code-warden 3.1.1 → 3.3.0

package/tools/lib/secret-patterns.js

@@ -1,57 +1,57 @@
-#!/usr/bin/env node
-'use strict';
-
-/**
- * secret-patterns.js
- * Canonical hardcoded-credential patterns shared across all Code-Warden
- * scanners (CLI and hooks).
- *
- * Previously each consumer defined its own copy, causing drift:
- *   - verify-secrets.js:            gh[housr]_ (separate entries per prefix)
- *   - warden-secrets-hook.js:       gh[pousr]_
- *   - warden-apply-patch-hook.js:   gh[posx]_   ← missed 'u' (refresh tokens)
- *   - warden-bash-hook.js:          gh[posx]_   ← missed 'u' (refresh tokens)
- *
- * This module is the single source of truth. All consumers require() it.
- *
- * Terminology alignment (per v3.1.1 docs):
- *   - This module implements the "hardcoded credential scanner" logic.
- *   - The governance rule that mandates its use is the "zero-trust secrets policy".
- */
-
-/**
- * @typedef {{ label: string, re: RegExp }} SecretPattern
- */
-
-/** @type {SecretPattern[]} */
-const SECRET_PATTERNS = [
-  { label: 'AWS access key',          re: /\bAKIA[0-9A-Z]{16}\b/ },
-  { label: 'OpenAI key',              re: /\bsk-[A-Za-z0-9]{32,}\b/ },
-  { label: 'GitHub token',            re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/i },
-  { label: 'Stripe secret key',       re: /\bsk_(live|test)_[A-Za-z0-9]{24,}\b/ },
-  { label: 'Slack token',             re: /\bxox[baprs]-[A-Za-z0-9\-]{10,}\b/ },
-  { label: 'SendGrid key',            re: /\bSG\.[A-Za-z0-9_\-.]{20,}\b/ },
-  { label: 'Twilio SID',              re: /\bAC[a-f0-9]{32}\b/ },
-  { label: 'generic API key',         re: /api[_-]?key\s*[:=]\s*['"]?[A-Za-z0-9_\-]{20,}/i },
-  { label: 'generic secret key',      re: /secret[_-]?key\s*[:=]\s*['"]?[A-Za-z0-9_\-]{20,}/i },
-  { label: 'password assignment',     re: /password\s*[:=]\s*['"][^'"]{8,}['"]/i },
-  { label: 'bearer token',            re: /bearer\s+[A-Za-z0-9\-._~+\/]{20,}/i },
-  { label: 'private key header',      re: /-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
-  { label: 'database URL with creds', re: /[a-z][a-z0-9+\-.]*:\/\/[^:@\s]+:[^@\s]{4,}@[^/\s]+\// },
-];
-
-/**
- * Scan a content string against all secret patterns.
- *
- * @param {string} content
- * @returns {{ label: string } | null} First matching pattern label, or null if clean.
- */
-function scanForSecrets(content) {
-  if (typeof content !== 'string' || content.length === 0) return null;
-  for (const { label, re } of SECRET_PATTERNS) {
-    if (re.test(content)) return { label };
-  }
-  return null;
-}
-
-module.exports = { SECRET_PATTERNS, scanForSecrets };
+#!/usr/bin/env node
+'use strict';
+
+/**
+ * secret-patterns.js
+ * Canonical hardcoded-credential patterns shared across all Code-Warden
+ * scanners (CLI and hooks).
+ *
+ * Previously each consumer defined its own copy, causing drift:
+ *   - verify-secrets.js:            gh[housr]_ (separate entries per prefix)
+ *   - warden-secrets-hook.js:       gh[pousr]_
+ *   - warden-apply-patch-hook.js:   gh[posx]_   ← missed 'u' (refresh tokens)
+ *   - warden-bash-hook.js:          gh[posx]_   ← missed 'u' (refresh tokens)
+ *
+ * This module is the single source of truth. All consumers require() it.
+ *
+ * Terminology alignment (per v3.1.1 docs):
+ *   - This module implements the "hardcoded credential scanner" logic.
+ *   - The governance rule that mandates its use is the "zero-trust secrets policy".
