code-warden 3.3.0 → 3.3.1

package/tools/hooks/codex/warden-apply-patch-hook.js

@@ -1,113 +1,113 @@
-#!/usr/bin/env node
-/**
- * warden-apply-patch-hook.js — Codex PreToolUse hook
- *
- * Fires on apply_patch tool calls. Scans added lines for hardcoded credentials
- * and estimates resulting file size where the target path can be extracted.
- *
- * Codex hook payload (stdin, JSON):
- *   { tool: "apply_patch", toolInput: { patch: "<patch text>" } }
- *
- * Exit codes:
- *   0  — proceed
- *   2  — block (writes JSON deny to stdout)
- */
-
-'use strict';
-
-const fs   = require('fs');
-const path = require('path');
-const { scanForSecrets }          = require('../../lib/secret-patterns');
-const { countLines }              = require('../../lib/line-count');
-const { loadConfig }              = require('../../lib/config');
-
-const { maxFileLength: maxLines } = loadConfig();
-
-
-function deny(reason) {
-  process.stdout.write(JSON.stringify({ deny: true, message: `[CodeWarden] ${reason}` }) + '\n');
-  process.exit(2);
-}
-
-// ---------------------------------------------------------------------------
-// Patch parsing helpers
-// ---------------------------------------------------------------------------
-
-/**
- * Extract lines added by the patch (lines starting with '+', not '+++').
- */
-function extractAddedLines(patch) {
-  return patch.split('\n')
-    .filter(l => l.startsWith('+') && !l.startsWith('+++'))
-    .map(l => l.slice(1));
-}
-
-/**
- * Extract target file path from patch header (*** path or +++ path or --- path).
- * Returns null if not detectable.
- */
-function extractTargetPath(patch) {
-  for (const line of patch.split('\n')) {
-    const m = line.match(/^\+{3}\s+(.+?)(\s+\d{4}-\d{2}-\d{2}.*)?$/) ||
-              line.match(/^\*{3}\s+(.+?)(\s+\d{4}-\d{2}-\d{2}.*)?$/);
-    if (m) {
-      const p = m[1].trim();
-      if (p !== '/dev/null') return p;
-    }
-  }
-  return null;
-}
-
-/**
- * Estimate resulting line count: base file lines + added lines - removed lines.
- * Returns null if file not readable.
- */
-function estimateResultLines(patch, targetPath) {
-  let baseLines = 0;
-  if (targetPath && fs.existsSync(targetPath)) {
-    try {
-      baseLines = countLines(fs.readFileSync(targetPath, 'utf8'));
-    } catch { return null; }
-  } else if (!targetPath) {
-    return null;
-  }
-  // Count added and removed lines
-  let added = 0;
-  let removed = 0;
-  for (const line of patch.split('\n')) {
-    if (line.startsWith('+') && !line.startsWith('+++')) added++;
-    else if (line.startsWith('-') && !line.startsWith('---')) removed++;
-  }
-  return baseLines + added - removed;
-}
-
-// ---------------------------------------------------------------------------
-// Main
-// ---------------------------------------------------------------------------
-
-let raw = '';
-process.stdin.setEncoding('utf8');
-process.stdin.on('data', chunk => { raw += chunk; });
-process.stdin.on('end', () => {
-  let payload;
-  try { payload = JSON.parse(raw); } catch { process.exit(0); }
-
-  const input = payload.toolInput || payload.tool_input || {};
-  const patch  = String(input.patch || '');
-  if (!patch) process.exit(0);
-
-  // --- Secrets check on added lines ---
-  const added = extractAddedLines(patch);
-  const addedText = added.join('\n');
-  const hit = scanForSecrets(addedText);
-  if (hit) deny(`Blocked apply_patch — hardcoded credential detected (${hit.label}). Remove before patching.`);
-
-  // --- File length check ---
-  const targetPath = extractTargetPath(patch);
-  const estimated  = estimateResultLines(patch, targetPath);
-  if (estimated !== null && estimated > maxLines) {
-    deny(`Blocked apply_patch — resulting file would be ~${estimated} lines (limit ${maxLines}). Break it up first.`);
