sentinelcodeai 0.1.0__tar.gz

sentinelcodeai-0.1.0/PKG-INFO

@@ -0,0 +1,86 @@
+Metadata-Version: 2.4
+Name: sentinelcodeai
+Version: 0.1.0
+Summary: Pre-commit security scanner — detects secrets and memory leaks before git commit.
+Home-page: https://github.com/Yuva-Deekshitha-N/sentinelcodeai.git
+Author: CodeSentinel
+Author-email: yuvadeekshithanamani@gmail.com
+Classifier: Programming Language :: Python :: 3
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: OS Independent
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+Requires-Dist: rich
+Requires-Dist: pycparser>=2.21
+Dynamic: author
+Dynamic: author-email
+Dynamic: classifier
+Dynamic: description
+Dynamic: description-content-type
+Dynamic: home-page
+Dynamic: requires-dist
+Dynamic: requires-python
+Dynamic: summary
+
+# SentinelCodeAI
+
+Static analysis tool that detects secrets, memory leaks, and sensitive context in any language — with automatic Git pre-commit hook integration.
+
+## Structure
+
+```
+src/core/secrets.py           # Regex-based secret detection (11 patterns)
+src/core/leaks.py             # AST-based memory leak detection
+src/ai/nlp.py                 # NLP keyword context analysis
+src/git_hooks/pre_commit.py   # Git pre-commit hook logic
+src/scanner.py                # Shared scan + display engine
+src/cli.py                    # CLI entry point
+install_hook.py               # One-time hook installer
+```
+
+## Setup
+
+### Option A — pip install (hook auto-installs)
+```bash
+pip install -e .
+```
+
+### Option B — clone without pip
+```bash
+pip install -r requirements.txt
+python install_hook.py
+```
+
+## Scan manually (file or folder)
+
+```bash
+# scan a single file
+sentinel --path path/to/file.py
+
+# scan an entire folder
+sentinel --path path/to/folder/
+
+# without pip install
+python -m src.cli --path path/to/file_or_folder
+```
+
+## How the pre-commit hook works
+
+Once installed, every `git commit` is automatically intercepted:
+
+```
+git commit -m "my changes"
+      |
+      v
+SentinelCodeAI scans all staged files
+      |
+      v
+HIGH risk found  --> commit BLOCKED + report shown
+All clean        --> commit goes through
+```
+
+## Run Tests
+
+```bash
+pytest tests/
+```

sentinelcodeai-0.1.0/README.md

@@ -0,0 +1,62 @@
+# SentinelCodeAI
+
+Static analysis tool that detects secrets, memory leaks, and sensitive context in any language — with automatic Git pre-commit hook integration.
+
+## Structure
+
+```
+src/core/secrets.py           # Regex-based secret detection (11 patterns)
+src/core/leaks.py             # AST-based memory leak detection
+src/ai/nlp.py                 # NLP keyword context analysis
+src/git_hooks/pre_commit.py   # Git pre-commit hook logic
+src/scanner.py                # Shared scan + display engine
+src/cli.py                    # CLI entry point
+install_hook.py               # One-time hook installer
+```
+
+## Setup
+
+### Option A — pip install (hook auto-installs)
+```bash
+pip install -e .
+```
+
+### Option B — clone without pip
+```bash
+pip install -r requirements.txt
+python install_hook.py
+```
+
+## Scan manually (file or folder)
+
+```bash
+# scan a single file
+sentinel --path path/to/file.py
+
+# scan an entire folder
+sentinel --path path/to/folder/
+
+# without pip install
+python -m src.cli --path path/to/file_or_folder
+```
+
+## How the pre-commit hook works
+
+Once installed, every `git commit` is automatically intercepted:
+
+```
+git commit -m "my changes"
+      |
+      v
+SentinelCodeAI scans all staged files
+      |
+      v
+HIGH risk found  --> commit BLOCKED + report shown
+All clean        --> commit goes through
+```
+
+## Run Tests
+
+```bash
+pytest tests/
+```

sentinelcodeai-0.1.0/sentinelcodeai.egg-info/PKG-INFO

@@ -0,0 +1,86 @@
+Metadata-Version: 2.4
+Name: sentinelcodeai
+Version: 0.1.0
+Summary: Pre-commit security scanner — detects secrets and memory leaks before git commit.
+Home-page: https://github.com/Yuva-Deekshitha-N/sentinelcodeai.git
+Author: CodeSentinel
+Author-email: yuvadeekshithanamani@gmail.com
+Classifier: Programming Language :: Python :: 3
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: OS Independent
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+Requires-Dist: rich
+Requires-Dist: pycparser>=2.21
+Dynamic: author
+Dynamic: author-email
+Dynamic: classifier
+Dynamic: description
+Dynamic: description-content-type
+Dynamic: home-page
+Dynamic: requires-dist
+Dynamic: requires-python
+Dynamic: summary
+
+# SentinelCodeAI
+
+Static analysis tool that detects secrets, memory leaks, and sensitive context in any language — with automatic Git pre-commit hook integration.
+
+## Structure
+
+```
+src/core/secrets.py           # Regex-based secret detection (11 patterns)
+src/core/leaks.py             # AST-based memory leak detection
+src/ai/nlp.py                 # NLP keyword context analysis
+src/git_hooks/pre_commit.py   # Git pre-commit hook logic
+src/scanner.py                # Shared scan + display engine
+src/cli.py                    # CLI entry point
+install_hook.py               # One-time hook installer
+```
+
+## Setup
+
+### Option A — pip install (hook auto-installs)
+```bash
+pip install -e .
+```
+
+### Option B — clone without pip
+```bash
+pip install -r requirements.txt
+python install_hook.py
+```
+
+## Scan manually (file or folder)
+
+```bash
+# scan a single file
+sentinel --path path/to/file.py
+
+# scan an entire folder
+sentinel --path path/to/folder/
+
+# without pip install
+python -m src.cli --path path/to/file_or_folder
+```
+
+## How the pre-commit hook works
+
+Once installed, every `git commit` is automatically intercepted:
+
+```
+git commit -m "my changes"
+      |
+      v
+SentinelCodeAI scans all staged files
+      |
+      v
+HIGH risk found  --> commit BLOCKED + report shown
+All clean        --> commit goes through
+```
+
+## Run Tests
+
+```bash
+pytest tests/
+```

