code-as-plan 2.0.0

package/scripts/cap-removal-checklist.md

@@ -0,0 +1,202 @@
+# CAP v2.0 -- GSD Removal Checklist
+
+<!-- @gsd-context This document defines the COMPLETE removal plan for transitioning from GSD to CAP. It is NOT executed during prototyping -- it documents what gets removed when the clean break is made. -->
+<!-- @gsd-decision Removal is documented as a checklist, not executed during prototype. This allows the current GSD infrastructure to keep working during development while clearly defining the target end state. -->
+
+<!-- @gsd-todo(ref:AC-71) All /gsd:* commands shall be removed from the codebase -->
+<!-- @gsd-todo(ref:AC-72) All gsd-* agent files shall be removed from the agents/ directory -->
+<!-- @gsd-todo(ref:AC-73) Explicitly killed agents: gsd-discuss, gsd-planner, gsd-milestone-*, gsd-executor, gsd-annotator, and all discuss/plan phase agents -->
+<!-- @gsd-todo(ref:AC-74) Artifacts no longer created or referenced: ROADMAP.md, REQUIREMENTS.md, STATE.md, MILESTONES.md, VERIFICATION.md, PLAN.md -->
+<!-- @gsd-todo(ref:AC-75) CODE-INVENTORY.md evolved into enriched FEATURE-MAP.md -- standalone file removed -->
+<!-- @gsd-todo(ref:AC-76) bin/install.js updated to reference CAP branding and commands -->
+<!-- @gsd-todo(ref:AC-77) package.json name updated to cap (or code-as-plan fallback) -->
+
+---
+
+## 1. Agent Files to Remove (AC-72, AC-73)
+
+The following agent files in `agents/` shall be deleted:
+
+### Explicitly Killed Agents (AC-73)
+
+These agents represent the discuss/plan workflow that CAP eliminates:
+
+- [ ] `agents/gsd-planner.md` -- replaced by Feature Map + cap-prototyper
+- [ ] `agents/gsd-executor.md` -- replaced by cap-prototyper (prototype/iterate modes)
+- [ ] `agents/gsd-annotator.md` -- replaced by cap-prototyper (annotate mode)
+- [ ] `agents/gsd-brainstormer.md` -- replaced by cap-brainstormer
+- [ ] `agents/gsd-roadmapper.md` -- ROADMAP.md no longer exists
+- [ ] `agents/gsd-plan-checker.md` -- no plan phase to check
+- [ ] `agents/gsd-reviewer.md` -- replaced by cap-reviewer
+- [ ] `agents/gsd-tester.md` -- replaced by cap-tester
+- [ ] `agents/gsd-debugger.md` -- replaced by cap-debugger
+
+### Supporting Agents to Remove
+
+- [ ] `agents/gsd-advisor-researcher.md`
+- [ ] `agents/gsd-arc-executor.md`
+- [ ] `agents/gsd-arc-planner.md`
+- [ ] `agents/gsd-assumptions-analyzer.md`
+- [ ] `agents/gsd-code-planner.md`
+- [ ] `agents/gsd-codebase-mapper.md`
+- [ ] `agents/gsd-integration-checker.md`
+- [ ] `agents/gsd-nyquist-auditor.md`
+- [ ] `agents/gsd-phase-researcher.md`
+- [ ] `agents/gsd-project-researcher.md`
+- [ ] `agents/gsd-prototyper.md`
+- [ ] `agents/gsd-research-synthesizer.md`
+- [ ] `agents/gsd-ui-auditor.md`
+- [ ] `agents/gsd-ui-checker.md`
+- [ ] `agents/gsd-ui-researcher.md`
+- [ ] `agents/gsd-user-profiler.md`
+- [ ] `agents/gsd-verifier.md`
+
+**Agents to KEEP (CAP v2.0 agent set per AC-67):**
+- `agents/cap-brainstormer.md`
+- `agents/cap-prototyper.md`
+- `agents/cap-tester.md`
+- `agents/cap-reviewer.md`
+- `agents/cap-debugger.md`
+
+---
+
+## 2. Command Files to Remove (AC-71)
