zwischen-cli 0.1.0__py3-none-any.whl

zwischen/__init__.py

@@ -0,0 +1,22 @@
+"""Zwischen - AI-augmented security scanning for vibe coders."""
+
+__version__ = "0.1.0"
+
+from .scanner import scan, run_gitleaks, run_semgrep
+from .installer import install_gitleaks, get_gitleaks_path, is_gitleaks_installed
+from .config import load_config, create_config
+from .ai import analyze_with_ai
+from .detector import detect_project
+
+__all__ = [
+    "scan",
+    "run_gitleaks",
+    "run_semgrep",
+    "install_gitleaks",
+    "get_gitleaks_path",
+    "is_gitleaks_installed",
+    "load_config",
+    "create_config",
+    "analyze_with_ai",
+    "detect_project",
+]

zwischen/ai.py

@@ -0,0 +1,180 @@
+"""AI provider clients for Zwischen."""
+
+import json
+import os
+import re
+from typing import Any
+
+import requests
+
+
+def _build_prompt(findings: list[dict]) -> str:
+    """Build AI analysis prompt."""
+    def format_finding(i: int, f: dict) -> str:
+        code_line = f"   Code: {f['code_snippet']}" if f.get('code_snippet') else ""
+        return (
+            f"{i + 1}. [{(f.get('severity') or 'medium').upper()}] {f['file']}:{f['line']}\n"
+            f"   Rule: {f.get('rule_id', 'unknown')}\n"
+            f"   Message: {f.get('message', '')}\n"
+            f"{code_line}"
+        )
+
+    findings_text = "\n\n".join(format_finding(i, f) for i, f in enumerate(findings))
+
+    return f"""You are a senior security engineer reviewing security scan findings. Analyze the following findings and provide:
+
+1. Prioritization: Which findings are most critical and should be addressed first?
+2. False positives: Are any of these false positives that can be safely ignored?
+3. Fix suggestions: For each real finding, provide a clear, actionable fix suggestion.
+
+Findings:
+{findings_text}
+
+Please respond in the following JSON format for each finding (by index number):
+{{
+  "1": {{
+    "priority": "high|medium|low",
+    "is_false_positive": false,
+    "fix_suggestion": "Clear explanation of how to fix this issue",
+    "risk_explanation": "Why this is a security risk"
+  }}
+}}
+
+If a finding is a false positive, set is_false_positive to true and explain why."""
+
+
+def _call_ollama(prompt: str, config: dict) -> str:
+    """Call Ollama API."""
+    base_url = config.get("url", "http://localhost:11434")
+    model = config.get("model", "llama3")
+
+    response = requests.post(
+        f"{base_url}/api/chat",
+        json={
+            "model": model,
+            "messages": [{"role": "user", "content": prompt}],
+            "stream": False,
+        },
+        timeout=120,
+    )
+
+    if response.status_code != 200:
+        raise Exception(f"Ollama error: {response.text}")
+
+    data = response.json()
+    if "error" in data:
+        raise Exception(f"Ollama error: {data['error']}")
+
+    return data.get("message", {}).get("content", "")
+
+
+def _call_openai(prompt: str, config: dict) -> str:
+    """Call OpenAI API."""
+    api_key = config.get("api_key") or os.environ.get("OPENAI_API_KEY")
+    if not api_key:
+        raise Exception("OpenAI API key not found. Set OPENAI_API_KEY or provide --api-key")
+
+    model = config.get("model", "gpt-4o-mini")
+
+    response = requests.post(
+        "https://api.openai.com/v1/chat/completions",
+        headers={
+            "Authorization": f"Bearer {api_key}",
+            "Content-Type": "application/json",
+        },
+        json={
+            "model": model,
+            "messages": [{"role": "user", "content": prompt}],
+        },
+        timeout=120,
+    )
+
+    if response.status_code != 200:
+        raise Exception(f"OpenAI error: {response.text}")
+
+    data = response.json()
+    if "error" in data:
+        raise Exception(f"OpenAI error: {data['error']['message']}")
+
+    return data.get("choices", [{}])[0].get("message", {}).get("content", "")
+
+
+def _call_anthropic(prompt: str, config: dict) -> str:
+    """Call Anthropic API."""
+    api_key = config.get("api_key") or os.environ.get("ANTHROPIC_API_KEY")
+    if not api_key:
+        raise Exception("Anthropic API key not found. Set ANTHROPIC_API_KEY or provide --api-key")
+
+    model = config.get("model", "claude-3-haiku-20240307")
+
+    response = requests.post(
+        "https://api.anthropic.com/v1/messages",
+        headers={
+            "x-api-key": api_key,
+            "anthropic-version": "2023-06-01",
+            "Content-Type": "application/json",
+        },
+        json={
+            "model": model,
+            "max_tokens": 4096,
+            "messages": [{"role": "user", "content": prompt}],
+        },
+        timeout=120,
+    )
+
+    if response.status_code != 200:
+        raise Exception(f"Anthropic error: {response.text}")
+
+    data = response.json()
+    if "error" in data:
+        raise Exception(f"Anthropic error: {data['error']['message']}")
+
+    return data.get("content", [{}])[0].get("text", "")
+
+
+def analyze_with_ai(
+    findings: list[dict],
+    provider: str = "ollama",
+    api_key: str | None = None,
+    **config,
+) -> list[dict]:
+    """Analyze findings with AI."""
+    if not findings:
+        return findings
+
+    prompt = _build_prompt(findings)
+    config["api_key"] = api_key
+
+    provider = provider.lower()
+    if provider == "ollama":
+        response = _call_ollama(prompt, config)
+    elif provider == "openai":
+        response = _call_openai(prompt, config)
+    elif provider in ("anthropic", "claude"):
+        response = _call_anthropic(prompt, config)
+    else:
+        raise Exception(f"Unknown AI provider: {provider}")
+
+    # Parse AI response
+    try:
+        json_match = re.search(r"\{[\s\S]*\}", response)
+        if not json_match:
+            return findings
+
+        analysis = json.loads(json_match.group())
+
+        return [
+            {
+                **f,
+                "ai_priority": analysis.get(str(i + 1), {}).get("priority"),
+                "ai_false_positive": analysis.get(str(i + 1), {}).get("is_false_positive", False),
+                "ai_fix_suggestion": analysis.get(str(i + 1), {}).get("fix_suggestion"),
+                "ai_risk_explanation": analysis.get(str(i + 1), {}).get("risk_explanation"),
+            }
+            for i, f in enumerate(findings)
+        ]
+
+    except (json.JSONDecodeError, Exception) as e:
+        if os.environ.get("DEBUG"):
+            print(f"Failed to parse AI response: {e}")
+        return findings

