@pan-sec/notebooklm-mcp 1.4.0

package/dist/utils/secrets-scanner.js

@@ -0,0 +1,443 @@
+/**
+ * Secrets Scanner for NotebookLM MCP Server
+ *
+ * Detects and prevents credential exposure:
+ * - API keys
+ * - Passwords
+ * - Tokens
+ * - Private keys
+ * - Connection strings
+ *
+ * Why this matters:
+ * - Prevents accidental credential logging
+ * - Detects leaked secrets in responses
+ * - Compliance with security best practices
+ *
+ * Patterns derived from: TruffleHog, GitLeaks, MEDUSA
+ * Added by Pantheon Security for hardened fork.
+ */
+import { log } from "./logger.js";
+import { audit } from "./audit-logger.js";
+/**
+ * Secret detection patterns
+ * Based on TruffleHog, GitLeaks, and custom patterns
+ */
+const SECRET_PATTERNS = [
+    // === CRITICAL: High-value secrets ===
+    // AWS
+    {
+        name: "AWS Access Key ID",
+        pattern: /\b(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}\b/g,
+        severity: "critical",
+        description: "AWS Access Key ID",
+    },
+    {
+        name: "AWS Secret Access Key",
+        pattern: /\b[A-Za-z0-9/+=]{40}\b(?=.*aws|.*secret|.*key)/gi,
+        severity: "critical",
+        description: "Potential AWS Secret Access Key",
+    },
+    // Google
+    {
+        name: "Google API Key",
+        pattern: /\bAIza[0-9A-Za-z_-]{35}\b/g,
+        severity: "critical",
+        description: "Google API Key",
+    },
+    {
+        name: "Google OAuth Client ID",
+        pattern: /\b[0-9]+-[a-z0-9_]{32}\.apps\.googleusercontent\.com\b/g,
+        severity: "high",
+        description: "Google OAuth Client ID",
+    },
+    {
+        name: "Google OAuth Client Secret",
+        pattern: /\bGOCspx-[A-Za-z0-9_-]{28}\b/g,
+        severity: "critical",
+        description: "Google OAuth Client Secret",
+    },
+    // GitHub
+    {
+        name: "GitHub Personal Access Token",
+        pattern: /\b(ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36,}\b/g,
+        severity: "critical",
+        description: "GitHub Personal Access Token",
+    },
+    {
+        name: "GitHub OAuth Token",
+        pattern: /\bgho_[A-Za-z0-9]{36}\b/g,
+        severity: "critical",
+        description: "GitHub OAuth Access Token",
+    },
+    // Slack
+    {
+        name: "Slack Bot Token",
+        pattern: /\bxoxb-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24}\b/g,
+        severity: "critical",
+        description: "Slack Bot Token",
+    },
+    {
+        name: "Slack User Token",
+        pattern: /\bxoxp-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24}\b/g,
+        severity: "critical",
+        description: "Slack User Token",
+    },
+    {
+        name: "Slack Webhook URL",
+        pattern: /\bhttps:\/\/hooks\.slack\.com\/services\/T[A-Z0-9]{8,}\/B[A-Z0-9]{8,}\/[a-zA-Z0-9]{24}\b/g,
+        severity: "high",
+        description: "Slack Webhook URL",
+    },
+    // Stripe
+    {
+        name: "Stripe API Key",
+        pattern: /\b(sk|pk)_(test|live)_[0-9a-zA-Z]{24,}\b/g,
+        severity: "critical",
+        description: "Stripe API Key",
+    },
+    // OpenAI
+    {
+        name: "OpenAI API Key",
+        pattern: /\bsk-[A-Za-z0-9]{48}\b/g,
+        severity: "critical",
+        description: "OpenAI API Key",
+    },
+    // Anthropic
+    {
+        name: "Anthropic API Key",
+        pattern: /\bsk-ant-[A-Za-z0-9_-]{40,}\b/g,
+        severity: "critical",
+        description: "Anthropic API Key",
+    },
+    // === HIGH: Authentication credentials ===
+    // Private Keys
+    {
+        name: "RSA Private Key",
+        pattern: /-----BEGIN RSA PRIVATE KEY-----[\s\S]*?-----END RSA PRIVATE KEY-----/g,
+        severity: "critical",
+        description: "RSA Private Key",
+    },
+    {
+        name: "EC Private Key",
+        pattern: /-----BEGIN EC PRIVATE KEY-----[\s\S]*?-----END EC PRIVATE KEY-----/g,
