@streamblur/mcp 0.1.0

package/README.md

@@ -0,0 +1,43 @@
+# streamblur-mcp
+
+StreamBlur MCP server that redacts API keys, tokens, credentials, and sensitive secrets from text and files.
+
+## Features
+
+- 3 MCP tools:
+  - `redact_text`: Redact secrets in a string.
+  - `redact_file`: Read a file and return redacted content without writing changes.
+  - `scan_text`: Return detected secrets with `type`, `start`, and `end` positions.
+- 50+ credential patterns including OpenAI, Anthropic, GitHub, AWS, Stripe, Twilio, Slack, SendGrid, database URLs, bearer tokens, private keys, and generic `.env` assignments.
+
+## Install
+
+```bash
+npm install
+npm run build
+```
+
+## Run
+
+```bash
+streamblur-mcp
+```
+
+or
+
+```bash
+node dist/index.js
+```
+
+## Development
+
+```bash
+npm run build
+node dist/test/redact.test.js
+```
+
+## Quick manual redaction check
+
+```bash
+node -e "const r = require('./dist/redact'); const text = require('fs').readFileSync('./test/sample-secrets.txt','utf8'); console.log('BEFORE:\n' + text); console.log('\nAFTER:\n' + r.redactText(text));"
+```

package/dist/src/index.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/src/index.js

@@ -0,0 +1,116 @@
+#!/usr/bin/env node
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const node_fs_1 = require("node:fs");
+const index_js_1 = require("@modelcontextprotocol/sdk/server/index.js");
+const stdio_js_1 = require("@modelcontextprotocol/sdk/server/stdio.js");
+const types_js_1 = require("@modelcontextprotocol/sdk/types.js");
+const redact_1 = require("./redact");
+const server = new index_js_1.Server({
+    name: "streamblur-mcp",
+    version: "0.1.0"
+}, {
+    capabilities: {
+        tools: {}
+    }
+});
+server.setRequestHandler(types_js_1.ListToolsRequestSchema, async () => {
+    return {
+        tools: [
+            {
+                name: "redact_text",
+                description: "Redacts secrets from input text and replaces them with [REDACTED:type]",
+                inputSchema: {
+                    type: "object",
+                    properties: {
+                        text: {
+                            type: "string",
+                            description: "Text to redact"
+                        }
+                    },
+                    required: ["text"],
+                    additionalProperties: false
+                }
+            },
+            {
+                name: "redact_file",
+                description: "Reads a file and returns redacted content without modifying the original file",
+                inputSchema: {
+                    type: "object",
+                    properties: {
+                        path: {
+                            type: "string",
+                            description: "Path to file"
+                        }
+                    },
+                    required: ["path"],
+                    additionalProperties: false
+                }
+            },
+            {
+                name: "scan_text",
+                description: "Scans text and returns a list of detected secrets with type and position",
+                inputSchema: {
+                    type: "object",
+                    properties: {
+                        text: {
+                            type: "string",
+                            description: "Text to scan"
+                        }
+                    },
+                    required: ["text"],
+                    additionalProperties: false
+                }
+            }
+        ]
+    };
+});
+server.setRequestHandler(types_js_1.CallToolRequestSchema, async (request) => {
+    const args = request.params.arguments ?? {};
+    switch (request.params.name) {
+        case "redact_text": {
+            const text = args.text;
+            if (typeof text !== "string") {
+                throw new types_js_1.McpError(types_js_1.ErrorCode.InvalidParams, "'text' must be a string");
+            }
+            return {
+                content: [{ type: "text", text: (0, redact_1.redactText)(text) }]
+            };
+        }
+        case "redact_file": {
+            const path = args.path;
+            if (typeof path !== "string") {
+                throw new types_js_1.McpError(types_js_1.ErrorCode.InvalidParams, "'path' must be a string");
+            }
+            const content = (0, node_fs_1.readFileSync)(path, "utf8");
+            return {
+                content: [{ type: "text", text: (0, redact_1.redactText)(content) }]
+            };
+        }
+        case "scan_text": {
+            const text = args.text;
+            if (typeof text !== "string") {
+                throw new types_js_1.McpError(types_js_1.ErrorCode.InvalidParams, "'text' must be a string");
+            }
+            const detections = (0, redact_1.scanText)(text).map((detection) => ({
+                type: detection.type,
+                start: detection.start,
+                end: detection.end
+            }));
+            return {
+                content: [{ type: "text", text: JSON.stringify(detections, null, 2) }]
+            };
+        }
+        default:
+            throw new types_js_1.McpError(types_js_1.ErrorCode.MethodNotFound, `Unknown tool: ${request.params.name}`);
+    }
+});
+async function main() {
+    const transport = new stdio_js_1.StdioServerTransport();
+    await server.connect(transport);
+}
+main().catch((error) => {
+    console.error("streamblur-mcp failed to start", error);
+    process.exit(1);
+});
+//# sourceMappingURL=index.js.map