zwischen/cli.py

@@ -0,0 +1,39 @@
+"""Command-line interface for Zwischen."""
+
+import click
+from .scanner import scan as do_scan
+from .init import init as do_init
+from .doctor import doctor as do_doctor
+
+
+@click.group()
+@click.version_option()
+def main():
+    """AI-augmented security scanning for vibe coders."""
+    pass
+
+
+@main.command()
+def init():
+    """Initialize Zwischen in your project."""
+    do_init()
+
+
+@main.command()
+@click.option("--ai", help="AI provider (ollama, openai, anthropic)")
+@click.option("--api-key", help="API key for AI provider")
+@click.option("--format", "output_format", default="terminal", help="Output format (terminal, json)")
+@click.option("--pre-push", is_flag=True, help="Pre-push mode (compact output)")
+def scan(ai, api_key, output_format, pre_push):
+    """Run security scan."""
+    do_scan(ai=ai, api_key=api_key, output_format=output_format, pre_push=pre_push)
+
+
+@main.command()
+def doctor():
+    """Check if required tools are installed."""
+    do_doctor()
+
+
+if __name__ == "__main__":
+    main()

zwischen/config.py

@@ -0,0 +1,103 @@
+"""Configuration handling for Zwischen."""
+
+from pathlib import Path
+from typing import Any
+import yaml
+
+DEFAULT_CONFIG = {
+    "ai": {
+        "enabled": True,
+        "pre_push_enabled": False,
+        "provider": "ollama",
+        "model": "llama3",
+    },
+    "blocking": {
+        "severity": "high",
+    },
+    "scanners": {
+        "gitleaks": {"enabled": True},
+        "semgrep": {"enabled": True, "config": "p/security-audit"},
+    },
+    "ignore": [
+        "**/node_modules/**",
+        "**/vendor/**",
+        "**/.git/**",
+        "**/dist/**",
+        "**/build/**",
+        "**/test/fixtures/**",
+    ],
+}
+
+EXAMPLE_CONFIG = """# Zwischen Configuration
+
+# AI Provider Configuration
+ai:
+  enabled: true
+  pre_push_enabled: false  # Disable AI in pre-push hooks (performance)
+  provider: ollama         # Options: ollama, openai, anthropic
+  model: llama3            # Model name for your provider
+  # url: http://localhost:11434  # For Ollama (default)
+  # api_key: null          # For OpenAI/Anthropic (or use env vars)
+
+# What blocks a push
+blocking:
+  severity: high  # block on high or critical (default)
+  # severity: critical  # only block on critical
+  # severity: none  # never block, just warn
+
+# Scanner Configuration
+scanners:
+  gitleaks: true  # Auto-installed if missing
+  semgrep: true   # Optional, install with: pip install semgrep
+
+# Ignored Paths (glob patterns)
+ignore:
+  - "**/node_modules/**"
+  - "**/vendor/**"
+  - "**/.git/**"
+  - "**/dist/**"
+  - "**/build/**"
+"""
+
+
+def deep_merge(base: dict, override: dict) -> dict:
+    """Deep merge two dictionaries."""
+    result = base.copy()
+    for key, value in override.items():
+        if (
+            key in result
+            and isinstance(result[key], dict)
+            and isinstance(value, dict)
+        ):
+            result[key] = deep_merge(result[key], value)
+        else:
+            result[key] = value
+    return result
+
+
+def load_config(project_root: str | Path = ".") -> dict:
+    """Load configuration from .zwischen.yml."""
+    config_path = Path(project_root) / ".zwischen.yml"
+
+    if not config_path.exists():
+        return DEFAULT_CONFIG.copy()
+
+    try:
+        with open(config_path) as f:
+            user_config = yaml.safe_load(f) or {}
+        return deep_merge(DEFAULT_CONFIG, user_config)
+    except Exception as e:
+        print(f"Warning: Could not parse .zwischen.yml: {e}")
+        return DEFAULT_CONFIG.copy()
+
+
+def create_config(project_root: str | Path = ".") -> bool:
+    """Create configuration file."""
+    config_path = Path(project_root) / ".zwischen.yml"
+
+    if config_path.exists():
+        return False
+
+    with open(config_path, "w") as f:
+        f.write(EXAMPLE_CONFIG)
+    return True

