@vaultcompass/vault-guard-core 1.0.0

package/dist/errors.d.ts

@@ -0,0 +1,63 @@
+/**
+ * Base error class for Vault Guard errors
+ */
+export declare class VaultGuardError extends Error {
+    code: string;
+    constructor(message: string, code: string);
+}
+/**
+ * Error thrown when scanning fails
+ */
+export declare class ScanError extends VaultGuardError {
+    filePath?: string | undefined;
+    constructor(message: string, filePath?: string | undefined);
+}
+/**
+ * Error thrown when file access fails
+ */
+export declare class FileAccessError extends VaultGuardError {
+    filePath: string;
+    constructor(message: string, filePath: string);
+}
+/**
+ * Error thrown when hook installation fails
+ */
+export declare class HookError extends VaultGuardError {
+    operation: 'install' | 'uninstall';
+    constructor(message: string, operation: 'install' | 'uninstall');
+}
+/**
+ * Error thrown when a `.vault-guard.json` config file cannot be read or parsed.
+ *
+ * Why this is a distinct error: silently falling back to defaults on a typo'd
+ * config file is dangerous for a security tool — the user thinks their
+ * `severity_overrides` / `extra_patterns` are honoured when they are not.
+ * Callers (CLI, MCP) catch this, print the file path + parser message, and
+ * exit non-zero so the user can fix the config rather than ship undetected.
+ *
+ * @param message - Human-readable parse/read failure explanation.
+ * @param filePath - Absolute path to the offending `.vault-guard.json`.
+ */
+export declare class ConfigError extends VaultGuardError {
+    readonly filePath: string;
+    constructor(message: string, filePath: string);
+}
+/**
+ * Error thrown when git operations fail during a scan.
+ *
+ * Why this is a hard error: `getGitStagedFilePaths` returning `[]` on
+ * git failure would silently produce a "✅ nothing staged" result during
+ * pre-commit, allowing secrets to bypass detection without any feedback.
+ * Callers should exit 2 and display this message so the user knows whether
+ * the ✅ is genuine or git-broken.
+ *
+ * @param message - Human-readable failure details.
+ * @param command - Git command that failed.
+ * @param cause - Original thrown error (if available).
+ */
+export declare class GitError extends VaultGuardError {
+    readonly command: string;
+    readonly cause?: unknown | undefined;
+    constructor(message: string, command: string, cause?: unknown | undefined);
+}
+//# sourceMappingURL=errors.d.ts.map

package/dist/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,qBAAa,eAAgB,SAAQ,KAAK;IACJ,IAAI,EAAE,MAAM;gBAApC,OAAO,EAAE,MAAM,EAAS,IAAI,EAAE,MAAM;CAKjD;AAED;;GAEG;AACH,qBAAa,SAAU,SAAQ,eAAe;IACR,QAAQ,CAAC,EAAE,MAAM;gBAAzC,OAAO,EAAE,MAAM,EAAS,QAAQ,CAAC,EAAE,MAAM,YAAA;CAItD;AAED;;GAEG;AACH,qBAAa,eAAgB,SAAQ,eAAe;IACd,QAAQ,EAAE,MAAM;gBAAxC,OAAO,EAAE,MAAM,EAAS,QAAQ,EAAE,MAAM;CAIrD;AAED;;GAEG;AACH,qBAAa,SAAU,SAAQ,eAAe;IACR,SAAS,EAAE,SAAS,GAAG,WAAW;gBAA1D,OAAO,EAAE,MAAM,EAAS,SAAS,EAAE,SAAS,GAAG,WAAW;CAIvE;AAED;;;;;;;;;;;GAWG;AACH,qBAAa,WAAY,SAAQ,eAAe;aACD,QAAQ,EAAE,MAAM;gBAAjD,OAAO,EAAE,MAAM,EAAkB,QAAQ,EAAE,MAAM;CAI9D;AAED;;;;;;;;;;;;GAYG;AACH,qBAAa,QAAS,SAAQ,eAAe;aACE,OAAO,EAAE,MAAM;aAAkB,KAAK,CAAC,EAAE,OAAO;gBAAjF,OAAO,EAAE,MAAM,EAAkB,OAAO,EAAE,MAAM,EAAkB,KAAK,CAAC,EAAE,OAAO,YAAA;CAI9F"}

