@vibecheck-ai/mcp 24.6.9 → 24.6.12

package/dist/chunk-5DADZJ3D.js

@@ -0,0 +1,650 @@
+import { createRequire } from 'module';
+import { fileURLToPath } from 'url';
+import * as path from 'path';
+import { dirname } from 'path';
+
+createRequire(import.meta.url);
+const __filename$1 = fileURLToPath(import.meta.url);
+dirname(__filename$1);
+function deterministicId(uri, line, ruleId, patternName) {
+  const input = `cred:${uri}::${line}::${ruleId}::${patternName}`;
+  let hash = 2166136261;
+  for (let i = 0; i < input.length; i++) {
+    hash ^= input.charCodeAt(i);
+    hash = hash * 16777619 >>> 0;
+  }
+  return `cred-${hash.toString(16).padStart(8, "0")}`;
+}
+function inferCredentialLang(delta) {
+  const lid = delta.documentLanguage.toLowerCase();
+  if (lid.includes("python")) return "python";
+  if (lid.includes("go") || lid === "gomod") return "go";
+  const uriPath = delta.documentUri.replace(/^file:\/\//, "");
+  const ext = path.extname(uriPath).toLowerCase();
+  if (ext === ".py" || ext === ".pyi") return "python";
+  if (ext === ".go") return "go";
+  if (ext === ".ts" || ext === ".tsx" || ext === ".js" || ext === ".jsx" || ext === ".mjs" || ext === ".cjs" || ext === ".mts" || ext === ".cts") {
+    return "javascript";
+  }
+  return "other";
+}
+function isTestFile(uri) {
+  const u = uri.replace(/^file:\/\//, "");
+  if (/(?:^|[\\/])test_[\w.-]+\.py$/i.test(u) || /(?:^|[\\/])[\w.-]+_test\.py$/i.test(u) || /(?:^|[\\/])conftest\.py$/i.test(u))
+    return true;
+  if (/[^\\/]+_test\.go$/i.test(u)) return true;
+  return /\.(test|spec)\.(ts|tsx|js|jsx)$/i.test(u) || /(?:^|[\\/])(?:__tests__|__mocks__|tests?|fixtures?|e2e|spec|cypress|playwright|__snapshots__|__fixtures__|stubs?|mocks?|test[-_]?data|test[-_]?helpers?|test[-_]?utils?)[\\/]/i.test(u) || /\.(?:mock|fixture|stub)\.[^\\/]*$/i.test(u);
+}
+function isExampleFile(uri) {
+  return /\.(?:example|sample|template)\b/.test(uri) || /\.env\.(?:example|sample)\b/.test(uri);
+}
+var FAKE_VALUE_PATTERNS = /(?:test|example|sample|dummy|fake|placeholder|xxx+|your[-_]|changeme|todo|mock|fixture|replace[-_]?me|insert[-_]?here|fill[-_]?in|update[-_]?me|secret|password|change[-_]?this|put[-_]?here|add[-_]?your|enter[-_]?your|sk[-_]test|pk[-_]test|demo|default|replace|temp|tmp|foobar|foo|bar|baz|qux|lorem|ipsum|abc|1234|0000)/i;
+function hasLowEntropy(value) {
+  const unique = new Set(value.toLowerCase()).size;
+  return unique <= 4 && value.length >= 8;
+}
+function isFakeCredentialValue(value) {
+  if (value.length < 8) return true;
+  if (FAKE_VALUE_PATTERNS.test(value)) return true;
+  if (hasLowEntropy(value)) return true;
+  if (value.length < 16 && /^[a-z_-]+$/.test(value)) return true;
+  return false;
+}
+function isCriticalPath(uri) {
+  const u = uri.replace(/^file:\/\//, "");
+  return /[\\/]api[\\/]|[\\/]auth[\\/]|[\\/]payment|[\\/]billing|[\\/]admin|[\\/]checkout|[\\/]webhook|[\\/]security/.test(u) || /middleware\.(ts|js|go|py)$/.test(u) || /[\\/]lib[\\/]auth|[\\/]lib[\\/]db|[\\/]lib[\\/]stripe/.test(u) || /(?:^|[\\/])(?:settings|urls)\.py$/i.test(u) || /[\\/](?:internal[\\/]auth|internal[\\/]api|handlers)(?:[\\/]|$)/i.test(u);
+}
+function localizeCredentialSuggestion(suggestion, lang) {
+  if (lang === "javascript" || lang === "other") return suggestion;
+  if (lang === "python") {
+    return suggestion.replace(/\bprocess\.env\.([A-Z_][A-Z0-9_]*)\b/g, 'os.environ["$1"]').replace(/\bimport\.meta\.env\.([A-Z_][A-Z0-9_]*)\b/g, 'os.environ["$1"]');