+ */
+
+/**
+ * @typedef {{ label: string, re: RegExp }} SecretPattern
+ */
+
+/** @type {SecretPattern[]} */
+const SECRET_PATTERNS = [
+  { label: 'AWS access key',          re: /\bAKIA[0-9A-Z]{16}\b/ },
+  { label: 'OpenAI key',              re: /\bsk-[A-Za-z0-9]{32,}\b/ },
+  { label: 'GitHub token',            re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/i },
+  { label: 'Stripe secret key',       re: /\bsk_(live|test)_[A-Za-z0-9]{24,}\b/ },
+  { label: 'Slack token',             re: /\bxox[baprs]-[A-Za-z0-9\-]{10,}\b/ },
+  { label: 'SendGrid key',            re: /\bSG\.[A-Za-z0-9_\-.]{20,}\b/ },
+  { label: 'Twilio SID',              re: /\bAC[a-f0-9]{32}\b/ },
+  { label: 'generic API key',         re: /api[_-]?key\s*[:=]\s*['"]?[A-Za-z0-9_\-]{20,}/i },
+  { label: 'generic secret key',      re: /secret[_-]?key\s*[:=]\s*['"]?[A-Za-z0-9_\-]{20,}/i },
+  { label: 'password assignment',     re: /password\s*[:=]\s*['"][^'"]{8,}['"]/i },
+  { label: 'bearer token',            re: /bearer\s+[A-Za-z0-9\-._~+\/]{20,}/i },
+  { label: 'private key header',      re: /-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
+  { label: 'database URL with creds', re: /[a-z][a-z0-9+\-.]*:\/\/[^:@\s]+:[^@\s]{4,}@[^/\s]+\// },
+];
+
+/**
+ * Scan a content string against all secret patterns.
+ *
+ * @param {string} content
+ * @returns {{ label: string } | null} First matching pattern label, or null if clean.
+ */
+function scanForSecrets(content) {
+  if (typeof content !== 'string' || content.length === 0) return null;
+  for (const { label, re } of SECRET_PATTERNS) {
+    if (re.test(content)) return { label };
+  }
+  return null;
+}
+
+module.exports = { SECRET_PATTERNS, scanForSecrets };

package/tools/tests/fixtures/clean.js

@@ -1,9 +1,9 @@
-// Fixture: clean file — no secrets, well within line limit.
-// Used by: warden-lint (expect PASS) and verify-secrets (expect PASS).
-'use strict';
-
-function greet(name) {
-  return `Hello, ${name}`;
-}
-
-module.exports = { greet };
+// Fixture: clean file — no secrets, well within line limit.
+// Used by: warden-lint (expect PASS) and verify-secrets (expect PASS).
+'use strict';
+
+function greet(name) {
+  return `Hello, ${name}`;
+}
+
+module.exports = { greet };

package/tools/tests/run-tests.js

@@ -1,210 +1,210 @@
-#!/usr/bin/env node
-'use strict';
-
-/**
- * run-tests.js
- * Behavioral test suite for Code-Warden scanners and hooks.
- *
- * Verifies that enforcement tools actually enforce — not just that they exist.
- * Uses Node's built-in node:test (no external test framework required).
- *
- * Tests:
- *   CLI tools
- *   1. warden-lint     clean file    → exit 0
- *   2. warden-lint     oversized     → exit 1
- *   3. verify-secrets  clean file    → exit 0
- *   4. verify-secrets  secret file   → exit 1
- *
- *   Claude hooks (PreToolUse JSON payloads via stdin)
- *   5. warden-lint-hook    Write oversized  → exit 2
- *   6. warden-secrets-hook Write secret     → exit 2
- *
- *   Codex hooks
- *   7. warden-apply-patch-hook  patch with secret  → exit 2
- *   8. warden-bash-hook         command with secret → exit 2
- *
- * Fixture strategy:
- *   - clean.js is committed (no secrets, short).
- *   - Oversized content is generated in memory / tmpdir (committed file would
- *     trip warden-lint itself).
- *   - Secret content is generated via makeFakeSecret() which builds the
- *     pattern from parts so the scanner does not flag this source file.
- */
-
-const { test } = require('node:test');
-const assert        = require('node:assert/strict');
-const { spawnSync } = require('node:child_process');
-const path          = require('node:path');
-const fs            = require('node:fs');
-const os            = require('node:os');
-
-// ---------------------------------------------------------------------------
-// Paths
-// ---------------------------------------------------------------------------
-
-const ROOT     = path.join(__dirname, '..', '..');
-const TOOLS    = path.join(ROOT, 'tools');
-const FIXTURES = path.join(__dirname, 'fixtures');
-const CLEAN    = path.join(FIXTURES, 'clean.js');
-
-if (!fs.existsSync(CLEAN)) throw new Error(`Missing fixture: clean at ${CLEAN}`);
-
-// ---------------------------------------------------------------------------
-// Fixture generators — never committed, avoids false-positive self-scan
-// ---------------------------------------------------------------------------
-
-/**
- * Build a fake OpenAI-style key from parts so this source file does not
- * contain a string that matches the secret scanner's pattern literally.
