zwischen 0.1.0

data/lib/zwischen/hooks.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+require "fileutils"
+
+module Zwischen
+  class Hooks
+    HOOK_MARKER = "Zwischen pre-push hook"
+
+    def self.hook_path(project_root = Dir.pwd)
+      File.join(project_root, ".git", "hooks", "pre-push")
+    end
+
+    def self.zwischen_hook?(hook_path)
+      return false unless File.exist?(hook_path)
+
+      File.read(hook_path).include?(HOOK_MARKER)
+    end
+
+    def self.installed?(project_root = Dir.pwd)
+      path = hook_path(project_root)
+      zwischen_hook?(path)
+    end
+
+    def self.install(project_root = Dir.pwd)
+      path = hook_path(project_root)
+      hooks_dir = File.dirname(path)
+
+      # Ensure hooks directory exists
+      FileUtils.mkdir_p(hooks_dir) unless File.directory?(hooks_dir)
+
+      hook_content = <<~HOOK
+        #!/usr/bin/env bash
+        # #{HOOK_MARKER} - installed by 'zwischen init'
+
+        if [ "$ZWISCHEN_SKIP" = "1" ]; then
+          exit 0
+        fi
+
+        zwischen scan --pre-push
+        exit $?
+      HOOK
+
+      File.write(path, hook_content)
+      File.chmod(0o755, path)
+
+      true
+    end
+
+    def self.handle_existing_hook(hook_path, shell)
+      return :skip unless File.exist?(hook_path)
+      return :install if zwischen_hook?(hook_path) # Already a Zwischen hook, can overwrite
+
+      shell.say("\n⚠️  A pre-push hook already exists at #{hook_path}", :yellow)
+      choice = shell.ask("What would you like to do?", limited_to: %w[backup append skip], default: "backup")
+
+      case choice
+      when "backup"
+        backup_path = "#{hook_path}.zwischen.backup"
+        FileUtils.cp(hook_path, backup_path)
+        shell.say("  ✓ Backed up to #{backup_path}", :green)
+        :install
+      when "append"
+        existing_content = File.read(hook_path)
+        new_content = <<~APPEND
+          #{existing_content}
+
+          # #{HOOK_MARKER} - appended by 'zwischen init'
+          if [ "$ZWISCHEN_SKIP" = "1" ]; then
+            exit 0
+          fi
+
+          zwischen scan --pre-push || exit $?
+        APPEND
+        File.write(hook_path, new_content)
+        File.chmod(0o755, hook_path)
+        shell.say("  ✓ Appended Zwischen check to existing hook", :green)
+        :skip # Don't install new hook, already appended
+      when "skip"
+        shell.say("  ↳ Skipping hook installation", :yellow)
+        :skip
+      end
+    end
+
+    def self.uninstall(project_root = Dir.pwd)
+      path = hook_path(project_root)
+      return false unless File.exist?(path)
+      return false unless zwischen_hook?(path)
+
+      File.delete(path)
+      true
+    end
+  end
+end

data/lib/zwischen/installer.rb

@@ -0,0 +1,215 @@
+# frozen_string_literal: true
+
+require "open3"
+require "rbconfig"
+require "net/http"
+require "json"
+require "fileutils"
+
+module Zwischen
+  class Installer
+    ZWISCHEN_BIN_DIR = File.expand_path("~/.zwischen/bin")
+    GITLEAKS_REPO = "gitleaks/gitleaks"
+
+    PLATFORMS = {
+      darwin: "macos",
+      linux: "linux",
+      mingw: "windows",
+      mswin: "windows"
+    }.freeze
+
