@hatem427/code-guard-ci 3.5.7 → 3.5.9

package/scripts/cli.ts

@@ -453,6 +453,9 @@ function initProject(): void {
   saveManifest(cwd, manifest);
   console.log(`  ${c.green('✓')} Saved manifest to .code-guardian/manifest.json\n`);
 
+  // ── Update .gitignore for .code-guardian/ ────────────────────────────────
+  ensureCodeGuardianGitignore(cwd);
+
   // ── Done! ─────────────────────────────────────────────────────────────────
   console.log(c.bold(c.green('═══════════════════════════════════════════════════════════')));
   console.log(c.bold(c.green('  ✅ Code Guardian initialized successfully!')));
@@ -483,6 +486,124 @@ function initProject(): void {
   console.log('');
 }
 
+// ── .gitignore management for .code-guardian/ ───────────────────────────────
+
+/**
+ * Best-practice .gitignore management for .code-guardian/.
+ *
+ * SENSITIVE — never commit (passwords, generated reports):
+ *   .code-guardian/bypass-password.hash
+ *   .code-guardian/admin-password.hash
+ *   .code-guardian/CODE_GUARDIAN_REPORT.md
+ *
+ * TRACKED — must be committed (team config, audit trail):
+ *   .code-guardian/custom-rules.json
+ *   .code-guardian/structure-rules.json
+ *   .code-guardian/naming-rules.json
+ *   .code-guardian/manifest.json
+ *   .code-guardian/bypass-log.json
+ *
+ * STRATEGY:
+ *   If `.code-guardian` is broadly ignored → replace with surgical pattern:
+ *     .code-guardian/*                    (ignore everything inside …)
+ *     !.code-guardian/custom-rules.json   (… except tracked files)
+ *     …
+ *   Always add sensitive files to ignore if not present.
+ */
+function ensureCodeGuardianGitignore(cwd: string): void {
+  const gitignorePath = path.join(cwd, '.gitignore');
+
+  const sensitiveFiles = [
+    '.code-guardian/bypass-password.hash',
+    '.code-guardian/admin-password.hash',
+    '.code-guardian/CODE_GUARDIAN_REPORT.md',
+  ];
+
+  const trackedFiles = [
+    '.code-guardian/custom-rules.json',
+    '.code-guardian/structure-rules.json',
+    '.code-guardian/naming-rules.json',
+    '.code-guardian/manifest.json',
+    '.code-guardian/bypass-log.json',
+  ];
+
+  let content = fs.existsSync(gitignorePath)
+    ? fs.readFileSync(gitignorePath, 'utf-8')
+    : '';
+
+  let changed = false;
+  const messages: string[] = [];
+
+  // ── 1. Replace broad .code-guardian ignore with surgical pattern ─────────
+  const broadPattern = /^\.code-guardian\/?$/m;
+  const broadMatch = broadPattern.exec(content);
+  if (broadMatch) {
+    const surgicalLines = [
+      '.code-guardian/*',
+      ...trackedFiles.map(f => `!${f}`),
+    ];
+    content = content.replace(broadPattern, surgicalLines.join('\n'));
+    changed = true;
+    messages.push(
+      `  ${c.green('✓')} .gitignore: replaced broad \`.code-guardian\` with surgical pattern:\n` +
+      surgicalLines.map(l =>
+        `      ${l.startsWith('!') ? c.green(l) + ' (tracked)' : c.dim(l) + ' (ignored)'}`
+      ).join('\n')
+    );
+  }
+
+  // ── 2. Always ensure sensitive files are explicitly ignored ──────────────
+  const toIgnore = sensitiveFiles.filter(f => !content.includes(f));
+  if (toIgnore.length > 0) {
+    content += [
+      '',
+      '# Code Guardian — sensitive/generated (do not commit)',
+      ...toIgnore,
+      '',
+    ].join('\n');
+    changed = true;
+    messages.push(
+      `  ${c.green('✓')} .gitignore: sensitive files added:\n` +
+      toIgnore.map(f => `      ${c.dim(f)}`).join('\n')
+    );
+  }
+
+  // ── 3. Ensure tracked files are negated if the dir is still pattern-ignored
+  if (!broadMatch) {
+    // Dir wasn't broadly ignored — check if individual tracked files are ignored
+    // and add negations for any that are
+    const negationsNeeded = trackedFiles
+      .filter(f => {
+        const r = spawnSync('git', ['check-ignore', '--no-index', '-q', f], {
+          cwd, stdio: 'pipe',
+        });
+        return r.status === 0; // ignored
+      })
+      .map(f => `!${f}`)
+      .filter(neg => !content.includes(neg));
+
+    if (negationsNeeded.length > 0) {
+      content += [
+        '',
+        '# Code Guardian — team config files (must be tracked)',
+        ...negationsNeeded,
+        '',
+      ].join('\n');
+      changed = true;
+      messages.push(
+        `  ${c.green('✓')} .gitignore: un-ignored tracked config files:\n` +
+        negationsNeeded.map(l => `      ${c.green(l)}`).join('\n')
+      );
+    }
+  }
+
+  if (changed) {
+    fs.writeFileSync(gitignorePath, content, 'utf-8');
+    messages.forEach(m => console.log(m));
+    console.log('');
+  }
+}
+
 // ── Setup Git Hooks ─────────────────────────────────────────────────────────
 
 function setupGitHooks(cwd: string): void {

package/scripts/config-generators/ai-config-generator.ts

@@ -21,6 +21,7 @@
 
 import * as fs from 'fs';
 import * as path from 'path';
+import { spawnSync } from 'child_process';
 import { DetectionResult, ProjectType } from '../utils/project-detector';
 import { AIConfigRegistry, AIConfigTemplate, defaultRegistry } from '../utils/ai-config-registry';
 
