@eddacraft/anvil-runtime 0.1.0

package/dist/gate/checks/secret/git-scanner.js

@@ -0,0 +1,90 @@
+/**
+ * Git Scanner - Scan git history for secrets in recent commits
+ *
+ * Scans git commit diffs to find secrets that may have been committed in the past.
+ */
+import { execFile } from 'node:child_process';
+import { promisify } from 'node:util';
+import { createDebugger } from '@eddacraft/anvil-core';
+import { SECRET_PATTERNS, PatternMatcher } from './secret-patterns.js';
+const log = createDebugger('check');
+const execFileAsync = promisify(execFile);
+/**
+ * Git scanner for finding secrets in repository history
+ */
+export class GitScanner {
+    matcher = new PatternMatcher();
+    /**
+     * Scan git history for secrets in recent commits
+     */
+    async scanGitHistory(workspaceRoot, config) {
+        log(`git-scanner: starting git history scan, workspace=${workspaceRoot}, depth=${config.git_history_depth}`);
+        const findings = [];
+        // Clamp depth to a sane range (1–1000)
+        const depth = Math.max(1, Math.min(1000, Math.floor(config.git_history_depth)));
+        try {
+            // Check if we're in a git repository (handles worktrees where .git is a file)
+            try {
+                await execFileAsync('git', ['rev-parse', '--git-dir'], { cwd: workspaceRoot });
+            }
+            catch {
+                log('git-scanner: not a git repository, skipping');
+                return findings;
+            }
+            // Get recent commit diffs
+            const { stdout } = await execFileAsync('git', [
+                'log',
+                '-p',
+                `-${depth}`,
+                '--all',
+                '--diff-filter=A',
+                '--',
+                '*.ts',
+                '*.js',
+                '*.json',
+                '*.env*',
+                '*.yaml',
+                '*.yml',
+            ], {
+                cwd: workspaceRoot,
+                maxBuffer: 10 * 1024 * 1024,
+                timeout: 60_000,
+            });
+            // Parse git diff output
+            const commitBlocks = stdout.split(/^commit /m).slice(1);
+            log(`git-scanner: scanning ${commitBlocks.length} commit blocks`);
+            for (const block of commitBlocks) {
+                const commitMatch = block.match(/^([a-f0-9]+)/);
+                const commitHash = commitMatch ? commitMatch[1].substring(0, 8) : 'unknown';
+                // Find added lines (starting with +)
+                const addedLines = block
+                    .split('\n')
+                    .filter((line) => line.startsWith('+') && !line.startsWith('+++'));
+                for (const addedLine of addedLines) {
+                    const lineContent = addedLine.substring(1); // Remove the + prefix
+                    // Check for pattern matches
+                    for (const pattern of SECRET_PATTERNS) {
+                        const matches = lineContent.match(pattern.pattern);
+                        if (matches && !this.matcher.isAllowlisted(matches[0], config.allowlist)) {
+                            findings.push({
+                                file: `git-history:${commitHash}`,
+                                line: 0,
+                                type: `${pattern.name} (in git history)`,
+                                match: this.matcher.redactSecret(matches[0]),
+                                context: this.matcher.redactLine(lineContent.trim()),
+                                source: 'git-history',
+                            });
+                        }
+                    }
+                }
+            }
+        }
+        catch {
+            log('git-scanner: git command failed, skipping history scan');
+            // Git command failed, likely not a git repo or git not available
+            // Silently skip git history scanning
+        }
+        log(`git-scanner: scan complete, found ${findings.length} findings`);
+        return findings;
+    }
+}

package/dist/gate/checks/secret/secret-patterns.d.ts

@@ -0,0 +1,42 @@
+/**
+ * Secret Patterns - Pattern definitions and matching for secret detection
+ *
+ * Contains regex patterns for detecting various types of secrets and sensitive data.
+ */
+/**
+ * Secret pattern definition
+ */
+export interface SecretPattern {
+    name: string;
+    pattern: RegExp;
+}
+/**
+ * Secret patterns for common API keys, tokens, and sensitive data
+ */
+export declare const SECRET_PATTERNS: SecretPattern[];
+/**
+ * Default patterns to allowlist (common false positives)
+ */
+export declare const DEFAULT_ALLOWLIST: RegExp[];
+/**
+ * Pattern matcher for secret detection
+ */
+export declare class PatternMatcher {
+    /**
+     * Check if a string is allowlisted
+     */
+    isAllowlisted(str: string, customAllowlist: string[]): boolean;
+    /**
+     * Check if a string looks like code (not a secret)
+     */
+    looksLikeCode(str: string): boolean;
+    /**
+     * Redact secret value for safe display
+     */
+    redactSecret(secret: string): string;
+    /**
+     * Redact potential secrets in a line for safe display
+     */
+    redactLine(line: string): string;
+}
+//# sourceMappingURL=secret-patterns.d.ts.map