package/dist/src/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":";;;AAEA,qCAAuC;AACvC,wEAAmE;AACnE,wEAAiF;AACjF,iEAK4C;AAC5C,qCAAgD;AAEhD,MAAM,MAAM,GAAG,IAAI,iBAAM,CACvB;IACE,IAAI,EAAE,gBAAgB;IACtB,OAAO,EAAE,OAAO;CACjB,EACD;IACE,YAAY,EAAE;QACZ,KAAK,EAAE,EAAE;KACV;CACF,CACF,CAAC;AAEF,MAAM,CAAC,iBAAiB,CAAC,iCAAsB,EAAE,KAAK,IAAI,EAAE;IAC1D,OAAO;QACL,KAAK,EAAE;YACL;gBACE,IAAI,EAAE,aAAa;gBACnB,WAAW,EAAE,wEAAwE;gBACrF,WAAW,EAAE;oBACX,IAAI,EAAE,QAAQ;oBACd,UAAU,EAAE;wBACV,IAAI,EAAE;4BACJ,IAAI,EAAE,QAAQ;4BACd,WAAW,EAAE,gBAAgB;yBAC9B;qBACF;oBACD,QAAQ,EAAE,CAAC,MAAM,CAAC;oBAClB,oBAAoB,EAAE,KAAK;iBAC5B;aACF;YACD;gBACE,IAAI,EAAE,aAAa;gBACnB,WAAW,EAAE,+EAA+E;gBAC5F,WAAW,EAAE;oBACX,IAAI,EAAE,QAAQ;oBACd,UAAU,EAAE;wBACV,IAAI,EAAE;4BACJ,IAAI,EAAE,QAAQ;4BACd,WAAW,EAAE,cAAc;yBAC5B;qBACF;oBACD,QAAQ,EAAE,CAAC,MAAM,CAAC;oBAClB,oBAAoB,EAAE,KAAK;iBAC5B;aACF;YACD;gBACE,IAAI,EAAE,WAAW;gBACjB,WAAW,EAAE,0EAA0E;gBACvF,WAAW,EAAE;oBACX,IAAI,EAAE,QAAQ;oBACd,UAAU,EAAE;wBACV,IAAI,EAAE;4BACJ,IAAI,EAAE,QAAQ;4BACd,WAAW,EAAE,cAAc;yBAC5B;qBACF;oBACD,QAAQ,EAAE,CAAC,MAAM,CAAC;oBAClB,oBAAoB,EAAE,KAAK;iBAC5B;aACF;SACF;KACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,MAAM,CAAC,iBAAiB,CAAC,gCAAqB,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE;IAChE,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,SAAS,IAAI,EAAE,CAAC;IAE5C,QAAQ,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QAC5B,KAAK,aAAa,CAAC,CAAC,CAAC;YACnB,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;YACvB,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC7B,MAAM,IAAI,mBAAQ,CAAC,oBAAS,CAAC,aAAa,EAAE,yBAAyB,CAAC,CAAC;YACzE,CAAC;YAED,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAA,mBAAU,EAAC,IAAI,CAAC,EAAE,CAAC;aACpD,CAAC;QACJ,CAAC;QAED,KAAK,aAAa,CAAC,CAAC,CAAC;YACnB,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;YACvB,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC7B,MAAM,IAAI,mBAAQ,CAAC,oBAAS,CAAC,aAAa,EAAE,yBAAyB,CAAC,CAAC;YACzE,CAAC;YAED,MAAM,OAAO,GAAG,IAAA,sBAAY,EAAC,IAAI,EAAE,MAAM,CAAC,CAAC;YAC3C,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAA,mBAAU,EAAC,OAAO,CAAC,EAAE,CAAC;aACvD,CAAC;QACJ,CAAC;QAED,KAAK,WAAW,CAAC,CAAC,CAAC;YACjB,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;YACvB,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC7B,MAAM,IAAI,mBAAQ,CAAC,oBAAS,CAAC,aAAa,EAAE,yBAAyB,CAAC,CAAC;YACzE,CAAC;YAED,MAAM,UAAU,GAAG,IAAA,iBAAQ,EAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;gBACpD,IAAI,EAAE,SAAS,CAAC,IAAI;gBACpB,KAAK,EAAE,SAAS,CAAC,KAAK;gBACtB,GAAG,EAAE,SAAS,CAAC,GAAG;aACnB,CAAC,CAAC,CAAC;YAEJ,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;aACvE,CAAC;QACJ,CAAC;QAED;YACE,MAAM,IAAI,mBAAQ,CAAC,oBAAS,CAAC,cAAc,EAAE,iBAAiB,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;IACzF,CAAC;AACH,CAAC,CAAC,CAAC;AAEH,KAAK,UAAU,IAAI;IACjB,MAAM,SAAS,GAAG,IAAI,+BAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;AAClC,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;IACrB,OAAO,CAAC,KAAK,CAAC,gCAAgC,EAAE,KAAK,CAAC,CAAC;IACvD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/src/patterns.d.ts

@@ -0,0 +1,5 @@
+export type CredentialPattern = {
+    type: string;
+    regex: RegExp;
+};
+export declare const credentialPatterns: CredentialPattern[];

