feat(commit): add commit analyzer subsystem with visibility-aware secret scanning

Author: Gary Blankenship

commit_analyze.go

@@ -73,6 +73,8 @@ func AnalyzeCommit(ctx context.Context, opts AnalyzeOptions) (*CommitAnalysis, e
 			EarlyExit:   true,
 			EarlyReason: "no changes in working tree",
 			Complexity:  "simple",
+			Remote:      RemoteInfo{OriginURL: gs.OriginURL, Visibility: gs.Visibility},
+			Secrets:     SecretsSummary{Clean: true},
 			Refs:        refs,
 		}, nil
 	}
@@ -99,8 +101,9 @@ func AnalyzeCommit(ctx context.Context, opts AnalyzeOptions) (*CommitAnalysis, e
 	// Dep bumps.
 	bumps := detectDepBumps(ctx, root, gs.Files)
 
-	// Secrets scan.
-	findings, summary := scanSecrets(ctx, root, gs.Files)
+	// Secrets scan. Visibility is passed in so findings get a deterministic
+	// default_action that the agent can act on without per-finding LLM calls.
+	findings, summary := scanSecrets(ctx, root, gs.Files, gs.Visibility)
 	if err := writeFindings(refs.Findings, findings); err != nil {
 		return nil, fmt.Errorf("write findings: %w", err)
 	}
@@ -114,26 +117,40 @@ func AnalyzeCommit(ctx context.Context, opts AnalyzeOptions) (*CommitAnalysis, e
 	artifacts := collectArtifacts(gs.Files)
 	histStyle := classifyHistoryStyle(gs.HistoryRaw)
 
+	// Surface tag + recent subjects so the agent never needs to re-run
+	// `git log` / `git tag` just for style inference or version lookup.
+	var latestTag string
+	if len(gs.Tags) > 0 {
+		latestTag = gs.Tags[0]
+	}
+	recentSubjects := splitLines(gs.HistoryRaw)
+	if len(recentSubjects) > 5 {
+		recentSubjects = recentSubjects[:5]
+	}
+
 	// Plan file.
 	plan := renderPlan(groups)
 	if err := writeFile(refs.Plan, []byte(plan)); err != nil {
 		return nil, fmt.Errorf("write plan: %w", err)
 	}
 
 	analysis := &CommitAnalysis{
-		Version:      1,
-		Tmpdir:       tmpdir,
-		EarlyExit:    false,
-		Complexity:   classifyComplexity(gs.Files, groups),
-		Counts:       countFiles(gs.Files),
-		HistoryStyle: histStyle,
-		Secrets:      summary,
-		Artifacts:    artifacts,
-		ConfigFiles:  configFiles,
-		DepBumps:     bumps,
-		Groups:       groups,
-		PlanHash:     planHash(plan),
-		Refs:         refs,
+		Version:        1,
+		Tmpdir:         tmpdir,
+		EarlyExit:      false,
+		Complexity:     classifyComplexity(gs.Files, groups),
+		Counts:         countFiles(gs.Files),
+		HistoryStyle:   histStyle,
+		LatestTag:      latestTag,
+		RecentSubjects: recentSubjects,
+		Remote:         RemoteInfo{OriginURL: gs.OriginURL, Visibility: gs.Visibility},
+		Secrets:        summary,
+		Artifacts:      artifacts,
+		ConfigFiles:    configFiles,
+		DepBumps:       bumps,
+		Groups:         groups,
+		PlanHash:       planHash(plan),
+		Refs:           refs,
 	}
 	return analysis, nil
 }

commit_analyze_test.go

@@ -57,6 +57,10 @@ func runGitT(t *testing.T, root string, args ...string) {
 // Test_Analyze_HappyPath: a test-pair + a config change form two groups,
 // both high confidence, messages non-generic.
 func Test_Analyze_HappyPath(t *testing.T) {
+	t.Parallel()
+	if testing.Short() {
+		t.Skip("skipping integration test in short mode")
+	}
 	root := initTestRepo(t,
 		map[string]string{
 			"go.mod":          "module fixture\ngo 1.22\n",
@@ -100,6 +104,10 @@ func Test_Analyze_HappyPath(t *testing.T) {
 