zwischen/detector.py

@@ -0,0 +1,191 @@
+"""Project and framework detection for Zwischen."""
+
+import json
+from pathlib import Path
+from typing import Any
+
+# Base detection patterns
+DETECTION_PATTERNS = {
+    "node": ["package.json"],
+    "python": ["requirements.txt", "pyproject.toml", "setup.py", "Pipfile", "poetry.lock"],
+    "ruby": ["Gemfile", "Rakefile"],
+    "go": ["go.mod", "go.sum"],
+    "java": ["pom.xml", "build.gradle", "build.gradle.kts"],
+    "rust": ["Cargo.toml", "Cargo.lock"],
+    "php": ["composer.json"],
+    "dotnet": ["*.csproj", "*.sln", "*.fsproj"],
+}
+
+# JS framework detection
+JS_FRAMEWORKS = {
+    "nextjs": ["next"],
+    "react": ["react"],
+    "vue": ["vue"],
+    "angular": ["@angular/core"],
+    "svelte": ["svelte"],
+    "express": ["express"],
+    "nestjs": ["@nestjs/core"],
+    "nuxt": ["nuxt"],
+    "remix": ["@remix-run/react"],
+    "astro": ["astro"],
+    "gatsby": ["gatsby"],
+}
+
+# Python framework detection
+PYTHON_FRAMEWORKS = {
+    "django": ["django"],
+    "fastapi": ["fastapi"],
+    "flask": ["flask"],
+    "pyramid": ["pyramid"],
+    "tornado": ["tornado"],
+    "starlette": ["starlette"],
+    "streamlit": ["streamlit"],
+    "jupyter": ["jupyter", "jupyterlab", "notebook"],
+}
+
+# Ruby framework detection
+RUBY_FRAMEWORKS = {
+    "rails": ["rails"],
+    "sinatra": ["sinatra"],
+    "hanami": ["hanami"],
+    "grape": ["grape"],
+    "roda": ["roda"],
+}
+
+# Framework to language mapping
+FRAMEWORK_LANGUAGES = {
+    "nextjs": "javascript", "react": "javascript", "vue": "javascript",
+    "angular": "typescript", "svelte": "javascript", "express": "javascript",
+    "nestjs": "typescript", "nuxt": "javascript", "remix": "javascript",
+    "astro": "javascript", "gatsby": "javascript",
+    "django": "python", "fastapi": "python", "flask": "python",
+    "pyramid": "python", "tornado": "python", "starlette": "python",
+    "streamlit": "python", "jupyter": "python",
+    "rails": "ruby", "sinatra": "ruby", "hanami": "ruby",
+    "grape": "ruby", "roda": "ruby",
+}
+
+
+def detect_project(project_root: str | Path = ".") -> dict[str, Any]:
+    """Detect project type and frameworks."""
+    project_root = Path(project_root)
+
+    types = _detect_base_types(project_root)
+    frameworks = _detect_frameworks(project_root)
+
+    primary = frameworks[0] if frameworks else (types[0] if types else None)
+    language = (
+        FRAMEWORK_LANGUAGES.get(frameworks[0], types[0] if types else "unknown")
+        if frameworks
+        else (types[0] if types else "unknown")
+    )
+
+    return {
+        "types": types,
+        "primary_type": primary,
+        "language": language,
+        "frameworks": frameworks,
+        "root": str(project_root),
+    }
+
+
+def _detect_base_types(project_root: Path) -> list[str]:
+    """Detect base project types."""
+    detected = []
+
+    for type_name, patterns in DETECTION_PATTERNS.items():
+        if any(_matches_pattern(project_root, p) for p in patterns):
+            detected.append(type_name)
+
+    return detected
+
+
+def _matches_pattern(project_root: Path, pattern: str) -> bool:
+    """Check if pattern matches any file."""
+    if "*" in pattern:
+        return bool(list(project_root.glob(pattern)))
+    return (project_root / pattern).exists()
+
+
+def _detect_frameworks(project_root: Path) -> list[str]:
+    """Detect frameworks."""
+    frameworks = []
+    frameworks.extend(_detect_js_frameworks(project_root))
+    frameworks.extend(_detect_python_frameworks(project_root))
+    frameworks.extend(_detect_ruby_frameworks(project_root))
+    return list(dict.fromkeys(frameworks))  # Unique, preserve order
+
+
+def _detect_js_frameworks(project_root: Path) -> list[str]:
+    """Detect JS frameworks from package.json."""
+    package_json = project_root / "package.json"
+    if not package_json.exists():
+        return []
+
+    try:
+        with open(package_json) as f:
+            pkg = json.load(f)
+
+        all_deps = list(pkg.get("dependencies", {}).keys()) + list(
+            pkg.get("devDependencies", {}).keys()
+        )
+
+        detected = []
+        for framework, packages in JS_FRAMEWORKS.items():
+            if any(p in all_deps for p in packages):
+                detected.append(framework)
+
+        # Sort by specificity
+        priority = [
+            "nextjs", "nuxt", "remix", "gatsby", "astro",
+            "angular", "nestjs", "svelte", "vue", "react", "express"
+        ]
+        return sorted(detected, key=lambda x: priority.index(x) if x in priority else 999)
+
+    except (json.JSONDecodeError, OSError):
+        return []
+
+
+def _detect_python_frameworks(project_root: Path) -> list[str]:
+    """Detect Python frameworks."""
+    frameworks = []
+    files = ["requirements.txt", "pyproject.toml", "Pipfile"]
+
+    for filename in files:
+        filepath = project_root / filename
+        if filepath.exists():
+            try:
+                content = filepath.read_text().lower()
+                for framework, packages in PYTHON_FRAMEWORKS.items():
+                    if any(p.lower() in content for p in packages):
+                        frameworks.append(framework)
+            except OSError:
+                pass
+
+    priority = [
+        "django", "fastapi", "flask", "pyramid",
+        "tornado", "starlette", "streamlit", "jupyter"
+    ]
+    unique = list(dict.fromkeys(frameworks))
+    return sorted(unique, key=lambda x: priority.index(x) if x in priority else 999)
+
+
+def _detect_ruby_frameworks(project_root: Path) -> list[str]:
+    """Detect Ruby frameworks from Gemfile."""
+    gemfile = project_root / "Gemfile"
+    if not gemfile.exists():
+        return []
+
+    try:
+        content = gemfile.read_text().lower()
+        detected = []
+
+        for framework, gems in RUBY_FRAMEWORKS.items():
+            if any(f"gem '{g}'" in content or f'gem "{g}"' in content for g in gems):
+                detected.append(framework)
+
+        priority = ["rails", "hanami", "sinatra", "grape", "roda"]
+        return sorted(detected, key=lambda x: priority.index(x) if x in priority else 999)
+
+    except OSError:
+        return []