package/dist/src/patterns.js

@@ -0,0 +1,73 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.credentialPatterns = void 0;
+exports.credentialPatterns = [
+    { type: "anthropic_api_key", regex: /sk-ant-api03-[A-Za-z0-9_-]{20,120}/g },
+    { type: "openai_project_key", regex: /sk-proj-[A-Za-z0-9_-]{20,120}/g },
+    { type: "openai_api_key", regex: /\bsk-[A-Za-z0-9]{20,120}\b/g },
+    { type: "github_pat", regex: /github_pat_[A-Za-z0-9_]{20,255}/g },
+    { type: "github_token_ghp", regex: /\bghp_[A-Za-z0-9]{20,255}\b/g },
+    { type: "github_token_gho", regex: /\bgho_[A-Za-z0-9]{20,255}\b/g },
+    { type: "github_token_ghs", regex: /\bghs_[A-Za-z0-9]{20,255}\b/g },
+    { type: "aws_access_key", regex: /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g },
+    { type: "aws_secret_key", regex: /\b(?:AWS_SECRET_ACCESS_KEY|aws_secret_access_key)\s*[:=]\s*['\"]?[A-Za-z0-9\/+=]{40}['\"]?/g },
+    { type: "aws_secret_key_raw", regex: /\b[A-Za-z0-9\/+=]{40}\b/g },
+    { type: "google_api_key", regex: /\bAIza[0-9A-Za-z_-]{35}\b/g },
+    { type: "stripe_secret_live", regex: /\bsk_live_[A-Za-z0-9]{16,120}\b/g },
+    { type: "stripe_publishable_live", regex: /\bpk_live_[A-Za-z0-9]{16,120}\b/g },
+    { type: "stripe_secret_test", regex: /\bsk_test_[A-Za-z0-9]{16,120}\b/g },
+    { type: "stripe_restricted_live", regex: /\brk_live_[A-Za-z0-9]{16,120}\b/g },
+    { type: "twilio_sid", regex: /\bAC[a-f0-9]{32}\b/gi },
+    { type: "twilio_api_key", regex: /\bSK[a-f0-9]{32}\b/gi },
+    { type: "twilio_auth_token", regex: /\b(?:TWILIO_AUTH_TOKEN|twilio_auth_token)\s*[:=]\s*['\"]?[A-Fa-f0-9]{32}['\"]?/g },
+    { type: "sendgrid_api_key", regex: /\bSG\.[A-Za-z0-9_-]{20,120}\b/g },
+    { type: "slack_bot_token", regex: /\bxoxb-[0-9A-Za-z-]{20,120}\b/g },
+    { type: "slack_user_token", regex: /\bxoxp-[0-9A-Za-z-]{20,120}\b/g },
+    { type: "slack_session_token", regex: /\bxoxs-[0-9A-Za-z-]{20,120}\b/g },
+    { type: "discord_bot_token", regex: /\b[A-Za-z\d_-]{24}\.[A-Za-z\d_-]{6}\.[A-Za-z\d_-]{27}\b/g },
+    { type: "jwt_token", regex: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g },
+    { type: "postgres_url", regex: /\bpostgres(?:ql)?:\/\/[^\s'"`]+:[^\s'"`]+@[^\s'"`]+\b/g },
+    { type: "mysql_url", regex: /\bmysql:\/\/[^\s'"`]+:[^\s'"`]+@[^\s'"`]+\b/g },
+    { type: "mongodb_url", regex: /\bmongodb(?:\+srv)?:\/\/[^\s'"`]+:[^\s'"`]+@[^\s'"`]+\b/g },
+    { type: "redis_url", regex: /\bredis(?:s)?:\/\/[^\s'"`]*:[^\s'"`]+@[^\s'"`]+\b/g },
+    { type: "http_basic_auth_url", regex: /\bhttps?:\/\/[^\s:@\/]+:[^\s@\/]+@[^\s'"`]+\b/g },
+    { type: "rsa_private_key", regex: /-----BEGIN RSA PRIVATE KEY-----[\s\S]+?-----END RSA PRIVATE KEY-----/g },
+    { type: "ec_private_key", regex: /-----BEGIN EC PRIVATE KEY-----[\s\S]+?-----END EC PRIVATE KEY-----/g },
+    { type: "generic_private_key", regex: /-----BEGIN PRIVATE KEY-----[\s\S]+?-----END PRIVATE KEY-----/g },
+    { type: "openssh_private_key", regex: /-----BEGIN OPENSSH PRIVATE KEY-----[\s\S]+?-----END OPENSSH PRIVATE KEY-----/g },
+    { type: "dsa_private_key", regex: /-----BEGIN DSA PRIVATE KEY-----[\s\S]+?-----END DSA PRIVATE KEY-----/g },
+    { type: "authorization_bearer", regex: /Authorization\s*:\s*Bearer\s+[A-Za-z0-9._-]{12,}/gi },
+    { type: "firebase_web_api_key", regex: /\bAIza[0-9A-Za-z_-]{35}\b/g },
+    { type: "firebase_db_url", regex: /\bhttps:\/\/[a-z0-9-]+\.firebaseio\.com\b/gi },
+    { type: "firebase_service_account", regex: /"type"\s*:\s*"service_account"[\s\S]*?"private_key"\s*:\s*"-----BEGIN PRIVATE KEY-----[\s\S]*?-----END PRIVATE KEY-----\\n"/g },
+    { type: "netlify_token", regex: /\bnfp_[A-Za-z0-9]{20,120}\b/g },
+    { type: "vercel_token", regex: /\b(?:vercel|VERCEL)_[A-Za-z0-9_]*TOKEN\s*[:=]\s*['\"]?[A-Za-z0-9]{20,120}['\"]?/g },
+    { type: "vercel_pat", regex: /\b[A-Za-z0-9]{24}_[A-Za-z0-9]{24}\b/g },
+    { type: "env_api_key", regex: /\bAPI_KEY\s*[:=]\s*['\"]?[^\s'\"]{8,}['\"]?/g },
+    { type: "env_openai_api_key", regex: /\bOPENAI_API_KEY\s*[:=]\s*['\"]?[^\s'\"]+['\"]?/g },
+    { type: "env_anthropic_api_key", regex: /\bANTHROPIC_API_KEY\s*[:=]\s*['\"]?[^\s'\"]+['\"]?/g },
+    { type: "env_github_token", regex: /\bGITHUB_TOKEN\s*[:=]\s*['\"]?[^\s'\"]+['\"]?/g },
+    { type: "env_secret_key", regex: /\bSECRET_KEY\s*[:=]\s*['\"]?[^\s'\"]{8,}['\"]?/g },
+    { type: "env_access_token", regex: /\bACCESS_TOKEN\s*[:=]\s*['\"]?[^\s'\"]{8,}['\"]?/g },
+    { type: "env_password", regex: /\bPASSWORD\s*[:=]\s*['\"]?[^\s'\"]{6,}['\"]?/g },
+    { type: "env_db_password", regex: /\bDB_PASSWORD\s*[:=]\s*['\"]?[^\s'\"]{6,}['\"]?/g },
+    { type: "env_database_url", regex: /\bDATABASE_URL\s*[:=]\s*['\"]?[^\s'\"]+['\"]?/g },
+    { type: "env_redis_url", regex: /\bREDIS_URL\s*[:=]\s*['\"]?[^\s'\"]+['\"]?/g },
+    { type: "env_sendgrid_api_key", regex: /\bSENDGRID_API_KEY\s*[:=]\s*['\"]?[^\s'\"]+['\"]?/g },
+    { type: "env_slack_token", regex: /\bSLACK(?:_BOT)?_TOKEN\s*[:=]\s*['\"]?[^\s'\"]+['\"]?/g },
+    { type: "env_stripe_key", regex: /\bSTRIPE(?:_SECRET)?_KEY\s*[:=]\s*['\"]?[^\s'\"]+['\"]?/g },
+    { type: "env_aws_access_key_id", regex: /\bAWS_ACCESS_KEY_ID\s*[:=]\s*['\"]?[A-Z0-9]{16,32}['\"]?/g },
+    { type: "env_aws_secret_access_key", regex: /\bAWS_SECRET_ACCESS_KEY\s*[:=]\s*['\"]?[A-Za-z0-9\/+=]{20,80}['\"]?/g },
+    { type: "env_twilio_auth_token", regex: /\bTWILIO_AUTH_TOKEN\s*[:=]\s*['\"]?[A-Fa-f0-9]{32}['\"]?/g },
+    { type: "env_private_key", regex: /\bPRIVATE_KEY\s*[:=]\s*['\"]?-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]+?-----END [A-Z ]*PRIVATE KEY-----['\"]?/g },
+    { type: "generic_token_assignment", regex: /\b(?:token|secret|passwd|password|api[_-]?key|client[_-]?secret)\b\s*[:=]\s*['\"]?[A-Za-z0-9._\-\/+=]{8,}['\"]?/gi },
+    { type: "npm_token", regex: /\bnpm_[A-Za-z0-9]{20,120}\b/g },
+    { type: "github_fine_grained_token", regex: /\bghu_[A-Za-z0-9]{20,255}\b/g },
+    { type: "azure_storage_key", regex: /\bDefaultEndpointsProtocol=https;AccountName=[^;]+;AccountKey=[A-Za-z0-9+/=]{40,};EndpointSuffix=core\.windows\.net\b/g },
+    { type: "gcp_service_account_json_key", regex: /"private_key_id"\s*:\s*"[a-f0-9]{30,}"/g },
+    { type: "oauth_refresh_token", regex: /\b1\/\/[A-Za-z0-9_-]{20,}\b/g },
+    { type: "mailgun_api_key", regex: /\bkey-[A-Za-z0-9]{32}\b/g },
+    { type: "shopify_access_token", regex: /\bshpat_[A-Za-z0-9]{20,120}\b/g },
+    { type: "gitlab_token", regex: /\bglpat-[A-Za-z0-9_-]{20,120}\b/g }
+];
+//# sourceMappingURL=patterns.js.map

