feat: add hook uninstall, init aliases, and CLI subcommands

CHANGELOG.md

@@ -4,6 +4,26 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+### Changed
+
+- Simplified distribution to a single shipped binary: `key-watch`
+- Git hook installation now supports first-class global hooks via `core.hooksPath`
+- Installation guidance is now cargo-first, with manual GitHub Releases setup documented step by step
+- CLI moved from flat top-level flags to subcommands: `scan`, `hook install|uninstall`, `init`, and `verify-integrity`
+- Local hook installation now resolves Git's hooks directory directly, improving worktree and submodule compatibility
+
+### Added
+
+- Hook uninstall support for local and global Git hooks
+- `init bash|zsh|fish|posix` to print shell aliases for `keywatch` and `kw`
+- README now documents uninstall steps for both `cargo install` and manual GitHub Releases installs
+- Regression coverage for overlapping scan roots with root-relative exclude patterns
+
+### Removed
+
+- Duplicate Cargo binary wrappers for `keywatch` and `watch`
+- `scripts/install.sh` in favor of documented `cargo install` and manual release-binary setup
+
 ## [1.1.0] - 2026-05-05
 
 ### Added

Cargo.toml

@@ -10,19 +10,6 @@ homepage = "https://github.com/pixincreate/KeyWatch"
 keywords = ["secret-scanner", "security", "credentials", "lint"]
 
 license = "GPL-3.0-only"
-license-file = "LICENSE"
-
-[[bin]]
-name = "key-watch"
-path = "src/main.rs"
-
-[[bin]]
-name = "keywatch"
-path = "src/bin/keywatch.rs"
-
-[[bin]]
-name = "watch"
-path = "src/bin/watch.rs"
 
 [dependencies]
 clap = { version = "4.6.1", features = ["derive"] }

README.md

@@ -4,65 +4,163 @@ A fast secret scanner for files and directories.
 
 ## Install
 
+### Recommended: cargo install
+
 ```sh
-# Recommended
-cargo install --git https://github.com/pixincreate/KeyWatch.git
+cargo install key-watch
+key-watch --version
+
+# Enable aliases for your current shell session
+eval "$(key-watch init bash)"
+```
 
-# Or use the install script
-./scripts/install.sh
+To make aliases persistent, add the init line to your shell config file:
+
+```sh
+# bash
+echo 'eval "$(key-watch init bash)"' >> ~/.bashrc
 
-# Manual: download binary, add to PATH
+# zsh
+echo 'eval "$(key-watch init zsh)"' >> ~/.zshrc
+```
+
+### Manual install from GitHub Releases
+
+1. Download the correct binary for your OS/architecture from GitHub Releases.
+2. Move it to a directory on your `PATH`, for example `~/.local/bin`.
+3. Make it executable.
+4. Verify it runs.
+5. Enable aliases with `init`.
+
+```sh
+mkdir -p ~/.local/bin
+mv ~/Downloads/key-watch ~/.local/bin/key-watch
+chmod +x ~/.local/bin/key-watch
+~/.local/bin/key-watch --version
+
+# Enable aliases for current shell session
+eval "$(~/.local/bin/key-watch init bash)"
 ```
 
 Requires Rust 1.85+ (edition 2024) when building from source.
 
+The canonical command is `key-watch`.
+`keywatch` and `kw` are optional shell aliases exposed via `key-watch init ...`.
+
+## Uninstall
+
+### If installed with `cargo install`
+
+```sh
+cargo uninstall key-watch
+```
+
+If you added aliases to your shell config, remove the init line you added earlier, for example:
+
+```sh
+# bash
+sed -i.bak '/key-watch init bash/d' ~/.bashrc
+
+# zsh
+sed -i.bak '/key-watch init zsh/d' ~/.zshrc
+```
+
+### If installed manually from GitHub Releases
+
+1. Remove the `key-watch` binary from your `PATH` directory.
+2. Remove any shell init line you added for aliases.
+3. Restart your shell or reload your shell config.
+
+```sh
+rm -f ~/.local/bin/key-watch
+
+# If you added aliases for the current shell config, remove that line manually
+# then reload your shell config, for example:
+source ~/.bashrc
+```
+
 ## Usage
 
 ```sh
 # Scan a file
-keywatch --file secrets.txt
+key-watch scan secrets.txt
 
 # Scan a directory
-keywatch --dir .
+key-watch scan .
 
 # Verbose output (JSON)
-keywatch --file secrets.txt --verbose
+key-watch scan secrets.txt --verbose
 
 # Install git hook
-keywatch --install-hook pre-commit
-keywatch --install-hook pre-push
+key-watch hook install pre-commit
+key-watch hook install pre-push
+
+# Remove git hook
+key-watch hook uninstall pre-commit
+key-watch hook uninstall pre-push
+
+# Install git hook globally via core.hooksPath
+key-watch hook install pre-commit --global
+key-watch hook install pre-push --global
+
+# Remove global hook
+key-watch hook uninstall pre-commit --global
+key-watch hook uninstall pre-push --global
+
+# Print shell aliases
+eval "$(key-watch init bash)"
+
+# Verify binary integrity
+key-watch verify-integrity
 ```
 
