npm - code-warden - Versions diffs - 3.1.1 → 3.3.0 - Mend

code-warden 3.1.1 → 3.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (41) hide show

package/CONFIGURE.md +39 -39
package/DECISIONS.md +107 -107
package/README.md +199 -137
package/SKILL.md +169 -169
package/bin/code-warden.js +82 -0
package/codewarden.json +14 -14
package/examples/governed-session.md +132 -132
package/install.js +399 -399
package/install.ps1 +32 -32
package/install.sh +33 -33
package/package.json +45 -2
package/references/anti-drift.md +55 -55
package/references/architecture.md +26 -26
package/references/cleanup.md +30 -30
package/references/cognition.md +36 -36
package/references/operations.md +45 -45
package/references/planning-gates.md +83 -83
package/references/research-and-fit.md +51 -51
package/references/safety.md +31 -31
package/templates/ci/github-actions.yml +83 -66
package/tools/auto-detect.js +91 -91
package/tools/auto-targets.js +104 -104
package/tools/auto-windsurf-adapter.js +75 -75
package/tools/get-context.js +50 -50
package/tools/governance-report.js +302 -0
package/tools/hooks/claude/install-hooks.js +112 -112
package/tools/hooks/claude/uninstall-hooks.js +75 -75
package/tools/hooks/claude/warden-lint-hook.js +106 -106
package/tools/hooks/claude/warden-secrets-hook.js +73 -73
package/tools/hooks/codex/install-hooks.js +100 -100
package/tools/hooks/codex/uninstall-hooks.js +53 -53
package/tools/hooks/codex/warden-apply-patch-hook.js +113 -113
package/tools/hooks/codex/warden-bash-hook.js +51 -51
package/tools/lib/config.js +49 -49
package/tools/lib/file-collection.js +72 -72
package/tools/lib/line-count.js +28 -28
package/tools/lib/secret-patterns.js +57 -57
package/tools/tests/fixtures/clean.js +9 -9
package/tools/tests/run-tests.js +210 -210
package/tools/verify-secrets.js +26 -26
package/tools/warden-lint.js +27 -27

package/examples/governed-session.md CHANGED Viewed

@@ -1,132 +1,132 @@
-# Example: Governed Session Transcript
-This is an annotated example of a code-warden governed session.
-It shows how the rules activate in practice during a real feature request.
----
-## Session: Add user authentication middleware
-**User:** Let's add JWT authentication middleware to the API. It should protect all `/api/v1/` routes.
----
-**Assistant (Re-injection Check):**
-> Before writing anything, per the Re-injection Rule, let me restate the current architecture:
-> - `src/server.ts` - Express app entry point, mounts routers
-> - `src/routes/api.ts` - All `/api/v1/` route definitions
-> - `src/middleware/` - Existing middleware directory, currently only `logger.ts`
-> - No architecture doc found -> applying Re-injection Fallback
->
-> **Research/Fit check:** User requested JWT middleware inside an existing Express API.
-> The project already has an API runtime and route structure, so adding focused
-> middleware fits better than introducing a new auth framework or reshaping the
-> app into a dashboard.
->
-> **Session scope:** Adding JWT auth middleware. Touching: `middleware/`, `routes/api.ts`, possibly `server.ts`.
-> That's 3 files, which crosses the >2 file threshold.
->
-> **[AWAITING CONFIRMATION]** - Plan before proceeding:
-> 1. Create `src/middleware/auth.ts` - JWT verification logic only
-> 2. Create `src/types/auth.types.ts` - Token payload type definition
-> 3. Patch `src/routes/api.ts` - Apply middleware to `/api/v1/` router
->
-> Blast Radius:
-> - **What might break:** Any route under `/api/v1/` that lacks a valid JWT will begin returning 401. No other routes affected.
-> - **Test strategy:** Add unit test for `auth.ts`; smoke test unauthenticated request to `/api/v1/users`.
-> - **Rollback:** `git checkout HEAD -- src/routes/api.ts && rm src/middleware/auth.ts src/types/auth.types.ts`
->
-> Confirm to proceed?
----
-**User:** Yes, go ahead.