zwischen/doctor.py

@@ -0,0 +1,63 @@
+"""Doctor command for Zwischen."""
+
+import shutil
+import subprocess
+
+from .installer import get_gitleaks_path, BIN_DIR
+
+
+def doctor() -> None:
+    """Check if required tools are installed."""
+    print("\n" + "=" * 60)
+    print("Zwischen Doctor - Tool Status")
+    print("=" * 60 + "\n")
+
+    all_installed = True
+
+    tools = [
+        {
+            "name": "gitleaks",
+            "description": "Secrets detection",
+            "check": get_gitleaks_path,
+            "install": "Auto-installed by zwischen init",
+        },
+        {
+            "name": "semgrep",
+            "description": "Static analysis (optional)",
+            "check": lambda: shutil.which("semgrep"),
+            "install": "pip install semgrep",
+        },
+    ]
+
+    for tool in tools:
+        tool_path = tool["check"]()
+
+        if tool_path:
+            version = ""
+            try:
+                result = subprocess.run(
+                    [tool_path, "--version"],
+                    capture_output=True,
+                    text=True,
+                )
+                version = result.stdout.strip().split("\n")[0]
+            except Exception:
+                pass
+
+            print(f"\033[32m✓ {tool['name']}\033[0m - {tool['description']}")
+            if version:
+                print(f"  Version: {version}")
+            if tool_path.startswith(str(BIN_DIR)):
+                print(f"  Location: {tool_path}")
+        else:
+            if "optional" not in tool["description"]:
+                all_installed = False
+            print(f"\033[31m✗ {tool['name']}\033[0m - {tool['description']} - NOT FOUND")
+            print(f"  → {tool['install']}")
+
+        print()
+
+    if all_installed:
+        print("\033[32m✅ All required tools are installed!\033[0m\n")
+    else:
+        print('\033[33m⚠️  Some tools are missing. Run "zwischen init" to install them.\033[0m\n')

