zwischen 0.1.1 → 0.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bb7b4a9cea5d36d3f7fe7414f3034d5f3fc6eaa860cec2136b303e9bcea2877c
-  data.tar.gz: d45c2d6d9c962508996eca3a618fe54c3e0692dde54b6dad347f020d9251f346
+  metadata.gz: 837e243d24d26e3ba30d4597d89492ef6a039ef80417376176de431e951d8f61
+  data.tar.gz: daf7b174e791d29243ed7e93c3d5bc1e1bc6fa68e9c4762c9a74704f27ef7526
 SHA512:
-  metadata.gz: a02881f9e8f76961a655e5d054d91166c3f3842abb8e1ce9fa31252dc2cb742e1a4014699631dbf9116f06d5cc6ef347d54dec09c77313949a8d866b027c6646
-  data.tar.gz: bf3dd2d05ab9d21ba880f2d9990ced3d65d97ee5846ee2135d33372feedbd6a9a8c66a8f968e3750d268f475ddc1d1b090fdd1043a8567956c9072d42cbb8a01
+  metadata.gz: 91c5242e5b62143f7853f01813e106c41e0745f1e03a9ccb1831ae3c8efea3cd7699712f76a816a879e12d9ce6f25b7c78690294835db9b252e57bab1483f7da
+  data.tar.gz: 9f1a912d0ff0cd8f18c83da3a722c43d7f3ac25d2815ed969c1c5c1f32ae34e46676e3a336fecfd1f6e9834449cbf3361a44e0f6132319aa830332fc93eb9bc5

data/CHANGELOG.md

@@ -7,6 +7,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.1.2] - 2026-06-11
+
+### Added
+- `zwischen --version` (also `-v` and `zwischen version`)
+
+### Changed
+- Existing non-Zwischen pre-push hooks (husky shims, hand-written scripts)
+  are now appended to instead of replaced: the original checks keep
+  running before Zwischen's, repeat `init` never double-appends, and
+  `zwischen uninstall` strips only the appended block, restoring the
+  original hook exactly. A backup copy is still written first.
+
 ## [0.1.1] - 2026-06-11
 
 ### Fixed
@@ -45,6 +57,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Project type detection (Next.js, React, Django, Rails, and more)
 - npm (`zwischen`) and pip (`zwischen-cli`) wrapper packages
 
-[Unreleased]: https://github.com/cjordan223/zwischen/compare/v0.1.1...HEAD
+[Unreleased]: https://github.com/cjordan223/zwischen/compare/v0.1.2...HEAD
+[0.1.2]: https://github.com/cjordan223/zwischen/compare/v0.1.1...v0.1.2
 [0.1.1]: https://github.com/cjordan223/zwischen/compare/v0.1.0...v0.1.1
 [0.1.0]: https://github.com/cjordan223/zwischen/releases/tag/v0.1.0

data/DEVELOPMENT.md

@@ -89,7 +89,7 @@ Package-wrapper parity changes:
 
 ## Known Iteration Points
 
-- Ruby `Hooks.handle_existing_hook` has backup/append/skip logic, but `Setup#install_hook` currently backs up and replaces existing non-Zwischen hooks directly.
+- Existing non-Zwischen pre-push hooks (husky shims, hand-written scripts) are backed up and then appended to, not replaced — the original checks keep running, and `zwischen uninstall` strips only the appended block.
 - Ruby config exposes `severity.fail_on`, but blocking decisions use `blocking.severity`. (`ignore` globs are enforced by the orchestrator.)
 - npm and pip wrappers do not yet match Ruby feature parity. They do not support `uninstall`, `--only`, `--changed`, `--format sarif`, Ruby's changed-file pre-push filtering, or the Ruby JSON summary shape.
 - npm and pip wrappers default AI provider to Ollama, while Ruby defaults to Claude.

data/README.md

@@ -77,7 +77,7 @@ is in [docs/design.md](docs/design.md).
 