-  }
-
-  process.exit(0);
-});
+#!/usr/bin/env node
+/**
+ * warden-apply-patch-hook.js — Codex PreToolUse hook
+ *
+ * Fires on apply_patch tool calls. Scans added lines for hardcoded credentials
+ * and estimates resulting file size where the target path can be extracted.
+ *
+ * Codex hook payload (stdin, JSON):
+ *   { tool: "apply_patch", toolInput: { patch: "<patch text>" } }
+ *
+ * Exit codes:
+ *   0  — proceed
+ *   2  — block (writes JSON deny to stdout)
+ */
+
+'use strict';
+
+const fs   = require('fs');
+const path = require('path');
+const { scanForSecrets }          = require('../../lib/secret-patterns');
+const { countLines }              = require('../../lib/line-count');
+const { loadConfig }              = require('../../lib/config');
+
+const { maxFileLength: maxLines } = loadConfig();
+
+
+function deny(reason) {
+  process.stdout.write(JSON.stringify({ deny: true, message: `[CodeWarden] ${reason}` }) + '\n');
+  process.exit(2);
+}
+
+// ---------------------------------------------------------------------------
+// Patch parsing helpers
+// ---------------------------------------------------------------------------
+
+/**
+ * Extract lines added by the patch (lines starting with '+', not '+++').
+ */
+function extractAddedLines(patch) {
+  return patch.split('\n')
+    .filter(l => l.startsWith('+') && !l.startsWith('+++'))
+    .map(l => l.slice(1));
+}
+
+/**
+ * Extract target file path from patch header (*** path or +++ path or --- path).
+ * Returns null if not detectable.
+ */
+function extractTargetPath(patch) {
+  for (const line of patch.split('\n')) {
+    const m = line.match(/^\+{3}\s+(.+?)(\s+\d{4}-\d{2}-\d{2}.*)?$/) ||
+              line.match(/^\*{3}\s+(.+?)(\s+\d{4}-\d{2}-\d{2}.*)?$/);
+    if (m) {
+      const p = m[1].trim();
+      if (p !== '/dev/null') return p;
+    }
+  }
+  return null;
+}
+
+/**
+ * Estimate resulting line count: base file lines + added lines - removed lines.
+ * Returns null if file not readable.
+ */
+function estimateResultLines(patch, targetPath) {
+  let baseLines = 0;
+  if (targetPath && fs.existsSync(targetPath)) {
+    try {
+      baseLines = countLines(fs.readFileSync(targetPath, 'utf8'));
+    } catch { return null; }
+  } else if (!targetPath) {
+    return null;
+  }
+  // Count added and removed lines
+  let added = 0;
+  let removed = 0;
+  for (const line of patch.split('\n')) {
+    if (line.startsWith('+') && !line.startsWith('+++')) added++;
+    else if (line.startsWith('-') && !line.startsWith('---')) removed++;
+  }
+  return baseLines + added - removed;
+}
+
+// ---------------------------------------------------------------------------
+// Main
+// ---------------------------------------------------------------------------
+
+let raw = '';
+process.stdin.setEncoding('utf8');
+process.stdin.on('data', chunk => { raw += chunk; });
+process.stdin.on('end', () => {
+  let payload;
+  try { payload = JSON.parse(raw); } catch { process.exit(0); }
+
+  const input = payload.toolInput || payload.tool_input || {};
+  const patch  = String(input.patch || '');
+  if (!patch) process.exit(0);
+
+  // --- Secrets check on added lines ---
+  const added = extractAddedLines(patch);
+  const addedText = added.join('\n');
+  const hit = scanForSecrets(addedText);
+  if (hit) deny(`Blocked apply_patch — hardcoded credential detected (${hit.label}). Remove before patching.`);
+
+  // --- File length check ---
+  const targetPath = extractTargetPath(patch);
+  const estimated  = estimateResultLines(patch, targetPath);
+  if (estimated !== null && estimated > maxLines) {
+    deny(`Blocked apply_patch — resulting file would be ~${estimated} lines (limit ${maxLines}). Break it up first.`);
+  }
+
+  process.exit(0);
+});