sentinelcodeai-0.1.0/sentinelcodeai.egg-info/SOURCES.txt

@@ -0,0 +1,22 @@
+README.md
+setup.py
+sentinelcodeai.egg-info/PKG-INFO
+sentinelcodeai.egg-info/SOURCES.txt
+sentinelcodeai.egg-info/dependency_links.txt
+sentinelcodeai.egg-info/entry_points.txt
+sentinelcodeai.egg-info/requires.txt
+sentinelcodeai.egg-info/top_level.txt
+src/__init__.py
+src/cli.py
+src/scanner.py
+src/ai/__init__.py
+src/ai/nlp.py
+src/core/__init__.py
+src/core/cpp_ast.py
+src/core/leaks.py
+src/core/secrets.py
+src/git_hooks/__init__.py
+src/git_hooks/pre_commit.py
+tests/test_ai.py
+tests/test_leaks.py
+tests/test_secrets.py

sentinelcodeai-0.1.0/sentinelcodeai.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

sentinelcodeai-0.1.0/sentinelcodeai.egg-info/entry_points.txt

@@ -0,0 +1,3 @@
+[console_scripts]
+sca = src.cli:main
+sentinel = src.cli:main

sentinelcodeai-0.1.0/sentinelcodeai.egg-info/requires.txt

@@ -0,0 +1,2 @@
+rich
+pycparser>=2.21

sentinelcodeai-0.1.0/sentinelcodeai.egg-info/top_level.txt

@@ -0,0 +1 @@
+src

sentinelcodeai-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

sentinelcodeai-0.1.0/setup.py

@@ -0,0 +1,29 @@
+from setuptools import setup, find_packages
+
+setup(
+    name="sentinelcodeai",
+    version="0.1.0",
+    author="CodeSentinel",
+    author_email="yuvadeekshithanamani@gmail.com",
+    description="Pre-commit security scanner — detects secrets and memory leaks before git commit.",
+    long_description=open("README.md", encoding="utf-8").read(),
+    long_description_content_type="text/markdown",
+    url="https://github.com/Yuva-Deekshitha-N/sentinelcodeai.git",
+    packages=find_packages(),
+    python_requires=">=3.10",
+    install_requires=[
+        "rich",
+        "pycparser>=2.21",
+    ],
+    entry_points={
+        "console_scripts": [
+            "sentinel=src.cli:main",
+            "sca=src.cli:main",
+        ]
+    },
+    classifiers=[
+        "Programming Language :: Python :: 3",
+        "License :: OSI Approved :: MIT License",
+        "Operating System :: OS Independent",
+    ],
+)

sentinelcodeai-0.1.0/src/ai/nlp.py

@@ -0,0 +1,28 @@
+import re
+
+SENSITIVE_KEYWORDS = {
+    "password":    "A variable named 'password' likely holds a plaintext credential. Plaintext passwords in code are a critical security risk.",
+    "secret":      "A variable named 'secret' may contain a cryptographic secret or API secret that should never be hardcoded.",
+    "token":       "A variable named 'token' may expose an authentication or API token that grants access to a service.",
+    "private":     "A variable named 'private' may reference a private key or sensitive private data.",
+    "credential":  "A variable named 'credential' likely holds authentication data such as a username/password pair or certificate.",
+    "api_key":     "A variable named 'api_key' almost certainly contains a service API key that should be stored in environment variables.",
+    "auth":        "A variable named 'auth' may hold authentication headers, tokens, or credentials used to access protected resources.",
+    "access_key":  "A variable named 'access_key' likely contains a cloud or service access key that grants programmatic access.",
+    "passphrase":  "A variable named 'passphrase' contains a passphrase used to protect a private key or encrypted data.",
+}
+
+
+def analyze_context(code: str) -> list[dict]:
+    findings = []
+    for line_num, line in enumerate(code.splitlines(), start=1):
+        for keyword, explanation in SENSITIVE_KEYWORDS.items():
+            if re.search(rf"\b{keyword}\b", line, re.IGNORECASE):
+                findings.append({
+                    "line": line_num,
+                    "keyword": keyword,
+                    "content": line.strip(),
+                    "risk": "MEDIUM",
+                    "explanation": explanation,
+                })
+    return findings

