@rigour-labs/core 5.2.8 → 5.2.9

package/dist/hooks/input-validator.js

@@ -243,6 +243,80 @@ function shannonEntropy(str) {
         return sum - p * Math.log2(p);
     }, 0);
 }
+/**
+ * Smart context filter — decides if a detection is a real credential or a false positive.
+ *
+ * The challenge: build logs can contain BOTH false positives (variable names mentioned
+ * in npm warnings) AND real leaks (a password accidentally echoed in CI output).
+ *
+ * Strategy:
+ * 1. If the match has an actual SECRET VALUE (high entropy, long random string) → KEEP IT
+ * 2. If the match is just a variable NAME reference with no real value → SKIP IT
+ * 3. If the match is in a documentation/comment context → SKIP IT
+ */
+function isLikelyFalsePositive(detection, input) {
+    const { match, type, position } = detection;
+    // Provider-specific prefixed keys are ALWAYS real (AKIA*, sk-*, ghp_*, etc.)
+    const prefixedTypes = [
+        'aws_access_key', 'openai_key', 'anthropic_key', 'github_token',
+        'stripe_key', 'slack_token', 'sendgrid_key', 'private_key',
+        'private_key_full', 'jwt_token', 'bearer_token', 'database_url',
+        'credentials_in_url', 'gcp_service_account',
+    ];
+    if (prefixedTypes.includes(type))
+        return false;
+    // Get the line containing the match
+    const lineStart = input.lastIndexOf('\n', (position?.start ?? 0)) + 1;
+    const lineEnd = input.indexOf('\n', (position?.end ?? match.length));
+    const line = input.slice(lineStart, lineEnd === -1 ? undefined : lineEnd).trim();
+    // npm notice/warn lines mentioning variable names (not values)
+    if (/^npm\s+(?:notice|warn|WARN|ERR!)/i.test(line))
+        return true;
+    // Docker build step output referencing env var names
+    if (/^#\d+\s+[\d.]+\s/.test(line)) {
+        // But if there's an actual assignment with a value, keep it
+        if (/[:=]\s*['"]?[A-Za-z0-9+/=_-]{20,}/.test(match))
+            return false;
+        return true;
+    }
+    // "digest:", "hash:", "checksum:" followed by hex — not credentials
+    if (/(?:digest|hash|checksum|sha256|sha1|md5)\s*[:=]/i.test(line))
+        return true;
+    // Error messages referencing env var names without values
+    if (/(?:missing|undefined|not set|not found|required)\s+.*(?:NPM_TOKEN|DOCKER_PASSWORD|PYPI_TOKEN)/i.test(line))
+        return true;
+    // For generic patterns (password_assignment, env_variable, ci_secret, base64/hex_secret):
+    // Check if the captured VALUE has enough entropy to be a real secret
+    const genericTypes = ['password_assignment', 'env_variable', 'ci_secret', 'base64_secret', 'hex_secret', 'high_entropy_secret'];
+    if (genericTypes.includes(type)) {
+        // Extract the value portion (after = or : )
+        const valueMatch = match.match(/[:=]\s*['"]?(.+?)['"]?\s*$/);
+        if (valueMatch) {
+            const value = valueMatch[1];
+            const entropy = shannonEntropyForFilter(value);
+            // Low entropy + short = likely a placeholder, example, or variable name
+            if (entropy < 3.0 && value.length < 16)
+                return true;
+            // Pure numeric strings in log context (build numbers, timestamps)
+            if (/^\d+$/.test(value))
+                return true;
+        }
+    }
+    return false;
+}
+/** Shannon entropy helper for the context filter */
+function shannonEntropyForFilter(str) {
+    if (str.length === 0)
+        return 0;
+    const freq = {};
+    for (const c of str)
+        freq[c] = (freq[c] || 0) + 1;
+    const len = str.length;
+    return Object.values(freq).reduce((sum, f) => {
+        const p = f / len;
+        return sum - p * Math.log2(p);
+    }, 0);
+}
 // ── Core Scanner ──────────────────────────────────────────────────
 /**
  * Redact a matched credential for safe display.
@@ -361,8 +435,10 @@ export function scanInputForCredentials(input, config = {}) {
             }
         }
     }
+    // ── Context filter: remove false positives from log/doc/CI output ──
+    const filtered = detections.filter(d => !isLikelyFalsePositive(d, input));
     // Deduplicate overlapping detections (keep highest severity)
-    const deduped = deduplicateDetections(detections);
+    const deduped = deduplicateDetections(filtered);
     // Sort by severity (critical first)
     const severityOrder = { critical: 0, high: 1, medium: 2 };
     deduped.sort((a, b) => severityOrder[a.severity] - severityOrder[b.severity]);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rigour-labs/core",
-  "version": "5.2.8",
+  "version": "5.2.9",
   "description": "AI-native quality gate engine with local Bayesian learning. AST analysis, drift detection, Fix Packet generation, and agent self-healing across TypeScript, JavaScript, Python, Go, Ruby, and C#.",
   "license": "MIT",
   "homepage": "https://rigour.run",
@@ -66,11 +66,11 @@
     "@xenova/transformers": "^2.17.2",
     "sqlite3": "^5.1.7",
     "openai": "^4.104.0",
-    "@rigour-labs/brain-darwin-arm64": "5.2.8",
-    "@rigour-labs/brain-darwin-x64": "5.2.8",
-    "@rigour-labs/brain-linux-x64": "5.2.8",
-    "@rigour-labs/brain-linux-arm64": "5.2.8",
-    "@rigour-labs/brain-win-x64": "5.2.8"
+    "@rigour-labs/brain-darwin-arm64": "5.2.9",
+    "@rigour-labs/brain-linux-arm64": "5.2.9",
+    "@rigour-labs/brain-linux-x64": "5.2.9",
+    "@rigour-labs/brain-darwin-x64": "5.2.9",
+    "@rigour-labs/brain-win-x64": "5.2.9"
   },
   "devDependencies": {
     "@types/fs-extra": "^11.0.4",