package/dist/errors.js

@@ -0,0 +1,98 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GitError = exports.ConfigError = exports.HookError = exports.FileAccessError = exports.ScanError = exports.VaultGuardError = void 0;
+/**
+ * Base error class for Vault Guard errors
+ */
+class VaultGuardError extends Error {
+    code;
+    constructor(message, code) {
+        super(message);
+        this.code = code;
+        this.name = 'VaultGuardError';
+        Error.captureStackTrace(this, this.constructor);
+    }
+}
+exports.VaultGuardError = VaultGuardError;
+/**
+ * Error thrown when scanning fails
+ */
+class ScanError extends VaultGuardError {
+    filePath;
+    constructor(message, filePath) {
+        super(message, 'SCAN_ERROR');
+        this.filePath = filePath;
+        this.name = 'ScanError';
+    }
+}
+exports.ScanError = ScanError;
+/**
+ * Error thrown when file access fails
+ */
+class FileAccessError extends VaultGuardError {
+    filePath;
+    constructor(message, filePath) {
+        super(message, 'FILE_ACCESS_ERROR');
+        this.filePath = filePath;
+        this.name = 'FileAccessError';
+    }
+}
+exports.FileAccessError = FileAccessError;
+/**
+ * Error thrown when hook installation fails
+ */
+class HookError extends VaultGuardError {
+    operation;
+    constructor(message, operation) {
+        super(message, 'HOOK_ERROR');
+        this.operation = operation;
+        this.name = 'HookError';
+    }
+}
+exports.HookError = HookError;
+/**
+ * Error thrown when a `.vault-guard.json` config file cannot be read or parsed.
+ *
+ * Why this is a distinct error: silently falling back to defaults on a typo'd
+ * config file is dangerous for a security tool — the user thinks their
+ * `severity_overrides` / `extra_patterns` are honoured when they are not.
+ * Callers (CLI, MCP) catch this, print the file path + parser message, and
+ * exit non-zero so the user can fix the config rather than ship undetected.
+ *
+ * @param message - Human-readable parse/read failure explanation.
+ * @param filePath - Absolute path to the offending `.vault-guard.json`.
+ */
+class ConfigError extends VaultGuardError {
+    filePath;
+    constructor(message, filePath) {
+        super(message, 'CONFIG_ERROR');
+        this.filePath = filePath;
+        this.name = 'ConfigError';
+    }
+}
+exports.ConfigError = ConfigError;
+/**
+ * Error thrown when git operations fail during a scan.
+ *
+ * Why this is a hard error: `getGitStagedFilePaths` returning `[]` on
+ * git failure would silently produce a "✅ nothing staged" result during
+ * pre-commit, allowing secrets to bypass detection without any feedback.
+ * Callers should exit 2 and display this message so the user knows whether
+ * the ✅ is genuine or git-broken.
+ *
+ * @param message - Human-readable failure details.
+ * @param command - Git command that failed.
+ * @param cause - Original thrown error (if available).
+ */
+class GitError extends VaultGuardError {
+    command;
+    cause;
+    constructor(message, command, cause) {
+        super(message, 'GIT_ERROR');
+        this.command = command;
+        this.cause = cause;
+        this.name = 'GitError';
+    }
+}
+exports.GitError = GitError;
+//# sourceMappingURL=errors.js.map

package/dist/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":";;;AAAA;;GAEG;AACH,MAAa,eAAgB,SAAQ,KAAK;IACJ;IAApC,YAAY,OAAe,EAAS,IAAY;QAC9C,KAAK,CAAC,OAAO,CAAC,CAAC;QADmB,SAAI,GAAJ,IAAI,CAAQ;QAE9C,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;QAC9B,KAAK,CAAC,iBAAiB,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;IAClD,CAAC;CACF;AAND,0CAMC;AAED;;GAEG;AACH,MAAa,SAAU,SAAQ,eAAe;IACR;IAApC,YAAY,OAAe,EAAS,QAAiB;QACnD,KAAK,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QADK,aAAQ,GAAR,QAAQ,CAAS;QAEnD,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;IAC1B,CAAC;CACF;AALD,8BAKC;AAED;;GAEG;AACH,MAAa,eAAgB,SAAQ,eAAe;IACd;IAApC,YAAY,OAAe,EAAS,QAAgB;QAClD,KAAK,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC;QADF,aAAQ,GAAR,QAAQ,CAAQ;QAElD,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;IAChC,CAAC;CACF;AALD,0CAKC;AAED;;GAEG;AACH,MAAa,SAAU,SAAQ,eAAe;IACR;IAApC,YAAY,OAAe,EAAS,SAAkC;QACpE,KAAK,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;QADK,cAAS,GAAT,SAAS,CAAyB;QAEpE,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;IAC1B,CAAC;CACF;AALD,8BAKC;AAED;;;;;;;;;;;GAWG;AACH,MAAa,WAAY,SAAQ,eAAe;IACD;IAA7C,YAAY,OAAe,EAAkB,QAAgB;QAC3D,KAAK,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;QADY,aAAQ,GAAR,QAAQ,CAAQ;QAE3D,IAAI,CAAC,IAAI,GAAG,aAAa,CAAC;IAC5B,CAAC;CACF;AALD,kCAKC;AAED;;;;;;;;;;;;GAYG;AACH,MAAa,QAAS,SAAQ,eAAe;IACE;IAAiC;IAA9E,YAAY,OAAe,EAAkB,OAAe,EAAkB,KAAe;QAC3F,KAAK,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;QADe,YAAO,GAAP,OAAO,CAAQ;QAAkB,UAAK,GAAL,KAAK,CAAU;QAE3F,IAAI,CAAC,IAAI,GAAG,UAAU,CAAC;IACzB,CAAC;CACF;AALD,4BAKC"}

