@brett.buskirk/agent-gate 0.1.0

package/lib/rules/dependencies.js

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.dependenciesRule = void 0;
+exports.dependenciesRule = {
+    id: 'dependencies',
+    description: 'Flag added or changed entries in dependency manifests',
+    run(diff, config) {
+        const { enabled, severity, manifests } = config.rules.dependencies;
+        if (!enabled)
+            return [];
+        const findings = [];
+        for (const file of diff.files) {
+            const filename = file.path.split('/').pop() ?? file.path;
+            if (manifests.includes(filename) && (file.added > 0 || file.deleted > 0)) {
+                findings.push({
+                    ruleId: 'dependencies',
+                    severity,
+                    file: file.path,
+                    message: `Dependency manifest modified: ${file.path}`,
+                    suggestion: 'Review added or removed dependencies carefully — agents silently adding packages is a supply-chain risk.',
+                });
+            }
+        }
+        return findings;
+    },
+};

package/lib/rules/diffSize.d.ts

@@ -0,0 +1,3 @@
+import type { Rule } from './types';
+export declare const diffSizeRule: Rule;
+//# sourceMappingURL=diffSize.d.ts.map

package/lib/rules/diffSize.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"diffSize.d.ts","sourceRoot":"","sources":["../../src/rules/diffSize.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAW,MAAM,SAAS,CAAC;AAI7C,eAAO,MAAM,YAAY,EAAE,IA+B1B,CAAC"}

package/lib/rules/diffSize.js

@@ -0,0 +1,31 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.diffSizeRule = void 0;
+exports.diffSizeRule = {
+    id: 'diff_size',
+    description: 'Flag PRs that exceed file or line count thresholds',
+    run(diff, config) {
+        const { enabled, severity, max_files, max_lines } = config.rules.diff_size;
+        if (!enabled)
+            return [];
+        const findings = [];
+        const totalLines = diff.totalAdded + diff.totalDeleted;
+        if (diff.files.length > max_files) {
+            findings.push({
+                ruleId: 'diff_size',
+                severity,
+                message: `PR modifies ${diff.files.length} files (max: ${max_files})`,
+                suggestion: 'Consider splitting this PR into smaller, more focused changes.',
+            });
+        }
+        if (totalLines > max_lines) {
+            findings.push({
+                ruleId: 'diff_size',
+                severity,
+                message: `PR changes ${totalLines} lines (max: ${max_lines})`,
+                suggestion: 'Consider splitting this PR into smaller, more focused changes.',
+            });
+        }
+        return findings;
+    },
+};

package/lib/rules/index.d.ts

@@ -0,0 +1,4 @@
+import type { Rule } from './types';
+export declare const rules: Rule[];
+export type { Rule, Finding, DiffModel, DiffFile, DiffChunk, DiffLine, Severity } from './types';
+//# sourceMappingURL=index.d.ts.map

package/lib/rules/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/rules/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,SAAS,CAAC;AAQpC,eAAO,MAAM,KAAK,EAAE,IAAI,EAOvB,CAAC;AAEF,YAAY,EAAE,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC"}

package/lib/rules/index.js

@@ -0,0 +1,17 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.rules = void 0;
+const secrets_1 = require("./secrets");
+const scope_1 = require("./scope");
+const diffSize_1 = require("./diffSize");
+const testsRequired_1 = require("./testsRequired");
+const dependencies_1 = require("./dependencies");
+const dangerousPatterns_1 = require("./dangerousPatterns");
+exports.rules = [
+    secrets_1.secretsRule,
+    scope_1.scopeRule,
+    diffSize_1.diffSizeRule,
+    testsRequired_1.testsRequiredRule,
+    dependencies_1.dependenciesRule,
+    dangerousPatterns_1.dangerousPatternsRule,
+];

package/lib/rules/scope.d.ts

@@ -0,0 +1,3 @@
+import type { Rule } from './types';
+export declare const scopeRule: Rule;
+//# sourceMappingURL=scope.d.ts.map

