Command: cargo capsec watch
Value proposition: Catch ambient authority introduction at the moment of authorship, not in CI ten minutes later. Like cargo clippy --fix running in the background, but for capability boundaries.
Could maybe be an IDE plugin
Devil's Advocate:
Why not just add a pre-commit hook and call it a day?
User stories:
- As a developer working on a sans-IO core module, I want immediate feedback when I accidentally add a
std::fs::read call, so I can fix it before committing.
- As a team lead, I want developers to see capability violations in their terminal while coding, so the audit becomes part of the development loop rather than a CI gate.
Tasks
2.1 — File watcher integration
Add notify (or watchexec-events) as an optional dependency behind a watch feature flag. Watch src/ directories for .rs file changes.
#[derive(clap::Args)]
pub struct WatchArgs {
/// Path to workspace root
#[arg(short, long, default_value = ".")]
pub path: PathBuf,
/// Minimum risk level to report
#[arg(long, default_value = "low")]
pub min_risk: String,
/// Clear terminal on each re-scan
#[arg(long)]
pub clear: bool,
/// Debounce interval in milliseconds
#[arg(long, default_value_t = 300)]
pub debounce_ms: u64,
}2.2 — Incremental scanning
Don't re-scan the entire workspace on every file save. Maintain a cache of ParsedFile + Vec<Finding> per source file. When a file changes:
- Re-parse only that file.
- Re-run detection on only that file.
- Merge findings with the cached results from other files.
- Re-render output.
Data structure:
struct WatchState {
/// file path → (parsed, findings, last_modified)
file_cache: HashMap<PathBuf, (ParsedFile, Vec<Finding>, SystemTime)>,
/// Aggregate findings across all files
all_findings: Vec<Finding>,
}2.3 — Terminal output for watch mode
Use a compact, continuously-updated output format. Show:
- A status line:
Watching 42 files | 7 findings (2 new) | last scan: 0.3s ago
- Only new/changed findings since the last successful scan, highlighted.
- A full summary on first run or when
--clear is set.
Consider using crossterm or ratatui for cursor control, but a simple clear-and-reprint approach works fine for v1.
2.4 — Integration with cargo capsec audit --diff
When watch mode detects a new finding that didn't exist in the baseline, highlight it differently. This makes the baseline-driven workflow seamless: save a baseline, start watch mode, see only regressions.
Command:
cargo capsec watchValue proposition: Catch ambient authority introduction at the moment of authorship, not in CI ten minutes later. Like
cargo clippy --fixrunning in the background, but for capability boundaries.Could maybe be an IDE plugin
Devil's Advocate:
Why not just add a pre-commit hook and call it a day?
User stories:
std::fs::readcall, so I can fix it before committing.Tasks
2.1 — File watcher integration
Add
notify(orwatchexec-events) as an optional dependency behind awatchfeature flag. Watchsrc/directories for.rsfile changes.2.2 — Incremental scanning
Don't re-scan the entire workspace on every file save. Maintain a cache of
ParsedFile+Vec<Finding>per source file. When a file changes:Data structure:
2.3 — Terminal output for watch mode
Use a compact, continuously-updated output format. Show:
Watching 42 files | 7 findings (2 new) | last scan: 0.3s ago--clearis set.Consider using
crosstermorratatuifor cursor control, but a simple clear-and-reprint approach works fine for v1.2.4 — Integration with
cargo capsec audit --diffWhen watch mode detects a new finding that didn't exist in the baseline, highlight it differently. This makes the baseline-driven workflow seamless: save a baseline, start watch mode, see only regressions.