package/dist/index.d.ts

@@ -0,0 +1,17 @@
+export * from './types';
+export * from './errors';
+export * from './scanners';
+export * from './utils/file-utils';
+export * from './config';
+export * from './config-validate';
+export * from './baseline';
+export { fingerprintForMatch } from './match-fingerprint';
+export * from './scan-output';
+export * from './diagnostics';
+export { shannonEntropy, DEFAULT_ENTROPY_THRESHOLD } from './utils/entropy';
+export { isPlaceholderSecret, isNonSecretConnectionString, isSampleJwt } from './utils/placeholder';
+export { getGitStagedFilePaths, isInsideGitWorkTree } from './utils/git-utils';
+export { validateRegexSafety, validateRegexLength, mapRegexSafetyReasonToDiagnosticCode, mapPatternRejectionReasonToDiagnosticCode, REGEX_REASON_TO_DIAGNOSTIC_CODE, REGEX_MAX_LENGTH, REGEX_MAX_QUANTIFIERS, } from './utils/regex-safety';
+export { scanTextFileAsync, scanTextFileSync } from './utils/scan-file';
+export { applyPathAwareSeverity, isTestFilePath } from './utils/path-severity';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,SAAS,CAAC;AACxB,cAAc,UAAU,CAAC;AACzB,cAAc,YAAY,CAAC;AAC3B,cAAc,oBAAoB,CAAC;AACnC,cAAc,UAAU,CAAC;AACzB,cAAc,mBAAmB,CAAC;AAClC,cAAc,YAAY,CAAC;AAC3B,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAC1D,cAAc,eAAe,CAAC;AAC9B,cAAc,eAAe,CAAC;AAC9B,OAAO,EAAE,cAAc,EAAE,yBAAyB,EAAE,MAAM,iBAAiB,CAAC;AAC5E,OAAO,EAAE,mBAAmB,EAAE,2BAA2B,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AACpG,OAAO,EAAE,qBAAqB,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAC/E,OAAO,EACL,mBAAmB,EACnB,mBAAmB,EACnB,oCAAoC,EACpC,yCAAyC,EACzC,+BAA+B,EAC/B,gBAAgB,EAChB,qBAAqB,GACtB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACxE,OAAO,EAAE,sBAAsB,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC"}

package/dist/index.js

@@ -0,0 +1,53 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isTestFilePath = exports.applyPathAwareSeverity = exports.scanTextFileSync = exports.scanTextFileAsync = exports.REGEX_MAX_QUANTIFIERS = exports.REGEX_MAX_LENGTH = exports.REGEX_REASON_TO_DIAGNOSTIC_CODE = exports.mapPatternRejectionReasonToDiagnosticCode = exports.mapRegexSafetyReasonToDiagnosticCode = exports.validateRegexLength = exports.validateRegexSafety = exports.isInsideGitWorkTree = exports.getGitStagedFilePaths = exports.isSampleJwt = exports.isNonSecretConnectionString = exports.isPlaceholderSecret = exports.DEFAULT_ENTROPY_THRESHOLD = exports.shannonEntropy = exports.fingerprintForMatch = void 0;
+__exportStar(require("./types"), exports);
+__exportStar(require("./errors"), exports);
+__exportStar(require("./scanners"), exports);
+__exportStar(require("./utils/file-utils"), exports);
+__exportStar(require("./config"), exports);
+__exportStar(require("./config-validate"), exports);
+__exportStar(require("./baseline"), exports);
+var match_fingerprint_1 = require("./match-fingerprint");
+Object.defineProperty(exports, "fingerprintForMatch", { enumerable: true, get: function () { return match_fingerprint_1.fingerprintForMatch; } });
+__exportStar(require("./scan-output"), exports);
+__exportStar(require("./diagnostics"), exports);
+var entropy_1 = require("./utils/entropy");
+Object.defineProperty(exports, "shannonEntropy", { enumerable: true, get: function () { return entropy_1.shannonEntropy; } });
+Object.defineProperty(exports, "DEFAULT_ENTROPY_THRESHOLD", { enumerable: true, get: function () { return entropy_1.DEFAULT_ENTROPY_THRESHOLD; } });
+var placeholder_1 = require("./utils/placeholder");
+Object.defineProperty(exports, "isPlaceholderSecret", { enumerable: true, get: function () { return placeholder_1.isPlaceholderSecret; } });
+Object.defineProperty(exports, "isNonSecretConnectionString", { enumerable: true, get: function () { return placeholder_1.isNonSecretConnectionString; } });
+Object.defineProperty(exports, "isSampleJwt", { enumerable: true, get: function () { return placeholder_1.isSampleJwt; } });
+var git_utils_1 = require("./utils/git-utils");
+Object.defineProperty(exports, "getGitStagedFilePaths", { enumerable: true, get: function () { return git_utils_1.getGitStagedFilePaths; } });
+Object.defineProperty(exports, "isInsideGitWorkTree", { enumerable: true, get: function () { return git_utils_1.isInsideGitWorkTree; } });
+var regex_safety_1 = require("./utils/regex-safety");
+Object.defineProperty(exports, "validateRegexSafety", { enumerable: true, get: function () { return regex_safety_1.validateRegexSafety; } });
+Object.defineProperty(exports, "validateRegexLength", { enumerable: true, get: function () { return regex_safety_1.validateRegexLength; } });
+Object.defineProperty(exports, "mapRegexSafetyReasonToDiagnosticCode", { enumerable: true, get: function () { return regex_safety_1.mapRegexSafetyReasonToDiagnosticCode; } });
+Object.defineProperty(exports, "mapPatternRejectionReasonToDiagnosticCode", { enumerable: true, get: function () { return regex_safety_1.mapPatternRejectionReasonToDiagnosticCode; } });
+Object.defineProperty(exports, "REGEX_REASON_TO_DIAGNOSTIC_CODE", { enumerable: true, get: function () { return regex_safety_1.REGEX_REASON_TO_DIAGNOSTIC_CODE; } });
+Object.defineProperty(exports, "REGEX_MAX_LENGTH", { enumerable: true, get: function () { return regex_safety_1.REGEX_MAX_LENGTH; } });
+Object.defineProperty(exports, "REGEX_MAX_QUANTIFIERS", { enumerable: true, get: function () { return regex_safety_1.REGEX_MAX_QUANTIFIERS; } });
+var scan_file_1 = require("./utils/scan-file");
+Object.defineProperty(exports, "scanTextFileAsync", { enumerable: true, get: function () { return scan_file_1.scanTextFileAsync; } });
+Object.defineProperty(exports, "scanTextFileSync", { enumerable: true, get: function () { return scan_file_1.scanTextFileSync; } });
+var path_severity_1 = require("./utils/path-severity");
+Object.defineProperty(exports, "applyPathAwareSeverity", { enumerable: true, get: function () { return path_severity_1.applyPathAwareSeverity; } });
+Object.defineProperty(exports, "isTestFilePath", { enumerable: true, get: function () { return path_severity_1.isTestFilePath; } });
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAAA,0CAAwB;AACxB,2CAAyB;AACzB,6CAA2B;AAC3B,qDAAmC;AACnC,2CAAyB;AACzB,oDAAkC;AAClC,6CAA2B;AAC3B,yDAA0D;AAAjD,wHAAA,mBAAmB,OAAA;AAC5B,gDAA8B;AAC9B,gDAA8B;AAC9B,2CAA4E;AAAnE,yGAAA,cAAc,OAAA;AAAE,oHAAA,yBAAyB,OAAA;AAClD,mDAAoG;AAA3F,kHAAA,mBAAmB,OAAA;AAAE,0HAAA,2BAA2B,OAAA;AAAE,0GAAA,WAAW,OAAA;AACtE,+CAA+E;AAAtE,kHAAA,qBAAqB,OAAA;AAAE,gHAAA,mBAAmB,OAAA;AACnD,qDAQ8B;AAP5B,mHAAA,mBAAmB,OAAA;AACnB,mHAAA,mBAAmB,OAAA;AACnB,oIAAA,oCAAoC,OAAA;AACpC,yIAAA,yCAAyC,OAAA;AACzC,+HAAA,+BAA+B,OAAA;AAC/B,gHAAA,gBAAgB,OAAA;AAChB,qHAAA,qBAAqB,OAAA;AAGvB,+CAAwE;AAA/D,8GAAA,iBAAiB,OAAA;AAAE,6GAAA,gBAAgB,OAAA;AAC5C,uDAA+E;AAAtE,uHAAA,sBAAsB,OAAA;AAAE,+GAAA,cAAc,OAAA"}