 | Command | What it does |
 | --- | --- |
-| `zwischen init` | Installs/checks tools, creates config, installs pre-push hook (backs up an existing non-Zwischen hook). |
+| `zwischen init` | Installs/checks tools, creates config, installs pre-push hook. An existing hook (husky, hand-written) is backed up and appended to — its checks keep running. |
 | `zwischen scan` | Runs enabled scanners, prints a terminal report. |
 | `zwischen scan --changed` | Scans only files changed since the default branch, including staged and untracked files. |
 | `zwischen scan --only secrets,sast` | Limits to Gitleaks (`secrets`) and/or Semgrep (`sast`). |
@@ -86,7 +86,8 @@ is in [docs/design.md](docs/design.md).
 | `zwischen scan --format sarif` | SARIF 2.1.0 for GitHub code scanning. |
 | `zwischen scan --pre-push` | Quiet hook mode: changed files only, compact output only when blocking. |
 | `zwischen doctor` | Shows Gitleaks and Semgrep status. |
-| `zwischen uninstall` | Removes the hook, optionally config/credentials. |
+| `zwischen uninstall` | Removes the hook (or just the appended block), optionally config/credentials. |
+| `zwischen --version` | Prints the version. |
 
 Escape hatches: `git push --no-verify` or `ZWISCHEN_SKIP=1 git push`.
 
@@ -198,7 +199,7 @@ docs/                         Design write-up, triage example, demo GIF
 ## Development
 
 ```bash
-bundle exec rspec             # 212 examples
+bundle exec rspec             # 216 examples
 ./scripts/test_as_gem.sh      # install and exercise as a real gem
 ```
 

data/TESTING.md

@@ -297,7 +297,12 @@ zwischen init
 Expected for the current Ruby implementation:
 
 - Existing hook is copied to `.git/hooks/pre-push.zwischen.backup` or a timestamped variant.
-- New Zwischen hook replaces `.git/hooks/pre-push`.
+- The Zwischen check is appended to `.git/hooks/pre-push` between
+  `# >>> Zwischen pre-push hook >>>` markers; the original hook content
+  still runs first.
+- Running `zwischen init` again does not append a second block.
+- `zwischen uninstall` strips only the appended block, restoring the
+  original hook content.
 
 
 ### Test 6.3: Default Branch Detection

data/lib/zwischen/cli.rb

@@ -202,6 +202,12 @@ module Zwischen
       Setup.uninstall
     end
 
+    desc "version", "Print the Zwischen version"
+    map %w[--version -v] => :version
+    def version
+      puts "zwischen #{Zwischen::VERSION}"
+    end
+
     default_task :scan
 
     private

data/lib/zwischen/hooks.rb

@@ -34,6 +34,11 @@ module Zwischen
       zwischen_hook?(path)
     end
 
+    # Delimiters around the block we append to a pre-existing foreign hook,
+    # so uninstall can strip exactly our lines and leave the rest intact.
+    APPEND_BEGIN = "# >>> #{HOOK_MARKER} >>>"
+    APPEND_END = "# <<< #{HOOK_MARKER} <<<"
+
     def self.install(project_root = Dir.pwd)
       path = hook_path(project_root)
       hooks_dir = File.dirname(path)
@@ -41,6 +46,16 @@ module Zwischen
       # Ensure hooks directory exists
       FileUtils.mkdir_p(hooks_dir) unless File.directory?(hooks_dir)
 
+      if File.exist?(path)
+        # Already present (standalone or appended) — never overwrite, an
+        # appended hook also contains the user's own commands.
+        return true if zwischen_hook?(path)
+
+        # A foreign hook (husky shim, hand-written script, ...) keeps
+        # working: we append our check instead of replacing the user's.
+        return append_to_existing(path)
+      end
+
       hook_content = <<~HOOK
         #!/usr/bin/env bash
         # #{HOOK_MARKER} - installed by 'zwischen init'
@@ -59,39 +74,24 @@ module Zwischen
       true
     end
 
-    def self.handle_existing_hook(hook_path, shell)
-      return :skip unless File.exist?(hook_path)
-      return :install if zwischen_hook?(hook_path) # Already a Zwischen hook, can overwrite
-
-      shell.say("\n⚠️  A pre-push hook already exists at #{hook_path}", :yellow)
-      choice = shell.ask("What would you like to do?", limited_to: %w[backup append skip], default: "backup")
-
-      case choice
-      when "backup"
-        backup_path = "#{hook_path}.zwischen.backup"
-        FileUtils.cp(hook_path, backup_path)
-        shell.say("  ✓ Backed up to #{backup_path}", :green)
-        :install
-      when "append"
-        existing_content = File.read(hook_path)
-        new_content = <<~APPEND
-          #{existing_content}
-
-          # #{HOOK_MARKER} - appended by 'zwischen init'
-          if [ "$ZWISCHEN_SKIP" = "1" ]; then
-            exit 0
-          fi
+    def self.append_to_existing(path)
+      existing = File.read(path)
+      return true if existing.include?(HOOK_MARKER) # already appended
+
+      block = <<~BLOCK
 
