Documentation
Constants
const PathPrefix = ".commitbrief/"
PathPrefix is the trigger condition: any diff file whose path starts with this string (i.e., lives under the .commitbrief/ directory) prompts the user. Root-level COMMITBRIEF.md and .commitbriefignore are intentionally excluded — they are team-shared by design (ADR-0007).
Variables
This section is empty.
Functions
func SecretPatternNames (added in v0.8.0)
func SecretPatternNames() []string
SecretPatternNames returns the labels of every pattern the scanner knows about, sorted alphabetically. Used by docs/tests as the authoritative list — keeps drift between the table here and the CHANGELOG/README description detectable.
Types
type Options
type Options struct {
	AssumeYes      bool
	NonInteractive bool
	Writer         io.Writer
	Reader         io.Reader
	// Interactive routes the confirm through ui.Confirm's arrow-key
	// Yes/No toggle (huh) instead of reading a line off Reader. CLI
	// callers set it from ui.IsStdinTTY(os.Stdin); tests leave it
	// false so the deterministic line path (Reader) still drives them.
	Interactive bool
	// Catalog plumbs i18n into the .commitbrief/* write-guard so the
	// user-visible warning, file lines, prompt, and abort messages
	// honour the active locale. Nil → English defaults (legacy
	// behaviour). Every CLI caller should pass app.Catalog so
	// Turkish users actually see Turkish here (UC-15).
	Catalog *i18n.Catalog
}
type SecretMatch (added in v0.8.0)
type SecretMatch struct {
	Line     int      // 1-based line number within the diff string
	Patterns []string // alphabetised pattern names that matched this line
}
SecretMatch describes a single line in the diff that looks like it might contain a credential the user shouldn't ship to an LLM. Only the line number and the matched-pattern names are recorded — never the matched substring itself, so the scanner's own output can't become a secondary leak vector via logs, stderr, or cache files.
func ScanForSecrets (added in v0.8.0)
func ScanForSecrets(diff string) []SecretMatch
ScanForSecrets walks the diff and reports any added line (prefixed with a single `+`, excluding the `+++ b/path` header) that matches one or more of the credential patterns. Removed and context lines are skipped — the goal is to catch *new* leaks, not to re-flag historical content that's already on disk somewhere.
Returns a slice of matches sorted by line number. An empty diff or a diff with no `+` lines returns nil — callers can rely on `len(out) == 0` as the "all clear" signal.
func ScanText (added in v0.9.1)
func ScanText(content string) []SecretMatch
ScanText runs the same credential patterns against arbitrary text (no diff prefixes). Used to scan rules content like COMMITBRIEF.md and the output template before they get embedded into the system prompt and shipped to the provider. UC-05 in PATCH_ROADMAP. Empty input returns nil so callers can rely on len(out)==0 as the "all clear" signal.