code-warden 3.1.1 → 3.3.0

package/tools/hooks/codex/warden-apply-patch-hook.js

@@ -1,113 +1,113 @@
-#!/usr/bin/env node
-/**
- * warden-apply-patch-hook.js — Codex PreToolUse hook
- *
- * Fires on apply_patch tool calls. Scans added lines for hardcoded credentials
- * and estimates resulting file size where the target path can be extracted.
- *
- * Codex hook payload (stdin, JSON):
- *   { tool: "apply_patch", toolInput: { patch: "<patch text>" } }
- *
- * Exit codes:
- *   0  — proceed
- *   2  — block (writes JSON deny to stdout)
- */
-
-'use strict';
-
-const fs   = require('fs');
-const path = require('path');
-const { scanForSecrets }          = require('../../lib/secret-patterns');
-const { countLines }              = require('../../lib/line-count');
-const { loadConfig }              = require('../../lib/config');
-
-const { maxFileLength: maxLines } = loadConfig();
-
-
-function deny(reason) {
-  process.stdout.write(JSON.stringify({ deny: true, message: `[CodeWarden] ${reason}` }) + '\n');
-  process.exit(2);
-}
-
-// ---------------------------------------------------------------------------
-// Patch parsing helpers
-// ---------------------------------------------------------------------------
-
-/**
- * Extract lines added by the patch (lines starting with '+', not '+++').
- */
-function extractAddedLines(patch) {
-  return patch.split('\n')
-    .filter(l => l.startsWith('+') && !l.startsWith('+++'))
-    .map(l => l.slice(1));
-}
-
-/**
- * Extract target file path from patch header (*** path or +++ path or --- path).
- * Returns null if not detectable.
- */
-function extractTargetPath(patch) {
-  for (const line of patch.split('\n')) {
-    const m = line.match(/^\+{3}\s+(.+?)(\s+\d{4}-\d{2}-\d{2}.*)?$/) ||
-              line.match(/^\*{3}\s+(.+?)(\s+\d{4}-\d{2}-\d{2}.*)?$/);
-    if (m) {
-      const p = m[1].trim();
-      if (p !== '/dev/null') return p;
-    }
-  }
-  return null;
-}
-
-/**
- * Estimate resulting line count: base file lines + added lines - removed lines.
- * Returns null if file not readable.
- */
-function estimateResultLines(patch, targetPath) {
-  let baseLines = 0;
-  if (targetPath && fs.existsSync(targetPath)) {
-    try {
-      baseLines = countLines(fs.readFileSync(targetPath, 'utf8'));
-    } catch { return null; }
-  } else if (!targetPath) {
-    return null;
-  }
-  // Count added and removed lines
-  let added = 0;
-  let removed = 0;
-  for (const line of patch.split('\n')) {
-    if (line.startsWith('+') && !line.startsWith('+++')) added++;
-    else if (line.startsWith('-') && !line.startsWith('---')) removed++;
-  }
-  return baseLines + added - removed;
-}
-
-// ---------------------------------------------------------------------------
-// Main
-// ---------------------------------------------------------------------------
-
-let raw = '';
-process.stdin.setEncoding('utf8');
-process.stdin.on('data', chunk => { raw += chunk; });
-process.stdin.on('end', () => {
-  let payload;
-  try { payload = JSON.parse(raw); } catch { process.exit(0); }
-
-  const input = payload.toolInput || payload.tool_input || {};
-  const patch  = String(input.patch || '');
-  if (!patch) process.exit(0);
-
-  // --- Secrets check on added lines ---
-  const added = extractAddedLines(patch);
-  const addedText = added.join('\n');
-  const hit = scanForSecrets(addedText);
-  if (hit) deny(`Blocked apply_patch — hardcoded credential detected (${hit.label}). Remove before patching.`);
-
-  // --- File length check ---
-  const targetPath = extractTargetPath(patch);
-  const estimated  = estimateResultLines(patch, targetPath);
-  if (estimated !== null && estimated > maxLines) {
-    deny(`Blocked apply_patch — resulting file would be ~${estimated} lines (limit ${maxLines}). Break it up first.`);