+  }
+  if (lang === "go") {
+    return suggestion.replace(/\bprocess\.env\.([A-Z_][A-Z0-9_]*)\b/g, 'os.Getenv("$1")').replace(/\bimport\.meta\.env\.([A-Z_][A-Z0-9_]*)\b/g, 'os.Getenv("$1")');
+  }
+  return suggestion;
+}
+function escalate(severity, critical) {
+  if (!critical) return severity;
+  const up = {
+    low: "medium",
+    medium: "high",
+    high: "critical",
+    critical: "critical"
+  };
+  return up[severity] ?? severity;
+}
+function maskEvidence(evidence) {
+  return evidence.replace(/(sk_(?:live|test)_)[a-zA-Z0-9]{4,}/g, "$1****").replace(/(pk_(?:live|test)_)[a-zA-Z0-9]{4,}/g, "$1****").replace(/(AKIA)[0-9A-Z]{12,}/g, "$1****").replace(/(sk-(?:ant-)?)[a-zA-Z0-9-]{8,}/g, "$1****").replace(/(gh[po]_)[a-zA-Z0-9]{4,}/g, "$1****").replace(/(xox[bpoas]-)[0-9a-zA-Z-]{4,}/g, "$1****").replace(/(SG\.)[a-zA-Z0-9_-]{4,}/g, "$1****").replace(/(npm_)[a-zA-Z0-9]{4,}/g, "$1****").replace(/(hf_)[a-zA-Z0-9]{4,}/g, "$1****").replace(/(AIza)[0-9A-Za-z_-]{4,}/g, "$1****").replace(/(pscale_(?:tkn|pw)_)[a-zA-Z0-9_]{4,}/g, "$1****").replace(/(dapi)[a-f0-9]{4,}/g, "$1****").replace(/(key-)[a-f0-9]{4,}/g, "$1****").replace(/(phc_)[a-zA-Z0-9]{4,}/g, "$1****").replace(/(lin_api_)[a-zA-Z0-9]{4,}/g, "$1****").replace(/(re_)[a-zA-Z0-9]{4,}/g, "$1****").replace(/([MN][A-Za-z\d]{23,})\.[^'"` ]{6,}/g, "$1.****").replace(/:\/\/([^:]+):([^@]{4,})@/g, "://$1:****@").replace(/['"`]([a-zA-Z0-9+/=_-]{32,})['"`]/g, (m, val) => m.replace(val, val.slice(0, 4) + "****"));
+}
+var PATTERNS = [
+  // ── Stripe ──
+  {
+    name: "stripe-live-secret",
+    ruleId: "CRED001",
+    regex: /(?:['"`](sk_live_[a-zA-Z0-9]{20,})['"`]|(?:^|[\s=])(sk_live_[a-zA-Z0-9]{20,})(?:\s|$))/m,
+    severity: "critical",
+    message: "Stripe live secret key hardcoded",
+    suggestion: "Move to process.env.STRIPE_SECRET_KEY and add to .env (gitignored).",
+    confidence: 99,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  {
+    name: "stripe-live-publishable",
+    ruleId: "CRED001",
+    regex: /['"`](pk_live_[a-zA-Z0-9]{20,})['"`]/,
+    severity: "high",
+    message: "Stripe live publishable key hardcoded",
+    suggestion: "Use process.env.NEXT_PUBLIC_STRIPE_KEY",
+    confidence: 95,
+    flagInTests: false,
+    skipInExamples: true
+  },
+  {
+    name: "stripe-test-secret",
+    ruleId: "CRED001",
+    regex: /['"`](sk_test_[a-zA-Z0-9]{20,})['"`]/,
+    severity: "high",
+    message: "Stripe test secret key hardcoded \u2014 use env var even for test keys",
+    suggestion: "Use process.env.STRIPE_TEST_KEY",
+    confidence: 90,
+    flagInTests: false,
+    skipInExamples: true
+  },
+  // ── AWS ──
+  {
+    name: "aws-access-key",
+    ruleId: "CRED001",
+    regex: /['"`](AKIA[0-9A-Z]{16})['"`]/,
+    severity: "critical",
+    message: "AWS Access Key ID hardcoded",
+    suggestion: "Use AWS SDK credential chain or AWS_ACCESS_KEY_ID env var.",
+    confidence: 99,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  {
+    name: "aws-secret-key",
+    ruleId: "CRED001",
+    regex: /aws_secret_access_key\s*[:=]\s*['"`]([^'"`]{20,})['"`]/i,
+    severity: "critical",
+    message: "AWS Secret Access Key hardcoded",
+    suggestion: "Use AWS_SECRET_ACCESS_KEY environment variable.",
+    confidence: 98,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  // ── AI providers ──
+  {
+    name: "openai-key",
+    ruleId: "CRED001",
+    regex: /['"`](sk-[a-zA-Z0-9]{32,})['"`]/,