package/tools/hooks/codex/warden-bash-hook.js

@@ -1,51 +1,51 @@
-#!/usr/bin/env node
-/**
- * warden-bash-hook.js — Codex PreToolUse hook
- *
- * Fires on Bash tool calls. Scans the command string for patterns that
- * would embed hardcoded credentials into files (e.g. echo/printf/cat with
- * secret values, curl with Authorization headers, env assignments, etc.).
- *
- * This is a best-effort surface: Bash is intentionally wide. The hook catches
- * the most common accidental secret exposure patterns; it does not attempt to
- * sandbox arbitrary shell execution.
- *
- * Codex hook payload (stdin, JSON):
- *   { tool: "Bash", toolInput: { command: "<shell command>" } }
- *
- * Exit codes:
- *   0  — proceed
- *   2  — block (writes JSON deny to stdout)
- */
-
-'use strict';
-
-const { scanForSecrets } = require('../../lib/secret-patterns');
-
-function deny(reason) {
-  process.stdout.write(JSON.stringify({ deny: true, message: `[CodeWarden] ${reason}` }) + '\n');
-  process.exit(2);
-}
-
-// ---------------------------------------------------------------------------
-// Main
-// ---------------------------------------------------------------------------
-
-let raw = '';
-process.stdin.setEncoding('utf8');
-process.stdin.on('data', chunk => { raw += chunk; });
-process.stdin.on('end', () => {
-  let payload;
-  try { payload = JSON.parse(raw); } catch { process.exit(0); }
-
-  const input   = payload.toolInput || payload.tool_input || {};
-  const command = String(input.command || '');
-  if (!command) process.exit(0);
-
-  const hit = scanForSecrets(command);
-  if (hit) {
-    deny(`Blocked Bash command — hardcoded credential detected (${hit.label}). Use environment variables or a secrets manager instead.`);
-  }
-
-  process.exit(0);
-});
+#!/usr/bin/env node
+/**
+ * warden-bash-hook.js — Codex PreToolUse hook
+ *
+ * Fires on Bash tool calls. Scans the command string for patterns that
+ * would embed hardcoded credentials into files (e.g. echo/printf/cat with
+ * secret values, curl with Authorization headers, env assignments, etc.).
+ *
+ * This is a best-effort surface: Bash is intentionally wide. The hook catches
+ * the most common accidental secret exposure patterns; it does not attempt to
+ * sandbox arbitrary shell execution.
+ *
+ * Codex hook payload (stdin, JSON):
+ *   { tool: "Bash", toolInput: { command: "<shell command>" } }
+ *
+ * Exit codes:
+ *   0  — proceed
+ *   2  — block (writes JSON deny to stdout)
+ */
+
+'use strict';
+
+const { scanForSecrets } = require('../../lib/secret-patterns');
+
+function deny(reason) {
+  process.stdout.write(JSON.stringify({ deny: true, message: `[CodeWarden] ${reason}` }) + '\n');
+  process.exit(2);
+}
+
+// ---------------------------------------------------------------------------
+// Main
+// ---------------------------------------------------------------------------
+
+let raw = '';
+process.stdin.setEncoding('utf8');
+process.stdin.on('data', chunk => { raw += chunk; });
+process.stdin.on('end', () => {
+  let payload;
+  try { payload = JSON.parse(raw); } catch { process.exit(0); }
+
+  const input   = payload.toolInput || payload.tool_input || {};
+  const command = String(input.command || '');
+  if (!command) process.exit(0);
+
+  const hit = scanForSecrets(command);
+  if (hit) {
+    deny(`Blocked Bash command — hardcoded credential detected (${hit.label}). Use environment variables or a secrets manager instead.`);
+  }
+
+  process.exit(0);
+});