- */
-function makeFakeSecret() {
-  return ['sk', '-', 'a'.repeat(48)].join('');
-}
-
-/** Generate content containing a hardcoded credential. */
-function makeSecretContent() {
-  return [
-    '// Generated secret fixture — not committed to repo.',
-    "'use strict';",
-    `const KEY = '${makeFakeSecret()}';`,
-    'module.exports = { KEY };',
-  ].join('\n') + '\n';
-}
-
-/** Generate content that exceeds the 400-line limit. */
-function makeOversizedContent(limit = 400) {
-  const lines = [
-    '// Generated oversized fixture — not committed to repo.',
-    "'use strict';",
-    '',
-  ];
-  for (let i = 1; i <= limit + 15; i++) {
-    lines.push(`const line${i} = ${i}; // padding`);
-  }
-  return lines.join('\n') + '\n';
-}
-
-/** Write content to a temp file; caller is responsible for cleanup. */
-function writeTmp(name, content) {
-  const p = path.join(os.tmpdir(), `cw-fixture-${process.pid}-${name}`);
-  fs.writeFileSync(p, content);
-  return p;
-}
-
-// ---------------------------------------------------------------------------
-// Helpers
-// ---------------------------------------------------------------------------
-
-function runCLI(scriptPath, args = []) {
-  const result = spawnSync(process.execPath, [scriptPath, ...args], { encoding: 'utf8' });
-  return { code: result.status ?? result.signal, stdout: result.stdout || '', stderr: result.stderr || '' };
-}
-
-function runHook(scriptPath, payload) {
-  const result = spawnSync(process.execPath, [scriptPath], { input: JSON.stringify(payload), encoding: 'utf8' });
-  return { code: result.status ?? result.signal, stdout: result.stdout || '', stderr: result.stderr || '' };
-}
-
-// ---------------------------------------------------------------------------
-// CLI: warden-lint
-// ---------------------------------------------------------------------------
-
-test('warden-lint: clean file exits 0', () => {
-  const { code } = runCLI(path.join(TOOLS, 'warden-lint.js'), [CLEAN]);
-  assert.equal(code, 0, 'expected exit 0 for a clean, short file');
-});
-
-test('warden-lint: oversized file exits 1', () => {
-  const tmp = writeTmp('oversized.js', makeOversizedContent());
-  try {
-    const { code, stderr } = runCLI(path.join(TOOLS, 'warden-lint.js'), [tmp]);
-    assert.equal(code, 1, 'expected exit 1 for an oversized file');
-    assert.ok(stderr.includes('[FAIL]'), 'expected [FAIL] in stderr');
-  } finally {
-    fs.rmSync(tmp, { force: true });
-  }
-});
-
-// ---------------------------------------------------------------------------
-// CLI: verify-secrets
-// ---------------------------------------------------------------------------
-
-test('verify-secrets: clean file exits 0', () => {
-  const { code } = runCLI(path.join(TOOLS, 'verify-secrets.js'), [CLEAN]);
-  assert.equal(code, 0, 'expected exit 0 for a file with no secrets');
-});
-
-test('verify-secrets: secret file exits 1', () => {
-  const tmp = writeTmp('secret.js', makeSecretContent());
-  try {
-    const { code, stderr } = runCLI(path.join(TOOLS, 'verify-secrets.js'), [tmp]);
-    assert.equal(code, 1, 'expected exit 1 for a file containing a hardcoded secret');
-    assert.ok(stderr.includes('[FAIL]'), 'expected [FAIL] in stderr');
-  } finally {
-    fs.rmSync(tmp, { force: true });
-  }
-});
-
-// ---------------------------------------------------------------------------
-// Claude hook: warden-lint-hook (Write with oversized content)
-// ---------------------------------------------------------------------------
-
-test('Claude lint hook: Write oversized content exits 2', () => {
-  const payload = {
-    tool_name:  'Write',
-    tool_input: { file_path: '/tmp/test-oversized.js', content: makeOversizedContent() },
-  };
-  const { code, stdout } = runHook(path.join(TOOLS, 'hooks', 'claude', 'warden-lint-hook.js'), payload);
-  assert.equal(code, 2, 'expected exit 2 (deny) for oversized Write');
-  const response = JSON.parse(stdout);
-  assert.equal(response.hookSpecificOutput.permissionDecision, 'deny', 'expected deny decision');
-});
-
-// ---------------------------------------------------------------------------
-// Claude hook: warden-secrets-hook (Write with secret content)
-// ---------------------------------------------------------------------------
-