+
+All files in `commands/gsd/` shall be deleted. Current GSD commands:
+
+- [ ] `commands/gsd/add-backlog.md`
+- [ ] `commands/gsd/add-phase.md`
+- [ ] `commands/gsd/add-tests.md`
+- [ ] `commands/gsd/add-todo.md`
+- [ ] `commands/gsd/annotate.md`
+- [ ] `commands/gsd/audit-milestone.md`
+- [ ] `commands/gsd/audit-uat.md`
+- [ ] `commands/gsd/autonomous.md`
+- [ ] `commands/gsd/brainstorm.md`
+- [ ] `commands/gsd/check-todos.md`
+- [ ] `commands/gsd/cleanup.md`
+- [ ] `commands/gsd/complete-milestone.md`
+- [ ] `commands/gsd/debug.md`
+- [ ] `commands/gsd/deep-plan.md`
+- [ ] `commands/gsd/discuss-phase.md`
+- [ ] `commands/gsd/do.md`
+- [ ] `commands/gsd/execute-phase.md`
+- [ ] `commands/gsd/extract-plan.md`
+- [ ] `commands/gsd/fast.md`
+- [ ] `commands/gsd/forensics.md`
+- [ ] All remaining `commands/gsd/*.md` files
+
+**Commands to KEEP (CAP v2.0 command set):**
+- `commands/cap/init.md`
+- `commands/cap/brainstorm.md`
+- `commands/cap/prototype.md`
+- `commands/cap/iterate.md`
+- `commands/cap/annotate.md`
+- `commands/cap/scan.md`
+- `commands/cap/test.md`
+- `commands/cap/review.md`
+- `commands/cap/debug.md`
+- `commands/cap/status.md`
+- `commands/cap/start.md`
+- `commands/cap/refresh-docs.md`
+
+---
+
+## 3. Artifact References to Remove (AC-74)
+
+These planning artifacts shall no longer be created or referenced anywhere in the codebase:
+
+- [ ] `ROADMAP.md` -- eliminated; features are in FEATURE-MAP.md
+- [ ] `REQUIREMENTS.md` -- eliminated; ACs are in FEATURE-MAP.md
+- [ ] `STATE.md` -- eliminated; state is in SESSION.json
+- [ ] `MILESTONES.md` -- eliminated; no milestone concept in CAP
+- [ ] `VERIFICATION.md` -- eliminated; review output goes to .cap/REVIEW.md
+- [ ] `PLAN.md` -- eliminated; code is the plan
+- [ ] `CODE-INVENTORY.md` -- evolved into FEATURE-MAP.md (AC-75)
+
+### Files to grep and update:
+- [ ] `CLAUDE.md` -- remove all references to gsd:* commands and GSD workflow
+- [ ] `cap/references/arc-standard.md` -- update @gsd-* references to @cap-* or archive
+- [ ] Any README or documentation referencing GSD commands
+
+---
+
+## 4. Package Configuration Changes (AC-76, AC-77)
+
+### package.json updates (AC-77)
+
+```json
+{
+  "name": "cap",
+  "description": "CAP (Code As Plan) -- AI-native development where code IS the plan",
+  "bin": {
+    "cap": "bin/install.js"
+  },
+  "keywords": [
+    "cap",
+    "code-as-plan",
+    "claude",
+    "claude-code",
+    "ai",
+    "development-workflow"
+  ]
+}
+```
+
+Fallback name if `cap` is taken on npm: `code-as-plan`
+
+### bin/install.js updates (AC-76)
+
+- [ ] Update branding strings from "GSD" / "Get Shit Done" to "CAP" / "Code As Plan"
+- [ ] Update command references from `/gsd:*` to `/cap:*`
+- [ ] Update binary name from `cap-cc` to `cap`
+- [ ] Update repository URLs if repo is renamed
+
+### npm files array update (AC-99)
+
+```json
+{
+  "files": [
+    "bin",
+    "commands/cap",
+    "cap",
+    "agents",
+    "hooks/dist",
+    "scripts"
+  ]
+}
+```
+
+Note: `commands/cap` instead of `commands` to exclude `commands/gsd/` from distribution.