package/dist/gate/checks/secret/secret-patterns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-patterns.d.ts","sourceRoot":"","sources":["../../../../src/gate/checks/secret/secret-patterns.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAMH;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EA4C1C,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,iBAAiB,EAAE,MAAM,EAYrC,CAAC;AAEF;;GAEG;AACH,qBAAa,cAAc;IACzB;;OAEG;IACH,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,EAAE,GAAG,OAAO;IAwB9D;;OAEG;IACH,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;IAiBnC;;OAEG;IACH,YAAY,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM;IAOpC;;OAEG;IACH,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM;CAQjC"}

package/dist/gate/checks/secret/secret-patterns.js

@@ -0,0 +1,137 @@
+/**
+ * Secret Patterns - Pattern definitions and matching for secret detection
+ *
+ * Contains regex patterns for detecting various types of secrets and sensitive data.
+ */
+import { createDebugger } from '@eddacraft/anvil-core';
+const log = createDebugger('check');
+/**
+ * Secret patterns for common API keys, tokens, and sensitive data
+ */
+export const SECRET_PATTERNS = [
+    // API Keys
+    { name: 'API Key', pattern: /(?:api[_-]?key|apikey)\s*[:=]\s*['"]?[a-zA-Z0-9_-]{16,}['"]?/i },
+    // JWT Tokens
+    { name: 'JWT Token', pattern: /eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]*/ },
+    // AWS Keys
+    { name: 'AWS Key', pattern: /AKIA[0-9A-Z]{16}/ },
+    {
+        name: 'AWS Secret Key',
+        pattern: /(?:aws_secret|aws_secret_access_key)\s*[:=]\s*['"]?[A-Za-z0-9/+=]{40}['"]?/i,
+    },
+    // Private Keys
+    { name: 'Private Key', pattern: /-----BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY-----/ },
+    { name: 'PGP Private Key', pattern: /-----BEGIN PGP PRIVATE KEY BLOCK-----/ },
+    // Database URLs
+    { name: 'Database URL', pattern: /(?:postgres|mysql|mongodb|redis):\/\/[^:\s]+:[^@\s]+@/ },
+    // Generic secrets
+    {
+        name: 'Generic Secret',
+        pattern: /(?:secret|password|passwd|pwd)\s*[:=]\s*['"]?[^\s'"]{8,}['"]?/i,
+    },
+    // Credit Cards (basic pattern)
+    { name: 'Credit Card', pattern: /\b\d{4}[-\s]?\d{4}[-\s]?\d{4}[-\s]?\d{4}\b/ },
+    // GitHub tokens
+    { name: 'GitHub Token', pattern: /gh[pousr]_[A-Za-z0-9_]{36,}/ },
+    // Slack tokens
+    { name: 'Slack Token', pattern: /xox[baprs]-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24}/ },
+    // Stripe keys
+    { name: 'Stripe Key', pattern: /sk_live_[0-9a-zA-Z]{24}/ },
+    { name: 'Stripe Test Key', pattern: /sk_test_[0-9a-zA-Z]{24}/ },
+    // Google API keys
+    { name: 'Google API Key', pattern: /AIza[0-9A-Za-z_-]{35}/ },
+    // Heroku API key
+    {
+        name: 'Heroku API Key',
+        pattern: /[h|H]eroku[a-zA-Z0-9_-]*[:=]\s*['"]?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['"]?/,
+    },
+    // SendGrid API key
+    { name: 'SendGrid API Key', pattern: /SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}/ },
+    // Twilio API key
+    { name: 'Twilio API Key', pattern: /SK[a-f0-9]{32}/ },
+    // npm token
+    { name: 'NPM Token', pattern: /npm_[A-Za-z0-9]{36}/ },
+];
+/**
+ * Default patterns to allowlist (common false positives)
+ */
+export const DEFAULT_ALLOWLIST = [
+    /^[a-f0-9]{32}$/, // MD5 hashes
+    /^[a-f0-9]{40}$/, // SHA1 hashes
+    /^[a-f0-9]{64}$/, // SHA256 hashes
+    /^0x[a-f0-9]+$/i, // Hex literals
+    /^data:image\/[a-z]+;base64,/, // Base64 images
+    /placeholder/i,
+    /example/i,
+    /test/i,
+    /dummy/i,
+    /sample/i,
+    /lorem ipsum/i,
+];
+/**
+ * Pattern matcher for secret detection
+ */
+export class PatternMatcher {
+    /**
+     * Check if a string is allowlisted
+     */
+    isAllowlisted(str, customAllowlist) {
+        // Check default allowlist