-test('Claude secrets hook: Write secret content exits 2', () => {
-  const payload = {
-    tool_name:  'Write',
-    tool_input: { file_path: '/tmp/test-secret.js', content: makeSecretContent() },
-  };
-  const { code, stdout } = runHook(path.join(TOOLS, 'hooks', 'claude', 'warden-secrets-hook.js'), payload);
-  assert.equal(code, 2, 'expected exit 2 (deny) for Write containing secret');
-  const response = JSON.parse(stdout);
-  assert.equal(response.hookSpecificOutput.permissionDecision, 'deny', 'expected deny decision');
-});
-
-// ---------------------------------------------------------------------------
-// Codex hook: warden-apply-patch-hook (patch adding a secret)
-// ---------------------------------------------------------------------------
-
-test('Codex apply_patch hook: patch with secret exits 2', () => {
-  const patch = [
-    '*** /dev/null',
-    '+++ tmp/secret-patch.js',
-    '@@ -0,0 +1,2 @@',
-    `+const KEY = '${makeFakeSecret()}';`,
-    '+module.exports = { KEY };',
-  ].join('\n');
-
-  const { code, stdout } = runHook(
-    path.join(TOOLS, 'hooks', 'codex', 'warden-apply-patch-hook.js'),
-    { tool: 'apply_patch', toolInput: { patch } }
-  );
-  assert.equal(code, 2, 'expected exit 2 (deny) for apply_patch with hardcoded secret');
-  assert.ok(JSON.parse(stdout).deny === true, 'expected deny:true');
-});
-
-// ---------------------------------------------------------------------------
-// Codex hook: warden-bash-hook (command containing a secret)
-// ---------------------------------------------------------------------------
-
-test('Codex Bash hook: command with secret exits 2', () => {
-  const { code, stdout } = runHook(
-    path.join(TOOLS, 'hooks', 'codex', 'warden-bash-hook.js'),
-    { tool: 'Bash', toolInput: { command: `echo ${makeFakeSecret()}` } }
-  );
-  assert.equal(code, 2, 'expected exit 2 (deny) for Bash command with hardcoded secret');
-  assert.ok(JSON.parse(stdout).deny === true, 'expected deny:true');
-});
+#!/usr/bin/env node
+'use strict';
+
+/**
+ * run-tests.js
+ * Behavioral test suite for Code-Warden scanners and hooks.
+ *
+ * Verifies that enforcement tools actually enforce — not just that they exist.
+ * Uses Node's built-in node:test (no external test framework required).
+ *
+ * Tests:
+ *   CLI tools
+ *   1. warden-lint     clean file    → exit 0
+ *   2. warden-lint     oversized     → exit 1
+ *   3. verify-secrets  clean file    → exit 0
+ *   4. verify-secrets  secret file   → exit 1
+ *
+ *   Claude hooks (PreToolUse JSON payloads via stdin)
+ *   5. warden-lint-hook    Write oversized  → exit 2
+ *   6. warden-secrets-hook Write secret     → exit 2
+ *
+ *   Codex hooks
+ *   7. warden-apply-patch-hook  patch with secret  → exit 2
+ *   8. warden-bash-hook         command with secret → exit 2
+ *
+ * Fixture strategy:
+ *   - clean.js is committed (no secrets, short).
+ *   - Oversized content is generated in memory / tmpdir (committed file would
+ *     trip warden-lint itself).
+ *   - Secret content is generated via makeFakeSecret() which builds the
+ *     pattern from parts so the scanner does not flag this source file.
+ */
+
+const { test } = require('node:test');
+const assert        = require('node:assert/strict');
+const { spawnSync } = require('node:child_process');
+const path          = require('node:path');
+const fs            = require('node:fs');
+const os            = require('node:os');
+
+// ---------------------------------------------------------------------------
+// Paths
+// ---------------------------------------------------------------------------
+
+const ROOT     = path.join(__dirname, '..', '..');
+const TOOLS    = path.join(ROOT, 'tools');
+const FIXTURES = path.join(__dirname, 'fixtures');
+const CLEAN    = path.join(FIXTURES, 'clean.js');
+
+if (!fs.existsSync(CLEAN)) throw new Error(`Missing fixture: clean at ${CLEAN}`);
+
+// ---------------------------------------------------------------------------
+// Fixture generators — never committed, avoids false-positive self-scan
+// ---------------------------------------------------------------------------
+
+/**
+ * Build a fake OpenAI-style key from parts so this source file does not
+ * contain a string that matches the secret scanner's pattern literally.
