ace-git-secrets 0.13.0

data/lib/ace/git/secrets/molecules/git_rewriter.rb

@@ -0,0 +1,199 @@
+# frozen_string_literal: true
+
+require "open3"
+require "tempfile"
+
+module Ace
+  module Git
+    module Secrets
+      module Molecules
+        # Wrapper for git-filter-repo to remove tokens from Git history
+        # Handles tool availability, filter building, and execution
+        class GitRewriter
+          FILTER_REPO_INSTALL_INSTRUCTIONS = <<~MSG
+            git-filter-repo is required for history rewriting.
+            Install with: brew install git-filter-repo
+            See: https://github.com/newren/git-filter-repo
+          MSG
+
+          attr_reader :repository_path
+
+          # @param repository_path [String] Path to git repository
+          # @raise [ArgumentError] If repository_path is not a valid git repository
+          def initialize(repository_path: ".")
+            @repository_path = File.expand_path(repository_path)
+            validate_repository_path!
+          end
+
+          # Check if git-filter-repo is available
+          # @return [Boolean]
+          def available?
+            system("which git-filter-repo > /dev/null 2>&1")
+          end
+
+          # Check if working directory is clean
+          # @return [Boolean]
+          def clean_working_directory?
+            output, status = Open3.capture2(
+              "git", "-C", repository_path, "status", "--porcelain",
+              err: File::NULL
+            )
+            status.success? && output.strip.empty?
+          end
+
+          # Rewrite history to remove specific tokens
+          # @param tokens [Array<DetectedToken>] Tokens to remove
+          # @param dry_run [Boolean] Whether to preview changes only
+          # @return [Hash] Result with :success, :message, :changes keys
+          def rewrite(tokens, dry_run: false)
+            unless available?
+              return {
+                success: false,
+                message: FILTER_REPO_INSTALL_INSTRUCTIONS,
+                changes: []
+              }
+            end
+
+            unless clean_working_directory?
+              return {
+                success: false,
+                message: "Working directory has uncommitted changes. Commit or stash before rewriting history.",
+                changes: []
+              }
+            end
+
+            if tokens.empty?
+              return {
+                success: true,
+                message: "No tokens to remove",
+                changes: []
+              }
+            end
+
+            # Build replacement expressions
+            replacements = build_replacements(tokens)
+
+            if dry_run
+              {
+                success: true,
+                dry_run: true,
+                message: "Dry run: Would remove #{tokens.size} token(s) from history",
+                changes: replacements.map { |r| {original: r[:pattern], replacement: r[:replacement]} }
+              }
+            else
+              execute_filter_repo(replacements)
+            end
+          end
+
+          # Create a backup of the repository
+          # @param backup_path [String] Path for backup
+          # @return [Boolean] Success status
+          def create_backup(backup_path)
+            _, status = Open3.capture2(
+              "git", "clone", "--mirror", repository_path, backup_path,
+              err: File::NULL
+            )
+            status.success?
+          rescue
+            false
+          end
+
+          private
+
+          # Validate that repository_path is a valid git repository
+          # @raise [ArgumentError] If path doesn't exist or isn't a git repo
+          def validate_repository_path!
+            unless Dir.exist?(repository_path)
+              raise ArgumentError, "Repository path does not exist: #{repository_path}"
+            end
+
+            git_dir = File.join(repository_path, ".git")
+            unless Dir.exist?(git_dir) || File.exist?(git_dir)
+              raise ArgumentError, "Not a git repository: #{repository_path}"
+            end
+          end
+
+          # Build replacement expressions for git-filter-repo
+          # @param tokens [Array<DetectedToken>]
+          # @return [Array<Hash>]
+          def build_replacements(tokens)
+            tokens.map do |token|
+              # Create a masked replacement value
+              masked = "[REDACTED:#{token.token_type}]"
+
+              {
+                pattern: token.raw_value,
+                replacement: masked,
+                token_type: token.token_type
+              }
+            end.uniq { |r| r[:pattern] }
+          end
+
+          # Execute git-filter-repo with replacements
+          # @param replacements [Array<Hash>]
+          # @return [Hash]
+          def execute_filter_repo(replacements)
+            # Create replacement file for git-filter-repo with secure permissions
+            # Mode 0600 ensures only the owner can read/write the file containing tokens
+            #
+            # Security: Use memory-backed tmpfs if available (Linux /dev/shm).