zwischen/init.py

@@ -0,0 +1,72 @@
+"""Initialization for Zwischen."""
+
+import os
+import shutil
+import stat
+from pathlib import Path
+
+from .installer import install_gitleaks, is_gitleaks_installed
+from .config import create_config
+
+PRE_PUSH_HOOK = """#!/bin/sh
+# Zwischen pre-push hook
+# Runs security scan on changed files before push
+
+zwischen scan --pre-push
+"""
+
+
+def init() -> None:
+    """Initialize Zwischen in project."""
+    project_root = Path.cwd()
+
+    print("\n🛡️  Initializing Zwischen...\n")
+
+    # 1. Install gitleaks if needed
+    if not is_gitleaks_installed():
+        print("  Installing gitleaks...")
+        if not install_gitleaks():
+            print("  ⚠️  Could not auto-install gitleaks")
+    else:
+        print("  ✓ gitleaks already installed")
+
+    # 2. Check for semgrep (optional)
+    if shutil.which("semgrep"):
+        print("  ✓ semgrep available")
+    else:
+        print("  ↳ semgrep not found (optional)")
+        print("    → pip install semgrep")
+
+    # 3. Create config file
+    if create_config(project_root):
+        print("  ✓ Created .zwischen.yml")
+    else:
+        print("  ✓ Config already exists")
+
+    # 4. Install git hook
+    git_dir = project_root / ".git"
+    if git_dir.exists():
+        hooks_dir = git_dir / "hooks"
+        hooks_dir.mkdir(parents=True, exist_ok=True)
+
+        hook_path = hooks_dir / "pre-push"
+
+        if hook_path.exists():
+            content = hook_path.read_text()
+            if "zwischen" not in content:
+                # Append to existing hook
+                with open(hook_path, "a") as f:
+                    f.write("\n" + PRE_PUSH_HOOK)
+                print("  ✓ Added to existing pre-push hook")
+            else:
+                print("  ✓ Pre-push hook already configured")
+        else:
+            hook_path.write_text(PRE_PUSH_HOOK)
+            hook_path.chmod(hook_path.stat().st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
+            print("  ✓ Installed pre-push hook")
+    else:
+        print("  ↳ Not a git repository, skipping hook installation")
+
+    print("\n✅ Zwischen initialized!\n")
+    print('Run "zwischen scan" to scan your project.')
+    print("Security checks will run automatically before each push.\n")

zwischen/installer.py

@@ -0,0 +1,122 @@
+"""Gitleaks installer for Zwischen."""
+
+import os
+import platform
+import shutil
+import stat
+import tarfile
+import tempfile
+from pathlib import Path
+from urllib.request import urlopen, Request
+import json
+
+ZWISCHEN_DIR = Path.home() / ".zwischen"
+BIN_DIR = ZWISCHEN_DIR / "bin"
+GITLEAKS_REPO = "gitleaks/gitleaks"
+
+PLATFORMS = {
+    "Darwin": "darwin",
+    "Linux": "linux",
+    "Windows": "windows",
+}
+
+ARCHS = {
+    "x86_64": "x64",
+    "AMD64": "x64",
+    "aarch64": "arm64",
+    "arm64": "arm64",
+}
+
+
+def fetch_json(url: str) -> dict:
+    """Fetch JSON from URL."""
+    req = Request(url, headers={"User-Agent": "zwischen"})
+    with urlopen(req) as response:
+        return json.loads(response.read().decode())
+
+
+def download_file(url: str, dest: Path) -> None:
+    """Download file from URL."""
+    req = Request(url, headers={"User-Agent": "zwischen"})
+    with urlopen(req) as response:
+        with open(dest, "wb") as f:
+            shutil.copyfileobj(response, f)
+
+
+def install_gitleaks() -> bool:
+    """Install gitleaks binary."""
+    plat = PLATFORMS.get(platform.system())
+    arch = ARCHS.get(platform.machine(), "x64")
+
+    if not plat:
+        print(f"Unsupported platform: {platform.system()}")
+        return False
+
+    # Ensure directories exist
+    BIN_DIR.mkdir(parents=True, exist_ok=True)
+
+    gitleaks_name = "gitleaks.exe" if plat == "windows" else "gitleaks"
+    gitleaks_path = BIN_DIR / gitleaks_name
+
+    # Check if already installed
+    if gitleaks_path.exists():
+        return True
+
+    print("  Downloading gitleaks...")
+
+    try:
+        # Get latest release
+        release = fetch_json(f"https://api.github.com/repos/{GITLEAKS_REPO}/releases/latest")
+
+        # Find matching asset
+        pattern = f"gitleaks_"
+        suffix = f"_{plat}_{arch}.tar.gz"
+        asset = next(
+            (a for a in release["assets"] if a["name"].startswith(pattern) and a["name"].endswith(suffix)),
+            None,
+        )
+
+        if not asset:
+            print(f"No gitleaks binary found for {plat}_{arch}")
+            return False
+
+        # Download and extract
+        with tempfile.TemporaryDirectory() as tmpdir:
+            tarball_path = Path(tmpdir) / "gitleaks.tar.gz"
+            download_file(asset["browser_download_url"], tarball_path)
+
+            with tarfile.open(tarball_path, "r:gz") as tar:
+                for member in tar.getmembers():
+                    if member.name == "gitleaks":
+                        member.name = gitleaks_name
+                        tar.extract(member, BIN_DIR)
+                        break
+
+        # Make executable
+        if plat != "windows":
+            gitleaks_path.chmod(gitleaks_path.stat().st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
+
+        print("  ✓ Installed gitleaks")
+        return True
+
+    except Exception as e:
+        print(f"  ✗ Failed to install gitleaks: {e}")
+        return False
+
+
+def get_gitleaks_path() -> str | None:
+    """Get path to gitleaks executable."""
+    gitleaks_name = "gitleaks.exe" if platform.system() == "Windows" else "gitleaks"
+    local_path = BIN_DIR / gitleaks_name
+
+    if local_path.exists():
+        return str(local_path)
+
+    # Check system PATH
+    system_path = shutil.which("gitleaks")
+    return system_path
+
+
+def is_gitleaks_installed() -> bool:
+    """Check if gitleaks is installed."""
+    return get_gitleaks_path() is not None