package/lib/rules/scope.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scope.d.ts","sourceRoot":"","sources":["../../src/rules/scope.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAAW,MAAM,SAAS,CAAC;AAI7C,eAAO,MAAM,SAAS,EAAE,IAuCvB,CAAC"}

package/lib/rules/scope.js

@@ -0,0 +1,37 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.scopeRule = void 0;
+const glob_1 = require("../utils/glob");
+exports.scopeRule = {
+    id: 'scope',
+    description: 'Flag changes to files outside the allowed scope or inside a denied path set',
+    run(diff, config) {
+        const { enabled, severity, allow, deny } = config.rules.scope;
+        if (!enabled)
+            return [];
+        const findings = [];
+        for (const file of diff.files) {
+            const { path } = file;
+            if (deny.length > 0 && (0, glob_1.matchesAny)(path, deny)) {
+                findings.push({
+                    ruleId: 'scope',
+                    severity,
+                    file: path,
+                    message: `File is in a denied path: ${path}`,
+                    suggestion: 'Remove changes to this file or update the deny list in .agentgate.yml if this is intentional.',
+                });
+                continue;
+            }
+            if (allow && allow.length > 0 && !(0, glob_1.matchesAny)(path, allow)) {
+                findings.push({
+                    ruleId: 'scope',
+                    severity,
+                    file: path,
+                    message: `File is outside the allowed scope: ${path}`,
+                    suggestion: 'Remove changes to this file or add it to the allow list in .agentgate.yml.',
+                });
+            }
+        }
+        return findings;
+    },
+};

package/lib/rules/secrets.d.ts

@@ -0,0 +1,3 @@
+import type { Rule } from './types';
+export declare const secretsRule: Rule;
+//# sourceMappingURL=secrets.d.ts.map

package/lib/rules/secrets.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.d.ts","sourceRoot":"","sources":["../../src/rules/secrets.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAW,MAAM,SAAS,CAAC;AA8B7C,eAAO,MAAM,WAAW,EAAE,IAmCzB,CAAC"}

package/lib/rules/secrets.js

@@ -0,0 +1,60 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.secretsRule = void 0;
+const SECRET_PATTERNS = [
+    { name: 'AWS Access Key ID', pattern: /AKIA[0-9A-Z]{16}/ },
+    {
+        name: 'AWS Secret Access Key',
+        pattern: /(?:aws_secret_access_key|AWS_SECRET_ACCESS_KEY)\s*[=:]\s*['"]?[A-Za-z0-9/+=]{40}['"]?/i,
+    },
+    { name: 'GitHub Personal Access Token', pattern: /ghp_[A-Za-z0-9]{36}/ },
+    { name: 'GitHub OAuth Token', pattern: /gho_[A-Za-z0-9]{36}/ },
+    { name: 'GitHub App Token', pattern: /ghs_[A-Za-z0-9]{36}/ },
+    { name: 'GitHub Refresh Token', pattern: /ghr_[A-Za-z0-9]{76}/ },
+    { name: 'Private Key Block', pattern: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/ },
+    {
+        name: 'Generic API Key',
+        pattern: /(?:api[_-]?key|apikey)\s*[=:]\s*['"]?[A-Za-z0-9_\-]{20,}['"]?/i,
+    },
+    {
+        name: 'High-entropy secret assignment',
+        pattern: /(?:PASSWORD|SECRET|TOKEN|PASSWD)\s*=\s*['"]?[A-Za-z0-9+/!@#$%^&*]{16,}['"]?/,
+    },
+    { name: 'Slack Token', pattern: /xox[baprs]-[0-9A-Za-z\-]{10,}/ },
+    {
+        name: 'Stripe Secret Key',
+        pattern: /sk_(?:live|test)_[0-9a-zA-Z]{24,}/,
+    },
+];
+exports.secretsRule = {
+    id: 'secrets',
+    description: 'Scan added lines for leaked credentials and secrets',
+    run(diff, config) {
+        const { enabled, severity } = config.rules.secrets;
+        if (!enabled)
+            return [];
+        const findings = [];
+        for (const file of diff.files) {
+            for (const chunk of file.chunks) {
+                for (const line of chunk.lines) {
+                    if (line.type !== 'add')
+                        continue;
+                    for (const { name, pattern } of SECRET_PATTERNS) {
+                        if (pattern.test(line.content)) {
+                            findings.push({
+                                ruleId: 'secrets',
+                                severity,
+                                file: file.path,
+                                line: line.lineNumber,
+                                message: `Possible ${name} detected`,
+                                suggestion: 'Remove this secret immediately and rotate it. Use environment variables or a secrets manager instead.',
+                            });
+                            break;
+                        }
+                    }
+                }
+            }
+        }
+        return findings;
+    },
+};