 ## Options
 
-- `--file <path>` - Scan a single file
-- `--dir <path>` - Scan a directory recursively
-- `--output <path>` - Save report to file
-- `--verbose` - Print full JSON output
-- `--exclude <patterns>` - Comma-separated glob patterns to exclude
-- `--exit-mode <mode>` - Exit behavior: `always` (always pass), `critical` (fail on HIGH only), `strict` (fail on any finding, default)
-- `--install-hook <type>` - Install pre-commit or pre-push hook
-- `--verify-integrity` - Check binary hasn't been tampered with
-- `--allowed-repos <urls>` - Whitelist repos (pre-push)
-- `--blocked-repos <urls>` - Block repos (pre-push)
+- `scan <path>...` - Scan one or more files or directories
+- `scan --output <path>` - Save report to file
+- `scan --verbose` - Print full JSON output
+- `scan --exclude <patterns>` - Comma-separated glob patterns to exclude
+- `scan --exit-mode <mode>` - Exit behavior: `always` (always pass), `critical` (fail on HIGH only), `strict` (fail on any finding, default)
+- `hook install <pre-commit|pre-push> [--global]` - Install a git hook
+- `hook uninstall <pre-commit|pre-push> [--global]` - Remove a git hook
+- `hook install pre-push --allowed-repos <urls>` - Whitelist repos for pre-push hooks
+- `hook install pre-push --blocked-repos <urls>` - Block repos for pre-push hooks
+- `hook install pre-commit --exclude <patterns>` - Exclude patterns for pre-commit scans
+- `init <shell>` - Print shell aliases for `keywatch` and `kw`
+- `verify-integrity` - Check binary hasn't been tampered with
 
 ## Aliases
 
-`key-watch`, `keywatch`, `watch` are equivalent.
+- `key-watch` is the only shipped binary.
+- `keywatch` and `kw` are optional aliases.
+- `key-watch init bash|zsh|fish|posix` prints shell aliases you can eval in your shell.
+- `watch` is intentionally not used, to avoid colliding with the standard Unix `watch` command.
 
 ## Exit Codes
 
-| Code | Meaning                                    |
-| ---- | ------------------------------------------ |
-| 0    | No secrets found (or `--exit-mode always`) |
-| 1    | Secret found (in strict/critical mode)     |
-| 2    | Runtime/configuration error                |
+| Code | Meaning                                         |
+| ---- | ----------------------------------------------- |
+| 0    | No secrets found (or `scan --exit-mode always`) |
+| 1    | Secret found (in strict/critical mode)          |
+| 2    | Runtime/configuration error                     |
 
 ## Default Behavior
 
 - **Repos**: All allowed (no restrictions)
 - **Exit mode**: strict (fail on any finding)
 
+## Git Hooks
+
+- `hook install pre-commit|pre-push` installs a repo-local hook into `.git/hooks/`
+- `hook uninstall pre-commit|pre-push` removes a KeyWatch hook from the same target
+- `hook install ... --global` installs into Git's global hooks directory
+- `hook uninstall ... --global` removes the hook from Git's global hooks directory
+- Local hook paths are resolved via `git rev-parse --git-path hooks`, so installs work in worktrees and submodules too
+- If `core.hooksPath` is already configured, KeyWatch installs into that directory
+- Otherwise KeyWatch creates a managed hooks directory and configures `git config --global core.hooksPath`
+- KeyWatch refuses to overwrite a non-KeyWatch global hook file
+- KeyWatch also refuses to remove a non-KeyWatch global hook file
+
 ## Development
 
 ```sh