@kairosinternational/watchman 0.1.0

package/dist/scanners/runtime-monitor/rules/process-spawn.rule.js

@@ -0,0 +1,55 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.processSpawnRule = void 0;
+const promises_1 = require("node:fs/promises");
+const CODE_EXTENSIONS = new Set(['.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs']);
+function isCodeFile(file) {
+    const dot = file.lastIndexOf('.');
+    return dot !== -1 && CODE_EXTENSIONS.has(file.slice(dot).toLowerCase());
+}
+const SPAWN_PATTERNS = [
+    { pattern: /child_process.*(?:exec|execSync|spawn|spawnSync|fork)\s*\(/g, label: 'child_process' },
+    { pattern: /\bexec\s*\(\s*['"`]/g, label: 'exec-string' },
+    { pattern: /\beval\s*\(\s*[^)]/g, label: 'eval' },
+    { pattern: /new\s+Function\s*\(/g, label: 'Function-constructor' },
+    { pattern: /child_process.*\bexec\s*\(\s*(?:req\.|params\.|query\.|body\.)/g, label: 'user-input-exec' },
+    { pattern: /\.exec\s*\(\s*`[^`]*\$\{/g, label: 'template-exec' },
+];
+exports.processSpawnRule = {
+    id: 'process-spawn',
+    name: 'Process Spawn Detection',
+    description: 'Flags shell command execution and dynamic code evaluation patterns',
+    async run(ctx) {
+        const codeFiles = ctx.files.filter(isCodeFile);
+        for (const file of codeFiles) {
+            let content;
+            try {
+                content = await (0, promises_1.readFile)(file, 'utf-8');
+            }
+            catch {
+                continue;
+            }
+            const lines = content.split('\n');
+            for (let i = 0; i < lines.length; i++) {
+                const line = lines[i];
+                for (const { pattern, label } of SPAWN_PATTERNS) {
+                    pattern.lastIndex = 0;
+                    if (pattern.test(line)) {
+                        const isUserInput = label === 'user-input-exec' || label === 'template-exec';
+                        ctx.addFinding({
+                            rule: 'process-spawn',
+                            severity: isUserInput ? 'critical' : 'medium',
+                            message: `Process spawn/eval detected: ${label}`,
+                            location: { file, line: i + 1 },
+                            evidence: line.trim().slice(0, 200),
+                            suggestion: isUserInput
+                                ? 'CRITICAL: User input flows into shell execution. This is a command injection vulnerability.'
+                                : 'Review whether this shell execution is necessary. Prefer native Node.js APIs.',
+                        });
+                    }
+                }
+            }
+        }
+    },
+};
+//# sourceMappingURL=process-spawn.rule.js.map

package/dist/scanners/runtime-monitor/rules/process-spawn.rule.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"process-spawn.rule.js","sourceRoot":"","sources":["../../../../src/scanners/runtime-monitor/rules/process-spawn.rule.ts"],"names":[],"mappings":";;;AAAA,+CAA4C;AAG5C,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;AAEhF,SAAS,UAAU,CAAC,IAAY;IAC9B,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IAClC,OAAO,GAAG,KAAK,CAAC,CAAC,IAAI,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;AAC1E,CAAC;AAED,MAAM,cAAc,GAAG;IACrB,EAAE,OAAO,EAAE,6DAA6D,EAAE,KAAK,EAAE,eAAe,EAAE;IAClG,EAAE,OAAO,EAAE,sBAAsB,EAAE,KAAK,EAAE,aAAa,EAAE;IACzD,EAAE,OAAO,EAAE,qBAAqB,EAAE,KAAK,EAAE,MAAM,EAAE;IACjD,EAAE,OAAO,EAAE,sBAAsB,EAAE,KAAK,EAAE,sBAAsB,EAAE;IAClE,EAAE,OAAO,EAAE,iEAAiE,EAAE,KAAK,EAAE,iBAAiB,EAAE;IACxG,EAAE,OAAO,EAAE,2BAA2B,EAAE,KAAK,EAAE,eAAe,EAAE;CACjE,CAAC;AAEW,QAAA,gBAAgB,GAAS;IACpC,EAAE,EAAE,eAAe;IACnB,IAAI,EAAE,yBAAyB;IAC/B,WAAW,EAAE,oEAAoE;IAEjF,KAAK,CAAC,GAAG,CAAC,GAAgB;QACxB,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QAE/C,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;YAC7B,IAAI,OAAe,CAAC;YACpB,IAAI,CAAC;gBACH,OAAO,GAAG,MAAM,IAAA,mBAAQ,EAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAC1C,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;YAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAClC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACtB,KAAK,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,cAAc,EAAE,CAAC;oBAChD,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;oBACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBACvB,MAAM,WAAW,GAAG,KAAK,KAAK,iBAAiB,IAAI,KAAK,KAAK,eAAe,CAAC;wBAC7E,GAAG,CAAC,UAAU,CAAC;4BACb,IAAI,EAAE,eAAe;4BACrB,QAAQ,EAAE,WAAW,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ;4BAC7C,OAAO,EAAE,gCAAgC,KAAK,EAAE;4BAChD,QAAQ,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,EAAE;4BAC/B,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;4BACnC,UAAU,EAAE,WAAW;gCACrB,CAAC,CAAC,6FAA6F;gCAC/F,CAAC,CAAC,+EAA+E;yBACpF,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;CACF,CAAC"}

package/dist/scanners/runtime-monitor/rules/resource-anomaly.rule.d.ts

@@ -0,0 +1,3 @@
+import type { Rule } from '../../../types/index.js';
+export declare const resourceAnomalyRule: Rule;
+//# sourceMappingURL=resource-anomaly.rule.d.ts.map

