@streamblur/mcp 0.1.0 → 1.1.0

package/src/index.ts

@@ -1,6 +1,9 @@
 #!/usr/bin/env node
 
-import { readFileSync } from "node:fs";
+import { readFileSync, readdirSync, statSync, mkdirSync, rmSync, existsSync } from "node:fs";
+import { join, extname } from "node:path";
+import { execSync } from "node:child_process";
+import { tmpdir } from "node:os";
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import {
@@ -11,112 +14,544 @@ import {
 } from "@modelcontextprotocol/sdk/types.js";
 import { redactText, scanText } from "./redact";
 
-const server = new Server(
-  {
-    name: "streamblur-mcp",
-    version: "0.1.0"
-  },
-  {
-    capabilities: {
-      tools: {}
+// ─── Pro License Validation ────────────────────────────────────────────────
+
+const LICENSE_KEY = process.env.STREAMBLUR_LICENSE_KEY ?? "";
+let proValidated: boolean | null = null; // null = not yet checked
+
+async function checkProLicense(email: string): Promise<boolean> {
+  try {
+    const res = await fetch("https://streamblur.com/.netlify/functions/check-pro", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ email }),
+      signal: AbortSignal.timeout(5000)
+    });
+    if (!res.ok) return false;
+    const data = await res.json() as { isPro?: boolean };
+    return data.isPro === true;
+  } catch {
+    return false;
+  }
+}
+
+async function isPro(): Promise<boolean> {
+  if (proValidated !== null) return proValidated;
+  if (!LICENSE_KEY) {
+    proValidated = false;
+    return false;
+  }
+  // LICENSE_KEY can be either an email (Pro account) or a license key string
+  // Try email format first, then fall back to key-based check
+  const isEmail = LICENSE_KEY.includes("@");
+  if (isEmail) {
+    proValidated = await checkProLicense(LICENSE_KEY);
+  } else {
+    // License key format: check against validate-license endpoint
+    try {
+      const res = await fetch("https://streamblur.com/.netlify/functions/validate-license", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ licenseKey: LICENSE_KEY }),
+        signal: AbortSignal.timeout(5000)
+      });
+      if (!res.ok) {
+        proValidated = false;
+      } else {
+        const data = await res.json() as { valid?: boolean; isPro?: boolean };
+        proValidated = data.valid === true || data.isPro === true;
+      }
+    } catch {
+      proValidated = false;
+    }
+  }
+  return proValidated;
+}
+
+// ─── Directory Scanner (Pro) ───────────────────────────────────────────────
+
+const SCANNABLE_EXTENSIONS = new Set([
+  ".env", ".txt", ".js", ".ts", ".jsx", ".tsx", ".json", ".yaml", ".yml",
+  ".toml", ".ini", ".cfg", ".conf", ".sh", ".bash", ".zsh", ".py", ".rb",
+  ".go", ".rs", ".java", ".kt", ".php", ".cs", ".cpp", ".c", ".h",
+  ".tf", ".hcl", ".properties", ".xml", ".md", ".mdx"
+]);
+
+const IGNORED_DIRS = new Set([
+  "node_modules", ".git", ".next", "dist", "build", "out", ".cache",
+  "coverage", ".turbo", "vendor", "__pycache__", ".venv", "venv"
+]);
+
+interface DirectoryScanResult {
+  file: string;
+  detections: Array<{ type: string; line: number; column: number }>;
+}
+
+function scanDirectory(dirPath: string, maxFiles = 500): DirectoryScanResult[] {
+  const results: DirectoryScanResult[] = [];
+  let fileCount = 0;
+
+  function walk(current: string) {
+    if (fileCount >= maxFiles) return;
+
+    let entries;
+    try {
+      entries = readdirSync(current, { withFileTypes: true });
+    } catch {
+      return;
+    }
+
+    for (const entry of entries) {
+      if (fileCount >= maxFiles) break;
+      const fullPath = join(current, entry.name);
+
+      if (entry.isDirectory()) {
+        if (!IGNORED_DIRS.has(entry.name)) walk(fullPath);
+      } else if (entry.isFile()) {
+        const ext = extname(entry.name).toLowerCase();
+        const isEnvFile = entry.name.startsWith(".env");
+        if (!SCANNABLE_EXTENSIONS.has(ext) && !isEnvFile) continue;
+
+        let size = 0;
+        try { size = statSync(fullPath).size; } catch { continue; }
+        if (size > 500_000) continue; // skip files > 500KB
+
+        fileCount++;
+        try {
+          const content = readFileSync(fullPath, "utf8");
+          const detections = scanText(content);
+          if (detections.length > 0) {
+            const lines = content.split("\n");
+            const mapped = detections.map(d => {
+              let chars = 0;
+              let lineNum = 1;
+              let col = d.start;
+              for (const line of lines) {
+                if (chars + line.length >= d.start) {
+                  col = d.start - chars;
+                  break;
+                }
+                chars += line.length + 1;
+                lineNum++;
+              }
+              return { type: d.type, line: lineNum, column: col };
+            });
+            results.push({ file: fullPath, detections: mapped });
+          }
+        } catch {
+          // skip unreadable files
+        }
+      }
     }
   }
+
+  walk(dirPath);
+  return results;
+}
+
+// ─── Server Setup ──────────────────────────────────────────────────────────
+
+const server = new Server(
+  { name: "streamblur-mcp", version: "1.1.0" },
+  { capabilities: { tools: {} } }
 );
 
