wrg-devguard 0.1.0__tar.gz

wrg_devguard-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Yakuphan
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

wrg_devguard-0.1.0/PKG-INFO

@@ -0,0 +1,197 @@
+Metadata-Version: 2.4
+Name: wrg-devguard
+Version: 0.1.0
+Summary: Developer-first AI safety checks: prompt-policy lint + secret scanning. Zero-dep CLI + GitHub Action + Claude Skill + Cursor Rule.
+Author: Yakuphan Yucel
+License-Expression: MIT
+Project-URL: Homepage, https://github.com/yakuphanycl/wrg-devguard
+Project-URL: Repository, https://github.com/yakuphanycl/wrg-devguard
+Project-URL: Issues, https://github.com/yakuphanycl/wrg-devguard/issues
+Project-URL: Changelog, https://github.com/yakuphanycl/wrg-devguard/releases
+Keywords: security,secret-scanning,policy-lint,ai-safety,prompt-security,devsecops,pre-commit,github-action,claude-skill,cursor-rule
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Quality Assurance
+Classifier: Topic :: Software Development :: Testing
+Requires-Python: >=3.11
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Provides-Extra: yaml
+Requires-Dist: PyYAML>=6.0; extra == "yaml"
+Provides-Extra: dev
+Requires-Dist: pytest>=8; extra == "dev"
+Dynamic: license-file
+
+# wrg-devguard
+
+**Developer-first AI safety checks: prompt-policy lint + secret scanning.**
+
+Zero-dependency Python CLI that scans a repository for two classes of issues
+before your PR lands:
+
+1. **Leaked secrets** — API keys, private keys, tokens, common credential
+   formats in tracked files.
+2. **Prompt-policy violations** — deny-listed patterns in prompts, system
+   messages, and AI-facing text assets (configurable via JSON policy).
+
+Ships as:
+
+- A Python package (`pip install wrg-devguard`)
+- A GitHub Action (drop-in composite action for any repo)
+- A Claude Code skill (`.claude/skills/wrg-devguard/`)
+- A Cursor rule (`.cursor/rules/wrg-devguard.mdc`)
+
+No external dependencies in the core scanner (stdlib only). Optional `[yaml]`
+extra for YAML policy files. Optional `bandit` subcommand for Python security
+scanning.
+
+## Install
+
+```bash
+pip install wrg-devguard
+```
+
+For YAML policy support:
+
+```bash
+pip install "wrg-devguard[yaml]"
+```
+
+## Quick start
+
+```bash
+# Run both checks and fail on any high-severity finding
+wrg-devguard check --path . --fail-on error
+
+# Scan only for leaked secrets
+wrg-devguard scan-secrets --path .
+
+# Lint AI-facing text assets against a policy
+wrg-devguard lint-policy --path . --profile strict
+
+# Emit a JSON report for CI
+wrg-devguard check --path . --json-out wrg-devguard-report.json
+```
+
+## GitHub Action
+
+```yaml
+# .github/workflows/security.yml
+name: security
+on: [pull_request, push]
+
+jobs:
+  wrg-devguard:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: yakuphanycl/wrg-devguard@v1
+        with:
+          profile: strict
+          fail-on: error
+```
+
+See [`action.yml`](./action.yml) for all inputs.
+
+## Claude Code skill
+
+Drop the skill into your workspace:
+
+```bash
+mkdir -p .claude/skills/wrg-devguard
+curl -L https://raw.githubusercontent.com/yakuphanycl/wrg-devguard/main/.claude/skills/wrg-devguard/SKILL.md \
+  -o .claude/skills/wrg-devguard/SKILL.md
+```
+
+Claude Code will surface the skill automatically when you ask things like
+"scan for secrets", "is this safe to commit", or "check for leaks".
+
+## Cursor rule
+
+Drop the rule into your workspace:
+
+```bash
+mkdir -p .cursor/rules
+curl -L https://raw.githubusercontent.com/yakuphanycl/wrg-devguard/main/.cursor/rules/wrg-devguard.mdc \
+  -o .cursor/rules/wrg-devguard.mdc
+```
+
+Cursor will apply the rule before suggesting any `git commit` command.
+
+## Policy file
+
+Default lookup order:
+
+1. `--policy <path>` argument if provided
+2. `.wrg/policy.json` at the repo root
+3. Built-in defaults
+
+Profiles:
+
+- `default` → PR-friendly baseline (recommended for CI)
+- `strict` → stricter local/release audits (use `--profile strict`)
+
+Place custom policies in `.wrg/policy.json` (JSON) or `.wrg/policy.yaml`
+(requires `[yaml]` extra).
+
+## Commands
+
+```
+wrg-devguard profiles                           # list available profiles
+wrg-devguard lint-policy --path .               # policy lint only
+wrg-devguard scan-secrets --path .              # secret scan only
+wrg-devguard check --path .                     # both, single JSON report
+wrg-devguard check --path . --profile strict
+wrg-devguard check --path . --json-out report.json
+wrg-devguard check --path . --fail-on warning
+wrg-devguard check --path . --allowlist .wrg/allowlist.json
+wrg-devguard bandit --path src/                 # optional: bandit wrapper
+```
+
+## Exit codes
+
+- `0` — no findings above threshold
+- `1` — findings at or above `--fail-on` threshold
+- `2` — configuration or input error
+
+## Why another secret scanner?
+
+- **Zero runtime deps** — the core scanner is stdlib only, so `pip install` is
+  instant and works in any sandbox.
+- **Policy lint in the same tool** — most scanners only do secrets. We also
+  catch prompt-policy violations (deny-listed patterns, hardcoded system
+  prompts, PII in AI-facing text).
+- **AI-native UX** — ships with a Claude skill and a Cursor rule so the
+  scanner runs automatically inside your AI coding assistant, not just in CI.
+- **Stable JSON schema** — `check --json-out` emits a versioned schema that
+  never breaks.
+
+## Development
+
+```bash
+git clone https://github.com/yakuphanycl/wrg-devguard.git
+cd wrg-devguard
+pip install -e ".[dev]"
+pytest -q
+```
+
+## License
+
+MIT. See [LICENSE](./LICENSE).
+
+## Contributing
+
+Issues and PRs welcome. For substantial changes, open an issue first to
+discuss scope.
+
+---
+
+Part of the [WinstonRedGuard](https://github.com/yakuphanycl/WinstonRedGuard)
+ecosystem. The monorepo at `apps/wrg_devguard/` is the canonical source; this
+repo is a distribution mirror kept in sync on every release.

