git-ward 0.1.0

package/Cargo.toml

@@ -0,0 +1,21 @@
+[package]
+name = "ward"
+version = "0.1.0"
+edition = "2021"
+authors = ["awixor"]
+description = "Local-First Git Guard for preventing secret leaks"
+repository = "https://github.com/awixor/ward"
+license = "MIT"
+keywords = ["git", "secret-scanning", "security", "cli"]
+readme = "README.md"
+[dependencies]
+clap = { version = "4.4", features = ["derive"] }
+regex = "1.10"
+serde = { version = "1.0", features = ["derive"] }
+toml = "0.8"
+ignore = "0.4"
+globset = "0.4"
+colored = "2.1"
+
+anyhow = "1.0"
+thiserror = "1.0"

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Elhoucine Aouassar
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,81 @@
+# Ward (Local-First Git Guard)
+
+**Ward** is a high-performance, zero-server CLI tool and Git hook designed to prevent developers from accidentally pushing sensitive data (Private Keys, Mnemonics, API Keys) to GitHub.
+
+## 🚀 Features
+
+- **Zero Friction:** Scans staged files in < 50ms.
+- **Privacy First:** All scanning happens locally. No data leaves your machine.
+- **Smart Detection:**
+  - **Ethereum Private Keys**
+  - **BIP-39 Mnemonics**
+  - **Generic API Keys**
+  - **High Entropy Strings** (with false positive filtering)
+- **Configurable:** Ignore specific files or patterns via `ward.toml`.
+
+## 📦 Installation
+
+### fast way (npx)
+
+```bash
+# Initialize Ward in your current repository
+npx git-ward init
+```
+
+### From Source (Rust)
+
+```bash
+cargo install --path .
+ward init
+```
+
+## 🛠 Usage
+
+Once initialized, Ward runs automatically as a `pre-commit` hook.
+
+### Automatic Scanning
+
+Just use `git commit` as normal. If you try to commit a secret:
+
+```bash
+git commit -m "oops"
+```
+
+**Output:**
+
+```
+Ward detected sensitive data in your commit:
+  ✖ secret.key:1: Ethereum Private Key
+    Code: 0x12...cdef
+  ✖ secret.key:1: High Entropy (4.05)
+    Code: 0x12...cdef
+
+Commit blocked. Remove the secrets or use 'git commit --no-verify' to bypass.
+```
+
+### Manual Scan
+
+You can also run a scan manually without committing:
+
+```bash
+ward scan
+```
+
+## ⚙️ Configuration (`ward.toml`)
+
+Create a `ward.toml` in your project root to customize behavior:
+
+```toml
+# ward.toml
+exclude = ["secrets.txt", "*.lock"]
+skip_entropy_checks = ["*.min.js", "node_modules/"]
+threshold = 4.5
+
+[[rules]]
+name = "My Custom Token"
+regex = "MYTOKEN-[0-9]{5}"
+```
+
+## License
+
+MIT

package/bin/ward.js

@@ -0,0 +1,30 @@
+#!/usr/bin/env node
+
+const { spawn } = require("child_process");
+const path = require("path");
+
+// Point to the package's Cargo.toml so we can run from anywhere
+const projectRoot = path.join(__dirname, "..");
+const manifestPath = path.join(projectRoot, "Cargo.toml");
+
+const args = process.argv.slice(2);
+const command = "cargo";
+// Use --release for production speed
+const runArgs = [
+  "run",
+  "--release",
+  "--quiet",
+  "--manifest-path",
+  manifestPath,
+  "--",
+  ...args,
+];
+
+const child = spawn(command, runArgs, {
+  stdio: "inherit",
+  shell: true,
+});
+
+child.on("exit", (code) => {
+  process.exit(code);
+});

package/package.json

@@ -0,0 +1,37 @@
+{
+  "name": "git-ward",
+  "version": "0.1.0",
+  "description": "Local-First Git Guard for preventing secret leaks",
+  "bin": {
+    "ward": "./bin/ward.js"
+  },
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1",
+    "postinstall": "cargo build --release"
+  },
+  "keywords": [
+    "git",
+    "secret-scanning",
+    "security",
+    "cli",
+    "pre-commit",
+    "ward"
+  ],
+  "author": "awixor",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/awixor/ward.git"
+  },
+  "bugs": {
+    "url": "https://github.com/awixor/ward/issues"
+  },
+  "homepage": "https://github.com/awixor/ward#readme",
+  "files": [
+    "bin",
+    "src",
+    "Cargo.toml",
+    "README.md",
+    "LICENSE"
+  ]
+}