+        #{APPEND_BEGIN}
+        # appended by 'zwischen init' - your original hook above still runs
+        if [ "$ZWISCHEN_SKIP" != "1" ]; then
           zwischen scan --pre-push || exit $?
-        APPEND
-        File.write(hook_path, new_content)
-        File.chmod(0o755, hook_path)
-        shell.say("  ✓ Appended Zwischen check to existing hook", :green)
-        :skip # Don't install new hook, already appended
-      when "skip"
-        shell.say("  ↳ Skipping hook installation", :yellow)
-        :skip
-      end
+        fi
+        #{APPEND_END}
+      BLOCK
+
+      File.write(path, existing.chomp + "\n" + block)
+      File.chmod(0o755, path)
+
+      true
     end
 
     def self.uninstall(project_root = Dir.pwd)
@@ -99,7 +99,15 @@ module Zwischen
       return false unless File.exist?(path)
       return false unless zwischen_hook?(path)
 
-      File.delete(path)
+      content = File.read(path)
+      if content.include?(APPEND_BEGIN)
+        # We were appended to someone else's hook: strip only our block.
+        stripped = content.gsub(/\n?#{Regexp.escape(APPEND_BEGIN)}.*?#{Regexp.escape(APPEND_END)}\n?/m, "\n")
+        File.write(path, stripped)
+      else
+        # The whole file is ours.
+        File.delete(path)
+      end
       true
     end
   end

data/lib/zwischen/setup.rb

@@ -126,12 +126,14 @@ module Zwischen
         @shell.say("  ↳ Git hooks are redirected (core.hooksPath or worktree); installing to #{hook_path}", :yellow)
       end
 
+      appending = false
       if File.exist?(hook_path)
         if Hooks.zwischen_hook?(hook_path)
           @shell.say("  ✓ Pre-push hook already installed", :green)
           return true
         end
 
+        appending = true
         backup_path = "#{hook_path}.zwischen.backup"
         if File.exist?(backup_path)
           timestamp = Time.now.strftime("%Y%m%d%H%M%S")
@@ -142,7 +144,11 @@ module Zwischen
       end
 
       if Hooks.install(project_root)
-        @shell.say("  ✓ Installing pre-push hook", :green)
+        if appending
+          @shell.say("  ✓ Added Zwischen to your existing pre-push hook (original checks still run)", :green)
+        else
+          @shell.say("  ✓ Installing pre-push hook", :green)
+        end
         true
       else
         @shell.say("  ✗ Failed to install hook", :red)

data/lib/zwischen/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Zwischen
-  VERSION = "0.1.1"
+  VERSION = "0.1.2"
 end