-  }
-
-  process.exit(0);
-});
+#!/usr/bin/env node
+/**
+ * warden-apply-patch-hook.js — Codex PreToolUse hook
+ *
+ * Fires on apply_patch tool calls. Scans added lines for hardcoded credentials
+ * and estimates resulting file size where the target path can be extracted.
+ *
+ * Codex hook payload (stdin, JSON):
+ *   { tool: "apply_patch", toolInput: { patch: "<patch text>" } }
+ *
+ * Exit codes:
+ *   0  — proceed
+ *   2  — block (writes JSON deny to stdout)
+ */
+
+'use strict';
+
+const fs   = require('fs');
+const path = require('path');
+const { scanForSecrets }          = require('../../lib/secret-patterns');
+const { countLines }              = require('../../lib/line-count');
+const { loadConfig }              = require('../../lib/config');
+
+const { maxFileLength: maxLines } = loadConfig();
+
+
+function deny(reason) {
+  process.stdout.write(JSON.stringify({ deny: true, message: `[CodeWarden] ${reason}` }) + '\n');
+  process.exit(2);
+}
+
+// ---------------------------------------------------------------------------
+// Patch parsing helpers
+// ---------------------------------------------------------------------------
+
+/**
+ * Extract lines added by the patch (lines starting with '+', not '+++').
+ */
+function extractAddedLines(patch) {
+  return patch.split('\n')
+    .filter(l => l.startsWith('+') && !l.startsWith('+++'))
+    .map(l => l.slice(1));
+}
+
+/**
+ * Extract target file path from patch header (*** path or +++ path or --- path).
+ * Returns null if not detectable.
+ */
+function extractTargetPath(patch) {
+  for (const line of patch.split('\n')) {
+    const m = line.match(/^\+{3}\s+(.+?)(\s+\d{4}-\d{2}-\d{2}.*)?$/) ||
+              line.match(/^\*{3}\s+(.+?)(\s+\d{4}-\d{2}-\d{2}.*)?$/);
+    if (m) {
+      const p = m[1].trim();
+      if (p !== '/dev/null') return p;
+    }
+  }
+  return null;
+}
+
+/**
+ * Estimate resulting line count: base file lines + added lines - removed lines.
+ * Returns null if file not readable.
+ */
+function estimateResultLines(patch, targetPath) {
+  let baseLines = 0;
+  if (targetPath && fs.existsSync(targetPath)) {
+    try {
+      baseLines = countLines(fs.readFileSync(targetPath, 'utf8'));
+    } catch { return null; }
+  } else if (!targetPath) {
+    return null;
+  }
+  // Count added and removed lines
+  let added = 0;
+  let removed = 0;
+  for (const line of patch.split('\n')) {
+    if (line.startsWith('+') && !line.startsWith('+++')) added++;
+    else if (line.startsWith('-') && !line.startsWith('---')) removed++;
+  }
+  return baseLines + added - removed;
+}
+
+// ---------------------------------------------------------------------------
+// Main
+// ---------------------------------------------------------------------------
+
+let raw = '';
+process.stdin.setEncoding('utf8');
+process.stdin.on('data', chunk => { raw += chunk; });
+process.stdin.on('end', () => {
+  let payload;
+  try { payload = JSON.parse(raw); } catch { process.exit(0); }
+
+  const input = payload.toolInput || payload.tool_input || {};
+  const patch  = String(input.patch || '');
+  if (!patch) process.exit(0);
+
+  // --- Secrets check on added lines ---
+  const added = extractAddedLines(patch);
+  const addedText = added.join('\n');
+  const hit = scanForSecrets(addedText);
+  if (hit) deny(`Blocked apply_patch — hardcoded credential detected (${hit.label}). Remove before patching.`);
+
+  // --- File length check ---
+  const targetPath = extractTargetPath(patch);
+  const estimated  = estimateResultLines(patch, targetPath);
+  if (estimated !== null && estimated > maxLines) {
+    deny(`Blocked apply_patch — resulting file would be ~${estimated} lines (limit ${maxLines}). Break it up first.`);
+  }
+
+  process.exit(0);
+});