sentinelcodeai-0.1.0/src/cli.py

@@ -0,0 +1,85 @@
+import argparse
+import subprocess
+import sys
+from pathlib import Path
+from src.scanner import collect_files, run_scan
+from rich.console import Console
+
+console = Console()
+
+
+def install_global_hook():
+    # Global hooks folder inside SentinelCodeAI
+    hooks_dir = Path(__file__).resolve().parents[2] / "global_hooks"
+    hooks_dir.mkdir(exist_ok=True)
+
+    hook_src  = Path(__file__).resolve().parent / "git_hooks" / "pre_commit_hook.sh"
+    hook_dest = hooks_dir / "pre-commit"
+
+    if not hook_src.exists():
+        console.print("[red]ERROR: Hook source file not found.[/red]")
+        sys.exit(1)
+
+    import shutil
+    shutil.copy(str(hook_src), str(hook_dest))
+    hook_dest.chmod(0o755)
+
+    # Tell git to use this folder for hooks in every repo
+    result = subprocess.run(
+        ["git", "config", "--global", "core.hooksPath", str(hooks_dir)],
+        capture_output=True, text=True
+    )
+
+    if result.returncode != 0:
+        console.print(f"[red]ERROR: Failed to set global hooks path: {result.stderr}[/red]")
+        sys.exit(1)
+
+    console.print("[bold green]SentinelCodeAI global hook installed successfully.[/bold green]")
+    console.print(f"Hooks folder : {hooks_dir}")
+    console.print("Every git commit on this machine is now protected automatically.")
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        prog="sentinel",
+        description="SentinelCodeAI — scan a file or folder for secrets, leaks, and sensitive context.",
+    )
+    parser.add_argument(
+        "--path",
+        help="Path to a file or folder to scan.",
+    )
+    parser.add_argument(
+        "--install-global",
+        action="store_true",
+        help="Install SentinelCodeAI as a global Git hook (runs on every repo on this machine).",
+    )
+    args = parser.parse_args()
+
+    if args.install_global:
+        install_global_hook()
+        sys.exit(0)
+
+    if not args.path:
+        parser.print_help()
+        sys.exit(1)
+
+    files = collect_files(args.path)
+
+    if not files:
+        console.print("[yellow]No scannable files found.[/yellow]")
+        sys.exit(0)
+
+    console.print(f"\n[bold]Scanning {len(files)} file(s) in: {args.path}[/bold]\n")
+
+    has_high_risk = run_scan(files)
+
+    if has_high_risk:
+        console.print("\n[bold red]HIGH risk issues found. Fix them before committing.[/bold red]")
+        sys.exit(1)
+
+    console.print("\n[bold green]Scan complete. No HIGH risk issues found.[/bold green]")
+    sys.exit(0)
+
+
+if __name__ == "__main__":
+    main()

