codeproof 1.0.1 → 1.0.2

package/bin/codeproof.js

@@ -4,13 +4,15 @@ import { runCli } from "../commands/run.js";
 import { runReportDashboard } from "../commands/reportDashboard.js";
 import { runMoveSecret } from "../commands/moveSecret.js";
 import { runWhoAmI } from "../commands/whoami.js";
+import { runIgnore } from "../commands/ignore.js";
+import { runApply } from "../commands/apply.js";
 import { logError, logInfo } from "../utils/logger.js";
 
 const [, , command, ...args] = process.argv;
 
 async function main() {
   if (!command || command === "-h" || command === "--help") {
-    logInfo("Usage: codeproof <command>\n\nCommands:\n  init               Initialize CodeProof in a Git repository\n  run                Run CodeProof checks (stub)\n  report@dashboard   Send latest report and show dashboard link\n  move-secret        Move high-confidence secrets to .env\n  whoami             Show the local CodeProof client ID");
+    logInfo("Usage: codeproof <command>\n\nCommands:\n  init               Initialize CodeProof in a Git repository\n  run                Run CodeProof checks (stub)\n  report@dashboard   Send latest report and show dashboard link\n  move-secret        Move high-confidence secrets to .env\n  ignore             Temporarily disable commit enforcement\n  apply              Re-enable commit enforcement\n  whoami             Show the local CodeProof client ID");
     process.exit(0);
   }
 
@@ -34,6 +36,16 @@ async function main() {
     return;
   }
 
+  if (command === "ignore") {
+    await runIgnore({ args, cwd: process.cwd() });
+    return;
+  }
+
+  if (command === "apply") {
+    await runApply({ args, cwd: process.cwd() });
+    return;
+  }
+
   if (command === "whoami") {
     await runWhoAmI();
     return;

package/commands/apply.js

@@ -0,0 +1,32 @@
+import { ensureGitRepo, getGitRoot } from "../utils/git.js";
+import { logError, logInfo, logSuccess, logWarn } from "../utils/logger.js";
+import { getEnforcementState, setEnforcementState } from "../core/enforcement.js";
+
+export async function runApply({ cwd }) {
+  // Re-enable enforcement explicitly to restore pre-commit blocking.
+  ensureGitRepo(cwd);
+  const gitRoot = getGitRoot(cwd);
+
+  let current = "enabled";
+  try {
+    current = getEnforcementState(gitRoot);
+  } catch (error) {
+    logError(error?.message || "Unable to read codeproof.config.json.");
+    process.exit(1);
+  }
+
+  if (current === "enabled") {
+    logWarn("CodeProof enforcement is already enabled.");
+    return;
+  }
+
+  try {
+    setEnforcementState(gitRoot, "enabled");
+  } catch (error) {
+    logError(error?.message || "Unable to update codeproof.config.json.");
+    process.exit(1);
+  }
+
+  logSuccess("CodeProof enforcement re-enabled.");
+  logInfo("Pre-commit protection active.");
+}

package/commands/ignore.js

@@ -0,0 +1,32 @@
+import { ensureGitRepo, getGitRoot } from "../utils/git.js";
+import { logError, logInfo, logSuccess, logWarn } from "../utils/logger.js";
+import { getEnforcementState, setEnforcementState } from "../core/enforcement.js";
+
+export async function runIgnore({ cwd }) {
+  // Controlled bypass: disabling enforcement is explicit and project-scoped.
+  ensureGitRepo(cwd);
+  const gitRoot = getGitRoot(cwd);
+
+  let current = "enabled";
+  try {
+    current = getEnforcementState(gitRoot);
+  } catch (error) {
+    logError(error?.message || "Unable to read codeproof.config.json.");
+    process.exit(1);
+  }
+
+  if (current === "disabled") {
+    logWarn("CodeProof enforcement is already disabled.");
+    return;
+  }
+
+  try {
+    setEnforcementState(gitRoot, "disabled");
+  } catch (error) {
+    logError(error?.message || "Unable to update codeproof.config.json.");
+    process.exit(1);
+  }
+
+  logSuccess("CodeProof enforcement disabled.");
+  logInfo("Commits will not be blocked until `codeproof apply` is run.");
+}

package/commands/init.js

@@ -50,6 +50,7 @@ export async function runInit({ cwd }) {
       projectId: randomUUID(),
       projectType,
       scanMode: "staged",
+      enforcement: "enabled",
       features: {
         reporting: true,
         integration: false,
@@ -70,6 +71,18 @@ export async function runInit({ cwd }) {
     logSuccess("Created codeproof.config.json");
   }
 