+            # Tempfiles in memory are harder to recover than disk-based temps.
+            # macOS doesn't have /dev/shm but has encrypted swap; this is defense in depth.
+            temp_dir = Dir.exist?("/dev/shm") ? "/dev/shm" : Dir.tmpdir
+            replacement_file = Tempfile.new(
+              ["git-filter-repo-replacements", ".txt"],
+              temp_dir,
+              mode: File::RDWR | File::CREAT | File::EXCL,
+              perm: 0o600
+            )
+
+            begin
+              # Write replacements in git-filter-repo format
+              # Format: literal:ORIGINAL==>literal:REPLACEMENT
+              replacements.each do |r|
+                replacement_file.puts("literal:#{r[:pattern]}==>literal:#{r[:replacement]}")
+              end
+              replacement_file.close
+
+              cmd = [
+                "git-filter-repo",
+                "--replace-text", replacement_file.path,
+                "--force"
+              ]
+
+              Dir.chdir(repository_path) do
+                stdout, stderr, status = Open3.capture3(*cmd)
+
+                if status.success?
+                  {
+                    success: true,
+                    message: "Successfully removed #{replacements.size} token(s) from history",
+                    changes: replacements.map { |r| {token_type: r[:token_type], status: "removed"} },
+                    stdout: stdout,
+                    stderr: stderr
+                  }
+                else
+                  {
+                    success: false,
+                    message: "git-filter-repo failed: #{stderr}",
+                    changes: [],
+                    stdout: stdout,
+                    stderr: stderr
+                  }
+                end
+              end
+            ensure
+              replacement_file.unlink
+            end
+          rescue => e
+            {
+              success: false,
+              message: "Error executing git-filter-repo: #{e.message}",
+              changes: []
+            }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/ace/git/secrets/molecules/history_scanner.rb

@@ -0,0 +1,155 @@
+# frozen_string_literal: true
+
+require "open3"
+
+module Ace
+  module Git
+    module Secrets
+      module Molecules
+        # Scans Git history for authentication tokens using gitleaks
+        #
+        # This is a thin wrapper around GitleaksRunner that adds:
+        # - File exclusion filtering
+        # - Confidence level filtering
+        # - ScanReport generation
+        #
+        # Gitleaks is required - install with: brew install gitleaks
+        class HistoryScanner
+          attr_reader :repository_path, :gitleaks_runner, :exclusions
+
+          # @param repository_path [String] Path to git repository
+          # @param gitleaks_config [String, nil] Path to gitleaks config
+          # @param exclusions [Array<String>, nil] Glob patterns for files to exclude
+          def initialize(repository_path: ".", gitleaks_config: nil, exclusions: nil)
+            @repository_path = File.expand_path(repository_path)
+            @gitleaks_runner = Atoms::GitleaksRunner.new(config_path: gitleaks_config)
+            @exclusions = exclusions || Ace::Git::Secrets.exclusions
+          end
+
+          # Scan repository history for tokens
+          # @param since [String, nil] Start commit or date
+          # @param min_confidence [String] Minimum confidence level
+          # @return [Models::ScanReport]
+          def scan(since: nil, min_confidence: "low")
+            # Ensure gitleaks is available
+            Atoms::GitleaksRunner.ensure_available!