data/zwischen-test-report-round2.md

@@ -0,0 +1,137 @@
+# Zwischen v0.1.1 Round 2 Testing Report
+
+Test root: `/tmp/zw2-4u4Pyb`
+
+Round 2 was run against published packages from Rubygems, npm, and PyPI. Product source was not modified; this report is the only repo file changed.
+
+## 1. Environment
+
+| Item | Observed |
+| --- | --- |
+| OS | Darwin 25.5.0, arm64 |
+| Git | 2.50.1 (Apple Git-155) |
+| Ruby | Homebrew Ruby 4.0.3 |
+| Ruby 3.3 floor | rbenv Ruby 3.3.11 installed during this run |
+| Node / npm | Node v25.9.0 / npm 11.12.1 |
+| Python | 3.14.5 |
+| Docker | 29.1.3, daemon available |
+| act | Not installed |
+| Semgrep | 1.165.0 |
+| Ollama | `127.0.0.1:11434`, model `llama3.2:latest` |
+| Ruby package | `zwischen` 0.1.1 |
+| npm package | `zwischen` 0.1.1 |
+| PyPI package | `zwischen-cli` 0.1.1 |
+
+Note: as in round 1, Homebrew Semgrep fails inside the filesystem sandbox with a macOS trust-anchor error. Semgrep-dependent tests were run outside the sandbox, with all test repos and HOME values still under `/tmp/zw2-4u4Pyb`.
+
+## 2. Scorecard
+
+| ID | Result | Notes |
+| --- | --- | --- |
+| Registry gate | PASS | Ruby, npm, and PyPI all installed 0.1.1. |
+| A1 | PASS | `blocking.severity: critical` with high-only AWS finding exited 0. |
+| A2 | PASS | `blocking.severity: none` exited 0 and still printed the high finding. |
+| A3 | PASS | `blocking.severity: high` exited 1 for the high finding. |
+| A4 | PASS | npm and pip wrappers honored `ignore:` and omitted `ignored.env`. |
+| A5 | PASS | npm and pip JSON stdout parsed directly, included `summary` and `findings`, and used relative `file` paths. |
+| A6 | PASS | npm and pip SARIF requests exited 2, wrote clear unsupported-wrapper errors to stderr, and left stdout empty. |
+| A7 | PASS | pip `zwischen --version` printed `zwischen, version 0.1.1` and exited 0. |
+| A8 | PASS | Ruby JSON `findings[*].file` values were project-relative. |
+| A9 | PASS | Ruby `scan --changed` reported committed-ahead, staged-only, and untracked secret files. |
+| A10 | PASS | Ollama finding count stayed 10. Attempt 2 produced `Fix`/`Risk` annotations; parse-failure attempts warned and preserved raw findings. Dead-port fail-open preserved findings and exit code. |
+| B1 | PASS | Custom `core.hooksPath` and linked worktree pushes were blocked. Real Husky push was blocked after bypassing Husky's generated failing pre-commit for commit creation. |
+| B2 | PASS | Ruby 3.3.11 installed the gem, `init` installed gitleaks, and demo scan returned 10 findings. |
+| B3 | PASS | Linux Ruby container auto-installed gitleaks, found the secret, and blocked a local push. Node and pip wrapper containers found the planted secret. |
+| B4 | PASS | Offline init exited 0 with manual install hints and created config/hook. Offline scan warned `No scanners available` without crashing. |
+| B5 | PASS with caveat | Generated SARIF validated against SchemaStore SARIF 2.1.0. The exact OASIS raw URL from the test plan returned 404. |
+| B6 | FAIL | Express scans were fine, but 20-file clean pre-push median was 5.14s, above the ~3s budget. |
+| B7 | SKIPPED | `act` is not installed. |
+
+## 3. Benchmarks
+
+| Benchmark | Round 1 | Round 2 | Change |
+| --- | ---: | ---: | ---: |
+| Ruby gem install | 3.984s | 4.18s | +4.9% |
+| npm install | 1.116s | 1.18s | +5.7% |
+| pip install | 2.560s | 2.34s | -8.6% |
+| Demo gitleaks-only scan median | 0.408s | 0.387s | -5.1% |
+| Demo gitleaks+Semgrep scan median | 2.096s | 2.292s | +9.4% |
+| Ollama AI scan | 24.936s | 13.210s annotated run | -47.0% |
+| Dead-port AI fail-open | 2.796s | 2.226s | -20.4% |
+| Huge 50MB file scan | 4.609s | not repeated | n/a |
+| Clean pre-push hook, 1-file median | 1.786s | not repeated | n/a |
+| Express full scan, gitleaks-only | n/a | 0.37s, max RSS 82 MB | n/a |
