@vaultcompass/vault-guard 1.0.0

package/dist/commands/scan.js

@@ -0,0 +1,156 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.scanCommand = scanCommand;
+const vault_guard_core_1 = require("@vaultcompass/vault-guard-core");
+const chalk_1 = __importDefault(require("chalk"));
+const scan_utils_1 = require("../utils/scan-utils");
+async function scanCommand(targetPath, format = 'text', staged = false) {
+    const cwd = process.cwd();
+    let config;
+    try {
+        config = (0, vault_guard_core_1.loadConfig)(cwd);
+    }
+    catch (e) {
+        if (e instanceof vault_guard_core_1.ConfigError) {
+            console.error(chalk_1.default.red('❌ Config error:'), chalk_1.default.white(e.message));
+            console.error(chalk_1.default.gray('   Fix the JSON in the file above (or remove it) and re-run. ' +
+                'Vault Guard refuses to scan with a broken config because silent ' +
+                'fallback to defaults would mask the rules you intended.\n'));
+            return 1;
+        }
+        throw e;
+    }
+    const scanner = new vault_guard_core_1.SecretScanner(config);
+    // Merge config ignore paths and patterns into a single list for file filtering.
+    const configIgnorePatterns = [
+        ...(config.ignore?.paths ?? []),
+        ...(config.ignore?.patterns ?? []),
+    ];
+    const bus = new vault_guard_core_1.DiagnosticBus();
+    const diagnostics = [];
+    const extraPatternDiagnostics = [];
+    // Surface rejected `extra_patterns` (ReDoS guard, length cap, invalid syntax).
+    for (const rej of scanner.extraPatternRejections) {
+        const ctx = {
+            patternId: rej.id,
+            reason: rej.reason,
+            detail: rej.detail,
+        };
+        extraPatternDiagnostics.push(ctx);
+        diagnostics.push({
+            code: (0, vault_guard_core_1.mapPatternRejectionReasonToDiagnosticCode)(rej.reason),
+            severity: 'warning',
+            ctx: { ...ctx },
+        });
+    }
+    if (extraPatternDiagnostics.length > 0 && format === 'text') {
+        for (const ctx of extraPatternDiagnostics) {
+            console.error(chalk_1.default.yellow('⚠️  extra_pattern rejected:'), chalk_1.default.white(`${ctx.patternId} (${ctx.reason}) — ${ctx.detail}`));
+        }
+        console.error(chalk_1.default.gray('   Set "extra_patterns_unsafe": true in .vault-guard.json only if ' +
+            'you have audited every pattern.\n'));
+    }
+    if (format === 'text' && !staged) {
+        console.log(chalk_1.default.blue('🔍 Scanning'), chalk_1.default.cyan(targetPath));
+    }
+    const stats = { filesScanned: 0, bytesScanned: 0 };
+    const t0 = Date.now();
+    try {
+        let results;
+        if (staged) {
+            if (!(0, vault_guard_core_1.isInsideGitWorkTree)(cwd)) {
+                console.error(chalk_1.default.red('❌ Error:'), chalk_1.default.white('Not a git repository (or outside a work tree).'));
+                return 1;
+            }
+            let stagedFiles;
+            try {
+                stagedFiles = (0, vault_guard_core_1.getGitStagedFilePaths)(cwd);
+            }
+            catch (e) {
+                if (e instanceof vault_guard_core_1.GitError) {
+                    console.error(chalk_1.default.red('❌ Git error:'), chalk_1.default.white(e.message));
+                    console.error(chalk_1.default.gray('   vault-guard cannot determine which files are staged.\n' +
+                        '   Refusing to produce a ✅ result that may be incorrect.\n'));
+                    return 2;
+                }
+                throw e;
+            }
+            if (format === 'text') {