package/src/config.rs

@@ -0,0 +1,48 @@
+use serde::{Deserialize, Serialize};
+use std::fs;
+use std::path::Path;
+use anyhow::{Result, Context};
+
+#[derive(Debug, Deserialize, Serialize, Clone)]
+pub struct Config {
+    #[serde(default)]
+    pub exclude: Vec<String>,
+    #[serde(default)]
+    pub skip_entropy_checks: Vec<String>,
+    #[serde(default = "default_threshold")]
+    pub threshold: f32,
+    #[serde(default)]
+    pub rules: Vec<CustomRule>,
+}
+
+#[derive(Debug, Deserialize, Serialize, Clone)]
+pub struct CustomRule {
+    pub name: String,
+    pub regex: String,
+}
+
+fn default_threshold() -> f32 {
+    4.5
+}
+
+impl Default for Config {
+    fn default() -> Self {
+        Self {
+            exclude: vec!["*.lock".to_string(), "package-lock.json".to_string(), "yarn.lock".to_string()],
+            skip_entropy_checks: vec!["*.min.js".to_string(), "*.svg".to_string()],
+            threshold: 4.5,
+            rules: vec![],
+        }
+    }
+}
+
+pub fn load_config() -> Result<Config> {
+    let config_path = Path::new("ward.toml");
+    if config_path.exists() {
+        let content = fs::read_to_string(config_path).context("Failed to read ward.toml")?;
+        let config: Config = toml::from_str(&content).context("Failed to parse ward.toml")?;
+        Ok(config)
+    } else {
+        Ok(Config::default())
+    }
+}

package/src/git.rs

@@ -0,0 +1,96 @@
+use anyhow::{Result, Context};
+use std::process::Command;
+use std::path::{Path, PathBuf};
+use std::fs;
+use std::os::unix::fs::PermissionsExt;
+use colored::*;
+
+const HOOK_SCRIPT: &str = r#"
+# Ward - Local-First Git Guard
+# This hook was automatically installed by Ward.
+if command -v ward >/dev/null 2>&1; then
+    ward scan
+else
+    # Fallback to local npx if global command not found
+    if [ -f "node_modules/.bin/ward" ]; then
+        ./node_modules/.bin/ward scan
+    else
+        echo "Ward not found in path or node_modules. Skipping scan."
+    fi
+fi
+"#;
+
+pub fn install_hook() -> Result<()> {
+    // 1. Check if .git exists
+    let git_dir = Path::new(".git");
+    if !git_dir.exists() {
+        println!("{}", "Error: Not a git repository. Run 'git init' first.".red());
+        return Ok(());
+    }
+
+    let hooks_dir = git_dir.join("hooks");
+    if !hooks_dir.exists() {
+        fs::create_dir(&hooks_dir).context("Failed to create hooks directory")?;
+    }
+
+    let pre_commit_path = hooks_dir.join("pre-commit");
+    
+    // 2. Read existing hook or create new
+    let mut hook_content = if pre_commit_path.exists() {
+        fs::read_to_string(&pre_commit_path).context("Failed to read existing pre-commit hook")?
+    } else {
+        String::from("#!/bin/sh\n")
+    };
+
+    // 3. Simple prepend logic (naive for MVP, improves robust parsing later)
+    if !hook_content.contains("ward scan") {
+        // Insert after shebang if present
+        if hook_content.starts_with("#!") {
+            match hook_content.find('\n') {
+                Some(idx) => {
+                    hook_content.insert_str(idx + 1, HOOK_SCRIPT);
+                }
+                None => {
+                    hook_content.push_str(HOOK_SCRIPT);
+                }
+            }
+        } else {
+             // No shebang? Prepend one + script
+            hook_content = format!("#!/bin/sh\n{}{}", HOOK_SCRIPT, hook_content);
+        }
+    
+        fs::write(&pre_commit_path, &hook_content).context("Failed to write pre-commit hook")?;
+        
+        // Make executable
+        let mut perms = fs::metadata(&pre_commit_path)?.permissions();
+        perms.set_mode(0o755);
+        fs::set_permissions(&pre_commit_path, perms)?;
+
+        println!("{}", "✓ Ward pre-commit hook installed successfully.".green());
+    } else {
+        println!("{}", "ℹ Ward hook already exists.".yellow());
+    }
+
+    Ok(())
+}
+
+pub fn get_staged_files() -> Result<Vec<PathBuf>> {
+    let output = Command::new("git")
+        .args(&["diff", "--cached", "--name-only", "--diff-filter=ACM"])
+        .output()
+        .context("Failed to execute git diff")?;
+
+    if !output.status.success() {
+        // Handle case where no commit yet?
+        return Ok(vec![]);
+    }
+
+    let output_str = String::from_utf8(output.stdout)?;
+    let files = output_str
+        .lines()
+        .map(|s| PathBuf::from(s.trim()))
+        .filter(|p| p.exists()) // Verify file exists on disk
+        .collect();
+
+    Ok(files)
+}

