zwischen 0.1.0 → 0.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: beb48773e7ec58217010758614752399220a826e232e7af0c4b46a0ae603e304
-  data.tar.gz: 4bd6a34f9299e1e623843476523e13bd736c5c2c21c19b6e37029d9a63af2810
+  metadata.gz: bb7b4a9cea5d36d3f7fe7414f3034d5f3fc6eaa860cec2136b303e9bcea2877c
+  data.tar.gz: d45c2d6d9c962508996eca3a618fe54c3e0692dde54b6dad347f020d9251f346
 SHA512:
-  metadata.gz: 72d2fda3d959f4b2621e8011fb03359e70b08db713665f30bff2129a98b2c09f19d2243a191d2a07739dec397570eb13a1c924e9a2f4d4ff71331c94ede9df0a
-  data.tar.gz: 624e96024130b6ab369f2d137d294941808d98c331a6ec1f2ecb1830cdbd5a30750be67a5840d179fd05f7c8ca3b2196c2643a2e32aff2baea025fae2d5e47a7
+  metadata.gz: a02881f9e8f76961a655e5d054d91166c3f3842abb8e1ce9fa31252dc2cb742e1a4014699631dbf9116f06d5cc6ef347d54dec09c77313949a8d866b027c6646
+  data.tar.gz: bf3dd2d05ab9d21ba880f2d9990ced3d65d97ee5846ee2135d33372feedbd6a9a8c66a8f968e3750d268f475ddc1d1b090fdd1043a8567956c9072d42cbb8a01

data/.zwischen.yml.example

@@ -11,6 +11,7 @@ ai:
   ollama:
     model: llama3
     url: http://localhost:11434
+    # timeout: 180   # seconds; raise for large local models that load slowly
   
   openai:
     model: gpt-4
@@ -35,11 +36,10 @@ scanners:
   #   enabled: true
   # semgrep:
   #   enabled: true
-  #   config: p/security-audit  # Open ruleset, no login required
+  #   config: p/security-audit,p/expressjs  # Comma-separated open rulesets, no login required
   #   # Other options: p/secrets, p/owasp-top-ten, or path to custom ruleset
 
 # Ignored Paths — findings in matching paths are dropped before reporting.
-
 ignore:
   - "**/vendor/**"
   - "**/node_modules/**"

data/CHANGELOG.md

@@ -7,15 +7,44 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-## [0.1.0] - 2026-06-10
+## [0.1.1] - 2026-06-11
+
+### Fixed
+- `blocking.severity` is now honored by manual terminal scans — `critical`
+  and `none` previously behaved like `high` because the CLI never passed
+  config to the terminal reporter
+- Hooks install where git actually executes them: `core.hooksPath`
+  (husky/pre-commit setups) and linked worktrees are now resolved via
+  `git rev-parse --git-path hooks` — previously the hook was written to
+  `.git/hooks` and silently never ran under `core.hooksPath`, and
+  worktrees skipped installation entirely
+- `--format json` file paths are project-relative, matching terminal and
+  SARIF output
+- AI response parsing strips markdown code fences, so small local models
+  that wrap JSON in ``` blocks still produce annotations
+- npm/pip wrappers: `ignore:` globs are enforced, `--format json` emits
+  pure JSON with a `summary` key and relative paths, `--format sarif`
+  fails fast with a clear error, and pip `zwischen --version` no longer
+  crashes
+
+### Changed
+- `scan --changed` now includes staged and untracked files; pre-push
+  keeps committed-range semantics since only commits get pushed
+
+## [0.1.0] - 2026-06-11
 