sentinelcodeai-0.1.0/src/core/cpp_ast.py

@@ -0,0 +1,235 @@
+"""
+C/C++ AST-based static analysis using pycparser.
+
+Walks the real Abstract Syntax Tree of C/C++ source files to detect:
+  - malloc() without a paired free()        → memory leak
+  - fopen() without a paired fclose()       → resource leak
+  - new without delete                      → memory leak  (regex-assisted, C++ extension)
+  - Pointer assigned then reassigned before free → dangling / lost pointer
+"""
+
+import re
+from pycparser import c_parser, c_ast, parse_file
+
+
+# ---------------------------------------------------------------------------
+# Helpers
+# ---------------------------------------------------------------------------
+
+def _strip_cpp_comments(code: str) -> str:
+    """Remove // and /* */ comments so the C parser doesn't choke."""
+    code = re.sub(r"//[^\n]*", "", code)
+    code = re.sub(r"/\*.*?\*/", "", code, flags=re.DOTALL)
+    return code
+
+
+def _remove_cpp_extensions(code: str) -> str:
+    """
+    Strip C++-only syntax that pycparser (a pure-C parser) can't handle,
+    so we can still analyse the C-style memory calls inside .cpp files.
+    """
+    # Remove #include lines
+    code = re.sub(r"^\s*#include\s*[<\"][^\n]*", "", code, flags=re.MULTILINE)
+    # Remove using namespace / using std::
+    code = re.sub(r"^\s*using\s+[^\n;]+;", "", code, flags=re.MULTILINE)
+    # Remove class / struct definitions (keep function bodies)
+    code = re.sub(r"\bclass\b", "struct", code)
+    # Remove :: scope resolution
+    code = re.sub(r"\w+::", "", code)
+    # Remove template declarations
+    code = re.sub(r"template\s*<[^>]*>", "", code)
+    # Remove C++ casts
+    code = re.sub(r"\b(static_cast|dynamic_cast|reinterpret_cast|const_cast)\s*<[^>]*>", "", code)
+    return code
+
+
+# ---------------------------------------------------------------------------
+# AST visitor — collects malloc/free/fopen/fclose call sites
+# ---------------------------------------------------------------------------
+
+class _MemoryCallVisitor(c_ast.NodeVisitor):
+    """Walk the AST and record every call to malloc/free/fopen/fclose."""
+
+    def __init__(self):
+        self.calls: list[dict] = []   # {"name": str, "line": int}
+
+    def visit_FuncCall(self, node):
+        if node.name and isinstance(node.name, c_ast.ID):
+            fn = node.name.name
+            if fn in ("malloc", "calloc", "realloc", "free", "fopen", "fclose"):
+                line = node.coord.line if node.coord else 0
+                self.calls.append({"name": fn, "line": line})
+        self.generic_visit(node)
+
+
+# ---------------------------------------------------------------------------
+# Public API
+# ---------------------------------------------------------------------------
+
+def analyze_cpp_ast(code: str) -> list[dict]:
+    """
+    Parse C/C++ source with pycparser and return AST-level findings.
+
+    Returns a list of dicts compatible with the existing leak format:
+      {type, line, content, explanation, languages, engine}
+    """
+    findings: list[dict] = []
+    lines = code.splitlines()
+
+    # ── 1. Try real AST parse ──────────────────────────────────────────────
+    ast_findings = _ast_analysis(code, lines)
+    findings.extend(ast_findings)
+
+    # ── 2. C++-only checks (new/delete, dangling ptr) via regex on raw code ─
+    findings.extend(_cpp_new_delete_analysis(code, lines))
+    findings.extend(_dangling_pointer_analysis(code, lines))
+
+    return findings
+
+
+# ---------------------------------------------------------------------------
+# AST analysis (malloc/free, fopen/fclose pairing)
+# ---------------------------------------------------------------------------
+
+def _ast_analysis(code: str, lines: list[str]) -> list[dict]:
+    findings: list[dict] = []
+
+    try:
+        clean = _strip_cpp_comments(code)
+        clean = _remove_cpp_extensions(clean)
+
+        # pycparser needs a fake libc header stub
+        parser = c_parser.CParser()
+        # Inject minimal typedefs so the parser doesn't fail on FILE*, size_t etc.
+        preamble = (
+            "typedef unsigned long size_t;\n"
+            "typedef struct _IO_FILE FILE;\n"
+            "void *malloc(size_t size);\n"
+            "void *calloc(size_t n, size_t size);\n"
+            "void *realloc(void *ptr, size_t size);\n"
+            "void  free(void *ptr);\n"
+            "FILE *fopen(const char *path, const char *mode);\n"
+            "int   fclose(FILE *stream);\n"
+        )
+        ast = parser.parse(preamble + clean, filename="<input>")
+
+        visitor = _MemoryCallVisitor()
+        visitor.visit(ast)
+
+        malloc_lines = [c["line"] for c in visitor.calls if c["name"] in ("malloc", "calloc", "realloc")]
+        free_count   = sum(1 for c in visitor.calls if c["name"] == "free")
+        fopen_lines  = [c["line"] for c in visitor.calls if c["name"] == "fopen"]
+        fclose_count = sum(1 for c in visitor.calls if c["name"] == "fclose")
+
+        # malloc without free
+        if malloc_lines and free_count == 0:
+            for ln in malloc_lines:
+                src_line = lines[ln - 1].strip() if 0 < ln <= len(lines) else ""
+                findings.append({
+                    "type": "ast_malloc_no_free",
+                    "line": ln,
+                    "content": src_line,
+                    "explanation": (
+                        "[AST] malloc/calloc/realloc detected but no free() found in this "
+                        "translation unit. Heap memory will never be returned to the OS."
+                    ),
+                    "languages": "C/C++",
+                    "engine": "AST",
+                })
+
+        # fopen without fclose
+        if fopen_lines and fclose_count == 0:
+            for ln in fopen_lines:
+                src_line = lines[ln - 1].strip() if 0 < ln <= len(lines) else ""
+                findings.append({
+                    "type": "ast_fopen_no_fclose",
+                    "line": ln,
+                    "content": src_line,
+                    "explanation": (
+                        "[AST] fopen() detected but no fclose() found in this translation unit. "
+                        "The file descriptor will leak until the process exits."
+                    ),
+                    "languages": "C/C++",
+                    "engine": "AST",
+                })
+
+    except Exception:
+        # Parser failed (complex C++ syntax) — fall back silently; regex layer still runs
+        pass
+
+    return findings
+
+
+# ---------------------------------------------------------------------------
+# C++ new / delete analysis (regex-assisted, AST-style pairing logic)
+# ---------------------------------------------------------------------------
+
+def _cpp_new_delete_analysis(code: str, lines: list[str]) -> list[dict]:
+    findings: list[dict] = []
+
+    new_lines    = [i + 1 for i, l in enumerate(lines) if re.search(r"\bnew\b", l)]
+    delete_count = sum(1 for l in lines if re.search(r"\bdelete\b", l))
+
+    if new_lines and delete_count == 0:
+        for ln in new_lines:
+            findings.append({
+                "type": "ast_new_no_delete",
+                "line": ln,
+                "content": lines[ln - 1].strip(),
+                "explanation": (
+                    "[AST] 'new' allocates heap memory but no 'delete' was found. "
+                    "Prefer smart pointers (std::unique_ptr / std::shared_ptr) to avoid leaks."
+                ),
+                "languages": "C++",
+                "engine": "AST",
+            })
+
+    return findings
+
+
+# ---------------------------------------------------------------------------
+# Dangling pointer detection
+# ---------------------------------------------------------------------------
+
+def _dangling_pointer_analysis(code: str, lines: list[str]) -> list[dict]:
+    """
+    Detect the pattern:
+        ptr = malloc(...);   ← allocation
+        ptr = something;     ← reassignment WITHOUT free → original block lost
+    """
+    findings: list[dict] = []
+
+    # Collect pointer names that were malloc'd
+    malloc_vars: dict[str, int] = {}
+    for i, line in enumerate(lines, start=1):
+        m = re.search(r"\b(\w+)\s*=\s*(?:malloc|calloc|realloc)\s*\(", line)
+        if m:
+            malloc_vars[m.group(1)] = i
+
+    # Check if any of those vars are reassigned without a free in between
+    for var, alloc_line in malloc_vars.items():
+        freed = False
+        for i, line in enumerate(lines, start=1):
+            if i <= alloc_line:
+                continue
+            if re.search(rf"\bfree\s*\(\s*{var}\s*\)", line):
+                freed = True
+                break
+            # Reassigned without free
+            if re.search(rf"\b{var}\s*=\s*(?!NULL|nullptr|0\b)", line):
+                if not freed:
+                    findings.append({
+                        "type": "ast_dangling_pointer",
+                        "line": i,
+                        "content": lines[i - 1].strip(),
+                        "explanation": (
+                            f"[AST] Pointer '{var}' (allocated at line {alloc_line}) is "
+                            "reassigned before being freed. The original heap block is lost — "
+                            "this is a classic dangling/lost-pointer memory leak."
+                        ),
+                        "languages": "C/C++",
+                        "engine": "AST",
+                    })
+                break
+
+    return findings