+        for (const pattern of DEFAULT_ALLOWLIST) {
+            if (pattern.test(str)) {
+                log('secret-patterns: string allowlisted by default pattern');
+                return true;
+            }
+        }
+        // Check custom allowlist
+        for (const pattern of customAllowlist) {
+            try {
+                if (new RegExp(pattern, 'i').test(str)) {
+                    log(`secret-patterns: string allowlisted by custom pattern: ${pattern}`);
+                    return true;
+                }
+            }
+            catch {
+                continue;
+            }
+        }
+        return false;
+    }
+    /**
+     * Check if a string looks like code (not a secret)
+     */
+    looksLikeCode(str) {
+        // Common code patterns that aren't secrets
+        const codePatterns = [
+            /^[a-z][a-zA-Z0-9]*\(/, // Function call
+            /^[a-z][a-zA-Z0-9]*\.[a-z]/, // Method chain
+            /^https?:\/\//, // URLs
+            /^[a-z]+:\/\//, // Protocol URLs
+            /\.(js|ts|css|html|json|md|txt)$/, // File extensions
+            /^[A-Z][A-Z0-9_]+$/, // Constants (all caps)
+            /\s+/, // Contains whitespace
+            /^[a-z][a-z0-9]*[A-Z]/, // camelCase
+            /^[A-Z][a-z]+[A-Z]/, // PascalCase
+        ];
+        return codePatterns.some((pattern) => pattern.test(str));
+    }
+    /**
+     * Redact secret value for safe display
+     */
+    redactSecret(secret) {
+        if (secret.length <= 8)
+            return '***';
+        const prefix = secret.substring(0, 4);
+        const suffix = secret.substring(secret.length - 4);
+        return `${prefix}...${suffix}`;
+    }
+    /**
+     * Redact potential secrets in a line for safe display
+     */
+    redactLine(line) {
+        let redacted = line;
+        // Redact quoted strings that look like secrets
+        redacted = redacted.replace(/(['"])[a-zA-Z0-9_/+=-]{16,}\1/g, '$1[REDACTED]$1');
+        return redacted;
+    }
+}

package/dist/gate/checks/secret.check.d.ts

@@ -0,0 +1,56 @@
+import { BaseCheck } from '../check.interface.js';
+import { CheckContext, GateResult } from '../../types/gate.types.js';
+import { z } from 'zod';
+export interface SecretFinding {
+    file: string;
+    line: number;
+    type: string;
+    match: string;
+    context: string;
+    entropy?: number;
+    source?: 'pattern' | 'entropy' | 'git-history';
+}
+/**
+ * Zod schema for SecretCheckConfig with runtime validation
+ */
+export declare const SecretCheckConfigSchema: z.ZodObject<{
+    enable_entropy: z.ZodOptional<z.ZodBoolean>;
+    entropy_threshold: z.ZodOptional<z.ZodNumber>;
+    min_entropy_length: z.ZodOptional<z.ZodNumber>;
+    scan_git_history: z.ZodOptional<z.ZodBoolean>;
+    git_history_depth: z.ZodOptional<z.ZodNumber>;
+    allowlist: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    skip_extensions: z.ZodOptional<z.ZodArray<z.ZodString>>;
+}, z.core.$strip>;
+export type SecretCheckConfig = z.infer<typeof SecretCheckConfigSchema>;
+export declare class SecretCheck extends BaseCheck {
+    name: string;
+    description: string;
+    private matcher;
+    private entropyDetector;
+    private gitScanner;
+    run(context: CheckContext): Promise<GateResult>;
+    /**
+     * Get configuration with defaults
+     */
+    private getConfig;
+    /**
+     * Check if a file should be skipped based on extension
+     */
+    private shouldSkipFile;
+    /**
+     * Scan file content for secrets using both patterns and entropy
+     */
+    private scanFileContent;
+    /**
+  
+     * Remove duplicate findings
+     */
+    private deduplicateFindings;
+    private getFilesFromPlan;
+    /**
+     * Get all files for full codebase scan
+     */
+    private getFilesForFullScan;
+}
+//# sourceMappingURL=secret.check.d.ts.map

