Merge pull request #106 from swarit-stepsecurity/swarit/chore/gate-features

chore: add feature gate to disable/enable features

Author: ashishkurmi

cmd/stepsecurity-dev-machine-guard/main.go

@@ -20,6 +20,7 @@ import (
 	"github.com/step-security/dev-machine-guard/internal/detector/configaudit"
 	"github.com/step-security/dev-machine-guard/internal/device"
 	"github.com/step-security/dev-machine-guard/internal/executor"
+	"github.com/step-security/dev-machine-guard/internal/featuregate"
 	"github.com/step-security/dev-machine-guard/internal/launchd"
 	"github.com/step-security/dev-machine-guard/internal/output"
 	"github.com/step-security/dev-machine-guard/internal/paths"
@@ -47,6 +48,12 @@ func main() {
 	// minimal config.Load (just enough for the upload gate) so this branch
 	// stays free of the rest of main's setup work.
 	if len(os.Args) >= 2 && os.Args[1] == "_hook" {
+		// Gated: silently no-op so any pre-existing hook entry that points
+		// at this binary stays harmless until the feature ships. Override
+		// flows in via STEPSECURITY_OVERRIDE_GATE since Parse hasn't run.
+		if !featuregate.IsEnabled(featuregate.FeatureAIAgentHooks) {
+			os.Exit(0)
+		}
 		os.Exit(aiagentscli.RunHook(os.Stdin, os.Stdout, os.Stderr, os.Args[2:]))
 	}
 
@@ -59,6 +66,10 @@ func main() {
 		os.Exit(1)
 	}
 
+	if cfg.OverrideGate {
+		featuregate.EnableOverride()
+	}
+
 	// Apply saved config values if CLI didn't explicitly override them.
 	// CLI flags always win over config file values (same as the shell script).
 	if len(config.SearchDirs) > 0 && len(cfg.SearchDirs) == 1 && cfg.SearchDirs[0] == "$HOME" {
@@ -298,22 +309,38 @@ func main() {
 		}
 
 	case "hooks install":
+		if !featuregate.IsEnabled(featuregate.FeatureAIAgentHooks) {
+			fmt.Fprintln(os.Stderr, featuregate.UnavailableMessage("hooks install"))
+			os.Exit(1)
+		}
 		os.Exit(aiagentscli.RunInstall(context.Background(), exec, cfg.HooksAgent, os.Stdout, os.Stderr))
 
 	case "hooks uninstall":
+		if !featuregate.IsEnabled(featuregate.FeatureAIAgentHooks) {
+			fmt.Fprintln(os.Stderr, featuregate.UnavailableMessage("hooks uninstall"))
+			os.Exit(1)
+		}
 		os.Exit(aiagentscli.RunUninstall(context.Background(), exec, cfg.HooksAgent, os.Stdout, os.Stderr))
 
 	default:
 		// --npmrc and --pipconfig: focused, verbose pretty audits that
 		// bypass everything else for a fast (~1s) deep dive.
 		if cfg.NPMRCOnly {
+			if !featuregate.IsEnabled(featuregate.FeatureNPMRCAudit) {
+				fmt.Fprintln(os.Stderr, featuregate.UnavailableMessage("--npmrc"))
+				os.Exit(1)
+			}
 			if err := runNPMRCOnly(exec, cfg); err != nil {
 				log.Error("%v", err)
 				os.Exit(1)
 			}
 			return
 		}
 		if cfg.PipConfigOnly {
+			if !featuregate.IsEnabled(featuregate.FeaturePipConfigAudit) {
+				fmt.Fprintln(os.Stderr, featuregate.UnavailableMessage("--pipconfig"))
+				os.Exit(1)
+			}
 			if err := runPipConfigOnly(exec, cfg); err != nil {
 				log.Error("%v", err)
 				os.Exit(1)
@@ -432,6 +459,10 @@ func findLegacyLeftovers(legacy string) []string {
 // in community mode (enterprise config missing) — the existing scan
 // path stays unaffected. Failures are logged but never crash main.
 func runHookStateReconcile(exec executor.Executor, log *progress.Logger) {
+	if !featuregate.IsEnabled(featuregate.FeatureAIAgentHooks) {
+		log.Debug("hook-state reconcile: skipped (feature gated)")
+		return
+	}
 	cfg, ok := ingest.Snapshot()
 	if !ok {
 		log.Debug("hook-state reconcile: skipped (no enterprise config)")

