npm - agentmask - Versions diffs - 0.1.0 - Mend

agentmask 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (27) hide show

package/LICENSE +21 -0
package/README.md +165 -0
package/dist/chunk-2H7UOFLK.js +11 -0
package/dist/chunk-2H7UOFLK.js.map +1 -0
package/dist/chunk-F7TMT2OH.js +96 -0
package/dist/chunk-F7TMT2OH.js.map +1 -0
package/dist/chunk-P7BRPZBB.js +211 -0
package/dist/chunk-P7BRPZBB.js.map +1 -0
package/dist/chunk-Q7ZBIDBL.js +58 -0
package/dist/chunk-Q7ZBIDBL.js.map +1 -0
package/dist/chunk-YASOHGJL.js +44 -0
package/dist/chunk-YASOHGJL.js.map +1 -0
package/dist/cli.js +433 -0
package/dist/cli.js.map +1 -0
package/dist/index.js +410 -0
package/dist/index.js.map +1 -0
package/dist/post-scan-PZBRRZS6.js +50 -0
package/dist/post-scan-PZBRRZS6.js.map +1 -0
package/dist/pre-bash-CQ6UYBND.js +75 -0
package/dist/pre-bash-CQ6UYBND.js.map +1 -0
package/dist/pre-read-4YE6QMWV.js +49 -0
package/dist/pre-read-4YE6QMWV.js.map +1 -0
package/dist/pre-write-EBMADS22.js +53 -0
package/dist/pre-write-EBMADS22.js.map +1 -0
package/dist/server-3SUDWIDY.js +13944 -0
package/dist/server-3SUDWIDY.js.map +1 -0
package/package.json +63 -0

package/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2026 agentmask contributors
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md ADDED Viewed