package/lib/rules/testsRequired.d.ts

@@ -0,0 +1,3 @@
+import type { Rule } from './types';
+export declare const testsRequiredRule: Rule;
+//# sourceMappingURL=testsRequired.d.ts.map

package/lib/rules/testsRequired.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"testsRequired.d.ts","sourceRoot":"","sources":["../../src/rules/testsRequired.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAAW,MAAM,SAAS,CAAC;AAI7C,eAAO,MAAM,iBAAiB,EAAE,IAwB/B,CAAC"}

package/lib/rules/testsRequired.js

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.testsRequiredRule = void 0;
+const glob_1 = require("../utils/glob");
+exports.testsRequiredRule = {
+    id: 'tests_required',
+    description: 'Warn if source files changed but no test files were added or modified',
+    run(diff, config) {
+        const { enabled, severity, src_globs, test_globs } = config.rules.tests_required;
+        if (!enabled)
+            return [];
+        const hasSrcChanges = diff.files.some((f) => (0, glob_1.matchesAny)(f.path, src_globs));
+        const hasTestChanges = diff.files.some((f) => (0, glob_1.matchesAny)(f.path, test_globs));
+        if (hasSrcChanges && !hasTestChanges) {
+            return [
+                {
+                    ruleId: 'tests_required',
+                    severity,
+                    message: 'Source files were changed but no test files were added or modified',
+                    suggestion: 'Add or update tests to cover the changed source code.',
+                },
+            ];
+        }
+        return [];
+    },
+};

package/lib/rules/types.d.ts

@@ -0,0 +1,18 @@
+import type { DiffModel } from '../diff/parse';
+import type { Config } from '../config/schema';
+export type { DiffModel, DiffFile, DiffChunk, DiffLine } from '../diff/parse';
+export type Severity = 'error' | 'warning' | 'info';
+export interface Finding {
+    ruleId: string;
+    severity: Severity;
+    file?: string;
+    line?: number;
+    message: string;
+    suggestion?: string;
+}
+export interface Rule {
+    id: string;
+    description: string;
+    run(diff: DiffModel, config: Config): Finding[];
+}
+//# sourceMappingURL=types.d.ts.map

package/lib/rules/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/rules/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAC/C,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAE/C,YAAY,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAE9E,MAAM,MAAM,QAAQ,GAAG,OAAO,GAAG,SAAS,GAAG,MAAM,CAAC;AAEpD,MAAM,WAAW,OAAO;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,QAAQ,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,IAAI;IACnB,EAAE,EAAE,MAAM,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,GAAG,CAAC,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,EAAE,CAAC;CACjD"}

package/lib/rules/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/lib/utils/glob.d.ts