+        severity: "critical",
+        description: "EC Private Key",
+    },
+    {
+        name: "Generic Private Key",
+        pattern: /-----BEGIN PRIVATE KEY-----[\s\S]*?-----END PRIVATE KEY-----/g,
+        severity: "critical",
+        description: "Private Key",
+    },
+    {
+        name: "PGP Private Key",
+        pattern: /-----BEGIN PGP PRIVATE KEY BLOCK-----[\s\S]*?-----END PGP PRIVATE KEY BLOCK-----/g,
+        severity: "critical",
+        description: "PGP Private Key Block",
+    },
+    // JWT
+    {
+        name: "JSON Web Token",
+        pattern: /\beyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+\b/g,
+        severity: "high",
+        description: "JSON Web Token (JWT)",
+    },
+    // Database Connection Strings
+    {
+        name: "PostgreSQL Connection String",
+        pattern: /\bpostgres(?:ql)?:\/\/[^:]+:[^@]+@[^/]+\/[^\s]+/gi,
+        severity: "critical",
+        description: "PostgreSQL Connection String with credentials",
+    },
+    {
+        name: "MongoDB Connection String",
+        pattern: /\bmongodb(?:\+srv)?:\/\/[^:]+:[^@]+@[^/]+/gi,
+        severity: "critical",
+        description: "MongoDB Connection String with credentials",
+    },
+    {
+        name: "MySQL Connection String",
+        pattern: /\bmysql:\/\/[^:]+:[^@]+@[^/]+/gi,
+        severity: "critical",
+        description: "MySQL Connection String with credentials",
+    },
+    // === MEDIUM: Potentially sensitive ===
+    // Generic password patterns
+    {
+        name: "Password in URL",
+        pattern: /\b[a-zA-Z]+:\/\/[^:]+:([^@]+)@/g,
+        severity: "high",
+        description: "Password in URL",
+        redactFn: (match) => match.replace(/:([^@]+)@/, ":****@"),
+    },
+    {
+        name: "Password Assignment",
+        pattern: /(?:password|passwd|pwd|secret|token|api_key|apikey|api-key)\s*[:=]\s*["']?([^\s"']{8,})["']?/gi,
+        severity: "medium",
+        description: "Password or secret assignment",
+    },
+    // Generic API key patterns
+    {
+        name: "Generic API Key",
+        pattern: /\b[a-zA-Z0-9_-]*api[_-]?key[a-zA-Z0-9_-]*\s*[:=]\s*["']?([^\s"']{16,})["']?/gi,
+        severity: "medium",
+        description: "Generic API key pattern",
+    },
+    // Bearer tokens
+    {
+        name: "Bearer Token",
+        pattern: /\bBearer\s+[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/gi,
+        severity: "high",
+        description: "Bearer Authorization Token",
+    },
+    // Basic Auth
+    {
+        name: "Basic Auth Header",
+        pattern: /\bBasic\s+[A-Za-z0-9+/=]{20,}\b/gi,
+        severity: "high",
+        description: "Basic Authentication Header",
+    },
+    // === LOW: May need review ===
+    // High entropy strings (potential secrets)
+    {
+        name: "High Entropy String",
+        pattern: /\b[A-Za-z0-9+/]{32,}={0,2}\b/g,
+        severity: "low",
+        description: "High entropy string (possible encoded secret)",
+    },
+    // SSH keys
+    {
+        name: "SSH Private Key",
+        pattern: /-----BEGIN OPENSSH PRIVATE KEY-----[\s\S]*?-----END OPENSSH PRIVATE KEY-----/g,
+        severity: "critical",
+        description: "OpenSSH Private Key",
+    },
+    // Email with password context
+    {
+        name: "Email with Password",
+        pattern: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b.*(?:password|pwd|passwd)/gi,
+        severity: "medium",
+        description: "Email address in password context",
+    },
+];
+/**
+ * Get secrets scanner configuration
+ */
+function getSecretsConfig() {
+    const minSeverity = (process.env.NLMCP_SECRETS_MIN_SEVERITY || "low");
+    return {
+        enabled: process.env.NLMCP_SECRETS_SCANNING !== "false",
+        blockOnDetection: process.env.NLMCP_SECRETS_BLOCK === "true",
+        autoRedact: process.env.NLMCP_SECRETS_REDACT !== "false",
+        minSeverity,