+                console.log(chalk_1.default.blue('🔍 Scanning'), chalk_1.default.cyan('git staged files'));
+                if (stagedFiles.length === 0) {
+                    console.log(chalk_1.default.green.bold('✅ SUCCESS:'), chalk_1.default.white('Nothing staged — nothing to scan\n'));
+                    return 0;
+                }
+                console.log(chalk_1.default.gray(`   ${stagedFiles.length} file(s) in the index\n`));
+            }
+            results = await (0, scan_utils_1.scanFileListAsync)(stagedFiles, scanner, {
+                verbose: format === 'text',
+                skipBinary: true,
+                progress: format === 'text',
+                bus,
+                stats,
+                configIgnorePatterns,
+            });
+        }
+        else {
+            results = await (0, scan_utils_1.scanFilesAsync)([targetPath], scanner, {
+                verbose: format === 'text',
+                skipBinary: true,
+                progress: format === 'text',
+                bus,
+                stats,
+                configIgnorePatterns,
+            });
+        }
+        // Merge bus diagnostics
+        diagnostics.push(...bus.drain());
+        const baselineLoad = (0, vault_guard_core_1.loadBaseline)(cwd);
+        if (baselineLoad.parseError) {
+            diagnostics.push({
+                code: 'baseline.invalid',
+                severity: 'warning',
+                ctx: { path: baselineLoad.sourcePath ?? '', detail: baselineLoad.parseError },
+            });
+            if (format === 'text') {
+                console.error(chalk_1.default.yellow('⚠️  Baseline file invalid:'), chalk_1.default.white(baselineLoad.parseError), chalk_1.default.gray(baselineLoad.sourcePath ? `(${baselineLoad.sourcePath})` : ''));
+            }
+        }
+        const { results: afterBaseline, suppressed: baselineSuppressed } = (0, vault_guard_core_1.filterResultsByBaseline)(process.cwd(), results, baselineLoad.fingerprints);
+        results = afterBaseline;
+        const durationMs = Date.now() - t0;
+        const run = {
+            duration_ms: durationMs,
+            files_scanned: stats.filesScanned,
+            bytes_scanned: stats.bytesScanned,
+            patterns_active: scanner.getActivePatternCount(),
+            diagnostics_count: diagnostics.length,
+            ...(baselineSuppressed > 0 ? { baseline_suppressed: baselineSuppressed } : {}),
+        };
+        if (format === 'json') {
+            process.stdout.write((0, scan_utils_1.formatJson)(results, { diagnostics, run }) + '\n');
+            return results.reduce((n, r) => n + r.matches.length, 0) === 0 ? 0 : 1;
+        }
+        if (format === 'sarif') {
+            process.stdout.write((0, scan_utils_1.formatSarif)(results, { diagnostics, run }) + '\n');
+            return results.reduce((n, r) => n + r.matches.length, 0) === 0 ? 0 : 1;
+        }
+        // Text mode: print one-line diagnostic summary when any non-fatal issues occurred
+        if (diagnostics.length > 0) {
+            console.error(chalk_1.default.yellow(`⚠️  ${diagnostics.length} warning(s) — run with --json for details`));
+        }
+        if (results.length === 0) {
+            console.log(chalk_1.default.green.bold('✅ SUCCESS:'), chalk_1.default.white('No secrets found\n'));
+            return 0;
+        }
+        (0, scan_utils_1.displayScanResults)(results);
+        return 1;
+    }
+    catch (error) {
+        console.error(chalk_1.default.red('❌ Fatal error:'), chalk_1.default.white(String(error)));
+        return 1;
+    }
+}
+//# sourceMappingURL=scan.js.map