package/tools/hooks/codex/warden-bash-hook.js

@@ -1,51 +1,51 @@
-#!/usr/bin/env node
-/**
- * warden-bash-hook.js — Codex PreToolUse hook
- *
- * Fires on Bash tool calls. Scans the command string for patterns that
- * would embed hardcoded credentials into files (e.g. echo/printf/cat with
- * secret values, curl with Authorization headers, env assignments, etc.).
- *
- * This is a best-effort surface: Bash is intentionally wide. The hook catches
- * the most common accidental secret exposure patterns; it does not attempt to
- * sandbox arbitrary shell execution.
- *
- * Codex hook payload (stdin, JSON):
- *   { tool: "Bash", toolInput: { command: "<shell command>" } }
- *
- * Exit codes:
- *   0  — proceed
- *   2  — block (writes JSON deny to stdout)
- */
-
-'use strict';
-
-const { scanForSecrets } = require('../../lib/secret-patterns');
-
-function deny(reason) {
-  process.stdout.write(JSON.stringify({ deny: true, message: `[CodeWarden] ${reason}` }) + '\n');
-  process.exit(2);
-}
-
-// ---------------------------------------------------------------------------
-// Main
-// ---------------------------------------------------------------------------
-
-let raw = '';
-process.stdin.setEncoding('utf8');
-process.stdin.on('data', chunk => { raw += chunk; });
-process.stdin.on('end', () => {
-  let payload;
-  try { payload = JSON.parse(raw); } catch { process.exit(0); }
-
-  const input   = payload.toolInput || payload.tool_input || {};
-  const command = String(input.command || '');
-  if (!command) process.exit(0);
-
-  const hit = scanForSecrets(command);
-  if (hit) {
-    deny(`Blocked Bash command — hardcoded credential detected (${hit.label}). Use environment variables or a secrets manager instead.`);
-  }
-
-  process.exit(0);
-});
+#!/usr/bin/env node
+/**
+ * warden-bash-hook.js — Codex PreToolUse hook
+ *
+ * Fires on Bash tool calls. Scans the command string for patterns that
+ * would embed hardcoded credentials into files (e.g. echo/printf/cat with
+ * secret values, curl with Authorization headers, env assignments, etc.).
+ *
+ * This is a best-effort surface: Bash is intentionally wide. The hook catches
+ * the most common accidental secret exposure patterns; it does not attempt to
+ * sandbox arbitrary shell execution.
+ *
+ * Codex hook payload (stdin, JSON):
+ *   { tool: "Bash", toolInput: { command: "<shell command>" } }
+ *
+ * Exit codes:
+ *   0  — proceed
+ *   2  — block (writes JSON deny to stdout)
+ */
+
+'use strict';
+
+const { scanForSecrets } = require('../../lib/secret-patterns');
+
+function deny(reason) {
+  process.stdout.write(JSON.stringify({ deny: true, message: `[CodeWarden] ${reason}` }) + '\n');
+  process.exit(2);
+}
+
+// ---------------------------------------------------------------------------
+// Main
+// ---------------------------------------------------------------------------
+
+let raw = '';
+process.stdin.setEncoding('utf8');
+process.stdin.on('data', chunk => { raw += chunk; });
+process.stdin.on('end', () => {
+  let payload;
+  try { payload = JSON.parse(raw); } catch { process.exit(0); }
+
+  const input   = payload.toolInput || payload.tool_input || {};
+  const command = String(input.command || '');
+  if (!command) process.exit(0);
+
+  const hit = scanForSecrets(command);
+  if (hit) {
+    deny(`Blocked Bash command — hardcoded credential detected (${hit.label}). Use environment variables or a secrets manager instead.`);
+  }
+
+  process.exit(0);
+});

package/tools/lib/config.js

@@ -1,49 +1,49 @@
-#!/usr/bin/env node
-'use strict';
-
-/**
- * config.js
- * Shared codewarden.json loader.
- *
- * Previously warden-lint.js, warden-lint-hook.js, and warden-apply-patch-hook.js
- * each parsed codewarden.json independently with slightly different fallback paths.
- * This module centralises config loading with a single documented precedence.
- *
- * Resolution order for config file:
- *   1. Explicit path passed to loadConfig(configPath)
- *   2. <__dirname>/../../codewarden.json  (relative to tools/lib/ → skill root)
- */
-
-const fs   = require('fs');
-const path = require('path');
-
-const DEFAULT_CONFIG_PATH = path.join(__dirname, '..', '..', 'codewarden.json');
-
-/**
- * Load and parse codewarden.json, returning a merged config object.
- * Falls back to defaults silently if the file is missing or unparseable.
- *
- * @param {string} [configPath] - Override the config file location
- * @returns {{ maxFileLength: number }}
- */
-function loadConfig(configPath) {
-  const target = configPath || DEFAULT_CONFIG_PATH;
-  let maxFileLength = 400;
-
-  try {
-    const raw = fs.readFileSync(target, 'utf8');
-    const cfg = JSON.parse(raw);
-    const configured =
-      cfg?.thresholds?.max_file_length ??
-      cfg?.max_file_length;
-    if (typeof configured === 'number' && configured > 0) {
-      maxFileLength = configured;
-    }
-  } catch {
-    // Missing or invalid config — use defaults
-  }
-
-  return { maxFileLength };
-}
-
-module.exports = { loadConfig, DEFAULT_CONFIG_PATH };
+#!/usr/bin/env node
+'use strict';
+
+/**
+ * config.js
+ * Shared codewarden.json loader.
+ *
+ * Previously warden-lint.js, warden-lint-hook.js, and warden-apply-patch-hook.js
+ * each parsed codewarden.json independently with slightly different fallback paths.
+ * This module centralises config loading with a single documented precedence.
+ *
+ * Resolution order for config file:
+ *   1. Explicit path passed to loadConfig(configPath)
+ *   2. <__dirname>/../../codewarden.json  (relative to tools/lib/ → skill root)
+ */
+
+const fs   = require('fs');
+const path = require('path');
+
+const DEFAULT_CONFIG_PATH = path.join(__dirname, '..', '..', 'codewarden.json');
+
+/**
+ * Load and parse codewarden.json, returning a merged config object.
+ * Falls back to defaults silently if the file is missing or unparseable.
+ *
+ * @param {string} [configPath] - Override the config file location
+ * @returns {{ maxFileLength: number }}
+ */
+function loadConfig(configPath) {
+  const target = configPath || DEFAULT_CONFIG_PATH;
+  let maxFileLength = 400;
+
+  try {
+    const raw = fs.readFileSync(target, 'utf8');
+    const cfg = JSON.parse(raw);
+    const configured =
+      cfg?.thresholds?.max_file_length ??
+      cfg?.max_file_length;
+    if (typeof configured === 'number' && configured > 0) {
+      maxFileLength = configured;
+    }
+  } catch {
+    // Missing or invalid config — use defaults
+  }
+
+  return { maxFileLength };
+}
+
+module.exports = { loadConfig, DEFAULT_CONFIG_PATH };