 server.setRequestHandler(ListToolsRequestSchema, async () => {
-  return {
-    tools: [
-      {
-        name: "redact_text",
-        description: "Redacts secrets from input text and replaces them with [REDACTED:type]",
-        inputSchema: {
-          type: "object",
-          properties: {
-            text: {
-              type: "string",
-              description: "Text to redact"
-            }
-          },
-          required: ["text"],
-          additionalProperties: false
-        }
-      },
-      {
-        name: "redact_file",
-        description: "Reads a file and returns redacted content without modifying the original file",
-        inputSchema: {
-          type: "object",
-          properties: {
-            path: {
-              type: "string",
-              description: "Path to file"
-            }
-          },
-          required: ["path"],
-          additionalProperties: false
-        }
-      },
-      {
-        name: "scan_text",
-        description: "Scans text and returns a list of detected secrets with type and position",
-        inputSchema: {
-          type: "object",
-          properties: {
-            text: {
-              type: "string",
-              description: "Text to scan"
-            }
-          },
-          required: ["text"],
-          additionalProperties: false
-        }
+  const proActive = await isPro();
+
+  const tools = [
+    {
+      name: "redact_text",
+      description: "Redacts API keys, tokens, passwords, and credentials from text. Replaces each match with [REDACTED:type].",
+      inputSchema: {
+        type: "object",
+        properties: {
+          text: { type: "string", description: "Text to redact" }
+        },
+        required: ["text"],
+        additionalProperties: false
+      }
+    },
+    {
+      name: "scan_text",
+      description: "Scans text and returns detected secrets with type and character position. Use this to audit content before sharing.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          text: { type: "string", description: "Text to scan" }
+        },
+        required: ["text"],
+        additionalProperties: false
+      }
+    },
+    {
+      name: "redact_file",
+      description: proActive
+        ? "Reads a file and returns redacted content. Supports .env, config files, source code, and more. File is not modified."
+        : "⚡ Pro feature — reads a file and returns redacted content. Set STREAMBLUR_LICENSE_KEY to your StreamBlur Pro email or license key to unlock. Get Pro at https://streamblur.com/pricing",
+      inputSchema: {
+        type: "object",
+        properties: {
+          path: { type: "string", description: "Absolute or relative path to file" }
+        },
+        required: ["path"],
+        additionalProperties: false
+      }
+    },
+    {
+      name: "scan_directory",
+      description: proActive
+        ? "Recursively scans a directory for exposed secrets across all source files. Returns file paths, secret types, and line numbers. Skips node_modules, .git, dist, and build folders."
+        : "⚡ Pro feature — recursively scans a directory for leaked secrets. Set STREAMBLUR_LICENSE_KEY to your StreamBlur Pro email or license key to unlock. Get Pro at https://streamblur.com/pricing",
+      inputSchema: {
+        type: "object",
+        properties: {
+          path: { type: "string", description: "Directory path to scan" },
+          max_files: { type: "number", description: "Max files to scan (default 500)" }
+        },
+        required: ["path"],
+        additionalProperties: false
+      }
+    },
+    {
+      name: "scan_repo",
+      description: proActive
+        ? "Clones a GitHub repository to a temp directory, scans all source files for exposed secrets, returns findings with file paths and line numbers, then deletes the temp clone. Pro feature."
+        : "Clones a GitHub repo and scans all files for leaked secrets. Pro feature - set STREAMBLUR_LICENSE_KEY to unlock.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          repo_url: { type: "string", description: "GitHub repo URL (e.g. https://github.com/owner/repo)" },
+          max_files: { type: "number", description: "Max files to scan (default 300)" }
+        },
+        required: ["repo_url"],
+        additionalProperties: false
       }
-    ]
-  };
+    },
+    {
+      name: "audit_env_file",
+      description: "Reads a .env file and returns a full security report: detected secrets, formatting issues, placeholder values, and rotation recommendations. File is not modified.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          path: { type: "string", description: "Path to .env file" }
+        },
+        required: ["path"],
+        additionalProperties: false
+      }
+    },
+    {
+      name: "check_gitignore",
+      description: "Checks a project directory .gitignore to verify that .env files, key files, and secret directories are properly excluded. Returns a security gap report.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          path: { type: "string", description: "Project root directory path" }
+        },
+        required: ["path"],
+        additionalProperties: false
+      }
+    },
+    {
+      name: "explain_detection",
+      description: "Given a detected secret type (e.g. stripe_secret_live, aws_access_key), explains what it is, the blast radius if leaked, and exactly where to go to revoke and rotate it immediately.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          type: { type: "string", description: "Secret type string from a scan result (e.g. openai_api_key)" }
+        },
+        required: ["type"],
+        additionalProperties: false
+      }
+    },
+    {
+      name: "generate_env_template",
+      description: "Generates a safe .env.example template with placeholder values and security comments for common project types.",
+      inputSchema: {
+        type: "object",
+        properties: {
+          project_type: { type: "string", description: "Project type: nextjs, rails, django, express, nuxt, sveltekit" },
+          services: { type: "array", items: { type: "string" }, description: "Additional services: stripe, openai, anthropic, supabase, firebase, aws, sendgrid, twilio" }
+        },
+        required: ["project_type"],
+        additionalProperties: false
+      }
+    }
+  ];
+
+  return { tools };
 });
 
