zwischen 0.1.0

data/lib/zwischen/cli.rb

@@ -0,0 +1,225 @@
+# frozen_string_literal: true
+
+require "thor"
+require "json"
+require "colorize"
+require "pathname"
+
+module Zwischen
+  class CLI < Thor
+    # Disable Thor's pager to prevent help from hanging
+    def self.exit_on_failure?
+      true
+    end
+
+    # Disable pager for help output
+    def help(command = nil, subcommand = false)
+      ENV["THOR_PAGER"] = "cat" if ENV["THOR_PAGER"].nil?
+      super
+    end
+
+    desc "init", "Initialize Zwischen configuration"
+    def init
+      Setup.run
+    end
+
+    desc "doctor", "Check if required tools are installed"
+    def doctor
+      installer = Installer.new
+      puts "\n" + "=" * 60
+      puts "Zwischen Doctor - Tool Status".colorize(:bold)
+      puts "=" * 60 + "\n"
+
+      tools = {
+        "gitleaks" => "Secrets detection",
+        "semgrep" => "Static analysis"
+      }
+
+      all_installed = true
+
+      tools.each do |tool_name, description|
+        # Check both ~/.zwischen/bin/ and system PATH
+        local_path = File.join(File.expand_path("~/.zwischen/bin"), tool_name)
+        installed = File.executable?(local_path) || installer.check_tool(tool_name)
+
+        if installed
+          # Get version from the correct path
+          executable = File.executable?(local_path) ? local_path : tool_name
+          version = begin
+            `#{executable} --version 2>/dev/null`.strip.split("\n").first
+          rescue
+            nil
+          end
+
+          puts "✓ #{tool_name}".colorize(:green) + " - #{description}"
+          puts "  Version: #{version}" if version && !version.empty?
+          puts "  Location: #{executable}" if File.executable?(local_path)
+        else
+          all_installed = false
+          puts "✗ #{tool_name}".colorize(:red) + " - #{description} - NOT FOUND"
+          puts "  → #{installer.preferred_command(tool_name)}"
+        end
+        puts ""
+      end
+
+      if all_installed
+        puts "✅ All tools are installed and ready!".colorize(:green)
+      else
+        puts "⚠️  Some tools are missing. Install them using the commands above.".colorize(:yellow)
+      end
+
+      puts ""
+    end
+
+    desc "scan", "Run security scan"
+    method_option :only, type: :string, desc: "Only run specific scanners (secrets,sast)"
+    method_option :ai, type: :string, desc: "Enable AI analysis (claude)"
+    method_option :"api-key", type: :string, desc: "API key for AI provider"
+    method_option :format, type: :string, default: "terminal", desc: "Output format (terminal, json, sarif)"
+    method_option :"pre-push", type: :boolean, desc: "Pre-push mode (quiet, compact output)"
+    method_option :changed, type: :boolean, desc: "Only scan files changed since the default branch"
+    def scan
+      config = Config.load
+      project = ProjectDetector.detect
+      pre_push = options[:"pre-push"]
+      quiet = pre_push || %w[json sarif].include?(options[:format])
+
+      # Suppress scanning message in pre-push/machine-readable modes
+      unless quiet
+        puts "🔍 Scanning #{project[:primary_type] || 'project'}...\n"
+      end
+
+      changed_files = nil
+      if pre_push || options[:changed]
+        changed_files = GitDiff.changed_files
+        changed_files = changed_files.select do |path|
+          candidate = path
+          candidate = File.join(project[:root], candidate) unless Pathname.new(candidate).absolute?
+          File.file?(candidate)
+        end
+
+        if changed_files.empty?
+          puts Reporter::Sarif.report({ findings: [] }, project_root: project[:root]) if options[:format] == "sarif"
+          exit 0
+        end
+      end
+
+      # Run scanners
+      orchestrator = Scanner::Orchestrator.new(config: config)
+      findings = orchestrator.scan(project[:root], only: options[:only], pre_push: pre_push, files: changed_files)
+
+      # Filter findings to changed files in pre-push/--changed mode