package/dist/src/patterns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../src/patterns.ts"],"names":[],"mappings":";;;AAKa,QAAA,kBAAkB,GAAwB;IACrD,EAAE,IAAI,EAAE,mBAAmB,EAAE,KAAK,EAAE,qCAAqC,EAAE;IAC3E,EAAE,IAAI,EAAE,oBAAoB,EAAE,KAAK,EAAE,gCAAgC,EAAE;IACvE,EAAE,IAAI,EAAE,gBAAgB,EAAE,KAAK,EAAE,6BAA6B,EAAE;IAEhE,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,kCAAkC,EAAE;IACjE,EAAE,IAAI,EAAE,kBAAkB,EAAE,KAAK,EAAE,8BAA8B,EAAE;IACnE,EAAE,IAAI,EAAE,kBAAkB,EAAE,KAAK,EAAE,8BAA8B,EAAE;IACnE,EAAE,IAAI,EAAE,kBAAkB,EAAE,KAAK,EAAE,8BAA8B,EAAE;IAEnE,EAAE,IAAI,EAAE,gBAAgB,EAAE,KAAK,EAAE,gCAAgC,EAAE;IACnE,EAAE,IAAI,EAAE,gBAAgB,EAAE,KAAK,EAAE,6FAA6F,EAAE;IAChI,EAAE,IAAI,EAAE,oBAAoB,EAAE,KAAK,EAAE,0BAA0B,EAAE;IAEjE,EAAE,IAAI,EAAE,gBAAgB,EAAE,KAAK,EAAE,4BAA4B,EAAE;IAE/D,EAAE,IAAI,EAAE,oBAAoB,EAAE,KAAK,EAAE,kCAAkC,EAAE;IACzE,EAAE,IAAI,EAAE,yBAAyB,EAAE,KAAK,EAAE,kCAAkC,EAAE;IAC9E,EAAE,IAAI,EAAE,oBAAoB,EAAE,KAAK,EAAE,kCAAkC,EAAE;IACzE,EAAE,IAAI,EAAE,wBAAwB,EAAE,KAAK,EAAE,kCAAkC,EAAE;IAE7E,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,sBAAsB,EAAE;IACrD,EAAE,IAAI,EAAE,gBAAgB,EAAE,KAAK,EAAE,sBAAsB,EAAE;IACzD,EAAE,IAAI,EAAE,mBAAmB,EAAE,KAAK,EAAE,iFAAiF,EAAE;IAEvH,EAAE,IAAI,EAAE,kBAAkB,EAAE,KAAK,EAAE,gCAAgC,EAAE;IAErE,EAAE,IAAI,EAAE,iBAAiB,EAAE,KAAK,EAAE,gCAAgC,EAAE;IACpE,EAAE,IAAI,EAAE,kBAAkB,EAAE,KAAK,EAAE,gCAAgC,EAAE;IACrE,EAAE,IAAI,EAAE,qBAAqB,EAAE,KAAK,EAAE,gCAAgC,EAAE;IAExE,EAAE,IAAI,EAAE,mBAAmB,EAAE,KAAK,EAAE,0DAA0D,EAAE;IAEhG,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,oEAAoE,EAAE;IAElG,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,wDAAwD,EAAE;IACzF,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,8CAA8C,EAAE;IAC5E,EAAE,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,0DAA0D,EAAE;IAC1F,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,oDAAoD,EAAE;IAElF,EAAE,IAAI,EAAE,qBAAqB,EAAE,KAAK,EAAE,gDAAgD,EAAE;IAExF,EAAE,IAAI,EAAE,iBAAiB,EAAE,KAAK,EAAE,uEAAuE,EAAE;IAC3G,EAAE,IAAI,EAAE,gBAAgB,EAAE,KAAK,EAAE,qEAAqE,EAAE;IACxG,EAAE,IAAI,EAAE,qBAAqB,EAAE,KAAK,EAAE,+DAA+D,EAAE;IACvG,EAAE,IAAI,EAAE,qBAAqB,EAAE,KAAK,EAAE,+EAA+E,EAAE;IACvH,EAAE,IAAI,EAAE,iBAAiB,EAAE,KAAK,EAAE,uEAAuE,EAAE;IAE3G,EAAE,IAAI,EAAE,sBAAsB,EAAE,KAAK,EAAE,oDAAoD,EAAE;IAE7F,EAAE,IAAI,EAAE,sBAAsB,EAAE,KAAK,EAAE,4BAA4B,EAAE;IACrE,EAAE,IAAI,EAAE,iBAAiB,EAAE,KAAK,EAAE,6CAA6C,EAAE;IACjF,EAAE,IAAI,EAAE,0BAA0B,EAAE,KAAK,EAAE,8HAA8H,EAAE;IAE3K,EAAE,IAAI,EAAE,eAAe,EAAE,KAAK,EAAE,8BAA8B,EAAE;IAChE,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,kFAAkF,EAAE;IACnH,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,sCAAsC,EAAE;IAErE,EAAE,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,8CAA8C,EAAE;IAC9E,EAAE,IAAI,EAAE,oBAAoB,EAAE,KAAK,EAAE,kDAAkD,EAAE;IACzF,EAAE,IAAI,EAAE,uBAAuB,EAAE,KAAK,EAAE,qDAAqD,EAAE;IAC/F,EAAE,IAAI,EAAE,kBAAkB,EAAE,KAAK,EAAE,gDAAgD,EAAE;IACrF,EAAE,IAAI,EAAE,gBAAgB,EAAE,KAAK,EAAE,iDAAiD,EAAE;IACpF,EAAE,IAAI,EAAE,kBAAkB,EAAE,KAAK,EAAE,mDAAmD,EAAE;IACxF,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,+CAA+C,EAAE;IAChF,EAAE,IAAI,EAAE,iBAAiB,EAAE,KAAK,EAAE,kDAAkD,EAAE;IACtF,EAAE,IAAI,EAAE,kBAAkB,EAAE,KAAK,EAAE,gDAAgD,EAAE;IACrF,EAAE,IAAI,EAAE,eAAe,EAAE,KAAK,EAAE,6CAA6C,EAAE;IAC/E,EAAE,IAAI,EAAE,sBAAsB,EAAE,KAAK,EAAE,oDAAoD,EAAE;IAC7F,EAAE,IAAI,EAAE,iBAAiB,EAAE,KAAK,EAAE,wDAAwD,EAAE;IAC5F,EAAE,IAAI,EAAE,gBAAgB,EAAE,KAAK,EAAE,0DAA0D,EAAE;IAC7F,EAAE,IAAI,EAAE,uBAAuB,EAAE,KAAK,EAAE,2DAA2D,EAAE;IACrG,EAAE,IAAI,EAAE,2BAA2B,EAAE,KAAK,EAAE,sEAAsE,EAAE;IACpH,EAAE,IAAI,EAAE,uBAAuB,EAAE,KAAK,EAAE,2DAA2D,EAAE;IACrG,EAAE,IAAI,EAAE,iBAAiB,EAAE,KAAK,EAAE,gHAAgH,EAAE;IAEpJ,EAAE,IAAI,EAAE,0BAA0B,EAAE,KAAK,EAAE,mHAAmH,EAAE;IAChK,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,8BAA8B,EAAE;IAC5D,EAAE,IAAI,EAAE,2BAA2B,EAAE,KAAK,EAAE,8BAA8B,EAAE;IAC5E,EAAE,IAAI,EAAE,mBAAmB,EAAE,KAAK,EAAE,wHAAwH,EAAE;IAC9J,EAAE,IAAI,EAAE,8BAA8B,EAAE,KAAK,EAAE,yCAAyC,EAAE;IAC1F,EAAE,IAAI,EAAE,qBAAqB,EAAE,KAAK,EAAE,8BAA8B,EAAE;IACtE,EAAE,IAAI,EAAE,iBAAiB,EAAE,KAAK,EAAE,0BAA0B,EAAE;IAC9D,EAAE,IAAI,EAAE,sBAAsB,EAAE,KAAK,EAAE,gCAAgC,EAAE;IACzE,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,kCAAkC,EAAE;CACpE,CAAC"}

package/dist/src/redact.d.ts

@@ -0,0 +1,9 @@
+export type SecretDetection = {
+    type: string;
+    value: string;
+    start: number;
+    end: number;
+};
+export declare function scanText(text: string): SecretDetection[];
+export declare function redactText(text: string): string;
+export declare function redactFile(filePath: string): string;