package/tools/lib/config.js

@@ -1,49 +1,49 @@
-#!/usr/bin/env node
-'use strict';
-
-/**
- * config.js
- * Shared codewarden.json loader.
- *
- * Previously warden-lint.js, warden-lint-hook.js, and warden-apply-patch-hook.js
- * each parsed codewarden.json independently with slightly different fallback paths.
- * This module centralises config loading with a single documented precedence.
- *
- * Resolution order for config file:
- *   1. Explicit path passed to loadConfig(configPath)
- *   2. <__dirname>/../../codewarden.json  (relative to tools/lib/ → skill root)
- */
-
-const fs   = require('fs');
-const path = require('path');
-
-const DEFAULT_CONFIG_PATH = path.join(__dirname, '..', '..', 'codewarden.json');
-
-/**
- * Load and parse codewarden.json, returning a merged config object.
- * Falls back to defaults silently if the file is missing or unparseable.
- *
- * @param {string} [configPath] - Override the config file location
- * @returns {{ maxFileLength: number }}
- */
-function loadConfig(configPath) {
-  const target = configPath || DEFAULT_CONFIG_PATH;
-  let maxFileLength = 400;
-
-  try {
-    const raw = fs.readFileSync(target, 'utf8');
-    const cfg = JSON.parse(raw);
-    const configured =
-      cfg?.thresholds?.max_file_length ??
-      cfg?.max_file_length;
-    if (typeof configured === 'number' && configured > 0) {
-      maxFileLength = configured;
-    }
-  } catch {
-    // Missing or invalid config — use defaults
-  }
-
-  return { maxFileLength };
-}
-
-module.exports = { loadConfig, DEFAULT_CONFIG_PATH };
+#!/usr/bin/env node
+'use strict';
+
+/**
+ * config.js
+ * Shared codewarden.json loader.
+ *
+ * Previously warden-lint.js, warden-lint-hook.js, and warden-apply-patch-hook.js
+ * each parsed codewarden.json independently with slightly different fallback paths.
+ * This module centralises config loading with a single documented precedence.
+ *
+ * Resolution order for config file:
+ *   1. Explicit path passed to loadConfig(configPath)
+ *   2. <__dirname>/../../codewarden.json  (relative to tools/lib/ → skill root)
+ */
+
+const fs   = require('fs');
+const path = require('path');
+
+const DEFAULT_CONFIG_PATH = path.join(__dirname, '..', '..', 'codewarden.json');
+
+/**
+ * Load and parse codewarden.json, returning a merged config object.
+ * Falls back to defaults silently if the file is missing or unparseable.
+ *
+ * @param {string} [configPath] - Override the config file location
+ * @returns {{ maxFileLength: number }}
+ */
+function loadConfig(configPath) {
+  const target = configPath || DEFAULT_CONFIG_PATH;
+  let maxFileLength = 400;
+
+  try {
+    const raw = fs.readFileSync(target, 'utf8');
+    const cfg = JSON.parse(raw);
+    const configured =
+      cfg?.thresholds?.max_file_length ??
+      cfg?.max_file_length;
+    if (typeof configured === 'number' && configured > 0) {
+      maxFileLength = configured;
+    }
+  } catch {
+    // Missing or invalid config — use defaults
+  }
+
+  return { maxFileLength };
+}
+
+module.exports = { loadConfig, DEFAULT_CONFIG_PATH };

package/tools/lib/file-collection.js

@@ -30,10 +30,13 @@ const SKIP_EXTS = new Set([
  * @param {string[]} results - accumulator (mutated)
  */
 function collectFiles(dir, results) {
-  for (const entry of fs.readdirSync(dir)) {
+  let entries;
+  try { entries = fs.readdirSync(dir); } catch { return; }
+  for (const entry of entries) {
     if (SKIP_DIRS.has(entry)) continue;
     const full = path.join(dir, entry);
-    const stat = fs.statSync(full);
+    let stat;
+    try { stat = fs.statSync(full); } catch { continue; }
     if (stat.isDirectory()) {
       collectFiles(full, results);
     } else if (!SKIP_EXTS.has(path.extname(entry).toLowerCase())) {