 server.setRequestHandler(CallToolRequestSchema, async (request) => {
   const args = request.params.arguments ?? {};
 
   switch (request.params.name) {
+
     case "redact_text": {
       const text = args.text;
       if (typeof text !== "string") {
         throw new McpError(ErrorCode.InvalidParams, "'text' must be a string");
       }
+      return { content: [{ type: "text", text: redactText(text) }] };
+    }
 
-      return {
-        content: [{ type: "text", text: redactText(text) }]
-      };
+    case "scan_text": {
+      const text = args.text;
+      if (typeof text !== "string") {
+        throw new McpError(ErrorCode.InvalidParams, "'text' must be a string");
+      }
+      const detections = scanText(text).map(d => ({
+        type: d.type,
+        start: d.start,
+        end: d.end
+      }));
+      return { content: [{ type: "text", text: JSON.stringify(detections, null, 2) }] };
     }
 
     case "redact_file": {
+      const proActive = await isPro();
+      if (!proActive) {
+        return {
+          content: [{
+            type: "text",
+            text: "⚡ redact_file is a StreamBlur Pro feature.\n\nSet the STREAMBLUR_LICENSE_KEY environment variable to your StreamBlur Pro email or license key.\n\nGet Pro at https://streamblur.com/pricing — $2.99 one-time."
+          }]
+        };
+      }
       const path = args.path;
       if (typeof path !== "string") {
         throw new McpError(ErrorCode.InvalidParams, "'path' must be a string");
       }
+      try {
+        const content = readFileSync(path, "utf8");
+        return { content: [{ type: "text", text: redactText(content) }] };
+      } catch (err: unknown) {
+        const msg = err instanceof Error ? err.message : String(err);
+        throw new McpError(ErrorCode.InternalError, `Could not read file: ${msg}`);
+      }
+    }
 