package/dist/match-fingerprint.d.ts

@@ -0,0 +1,7 @@
+import type { SecretMatch } from './types';
+/**
+ * Stable fingerprint for a match location + rule id (no raw secret material).
+ * Same inputs always yield the same hex digest (SHA-256).
+ */
+export declare function fingerprintForMatch(cwd: string | null, fileAbs: string, m: SecretMatch): string;
+//# sourceMappingURL=match-fingerprint.d.ts.map

package/dist/match-fingerprint.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"match-fingerprint.d.ts","sourceRoot":"","sources":["../src/match-fingerprint.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAU3C;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,EAAE,WAAW,GAAG,MAAM,CAI/F"}

package/dist/match-fingerprint.js

@@ -0,0 +1,28 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.fingerprintForMatch = fingerprintForMatch;
+const path_1 = __importDefault(require("path"));
+const crypto_1 = require("crypto");
+function relativeFingerprintKey(file, cwd) {
+    if (cwd === null)
+        return file.split(path_1.default.sep).join('/');
+    if (!path_1.default.isAbsolute(file))
+        return file.split(path_1.default.sep).join('/');
+    const rel = path_1.default.relative(cwd, file);
+    if (rel.startsWith('..') || path_1.default.isAbsolute(rel))
+        return file.split(path_1.default.sep).join('/');
+    return (rel || '.').split(path_1.default.sep).join('/');
+}
+/**
+ * Stable fingerprint for a match location + rule id (no raw secret material).
+ * Same inputs always yield the same hex digest (SHA-256).
+ */
+function fingerprintForMatch(cwd, fileAbs, m) {
+    const relKey = relativeFingerprintKey(fileAbs, cwd);
+    const payload = `${relKey}|${m.type}|${m.line}|${m.column}|${m.matchLength}`;
+    return (0, crypto_1.createHash)('sha256').update(payload, 'utf8').digest('hex');
+}
+//# sourceMappingURL=match-fingerprint.js.map

package/dist/match-fingerprint.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"match-fingerprint.js","sourceRoot":"","sources":["../src/match-fingerprint.ts"],"names":[],"mappings":";;;;;AAgBA,kDAIC;AApBD,gDAAwB;AACxB,mCAAoC;AAGpC,SAAS,sBAAsB,CAAC,IAAY,EAAE,GAAkB;IAC9D,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC,KAAK,CAAC,cAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACxD,IAAI,CAAC,cAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC,KAAK,CAAC,cAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAClE,MAAM,GAAG,GAAG,cAAI,CAAC,QAAQ,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IACrC,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,cAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC,KAAK,CAAC,cAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACxF,OAAO,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,cAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAChD,CAAC;AAED;;;GAGG;AACH,SAAgB,mBAAmB,CAAC,GAAkB,EAAE,OAAe,EAAE,CAAc;IACrF,MAAM,MAAM,GAAG,sBAAsB,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IACpD,MAAM,OAAO,GAAG,GAAG,MAAM,IAAI,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;IAC7E,OAAO,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACpE,CAAC"}

