diffguard 0.2.0

CLI for diff-scoped governance linting in pull requests
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116

# diffguard

Command-line interface for diff-scoped governance linting.

This crate is the workspace I/O boundary. It owns:

- CLI parsing (`clap`)
- config loading/merge (`diffguard.toml`, includes, env expansion)
- git integration (`base/head`, `--staged`, blame filtering)
- invoking `diffguard-core`
- writing receipts/reports and returning stable exit codes

## Install

```bash
# crates.io
cargo install diffguard

# workspace source
cargo install --path crates/diffguard
```

## Command Surface

`diffguard` commands:

- `check` - evaluate rules on diff-scoped lines
- `rules` - print effective rules (toml/json)
- `explain` - show details for one rule ID
- `validate` - validate config regex/globs and optional strict checks
- `init` - write starter `diffguard.toml`
- `test` - run `rule.test_cases` from config
- `trend` - summarize trend-history files
- `sarif` / `junit` / `csv` - render existing receipt files

## Quick Start

```bash
diffguard init --preset minimal

diffguard check \
  --base origin/main \
  --head HEAD \
  --config diffguard.toml \
  --out artifacts/diffguard/report.json \
  --md artifacts/diffguard/comment.md \
  --sarif artifacts/diffguard/report.sarif.json \
  --github-annotations
```

Non-git input is also supported:

```bash
diffguard check --diff-file patch.diff
git diff --cached | diffguard check --diff-file -
```

## `check` Highlights

Input selection:

- `--base <REF>` (repeatable) and `--head <REF>`
- `--staged`
- `--diff-file <PATH|->`

Policy and filtering:

- `--scope added|changed|modified|deleted`
- `--fail-on error|warn|never`
- `--max-findings <N>`
- `--paths <GLOB>` (repeatable)
- `--only-tags` / `--enable-tags` / `--disable-tags`
- `--language <LANG>` (force preprocessing language)
- `--blame-author` / `--blame-max-age-days`

Outputs:

- `--out` (JSON receipt)
- `--md`
- `--sarif`
- `--junit`
- `--csv` / `--tsv`
- `--sensor`
- `--rule-stats`
- `--false-positive-baseline`
- `--write-false-positive-baseline`
- `--trend-history` / `--trend-max-runs`
- `--github-annotations`

## Exit Codes

Stable exit code contract in standard mode:

- `0` pass
- `1` tool/runtime error
- `2` policy fail
- `3` warn-fail (when `fail_on=warn`)

`--mode cockpit` changes behavior to integration-focused semantics:

- `0` when a receipt is successfully written
- `1` only on catastrophic failure

## Presets

`diffguard init --preset ...` supports:

- `minimal`
- `rust-quality`
- `secrets`
- `js-console`
- `python-debug`

## License

Licensed under either of [Apache License, Version 2.0](../../LICENSE-APACHE) or [MIT license](../../LICENSE-MIT) at your option.