code-warden 3.1.1

package/tools/lib/line-count.js

@@ -0,0 +1,28 @@
+#!/usr/bin/env node
+'use strict';
+
+/**
+ * line-count.js
+ * Shared line-counting helper for warden-lint and hook consumers.
+ *
+ * Problem with the naive split('\n').length:
+ *   "a\nb\n".split('\n') === ['a', 'b', '']  → length 3, not 2
+ * A trailing newline (standard in well-formed files) would push a file
+ * that is exactly at the limit over it, producing false positives.
+ *
+ * This helper normalises CRLF, strips the trailing newline before
+ * splitting, and treats an empty string as 0 lines.
+ */
+
+/**
+ * Count logical lines in a file's content string.
+ *
+ * @param {string} content - Raw file content (may include CRLF or trailing newline)
+ * @returns {number} Line count (0 for empty content)
+ */
+function countLines(content) {
+  if (typeof content !== 'string' || content.length === 0) return 0;
+  return content.replace(/\r\n/g, '\n').trimEnd().split('\n').length;
+}
+
+module.exports = { countLines };

package/tools/lib/secret-patterns.js

@@ -0,0 +1,57 @@
+#!/usr/bin/env node
+'use strict';
+
+/**
+ * secret-patterns.js
+ * Canonical hardcoded-credential patterns shared across all Code-Warden
+ * scanners (CLI and hooks).
+ *
+ * Previously each consumer defined its own copy, causing drift:
+ *   - verify-secrets.js:            gh[housr]_ (separate entries per prefix)
+ *   - warden-secrets-hook.js:       gh[pousr]_
+ *   - warden-apply-patch-hook.js:   gh[posx]_   ← missed 'u' (refresh tokens)
+ *   - warden-bash-hook.js:          gh[posx]_   ← missed 'u' (refresh tokens)
+ *
+ * This module is the single source of truth. All consumers require() it.
+ *
+ * Terminology alignment (per v3.1.1 docs):
+ *   - This module implements the "hardcoded credential scanner" logic.
+ *   - The governance rule that mandates its use is the "zero-trust secrets policy".
+ */
+
+/**
+ * @typedef {{ label: string, re: RegExp }} SecretPattern
+ */
+
+/** @type {SecretPattern[]} */
+const SECRET_PATTERNS = [
+  { label: 'AWS access key',          re: /\bAKIA[0-9A-Z]{16}\b/ },
+  { label: 'OpenAI key',              re: /\bsk-[A-Za-z0-9]{32,}\b/ },
+  { label: 'GitHub token',            re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/i },
+  { label: 'Stripe secret key',       re: /\bsk_(live|test)_[A-Za-z0-9]{24,}\b/ },
+  { label: 'Slack token',             re: /\bxox[baprs]-[A-Za-z0-9\-]{10,}\b/ },
+  { label: 'SendGrid key',            re: /\bSG\.[A-Za-z0-9_\-.]{20,}\b/ },
+  { label: 'Twilio SID',              re: /\bAC[a-f0-9]{32}\b/ },
+  { label: 'generic API key',         re: /api[_-]?key\s*[:=]\s*['"]?[A-Za-z0-9_\-]{20,}/i },
+  { label: 'generic secret key',      re: /secret[_-]?key\s*[:=]\s*['"]?[A-Za-z0-9_\-]{20,}/i },
+  { label: 'password assignment',     re: /password\s*[:=]\s*['"][^'"]{8,}['"]/i },
+  { label: 'bearer token',            re: /bearer\s+[A-Za-z0-9\-._~+\/]{20,}/i },
+  { label: 'private key header',      re: /-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
+  { label: 'database URL with creds', re: /[a-z][a-z0-9+\-.]*:\/\/[^:@\s]+:[^@\s]{4,}@[^/\s]+\// },
+];
+
+/**
+ * Scan a content string against all secret patterns.
+ *
+ * @param {string} content
+ * @returns {{ label: string } | null} First matching pattern label, or null if clean.
+ */
+function scanForSecrets(content) {
+  if (typeof content !== 'string' || content.length === 0) return null;
+  for (const { label, re } of SECRET_PATTERNS) {
+    if (re.test(content)) return { label };
+  }
+  return null;
+}
+
+module.exports = { SECRET_PATTERNS, scanForSecrets };