+    # Map Ruby platform to gitleaks release naming
+    GITLEAKS_PLATFORMS = {
+      "linux" => "linux",
+      "macos" => "darwin"
+    }.freeze
+
+    GITLEAKS_ARCHS = {
+      "x86_64" => "x64",
+      "amd64" => "x64",
+      "aarch64" => "arm64",
+      "arm64" => "arm64"
+    }.freeze
+
+    INSTALL_COMMANDS = {
+      gitleaks: {
+        macos: {
+          brew: "brew install gitleaks",
+          manual: "Visit https://github.com/gitleaks/gitleaks/releases"
+        },
+        linux: {
+          brew: "brew install gitleaks",
+          manual: "Visit https://github.com/gitleaks/gitleaks/releases"
+        },
+        windows: {
+          manual: "Visit https://github.com/gitleaks/gitleaks/releases"
+        }
+      },
+      semgrep: {
+        macos: {
+          brew: "brew install semgrep",
+          pip: "pip install semgrep",
+          manual: "Visit https://semgrep.dev/docs/getting-started/"
+        },
+        linux: {
+          pip: "pip install semgrep",
+          pipx: "pipx install semgrep",
+          manual: "Visit https://semgrep.dev/docs/getting-started/"
+        },
+        windows: {
+          pip: "pip install semgrep",
+          manual: "Visit https://semgrep.dev/docs/getting-started/"
+        }
+      }
+    }.freeze
+
+    def self.platform
+      new.platform
+    end
+
+    def self.install_commands(tool, platform = nil)
+      new.install_commands(tool, platform)
+    end
+
+    def platform
+      host_os = RbConfig::CONFIG["host_os"].downcase
+      case host_os
+      when /darwin/
+        "macos"
+      when /linux/
+        "linux"
+      when /mingw|mswin/
+        "windows"
+      else
+        "unknown"
+      end
+    end
+
+    def install_commands(tool, platform = nil)
+      platform ||= self.platform
+      INSTALL_COMMANDS.dig(tool.to_sym, platform.to_sym) || {}
+    end
+
+    def preferred_command(tool, platform = nil)
+      platform ||= self.platform
+      commands = install_commands(tool, platform)
+
+      # Prefer brew on macOS, pip on Linux
+      if platform == "macos" && commands[:brew]
+        commands[:brew]
+      elsif commands[:pip]
+        commands[:pip]
+      elsif commands[:brew]
+        commands[:brew]
+      else
+        commands[:manual]
+      end
+    end
+
+    def check_tool(tool_name)
+      system("which", tool_name, out: File::NULL, err: File::NULL)
+    end
+
+    def get_version(tool_name)
+      return nil unless check_tool(tool_name)
+
+      stdout, _stderr, status = Open3.capture3(tool_name, "--version")
+      return nil unless status.success?
+
+      stdout.strip.split("\n").first
+    rescue StandardError
+      nil
+    end
+
+    # Auto-install gitleaks binary if not present
+    def auto_install_gitleaks
+      return true if gitleaks_available?
+
+      FileUtils.mkdir_p(ZWISCHEN_BIN_DIR)
+
+      release = fetch_latest_gitleaks_release
+      return false unless release
+
+      asset = find_gitleaks_asset(release)
+      return false unless asset
+
+      download_and_extract_gitleaks(asset)
+    end
+
+    # Check if gitleaks is available (local or system)
+    def gitleaks_available?
+      !gitleaks_path.nil?