package/dist/scan-output.d.ts

@@ -0,0 +1,65 @@
+import type { SecretMatch } from './types';
+import type { Diagnostic } from './diagnostics';
+/** One file's scan outcome — shared by CLI, MCP, and SARIF/JSON formatters. */
+export interface FileScanResult {
+    file: string;
+    matches: SecretMatch[];
+}
+/** Optional machine-readable scan run metadata (JSON + SARIF driver properties). */
+export interface JsonRunMetadata {
+    duration_ms: number;
+    /** Files opened and scanned for secrets (excludes skipped binaries). */
+    files_scanned: number;
+    /** Total bytes read from disk for those scans (capped at per-file read limit when streaming). */
+    bytes_scanned: number;
+    /** Active regex rules after config (built-ins minus "off", plus accepted extra_patterns). */
+    patterns_active: number;
+    diagnostics_count?: number;
+    /** Matches removed because they appeared in `.vault-guard.baseline.json`. */
+    baseline_suppressed?: number;
+}
+export interface JsonOutput {
+    version: string;
+    scannedAt: string;
+    summary: {
+        files: number;
+        secrets: number;
+    };
+    /** Present when the caller passes {@link FormatOptions.run}. */
+    run?: JsonRunMetadata;
+    results: Array<{
+        file: string;
+        matches: Array<{
+            type: string;
+            severity: string;
+            line: number;
+            column: number;
+            /** Redacted form, e.g. `sk-a…(37c)`. Never the raw secret. */
+            value: string;
+            /** SHA-256 hex of `relPath|type|line|column|matchLength` for baselines (no raw secret). */
+            fingerprint: string;
+        }>;
+    }>;
+    /** Non-fatal scan warnings (skipped files, rejected patterns, git issues). */
+    diagnostics?: Array<{
+        code: string;
+        severity: string;
+        ctx: Record<string, unknown>;
+    }>;
+}
+export interface FormatOptions {
+    /**
+     * Base directory to render `file` paths relative to.
+     * Defaults to `process.cwd()`. Files outside this root are kept absolute.
+     * Pass `null` to skip relativization entirely.
+     */
+    cwd?: string | null;
+    /** Non-fatal diagnostics to include in structured output. */
+    diagnostics?: Diagnostic[];
+    /** Scan timing / coverage stats for JSON and SARIF `runs[].properties`. */
+    run?: JsonRunMetadata;
+}
+export declare function formatJson(results: FileScanResult[], opts?: FormatOptions): string;
+/** SARIF 2.1.0 — compatible with GitHub Code Scanning (upload-sarif action). */
+export declare function formatSarif(results: FileScanResult[], opts?: FormatOptions): string;
+//# sourceMappingURL=scan-output.d.ts.map

package/dist/scan-output.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan-output.d.ts","sourceRoot":"","sources":["../src/scan-output.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AAC3C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAGhD,+EAA+E;AAC/E,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,WAAW,EAAE,CAAC;CACxB;AAED,oFAAoF;AACpF,MAAM,WAAW,eAAe;IAC9B,WAAW,EAAE,MAAM,CAAC;IACpB,wEAAwE;IACxE,aAAa,EAAE,MAAM,CAAC;IACtB,iGAAiG;IACjG,aAAa,EAAE,MAAM,CAAC;IACtB,6FAA6F;IAC7F,eAAe,EAAE,MAAM,CAAC;IACxB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,6EAA6E;IAC7E,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;IAC5C,gEAAgE;IAChE,GAAG,CAAC,EAAE,eAAe,CAAC;IACtB,OAAO,EAAE,KAAK,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,KAAK,CAAC;YACb,IAAI,EAAE,MAAM,CAAC;YACb,QAAQ,EAAE,MAAM,CAAC;YACjB,IAAI,EAAE,MAAM,CAAC;YACb,MAAM,EAAE,MAAM,CAAC;YACf,8DAA8D;YAC9D,KAAK,EAAE,MAAM,CAAC;YACd,2FAA2F;YAC3F,WAAW,EAAE,MAAM,CAAC;SACrB,CAAC,CAAC;KACJ,CAAC,CAAC;IACH,8EAA8E;IAC9E,WAAW,CAAC,EAAE,KAAK,CAAC;QAClB,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KAC9B,CAAC,CAAC;CACJ;AAED,MAAM,WAAW,aAAa;IAC5B;;;;OAIG;IACH,GAAG,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,6DAA6D;IAC7D,WAAW,CAAC,EAAE,UAAU,EAAE,CAAC;IAC3B,2EAA2E;IAC3E,GAAG,CAAC,EAAE,eAAe,CAAC;CACvB;AAmBD,wBAAgB,UAAU,CAAC,OAAO,EAAE,cAAc,EAAE,EAAE,IAAI,GAAE,aAAkB,GAAG,MAAM,CA8BtF;AAED,gFAAgF;AAChF,wBAAgB,WAAW,CAAC,OAAO,EAAE,cAAc,EAAE,EAAE,IAAI,GAAE,aAAkB,GAAG,MAAM,CAuFvF"}