+      # Note: This is a safety net. Scanners receive the file list and should only scan those,
+      # but some scanners (like gitleaks) may return paths in different formats. This ensures
+      # we only report findings for files the developer actually changed.
+      if changed_files
+        findings = GitDiff.filter_findings(findings: findings, changed_files: changed_files)
+      end
+
+      if findings.empty?
+        # In pre-push mode, exit silently (no output)
+        if options[:format] == "sarif"
+          puts Reporter::Sarif.report({ findings: [] }, project_root: project[:root])
+        elsif !quiet
+          puts "✅ No issues found.".colorize(:green)
+        end
+        exit 0
+      end
+
+      # Aggregate findings
+      aggregated = Finding::Aggregator.aggregate(findings)
+
+      # Determine AI provider
+      provider = if options[:ai] && !options[:ai].empty? && options[:ai] != "true"
+                   options[:ai]
+                 else
+                   config.ai_provider
+                 end
+
+      # AI analysis if enabled
+      ai_enabled = if pre_push
+        # In pre-push mode, use config to determine AI
+        config.ai_pre_push_enabled?
+      else
+        # Manual scan: use flag or config
+        !options[:ai].nil? || config.ai_enabled?
+      end
+
+      if ai_enabled
+        begin
+          unless quiet
+            puts "🤖 Analyzing findings with AI (#{provider})...\n"
+          end
+          
+          api_key = options[:"api-key"] || config.ai_api_key(provider)
+          provider_config = config.ai_provider_config(provider)
+
+          analyzer = AI::Analyzer.new(
+            provider: provider,
+            api_key: api_key,
+            config: provider_config,
+            project_context: project
+          )
+          enhanced_findings = analyzer.analyze(aggregated[:findings])
+          aggregated = Finding::Aggregator.aggregate(enhanced_findings)
+        rescue AI::Error => e
+          warn "⚠️  AI analysis unavailable: #{e.message}" unless pre_push
+          # In pre-push mode, continue silently without AI
+        end
+      end
+
+      # Report results
+      if options[:format] == "json"
+        require "json"
+        puts JSON.pretty_generate({
+          summary: aggregated[:summary],
+          findings: aggregated[:findings].map(&:to_h)
+        })
+        blocking_severity = config.blocking_severity
+        exit_code = aggregated[:findings].any? { |f| should_block?(f, blocking_severity, ai_enabled) } ? 1 : 0
+        exit exit_code
+      elsif options[:format] == "sarif"
+        puts Reporter::Sarif.report(aggregated, project_root: project[:root])
+        blocking_severity = config.blocking_severity
+        exit_code = aggregated[:findings].any? { |f| should_block?(f, blocking_severity, ai_enabled) } ? 1 : 0
+        exit exit_code
+      else
+        if pre_push
+          exit_code = Reporter::Terminal.report_compact(aggregated, config: config, ai_enabled: ai_enabled)
+        else
+          exit_code = Reporter::Terminal.report(aggregated, ai_enabled: ai_enabled)
+        end
+        exit exit_code
+      end
+    rescue StandardError => e
+      puts "❌ Error: #{e.message}".colorize(:red)
+      puts e.backtrace if ENV["DEBUG"]
+      exit 1
+    end
+
+    desc "uninstall", "Remove Zwischen git hook and optionally config"
+    def uninstall
+      Setup.uninstall
+    end
+
+    default_task :scan
+
+    private
+
+    def should_block?(finding, blocking_severity, ai_enabled)
+      return false if ai_enabled && finding.raw_data["ai_false_positive"]
+
+      case blocking_severity
+      when "critical"
+        finding.critical?
+      when "high"
+        finding.critical? || finding.high?
+      when "none"
+        false
+      else
+        # Default: block on high or critical
+        finding.critical? || finding.high?
+      end
+    end
+  end
+end