sentinelcodeai-0.1.0/src/core/leaks.py

@@ -0,0 +1,82 @@
+import re
+
+# Regex-based leak patterns — works across Python, C++, Java, JS, etc.
+LEAK_PATTERNS = {
+    # Python
+    "python_unclosed_file": {
+        "pattern": r"\bopen\s*\([^)]+\)(?!\s*as\b)",
+        "explanation": "open() called without a 'with' block. File handle may never be closed, leaking OS resources.",
+        "languages": "Python",
+    },
+    "python_unclosed_db": {
+        "pattern": r"\b(psycopg2|pymysql|sqlite3|cx_Oracle|pyodbc)\.connect\s*\(",
+        "explanation": "Database connection opened. If not closed or used in a context manager, the connection leaks and exhausts the DB connection pool.",
+        "languages": "Python",
+    },
+    "python_unclosed_socket": {
+        "pattern": r"\bsocket\.socket\s*\(",
+        "explanation": "Socket created without a 'with' block. Unclosed sockets leak file descriptors and can cause connection exhaustion.",
+        "languages": "Python",
+    },
+    "python_unclosed_session": {
+        "pattern": r"\brequests\.Session\s*\(\s*\)(?!\s*as\b)",
+        "explanation": "requests.Session() opened without a context manager. Unclosed sessions leak TCP connections.",
+        "languages": "Python",
+    },
+
+    # C / C++
+    "cpp_malloc_no_free": {
+        "pattern": r"\bmalloc\s*\(",
+        "explanation": "malloc() allocates heap memory. If free() is never called, this causes a memory leak that grows over time.",
+        "languages": "C/C++",
+    },
+    "cpp_new_no_delete": {
+        "pattern": r"\bnew\s+\w+",
+        "explanation": "'new' allocates heap memory. Without a matching 'delete', the memory is never returned to the OS.",
+        "languages": "C/C++",
+    },
+    "cpp_fopen_no_fclose": {
+        "pattern": r"\bfopen\s*\(",
+        "explanation": "fopen() opens a file handle. If fclose() is never called, the file descriptor leaks.",
+        "languages": "C/C++",
+    },
+
+    # Java
+    "java_unclosed_stream": {
+        "pattern": r"\bnew\s+(FileInputStream|FileOutputStream|BufferedReader|FileReader|FileWriter)\s*\(",
+        "explanation": "Java stream opened without try-with-resources. If close() is not called, the stream leaks file descriptors.",
+        "languages": "Java",
+    },
+    "java_unclosed_connection": {
+        "pattern": r"\bDriverManager\.getConnection\s*\(",
+        "explanation": "JDBC connection opened. If not closed in a finally block or try-with-resources, the DB connection leaks.",
+        "languages": "Java",
+    },
+
+    # JavaScript / TypeScript
+    "js_unclosed_fs": {
+        "pattern": r"\bfs\.open\s*\(",
+        "explanation": "fs.open() called without a corresponding fs.close(). Leaks file descriptors in Node.js.",
+        "languages": "JavaScript/TypeScript",
+    },
+    "js_event_listener": {
+        "pattern": r"\baddEventListener\s*\(",
+        "explanation": "Event listener added. If removeEventListener() is never called, it prevents garbage collection and causes memory leaks.",
+        "languages": "JavaScript/TypeScript",
+    },
+}
+
+
+def detect_leaks(code: str) -> list[dict]:
+    findings = []
+    for line_num, line in enumerate(code.splitlines(), start=1):
+        for leak_type, config in LEAK_PATTERNS.items():
+            if re.search(config["pattern"], line):
+                findings.append({
+                    "type": leak_type,
+                    "line": line_num,
+                    "content": line.strip(),
+                    "explanation": config["explanation"],
+                    "languages": config["languages"],
+                })
+    return findings

