gac 1.2.6__tar.gz → 1.3.1__tar.gz

{gac-1.2.6 → gac-1.3.1}/.gitignore

@@ -210,3 +210,4 @@ scripts/changelog_prompt.md
 .plandex-v2/
 .vscode/
 .serena/
+.crush.json

{gac-1.2.6 → gac-1.3.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: gac
-Version: 1.2.6
+Version: 1.3.1
 Summary: AI-powered Git commit message generator with multi-provider support
 Project-URL: Homepage, https://github.com/cellwebb/gac
 Project-URL: Documentation, https://github.com/cellwebb/gac#readme
@@ -62,6 +62,7 @@ Description-Content-Type: text/markdown
 - **Streamlined Workflow Commands:** Boost your productivity with convenient options to stage all changes (`-a`), auto-confirm commits (`-y`), and push to your remote repository (`-p`) in a single step.
 - **Interactive Reroll with Feedback:** Not satisfied with the generated commit message? Use `r` for a simple regeneration, or `r <feedback>` to provide specific improvement suggestions (e.g., `r make it shorter`, `r focus on the bug fix`).
 - **Token Usage Tracking:** Display token consumption statistics (prompt, completion, and total tokens).
+- **Security Scanner:** Built-in detection of secrets and API keys in staged changes to prevent accidental commits of sensitive information.
 
 ## How It Works
 
@@ -200,6 +201,30 @@ Once installed and configured, using `gac` is straightforward:
 - Add a hint for the AI: `gac -h "Fixed the authentication bug"`
 - Push the commit (requires accepting the commit message): `gac -p`
 - Advanced usage: Add all, auto-confirm, push a one-liner with a hint: `gac -aypo -h "update for release"`
+- Skip security scan: `gac --skip-secret-scan` (use with caution)
+
+### Security Features
+
+GAC includes a built-in security scanner to prevent accidental commits of sensitive information:
+
+- **Automatic Scanning**: By default, scans all staged changes for potential secrets and API keys
+- **Interactive Protection**: When secrets are detected, you can:
+  - Abort the commit (recommended)
+  - Continue anyway (not recommended)
+  - Remove affected files and continue
+- **Wide Coverage**: Detects AWS keys, GitHub tokens, OpenAI API keys, database URLs, private keys, and more
+- **Smart Filtering**: Ignores example keys, placeholders, and test values to reduce false positives
+
+To disable the security scan (not recommended unless you know what you're doing):
+
+```sh
+# Skip scan for one command
+gac --skip-secret-scan
+
+# Or disable via environment variable
+export GAC_SKIP_SECRET_SCAN=true
+gac
+```
 
 For a full list of CLI flags, advanced options, and example workflows, see [USAGE.md](USAGE.md).
 

{gac-1.2.6 → gac-1.3.1}/README.md

@@ -20,6 +20,7 @@
 - **Streamlined Workflow Commands:** Boost your productivity with convenient options to stage all changes (`-a`), auto-confirm commits (`-y`), and push to your remote repository (`-p`) in a single step.
 - **Interactive Reroll with Feedback:** Not satisfied with the generated commit message? Use `r` for a simple regeneration, or `r <feedback>` to provide specific improvement suggestions (e.g., `r make it shorter`, `r focus on the bug fix`).
 - **Token Usage Tracking:** Display token consumption statistics (prompt, completion, and total tokens).
+- **Security Scanner:** Built-in detection of secrets and API keys in staged changes to prevent accidental commits of sensitive information.
 
 ## How It Works
 
@@ -158,6 +159,30 @@ Once installed and configured, using `gac` is straightforward:
 - Add a hint for the AI: `gac -h "Fixed the authentication bug"`
 - Push the commit (requires accepting the commit message): `gac -p`
 - Advanced usage: Add all, auto-confirm, push a one-liner with a hint: `gac -aypo -h "update for release"`
+- Skip security scan: `gac --skip-secret-scan` (use with caution)
+
+### Security Features
+
+GAC includes a built-in security scanner to prevent accidental commits of sensitive information:
+
+- **Automatic Scanning**: By default, scans all staged changes for potential secrets and API keys
+- **Interactive Protection**: When secrets are detected, you can:
+  - Abort the commit (recommended)
+  - Continue anyway (not recommended)
+  - Remove affected files and continue
+- **Wide Coverage**: Detects AWS keys, GitHub tokens, OpenAI API keys, database URLs, private keys, and more
+- **Smart Filtering**: Ignores example keys, placeholders, and test values to reduce false positives
+
+To disable the security scan (not recommended unless you know what you're doing):
+
+```sh
+# Skip scan for one command
+gac --skip-secret-scan
+
+# Or disable via environment variable
+export GAC_SKIP_SECRET_SCAN=true
+gac
+```
 
 For a full list of CLI flags, advanced options, and example workflows, see [USAGE.md](USAGE.md).
 