+        customPatterns: [],
+        ignoredPatterns: (process.env.NLMCP_SECRETS_IGNORE || "").split(",").filter(Boolean),
+    };
+}
+/**
+ * Severity level ordering
+ */
+const SEVERITY_ORDER = {
+    critical: 4,
+    high: 3,
+    medium: 2,
+    low: 1,
+};
+/**
+ * Secrets Scanner Class
+ */
+export class SecretsScanner {
+    config;
+    patterns;
+    stats = {
+        scanned: 0,
+        secretsFound: 0,
+        blocked: 0,
+        redacted: 0,
+    };
+    constructor(config) {
+        this.config = { ...getSecretsConfig(), ...config };
+        this.patterns = [...SECRET_PATTERNS, ...this.config.customPatterns].filter((p) => !this.config.ignoredPatterns.includes(p.name));
+    }
+    /**
+     * Scan text for secrets
+     */
+    scan(text) {
+        if (!this.config.enabled || !text) {
+            return [];
+        }
+        this.stats.scanned++;
+        const matches = [];
+        const minSeverityLevel = SEVERITY_ORDER[this.config.minSeverity];
+        for (const pattern of this.patterns) {
+            // Skip if below minimum severity
+            if (SEVERITY_ORDER[pattern.severity] < minSeverityLevel) {
+                continue;
+            }
+            // Reset regex state
+            pattern.pattern.lastIndex = 0;
+            let match;
+            while ((match = pattern.pattern.exec(text)) !== null) {
+                const matchedText = match[0];
+                // Calculate line and column
+                const beforeMatch = text.substring(0, match.index);
+                const lines = beforeMatch.split("\n");
+                const line = lines.length;
+                const column = lines[lines.length - 1].length + 1;
+                // Generate redacted version
+                const redacted = pattern.redactFn
+                    ? pattern.redactFn(matchedText)
+                    : this.defaultRedact(matchedText, pattern.name);
+                matches.push({
+                    type: pattern.name,
+                    pattern: pattern.description,
+                    match: matchedText,
+                    redacted,
+                    line,
+                    column,
+                    severity: pattern.severity,
+                });
+                this.stats.secretsFound++;
+            }
+        }
+        return matches;
+    }
+    /**
+     * Scan and optionally redact secrets
+     */
+    async scanAndRedact(text) {
+        const secrets = this.scan(text);
+        if (secrets.length === 0) {
+            return { clean: text, secrets: [], blocked: false };
+        }
+        // Log the detection
+        const criticalCount = secrets.filter((s) => s.severity === "critical").length;
+        const highCount = secrets.filter((s) => s.severity === "high").length;
+        if (criticalCount > 0 || highCount > 0) {
+            log.warning(`🔐 Secrets detected: ${criticalCount} critical, ${highCount} high`);
+            for (const secret of secrets.filter((s) => s.severity === "critical" || s.severity === "high")) {
+                log.warning(`   - ${secret.type} at line ${secret.line}`);
+            }
+        }
+        // Audit log
+        await audit.security("secrets_detected", criticalCount > 0 ? "critical" : "warning", {
+            count: secrets.length,
+            types: [...new Set(secrets.map((s) => s.type))],
+            severities: {
+                critical: criticalCount,
+                high: highCount,
+                medium: secrets.filter((s) => s.severity === "medium").length,
+                low: secrets.filter((s) => s.severity === "low").length,
+            },
+        });
+        // Check if we should block
+        if (this.config.blockOnDetection && (criticalCount > 0 || highCount > 0)) {
+            this.stats.blocked++;
+            return {
+                clean: "[BLOCKED: Sensitive data detected]",
+                secrets,