@@ -0,0 +1,165 @@
+# agentmask
+Mask your secrets from AI coding agents. One command. Zero friction.
+agentmask prevents Claude Code (and other AI coding assistants) from reading, leaking, or committing your secrets. It works through three reinforcing layers:
+1. **Block** — Hooks that prevent secret files from being read and secret values from being written
+2. **Redirect** — An MCP server that provides redacted file access so the agent can still work
+3. **Instruct** — Behavioral rules that teach the agent to prefer safe alternatives
+## Quickstart
+```bash
+npm install -g agentmask
+cd your-project
+agentmask init
+```
+`init` scans your entire repository for secrets, builds a blocklist of every file containing them, and installs hooks + MCP server + behavioral rules. Secrets are blocked before they ever enter the AI's context.
+## What It Does
+| Scenario | What Happens |
+|----------|-------------|
+| Claude tries to `Read .env` | **Blocked.** Static pattern match. Redirected to `safe_read`. |
+| Claude tries to read `src/config.ts` (has hardcoded AWS key) | **Blocked.** Found by init scan, in blocklist. Redirected to `safe_read`. |
+| Claude writes `sk_live_...` into source code | **Blocked.** Content scan catches it. Told to use env var instead. |
+| Claude runs `cat .env` via Bash | **Blocked.** Command pattern match. |
+| Claude runs `git commit` with secrets in staged files | **Blocked.** Pre-commit scan. Shown file:line of each secret. |
+| Claude reads a new file with a secret (not yet in blocklist) | **Warned + auto-blocklisted.** First read leaks, every subsequent read is blocked. |
+| Claude does normal coding (90%+ of operations) | **No effect.** Sub-50ms hook, completely invisible. |
+## How It Works
+```
+agentmask init
+    │
+    ├── Scans entire repo for secrets (Tier 1 rules — zero false positives)
+    ├── .claude/agentmask-blocklist.json  ← files containing detected secrets
+    ├── .claude/settings.local.json       ← PreToolUse + PostToolUse hooks
+    ├── .claude/rules/agentmask.md        ← behavioral rules for Claude
+    └── .mcp.json                         ← MCP server registration
+```
+**Layer 1 — Block (Hooks):**
+PreToolUse hooks intercept every Read, Bash, Write, and Edit call. Pre-read checks two things: static file patterns (`.env`, `*.pem`, etc.) and the dynamic blocklist (files where secrets were found by the init scan or by post-scan at runtime). If matched, the operation is blocked and Claude receives guidance to use `safe_read`.
+**Layer 2 — Redirect (MCP Server):**
+When a read is blocked, Claude is directed to the `safe_read` MCP tool, which returns the file content with secrets replaced:
+```
+DATABASE_URL=postgresql://****:****@db.example.com:5432/myapp
+API_KEY=[REDACTED:28_chars]
+DEBUG=true          ← non-secret values kept as-is
+PORT=3000           ← non-secret values kept as-is
+```
+**Layer 3 — Instruct (Rules):**
+A `.claude/rules/agentmask.md` file teaches Claude to prefer safe tools and never output raw secret values.
+## The Blocklist
+The blocklist (`.claude/agentmask-blocklist.json`) is the key to blocking secrets before they enter context:
+- **Built at init time** — `agentmask init` scans every file in the repo using Tier 1 rules (provider-specific patterns with zero false positives)
+- **Updated at runtime** — if post-scan detects a secret in a file that wasn't in the blocklist, it's added automatically
+- **Checked on every read** — pre-read hook looks up the file in the blocklist before allowing the read
+- **Re-run `agentmask init`** anytime to rescan (e.g., after pulling new code)
+- **`agentmask allow-path`** removes a file from the blocklist (after you've fixed the secret)
+## Detection
