Metadata-Version: 2.4
Name: wrg-devguard
Version: 0.1.0
Summary: Developer-first AI safety checks: prompt-policy lint + secret scanning. Zero-dep CLI + GitHub Action + Claude Skill + Cursor Rule.
Author: Yakuphan Yucel
License-Expression: MIT
Project-URL: Homepage, https://github.com/yakuphanycl/wrg-devguard
Project-URL: Repository, https://github.com/yakuphanycl/wrg-devguard
Project-URL: Issues, https://github.com/yakuphanycl/wrg-devguard/issues
Project-URL: Changelog, https://github.com/yakuphanycl/wrg-devguard/releases
Keywords: security,secret-scanning,policy-lint,ai-safety,prompt-security,devsecops,pre-commit,github-action,claude-skill,cursor-rule
Classifier: Development Status :: 4 - Beta
Classifier: Intended Audience :: Developers
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Quality Assurance
Classifier: Topic :: Software Development :: Testing
Requires-Python: >=3.11
Description-Content-Type: text/markdown
License-File: LICENSE
Provides-Extra: yaml
Requires-Dist: PyYAML>=6.0; extra == "yaml"
Provides-Extra: dev
Requires-Dist: pytest>=8; extra == "dev"
Dynamic: license-file

# wrg-devguard

**Developer-first AI safety checks: prompt-policy lint + secret scanning.**

Zero-dependency Python CLI that scans a repository for two classes of issues
before your PR lands:

1. **Leaked secrets** — API keys, private keys, tokens, common credential
   formats in tracked files.
2. **Prompt-policy violations** — deny-listed patterns in prompts, system
   messages, and AI-facing text assets (configurable via JSON policy).

Ships as:

- A Python package (`pip install wrg-devguard`)
- A GitHub Action (drop-in composite action for any repo)
- A Claude Code skill (`.claude/skills/wrg-devguard/`)
- A Cursor rule (`.cursor/rules/wrg-devguard.mdc`)

No external dependencies in the core scanner (stdlib only). Optional `[yaml]`
extra for YAML policy files. Optional `bandit` subcommand for Python security
scanning.

## Install

```bash
pip install wrg-devguard
```

For YAML policy support:

```bash
pip install "wrg-devguard[yaml]"
```

## Quick start

```bash
# Run both checks; exit non-zero on any finding at or above the `error` threshold
wrg-devguard check --path . --fail-on error

# Scan only for leaked secrets
wrg-devguard scan-secrets --path .

# Lint AI-facing text assets against a policy
wrg-devguard lint-policy --path . --profile strict

# Emit a JSON report for CI
wrg-devguard check --path . --json-out wrg-devguard-report.json
```

## GitHub Action

```yaml
# .github/workflows/security.yml
name: security
on: [pull_request, push]

jobs:
  wrg-devguard:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: yakuphanycl/wrg-devguard@v1
        with:
          profile: strict
          fail-on: error
```

See [`action.yml`](./action.yml) for all inputs.

## Claude Code skill

Drop the skill into your workspace:

```bash
mkdir -p .claude/skills/wrg-devguard
curl -L https://raw.githubusercontent.com/yakuphanycl/wrg-devguard/main/.claude/skills/wrg-devguard/SKILL.md \
  -o .claude/skills/wrg-devguard/SKILL.md
```

Claude Code will surface the skill automatically when you ask things like
"scan for secrets", "is this safe to commit", or "check for leaks".

## Cursor rule

Drop the rule into your workspace:

```bash
mkdir -p .cursor/rules
curl -L https://raw.githubusercontent.com/yakuphanycl/wrg-devguard/main/.cursor/rules/wrg-devguard.mdc \
  -o .cursor/rules/wrg-devguard.mdc
```

Cursor will apply the rule before suggesting any `git commit` command.

## Policy file

Default lookup order:

1. `--policy <path>` argument if provided
2. `.wrg/policy.json` at the repo root
3. Built-in defaults

Profiles:

- `default` → PR-friendly baseline (recommended for CI)
- `strict` → stricter local/release audits (use `--profile strict`)

Place custom policies in `.wrg/policy.json` (JSON) or `.wrg/policy.yaml`
(requires `[yaml]` extra).

## Commands

```bash
wrg-devguard profiles                           # list available profiles
wrg-devguard lint-policy --path .               # policy lint only
wrg-devguard scan-secrets --path .              # secret scan only
wrg-devguard check --path .                     # both, single JSON report
wrg-devguard check --path . --profile strict
wrg-devguard check --path . --json-out report.json
wrg-devguard check --path . --fail-on warning
wrg-devguard check --path . --allowlist .wrg/allowlist.json
wrg-devguard bandit --path src/                 # optional: bandit wrapper
```

## Exit codes

- `0` — no findings above threshold
- `1` — findings at or above `--fail-on` threshold
- `2` — configuration or input error
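
In a hook or CI step the three codes call for different handling: `2` means the scan did not produce a usable result, so it must not be read as a pass. The gate below is an added example, not part of wrg-devguard; `devguard_gate`, the `DEVGUARD_CMD` override and the return value `3` are hypothetical names and choices introduced here.

```bash
#!/usr/bin/env bash
# Added example, not part of wrg-devguard: a fail-closed gate for a
# pre-commit hook or CI step, built on the exit codes documented above.
# devguard_gate and DEVGUARD_CMD are hypothetical names; DEVGUARD_CMD only
# exists so the gate can be exercised against a stub command.

devguard_gate() {
  # Usage: devguard_gate <path> <fail-on> [json-report-path]
  dg_path="${1:-.}"
  dg_fail_on="${2:-error}"
  dg_report="${3:-}"
  dg_rc=0

  # Build the argument list from flags shown in the README.
  set -- check --path "$dg_path" --fail-on "$dg_fail_on"
  if [ -n "$dg_report" ]; then
    set -- "$@" --json-out "$dg_report"
  fi

  # Capture the exit code instead of letting `set -e` abort the caller.
  ${DEVGUARD_CMD:-wrg-devguard} "$@" || dg_rc=$?

  case "$dg_rc" in
    0) echo "devguard: no findings at or above '$dg_fail_on'" >&2
       return 0 ;;
    1) echo "devguard: findings at or above '$dg_fail_on', blocking" >&2
       return 1 ;;
    2) echo "devguard: configuration or input error, not a pass" >&2
       return 2 ;;
    *) # Not installed (127), killed, or crashed: never treat as a pass.
       echo "devguard: unexpected exit code $dg_rc, failing closed" >&2
       return 3 ;;
  esac
}

# In .git/hooks/pre-commit or a CI step:
#   devguard_gate . error wrg-devguard-report.json || exit $?
```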

## Why another secret scanner?

- **Zero runtime deps** — the core scanner is stdlib only, so `pip install` is
  instant and works in any sandbox.
- **Policy lint in the same tool** — most scanners only do secrets. We also
  catch prompt-policy violations (deny-listed patterns, hardcoded system
  prompts, PII in AI-facing text).
- **AI-native UX** — ships with a Claude skill and a Cursor rule so the
  scanner runs automatically inside your AI coding assistant, not just in CI.
- **Stable JSON schema** — `check --json-out` emits a versioned schema that
  never breaks.

## Development

```bash
git clone https://github.com/yakuphanycl/wrg-devguard.git
cd wrg-devguard
pip install -e ".[dev]"
pytest -q
```

## License

MIT. See [LICENSE](./LICENSE).

## Contributing

Issues and PRs welcome. For substantial changes, open an issue first to
discuss scope.

---

Part of the [WinstonRedGuard](https://github.com/yakuphanycl/WinstonRedGuard)
ecosystem. The monorepo at `apps/wrg_devguard/` is the canonical source; this
repo is a distribution mirror kept in sync on every release.