internal/cli/cli.go

@@ -57,6 +57,12 @@ type Config struct {
 	// custom actions and other unattended orchestrators set this so a
 	// transient network hiccup doesn't roll back the whole install.
 	IgnoreTelemetryError bool
+
+	// OverrideGate disables feature gating for this invocation, letting
+	// every capability run regardless of the featuregate allowlist.
+	// Internal — not advertised in --help. Equivalent env var:
+	// STEPSECURITY_OVERRIDE_GATE=1.
+	OverrideGate bool
 }
 
 // supportedHookAgents lists the agent names accepted by `hooks --agent <name>` and `_hook <agent> ...`.
@@ -211,6 +217,8 @@ func Parse(args []string) (*Config, error) {
 			cfg.ConfigScanFrequency = strings.TrimPrefix(arg, "--scan-frequency=")
 		case arg == "--verbose":
 			cfg.Verbose = true
+		case arg == "--override-gate":
+			cfg.OverrideGate = true
 		case strings.HasPrefix(arg, "--log-level="):
 			level := strings.ToLower(strings.TrimPrefix(arg, "--log-level="))
 			switch level {
@@ -312,6 +320,8 @@ func parseHooks(args []string) (*Config, error) {
 			}
 			cfg.InstallDir = rest[i]
 			cfg.InstallDirSet = true
+		case arg == "--override-gate":
+			cfg.OverrideGate = true
 		case arg == "-h" || arg == "--help":
 			printHooksHelp()
 			os.Exit(0)

internal/cli/cli_test.go

@@ -66,6 +66,24 @@ func TestParse_Verbose(t *testing.T) {
 	}
 }
 
+func TestParse_OverrideGate(t *testing.T) {
+	cfg, err := Parse([]string{"--override-gate"})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if !cfg.OverrideGate {
+		t.Error("expected OverrideGate=true on top-level parse")
+	}
+
+	cfg, err = Parse([]string{"hooks", "install", "--override-gate"})
+	if err != nil {
+		t.Fatalf("parseHooks should accept --override-gate: %v", err)
+	}
+	if !cfg.OverrideGate {
+		t.Error("expected OverrideGate=true on hooks parse")
+	}
+}
+
 func TestParse_Color(t *testing.T) {
 	for _, mode := range []string{"auto", "always", "never"} {
 		cfg, err := Parse([]string{"--color=" + mode})

internal/featuregate/featuregate.go

@@ -0,0 +1,55 @@
+// Package featuregate gates capabilities whose corresponding backend
+// support has not yet shipped. Each Feature constant maps 1:1 to a
+// product capability and stays inert until its entry is added to the
+// allowlist below.
+//
+// Bypass for internal dogfooding: pass --override-gate on the CLI or set
+// STEPSECURITY_OVERRIDE_GATE=1 in the environment. The env-var form is
+// the only way to flip the gate before cli.Parse runs, which the _hook
+// hot path relies on (main returns before Parse for that subcommand).
+package featuregate
+
+import (
+	"fmt"
+	"os"
+)
+
+type Feature string
+
+const (
+	FeatureAIAgentHooks   Feature = "ai-agent-hooks"
+	FeatureNPMRCAudit     Feature = "npmrc-audit"
+	FeaturePipConfigAudit Feature = "pipconfig-audit"
+)
+
+// enabled lists features safe to ship today. Uncomment a line once its
+// backend support has merged.
+var enabled = map[Feature]bool{
+	// FeatureAIAgentHooks:   true,
+	// FeatureNPMRCAudit:     true,
+	// FeaturePipConfigAudit: true,
+}
+
+var override bool
+
+func init() {
+	if v := os.Getenv("STEPSECURITY_OVERRIDE_GATE"); v == "1" || v == "true" {
+		override = true
+	}
+}
+
+// EnableOverride turns on the global override. main calls this when
+// --override-gate is present on the command line.
+func EnableOverride() { override = true }
+
+// IsEnabled reports whether a feature should run.
+func IsEnabled(f Feature) bool {
+	return override || enabled[f]
+}
+
+// UnavailableMessage returns the user-facing string printed when a gated
+// command is invoked. Kept here so the wording stays identical across
+// every visible command site.
+func UnavailableMessage(command string) string {
+	return fmt.Sprintf("%s is available only in beta and not yet generally available", command)
+}