+ */
+function makeFakeSecret() {
+  return ['sk', '-', 'a'.repeat(48)].join('');
+}
+
+/** Generate content containing a hardcoded credential. */
+function makeSecretContent() {
+  return [
+    '// Generated secret fixture — not committed to repo.',
+    "'use strict';",
+    `const KEY = '${makeFakeSecret()}';`,
+    'module.exports = { KEY };',
+  ].join('\n') + '\n';
+}
+
+/** Generate content that exceeds the 400-line limit. */
+function makeOversizedContent(limit = 400) {
+  const lines = [
+    '// Generated oversized fixture — not committed to repo.',
+    "'use strict';",
+    '',
+  ];
+  for (let i = 1; i <= limit + 15; i++) {
+    lines.push(`const line${i} = ${i}; // padding`);
+  }
+  return lines.join('\n') + '\n';
+}
+
+/** Write content to a temp file; caller is responsible for cleanup. */
+function writeTmp(name, content) {
+  const p = path.join(os.tmpdir(), `cw-fixture-${process.pid}-${name}`);
+  fs.writeFileSync(p, content);
+  return p;
+}
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function runCLI(scriptPath, args = []) {
+  const result = spawnSync(process.execPath, [scriptPath, ...args], { encoding: 'utf8' });
+  return { code: result.status ?? result.signal, stdout: result.stdout || '', stderr: result.stderr || '' };
+}
+
+function runHook(scriptPath, payload) {
+  const result = spawnSync(process.execPath, [scriptPath], { input: JSON.stringify(payload), encoding: 'utf8' });
+  return { code: result.status ?? result.signal, stdout: result.stdout || '', stderr: result.stderr || '' };
+}
+
+// ---------------------------------------------------------------------------
+// CLI: warden-lint
+// ---------------------------------------------------------------------------
+
+test('warden-lint: clean file exits 0', () => {
+  const { code } = runCLI(path.join(TOOLS, 'warden-lint.js'), [CLEAN]);
+  assert.equal(code, 0, 'expected exit 0 for a clean, short file');
+});
+
+test('warden-lint: oversized file exits 1', () => {
+  const tmp = writeTmp('oversized.js', makeOversizedContent());
+  try {
+    const { code, stderr } = runCLI(path.join(TOOLS, 'warden-lint.js'), [tmp]);
+    assert.equal(code, 1, 'expected exit 1 for an oversized file');
+    assert.ok(stderr.includes('[FAIL]'), 'expected [FAIL] in stderr');
+  } finally {
+    fs.rmSync(tmp, { force: true });
+  }
+});
+
+// ---------------------------------------------------------------------------
+// CLI: verify-secrets
+// ---------------------------------------------------------------------------
+
+test('verify-secrets: clean file exits 0', () => {
+  const { code } = runCLI(path.join(TOOLS, 'verify-secrets.js'), [CLEAN]);
+  assert.equal(code, 0, 'expected exit 0 for a file with no secrets');
+});
+
+test('verify-secrets: secret file exits 1', () => {
+  const tmp = writeTmp('secret.js', makeSecretContent());
+  try {
+    const { code, stderr } = runCLI(path.join(TOOLS, 'verify-secrets.js'), [tmp]);
+    assert.equal(code, 1, 'expected exit 1 for a file containing a hardcoded secret');
+    assert.ok(stderr.includes('[FAIL]'), 'expected [FAIL] in stderr');
+  } finally {
+    fs.rmSync(tmp, { force: true });
+  }
+});
+
+// ---------------------------------------------------------------------------
+// Claude hook: warden-lint-hook (Write with oversized content)
+// ---------------------------------------------------------------------------
+
+test('Claude lint hook: Write oversized content exits 2', () => {
+  const payload = {
+    tool_name:  'Write',
+    tool_input: { file_path: '/tmp/test-oversized.js', content: makeOversizedContent() },
+  };
+  const { code, stdout } = runHook(path.join(TOOLS, 'hooks', 'claude', 'warden-lint-hook.js'), payload);
+  assert.equal(code, 2, 'expected exit 2 (deny) for oversized Write');
+  const response = JSON.parse(stdout);
+  assert.equal(response.hookSpecificOutput.permissionDecision, 'deny', 'expected deny decision');
+});
+