+    severity: "critical",
+    message: "OpenAI API key hardcoded",
+    suggestion: "Use process.env.OPENAI_API_KEY",
+    confidence: 92,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  {
+    name: "anthropic-key",
+    ruleId: "CRED001",
+    regex: /['"`](sk-ant-[a-zA-Z0-9-]{20,})['"`]/,
+    severity: "critical",
+    message: "Anthropic API key hardcoded",
+    suggestion: "Use process.env.ANTHROPIC_API_KEY",
+    confidence: 98,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  // ── GitHub ──
+  {
+    name: "github-pat",
+    ruleId: "CRED001",
+    regex: /['"`](ghp_[a-zA-Z0-9]{36,})['"`]/,
+    severity: "critical",
+    message: "GitHub personal access token hardcoded",
+    suggestion: "Use process.env.GITHUB_TOKEN",
+    confidence: 99,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  {
+    name: "github-oauth",
+    ruleId: "CRED001",
+    regex: /['"`](gho_[a-zA-Z0-9]{36,})['"`]/,
+    severity: "critical",
+    message: "GitHub OAuth token hardcoded",
+    suggestion: "Use process.env.GITHUB_OAUTH_TOKEN",
+    confidence: 99,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  // ── Google ──
+  {
+    name: "google-api-key",
+    ruleId: "CRED001",
+    regex: /['"`](AIza[0-9A-Za-z_-]{35,})['"`]/,
+    severity: "high",
+    message: "Google API key hardcoded",
+    suggestion: "Use process.env.GOOGLE_API_KEY",
+    confidence: 95,
+    flagInTests: false,
+    skipInExamples: false
+  },
+  // ── Generic secrets ──
+  {
+    name: "jwt-secret",
+    ruleId: "CRED003",
+    regex: /(?:jwt[_-]?secret|JWT_SECRET)\s*[:=]\s*['"`]([^'"`]{8,})['"`]/i,
+    severity: "critical",
+    message: "JWT signing secret hardcoded \u2014 anyone with this can forge auth tokens",
+    suggestion: "Store in JWT_SECRET environment variable and rotate regularly.",
+    confidence: 90,
+    flagInTests: false,
+    skipInExamples: true
+  },
+  {
+    name: "generic-password",
+    ruleId: "CRED002",
+    regex: /(?:password|passwd|pwd)\s*[:=]\s*['"`]([^'"`]{4,})['"`]/i,
+    severity: "high",
+    message: "Hardcoded password detected",
+    suggestion: "Use an environment variable or secrets manager (Vault, AWS Secrets Manager).",
+    confidence: 75,
+    flagInTests: false,
+    skipInExamples: true
+  },
+  {
+    name: "generic-secret",
+    ruleId: "CRED002",
+    regex: /(?:secret|api[_-]?key|auth[_-]?token)\s*[:=]\s*['"`]([^'"`]{8,})['"`]/i,
+    severity: "high",
+    message: "Hardcoded secret / token detected",
+    suggestion: "Use an environment variable.",
+    confidence: 70,
+    flagInTests: false,
+    skipInExamples: true
+  },
+  {
+    name: "private-key-pem",
+    ruleId: "CRED004",
+    regex: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/,
+    severity: "critical",
+    message: "Private key embedded in source code",
+    suggestion: "Store key in a file and reference its path via env var.",
+    confidence: 99,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  {
+    name: "connection-string",
+    ruleId: "CRED005",
+    regex: /['"`](?:mongodb(?:\+srv)?|postgres(?:ql)?|mysql|redis|amqp):\/\/[^'"`\s]{10,}['"`]/i,
+    severity: "critical",
+    message: "Database connection string with credentials in source",
+    suggestion: "Use DATABASE_URL environment variable.",
+    confidence: 92,
+    flagInTests: false,
+    skipInExamples: true
+  },
+  // ── SaaS tokens ──
+  {
+    name: "slack-token",
+    ruleId: "CRED001",