{gac-1.2.6 → gac-1.3.1}/src/gac/__version__.py

@@ -1,3 +1,3 @@
 """Version information for gac package."""
 
-__version__ = "1.2.6"
+__version__ = "1.3.1"

{gac-1.2.6 → gac-1.3.1}/src/gac/ai_utils.py

@@ -93,7 +93,7 @@ def generate_with_retries(
     provider, model_name = model.split(":", 1)
 
     # Validate provider
-    supported_providers = ["anthropic", "openai", "groq", "cerebras", "ollama", "openrouter"]
+    supported_providers = ["anthropic", "openai", "groq", "cerebras", "ollama", "openrouter", "zai"]
     if provider not in supported_providers:
         raise AIError.model_error(f"Unsupported provider: {provider}. Supported providers: {supported_providers}")
 

{gac-1.2.6 → gac-1.3.1}/src/gac/cli.py

@@ -54,6 +54,7 @@ logger = logging.getLogger(__name__)
 )
 # Advanced options
 @click.option("--no-verify", is_flag=True, help="Skip pre-commit hooks when committing")
+@click.option("--skip-secret-scan", is_flag=True, help="Skip security scan for secrets in staged changes")
 # Other options
 @click.option("--version", is_flag=True, help="Show the version of the Git Auto Commit (gac) tool")
 @click.pass_context
@@ -73,6 +74,7 @@ def cli(
     dry_run: bool = False,
     verbose: bool = False,
     no_verify: bool = False,
+    skip_secret_scan: bool = False,
 ) -> None:
     """Git Auto Commit - Generate commit messages with AI."""
     if ctx.invoked_subcommand is None:
@@ -103,6 +105,7 @@ def cli(
                 quiet=quiet,
                 dry_run=dry_run,
                 no_verify=no_verify,
+                skip_secret_scan=skip_secret_scan or bool(config.get("skip_secret_scan", False)),
             )
         except Exception as e:
             handle_error(e, exit_program=True)
@@ -125,6 +128,7 @@ def cli(
             "dry_run": dry_run,
             "verbose": verbose,
             "no_verify": no_verify,
+            "skip_secret_scan": skip_secret_scan,
         }
 
 

{gac-1.2.6 → gac-1.3.1}/src/gac/config.py

@@ -35,6 +35,8 @@ def load_config() -> dict[str, str | int | float | bool]:
         "warning_limit_tokens": int(os.getenv("GAC_WARNING_LIMIT_TOKENS", EnvDefaults.WARNING_LIMIT_TOKENS)),
         "always_include_scope": os.getenv("GAC_ALWAYS_INCLUDE_SCOPE", str(EnvDefaults.ALWAYS_INCLUDE_SCOPE)).lower()
         in ("true", "1", "yes", "on"),
+        "skip_secret_scan": os.getenv("GAC_SKIP_SECRET_SCAN", str(EnvDefaults.SKIP_SECRET_SCAN)).lower()
+        in ("true", "1", "yes", "on"),
     }
 
     return config

{gac-1.2.6 → gac-1.3.1}/src/gac/constants.py

@@ -24,6 +24,7 @@ class EnvDefaults:
     MAX_OUTPUT_TOKENS: int = 512
     WARNING_LIMIT_TOKENS: int = 16384
     ALWAYS_INCLUDE_SCOPE: bool = False
+    SKIP_SECRET_SCAN: bool = False
 
 
 class Logging:
@@ -39,6 +40,7 @@ class Utility:
     DEFAULT_ENCODING: str = "cl100k_base"  # llm encoding
     DEFAULT_DIFF_TOKEN_LIMIT: int = 15000  # Maximum tokens for diff processing
     MAX_WORKERS: int = os.cpu_count() or 4  # Maximum number of parallel workers
+    MAX_DISPLAYED_SECRET_LENGTH: int = 50  # Maximum length for displaying secrets
 
 
 class FilePatterns:

{gac-1.2.6 → gac-1.3.1}/src/gac/errors.py

@@ -107,6 +107,12 @@ class FormattingError(GacError):
     exit_code = 5
 
 
+class SecurityError(GacError):
+    """Error related to security issues (e.g., detected secrets)."""
+
+    exit_code = 6
+
+
 # Simplified error hierarchy - we use a single AIError class with error codes
 # instead of multiple subclasses for better maintainability
 
@@ -135,6 +141,8 @@ def handle_error(error: Exception, exit_program: bool = False, quiet: bool = Fal
         logger.error("Git operation failed. Please check your repository status.")
     elif isinstance(error, AIError):
         logger.error("AI operation failed. Please check your configuration and API keys.")
+    elif isinstance(error, SecurityError):
+        logger.error("Security scan detected potential secrets in staged changes.")
     else:
         logger.error("An unexpected error occurred.")
 
@@ -175,6 +183,7 @@ def format_error_for_user(error: Exception) -> str:
         ConfigError: "Please check your configuration settings.",
         GitError: "Please ensure Git is installed and you're in a valid Git repository.",
         FormattingError: "Please check that required formatters are installed.",
+        SecurityError: "Please remove or secure any detected secrets before committing.",
     }
 
     # Generic remediation for unexpected errors

{gac-1.2.6 → gac-1.3.1}/src/gac/init_cli.py

@@ -45,4 +45,14 @@ def init() -> None:
         set_key(str(GAC_ENV_PATH), f"{provider_key.upper()}_API_KEY", api_key)
         click.echo(f"Set {provider_key.upper()}_API_KEY (hidden)")
 
+    # Ask about ZAI coding plan if Z.AI provider was selected
+    if provider_key == "zai":
+        use_coding_api = questionary.confirm(
+            "Are you using a Z.AI coding plan? (uses different API endpoint)",
+            default=False,
+        ).ask()
+        if use_coding_api:
+            set_key(str(GAC_ENV_PATH), "GAC_ZAI_USE_CODING_PLAN", "true")
+            click.echo("Set GAC_ZAI_USE_CODING_PLAN=true")
+
     click.echo(f"\ngac environment setup complete. You can edit {GAC_ENV_PATH} to update values later.")

{gac-1.2.6 → gac-1.3.1}/src/gac/main.py

@@ -23,10 +23,12 @@ from gac.git import (
 )
 from gac.preprocess import preprocess_diff
 from gac.prompt import build_prompt, clean_commit_message
+from gac.security import get_affected_files, scan_staged_diff
 
 logger = logging.getLogger(__name__)
 
 config = load_config()
+console = Console()  # Initialize console globally to prevent undefined access
 
 
 def main(
@@ -41,6 +43,7 @@ def main(
     quiet: bool = False,
     dry_run: bool = False,
     no_verify: bool = False,
+    skip_secret_scan: bool = False,
 ) -> None:
     """Main application logic for gac."""
     try:
@@ -72,7 +75,6 @@ def main(
     # Check for staged files
     staged_files = get_staged_files(existing_only=False)
     if not staged_files:
-        console = Console()
         console.print(
             "[yellow]No staged changes found. Stage your changes with git add first or use --add-all.[/yellow]"
         )
@@ -81,7 +83,6 @@ def main(
     # Run pre-commit hooks before doing expensive operations
     if not no_verify and not dry_run:
         if not run_pre_commit_hooks():
-            console = Console()
             console.print("[red]Pre-commit hooks failed. Please fix the issues and try again.[/red]")
             console.print("[yellow]You can use --no-verify to skip pre-commit hooks.[/yellow]")
             sys.exit(1)
@@ -90,6 +91,72 @@ def main(
     diff = run_git_command(["diff", "--staged"])
     diff_stat = " " + run_git_command(["diff", "--stat", "--cached"])
 
