@id-wispera/cli 0.1.0

package/dist/commands/scan.js

@@ -0,0 +1,700 @@
+/**
+ * Scan command: idw scan [path]
+ * Supports system-wide credential scanning and provider-specific scanning
+ */
+import { Command } from 'commander';
+import ora from 'ora';
+import chalk from 'chalk';
+import { readdir, readFile, stat, access } from 'fs/promises';
+import { join, extname, relative, resolve } from 'path';
+import { homedir } from 'os';
+import { detectCredentials, mightContainCredentials, getDetectionStats } from '@id-wispera/core';
+import { error, success, warning, displayDetectionResults, info, title } from '../utils/display.js';
+// Files/directories to skip
+const SKIP_DIRS = new Set([
+    'node_modules',
+    '.git',
+    '.svn',
+    '.hg',
+    'dist',
+    'build',
+    'coverage',
+    '.next',
+    '__pycache__',
+    'vendor',
+    '.venv',
+    'venv',
+    '.turbo',
+    '.cache',
+    'Library',
+    'Applications',
+    '.Trash',
+]);
+const SKIP_EXTENSIONS = new Set([
+    '.png',
+    '.jpg',
+    '.jpeg',
+    '.gif',
+    '.ico',
+    '.svg',
+    '.woff',
+    '.woff2',
+    '.ttf',
+    '.eot',
+    '.mp3',
+    '.mp4',
+    '.avi',
+    '.zip',
+    '.tar',
+    '.gz',
+    '.pdf',
+    '.exe',
+    '.dll',
+    '.so',
+    '.dylib',
+    '.lock',
+    '.sqlite',
+    '.db',
+]);
+// Known credential locations for system scan
+const KNOWN_LOCATIONS = [
+    { path: '.openclaw', name: 'OpenClaw' },
+    { path: '.aws', name: 'AWS' },
+    { path: '.ssh', name: 'SSH' },
+    { path: '.docker', name: 'Docker' },
+    { path: '.kube', name: 'Kubernetes' },
+    { path: '.config/gcloud', name: 'Google Cloud' },
+    { path: '.azure', name: 'Azure' },
+    { path: '.npmrc', name: 'npm', isFile: true },
+    { path: '.pypirc', name: 'PyPI', isFile: true },
+    { path: '.netrc', name: 'Netrc', isFile: true },
+    { path: '.gitconfig', name: 'Git', isFile: true },
+];
+/**
+ * Check file permissions and return warning if insecure
+ */
+async function checkFilePermissions(filePath) {
+    try {
+        const stats = await stat(filePath);
+        const mode = stats.mode;
+        const worldReadable = (mode & 0o004) !== 0;
+        const groupReadable = (mode & 0o040) !== 0;
+        if (worldReadable) {
+            return `World-readable (mode: ${(mode & 0o777).toString(8)}): ${filePath}`;
+        }
+        if (groupReadable) {
+            return `Group-readable (mode: ${(mode & 0o777).toString(8)}): ${filePath}`;
+        }
+        return undefined;
+    }
+    catch {
+        return undefined;
+    }
+}
+/**
+ * Scan OpenClaw credentials specifically
+ */
+async function scanOpenClawCredentials() {
+    const result = {
+        installed: false,
+        credentials: [],
+        permissionWarnings: [],
+        unreadablePaths: [],
+    };
+    const openclawPath = join(homedir(), '.openclaw');
+    try {
+        await access(openclawPath);
+        result.installed = true;
+    }
+    catch {
+        return result;
+    }
+    // Scan WhatsApp credentials
+    const whatsappPath = join(openclawPath, 'credentials', 'whatsapp');
+    try {
+        const accounts = await readdir(whatsappPath);
+        for (const accountId of accounts) {
+            const credsPath = join(whatsappPath, accountId, 'creds.json');
+            try {
+                const content = await readFile(credsPath, 'utf-8');
+                const data = JSON.parse(content);
+                const permWarning = await checkFilePermissions(credsPath);
+                if (permWarning)
+                    result.permissionWarnings.push(permWarning);
+                result.credentials.push({
+                    name: `WhatsApp Session (accountId: ${accountId})`,
+                    type: 'Session Keys',
+                    visaType: 'Access Visa',
+                    riskLevel: 'HIGH',
+                    filePath: credsPath,
+                    rawValue: content,
+                    metadata: { accountId, botName: data.me?.name },
+                });
+            }
+            catch (err) {
+                if (err.code === 'EACCES') {
+                    result.unreadablePaths.push(credsPath);
+                }
+            }
+        }
+    }
+    catch {
+        // WhatsApp dir doesn't exist or not readable
+    }
+    // Scan auth profiles (LLM API keys)
+    const agentsPath = join(openclawPath, 'agents');
+    try {
+        const agents = await readdir(agentsPath);
+        for (const agentId of agents) {
+            const authPath = join(agentsPath, agentId, 'agent', 'auth-profiles.json');
+            try {
+                const content = await readFile(authPath, 'utf-8');