+                blocked: true,
+            };
+        }
+        // Redact if enabled
+        let clean = text;
+        if (this.config.autoRedact) {
+            // Sort by position descending to avoid offset issues
+            const sortedSecrets = [...secrets].sort((a, b) => {
+                const posA = text.indexOf(a.match);
+                const posB = text.indexOf(b.match);
+                return posB - posA;
+            });
+            for (const secret of sortedSecrets) {
+                clean = clean.replace(secret.match, secret.redacted);
+                this.stats.redacted++;
+            }
+        }
+        return { clean, secrets, blocked: false };
+    }
+    /**
+     * Default redaction function
+     */
+    defaultRedact(value, type) {
+        if (value.length <= 8) {
+            return `[REDACTED:${type}]`;
+        }
+        // Show first 4 and last 4 characters
+        const prefix = value.substring(0, 4);
+        const suffix = value.substring(value.length - 4);
+        const middleLength = value.length - 8;
+        return `${prefix}${"*".repeat(Math.min(middleLength, 8))}${suffix}`;
+    }
+    /**
+     * Add a custom pattern
+     */
+    addPattern(pattern) {
+        this.patterns.push(pattern);
+        this.config.customPatterns.push(pattern);
+    }
+    /**
+     * Ignore a pattern by name
+     */
+    ignorePattern(name) {
+        this.config.ignoredPatterns.push(name);
+        this.patterns = this.patterns.filter((p) => p.name !== name);
+    }
+    /**
+     * Get scanning statistics
+     */
+    getStats() {
+        return {
+            ...this.stats,
+            patterns: this.patterns.length,
+        };
+    }
+    /**
+     * Reset statistics
+     */
+    resetStats() {
+        this.stats = {
+            scanned: 0,
+            secretsFound: 0,
+            blocked: 0,
+            redacted: 0,
+        };
+    }
+    /**
+     * Update configuration
+     */
+    updateConfig(config) {
+        this.config = { ...this.config, ...config };
+    }
+    /**
+     * Check if scanning is enabled
+     */
+    isEnabled() {
+        return this.config.enabled;
+    }
+}
+/**
+ * Global secrets scanner instance
+ */
+let globalScanner = null;
+/**
+ * Get or create the global secrets scanner
+ */
+export function getSecretsScanner() {
+    if (!globalScanner) {
+        globalScanner = new SecretsScanner();
+    }
+    return globalScanner;
+}
+/**
+ * Convenience function to scan text for secrets
+ */
+export function scanForSecrets(text) {
+    return getSecretsScanner().scan(text);
+}
+/**
+ * Convenience function to scan and redact secrets
+ */
+export async function scanAndRedactSecrets(text) {
+    return getSecretsScanner().scanAndRedact(text);
+}
+//# sourceMappingURL=secrets-scanner.js.map

package/dist/utils/secrets-scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets-scanner.js","sourceRoot":"","sources":["../../src/utils/secrets-scanner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,GAAG,EAAE,MAAM,aAAa,CAAC;AAClC,OAAO,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AA0B1C;;;GAGG;AACH,MAAM,eAAe,GAAoB;IACvC,uCAAuC;IAEvC,MAAM;IACN;QACE,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,wEAAwE;QACjF,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,mBAAmB;KACjC;IACD;QACE,IAAI,EAAE,uBAAuB;QAC7B,OAAO,EAAE,kDAAkD;QAC3D,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,iCAAiC;KAC/C;IAED,SAAS;IACT;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,4BAA4B;QACrC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,gBAAgB;KAC9B;IACD;QACE,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,yDAAyD;QAClE,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,wBAAwB;KACtC;IACD;QACE,IAAI,EAAE,4BAA4B;QAClC,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,4BAA4B;KAC1C;IAED,SAAS;IACT;QACE,IAAI,EAAE,8BAA8B;QACpC,OAAO,EAAE,6CAA