sentinelcodeai-0.1.0/src/core/secrets.py

@@ -0,0 +1,130 @@
+import re
+from typing import List, Dict
+
+#  Secret patterns with risk levels and explanations
+SECRET_PATTERNS = {
+    "aws_access_key": {
+        "pattern": r"AKIA[0-9A-Z]{16}",
+        "risk": "HIGH",
+        "explanation": "Hardcoded AWS Access Key ID detected. Attackers can use this to access your AWS account, spin up resources, steal data, or incur massive charges."
+    },
+    "aws_secret_key": {
+        "pattern": r"(?i)aws(.{0,20})?['\"][0-9a-zA-Z/+]{40}['\"]",
+        "risk": "HIGH",
+        "explanation": "Hardcoded AWS Secret Access Key detected. Combined with an Access Key ID, this grants full programmatic access to your AWS account."
+    },
+    "generic_api_key": {
+        "pattern": r"(?i)(api_key|apikey|api-key)\s*=\s*['\"][a-zA-Z0-9]{16,}['\"]",
+        "risk": "HIGH",
+        "explanation": "A hardcoded API key was found. If this key is pushed to a public repo, any third party can authenticate as you and abuse the associated service."
+    },
+    "private_key": {
+        "pattern": r"-----BEGIN (RSA|EC|DSA|OPENSSH) PRIVATE KEY-----",
+        "risk": "HIGH",
+        "explanation": "A private cryptographic key is embedded in the code. This can be used to impersonate your server, decrypt communications, or forge signatures."
+    },
+    "password": {
+        "pattern": r"(?i)(password|passwd|pwd)\s*=\s*['\"].{6,}['\"]",
+        "risk": "HIGH",
+        "explanation": "A plaintext password is hardcoded. Passwords in source code are permanently stored in Git history even after deletion and can be extracted by anyone with repo access."
+    },
+    "github_token": {
+        "pattern": r"ghp_[A-Za-z0-9]{36}",
+        "risk": "HIGH",
+        "explanation": "A GitHub Personal Access Token was found. This grants the holder read/write access to your repositories and account settings."
+    },
+    "jwt_token": {
+        "pattern": r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+",
+        "risk": "MEDIUM",
+        "explanation": "A JWT token is hardcoded. If unexpired, it can be replayed to authenticate as the token's subject without needing credentials."
+    },
+    "google_api_key": {
+        "pattern": r"AIza[0-9A-Za-z\-_]{35}",
+        "risk": "HIGH",
+        "explanation": "A Google API key was found. Exposure can lead to quota theft, unauthorized use of Google services, and unexpected billing on your account."
+    },
+    "slack_token": {
+        "pattern": r"xox[baprs]-[0-9a-zA-Z]{10,48}",
+        "risk": "HIGH",
+        "explanation": "A Slack token is hardcoded. This allows an attacker to read messages, post as your bot/user, and access private channels in your workspace."
+    },
+    "database_url": {
+        "pattern": r"(postgres|mysql)://.*:.*@",
+        "risk": "HIGH",
+        "explanation": "A database connection URL with embedded credentials was found. This exposes your database host, username, and password to anyone who reads the code."
+    },
+    "mongodb_url": {
+        "pattern": r"mongodb(\+srv)?://[^:]+:[^@]+@",
+        "risk": "HIGH",
+        "explanation": "A MongoDB connection string with embedded credentials was found. Exposes your database host, username, and password publicly."
+    },
+    "firebase_api_key": {
+        "pattern": r"(?i)firebase.*api.?key\s*[=:]\s*['\"][A-Za-z0-9_\-]{20,}['\"]",
+        "risk": "HIGH",
+        "explanation": "A Firebase API key was found. Exposes your Firebase project to unauthorized reads, writes, and abuse of Firebase services."
+    },
+    "firebase_db_url": {
+        "pattern": r"https://[a-z0-9-]+\.firebaseio\.com",
+        "risk": "HIGH",
+        "explanation": "A Firebase Realtime Database URL was found. If database rules are misconfigured, attackers can read or write all data."
+    },
+    "firebase_secret": {
+        "pattern": r"(?i)firebase.{0,20}secret\s*[=:]\s*['\"][A-Za-z0-9]{20,}['\"]",
+        "risk": "HIGH",
+        "explanation": "A Firebase legacy secret was found. This grants full admin access to your Firebase project."
+    },
+    "test_key": {
+        "pattern": r"(?i)test[_-]?key",
+        "risk": "LOW",
+        "explanation": "A test key identifier was found. While likely not a real secret, test keys are sometimes accidentally swapped with production keys."
+    }
+}
+
+
+def detect_secrets(code: str) -> List[Dict]:
+    """
+    Scan code and detect potential secrets.
+
+    Returns:
+        List of findings with:
+        - type
+        - risk
+        - line number
+        - matched content
+    """
+    findings = []
+
+    for line_num, line in enumerate(code.splitlines(), start=1):
+        for secret_type, config in SECRET_PATTERNS.items():
+            pattern = config["pattern"]
+            risk = config["risk"]
+
+            matches = re.findall(pattern, line)
+
+            for match in matches:
+                findings.append({
+                    "type": secret_type,
+                    "risk": risk,
+                    "line": line_num,
+                    "content": line.strip(),
+                    "matched": match if isinstance(match, str) else match[0],
+                    "explanation": config["explanation"],
+                })
+
+    return findings
+
+
+def summarize_findings(findings: List[Dict]) -> Dict:
+    """
+    Summarize findings into risk categories
+    """
+    summary = {
+        "HIGH": 0,
+        "MEDIUM": 0,
+        "LOW": 0
+    }
+
+    for f in findings:
+        summary[f["risk"]] += 1
+
+    return summary