package/dist/gate/checks/secret.check.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret.check.d.ts","sourceRoot":"","sources":["../../../src/gate/checks/secret.check.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,UAAU,EAAuB,MAAM,2BAA2B,CAAC;AAG1F,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAOxB,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,SAAS,GAAG,SAAS,GAAG,aAAa,CAAC;CAChD;AAED;;GAEG;AACH,eAAO,MAAM,uBAAuB;;;;;;;;iBAelC,CAAC;AAEH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAoBxE,qBAAa,WAAY,SAAQ,SAAS;IACxC,IAAI,SAAY;IAChB,WAAW,SAAuF;IAElG,OAAO,CAAC,OAAO,CAAwB;IACvC,OAAO,CAAC,eAAe,CAAyB;IAChD,OAAO,CAAC,UAAU,CAAoB;IAEhC,GAAG,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,UAAU,CAAC;IAoFrD;;OAEG;IACH,OAAO,CAAC,SAAS;IAkBjB;;OAEG;IACH,OAAO,CAAC,cAAc;IAKtB;;OAEG;IACH,OAAO,CAAC,eAAe;IAsDvB;;;OAGG;IACH,OAAO,CAAC,mBAAmB;IAU3B,OAAO,CAAC,gBAAgB;IAMxB;;OAEG;YACW,mBAAmB;CA6ClC"}