 ### Added
 - Initial release
 - Gitleaks and Semgrep scanner orchestration with auto-install
 - AI-powered finding triage via Ollama, OpenAI, or Anthropic
 - Pre-push git hook that blocks pushes introducing secrets or security issues
+- `--changed` flag to scan only files changed since the default branch
+- SARIF 2.1.0 output (`--format sarif`) for GitHub code scanning
+- Composite GitHub Action (`uses: cjordan223/zwischen@main`)
+- Ignore globs in `.zwischen.yml` enforced at the orchestrator level
 - Project type detection (Next.js, React, Django, Rails, and more)
 - npm (`zwischen`) and pip (`zwischen-cli`) wrapper packages
 
-[Unreleased]: https://github.com/cjordan223/zwischen/compare/v0.1.0...HEAD
+[Unreleased]: https://github.com/cjordan223/zwischen/compare/v0.1.1...HEAD
+[0.1.1]: https://github.com/cjordan223/zwischen/compare/v0.1.0...v0.1.1
 [0.1.0]: https://github.com/cjordan223/zwischen/releases/tag/v0.1.0

data/DEVELOPMENT.md

@@ -20,7 +20,7 @@ bin/zwischen
         -> Scanner::Semgrep
      -> Finding::Aggregator
      -> AI::Analyzer, when enabled
-     -> Reporter::Terminal
+     -> Reporter::Terminal (or Reporter::Sarif for --format sarif)
 ```
 
 `zwischen init` follows a separate path:
@@ -34,7 +34,7 @@ CLI#init
      -> Config.init creates .zwischen.yml
 ```
 
-`zwischen scan --pre-push` uses `GitDiff.changed_files`, passes those files to scanner adapters, filters findings to changed files again as a safety net, and only prints compact output for blocking findings.
+`zwischen scan --pre-push` uses `GitDiff.changed_files`, passes those files to scanner adapters, filters findings to changed files again as a safety net, and only prints compact output for blocking findings. `zwischen scan --changed` applies the same changed-files scoping to a manual scan with full output.
 
 ## Config Contract
 
@@ -90,8 +90,8 @@ Package-wrapper parity changes:
 ## Known Iteration Points
 
 - Ruby `Hooks.handle_existing_hook` has backup/append/skip logic, but `Setup#install_hook` currently backs up and replaces existing non-Zwischen hooks directly.
-- Ruby config exposes `ignore` and `severity.fail_on`, but scanner adapters currently do not enforce ignore globs and blocking uses `blocking.severity`.
-- npm and pip wrappers do not yet match Ruby feature parity. They do not support `uninstall`, `--only`, Ruby's changed-file pre-push filtering, or the Ruby JSON summary shape.
+- Ruby config exposes `severity.fail_on`, but blocking decisions use `blocking.severity`. (`ignore` globs are enforced by the orchestrator.)
+- npm and pip wrappers do not yet match Ruby feature parity. They do not support `uninstall`, `--only`, `--changed`, `--format sarif`, Ruby's changed-file pre-push filtering, or the Ruby JSON summary shape.
 - npm and pip wrappers default AI provider to Ollama, while Ruby defaults to Claude.
 
 ## Verification
@@ -110,12 +110,12 @@ Installed-gem workflow:
 
 Then follow `TESTING.md` from a temporary directory outside this repository.
 
-npm wrapper smoke checks:
+npm wrapper smoke checks (mirrors CI):
 
 ```bash
 cd packages/npm
-npm test
 node bin/zwischen.js --help
+npm pack --dry-run
 ```
 
 pip wrapper smoke checks:
@@ -134,21 +134,23 @@ version tag:
 ```bash
 # bump lib/zwischen/version.rb, packages/npm/package.json,
 # packages/pip/pyproject.toml, and CHANGELOG.md first
-git tag v0.1.0
-git push origin v0.1.0
+git tag vX.Y.Z
+git push origin vX.Y.Z
 ```
 
-One-time registry setup (first release only):
+Registry setup (already configured as of v0.1.0; reference for new registries
+or token rotation):
 