package/dist/scanners/runtime-monitor/rules/resource-anomaly.rule.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resource-anomaly.rule.d.ts","sourceRoot":"","sources":["../../../../src/scanners/runtime-monitor/rules/resource-anomaly.rule.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAAe,MAAM,yBAAyB,CAAC;AA0CjE,eAAO,MAAM,mBAAmB,EAAE,IAmCjC,CAAC"}

package/dist/scanners/runtime-monitor/rules/resource-anomaly.rule.js

@@ -0,0 +1,76 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resourceAnomalyRule = void 0;
+const promises_1 = require("node:fs/promises");
+const CODE_EXTENSIONS = new Set(['.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs']);
+function isCodeFile(file) {
+    const dot = file.lastIndexOf('.');
+    return dot !== -1 && CODE_EXTENSIONS.has(file.slice(dot).toLowerCase());
+}
+const ANOMALY_PATTERNS = [
+    {
+        pattern: /while\s*\(\s*true\s*\)/g,
+        label: 'infinite-loop',
+        severity: 'medium',
+        message: 'Infinite loop detected — potential denial of service',
+    },
+    {
+        pattern: /setInterval\s*\([^,]+,\s*\d{1,3}\s*\)/g,
+        label: 'tight-interval',
+        severity: 'medium',
+        message: 'Very short setInterval (< 1s) — potential resource exhaustion',
+    },
+    {
+        pattern: /Buffer\.alloc(?:Unsafe)?\s*\(\s*(?:\d{8,}|[a-zA-Z_$][\w$]*\s*\*\s*[a-zA-Z_$][\w$]*)\s*\)/g,
+        label: 'large-buffer',
+        severity: 'medium',
+        message: 'Large buffer allocation — potential memory exhaustion attack',
+    },
+    {
+        pattern: /new\s+RegExp\s*\(\s*(?:req\.|params\.|query\.|body\.|args\.)/g,
+        label: 'user-regex',
+        severity: 'high',
+        message: 'User input used in RegExp constructor — ReDoS vulnerability',
+    },
+    {
+        pattern: /crypto\.(?:pbkdf2|scrypt).*(?:iterations|cost)\s*[:=]\s*(?:req\.|params\.|query\.|body\.)/g,
+        label: 'user-controlled-crypto',
+        severity: 'high',
+        message: 'User input controls crypto parameters — potential algorithmic complexity attack',
+    },
+];
+exports.resourceAnomalyRule = {
+    id: 'resource-anomaly',
+    name: 'Resource Anomaly Detection',
+    description: 'Detects patterns that could cause resource exhaustion or denial of service',
+    async run(ctx) {
+        const codeFiles = ctx.files.filter(isCodeFile);
+        for (const file of codeFiles) {
+            let content;
+            try {
+                content = await (0, promises_1.readFile)(file, 'utf-8');
+            }
+            catch {
+                continue;
+            }
+            const lines = content.split('\n');
+            for (let i = 0; i < lines.length; i++) {
+                const line = lines[i];
+                for (const anomaly of ANOMALY_PATTERNS) {
+                    anomaly.pattern.lastIndex = 0;
+                    if (anomaly.pattern.test(line)) {
+                        ctx.addFinding({
+                            rule: 'resource-anomaly',
+                            severity: anomaly.severity,
+                            message: anomaly.message,
+                            location: { file, line: i + 1 },
+                            evidence: line.trim().slice(0, 200),
+                            suggestion: 'Review this pattern for potential resource exhaustion.',
+                        });
+                    }
+                }
+            }
+        }
+    },
+};
+//# sourceMappingURL=resource-anomaly.rule.js.map

package/dist/scanners/runtime-monitor/rules/resource-anomaly.rule.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resource-anomaly.rule.js","sourceRoot":"","sources":["../../../../src/scanners/runtime-monitor/rules/resource-anomaly.rule.ts"],"names":[],"mappings":";;;AAAA,+CAA4C;AAG5C,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;AAEhF,SAAS,UAAU,CAAC,IAAY;IAC9B,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IAClC,OAAO,GAAG,KAAK,CAAC,CAAC,IAAI,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;AAC1E,CAAC;AAED,MAAM,gBAAgB,GAAG;IACvB;QACE,OAAO,EAAE,yBAAyB;QAClC,KAAK,EAAE,eAAe;QACtB,QAAQ,EAAE,QAAiB;QAC3B,OAAO,EAAE,sDAAsD;KAChE;IACD;QACE,OAAO,EAAE,wCAAwC;QACjD,KAAK,EAAE,gBAAgB;QACvB,QAAQ,EAAE,QAAiB;QAC3B,OAAO,EAAE,+DAA+D;KACzE;IACD;QACE,OAAO,EAAE,2FAA2F;QACpG,KAAK,EAAE,cAAc;QACrB,QAAQ,EAAE,QAAiB;QAC3B,OAAO,EAAE,8DAA8D;KACxE;IACD;QACE,OAAO,EAAE,+DAA+D;QACxE,KAAK,EAAE,YAAY;QACnB,QAAQ,EAAE,MAAe;QACzB,OAAO,EAAE,6DAA6D;KACvE;IACD;QACE,OAAO,EAAE,4FAA4F;QACrG,KAAK,EAAE,wBAAwB;QAC/B,QAAQ,EAAE,MAAe;QACzB,OAAO,EAAE,iFAAiF;KAC3F;CACF,CAAC;AAEW,QAAA,mBAAmB,GAAS;IACvC,EAAE,EAAE,kBAAkB;IACtB,IAAI,EAAE,4BAA4B;IAClC,WAAW,EAAE,4EAA4E;IAEzF,KAAK,CAAC,GAAG,CAAC,GAAgB;QACxB,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QAE/C,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;YAC7B,IAAI,OAAe,CAAC;YACpB,IAAI,CAAC;gBACH,OAAO,GAAG,MAAM,IAAA,mBAAQ,EAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAC1C,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;YAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAClC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACtB,KAAK,MAAM,OAAO,IAAI,gBAAgB,EAAE,CAAC;oBACvC,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;oBAC9B,IAAI,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC/B,GAAG,CAAC,UAAU,CAAC;4BACb,IAAI,EAAE,kBAAkB;4BACxB,QAAQ,EAAE,OAAO,CAAC,QAAQ;4BAC1B,OAAO,EAAE,OAAO,CAAC,OAAO;4BACxB,QAAQ,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,EAAE;4BAC/B,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;4BACnC,UAAU,EAAE,wDAAwD;yBACrE,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;CACF,CAAC"}