+
+            result = gitleaks_runner.scan_history(
+              path: repository_path,
+              since: since
+            )
+
+            detected_tokens = result[:findings].map do |f|
+              # Apply exclusions
+              next if excluded_file?(f[:file_path])
+
+              Models::DetectedToken.new(
+                token_type: f[:token_type],
+                pattern_name: f[:pattern_name],
+                confidence: f[:confidence],
+                commit_hash: f[:commit_hash],
+                file_path: f[:file_path],
+                line_number: f[:line_number],
+                raw_value: f[:matched_value],
+                detected_by: "gitleaks"
+              )
+            end.compact
+
+            # Filter by confidence
+            detected_tokens = filter_by_confidence(detected_tokens, min_confidence)
+
+            Models::ScanReport.new(
+              tokens: detected_tokens,
+              repository_path: repository_path,
+              scanned_at: Time.now,
+              scan_options: {since: since, min_confidence: min_confidence},
+              commits_scanned: count_commits(since: since),
+              detection_method: "gitleaks"
+            )
+          end
+
+          # Scan only current files (no history)
+          # @param min_confidence [String] Minimum confidence level
+          # @return [Models::ScanReport]
+          def scan_files(min_confidence: "low")
+            # Ensure gitleaks is available
+            Atoms::GitleaksRunner.ensure_available!
+
+            result = gitleaks_runner.scan_files(path: repository_path)
+
+            detected_tokens = result[:findings].map do |f|
+              # Apply exclusions
+              next if excluded_file?(f[:file_path])
+
+              Models::DetectedToken.new(
+                token_type: f[:token_type],
+                pattern_name: f[:pattern_name],
+                confidence: f[:confidence],
+                commit_hash: "HEAD",
+                file_path: f[:file_path],
+                line_number: f[:line_number],
+                raw_value: f[:matched_value],
+                detected_by: "gitleaks"
+              )
+            end.compact
+
+            detected_tokens = filter_by_confidence(detected_tokens, min_confidence)
+
+            Models::ScanReport.new(
+              tokens: detected_tokens,
+              repository_path: repository_path,
+              scanned_at: Time.now,
+              scan_options: {files_only: true, min_confidence: min_confidence},
+              commits_scanned: 0,
+              detection_method: "gitleaks"
+            )
+          end
+
+          private
+
+          # Check if file path matches any exclusion pattern
+          # @param path [String] File path to check
+          # @return [Boolean] true if file should be excluded
+          def excluded_file?(path)
+            exclusions.any? do |pattern|
+              File.fnmatch?(pattern, path, File::FNM_PATHNAME | File::FNM_EXTGLOB)
+            end
+          end
+
+          # Count commits in repository
+          # @param since [String, nil] Start commit or date
+          # @return [Integer]
+          def count_commits(since: nil)
+            cmd = ["git", "-C", repository_path, "rev-list", "--count", "HEAD"]
+            cmd.insert(-2, "--since=#{since}") if since
+
+            output, status = Open3.capture2(*cmd, err: File::NULL)
+            status.success? ? output.strip.to_i : 0
+          rescue
+            0
+          end
+
+          # Filter tokens by minimum confidence
+          # @param tokens [Array<DetectedToken>]
+          # @param min_confidence [String]
+          # @return [Array<DetectedToken>]
+          def filter_by_confidence(tokens, min_confidence)
+            confidence_order = {"high" => 3, "medium" => 2, "low" => 1}
+
+            unless confidence_order.key?(min_confidence)
+              warn "Warning: Invalid confidence level '#{min_confidence}'. " \
+                   "Valid values: high, medium, low. Defaulting to 'low'."
+            end
+
+            min_level = confidence_order[min_confidence] || 1
+
+            tokens.select do |token|
+              level = confidence_order[token.confidence] || 1
+              level >= min_level
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/ace/git/secrets/molecules/token_revoker.rb

@@ -0,0 +1,100 @@
+# frozen_string_literal: true
+
+module Ace
+  module Git
+    module Secrets
+      module Molecules
+        # Orchestrates token revocation across multiple services
+        # Routes tokens to appropriate service handlers
+        class TokenRevoker
+          attr_reader :api_client
+
+          # @param api_client [Atoms::ServiceApiClient, nil] API client for revocation
+          def initialize(api_client: nil)
+            @api_client = api_client || Atoms::ServiceApiClient.new
+          end
+
+          # Revoke multiple tokens
+          # @param tokens [Array<DetectedToken>] Tokens to revoke
+          # @param services [Array<String>, nil] Filter to specific services
+          # @return [Array<Models::RevocationResult>]
+          def revoke_all(tokens, services: nil)
+            tokens.map do |token|
+              next unless token.revocable?