+                const data = JSON.parse(content);
+                const permWarning = await checkFilePermissions(authPath);
+                if (permWarning)
+                    result.permissionWarnings.push(permWarning);
+                for (const [provider, profile] of Object.entries(data)) {
+                    if (profile.type === 'api-key' && profile.key) {
+                        const keyPreview = profile.key.substring(0, 10) + '...' + profile.key.substring(profile.key.length - 4);
+                        result.credentials.push({
+                            name: `${capitalizeFirst(provider)} API Key (${keyPreview})`,
+                            type: 'API Key',
+                            visaType: 'Privilege',
+                            riskLevel: 'CRITICAL',
+                            filePath: authPath,
+                            rawValue: profile.key,
+                            metadata: { provider, model: profile.model, agentId },
+                        });
+                    }
+                }
+            }
+            catch (err) {
+                if (err.code === 'EACCES') {
+                    result.unreadablePaths.push(authPath);
+                }
+            }
+        }
+    }
+    catch {
+        // Agents dir doesn't exist
+    }
+    // Scan OAuth tokens
+    const oauthPath = join(openclawPath, 'credentials', 'oauth.json');
+    try {
+        const content = await readFile(oauthPath, 'utf-8');
+        const data = JSON.parse(content);
+        const permWarning = await checkFilePermissions(oauthPath);
+        if (permWarning)
+            result.permissionWarnings.push(permWarning);
+        for (const [provider, tokens] of Object.entries(data)) {
+            if (tokens.access_token) {
+                const isExpired = tokens.expires_at && tokens.expires_at * 1000 < Date.now();
+                result.credentials.push({
+                    name: `${capitalizeFirst(provider)} OAuth (${tokens.access_token.substring(0, 10)}...${isExpired ? ' EXPIRED' : ''})`,
+                    type: 'OAuth Token',
+                    visaType: 'Access Visa',
+                    riskLevel: 'MEDIUM',
+                    filePath: oauthPath,
+                    rawValue: tokens.access_token,
+                    metadata: { provider, hasRefreshToken: !!tokens.refresh_token, isExpired },
+                });
+            }
+        }
+    }
+    catch {
+        // OAuth file doesn't exist
+    }
+    // Scan openclaw.json for channel tokens
+    const configPath = join(openclawPath, 'openclaw.json');
+    try {
+        const content = await readFile(configPath, 'utf-8');
+        const data = JSON.parse(content);
+        const permWarning = await checkFilePermissions(configPath);
+        if (permWarning)
+            result.permissionWarnings.push(permWarning);
+        // Telegram
+        if (data.channels?.telegram?.token) {
+            const token = data.channels.telegram.token;
+            const preview = token.substring(0, 7) + '...' + token.substring(token.length - 4);
+            result.credentials.push({
+                name: `Telegram Bot Token (${preview})`,
+                type: 'Bot Token',
+                visaType: 'Access Visa',
+                riskLevel: 'HIGH',
+                filePath: configPath,
+                rawValue: token,
+                metadata: { channel: 'telegram' },
+            });
+        }
+        // Slack
+        if (data.channels?.slack?.botToken) {
+            const token = data.channels.slack.botToken;
+            const preview = token.substring(0, 10) + '...' + token.substring(token.length - 4);
+            result.credentials.push({
+                name: `Slack Bot Token (${preview})`,
+                type: 'Bot Token',
+                visaType: 'Access Visa',
+                riskLevel: 'HIGH',
+                filePath: configPath,
+                rawValue: token,
+                metadata: { channel: 'slack' },
+            });
+        }
+        if (data.channels?.slack?.appToken) {
+            const token = data.channels.slack.appToken;
+            const preview = token.substring(0, 10) + '...' + token.substring(token.length - 4);
+            result.credentials.push({
+                name: `Slack App Token (${preview})`,
+                type: 'Bot Token',
+                visaType: 'Access Visa',
+                riskLevel: 'HIGH',
+                filePath: configPath,
+                rawValue: token,
+                metadata: { channel: 'slack' },
+            });
+        }
+        // Discord
+        if (data.channels?.discord?.token) {
+            const token = data.channels.discord.token;