package/dist/scanners/runtime-monitor/scanner.d.ts

@@ -0,0 +1,3 @@
+import type { Scanner } from '../../types/index.js';
+export declare const runtimeMonitorScanner: Scanner;
+//# sourceMappingURL=scanner.d.ts.map

package/dist/scanners/runtime-monitor/scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../../../src/scanners/runtime-monitor/scanner.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAqB,MAAM,sBAAsB,CAAC;AAavE,eAAO,MAAM,qBAAqB,EAAE,OAanC,CAAC"}

package/dist/scanners/runtime-monitor/scanner.js

@@ -0,0 +1,28 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runtimeMonitorScanner = void 0;
+const process_spawn_rule_js_1 = require("./rules/process-spawn.rule.js");
+const filesystem_access_rule_js_1 = require("./rules/filesystem-access.rule.js");
+const outbound_network_rule_js_1 = require("./rules/outbound-network.rule.js");
+const resource_anomaly_rule_js_1 = require("./rules/resource-anomaly.rule.js");
+const rules = [
+    process_spawn_rule_js_1.processSpawnRule,
+    filesystem_access_rule_js_1.filesystemAccessRule,
+    outbound_network_rule_js_1.outboundNetworkRule,
+    resource_anomaly_rule_js_1.resourceAnomalyRule,
+];
+exports.runtimeMonitorScanner = {
+    id: 'runtime-monitor',
+    name: 'Runtime Monitor',
+    description: 'Detects suspicious runtime behavior: process spawning, filesystem access, network calls, resource anomalies',
+    rules,
+    async scan(ctx) {
+        for (const rule of rules) {
+            const ruleConfig = ctx.scannerConfig.rules?.[rule.id];
+            if (ruleConfig?.enabled === false)
+                continue;
+            await rule.run(ctx);
+        }
+    },
+};
+//# sourceMappingURL=scanner.js.map

package/dist/scanners/runtime-monitor/scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.js","sourceRoot":"","sources":["../../../src/scanners/runtime-monitor/scanner.ts"],"names":[],"mappings":";;;AACA,yEAAiE;AACjE,iFAAyE;AACzE,+EAAuE;AACvE,+EAAuE;AAEvE,MAAM,KAAK,GAAW;IACpB,wCAAgB;IAChB,gDAAoB;IACpB,8CAAmB;IACnB,8CAAmB;CACpB,CAAC;AAEW,QAAA,qBAAqB,GAAY;IAC5C,EAAE,EAAE,iBAAiB;IACrB,IAAI,EAAE,iBAAiB;IACvB,WAAW,EAAE,6GAA6G;IAC1H,KAAK;IAEL,KAAK,CAAC,IAAI,CAAC,GAAgB;QACzB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,UAAU,GAAG,GAAG,CAAC,aAAa,CAAC,KAAK,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACtD,IAAI,UAAU,EAAE,OAAO,KAAK,KAAK;gBAAE,SAAS;YAC5C,MAAM,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACtB,CAAC;IACH,CAAC;CACF,CAAC"}

package/dist/scanners/secrets-exposure/index.d.ts

@@ -0,0 +1,2 @@
+export { secretsExposureScanner } from './scanner.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/scanners/secrets-exposure/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/scanners/secrets-exposure/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAC"}

package/dist/scanners/secrets-exposure/index.js

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.secretsExposureScanner = void 0;
+var scanner_js_1 = require("./scanner.js");
+Object.defineProperty(exports, "secretsExposureScanner", { enumerable: true, get: function () { return scanner_js_1.secretsExposureScanner; } });
+//# sourceMappingURL=index.js.map

package/dist/scanners/secrets-exposure/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/scanners/secrets-exposure/index.ts"],"names":[],"mappings":";;;AAAA,2CAAsD;AAA7C,oHAAA,sBAAsB,OAAA"}

package/dist/scanners/secrets-exposure/patterns/secret-signatures.d.ts

@@ -0,0 +1,7 @@
+export interface SecretSignature {
+    pattern: RegExp;
+    label: string;
+    description: string;
+}
+export declare const SECRET_SIGNATURES: SecretSignature[];
+//# sourceMappingURL=secret-signatures.d.ts.map

package/dist/scanners/secrets-exposure/patterns/secret-signatures.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-signatures.d.ts","sourceRoot":"","sources":["../../../../src/scanners/secrets-exposure/patterns/secret-signatures.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,eAAO,MAAM,iBAAiB,EAAE,eAAe,EAuE9C,CAAC"}