zwischen/scanner.py

@@ -0,0 +1,256 @@
+"""Security scanners for Zwischen."""
+
+import json
+import os
+import re
+import shutil
+import subprocess
+import sys
+from pathlib import Path
+from typing import Any
+
+from .installer import get_gitleaks_path
+from .config import load_config
+from .ai import analyze_with_ai
+from .detector import detect_project
+
+
+def run_gitleaks(project_root: str = ".", files: list[str] | None = None) -> list[dict]:
+    """Run gitleaks scanner."""
+    gitleaks_path = get_gitleaks_path()
+    if not gitleaks_path:
+        return []
+
+    findings = []
+
+    try:
+        if files:
+            # Scan specific files
+            for file in files:
+                file_path = Path(project_root) / file
+                if not file_path.exists():
+                    continue
+
+                result = subprocess.run(
+                    [
+                        gitleaks_path,
+                        "detect",
+                        "--source", str(file_path),
+                        "--report-format", "json",
+                        "--report-path", "-",
+                        "--no-git",
+                    ],
+                    capture_output=True,
+                    text=True,
+                    cwd=project_root,
+                )
+
+                if result.stdout:
+                    try:
+                        parsed = json.loads(result.stdout)
+                        findings.extend(parsed if isinstance(parsed, list) else [])
+                    except json.JSONDecodeError:
+                        pass
+        else:
+            # Scan entire project
+            result = subprocess.run(
+                [
+                    gitleaks_path,
+                    "detect",
+                    "--source", project_root,
+                    "--report-format", "json",
+                    "--report-path", "-",
+                    "--no-git",
+                ],
+                capture_output=True,
+                text=True,
+                cwd=project_root,
+            )
+
+            if result.stdout:
+                try:
+                    parsed = json.loads(result.stdout)
+                    findings.extend(parsed if isinstance(parsed, list) else [])
+                except json.JSONDecodeError:
+                    pass
+
+    except Exception as e:
+        if os.environ.get("DEBUG"):
+            print(f"Gitleaks error: {e}", file=sys.stderr)
+
+    return [
+        {
+            "type": "secret",
+            "scanner": "gitleaks",
+            "severity": _map_gitleaks_severity(f.get("RuleID", "")),
+            "file": f.get("File", ""),
+            "line": f.get("StartLine", 0),
+            "message": f.get("RuleID", "Secret detected"),
+            "rule_id": f.get("RuleID", ""),
+            "code_snippet": f.get("Secret", ""),
+            "raw": f,
+        }
+        for f in findings
+    ]
+
+
+def _map_gitleaks_severity(rule_id: str) -> str:
+    """Map gitleaks rule to severity."""
+    rule_id = rule_id.lower()
+    if re.search(r"aws.*key|api.*key|private.*key|secret.*key", rule_id):
+        return "critical"
+    if re.search(r"password|token|credential", rule_id):
+        return "high"
+    return "medium"
+
+
+def run_semgrep(project_root: str = ".", files: list[str] | None = None) -> list[dict]:
+    """Run semgrep scanner."""
+    if not shutil.which("semgrep"):
+        return []
+
+    findings = []
+
+    try:
+        args = ["semgrep", "--json", "--config", "p/security-audit"]
+        if files:
+            args.extend(files)
+        else:
+            args.append(project_root)
+
+        result = subprocess.run(
+            args,
+            capture_output=True,
+            text=True,
+            cwd=project_root,
+        )
+
+        if result.stdout:
+            try:
+                parsed = json.loads(result.stdout)
+                for r in parsed.get("results", []):
+                    findings.append({
+                        "type": "vulnerability",
+                        "scanner": "semgrep",