package/src/main.rs

@@ -0,0 +1,91 @@
+use clap::{Parser, Subcommand};
+use colored::*;
+use anyhow::Result;
+use std::process::exit;
+
+mod config;
+mod git;
+mod scanner;
+
+#[derive(Parser)]
+#[command(author, version, about, long_about = None)]
+#[command(propagate_version = true)]
+struct Cli {
+    #[command(subcommand)]
+    command: Commands,
+}
+
+#[derive(Subcommand)]
+enum Commands {
+    /// Initialize Ward in the current repository
+    Init,
+    /// Scan staged files for secrets
+    Scan,
+    /// Check for updates (stub)
+    CheckUpdates,
+}
+
+fn main() -> Result<()> {
+    let cli = Cli::parse();
+
+    match &cli.command {
+        Commands::Init => {
+            println!("{}", "Initializing Ward...".blue());
+            git::install_hook()?;
+        }
+        Commands::Scan => {
+             // 1. Load Config
+            let config = config::load_config().unwrap_or_else(|e| {
+                println!("{}", format!("Warning: Failed to load config: {}", e).yellow());
+                config::Config::default()
+            });
+
+            // 2. Get Staged Files
+            let files = git::get_staged_files()?;
+            if files.is_empty() {
+                return Ok(());
+            }
+
+            // 3. Scan
+            let scanner = scanner::Scanner::new(config);
+            let mut all_violations = vec![];
+
+            for file in files {
+                match scanner.scan_file(&file) {
+                    Ok(mut v) => all_violations.append(&mut v),
+                    Err(e) => eprintln!("Error scanning {:?}: {}", file, e),
+                }
+            }
+
+            // 4. Report
+            if !all_violations.is_empty() {
+                println!("\n{}", "Ward detected sensitive data in your commit:".red().bold());
+                for v in all_violations {
+                    let masked_snippet = if v.snippet.len() <= 8 {
+                        "[REDACTED]".to_string()
+                    } else {
+                        format!("{}...{}", &v.snippet[..4], &v.snippet[v.snippet.len()-4..])
+                    };
+
+                    println!(
+                        "  {} {}:{}: {}", 
+                        "✖".red(), 
+                        v.file.display(), 
+                        v.line.to_string().cyan(), 
+                        v.rule.yellow()
+                    );
+                    println!("    Code: {}", masked_snippet.dimmed());
+                }
+                println!("\n{}", "Commit blocked. Remove the secrets or use 'git commit --no-verify' to bypass.".red());
+                exit(1);
+            } else {
+                 println!("{}", "✓ Ward scan clean".green());
+            }
+        }
+        Commands::CheckUpdates => {
+            println!("You are running the latest version of Ward.");
+        }
+    }
+
+    Ok(())
+}