+    end
+
+    # Get path to gitleaks executable (local install or system)
+    def gitleaks_path
+      local = File.join(ZWISCHEN_BIN_DIR, "gitleaks")
+      return local if File.executable?(local)
+
+      check_tool("gitleaks") ? "gitleaks" : nil
+    end
+
+    private
+
+    def fetch_latest_gitleaks_release
+      uri = URI("https://api.github.com/repos/#{GITLEAKS_REPO}/releases/latest")
+      http = Net::HTTP.new(uri.host, uri.port)
+      http.use_ssl = true
+
+      request = Net::HTTP::Get.new(uri)
+      request["Accept"] = "application/vnd.github.v3+json"
+      request["User-Agent"] = "Zwischen"
+
+      response = http.request(request)
+      return nil unless response.is_a?(Net::HTTPSuccess)
+
+      JSON.parse(response.body)
+    rescue StandardError => e
+      warn "Failed to fetch gitleaks release: #{e.message}" if ENV["DEBUG"]
+      nil
+    end
+
+    def find_gitleaks_asset(release)
+      gitleaks_platform = GITLEAKS_PLATFORMS[platform]
+      return nil unless gitleaks_platform
+
+      arch = GITLEAKS_ARCHS[RbConfig::CONFIG["host_cpu"]] || "x64"
+
+      # Asset name pattern: gitleaks_8.18.0_linux_x64.tar.gz
+      pattern = /gitleaks_.*_#{gitleaks_platform}_#{arch}\.tar\.gz$/
+
+      release["assets"]&.find { |a| a["name"] =~ pattern }
+    end
+
+    def download_and_extract_gitleaks(asset)
+      require "open-uri"
+      require "rubygems/package"
+      require "zlib"
+      require "stringio"
+
+      download_url = asset["browser_download_url"]
+      target_path = File.join(ZWISCHEN_BIN_DIR, "gitleaks")
+
+      # Download tarball
+      tarball = URI.open(download_url, "User-Agent" => "Zwischen").read
+
+      # Extract gitleaks binary from tar.gz
+      Zlib::GzipReader.wrap(StringIO.new(tarball)) do |gz|
+        Gem::Package::TarReader.new(gz) do |tar|
+          tar.each do |entry|
+            if entry.full_name == "gitleaks"
+              File.open(target_path, "wb") { |f| f.write(entry.read) }
+              File.chmod(0o755, target_path)
+              return true
+            end
+          end
+        end
+      end
+
+      false
+    rescue StandardError => e
+      warn "Failed to install gitleaks: #{e.message}" if ENV["DEBUG"]
+      false
+    end
+  end
+end

data/lib/zwischen/project_detector.rb

@@ -0,0 +1,217 @@
+# frozen_string_literal: true
+
+require "json"
+require "yaml"
+
+module Zwischen
+  class ProjectDetector
+    # Base detection patterns for runtime/language
+    DETECTION_PATTERNS = {
+      "node" => ["package.json"],
+      "python" => ["requirements.txt", "pyproject.toml", "setup.py", "Pipfile", "poetry.lock"],
+      "ruby" => ["Gemfile", "Rakefile"],
+      "go" => ["go.mod", "go.sum"],
+      "java" => ["pom.xml", "build.gradle", "build.gradle.kts"],
+      "rust" => ["Cargo.toml", "Cargo.lock"],
+      "php" => ["composer.json"],
+      "dotnet" => ["*.csproj", "*.sln", "*.fsproj"]
+    }.freeze
+
+    # Framework detection in package.json dependencies
+    JS_FRAMEWORKS = {
+      "nextjs" => ["next"],
+      "react" => ["react"],
+      "vue" => ["vue"],
+      "angular" => ["@angular/core"],
+      "svelte" => ["svelte"],
+      "express" => ["express"],
+      "nestjs" => ["@nestjs/core"],
+      "nuxt" => ["nuxt"],
+      "remix" => ["@remix-run/react"],
+      "astro" => ["astro"],
+      "gatsby" => ["gatsby"]
+    }.freeze
+
+    # Framework detection in Python dependencies
+    PYTHON_FRAMEWORKS = {
+      "django" => ["django", "Django"],
+      "fastapi" => ["fastapi", "FastAPI"],
+      "flask" => ["flask", "Flask"],
+      "pyramid" => ["pyramid"],
+      "tornado" => ["tornado"],
+      "starlette" => ["starlette"],
+      "streamlit" => ["streamlit"],
+      "jupyter" => ["jupyter", "jupyterlab", "notebook"]
+    }.freeze
+
+    # Framework detection in Gemfile
+    RUBY_FRAMEWORKS = {
+      "rails" => ["rails"],
+      "sinatra" => ["sinatra"],
+      "hanami" => ["hanami"],
+      "grape" => ["grape"],
+      "roda" => ["roda"]
+    }.freeze
+
+    # Map frameworks to primary language
+    FRAMEWORK_LANGUAGES = {
+      "nextjs" => "javascript", "react" => "javascript", "vue" => "javascript",
+      "angular" => "typescript", "svelte" => "javascript", "express" => "javascript",
+      "nestjs" => "typescript", "nuxt" => "javascript", "remix" => "javascript",
+      "astro" => "javascript", "gatsby" => "javascript",
+      "django" => "python", "fastapi" => "python", "flask" => "python",
+      "pyramid" => "python", "tornado" => "python", "starlette" => "python",
+      "streamlit" => "python", "jupyter" => "python",
+      "rails" => "ruby", "sinatra" => "ruby", "hanami" => "ruby",
+      "grape" => "ruby", "roda" => "ruby"
+    }.freeze
+
+    def self.detect(project_root = Dir.pwd)
+      new(project_root).detect
+    end
+
+    def initialize(project_root = Dir.pwd)
+      @project_root = project_root
+    end
+
+    def detect
+      detected_types = detect_base_types
+      frameworks = detect_frameworks
+
+      # Determine primary type - prefer framework over base type
+      primary = frameworks.first || detected_types.first
+
+      # Determine language
+      language = if frameworks.any?