package/dist/gate/checks/secret.check.js

@@ -0,0 +1,245 @@
+import { BaseCheck } from '../check.interface.js';
+import { getFilesFromContext } from '../../types/gate.types.js';
+import { createDebugger } from '@eddacraft/anvil-core';
+import { readFileSync, existsSync } from 'node:fs';
+import { z } from 'zod';
+import { SECRET_PATTERNS, PatternMatcher } from './secret/secret-patterns.js';
+import { EntropyDetector } from './secret/entropy-detector.js';
+import { GitScanner } from './secret/git-scanner.js';
+const log = createDebugger('check');
+/**
+ * Zod schema for SecretCheckConfig with runtime validation
+ */
+export const SecretCheckConfigSchema = z.object({
+    /** Enable entropy-based detection (default: true) */
+    enable_entropy: z.boolean().optional(),
+    /** Minimum entropy threshold for detection (default: 4.5) */
+    entropy_threshold: z.number().optional(),
+    /** Minimum string length for entropy analysis (default: 16) */
+    min_entropy_length: z.number().optional(),
+    /** Enable git history scanning (default: false) */
+    scan_git_history: z.boolean().optional(),
+    /** Number of commits to scan in git history (default: 10) */
+    git_history_depth: z.number().optional(),
+    /** Patterns to allowlist (reduce false positives) */
+    allowlist: z.array(z.string()).optional(),
+    /** File extensions to skip */
+    skip_extensions: z.array(z.string()).optional(),
+});
+/** File extensions to skip by default */
+const DEFAULT_SKIP_EXTENSIONS = [
+    '.lock',
+    '.min.js',
+    '.min.css',
+    '.map',
+    '.svg',
+    '.png',
+    '.jpg',
+    '.jpeg',
+    '.gif',
+    '.ico',
+    '.woff',
+    '.woff2',
+    '.ttf',
+    '.eot',
+];
+export class SecretCheck extends BaseCheck {
+    name = 'secret';
+    description = 'Scan for potential secrets and sensitive data using patterns and entropy analysis';
+    matcher = new PatternMatcher();
+    entropyDetector = new EntropyDetector();
+    gitScanner = new GitScanner();
+    async run(context) {
+        log(`secret check starting, workspace=${context.workspace_root}, fullScan=${context.fullScan}`);
+        try {
+            const config = this.getConfig(context);
+            log(`secret check config: entropy=${config.enable_entropy}, threshold=${config.entropy_threshold}, gitHistory=${config.scan_git_history}, depth=${config.git_history_depth}`);
+            const files = context.fullScan
+                ? await this.getFilesForFullScan(context.workspace_root, config)
+                : this.getFilesFromPlan(context);
+            log(`secret check: scanning ${files.length} files`);
+            const findings = [];
+            // Scan files for pattern-based secrets
+            for (const file of files) {
+                if (this.shouldSkipFile(file, config)) {
+                    continue;
+                }
+                if (existsSync(file)) {
+                    const content = readFileSync(file, 'utf-8');
+                    const fileFindings = this.scanFileContent(file, content, context.workspace_root, config);
+                    findings.push(...fileFindings);
+                }
+            }
+            // Scan git history if enabled
+            if (config.scan_git_history) {
+                log(`secret check: scanning git history (depth=${config.git_history_depth ?? 10})`);
+                const historyFindings = await this.gitScanner.scanGitHistory(context.workspace_root, {
+                    git_history_depth: config.git_history_depth ?? 10,
+                    allowlist: config.allowlist ?? [],
+                });
+                findings.push(...historyFindings);
+            }
+            // Deduplicate findings
+            const uniqueFindings = this.deduplicateFindings(findings);
+            const passed = uniqueFindings.length === 0;
+            const patternCount = uniqueFindings.filter((f) => f.source === 'pattern').length;
+            const entropyCount = uniqueFindings.filter((f) => f.source === 'entropy').length;
+            const gitHistoryCount = uniqueFindings.filter((f) => f.source === 'git-history').length;
+            log(`secret check result: passed=${passed}, total=${uniqueFindings.length} (pattern=${patternCount}, entropy=${entropyCount}, git=${gitHistoryCount})`);
+            let message;
+            if (passed) {
+                message = 'No secrets detected';
+            }
+            else {
+                const parts = [];
+                if (patternCount > 0)
+                    parts.push(`${patternCount} pattern match(es)`);
+                if (entropyCount > 0)
+                    parts.push(`${entropyCount} high-entropy string(s)`);
+                if (gitHistoryCount > 0)
+                    parts.push(`${gitHistoryCount} in git history`);
+                message = `Found ${uniqueFindings.length} potential secret(s): ${parts.join(', ')}`;
+            }
+            return this.createResult(passed, message, passed ? 100 : Math.max(0, 100 - uniqueFindings.length * 10), {
+                findings: uniqueFindings,
+                summary: {
+                    total: uniqueFindings.length,
+                    by_pattern: patternCount,
+                    by_entropy: entropyCount,
+                    by_git_history: gitHistoryCount,
+                },
+            });
+        }
+        catch (error) {