wrg_devguard-0.1.0/README.md

@@ -0,0 +1,167 @@
+# wrg-devguard
+
+**Developer-first AI safety checks: prompt-policy lint + secret scanning.**
+
+Zero-dependency Python CLI that scans a repository for two classes of issues
+before your PR lands:
+
+1. **Leaked secrets** — API keys, private keys, tokens, common credential
+   formats in tracked files.
+2. **Prompt-policy violations** — deny-listed patterns in prompts, system
+   messages, and AI-facing text assets (configurable via JSON policy).
+
+Ships as:
+
+- A Python package (`pip install wrg-devguard`)
+- A GitHub Action (drop-in composite action for any repo)
+- A Claude Code skill (`.claude/skills/wrg-devguard/`)
+- A Cursor rule (`.cursor/rules/wrg-devguard.mdc`)
+
+No external dependencies in the core scanner (stdlib only). Optional `[yaml]`
+extra for YAML policy files. Optional `bandit` subcommand for Python security
+scanning.
+
+## Install
+
+```bash
+pip install wrg-devguard
+```
+
+For YAML policy support:
+
+```bash
+pip install "wrg-devguard[yaml]"
+```
+
+## Quick start
+
+```bash
+# Run both checks and fail on any high-severity finding
+wrg-devguard check --path . --fail-on error
+
+# Scan only for leaked secrets
+wrg-devguard scan-secrets --path .
+
+# Lint AI-facing text assets against a policy
+wrg-devguard lint-policy --path . --profile strict
+
+# Emit a JSON report for CI
+wrg-devguard check --path . --json-out wrg-devguard-report.json
+```
+
+## GitHub Action
+
+```yaml
+# .github/workflows/security.yml
+name: security
+on: [pull_request, push]
+
+jobs:
+  wrg-devguard:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: yakuphanycl/wrg-devguard@v1
+        with:
+          profile: strict
+          fail-on: error
+```
+
+See [`action.yml`](./action.yml) for all inputs.
+
+## Claude Code skill
+
+Drop the skill into your workspace:
+
+```bash
+mkdir -p .claude/skills/wrg-devguard
+curl -L https://raw.githubusercontent.com/yakuphanycl/wrg-devguard/main/.claude/skills/wrg-devguard/SKILL.md \
+  -o .claude/skills/wrg-devguard/SKILL.md
+```
+
+Claude Code will surface the skill automatically when you ask things like
+"scan for secrets", "is this safe to commit", or "check for leaks".
+
+## Cursor rule
+
+Drop the rule into your workspace:
+
+```bash
+mkdir -p .cursor/rules
+curl -L https://raw.githubusercontent.com/yakuphanycl/wrg-devguard/main/.cursor/rules/wrg-devguard.mdc \
+  -o .cursor/rules/wrg-devguard.mdc
+```
+
+Cursor will apply the rule before suggesting any `git commit` command.
+
+## Policy file
+
+Default lookup order:
+
+1. `--policy <path>` argument if provided
+2. `.wrg/policy.json` at the repo root
+3. Built-in defaults
+
+Profiles:
+
+- `default` → PR-friendly baseline (recommended for CI)
+- `strict` → stricter local/release audits (use `--profile strict`)
+
+Place custom policies in `.wrg/policy.json` (JSON) or `.wrg/policy.yaml`
+(requires `[yaml]` extra).
+
+## Commands
+
+```
+wrg-devguard profiles                           # list available profiles
+wrg-devguard lint-policy --path .               # policy lint only
+wrg-devguard scan-secrets --path .              # secret scan only
+wrg-devguard check --path .                     # both, single JSON report
+wrg-devguard check --path . --profile strict
+wrg-devguard check --path . --json-out report.json
+wrg-devguard check --path . --fail-on warning
+wrg-devguard check --path . --allowlist .wrg/allowlist.json
+wrg-devguard bandit --path src/                 # optional: bandit wrapper
+```
+
+## Exit codes
+
+- `0` — no findings above threshold
+- `1` — findings at or above `--fail-on` threshold
+- `2` — configuration or input error
+
+## Why another secret scanner?
+
+- **Zero runtime deps** — the core scanner is stdlib only, so `pip install` is
+  instant and works in any sandbox.
+- **Policy lint in the same tool** — most scanners only do secrets. We also
+  catch prompt-policy violations (deny-listed patterns, hardcoded system
+  prompts, PII in AI-facing text).
+- **AI-native UX** — ships with a Claude skill and a Cursor rule so the
+  scanner runs automatically inside your AI coding assistant, not just in CI.
+- **Stable JSON schema** — `check --json-out` emits a versioned schema that
+  never breaks.
+
+## Development
+
+```bash
+git clone https://github.com/yakuphanycl/wrg-devguard.git
+cd wrg-devguard
+pip install -e ".[dev]"
+pytest -q
+```
+
+## License
+
+MIT. See [LICENSE](./LICENSE).
+
+## Contributing
+
+Issues and PRs welcome. For substantial changes, open an issue first to
+discuss scope.
+
+---
+
+Part of the [WinstonRedGuard](https://github.com/yakuphanycl/WinstonRedGuard)
+ecosystem. The monorepo at `apps/wrg_devguard/` is the canonical source; this
+repo is a distribution mirror kept in sync on every release.