+Detection is powered by [gitleaks](https://github.com/gitleaks/gitleaks) — **150+ battle-tested rules** covering AWS, GitHub, Stripe, Google, GCP, Slack, SendGrid, Shopify, OpenAI, Anthropic, GitLab, Twilio, PEM keys, JWTs, database connection strings, and many more providers.
+agentmask auto-downloads gitleaks if it's not already installed. No detection rules to maintain — when gitleaks updates, agentmask benefits automatically.
+**Requires:** `gitleaks` (auto-installed) or `brew install gitleaks`
+## Commands
+```bash
+agentmask init              # Scan repo, build blocklist, install hooks + MCP + rules
+agentmask init --team       # Write to shared .claude/settings.json (committed to git)
+agentmask remove            # Remove everything cleanly (hooks, rules, MCP, blocklist)
+agentmask scan [path]       # Scan files for secrets (report only)
+agentmask scan --staged     # Scan git staged files
+agentmask scan --json       # JSON output for CI/CD
+agentmask allow-path "p"    # Allowlist a path + remove from blocklist
+agentmask allow-value "v"   # Allowlist a specific value
+agentmask serve             # Start the MCP server (called automatically)
+```
+## MCP Tools
+When the MCP server is running, Claude Code has access to:
+| Tool | Description |
+|------|-------------|
+| `safe_read` | Read a file with secrets redacted |
+| `env_names` | List .env variable names and types without values |
+| `scan_file` | Scan a file for secrets (explicit security review) |
+| `scan_staged` | Scan git staging area before committing |
+## Configuration
+Create `.agentmask.toml` in your project root:
+```toml
+# Add custom blocked file patterns
+[scan]
+blocked_paths = [".env.custom", "**/my-secrets.yml"]
+# Allowlist paths (e.g., test fixtures with dummy secrets)
+[[allowlists]]
+paths = ["tests/**", "**/*.test.ts", "fixtures/**"]
+description = "Test files may contain dummy secrets"
+# Allowlist specific values
+[[allowlists]]
+stopwords = ["EXAMPLE_KEY_12345"]
+description = "Known test values"
+```
+## False Positives
+If agentmask blocks something it shouldn't:
+```bash
+# Allowlist a path pattern (also removes from blocklist)
+agentmask allow-path "tests/**"
+# Allowlist a specific value
+agentmask allow-value "EXAMPLE_KEY_12345"
+```
+These write to `.agentmask.toml` in your project root.
+## What It Cannot Do
+- **First read of a brand-new secret file** still enters context — post-scan catches it and blocklists it, so subsequent reads are blocked. This is unavoidable without reading every file before Claude does.
+- **Cannot catch every bash command** that accesses secrets (covers `cat .env`, `printenv`, etc. but not `node -e "console.log(process.env.X)"`)
+- **Cannot prevent Claude from saying a secret** in chat output (hooks only cover tool calls)
+- **Cannot validate** whether a detected secret is real or dummy without network calls
+- If agentmask crashes, it **degrades gracefully** — the operation proceeds (never blocks your work due to a bug)
+## Graceful Degradation
+agentmask is designed to never block your work due to its own failure:
+- Hook crashes → exit code 1 → Claude Code treats as non-blocking warning
+- MCP server crashes → Claude falls back to built-in Read/Write
+- Malformed input → allow, don't block
+- 4-second safety timeout on every hook (Claude Code's limit is 5s)
+## Protected File Patterns
+By default, agentmask blocks direct reading of these patterns (static, always active):
+`.env`, `.env.*`, `credentials.json`, `serviceAccountKey.json`, `*.pem`, `*.key`, `*.p12`, `*.pfx`, `id_rsa`, `id_ed25519`, `.netrc`, `.npmrc`, `.pypirc`, `.docker/config.json`, `.kube/config`, `.aws/credentials`, `.azure/credentials`, `.gcloud/*.json`, `secrets.yml`, `secrets.yaml`, `secrets.json`, `.htpasswd`
+In addition, `agentmask init` scans all other files and blocklists any that contain secrets.
+## License
+MIT