@@ -49,6 +50,9 @@ export function generateAIConfigs(project: DetectionResult, customRulesText?: st
 
   // Clean up deprecated .agent/ directory (replaced by AGENTS.md)
   cleanupDeprecatedAgentDir(project.rootDir);
+
+  // Ensure .gitignore doesn't swallow the generated AI config files
+  ensureGitignoreAllowsAIConfigs(project.rootDir, templates);
 }
 
 /**
@@ -188,6 +192,135 @@ function cleanupDeprecatedAgentDir(rootDir: string): void {
     }
   }
 }
+/**
+ * Check every generated AI config file against .gitignore and add negation
+ * patterns so the files are tracked by git even when their parent directory
+ * is ignored (e.g. .cursor is often in .gitignore).
+ */
+/**
+ * Best-practice .gitignore management for AI config files.
+ *
+ * STRATEGY: Instead of piling negation hacks on top of broad ignores, we
+ * replace the broad pattern with a surgical one that:
+ *   - keeps personal/IDE files ignored  (e.g. .cursor/*)
+ *   - explicitly tracks the shared rules folder (e.g. !.cursor/rules/)
+ *
+ * Example — if .gitignore contains `.cursor`, we replace it with:
+ *   .cursor/*
+ *   !.cursor/rules/
+ *
+ * If the broad pattern can't be replaced safely (e.g. it's inside a complex
+ * block), we fall back to appending negation patterns and warn the user.
+ */
+function ensureGitignoreAllowsAIConfigs(
+  rootDir: string,
+  templates: AIConfigTemplate[]
+): void {
+  const gitignorePath = path.join(rootDir, '.gitignore');
+  if (!fs.existsSync(gitignorePath)) return;
+
+  let content = fs.readFileSync(gitignorePath, 'utf-8');
+  let changed = false;
+  const advisories: string[] = [];
+
+  // Collect unique top-level directories used by templates
+  // e.g. '.cursor', '.github', '.windsurf'
+  const topDirs = new Set<string>();
+  for (const t of templates) {
+    if (t.directory) {
+      topDirs.add(t.directory.split('/')[0]);
+    }
+  }
+
+  for (const dir of topDirs) {
+    // Check if a broad pattern ignores this directory.
+    // Matches bare `.cursor`, `.cursor/`, `.cursor/*` on its own line.
+    const broadPattern = new RegExp(
+      `^(\.?${escapeRegex(dir)})\\/?\\*?$`,
+      'm'
+    );
+    const match = broadPattern.exec(content);
+    if (!match) continue;
+
+    // Find all rule sub-directories that belong to this top-level dir.
+    // e.g. for '.cursor' → ['.cursor/rules']
+    const ruleDirs = [...new Set(
+      templates
+        .filter(t => t.directory?.startsWith(dir + '/'))
+        .map(t => t.directory!)
+    )];
+
+    // Build the surgical replacement:
+    //   .cursor/*          ← ignore everything inside
+    //   !.cursor/rules/    ← except the shared rules folder
+    const surgicalLines = [
+      `${dir}/*`,
+      ...ruleDirs.map(d => `!${d}/`),
+    ];
+
+    const replacement = surgicalLines.join('\n');
+    const newContent = content.replace(broadPattern, replacement);
+
+    if (newContent !== content) {
+      content = newContent;
+      changed = true;
+      advisories.push(
+        `   ✅ .gitignore: replaced broad \`${match[0]}\` with surgical pattern:\n` +
+        surgicalLines.map(l => `      ${l}`).join('\n')
+      );
+    }
+  }
+
+  // For any file still ignored after the surgical replacements, fall back to
+  // appending explicit negations (rare edge case).
+  const fallbackNegations: string[] = [];
+  // Write changes so far before running git check-ignore
+  if (changed) fs.writeFileSync(gitignorePath, content, 'utf-8');
+
+  for (const template of templates) {
+    const relativePath = template.directory
+      ? `${template.directory}/${template.fileName}`
+      : template.fileName;
+
+    const result = spawnSync('git', ['check-ignore', '--no-index', '-q', relativePath], {
+      cwd: rootDir,
+      stdio: 'pipe',
+    });
+
+    if (result.status !== 0) continue; // not ignored — all good
+
+    // Still ignored — add explicit negation as fallback
+    const neg = `!${relativePath}`;
+    if (!content.includes(neg) && !fallbackNegations.includes(neg)) {
+      fallbackNegations.push(neg);
+    }
+  }
+
+  if (fallbackNegations.length > 0) {
+    const section = [
+      '',
+      '# Code Guardian — AI config files (shared with team, un-ignored)',
+      ...fallbackNegations,
+      '',
+    ].join('\n');
+    content += section;
+    changed = true;
+    advisories.push(
+      `   ⚠️  Some AI config files were still gitignored — added explicit negations:\n` +
+      fallbackNegations.map(l => `      ${l}`).join('\n')
+    );
+  }
+
+  if (changed) {
+    fs.writeFileSync(gitignorePath, content, 'utf-8');
+    advisories.forEach(msg => console.log(msg));
+  }
+}
+
+function escapeRegex(s: string): string {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
 /**
  * Generate content for .cursor/rules/cursor.mdc
  */

package/scripts/utils/report-generator.ts

@@ -76,11 +76,6 @@ export function generateReport(
   const content = buildReportContent(report, options);
   fs.writeFileSync(reportPath, content, 'utf-8');
 
-  // Attempt to open in VS Code  
-  if (options.autoOpen !== false) {
-    openInEditor(reportPath);
-  }
-
   return reportPath;
 }