+                   FRAMEWORK_LANGUAGES[frameworks.first] || detected_types.first
+                 else
+                   detected_types.first
+                 end
+
+      {
+        types: detected_types,
+        primary_type: primary,
+        language: language || "unknown",
+        frameworks: frameworks,
+        root: @project_root
+      }
+    end
+
+    private
+
+    def detect_base_types
+      detected = []
+
+      DETECTION_PATTERNS.each do |type, patterns|
+        if patterns.any? { |pattern| matches_pattern?(pattern) }
+          detected << type
+        end
+      end
+
+      detected
+    end
+
+    def detect_frameworks
+      frameworks = []
+
+      # Detect JS frameworks from package.json
+      frameworks.concat(detect_js_frameworks)
+
+      # Detect Python frameworks
+      frameworks.concat(detect_python_frameworks)
+
+      # Detect Ruby frameworks
+      frameworks.concat(detect_ruby_frameworks)
+
+      frameworks.uniq
+    end
+
+    def detect_js_frameworks
+      package_json_path = File.join(@project_root, "package.json")
+      return [] unless File.exist?(package_json_path)
+
+      begin
+        package = JSON.parse(File.read(package_json_path))
+        all_deps = (package["dependencies"] || {}).keys +
+                   (package["devDependencies"] || {}).keys
+
+        detected = []
+        JS_FRAMEWORKS.each do |framework, packages|
+          if packages.any? { |pkg| all_deps.include?(pkg) }
+            detected << framework
+          end
+        end
+
+        # Sort by specificity (Next.js before React, etc.)
+        sort_by_specificity(detected, %w[nextjs nuxt remix gatsby astro angular nestjs svelte vue react express])
+      rescue JSON::ParserError
+        []
+      end
+    end
+
+    def detect_python_frameworks
+      frameworks = []
+
+      # Check requirements.txt
+      req_path = File.join(@project_root, "requirements.txt")
+      if File.exist?(req_path)
+        content = File.read(req_path).downcase
+        frameworks.concat(match_python_deps(content))
+      end
+
+      # Check pyproject.toml
+      pyproject_path = File.join(@project_root, "pyproject.toml")
+      if File.exist?(pyproject_path)
+        content = File.read(pyproject_path).downcase
+        frameworks.concat(match_python_deps(content))
+      end
+
+      # Check Pipfile
+      pipfile_path = File.join(@project_root, "Pipfile")
+      if File.exist?(pipfile_path)
+        content = File.read(pipfile_path).downcase
+        frameworks.concat(match_python_deps(content))
+      end
+
+      sort_by_specificity(frameworks.uniq, %w[django fastapi flask pyramid tornado starlette streamlit jupyter])
+    end
+
+    def match_python_deps(content)
+      detected = []
+      PYTHON_FRAMEWORKS.each do |framework, packages|
+        if packages.any? { |pkg| content.include?(pkg.downcase) }
+          detected << framework
+        end
+      end
+      detected
+    end
+
+    def detect_ruby_frameworks
+      gemfile_path = File.join(@project_root, "Gemfile")
+      return [] unless File.exist?(gemfile_path)
+
+      content = File.read(gemfile_path).downcase
+      detected = []
+
+      RUBY_FRAMEWORKS.each do |framework, gems|
+        if gems.any? { |gem| content.include?("gem '#{gem}'") || content.include?("gem \"#{gem}\"") }
+          detected << framework
+        end
+      end
+
+      sort_by_specificity(detected, %w[rails hanami sinatra grape roda])
+    end
+
+    def sort_by_specificity(detected, priority_order)
+      detected.sort_by { |f| priority_order.index(f) || 999 }
+    end
+
+    def matches_pattern?(pattern)
+      if pattern.include?("*")
+        Dir.glob(File.join(@project_root, pattern)).any?