6C;QACtD,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,8BAA8B;KAC5C;IACD;QACE,IAAI,EAAE,oBAAoB;QAC1B,OAAO,EAAE,0BAA0B;QACnC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,2BAA2B;KACzC;IAED,QAAQ;IACR;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,qDAAqD;QAC9D,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,iBAAiB;KAC/B;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,qDAAqD;QAC9D,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,kBAAkB;KAChC;IACD;QACE,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,2FAA2F;QACpG,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,mBAAmB;KACjC;IAED,SAAS;IACT;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,2CAA2C;QACpD,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,gBAAgB;KAC9B;IAED,SAAS;IACT;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,yBAAyB;QAClC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,gBAAgB;KAC9B;IAED,YAAY;IACZ;QACE,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,gCAAgC;QACzC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,mBAAmB;KACjC;IAED,2CAA2C;IAE3C,eAAe;IACf;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,uEAAuE;QAChF,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,iBAAiB;KAC/B;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,qEAAqE;QAC9E,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,gBAAgB;KAC9B;IACD;QACE,IAAI,EAAE,qBAAqB;QAC3B,OAAO,EAAE,+DAA+D;QACxE,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,aAAa;KAC3B;IACD;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,mFAAmF;QAC5F,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,uBAAuB;KACrC;IAED,MAAM;IACN;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,2DAA2D;QACpE,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,sBAAsB;KACpC;IAED,8BAA8B;IAC9B;QACE,IAAI,EAAE,8BAA8B;QACpC,OAAO,EAAE,mDAAmD;QAC5D,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,+CAA+C;KAC7D;IACD;QACE,IAAI,EAAE,2BAA2B;QACjC,OAAO,EAAE,6CAA6C;QACtD,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,4CAA4C;KAC1D;IACD;QACE,IAAI,EAAE,yBAAyB;QAC/B,OAAO,EAAE,iCAAiC;QAC1C,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,0CAA0C;KACxD;IAED,wCAAwC;IAExC,4BAA4B;IAC5B;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,iCAAiC;QAC1C,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,iBAAiB;QAC9B,QAAQ,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC,WAAW,EAAE,QAAQ,CAAC;KAC1D;IACD;QACE,IAAI,EAAE,qBAAqB;QAC3B,OAAO,EAAE,gGAAgG;QACzG,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,+BAA+B;KAC7C;IAED,2BAA2B;IAC3B;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,+EAA+E;QACxF,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,yBAAyB;KACvC;IAED,gBAAgB;IAChB;QACE,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,+DAA+D;QACxE,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,4BAA4B;KAC1C;IAED,aAAa;IACb;QACE,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,mCAAmC;QAC5C,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,6BAA6B;KAC3C;IAED,+BAA+B;IAE/B,2CAA2C;IAC3C;QACE,IAAI,EAAE,qBAAqB;QAC3B,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,+CAA+C;KAC7D;IAED,WAAW;IACX;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,+EAA+E;QACxF,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,qBAAqB;KACnC;IAED,8BAA8B;IAC9B;QACE,IAAI,EAAE,qBAAqB;QAC3B,OAAO,EAAE,gFAAgF;QACzF,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,mCAAmC;KACjD;CACF,CAAC;AAoBF;;GAEG;AACH,SAAS,gBAAgB;IACvB,MAAM,WAAW,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,0BAA0B,IAAI,KAAK,CAAiC,CAAC;IACtG,OAAO;QACL,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,sBAAsB,KAAK,OAAO;QACvD,gBAAgB,EAAE,OAAO,CAAC,GAAG,CAAC,mBAAmB,KAAK,MAAM;QAC5D,UAAU,EAAE,OAAO,CAAC,GAAG,CAAC,oBAAoB,KAAK,OAAO;QACxD,WAAW;QACX,cAAc,EAAE,EAAE;QAClB,eAAe,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;KACrF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,cAAc