+
+---
+
+## 5. Distribution Changes (AC-97, AC-98, AC-99)
+
+- [ ] Package installable via `npx cap@latest` (AC-97)
+- [ ] Build uses esbuild following `scripts/build-hooks.js` pattern (AC-98)
+- [ ] npm `files` array includes: bin, commands/cap, agents, hooks/dist, scripts (AC-99)
+
+---
+
+## 6. Post-Removal Verification
+
+After executing the removal:
+
+1. [ ] `ls agents/` shows only 5 cap-* files
+2. [ ] `ls commands/` shows only `commands/cap/` directory
+3. [ ] `grep -r "gsd:" commands/ agents/` returns no results
+4. [ ] `grep -r "ROADMAP\|REQUIREMENTS\|STATE\.md\|MILESTONES\|VERIFICATION\|PLAN\.md" commands/ agents/` returns no results
+5. [ ] `npm test` passes
+6. [ ] `npx cap@latest` installs and runs
+7. [ ] `/cap:init` creates correct structure
+8. [ ] `/cap:scan` detects tags correctly
+
+---
+
+## Execution Notes
+
+- This removal should be executed as a SINGLE atomic operation (one commit)
+- All tests must be updated to reference CAP instead of GSD before removal
+- The `.planning/` directory contents are NOT part of the distributed package and can remain as historical reference
+- The `cap/` directory name is a legacy artifact that may be renamed in a future pass (low priority)

package/scripts/prompt-injection-scan.sh

@@ -0,0 +1,198 @@
+#!/usr/bin/env bash
+# prompt-injection-scan.sh — Scan files for prompt injection patterns
+#
+# Usage:
+#   scripts/prompt-injection-scan.sh --diff origin/main   # CI mode: scan changed .md files
+#   scripts/prompt-injection-scan.sh --file path/to/file   # Scan a single file
+#   scripts/prompt-injection-scan.sh --dir agents/          # Scan all files in a directory
+#
+# Exit codes:
+#   0 = clean
+#   1 = findings detected
+#   2 = usage error
+set -euo pipefail
+
+# ─── Patterns ────────────────────────────────────────────────────────────────
+# Each pattern is a POSIX extended regex. Keep alphabetized by category.
+
+PATTERNS=(
+  # Instruction override
+  'ignore[[:space:]]+(all[[:space:]]+)?(previous|prior|above|earlier|preceding)[[:space:]]+(instructions|prompts|rules|directives|context)'
+  'disregard[[:space:]]+(all[[:space:]]+)?(previous|prior|above)[[:space:]]+(instructions|prompts|rules)'
+  'forget[[:space:]]+(all[[:space:]]+)?(previous|prior|above)[[:space:]]+(instructions|prompts|rules|context)'
+  'override[[:space:]]+(all[[:space:]]+)?(system|previous|safety)[[:space:]]+(instructions|prompts|rules|checks|filters|guards)'
+  'override[[:space:]]+(system|safety|security)[[:space:]]'
+
+  # Role manipulation
+  'you[[:space:]]+are[[:space:]]+now[[:space:]]+(a|an|my)[[:space:]]'
+  'from[[:space:]]+now[[:space:]]+on[[:space:]]+(you|pretend|act|behave)'
+  'pretend[[:space:]]+(you[[:space:]]+are|to[[:space:]]+be)[[:space:]]'
+  'act[[:space:]]+as[[:space:]]+(a|an|if|my)[[:space:]]'
+  'roleplay[[:space:]]+as[[:space:]]'
+  'assume[[:space:]]+the[[:space:]]+role[[:space:]]+of[[:space:]]'
+
+  # System prompt extraction
+  'output[[:space:]]+(your|the)[[:space:]]+(system[[:space:]]+)?(prompt|instructions)'