package/dist/src/redact.js

@@ -0,0 +1,64 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.scanText = scanText;
+exports.redactText = redactText;
+exports.redactFile = redactFile;
+const node_fs_1 = require("node:fs");
+const patterns_1 = require("./patterns");
+function runPatternScan(text) {
+    const hits = [];
+    for (const pattern of patterns_1.credentialPatterns) {
+        const regex = new RegExp(pattern.regex.source, pattern.regex.flags);
+        regex.lastIndex = 0;
+        let match;
+        while ((match = regex.exec(text)) !== null) {
+            const value = match[0];
+            const start = match.index;
+            const end = start + value.length;
+            hits.push({ type: pattern.type, value, start, end });
+            if (value.length === 0) {
+                regex.lastIndex += 1;
+            }
+        }
+    }
+    return hits;
+}
+function collapseOverlaps(detections) {
+    const sorted = [...detections].sort((a, b) => {
+        if (a.start !== b.start) {
+            return a.start - b.start;
+        }
+        return b.end - a.end;
+    });
+    const accepted = [];
+    for (const detection of sorted) {
+        const previous = accepted[accepted.length - 1];
+        if (!previous || detection.start >= previous.end) {
+            accepted.push(detection);
+        }
+    }
+    return accepted;
+}
+function scanText(text) {
+    return collapseOverlaps(runPatternScan(text));
+}
+function redactText(text) {
+    const detections = scanText(text);
+    if (detections.length === 0) {
+        return text;
+    }
+    let result = "";
+    let cursor = 0;
+    for (const detection of detections) {
+        result += text.slice(cursor, detection.start);
+        result += `[REDACTED:${detection.type}]`;
+        cursor = detection.end;
+    }
+    result += text.slice(cursor);
+    return result;
+}
+function redactFile(filePath) {
+    const content = (0, node_fs_1.readFileSync)(filePath, "utf8");
+    return redactText(content);
+}
+//# sourceMappingURL=redact.js.map

package/dist/src/redact.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"redact.js","sourceRoot":"","sources":["../../src/redact.ts"],"names":[],"mappings":";;AAoDA,4BAEC;AAED,gCAiBC;AAED,gCAGC;AA9ED,qCAAuC;AACvC,yCAAgD;AAShD,SAAS,cAAc,CAAC,IAAY;IAClC,MAAM,IAAI,GAAsB,EAAE,CAAC;IAEnC,KAAK,MAAM,OAAO,IAAI,6BAAkB,EAAE,CAAC;QACzC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QACpE,KAAK,CAAC,SAAS,GAAG,CAAC,CAAC;QAEpB,IAAI,KAA6B,CAAC;QAClC,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC3C,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACvB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC;YAC1B,MAAM,GAAG,GAAG,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC;YACjC,IAAI,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;YAErD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACvB,KAAK,CAAC,SAAS,IAAI,CAAC,CAAC;YACvB,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,gBAAgB,CAAC,UAA6B;IACrD,MAAM,MAAM,GAAG,CAAC,GAAG,UAAU,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QAC3C,IAAI,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,KAAK,EAAE,CAAC;YACxB,OAAO,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC;QAC3B,CAAC;QACD,OAAO,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC;IACvB,CAAC,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAsB,EAAE,CAAC;IACvC,KAAK,MAAM,SAAS,IAAI,MAAM,EAAE,CAAC;QAC/B,MAAM,QAAQ,GAAG,QAAQ,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAC/C,IAAI,CAAC,QAAQ,IAAI,SAAS,CAAC,KAAK,IAAI,QAAQ,CAAC,GAAG,EAAE,CAAC;YACjD,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAgB,QAAQ,CAAC,IAAY;IACnC,OAAO,gBAAgB,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC;AAChD,CAAC;AAED,SAAgB,UAAU,CAAC,IAAY;IACrC,MAAM,UAAU,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC;IAClC,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,IAAI,MAAM,GAAG,CAAC,CAAC;IAEf,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,MAAM,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC;QAC9C,MAAM,IAAI,aAAa,SAAS,CAAC,IAAI,GAAG,CAAC;QACzC,MAAM,GAAG,SAAS,CAAC,GAAG,CAAC;IACzB,CAAC;IAED,MAAM,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAC7B,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAgB,UAAU,CAAC,QAAgB;IACzC,MAAM,OAAO,GAAG,IAAA,sBAAY,EAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC/C,OAAO,UAAU,CAAC,OAAO,CAAC,CAAC;AAC7B,CAAC"}

package/dist/test/redact.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/test/redact.test.js

@@ -0,0 +1,29 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const node_assert_1 = require("node:assert");
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const redact_1 = require("../src/redact");
+function run() {
+    const fixturePath = (0, node_path_1.join)(__dirname, "..", "test", "sample-secrets.txt");
+    const fixture = (0, node_fs_1.readFileSync)(fixturePath, "utf8");
+    const detections = (0, redact_1.scanText)(fixture);
+    node_assert_1.strict.ok(detections.length >= 10, "should detect multiple secrets");
+    const redacted = (0, redact_1.redactText)(fixture);
+    node_assert_1.strict.ok(redacted.includes("[REDACTED:openai_project_key]"));
+    node_assert_1.strict.ok(redacted.includes("[REDACTED:anthropic_api_key]"));
+    node_assert_1.strict.ok(redacted.includes("[REDACTED:github_token_ghp]"));
+    node_assert_1.strict.ok(redacted.includes("[REDACTED:aws_access_key]"));
+    node_assert_1.strict.ok(redacted.includes("[REDACTED:sendgrid_api_key]"));
+    const fromFile = (0, redact_1.redactFile)(fixturePath);
+    node_assert_1.strict.equal(fromFile, redacted, "redactFile should match redactText output");
+    const codeFixturePath = (0, node_path_1.join)(__dirname, "..", "test", "sample-code.ts");
+    const codeFixture = (0, node_fs_1.readFileSync)(codeFixturePath, "utf8");
+    const codeRedacted = (0, redact_1.redactText)(codeFixture);
+    node_assert_1.strict.ok(codeRedacted.includes("[REDACTED:openai_project_key]"));
+    node_assert_1.strict.ok(codeRedacted.includes("[REDACTED:github_token_ghp]"));
+    node_assert_1.strict.ok(codeRedacted.includes("[REDACTED:postgres_url]"));
+    console.log("All redact tests passed.");
+}
+run();
+//# sourceMappingURL=redact.test.js.map