package/dist/commands/scan.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan.js","sourceRoot":"","sources":["../../src/commands/scan.ts"],"names":[],"mappings":";;;;;AA8BA,kCA+LC;AA7ND,qEAWwC;AACxC,kDAA0B;AAC1B,oDAM6B;AAWtB,KAAK,UAAU,WAAW,CAC/B,UAAkB,EAClB,SAAuB,MAAM,EAC7B,MAAM,GAAG,KAAK;IAEd,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;IAE1B,IAAI,MAAM,CAAC;IACX,IAAI,CAAC;QACH,MAAM,GAAG,IAAA,6BAAU,EAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,IAAI,CAAC,YAAY,8BAAW,EAAE,CAAC;YAC7B,OAAO,CAAC,KAAK,CAAC,eAAK,CAAC,GAAG,CAAC,iBAAiB,CAAC,EAAE,eAAK,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;YACpE,OAAO,CAAC,KAAK,CACX,eAAK,CAAC,IAAI,CACR,+DAA+D;gBAC7D,kEAAkE;gBAClE,2DAA2D,CAC9D,CACF,CAAC;YACF,OAAO,CAAC,CAAC;QACX,CAAC;QACD,MAAM,CAAC,CAAC;IACV,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,gCAAa,CAAC,MAAM,CAAC,CAAC;IAE1C,gFAAgF;IAChF,MAAM,oBAAoB,GAAa;QACrC,GAAG,CAAC,MAAM,CAAC,MAAM,EAAE,KAAK,IAAI,EAAE,CAAC;QAC/B,GAAG,CAAC,MAAM,CAAC,MAAM,EAAE,QAAQ,IAAI,EAAE,CAAC;KACnC,CAAC;IAEF,MAAM,GAAG,GAAG,IAAI,gCAAa,EAAE,CAAC;IAChC,MAAM,WAAW,GAAiB,EAAE,CAAC;IACrC,MAAM,uBAAuB,GAAgC,EAAE,CAAC;IAEhE,+EAA+E;IAC/E,KAAK,MAAM,GAAG,IAAI,OAAO,CAAC,sBAAsB,EAAE,CAAC;QACjD,MAAM,GAAG,GAA8B;YACrC,SAAS,EAAE,GAAG,CAAC,EAAE;YACjB,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,MAAM,EAAE,GAAG,CAAC,MAAM;SACnB,CAAC;QACF,uBAAuB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAClC,WAAW,CAAC,IAAI,CAAC;YACf,IAAI,EAAE,IAAA,4DAAyC,EAAC,GAAG,CAAC,MAAM,CAAC;YAC3D,QAAQ,EAAE,SAAS;YACnB,GAAG,EAAE,EAAE,GAAG,GAAG,EAAE;SAChB,CAAC,CAAC;IACL,CAAC;IAED,IAAI,uBAAuB,CAAC,MAAM,GAAG,CAAC,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QAC5D,KAAK,MAAM,GAAG,IAAI,uBAAuB,EAAE,CAAC;YAC1C,OAAO,CAAC,KAAK,CACX,eAAK,CAAC,MAAM,CAAC,6BAA6B,CAAC,EAC3C,eAAK,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,SAAS,KAAK,GAAG,CAAC,MAAM,OAAO,GAAG,CAAC,MAAM,EAAE,CAAC,CAChE,CAAC;QACJ,CAAC;QACD,OAAO,CAAC,KAAK,CACX,eAAK,CAAC,IAAI,CACR,oEAAoE;YAClE,mCAAmC,CACtC,CACF,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,KAAK,MAAM,IAAI,CAAC,MAAM,EAAE,CAAC;QACjC,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE,eAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;IACjE,CAAC;IAED,MAAM,KAAK,GAAG,EAAE,YAAY,EAAE,CAAC,EAAE,YAAY,EAAE,CAAC,EAAE,CAAC;IACnD,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAEtB,IAAI,CAAC;QACH,IAAI,OAAO,CAAC;QAEZ,IAAI,MAAM,EAAE,CAAC;YACX,IAAI,CAAC,IAAA,sCAAmB,EAAC,GAAG,CAAC,EAAE,CAAC;gBAC9B,OAAO,CAAC,KAAK,CAAC,eAAK,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,eAAK,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC,CAAC;gBACpG,OAAO,CAAC,CAAC;YACX,CAAC;YAED,IAAI,WAAqB,CAAC;YAC1B,IAAI,CAAC;gBACH,WAAW,GAAG,IAAA,wCAAqB,EAAC,GAAG,CAAC,CAAC;YAC3C,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,IAAI,CAAC,YAAY,2BAAQ,EAAE,CAAC;oBAC1B,OAAO,CAAC,KAAK,CAAC,eAAK,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,eAAK,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;oBACjE,OAAO,CAAC,KAAK,CACX,eAAK,CAAC,IAAI,CACR,2DAA2D;wBACzD,4DAA4D,CAC/D,CACF,CAAC;oBACF,OAAO,CAAC,CAAC;gBACX,CAAC;gBACD,MAAM,CAAC,CAAC;YACV,CAAC;YAED,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;gBACtB,