+                        "severity": r.get("extra", {}).get("severity", "medium"),
+                        "file": r.get("path", ""),
+                        "line": r.get("start", {}).get("line", 0),
+                        "message": r.get("extra", {}).get("message", r.get("check_id", "")),
+                        "rule_id": r.get("check_id", ""),
+                        "code_snippet": r.get("extra", {}).get("lines", ""),
+                        "raw": r,
+                    })
+            except json.JSONDecodeError:
+                pass
+
+    except Exception as e:
+        if os.environ.get("DEBUG"):
+            print(f"Semgrep error: {e}", file=sys.stderr)
+
+    return findings
+
+
+def scan(
+    ai: str | None = None,
+    api_key: str | None = None,
+    output_format: str = "terminal",
+    pre_push: bool = False,
+) -> None:
+    """Run security scan."""
+    project_root = os.getcwd()
+    config = load_config(project_root)
+    project = detect_project(project_root)
+
+    if not pre_push:
+        framework_info = (
+            f"{project['frameworks'][0]} ({project['language']})"
+            if project['frameworks']
+            else project['primary_type'] or 'project'
+        )
+        print(f"\n🔍 Scanning {framework_info}...\n")
+
+    # Run scanners
+    gitleaks_findings = run_gitleaks(project_root)
+    semgrep_findings = run_semgrep(project_root)
+    findings = gitleaks_findings + semgrep_findings
+
+    if not findings:
+        if not pre_push:
+            print("✅ No security issues found!\n")
+        sys.exit(0)
+
+    # AI analysis if requested
+    if ai:
+        if not pre_push:
+            print(f"🤖 Analyzing with AI ({ai})...\n")
+        try:
+            findings = analyze_with_ai(
+                findings,
+                provider=ai,
+                api_key=api_key or config.get("ai", {}).get("api_key"),
+            )
+        except Exception as e:
+            if not pre_push:
+                print(f"⚠️  AI analysis unavailable: {e}")
+
+    # Report findings
+    if output_format == "json":
+        print(json.dumps({"findings": findings}, indent=2))
+    else:
+        _report_findings(findings, pre_push)
+
+    # Exit with error if blocking findings
+    blocking_severity = config.get("blocking", {}).get("severity", "high")
+    has_blocking = any(_should_block(f, blocking_severity) for f in findings)
+    sys.exit(1 if has_blocking else 0)
+
+
+def _should_block(finding: dict, blocking_severity: str) -> bool:
+    """Check if finding should block."""
+    if finding.get("ai_false_positive"):
+        return False
+
+    severity = (finding.get("severity") or "medium").lower()
+    if blocking_severity == "critical":
+        return severity == "critical"
+    if blocking_severity == "high":
+        return severity in ("critical", "high")
+    if blocking_severity == "none":
+        return False
+    return severity in ("critical", "high")
+
+
+def _report_findings(findings: list[dict], compact: bool = False) -> None:
+    """Report findings to terminal."""
+    by_severity = {"critical": [], "high": [], "medium": [], "low": []}
+
+    for f in findings:
+        sev = (f.get("severity") or "medium").lower()
+        if sev in by_severity:
+            by_severity[sev].append(f)
+        else:
+            by_severity["medium"].append(f)
+
+    print("🛡️  Security Scan Results\n")
+    print(f"Found {len(findings)} issue(s):\n")
+
+    colors = {
+        "critical": "\033[31m",  # red
+        "high": "\033[33m",      # yellow
+        "medium": "\033[36m",    # cyan
+        "low": "\033[37m",       # white
+    }
+    reset = "\033[0m"
+
+    for severity, items in by_severity.items():
+        if not items:
+            continue
+
+        print(f"{colors[severity]}{severity.upper()} ({len(items)}){reset}")
+
+        for f in items:
+            fp = " [FALSE POSITIVE]" if f.get("ai_false_positive") else ""
+            print(f"  {f['file']}:{f['line']} - {f['message']}{fp}")
+            if f.get("ai_fix_suggestion") and not compact:
+                print(f"    💡 {f['ai_fix_suggestion']}")
+        print()