 // Test_Analyze_CleanRepo: no dirty files => early_exit.
 func Test_Analyze_CleanRepo(t *testing.T) {
+	t.Parallel()
+	if testing.Short() {
+		t.Skip("skipping integration test in short mode")
+	}
 	root := initTestRepo(t,
 		map[string]string{"README.md": "# clean\n"},
 		nil,
@@ -115,6 +123,10 @@ func Test_Analyze_CleanRepo(t *testing.T) {
 
 // Test_Analyze_Secrets: a live AWS access key in a config file must FLAG.
 func Test_Analyze_Secrets(t *testing.T) {
+	t.Parallel()
+	if testing.Short() {
+		t.Skip("skipping integration test in short mode")
+	}
 	root := initTestRepo(t,
 		map[string]string{"config.yaml": "key: value\n"},
 		map[string]string{"config.yaml": "key: value\naws_access_key: AKIAIOSFODNN7EXAMPLE\n"},
@@ -133,6 +145,10 @@ func Test_Analyze_Secrets(t *testing.T) {
 
 // Test_Analyze_PlaceholderPaths: /Users/you/ should NOT flag as PII.
 func Test_Analyze_PlaceholderPaths(t *testing.T) {
+	t.Parallel()
+	if testing.Short() {
+		t.Skip("skipping integration test in short mode")
+	}
 	root := initTestRepo(t,
 		map[string]string{"docs.md": "# Docs\n"},
 		map[string]string{"docs.md": "# Docs\n\nInstall at /Users/you/bin/tool.\n"},
@@ -150,6 +166,10 @@ func Test_Analyze_PlaceholderPaths(t *testing.T) {
 
 // Test_Analyze_DepBump: go.mod version bump is detected.
 func Test_Analyze_DepBump(t *testing.T) {
+	t.Parallel()
+	if testing.Short() {
+		t.Skip("skipping integration test in short mode")
+	}
 	root := initTestRepo(t,
 		map[string]string{
 			"go.mod": "module fixture\n\ngo 1.22\n\nrequire github.com/pkg/errors v0.9.0\n",
@@ -170,6 +190,125 @@ func Test_Analyze_DepBump(t *testing.T) {
 	}
 }
 