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE,eAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,CAAC;gBACvE,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBAC7B,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,eAAK,CAAC,KAAK,CAAC,oCAAoC,CAAC,CAAC,CAAC;oBAC/F,OAAO,CAAC,CAAC;gBACX,CAAC;gBACD,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,MAAM,WAAW,CAAC,MAAM,yBAAyB,CAAC,CAAC,CAAC;YAC7E,CAAC;YACD,OAAO,GAAG,MAAM,IAAA,8BAAiB,EAAC,WAAW,EAAE,OAAO,EAAE;gBACtD,OAAO,EAAE,MAAM,KAAK,MAAM;gBAC1B,UAAU,EAAE,IAAI;gBAChB,QAAQ,EAAE,MAAM,KAAK,MAAM;gBAC3B,GAAG;gBACH,KAAK;gBACL,oBAAoB;aACrB,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,OAAO,GAAG,MAAM,IAAA,2BAAc,EAAC,CAAC,UAAU,CAAC,EAAE,OAAO,EAAE;gBACpD,OAAO,EAAE,MAAM,KAAK,MAAM;gBAC1B,UAAU,EAAE,IAAI;gBAChB,QAAQ,EAAE,MAAM,KAAK,MAAM;gBAC3B,GAAG;gBACH,KAAK;gBACL,oBAAoB;aACrB,CAAC,CAAC;QACL,CAAC;QAED,wBAAwB;QACxB,WAAW,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC;QAEjC,MAAM,YAAY,GAAG,IAAA,+BAAY,EAAC,GAAG,CAAC,CAAC;QACvC,IAAI,YAAY,CAAC,UAAU,EAAE,CAAC;YAC5B,WAAW,CAAC,IAAI,CAAC;gBACf,IAAI,EAAE,kBAAkB;gBACxB,QAAQ,EAAE,SAAS;gBACnB,GAAG,EAAE,EAAE,IAAI,EAAE,YAAY,CAAC,UAAU,IAAI,EAAE,EAAE,MAAM,EAAE,YAAY,CAAC,UAAU,EAAE;aAC9E,CAAC,CAAC;YACH,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;gBACtB,OAAO,CAAC,KAAK,CACX,eAAK,CAAC,MAAM,CAAC,4BAA4B,CAAC,EAC1C,eAAK,CAAC,KAAK,CAAC,YAAY,CAAC,UAAU,CAAC,EACpC,eAAK,CAAC,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,YAAY,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAC1E,CAAC;YACJ,CAAC;QACH,CAAC;QAED,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,UAAU,EAAE,kBAAkB,EAAE,GAAG,IAAA,0CAAuB,EACxF,OAAO,CAAC,GAAG,EAAE,EACb,OAAO,EACP,YAAY,CAAC,YAAY,CAC1B,CAAC;QACF,OAAO,GAAG,aAAa,CAAC;QAExB,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC;QACnC,MAAM,GAAG,GAAG;YACV,WAAW,EAAE,UAAU;YACvB,aAAa,EAAE,KAAK,CAAC,YAAY;YACjC,aAAa,EAAE,KAAK,CAAC,YAAY;YACjC,eAAe,EAAE,OAAO,CAAC,qBAAqB,EAAE;YAChD,iBAAiB,EAAE,WAAW,CAAC,MAAM;YACrC,GAAG,CAAC,kBAAkB,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC/E,CAAC;QAEF,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YACtB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,uBAAU,EAAC,OAAO,EAAE,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;YACvE,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACzE,CAAC;QAED,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;YACvB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,wBAAW,EAAC,OAAO,EAAE,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;YACxE,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACzE,CAAC;QAED,kFAAkF;QAClF,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC3B,OAAO,CAAC,KAAK,CACX,eAAK,CAAC,MAAM,CAAC,OAAO,WAAW,CAAC,MAAM,2CAA2C,CAAC,CACnF,CAAC;QACJ,CAAC;QAED,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,eAAK,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC,CAAC;YAC/E,OAAO,CAAC,CAAC;QACX,CAAC;QAED,IAAA,+BAAkB,EAAC,OAAO,CAAC,CAAC;QAC5B,OAAO,CAAC,CAAC;IACX,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,eAAK,CAAC,GAAG,CAAC,gBAAgB,CAAC,EAAE,eAAK,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QACvE,OAAO,CAAC,CAAC;IACX,CAAC;AACH,CAAC"}