----
-**Assistant:**
-> **Pre-flight:**
-> - **File:** `src/middleware/auth.ts` - **Lines:** ~35 / 400 max
-> - **Concern:** JWT token verification and request gating
-> - **Secrets:** env-var sourced: `JWT_SECRET`
-> - **Files changed this action:** `auth.ts` (new), `auth.types.ts` (new), `api.ts` (patch)
-**`src/middleware/auth.ts`** (new file, ~35 lines)
-```ts
-import { Request, Response, NextFunction } from 'express';
-import jwt from 'jsonwebtoken';
-import { TokenPayload } from '../types/auth.types';
-export function requireAuth(req: Request, res: Response, next: NextFunction): void {
-  const header = req.headers.authorization;
-  if (!header || !header.startsWith('Bearer ')) {
-    res.status(401).json({ error: 'Missing or malformed Authorization header' });
-    return;
-  }
-  const token = header.slice(7);
-  const secret = process.env.JWT_SECRET;
-  if (!secret) {
-    // Zero-Trust: never fall back to a default secret
-    res.status(500).json({ error: 'Server misconfiguration' });
-    return;
-  }
-  try {
-    const payload = jwt.verify(token, secret) as TokenPayload;
-    (req as any).user = payload;
-    next();
-  } catch {
-    res.status(401).json({ error: 'Invalid or expired token' });
-  }
-}
-```
-**`src/types/auth.types.ts`** (new file, ~10 lines)
-```ts
-export interface TokenPayload {
-  sub: string;
-  email: string;
-  iat: number;
-  exp: number;
-}
-```
-**Patch for `src/routes/api.ts`** (diff only):
-```diff
-+ import { requireAuth } from '../middleware/auth';
-- router.use('/api/v1', apiRouter);
-+ router.use('/api/v1', requireAuth, apiRouter);
-```
-> TECH DEBT FLAGGED: `src/routes/api.ts:14` Route file mounts all sub-routers inline.
-> Consider splitting into domain-specific router files, such as `routes/users.ts`
-> or `routes/orders.ts`, as the API grows. Do not fix now; logged for next cleanup pass.
->
-> Decision logged to DECISIONS.md because the change affects 3 files and alters request data flow.
->
-> Verification run:
-> - `npm test -- auth`
-> - Result: passing authentication middleware tests and route protection smoke test.
----
-## What this example demonstrates
-| Rule | Where it fired |
-|------|----------------|
-| Re-injection Rule | Session opened with architecture restatement |
-| Re-injection Fallback | No architecture doc found; fell back to last 3 dependencies |
-| Research and Fit | Existing Express API shape was honored instead of introducing a default stack or dashboard pattern |
-| Think Before Coding | Execution plan written before any code |
-| Human Checkpoint | `[AWAITING CONFIRMATION]` issued at >2-file change |
-| Blast Radius Check | Defined before touching existing route file |
-| Zero-Trust Secrets | `JWT_SECRET` read from `process.env`, hard failure if missing |
-| Patch-First Editing | `api.ts` change delivered as a diff, not a full rewrite |
-| Tech Debt Flagged | Inline router mounting noted in correct format |
-| Decision Log | Multi-file + data flow change triggers DECISIONS.md entry |
-| Anchor Check (Pre-Flight) | Verifiable manifest prepended before code output |
-| Verification Before Completion | Command and result reported before claiming the work is done |
+# Example: Governed Session Transcript
+This is an annotated example of a code-warden governed session.
+It shows how the rules activate in practice during a real feature request.
+---
+## Session: Add user authentication middleware
+**User:** Let's add JWT authentication middleware to the API. It should protect all `/api/v1/` routes.
+---
+**Assistant (Re-injection Check):**
+> Before writing anything, per the Re-injection Rule, let me restate the current architecture:
+> - `src/server.ts` - Express app entry point, mounts routers
+> - `src/routes/api.ts` - All `/api/v1/` route definitions
+> - `src/middleware/` - Existing middleware directory, currently only `logger.ts`
+> - No architecture doc found -> applying Re-injection Fallback
+>
+> **Research/Fit check:** User requested JWT middleware inside an existing Express API.
+> The project already has an API runtime and route structure, so adding focused
+> middleware fits better than introducing a new auth framework or reshaping the
+> app into a dashboard.
+>
+> **Session scope:** Adding JWT auth middleware. Touching: `middleware/`, `routes/api.ts`, possibly `server.ts`.
