zift 0.2.2

Scan codebases for embedded authorization logic and generate Policy as Code (Rego/OPA today)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183

use std::path::Path;

use serde::Deserialize;

use crate::error::{Result, ZiftError};

#[derive(Debug, Default, Deserialize)]
#[serde(default)]
pub struct ZiftConfig {
    pub scan: ScanConfig,
    pub deep: DeepConfig,
    pub extract: ExtractConfig,
    pub rules: RulesConfig,
}

#[derive(Debug, Default, Deserialize)]
#[serde(default)]
pub struct ScanConfig {
    pub exclude: Vec<String>,
    pub languages: Vec<String>,
    pub min_confidence: Option<String>,
}

#[derive(Debug, Default, Deserialize)]
#[serde(default)]
pub struct DeepConfig {
    /// Transport mode: `"http"` (PR 1) or `"subprocess"` (PR 3). When
    /// unset, [`crate::deep::config::resolve_mode`] infers from which
    /// other fields are populated. Default is `"http"`.
    pub mode: Option<String>,
    /// OpenAI-compatible chat-completions endpoint, e.g. "http://localhost:11434/v1".
    /// Used only when `mode = "http"`.
    pub base_url: Option<String>,
    /// Model name to send to the agent endpoint. Used only when `mode = "http"`.
    pub model: Option<String>,
    /// Shell command line invoked per request when `mode = "subprocess"`.
    /// Receives a single JSON envelope on stdin (`{system, user, schema}`)
    /// and must write a JSON object matching the deep-mode response schema
    /// to stdout. Examples: `claude -p --output-format json`,
    /// `aider --no-auto-commits`, or any user wrapper script.
    pub agent_cmd: Option<String>,
    /// Per-request timeout (seconds) for the subprocess transport. LLM
    /// CLIs are noticeably slower than HTTP — 30s+ cold starts are normal
    /// for `claude -p`. Default is 600s; tune down if your agent is
    /// faster.
    pub agent_timeout_secs: Option<u64>,
    /// Maximum spend limit in USD.
    pub max_cost: Option<f64>,
    /// USD cost per 1k input tokens. Required for `max_cost` to bind on
    /// hosted models — without this (and `cost_per_1k_output`), the spend
    /// tracker is a no-op. Subprocess transport does not report tokens,
    /// so this only affects HTTP mode in practice.
    pub cost_per_1k_input: Option<f64>,
    /// USD cost per 1k output tokens. See `cost_per_1k_input`.
    pub cost_per_1k_output: Option<f64>,
    // NOTE: api_key is intentionally NOT readable from this file — keys belong
    // in $ZIFT_AGENT_API_KEY or --api-key, not checked into source control.
}

#[derive(Debug, Default, Deserialize)]
#[serde(default)]
pub struct ExtractConfig {
    pub package_prefix: Option<String>,
    pub output_dir: Option<String>,
}

#[derive(Debug, Default, Deserialize)]
#[serde(default)]
pub struct RulesConfig {
    pub additional: Vec<String>,
}

pub fn load_config(path: &Path) -> Result<ZiftConfig> {
    if !path.exists() {
        tracing::debug!("no config file at {}, using defaults", path.display());
        return Ok(ZiftConfig::default());
    }

    let content = std::fs::read_to_string(path)?;
    let config: ZiftConfig = toml::from_str(&content).map_err(|e| ZiftError::ConfigParse {
        path: path.to_path_buf(),
        source: e,
    })?;

    tracing::debug!("loaded config from {}", path.display());
    Ok(config)
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn default_config() {
        let config = ZiftConfig::default();
        assert!(config.scan.exclude.is_empty());
        assert!(config.deep.base_url.is_none());
        assert!(config.extract.package_prefix.is_none());
    }

    #[test]
    fn parse_full_config() {
        let toml = r#"
[scan]
exclude = ["vendor/**", "node_modules/**"]
languages = ["java", "typescript"]
min_confidence = "medium"

[deep]
mode = "http"
base_url = "http://localhost:11434/v1"
model = "qwen2.5-coder:14b"
max_cost = 5.00
cost_per_1k_input = 0.00015
cost_per_1k_output = 0.0006

[extract]
package_prefix = "app.authz"
output_dir = "./policies/generated"

[rules]
additional = ["./custom-rules"]
"#;
        let config: ZiftConfig = toml::from_str(toml).unwrap();
        assert_eq!(config.scan.exclude.len(), 2);
        assert_eq!(config.scan.languages, vec!["java", "typescript"]);
        assert_eq!(config.deep.mode.as_deref(), Some("http"));
        assert_eq!(
            config.deep.base_url.as_deref(),
            Some("http://localhost:11434/v1")
        );
        assert_eq!(config.deep.model.as_deref(), Some("qwen2.5-coder:14b"));
        // HTTP mode leaves the subprocess fields unset so transport
        // selection in `deep::config::resolve_mode` stays unambiguous.
        assert!(config.deep.agent_cmd.is_none());
        assert!(config.deep.agent_timeout_secs.is_none());
        assert_eq!(config.deep.max_cost, Some(5.0));
        assert_eq!(config.deep.cost_per_1k_input, Some(0.00015));
        assert_eq!(config.deep.cost_per_1k_output, Some(0.0006));
        assert_eq!(config.extract.package_prefix.as_deref(), Some("app.authz"));
        assert_eq!(config.rules.additional, vec!["./custom-rules"]);
    }

    #[test]
    fn parse_subprocess_deep_config() {
        // Mirror of `parse_full_config` for the subprocess transport,
        // pinned so the new fields can't silently break deserialization.
        let toml = r#"
[deep]
mode = "subprocess"
agent_cmd = "claude -p --output-format json"
agent_timeout_secs = 300
"#;
        let config: ZiftConfig = toml::from_str(toml).unwrap();
        assert_eq!(config.deep.mode.as_deref(), Some("subprocess"));
        assert_eq!(
            config.deep.agent_cmd.as_deref(),
            Some("claude -p --output-format json"),
        );
        assert_eq!(config.deep.agent_timeout_secs, Some(300));
        // Subprocess mode legitimately leaves HTTP fields blank.
        assert!(config.deep.base_url.is_none());
        assert!(config.deep.model.is_none());
    }

    #[test]
    fn parse_partial_config() {
        let toml = r#"
[scan]
exclude = ["vendor/**"]
"#;
        let config: ZiftConfig = toml::from_str(toml).unwrap();
        assert_eq!(config.scan.exclude, vec!["vendor/**"]);
        assert!(config.scan.languages.is_empty());
        assert!(config.deep.base_url.is_none());
    }

    #[test]
    fn missing_config_file_returns_defaults() {
        let config = load_config(Path::new("nonexistent.toml")).unwrap();
        assert!(config.scan.exclude.is_empty());
    }
}