package/dist/commands/statusline.d.ts

@@ -0,0 +1,2 @@
+export declare function statuslineCommand(asJson: boolean): void;
+//# sourceMappingURL=statusline.d.ts.map

package/dist/commands/statusline.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"statusline.d.ts","sourceRoot":"","sources":["../../src/commands/statusline.ts"],"names":[],"mappings":"AAEA,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,OAAO,GAAG,IAAI,CA4BvD"}

package/dist/commands/statusline.js

@@ -0,0 +1,34 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.statuslineCommand = statuslineCommand;
+const vault_guard_telemetry_1 = require("@vaultcompass/vault-guard-telemetry");
+function statuslineCommand(asJson) {
+    let store;
+    try {
+        store = new vault_guard_telemetry_1.TelemetryStore();
+    }
+    catch (e) {
+        if (e instanceof vault_guard_telemetry_1.TelemetryUnavailableError) {
+            if (asJson) {
+                process.stdout.write(`${JSON.stringify({ error: 'telemetry_unavailable', message: e.message })}\n`);
+            }
+            else {
+                process.stderr.write(`vault-guard statusline: telemetry unavailable — ${e.message}\n`);
+            }
+            return;
+        }
+        throw e;
+    }
+    try {
+        const payload = store.getStatuslinePayload();
+        if (asJson) {
+            process.stdout.write(`${JSON.stringify(payload)}\n`);
+            return;
+        }
+        process.stdout.write(`Vault Guard (today UTC): secrets=${payload.secrets_today} tokens in/out=${payload.tokens_today_input}/${payload.tokens_today_output} est_cost_usd≈${payload.est_cost_usd} model=${payload.model ?? '—'}\n`);
+    }
+    finally {
+        store.close();
+    }
+}
+//# sourceMappingURL=statusline.js.map

package/dist/commands/statusline.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"statusline.js","sourceRoot":"","sources":["../../src/commands/statusline.ts"],"names":[],"mappings":";;AAEA,8CA4BC;AA9BD,+EAAgG;AAEhG,SAAgB,iBAAiB,CAAC,MAAe;IAC/C,IAAI,KAAqB,CAAC;IAC1B,IAAI,CAAC;QACH,KAAK,GAAG,IAAI,sCAAc,EAAE,CAAC;IAC/B,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,IAAI,CAAC,YAAY,iDAAyB,EAAE,CAAC;YAC3C,IAAI,MAAM,EAAE,CAAC;gBACX,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,IAAI,CAAC,CAAC;YACtG,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mDAAmD,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC;YACzF,CAAC;YACD,OAAO;QACT,CAAC;QACD,MAAM,CAAC,CAAC;IACV,CAAC;IAED,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,KAAK,CAAC,oBAAoB,EAAE,CAAC;QAC7C,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YACrD,OAAO;QACT,CAAC;QACD,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,oCAAoC,OAAO,CAAC,aAAa,kBAAkB,OAAO,CAAC,kBAAkB,IAAI,OAAO,CAAC,mBAAmB,iBAAiB,OAAO,CAAC,YAAY,UAAU,OAAO,CAAC,KAAK,IAAI,GAAG,IAAI,CAC5M,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,KAAK,CAAC,KAAK,EAAE,CAAC;IAChB,CAAC;AACH,CAAC"}

package/dist/commands/suggest-model.d.ts

@@ -0,0 +1,6 @@
+export declare function suggestModelCommand(options: {
+    json: boolean;
+    cwd?: string;
+    language?: string;
+}): void;
+//# sourceMappingURL=suggest-model.d.ts.map

package/dist/commands/suggest-model.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"suggest-model.d.ts","sourceRoot":"","sources":["../../src/commands/suggest-model.ts"],"names":[],"mappings":"AAEA,wBAAgB,mBAAmB,CAAC,OAAO,EAAE;IAC3C,IAAI,EAAE,OAAO,CAAC;IACd,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GAAG,IAAI,CAgCP"}