package/dist/scanners/secrets-exposure/patterns/secret-signatures.js

@@ -0,0 +1,76 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SECRET_SIGNATURES = void 0;
+exports.SECRET_SIGNATURES = [
+    {
+        pattern: /sk-ant-api\d{2}-[A-Za-z0-9_-]{20,}/,
+        label: 'anthropic-api-key',
+        description: 'Anthropic API key',
+    },
+    {
+        pattern: /sk-[A-Za-z0-9]{48,}/,
+        label: 'openai-api-key',
+        description: 'OpenAI API key',
+    },
+    {
+        pattern: /ghp_[A-Za-z0-9]{36,}/,
+        label: 'github-pat',
+        description: 'GitHub personal access token',
+    },
+    {
+        pattern: /gho_[A-Za-z0-9]{36,}/,
+        label: 'github-oauth',
+        description: 'GitHub OAuth access token',
+    },
+    {
+        pattern: /github_pat_[A-Za-z0-9_]{20,}/,
+        label: 'github-fine-grained-pat',
+        description: 'GitHub fine-grained personal access token',
+    },
+    {
+        pattern: /xoxb-[0-9]{10,}-[0-9]{10,}-[A-Za-z0-9]{24,}/,
+        label: 'slack-bot-token',
+        description: 'Slack bot token',
+    },
+    {
+        pattern: /xoxp-[0-9]{10,}-[0-9]{10,}-[A-Za-z0-9]{24,}/,
+        label: 'slack-user-token',
+        description: 'Slack user token',
+    },
+    {
+        pattern: /eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}/,
+        label: 'supabase-jwt',
+        description: 'Supabase JWT (anon or service_role key)',
+    },
+    {
+        pattern: /AKIA[0-9A-Z]{16}/,
+        label: 'aws-access-key',
+        description: 'AWS access key ID',
+    },
+    {
+        pattern: /npm_[A-Za-z0-9]{36,}/,
+        label: 'npm-token',
+        description: 'npm access token',
+    },
+    {
+        pattern: /sk_live_[A-Za-z0-9]{24,}/,
+        label: 'stripe-secret-key',
+        description: 'Stripe secret key',
+    },
+    {
+        pattern: /sq0csp-[A-Za-z0-9_-]{43}/,
+        label: 'square-oauth-secret',
+        description: 'Square OAuth secret',
+    },
+    {
+        pattern: /SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}/,
+        label: 'sendgrid-api-key',
+        description: 'SendGrid API key',
+    },
+    {
+        pattern: /-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----/,
+        label: 'private-key',
+        description: 'Private key file',
+    },
+];
+//# sourceMappingURL=secret-signatures.js.map

package/dist/scanners/secrets-exposure/patterns/secret-signatures.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-signatures.js","sourceRoot":"","sources":["../../../../src/scanners/secrets-exposure/patterns/secret-signatures.ts"],"names":[],"mappings":";;;AAMa,QAAA,iBAAiB,GAAsB;IAClD;QACE,OAAO,EAAE,oCAAoC;QAC7C,KAAK,EAAE,mBAAmB;QAC1B,WAAW,EAAE,mBAAmB;KACjC;IACD;QACE,OAAO,EAAE,qBAAqB;QAC9B,KAAK,EAAE,gBAAgB;QACvB,WAAW,EAAE,gBAAgB;KAC9B;IACD;QACE,OAAO,EAAE,sBAAsB;QAC/B,KAAK,EAAE,YAAY;QACnB,WAAW,EAAE,8BAA8B;KAC5C;IACD;QACE,OAAO,EAAE,sBAAsB;QAC/B,KAAK,EAAE,cAAc;QACrB,WAAW,EAAE,2BAA2B;KACzC;IACD;QACE,OAAO,EAAE,8BAA8B;QACvC,KAAK,EAAE,yBAAyB;QAChC,WAAW,EAAE,2CAA2C;KACzD;IACD;QACE,OAAO,EAAE,6CAA6C;QACtD,KAAK,EAAE,iBAAiB;QACxB,WAAW,EAAE,iBAAiB;KAC/B;IACD;QACE,OAAO,EAAE,6CAA6C;QACtD,KAAK,EAAE,kBAAkB;QACzB,WAAW,EAAE,kBAAkB;KAChC;IACD;QACE,OAAO,EAAE,8EAA8E;QACvF,KAAK,EAAE,cAAc;QACrB,WAAW,EAAE,yCAAyC;KACvD;IACD;QACE,OAAO,EAAE,kBAAkB;QAC3B,KAAK,EAAE,gBAAgB;QACvB,WAAW,EAAE,mBAAmB;KACjC;IACD;QACE,OAAO,EAAE,sBAAsB;QAC/B,KAAK,EAAE,WAAW;QAClB,WAAW,EAAE,kBAAkB;KAChC;IACD;QACE,OAAO,EAAE,0BAA0B;QACnC,KAAK,EAAE,mBAAmB;QAC1B,WAAW,EAAE,mBAAmB;KACjC;IACD;QACE,OAAO,EAAE,0BAA0B;QACnC,KAAK,EAAE,qBAAqB;QAC5B,WAAW,EAAE,qBAAqB;KACnC;IACD;QACE,OAAO,EAAE,0CAA0C;QACnD,KAAK,EAAE,kBAAkB;QACzB,WAAW,EAAE,kBAAkB;KAChC;IACD;QACE,OAAO,EAAE,6CAA6C;QACtD,KAAK,EAAE,aAAa;QACpB,WAAW,EAAE,kBAAkB;KAChC;CACF,CAAC"}

package/dist/scanners/secrets-exposure/rules/entropy-check.rule.d.ts

@@ -0,0 +1,3 @@
+import type { Rule } from '../../../types/index.js';
+export declare const entropyCheckRule: Rule;
+//# sourceMappingURL=entropy-check.rule.d.ts.map