@@ -0,0 +1,3 @@
+export declare function matchGlob(filePath: string, glob: string): boolean;
+export declare function matchesAny(filePath: string, globs: string[]): boolean;
+//# sourceMappingURL=glob.d.ts.map

package/lib/utils/glob.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"glob.d.ts","sourceRoot":"","sources":["../../src/utils/glob.ts"],"names":[],"mappings":"AAEA,wBAAgB,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CA8BjE;AAED,wBAAgB,UAAU,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,OAAO,CAErE"}

package/lib/utils/glob.js

@@ -0,0 +1,42 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.matchGlob = matchGlob;
+exports.matchesAny = matchesAny;
+const SPECIAL = new Set(['.', '+', '^', '$', '{', '}', '(', ')', '|', '[', ']', '\\']);
+function matchGlob(filePath, glob) {
+    let pattern = '';
+    let i = 0;
+    while (i < glob.length) {
+        if (glob[i] === '*' && glob[i + 1] === '*' && glob[i + 2] === '/') {
+            // **/ — matches any path prefix including none
+            pattern += '(?:.+/)?';
+            i += 3;
+        }
+        else if (glob[i] === '*' && glob[i + 1] === '*') {
+            // ** at end — matches anything (including path separators)
+            pattern += '.*';
+            i += 2;
+        }
+        else if (glob[i] === '*') {
+            // * — matches anything within a single path segment
+            pattern += '[^/]*';
+            i += 1;
+        }
+        else if (glob[i] === '?') {
+            pattern += '[^/]';
+            i += 1;
+        }
+        else if (SPECIAL.has(glob[i])) {
+            pattern += '\\' + glob[i];
+            i += 1;
+        }
+        else {
+            pattern += glob[i];
+            i += 1;
+        }
+    }
+    return new RegExp(`^${pattern}$`).test(filePath);
+}
+function matchesAny(filePath, globs) {
+    return globs.some((glob) => matchGlob(filePath, glob));
+}

package/package.json

@@ -0,0 +1,66 @@
+{
+  "name": "@brett.buskirk/agent-gate",
+  "version": "0.1.0",
+  "description": "Guardrail checks for AI-agent-generated pull requests",
+  "type": "commonjs",
+  "bin": {
+    "agent-gate": "./bin/agent-gate.js",
+    "agentgate": "./bin/agent-gate.js"
+  },
+  "main": "./lib/engine.js",
+  "files": [
+    "bin",
+    "lib",
+    "action.yml"
+  ],
+  "scripts": {
+    "build": "tsc -p tsconfig.build.json",
+    "build:action": "ncc build src/action.ts -o dist --source-map --license licenses.txt",
+    "typecheck": "tsc --noEmit",
+    "test": "vitest run",
+    "test:coverage": "vitest run --coverage",
+    "lint": "eslint src test",
+    "lint:fix": "eslint src test --fix",
+    "format": "prettier --write .",
+    "format:check": "prettier --check ."
+  },
+  "dependencies": {
+    "@actions/core": "^1.11.1",
+    "@actions/github": "^6.0.0",
+    "commander": "^13.1.0",
+    "js-yaml": "^4.1.0",
+    "zod": "^3.24.2"
+  },
+  "devDependencies": {
+    "@typescript-eslint/eslint-plugin": "^8.0.0",
+    "@typescript-eslint/parser": "^8.0.0",
+    "@types/js-yaml": "^4.0.9",
+    "@types/node": "^20.0.0",
+    "@vercel/ncc": "^0.38.3",
+    "eslint": "^9.0.0",
+    "prettier": "^3.3.0",
+    "typescript": "^5.4.0",
+    "vitest": "^2.0.0"
+  },
+  "engines": {
+    "node": ">=20.0.0"
+  },
+  "keywords": [
+    "ai-agents",
+    "github-action",
+    "code-review",
+    "security",
+    "ci",
+    "guardrails"
+  ],
+  "author": "Brett Buskirk",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/brett-buskirk/agent-gate.git"
+  },
+  "bugs": {
+    "url": "https://github.com/brett-buskirk/agent-gate/issues"
+  },
+  "homepage": "https://github.com/brett-buskirk/agent-gate#readme"
+}