package/dist/chunk-2H7UOFLK.js ADDED Viewed

@@ -0,0 +1,11 @@
+#!/usr/bin/env node
+var __defProp = Object.defineProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+export {
+  __export
+};
+//# sourceMappingURL=chunk-2H7UOFLK.js.map

package/dist/chunk-2H7UOFLK.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/dist/chunk-F7TMT2OH.js ADDED Viewed

@@ -0,0 +1,96 @@
+#!/usr/bin/env node
+// src/hooks/blocklist.ts
+import { existsSync, readFileSync, writeFileSync, mkdirSync, unlinkSync } from "fs";
+import { join, dirname, resolve } from "path";
+var BLOCKLIST_FILENAME = "agentmask-blocklist.json";
+function getBlocklistPath(cwd) {
+  return join(cwd, ".claude", BLOCKLIST_FILENAME);
+}
+function loadBlocklist(cwd) {
+  const filePath = getBlocklistPath(cwd);
+  try {
+    if (existsSync(filePath)) {
+      return JSON.parse(readFileSync(filePath, "utf-8"));
+    }
+  } catch {
+  }
+  return { files: {} };
+}
+function saveBlocklist(cwd, data) {
+  const filePath = getBlocklistPath(cwd);
+  mkdirSync(dirname(filePath), { recursive: true });
+  writeFileSync(filePath, JSON.stringify(data, null, 2) + "\n");
+}
+function isInBlocklist(filePath, cwd) {
+  const data = loadBlocklist(cwd);
+  const normalized = filePath.replace(/\\/g, "/");
+  if (data.files[normalized]) return data.files[normalized];
+  const resolved = resolve(cwd, filePath).replace(/\\/g, "/");
+  const cwdNorm = cwd.replace(/\\/g, "/");
+  const relative = resolved.startsWith(cwdNorm + "/") ? resolved.slice(cwdNorm.length + 1) : null;
+  if (relative && data.files[relative]) return data.files[relative];
+  for (const [blockedPath, entry] of Object.entries(data.files)) {
+    if (normalized.endsWith("/" + blockedPath) || normalized === blockedPath) {
+      return entry;
+    }
+    if (resolved.endsWith("/" + blockedPath) || resolved === blockedPath) {
+      return entry;
+    }
+  }
+  return void 0;
+}
+function addToBlocklist(filePath, secretDescriptions, cwd) {
+  const data = loadBlocklist(cwd);
+  const normalized = filePath.replace(/\\/g, "/");
+  const resolved = resolve(cwd, normalized).replace(/\\/g, "/");
+  const cwdNorm = cwd.replace(/\\/g, "/");
+  const key = resolved.startsWith(cwdNorm + "/") ? resolved.slice(cwdNorm.length + 1) : normalized;
+  const existing = data.files[key];
+  if (existing) {
+    const newSecrets = secretDescriptions.filter(
+      (s) => !existing.secrets.includes(s)
+    );
+    existing.secrets.push(...newSecrets);
+    existing.addedAt = (/* @__PURE__ */ new Date()).toISOString();
+  } else {
+    data.files[key] = {
+      secrets: secretDescriptions,
+      addedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  saveBlocklist(cwd, data);
+}
+function removeFromBlocklist(filePath, cwd) {
+  const data = loadBlocklist(cwd);
+  const normalized = filePath.replace(/\\/g, "/");
+  if (data.files[normalized]) {
+    delete data.files[normalized];
+    saveBlocklist(cwd, data);
+    return true;
+  }
+  const resolved = resolve(cwd, filePath).replace(/\\/g, "/");
+  const cwdNorm = cwd.replace(/\\/g, "/");
+  const relative = resolved.startsWith(cwdNorm + "/") ? resolved.slice(cwdNorm.length + 1) : null;
+  if (relative && data.files[relative]) {
+    delete data.files[relative];
+    saveBlocklist(cwd, data);
+    return true;
+  }
+  for (const key of Object.keys(data.files)) {
+    if (normalized.endsWith("/" + key) || normalized === key) {
+      delete data.files[key];
+      saveBlocklist(cwd, data);
+      return true;
+    }
+  }
+  return false;
+}
+export {
+  saveBlocklist,
+  isInBlocklist,
+  addToBlocklist,
+  removeFromBlocklist
+};
+//# sourceMappingURL=chunk-F7TMT2OH.js.map