package/dist/test/redact.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"redact.test.js","sourceRoot":"","sources":["../../test/redact.test.ts"],"names":[],"mappings":";;AAAA,6CAA+C;AAC/C,qCAAuC;AACvC,yCAAiC;AACjC,0CAAiE;AAEjE,SAAS,GAAG;IACV,MAAM,WAAW,GAAG,IAAA,gBAAI,EAAC,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,oBAAoB,CAAC,CAAC;IACxE,MAAM,OAAO,GAAG,IAAA,sBAAY,EAAC,WAAW,EAAE,MAAM,CAAC,CAAC;IAElD,MAAM,UAAU,GAAG,IAAA,iBAAQ,EAAC,OAAO,CAAC,CAAC;IACrC,oBAAM,CAAC,EAAE,CAAC,UAAU,CAAC,MAAM,IAAI,EAAE,EAAE,gCAAgC,CAAC,CAAC;IAErE,MAAM,QAAQ,GAAG,IAAA,mBAAU,EAAC,OAAO,CAAC,CAAC;IACrC,oBAAM,CAAC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,+BAA+B,CAAC,CAAC,CAAC;IAC9D,oBAAM,CAAC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,8BAA8B,CAAC,CAAC,CAAC;IAC7D,oBAAM,CAAC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,6BAA6B,CAAC,CAAC,CAAC;IAC5D,oBAAM,CAAC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,2BAA2B,CAAC,CAAC,CAAC;IAC1D,oBAAM,CAAC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,6BAA6B,CAAC,CAAC,CAAC;IAE5D,MAAM,QAAQ,GAAG,IAAA,mBAAU,EAAC,WAAW,CAAC,CAAC;IACzC,oBAAM,CAAC,KAAK,CAAC,QAAQ,EAAE,QAAQ,EAAE,2CAA2C,CAAC,CAAC;IAE9E,MAAM,eAAe,GAAG,IAAA,gBAAI,EAAC,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,gBAAgB,CAAC,CAAC;IACxE,MAAM,WAAW,GAAG,IAAA,sBAAY,EAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IAC1D,MAAM,YAAY,GAAG,IAAA,mBAAU,EAAC,WAAW,CAAC,CAAC;IAC7C,oBAAM,CAAC,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,+BAA+B,CAAC,CAAC,CAAC;IAClE,oBAAM,CAAC,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,6BAA6B,CAAC,CAAC,CAAC;IAChE,oBAAM,CAAC,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,yBAAyB,CAAC,CAAC,CAAC;IAE5D,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;AAC1C,CAAC;AAED,GAAG,EAAE,CAAC"}

package/package.json

@@ -0,0 +1,24 @@
+{
+  "name": "@streamblur/mcp",
+  "version": "0.1.0",
+  "description": "StreamBlur MCP server - redact API keys, tokens, and secrets from text and files",
+  "main": "dist/src/index.js",
+  "bin": {
+    "streamblur-mcp": "./dist/src/index.js"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "start": "node dist/src/index.js",
+    "test": "node dist/test/redact.test.js"
+  },
+  "keywords": ["mcp", "security", "redact", "api-keys", "secrets", "privacy", "streamblur"],
+  "author": "StreamBlur",
+  "license": "MIT",
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.0.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.0.0",
+    "typescript": "^5.0.0"
+  }
+}

package/src/index.ts

@@ -0,0 +1,135 @@
+#!/usr/bin/env node
+
+import { readFileSync } from "node:fs";
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import {
+  CallToolRequestSchema,
+  ErrorCode,
+  ListToolsRequestSchema,
+  McpError
+} from "@modelcontextprotocol/sdk/types.js";
+import { redactText, scanText } from "./redact";
+
+const server = new Server(
+  {
+    name: "streamblur-mcp",
+    version: "0.1.0"
+  },
+  {
+    capabilities: {
+      tools: {}
+    }
+  }
+);
+
+server.setRequestHandler(ListToolsRequestSchema, async () => {
+  return {
+    tools: [
+      {
+        name: "redact_text",
+        description: "Redacts secrets from input text and replaces them with [REDACTED:type]",
+        inputSchema: {
+          type: "object",
+          properties: {
+            text: {
+              type: "string",
+              description: "Text to redact"
+            }
+          },
+          required: ["text"],
+          additionalProperties: false
+        }
+      },
+      {
+        name: "redact_file",
+        description: "Reads a file and returns redacted content without modifying the original file",
+        inputSchema: {
+          type: "object",
+          properties: {
+            path: {
+              type: "string",
+              description: "Path to file"
+            }
+          },
+          required: ["path"],
+          additionalProperties: false
+        }
+      },
+      {
+        name: "scan_text",
+        description: "Scans text and returns a list of detected secrets with type and position",
+        inputSchema: {
+          type: "object",
+          properties: {
+            text: {
+              type: "string",
+              description: "Text to scan"
+            }
+          },
+          required: ["text"],
+          additionalProperties: false
+        }
+      }
+    ]
+  };
+});
+
+server.setRequestHandler(CallToolRequestSchema, async (request) => {
+  const args = request.params.arguments ?? {};
+
+  switch (request.params.name) {
+    case "redact_text": {
+      const text = args.text;
+      if (typeof text !== "string") {
+        throw new McpError(ErrorCode.InvalidParams, "'text' must be a string");
+      }
+
+      return {
+        content: [{ type: "text", text: redactText(text) }]
+      };
+    }
+
+    case "redact_file": {
+      const path = args.path;
+      if (typeof path !== "string") {
+        throw new McpError(ErrorCode.InvalidParams, "'path' must be a string");
+      }
+
+      const content = readFileSync(path, "utf8");
+      return {
+        content: [{ type: "text", text: redactText(content) }]
+      };
+    }
+
+    case "scan_text": {
+      const text = args.text;
+      if (typeof text !== "string") {
+        throw new McpError(ErrorCode.InvalidParams, "'text' must be a string");
+      }
+
+      const detections = scanText(text).map((detection) => ({
+        type: detection.type,
+        start: detection.start,
+        end: detection.end
+      }));
+
+      return {
+        content: [{ type: "text", text: JSON.stringify(detections, null, 2) }]
+      };
+    }
+
+    default:
+      throw new McpError(ErrorCode.MethodNotFound, `Unknown tool: ${request.params.name}`);
+  }
+});
+
+async function main(): Promise<void> {
+  const transport = new StdioServerTransport();
+  await server.connect(transport);
+}
+
+main().catch((error) => {
+  console.error("streamblur-mcp failed to start", error);
+  process.exit(1);
+});