+// Test_Analyze_TagAndSubjects: latest_tag + recent_subjects are emitted so the
+// agent never re-runs `git log` / `git tag` for style or version lookup.
+func Test_Analyze_TagAndSubjects(t *testing.T) {
+	t.Parallel()
+	if testing.Short() {
+		t.Skip("skipping integration test in short mode")
+	}
+	root := initTestRepo(t,
+		map[string]string{"README.md": "# Fixture\n"},
+		nil,
+	)
+	// Two more commits with conventional-style subjects; tag the last one.
+	writeFixture(t, root, "a.txt", "a\n")
+	runGitT(t, root, "add", "-A")
+	runGitT(t, root, "commit", "-q", "-m", "feat(core): add a")
+	writeFixture(t, root, "b.txt", "b\n")
+	runGitT(t, root, "add", "-A")
+	runGitT(t, root, "commit", "-q", "-m", "fix(core): patch b")
+	runGitT(t, root, "tag", "v0.2.0")
+	// Dirty the tree so analyze doesn't early-exit.
+	writeFixture(t, root, "README.md", "# Fixture\n\nchanged\n")
+
+	got, err := AnalyzeCommit(context.Background(), AnalyzeOptions{Root: root})
+	if err != nil {
+		t.Fatalf("AnalyzeCommit: %v", err)
+	}
+	if got.LatestTag != "v0.2.0" {
+		t.Errorf("LatestTag = %q, want %q", got.LatestTag, "v0.2.0")
+	}
+	if len(got.RecentSubjects) == 0 {
+		t.Fatalf("RecentSubjects empty; expected recent commit subjects")
+	}
+	if len(got.RecentSubjects) > 5 {
+		t.Errorf("RecentSubjects = %d entries, want ≤5", len(got.RecentSubjects))
+	}
+	if !strings.HasPrefix(got.RecentSubjects[0], "fix(core)") {
+		t.Errorf("RecentSubjects[0] = %q, want newest-first conventional subject", got.RecentSubjects[0])
+	}
+}
+
+// Test_Analyze_NoTag_NoHistory: fresh repo with one commit, no tags — LatestTag
+// must be empty (agent signal: propose initial v0.1.0).
+func Test_Analyze_NoTag_NoHistory(t *testing.T) {
+	t.Parallel()
+	if testing.Short() {
+		t.Skip("skipping integration test in short mode")
+	}
+	root := initTestRepo(t,
+		map[string]string{"README.md": "# fresh\n"},
+		map[string]string{"README.md": "# fresh\n\nmodified\n"},
+	)
+	got, err := AnalyzeCommit(context.Background(), AnalyzeOptions{Root: root})
+	if err != nil {
+		t.Fatalf("AnalyzeCommit: %v", err)
+	}
+	if got.LatestTag != "" {
+		t.Errorf("LatestTag = %q, want empty on untagged repo", got.LatestTag)
+	}
+}
+
+// Test_Analyze_Visibility_None_PIISafe: a personal repo with no origin should
+// get "safe" default_action on PII REVIEW findings (emails/localhost), so the
+// agent can skip per-finding adjudication.
+func Test_Analyze_Visibility_None_PIISafe(t *testing.T) {
+	t.Parallel()
+	if testing.Short() {
+		t.Skip("skipping integration test in short mode")
+	}
+	root := initTestRepo(t,
+		map[string]string{"README.md": "# readme\n"},
+		map[string]string{"README.md": "# readme\n\nping me at dev@example.com on localhost:8080\n"},
+	)
+	got, err := AnalyzeCommit(context.Background(), AnalyzeOptions{Root: root})
+	if err != nil {
+		t.Fatalf("AnalyzeCommit: %v", err)
+	}
+	if got.Remote.Visibility != "none" {
+		t.Fatalf("Remote.Visibility = %q, want %q (no origin remote)", got.Remote.Visibility, "none")
+	}
+	if got.Secrets.AmbiguousCount != 0 {
+		t.Errorf("AmbiguousCount = %d, want 0 (personal repo: PII REVIEWs should be safe)", got.Secrets.AmbiguousCount)
+	}
+	findings := readFindings(t, got.Refs.Findings)
+	if len(findings) == 0 {
+		t.Fatalf("expected PII REVIEW findings for email/localhost")
+	}
+	for _, f := range findings {
+		if f.Kind == "pii" && f.Class == "REVIEW" && f.DefaultAction != "safe" {
+			t.Errorf("PII REVIEW finding %q default_action = %q, want %q", f.Snippet, f.DefaultAction, "safe")
+		}
+	}
+}
+
+// Test_Analyze_Visibility_FlagAlwaysFix: FLAG findings always get default_action=fix
+// regardless of visibility — live secrets are never "safe".
+func Test_Analyze_Visibility_FlagAlwaysFix(t *testing.T) {
+	t.Parallel()
+	if testing.Short() {
+		t.Skip("skipping integration test in short mode")
+	}
+	root := initTestRepo(t,
+		map[string]string{"config.yaml": "key: value\n"},
+		map[string]string{"config.yaml": "key: value\naws_access_key: AKIAIOSFODNN7EXAMPLE\n"},
+	)
+	got, err := AnalyzeCommit(context.Background(), AnalyzeOptions{Root: root})
+	if err != nil {
+		t.Fatalf("AnalyzeCommit: %v", err)
+	}
+	if got.Secrets.FixCount < 1 {
+		t.Errorf("FixCount = %d, want >=1 (AKIA key must be fix)", got.Secrets.FixCount)
+	}
+	findings := readFindings(t, got.Refs.Findings)
+	for _, f := range findings {
+		if f.Class == "FLAG" && f.DefaultAction != "fix" {
+			t.Errorf("FLAG finding %q default_action = %q, want %q", f.Snippet, f.DefaultAction, "fix")
+		}
+	}
+}
+
 func containsAll(haystack []string, needles ...string) bool {
 	set := make(map[string]bool, len(haystack))
 	for _, h := range haystack {