+// ---------------------------------------------------------------------------
+// Claude hook: warden-secrets-hook (Write with secret content)
+// ---------------------------------------------------------------------------
+
+test('Claude secrets hook: Write secret content exits 2', () => {
+  const payload = {
+    tool_name:  'Write',
+    tool_input: { file_path: '/tmp/test-secret.js', content: makeSecretContent() },
+  };
+  const { code, stdout } = runHook(path.join(TOOLS, 'hooks', 'claude', 'warden-secrets-hook.js'), payload);
+  assert.equal(code, 2, 'expected exit 2 (deny) for Write containing secret');
+  const response = JSON.parse(stdout);
+  assert.equal(response.hookSpecificOutput.permissionDecision, 'deny', 'expected deny decision');
+});
+
+// ---------------------------------------------------------------------------
+// Codex hook: warden-apply-patch-hook (patch adding a secret)
+// ---------------------------------------------------------------------------
+
+test('Codex apply_patch hook: patch with secret exits 2', () => {
+  const patch = [
+    '*** /dev/null',
+    '+++ tmp/secret-patch.js',
+    '@@ -0,0 +1,2 @@',
+    `+const KEY = '${makeFakeSecret()}';`,
+    '+module.exports = { KEY };',
+  ].join('\n');
+
+  const { code, stdout } = runHook(
+    path.join(TOOLS, 'hooks', 'codex', 'warden-apply-patch-hook.js'),
+    { tool: 'apply_patch', toolInput: { patch } }
+  );
+  assert.equal(code, 2, 'expected exit 2 (deny) for apply_patch with hardcoded secret');
+  assert.ok(JSON.parse(stdout).deny === true, 'expected deny:true');
+});
+
+// ---------------------------------------------------------------------------
+// Codex hook: warden-bash-hook (command containing a secret)
+// ---------------------------------------------------------------------------
+
+test('Codex Bash hook: command with secret exits 2', () => {
+  const { code, stdout } = runHook(
+    path.join(TOOLS, 'hooks', 'codex', 'warden-bash-hook.js'),
+    { tool: 'Bash', toolInput: { command: `echo ${makeFakeSecret()}` } }
+  );
+  assert.equal(code, 2, 'expected exit 2 (deny) for Bash command with hardcoded secret');
+  assert.ok(JSON.parse(stdout).deny === true, 'expected deny:true');
+});

package/tools/verify-secrets.js

@@ -1,26 +1,26 @@
-#!/usr/bin/env node
-'use strict';
-
-const fs = require('fs');
-const { scanForSecrets } = require('./lib/secret-patterns');
-const { expandPaths }    = require('./lib/file-collection');
-
-const filePaths = expandPaths(process.argv.slice(2), 'verify-secrets.js');
-let hasErrors = false;
-
-for (const filePath of filePaths) {
-  const content = fs.readFileSync(filePath, 'utf8');
-  const hit = scanForSecrets(content);
-
-  if (hit) {
-    console.error(`[FAIL] [CodeWarden] Hardcoded credential detected in ${filePath} - pattern: ${hit.label}`);
-    console.error('    Rule: All secrets must be sourced from an environment variable (e.g., process.env)');
-    hasErrors = true;
-  } else {
-    console.log(`[PASS] [CodeWarden] ${filePath} passed hardcoded credential scan.`);
-  }
-}
-
-if (hasErrors) {
-  process.exit(1);
-}
+#!/usr/bin/env node
+'use strict';
+
+const fs = require('fs');
+const { scanForSecrets } = require('./lib/secret-patterns');
+const { expandPaths }    = require('./lib/file-collection');
+
+const filePaths = expandPaths(process.argv.slice(2), 'verify-secrets.js');
+let hasErrors = false;
+
+for (const filePath of filePaths) {
+  const content = fs.readFileSync(filePath, 'utf8');
+  const hit = scanForSecrets(content);
+
+  if (hit) {
+    console.error(`[FAIL] [CodeWarden] Hardcoded credential detected in ${filePath} - pattern: ${hit.label}`);
+    console.error('    Rule: All secrets must be sourced from an environment variable (e.g., process.env)');
+    hasErrors = true;
+  } else {
+    console.log(`[PASS] [CodeWarden] ${filePath} passed hardcoded credential scan.`);
+  }
+}
+
+if (hasErrors) {
+  process.exit(1);
+}