package/dist/scan-output.js

@@ -0,0 +1,140 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.formatJson = formatJson;
+exports.formatSarif = formatSarif;
+const path_1 = __importDefault(require("path"));
+const match_fingerprint_1 = require("./match-fingerprint");
+/**
+ * Normalize a file path for output: cwd-relative when inside `cwd`, absolute
+ * otherwise (so we never emit `../../..` traversals).
+ *
+ * Why this matters: absolute paths in JSON / SARIF leak the developer's home
+ * directory and OS username when the output is shared (PR comments, GitHub
+ * Code Scanning UI, support tickets, screenshots).
+ */
+function normalizeFilePath(file, cwd) {
+    if (cwd === null)
+        return file;
+    const base = cwd ?? process.cwd();
+    if (!path_1.default.isAbsolute(file))
+        return file;
+    const rel = path_1.default.relative(base, file);
+    if (rel.startsWith('..') || path_1.default.isAbsolute(rel))
+        return file;
+    return rel || '.';
+}
+function formatJson(results, opts = {}) {
+    const fpCwd = opts.cwd === undefined ? process.cwd() : opts.cwd;
+    const output = {
+        version: '1',
+        scannedAt: new Date().toISOString(),
+        summary: {
+            files: results.length,
+            secrets: results.reduce((n, r) => n + r.matches.length, 0),
+        },
+        ...(opts.run ? { run: opts.run } : {}),
+        results: results.map(({ file, matches }) => ({
+            file: normalizeFilePath(file, opts.cwd),
+            matches: matches.map(m => ({
+                type: m.type,
+                severity: m.severity,
+                line: m.line,
+                column: m.column,
+                value: m.value,
+                fingerprint: (0, match_fingerprint_1.fingerprintForMatch)(fpCwd, file, m),
+            })),
+        })),
+    };
+    if (opts.diagnostics && opts.diagnostics.length > 0) {
+        output.diagnostics = opts.diagnostics.map(d => ({
+            code: d.code,
+            severity: d.severity,
+            ctx: d.ctx,
+        }));
+    }
+    return JSON.stringify(output, null, 2);
+}
+/** SARIF 2.1.0 — compatible with GitHub Code Scanning (upload-sarif action). */
+function formatSarif(results, opts = {}) {
+    const rules = [
+        ...new Set(results.flatMap(r => r.matches.map(m => m.type))),
+    ].map(id => ({
+        id,
+        name: id
+            .split(/[-_]/)
+            .map(p => p.charAt(0).toUpperCase() + p.slice(1))
+            .join(''),
+        shortDescription: { text: `Secret detected: ${id}` },
+        helpUri: `https://github.com/vaultcompasshq/vault-guard/blob/main/docs/rules/${id}.md`,
+        properties: { tags: ['security', 'secrets'] },
+    }));
+    const sarifResults = results.flatMap(({ file, matches }) => matches.map(m => ({
+        ruleId: m.type,
+        level: m.severity === 'critical' ? 'error' : m.severity === 'high' ? 'warning' : 'note',
+        // Intentionally do NOT include the masked value here. Reviewers have the
+        // exact byte region (startLine/startColumn/endColumn) and the rule id;
+        // the masked prefix adds no signal and grows the leak surface area.
+        message: { text: `Possible secret of type '${m.type}'` },
+        locations: [
+            {
+                physicalLocation: {
+                    artifactLocation: { uri: normalizeFilePath(file, opts.cwd), uriBaseId: '%SRCROOT%' },
+                    region: {
+                        startLine: m.line,
+                        startColumn: m.column + 1,
+                        endColumn: m.column + m.matchLength + 1,
+                    },
+                },
+            },
+        ],
+    })));
+    // Diagnostics are emitted as SARIF notifications (tool/driver/notifications)
+    // so they appear in the GitHub Code Scanning UI as tool warnings rather than
+    // results. This keeps the results array clean for triage.
+    const notifications = opts.diagnostics && opts.diagnostics.length > 0
+        ? opts.diagnostics.map(d => ({
+            id: d.code,
+            level: d.severity === 'error' ? 'error' : 'warning',
+            message: { text: `${d.code}: ${JSON.stringify(d.ctx)}` },
+        }))
+        : undefined;
+    const runProps = opts.run !== undefined
+        ? {
+            vault_guard_run: {
+                duration_ms: opts.run.duration_ms,
+                files_scanned: opts.run.files_scanned,
+                bytes_scanned: opts.run.bytes_scanned,
+                patterns_active: opts.run.patterns_active,
+                ...(opts.run.diagnostics_count !== undefined
+                    ? { diagnostics_count: opts.run.diagnostics_count }
+                    : {}),
+                ...(opts.run.baseline_suppressed !== undefined
+                    ? { baseline_suppressed: opts.run.baseline_suppressed }
+                    : {}),
+            },
+        }
+        : undefined;
+    const sarif = {
+        $schema: 'https://json.schemastore.org/sarif-2.1.0',
+        version: '2.1.0',
+        runs: [
+            {
+                ...(runProps ? { properties: runProps } : {}),
+                tool: {
+                    driver: {
+                        name: 'vault-guard',
+                        informationUri: 'https://github.com/vaultcompasshq/vault-guard',
+                        rules,
+                        ...(notifications ? { notifications } : {}),
+                    },
+                },
+                results: sarifResults,
+            },
+        ],
+    };
+    return JSON.stringify(sarif, null, 2);
+}
+//# sourceMappingURL=scan-output.js.map