package/tools/lib/line-count.js

@@ -1,28 +1,28 @@
-#!/usr/bin/env node
-'use strict';
-
-/**
- * line-count.js
- * Shared line-counting helper for warden-lint and hook consumers.
- *
- * Problem with the naive split('\n').length:
- *   "a\nb\n".split('\n') === ['a', 'b', '']  → length 3, not 2
- * A trailing newline (standard in well-formed files) would push a file
- * that is exactly at the limit over it, producing false positives.
- *
- * This helper normalises CRLF, strips the trailing newline before
- * splitting, and treats an empty string as 0 lines.
- */
-
-/**
- * Count logical lines in a file's content string.
- *
- * @param {string} content - Raw file content (may include CRLF or trailing newline)
- * @returns {number} Line count (0 for empty content)
- */
-function countLines(content) {
-  if (typeof content !== 'string' || content.length === 0) return 0;
-  return content.replace(/\r\n/g, '\n').trimEnd().split('\n').length;
-}
-
-module.exports = { countLines };
+#!/usr/bin/env node
+'use strict';
+
+/**
+ * line-count.js
+ * Shared line-counting helper for warden-lint and hook consumers.
+ *
+ * Problem with the naive split('\n').length:
+ *   "a\nb\n".split('\n') === ['a', 'b', '']  → length 3, not 2
+ * A trailing newline (standard in well-formed files) would push a file
+ * that is exactly at the limit over it, producing false positives.
+ *
+ * This helper normalises CRLF, strips the trailing newline before
+ * splitting, and treats an empty string as 0 lines.
+ */
+
+/**
+ * Count logical lines in a file's content string.
+ *
+ * @param {string} content - Raw file content (may include CRLF or trailing newline)
+ * @returns {number} Line count (0 for empty content)
+ */
+function countLines(content) {
+  if (typeof content !== 'string' || content.length === 0) return 0;
+  return content.replace(/\r\n/g, '\n').trimEnd().split('\n').length;
+}
+
+module.exports = { countLines };