internal/featuregate/featuregate_test.go

@@ -0,0 +1,42 @@
+package featuregate
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestIsEnabled_DefaultDeny(t *testing.T) {
+	resetOverride(t)
+	for _, f := range []Feature{FeatureAIAgentHooks, FeatureNPMRCAudit, FeaturePipConfigAudit} {
+		if IsEnabled(f) {
+			t.Errorf("%s should be gated by default", f)
+		}
+	}
+}
+
+func TestIsEnabled_OverrideEnablesEverything(t *testing.T) {
+	resetOverride(t)
+	EnableOverride()
+	for _, f := range []Feature{FeatureAIAgentHooks, FeatureNPMRCAudit, FeaturePipConfigAudit} {
+		if !IsEnabled(f) {
+			t.Errorf("%s should be enabled when override is set", f)
+		}
+	}
+}
+
+func TestUnavailableMessage(t *testing.T) {
+	msg := UnavailableMessage("hooks install")
+	if !strings.Contains(msg, "hooks install") {
+		t.Errorf("message %q should name the command", msg)
+	}
+	if !strings.Contains(msg, "beta") {
+		t.Errorf("message %q should mention beta", msg)
+	}
+}
+
+func resetOverride(t *testing.T) {
+	t.Helper()
+	prev := override
+	t.Cleanup(func() { override = prev })
+	override = false
+}

internal/scan/scanner.go

@@ -11,6 +11,7 @@ import (
 	"github.com/step-security/dev-machine-guard/internal/detector/configaudit"
 	"github.com/step-security/dev-machine-guard/internal/device"
 	"github.com/step-security/dev-machine-guard/internal/executor"
+	"github.com/step-security/dev-machine-guard/internal/featuregate"
 	"github.com/step-security/dev-machine-guard/internal/model"
 	"github.com/step-security/dev-machine-guard/internal/output"
 	"github.com/step-security/dev-machine-guard/internal/progress"
@@ -208,20 +209,28 @@ func Run(exec executor.Executor, log *progress.Logger, cfg *cli.Config) error {
 	}
 
 	// npm config audit — surface-only inventory of every .npmrc on the host
-	// plus the merged effective view npm itself would resolve. Always on;
-	// the audit is cheap (a few stat calls and at most two npm invocations).
-	log.StepStart("Auditing npm configuration")
-	start = time.Now()
+	// plus the merged effective view npm itself would resolve. The audit is
+	// cheap (a few stat calls and at most two npm invocations) but stays
+	// inert until the feature ships; zero-value structs flow through to the
+	// output so JSON/HTML keep emitting the audit shape.
 	loggedInUser, _ := exec.LoggedInUser()
-	npmrcAudit := configaudit.NewNPMRCDetector(exec).Detect(ctx, searchDirs, loggedInUser)
-	log.StepDone(time.Since(start))
+	var npmrcAudit model.NPMRCAudit
+	if featuregate.IsEnabled(featuregate.FeatureNPMRCAudit) {
+		log.StepStart("Auditing npm configuration")
+		start = time.Now()
+		npmrcAudit = configaudit.NewNPMRCDetector(exec).Detect(ctx, searchDirs, loggedInUser)
+		log.StepDone(time.Since(start))
+	}
 
 	// pip config audit — same shape: every pip.conf / pip.ini discovered,
 	// merged effective view, env-var snapshot, and a fixed finding catalog.
-	log.StepStart("Auditing pip configuration")
-	start = time.Now()
-	pipAudit := configaudit.NewPipConfigDetector(exec).Detect(ctx, loggedInUser)
-	log.StepDone(time.Since(start))
+	var pipAudit model.PipAudit
+	if featuregate.IsEnabled(featuregate.FeaturePipConfigAudit) {
+		log.StepStart("Auditing pip configuration")
+		start = time.Now()
+		pipAudit = configaudit.NewPipConfigDetector(exec).Detect(ctx, loggedInUser)
+		log.StepDone(time.Since(start))
+	}
 
 	// Ensure no nil slices (JSON must emit [] not null)
 	if aiTools == nil {