+              next if services && !services.include?(token.revocation_service)
+
+              revoke_token(token)
+            end.compact
+          end
+
+          # Revoke a single token
+          # @param token [DetectedToken] Token to revoke
+          # @return [Models::RevocationResult]
+          def revoke_token(token)
+            service = token.revocation_service
+
+            unless service
+              return Models::RevocationResult.unsupported(token: token)
+            end
+
+            case service
+            when "github"
+              revoke_github(token)
+            when "anthropic", "openai", "aws"
+              # These services don't have public revocation APIs
+              manual_revocation_result(token, service)
+            else
+              Models::RevocationResult.unsupported(token: token, service: service)
+            end
+          end
+
+          # Get revocation instructions for a token
+          # @param token [DetectedToken] Token to get instructions for
+          # @return [Hash] Instructions hash
+          def revocation_instructions(token)
+            service = token.revocation_service
+            api_client.build_revocation_request(service, token.raw_value)
+          end
+
+          private
+
+          # Revoke GitHub token via API
+          # @param token [DetectedToken]
+          # @return [Models::RevocationResult]
+          def revoke_github(token)
+            result = api_client.revoke_github_token(token.raw_value)
+
+            if result[:success]
+              Models::RevocationResult.success(
+                token: token,
+                service: "github",
+                message: result[:message]
+              )
+            else
+              Models::RevocationResult.failure(
+                token: token,
+                service: "github",
+                message: result[:message]
+              )
+            end
+          end
+
+          # Create result for services requiring manual revocation
+          # @param token [DetectedToken]
+          # @param service [String]
+          # @return [Models::RevocationResult]
+          def manual_revocation_result(token, service)
+            instructions = api_client.build_revocation_request(service, token.raw_value)
+
+            Models::RevocationResult.new(
+              token: token,
+              service: service,
+              status: "skipped",
+              message: "Manual revocation required. #{instructions[:notes]} Visit: #{instructions[:url]}"
+            )
+          end
+        end
+      end
+    end
+  end
+end

data/lib/ace/git/secrets/organisms/history_cleaner.rb

@@ -0,0 +1,201 @@
+# frozen_string_literal: true
+
+require "ace/b36ts"
+
+module Ace
+  module Git
+    module Secrets
+      module Organisms
+        # Orchestrates the history cleaning workflow
+        # Combines scanning, confirmation, backup, and rewriting
+        #
+        # Requires gitleaks to be installed: brew install gitleaks
+        class HistoryCleaner
+          CONFIRMATION_TEXT = "REWRITE HISTORY"
+
+          attr_reader :rewriter, :scanner, :repository_path
+
+          # @param repository_path [String] Path to git repository
+          # @param gitleaks_config [String, nil] Path to gitleaks config file
+          # @param exclusions [Array<String>, nil] Glob patterns for files to exclude
+          def initialize(repository_path: ".", gitleaks_config: nil, exclusions: nil)
+            @repository_path = File.expand_path(repository_path)
+            @rewriter = Molecules::GitRewriter.new(repository_path: @repository_path)
+            @scanner = Molecules::HistoryScanner.new(
+              repository_path: @repository_path,
+              gitleaks_config: gitleaks_config,
+              exclusions: exclusions
+            )
+          end
+
+          # Clean tokens from history
+          # @param tokens [Array<DetectedToken>, nil] Tokens to remove (scans if nil)
+          # @param dry_run [Boolean] Preview only
+          # @param force [Boolean] Skip confirmation
+          # @param create_backup [Boolean] Create backup before rewriting
+          # @param backup_path [String, nil] Custom backup path
+          # @return [Hash] Result with :success, :message, :report keys
+          def clean(tokens: nil, dry_run: false, force: false, create_backup: true, backup_path: nil)
+            # Scan if tokens not provided (needed for both dry-run and actual run)
+            if tokens.nil?