+    regex: /['"`](xox[bpoas]-[0-9a-zA-Z-]{10,})['"`]/,
+    severity: "critical",
+    message: "Slack token hardcoded",
+    suggestion: "Use process.env.SLACK_TOKEN",
+    confidence: 97,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  {
+    name: "sendgrid-key",
+    ruleId: "CRED001",
+    regex: /['"`](SG\.[a-zA-Z0-9_-]{22,}\.[a-zA-Z0-9_-]{43,})['"`]/,
+    severity: "critical",
+    message: "SendGrid API key hardcoded",
+    suggestion: "Use process.env.SENDGRID_API_KEY",
+    confidence: 99,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  {
+    name: "twilio-key",
+    ruleId: "CRED001",
+    regex: /['"`](SK[a-f0-9]{32})['"`]/,
+    severity: "high",
+    message: "Twilio API key hardcoded",
+    suggestion: "Use process.env.TWILIO_API_KEY",
+    confidence: 85,
+    flagInTests: false,
+    skipInExamples: true
+  },
+  {
+    name: "npm-token",
+    ruleId: "CRED001",
+    regex: /['"`](npm_[a-zA-Z0-9]{36,})['"`]/,
+    severity: "critical",
+    message: "npm auth token hardcoded",
+    suggestion: "Use .npmrc with env var interpolation: //registry.npmjs.org/:_authToken=${NPM_TOKEN}",
+    confidence: 98,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  {
+    name: "huggingface-token",
+    ruleId: "CRED001",
+    regex: /['"`](hf_[a-zA-Z0-9]{30,})['"`]/,
+    severity: "critical",
+    message: "HuggingFace API token hardcoded",
+    suggestion: "Use process.env.HUGGINGFACE_TOKEN",
+    confidence: 97,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  // ── Additional SaaS tokens ──
+  {
+    name: "supabase-service-key",
+    ruleId: "CRED001",
+    regex: /['"`](eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.[a-zA-Z0-9_-]{50,}\.[a-zA-Z0-9_-]{20,})['"`]/,
+    severity: "critical",
+    message: "Supabase service role key hardcoded \u2014 grants admin access to your database",
+    suggestion: "Use process.env.SUPABASE_SERVICE_ROLE_KEY. Never expose service role keys client-side.",
+    confidence: 88,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  {
+    name: "clerk-secret-key",
+    ruleId: "CRED001",
+    regex: /['"`](sk_(?:live|test)_[a-zA-Z0-9]{20,})['"`]/,
+    severity: "critical",
+    message: "Clerk secret key hardcoded",
+    suggestion: "Use process.env.CLERK_SECRET_KEY",
+    confidence: 90,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  {
+    name: "vercel-token",
+    ruleId: "CRED001",
+    regex: /['"`]([a-zA-Z0-9]{24})['"`](?=.*(?:vercel|VERCEL))/i,
+    severity: "high",
+    message: "Vercel API token hardcoded",
+    suggestion: "Use process.env.VERCEL_TOKEN",
+    confidence: 80,
+    flagInTests: false,
+    skipInExamples: true
+  },
+  {
+    name: "discord-bot-token",
+    ruleId: "CRED001",
+    regex: /['"`]([MN][A-Za-z\d]{23,}\.[\w-]{6}\.[\w-]{27,})['"`]/,
+    severity: "critical",
+    message: "Discord bot token hardcoded",
+    suggestion: "Use process.env.DISCORD_BOT_TOKEN",
+    confidence: 95,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  {
+    name: "linear-api-key",
+    ruleId: "CRED001",
+    regex: /['"`](lin_api_[a-zA-Z0-9]{30,})['"`]/,
+    severity: "critical",
+    message: "Linear API key hardcoded",
+    suggestion: "Use process.env.LINEAR_API_KEY",
+    confidence: 98,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  {
+    name: "resend-api-key",
+    ruleId: "CRED001",
+    regex: /['"`](re_[a-zA-Z0-9]{20,})['"`]/,
+    severity: "critical",
+    message: "Resend API key hardcoded",