-      const content = readFileSync(path, "utf8");
-      return {
-        content: [{ type: "text", text: redactText(content) }]
-      };
+    case "scan_directory": {
+      const proActive = await isPro();
+      if (!proActive) {
+        return {
+          content: [{
+            type: "text",
+            text: "⚡ scan_directory is a StreamBlur Pro feature.\n\nSet the STREAMBLUR_LICENSE_KEY environment variable to your StreamBlur Pro email or license key.\n\nGet Pro at https://streamblur.com/pricing — $2.99 one-time."
+          }]
+        };
+      }
+      const dirPath = args.path;
+      if (typeof dirPath !== "string") {
+        throw new McpError(ErrorCode.InvalidParams, "'path' must be a string");
+      }
+      const maxFiles = typeof args.max_files === "number" ? args.max_files : 500;
+      try {
+        const results = scanDirectory(dirPath, maxFiles);
+        if (results.length === 0) {
+          return { content: [{ type: "text", text: "✅ No secrets detected in directory." }] };
+        }
+        const summary = results.map(r =>
+          `${r.file}\n${r.detections.map(d => `  Line ${d.line}:${d.column} — ${d.type}`).join("\n")}`
+        ).join("\n\n");
+        return {
+          content: [{
+            type: "text",
+            text: `⚠️ Found secrets in ${results.length} file(s):\n\n${summary}`
+          }]
+        };
+      } catch (err: unknown) {
+        const msg = err instanceof Error ? err.message : String(err);
+        throw new McpError(ErrorCode.InternalError, `Could not scan directory: ${msg}`);
+      }
     }
 
-    case "scan_text": {
-      const text = args.text;
-      if (typeof text !== "string") {
-        throw new McpError(ErrorCode.InvalidParams, "'text' must be a string");
+    case "scan_repo": {
+      const proActive = await isPro();
+      if (!proActive) {
+        return {
+          content: [{
+            type: "text",
+            text: "scan_repo is a StreamBlur Pro feature.\n\nSet STREAMBLUR_LICENSE_KEY to your Pro email or license key.\nGet Pro at https://streamblur.com/pricing - $2.99 one-time."
+          }]
+        };
+      }
+      const repoUrl = args.repo_url;
+      if (typeof repoUrl !== "string" || !repoUrl.startsWith("http")) {
+        throw new McpError(ErrorCode.InvalidParams, "'repo_url' must be a valid GitHub URL");
+      }
+      const maxFiles = typeof args.max_files === "number" ? args.max_files : 300;
+      const tmpDir = join(tmpdir(), "streamblur-scan-" + Date.now());
+      try {
+        mkdirSync(tmpDir, { recursive: true });
+        execSync(`git clone --depth 1 "${repoUrl}" "${tmpDir}"`, { timeout: 60000, stdio: "pipe" });
+        const results = scanDirectory(tmpDir, maxFiles);
+        if (results.length === 0) {
+          return { content: [{ type: "text", text: `No secrets detected in ${repoUrl}` }] };
+        }
+        const summary = results.map(r =>
+          `${r.file.replace(tmpDir + "/", "")}\n${r.detections.map((d: { line: number; column: number; type: string }) => `  Line ${d.line}:${d.column} - ${d.type}`).join("\n")}`
+        ).join("\n\n");
+        return {
+          content: [{
+            type: "text",
+            text: `Found secrets in ${results.length} file(s) in ${repoUrl}:\n\n${summary}`
+          }]
+        };
+      } catch (err: unknown) {
+        const msg = err instanceof Error ? err.message : String(err);
+        throw new McpError(ErrorCode.InternalError, `Repo scan failed: ${msg}`);
+      } finally {
+        try { rmSync(tmpDir, { recursive: true, force: true }); } catch { /* cleanup */ }
       }
+    }
 