package/tools/lib/file-collection.js

@@ -1,72 +1,72 @@
-#!/usr/bin/env node
-'use strict';
-
-/**
- * file-collection.js
- * Shared file traversal helpers for warden-lint and verify-secrets CLI tools.
- *
- * Previously each CLI tool duplicated identical SKIP_DIRS, SKIP_EXTS,
- * collectFiles, and expandPaths logic — any change had to be made twice.
- */
-
-const fs   = require('fs');
-const path = require('path');
-
-const SKIP_DIRS = new Set(['node_modules', '.git', 'target', 'dist', '.next']);
-
-const SKIP_EXTS = new Set([
-  '.png', '.jpg', '.jpeg', '.gif', '.bmp', '.ico', '.svg', '.webp',
-  '.zip', '.tar', '.gz', '.7z', '.rar',
-  '.dll', '.exe', '.bin', '.so', '.dylib',
-  '.pdf', '.woff', '.woff2', '.ttf', '.eot', '.otf',
-  '.mp4', '.mp3', '.wav', '.ogg', '.avi', '.mov',
-  '.map', '.lock',
-]);
-
-/**
- * Recursively collect all scannable files under a directory.
- *
- * @param {string} dir
- * @param {string[]} results - accumulator (mutated)
- */
-function collectFiles(dir, results) {
-  for (const entry of fs.readdirSync(dir)) {
-    if (SKIP_DIRS.has(entry)) continue;
-    const full = path.join(dir, entry);
-    const stat = fs.statSync(full);
-    if (stat.isDirectory()) {
-      collectFiles(full, results);
-    } else if (!SKIP_EXTS.has(path.extname(entry).toLowerCase())) {
-      results.push(full);
-    }
-  }
-}
-
-/**
- * Expand a list of CLI path arguments into a flat array of file paths.
- * Directories are walked recursively; individual files are included as-is.
- * Exits with usage error if no args provided or a path is not found.
- *
- * @param {string[]} args - process.argv slice
- * @param {string} toolName - used in the usage message
- * @returns {string[]}
- */
-function expandPaths(args, toolName) {
-  if (args.length === 0) {
-    console.log(`Usage: ${toolName} <file|dir> [file|dir] ...`);
-    console.log(`       node tools/${toolName} .           # scan entire project`);
-    process.exit(1);
-  }
-  const files = [];
-  for (const arg of args) {
-    if (!fs.existsSync(arg)) {
-      console.error(`Error: path not found: ${arg}`);
-      continue;
-    }
-    if (fs.statSync(arg).isDirectory()) collectFiles(arg, files);
-    else files.push(arg);
-  }
-  return files;
-}
-
-module.exports = { collectFiles, expandPaths, SKIP_DIRS, SKIP_EXTS };
+#!/usr/bin/env node
+'use strict';
+
+/**
+ * file-collection.js
+ * Shared file traversal helpers for warden-lint and verify-secrets CLI tools.
+ *
+ * Previously each CLI tool duplicated identical SKIP_DIRS, SKIP_EXTS,
+ * collectFiles, and expandPaths logic — any change had to be made twice.
+ */
+
+const fs   = require('fs');
+const path = require('path');
+
+const SKIP_DIRS = new Set(['node_modules', '.git', 'target', 'dist', '.next']);
+
+const SKIP_EXTS = new Set([
+  '.png', '.jpg', '.jpeg', '.gif', '.bmp', '.ico', '.svg', '.webp',
+  '.zip', '.tar', '.gz', '.7z', '.rar',
+  '.dll', '.exe', '.bin', '.so', '.dylib',
+  '.pdf', '.woff', '.woff2', '.ttf', '.eot', '.otf',
+  '.mp4', '.mp3', '.wav', '.ogg', '.avi', '.mov',
+  '.map', '.lock',
+]);
+
+/**
+ * Recursively collect all scannable files under a directory.
+ *
+ * @param {string} dir
+ * @param {string[]} results - accumulator (mutated)
+ */
+function collectFiles(dir, results) {
+  for (const entry of fs.readdirSync(dir)) {
+    if (SKIP_DIRS.has(entry)) continue;
+    const full = path.join(dir, entry);
+    const stat = fs.statSync(full);
+    if (stat.isDirectory()) {
+      collectFiles(full, results);
+    } else if (!SKIP_EXTS.has(path.extname(entry).toLowerCase())) {
+      results.push(full);
+    }
+  }
+}
+
+/**
+ * Expand a list of CLI path arguments into a flat array of file paths.
+ * Directories are walked recursively; individual files are included as-is.
+ * Exits with usage error if no args provided or a path is not found.
+ *
+ * @param {string[]} args - process.argv slice
+ * @param {string} toolName - used in the usage message
+ * @returns {string[]}
+ */
+function expandPaths(args, toolName) {
+  if (args.length === 0) {
+    console.log(`Usage: ${toolName} <file|dir> [file|dir] ...`);
+    console.log(`       node tools/${toolName} .           # scan entire project`);
+    process.exit(1);
+  }
+  const files = [];
+  for (const arg of args) {
+    if (!fs.existsSync(arg)) {
+      console.error(`Error: path not found: ${arg}`);
+      continue;
+    }
+    if (fs.statSync(arg).isDirectory()) collectFiles(arg, files);
+    else files.push(arg);
+  }
+  return files;
+}
+
+module.exports = { collectFiles, expandPaths, SKIP_DIRS, SKIP_EXTS };