+  'reveal[[:space:]]+(your|the)[[:space:]]+(system[[:space:]]+)?(prompt|instructions)'
+  'show[[:space:]]+me[[:space:]]+(your|the)[[:space:]]+(system[[:space:]]+)?(prompt|instructions)'
+  'print[[:space:]]+(your|the)[[:space:]]+(system[[:space:]]+)?(prompt|instructions)'
+  'what[[:space:]]+(is|are)[[:space:]]+(your|the)[[:space:]]+(system[[:space:]]+)?(prompt|instructions)'
+  'repeat[[:space:]]+(your|the|all)[[:space:]]+(system[[:space:]]+)?(prompt|instructions|rules)'
+
+  # Fake message boundaries
+  '</?system>'
+  '</?assistant>'
+  '</?human>'
+  '\[SYSTEM\]'
+  '\[/SYSTEM\]'
+  '\[INST\]'
+  '\[/INST\]'
+  '<<SYS>>'
+  '<</SYS>>'
+
+  # Tool call injection / code execution in markdown
+  'eval[[:space:]]*\([[:space:]]*["\x27]'
+  'exec[[:space:]]*\([[:space:]]*["\x27]'
+  'Function[[:space:]]*\([[:space:]]*["\x27].*return'
+
+  # Jailbreak / DAN patterns
+  'do[[:space:]]+anything[[:space:]]+now'
+  'DAN[[:space:]]+mode'
+  'developer[[:space:]]+mode[[:space:]]+(enabled|output|activated)'
+  'jailbreak'
+  'bypass[[:space:]]+(safety|content|security)[[:space:]]+(filter|check|rule|guard)'
+)
+
+# ─── Allowlist ───────────────────────────────────────────────────────────────
+# Files that legitimately discuss injection patterns (security docs, tests, this script)
+ALLOWLIST=(
+  'scripts/prompt-injection-scan.sh'
+  'scripts/base64-scan.sh'
+  'scripts/secret-scan.sh'
+  'tests/security-scan.test.cjs'
+  'tests/security.test.cjs'
+  'tests/prompt-injection-scan.test.cjs'
+  'get-shit-done/bin/lib/security.cjs'
+  'hooks/gsd-prompt-guard.js'
+  'SECURITY.md'
+)
+
+is_allowlisted() {
+  local file="$1"
+  for allowed in "${ALLOWLIST[@]}"; do
+    if [[ "$file" == *"$allowed" ]]; then
+      return 0
+    fi
+  done
+  return 1
+}
+
+# ─── File Collection ─────────────────────────────────────────────────────────
+
+collect_files() {
+  local mode="$1"
+  shift
+
+  case "$mode" in
+    --diff)
+      local base="${1:-origin/main}"
+      # Get changed files in the diff, filter to scannable extensions
+      git diff --name-only --diff-filter=ACMR "$base"...HEAD 2>/dev/null \
+        | grep -E '\.(md|cjs|js|json|yml|yaml|sh)$' || true
+      ;;
+    --file)
+      if [[ -f "$1" ]]; then
+        echo "$1"
+      else
+        echo "Error: file not found: $1" >&2
+        exit 2
+      fi
+      ;;
+    --dir)
+      local dir="$1"
+      if [[ ! -d "$dir" ]]; then
+        echo "Error: directory not found: $dir" >&2
+        exit 2
+      fi
+      find "$dir" -type f \( -name '*.md' -o -name '*.cjs' -o -name '*.js' -o -name '*.json' -o -name '*.yml' -o -name '*.yaml' -o -name '*.sh' \) \
+        ! -path '*/node_modules/*' ! -path '*/.git/*' ! -path '*/dist/*' 2>/dev/null || true
+      ;;
+    --stdin)
+      cat
+      ;;
+    *)
+      echo "Usage: $0 --diff [base] | --file <path> | --dir <path> | --stdin" >&2
+      exit 2
+      ;;
+  esac
+}
+
+# ─── Scanner ─────────────────────────────────────────────────────────────────
+
+scan_file() {
+  local file="$1"
+  local found=0
+
+  if is_allowlisted "$file"; then
+    return 0
+  fi
+
+  for pattern in "${PATTERNS[@]}"; do
+    # Use grep -iE for case-insensitive extended regex
+    # -n for line numbers, -c for count mode first to check
+    local matches
+    matches=$(grep -inE -e "$pattern" "$file" 2>/dev/null || true)
+    if [[ -n "$matches" ]]; then
+      if [[ $found -eq 0 ]]; then
+        echo "FAIL: $file"
+        found=1
+      fi
+      echo "$matches" | while IFS= read -r line; do
+        echo "  $line"
+      done
+    fi
+  done
+
+  return $found
+}
+
+# ─── Main ────────────────────────────────────────────────────────────────────
+
+main() {
+  if [[ $# -eq 0 ]]; then
+    echo "Usage: $0 --diff [base] | --file <path> | --dir <path>" >&2
+    exit 2
+  fi
+
+  local mode="$1"
+  shift
+
+  local files
+  files=$(collect_files "$mode" "$@")
+
+  if [[ -z "$files" ]]; then
+    echo "prompt-injection-scan: no files to scan"
+    exit 0
+  fi
+
+  local total=0
+  local failed=0
+
+  while IFS= read -r file; do
+    [[ -z "$file" ]] && continue
+    total=$((total + 1))
+    if ! scan_file "$file"; then
+      failed=$((failed + 1))
+    fi
+  done <<< "$files"
+
+  echo ""
+  echo "prompt-injection-scan: scanned $total files, $failed with findings"
+
+  if [[ $failed -gt 0 ]]; then
+    exit 1
+  fi
+  exit 0
+}
+
+main "$@"

package/scripts/run-tests.cjs

@@ -0,0 +1,29 @@
+#!/usr/bin/env node
+// Cross-platform test runner — resolves test file globs via Node
+// instead of relying on shell expansion (which fails on Windows PowerShell/cmd).
+// Propagates NODE_V8_COVERAGE so c8 collects coverage from the child process.
+'use strict';
+
+const { readdirSync } = require('fs');
+const { join } = require('path');
+const { execFileSync } = require('child_process');
+
+const testDir = join(__dirname, '..', 'tests');
+const files = readdirSync(testDir)
+  .filter(f => f.endsWith('.test.cjs'))
+  .sort()
+  .map(f => join('tests', f));
+
+if (files.length === 0) {
+  console.error('No test files found in tests/');
+  process.exit(1);
+}
+
+try {
+  execFileSync(process.execPath, ['--test', ...files], {
+    stdio: 'inherit',
+    env: { ...process.env },
+  });
+} catch (err) {
+  process.exit(err.status || 1);
+}

package/scripts/secret-scan.sh

@@ -0,0 +1,227 @@
+#!/usr/bin/env bash
+# secret-scan.sh — Check files for accidentally committed secrets/credentials
+#
+# Usage:
+#   scripts/secret-scan.sh --diff origin/main   # CI mode: scan changed files
+#   scripts/secret-scan.sh --file path/to/file   # Scan a single file
+#   scripts/secret-scan.sh --dir agents/          # Scan all files in a directory
+#
+# Exit codes:
+#   0 = clean
+#   1 = findings detected
+#   2 = usage error
+set -euo pipefail
+
+# ─── Secret Patterns ─────────────────────────────────────────────────────────
+# Format: "LABEL:::REGEX"
+# Each entry is a human label paired with a POSIX extended regex.
+
+SECRET_PATTERNS=(
+  # AWS
+  "AWS Access Key:::AKIA[0-9A-Z]{16}"
+  "AWS Secret Key:::aws_secret_access_key[[:space:]]*=[[:space:]]*[A-Za-z0-9/+=]{40}"
+
+  # OpenAI / Anthropic / AI providers
+  "OpenAI API Key:::sk-[A-Za-z0-9]{20,}"
+  "Anthropic API Key:::sk-ant-[A-Za-z0-9_-]{20,}"
+
+  # GitHub
+  "GitHub PAT:::ghp_[A-Za-z0-9]{36}"
+  "GitHub OAuth:::gho_[A-Za-z0-9]{36}"
+  "GitHub App Token:::ghs_[A-Za-z0-9]{36}"
+  "GitHub Fine-grained PAT:::github_pat_[A-Za-z0-9_]{20,}"
+
+  # Stripe
+  "Stripe Secret Key:::sk_live_[A-Za-z0-9]{24,}"
+  "Stripe Publishable Key:::pk_live_[A-Za-z0-9]{24,}"
+
+  # Generic patterns
+  "Private Key Header:::-----BEGIN[[:space:]]+(RSA|EC|DSA|OPENSSH)?[[:space:]]*PRIVATE[[:space:]]+KEY-----"
+  "Generic API Key Assignment:::api[_-]?key[[:space:]]*[:=][[:space:]]*['\"][A-Za-z0-9_-]{20,}['\"]"
+  "Generic Secret Assignment:::secret[[:space:]]*[:=][[:space:]]*['\"][A-Za-z0-9_-]{20,}['\"]"
+  "Generic Token Assignment:::token[[:space:]]*[:=][[:space:]]*['\"][A-Za-z0-9_-]{20,}['\"]"
+  "Generic Password Assignment:::password[[:space:]]*[:=][[:space:]]*['\"][^'\"]{8,}['\"]"
+
+  # Slack
+  "Slack Bot Token:::xoxb-[0-9]{10,}-[A-Za-z0-9]{20,}"
+  "Slack Webhook:::hooks\.slack\.com/services/T[A-Z0-9]{8,}/B[A-Z0-9]{8,}/[A-Za-z0-9]{24}"
+
+  # Google
+  "Google API Key:::AIza[A-Za-z0-9_-]{35}"
+
+  # NPM
+  "NPM Token:::npm_[A-Za-z0-9]{36}"
+
+  # .env file content (key=value with sensitive-looking keys)
+  "Env Variable Leak:::(DATABASE_URL|DB_PASSWORD|REDIS_URL|MONGO_URI|JWT_SECRET|SESSION_SECRET|ENCRYPTION_KEY)[[:space:]]*=[[:space:]]*[^[:space:]]{8,}"
+)
+
+# ─── Ignorelist ──────────────────────────────────────────────────────────────
+
+IGNOREFILE=".secretscanignore"
+IGNORED_FILES=()
+
+load_ignorelist() {
+  if [[ -f "$IGNOREFILE" ]]; then
+    while IFS= read -r line; do
+      [[ "$line" =~ ^[[:space:]]*# ]] && continue
+      [[ -z "${line// }" ]] && continue
+      IGNORED_FILES+=("$line")
+    done < "$IGNOREFILE"
+  fi
+}
+
+is_ignored() {
+  local file="$1"
+  if [[ ${#IGNORED_FILES[@]} -eq 0 ]]; then
+    return 1
+  fi
+  for pattern in "${IGNORED_FILES[@]}"; do
+    # Support glob-style matching
+    # shellcheck disable=SC2254
+    case "$file" in
+      $pattern) return 0 ;;
+    esac
+  done
+  return 1
+}
+
+# ─── Skip Rules ──────────────────────────────────────────────────────────────
+
+should_skip_file() {
+  local file="$1"
+  # Skip binary files
+  case "$file" in
+    *.png|*.jpg|*.jpeg|*.gif|*.ico|*.woff|*.woff2|*.ttf|*.eot|*.otf) return 0 ;;
+    *.zip|*.tar|*.gz|*.bz2|*.xz|*.7z) return 0 ;;
+    *.pdf|*.doc|*.docx|*.xls|*.xlsx) return 0 ;;
+  esac
+  # Skip lockfiles and node_modules
+  case "$file" in
+    */node_modules/*) return 0 ;;
+    */package-lock.json) return 0 ;;
+    */yarn.lock) return 0 ;;
+    */pnpm-lock.yaml) return 0 ;;
+  esac
+  # Skip the scan scripts themselves and test files
+  case "$file" in
+    */secret-scan.sh) return 0 ;;
+    */security-scan.test.cjs) return 0 ;;
+  esac
+  return 1
+}
+
+# ─── File Collection ─────────────────────────────────────────────────────────
+
+collect_files() {
+  local mode="$1"
+  shift
+
+  case "$mode" in
+    --diff)
+      local base="${1:-origin/main}"
+      git diff --name-only --diff-filter=ACMR "$base"...HEAD 2>/dev/null \
+        | grep -vE '\.(png|jpg|jpeg|gif|ico|woff|woff2|ttf|eot|otf|zip|tar|gz|pdf)$' || true
+      ;;
+    --file)
+      if [[ -f "$1" ]]; then
+        echo "$1"
+      else
+        echo "Error: file not found: $1" >&2
+        exit 2
+      fi
+      ;;
+    --dir)
+      local dir="$1"
+      if [[ ! -d "$dir" ]]; then
+        echo "Error: directory not found: $dir" >&2
+        exit 2
+      fi
+      find "$dir" -type f ! -path '*/node_modules/*' ! -path '*/.git/*' ! -path '*/dist/*' \
+        ! -name '*.png' ! -name '*.jpg' ! -name '*.gif' ! -name '*.woff*' 2>/dev/null || true
+      ;;
+    --stdin)
+      cat
+      ;;
+    *)
+      echo "Usage: $0 --diff [base] | --file <path> | --dir <path> | --stdin" >&2
+      exit 2
+      ;;
+  esac
+}
+
+# ─── Scanner ─────────────────────────────────────────────────────────────────
+
+scan_file() {
+  local file="$1"
+  local found=0
+
+  if is_ignored "$file"; then
+    return 0
+  fi
+
+  for entry in "${SECRET_PATTERNS[@]}"; do
+    local label="${entry%%:::*}"
+    local pattern="${entry#*:::}"
+
+    local matches
+    matches=$(grep -nE -e "$pattern" "$file" 2>/dev/null || true)
+    if [[ -n "$matches" ]]; then
+      if [[ $found -eq 0 ]]; then
+        echo "FAIL: $file"
+        found=1
+      fi
+      echo "$matches" | while IFS= read -r line; do
+        echo "  [$label] $line"
+      done
+    fi
+  done
+
+  return $found
+}
+
+# ─── Main ────────────────────────────────────────────────────────────────────
+
+main() {
+  if [[ $# -eq 0 ]]; then
+    echo "Usage: $0 --diff [base] | --file <path> | --dir <path>" >&2
+    exit 2
+  fi
+
+  load_ignorelist
+
+  local mode="$1"
+  shift
+
+  local files
+  files=$(collect_files "$mode" "$@")
+
+  if [[ -z "$files" ]]; then
+    echo "secret-scan: no files to scan"
+    exit 0
+  fi
+
+  local total=0
+  local failed=0
+
+  while IFS= read -r file; do
+    [[ -z "$file" ]] && continue
+    if should_skip_file "$file"; then
+      continue
+    fi
+    total=$((total + 1))
+    if ! scan_file "$file"; then
+      failed=$((failed + 1))
+    fi
+  done <<< "$files"
+
+  echo ""
+  echo "secret-scan: scanned $total files, $failed with findings"
+
+  if [[ $failed -gt 0 ]]; then
+    exit 1
+  fi
+  exit 0
+}
+
+main "$@"