@runa-ai/runa-cli 0.5.46 → 0.5.48

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/dist/commands/ci/machine/machine.d.ts +1 -1
  2. package/dist/index.js +42 -11
  3. package/dist/internal/vuln-checker/analyzers/secret-analyzer.d.ts.map +1 -1
  4. package/package.json +1 -1
package/dist/commands/ci/machine/machine.d.ts CHANGED
@@ -240,7 +240,7 @@ export declare const ciMachine: import("xstate").StateMachine<CiContext, CiEvent
240
240
  summaryPath?: string | undefined;
241
241
  error?: string | undefined;
242
242
  }, import("xstate").EventObject, import("xstate").MetaObject, {
243
- id: "ciMachine";
243
+ id: "ci";
244
244
  states: {
245
245
  readonly idle: {};
246
246
  readonly setup: {
package/dist/index.js CHANGED
@@ -929,7 +929,7 @@ var CLI_VERSION, HAS_ADMIN_COMMAND;
929
929
  var init_version = __esm({
930
930
  "src/version.ts"() {
931
931
  init_esm_shims();
932
- CLI_VERSION = "0.5.46";
932
+ CLI_VERSION = "0.5.48";
933
933
  HAS_ADMIN_COMMAND = false;
934
934
  }
935
935
  });
@@ -1905,6 +1905,14 @@ function calculateConfidence(pattern) {
1905
1905
  "github-token",
1906
1906
  // ghp_/gho_/etc prefix is unique
1907
1907
  "github-oauth",
1908
+ "openai-api-key",
1909
+ // sk- prefix with length constraint
1910
+ "openai-project-key",
1911
+ // sk-proj- prefix is unique
1912
+ "anthropic-api-key",
1913
+ // sk-ant-api prefix is unique
1914
+ "google-api-key",
1915
+ // AIza prefix is unique to Google (Gemini, Vertex AI, etc.)
1908
1916
  "stripe-secret",
1909
1917
  // sk_live_ prefix is unique
1910
1918
  "stripe-test",
@@ -1926,8 +1934,6 @@ function calculateConfidence(pattern) {
1926
1934
  return 0.95;
1927
1935
  }
1928
1936
  const mediumConfidencePatterns = [
1929
- "google-api-key",
1930
- // AIza prefix is fairly unique
1931
1937
  "google-oauth",
1932
1938
  "database-url",
1933
1939
  // Has structure but could be example
@@ -2150,13 +2156,13 @@ var init_secret_analyzer = __esm({
2150
2156
  description: "GitHub OAuth Token detected",
2151
2157
  cweId: CWE.HARDCODED_CREDENTIALS
2152
2158
  },
2153
- // Google
2159
+ // Google / Gemini
2154
2160
  {
2155
2161
  id: "google-api-key",
2156
- name: "Google API Key",
2162
+ name: "Google / Gemini API Key",
2157
2163
  pattern: /AIza[0-9A-Za-z\-_]{35}/g,
2158
- severity: "high",
2159
- description: "Google API Key detected",
2164
+ severity: "critical",
2165
+ description: "Google API Key detected (used by Gemini, Vertex AI, Maps, etc.)",
2160
2166
  cweId: CWE.HARDCODED_CREDENTIALS
2161
2167
  },
2162
2168
  {
@@ -2190,7 +2196,12 @@ var init_secret_analyzer = __esm({
2190
2196
  {
2191
2197
  id: "supabase-service-role",
2192
2198
  name: "Supabase Service Role Key",
2193
- pattern: /eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6Ilth-z0-9XXsyMH0iLCJyb2xlIjoic2VydmljZV9yb2xlIi/g,
2199
+ // Supabase JWT: header.payload.signature
2200
+ // Header: {"alg":"HS256","typ":"JWT"} (fixed)
2201
+ // Payload prefix: {"iss":"supabase","ref": (24 bytes, 3-byte aligned = stable base64url)
2202
+ // Service role marker: role":"service_role" = cm9sZSI6InNlcnZpY2Vfcm9sZSI (stable)
2203
+ // Variable content between prefix and marker covers the encoded project ref
2204
+ pattern: /eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6[A-Za-z0-9_-]+cm9sZSI6InNlcnZpY2Vfcm9sZSI[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+/g,
2194
2205
  severity: "critical",