package/tools/lib/line-count.js

@@ -1,28 +1,28 @@
-#!/usr/bin/env node
-'use strict';
-
-/**
- * line-count.js
- * Shared line-counting helper for warden-lint and hook consumers.
- *
- * Problem with the naive split('\n').length:
- *   "a\nb\n".split('\n') === ['a', 'b', '']  → length 3, not 2
- * A trailing newline (standard in well-formed files) would push a file
- * that is exactly at the limit over it, producing false positives.
- *
- * This helper normalises CRLF, strips the trailing newline before
- * splitting, and treats an empty string as 0 lines.
- */
-
-/**
- * Count logical lines in a file's content string.
- *
- * @param {string} content - Raw file content (may include CRLF or trailing newline)
- * @returns {number} Line count (0 for empty content)
- */
-function countLines(content) {
-  if (typeof content !== 'string' || content.length === 0) return 0;
-  return content.replace(/\r\n/g, '\n').trimEnd().split('\n').length;
-}
-
-module.exports = { countLines };
+#!/usr/bin/env node
+'use strict';
+
+/**
+ * line-count.js
+ * Shared line-counting helper for warden-lint and hook consumers.
+ *
+ * Problem with the naive split('\n').length:
+ *   "a\nb\n".split('\n') === ['a', 'b', '']  → length 3, not 2
+ * A trailing newline (standard in well-formed files) would push a file
+ * that is exactly at the limit over it, producing false positives.
+ *
+ * This helper normalises CRLF, strips the trailing newline before
+ * splitting, and treats an empty string as 0 lines.
+ */
+
+/**
+ * Count logical lines in a file's content string.
+ *
+ * @param {string} content - Raw file content (may include CRLF or trailing newline)
+ * @returns {number} Line count (0 for empty content)
+ */
+function countLines(content) {
+  if (typeof content !== 'string' || content.length === 0) return 0;
+  return content.replace(/\r\n/g, '\n').trimEnd().split('\n').length;
+}
+
+module.exports = { countLines };