@rigour-labs/cli 4.1.1 → 4.2.0

package/dist/commands/hooks.d.ts

@@ -18,12 +18,18 @@ export interface HooksOptions {
     dryRun?: boolean;
     force?: boolean;
     block?: boolean;
+    /** Also generate DLP (pre-input credential interception) hooks */
+    dlp?: boolean;
 }
 export interface HooksCheckOptions {
     files?: string;
     stdin?: boolean;
     block?: boolean;
     timeout?: string;
+    /** Run in DLP mode: scan text for credentials instead of checking files */
+    mode?: 'check' | 'dlp';
+    /** Agent name for audit trail (DLP mode) */
+    agent?: string;
 }
 export declare function hooksInitCommand(cwd: string, options?: HooksOptions): Promise<void>;
 export declare function hooksCheckCommand(cwd: string, options?: HooksCheckOptions): Promise<void>;

package/dist/commands/hooks.js

@@ -17,7 +17,7 @@ import fs from 'fs-extra';
 import path from 'path';
 import chalk from 'chalk';
 import { randomUUID } from 'crypto';
-import { runHookChecker } from '@rigour-labs/core';
+import { runHookChecker, scanInputForCredentials, formatDLPAlert, createDLPAuditEntry } from '@rigour-labs/core';
 // ── Studio event logging ─────────────────────────────────────────────
 async function logStudioEvent(cwd, event) {
     try {
@@ -96,47 +96,71 @@ function resolveTools(cwd, toolFlag) {
     return detected;
 }
 // ── Per-tool hook generators ─────────────────────────────────────────
-function generateClaudeHooks(checker, block) {
+function generateClaudeHooks(checker, block, dlp = true) {
     const blockFlag = block ? ' --block' : '';
     const checkerCommand = checkerToShellCommand(checker);
-    const settings = {
-        hooks: {
-            PostToolUse: [{
-                    matcher: "Write|Edit|MultiEdit",
-                    hooks: [{
-                            type: "command",
-                            command: `${checkerCommand} --files "$TOOL_INPUT_file_path"${blockFlag}`,
-                        }]
-                }]
-        }
+    const hooks = {
+        PostToolUse: [{
+                matcher: "Write|Edit|MultiEdit",
+                hooks: [{
+                        type: "command",
+                        command: `${checkerCommand} --files "$TOOL_INPUT_file_path"${blockFlag}`,
+                    }]
+            }],
     };
+    // DLP: Add PreToolUse hook for credential interception
+    if (dlp) {
+        hooks.PreToolUse = [{
+                matcher: ".*",
+                hooks: [{
+                        type: "command",
+                        command: `${checkerCommand} --mode dlp --stdin`,
+                    }]
+            }];
+    }
+    const settings = { hooks };
     return [{
             path: '.claude/settings.json',
             content: JSON.stringify(settings, null, 4),
-            description: 'Claude Code PostToolUse hook',
+            description: dlp
+                ? 'Claude Code hooks — PostToolUse quality checks + PreToolUse DLP credential interception'
+                : 'Claude Code PostToolUse hook',
         }];
 }
-function generateCursorHooks(checker, block) {
+function generateCursorHooks(checker, block, dlp = true) {
     const blockFlag = block ? ' --block' : '';
     const checkerCommand = checkerToShellCommand(checker);
-    const hooks = {
-        version: 1,
-        hooks: { afterFileEdit: [{ command: `${checkerCommand} --stdin${blockFlag}` }] }
+    const hookEntries = {
+        afterFileEdit: [{ command: `${checkerCommand} --stdin${blockFlag}` }],
     };
+    if (dlp) {
+        hookEntries.beforeFileEdit = [{ command: `${checkerCommand} --mode dlp --stdin` }];
+    }
+    const hooks = { version: 1, hooks: hookEntries };
     return [{
             path: '.cursor/hooks.json',
             content: JSON.stringify(hooks, null, 4),
-            description: 'Cursor afterFileEdit hook config',
+            description: dlp