wrg_devguard-0.1.0/pyproject.toml

@@ -0,0 +1,70 @@
+[build-system]
+requires = ["setuptools>=68"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "wrg-devguard"
+version = "0.1.0"
+description = "Developer-first AI safety checks: prompt-policy lint + secret scanning. Zero-dep CLI + GitHub Action + Claude Skill + Cursor Rule."
+readme = "README.md"
+license = "MIT"
+license-files = ["LICENSE"]
+authors = [
+    { name = "Yakuphan Yucel" },
+]
+requires-python = ">=3.11"
+keywords = [
+    "security",
+    "secret-scanning",
+    "policy-lint",
+    "ai-safety",
+    "prompt-security",
+    "devsecops",
+    "pre-commit",
+    "github-action",
+    "claude-skill",
+    "cursor-rule",
+]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Intended Audience :: Developers",
+    "Operating System :: OS Independent",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Topic :: Security",
+    "Topic :: Software Development :: Quality Assurance",
+    "Topic :: Software Development :: Testing",
+]
+dependencies = []
+
+[project.optional-dependencies]
+yaml = [
+    "PyYAML>=6.0",
+]
+dev = [
+    "pytest>=8",
+]
+
+[project.urls]
+Homepage = "https://github.com/yakuphanycl/wrg-devguard"
+Repository = "https://github.com/yakuphanycl/wrg-devguard"
+Issues = "https://github.com/yakuphanycl/wrg-devguard/issues"
+Changelog = "https://github.com/yakuphanycl/wrg-devguard/releases"
+
+[project.scripts]
+wrg-devguard = "wrg_devguard.cli:main"
+
+[tool.setuptools]
+package-dir = {"" = "src"}
+
+[tool.setuptools.packages.find]
+where = ["src"]
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+markers = [
+    "unit: isolated unit test (no network, no real services)",
+    "integration: exercises a real external service or SDK",
+]

wrg_devguard-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

wrg_devguard-0.1.0/src/wrg_devguard/__init__.py

@@ -0,0 +1,6 @@
+"""wrg_devguard package."""
+
+from __future__ import annotations
+
+__version__ = "0.1.0"
+