+    suggestion: "Use process.env.RESEND_API_KEY",
+    confidence: 90,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  // ── Cloud Providers ──
+  {
+    name: "gcp-service-account-key",
+    ruleId: "CRED001",
+    regex: /['"`](\{[^'"`]*"type"\s*:\s*"service_account"[^'"`]*\})['"`]/,
+    severity: "critical",
+    message: "GCP service account key JSON hardcoded \u2014 grants full cloud access",
+    suggestion: "Use GOOGLE_APPLICATION_CREDENTIALS env var pointing to a key file outside the repo.",
+    confidence: 98,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  {
+    name: "gcp-api-key",
+    ruleId: "CRED001",
+    regex: /['"`](AIza[0-9A-Za-z_-]{35})['"`]/,
+    severity: "high",
+    message: "Google Cloud / Firebase API key hardcoded",
+    suggestion: "Use process.env.GOOGLE_API_KEY or restrict the key in GCP console.",
+    confidence: 95,
+    flagInTests: false,
+    skipInExamples: true
+  },
+  {
+    name: "azure-storage-key",
+    ruleId: "CRED001",
+    regex: /(?:AccountKey|azure_storage_key|AZURE_STORAGE_KEY)\s*[:=]\s*['"`]([A-Za-z0-9+/=]{44,})['"`]/i,
+    severity: "critical",
+    message: "Azure Storage account key hardcoded",
+    suggestion: "Use process.env.AZURE_STORAGE_KEY or Managed Identity for authentication.",
+    confidence: 90,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  {
+    name: "azure-connection-string",
+    ruleId: "CRED005",
+    regex: /['"`]DefaultEndpointsProtocol=https?;AccountName=[^;]+;AccountKey=[^'"`]{20,}['"`]/,
+    severity: "critical",
+    message: "Azure connection string with credentials hardcoded",
+    suggestion: "Use process.env.AZURE_STORAGE_CONNECTION_STRING",
+    confidence: 98,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  {
+    name: "cloudflare-api-token",
+    ruleId: "CRED001",
+    regex: /['"`]([A-Za-z0-9_-]{40})['"`](?=.*(?:cloudflare|CLOUDFLARE|CF_))/i,
+    severity: "critical",
+    message: "Cloudflare API token hardcoded",
+    suggestion: "Use process.env.CLOUDFLARE_API_TOKEN",
+    confidence: 82,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  {
+    name: "planetscale-token",
+    ruleId: "CRED001",
+    regex: /['"`](pscale_tkn_[a-zA-Z0-9_]{20,})['"`]/,
+    severity: "critical",
+    message: "PlanetScale API token hardcoded",
+    suggestion: "Use process.env.PLANETSCALE_TOKEN",
+    confidence: 98,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  {
+    name: "planetscale-password",
+    ruleId: "CRED001",
+    regex: /['"`](pscale_pw_[a-zA-Z0-9_]{20,})['"`]/,
+    severity: "critical",
+    message: "PlanetScale database password hardcoded",
+    suggestion: "Use process.env.DATABASE_PASSWORD or PlanetScale connection string from env.",
+    confidence: 98,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  {
+    name: "neon-connection-string",
+    ruleId: "CRED005",
+    regex: /['"`]postgres(?:ql)?:\/\/[^'"`]*\.neon\.tech[^'"`]*['"`]/i,
+    severity: "critical",
+    message: "Neon database connection string hardcoded",
+    suggestion: "Use process.env.DATABASE_URL",
+    confidence: 95,
+    flagInTests: false,
+    skipInExamples: true
+  },
+  {
+    name: "turso-auth-token",
+    ruleId: "CRED001",
+    regex: /(?:TURSO_AUTH_TOKEN|authToken)\s*[:=]\s*['"`](eyJ[a-zA-Z0-9_-]{20,}\.[a-zA-Z0-9_-]{20,})['"`]/i,
+    severity: "critical",
+    message: "Turso database auth token hardcoded",
+    suggestion: "Use process.env.TURSO_AUTH_TOKEN",