-      const detections = scanText(text).map((detection) => ({
-        type: detection.type,
-        start: detection.start,
-        end: detection.end
-      }));
+    case "audit_env_file": {
+      const filePath = args.path;
+      if (typeof filePath !== "string") {
+        throw new McpError(ErrorCode.InvalidParams, "'path' must be a string");
+      }
+      try {
+        const content = readFileSync(filePath, "utf8");
+        const lines = content.split("\n");
+        const issues: string[] = [];
+        const secrets: string[] = [];
+        const placeholders: string[] = [];
+
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i].trim();
+          if (!line || line.startsWith("#")) continue;
+          const eqIdx = line.indexOf("=");
+          if (eqIdx === -1) { issues.push(`Line ${i+1}: Missing = sign: ${line}`); continue; }
+          const key = line.slice(0, eqIdx).trim();
+          const val = line.slice(eqIdx + 1).trim();
+          if (/\s/.test(key)) issues.push(`Line ${i+1}: Key has spaces: ${key}`);
+          if (val === "" || val === '""' || val === "''") issues.push(`Line ${i+1}: Empty value for ${key}`);
+          if (/^(your[_-]|xxx|placeholder|changeme|todo|replace|insert|example)/i.test(val.replace(/['"]/g, ""))) {
+            placeholders.push(`Line ${i+1}: ${key} has placeholder value`);
+          }
+          const detected = scanText(line);
+          if (detected.length > 0) {
+            secrets.push(`Line ${i+1}: ${key} - detected as ${detected.map((d: { type: string }) => d.type).join(", ")}`);
+          }
+        }
 