-1. **RubyGems** — add a *pending trusted publisher* for the `zwischen` gem at
-   <https://rubygems.org/profile/oidc/pending_trusted_publishers>:
+1. **RubyGems** — trusted publisher on the `zwischen` gem:
    repository `cjordan223/zwischen`, workflow `release.yml`, environment `release`.
-2. **PyPI** — add a *pending trusted publisher* for the `zwischen-cli` project at
-   <https://pypi.org/manage/account/publishing/> with the same repository,
-   workflow, and environment. (The bare `zwischen` name is taken on PyPI by an
-   unrelated package, so the distribution is `zwischen-cli`; the installed
-   command is still `zwischen`.)
-3. **npm** — create an automation token at npmjs.com and save it as the
-   `NPM_TOKEN` repository secret.
-4. **GitHub** — create a `release` environment in the repo settings
-   (Settings → Environments) so the OIDC claims match.
+2. **PyPI** — trusted publisher on the `zwischen-cli` project, same
+   repository, workflow, and environment. (The bare `zwischen` name is taken
+   on PyPI by an unrelated package, so the distribution is `zwischen-cli`;
+   the installed command is still `zwischen`.)
+3. **npm** — granular access token saved as the `NPM_TOKEN` repository
+   secret. Must have read/write on the `zwischen` package and **bypass 2FA**
+   enabled, or CI publishes fail with `EOTP`. When rotating, set the secret
+   via the interactive prompt (`gh secret set NPM_TOKEN`) — never pass the
+   token as a command argument.
+4. **GitHub** — the `release` environment in repo settings, so OIDC claims
+   match the workflows.

data/README.md

@@ -67,8 +67,11 @@ model via Ollama.
 
 Manual scans use AI when `--ai` is passed or config enables it. Pre-push
 scans stay scanner-only unless `ai.pre_push_enabled: true` — blocking
-decisions should be fast and deterministic. The design rationale is in
-[docs/design.md](docs/design.md).
+decisions should be fast and deterministic. Annotation quality is
+model-dependent: larger models give reliably structured, accurate triage,
+while very small local models may fail to annotate. If AI is unavailable or
+unparseable, scans always fall back to raw findings. The design rationale
+is in [docs/design.md](docs/design.md).
 
 ## Commands
 
@@ -76,7 +79,7 @@ decisions should be fast and deterministic. The design rationale is in
 | --- | --- |
 | `zwischen init` | Installs/checks tools, creates config, installs pre-push hook (backs up an existing non-Zwischen hook). |
 | `zwischen scan` | Runs enabled scanners, prints a terminal report. |
-| `zwischen scan --changed` | Scans only files changed since the default branch. |
+| `zwischen scan --changed` | Scans only files changed since the default branch, including staged and untracked files. |
 | `zwischen scan --only secrets,sast` | Limits to Gitleaks (`secrets`) and/or Semgrep (`sast`). |
 | `zwischen scan --ai <provider>` | Adds AI prioritization, fix suggestions, false-positive detection. |
 | `zwischen scan --format json` | Machine-readable summary + findings. |
@@ -195,7 +198,7 @@ docs/                         Design write-up, triage example, demo GIF
 ## Development
 
 ```bash
-bundle exec rspec             # 196+ examples
+bundle exec rspec             # 212 examples
 ./scripts/test_as_gem.sh      # install and exercise as a real gem
 ```
 

data/TESTING.md

@@ -177,6 +177,30 @@ Expected:
 - Pre-push mode only reports findings from files returned by `GitDiff.changed_files`.
 - Uncommitted files outside that diff are not reported.
 