sentinelcodeai-0.1.0/src/git_hooks/pre_commit.py

@@ -0,0 +1,66 @@
+import subprocess
+import sys
+from pathlib import Path
+from src.scanner import collect_files, run_scan
+from rich.console import Console
+
+console = Console()
+
+repo_root = Path(subprocess.run(
+    ["git", "rev-parse", "--show-toplevel"],
+    capture_output=True, text=True
+).stdout.strip()).resolve()
+
+
+# Files belonging to SentinelCodeAI itself — skip to avoid false positives
+SENTINEL_OWN_FILES = {
+    "src/core/secrets.py",
+    "src/core/leaks.py",
+    "src/ai/nlp.py",
+    "src/scanner.py",
+    "src/cli.py",
+    "src/git_hooks/pre_commit.py",
+    "README.md",
+    "tests/test_secrets.py",
+    "tests/test_leaks.py",
+    "tests/test_ai.py",
+}
+
+
+def get_staged_files() -> list[Path]:
+    try:
+        output = subprocess.check_output(
+            ["git", "diff", "--cached", "--name-only"]
+        )
+        files = []
+        for f in output.decode().splitlines():
+            if f in SENTINEL_OWN_FILES:
+                continue
+            resolved = (repo_root / f).resolve()
+            if str(resolved).startswith(str(repo_root)) and resolved.is_file():
+                files.append(resolved)
+        return files
+    except Exception:
+        return []
+
+
+def main():
+    files = get_staged_files()
+
+    if not files:
+        sys.exit(0)
+
+    console.print(f"[bold]SentinelCodeAI scanning {len(files)} staged file(s)...[/bold]\n")
+
+    has_high_risk = run_scan(files)
+
+    if has_high_risk:
+        console.print("\nCommit BLOCKED due to HIGH risk issues!", style="bold red")
+        sys.exit(1)
+
+    console.print("\nCommit Allowed", style="bold green")
+    sys.exit(0)
+
+
+if __name__ == "__main__":
+    main()