+    # Security scan for secrets
+    if not skip_secret_scan:
+        logger.info("Scanning staged changes for potential secrets...")
+        secrets = scan_staged_diff(diff)
+        if secrets:
+            if not quiet:
+                console.print("\n[bold red]⚠️  SECURITY WARNING: Potential secrets detected![/bold red]")
+                console.print("[red]The following sensitive information was found in your staged changes:[/red]\n")
+
+            for secret in secrets:
+                location = f"{secret.file_path}:{secret.line_number}" if secret.line_number else secret.file_path
+                if not quiet:
+                    console.print(f"  • [yellow]{secret.secret_type}[/yellow] in [cyan]{location}[/cyan]")
+                    console.print(f"    Match: [dim]{secret.matched_text}[/dim]\n")
+
+            if not quiet:
+                console.print("\n[bold]Options:[/bold]")
+                console.print("  \\[a] Abort commit (recommended)")
+                console.print("  \\[c] [yellow]Continue anyway[/yellow] (not recommended)")
+                console.print("  \\[r] Remove affected file(s) and continue")
+
+            try:
+                choice = (
+                    click.prompt(
+                        "\nChoose an option",
+                        type=click.Choice(["a", "c", "r"], case_sensitive=False),
+                        default="a",
+                        show_choices=True,
+                        show_default=True,
+                    )
+                    .strip()
+                    .lower()
+                )
+            except (EOFError, KeyboardInterrupt):
+                console.print("\n[red]Aborted by user.[/red]")
+                sys.exit(0)
+
+            if choice == "a":
+                console.print("[yellow]Commit aborted.[/yellow]")
+                sys.exit(0)
+            elif choice == "c":
+                console.print("[bold yellow]⚠️  Continuing with potential secrets in commit...[/bold yellow]")
+                logger.warning("User chose to continue despite detected secrets")
+            elif choice == "r":
+                affected_files = get_affected_files(secrets)
+                for file_path in affected_files:
+                    try:
+                        run_git_command(["reset", "HEAD", file_path])
+                        console.print(f"[green]Unstaged: {file_path}[/green]")
+                    except GitError as e:
+                        console.print(f"[red]Failed to unstage {file_path}: {e}[/red]")
+
+                # Check if there are still staged files
+                remaining_staged = get_staged_files(existing_only=False)
+                if not remaining_staged:
+                    console.print("[yellow]No files remain staged. Commit aborted.[/yellow]")
+                    sys.exit(0)
+
+                console.print(f"[green]Continuing with {len(remaining_staged)} staged file(s)...[/green]")
+                # Refresh all git state variables after removing files
+                status = run_git_command(["status"])
+                diff = run_git_command(["diff", "--staged"])
+                diff_stat = " " + run_git_command(["diff", "--stat", "--cached"])
+        else:
+            logger.info("No secrets detected in staged changes")
+
     # Preprocess the diff before passing to build_prompt
     logger.debug(f"Preprocessing diff ({len(diff)} characters)")
     model_id = model or config["model"]
@@ -106,7 +173,6 @@ def main(
     )
 
     if show_prompt:
-        console = Console()
         # Show both system and user prompts
         full_prompt = f"SYSTEM PROMPT:\n{system_prompt}\n\nUSER PROMPT:\n{user_prompt}"
         console.print(
@@ -123,7 +189,6 @@ def main(
 
         warning_limit = config.get("warning_limit_tokens", EnvDefaults.WARNING_LIMIT_TOKENS)
         if warning_limit and prompt_tokens > warning_limit:
-            console = Console()
             console.print(
                 f"[yellow]⚠️  WARNING: Prompt contains {prompt_tokens} tokens, which exceeds the warning limit of "
                 f"{warning_limit} tokens.[/yellow]"
@@ -147,8 +212,6 @@ def main(
         logger.info("Generated commit message:")
         logger.info(commit_message)
 
-        console = Console()
-
         # Reroll loop
         while True:
             console.print("[bold green]Generated commit message:[/bold green]")
@@ -250,7 +313,6 @@ def main(
             console.print("[green]Commit created successfully[/green]")
     except AIError as e:
         logger.error(str(e))
-        console = Console()
         console.print(f"[red]Failed to generate commit message: {str(e)}[/red]")
         sys.exit(1)
 