+        let report = `Env File Audit: ${filePath}\n${"=".repeat(40)}\n`;
+        report += `Lines: ${lines.length} | Variables: ${lines.filter(l => l.includes("=") && !l.startsWith("#")).length}\n\n`;
+        if (secrets.length > 0) report += `SECRETS DETECTED (${secrets.length}):\n${secrets.join("\n")}\n\n`;
+        if (issues.length > 0) report += `FORMAT ISSUES (${issues.length}):\n${issues.join("\n")}\n\n`;
+        if (placeholders.length > 0) report += `PLACEHOLDERS (${placeholders.length}):\n${placeholders.join("\n")}\n\n`;
+        if (secrets.length === 0 && issues.length === 0) report += `No issues found. File looks clean.\n`;
+        report += `\nReminder: ensure this file is in .gitignore and never committed to version control.`;
+
+        return { content: [{ type: "text", text: report }] };
+      } catch (err: unknown) {
+        const msg = err instanceof Error ? err.message : String(err);
+        throw new McpError(ErrorCode.InternalError, `Could not read file: ${msg}`);
+      }
+    }
+
+    case "check_gitignore": {
+      const dirPath = args.path;
+      if (typeof dirPath !== "string") {
+        throw new McpError(ErrorCode.InvalidParams, "'path' must be a string");
+      }
+      const gitignorePath = join(dirPath, ".gitignore");
+      const mustIgnore = [".env", ".env.local", ".env.production", ".env.*.local", "*.pem", "*.key", ".secret"];
+      const shouldIgnore = [".env.development", ".env.staging", "secrets/", "credentials/"];
+
+      try {
+        if (!existsSync(gitignorePath)) {
+          return {
+            content: [{
+              type: "text",
+              text: `No .gitignore found in ${dirPath}.\n\nCRITICAL: Create a .gitignore immediately and add:\n${mustIgnore.join("\n")}`
+            }]
+          };
+        }
+        const content = readFileSync(gitignorePath, "utf8");
+        const missing = mustIgnore.filter(p => !content.includes(p));
+        const suggested = shouldIgnore.filter(p => !content.includes(p));
+        let report = `.gitignore Audit: ${gitignorePath}\n${"=".repeat(40)}\n`;
+        if (missing.length === 0) {
+          report += `All critical patterns are covered.\n`;
+        } else {
+          report += `CRITICAL - Missing patterns (add these NOW):\n${missing.map(p => `  ${p}`).join("\n")}\n\n`;
+        }
+        if (suggested.length > 0) {
+          report += `Recommended additions:\n${suggested.map(p => `  ${p}`).join("\n")}\n`;
+        }
+        return { content: [{ type: "text", text: report }] };
+      } catch (err: unknown) {
+        const msg = err instanceof Error ? err.message : String(err);
+        throw new McpError(ErrorCode.InternalError, `Could not check gitignore: ${msg}`);
+      }
+    }
+
+    case "explain_detection": {
+      const detectionType = args.type;
+      if (typeof detectionType !== "string") {
+        throw new McpError(ErrorCode.InvalidParams, "'type' must be a string");
+      }
+      const explanations: Record<string, { name: string; risk: string; action: string; url: string }> = {
+        openai_api_key: { name: "OpenAI API Key", risk: "HIGH - Full API access. Attacker can run unlimited GPT-4 requests at your expense. Costs can hit thousands of dollars within hours.", action: "1. Go to platform.openai.com/api-keys\n2. Delete the exposed key immediately\n3. Create a new key\n4. Update all services using the old key", url: "https://platform.openai.com/api-keys" },
+        anthropic_api_key: { name: "Anthropic API Key", risk: "HIGH - Full Claude API access. Unauthorized usage billed to your account.", action: "1. Go to console.anthropic.com/settings/keys\n2. Delete the exposed key\n3. Generate a new key\n4. Update environment variables", url: "https://console.anthropic.com/settings/keys" },
+        stripe_secret_live: { name: "Stripe Live Secret Key", risk: "CRITICAL - Full access to your Stripe account. Attacker can create charges, issue refunds, access customer data, and drain your balance.", action: "1. Go to dashboard.stripe.com/apikeys\n2. Roll (rotate) the key immediately\n3. Update all integrations", url: "https://dashboard.stripe.com/apikeys" },
+        aws_access_key: { name: "AWS Access Key ID", risk: "CRITICAL - Combined with secret key, gives full AWS account access. Can spin up infrastructure, access S3 data, and incur massive costs.", action: "1. Go to AWS IAM console\n2. Deactivate the key immediately\n3. Create new credentials\n4. Check CloudTrail for unauthorized activity", url: "https://console.aws.amazon.com/iam/home#/security_credentials" },
+        github_pat: { name: "GitHub Personal Access Token", risk: "HIGH - Can access private repos, commit code, read secrets in Actions, and depending on scope, full org access.", action: "1. Go to github.com/settings/tokens\n2. Delete the exposed token immediately\n3. Audit recent activity on affected repos", url: "https://github.com/settings/tokens" },
+        discord_bot_token: { name: "Discord Bot Token", risk: "MEDIUM-HIGH - Full control of the bot. Can read all messages the bot has access to, send messages as the bot, manage channels.", action: "1. Go to discord.com/developers/applications\n2. Select your app > Bot > Reset Token\n3. Update your deployment with the new token", url: "https://discord.com/developers/applications" },