+### Test 3.5: SARIF Output
+
+```bash
+zwischen scan --format sarif
+```
+
+Expected:
+
+- Prints valid SARIF 2.1.0 JSON (`version`, `runs[0].tool.driver.name == "Zwischen"`).
+- File URIs are project-relative.
+- Exit code still reflects configured blocking behavior.
+- With no findings, prints an empty SARIF document and exits `0`.
+
+### Test 3.6: Changed-Only Manual Scan
+
+```bash
+zwischen scan --changed
+```
+
+Expected:
+
+- Only files changed since the default branch are scanned and reported.
+- Exits `0` silently when there are no changed files.
+
 ## Test Suite 4: Blocking Configuration
 
 ### Test 4.1: Default Blocking
@@ -347,6 +371,8 @@ Expected:
 - Test 3.2:
 - Test 3.3:
 - Test 3.4:
+- Test 3.5:
+- Test 3.6:
 - Test 4.1:
 - Test 4.2:
 - Test 4.3:

data/lib/zwischen/ai/analyzer.rb

@@ -80,9 +80,11 @@ module Zwischen
       end
 
       def enhance_findings(findings, ai_response)
-        # Try to parse JSON from the response
-        # Look for JSON object in the response
-        json_match = ai_response.match(/\{[\s\S]*\}/m)
+        # Models (especially small local ones) often wrap JSON in markdown
+        # fences or prose; strip fences first, then extract the outermost
+        # JSON object.
+        cleaned = ai_response.to_s.gsub(/```(?:json)?/i, "")
+        json_match = cleaned.match(/\{[\s\S]*\}/m)
         return findings unless json_match
 
         ai_analysis = JSON.parse(json_match[0])

data/lib/zwischen/cli.rb

@@ -91,7 +91,7 @@ module Zwischen
 
       changed_files = nil
       if pre_push || options[:changed]
-        changed_files = GitDiff.changed_files
+        changed_files = GitDiff.changed_files(include_working_tree: !pre_push)
         changed_files = changed_files.select do |path|
           candidate = path
           candidate = File.join(project[:root], candidate) unless Pathname.new(candidate).absolute?
@@ -173,7 +173,7 @@ module Zwischen
         require "json"
         puts JSON.pretty_generate({
           summary: aggregated[:summary],
-          findings: aggregated[:findings].map(&:to_h)
+          findings: aggregated[:findings].map { |f| f.to_h.merge(file: relative_path(f.file, project[:root])) }
         })
         blocking_severity = config.blocking_severity
         exit_code = aggregated[:findings].any? { |f| should_block?(f, blocking_severity, ai_enabled) } ? 1 : 0
@@ -187,7 +187,7 @@ module Zwischen
         if pre_push
           exit_code = Reporter::Terminal.report_compact(aggregated, config: config, ai_enabled: ai_enabled)
         else
-          exit_code = Reporter::Terminal.report(aggregated, ai_enabled: ai_enabled)
+          exit_code = Reporter::Terminal.report(aggregated, config: config, ai_enabled: ai_enabled)
         end
         exit exit_code
       end
@@ -206,6 +206,18 @@ module Zwischen
 
     private
 
+    # Scanners may emit absolute (and symlink-resolved) paths; report
+    # machine-readable output relative to the project root like the
+    # terminal and SARIF reporters do.
+    def relative_path(path, project_root)
+      expanded = File.expand_path(path.to_s)
+      roots = [project_root, (File.realpath(project_root) rescue project_root)].uniq
+      roots.each do |root|
+        return expanded.delete_prefix("#{root}/") if expanded.start_with?("#{root}/")
+      end
+      path.to_s
+    end
+
     def should_block?(finding, blocking_severity, ai_enabled)
       return false if ai_enabled && finding.raw_data["ai_false_positive"]
 

data/lib/zwischen/git_diff.rb

@@ -17,19 +17,31 @@ module Zwischen
       "HEAD"
     end
 
-    def self.changed_files(remote: nil, local: "HEAD")
+    # include_working_tree: also count staged and untracked files. Used by
+    # manual `scan --changed`; pre-push keeps committed-range semantics
+    # because only committed changes get pushed.
+    def self.changed_files(remote: nil, local: "HEAD", include_working_tree: false)
       branch = remote || default_branch
       remote_ref = "origin/#{branch}"
 