package/tools/tests/fixtures/clean.js

@@ -0,0 +1,9 @@
+// Fixture: clean file — no secrets, well within line limit.
+// Used by: warden-lint (expect PASS) and verify-secrets (expect PASS).
+'use strict';
+
+function greet(name) {
+  return `Hello, ${name}`;
+}
+
+module.exports = { greet };

package/tools/tests/run-tests.js

@@ -0,0 +1,210 @@
+#!/usr/bin/env node
+'use strict';
+
+/**
+ * run-tests.js
+ * Behavioral test suite for Code-Warden scanners and hooks.
+ *
+ * Verifies that enforcement tools actually enforce — not just that they exist.
+ * Uses Node's built-in node:test (no external test framework required).
+ *
+ * Tests:
+ *   CLI tools
+ *   1. warden-lint     clean file    → exit 0
+ *   2. warden-lint     oversized     → exit 1
+ *   3. verify-secrets  clean file    → exit 0
+ *   4. verify-secrets  secret file   → exit 1
+ *
+ *   Claude hooks (PreToolUse JSON payloads via stdin)
+ *   5. warden-lint-hook    Write oversized  → exit 2
+ *   6. warden-secrets-hook Write secret     → exit 2
+ *
+ *   Codex hooks
+ *   7. warden-apply-patch-hook  patch with secret  → exit 2
+ *   8. warden-bash-hook         command with secret → exit 2
+ *
+ * Fixture strategy:
+ *   - clean.js is committed (no secrets, short).
+ *   - Oversized content is generated in memory / tmpdir (committed file would
+ *     trip warden-lint itself).
+ *   - Secret content is generated via makeFakeSecret() which builds the
+ *     pattern from parts so the scanner does not flag this source file.
+ */
+
+const { test } = require('node:test');
+const assert        = require('node:assert/strict');
+const { spawnSync } = require('node:child_process');
+const path          = require('node:path');
+const fs            = require('node:fs');
+const os            = require('node:os');
+
+// ---------------------------------------------------------------------------
+// Paths
+// ---------------------------------------------------------------------------
+
+const ROOT     = path.join(__dirname, '..', '..');
+const TOOLS    = path.join(ROOT, 'tools');
+const FIXTURES = path.join(__dirname, 'fixtures');
+const CLEAN    = path.join(FIXTURES, 'clean.js');
+
+if (!fs.existsSync(CLEAN)) throw new Error(`Missing fixture: clean at ${CLEAN}`);
+
+// ---------------------------------------------------------------------------
+// Fixture generators — never committed, avoids false-positive self-scan
+// ---------------------------------------------------------------------------
+
+/**
+ * Build a fake OpenAI-style key from parts so this source file does not
+ * contain a string that matches the secret scanner's pattern literally.
+ */
+function makeFakeSecret() {
+  return ['sk', '-', 'a'.repeat(48)].join('');
+}
+
+/** Generate content containing a hardcoded credential. */
+function makeSecretContent() {
+  return [
+    '// Generated secret fixture — not committed to repo.',
+    "'use strict';",
+    `const KEY = '${makeFakeSecret()}';`,
+    'module.exports = { KEY };',
+  ].join('\n') + '\n';
+}
+
+/** Generate content that exceeds the 400-line limit. */
+function makeOversizedContent(limit = 400) {
+  const lines = [
+    '// Generated oversized fixture — not committed to repo.',
+    "'use strict';",
+    '',
+  ];
+  for (let i = 1; i <= limit + 15; i++) {
+    lines.push(`const line${i} = ${i}; // padding`);
+  }
+  return lines.join('\n') + '\n';
+}
+
+/** Write content to a temp file; caller is responsible for cleanup. */
+function writeTmp(name, content) {
+  const p = path.join(os.tmpdir(), `cw-fixture-${process.pid}-${name}`);
+  fs.writeFileSync(p, content);
+  return p;
+}
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function runCLI(scriptPath, args = []) {
+  const result = spawnSync(process.execPath, [scriptPath, ...args], { encoding: 'utf8' });
+  return { code: result.status ?? result.signal, stdout: result.stdout || '', stderr: result.stderr || '' };
+}
+
+function runHook(scriptPath, payload) {
+  const result = spawnSync(process.execPath, [scriptPath], { input: JSON.stringify(payload), encoding: 'utf8' });
+  return { code: result.status ?? result.signal, stdout: result.stdout || '', stderr: result.stderr || '' };
+}
+
+// ---------------------------------------------------------------------------
+// CLI: warden-lint
+// ---------------------------------------------------------------------------
+