{gac-1.2.6 → gac-1.3.1}/src/gac/providers/openrouter.py

@@ -32,6 +32,20 @@ def call_openrouter_api(model: str, messages: list[dict], temperature: float, ma
         response_data = response.json()
         return response_data["choices"][0]["message"]["content"]
     except httpx.HTTPStatusError as e:
-        raise AIError.model_error(f"OpenRouter API error: {e.response.status_code} - {e.response.text}") from e
+        # Handle specific HTTP status codes
+        status_code = e.response.status_code
+        error_text = e.response.text
+
+        # Rate limiting
+        if status_code == 429:
+            raise AIError.rate_limit_error(f"OpenRouter API rate limit exceeded: {error_text}") from e
+        # Service unavailable
+        elif status_code in (502, 503):
+            raise AIError.connection_error(f"OpenRouter API service unavailable: {status_code} - {error_text}") from e
+        # Other HTTP errors
+        else:
+            raise AIError.model_error(f"OpenRouter API error: {status_code} - {error_text}") from e
+    except httpx.ConnectError as e:
+        raise AIError.connection_error(f"OpenRouter API connection error: {str(e)}") from e
     except Exception as e:
         raise AIError.model_error(f"Error calling OpenRouter API: {str(e)}") from e

{gac-1.2.6 → gac-1.3.1}/src/gac/providers/zai.py

@@ -13,7 +13,13 @@ def call_zai_api(model: str, messages: list[dict], temperature: float, max_token
     if not api_key:
         raise AIError.model_error("ZAI_API_KEY not found in environment variables")
 
-    url = "https://api.z.ai/api/paas/v4/chat/completions"
+    # Support both regular and coding API endpoints
+    use_coding_api = os.getenv("GAC_ZAI_USE_CODING_PLAN", "false").lower() in ("true", "1", "yes", "on")
+    if use_coding_api:
+        url = "https://api.z.ai/api/coding/paas/v4/chat/completions"
+    else:
+        url = "https://api.z.ai/api/paas/v4/chat/completions"
+
     headers = {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}
 
     data = {"model": model, "messages": messages, "temperature": temperature, "max_tokens": max_tokens}