+                ? 'Cursor hooks — afterFileEdit quality checks + beforeFileEdit DLP credential interception'
+                : 'Cursor afterFileEdit hook config',
         }];
 }
-function generateClineHooks(checker, block) {
-    const script = buildClineScript(checker, block);
-    return [{
+function generateClineHooks(checker, block, dlp = true) {
+    const files = [{
             path: '.clinerules/hooks/PostToolUse',
-            content: script,
+            content: buildClineScript(checker, block),
             executable: true,
-            description: 'Cline PostToolUse executable hook',
+            description: 'Cline PostToolUse executable hook — quality checks after file writes',
         }];
+    if (dlp) {
+        files.push({
+            path: '.clinerules/hooks/PreToolUse',
+            content: buildClineDLPScript(checker),
+            executable: true,
+            description: 'Cline PreToolUse DLP hook — credential interception before agent execution',
+        });
+    }
+    return files;
 }
 function buildClineScript(checker, block) {
     const blockArgLiteral = block ? `, '--block'` : '';
@@ -195,17 +219,79 @@ process.stdin.on('end', async () => {
 });
 `;
 }
-function generateWindsurfHooks(checker, block) {
+function buildClineDLPScript(checker) {
+    return `#!/usr/bin/env node
+/**
+ * Cline PreToolUse DLP hook for Rigour.
+ * Scans tool input for credentials BEFORE agent execution.
+ */
+let data = '';
+process.stdin.on('data', chunk => { data += chunk; });
+process.stdin.on('end', async () => {
+    try {
+        const payload = JSON.parse(data);
+        const textsToScan = [];
+        if (payload.toolInput) {
+            for (const [key, value] of Object.entries(payload.toolInput)) {
+                if (typeof value === 'string' && value.length > 5) {
+                    textsToScan.push(value);
+                }
+            }
+        }
+        if (textsToScan.length === 0) {
+            process.stdout.write(JSON.stringify({}));
+            return;
+        }
+
+        const { spawnSync } = require('child_process');
+        const command = ${JSON.stringify(checker.command)};
+        const baseArgs = ${JSON.stringify(checker.args)};
+        const proc = spawnSync(
+            command,
+            [...baseArgs, '--mode', 'dlp', '--stdin'],
+            { input: textsToScan.join('\\n'), encoding: 'utf-8', timeout: 3000 }
+        );
+        if (proc.error) throw proc.error;
+        const raw = (proc.stdout || '').trim();
+        if (!raw) {
+            process.stdout.write(JSON.stringify({}));
+            return;
+        }
+        const result = JSON.parse(raw);
+        if (result.status === 'blocked') {
+            const msgs = result.detections
+                .map(d => \`[rigour/dlp/\${d.type}] \${d.description} → \${d.recommendation}\`)
+                .join('\\n');
+            process.stdout.write(JSON.stringify({
+                contextModification: \`\\n🛑 [Rigour DLP] \${result.detections.length} credential(s) BLOCKED:\\n\${msgs}\\nReplace with environment variable references.\`,
+            }));
+            process.exit(2);
+        } else {
+            process.stdout.write(JSON.stringify({}));
+        }
+    } catch (err) {
+        process.stderr.write(\`Rigour DLP hook error: \${err.message}\\n\`);
+        process.stdout.write(JSON.stringify({}));
+    }
+});
+`;
+}
+function generateWindsurfHooks(checker, block, dlp = true) {
     const blockFlag = block ? ' --block' : '';
     const checkerCommand = checkerToShellCommand(checker);
-    const hooks = {
-        version: 1,
-        hooks: { post_write_code: [{ command: `${checkerCommand} --stdin${blockFlag}` }] }
+    const hookEntries = {
+        post_write_code: [{ command: `${checkerCommand} --stdin${blockFlag}` }],
     };
+    if (dlp) {
+        hookEntries.pre_write_code = [{ command: `${checkerCommand} --mode dlp --stdin` }];