package/dist/commands/suggest-model.js

@@ -0,0 +1,38 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.suggestModelCommand = suggestModelCommand;
+const vault_guard_telemetry_1 = require("@vaultcompass/vault-guard-telemetry");
+function suggestModelCommand(options) {
+    let store;
+    try {
+        store = new vault_guard_telemetry_1.TelemetryStore();
+    }
+    catch (e) {
+        if (e instanceof vault_guard_telemetry_1.TelemetryUnavailableError) {
+            if (options.json) {
+                process.stdout.write(`${JSON.stringify({ error: 'telemetry_unavailable', message: e.message }, null, 2)}\n`);
+            }
+            else {
+                process.stderr.write(`vault-guard suggest-model: telemetry unavailable — ${e.message}\n`);
+            }
+            return;
+        }
+        throw e;
+    }
+    try {
+        const s = store.suggestModel({ cwd: options.cwd, language: options.language });
+        if (options.json) {
+            process.stdout.write(`${JSON.stringify(s, null, 2)}\n`);
+            return;
+        }
+        if (!s.suggested_model) {
+            process.stdout.write(`${s.reason}\n`);
+            return;
+        }
+        process.stdout.write(`Suggested model: ${s.suggested_model}\n${s.reason}\n`);
+    }
+    finally {
+        store.close();
+    }
+}
+//# sourceMappingURL=suggest-model.js.map

package/dist/commands/suggest-model.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"suggest-model.js","sourceRoot":"","sources":["../../src/commands/suggest-model.ts"],"names":[],"mappings":";;AAEA,kDAoCC;AAtCD,+EAAgG;AAEhG,SAAgB,mBAAmB,CAAC,OAInC;IACC,IAAI,KAAqB,CAAC;IAC1B,IAAI,CAAC;QACH,KAAK,GAAG,IAAI,sCAAc,EAAE,CAAC;IAC/B,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,IAAI,CAAC,YAAY,iDAAyB,EAAE,CAAC;YAC3C,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;gBACjB,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CACvF,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,sDAAsD,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC;YAC5F,CAAC;YACD,OAAO;QACT,CAAC;QACD,MAAM,CAAC,CAAC;IACV,CAAC;IAED,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,KAAK,CAAC,YAAY,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,QAAQ,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC/E,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YACjB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;YACxD,OAAO;QACT,CAAC;QACD,IAAI,CAAC,CAAC,CAAC,eAAe,EAAE,CAAC;YACvB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC;YACtC,OAAO;QACT,CAAC;QACD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC,eAAe,KAAK,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC;IAC/E,CAAC;YAAS,CAAC;QACT,KAAK,CAAC,KAAK,EAAE,CAAC;IAChB,CAAC;AACH,CAAC"}

package/dist/commands/tokens.d.ts

@@ -0,0 +1,2 @@
+export declare function tokensCommand(): Promise<void>;
+//# sourceMappingURL=tokens.d.ts.map

package/dist/commands/tokens.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokens.d.ts","sourceRoot":"","sources":["../../src/commands/tokens.ts"],"names":[],"mappings":"AAGA,wBAAsB,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC,CAgBnD"}

package/dist/commands/tokens.js

@@ -0,0 +1,22 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.tokensCommand = tokensCommand;
+const vault_guard_core_1 = require("@vaultcompass/vault-guard-core");
+const chalk_1 = __importDefault(require("chalk"));
+async function tokensCommand() {
+    console.log(chalk_1.default.magenta.bold('💰 Token Usage\n'));
+    const counter = new vault_guard_core_1.TokenCounter();
+    const report = counter.generateReport(process.cwd());
+    console.log(chalk_1.default.white.bold('Total Tokens:'), chalk_1.default.magenta.bold(report.totalTokens.toLocaleString()));
+    console.log(chalk_1.default.white.bold('Estimated Cost:'), chalk_1.default.magenta.bold(`$${report.estimatedCost.toFixed(2)}`));
+    console.log(chalk_1.default.white.bold('\nBreakdown by file type:'));
+    for (const [ext, tokens] of Object.entries(report.breakdown)) {
+        const percentage = ((tokens / report.totalTokens) * 100).toFixed(1);
+        console.log(`  ${chalk_1.default.cyan(ext)}: ${chalk_1.default.magenta(tokens.toLocaleString())} tokens (${chalk_1.default.gray(percentage + '%')})`);
+    }
+    console.log(chalk_1.default.gray('\n💡 Tip: Use with AI coding tools to track token usage'));
+}
+//# sourceMappingURL=tokens.js.map