+        stripe_secret_test: { name: "Stripe Test Secret Key", risk: "LOW - Test mode only, no real money. Best practice to rotate anyway.", action: "1. Go to dashboard.stripe.com/apikeys\n2. Roll the test key", url: "https://dashboard.stripe.com/apikeys" },
+        google_api_key: { name: "Google API Key", risk: "MEDIUM-HIGH - Depending on enabled APIs, can incur costs or expose data.", action: "1. Go to console.cloud.google.com/apis/credentials\n2. Delete or restrict the key\n3. Create a new restricted key", url: "https://console.cloud.google.com/apis/credentials" },
+        huggingface_token: { name: "Hugging Face Token", risk: "MEDIUM - Access to models, datasets, and spaces under your account.", action: "1. Go to huggingface.co/settings/tokens\n2. Delete the exposed token\n3. Create a new one", url: "https://huggingface.co/settings/tokens" },
+        supabase_service_role_key: { name: "Supabase Service Role Key", risk: "CRITICAL - Bypasses Row Level Security entirely. Full read/write access to all database tables.", action: "1. Go to supabase.com/dashboard > Project Settings > API\n2. Rotate the service role key\n3. Update all server-side integrations", url: "https://supabase.com/dashboard" },
+      };
+
+      const info = explanations[detectionType];
+      if (!info) {
+        return {
+          content: [{
+            type: "text",
+            text: `Detection type: ${detectionType}\n\nNo specific guidance available for this type yet.\n\nGeneral advice:\n- Treat it as potentially sensitive\n- Search your provider dashboard for API keys or tokens section\n- Revoke/rotate the value immediately\n- Check logs for unauthorized usage\n- Update all services using the old value`
+          }]
+        };
+      }
       return {
-        content: [{ type: "text", text: JSON.stringify(detections, null, 2) }]
+        content: [{
+          type: "text",
+          text: `${info.name}\n${"=".repeat(info.name.length)}\n\nRisk: ${info.risk}\n\nImmediate action:\n${info.action}\n\nDashboard: ${info.url}`
+        }]
+      };
+    }
+
+    case "generate_env_template": {
+      const projectType = (args.project_type as string || "nextjs").toLowerCase();
+      const services = Array.isArray(args.services) ? args.services as string[] : [];
+
+      const templates: Record<string, string> = {
+        nextjs: `# Next.js Environment Variables\n# Copy to .env.local - NEVER commit .env.local to git\n\n# App\nNEXT_PUBLIC_APP_URL=http://localhost:3000\nNEXT_PUBLIC_APP_NAME=your-app-name\n\n# Database\nDATABASE_URL=postgresql://user:password@localhost:5432/dbname`,
+        express: `# Express Environment Variables\n# Copy to .env - NEVER commit .env to git\n\nNODE_ENV=development\nPORT=3000\n\n# Database\nDATABASE_URL=postgresql://user:password@localhost:5432/dbname\n\n# Session\nSESSION_SECRET=replace-with-random-32-char-string`,
+        django: `# Django Environment Variables\n# Copy to .env - NEVER commit .env to git\n\nDJANGO_SECRET_KEY=replace-with-50-char-random-string\nDEBUG=True\nALLOWED_HOSTS=localhost,127.0.0.1\n\n# Database\nDATABASE_URL=postgresql://user:password@localhost:5432/dbname`,
+        rails: `# Rails Environment Variables\n# Copy to .env - NEVER commit .env to git\n\nRAILS_ENV=development\nSECRET_KEY_BASE=replace-with-rails-credentials-output\n\n# Database\nDATABASE_URL=postgresql://user:password@localhost:5432/dbname`,
+        nuxt: `# Nuxt Environment Variables\n# Copy to .env - NEVER commit .env to git\n\nNUXT_PUBLIC_SITE_URL=http://localhost:3000\nNUXT_SECRET_KEY=replace-with-random-32-char-string`,
+        sveltekit: `# SvelteKit Environment Variables\n# Copy to .env - NEVER commit .env to git\n\nPUBLIC_APP_URL=http://localhost:5173\nPRIVATE_SECRET_KEY=replace-with-random-32-char-string`,
+      };
+
+      const serviceAdditions: Record<string, string> = {
+        stripe: `\n# Stripe\nSTRIPE_SECRET_KEY=sk_test_replace-with-your-stripe-test-key\nSTRIPE_PUBLISHABLE_KEY=pk_test_replace-with-your-stripe-publishable-key\nSTRIPE_WEBHOOK_SECRET=whsec_replace-with-your-webhook-secret`,
+        openai: `\n# OpenAI\nOPENAI_API_KEY=sk-proj-replace-with-your-openai-key`,
+        anthropic: `\n# Anthropic\nANTHROPIC_API_KEY=sk-ant-replace-with-your-anthropic-key`,
+        supabase: `\n# Supabase\nNEXT_PUBLIC_SUPABASE_URL=https://your-project.supabase.co\nNEXT_PUBLIC_SUPABASE_ANON_KEY=eyJ-replace-with-anon-key\nSUPABASE_SERVICE_ROLE_KEY=eyJ-replace-with-service-role-key-KEEP-SECRET`,
+        firebase: `\n# Firebase\nFIREBASE_PROJECT_ID=your-project-id\nFIREBASE_CLIENT_EMAIL=firebase-adminsdk@your-project.iam.gserviceaccount.com\nFIREBASE_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\\nreplace\\n-----END PRIVATE KEY-----\\n"`,
+        aws: `\n# AWS\nAWS_ACCESS_KEY_ID=AKIA-replace-with-your-key\nAWS_SECRET_ACCESS_KEY=replace-with-your-secret\nAWS_REGION=us-east-1`,
+        sendgrid: `\n# SendGrid\nSENDGRID_API_KEY=SG.replace-with-your-sendgrid-key`,
+        twilio: `\n# Twilio\nTWILIO_ACCOUNT_SID=AC-replace-with-your-account-sid\nTWILIO_AUTH_TOKEN=replace-with-your-auth-token`,
       };
+
+      const base = templates[projectType] || templates["nextjs"];
+      const additions = services.map((s: string) => serviceAdditions[s] || "").join("");
+      const result = base + additions + "\n\n# Add this file to .gitignore:\n# echo '.env.local' >> .gitignore";
+
+      return { content: [{ type: "text", text: result }] };
     }
 