+            log(`secret check error: ${error instanceof Error ? error.message : 'Unknown error'}`);
+            return this.createFailure('Secret scan failed', error instanceof Error ? error.message : 'Unknown error');
+        }
+    }
+    /**
+     * Get configuration with defaults
+     */
+    getConfig(context) {
+        // Parse and validate check_config using Zod schema
+        const parseResult = SecretCheckConfigSchema.safeParse(context.check_config);
+        // If parsing fails, use empty config (all defaults will be applied)
+        const checkConfig = parseResult.success ? parseResult.data : {};
+        return {
+            enable_entropy: checkConfig.enable_entropy ?? true,
+            entropy_threshold: checkConfig.entropy_threshold ?? 4.5,
+            min_entropy_length: checkConfig.min_entropy_length ?? 16,
+            scan_git_history: checkConfig.scan_git_history ?? false,
+            git_history_depth: checkConfig.git_history_depth ?? 10,
+            allowlist: checkConfig.allowlist ?? [],
+            skip_extensions: checkConfig.skip_extensions ?? [],
+        };
+    }
+    /**
+     * Check if a file should be skipped based on extension
+     */
+    shouldSkipFile(file, config) {
+        const skipExtensions = [...DEFAULT_SKIP_EXTENSIONS, ...(config.skip_extensions || [])];
+        return skipExtensions.some((ext) => file.endsWith(ext));
+    }
+    /**
+     * Scan file content for secrets using both patterns and entropy
+     */
+    scanFileContent(file, content, workspaceRoot, config) {
+        const findings = [];
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            const lineNumber = i + 1;
+            // Pattern-based detection
+            for (const pattern of SECRET_PATTERNS) {
+                const matches = line.match(pattern.pattern);
+                if (matches && !this.matcher.isAllowlisted(matches[0], config.allowlist ?? [])) {
+                    findings.push({
+                        file: file.replace(workspaceRoot, ''),
+                        line: lineNumber,
+                        type: pattern.name,
+                        match: this.matcher.redactSecret(matches[0]),
+                        context: this.matcher.redactLine(line.trim()),
+                        source: 'pattern',
+                    });
+                }
+            }
+            // Entropy-based detection (if enabled)
+            if (config.enable_entropy) {
+                const entropyFindings = this.entropyDetector.detectHighEntropyStrings(line, lineNumber, file.replace(workspaceRoot, ''), {
+                    entropy_threshold: config.entropy_threshold ?? 4.5,
+                    min_entropy_length: config.min_entropy_length ?? 16,
+                    allowlist: config.allowlist ?? [],
+                });
+                // Filter out findings that were already detected by pattern matching
+                const newEntropyFindings = entropyFindings.filter(() => {
+                    const alreadyDetected = SECRET_PATTERNS.some((p) => p.pattern.test(line));
+                    return !alreadyDetected;
+                });
+                findings.push(...newEntropyFindings);
+            }
+        }
+        return findings;
+    }
+    /**
+  
+     * Remove duplicate findings
+     */
+    deduplicateFindings(findings) {
+        const seen = new Set();
+        return findings.filter((finding) => {
+            const key = `${finding.file}:${finding.line}:${finding.type}:${finding.match}`;
+            if (seen.has(key))
+                return false;
+            seen.add(key);
+            return true;
+        });
+    }
+    getFilesFromPlan(context) {
+        // Use unified helper for both planless and plan-based modes
+        // This ensures consistent path normalisation and existence checking
+        return getFilesFromContext(context);
+    }
+    /**
+     * Get all files for full codebase scan
+     */
+    async getFilesForFullScan(workspaceRoot, config) {
+        const { glob } = await import('glob');
+        const files = [];
+        // Scan common file types that might contain secrets
+        const patterns = [
+            '**/*.ts',
+            '**/*.tsx',
+            '**/*.js',
+            '**/*.jsx',
+            '**/*.json',
+            '**/*.yaml',
+            '**/*.yml',
+            '**/*.env*',
+            '**/*.config.*',
+        ];
+        for (const pattern of patterns) {
+            try {
+                const matches = await glob(pattern, {
+                    cwd: workspaceRoot,
+                    absolute: true,
+                    ignore: [
+                        '**/node_modules/**',
+                        '**/dist/**',
+                        '**/build/**',
+                        '**/.git/**',
+                        '**/coverage/**',
+                        '**/*.lock',
+                        '**/package-lock.json',
+                    ],
+                });
+                files.push(...matches);
+            }
+            catch (error) {
+                // Log glob errors to stderr for debugging but continue scanning
+                console.error(`[SecretCheck] Glob error for pattern ${pattern}:`, error);
+            }
+        }
+        // Filter out skipped extensions
+        return files.filter((file) => !this.shouldSkipFile(file, config));
+    }
+}