package/dist/scanners/secrets-exposure/rules/entropy-check.rule.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"entropy-check.rule.d.ts","sourceRoot":"","sources":["../../../../src/scanners/secrets-exposure/rules/entropy-check.rule.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,IAAI,EAAe,MAAM,yBAAyB,CAAC;AAiCjE,eAAO,MAAM,gBAAgB,EAAE,IA2C9B,CAAC"}

package/dist/scanners/secrets-exposure/rules/entropy-check.rule.js

@@ -0,0 +1,77 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.entropyCheckRule = void 0;
+const promises_1 = require("node:fs/promises");
+const node_path_1 = require("node:path");
+const CODE_EXTENSIONS = new Set([
+    '.ts', '.tsx', '.js', '.jsx', '.json', '.yaml', '.yml',
+    '.toml', '.cfg', '.ini', '.env',
+]);
+function isTargetFile(file) {
+    const dot = file.lastIndexOf('.');
+    if (dot === -1)
+        return (0, node_path_1.basename)(file).startsWith('.env');
+    return CODE_EXTENSIONS.has(file.slice(dot).toLowerCase());
+}
+function shannonEntropy(s) {
+    if (s.length === 0)
+        return 0;
+    const freq = new Map();
+    for (const ch of s) {
+        freq.set(ch, (freq.get(ch) ?? 0) + 1);
+    }
+    let entropy = 0;
+    for (const count of freq.values()) {
+        const p = count / s.length;
+        entropy -= p * Math.log2(p);
+    }
+    return entropy;
+}
+// Match assignment-like patterns: KEY=value, "key": "value", key: value
+const ASSIGNMENT_PATTERN = /(?:['"]?(?:key|token|secret|password|api_key|apikey|auth|credential|private)['"_\s]*[:=]\s*['"]?)([A-Za-z0-9+/=_-]{16,})/gi;
+const ENTROPY_THRESHOLD = 4.5;
+const MIN_LENGTH = 16;
+exports.entropyCheckRule = {
+    id: 'entropy-check',
+    name: 'High Entropy String Detection',
+    description: 'Flags high-entropy strings in assignment contexts that may be hardcoded secrets',
+    async run(ctx) {
+        for (const file of ctx.files) {
+            if (!isTargetFile(file))
+                continue;
+            let content;
+            try {
+                content = await (0, promises_1.readFile)(file, 'utf-8');
+            }
+            catch {
+                continue;
+            }
+            const lines = content.split('\n');
+            for (let i = 0; i < lines.length; i++) {
+                const line = lines[i];
+                if (/^\s*#/.test(line) || /^\s*\/\//.test(line))
+                    continue;
+                ASSIGNMENT_PATTERN.lastIndex = 0;
+                let match;
+                while ((match = ASSIGNMENT_PATTERN.exec(line)) !== null) {
+                    const value = match[1];
+                    if (value.length < MIN_LENGTH)
+                        continue;
+                    const entropy = shannonEntropy(value);
+                    if (entropy >= ENTROPY_THRESHOLD) {
+                        ctx.addFinding({
+                            rule: 'entropy-check',
+                            severity: 'high',
+                            message: `High-entropy string (${entropy.toFixed(2)} bits) in secret-like assignment`,
+                            location: { file, line: i + 1 },
+                            evidence: value.slice(0, 8) + '...[REDACTED]',
+                            suggestion: 'This looks like a hardcoded credential. Move it to an environment variable.',
+                            metadata: { entropy },
+                        });
+                    }
+                }
+            }
+        }
+    },
+};
+//# sourceMappingURL=entropy-check.rule.js.map

package/dist/scanners/secrets-exposure/rules/entropy-check.rule.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"entropy-check.rule.js","sourceRoot":"","sources":["../../../../src/scanners/secrets-exposure/rules/entropy-check.rule.ts"],"names":[],"mappings":";;;AAAA,+CAA4C;AAC5C,yCAAqC;AAGrC,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC;IAC9B,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM;IACtD,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;CAChC,CAAC,CAAC;AAEH,SAAS,YAAY,CAAC,IAAY;IAChC,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,GAAG,KAAK,CAAC,CAAC;QAAE,OAAO,IAAA,oBAAQ,EAAC,IAAI,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IACzD,OAAO,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;AAC5D,CAAC;AAED,SAAS,cAAc,CAAC,CAAS;IAC/B,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAC7B,MAAM,IAAI,GAAG,IAAI,GAAG,EAAkB,CAAC;IACvC,KAAK,MAAM,EAAE,IAAI,CAAC,EAAE,CAAC;QACnB,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACxC,CAAC;IACD,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC,MAAM,CAAC;QAC3B,OAAO,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,wEAAwE;AACxE,MAAM,kBAAkB,GAAG,4HAA4H,CAAC;AAExJ,MAAM,iBAAiB,GAAG,GAAG,CAAC;AAC9B,MAAM,UAAU,GAAG,EAAE,CAAC;AAET,QAAA,gBAAgB,GAAS;IACpC,EAAE,EAAE,eAAe;IACnB,IAAI,EAAE,+BAA+B;IACrC,WAAW,EAAE,iFAAiF;IAE9F,KAAK,CAAC,GAAG,CAAC,GAAgB;QACxB,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;YAC7B,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC;gBAAE,SAAS;YAElC,IAAI,OAAe,CAAC;YACpB,IAAI,CAAC;gBACH,OAAO,GAAG,MAAM,IAAA,mBAAQ,EAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAC1C,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;YAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAClC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC;oBAAE,SAAS;gBAE1D,kBAAkB,CAAC,SAAS,GAAG,CAAC,CAAC;gBACjC,IAAI,KAA6B,CAAC;gBAClC,OAAO,CAAC,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;oBACxD,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;oBACvB,IAAI,KAAK,CAAC,MAAM,GAAG,UAAU;wBAAE,SAAS;oBAExC,MAAM,OAAO,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;oBACtC,IAAI,OAAO,IAAI,iBAAiB,EAAE,CAAC;wBACjC,GAAG,CAAC,UAAU,CAAC;4BACb,IAAI,EAAE,eAAe;4BACrB,QAAQ,EAAE,MAAM;4BAChB,OAAO,EAAE,wBAAwB,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,kCAAkC;4BACrF,QAAQ,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,EAAE;4BAC/B,QAAQ,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,eAAe;4BAC7C,UAAU,EAAE,6EAA6E;4BACzF,QAAQ,EAAE,EAAE,OAAO,EAAE;yBACtB,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;CACF,CAAC"}