+    }
+    const hooks = { version: 1, hooks: hookEntries };
     return [{
             path: '.windsurf/hooks.json',
             content: JSON.stringify(hooks, null, 4),
-            description: 'Windsurf post_write_code hook config',
+            description: dlp
+                ? 'Windsurf hooks — post_write_code quality checks + pre_write_code DLP credential interception'
+                : 'Windsurf post_write_code hook config',
         }];
 }
 const GENERATORS = {
@@ -268,15 +354,17 @@ export async function hooksInitCommand(cwd, options = {}) {
     await logStudioEvent(cwd, {
         type: 'tool_call',
         tool: 'rigour_hooks_init',
-        arguments: { tool: options.tool, dryRun: options.dryRun },
+        arguments: { tool: options.tool, dryRun: options.dryRun, dlp: options.dlp },
     });
     const tools = resolveTools(cwd, options.tool);
     const checker = resolveCheckerCommand(cwd);
     const block = !!options.block;
-    // Collect generated files from all tools
+    // DLP is ON by default — user must explicitly pass --no-dlp to disable
+    const dlp = options.dlp !== false;
+    // Collect generated files — each generator includes DLP hooks in the SAME config file
     const allFiles = [];
     for (const tool of tools) {
-        allFiles.push(...GENERATORS[tool](checker, block));
+        allFiles.push(...GENERATORS[tool](checker, block, dlp));
     }
     if (options.dryRun) {
         printDryRun(allFiles);
@@ -291,11 +379,16 @@ export async function hooksInitCommand(cwd, options = {}) {
         console.log(chalk.yellow(`Skipped ${skipped} existing file(s).`));
     }
     printNextSteps(tools);
+    if (dlp) {
+        console.log(chalk.red.bold('  🛑 DLP Protection ACTIVE'));
+        console.log(chalk.dim('  Credentials will be intercepted BEFORE reaching AI agents.'));
+        console.log(chalk.dim('  Coverage: AWS keys, API tokens, database URLs, private keys, JWTs, passwords.\n'));
+    }
     await logStudioEvent(cwd, {
         type: 'tool_response',
         tool: 'rigour_hooks_init',
         status: 'success',
-        content: [{ type: 'text', text: `Generated hooks for: ${tools.join(', ')}` }],
+        content: [{ type: 'text', text: `Generated hooks for: ${tools.join(', ')}${options.dlp ? ' (+ DLP)' : ''}` }],
     });
 }
 async function readStdin() {
@@ -330,6 +423,39 @@ function parseStdinFiles(input) {
     }
 }
 export async function hooksCheckCommand(cwd, options = {}) {
+    // ── DLP Mode: Scan text for credentials ──────────────────
+    if (options.mode === 'dlp') {
+        const input = options.stdin
+            ? await readStdin()
+            : (options.files ?? ''); // Reuse files param as text in DLP mode
+        if (!input) {
+            process.stdout.write(JSON.stringify({ status: 'clean', detections: [], duration_ms: 0, scanned_length: 0 }));
+            return;
+        }
+        const result = scanInputForCredentials(input, {
+            enabled: true,
+            block_on_detection: options.block ?? true,
+        });
+        process.stdout.write(JSON.stringify(result));
+        if (result.status !== 'clean') {
+            process.stderr.write('\n' + formatDLPAlert(result) + '\n');
+            // Audit trail
+            try {
+                const auditEntry = createDLPAuditEntry(result, {
+                    agent: options.agent ?? 'hook',
+                });
+                await logStudioEvent(cwd, auditEntry);
+            }
+            catch {
+                // Silent
+            }
+            if (result.status === 'blocked') {
+                process.exitCode = 2;
+            }
+        }
+        return;
+    }
+    // ── Standard Mode: Check files ───────────────────────────
     const timeout = options.timeout ? Number(options.timeout) : 5000;
     const files = options.stdin
         ? parseStdinFiles(await readStdin())