package/dist/scan-output.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan-output.js","sourceRoot":"","sources":["../src/scan-output.ts"],"names":[],"mappings":";;;;;AAkFA,gCA8BC;AAGD,kCAuFC;AA1MD,gDAAwB;AAGxB,2DAA0D;AA8D1D;;;;;;;GAOG;AACH,SAAS,iBAAiB,CAAC,IAAY,EAAE,GAA8B;IACrE,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAC9B,MAAM,IAAI,GAAG,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IAClC,IAAI,CAAC,cAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACxC,MAAM,GAAG,GAAG,cAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IACtC,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,cAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAC9D,OAAO,GAAG,IAAI,GAAG,CAAC;AACpB,CAAC;AAED,SAAgB,UAAU,CAAC,OAAyB,EAAE,OAAsB,EAAE;IAC5E,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC;IAChE,MAAM,MAAM,GAAe;QACzB,OAAO,EAAE,GAAG;QACZ,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,OAAO,EAAE;YACP,KAAK,EAAE,OAAO,CAAC,MAAM;YACrB,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;SAC3D;QACD,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACtC,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC,CAAC;YAC3C,IAAI,EAAE,iBAAiB,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC;YACvC,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;gBACzB,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,QAAQ,EAAE,CAAC,CAAC,QAAQ;gBACpB,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,MAAM,EAAE,CAAC,CAAC,MAAM;gBAChB,KAAK,EAAE,CAAC,CAAC,KAAK;gBACd,WAAW,EAAE,IAAA,uCAAmB,EAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;aACjD,CAAC,CAAC;SACJ,CAAC,CAAC;KACJ,CAAC;IACF,IAAI,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpD,MAAM,CAAC,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YAC9C,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,GAAG,EAAE,CAAC,CAAC,GAAG;SACX,CAAC,CAAC,CAAC;IACN,CAAC;IACD,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AACzC,CAAC;AAED,gFAAgF;AAChF,SAAgB,WAAW,CAAC,OAAyB,EAAE,OAAsB,EAAE;IAC7E,MAAM,KAAK,GAAG;QACZ,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;KAC7D,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;QACX,EAAE;QACF,IAAI,EAAE,EAAE;aACL,KAAK,CAAC,MAAM,CAAC;aACb,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;aAChD,IAAI,CAAC,EAAE,CAAC;QACX,gBAAgB,EAAE,EAAE,IAAI,EAAE,oBAAoB,EAAE,EAAE,EAAE;QACpD,OAAO,EAAE,sEAAsE,EAAE,KAAK;QACtF,UAAU,EAAE,EAAE,IAAI,EAAE,CAAC,UAAU,EAAE,SAAS,CAAC,EAAE;KAC9C,CAAC,CAAC,CAAC;IAEJ,MAAM,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,CACzD,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAChB,MAAM,EAAE,CAAC,CAAC,IAAI;QACd,KAAK,EAAE,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM;QACvF,yEAAyE;QACzE,uEAAuE;QACvE,oEAAoE;QACpE,OAAO,EAAE,EAAE,IAAI,EAAE,4BAA4B,CAAC,CAAC,IAAI,GAAG,EAAE;QACxD,SAAS,EAAE;YACT;gBACE,gBAAgB,EAAE;oBAChB,gBAAgB,EAAE,EAAE,GAAG,EAAE,iBAAiB,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,EAAE,SAAS,EAAE,WAAW,EAAE;oBACpF,MAAM,EAAE;wBACN,SAAS,EAAE,CAAC,CAAC,IAAI;wBACjB,WAAW,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC;wBACzB,SAAS,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,WAAW,GAAG,CAAC;qBACxC;iBACF;aACF;SACF;KACF,CAAC,CAAC,CACJ,CAAC;IAEF,6EAA6E;IAC7E,6EAA6E;IAC7E,0DAA0D;IAC1D,MAAM,aAAa,GACjB,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC;QAC7C,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YACzB,EAAE,EAAE,CAAC,CAAC,IAAI;YACV,KAAK,EAAE,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;YACnD,OAAO,EAAE,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,EAAE;SACzD,CAAC,CAAC;QACL,CAAC,CAAC,SAAS,CAAC;IAEhB,MAAM,QAAQ,GACZ,IAAI,CAAC,GAAG,KAAK,SAAS;QACpB,CAAC,CAAC;YACE,eAAe,EAAE;gBACf,WAAW,EAAE,IAAI,CAAC,GAAG,CAAC,WAAW;gBACjC,aAAa,EAAE,IAAI,CAAC,GAAG,CAAC,aAAa;gBACrC,aAAa,EAAE,IAAI,CAAC,GAAG,CAAC,aAAa;gBACrC,eAAe,EAAE,IAAI,CAAC,GAAG,CAAC,eAAe;gBACzC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,iBAAiB,KAAK,SAAS;oBAC1C,CAAC,CAAC,EAAE,iBAAiB,EAAE,IAAI,CAAC,GAAG,CAAC,iBAAiB,EAAE;oBACnD,CAAC,CAAC,EAAE,CAAC;gBACP,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,mBAAmB,KAAK,SAAS;oBAC5C,CAAC,CAAC,EAAE,mBAAmB,EAAE,IAAI,CAAC,GAAG,CAAC,mBAAmB,EAAE;oBACvD,CAAC,CAAC,EAAE,CAAC;aACR;SACF;QACH,CAAC,CAAC,SAAS,CAAC;IAEhB,MAAM,KAAK,GAAG;QACZ,OAAO,EAAE,0CAA0C;QACnD,OAAO,EAAE,OAAO;QAChB,IAAI,EAAE;YACJ;gBACE,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC7C,IAAI,EAAE;oBACJ,MAAM,EAAE;wBACN,IAAI,EAAE,aAAa;wBACnB,cAAc,EAAE,+CAA+C;wBAC/D,KAAK;wBACL,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;qBAC5C;iBACF;gBACD,OAAO,EAAE,YAAY;aACtB;SACF;KACF,CAAC;IAEF,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AACxC,CAAC"}