+              report = scanner.scan
+              tokens = report.tokens
+            end
+
+            if tokens.empty?
+              return {
+                success: true,
+                message: "No tokens found to remove. Repository is clean.",
+                tokens_removed: 0
+              }
+            end
+
+            # Dry run - just show what would be removed (no rewriter needed)
+            if dry_run
+              return dry_run_result(tokens)
+            end
+
+            # Check prerequisites (only needed for actual rewrite)
+            unless rewriter.available?
+              return {
+                success: false,
+                message: Molecules::GitRewriter::FILTER_REPO_INSTALL_INSTRUCTIONS
+              }
+            end
+
+            unless rewriter.clean_working_directory?
+              return {
+                success: false,
+                message: "Working directory has uncommitted changes. Commit or stash first."
+              }
+            end
+
+            # Require confirmation unless forced
+            unless force
+              return {
+                success: false,
+                requires_confirmation: true,
+                message: confirmation_warning(tokens),
+                confirmation_text: CONFIRMATION_TEXT
+              }
+            end
+
+            # Create backup if requested
+            if create_backup
+              backup_result = create_repository_backup(backup_path)
+              unless backup_result[:success]
+                return {
+                  success: false,
+                  message: "Failed to create backup: #{backup_result[:message]}"
+                }
+              end
+              puts "Backup created at: #{backup_result[:path]}"
+            end
+
+            # Execute rewrite
+            result = rewriter.rewrite(tokens)
+
+            if result[:success]
+              {
+                success: true,
+                message: result[:message],
+                tokens_removed: tokens.size,
+                next_steps: post_rewrite_instructions
+              }
+            else
+              {
+                success: false,
+                message: result[:message]
+              }
+            end
+          end
+
+          # Validate confirmation text
+          # @param input [String] User input
+          # @return [Boolean]
+          def valid_confirmation?(input)
+            input.strip == CONFIRMATION_TEXT
+          end
+
+          private
+
+          # Generate dry run result
+          def dry_run_result(tokens)
+            {
+              success: true,
+              dry_run: true,
+              message: "Dry run: Would remove #{tokens.size} token(s) from history",
+              tokens: tokens.map do |t|
+                {
+                  type: t.token_type,
+                  masked_value: t.masked_value,
+                  file: t.file_path,
+                  commit: t.short_commit
+                }
+              end
+            }
+          end
+
+          # Generate confirmation warning
+          def confirmation_warning(tokens)
+            <<~WARNING
+              WARNING: This operation will rewrite Git history.
+
+              This action:
+              - Is IRREVERSIBLE (without backup)
+              - Will change commit SHAs
+              - Requires all collaborators to re-clone after completion
+              - Should only be done after revoking the tokens
+
+              Tokens to be removed: #{tokens.size}
+
+              To proceed, type exactly: #{CONFIRMATION_TEXT}
+            WARNING
+          end
+
+          # Create repository backup
+          def create_repository_backup(custom_path)
+            backup_path = custom_path || generate_backup_path
+
+            if rewriter.create_backup(backup_path)
+              {success: true, path: backup_path}
+            else
+              {success: false, message: "Could not create mirror clone"}
+            end
+          end
+
+          # Generate default backup path
+          def generate_backup_path
+            session_id = Ace::B36ts.encode(Time.now)
+            repo_name = File.basename(repository_path)
+            File.join(File.dirname(repository_path), "#{repo_name}-backup-#{session_id}.git")
+          end
+
+          # Instructions after successful rewrite
+          def post_rewrite_instructions
+            <<~INSTRUCTIONS
+
+              History has been rewritten successfully.
+
+              IMPORTANT: Complete these steps:
+
+              1. Verify the changes:
+                 git log --oneline -20
+
+              2. Force push to remote:
+                 git push --force-with-lease origin <branch>
+
+              3. Notify all collaborators to:
+                 - Delete their local clones
+                 - Re-clone the repository
+
+              4. If you created a backup, you can safely delete it after
+                 confirming everything works correctly.
+
+            INSTRUCTIONS
+          end
+        end
+      end
+    end
+  end
+end