+| Express full scan, gitleaks+Semgrep | n/a | 2.82s, max RSS 354 MB | n/a |
+| Express clean pre-push, 20 files | n/a | median 5.14s, max RSS 247-297 MB | over ~3s budget |
+
+No directly comparable round-1 benchmark regressed by more than 25%. The new B6 20-file hook benchmark misses the design budget.
+
+## 4. Bugs / Findings
+
+### Major: 20-file clean pre-push latency exceeds budget
+
+Repro:
+
+1. Clone `expressjs/express`.
+2. Configure Zwischen with gitleaks and Semgrep enabled.
+3. Push five clean commits, each changing 20 files, to a local bare origin.
+4. Time each `git push` with `/usr/bin/time -l`.
+
+Expected: hook stays near the documented ~3s budget.
+
+Actual: runs were 5.50s, 5.19s, 5.11s, 5.07s, and 5.14s; median 5.14s.
+
+Evidence: `/tmp/zw2-4u4Pyb/b6_scale.log`.
+
+### Observation: Husky hook is backed up and replaced, not merged
+
+In a real Husky v9 setup, `core.hooksPath` was `.husky/_`. `zwischen init` backed up `.husky/_/pre-push` to `.husky/_/pre-push.zwischen.backup` and replaced `.husky/_/pre-push` with the Zwischen hook. A secret push was blocked, and `.husky/pre-commit` remained. This satisfies the blocking assertion, but it is replacement-with-backup rather than inline coexistence.
+
+Evidence: `/tmp/zw2-4u4Pyb/b1_hooks.log`, `/tmp/zw2-4u4Pyb/b1_husky_followup.log`.
+
+### External test-plan issue: OASIS SARIF schema URL returns 404
+
+The requested URL `https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json` returned 404, as did the same path on `main`. The generated SARIF validated successfully against `https://www.schemastore.org/sarif-2.1.0.json`.
+
+Evidence: `/tmp/zw2-4u4Pyb/b5_sarif.log`, `/tmp/zw2-4u4Pyb/b5_schemastore_validation.log`.
+
+## 5. Docs Drift
+
+| Claim | Observed |
+| --- | --- |
+| Round-1 fixed bugs should pass in v0.1.1 | Confirmed for A1-A10. |
+| Hook-manager coexistence | Blocking works for custom hooksPath, real Husky, and linked worktree. Real Husky's generated pre-push shim is backed up and replaced. |
+| SARIF official schema URL in test plan | The exact OASIS raw URL returns 404; SchemaStore validation passes. |
+| Hook budget around 3s | New 20-file Express benchmark median is 5.14s. |
+
+## 6. Wrapper Parity Matrix
+
+| Feature | Ruby gem | npm wrapper | pip wrapper |
+| --- | --- | --- | --- |
+| Published install at 0.1.1 | PASS | PASS | PASS |
+| `--version` | Falls back to `gem list` | PASS | PASS |
+| `init` | PASS | PASS | PASS |
+| `scan` | PASS | PASS | PASS |
+| `doctor` | PASS | PASS | PASS |
+| `scan --format json` | PASS, pure JSON with relative paths | PASS, pure JSON with `summary` | PASS, pure JSON with `summary` |
+| `scan --format sarif` | PASS | PASS, exits 2 unsupported | PASS, exits 2 unsupported |
+| `ignore:` globs | PASS | PASS | PASS |
+| `uninstall` | PASS | Not supported, accepted gap | Not supported, accepted gap |
+| `--only` | PASS | Not supported, accepted gap | Not supported, accepted gap |
+| `--changed` | PASS | Not supported, accepted gap | Not supported, accepted gap |
+
+## 7. Raw Evidence
+
+Key logs and outputs:
+
+- `/tmp/zw2-4u4Pyb/a_regressions.log`
+- `/tmp/zw2-4u4Pyb/b1_hooks.log`
+- `/tmp/zw2-4u4Pyb/b1_husky_followup.log`
+- `/tmp/zw2-4u4Pyb/b2_ruby33.log`
+- `/tmp/zw2-4u4Pyb/b3_docker.log`
+- `/tmp/zw2-4u4Pyb/b3_ruby_followup.log`
+- `/tmp/zw2-4u4Pyb/b4_offline.log`
+- `/tmp/zw2-4u4Pyb/b5_sarif.log`
+- `/tmp/zw2-4u4Pyb/b5_schemastore_validation.log`
+- `/tmp/zw2-4u4Pyb/b6_scale.log`
+- `/tmp/zw2-4u4Pyb/round1_compare_bench.log`

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: zwischen
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.1.2
 platform: ruby
 authors:
 - Conner Jordan
@@ -117,6 +117,7 @@ files:
 - lib/zwischen/scanner/semgrep.rb
 - lib/zwischen/setup.rb
 - lib/zwischen/version.rb
+- zwischen-test-report-round2.md
 - zwischen.gemspec
 homepage: https://github.com/cjordan223/zwischen
 licenses: