code-warden 3.1.1 → 3.3.0

package/tools/hooks/claude/warden-lint-hook.js

@@ -1,106 +1,106 @@
-#!/usr/bin/env node
-/**
- * warden-lint-hook.js
- * PreToolUse Claude Code hook: blocks Write/Edit if the resulting file would
- * exceed the configured line limit.
- *
- * Payload (stdin JSON):  { tool_name, tool_input: { file_path, content|new_string, ... } }
- * On violation: exit 2 + JSON deny response to stdout.
- * On pass:      exit 0 (no output).
- */
-
-'use strict';
-
-const fs   = require('fs');
-const path = require('path');
-const { countLines } = require('../../lib/line-count');
-const { loadConfig } = require('../../lib/config');
-
-// ---------------------------------------------------------------------------
-// Config — loaded via shared module; falls back to 400 if missing
-// ---------------------------------------------------------------------------
-
-const { maxFileLength: MAX_LINES } = loadConfig();
-
-// ---------------------------------------------------------------------------
-// Skip list — file types where line counting is meaningless
-// ---------------------------------------------------------------------------
-
-const SKIP_EXTS = new Set([
-  '.png', '.jpg', '.jpeg', '.gif', '.bmp', '.ico', '.svg',
-  '.woff', '.woff2', '.ttf', '.eot', '.otf',
-  '.zip', '.tar', '.gz', '.rar', '.7z',
-  '.pdf', '.doc', '.docx', '.xls', '.xlsx',
-  '.mp3', '.mp4', '.avi', '.mov', '.wav',
-  '.map', '.lock',
-]);
-
-const SKIP_NAMES = new Set(['package-lock.json', 'yarn.lock', 'pnpm-lock.yaml']);
-
-function shouldSkip(filePath) {
-  if (!filePath) return true;
-  if (SKIP_NAMES.has(path.basename(filePath))) return true;
-  return SKIP_EXTS.has(path.extname(filePath).toLowerCase());
-}
-
-// ---------------------------------------------------------------------------
-// Response helpers
-// ---------------------------------------------------------------------------
-
-function deny(reason) {
-  process.stdout.write(JSON.stringify({
-    hookSpecificOutput: {
-      hookEventName: 'PreToolUse',
-      permissionDecision: 'deny',
-      permissionDecisionReason: reason,
-    },
-  }));
-  process.exit(2);
-}
-
-const allow = () => process.exit(0);
-
-// ---------------------------------------------------------------------------
-// Main
-// ---------------------------------------------------------------------------
-
-async function main() {
-  let payload;
-  try {
-    const chunks = [];
-    for await (const chunk of process.stdin) chunks.push(chunk);
-    payload = JSON.parse(Buffer.concat(chunks).toString('utf8'));
-  } catch {
-    allow(); // parse failure is non-blocking
-  }
-
-  const { tool_name, tool_input = {} } = payload;
-  const { file_path, content, old_string, new_string, replace_all } = tool_input;
-
-  if (tool_name === 'Write') {
-    if (shouldSkip(file_path)) allow();
-    const lines = countLines(content || '');
-    if (lines > MAX_LINES) {
-      deny(`[CodeWarden] File length gate: ${path.basename(file_path)} would be ${lines} lines (limit ${MAX_LINES}). Split into modules before writing.`);
-    }
-    allow();
-  }
-
-  if (tool_name === 'Edit') {
-    if (shouldSkip(file_path)) allow();
-    if (!fs.existsSync(file_path)) allow(); // new file — Write hook will catch it
-    const current = fs.readFileSync(file_path, 'utf8');
-    const patched  = replace_all
-      ? current.split(old_string || '').join(new_string || '')
-      : current.replace(old_string || '', new_string || '');
-    const lines = countLines(patched);
-    if (lines > MAX_LINES) {
-      deny(`[CodeWarden] File length gate: ${path.basename(file_path)} would be ${lines} lines after edit (limit ${MAX_LINES}). Split into modules before editing.`);
-    }
-    allow();
-  }
-
-  allow(); // unrecognised tool — pass through
-}
-
-main().catch(() => allow());
+#!/usr/bin/env node
+/**
+ * warden-lint-hook.js
+ * PreToolUse Claude Code hook: blocks Write/Edit if the resulting file would
+ * exceed the configured line limit.
+ *
+ * Payload (stdin JSON):  { tool_name, tool_input: { file_path, content|new_string, ... } }
+ * On violation: exit 2 + JSON deny response to stdout.
+ * On pass:      exit 0 (no output).
+ */
+
+'use strict';
+
+const fs   = require('fs');
+const path = require('path');
+const { countLines } = require('../../lib/line-count');
+const { loadConfig } = require('../../lib/config');
+
+// ---------------------------------------------------------------------------
+// Config — loaded via shared module; falls back to 400 if missing
+// ---------------------------------------------------------------------------
+
+const { maxFileLength: MAX_LINES } = loadConfig();
+
+// ---------------------------------------------------------------------------
+// Skip list — file types where line counting is meaningless
+// ---------------------------------------------------------------------------
+
+const SKIP_EXTS = new Set([
+  '.png', '.jpg', '.jpeg', '.gif', '.bmp', '.ico', '.svg',
+  '.woff', '.woff2', '.ttf', '.eot', '.otf',
+  '.zip', '.tar', '.gz', '.rar', '.7z',
+  '.pdf', '.doc', '.docx', '.xls', '.xlsx',
+  '.mp3', '.mp4', '.avi', '.mov', '.wav',
+  '.map', '.lock',
+]);
+
+const SKIP_NAMES = new Set(['package-lock.json', 'yarn.lock', 'pnpm-lock.yaml']);
+
+function shouldSkip(filePath) {
+  if (!filePath) return true;
+  if (SKIP_NAMES.has(path.basename(filePath))) return true;
+  return SKIP_EXTS.has(path.extname(filePath).toLowerCase());
+}
+
+// ---------------------------------------------------------------------------
+// Response helpers
+// ---------------------------------------------------------------------------
+
+function deny(reason) {
+  process.stdout.write(JSON.stringify({
+    hookSpecificOutput: {
+      hookEventName: 'PreToolUse',
+      permissionDecision: 'deny',
+      permissionDecisionReason: reason,
+    },
+  }));
+  process.exit(2);
+}
+
+const allow = () => process.exit(0);
+
+// ---------------------------------------------------------------------------
+// Main
+// ---------------------------------------------------------------------------
+
+async function main() {
+  let payload;
+  try {
+    const chunks = [];
+    for await (const chunk of process.stdin) chunks.push(chunk);
+    payload = JSON.parse(Buffer.concat(chunks).toString('utf8'));
+  } catch {
+    allow(); // parse failure is non-blocking
+  }
+
+  const { tool_name, tool_input = {} } = payload;
+  const { file_path, content, old_string, new_string, replace_all } = tool_input;
+
+  if (tool_name === 'Write') {
+    if (shouldSkip(file_path)) allow();
+    const lines = countLines(content || '');
+    if (lines > MAX_LINES) {
+      deny(`[CodeWarden] File length gate: ${path.basename(file_path)} would be ${lines} lines (limit ${MAX_LINES}). Split into modules before writing.`);
+    }
+    allow();
+  }
+
+  if (tool_name === 'Edit') {
+    if (shouldSkip(file_path)) allow();
+    if (!fs.existsSync(file_path)) allow(); // new file — Write hook will catch it
+    const current = fs.readFileSync(file_path, 'utf8');
+    const patched  = replace_all
+      ? current.split(old_string || '').join(new_string || '')
+      : current.replace(old_string || '', new_string || '');
+    const lines = countLines(patched);
+    if (lines > MAX_LINES) {
+      deny(`[CodeWarden] File length gate: ${path.basename(file_path)} would be ${lines} lines after edit (limit ${MAX_LINES}). Split into modules before editing.`);
+    }
+    allow();
+  }
+
+  allow(); // unrecognised tool — pass through
+}
+
+main().catch(() => allow());

package/tools/hooks/claude/warden-secrets-hook.js

@@ -1,73 +1,73 @@
-#!/usr/bin/env node
-/**
- * warden-secrets-hook.js
- * PreToolUse Claude Code hook: blocks Write/Edit if content contains
- * hardcoded credentials matching zero-trust secret patterns.
- *
- * Write: scans full content.
- * Edit:  scans new_string only (old content was already committed).
- *
- * On violation: exit 2 + JSON deny response to stdout.
- * On pass:      exit 0 (no output).
- */
-
-'use strict';
-
-const path = require('path');
-const { scanForSecrets } = require('../../lib/secret-patterns');
-
-// ---------------------------------------------------------------------------
-// Response helpers
-// ---------------------------------------------------------------------------
-
-function deny(reason) {
-  process.stdout.write(JSON.stringify({
-    hookSpecificOutput: {
-      hookEventName: 'PreToolUse',
-      permissionDecision: 'deny',
-      permissionDecisionReason: reason,
-    },
-  }));
-  process.exit(2);
-}
-
-const allow = () => process.exit(0);
-
-// ---------------------------------------------------------------------------
-// Main
-// ---------------------------------------------------------------------------
-
-async function main() {
-  let payload;
-  try {
-    const chunks = [];
-    for await (const chunk of process.stdin) chunks.push(chunk);
-    payload = JSON.parse(Buffer.concat(chunks).toString('utf8'));
-  } catch {
-    allow();
-  }
-
-  const { tool_name, tool_input = {} } = payload;
-
-  if (tool_name === 'Write') {
-    const hit = scanForSecrets(tool_input.content || '');
-    if (hit) {
-      const file = path.basename(tool_input.file_path || 'file');
-      deny(`[CodeWarden] Hardcoded credential scanner: ${hit.label} detected in ${file}. Use environment variables — no hardcoded credentials.`);
-    }
-    allow();
-  }
-
-  if (tool_name === 'Edit') {
-    const hit = scanForSecrets(tool_input.new_string || '');
-    if (hit) {
-      const file = path.basename(tool_input.file_path || 'file');
-      deny(`[CodeWarden] Hardcoded credential scanner: ${hit.label} detected in replacement for ${file}. Use environment variables — no hardcoded credentials.`);
-    }
-    allow();
-  }
-
-  allow();
-}
-
-main().catch(() => allow());
+#!/usr/bin/env node
+/**
+ * warden-secrets-hook.js
+ * PreToolUse Claude Code hook: blocks Write/Edit if content contains
+ * hardcoded credentials matching zero-trust secret patterns.
+ *
+ * Write: scans full content.
+ * Edit:  scans new_string only (old content was already committed).
+ *
+ * On violation: exit 2 + JSON deny response to stdout.
+ * On pass:      exit 0 (no output).
+ */
+
+'use strict';
+
+const path = require('path');
+const { scanForSecrets } = require('../../lib/secret-patterns');
+
+// ---------------------------------------------------------------------------
+// Response helpers
+// ---------------------------------------------------------------------------
+
+function deny(reason) {
+  process.stdout.write(JSON.stringify({
+    hookSpecificOutput: {
+      hookEventName: 'PreToolUse',
+      permissionDecision: 'deny',
+      permissionDecisionReason: reason,
+    },
+  }));
+  process.exit(2);
+}
+
+const allow = () => process.exit(0);
+
+// ---------------------------------------------------------------------------
+// Main
+// ---------------------------------------------------------------------------
+
+async function main() {
+  let payload;
+  try {
+    const chunks = [];
+    for await (const chunk of process.stdin) chunks.push(chunk);
+    payload = JSON.parse(Buffer.concat(chunks).toString('utf8'));
+  } catch {
+    allow();
+  }
+
+  const { tool_name, tool_input = {} } = payload;
+
+  if (tool_name === 'Write') {
+    const hit = scanForSecrets(tool_input.content || '');
+    if (hit) {
+      const file = path.basename(tool_input.file_path || 'file');
+      deny(`[CodeWarden] Hardcoded credential scanner: ${hit.label} detected in ${file}. Use environment variables — no hardcoded credentials.`);
+    }
+    allow();
+  }
+
+  if (tool_name === 'Edit') {
+    const hit = scanForSecrets(tool_input.new_string || '');
+    if (hit) {
+      const file = path.basename(tool_input.file_path || 'file');
+      deny(`[CodeWarden] Hardcoded credential scanner: ${hit.label} detected in replacement for ${file}. Use environment variables — no hardcoded credentials.`);
+    }
+    allow();
+  }
+
+  allow();
+}
+
+main().catch(() => allow());

package/tools/hooks/codex/install-hooks.js

@@ -1,100 +1,100 @@
-#!/usr/bin/env node
-/**
- * install-hooks.js — Codex PreToolUse hook installer
- *
- * Merges code-warden hook entries into ~/.codex/hooks.json.
- *
- * Codex hooks.json schema:
- *   { "PreToolUse": [ { "matcher": "...", "description": "...", "command": "...", "args": [...] } ] }
- *
- * Idempotent: strips existing code-warden entries by description marker,
- * then appends current entries. Ensures paths stay current after reinstalls.
- *
- * Requires the skill to already be installed at skillDir.
- */
-
-'use strict';
-
-const fs   = require('fs');
-const path = require('path');
-const os   = require('os');
-
-const MARKER_PREFIX = 'code-warden:';
-const HOOKS_PATH    = path.join(os.homedir(), '.codex', 'hooks.json');
-
-// ---------------------------------------------------------------------------
-// Hooks file I/O
-// ---------------------------------------------------------------------------
-
-function readHooks() {
-  if (!fs.existsSync(HOOKS_PATH)) return {};
-  try {
-    return JSON.parse(fs.readFileSync(HOOKS_PATH, 'utf8'));
-  } catch (err) {
-    throw new Error(`hooks.json exists but could not be parsed (${HOOKS_PATH}): ${err.message}`);
-  }
-}
-
-function writeHooks(hooks) {
-  const tmp = `${HOOKS_PATH}.tmp`;
-  fs.mkdirSync(path.dirname(HOOKS_PATH), { recursive: true });
-  fs.writeFileSync(tmp, JSON.stringify(hooks, null, 2) + '\n', 'utf8');
-  fs.renameSync(tmp, HOOKS_PATH);
-}
-
-// ---------------------------------------------------------------------------
-// Hook entry helpers
-// ---------------------------------------------------------------------------
-
-function stripCodeWardenHooks(entries) {
-  return (entries || []).filter(
-    e => !String(e.description || '').startsWith(MARKER_PREFIX)
-  );
-}
-
-function buildEntries(skillDir) {
-  return [
-    {
-      matcher:     'apply_patch',
-      command:     'node',
-      args:        [path.join(skillDir, 'tools', 'hooks', 'codex', 'warden-apply-patch-hook.js')],
-      description: 'code-warden: apply_patch secrets + size gate',
-    },
-    {
-      matcher:     'Bash',
-      command:     'node',
-      args:        [path.join(skillDir, 'tools', 'hooks', 'codex', 'warden-bash-hook.js')],
-      description: 'code-warden: bash secrets gate',
-    },
-  ];
-}
-
-// ---------------------------------------------------------------------------
-// Install
-// ---------------------------------------------------------------------------
-
-function installHooks(skillDir) {
-  // Guard: skill must be installed before hooks are written
-  const required = [
-    path.join(skillDir, 'SKILL.md'),
-    path.join(skillDir, 'tools', 'hooks', 'codex', 'warden-apply-patch-hook.js'),
-    path.join(skillDir, 'tools', 'hooks', 'codex', 'warden-bash-hook.js'),
-  ];
-  for (const p of required) {
-    if (!fs.existsSync(p)) {
-      console.error('[CodeWarden] Hooks require an installed Codex target.');
-      console.error(`[CodeWarden] Missing: ${p}`);
-      console.error('[CodeWarden] Run: node install.js --target=codex --all');
-      process.exit(1);
-    }
-  }
-
-  const hooks = readHooks();
-  const cleaned = stripCodeWardenHooks(hooks.PreToolUse);
-  hooks.PreToolUse = [...cleaned, ...buildEntries(skillDir)];
-
-  writeHooks(hooks);
-  return HOOKS_PATH;
-}
-
-module.exports = { installHooks };
+#!/usr/bin/env node
+/**
+ * install-hooks.js — Codex PreToolUse hook installer
+ *
+ * Merges code-warden hook entries into ~/.codex/hooks.json.
+ *
+ * Codex hooks.json schema:
+ *   { "PreToolUse": [ { "matcher": "...", "description": "...", "command": "...", "args": [...] } ] }
+ *
+ * Idempotent: strips existing code-warden entries by description marker,
+ * then appends current entries. Ensures paths stay current after reinstalls.
+ *
+ * Requires the skill to already be installed at skillDir.
+ */
+
+'use strict';
+
+const fs   = require('fs');
+const path = require('path');
+const os   = require('os');
+
+const MARKER_PREFIX = 'code-warden:';
+const HOOKS_PATH    = path.join(os.homedir(), '.codex', 'hooks.json');
+
+// ---------------------------------------------------------------------------
+// Hooks file I/O
+// ---------------------------------------------------------------------------
+
+function readHooks() {
+  if (!fs.existsSync(HOOKS_PATH)) return {};
+  try {
+    return JSON.parse(fs.readFileSync(HOOKS_PATH, 'utf8'));
+  } catch (err) {
+    throw new Error(`hooks.json exists but could not be parsed (${HOOKS_PATH}): ${err.message}`);
+  }
+}
+
+function writeHooks(hooks) {
+  const tmp = `${HOOKS_PATH}.tmp`;
+  fs.mkdirSync(path.dirname(HOOKS_PATH), { recursive: true });
+  fs.writeFileSync(tmp, JSON.stringify(hooks, null, 2) + '\n', 'utf8');
+  fs.renameSync(tmp, HOOKS_PATH);
+}
+
+// ---------------------------------------------------------------------------
+// Hook entry helpers
+// ---------------------------------------------------------------------------
+
+function stripCodeWardenHooks(entries) {
+  return (entries || []).filter(
+    e => !String(e.description || '').startsWith(MARKER_PREFIX)
+  );
+}
+
+function buildEntries(skillDir) {
+  return [
+    {
+      matcher:     'apply_patch',
+      command:     'node',
+      args:        [path.join(skillDir, 'tools', 'hooks', 'codex', 'warden-apply-patch-hook.js')],
+      description: 'code-warden: apply_patch secrets + size gate',
+    },
+    {
+      matcher:     'Bash',
+      command:     'node',
+      args:        [path.join(skillDir, 'tools', 'hooks', 'codex', 'warden-bash-hook.js')],
+      description: 'code-warden: bash secrets gate',
+    },
+  ];
+}
+
+// ---------------------------------------------------------------------------
+// Install
+// ---------------------------------------------------------------------------
+
+function installHooks(skillDir) {
+  // Guard: skill must be installed before hooks are written
+  const required = [
+    path.join(skillDir, 'SKILL.md'),
+    path.join(skillDir, 'tools', 'hooks', 'codex', 'warden-apply-patch-hook.js'),
+    path.join(skillDir, 'tools', 'hooks', 'codex', 'warden-bash-hook.js'),
+  ];
+  for (const p of required) {
+    if (!fs.existsSync(p)) {
+      console.error('[CodeWarden] Hooks require an installed Codex target.');
+      console.error(`[CodeWarden] Missing: ${p}`);
+      console.error('[CodeWarden] Run: node install.js --target=codex --all');
+      process.exit(1);
+    }
+  }
+
+  const hooks = readHooks();
+  const cleaned = stripCodeWardenHooks(hooks.PreToolUse);
+  hooks.PreToolUse = [...cleaned, ...buildEntries(skillDir)];
+
+  writeHooks(hooks);
+  return HOOKS_PATH;
+}
+
+module.exports = { installHooks };

package/tools/hooks/codex/uninstall-hooks.js

@@ -1,53 +1,53 @@
-#!/usr/bin/env node
-/**
- * uninstall-hooks.js — Codex PreToolUse hook remover
- *
- * Removes all code-warden entries from ~/.codex/hooks.json.
- * Cleans up empty PreToolUse array and empty top-level object if nothing remains.
- */
-
-'use strict';
-
-const fs   = require('fs');
-const path = require('path');
-const os   = require('os');
-
-const MARKER_PREFIX = 'code-warden:';
-const HOOKS_PATH    = path.join(os.homedir(), '.codex', 'hooks.json');
-
-function uninstallHooks() {
-  if (!fs.existsSync(HOOKS_PATH)) {
-    console.log('[CodeWarden] ~/.codex/hooks.json not found — nothing to remove.');
-    return;
-  }
-
-  let hooks;
-  try {
-    hooks = JSON.parse(fs.readFileSync(HOOKS_PATH, 'utf8'));
-  } catch (err) {
-    console.error(`[CodeWarden] hooks.json could not be parsed: ${err.message}`);
-    process.exit(1);
-  }
-
-  const before = (hooks.PreToolUse || []).length;
-  hooks.PreToolUse = (hooks.PreToolUse || []).filter(
-    e => !String(e.description || '').startsWith(MARKER_PREFIX)
-  );
-  const removed = before - hooks.PreToolUse.length;
-
-  // Clean empty array
-  if (hooks.PreToolUse.length === 0) delete hooks.PreToolUse;
-
-  // Write back (or remove file if completely empty)
-  if (Object.keys(hooks).length === 0) {
-    fs.unlinkSync(HOOKS_PATH);
-    console.log(`[CodeWarden] Removed ${removed} hook(s) — hooks.json is now empty, file removed.`);
-  } else {
-    const tmp = `${HOOKS_PATH}.tmp`;
-    fs.writeFileSync(tmp, JSON.stringify(hooks, null, 2) + '\n', 'utf8');
-    fs.renameSync(tmp, HOOKS_PATH);
-    console.log(`[CodeWarden] Removed ${removed} code-warden hook(s) from ~/.codex/hooks.json.`);
-  }
-}
-
-module.exports = { uninstallHooks };
+#!/usr/bin/env node
+/**
+ * uninstall-hooks.js — Codex PreToolUse hook remover
+ *
+ * Removes all code-warden entries from ~/.codex/hooks.json.
+ * Cleans up empty PreToolUse array and empty top-level object if nothing remains.
+ */
+
+'use strict';
+
+const fs   = require('fs');
+const path = require('path');
+const os   = require('os');
+
+const MARKER_PREFIX = 'code-warden:';
+const HOOKS_PATH    = path.join(os.homedir(), '.codex', 'hooks.json');
+
+function uninstallHooks() {
+  if (!fs.existsSync(HOOKS_PATH)) {
+    console.log('[CodeWarden] ~/.codex/hooks.json not found — nothing to remove.');
+    return;
+  }
+
+  let hooks;
+  try {
+    hooks = JSON.parse(fs.readFileSync(HOOKS_PATH, 'utf8'));
+  } catch (err) {
+    console.error(`[CodeWarden] hooks.json could not be parsed: ${err.message}`);
+    process.exit(1);
+  }
+
+  const before = (hooks.PreToolUse || []).length;
+  hooks.PreToolUse = (hooks.PreToolUse || []).filter(
+    e => !String(e.description || '').startsWith(MARKER_PREFIX)
+  );
+  const removed = before - hooks.PreToolUse.length;
+
+  // Clean empty array
+  if (hooks.PreToolUse.length === 0) delete hooks.PreToolUse;
+
+  // Write back (or remove file if completely empty)
+  if (Object.keys(hooks).length === 0) {
+    fs.unlinkSync(HOOKS_PATH);
+    console.log(`[CodeWarden] Removed ${removed} hook(s) — hooks.json is now empty, file removed.`);
+  } else {
+    const tmp = `${HOOKS_PATH}.tmp`;
+    fs.writeFileSync(tmp, JSON.stringify(hooks, null, 2) + '\n', 'utf8');
+    fs.renameSync(tmp, HOOKS_PATH);
+    console.log(`[CodeWarden] Removed ${removed} code-warden hook(s) from ~/.codex/hooks.json.`);
+  }
+}
+
+module.exports = { uninstallHooks };