package/src/patterns.ts

@@ -0,0 +1,91 @@
+export type CredentialPattern = {
+  type: string;
+  regex: RegExp;
+};
+
+export const credentialPatterns: CredentialPattern[] = [
+  { type: "anthropic_api_key", regex: /sk-ant-api03-[A-Za-z0-9_-]{20,120}/g },
+  { type: "openai_project_key", regex: /sk-proj-[A-Za-z0-9_-]{20,120}/g },
+  { type: "openai_api_key", regex: /\bsk-[A-Za-z0-9]{20,120}\b/g },
+
+  { type: "github_pat", regex: /github_pat_[A-Za-z0-9_]{20,255}/g },
+  { type: "github_token_ghp", regex: /\bghp_[A-Za-z0-9]{20,255}\b/g },
+  { type: "github_token_gho", regex: /\bgho_[A-Za-z0-9]{20,255}\b/g },
+  { type: "github_token_ghs", regex: /\bghs_[A-Za-z0-9]{20,255}\b/g },
+
+  { type: "aws_access_key", regex: /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g },
+  { type: "aws_secret_key", regex: /\b(?:AWS_SECRET_ACCESS_KEY|aws_secret_access_key)\s*[:=]\s*['\"]?[A-Za-z0-9\/+=]{40}['\"]?/g },
+  { type: "aws_secret_key_raw", regex: /\b[A-Za-z0-9\/+=]{40}\b/g },
+
+  { type: "google_api_key", regex: /\bAIza[0-9A-Za-z_-]{35}\b/g },
+
+  { type: "stripe_secret_live", regex: /\bsk_live_[A-Za-z0-9]{16,120}\b/g },
+  { type: "stripe_publishable_live", regex: /\bpk_live_[A-Za-z0-9]{16,120}\b/g },
+  { type: "stripe_secret_test", regex: /\bsk_test_[A-Za-z0-9]{16,120}\b/g },
+  { type: "stripe_restricted_live", regex: /\brk_live_[A-Za-z0-9]{16,120}\b/g },
+
+  { type: "twilio_sid", regex: /\bAC[a-f0-9]{32}\b/gi },
+  { type: "twilio_api_key", regex: /\bSK[a-f0-9]{32}\b/gi },
+  { type: "twilio_auth_token", regex: /\b(?:TWILIO_AUTH_TOKEN|twilio_auth_token)\s*[:=]\s*['\"]?[A-Fa-f0-9]{32}['\"]?/g },
+
+  { type: "sendgrid_api_key", regex: /\bSG\.[A-Za-z0-9_-]{20,120}\b/g },
+
+  { type: "slack_bot_token", regex: /\bxoxb-[0-9A-Za-z-]{20,120}\b/g },
+  { type: "slack_user_token", regex: /\bxoxp-[0-9A-Za-z-]{20,120}\b/g },
+  { type: "slack_session_token", regex: /\bxoxs-[0-9A-Za-z-]{20,120}\b/g },
+
+  { type: "discord_bot_token", regex: /\b[A-Za-z\d_-]{24}\.[A-Za-z\d_-]{6}\.[A-Za-z\d_-]{27}\b/g },
+
+  { type: "jwt_token", regex: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g },
+
+  { type: "postgres_url", regex: /\bpostgres(?:ql)?:\/\/[^\s'"`]+:[^\s'"`]+@[^\s'"`]+\b/g },
+  { type: "mysql_url", regex: /\bmysql:\/\/[^\s'"`]+:[^\s'"`]+@[^\s'"`]+\b/g },
+  { type: "mongodb_url", regex: /\bmongodb(?:\+srv)?:\/\/[^\s'"`]+:[^\s'"`]+@[^\s'"`]+\b/g },
+  { type: "redis_url", regex: /\bredis(?:s)?:\/\/[^\s'"`]*:[^\s'"`]+@[^\s'"`]+\b/g },
+
+  { type: "http_basic_auth_url", regex: /\bhttps?:\/\/[^\s:@\/]+:[^\s@\/]+@[^\s'"`]+\b/g },
+
+  { type: "rsa_private_key", regex: /-----BEGIN RSA PRIVATE KEY-----[\s\S]+?-----END RSA PRIVATE KEY-----/g },
+  { type: "ec_private_key", regex: /-----BEGIN EC PRIVATE KEY-----[\s\S]+?-----END EC PRIVATE KEY-----/g },
+  { type: "generic_private_key", regex: /-----BEGIN PRIVATE KEY-----[\s\S]+?-----END PRIVATE KEY-----/g },
+  { type: "openssh_private_key", regex: /-----BEGIN OPENSSH PRIVATE KEY-----[\s\S]+?-----END OPENSSH PRIVATE KEY-----/g },
+  { type: "dsa_private_key", regex: /-----BEGIN DSA PRIVATE KEY-----[\s\S]+?-----END DSA PRIVATE KEY-----/g },
+
+  { type: "authorization_bearer", regex: /Authorization\s*:\s*Bearer\s+[A-Za-z0-9._-]{12,}/gi },
+
+  { type: "firebase_web_api_key", regex: /\bAIza[0-9A-Za-z_-]{35}\b/g },
+  { type: "firebase_db_url", regex: /\bhttps:\/\/[a-z0-9-]+\.firebaseio\.com\b/gi },
+  { type: "firebase_service_account", regex: /"type"\s*:\s*"service_account"[\s\S]*?"private_key"\s*:\s*"-----BEGIN PRIVATE KEY-----[\s\S]*?-----END PRIVATE KEY-----\\n"/g },
+
+  { type: "netlify_token", regex: /\bnfp_[A-Za-z0-9]{20,120}\b/g },
+  { type: "vercel_token", regex: /\b(?:vercel|VERCEL)_[A-Za-z0-9_]*TOKEN\s*[:=]\s*['\"]?[A-Za-z0-9]{20,120}['\"]?/g },
+  { type: "vercel_pat", regex: /\b[A-Za-z0-9]{24}_[A-Za-z0-9]{24}\b/g },
+
+  { type: "env_api_key", regex: /\bAPI_KEY\s*[:=]\s*['\"]?[^\s'\"]{8,}['\"]?/g },
+  { type: "env_openai_api_key", regex: /\bOPENAI_API_KEY\s*[:=]\s*['\"]?[^\s'\"]+['\"]?/g },
+  { type: "env_anthropic_api_key", regex: /\bANTHROPIC_API_KEY\s*[:=]\s*['\"]?[^\s'\"]+['\"]?/g },
+  { type: "env_github_token", regex: /\bGITHUB_TOKEN\s*[:=]\s*['\"]?[^\s'\"]+['\"]?/g },
+  { type: "env_secret_key", regex: /\bSECRET_KEY\s*[:=]\s*['\"]?[^\s'\"]{8,}['\"]?/g },
+  { type: "env_access_token", regex: /\bACCESS_TOKEN\s*[:=]\s*['\"]?[^\s'\"]{8,}['\"]?/g },
+  { type: "env_password", regex: /\bPASSWORD\s*[:=]\s*['\"]?[^\s'\"]{6,}['\"]?/g },
+  { type: "env_db_password", regex: /\bDB_PASSWORD\s*[:=]\s*['\"]?[^\s'\"]{6,}['\"]?/g },
+  { type: "env_database_url", regex: /\bDATABASE_URL\s*[:=]\s*['\"]?[^\s'\"]+['\"]?/g },
+  { type: "env_redis_url", regex: /\bREDIS_URL\s*[:=]\s*['\"]?[^\s'\"]+['\"]?/g },
+  { type: "env_sendgrid_api_key", regex: /\bSENDGRID_API_KEY\s*[:=]\s*['\"]?[^\s'\"]+['\"]?/g },
+  { type: "env_slack_token", regex: /\bSLACK(?:_BOT)?_TOKEN\s*[:=]\s*['\"]?[^\s'\"]+['\"]?/g },
+  { type: "env_stripe_key", regex: /\bSTRIPE(?:_SECRET)?_KEY\s*[:=]\s*['\"]?[^\s'\"]+['\"]?/g },
+  { type: "env_aws_access_key_id", regex: /\bAWS_ACCESS_KEY_ID\s*[:=]\s*['\"]?[A-Z0-9]{16,32}['\"]?/g },
+  { type: "env_aws_secret_access_key", regex: /\bAWS_SECRET_ACCESS_KEY\s*[:=]\s*['\"]?[A-Za-z0-9\/+=]{20,80}['\"]?/g },
+  { type: "env_twilio_auth_token", regex: /\bTWILIO_AUTH_TOKEN\s*[:=]\s*['\"]?[A-Fa-f0-9]{32}['\"]?/g },
+  { type: "env_private_key", regex: /\bPRIVATE_KEY\s*[:=]\s*['\"]?-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]+?-----END [A-Z ]*PRIVATE KEY-----['\"]?/g },
+
+  { type: "generic_token_assignment", regex: /\b(?:token|secret|passwd|password|api[_-]?key|client[_-]?secret)\b\s*[:=]\s*['\"]?[A-Za-z0-9._\-\/+=]{8,}['\"]?/gi },
+  { type: "npm_token", regex: /\bnpm_[A-Za-z0-9]{20,120}\b/g },
+  { type: "github_fine_grained_token", regex: /\bghu_[A-Za-z0-9]{20,255}\b/g },
+  { type: "azure_storage_key", regex: /\bDefaultEndpointsProtocol=https;AccountName=[^;]+;AccountKey=[A-Za-z0-9+/=]{40,};EndpointSuffix=core\.windows\.net\b/g },
+  { type: "gcp_service_account_json_key", regex: /"private_key_id"\s*:\s*"[a-f0-9]{30,}"/g },
+  { type: "oauth_refresh_token", regex: /\b1\/\/[A-Za-z0-9_-]{20,}\b/g },
+  { type: "mailgun_api_key", regex: /\bkey-[A-Za-z0-9]{32}\b/g },
+  { type: "shopify_access_token", regex: /\bshpat_[A-Za-z0-9]{20,120}\b/g },
+  { type: "gitlab_token", regex: /\bglpat-[A-Za-z0-9_-]{20,120}\b/g }
+];