+test('warden-lint: clean file exits 0', () => {
+  const { code } = runCLI(path.join(TOOLS, 'warden-lint.js'), [CLEAN]);
+  assert.equal(code, 0, 'expected exit 0 for a clean, short file');
+});
+
+test('warden-lint: oversized file exits 1', () => {
+  const tmp = writeTmp('oversized.js', makeOversizedContent());
+  try {
+    const { code, stderr } = runCLI(path.join(TOOLS, 'warden-lint.js'), [tmp]);
+    assert.equal(code, 1, 'expected exit 1 for an oversized file');
+    assert.ok(stderr.includes('[FAIL]'), 'expected [FAIL] in stderr');
+  } finally {
+    fs.rmSync(tmp, { force: true });
+  }
+});
+
+// ---------------------------------------------------------------------------
+// CLI: verify-secrets
+// ---------------------------------------------------------------------------
+
+test('verify-secrets: clean file exits 0', () => {
+  const { code } = runCLI(path.join(TOOLS, 'verify-secrets.js'), [CLEAN]);
+  assert.equal(code, 0, 'expected exit 0 for a file with no secrets');
+});
+
+test('verify-secrets: secret file exits 1', () => {
+  const tmp = writeTmp('secret.js', makeSecretContent());
+  try {
+    const { code, stderr } = runCLI(path.join(TOOLS, 'verify-secrets.js'), [tmp]);
+    assert.equal(code, 1, 'expected exit 1 for a file containing a hardcoded secret');
+    assert.ok(stderr.includes('[FAIL]'), 'expected [FAIL] in stderr');
+  } finally {
+    fs.rmSync(tmp, { force: true });
+  }
+});
+
+// ---------------------------------------------------------------------------
+// Claude hook: warden-lint-hook (Write with oversized content)
+// ---------------------------------------------------------------------------
+
+test('Claude lint hook: Write oversized content exits 2', () => {
+  const payload = {
+    tool_name:  'Write',
+    tool_input: { file_path: '/tmp/test-oversized.js', content: makeOversizedContent() },
+  };
+  const { code, stdout } = runHook(path.join(TOOLS, 'hooks', 'claude', 'warden-lint-hook.js'), payload);
+  assert.equal(code, 2, 'expected exit 2 (deny) for oversized Write');
+  const response = JSON.parse(stdout);
+  assert.equal(response.hookSpecificOutput.permissionDecision, 'deny', 'expected deny decision');
+});
+
+// ---------------------------------------------------------------------------
+// Claude hook: warden-secrets-hook (Write with secret content)
+// ---------------------------------------------------------------------------
+
+test('Claude secrets hook: Write secret content exits 2', () => {
+  const payload = {
+    tool_name:  'Write',
+    tool_input: { file_path: '/tmp/test-secret.js', content: makeSecretContent() },
+  };
+  const { code, stdout } = runHook(path.join(TOOLS, 'hooks', 'claude', 'warden-secrets-hook.js'), payload);
+  assert.equal(code, 2, 'expected exit 2 (deny) for Write containing secret');
+  const response = JSON.parse(stdout);
+  assert.equal(response.hookSpecificOutput.permissionDecision, 'deny', 'expected deny decision');
+});
+
+// ---------------------------------------------------------------------------
+// Codex hook: warden-apply-patch-hook (patch adding a secret)
+// ---------------------------------------------------------------------------
+
+test('Codex apply_patch hook: patch with secret exits 2', () => {
+  const patch = [
+    '*** /dev/null',
+    '+++ tmp/secret-patch.js',
+    '@@ -0,0 +1,2 @@',
+    `+const KEY = '${makeFakeSecret()}';`,
+    '+module.exports = { KEY };',
+  ].join('\n');
+
+  const { code, stdout } = runHook(
+    path.join(TOOLS, 'hooks', 'codex', 'warden-apply-patch-hook.js'),
+    { tool: 'apply_patch', toolInput: { patch } }
+  );
+  assert.equal(code, 2, 'expected exit 2 (deny) for apply_patch with hardcoded secret');
+  assert.ok(JSON.parse(stdout).deny === true, 'expected deny:true');
+});
+
+// ---------------------------------------------------------------------------
+// Codex hook: warden-bash-hook (command containing a secret)
+// ---------------------------------------------------------------------------
+
+test('Codex Bash hook: command with secret exits 2', () => {
+  const { code, stdout } = runHook(
+    path.join(TOOLS, 'hooks', 'codex', 'warden-bash-hook.js'),
+    { tool: 'Bash', toolInput: { command: `echo ${makeFakeSecret()}` } }
+  );
+  assert.equal(code, 2, 'expected exit 2 (deny) for Bash command with hardcoded secret');
+  assert.ok(JSON.parse(stdout).deny === true, 'expected deny:true');
+});