2195
2206
  description: "Supabase Service Role Key detected",
2196
2207
  cweId: CWE.HARDCODED_CREDENTIALS
@@ -2354,6 +2365,26 @@ var init_secret_analyzer = __esm({
2354
2365
  // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
2355
2366
  // AI Service API Keys (2024-2026 patterns)
2356
2367
  // ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
2368
+ {
2369
+ id: "openai-api-key",
2370
+ name: "OpenAI API Key",
2371
+ // Format: sk-{48+ alphanumeric chars} (real keys are typically 51 chars)
2372
+ // SECURITY: Bounded quantifier to prevent ReDoS
2373
+ pattern: /sk-[a-zA-Z0-9]{48,200}/g,
2374
+ severity: "critical",
2375
+ description: "OpenAI API key detected",
2376
+ cweId: CWE.HARDCODED_CREDENTIALS
2377
+ },
2378
+ {
2379
+ id: "openai-project-key",
2380
+ name: "OpenAI Project Key",
2381
+ // Format: sk-proj-{48+ alphanumeric/dash/underscore chars}
2382
+ // SECURITY: Bounded quantifier to prevent ReDoS
2383
+ pattern: /sk-proj-[a-zA-Z0-9_-]{48,200}/g,
2384
+ severity: "critical",
2385
+ description: "OpenAI Project API key detected",
2386
+ cweId: CWE.HARDCODED_CREDENTIALS
2387
+ },
2357
2388
  {
2358
2389
  id: "anthropic-api-key",
2359
2390
  name: "Anthropic API Key",
@@ -14905,7 +14936,7 @@ var ciMachine = setup({
14905
14936
  allTestsPassed: ({ context }) => allTestsPassed(context)
14906
14937
  }
14907
14938
  }).createMachine({
14908
- id: "ciMachine",
14939
+ id: "ci",
14909
14940
  initial: "idle",
14910
14941
  context: ({ input: input3 }) => createInitialContext(input3),
14911
14942
  states: {
@@ -14969,7 +15000,7 @@ var ciMachine = setup({
14969
15000
  })
14970
15001
  },
14971
15002
  onError: {
14972
- target: "#ciMachine.failed",
15003
+ target: "#ci.failed",
14973
15004
  actions: assign({
14974
15005
  error: ({ event }) => extractErrorMessage2(event, "Local setup failed")
14975
15006
  })
@@ -15013,7 +15044,7 @@ var ciMachine = setup({
15013
15044
  })
15014
15045
  },
15015
15046
  onError: {
15016
- target: "#ciMachine.failed",
15047
+ target: "#ci.failed",
15017
15048
  actions: assign({
15018
15049
  error: ({ event }) => extractErrorMessage2(event, "PR local setup failed")
15019
15050
  })
package/dist/internal/vuln-checker/analyzers/secret-analyzer.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"secret-analyzer.d.ts","sourceRoot":"","sources":["../../../../src/internal/vuln-checker/analyzers/secret-analyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAKH,OAAO,KAAK,EAAE,QAAQ,EAAE,eAAe,EAAE,QAAQ,EAAE,OAAO,EAAoB,MAAM,aAAa,CAAC;AA2jClG;;GAEG;AACH,qBAAa,cAAe,YAAW,QAAQ;IAC7C,IAAI,SAAoB;IACxB,UAAU,EAAE,QAAQ,EAAE,CAAc;IAE9B,OAAO,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;YAkB7C,cAAc;IAY5B,OAAO,CAAC,UAAU;CAGnB"}
1
+ {"version":3,"file":"secret-analyzer.d.ts","sourceRoot":"","sources":["../../../../src/internal/vuln-checker/analyzers/secret-analyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAKH,OAAO,KAAK,EAAE,QAAQ,EAAE,eAAe,EAAE,QAAQ,EAAE,OAAO,EAAoB,MAAM,aAAa,CAAC;AAulClG;;GAEG;AACH,qBAAa,cAAe,YAAW,QAAQ;IAC7C,IAAI,SAAoB;IACxB,UAAU,EAAE,QAAQ,EAAE,CAAc;IAE9B,OAAO,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;YAkB7C,cAAc;IAY5B,OAAO,CAAC,UAAU;CAGnB"}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@runa-ai/runa-cli",
3
- "version": "0.5.46",
3
+ "version": "0.5.48",
4
4
  "private": false,
5
5
  "description": "AI-powered DevOps CLI",
6
6
  "type": "module",