+      files = []
+
       # Try remote diff first
-      files = `git diff --name-only #{remote_ref}...#{local} 2>/dev/null`.strip.split("\n")
-      return files.reject(&:empty?) if $?.success? && !files.empty?
+      committed = `git diff --name-only #{remote_ref}...#{local} 2>/dev/null`.strip.split("\n")
+      if $?.success? && !committed.empty?
+        files = committed
+      else
+        # Fallback: local diff
+        local_diff = `git diff --name-only HEAD@{1}...#{local} 2>/dev/null`.strip.split("\n")
+        files = local_diff if $?.success?
+      end
 
-      # Fallback: local diff
-      files = `git diff --name-only HEAD@{1}...#{local} 2>/dev/null`.strip.split("\n")
-      return files.reject(&:empty?) if $?.success?
+      if include_working_tree
+        working = `git status --porcelain 2>/dev/null`.strip.split("\n").map { |l| l[3..]&.strip }.compact
+        files |= working if $?.success?
+      end
 
-      []
+      files.reject { |f| f.nil? || f.empty? }
     rescue StandardError => e
       warn "Failed to get changed files: #{e.message}" if ENV["DEBUG"]
       []

data/lib/zwischen/hooks.rb

@@ -1,12 +1,25 @@
 # frozen_string_literal: true
 
 require "fileutils"
+require "open3"
 
 module Zwischen
   class Hooks
     HOOK_MARKER = "Zwischen pre-push hook"
 
+    # Resolve the hooks directory through git itself so the hook lands where
+    # git will actually execute it — this respects core.hooksPath (husky,
+    # pre-commit framework, etc.) and linked worktrees, where .git is a file.
     def self.hook_path(project_root = Dir.pwd)
+      stdout, _stderr, status = Open3.capture3(
+        "git", "rev-parse", "--git-path", "hooks", chdir: project_root
+      )
+      hooks_dir = status.success? ? stdout.strip : nil
+      hooks_dir = File.join(".git", "hooks") if hooks_dir.nil? || hooks_dir.empty?
+      hooks_dir = File.expand_path(hooks_dir, project_root)
+
+      File.join(hooks_dir, "pre-push")
+    rescue StandardError
       File.join(project_root, ".git", "hooks", "pre-push")
     end
 

data/lib/zwischen/reporter/terminal.rb

@@ -22,8 +22,8 @@ module Zwischen
         "info" => "ℹ️  INFO"
       }.freeze
 
-      def self.report(aggregated_results, ai_enabled: false)
-        new(aggregated_results, ai_enabled: ai_enabled).report
+      def self.report(aggregated_results, config: nil, ai_enabled: false)
+        new(aggregated_results, ai_enabled: ai_enabled, config: config).report
       end
 
       def self.report_compact(aggregated_results, config:, ai_enabled: false)

data/lib/zwischen/setup.rb

@@ -113,14 +113,18 @@ module Zwischen
 
     def install_hook
       project_root = Dir.pwd
-      git_dir = File.join(project_root, ".git")
 
-      unless File.directory?(git_dir)
+      # File check alone breaks linked worktrees, where .git is a file
+      unless File.exist?(File.join(project_root, ".git"))
         @shell.say("  ⚠️  No .git directory found. Skipping hook installation.", :yellow)
         return false
       end
 
       hook_path = Hooks.hook_path(project_root)
+      default_path = File.expand_path(File.join(project_root, ".git", "hooks", "pre-push"))
+      if File.expand_path(hook_path) != default_path
+        @shell.say("  ↳ Git hooks are redirected (core.hooksPath or worktree); installing to #{hook_path}", :yellow)
+      end
 
       if File.exist?(hook_path)
         if Hooks.zwischen_hook?(hook_path)

data/lib/zwischen/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Zwischen
-  VERSION = "0.1.0"
+  VERSION = "0.1.1"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: zwischen
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.1
 platform: ruby
 authors:
 - Conner Jordan