     default:

package/src/patterns.ts

@@ -87,5 +87,28 @@ export const credentialPatterns: CredentialPattern[] = [
   { type: "oauth_refresh_token", regex: /\b1\/\/[A-Za-z0-9_-]{20,}\b/g },
   { type: "mailgun_api_key", regex: /\bkey-[A-Za-z0-9]{32}\b/g },
   { type: "shopify_access_token", regex: /\bshpat_[A-Za-z0-9]{20,120}\b/g },
-  { type: "gitlab_token", regex: /\bglpat-[A-Za-z0-9_-]{20,120}\b/g }
+  { type: "gitlab_token", regex: /\bglpat-[A-Za-z0-9_-]{20,120}\b/g },
+
+  // AI/ML platforms
+  { type: "huggingface_token", regex: /\bhf_[A-Za-z0-9]{20,120}\b/g },
+  { type: "replicate_token", regex: /\br8_[A-Za-z0-9]{20,120}\b/g },
+  { type: "together_ai_key", regex: /\b(?:TOGETHER_API_KEY|together_api_key)\s*[:=]\s*['"\\]?[A-Za-z0-9]{32,120}['"\\]?/g },
+  { type: "groq_api_key", regex: /\bgsk_[A-Za-z0-9]{20,120}\b/g },
+  { type: "cohere_api_key", regex: /\b(?:COHERE_API_KEY|co-[A-Za-z0-9]{32,120})\b/g },
+  { type: "elevenlabs_api_key", regex: /\b(?:ELEVENLABS_API_KEY|XI_API_KEY)\s*[:=]\s*['"\\]?[A-Za-z0-9]{32,120}['"\\]?/g },
+  { type: "pinecone_api_key", regex: /\b(?:PINECONE_API_KEY)\s*[:=]\s*['"\\]?[A-Za-z0-9-]{20,120}['"\\]?/g },
+
+  // Database/infra platforms
+  { type: "supabase_service_role_key", regex: /\b(?:SUPABASE_SERVICE_ROLE_KEY|supabase_service_role_key)\s*[:=]\s*['"\\]?eyJ[A-Za-z0-9_-]{50,}['"\\]?/g },
+  { type: "planetscale_token", regex: /\bpscale_tkn_[A-Za-z0-9]{20,120}\b/g },
+  { type: "railway_token", regex: /\b(?:RAILWAY_TOKEN|RAILWAY_API_KEY)\s*[:=]\s*['"\\]?[A-Za-z0-9-]{20,120}['"\\]?/g },
+
+  // Dev tools
+  { type: "resend_api_key", regex: /\bre_[A-Za-z0-9]{20,120}\b/g },
+  { type: "linear_api_key", regex: /\blin_api_[A-Za-z0-9]{20,120}\b/g },
+  { type: "notion_api_key", regex: /\bsecret_[A-Za-z0-9]{40,120}\b/g },
+  { type: "airtable_api_key", regex: /\bpat[A-Za-z0-9]{14}\.[A-Za-z0-9]{64}\b/g },
+  { type: "doppler_token", regex: /\bdp\.pt\.[A-Za-z0-9]{40,120}\b/g },
+  { type: "pulumi_access_token", regex: /\bpul-[A-Za-z0-9]{40,120}\b/g },
+  { type: "cursor_session_token", regex: /\b(?:CURSOR_SESSION_TOKEN|cursor_session)\s*[:=]\s*['"\\]?[A-Za-z0-9._-]{20,120}['"\\]?/g }
 ];