package/dist/gate/config/command-safety-config.d.ts

@@ -0,0 +1,5 @@
+import type { CommandRule, CommandSafetyConfig, ResolvedCommandSafetyConfig } from '../rules/types.js';
+export declare function loadCommandSafetyRules(config: CommandSafetyConfig): CommandRule[];
+export declare function resolveCommandSafetyConfig(userConfig?: CommandSafetyConfig): ResolvedCommandSafetyConfig;
+export declare const DEFAULT_COMMAND_SAFETY_CONFIG: ResolvedCommandSafetyConfig;
+//# sourceMappingURL=command-safety-config.d.ts.map

package/dist/gate/config/command-safety-config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"command-safety-config.d.ts","sourceRoot":"","sources":["../../../src/gate/config/command-safety-config.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,WAAW,EACX,mBAAmB,EACnB,2BAA2B,EAG5B,MAAM,mBAAmB,CAAC;AAiB3B,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,mBAAmB,GAAG,WAAW,EAAE,CAmCjF;AAED,wBAAgB,0BAA0B,CACxC,UAAU,CAAC,EAAE,mBAAmB,GAC/B,2BAA2B,CAmB7B;AAED,eAAO,MAAM,6BAA6B,EAAE,2BAM3C,CAAC"}

package/dist/gate/config/command-safety-config.js

@@ -0,0 +1,69 @@
+import { DEFAULT_GIT_RULES, DEFAULT_FILESYSTEM_RULES } from '../rules/index.js';
+import { createDebugger } from '@eddacraft/anvil-core';
+const debug = createDebugger('gate');
+const DEFAULT_WORKING_DIRECTORY = {
+    allowDeleteInCwd: false,
+    tempDirPatterns: ['/tmp', '/var/tmp'],
+};
+const DEFAULT_OUTPUT = {
+    verbose: true,
+    showSuggestions: true,
+    showReferences: true,
+};
+export function loadCommandSafetyRules(config) {
+    debug('loadCommandSafetyRules: loading default rules');
+    let rules = [...DEFAULT_GIT_RULES, ...DEFAULT_FILESYSTEM_RULES];
+    if (config.rules?.disabled && config.rules.disabled.length > 0) {
+        debug(`loadCommandSafetyRules: disabling ${config.rules.disabled.length} rules`);
+        const disabledSet = new Set(config.rules.disabled);
+        rules = rules.filter((r) => !disabledSet.has(r.id));
+    }
+    if (config.rules?.overrides && config.rules.overrides.length > 0) {
+        debug(`loadCommandSafetyRules: applying ${config.rules.overrides.length} overrides`);
+        for (const override of config.rules.overrides) {
+            const ruleIndex = rules.findIndex((r) => r.id === override.id);
+            if (ruleIndex !== -1) {
+                if (override.action === 'disable') {
+                    rules.splice(ruleIndex, 1);
+                }
+                else {
+                    rules[ruleIndex] = {
+                        ...rules[ruleIndex],
+                        ...(override.action && { action: override.action }),
+                        ...(override.severity && { severity: override.severity }),
+                    };
+                }
+            }
+        }
+    }
+    if (config.rules?.custom && config.rules.custom.length > 0) {
+        debug(`loadCommandSafetyRules: adding ${config.rules.custom.length} custom rules`);
+        rules.push(...config.rules.custom);
+    }
+    debug(`loadCommandSafetyRules: total rules=${rules.length}`);
+    return rules;
+}
+export function resolveCommandSafetyConfig(userConfig) {
+    const config = userConfig ?? {};
+    debug(`resolveCommandSafetyConfig: enabled=${config.enabled ?? true} strict=${config.strict ?? false}`);
+    return {
+        enabled: config.enabled ?? true,
+        strict: config.strict ?? false,
+        rules: loadCommandSafetyRules(config),
+        workingDirectory: {
+            ...DEFAULT_WORKING_DIRECTORY,
+            ...config.workingDirectory,
+        },
+        output: {
+            ...DEFAULT_OUTPUT,
+            ...config.output,
+        },
+    };
+}
+export const DEFAULT_COMMAND_SAFETY_CONFIG = {
+    enabled: true,
+    strict: false,
+    rules: [...DEFAULT_GIT_RULES, ...DEFAULT_FILESYSTEM_RULES],
+    workingDirectory: DEFAULT_WORKING_DIRECTORY,
+    output: DEFAULT_OUTPUT,
+};

package/dist/gate/config/index.d.ts

@@ -0,0 +1,2 @@
+export { loadCommandSafetyRules, resolveCommandSafetyConfig, DEFAULT_COMMAND_SAFETY_CONFIG, } from './command-safety-config.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/gate/config/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/gate/config/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,sBAAsB,EACtB,0BAA0B,EAC1B,6BAA6B,GAC9B,MAAM,4BAA4B,CAAC"}

package/dist/gate/config/index.js

@@ -0,0 +1 @@
+export { loadCommandSafetyRules, resolveCommandSafetyConfig, DEFAULT_COMMAND_SAFETY_CONFIG, } from './command-safety-config.js';