feat(commit): add secrets detection and tests for execute subcommand

Author: Gary Blankenship

commit_execute_secrets.go

@@ -0,0 +1,88 @@
+package repomap
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"os"
+	"slices"
+	"strings"
+)
+
+// checkSecrets blocks execute when the plan contains any unresolved secret
+// signal. Callers must adjudicate all findings (detected and ambiguous) before
+// calling execute — execute is dumb-deterministic and never resolves findings.
+//
+// Blocking conditions:
+//
+//	FlagCount > 0           — deterministic FLAG hits (auto-fixable but not yet fixed)
+//	AmbiguousCount > 0      — REVIEW/secret findings requiring LLM adjudication
+//	!Clean && Gitleaks > 0  — gitleaks hits not captured by FlagCount (legacy plans)
+func checkSecrets(s SecretsSummary, findingsPath string) error {
+	hasDetected := s.FlagCount > 0 || (!s.Clean && s.GitleaksFindings > 0)
+	hasAmbiguous := s.AmbiguousCount > 0
+	if !hasDetected && !hasAmbiguous {
+		return nil
+	}
+
+	// Collect per-category file lists from the findings file when available.
+	detectedFiles, ambiguousFiles := loadSecretFileLists(findingsPath)
+
+	var b strings.Builder
+	fmt.Fprintf(&b, "plan has unresolved secrets — adjudicate before execute:")
+	if hasDetected {
+		fmt.Fprintf(&b, "\n  detected: %d file(s)", s.FlagCount)
+		for _, f := range detectedFiles {
+			fmt.Fprintf(&b, "\n    %s", f)
+		}
+	}
+	if hasAmbiguous {
+		fmt.Fprintf(&b, "\n  ambiguous: %d file(s)", s.AmbiguousCount)
+		for _, f := range ambiguousFiles {
+			fmt.Fprintf(&b, "\n    %s", f)
+		}
+	}
+	return errors.New(b.String())
+}
+
+// loadSecretFileLists parses a findings JSON file and returns two deduplicated,
+// sorted file lists: one for FLAG findings (detected) and one for REVIEW
+// findings with default_action=review (ambiguous). Returns empty slices when
+// the file is absent or unparseable — callers treat that as "no detail available".
+func loadSecretFileLists(findingsPath string) (detected, ambiguous []string) {
+	if findingsPath == "" {
+		return nil, nil
+	}
+	data, err := os.ReadFile(findingsPath)
+	if err != nil {
+		return nil, nil
+	}
+	var findings []Finding
+	if err := json.Unmarshal(data, &findings); err != nil {
+		return nil, nil
+	}
+	detectedSet := make(map[string]bool)
+	ambiguousSet := make(map[string]bool)
+	for _, f := range findings {
+		switch {
+		case f.Class == "FLAG":
+			detectedSet[f.File] = true
+		case f.Class == "REVIEW" && f.DefaultAction == "review":
+			ambiguousSet[f.File] = true
+		}
+	}
+	return sortedKeys(detectedSet), sortedKeys(ambiguousSet)
+}
+
+// sortedKeys returns the keys of m in sorted order.
+func sortedKeys(m map[string]bool) []string {
+	if len(m) == 0 {
+		return nil
+	}
+	out := make([]string, 0, len(m))
+	for k := range m {
+		out = append(out, k)
+	}
+	slices.Sort(out)
+	return out
+}