data/lib/zwischen/config.rb

@@ -0,0 +1,159 @@
+# frozen_string_literal: true
+
+require "yaml"
+require "fileutils"
+
+module Zwischen
+  class Config
+    DEFAULT_CONFIG = {
+      "ai" => {
+        "enabled" => true,
+        "pre_push_enabled" => false,
+        "provider" => "claude",
+        "api_key" => nil,
+        "ollama" => {
+          "model" => "llama3",
+          "url" => "http://localhost:11434/api/chat"
+        },
+        "openai" => {
+          "model" => "gpt-4"
+        }
+      },
+      "blocking" => {
+        "severity" => "high"  # high, critical, or none
+      },
+      "scanners" => {
+        "gitleaks" => { "enabled" => true },
+        "semgrep" => { "enabled" => true, "config" => "p/security-audit" }
+      },
+      "ignore" => [
+        "**/node_modules/**",
+        "**/vendor/**",
+        "**/.git/**",
+        "**/dist/**",
+        "**/build/**",
+        "**/test/fixtures/**"
+      ],
+      "severity" => {
+        "fail_on" => ["critical", "high"]
+      }
+    }.freeze
+
+    CONFIG_FILE = ".zwischen.yml"
+
+    def self.load(project_root = Dir.pwd)
+      config_path = File.join(project_root, CONFIG_FILE)
+      config = DEFAULT_CONFIG.dup
+
+      if File.exist?(config_path)
+        user_config = YAML.safe_load(File.read(config_path))
+        config = deep_merge(config, user_config) if user_config
+      end
+
+      new(config)
+    end
+
+    def self.init(project_root = Dir.pwd, quiet: false)
+      config_path = File.join(project_root, CONFIG_FILE)
+      example_path = File.join(File.dirname(__dir__), "..", ".zwischen.yml.example")
+
+      if File.exist?(config_path)
+        puts "Configuration file already exists at #{config_path}" unless quiet
+        return false
+      end
+
+      if File.exist?(example_path)
+        FileUtils.cp(example_path, config_path)
+        puts "Created #{config_path} from example" unless quiet
+      else
+        File.write(config_path, DEFAULT_CONFIG.to_yaml)
+        puts "Created #{config_path} with default configuration" unless quiet
+      end
+
+      true
+    end
+
+    def initialize(config = {})
+      @config = DEFAULT_CONFIG.merge(config)
+    end
+
+    def ai_provider
+      @config.dig("ai", "provider") || "claude"
+    end
+
+    def ai_enabled?
+      # Default to true if provider is set, otherwise check explicit enabled flag
+      provider = ai_provider
+      enabled = @config.dig("ai", "enabled")
+      enabled.nil? ? !provider.nil? : enabled
+    end
+
+    def ai_pre_push_enabled?
+      @config.dig("ai", "pre_push_enabled") == true
+    end
+
+    def ai_api_key(provider = ai_provider)
+      # Check credentials first, then config
+      begin
+        require_relative "credentials"
+        api_key = Credentials.get_api_key(provider)
+        return api_key if api_key
+      rescue LoadError, NameError
+        # Credentials not available, fall through to config
+      end
+      @config.dig("ai", "api_key")
+    end
+
+    def ai_provider_config(provider = ai_provider)
+      @config.dig("ai", provider) || {}
+    end
+
+    def blocking_severity
+      @config.dig("blocking", "severity") || "high"
+    end
+
+    def scanner_enabled?(scanner)
+      scanner_config = @config.dig("scanners", scanner.to_s)
+      # Handle both formats: "gitleaks: true" (boolean) and "gitleaks: { enabled: true }" (hash)
+      case scanner_config
+      when true, false
+        scanner_config
+      when Hash
+        scanner_config["enabled"] != false
+      else
+        # Default to enabled if not specified
+        true
+      end
+    end
+
+    def semgrep_config
+      semgrep_config = @config.dig("scanners", "semgrep")
+      # Handle both formats: "semgrep: true" (boolean) and "semgrep: { enabled: true, config: '...' }" (hash)
+      if semgrep_config.is_a?(Hash)
+        semgrep_config["config"] || "p/security-audit"
+      else
+        "p/security-audit"
+      end
+    end
+
+    def ignored_paths
+      @config["ignore"] || []
+    end
+
+    def fail_on_severities
+      @config.dig("severity", "fail_on") || ["critical", "high"]
+    end
+
+    private
+
+    def self.deep_merge(base, override)
+      base.merge(override) do |_key, base_val, override_val|
+        if base_val.is_a?(Hash) && override_val.is_a?(Hash)
+          deep_merge(base_val, override_val)
+        else
+          override_val
+        end
+      end
+    end
+  end
+end