package/dist/scanners/secrets-exposure/rules/known-patterns.rule.d.ts

@@ -0,0 +1,3 @@
+import type { Rule } from '../../../types/index.js';
+export declare const knownPatternsRule: Rule;
+//# sourceMappingURL=known-patterns.rule.d.ts.map

package/dist/scanners/secrets-exposure/rules/known-patterns.rule.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"known-patterns.rule.d.ts","sourceRoot":"","sources":["../../../../src/scanners/secrets-exposure/rules/known-patterns.rule.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,IAAI,EAAe,MAAM,yBAAyB,CAAC;AAqBjE,eAAO,MAAM,iBAAiB,EAAE,IAwC/B,CAAC"}

package/dist/scanners/secrets-exposure/rules/known-patterns.rule.js

@@ -0,0 +1,62 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.knownPatternsRule = void 0;
+const promises_1 = require("node:fs/promises");
+const node_path_1 = require("node:path");
+const secret_signatures_js_1 = require("../patterns/secret-signatures.js");
+const SKIP_FILES = new Set([
+    'package-lock.json', 'yarn.lock', 'pnpm-lock.yaml',
+    '.gitignore', '.dockerignore',
+]);
+const BINARY_EXTENSIONS = new Set([
+    '.png', '.jpg', '.jpeg', '.gif', '.ico', '.woff', '.woff2',
+    '.ttf', '.eot', '.zip', '.tar', '.gz', '.pdf',
+]);
+function shouldSkip(file) {
+    const name = (0, node_path_1.basename)(file);
+    if (SKIP_FILES.has(name))
+        return true;
+    const dot = file.lastIndexOf('.');
+    if (dot !== -1 && BINARY_EXTENSIONS.has(file.slice(dot).toLowerCase()))
+        return true;
+    return false;
+}
+exports.knownPatternsRule = {
+    id: 'known-patterns',
+    name: 'Known Secret Patterns',
+    description: 'Matches known API key and credential patterns in source files',
+    async run(ctx) {
+        for (const file of ctx.files) {
+            if (shouldSkip(file))
+                continue;
+            let content;
+            try {
+                content = await (0, promises_1.readFile)(file, 'utf-8');
+            }
+            catch {
+                continue;
+            }
+            const lines = content.split('\n');
+            for (let i = 0; i < lines.length; i++) {
+                const line = lines[i];
+                // Skip lines that are env template placeholders
+                if (/^\s*#/.test(line) || /=\s*$/.test(line) || /YOUR_.*_HERE/.test(line)) {
+                    continue;
+                }
+                for (const sig of secret_signatures_js_1.SECRET_SIGNATURES) {
+                    if (sig.pattern.test(line)) {
+                        ctx.addFinding({
+                            rule: 'known-patterns',
+                            severity: 'critical',
+                            message: `${sig.description} found in source code`,
+                            location: { file, line: i + 1 },
+                            evidence: line.trim().slice(0, 40) + '...[REDACTED]',
+                            suggestion: `Move this ${sig.label} to an environment variable. Never commit secrets to source control.`,
+                        });
+                    }
+                }
+            }
+        }
+    },
+};
+//# sourceMappingURL=known-patterns.rule.js.map

package/dist/scanners/secrets-exposure/rules/known-patterns.rule.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"known-patterns.rule.js","sourceRoot":"","sources":["../../../../src/scanners/secrets-exposure/rules/known-patterns.rule.ts"],"names":[],"mappings":";;;AAAA,+CAA4C;AAC5C,yCAAqC;AAErC,2EAAqE;AAErE,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC;IACzB,mBAAmB,EAAE,WAAW,EAAE,gBAAgB;IAClD,YAAY,EAAE,eAAe;CAC9B,CAAC,CAAC;AAEH,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;IAChC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ;IAC1D,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM;CAC9C,CAAC,CAAC;AAEH,SAAS,UAAU,CAAC,IAAY;IAC9B,MAAM,IAAI,GAAG,IAAA,oBAAQ,EAAC,IAAI,CAAC,CAAC;IAC5B,IAAI,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACtC,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,GAAG,KAAK,CAAC,CAAC,IAAI,iBAAiB,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;QAAE,OAAO,IAAI,CAAC;IACpF,OAAO,KAAK,CAAC;AACf,CAAC;AAEY,QAAA,iBAAiB,GAAS;IACrC,EAAE,EAAE,gBAAgB;IACpB,IAAI,EAAE,uBAAuB;IAC7B,WAAW,EAAE,+DAA+D;IAE5E,KAAK,CAAC,GAAG,CAAC,GAAgB;QACxB,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;YAC7B,IAAI,UAAU,CAAC,IAAI,CAAC;gBAAE,SAAS;YAE/B,IAAI,OAAe,CAAC;YACpB,IAAI,CAAC;gBACH,OAAO,GAAG,MAAM,IAAA,mBAAQ,EAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAC1C,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;YAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAClC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBAEtB,gDAAgD;gBAChD,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC1E,SAAS;gBACX,CAAC;gBAED,KAAK,MAAM,GAAG,IAAI,wCAAiB,EAAE,CAAC;oBACpC,IAAI,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC3B,GAAG,CAAC,UAAU,CAAC;4BACb,IAAI,EAAE,gBAAgB;4BACtB,QAAQ,EAAE,UAAU;4BACpB,OAAO,EAAE,GAAG,GAAG,CAAC,WAAW,uBAAuB;4BAClD,QAAQ,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,EAAE;4BAC/B,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,eAAe;4BACpD,UAAU,EAAE,aAAa,GAAG,CAAC,KAAK,sEAAsE;yBACzG,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;CACF,CAAC"}