commit_execute_secrets_test.go

@@ -0,0 +1,135 @@
+package repomap
+
+import (
+	"context"
+	"encoding/json"
+	"os"
+	"strings"
+	"testing"
+)
+
+// makePlanFileWithSecrets builds a plan file with the given SecretsSummary.
+func makePlanFileWithSecrets(t *testing.T, groups []CommitGroup, secrets SecretsSummary) string {
+	t.Helper()
+	a := CommitAnalysis{
+		Version: 1,
+		Secrets: secrets,
+		Groups:  groups,
+	}
+	data, err := json.Marshal(a)
+	if err != nil {
+		t.Fatalf("marshal plan: %v", err)
+	}
+	f, err := os.CreateTemp(t.TempDir(), "plan-*.json")
+	if err != nil {
+		t.Fatalf("create plan file: %v", err)
+	}
+	if _, err := f.Write(data); err != nil {
+		t.Fatalf("write plan: %v", err)
+	}
+	f.Close()
+	return f.Name()
+}
+
+// Test_Execute_BadTagExitCode verifies that an invalid tag returns an execError
+// with code 2 and makes no commits.
+func Test_Execute_BadTagExitCode(t *testing.T) {
+	t.Parallel()
+	root := initTestRepo(t,
+		map[string]string{"a.go": "package fixture\n"},
+		map[string]string{"a.go": "package fixture\n// changed\n"},
+	)
+	groups := []CommitGroup{
+		{ID: "g1", SuggestedMsg: "feat: update a", Files: []string{"a.go"}},
+	}
+	planFile := makePlanFile(t, groups)
+	beforeCount := gitLogCount(t, root)
+
+	_, err := ExecuteCommit(context.Background(), ExecuteOptions{
+		Root:     root,
+		PlanFile: planFile,
+		Tag:      "not-semver",
+		SkipFix:  true,
+	})
+	if err == nil {
+		t.Fatal("expected error for invalid tag, got nil")
+	}
+	if code := ExecExitCode(err); code != 2 {
+		t.Errorf("ExecExitCode = %d, want 2", code)
+	}
+	if after := gitLogCount(t, root); after != beforeCount {
+		t.Errorf("commits landed despite validation failure: before=%d after=%d", beforeCount, after)
+	}
+}
+
+// Test_Execute_AmbiguousSecretsRefused verifies that a plan with
+// ambiguous_count > 0 is refused with exit code 2, before any git work.
+func Test_Execute_AmbiguousSecretsRefused(t *testing.T) {
+	t.Parallel()
+	root := initTestRepo(t,
+		map[string]string{"a.go": "package fixture\n"},
+		map[string]string{"a.go": "package fixture\n// changed\n"},
+	)
+	groups := []CommitGroup{
+		{ID: "g1", SuggestedMsg: "feat: update a", Files: []string{"a.go"}},
+	}
+	planFile := makePlanFileWithSecrets(t, groups, SecretsSummary{
+		Clean:          true,
+		AmbiguousCount: 1,
+	})
+	beforeCount := gitLogCount(t, root)
+
+	_, err := ExecuteCommit(context.Background(), ExecuteOptions{
+		Root:     root,
+		PlanFile: planFile,
+		SkipFix:  true,
+	})
+	if err == nil {
+		t.Fatal("expected error for ambiguous secrets, got nil")
+	}
+	if code := ExecExitCode(err); code != 2 {
+		t.Errorf("ExecExitCode = %d, want 2", code)
+	}
+	if !strings.Contains(err.Error(), "ambiguous") {
+		t.Errorf("error message missing 'ambiguous': %v", err)
+	}
+	if after := gitLogCount(t, root); after != beforeCount {
+		t.Errorf("commits landed despite secrets gate: before=%d after=%d", beforeCount, after)
+	}
+}
+
+// Test_Execute_DetectedSecretsRefused verifies that a plan with flag_count > 0
+// is refused with exit code 2, before any git work.
+func Test_Execute_DetectedSecretsRefused(t *testing.T) {
+	t.Parallel()
+	root := initTestRepo(t,
+		map[string]string{"a.go": "package fixture\n"},
+		map[string]string{"a.go": "package fixture\n// changed\n"},
+	)
+	groups := []CommitGroup{
+		{ID: "g1", SuggestedMsg: "feat: update a", Files: []string{"a.go"}},
+	}
+	planFile := makePlanFileWithSecrets(t, groups, SecretsSummary{
+		Clean:     false,
+		FlagCount: 1,
+	})
+	beforeCount := gitLogCount(t, root)
+
+	_, err := ExecuteCommit(context.Background(), ExecuteOptions{
+		Root:     root,
+		PlanFile: planFile,
+		SkipFix:  true,
+	})
+	if err == nil {
+		t.Fatal("expected error for detected secrets, got nil")
+	}
+	if code := ExecExitCode(err); code != 2 {
+		t.Errorf("ExecExitCode = %d, want 2", code)
+	}
+	if !strings.Contains(err.Error(), "detected") {
+		t.Errorf("error message missing 'detected': %v", err)
+	}
+	if after := gitLogCount(t, root); after != beforeCount {
+		t.Errorf("commits landed despite secrets gate: before=%d after=%d", beforeCount, after)
+	}
+}