package/dist/scanners/index.d.ts

@@ -0,0 +1,5 @@
+export * from '../types';
+export * from './secret-scanner';
+export * from './token-counter';
+export * from './pre-commit-hook';
+//# sourceMappingURL=index.d.ts.map

package/dist/scanners/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/scanners/index.ts"],"names":[],"mappings":"AAAA,cAAc,UAAU,CAAC;AACzB,cAAc,kBAAkB,CAAC;AACjC,cAAc,iBAAiB,CAAC;AAChC,cAAc,mBAAmB,CAAC"}

package/dist/scanners/index.js

@@ -0,0 +1,21 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("../types"), exports);
+__exportStar(require("./secret-scanner"), exports);
+__exportStar(require("./token-counter"), exports);
+__exportStar(require("./pre-commit-hook"), exports);
+//# sourceMappingURL=index.js.map

package/dist/scanners/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/scanners/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,2CAAyB;AACzB,mDAAiC;AACjC,kDAAgC;AAChC,oDAAkC"}

package/dist/scanners/pre-commit-hook.d.ts

@@ -0,0 +1,41 @@
+export type HookManager = 'native' | 'husky' | 'lefthook' | 'precommit';
+export interface InstallHookOptions {
+    manager?: HookManager;
+    /** Working directory (git repo root). Defaults to `process.cwd()`. */
+    cwd?: string;
+}
+export declare class PreCommitHook {
+    /**
+     * Resolve the directory where Git expects the \`pre-commit\` executable.
+     * Honors \`core.hooksPath\` (local then global). Relative paths are resolved
+     * against the **.git** directory, per Git documentation.
+     */
+    getEffectiveHooksDir(cwd: string): {
+        hooksDir: string;
+        viaHooksPath: boolean;
+    };
+    /**
+     * Absolute path to the \`pre-commit\` hook file for the given manager.
+     */
+    getPreCommitHookPath(cwd: string, manager?: HookManager): string;
+    install(options?: InstallHookOptions): {
+        success: boolean;
+        message: string;
+        hookPath?: string;
+    };
+    uninstall(options?: InstallHookOptions): {
+        success: boolean;
+        message: string;
+    };
+    isInstalled(options?: InstallHookOptions): boolean;
+    private installNative;
+    private uninstallNative;
+    private installHusky;
+    private uninstallHusky;
+    private installLefthook;
+    private uninstallLefthook;
+    private installPreCommitFramework;
+    private uninstallPreCommitFramework;
+    private resolveGitDir;
+}
+//# sourceMappingURL=pre-commit-hook.d.ts.map

package/dist/scanners/pre-commit-hook.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pre-commit-hook.d.ts","sourceRoot":"","sources":["../../src/scanners/pre-commit-hook.ts"],"names":[],"mappings":"AAKA,MAAM,MAAM,WAAW,GAAG,QAAQ,GAAG,OAAO,GAAG,UAAU,GAAG,WAAW,CAAC;AAExE,MAAM,WAAW,kBAAkB;IACjC,OAAO,CAAC,EAAE,WAAW,CAAC;IACtB,sEAAsE;IACtE,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAqED,qBAAa,aAAa;IACxB;;;;OAIG;IACH,oBAAoB,CAAC,GAAG,EAAE,MAAM,GAAG;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,OAAO,CAAA;KAAE;IA4B9E;;OAEG;IACH,oBAAoB,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,GAAE,WAAsB,GAAG,MAAM;IAO1E,OAAO,CAAC,OAAO,GAAE,kBAAuB,GAAG;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE;IAsBnG,SAAS,CAAC,OAAO,GAAE,kBAAuB,GAAG;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE;IAsBlF,WAAW,CAAC,OAAO,GAAE,kBAAuB,GAAG,OAAO;IActD,OAAO,CAAC,aAAa;IAiCrB,OAAO,CAAC,eAAe;IAyBvB,OAAO,CAAC,YAAY;IAqCpB,OAAO,CAAC,cAAc;IA4BtB,OAAO,CAAC,eAAe;IA2BvB,OAAO,CAAC,iBAAiB;IA6BzB,OAAO,CAAC,yBAAyB;IA4BjC,OAAO,CAAC,2BAA2B;IAyBnC,OAAO,CAAC,aAAa;CAYtB"}