data/lib/zwischen/credentials.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require "yaml"
+require "fileutils"
+
+module Zwischen
+  class Credentials
+    PROVIDER_ENV_VARS = {
+      "claude" => "ANTHROPIC_API_KEY",
+      "openai" => "OPENAI_API_KEY"
+    }.freeze
+
+    PROVIDER_KEYS = {
+      "claude" => "anthropic_api_key",
+      "openai" => "openai_api_key"
+    }.freeze
+
+    def self.credentials_path
+      File.join(Dir.home, ".zwischen", "credentials")
+    end
+
+    def self.ensure_directory
+      dir = File.dirname(credentials_path)
+      FileUtils.mkdir_p(dir) unless File.directory?(dir)
+    end
+
+    def self.load
+      return {} unless File.exist?(credentials_path)
+
+      YAML.safe_load(File.read(credentials_path)) || {}
+    rescue StandardError => e
+      warn "Failed to load credentials: #{e.message}"
+      {}
+    end
+
+    def self.save(provider: "claude", api_key:)
+      ensure_directory
+
+      credentials = load
+      
+      key_name = PROVIDER_KEYS[provider]
+      if key_name
+        credentials[key_name] = api_key
+      else
+        warn "Unknown provider: #{provider}"
+      end
+
+      File.write(credentials_path, credentials.to_yaml)
+      File.chmod(0o600, credentials_path)
+    rescue StandardError => e
+      warn "Failed to save credentials: #{e.message}"
+      raise
+    end
+
+    def self.get_api_key(provider = "claude")
+      # Priority: ENV var > credentials file
+      env_var = PROVIDER_ENV_VARS[provider]
+      env_value = env_var && ENV[env_var]
+      return env_value if env_value && !env_value.strip.empty?
+
+      key_name = PROVIDER_KEYS[provider]
+      return nil unless key_name
+
+      credentials = load
+      credentials[key_name]
+    end
+  end
+end

data/lib/zwischen/finding/aggregator.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+require_relative "finding"
+
+module Zwischen
+  module Finding
+    class Aggregator
+      SEVERITY_ORDER = { "critical" => 0, "high" => 1, "medium" => 2, "low" => 3, "info" => 4 }.freeze
+
+      def self.aggregate(findings)
+        new.aggregate(findings)
+      end
+
+      def aggregate(findings)
+        normalized = normalize_severities(findings)
+        deduplicated = deduplicate(normalized)
+        sorted = sort_by_severity(deduplicated)
+        grouped = group_by_file(sorted)
+
+        {
+          findings: sorted,
+          grouped: grouped,
+          summary: build_summary(sorted)
+        }
+      end
+
+      private
+
+      def normalize_severities(findings)
+        findings.map do |finding|
+          # Severity is already normalized in Finding class
+          finding
+        end
+      end
+
+      def deduplicate(findings)
+        seen = {}
+        findings.select do |finding|
+          key = "#{finding.file}:#{finding.line}:#{finding.rule_id}"
+          if seen[key]
+            false
+          else
+            seen[key] = true
+            true
+          end
+        end
+      end
+
+      def sort_by_severity(findings)
+        findings.sort_by do |finding|
+          [
+            SEVERITY_ORDER[finding.severity] || 99,
+            finding.file,
+            finding.line || 0
+          ]
+        end
+      end
+
+      def group_by_file(findings)
+        findings.group_by(&:file)
+      end
+
+      def build_summary(findings)
+        summary = {
+          total: findings.length,
+          by_severity: {}
+        }
+
+        Finding::SEVERITY_LEVELS.each do |severity|
+          count = findings.count { |f| f.severity == severity }
+          summary[:by_severity][severity] = count if count > 0
+        end
+
+        summary
+      end
+    end
+  end
+end