+            const preview = token.substring(0, 10) + '...' + token.substring(token.length - 4);
+            result.credentials.push({
+                name: `Discord Bot Token (${preview})`,
+                type: 'Bot Token',
+                visaType: 'Access Visa',
+                riskLevel: 'HIGH',
+                filePath: configPath,
+                rawValue: token,
+                metadata: { channel: 'discord' },
+            });
+        }
+        // Gateway token
+        if (data.gateway?.token) {
+            const token = data.gateway.token;
+            const preview = token.substring(0, 6) + '...' + token.substring(token.length - 4);
+            result.credentials.push({
+                name: `Gateway Token (${preview})`,
+                type: 'Auth Token',
+                visaType: 'Privilege',
+                riskLevel: 'HIGH',
+                filePath: configPath,
+                rawValue: token,
+                metadata: { gatewayPort: data.gateway.port },
+            });
+        }
+    }
+    catch {
+        // Config file doesn't exist
+    }
+    // Scan allowlists
+    const credsPath = join(openclawPath, 'credentials');
+    try {
+        const files = await readdir(credsPath);
+        for (const file of files) {
+            if (file.endsWith('-allowFrom.json')) {
+                const filePath = join(credsPath, file);
+                try {
+                    const content = await readFile(filePath, 'utf-8');
+                    const data = JSON.parse(content);
+                    const channel = file.replace('-allowFrom.json', '');
+                    const pairedCount = Object.keys(data).length;
+                    result.credentials.push({
+                        name: `Pairing: ${channel} (${pairedCount} paired users)`,
+                        type: 'Allowlist',
+                        visaType: 'Access Visa',
+                        riskLevel: 'LOW',
+                        filePath,
+                        rawValue: content,
+                        metadata: { channel, pairedCount },
+                    });
+                }
+                catch {
+                    // Can't read file
+                }
+            }
+        }
+    }
+    catch {
+        // Credentials dir doesn't exist
+    }
+    return result;
+}
+function capitalizeFirst(str) {
+    return str.charAt(0).toUpperCase() + str.slice(1);
+}
+/**
+ * Display OpenClaw scan results in table format
+ */
+function displayOpenClawResults(result) {
+    console.log();
+    console.log(chalk.cyan.bold(`🔍 OpenClaw Installation Detected at ~/.openclaw/`));
+    console.log();
+    if (result.credentials.length === 0) {
+        success('No credentials found in OpenClaw installation.');
+        return;
+    }
+    // Sort by risk level
+    const riskOrder = { CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3 };
+    result.credentials.sort((a, b) => riskOrder[a.riskLevel] - riskOrder[b.riskLevel]);
+    // Calculate column widths
+    const maxCredLen = Math.max(35, ...result.credentials.map(c => c.name.length));
+    const maxTypeLen = Math.max(13, ...result.credentials.map(c => c.type.length));
+    const maxVisaLen = Math.max(12, ...result.credentials.map(c => c.visaType.length));
+    // Header
+    const headerLine = '┌' + '─'.repeat(maxCredLen + 2) + '┬' + '─'.repeat(maxTypeLen + 2) + '┬' + '─'.repeat(maxVisaLen + 2) + '┬' + '─'.repeat(13) + '┐';
+    const headerRow = '│ ' + 'Credential'.padEnd(maxCredLen) + ' │ ' + 'Type'.padEnd(maxTypeLen) + ' │ ' + 'Visa Type'.padEnd(maxVisaLen) + ' │ ' + 'Risk Level'.padEnd(11) + ' │';
+    const separatorLine = '├' + '─'.repeat(maxCredLen + 2) + '┼' + '─'.repeat(maxTypeLen + 2) + '┼' + '─'.repeat(maxVisaLen + 2) + '┼' + '─'.repeat(13) + '┤';
+    const footerLine = '└' + '─'.repeat(maxCredLen + 2) + '┴' + '─'.repeat(maxTypeLen + 2) + '┴' + '─'.repeat(maxVisaLen + 2) + '┴' + '─'.repeat(13) + '┘';
+    console.log(headerLine);
+    console.log(headerRow);
+    console.log(separatorLine);
+    // Rows
+    for (const cred of result.credentials) {
+        const riskEmoji = cred.riskLevel === 'CRITICAL' ? '🔴' :
+            cred.riskLevel === 'HIGH' ? '⚠️ ' :
+                cred.riskLevel === 'MEDIUM' ? '⚠️ ' : 'ℹ️ ';
+        const riskColor = cred.riskLevel === 'CRITICAL' ? chalk.red :
+            cred.riskLevel === 'HIGH' ? chalk.yellow :
+                cred.riskLevel === 'MEDIUM' ? chalk.yellow : chalk.blue;
+        const row = '│ ' +
+            cred.name.padEnd(maxCredLen) + ' │ ' +
+            cred.type.padEnd(maxTypeLen) + ' │ ' +
+            cred.visaType.padEnd(maxVisaLen) + ' │ ' +