package/src/redact.ts

@@ -0,0 +1,79 @@
+import { readFileSync } from "node:fs";
+import { credentialPatterns } from "./patterns";
+
+export type SecretDetection = {
+  type: string;
+  value: string;
+  start: number;
+  end: number;
+};
+
+function runPatternScan(text: string): SecretDetection[] {
+  const hits: SecretDetection[] = [];
+
+  for (const pattern of credentialPatterns) {
+    const regex = new RegExp(pattern.regex.source, pattern.regex.flags);
+    regex.lastIndex = 0;
+
+    let match: RegExpExecArray | null;
+    while ((match = regex.exec(text)) !== null) {
+      const value = match[0];
+      const start = match.index;
+      const end = start + value.length;
+      hits.push({ type: pattern.type, value, start, end });
+
+      if (value.length === 0) {
+        regex.lastIndex += 1;
+      }
+    }
+  }
+
+  return hits;
+}
+
+function collapseOverlaps(detections: SecretDetection[]): SecretDetection[] {
+  const sorted = [...detections].sort((a, b) => {
+    if (a.start !== b.start) {
+      return a.start - b.start;
+    }
+    return b.end - a.end;
+  });
+
+  const accepted: SecretDetection[] = [];
+  for (const detection of sorted) {
+    const previous = accepted[accepted.length - 1];
+    if (!previous || detection.start >= previous.end) {
+      accepted.push(detection);
+    }
+  }
+
+  return accepted;
+}
+
+export function scanText(text: string): SecretDetection[] {
+  return collapseOverlaps(runPatternScan(text));
+}
+
+export function redactText(text: string): string {
+  const detections = scanText(text);
+  if (detections.length === 0) {
+    return text;
+  }
+
+  let result = "";
+  let cursor = 0;
+
+  for (const detection of detections) {
+    result += text.slice(cursor, detection.start);
+    result += `[REDACTED:${detection.type}]`;
+    cursor = detection.end;
+  }
+
+  result += text.slice(cursor);
+  return result;
+}
+
+export function redactFile(filePath: string): string {
+  const content = readFileSync(filePath, "utf8");
+  return redactText(content);
+}

package/test/redact.test.ts

@@ -0,0 +1,33 @@
+import { strict as assert } from "node:assert";
+import { readFileSync } from "node:fs";
+import { join } from "node:path";
+import { redactFile, redactText, scanText } from "../src/redact";
+
+function run(): void {
+  const fixturePath = join(__dirname, "..", "test", "sample-secrets.txt");
+  const fixture = readFileSync(fixturePath, "utf8");
+
+  const detections = scanText(fixture);
+  assert.ok(detections.length >= 10, "should detect multiple secrets");
+
+  const redacted = redactText(fixture);
+  assert.ok(redacted.includes("[REDACTED:openai_project_key]"));
+  assert.ok(redacted.includes("[REDACTED:anthropic_api_key]"));
+  assert.ok(redacted.includes("[REDACTED:github_token_ghp]"));
+  assert.ok(redacted.includes("[REDACTED:aws_access_key]"));
+  assert.ok(redacted.includes("[REDACTED:sendgrid_api_key]"));
+
+  const fromFile = redactFile(fixturePath);
+  assert.equal(fromFile, redacted, "redactFile should match redactText output");
+
+  const codeFixturePath = join(__dirname, "..", "test", "sample-code.ts");
+  const codeFixture = readFileSync(codeFixturePath, "utf8");
+  const codeRedacted = redactText(codeFixture);
+  assert.ok(codeRedacted.includes("[REDACTED:openai_project_key]"));
+  assert.ok(codeRedacted.includes("[REDACTED:github_token_ghp]"));
+  assert.ok(codeRedacted.includes("[REDACTED:postgres_url]"));
+
+  console.log("All redact tests passed.");
+}
+
+run();

package/test/sample-code.ts

@@ -0,0 +1,4 @@
+const openaiKey = 'sk-proj-xK9mR2vNqL4pW8yT3uC7aE1sD6fH5jB0nZwQ';
+const githubToken = 'ghp_xK9mR2vNqL4pW8yT3uC7aE1sD6fH5jB0nZ';
+headers: { 'Authorization': 'Bearer sk-proj-xK9mR2vNqL4pW8yT3uC7aE1sD6fH5jB0nZwQ' }
+const db = new Database('postgres://admin:SuperSecret123!@db.example.com:5432/proddb');

package/test/sample-secrets.txt

@@ -0,0 +1,10 @@
+OPENAI_API_KEY=sk-proj-xK9mR2vNqL4pW8yT3uC7aE1sD6fH5jB0nZwQ
+ANTHROPIC_API_KEY=sk-ant-api03-xK9mR2vNqL4pW8yT3uC7aE1sD6fH5jB0nZwQabcdef1234567890abcdef12
+GITHUB_TOKEN=ghp_xK9mR2vNqL4pW8yT3uC7aE1sD6fH5jB0nZ
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+STRIPE_SECRET_KEY=sk_live_xK9mR2vNqL4pW8yT3uC7aE1sD6fH5jB0nZ
+DATABASE_URL=postgres://admin:SuperSecret123!@db.example.com:5432/proddb
+REDIS_URL=redis://:myredispassword@redis.example.com:6379
+SLACK_BOT_TOKEN=xoxb-1234567890-1234567890123-xK9mR2vNqL4pW8yT3uC7
+SENDGRID_API_KEY=SG.xK9mR2vNqL4pW8yT3uC7aE1sD6fH5jB0nZwQabcdef12

package/tsconfig.json

@@ -0,0 +1,16 @@
+{
+  "compilerOptions": {
+    "target": "ES2020",
+    "module": "CommonJS",
+    "moduleResolution": "Node",
+    "outDir": "dist",
+    "rootDir": ".",
+    "strict": true,
+    "esModuleInterop": true,
+    "forceConsistentCasingInFileNames": true,
+    "skipLibCheck": true,
+    "declaration": true,
+    "sourceMap": true
+  },
+  "include": ["src/**/*.ts", "test/redact.test.ts"]
+}