+    confidence: 92,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  {
+    name: "upstash-redis-token",
+    ruleId: "CRED001",
+    regex: /(?:UPSTASH_REDIS_REST_TOKEN|upstash.*token)\s*[:=]\s*['"`]([A-Za-z0-9]{20,})['"`]/i,
+    severity: "critical",
+    message: "Upstash Redis REST token hardcoded",
+    suggestion: "Use process.env.UPSTASH_REDIS_REST_TOKEN",
+    confidence: 88,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  {
+    name: "databricks-token",
+    ruleId: "CRED001",
+    regex: /['"`](dapi[a-f0-9]{32})['"`]/,
+    severity: "critical",
+    message: "Databricks API token hardcoded",
+    suggestion: "Use process.env.DATABRICKS_TOKEN",
+    confidence: 96,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  {
+    name: "telegram-bot-token",
+    ruleId: "CRED001",
+    regex: /['"`](\d{8,10}:[A-Za-z0-9_-]{35})['"`]/,
+    severity: "critical",
+    message: "Telegram bot token hardcoded",
+    suggestion: "Use process.env.TELEGRAM_BOT_TOKEN",
+    confidence: 92,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  {
+    name: "postmark-server-token",
+    ruleId: "CRED001",
+    regex: /['"`]([a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12})['"`](?=.*(?:postmark|POSTMARK))/i,
+    severity: "critical",
+    message: "Postmark server token hardcoded",
+    suggestion: "Use process.env.POSTMARK_SERVER_TOKEN",
+    confidence: 85,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  {
+    name: "mailgun-api-key",
+    ruleId: "CRED001",
+    regex: /['"`](key-[a-f0-9]{32})['"`]/,
+    severity: "critical",
+    message: "Mailgun API key hardcoded",
+    suggestion: "Use process.env.MAILGUN_API_KEY",
+    confidence: 95,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  {
+    name: "algolia-admin-key",
+    ruleId: "CRED001",
+    regex: /['"`]([a-f0-9]{32})['"`](?=.*(?:algolia|ALGOLIA).*(?:admin|ADMIN))/i,
+    severity: "critical",
+    message: "Algolia admin API key hardcoded",
+    suggestion: "Use process.env.ALGOLIA_ADMIN_API_KEY. Use search-only keys client-side.",
+    confidence: 82,
+    flagInTests: true,
+    skipInExamples: false
+  },
+  {
+    name: "sentry-dsn",
+    ruleId: "CRED001",
+    regex: /['"`](https:\/\/[a-f0-9]{32}@[a-z0-9]+\.ingest\.sentry\.io\/\d+)['"`]/,
+    severity: "medium",
+    message: "Sentry DSN hardcoded \u2014 consider using env var for environment-specific DSNs",
+    suggestion: "Use process.env.SENTRY_DSN (or NEXT_PUBLIC_SENTRY_DSN for client-side).",
+    confidence: 85,
+    flagInTests: false,
+    skipInExamples: true
+  },
+  {
+    name: "posthog-api-key",
+    ruleId: "CRED001",
+    regex: /['"`](phc_[a-zA-Z0-9]{20,})['"`]/,
+    severity: "medium",
+    message: "PostHog API key hardcoded \u2014 use env var for environment isolation",
+    suggestion: "Use process.env.NEXT_PUBLIC_POSTHOG_KEY",
+    confidence: 90,
+    flagInTests: false,
+    skipInExamples: true
+  },
+  // ── URL-embedded credentials ──
+  {
+    name: "url-embedded-credentials",
+    ruleId: "CRED006",
+    regex: /['"`]https?:\/\/[^'"`\s]*:[^'"`\s@]*@[^'"`\s]+['"`]/,
+    severity: "high",
+    message: "URL contains embedded credentials (user:password@host)",
+    suggestion: "Move credentials to environment variables. Use URL without auth: https://host/path",
+    confidence: 85,
+    flagInTests: false,
+    skipInExamples: true
+  }
+];
+var CredentialsEngine = class {
+  id = "credentials";
+  async scan(delta, signal) {