+            riskEmoji + riskColor(cred.riskLevel.padEnd(8)) + ' │';
+        console.log(row);
+    }
+    // Summary row
+    const criticalCount = result.credentials.filter(c => c.riskLevel === 'CRITICAL').length;
+    const governed = 0; // Will be updated when we check against vault
+    console.log(separatorLine);
+    const summaryRow = '│ ' +
+        `${result.credentials.length} credentials found`.padEnd(maxCredLen) + ' │ ' +
+        `${governed} governed`.padEnd(maxTypeLen) + ' │ ' +
+        `0 passports`.padEnd(maxVisaLen) + ' │ ' +
+        chalk.red(`${criticalCount} CRITICAL`.padEnd(11)) + ' │';
+    console.log(summaryRow);
+    console.log(footerLine);
+    // Permission warnings
+    if (result.permissionWarnings.length > 0) {
+        console.log();
+        warning('Permission Issues Detected:');
+        for (const warn of result.permissionWarnings) {
+            console.log(chalk.yellow(`  ⚠ ${warn}`));
+        }
+    }
+    // Unreadable paths
+    if (result.unreadablePaths.length > 0) {
+        console.log();
+        warning('Unreadable Paths (permission denied):');
+        for (const path of result.unreadablePaths) {
+            console.log(chalk.red(`  ✗ ${path}`));
+        }
+    }
+    console.log();
+    console.log(chalk.cyan(`⚡ Import all into ID Wispera? Run: ${chalk.bold('idw import --format openclaw')}`));
+}
+/**
+ * Recursively scan a directory for files
+ */
+export async function* walkDirectory(dir, onUnreadable) {
+    try {
+        const entries = await readdir(dir, { withFileTypes: true });
+        for (const entry of entries) {
+            const fullPath = join(dir, entry.name);
+            if (entry.isDirectory()) {
+                if (!SKIP_DIRS.has(entry.name) && !entry.name.startsWith('.')) {
+                    yield* walkDirectory(fullPath, onUnreadable);
+                }
+            }
+            else if (entry.isFile()) {
+                const ext = extname(entry.name).toLowerCase();
+                if (!SKIP_EXTENSIONS.has(ext)) {
+                    yield fullPath;
+                }
+            }
+        }
+    }
+    catch (err) {
+        if (err.code === 'EACCES' && onUnreadable) {
+            onUnreadable(dir, 'Permission denied');
+        }
+    }
+}
+/**
+ * Scan a file for credentials
+ */
+export async function scanFile(filePath) {
+    try {
+        const stats = await stat(filePath);
+        // Skip large files (> 1MB)
+        if (stats.size > 1024 * 1024) {
+            return [];
+        }
+        const content = await readFile(filePath, 'utf-8');
+        // Quick check before full scan
+        if (!mightContainCredentials(content)) {
+            return [];
+        }
+        return detectCredentials(content);
+    }
+    catch {
+        // Ignore files that can't be read
+        return [];
+    }
+}
+/**
+ * Scan known credential locations (system scan)
+ */
+async function scanKnownLocations(providers, onUnreadable) {
+    const home = homedir();
+    const allResults = [];
+    for (const loc of KNOWN_LOCATIONS) {
+        // Filter by provider if specified
+        if (providers && !providers.some(p => loc.name.toLowerCase().includes(p.toLowerCase()))) {
+            continue;
+        }
+        const fullPath = join(home, loc.path);
+        try {
+            await access(fullPath);
+            if (loc.isFile) {
+                const results = await scanFile(fullPath);
+                if (results.length > 0) {
+                    allResults.push({ file: fullPath, results });
+                }
+            }
+            else {
+                for await (const filePath of walkDirectory(fullPath, onUnreadable)) {
+                    const results = await scanFile(filePath);
+                    if (results.length > 0) {
+                        allResults.push({ file: filePath, results });
+                    }
+                }
+            }
+        }
+        catch (err) {
+            if (err.code === 'EACCES') {
+                onUnreadable(fullPath, 'Permission denied');
+            }
+            // ENOENT is fine - location doesn't exist
+        }
+    }
+    return allResults;
+}
+export function createScanCommand() {
+    const command = new Command('scan')
+        .description('Scan for exposed credentials')
+        .argument('[path]', 'Path to scan (default: current directory)')
+        .option('-s, --system', 'Scan all known credential locations (fast)')
+        .option('-f, --full', 'Scan entire home directory (thorough but slower)')
+        .option('-p, --providers <list>', 'Scan specific providers (comma-separated: openclaw,aws,ssh)')
+        .option('-v, --verbose', 'Show all files scanned')