sentinelcodeai-0.1.0/src/scanner.py

@@ -0,0 +1,120 @@
+import sys
+from pathlib import Path
+from src.core.secrets import detect_secrets, summarize_findings
+from src.core.leaks import detect_leaks
+from src.core.cpp_ast import analyze_cpp_ast
+from src.ai.nlp import analyze_context
+from rich.console import Console
+
+if hasattr(sys.stdout, "reconfigure"):
+    sys.stdout.reconfigure(encoding="utf-8")
+
+console = Console()
+
+# File types to skip (binaries, media, etc.)
+SKIP_EXTENSIONS = {
+    ".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico",
+    ".pdf", ".zip", ".tar", ".gz", ".exe", ".bin",
+    ".pyc", ".pyo", ".so", ".dll", ".class",
+}
+
+
+def collect_files(path: str) -> list[Path]:
+    """Return all scannable files from a file path or folder."""
+    target = Path(path).resolve()
+    if target.is_file():
+        return [target]
+    return [
+        f for f in target.rglob("*")
+        if f.is_file() and f.suffix not in SKIP_EXTENSIONS
+    ]
+
+
+CPP_EXTENSIONS = {".c", ".cpp", ".cc", ".cxx", ".h", ".hpp"}
+
+
+def scan_file(file_path: Path) -> tuple:
+    try:
+        code = file_path.read_text(encoding="utf-8", errors="ignore")
+        findings = detect_secrets(code)
+        summary = summarize_findings(findings)
+        leaks = detect_leaks(code)
+        # Run AST engine for C/C++ files
+        if file_path.suffix.lower() in CPP_EXTENSIONS:
+            leaks = leaks + analyze_cpp_ast(code)
+        nlp_findings = analyze_context(code)
+        return findings, summary, leaks, nlp_findings
+    except Exception:
+        return [], {"HIGH": 0, "MEDIUM": 0, "LOW": 0}, [], []
+
+
+def display_results(file: str, findings, summary, leaks, nlp_findings) -> bool:
+    """Print findings for one file. Returns True if HIGH risk was found."""
+    has_high = False
+
+    # 🔴 HIGH
+    if summary["HIGH"] > 0:
+        has_high = True
+        console.print(f"[bold red]>> HIGH RISK in {file}[/bold red]")
+        for f in findings:
+            if f["risk"] == "HIGH":
+                console.print(f"[red]  {f['type']} (line {f['line']})[/red]")
+                console.print(f"   Detected : {f['matched']}")
+                console.print(f"   Why      : {f['explanation']}")
+
+    # MEDIUM
+    if summary["MEDIUM"] > 0:
+        console.print(f"[bold yellow]>> MEDIUM RISK in {file}[/bold yellow]")
+        for f in findings:
+            if f["risk"] == "MEDIUM":
+                console.print(f"[yellow]  {f['type']} (line {f['line']})[/yellow]")
+                console.print(f"   Detected : {f['matched']}")
+                console.print(f"   Why      : {f['explanation']}")
+
+    # LOW
+    if summary["LOW"] > 0:
+        console.print(f"[dim yellow]>> LOW RISK in {file}[/dim yellow]")
+        for f in findings:
+            if f["risk"] == "LOW":
+                console.print(f"[yellow]  {f['type']} (line {f['line']})[/yellow]")
+                console.print(f"   Detected : {f['matched']}")
+                console.print(f"   Why      : {f['explanation']}")
+
+    # Leaks
+    if leaks:
+        console.print(f"[yellow]>> Leak Issues in {file}[/yellow]")
+        for leak in leaks:
+            engine_tag = f" [{leak.get('engine', 'regex')}]" if leak.get('engine') else ""
+            console.print(f"[yellow]  {leak['type']}{engine_tag} (line {leak['line']}) [{leak['languages']}][/yellow]")
+            console.print(f"   Code     : {leak['content']}")
+            console.print(f"   Why      : {leak['explanation']}")
+
+    # NLP
+    if nlp_findings:
+        console.print(f"[bold cyan]>> NLP Findings in {file}[/bold cyan]")
+        for n in nlp_findings:
+            console.print(f"[cyan]  '{n['keyword']}' (line {n['line']}) - {n['risk']}[/cyan]")
+            console.print(f"   Code     : {n['content']}")
+            console.print(f"   Why      : {n['explanation']}")
+
+    # ✅ SAFE
+    if (
+        summary["HIGH"] == 0
+        and summary["MEDIUM"] == 0
+        and summary["LOW"] == 0
+        and not leaks
+        and not nlp_findings
+    ):
+        console.print(f"[bold green]SAFE: {file}[/bold green]")
+
+    return has_high
+
+
+def run_scan(files: list[Path]) -> bool:
+    """Scan a list of files. Returns True if any HIGH risk found."""
+    has_high_risk = False
+    for file_path in files:
+        findings, summary, leaks, nlp_findings = scan_file(file_path)
+        if display_results(str(file_path), findings, summary, leaks, nlp_findings):
+            has_high_risk = True
+    return has_high_risk

sentinelcodeai-0.1.0/tests/test_ai.py

@@ -0,0 +1,26 @@
+import pytest
+from src.ai.nlp import analyze_context
+
+
+def test_detects_sensitive_keyword():
+    # 'token' appears as a standalone word on this line
+    code = 'token = get_token()'
+    findings = analyze_context(code)
+    assert any(f["keyword"] == "token" for f in findings)
+
+
+def test_case_insensitive():
+    code = 'PASSWORD = os.environ["DB_PASS"]'
+    findings = analyze_context(code)
+    assert any(f["keyword"] == "password" for f in findings)
+
+
+def test_no_findings_on_clean_code():
+    code = 'def add(a, b):\n    return a + b'
+    assert analyze_context(code) == []
+
+
+def test_returns_line_number():
+    code = 'x = 1\nsecret = "abc"'
+    findings = analyze_context(code)
+    assert findings[0]["line"] == 2

sentinelcodeai-0.1.0/tests/test_leaks.py

@@ -0,0 +1,21 @@
+import pytest
+from src.core.leaks import detect_leaks
+
+
+def test_detects_unclosed_file():
+    code = 'f = open("data.txt", "r")\ndata = f.read()'
+    findings = detect_leaks(code)
+    assert any(f["type"] == "python_unclosed_file" for f in findings)
+
+
+def test_no_leak_with_context_manager():
+    code = 'with open("data.txt") as f:\n    data = f.read()'
+    findings = detect_leaks(code)
+    assert findings == []
+
+
+def test_syntax_error_handled():
+    # detect_leaks is regex-based and does not raise on syntax errors
+    code = "def broken(:"
+    findings = detect_leaks(code)
+    assert isinstance(findings, list)

sentinelcodeai-0.1.0/tests/test_secrets.py

@@ -0,0 +1,25 @@
+import pytest
+from src.core.secrets import detect_secrets
+
+
+def test_detects_aws_access_key():
+    code = 'key = "AKIAIOSFODNN7EXAMPLE"'
+    findings = detect_secrets(code)
+    assert any(f["type"] == "aws_access_key" for f in findings)
+
+
+def test_detects_password():
+    code = 'password = "supersecret123"'
+    findings = detect_secrets(code)
+    assert any(f["type"] == "password" for f in findings)
+
+
+def test_no_false_positive():
+    code = 'x = 42\nprint("hello world")'
+    assert detect_secrets(code) == []
+
+
+def test_returns_correct_line_number():
+    code = "x = 1\npassword = 'mypassword'"
+    findings = detect_secrets(code)
+    assert findings[0]["line"] == 2