+  try {
+    const raw = fs.readFileSync(configPath, "utf8");
+    const existing = JSON.parse(raw);
+    if (!existing.enforcement) {
+      existing.enforcement = "enabled";
+      fs.writeFileSync(configPath, JSON.stringify(existing, null, 2) + "\n", "utf8");
+      logSuccess("Added enforcement=enabled to codeproof.config.json");
+    }
+  } catch {
+    logWarn("Unable to update enforcement in codeproof.config.json.");
+  }
+
   installPreCommitHook(gitRoot);
   logSuccess("Pre-commit hook installed.");
 

package/commands/moveSecret.js

@@ -8,6 +8,7 @@ import { ensureEnvFile, readEnvKeys, appendEnvEntries } from "../utils/envManage
 import { backupFileOnce, extractSecretValueFromLine, replaceSecretInFile } from "../utils/fileRewriter.js";
 import { resolveFeatureFlags, isVerbose } from "../core/featureFlags.js";
 import { reportFeatureDisabled, warnExperimentalOnce } from "../core/safetyGuards.js";
+import { readLatestReport } from "../reporting/reportReader.js";
 
 const TEST_PATH_HINTS = [
   "test",
@@ -37,24 +38,6 @@ function isIgnoredPath(filePath, excludes) {
   return false;
 }
 
-function readLatestReport(reportPath) {
-  if (!fs.existsSync(reportPath)) {
-    return null;
-  }
-
-  const content = fs.readFileSync(reportPath, "utf8");
-  const lines = content.split(/\r?\n/).filter(Boolean);
-  if (lines.length === 0) {
-    return null;
-  }
-
-  try {
-    return JSON.parse(lines[lines.length - 1]);
-  } catch {
-    return null;
-  }
-}
-
 function confirmProceed(message) {
   return new Promise((resolve) => {
     const rl = readline.createInterface({
@@ -73,7 +56,6 @@ export async function runMoveSecret({ cwd }) {
   // Boundary: remediation reads reports only and must not depend on analysis state.
   ensureGitRepo(cwd);
   const gitRoot = getGitRoot(cwd);
-  const reportPath = path.join(gitRoot, "codeproof-report.log");
   const configPath = path.join(gitRoot, "codeproof.config.json");
   let config = {};
   try {
@@ -92,7 +74,7 @@ export async function runMoveSecret({ cwd }) {
   }
 
   warnExperimentalOnce("Experimental feature enabled: move-secret.", logWarn);
-  const latestReport = readLatestReport(reportPath);
+  const latestReport = readLatestReport(gitRoot)?.report || null;
 
   if (!latestReport || !Array.isArray(latestReport.findings)) {
     logWarn("No reports found. Run 'codeproof run' first.");

package/commands/run.js

@@ -12,6 +12,7 @@ import { writeReport } from "../reporting/reportWriter.js";
 import { sendReportToServer } from "../utils/apiClient.js";
 import { resolveFeatureFlags, isVerbose } from "../core/featureFlags.js";
 import { getClientId } from "../core/identity.js";
+import { getEnforcementState } from "../core/enforcement.js";
 import {
     reportFeatureDisabled,
     warnExperimentalOnce,
@@ -36,7 +37,7 @@ function readConfig(configPath) {
     }
 }
 
-export async function runCli({ cwd }) {
+export async function runCli({ args = [], cwd }) {
     // Boundary: CLI orchestration only. Avoid importing this module in lower layers.
     logInfo("CodeProof run started.");
 
@@ -46,6 +47,20 @@ export async function runCli({ cwd }) {
     const config = readConfig(configPath);
     const features = resolveFeatureFlags(config);
     const verbose = isVerbose(config);
+    let enforcement = "enabled";
+    try {
+        enforcement = getEnforcementState(gitRoot);
+    } catch (error) {
+        logError(error?.message || "Unable to read enforcement state.");
+        process.exit(1);
+    }
+    const isPreCommit = args.includes("--precommit") || Boolean(process.env.CODEPROOF_PRECOMMIT);
+
+    if (isPreCommit && enforcement === "disabled") {
+        logWarn("CodeProof enforcement is temporarily disabled.");
+        logInfo("Commit allowed.");
+        process.exit(0);
+    }
 
     if (!config.scanMode) {
         logError("Config missing scanMode. Expected 'staged' or 'full'.");