,GAA2B;IAC7C,QAAQ,EAAE,CAAC;IACX,IAAI,EAAE,CAAC;IACP,MAAM,EAAE,CAAC;IACT,GAAG,EAAE,CAAC;CACP,CAAC;AAEF;;GAEG;AACH,MAAM,OAAO,cAAc;IACjB,MAAM,CAAgB;IACtB,QAAQ,CAAkB;IAC1B,KAAK,GAAG;QACd,OAAO,EAAE,CAAC;QACV,YAAY,EAAE,CAAC;QACf,OAAO,EAAE,CAAC;QACV,QAAQ,EAAE,CAAC;KACZ,CAAC;IAEF,YAAY,MAA+B;QACzC,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,gBAAgB,EAAE,EAAE,GAAG,MAAM,EAAE,CAAC;QACnD,IAAI,CAAC,QAAQ,GAAG,CAAC,GAAG,eAAe,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,MAAM,CACxE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CACrD,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,IAAI,CAAC,IAAY;QACf,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,CAAC,IAAI,EAAE,CAAC;YAClC,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;QACrB,MAAM,OAAO,GAAkB,EAAE,CAAC;QAClC,MAAM,gBAAgB,GAAG,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAEjE,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACpC,iCAAiC;YACjC,IAAI,cAAc,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,gBAAgB,EAAE,CAAC;gBACxD,SAAS;YACX,CAAC;YAED,oBAAoB;YACpB,OAAO,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YAE9B,IAAI,KAA6B,CAAC;YAClC,OAAO,CAAC,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBACrD,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBAE7B,4BAA4B;gBAC5B,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;gBACnD,MAAM,KAAK,GAAG,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,MAAM,CAAC;gBAC1B,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;gBAElD,4BAA4B;gBAC5B,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ;oBAC/B,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;oBAC/B,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,WAAW,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;gBAElD,OAAO,CAAC,IAAI,CAAC;oBACX,IAAI,EAAE,OAAO,CAAC,IAAI;oBAClB,OAAO,EAAE,OAAO,CAAC,WAAW;oBAC5B,KAAK,EAAE,WAAW;oBAClB,QAAQ;oBACR,IAAI;oBACJ,MAAM;oBACN,QAAQ,EAAE,OAAO,CAAC,QAAQ;iBAC3B,CAAC,CAAC;gBAEH,IAAI,CAAC,KAAK,CAAC,YAAY,EAAE,CAAC;YAC5B,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CAAC,IAAY;QAK9B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAEhC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;QACtD,CAAC;QAED,oBAAoB;QACpB,MAAM,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM,CAAC;QAC9E,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;QAEtE,IAAI,aAAa,GAAG,CAAC,IAAI,SAAS,GAAG,CAAC,EAAE,CAAC;YACvC,GAAG,CAAC,OAAO,CAAC,wBAAwB,aAAa,cAAc,SAAS,OAAO,CAAC,CAAC;YACjF,KAAK,MAAM,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,IAAI,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,EAAE,CAAC;gBAC/F,GAAG,CAAC,OAAO,CAAC,QAAQ,MAAM,CAAC,IAAI,YAAY,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;YAC5D,CAAC;QACH,CAAC;QAED,YAAY;QACZ,MAAM,KAAK,CAAC,QAAQ,CAAC,kBAAkB,EAAE,aAAa,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,EAAE;YACnF,KAAK,EAAE,OAAO,CAAC,MAAM;YACrB,KAAK,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;YAC/C,UAAU,EAAE;gBACV,QAAQ,EAAE,aAAa;gBACvB,IAAI,EAAE,SAAS;gBACf,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,MAAM;gBAC7D,GAAG,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC,MAAM;aACxD;SACF,CAAC,CAAC;QAEH,2BAA2B;QAC3B,IAAI,IAAI,CAAC,MAAM,CAAC,gBAAgB,IAAI,CAAC,aAAa,GAAG,CAAC,IAAI,SAAS,GAAG,CAAC,CAAC,EAAE,CAAC;YACzE,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;YACrB,OAAO;gBACL,KAAK,EAAE,oCAAoC;gBAC3C,OAAO;gBACP,OAAO,EAAE,IAAI;aACd,CAAC;QACJ,CAAC;QAED,oBAAoB;QACpB,IAAI,KAAK,GAAG,IAAI,CAAC;QACjB,IAAI,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;YAC3B,qDAAqD;YACrD,MAAM,aAAa,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;gBAC/C,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;gBACnC,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;gBACnC,OAAO,IAAI,GAAG,IAAI,CAAC;YACrB,CAAC,CAAC,CAAC;YAEH,KAAK,MAAM,MAAM,IAAI,aAAa,EAAE,CAAC;gBACnC,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;gBACrD,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