package/dist/scanners/secrets-exposure/rules/response-echo.rule.d.ts

@@ -0,0 +1,3 @@
+import type { Rule } from '../../../types/index.js';
+export declare const responseEchoRule: Rule;
+//# sourceMappingURL=response-echo.rule.d.ts.map

package/dist/scanners/secrets-exposure/rules/response-echo.rule.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"response-echo.rule.d.ts","sourceRoot":"","sources":["../../../../src/scanners/secrets-exposure/rules/response-echo.rule.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAAe,MAAM,yBAAyB,CAAC;AAiCjE,eAAO,MAAM,gBAAgB,EAAE,IAmC9B,CAAC"}

package/dist/scanners/secrets-exposure/rules/response-echo.rule.js

@@ -0,0 +1,67 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.responseEchoRule = void 0;
+const promises_1 = require("node:fs/promises");
+const CODE_EXTENSIONS = new Set(['.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs']);
+function isCodeFile(file) {
+    const dot = file.lastIndexOf('.');
+    return dot !== -1 && CODE_EXTENSIONS.has(file.slice(dot).toLowerCase());
+}
+// Patterns where env vars are passed into responses, logs, or error messages
+const ECHO_PATTERNS = [
+    {
+        pattern: /(?:res\.(?:json|send|write)|console\.(?:log|error|warn))\s*\([^)]*process\.env\.[A-Z_]*(?:KEY|SECRET|TOKEN|PASSWORD)/g,
+        label: 'env-var-in-response',
+        description: 'Environment variable containing a secret echoed in response or log',
+    },
+    {
+        pattern: /(?:JSON\.stringify|toString)\s*\([^)]*process\.env\b/g,
+        label: 'env-serialization',
+        description: 'process.env serialized — may leak all environment variables',
+    },
+    {
+        pattern: /(?:res\.(?:json|send))\s*\(\s*\{\s*\.\.\.(?:process\.env|req\.)/g,
+        label: 'spread-leak',
+        description: 'Object spread may leak sensitive fields into response',
+    },
+    {
+        pattern: /error\.stack|err\.stack/g,
+        label: 'stack-trace-exposure',
+        description: 'Stack trace exposed — may reveal file paths and internal structure',
+    },
+];
+exports.responseEchoRule = {
+    id: 'response-echo',
+    name: 'Response Echo Detection',
+    description: 'Detects secrets or sensitive data being echoed in HTTP responses or logs',
+    async run(ctx) {
+        const codeFiles = ctx.files.filter(isCodeFile);
+        for (const file of codeFiles) {
+            let content;
+            try {
+                content = await (0, promises_1.readFile)(file, 'utf-8');
+            }
+            catch {
+                continue;
+            }
+            const lines = content.split('\n');
+            for (let i = 0; i < lines.length; i++) {
+                const line = lines[i];
+                for (const { pattern, label, description } of ECHO_PATTERNS) {
+                    pattern.lastIndex = 0;
+                    if (pattern.test(line)) {
+                        ctx.addFinding({
+                            rule: 'response-echo',
+                            severity: label === 'stack-trace-exposure' ? 'medium' : 'high',
+                            message: description,
+                            location: { file, line: i + 1 },
+                            evidence: line.trim().slice(0, 200),
+                            suggestion: 'Never echo secrets or full env objects in responses. Sanitize output.',
+                        });
+                    }
+                }
+            }
+        }
+    },
+};
+//# sourceMappingURL=response-echo.rule.js.map

package/dist/scanners/secrets-exposure/rules/response-echo.rule.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"response-echo.rule.js","sourceRoot":"","sources":["../../../../src/scanners/secrets-exposure/rules/response-echo.rule.ts"],"names":[],"mappings":";;;AAAA,+CAA4C;AAG5C,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;AAEhF,SAAS,UAAU,CAAC,IAAY;IAC9B,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IAClC,OAAO,GAAG,KAAK,CAAC,CAAC,IAAI,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;AAC1E,CAAC;AAED,6EAA6E;AAC7E,MAAM,aAAa,GAAG;IACpB;QACE,OAAO,EAAE,uHAAuH;QAChI,KAAK,EAAE,qBAAqB;QAC5B,WAAW,EAAE,oEAAoE;KAClF;IACD;QACE,OAAO,EAAE,uDAAuD;QAChE,KAAK,EAAE,mBAAmB;QAC1B,WAAW,EAAE,6DAA6D;KAC3E;IACD;QACE,OAAO,EAAE,kEAAkE;QAC3E,KAAK,EAAE,aAAa;QACpB,WAAW,EAAE,uDAAuD;KACrE;IACD;QACE,OAAO,EAAE,0BAA0B;QACnC,KAAK,EAAE,sBAAsB;QAC7B,WAAW,EAAE,oEAAoE;KAClF;CACF,CAAC;AAEW,QAAA,gBAAgB,GAAS;IACpC,EAAE,EAAE,eAAe;IACnB,IAAI,EAAE,yBAAyB;IAC/B,WAAW,EAAE,0EAA0E;IAEvF,KAAK,CAAC,GAAG,CAAC,GAAgB;QACxB,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QAE/C,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;YAC7B,IAAI,OAAe,CAAC;YACpB,IAAI,CAAC;gBACH,OAAO,GAAG,MAAM,IAAA,mBAAQ,EAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAC1C,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;YAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAClC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACtB,KAAK,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,IAAI,aAAa,EAAE,CAAC;oBAC5D,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;oBACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBACvB,GAAG,CAAC,UAAU,CAAC;4BACb,IAAI,EAAE,eAAe;4BACrB,QAAQ,EAAE,KAAK,KAAK,sBAAsB,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM;4BAC9D,OAAO,EAAE,WAAW;4BACpB,QAAQ,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,EAAE;4BAC/B,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;4BACnC,UAAU,EAAE,uEAAuE;yBACpF,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;CACF,CAAC"}