package/dist/commands/tokens.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokens.js","sourceRoot":"","sources":["../../src/commands/tokens.ts"],"names":[],"mappings":";;;;;AAGA,sCAgBC;AAnBD,qEAA8D;AAC9D,kDAA0B;AAEnB,KAAK,UAAU,aAAa;IACjC,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,OAAO,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,CAAC;IAEpD,MAAM,OAAO,GAAG,IAAI,+BAAY,EAAE,CAAC;IACnC,MAAM,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;IAErD,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,EAAE,eAAK,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC;IACxG,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,EAAE,eAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,MAAM,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAE5G,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,KAAK,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC,CAAC;IAC3D,KAAK,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC;QAC7D,MAAM,UAAU,GAAG,CAAC,CAAC,MAAM,GAAG,MAAM,CAAC,WAAW,CAAC,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QACpE,OAAO,CAAC,GAAG,CAAC,KAAK,eAAK,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,eAAK,CAAC,OAAO,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC,YAAY,eAAK,CAAC,IAAI,CAAC,UAAU,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IAC1H,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,yDAAyD,CAAC,CAAC,CAAC;AACrF,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,3 @@
+export { buildCli } from './cli';
+export * from './commands';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,OAAO,CAAC;AACjC,cAAc,YAAY,CAAC"}

package/dist/index.js

@@ -0,0 +1,21 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildCli = void 0;
+var cli_1 = require("./cli");
+Object.defineProperty(exports, "buildCli", { enumerable: true, get: function () { return cli_1.buildCli; } });
+__exportStar(require("./commands"), exports);
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAAA,6BAAiC;AAAxB,+FAAA,QAAQ,OAAA;AACjB,6CAA2B"}

package/dist/utils/index.d.ts

@@ -0,0 +1,2 @@
+export * from './scan-utils';
+//# sourceMappingURL=index.d.ts.map

package/dist/utils/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/utils/index.ts"],"names":[],"mappings":"AAAA,cAAc,cAAc,CAAC"}

package/dist/utils/index.js

@@ -0,0 +1,18 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./scan-utils"), exports);
+//# sourceMappingURL=index.js.map

package/dist/utils/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/utils/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,+CAA6B"}