;YACxB,CAAC;QACH,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAC5C,CAAC;IAED;;OAEG;IACK,aAAa,CAAC,KAAa,EAAE,IAAY;QAC/C,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;YACtB,OAAO,aAAa,IAAI,GAAG,CAAC;QAC9B,CAAC;QAED,qCAAqC;QACrC,MAAM,MAAM,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QACrC,MAAM,MAAM,GAAG,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QACjD,MAAM,YAAY,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;QAEtC,OAAO,GAAG,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,GAAG,MAAM,EAAE,CAAC;IACtE,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,OAAsB;QAC/B,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC5B,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC3C,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,IAAY;QACxB,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvC,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;IAC/D,CAAC;IAED;;OAEG;IACH,QAAQ;QACN,OAAO;YACL,GAAG,IAAI,CAAC,KAAK;YACb,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,MAAM;SAC/B,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,UAAU;QACR,IAAI,CAAC,KAAK,GAAG;YACX,OAAO,EAAE,CAAC;YACV,YAAY,EAAE,CAAC;YACf,OAAO,EAAE,CAAC;YACV,QAAQ,EAAE,CAAC;SACZ,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,YAAY,CAAC,MAA8B;QACzC,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC;IAC9C,CAAC;IAED;;OAEG;IACH,SAAS;QACP,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC;IAC7B,CAAC;CACF;AAED;;GAEG;AACH,IAAI,aAAa,GAA0B,IAAI,CAAC;AAEhD;;GAEG;AACH,MAAM,UAAU,iBAAiB;IAC/B,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,aAAa,GAAG,IAAI,cAAc,EAAE,CAAC;IACvC,CAAC;IACD,OAAO,aAAa,CAAC;AACvB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,IAAY;IACzC,OAAO,iBAAiB,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACxC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,IAAY;IAKrD,OAAO,iBAAiB,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC;AACjD,CAAC"}

package/dist/utils/secure-memory.d.ts

@@ -0,0 +1,130 @@
+/**
+ * Secure Memory Utilities for NotebookLM MCP Server
+ *
+ * Provides secure handling of sensitive data in memory:
+ * - Zero-fill buffers and strings after use
+ * - Secure string class that auto-wipes
+ * - Memory-safe credential handling
+ *
+ * Why this matters:
+ * - Prevents memory dump attacks
+ * - Reduces credential exposure window
+ * - Mitigates cold boot attacks
+ *
+ * Added by Pantheon Security for hardened fork.
+ */
+/**
+ * Securely zero-fill a Buffer
+ * Uses crypto.randomFill first to prevent compiler optimization removal
+ */
+export declare function zeroBuffer(buffer: Buffer): void;
+/**
+ * Securely zero-fill a Uint8Array
+ */
+export declare function zeroUint8Array(arr: Uint8Array): void;
+/**
+ * Create a secure string that can be wiped
+ * Note: JavaScript strings are immutable, so we use a Buffer internally
+ */
+export declare class SecureString {
+    private buffer;
+    private wiped;
+    constructor(value: string);
+    /**
+     * Get the string value (creates new string each time)
+     */
+    toString(): string;
+    /**
+     * Get the underlying buffer (for crypto operations)
+     */
+    toBuffer(): Buffer;
+    /**
+     * Get length without exposing content
+     */
+    get length(): number;
+    /**
+     * Securely wipe the string from memory
+     */
+    wipe(): void;
+    /**
+     * Check if already wiped
+     */
+    isWiped(): boolean;
+}
+/**
+ * Secure credential holder with automatic wiping
+ */
+export declare class SecureCredential {
+    private value;
+    private createdAt;
+    private maxAgeMs;
+    private autoWipeTimer?;
+    constructor(credential: string, maxAgeMs?: number);
+    /**
+     * Get the credential value
+     */
+    getValue(): string;
+    /**
+     * Check if credential has expired
+     */
+    isExpired(): boolean;
+    /**
+     * Get time remaining before auto-wipe (ms)
+     */