package/src/scanner.rs

@@ -0,0 +1,129 @@
+use crate::config::Config;
+use regex::Regex;
+use globset::{Glob, GlobSet, GlobSetBuilder};
+use std::fs;
+use std::path::{Path, PathBuf};
+use std::collections::HashMap;
+use anyhow::Result;
+
+#[derive(Debug)]
+pub struct Violation {
+    pub file: PathBuf,
+    pub line: usize,
+    pub rule: String,
+    pub snippet: String,
+}
+
+pub struct Scanner {
+    config: Config,
+    patterns: Vec<(String, Regex)>,
+    exclude_globnet: GlobSet,
+}
+
+fn shannon_entropy(s: &str) -> f32 {
+    let mut map = HashMap::new();
+    let len = s.len() as f32;
+
+    for c in s.chars() {
+        *map.entry(c).or_insert(0.0) += 1.0;
+    }
+
+    map.values().fold(0.0, |acc, &count| {
+        let p = count / len;
+        acc - p * p.log2()
+    })
+}
+
+impl Scanner {
+    pub fn new(config: Config) -> Self {
+        let mut patterns = vec![
+            ("Ethereum Private Key".to_string(), Regex::new(r"(?i)0x[a-fA-F0-9]{64}").unwrap()),
+            ("BIP-39 Mnemonic".to_string(), Regex::new(r"(?i)(\b[a-z]{3,}\b\s){11,}\b[a-z]{3,}\b").unwrap()),
+            ("Generic API Key".to_string(), Regex::new(r#"(?i)(api_key|access_token|secret_key)[\s:=]+['""]?[a-zA-Z0-9_\-]{20,}"#).unwrap()),
+        ];
+        
+        // Add custom rules
+        for rule in &config.rules {
+            if let Ok(re) = Regex::new(&rule.regex) {
+                patterns.push((rule.name.clone(), re));
+            }
+        }
+
+        // Build GlobSet for excludes
+        let mut builder = GlobSetBuilder::new();
+        for pattern in &config.exclude {
+            if let Ok(glob) = Glob::new(pattern) {
+                builder.add(glob);
+            }
+        }
+        let exclude_globnet = builder.build().unwrap_or_else(|_| GlobSet::empty());
+
+        Self { config, patterns, exclude_globnet }
+    }
+
+    pub fn scan_file(&self, path: &Path) -> Result<Vec<Violation>> {
+        if self.exclude_globnet.is_match(path) {
+            return Ok(vec![]);
+        }
+
+        let mut violations = vec![];
+        
+        // Skip binary check (basic)
+        // In a real impl, we'd read first 1024 bytes to check for nulls
+        let content = match fs::read_to_string(path) {
+            Ok(c) => c,
+            Err(_) => return Ok(vec![]), // Skip binary or unreadable
+        };
+
+        for (i, line) in content.lines().enumerate() {
+            let line_idx = i + 1;
+
+            // 1. Regex Check
+            for (name, re) in &self.patterns {
+                if re.is_match(line) {
+                     violations.push(Violation {
+                        file: path.to_path_buf(),
+                        line: line_idx,
+                        rule: name.clone(),
+                        snippet: line.trim().chars().take(50).collect(),
+                    });
+                    continue; // Detected, move to next line
+                }
+            }
+
+            // 2. Entropy Check
+            // Verify if we should skip this file for entropy
+            let skip_entropy = self.config.skip_entropy_checks.iter().any(|pattern| {
+                 // Simple contains check for MVP, glob matching TODO
+                 path.to_string_lossy().contains(pattern.trim_start_matches('*')) 
+            });
+
+            if !skip_entropy {
+               // Only check words/tokens > 20 chars
+               for word in line.split_whitespace() {
+                   // Clean common wrapping punctuation from the word
+                   let clean_word = word.trim_matches(|c| "()[]{}\";',".contains(c));
+                   
+                   if clean_word.len() > 20 {
+                        // Skip if it looks like code function calls or paths
+                        if clean_word.contains("::") || clean_word.contains("->") {
+                            continue;
+                        }
+
+                        let entropy = shannon_entropy(clean_word);
+                        if entropy > self.config.threshold {
+                             violations.push(Violation {
+                                file: path.to_path_buf(),
+                                line: line_idx,
+                                rule: format!("High Entropy ({:.2})", entropy),
+                                snippet: clean_word.chars().take(20).collect(), // truncated
+                            });
+                        }
+                   }
+               }
+            }
+        }
+
+        Ok(violations)
+    }
+}