package/tools/lib/secret-patterns.js

@@ -1,57 +1,57 @@
-#!/usr/bin/env node
-'use strict';
-
-/**
- * secret-patterns.js
- * Canonical hardcoded-credential patterns shared across all Code-Warden
- * scanners (CLI and hooks).
- *
- * Previously each consumer defined its own copy, causing drift:
- *   - verify-secrets.js:            gh[housr]_ (separate entries per prefix)
- *   - warden-secrets-hook.js:       gh[pousr]_
- *   - warden-apply-patch-hook.js:   gh[posx]_   ← missed 'u' (refresh tokens)
- *   - warden-bash-hook.js:          gh[posx]_   ← missed 'u' (refresh tokens)
- *
- * This module is the single source of truth. All consumers require() it.
- *
- * Terminology alignment (per v3.1.1 docs):
- *   - This module implements the "hardcoded credential scanner" logic.
- *   - The governance rule that mandates its use is the "zero-trust secrets policy".
- */
-
-/**
- * @typedef {{ label: string, re: RegExp }} SecretPattern
- */
-
-/** @type {SecretPattern[]} */
-const SECRET_PATTERNS = [
-  { label: 'AWS access key',          re: /\bAKIA[0-9A-Z]{16}\b/ },
-  { label: 'OpenAI key',              re: /\bsk-[A-Za-z0-9]{32,}\b/ },
-  { label: 'GitHub token',            re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/i },
-  { label: 'Stripe secret key',       re: /\bsk_(live|test)_[A-Za-z0-9]{24,}\b/ },
-  { label: 'Slack token',             re: /\bxox[baprs]-[A-Za-z0-9\-]{10,}\b/ },
-  { label: 'SendGrid key',            re: /\bSG\.[A-Za-z0-9_\-.]{20,}\b/ },
-  { label: 'Twilio SID',              re: /\bAC[a-f0-9]{32}\b/ },
-  { label: 'generic API key',         re: /api[_-]?key\s*[:=]\s*['"]?[A-Za-z0-9_\-]{20,}/i },
-  { label: 'generic secret key',      re: /secret[_-]?key\s*[:=]\s*['"]?[A-Za-z0-9_\-]{20,}/i },
-  { label: 'password assignment',     re: /password\s*[:=]\s*['"][^'"]{8,}['"]/i },
-  { label: 'bearer token',            re: /bearer\s+[A-Za-z0-9\-._~+\/]{20,}/i },
-  { label: 'private key header',      re: /-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
-  { label: 'database URL with creds', re: /[a-z][a-z0-9+\-.]*:\/\/[^:@\s]+:[^@\s]{4,}@[^/\s]+\// },
-];
-
-/**
- * Scan a content string against all secret patterns.
- *
- * @param {string} content
- * @returns {{ label: string } | null} First matching pattern label, or null if clean.
- */
-function scanForSecrets(content) {
-  if (typeof content !== 'string' || content.length === 0) return null;
-  for (const { label, re } of SECRET_PATTERNS) {
-    if (re.test(content)) return { label };
-  }
-  return null;
-}
-
-module.exports = { SECRET_PATTERNS, scanForSecrets };
+#!/usr/bin/env node
+'use strict';
+
+/**
+ * secret-patterns.js
+ * Canonical hardcoded-credential patterns shared across all Code-Warden
+ * scanners (CLI and hooks).
+ *
+ * Previously each consumer defined its own copy, causing drift:
+ *   - verify-secrets.js:            gh[housr]_ (separate entries per prefix)
+ *   - warden-secrets-hook.js:       gh[pousr]_
+ *   - warden-apply-patch-hook.js:   gh[posx]_   ← missed 'u' (refresh tokens)
+ *   - warden-bash-hook.js:          gh[posx]_   ← missed 'u' (refresh tokens)
+ *
+ * This module is the single source of truth. All consumers require() it.
+ *
+ * Terminology alignment (per v3.1.1 docs):
+ *   - This module implements the "hardcoded credential scanner" logic.
+ *   - The governance rule that mandates its use is the "zero-trust secrets policy".
+ */
+
+/**
+ * @typedef {{ label: string, re: RegExp }} SecretPattern
+ */
+
+/** @type {SecretPattern[]} */
+const SECRET_PATTERNS = [
+  { label: 'AWS access key',          re: /\bAKIA[0-9A-Z]{16}\b/ },
+  { label: 'OpenAI key',              re: /\bsk-[A-Za-z0-9]{32,}\b/ },
+  { label: 'GitHub token',            re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/i },
+  { label: 'Stripe secret key',       re: /\bsk_(live|test)_[A-Za-z0-9]{24,}\b/ },
+  { label: 'Slack token',             re: /\bxox[baprs]-[A-Za-z0-9\-]{10,}\b/ },
+  { label: 'SendGrid key',            re: /\bSG\.[A-Za-z0-9_\-.]{20,}\b/ },
+  { label: 'Twilio SID',              re: /\bAC[a-f0-9]{32}\b/ },
+  { label: 'generic API key',         re: /api[_-]?key\s*[:=]\s*['"]?[A-Za-z0-9_\-]{20,}/i },
+  { label: 'generic secret key',      re: /secret[_-]?key\s*[:=]\s*['"]?[A-Za-z0-9_\-]{20,}/i },
+  { label: 'password assignment',     re: /password\s*[:=]\s*['"][^'"]{8,}['"]/i },
+  { label: 'bearer token',            re: /bearer\s+[A-Za-z0-9\-._~+\/]{20,}/i },
+  { label: 'private key header',      re: /-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
+  { label: 'database URL with creds', re: /[a-z][a-z0-9+\-.]*:\/\/[^:@\s]+:[^@\s]{4,}@[^/\s]+\// },
+];
+
+/**
+ * Scan a content string against all secret patterns.
+ *
+ * @param {string} content
+ * @returns {{ label: string } | null} First matching pattern label, or null if clean.
+ */
+function scanForSecrets(content) {
+  if (typeof content !== 'string' || content.length === 0) return null;
+  for (const { label, re } of SECRET_PATTERNS) {
+    if (re.test(content)) return { label };
+  }
+  return null;
+}
+
+module.exports = { SECRET_PATTERNS, scanForSecrets };

package/tools/tests/fixtures/clean.js

@@ -1,9 +1,9 @@
-// Fixture: clean file — no secrets, well within line limit.
-// Used by: warden-lint (expect PASS) and verify-secrets (expect PASS).
-'use strict';
-
-function greet(name) {
-  return `Hello, ${name}`;
-}
-
-module.exports = { greet };
+// Fixture: clean file — no secrets, well within line limit.
+// Used by: warden-lint (expect PASS) and verify-secrets (expect PASS).
+'use strict';
+
+function greet(name) {
+  return `Hello, ${name}`;
+}
+
+module.exports = { greet };