commit_gitstate.go

@@ -22,6 +22,8 @@ type gitState struct {
 	CoChange    map[string]map[string]int // file -> file -> co-commit count (last 500 commits)
 	Tags        []string                  // descending semver
 	HasUpstream bool
+	OriginURL   string // origin remote URL; empty if no origin
+	Visibility  string // public | private | none | unknown
 }
 
 // collectGitState shells the git commands we need. Returns an error only for
@@ -81,9 +83,81 @@ func collectGitState(ctx context.Context, root string) (*gitState, error) {
 		}
 	}
 
+	// Origin + visibility. Drives Finding.DefaultAction strictness: no remote =
+	// personal repo (lenient); public remote = strict; unknown = strict.
+	gs.OriginURL, gs.Visibility = detectVisibility(ctx, root)
+
 	return gs, nil
 }
 
+// detectVisibility classifies the origin remote. Logic:
+//   - no origin                         → ("", "none")
+//   - origin exists, `gh` authenticated → probe gh repo view for github.com URLs
+//   - otherwise                         → (url, "unknown")  — caller treats as strict
+//
+// Network-light: gh probe is skipped when origin is not github.com or gh is
+// missing; both paths short-circuit to "unknown" so analyze never stalls on
+// flaky network.
+func detectVisibility(ctx context.Context, root string) (url, vis string) {
+	out, err := runGit(ctx, root, "remote", "get-url", "origin")
+	if err != nil {
+		return "", "none"
+	}
+	url = strings.TrimSpace(out)
+	if url == "" {
+		return "", "none"
+	}
+	if !isGitHubURL(url) {
+		return url, "unknown"
+	}
+	slug := githubSlug(url)
+	if slug == "" {
+		return url, "unknown"
+	}
+	if _, err := exec.LookPath("gh"); err != nil {
+		return url, "unknown"
+	}
+	cmd := exec.CommandContext(ctx, "gh", "repo", "view", slug, "--json", "visibility", "-q", ".visibility")
+	raw, err := cmd.Output()
+	if err != nil {
+		return url, "unknown"
+	}
+	switch strings.ToLower(strings.TrimSpace(string(raw))) {
+	case "public":
+		return url, "public"
+	case "private", "internal":
+		return url, "private"
+	}
+	return url, "unknown"
+}
+
+// isGitHubURL returns true for SSH or HTTPS origins on github.com.
+func isGitHubURL(url string) bool {
+	return strings.Contains(url, "github.com:") || strings.Contains(url, "github.com/")
+}
+
+// githubSlug extracts "owner/repo" from a github.com URL.
+// Handles: git@github.com:owner/repo.git, https://github.com/owner/repo(.git),
+// ssh://git@github.com/owner/repo.
+func githubSlug(url string) string {
+	rest := url
+	switch {
+	case strings.HasPrefix(rest, "git@github.com:"):
+		rest = strings.TrimPrefix(rest, "git@github.com:")
+	case strings.Contains(rest, "github.com/"):
+		_, rest, _ = strings.Cut(rest, "github.com/")
+	default:
+		return ""
+	}
+	rest = strings.TrimSuffix(rest, ".git")
+	rest = strings.TrimSuffix(rest, "/")
+	parts := strings.Split(rest, "/")
+	if len(parts) < 2 {
+		return ""
+	}
+	return parts[0] + "/" + parts[1]
+}
+
 // runGit invokes git with the given args inside root, returns stdout.
 func runGit(ctx context.Context, root string, args ...string) (string, error) {
 	cmd := exec.CommandContext(ctx, "git", append([]string{"-C", root}, args...)...)