data/lib/zwischen/finding/finding.rb

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+
+module Zwischen
+  module Finding
+    class Finding
+      attr_reader :type, :scanner, :severity, :file, :line, :message, :rule_id, :code_snippet, :raw_data
+
+      SEVERITY_LEVELS = %w[critical high medium low info].freeze
+
+      def initialize(
+        type:,
+        scanner:,
+        severity:,
+        file:,
+        line: nil,
+        message:,
+        rule_id: nil,
+        code_snippet: nil,
+        raw_data: {}
+      )
+        @type = type.to_s
+        @scanner = scanner.to_s
+        @severity = normalize_severity(severity)
+        @file = file.to_s
+        @line = line
+        @message = message.to_s
+        @rule_id = rule_id.to_s if rule_id
+        @code_snippet = code_snippet
+        @raw_data = raw_data
+      end
+
+      def to_h
+        {
+          type: @type,
+          scanner: @scanner,
+          severity: @severity,
+          file: @file,
+          line: @line,
+          message: @message,
+          rule_id: @rule_id,
+          code_snippet: @code_snippet,
+          raw_data: @raw_data
+        }
+      end
+
+      def to_json(*args)
+        require "json" unless defined?(JSON)
+        to_h.to_json(*args)
+      end
+
+      def critical?
+        @severity == "critical"
+      end
+
+      def high?
+        @severity == "high"
+      end
+
+      def should_fail?
+        critical? || high?
+      end
+
+      private
+
+      def normalize_severity(severity)
+        sev = severity.to_s.downcase
+        return sev if SEVERITY_LEVELS.include?(sev)
+
+        # Map common variations
+        case sev
+        when /critical|error|fatal/
+          "critical"
+        when /high|major/
+          "high"
+        when /medium|moderate|warning/
+          "medium"
+        when /low|minor|info/
+          "low"
+        else
+          "info"
+        end
+      end
+    end
+  end
+end

data/lib/zwischen/git_diff.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+require "pathname"
+
+module Zwischen
+  class GitDiff
+    def self.default_branch
+      # Try remote HEAD first (most reliable)
+      result = `git remote show origin 2>/dev/null | grep 'HEAD branch'`.strip
+      return result.split.last if $?.success? && !result.empty?
+
+      # Fallback: check if main or master exists locally
+      return "main" if system("git show-ref --verify --quiet refs/heads/main >/dev/null 2>&1")
+      return "master" if system("git show-ref --verify --quiet refs/heads/master >/dev/null 2>&1")
+
+      # Last resort
+      "HEAD"
+    end
+
+    def self.changed_files(remote: nil, local: "HEAD")
+      branch = remote || default_branch
+      remote_ref = "origin/#{branch}"
+
+      # Try remote diff first
+      files = `git diff --name-only #{remote_ref}...#{local} 2>/dev/null`.strip.split("\n")
+      return files.reject(&:empty?) if $?.success? && !files.empty?
+
+      # Fallback: local diff
+      files = `git diff --name-only HEAD@{1}...#{local} 2>/dev/null`.strip.split("\n")
+      return files.reject(&:empty?) if $?.success?
+
+      []
+    rescue StandardError => e
+      warn "Failed to get changed files: #{e.message}" if ENV["DEBUG"]
+      []
+    end
+
+    def self.filter_findings(findings:, changed_files:)
+      return findings if changed_files.empty?
+
+      # Normalize paths for comparison
+      # - Remove leading ./
+      # - Convert backslashes to forward slashes
+      # - Make relative to project root if absolute
+      project_root = Dir.pwd
+      normalized_changed = changed_files.map do |f|
+        path = f.sub(/^\.\//, "").gsub("\\", "/")
+        # If absolute, make relative to project root
+        if Pathname.new(path).absolute?
+          begin
+            Pathname.new(path).relative_path_from(Pathname.new(project_root)).to_s
+          rescue ArgumentError
+            path
+          end
+        else
+          path
+        end
+      end
+
+      findings.select do |f|
+        file_path = f.file.sub(/^\.\//, "").gsub("\\", "/")
+        # If absolute, make relative to project root
+        if Pathname.new(file_path).absolute?
+          begin
+            file_path = Pathname.new(file_path).relative_path_from(Pathname.new(project_root)).to_s
+          rescue ArgumentError
+            # Keep original if can't make relative
+          end
+        end
+        normalized_changed.include?(file_path)
+      end
+    end
+  end
+end