+    if (signal?.aborted) return [];
+    const uri = delta.documentUri;
+    const source = delta.fullText;
+    if (!source.includes("'") && !source.includes('"') && !source.includes("`") && !source.includes("-----BEGIN ") && !/(?:sk_live_|sk_test_|pk_live_|AKIA|ghp_|gho_|xox[bpoas]-|sk-ant-|npm_|hf_)/i.test(source)) return [];
+    const credLang = inferCredentialLang(delta);
+    const isTest = isTestFile(uri);
+    const isExample = isExampleFile(uri);
+    const critical = isCriticalPath(uri);
+    const findings = [];
+    const lines = delta.lines ?? source.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+      if (signal?.aborted) break;
+      const line = lines[i];
+      const trimmed = line.trim();
+      if (trimmed.startsWith("//") || trimmed.startsWith("*") || trimmed.startsWith("#") || credLang === "python" && (trimmed.startsWith('"""') || trimmed.startsWith("'''"))) {
+        continue;
+      }
+      for (const pattern of PATTERNS) {
+        if (isTest && !pattern.flagInTests) continue;
+        if (isExample && pattern.skipInExamples) continue;
+        const match = pattern.regex.exec(line);
+        if (!match) continue;
+        if (/^\s*\w+\s*[?]?\s*:\s*(?:string|number|boolean|any|unknown|Record|Partial|Required)/.test(line)) continue;
+        if (/\(\s*\w+\s*:\s*(?:string|any)/.test(line)) continue;
+        if (pattern.ruleId !== "CRED001" && pattern.ruleId !== "CRED004") {
+          if (/process\.env\.|import\.meta\.env\.|config\.|getenv|dotenv/.test(line)) continue;
+        }
+        if (pattern.ruleId === "CRED002" || pattern.ruleId === "CRED003") {
+          const val = match[1] ?? "";
+          if (!val) continue;
+          if (isFakeCredentialValue(val)) continue;
+          if (/(?:type\s|interface\s|Schema|schema|zod\.|z\.|yup\.|joi\.|@param|@type|PropTypes)/.test(line)) continue;
+          if (/(?:expect|assert|should|toBe|toEqual|toMatch|describe|it\s*\()/.test(line)) continue;
+        }
+        if (pattern.name === "generic-password") {
+          const val = match[1] ?? "";
+          if (!val || val.length < 6) continue;
+          if (isFakeCredentialValue(val)) continue;
+          if (/password\s*:\s*(?:string|undefined|null|boolean)/.test(line)) continue;
+        }
+        if (pattern.name === "generic-secret") {
+          const val = match[1] ?? "";
+          if (!val || /^[a-z_]+$/i.test(val)) continue;
+          if (isFakeCredentialValue(val)) continue;
+          if (/\w+\(|\w+\.\w+/.test(val)) continue;
+        }
+        if (pattern.ruleId === "CRED005" || pattern.ruleId === "CRED006") {
+          if (/\$\{|<.*>|YOUR_|REPLACE|TODO|localhost/.test(line)) continue;
+          if (/example/i.test(line) && !/example\.(?:com|org|net|io)/i.test(line)) continue;
+        }
+        findings.push({
+          id: deterministicId(uri, i + 1, pattern.ruleId, pattern.name),
+          engine: "credentials",
+          severity: escalate(pattern.severity, critical),
+          category: "credentials",
+          file: uri,
+          line: i + 1,
+          column: match.index ?? 0,
+          message: pattern.message,
+          evidence: maskEvidence(trimmed),
+          suggestion: localizeCredentialSuggestion(pattern.suggestion, credLang),
+          confidence: pattern.confidence / 100,
+          autoFixable: false,
+          ruleId: pattern.ruleId
+        });
+      }
+    }
+    return findings;
+  }
+};
+
+export { CredentialsEngine };