package/core/enforcement.js

@@ -0,0 +1,51 @@
+import fs from "fs";
+import path from "path";
+
+const ENFORCEMENT_ENABLED = "enabled";
+const ENFORCEMENT_DISABLED = "disabled";
+
+function getConfigPath(gitRoot) {
+  return path.join(gitRoot, "codeproof.config.json");
+}
+
+function readConfig(gitRoot) {
+  const configPath = getConfigPath(gitRoot);
+  if (!fs.existsSync(configPath)) {
+    const error = new Error("Missing codeproof.config.json. Run codeproof init first.");
+    error.code = "CODEPROOF_CONFIG_MISSING";
+    throw error;
+  }
+
+  try {
+    const raw = fs.readFileSync(configPath, "utf8");
+    return JSON.parse(raw);
+  } catch {
+    const error = new Error("Invalid codeproof.config.json. Please fix the file.");
+    error.code = "CODEPROOF_CONFIG_INVALID";
+    throw error;
+  }
+}
+
+function writeConfig(gitRoot, config) {
+  const configPath = getConfigPath(gitRoot);
+  fs.writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n", "utf8");
+}
+
+export function getEnforcementState(gitRoot) {
+  const config = readConfig(gitRoot);
+  const enforcement = String(config.enforcement || ENFORCEMENT_ENABLED).toLowerCase();
+  return enforcement === ENFORCEMENT_DISABLED ? ENFORCEMENT_DISABLED : ENFORCEMENT_ENABLED;
+}
+
+export function setEnforcementState(gitRoot, nextState) {
+  const config = readConfig(gitRoot);
+  const normalized = String(nextState || "").toLowerCase();
+  const enforcement = normalized === ENFORCEMENT_DISABLED
+    ? ENFORCEMENT_DISABLED
+    : ENFORCEMENT_ENABLED;
+
+  // Security: explicit state keeps this a reversible bypass, not a silent disable.
+  const updated = { ...config, enforcement };
+  writeConfig(gitRoot, updated);
+  return enforcement;
+}

package/hooks/preCommit.js

@@ -12,7 +12,20 @@ function getHookBlock() {
   return [
     "",
     HOOK_MARKER,
-    "codeproof run",
+    "GIT_ROOT=$(git rev-parse --show-toplevel 2>/dev/null)",
+    "if [ -n \"$GIT_ROOT\" ]; then",
+    "  cd \"$GIT_ROOT\" || exit 1",
+    "fi",
+    "CONFIG_PATH=\"$GIT_ROOT/codeproof.config.json\"",
+    "if [ -f \"$CONFIG_PATH\" ]; then",
+    "  ENFORCEMENT=$(node -e \"const fs=require('fs');try{const c=JSON.parse(fs.readFileSync('$CONFIG_PATH','utf8'));console.log((c.enforcement||'enabled').toLowerCase());}catch(e){console.log('enabled');}\")",
+    "  if [ \"$ENFORCEMENT\" = \"disabled\" ]; then",
+    "    echo \"CodeProof enforcement is temporarily disabled.\"",
+    "    echo \"Commit allowed.\"",
+    "    exit 0",
+    "  fi",
+    "fi",
+    "CODEPROOF_PRECOMMIT=1 codeproof run --precommit",
     "RESULT=$?",
     "if [ $RESULT -ne 0 ]; then",
     "  echo \"CodeProof checks failed. Commit blocked.\"",
@@ -36,7 +49,20 @@ export function installPreCommitHook(gitRoot) {
       "#!/bin/sh",
       "", 
       "# Auto-generated by CodeProof",
-      "codeproof run",
+      "GIT_ROOT=$(git rev-parse --show-toplevel 2>/dev/null)",
+      "if [ -n \"$GIT_ROOT\" ]; then",
+      "  cd \"$GIT_ROOT\" || exit 1",
+      "fi",
+      "CONFIG_PATH=\"$GIT_ROOT/codeproof.config.json\"",
+      "if [ -f \"$CONFIG_PATH\" ]; then",
+      "  ENFORCEMENT=$(node -e \"const fs=require('fs');try{const c=JSON.parse(fs.readFileSync('$CONFIG_PATH','utf8'));console.log((c.enforcement||'enabled').toLowerCase());}catch(e){console.log('enabled');}\")",
+      "  if [ \"$ENFORCEMENT\" = \"disabled\" ]; then",
+      "    echo \"CodeProof enforcement is temporarily disabled.\"",
+      "    echo \"Commit allowed.\"",
+      "    exit 0",
+      "  fi",
+      "fi",
+      "CODEPROOF_PRECOMMIT=1 codeproof run --precommit",
       "RESULT=$?",
       "if [ $RESULT -ne 0 ]; then",
       "  echo \"CodeProof checks failed. Commit blocked.\"",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeproof",
-  "version": "1.0.1",
+  "version": "1.0.2",
   "description": "CodeProof CLI",
   "type": "module",
   "bin": {