+    getTimeRemaining(): number;
+    /**
+     * Securely wipe the credential
+     */
+    wipe(): void;
+    /**
+     * Check if already wiped
+     */
+    isWiped(): boolean;
+}
+/**
+ * Secure object that wipes all string/buffer properties on dispose
+ */
+export declare class SecureObject<T extends Record<string, unknown>> {
+    private data;
+    private disposed;
+    constructor(data: T);
+    /**
+     * Get a property value
+     */
+    get<K extends keyof T>(key: K): T[K];
+    /**
+     * Get all data (use carefully)
+     */
+    getData(): T;
+    /**
+     * Dispose and wipe all sensitive data
+     */
+    dispose(): void;
+    /**
+     * Check if disposed
+     */
+    isDisposed(): boolean;
+}
+/**
+ * Execute a function with a secure credential, auto-wiping after use
+ */
+export declare function withSecureCredential<T>(credential: string, fn: (cred: SecureCredential) => Promise<T>): Promise<T>;
+/**
+ * Execute a function with a secure buffer, auto-wiping after use
+ */
+export declare function withSecureBuffer<T>(data: Buffer, fn: (buffer: Buffer) => Promise<T>): Promise<T>;
+export declare function createSecureBuffer(size: number): Buffer;
+export declare function createSecureBuffer(data: string, encoding?: BufferEncoding): Buffer;
+/**
+ * Secure comparison to prevent timing attacks
+ */
+export declare function secureCompare(a: string | Buffer, b: string | Buffer): boolean;
+/**
+ * Generate a secure random string
+ */
+export declare function secureRandomString(length: number, encoding?: BufferEncoding): string;
+/**
+ * Mask sensitive data for logging (doesn't expose real length)
+ */
+export declare function maskSensitive(value: string, showChars?: number): string;
+//# sourceMappingURL=secure-memory.d.ts.map

package/dist/utils/secure-memory.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secure-memory.d.ts","sourceRoot":"","sources":["../../src/utils/secure-memory.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAIH;;;GAGG;AACH,wBAAgB,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAO/C;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,UAAU,GAAG,IAAI,CAMpD;AAED;;;GAGG;AACH,qBAAa,YAAY;IACvB,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,KAAK,CAAkB;gBAEnB,KAAK,EAAE,MAAM;IAIzB;;OAEG;IACH,QAAQ,IAAI,MAAM;IAOlB;;OAEG;IACH,QAAQ,IAAI,MAAM;IAOlB;;OAEG;IACH,IAAI,MAAM,IAAI,MAAM,CAEnB;IAED;;OAEG;IACH,IAAI,IAAI,IAAI;IAOZ;;OAEG;IACH,OAAO,IAAI,OAAO;CAGnB;AAED;;GAEG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,KAAK,CAAe;IAC5B,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,aAAa,CAAC,CAAiB;gBAE3B,UAAU,EAAE,MAAM,EAAE,QAAQ,GAAE,MAAe;IAWzD;;OAEG;IACH,QAAQ,IAAI,MAAM;IAQlB;;OAEG;IACH,SAAS,IAAI,OAAO;IAIpB;;OAEG;IACH,gBAAgB,IAAI,MAAM;IAK1B;;OAEG;IACH,IAAI,IAAI,IAAI;IAQZ;;OAEG;IACH,OAAO,IAAI,OAAO;CAGnB;AAED;;GAEG;AACH,qBAAa,YAAY,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IACzD,OAAO,CAAC,IAAI,CAAI;IAChB,OAAO,CAAC,QAAQ,CAAkB;gBAEtB,IAAI,EAAE,CAAC;IAInB;;OAEG;IACH,GAAG,CAAC,CAAC,SAAS,MAAM,CAAC,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAOpC;;OAEG;IACH,OAAO,IAAI,CAAC;IAOZ;;OAEG;IACH,OAAO,IAAI,IAAI;IAuBf;;OAEG;IACH,UAAU,IAAI,OAAO;CAGtB;AAED;;GAEG;AACH,wBAAsB,oBAAoB,CAAC,CAAC,EAC1C,UAAU,EAAE,MAAM,EAClB,EAAE,EAAE,CAAC,IAAI,EAAE,gBAAgB,KAAK,OAAO,CAAC,CAAC,CAAC,GACzC,OAAO,CAAC,CAAC,CAAC,CAOZ;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CAAC,CAAC,EACtC,IAAI,EAAE,MAAM,EACZ,EAAE,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,OAAO,CAAC,CAAC,CAAC,GACjC,OAAO,CAAC,CAAC,CAAC,CAMZ;AAUD,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAAC;AACzD,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,cAAc,GAAG,MAAM,CAAC;AAiBpF;;GAEG;AACH,wBAAgB,aAAa,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAW7E;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,GAAE,cAA4B,GAAG,MAAM,CAGjG;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,GAAE,MAAU,GAAG,MAAM,CAK1E"}