+        .option('--output <file>', 'Save results to JSON file')
+        .option('--min-confidence <level>', 'Minimum confidence threshold (0-1)', '0.5')
+        .option('--include-low', 'Include low confidence results')
+        .action(async (scanPath, options) => {
+        const minConfidence = parseFloat(options.minConfidence);
+        const unreadablePaths = [];
+        const onUnreadable = (path, error) => {
+            unreadablePaths.push({ path, error });
+        };
+        console.log();
+        // Determine scan mode
+        const providerList = options.providers ? options.providers.split(',').map((p) => p.trim()) : null;
+        // OpenClaw-specific scan
+        if (providerList?.includes('openclaw') || options.system) {
+            const openclawResult = await scanOpenClawCredentials();
+            if (openclawResult.installed) {
+                displayOpenClawResults(openclawResult);
+                // If only scanning OpenClaw, we're done
+                if (providerList?.length === 1 && providerList[0] === 'openclaw') {
+                    return;
+                }
+            }
+            else if (providerList?.includes('openclaw')) {
+                info('OpenClaw is not installed at ~/.openclaw/');
+            }
+        }
+        // System-wide scan of known locations
+        if (options.system && !scanPath) {
+            title('System Credential Scan');
+            info('Scanning known credential locations...');
+            console.log();
+            const spinner = ora('Scanning known locations...').start();
+            const allResults = await scanKnownLocations(providerList, onUnreadable);
+            spinner.stop();
+            if (allResults.length === 0) {
+                success('No additional credentials detected in known locations.');
+            }
+            else {
+                displayGenericResults(allResults, unreadablePaths, minConfidence, options);
+            }
+            // Show unreadable paths
+            if (unreadablePaths.length > 0) {
+                console.log();
+                warning('Unreadable Paths:');
+                for (const { path, error } of unreadablePaths) {
+                    console.log(chalk.red(`  ✗ ${path}: ${error}`));
+                }
+            }
+            return;
+        }
+        // Full home directory scan
+        if (options.full) {
+            const home = homedir();
+            title('Full Home Directory Scan');
+            console.log(chalk.yellow('⚠ This will scan your entire home directory and may take a while.'));
+            info(`Path: ${home}`);
+            console.log();
+            const spinner = ora('Scanning files...').start();
+            const allResults = [];
+            let filesScanned = 0;
+            for await (const filePath of walkDirectory(home, onUnreadable)) {
+                filesScanned++;
+                if (filesScanned % 500 === 0) {
+                    spinner.text = `Scanned ${filesScanned} files...`;
+                }
+                const results = await scanFile(filePath);
+                const filteredResults = options.includeLow
+                    ? results
+                    : results.filter(r => r.confidence >= minConfidence);
+                if (filteredResults.length > 0) {
+                    allResults.push({ file: filePath, results: filteredResults });
+                }
+            }
+            spinner.stop();
+            console.log(chalk.dim(`Scanned ${filesScanned} files`));
+            displayGenericResults(allResults, unreadablePaths, minConfidence, options);
+            // Show unreadable paths
+            if (unreadablePaths.length > 0) {
+                console.log();
+                warning(`${unreadablePaths.length} paths were unreadable (permission denied)`);
+                if (options.verbose) {
+                    for (const { path } of unreadablePaths) {
+                        console.log(chalk.red(`  ✗ ${path}`));
+                    }
+                }
+            }
+            return;
+        }
+        // Default: scan specified path or current directory
+        // Use resolve() to handle both relative and absolute paths correctly
+        const absolutePath = scanPath ? resolve(scanPath) : process.cwd();
+        title('Scanning for Credentials');
+        info(`Path: ${absolutePath}`);
+        console.log();
+        const spinner = ora('Scanning files...').start();
+        const allResults = [];
+        let filesScanned = 0;
+        let filesWithCredentials = 0;
+        try {
+            const pathStats = await stat(absolutePath);