package/dist/commands/hooks.test.js

@@ -87,6 +87,51 @@ describe('hooksInitCommand', () => {
         expect(clineScript).toContain('--block');
     });
 });
+describe('hooksInitCommand — DLP integration', () => {
+    let testDir;
+    beforeEach(() => {
+        testDir = fs.mkdtempSync(path.join(os.tmpdir(), 'hooks-dlp-test-'));
+        fs.writeFileSync(path.join(testDir, 'rigour.yml'), yaml.stringify({
+            version: 1,
+            gates: { max_file_lines: 500 },
+        }));
+        vi.spyOn(console, 'log').mockImplementation(() => { });
+        vi.spyOn(console, 'error').mockImplementation(() => { });
+    });
+    afterEach(() => {
+        fs.rmSync(testDir, { recursive: true, force: true });
+        vi.restoreAllMocks();
+    });
+    it('should generate Claude hooks with DLP (PreToolUse) by default', async () => {
+        await hooksInitCommand(testDir, { tool: 'claude', force: true });
+        const settingsPath = path.join(testDir, '.claude', 'settings.json');
+        const settings = JSON.parse(fs.readFileSync(settingsPath, 'utf-8'));
+        expect(settings.hooks.PostToolUse).toBeDefined();
+        expect(settings.hooks.PreToolUse).toBeDefined();
+        expect(settings.hooks.PreToolUse[0].hooks[0].command).toContain('--mode dlp');
+    });
+    it('should generate Cursor hooks with DLP (beforeFileEdit) by default', async () => {
+        await hooksInitCommand(testDir, { tool: 'cursor', force: true });
+        const hooksPath = path.join(testDir, '.cursor', 'hooks.json');
+        const hooks = JSON.parse(fs.readFileSync(hooksPath, 'utf-8'));
+        expect(hooks.hooks.afterFileEdit).toBeDefined();
+        expect(hooks.hooks.beforeFileEdit).toBeDefined();
+    });
+    it('should generate Windsurf hooks with DLP by default', async () => {
+        await hooksInitCommand(testDir, { tool: 'windsurf', force: true });
+        const hooksPath = path.join(testDir, '.windsurf', 'hooks.json');
+        const hooks = JSON.parse(fs.readFileSync(hooksPath, 'utf-8'));
+        expect(hooks.hooks.post_write_code).toBeDefined();
+        expect(hooks.hooks.pre_write_code).toBeDefined();
+    });
+    it('should skip DLP hooks when dlp: false', async () => {
+        await hooksInitCommand(testDir, { tool: 'claude', force: true, dlp: false });
+        const settingsPath = path.join(testDir, '.claude', 'settings.json');
+        const settings = JSON.parse(fs.readFileSync(settingsPath, 'utf-8'));
+        expect(settings.hooks.PostToolUse).toBeDefined();
+        expect(settings.hooks.PreToolUse).toBeUndefined();
+    });
+});
 describe('hooksCheckCommand', () => {
     let testDir;
     beforeEach(() => {

package/dist/commands/init.js

@@ -467,7 +467,8 @@ async function initHooksForDetectedTools(cwd, detectedIDE) {
     }
     try {
         console.log(chalk.dim(`\n   Setting up real-time hooks for ${detectedIDE}...`));
-        await hooksInitCommand(cwd, { tool: hookTool });
+        await hooksInitCommand(cwd, { tool: hookTool, dlp: true });
+        console.log(chalk.dim(`   🛑 DLP protection active — credentials intercepted before reaching agents`));
     }
     catch {
         // Non-fatal — hooks are a bonus, not a requirement

package/dist/utils/cli-version.js

@@ -1,12 +1,14 @@
 import fs from 'fs';
 import path from 'path';
+import { fileURLToPath } from 'url';
 /**
  * Resolve CLI version from local package.json at runtime.
  * Works for source and built dist paths.
  */
 export function getCliVersion(fallback = '0.0.0') {
     try {
-        const pkgPath = path.resolve(path.dirname(new URL(import.meta.url).pathname), '../../package.json');
+        const modulePath = fileURLToPath(import.meta.url);
+        const pkgPath = path.resolve(path.dirname(modulePath), '../../package.json');
         if (fs.existsSync(pkgPath)) {
             const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
             if (pkg.version && pkg.version.trim().length > 0) {

package/dist/utils/cli-version.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/utils/cli-version.test.js

@@ -0,0 +1,9 @@
+import { describe, expect, it } from 'vitest';
+import { getCliVersion } from './cli-version.js';
+describe('getCliVersion', () => {
+    it('resolves package version at runtime', () => {
+        const version = getCliVersion();
+        expect(version).toMatch(/^\d+\.\d+\.\d+/);
+        expect(version).not.toBe('0.0.0');
+    });
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rigour-labs/cli",
-  "version": "4.1.1",
+  "version": "4.2.0",
   "description": "CLI quality gates for AI-generated code. Forces AI agents (Claude, Cursor, Copilot) to meet strict engineering standards with PASS/FAIL enforcement.",
   "license": "MIT",
   "homepage": "https://rigour.run",
@@ -44,7 +44,7 @@
     "inquirer": "9.2.16",
     "ora": "^8.0.1",
     "yaml": "^2.8.2",
-    "@rigour-labs/core": "4.1.1"
+    "@rigour-labs/core": "4.2.0"
   },
   "devDependencies": {
     "@types/fs-extra": "^11.0.4",