
+
+            option :since, type: :string, desc: "Start scanning from commit or date"
+            option :format, type: :string, aliases: ["f"], default: "table",
+              desc: "Stdout format when --verbose is used (table, json, yaml)"
+            option :report_format, type: :string, aliases: ["r"], default: "json",
+              desc: "Format for saved report file (json, markdown)"
+            option :confidence, type: :string, aliases: ["c"], default: "low",
+              desc: "Minimum confidence (high, medium, low)"
+            option :verbose, type: :boolean, default: false,
+              desc: "Enable verbose output with full report to stdout"
+            option :quiet, type: :boolean, aliases: ["q"], default: false,
+              desc: "Suppress non-essential output"
+            option :debug, type: :boolean, default: false,
+              desc: "Show debug output"
+
+            def call(**options)
+              debug_log("Starting scan with options: #{format_pairs(options)}", options)
+
+              exit_code = Ace::Git::Secrets::Commands::ScanCommand.execute(options)
+              raise Ace::Support::Cli::Error.new("Tokens detected", exit_code: exit_code) if exit_code != 0
+            rescue Ace::Support::Cli::Error
+              raise
+            rescue => e
+              debug_log(e.full_message, options) if debug?(options)
+              raise Ace::Support::Cli::Error.new(e.message, exit_code: 2)
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/ace/git/secrets/cli.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+require "ace/support/cli"
+require "ace/core"
+require_relative "../secrets"
+# Business logic command objects
+require_relative "commands/scan_command"
+require_relative "commands/rewrite_command"
+require_relative "commands/revoke_command"
+require_relative "commands/check_release_command"
+# ace-support-cli command wrappers (Hanami pattern: CLI::Commands::)
+require_relative "cli/commands/scan"
+require_relative "cli/commands/rewrite"
+require_relative "cli/commands/revoke"
+require_relative "cli/commands/check_release"
+require_relative "version"
+
+module Ace
+  module Git
+    module Secrets
+      # ace-support-cli based CLI registry for ace-git-secrets
+      #
+      # This replaces the Thor-based CLI with ace-support-cli while maintaining
+      # complete command parity and user-facing behavior.
+      module CLI
+        extend Ace::Support::Cli::RegistryDsl
+
+        PROGRAM_NAME = "ace-git-secrets"
+
+        REGISTERED_COMMANDS = [
+          ["scan", "Scan Git history for authentication tokens"],
+          ["rewrite-history", "Rewrite Git history to remove leaked tokens"],
+          ["revoke", "Revoke leaked tokens via provider APIs"],
+          ["check-release", "Check repository readiness for release"]
+        ].freeze
+
+        HELP_EXAMPLES = [
+          "ace-git-secrets scan --staged         # Pre-commit check",
+          "ace-git-secrets check-release         # Verify before publish",
+          "ace-git-secrets revoke --token TOKEN  # Revoke leaked credential"
+        ].freeze
+
+        # Register the scan command (default) - Hanami pattern: CLI::Commands::
+        register "scan", CLI::Commands::Scan.new
+
+        # Register the rewrite-history command
+        register "rewrite-history", CLI::Commands::Rewrite.new
+
+        # Register the revoke command
+        register "revoke", CLI::Commands::Revoke.new
+
+        # Register the check-release command
+        register "check-release", CLI::Commands::CheckRelease.new
+
+        # Register version command
+        version_cmd = Ace::Support::Cli::VersionCommand.build(
+          gem_name: "ace-git-secrets",
+          version: Ace::Git::Secrets::VERSION
+        )
+        register "version", version_cmd
+        register "--version", version_cmd
+
+        help_cmd = Ace::Support::Cli::HelpCommand.build(
+          program_name: PROGRAM_NAME,
+          version: Ace::Git::Secrets::VERSION,
+          commands: REGISTERED_COMMANDS,
+          examples: HELP_EXAMPLES
+        )
+        register "help", help_cmd
+        register "--help", help_cmd
+        register "-h", help_cmd
+      end
+    end
+  end
+end

data/lib/ace/git/secrets/commands/check_release_command.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module Ace
+  module Git
+    module Secrets
+      module Commands
+        # CLI command for pre-release security check
+        class CheckReleaseCommand
+          # Execute check-release command
+          # @param options [Hash] Command options
+          # @return [Integer] Exit code (0=passed, 1=failed, 2=error)
+          def self.execute(options)
+            new(options).execute
+          end
+
+          def initialize(options)
+            @options = options
+          end
+
+          def execute
+            # Ensure gitleaks is available
+            Atoms::GitleaksRunner.ensure_available!
+
+            puts "Performing pre-release security check..."
+            puts
+
+            gate = Organisms::ReleaseGate.new(
+              repository_path: ".",
+              strict: @options[:strict],
+              gitleaks_config: Ace::Git::Secrets.gitleaks_config_path
+            )
+
+            result = gate.check
+
+            # Output formatted result
+            puts gate.format_result(result, format: @options[:format] || "table")
+
+            result[:exit_code]
+          rescue => e
+            puts "Error: #{e.message}"
+            puts e.backtrace.first(5).join("\n") if ENV["DEBUG"]
+            2
+          end
+        end
+      end
+    end
+  end
+end