package/dist/scanners/secrets-exposure/scanner.d.ts

@@ -0,0 +1,3 @@
+import type { Scanner } from '../../types/index.js';
+export declare const secretsExposureScanner: Scanner;
+//# sourceMappingURL=scanner.d.ts.map

package/dist/scanners/secrets-exposure/scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../../../src/scanners/secrets-exposure/scanner.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAqB,MAAM,sBAAsB,CAAC;AAWvE,eAAO,MAAM,sBAAsB,EAAE,OAapC,CAAC"}

package/dist/scanners/secrets-exposure/scanner.js

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.secretsExposureScanner = void 0;
+const entropy_check_rule_js_1 = require("./rules/entropy-check.rule.js");
+const known_patterns_rule_js_1 = require("./rules/known-patterns.rule.js");
+const response_echo_rule_js_1 = require("./rules/response-echo.rule.js");
+const rules = [
+    known_patterns_rule_js_1.knownPatternsRule,
+    entropy_check_rule_js_1.entropyCheckRule,
+    response_echo_rule_js_1.responseEchoRule,
+];
+exports.secretsExposureScanner = {
+    id: 'secrets-exposure',
+    name: 'Secrets Exposure',
+    description: 'Detects hardcoded secrets, high-entropy strings, and response echo vulnerabilities',
+    rules,
+    async scan(ctx) {
+        for (const rule of rules) {
+            const ruleConfig = ctx.scannerConfig.rules?.[rule.id];
+            if (ruleConfig?.enabled === false)
+                continue;
+            await rule.run(ctx);
+        }
+    },
+};
+//# sourceMappingURL=scanner.js.map

package/dist/scanners/secrets-exposure/scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.js","sourceRoot":"","sources":["../../../src/scanners/secrets-exposure/scanner.ts"],"names":[],"mappings":";;;AACA,yEAAiE;AACjE,2EAAmE;AACnE,yEAAiE;AAEjE,MAAM,KAAK,GAAW;IACpB,0CAAiB;IACjB,wCAAgB;IAChB,wCAAgB;CACjB,CAAC;AAEW,QAAA,sBAAsB,GAAY;IAC7C,EAAE,EAAE,kBAAkB;IACtB,IAAI,EAAE,kBAAkB;IACxB,WAAW,EAAE,oFAAoF;IACjG,KAAK;IAEL,KAAK,CAAC,IAAI,CAAC,GAAgB;QACzB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,UAAU,GAAG,GAAG,CAAC,aAAa,CAAC,KAAK,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACtD,IAAI,UAAU,EAAE,OAAO,KAAK,KAAK;gBAAE,SAAS;YAC5C,MAAM,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACtB,CAAC;IACH,CAAC;CACF,CAAC"}

package/dist/types/config.types.d.ts

@@ -0,0 +1,22 @@
+export type Severity = 'critical' | 'high' | 'medium' | 'low' | 'info';
+export type ScannerId = 'ai-tool-integrity' | 'secrets-exposure' | 'dependency-integrity' | 'runtime-monitor';
+export interface RuleConfig {
+    enabled: boolean;
+    severity?: Severity;
+    options?: Record<string, unknown>;
+}
+export interface ScannerConfig {
+    enabled: boolean;
+    rules?: Record<string, RuleConfig>;
+}
+export interface WatchmanConfig {
+    projectRoot: string;
+    scanners: Partial<Record<ScannerId, ScannerConfig>>;
+    include?: string[];
+    exclude?: string[];
+    failOn?: Severity;
+    quiet?: boolean;
+    maxFindings?: number;
+}
+export declare const DEFAULT_CONFIG: Omit<WatchmanConfig, 'projectRoot'>;
+//# sourceMappingURL=config.types.d.ts.map

package/dist/types/config.types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.types.d.ts","sourceRoot":"","sources":["../../src/types/config.types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,QAAQ,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;AAEvE,MAAM,MAAM,SAAS,GACjB,mBAAmB,GACnB,kBAAkB,GAClB,sBAAsB,GACtB,iBAAiB,CAAC;AAEtB,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,QAAQ,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC;AAED,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;CACpC;AAED,MAAM,WAAW,cAAc;IAC7B,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC,CAAC;IACpD,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,MAAM,CAAC,EAAE,QAAQ,CAAC;IAClB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,eAAO,MAAM,cAAc,EAAE,IAAI,CAAC,cAAc,EAAE,aAAa,CAU9D,CAAC"}