+> That's 3 files, which crosses the >2 file threshold.
+>
+> **[AWAITING CONFIRMATION]** - Plan before proceeding:
+> 1. Create `src/middleware/auth.ts` - JWT verification logic only
+> 2. Create `src/types/auth.types.ts` - Token payload type definition
+> 3. Patch `src/routes/api.ts` - Apply middleware to `/api/v1/` router
+>
+> Blast Radius:
+> - **What might break:** Any route under `/api/v1/` that lacks a valid JWT will begin returning 401. No other routes affected.
+> - **Test strategy:** Add unit test for `auth.ts`; smoke test unauthenticated request to `/api/v1/users`.
+> - **Rollback:** `git checkout HEAD -- src/routes/api.ts && rm src/middleware/auth.ts src/types/auth.types.ts`
+>
+> Confirm to proceed?
+---
+**User:** Yes, go ahead.
+---
+**Assistant:**
+> **Pre-flight:**
+> - **File:** `src/middleware/auth.ts` - **Lines:** ~35 / 400 max
+> - **Concern:** JWT token verification and request gating
+> - **Secrets:** env-var sourced: `JWT_SECRET`
+> - **Files changed this action:** `auth.ts` (new), `auth.types.ts` (new), `api.ts` (patch)
+**`src/middleware/auth.ts`** (new file, ~35 lines)
+```ts
+import { Request, Response, NextFunction } from 'express';
+import jwt from 'jsonwebtoken';
+import { TokenPayload } from '../types/auth.types';
+export function requireAuth(req: Request, res: Response, next: NextFunction): void {
+  const header = req.headers.authorization;
+  if (!header || !header.startsWith('Bearer ')) {
+    res.status(401).json({ error: 'Missing or malformed Authorization header' });
+    return;
+  }
+  const token = header.slice(7);
+  const secret = process.env.JWT_SECRET;
+  if (!secret) {
+    // Zero-Trust: never fall back to a default secret
+    res.status(500).json({ error: 'Server misconfiguration' });
+    return;
+  }
+  try {
+    const payload = jwt.verify(token, secret) as TokenPayload;
+    (req as any).user = payload;
+    next();
+  } catch {
+    res.status(401).json({ error: 'Invalid or expired token' });
+  }
+}
+```
+**`src/types/auth.types.ts`** (new file, ~10 lines)
+```ts
+export interface TokenPayload {
+  sub: string;
+  email: string;
+  iat: number;
+  exp: number;
+}
+```
+**Patch for `src/routes/api.ts`** (diff only):
+```diff
++ import { requireAuth } from '../middleware/auth';
+- router.use('/api/v1', apiRouter);
++ router.use('/api/v1', requireAuth, apiRouter);
+```
+> TECH DEBT FLAGGED: `src/routes/api.ts:14` Route file mounts all sub-routers inline.
+> Consider splitting into domain-specific router files, such as `routes/users.ts`
+> or `routes/orders.ts`, as the API grows. Do not fix now; logged for next cleanup pass.
+>
+> Decision logged to DECISIONS.md because the change affects 3 files and alters request data flow.
+>
+> Verification run:
+> - `npm test -- auth`
+> - Result: passing authentication middleware tests and route protection smoke test.
+---
+## What this example demonstrates
+| Rule | Where it fired |
+|------|----------------|
+| Re-injection Rule | Session opened with architecture restatement |
+| Re-injection Fallback | No architecture doc found; fell back to last 3 dependencies |
+| Research and Fit | Existing Express API shape was honored instead of introducing a default stack or dashboard pattern |
+| Think Before Coding | Execution plan written before any code |
+| Human Checkpoint | `[AWAITING CONFIRMATION]` issued at >2-file change |
+| Blast Radius Check | Defined before touching existing route file |
+| Zero-Trust Secrets | `JWT_SECRET` read from `process.env`, hard failure if missing |
+| Patch-First Editing | `api.ts` change delivered as a diff, not a full rewrite |
+| Tech Debt Flagged | Inline router mounting noted in correct format |
+| Decision Log | Multi-file + data flow change triggers DECISIONS.md entry |
+| Anchor Check (Pre-Flight) | Verifiable manifest prepended before code output |
+| Verification Before Completion | Command and result reported before claiming the work is done |