package/tools/verify-secrets.js

@@ -0,0 +1,26 @@
+#!/usr/bin/env node
+'use strict';
+
+const fs = require('fs');
+const { scanForSecrets } = require('./lib/secret-patterns');
+const { expandPaths }    = require('./lib/file-collection');
+
+const filePaths = expandPaths(process.argv.slice(2), 'verify-secrets.js');
+let hasErrors = false;
+
+for (const filePath of filePaths) {
+  const content = fs.readFileSync(filePath, 'utf8');
+  const hit = scanForSecrets(content);
+
+  if (hit) {
+    console.error(`[FAIL] [CodeWarden] Hardcoded credential detected in ${filePath} - pattern: ${hit.label}`);
+    console.error('    Rule: All secrets must be sourced from an environment variable (e.g., process.env)');
+    hasErrors = true;
+  } else {
+    console.log(`[PASS] [CodeWarden] ${filePath} passed hardcoded credential scan.`);
+  }
+}
+
+if (hasErrors) {
+  process.exit(1);
+}

package/tools/warden-lint.js

@@ -0,0 +1,27 @@
+#!/usr/bin/env node
+'use strict';
+
+const fs = require('fs');
+const { countLines }            = require('./lib/line-count');
+const { expandPaths }           = require('./lib/file-collection');
+const { loadConfig }            = require('./lib/config');
+
+const { maxFileLength } = loadConfig();
+const filePaths = expandPaths(process.argv.slice(2), 'warden-lint.js');
+let hasErrors = false;
+
+for (const filePath of filePaths) {
+  const content = fs.readFileSync(filePath, 'utf8');
+  const lines = countLines(content);
+
+  if (lines > maxFileLength) {
+    console.error(`[FAIL] [CodeWarden] File ${filePath} exceeds the maximum length of ${maxFileLength} lines (${lines} lines). Please refactor into smaller modules.`);
+    hasErrors = true;
+  } else {
+    console.log(`[PASS] [CodeWarden] ${filePath} (${lines} lines) complies with the length restriction.`);
+  }
+}
+
+if (hasErrors) {
+  process.exit(1);
+}