+            if (pathStats.isFile()) {
+                const results = await scanFile(absolutePath);
+                if (results.length > 0) {
+                    allResults.push({ file: absolutePath, results });
+                    filesWithCredentials++;
+                }
+                filesScanned = 1;
+            }
+            else {
+                for await (const filePath of walkDirectory(absolutePath, onUnreadable)) {
+                    filesScanned++;
+                    if (options.verbose) {
+                        spinner.text = `Scanning: ${relative(absolutePath, filePath)}`;
+                    }
+                    else if (filesScanned % 100 === 0) {
+                        spinner.text = `Scanned ${filesScanned} files...`;
+                    }
+                    const results = await scanFile(filePath);
+                    const filteredResults = options.includeLow
+                        ? results
+                        : results.filter(r => r.confidence >= minConfidence);
+                    if (filteredResults.length > 0) {
+                        allResults.push({ file: filePath, results: filteredResults });
+                        filesWithCredentials++;
+                    }
+                }
+            }
+            spinner.stop();
+            console.log(chalk.dim(`Scanned ${filesScanned} files`));
+            console.log();
+            if (allResults.length === 0) {
+                success('No credentials detected!');
+            }
+            else {
+                displayGenericResults(allResults, unreadablePaths, minConfidence, options, absolutePath);
+            }
+            // Show unreadable paths
+            if (unreadablePaths.length > 0) {
+                console.log();
+                warning('Unreadable Paths:');
+                for (const { path, error } of unreadablePaths) {
+                    console.log(chalk.red(`  ✗ ${path}: ${error}`));
+                }
+            }
+            // Export if requested
+            if (options.output && allResults.length > 0) {
+                const exportData = {
+                    scannedAt: new Date().toISOString(),
+                    path: absolutePath,
+                    filesScanned,
+                    results: allResults.map(({ file, results }) => ({
+                        file: relative(absolutePath, file),
+                        detections: results.map(r => ({
+                            type: r.type,
+                            line: r.line,
+                            column: r.column,
+                            confidence: r.confidence,
+                            pattern: r.pattern,
+                        })),
+                    })),
+                };
+                const fs = await import('fs/promises');
+                await fs.writeFile(options.output, JSON.stringify(exportData, null, 2), 'utf-8');
+                console.log();
+                info(`Results saved to ${options.output}`);
+            }
+            console.log();
+            info('Run `idw import <file>` to import detected credentials as passports.');
+        }
+        catch (err) {
+            spinner.fail('Scan failed');
+            error(err instanceof Error ? err.message : 'Unknown error');
+            process.exit(1);
+        }
+    });
+    return command;
+}
+/**
+ * Display generic scan results
+ */
+function displayGenericResults(allResults, _unreadablePaths, _minConfidence, _options, basePath) {
+    if (allResults.length === 0) {
+        success('No credentials detected!');
+        return;
+    }
+    warning(`Found potential credentials in ${allResults.length} file(s):`);
+    console.log();
+    let totalCredentials = 0;
+    for (const { file, results } of allResults) {
+        const displayPath = basePath ? relative(basePath, file) || file : file;
+        console.log(chalk.bold(chalk.cyan(displayPath)));
+        console.log(displayDetectionResults(results, displayPath));
+        totalCredentials += results.length;
+    }
+    // Summary
+    console.log();
+    title('Summary');
+    const allDetections = allResults.flatMap(r => r.results);
+    const stats = getDetectionStats(allDetections);
+    console.log(`  Total detections: ${chalk.yellow(stats.total)}`);
+    console.log(`  High confidence: ${chalk.red(stats.highConfidence)}`);
+    console.log(`  Files affected: ${chalk.yellow(allResults.length)}`);
+    console.log();
+    console.log('  By type:');
+    for (const [type, count] of Object.entries(stats.byType)) {
+        if (count > 0) {
+            console.log(`    ${type}: ${count}`);
+        }
+    }
+}
+//# sourceMappingURL=scan.js.map