zwischen_cli-0.1.0.dist-info/METADATA

@@ -0,0 +1,108 @@
+Metadata-Version: 2.4
+Name: zwischen-cli
+Version: 0.1.0
+Summary: AI-augmented security scanning for vibe coders. Zero-config secrets detection and vulnerability scanning.
+Author-email: Conner Jordan <connercharlesjordan@gmail.com>
+License: MIT
+Project-URL: Homepage, https://github.com/cjordan223/zwischen
+Project-URL: Repository, https://github.com/cjordan223/zwischen.git
+Project-URL: Issues, https://github.com/cjordan223/Zwischen/issues
+Keywords: security,scanner,secrets,gitleaks,semgrep,ai,vulnerability,sast
+Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Quality Assurance
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+Requires-Dist: click>=8.0.0
+Requires-Dist: pyyaml>=6.0
+Requires-Dist: requests>=2.28.0
+
+# Zwischen Python Package
+
+Python wrapper for Zwischen, an AI-augmented security scanning CLI. This package exposes a Python implementation of the core workflow for Python users.
+
+The Ruby gem in the repository root is currently the canonical implementation. This wrapper has a smaller command surface and may not match every Ruby feature.
+
+## Installation
+
+```bash
+pip install zwischen-cli
+```
+
+The PyPI distribution is named `zwischen-cli` (the bare `zwischen` name is taken by an unrelated project), but the installed command is still `zwischen`.
+
+For local development:
+
+```bash
+cd packages/pip
+python -m pip install -e .
+zwischen --help
+```
+
+## Commands
+
+```bash
+zwischen init
+zwischen scan
+zwischen scan --ai ollama
+zwischen scan --ai openai --api-key "$OPENAI_API_KEY"
+zwischen scan --format json
+zwischen scan --pre-push
+zwischen doctor
+```
+
+Supported scan flags:
+
+- `--ai`: `ollama`, `openai`, or `anthropic`
+- `--api-key`: provider API key
+- `--format`: `terminal` or `json`
+- `--pre-push`: compact hook mode
+
+Not currently supported in this wrapper:
+
+- `zwischen uninstall`
+- `zwischen scan --only ...`
+- Ruby's changed-file filtering for `--pre-push`
+
+## Behavior
+
+`zwischen init` tries to install Gitleaks into `~/.zwischen/bin`, creates `.zwischen.yml`, checks whether Semgrep is available, and installs or appends a Git `pre-push` hook when run inside a Git repository.
+
+Semgrep is optional:
+
+```bash
+pip install semgrep
+```
+
+## Configuration
+
+The Python wrapper creates this shape:
+
+```yaml
+ai:
+  enabled: true
+  pre_push_enabled: false
+  provider: ollama
+  model: llama3
+
+blocking:
+  severity: high
+
+scanners:
+  gitleaks: true
+  semgrep: true
+```
+
+Blocking severities are `high`, `critical`, or `none`.
+
+## License
+
+MIT

zwischen_cli-0.1.0.dist-info/RECORD

@@ -0,0 +1,14 @@
+zwischen/__init__.py,sha256=N6G1NuwIh46p0j4idknMZiJDyuwQBQKWqqrHSs0Zad4,569
+zwischen/ai.py,sha256=5-H3ZI1c9ot9gfEFOOuAPVfH9ivXLam_rLg3sIMvyNE,5628
+zwischen/cli.py,sha256=c4v6LG83eBoc255OaOVpivWlxf8nZZ9pkpt1scJRPQk,1007
+zwischen/config.py,sha256=h4dfWcjv0r3tCQULEc331BauZI-2vNUpXG0t7N9Scdg,2721
+zwischen/detector.py,sha256=gGoWAk_AbZTq43SY84NYOo-a3-4AShhy9mmqrX7Y_b8,5999
+zwischen/doctor.py,sha256=y_52789eOj_aTzWU18_1OKMNxPChtz4vDxqPjymu8HI,1882
+zwischen/init.py,sha256=rAiiLmyXO3-gDwOZCybYOIo2AWnhWcXCNtC_SZZeT1Q,2224
+zwischen/installer.py,sha256=fjFmsM4DZl2Gx8qWyNN42BjREqPBHpKvNjgfiAQ01WU,3391
+zwischen/scanner.py,sha256=0d7xGqnS0845V4RQV-tWYR52o5UyqXQ1hfVx3723_HY,7985
+zwischen_cli-0.1.0.dist-info/METADATA,sha256=ikLON5_loDFQ-UMuM6z4shjs5GyDnijvujZCM3CaR2E,2920
+zwischen_cli-0.1.0.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
+zwischen_cli-0.1.0.dist-info/entry_points.txt,sha256=3o6AOoPmXjKI0kU9Fe1FQMB8-tckSGe-TN8PrsiA6F0,47
+zwischen_cli-0.1.0.dist-info/top_level.txt,sha256=kR82MS5v9Jb4vxpDB0CbGycvBXRvLTQgeLIMmJJVnPk,9
+zwischen_cli-0.1.0.dist-info/RECORD,,

zwischen_cli-0.1.0.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (82.0.1)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

zwischen_cli-0.1.0.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+zwischen = zwischen.cli:main

zwischen_cli-0.1.0.dist-info/top_level.txt

@@ -0,0 +1 @@
+zwischen