package/dist/utils/scan-utils.d.ts

@@ -0,0 +1,65 @@
+import { SecretScanner, type JsonOutput, type JsonRunMetadata, type FileScanResult, type Diagnostic, type DiagnosticBus } from '@vaultcompass/vault-guard-core';
+export type { JsonOutput, JsonRunMetadata };
+export interface ScanFormatOptions {
+    diagnostics?: Diagnostic[];
+    run?: JsonRunMetadata;
+}
+export declare function formatJson(results: ScanResult[], opts?: ScanFormatOptions): string;
+export declare function formatSarif(results: ScanResult[], opts?: ScanFormatOptions): string;
+export type ScanResult = FileScanResult;
+/** Filled by scan runners when provided (files opened for secret scanning, bytes read). */
+export interface ScanTelemetryStats {
+    filesScanned: number;
+    bytesScanned: number;
+}
+export interface ScanOptions {
+    verbose?: boolean;
+    maxSize?: number;
+    skipBinary?: boolean;
+    progress?: boolean;
+    concurrency?: number;
+    bus?: DiagnosticBus;
+    stats?: ScanTelemetryStats;
+    /**
+     * Combined gitignore-style patterns from `config.ignore.paths` and
+     * `config.ignore.patterns`. Applied to every file before scanning so that
+     * `.vault-guard.json` `ignore` entries are honoured uniformly across
+     * directory scans and staged-file scans.
+     */
+    configIgnorePatterns?: string[];
+}
+/**
+ * Scan an explicit list of files (e.g. paths from \`git diff --cached\`).
+ * Skips missing paths and non-files silently.
+ */
+export declare function scanFileListAsync(files: string[], scanner: SecretScanner, options?: ScanOptions): Promise<ScanResult[]>;
+/**
+ * Check if a file is binary based on extension
+ */
+export declare function isBinaryFile(filePath: string): boolean;
+/**
+ * Scan files with proper filtering and error handling (async version)
+ * This is the shared scanning logic used by both scan and check commands
+ */
+export declare function scanFilesAsync(targetPaths: string[], scanner: SecretScanner, options?: ScanOptions): Promise<ScanResult[]>;
+/**
+ * Scan files with proper filtering and error handling (sync version for backwards compatibility)
+ * This is the shared scanning logic used by both scan and check commands
+ */
+export declare function scanFiles(targetPaths: string[], scanner: SecretScanner, options?: ScanOptions): ScanResult[];
+/**
+ * Display scan results with proper formatting.
+ *
+ * Output format: `<path>:<line>:<col>  <severity>  <type>  <redacted>`
+ *
+ * Why this layout:
+ *   - Most modern terminals (iTerm2, Windows Terminal, VS Code, JetBrains)
+ *     auto-link `path:line:col` so users can cmd/ctrl-click directly to the
+ *     source — no copy-paste, no greppable secret value needed.
+ *   - Paths are cwd-relative for the same reason JSON/SARIF are: avoids
+ *     leaking the developer's home dir / username when output is shared.
+ *   - The redacted match value (`sk-a…(37c)`) is shown last and intentionally
+ *     low-information.
+ */
+export declare function displayScanResults(results: ScanResult[]): void;
+//# sourceMappingURL=scan-utils.d.ts.map

package/dist/utils/scan-utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan-utils.d.ts","sourceRoot":"","sources":["../../src/utils/scan-utils.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,aAAa,EAQb,KAAK,UAAU,EACf,KAAK,eAAe,EACpB,KAAK,cAAc,EACnB,KAAK,UAAU,EACf,KAAK,aAAa,EACnB,MAAM,gCAAgC,CAAC;AAGxC,YAAY,EAAE,UAAU,EAAE,eAAe,EAAE,CAAC;AAC5C,MAAM,WAAW,iBAAiB;IAChC,WAAW,CAAC,EAAE,UAAU,EAAE,CAAC;IAC3B,GAAG,CAAC,EAAE,eAAe,CAAC;CACvB;AAED,wBAAgB,UAAU,CAAC,OAAO,EAAE,UAAU,EAAE,EAAE,IAAI,GAAE,iBAAsB,GAAG,MAAM,CAMtF;AACD,wBAAgB,WAAW,CAAC,OAAO,EAAE,UAAU,EAAE,EAAE,IAAI,GAAE,iBAAsB,GAAG,MAAM,CAMvF;AASD,MAAM,MAAM,UAAU,GAAG,cAAc,CAAC;AAExC,2FAA2F;AAC3F,MAAM,WAAW,kBAAkB;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,WAAW;IAC1B,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,GAAG,CAAC,EAAE,aAAa,CAAC;IACpB,KAAK,CAAC,EAAE,kBAAkB,CAAC;IAC3B;;;;;OAKG;IACH,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;CACjC;AAED;;;GAGG;AACH,wBAAsB,iBAAiB,CACrC,KAAK,EAAE,MAAM,EAAE,EACf,OAAO,EAAE,aAAa,EACtB,OAAO,GAAE,WAAgB,GACxB,OAAO,CAAC,UAAU,EAAE,CAAC,CAiFvB;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAGtD;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAClC,WAAW,EAAE,MAAM,EAAE,EACrB,OAAO,EAAE,aAAa,EACtB,OAAO,GAAE,WAAgB,GACxB,OAAO,CAAC,UAAU,EAAE,CAAC,CA4GvB;AAED;;;GAGG;AACH,wBAAgB,SAAS,CACvB,WAAW,EAAE,MAAM,EAAE,EACrB,OAAO,EAAE,aAAa,EACtB,OAAO,GAAE,WAAgB,GACxB,UAAU,EAAE,CAoFd;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,UAAU,EAAE,GAAG,IAAI,CAyB9D"}