+      else
+        File.exist?(File.join(@project_root, pattern))
+      end
+    end
+  end
+end

data/lib/zwischen/reporter/sarif.rb

@@ -0,0 +1,115 @@
+# frozen_string_literal: true
+
+require "json"
+require_relative "../version"
+
+module Zwischen
+  module Reporter
+    # Renders findings as SARIF 2.1.0 for GitHub code scanning and other
+    # SARIF consumers (zwischen scan --format sarif).
+    class Sarif
+      SCHEMA = "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json"
+
+      SEVERITY_LEVELS = {
+        "critical" => "error",
+        "high" => "error",
+        "medium" => "warning",
+        "low" => "note",
+        "info" => "note"
+      }.freeze
+
+      # GitHub uses security-severity to bucket alerts (9.0+ critical, 7.0+ high...)
+      SECURITY_SEVERITY = {
+        "critical" => "9.5",
+        "high" => "8.0",
+        "medium" => "5.0",
+        "low" => "3.0",
+        "info" => "1.0"
+      }.freeze
+
+      def self.report(aggregated_results, project_root: Dir.pwd)
+        new(aggregated_results, project_root: project_root).render
+      end
+
+      def initialize(aggregated_results, project_root: Dir.pwd)
+        @findings = aggregated_results[:findings]
+        @project_root = project_root
+      end
+
+      def render
+        JSON.pretty_generate(
+          "$schema" => SCHEMA,
+          "version" => "2.1.0",
+          "runs" => [run]
+        )
+      end
+
+      private
+
+      def run
+        {
+          "tool" => {
+            "driver" => {
+              "name" => "Zwischen",
+              "version" => Zwischen::VERSION,
+              "informationUri" => "https://github.com/cjordan223/zwischen",
+              "rules" => rules
+            }
+          },
+          "results" => results
+        }
+      end
+
+      def rules
+        @findings.map { |f| rule_id(f) }.uniq.map do |id|
+          finding = @findings.find { |f| rule_id(f) == id }
+          {
+            "id" => id,
+            "shortDescription" => { "text" => finding.message },
+            "properties" => {
+              "security-severity" => SECURITY_SEVERITY.fetch(finding.severity, "5.0"),
+              "tags" => ["security", finding.type]
+            }
+          }
+        end
+      end
+
+      def results
+        @findings.map do |finding|
+          {
+            "ruleId" => rule_id(finding),
+            "level" => SEVERITY_LEVELS.fetch(finding.severity, "warning"),
+            "message" => { "text" => message_for(finding) },
+            "locations" => [{
+              "physicalLocation" => {
+                "artifactLocation" => { "uri" => relative_uri(finding.file) },
+                "region" => { "startLine" => [finding.line || 1, 1].max }
+              }
+            }]
+          }
+        end
+      end
+
+      def rule_id(finding)
+        finding.rule_id || "#{finding.scanner}/#{finding.type}"
+      end
+
+      def message_for(finding)
+        parts = [finding.message]
+        if finding.raw_data["ai_fix_suggestion"]
+          parts << "Fix: #{finding.raw_data['ai_fix_suggestion']}"
+        end
+        parts.join(" ")
+      end
+
+      def relative_uri(path)
+        expanded = File.expand_path(path.to_s)
+        roots = [@project_root, (File.realpath(@project_root) rescue @project_root)].uniq
+        roots.each do |root|
+          return expanded.delete_prefix("#{root}/") if expanded.start_with?("#{root}/")
+        end
+        path.to_s
+      end
+    end
+  end
+end