gac-1.3.1/src/gac/security.py

@@ -0,0 +1,293 @@
+#!/usr/bin/env python3
+"""Security utilities for detecting secrets and API keys in git diffs.
+
+This module provides functions to scan staged changes for potential secrets,
+API keys, and other sensitive information that should not be committed.
+"""
+
+import logging
+import re
+from dataclasses import dataclass
+
+logger = logging.getLogger(__name__)
+
+
+@dataclass
+class DetectedSecret:
+    """Represents a detected secret in a file."""
+
+    file_path: str
+    line_number: int | None
+    secret_type: str
+    matched_text: str
+    context: str | None = None
+
+
+class SecretPatterns:
+    """Regex patterns for detecting various types of secrets and API keys."""
+
+    # AWS Access Keys
+    AWS_ACCESS_KEY_ID = re.compile(r"(?:AWS_ACCESS_KEY_ID|aws_access_key_id)[\s:=\"']+([A-Z0-9]{20})", re.IGNORECASE)
+    AWS_SECRET_ACCESS_KEY = re.compile(
+        r"(?:AWS_SECRET_ACCESS_KEY|aws_secret_access_key)[\s:=\"']+([A-Za-z0-9/+=]{40})", re.IGNORECASE
+    )
+    AWS_SESSION_TOKEN = re.compile(r"(?:AWS_SESSION_TOKEN|aws_session_token)[\s:=\"']+([A-Za-z0-9/+=]+)", re.IGNORECASE)
+
+    # Generic API Keys
+    GENERIC_API_KEY = re.compile(
+        r"(?:api[-_]?key|api[-_]?secret|access[-_]?key|secret[-_]?key)[\s:=\"']+([A-Za-z0-9_\-]{20,})", re.IGNORECASE
+    )
+
+    # GitHub Tokens
+    GITHUB_TOKEN = re.compile(r"(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36,}")
+
+    # OpenAI API Keys
+    OPENAI_API_KEY = re.compile(r"sk-[A-Za-z0-9]{20,}")
+
+    # Anthropic API Keys
+    ANTHROPIC_API_KEY = re.compile(r"sk-ant-[A-Za-z0-9\-_]{95,}")
+
+    # Stripe Keys
+    STRIPE_KEY = re.compile(r"(?:sk|pk|rk)_(?:live|test)_[A-Za-z0-9]{24,}")
+
+    # Private Keys (PEM format)
+    PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
+
+    # Bearer Tokens (require actual token with specific characteristics)
+    BEARER_TOKEN = re.compile(r"Bearer\s+[A-Za-z0-9]{20,}[/=]*\s", re.IGNORECASE)
+
+    # JWT Tokens
+    JWT_TOKEN = re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
+
+    # Database URLs with credentials
+    DATABASE_URL = re.compile(
+        r"(?:postgresql|mysql|mongodb|redis)://[A-Za-z0-9_-]+:[A-Za-z0-9_@!#$%^&*()+-=]+@[A-Za-z0-9.-]+",
+        re.IGNORECASE,
+    )
+
+    # SSH Private Keys
+    SSH_PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA|DSA|EC|OPENSSH) PRIVATE KEY-----")
+
+    # Slack Tokens
+    SLACK_TOKEN = re.compile(r"xox[baprs]-[A-Za-z0-9-]+")
+
+    # Google API Keys
+    GOOGLE_API_KEY = re.compile(r"AIza[0-9A-Za-z_-]{35}")
+
+    # Twilio API Keys
+    TWILIO_API_KEY = re.compile(r"SK[a-f0-9]{32}")
+
+    # Generic Password Fields
+    PASSWORD = re.compile(r"(?:password|passwd|pwd)[\s:=\"']+([^\s\"']{8,})", re.IGNORECASE)
+
+    # Excluded patterns (common false positives)
+    EXCLUDED_PATTERNS = [
+        re.compile(r"(?:example|sample|dummy|placeholder|your[-_]?api[-_]?key)", re.IGNORECASE),
+        re.compile(r"(?:xxx+|yyy+|zzz+)", re.IGNORECASE),
+        re.compile(r"\b(?:123456|password|changeme|secret|testpass|admin)\b", re.IGNORECASE),  # Word boundaries
+        re.compile(r"ghp_[a-f0-9]{16}", re.IGNORECASE),  # Short GitHub tokens (examples)
+        re.compile(r"sk-[a-f0-9]{16}", re.IGNORECASE),  # Short OpenAI keys (examples)
+        re.compile(r"Bearer Token", re.IGNORECASE),  # Documentation text
+        re.compile(r"Add Bearer Token", re.IGNORECASE),  # Documentation text
+        re.compile(r"Test Bearer Token", re.IGNORECASE),  # Documentation text
+    ]
+
+    @classmethod
+    def get_all_patterns(cls) -> dict[str, re.Pattern]:
+        """Get all secret detection patterns.
+
+        Returns:
+            Dictionary mapping pattern names to compiled regex patterns
+        """
+        patterns = {}
+        for name, value in vars(cls).items():
+            if isinstance(value, re.Pattern) and not name.startswith("EXCLUDED"):
+                # Convert pattern name to human-readable format
+                readable_name = name.replace("_", " ").title()
+                patterns[readable_name] = value
+        return patterns
+
+
+def is_false_positive(matched_text: str, file_path: str = "") -> bool:
+    """Check if a matched secret is likely a false positive.
+
+    Args:
+        matched_text: The text that matched a secret pattern
+        file_path: The file path where the match was found (for context-based filtering)
+
+    Returns:
+        True if the match is likely a false positive
+    """
+    # Check against excluded patterns
+    for pattern in SecretPatterns.EXCLUDED_PATTERNS:
+        if pattern.search(matched_text):
+            return True
+
+    # Check for all-same characters (e.g., "xxxxxxxxxxxxxxxx")
+    if len(set(matched_text.lower())) <= 3 and len(matched_text) > 10:
+        return True
+
+    # Special handling for .env.example, .env.template, .env.sample files
+    if any(example_file in file_path for example_file in [".env.example", ".env.template", ".env.sample"]):
+        return True
+
+    return False
+
+
+def extract_file_path_from_diff_section(section: str) -> str | None:
+    """Extract the file path from a git diff section.
+
+    Args:
+        section: A git diff section
+
+    Returns:
+        The file path or None if not found
+    """
+    match = re.search(r"diff --git a/(.*?) b/", section)
+    if match:
+        return match.group(1)
+    return None
+
+
+def extract_line_number_from_hunk(line: str, hunk_header: str | None) -> int | None:
+    """Extract the line number from a diff hunk.
+
+    Args:
+        line: The diff line containing the secret
+        hunk_header: The most recent hunk header (e.g., "@@ -1,4 +1,5 @@")
+
+    Returns:
+        The line number or None if not determinable
+    """
+    if not hunk_header:
+        return None
+
+    # Parse hunk header to get starting line number: @@ -old_start,old_count +new_start,new_count @@
+    match = re.search(r"@@ -\d+(?:,\d+)? \+(\d+)", hunk_header)
+    if not match:
+        return None
+
+    return int(match.group(1))
+
+
+def scan_diff_section(section: str) -> list[DetectedSecret]:
+    """Scan a single git diff section for secrets.
+
+    Args:
+        section: A git diff section to scan
+
+    Returns:
+        List of detected secrets
+    """
+    secrets = []
+    file_path = extract_file_path_from_diff_section(section)
+
+    if not file_path:
+        return secrets
+
+    patterns = SecretPatterns.get_all_patterns()
+    lines = section.split("\n")
+    line_counter = 0
+
+    for line in lines:
+        # Track hunk headers for line number extraction
+        if line.startswith("@@"):
+            # Reset line counter based on hunk header (this is the starting line number in the new file)
+            match = re.search(r"@@ -\d+(?:,\d+)? \+(\d+)", line)
+            if match:
+                line_counter = int(match.group(1)) - 1  # Start one line before, will increment correctly
+            continue
+
+        # Skip metadata lines
+        if line.startswith("+++") or line.startswith("---"):
+            continue
+
+        # Increment line counter for both added and context lines
+        if line.startswith("+") or line.startswith(" "):
+            line_counter += 1
+
+        # Only scan added lines (starting with '+')
+        if line.startswith("+") and not line.startswith("+++"):
+            # Check each pattern
+            content = line[1:]  # Remove the '+' prefix for pattern matching
+            for pattern_name, pattern in patterns.items():
+                matches = pattern.finditer(content)
+                for match in matches:
+                    matched_text = match.group(0)
+
+                    # Skip false positives
+                    if is_false_positive(matched_text, file_path):
+                        logger.debug(f"Skipping false positive: {matched_text}")
+                        continue
+
+                    # Truncate matched text for display (avoid showing full secrets)
+                    from gac.constants import Utility
+
+                    display_text = (
+                        matched_text[: Utility.MAX_DISPLAYED_SECRET_LENGTH] + "..."
+                        if len(matched_text) > Utility.MAX_DISPLAYED_SECRET_LENGTH
+                        else matched_text
+                    )
+
+                    secrets.append(
+                        DetectedSecret(
+                            file_path=file_path,
+                            line_number=line_counter,
+                            secret_type=pattern_name,
+                            matched_text=display_text,
+                            context=content.strip(),
+                        )
+                    )
+
+    return secrets
+
+
+def scan_staged_diff(diff: str) -> list[DetectedSecret]:
+    """Scan staged git diff for secrets and API keys.
+
+    Args:
+        diff: The staged git diff to scan
+
+    Returns:
+        List of detected secrets
+    """
+    if not diff:
+        return []
+
+    # Split diff into sections (one per file)
+    sections = re.split(r"(?=^diff --git )", diff, flags=re.MULTILINE)
+    all_secrets = []
+
+    for section in sections:
+        if not section.strip():
+            continue
+
+        # Validate that this is a real git diff section
+        # Real diff sections must have diff --git header followed by --- and +++ lines
+        if not re.search(r"^diff --git ", section, flags=re.MULTILINE):
+            continue
+
+        if not re.search(r"^--- ", section, flags=re.MULTILINE):
+            continue
+
+        if not re.search(r"^\+\+\+ ", section, flags=re.MULTILINE):
+            continue
+
+        secrets = scan_diff_section(section)
+        all_secrets.extend(secrets)
+
+    logger.info(f"Secret scan complete: found {len(all_secrets)} potential secrets")
+    return all_secrets
+
+
+def get_affected_files(secrets: list[DetectedSecret]) -> list[str]:
+    """Get unique list of files containing detected secrets.
+
+    Args:
+        secrets: List of detected secrets
+
+    Returns:
+        Sorted list of unique file paths
+    """
+    files = {secret.file_path for secret in secrets}
+    return sorted(files)