package/dist/chunk-F7TMT2OH.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/hooks/blocklist.ts"],"sourcesContent":["import { existsSync, readFileSync, writeFileSync, mkdirSync, unlinkSync } from \"node:fs\";\nimport { join, dirname, resolve } from \"node:path\";\n\n/**\n * Dynamic blocklist — files where secrets have been detected.\n *\n * Built at init time by scanning the entire repo (Tier 1 rules only).\n * Updated at runtime by post-scan when secrets are found in new files.\n * Checked by pre-read to block files before they enter context.\n */\n\nexport interface BlocklistEntry {\n secrets: string[];\n addedAt: string;\n}\n\nexport interface BlocklistData {\n /** Map of relative file path → entry */\n files: Record<string, BlocklistEntry>;\n}\n\nconst BLOCKLIST_FILENAME = \"agentmask-blocklist.json\";\n\nexport function getBlocklistPath(cwd: string): string {\n return join(cwd, \".claude\", BLOCKLIST_FILENAME);\n}\n\nexport function loadBlocklist(cwd: string): BlocklistData {\n const filePath = getBlocklistPath(cwd);\n try {\n if (existsSync(filePath)) {\n return JSON.parse(readFileSync(filePath, \"utf-8\"));\n }\n } catch {\n // Corrupted — start fresh\n }\n return { files: {} };\n}\n\nexport function saveBlocklist(cwd: string, data: BlocklistData): void {\n const filePath = getBlocklistPath(cwd);\n mkdirSync(dirname(filePath), { recursive: true });\n writeFileSync(filePath, JSON.stringify(data, null, 2) + \"\\n\");\n}\n\n/**\n * Check if a file path is in the dynamic blocklist.\n * Matches by exact relative path or by filename suffix.\n */\nexport function isInBlocklist(\n filePath: string,\n cwd: string,\n): BlocklistEntry | undefined {\n const data = loadBlocklist(cwd);\n const normalized = filePath.replace(/\\\\/g, \"/\");\n\n // Try exact match\n if (data.files[normalized]) return data.files[normalized];\n\n // Try relative to cwd\n const resolved = resolve(cwd, filePath).replace(/\\\\/g, \"/\");\n const cwdNorm = cwd.replace(/\\\\/g, \"/\");\n const relative = resolved.startsWith(cwdNorm + \"/\")\n ? resolved.slice(cwdNorm.length + 1)\n : null;\n if (relative && data.files[relative]) return data.files[relative];\n\n // Try matching by suffix (handles absolute vs relative path differences)\n for (const [blockedPath, entry] of Object.entries(data.files)) {\n if (normalized.endsWith(\"/\" + blockedPath) || normalized === blockedPath) {\n return entry;\n }\n if (resolved.endsWith(\"/\" + blockedPath) || resolved === blockedPath) {\n return entry;\n }\n }\n\n return undefined;\n}\n\n/**\n * Add a file to the blocklist.\n */\nexport function addToBlocklist(\n filePath: string,\n secretDescriptions: string[],\n cwd: string,\n): void {\n const data = loadBlocklist(cwd);\n const normalized = filePath.replace(/\\\\/g, \"/\");\n\n // Make path relative to cwd if possible\n const resolved = resolve(cwd, normalized).replace(/\\\\/g, \"/\");\n const cwdNorm = cwd.replace(/\\\\/g, \"/\");\n const key = resolved.startsWith(cwdNorm + \"/\")\n ? resolved.slice(cwdNorm.length + 1)\n : normalized;\n\n const existing = data.files[key];\n if (existing) {\n const newSecrets = secretDescriptions.filter(\n (s) => !existing.secrets.includes(s),\n );\n existing.secrets.push(...newSecrets);\n existing.addedAt = new Date().toISOString();\n } else {\n data.files[key] = {\n secrets: secretDescriptions,\n addedAt: new Date().toISOString(),\n };\n }\n\n saveBlocklist(cwd, data);\n}\n\n/**\n * Remove a file from the blocklist.\n */\nexport function removeFromBlocklist(filePath: string, cwd: string): boolean {\n const data = loadBlocklist(cwd);\n const normalized = filePath.replace(/\\\\/g, \"/\");\n\n // Try exact key\n if (data.files[normalized]) {\n delete data.files[normalized];\n saveBlocklist(cwd, data);\n return true;\n }\n\n // Try relative resolution\n const resolved = resolve(cwd, filePath).replace(/\\\\/g, \"/\");\n const cwdNorm = cwd.replace(/\\\\/g, \"/\");\n const relative = resolved.startsWith(cwdNorm + \"/\")\n ? resolved.slice(cwdNorm.length + 1)\n : null;\n if (relative && data.files[relative]) {\n delete data.files[relative];\n saveBlocklist(cwd, data);\n return true;\n }\n\n // Try suffix match\n for (const key of Object.keys(data.files)) {\n if (normalized.endsWith(\"/\" + key) || normalized === key) {\n delete data.files[key];\n saveBlocklist(cwd, data);\n return true;\n }\n }\n\n return false;\n}\n\n/**\n * Delete the blocklist file entirely.\n */\nexport function deleteBlocklist(cwd: string): boolean {\n const filePath = getBlocklistPath(cwd);\n if (existsSync(filePath)) {\n unlinkSync(filePath);\n return true;\n }\n return false;\n}\n"],"mappings":";;;AAAA,SAAS,YAAY,cAAc,eAAe,WAAW,kBAAkB;AAC/E,SAAS,MAAM,SAAS,eAAe;AAoBvC,IAAM,qBAAqB;AAEpB,SAAS,iBAAiB,KAAqB;AACpD,SAAO,KAAK,KAAK,WAAW,kBAAkB;AAChD;AAEO,SAAS,cAAc,KAA4B;AACxD,QAAM,WAAW,iBAAiB,GAAG;AACrC,MAAI;AACF,QAAI,WAAW,QAAQ,GAAG;AACxB,aAAO,KAAK,MAAM,aAAa,UAAU,OAAO,CAAC;AAAA,IACnD;AAAA,EACF,QAAQ;AAAA,EAER;AACA,SAAO,EAAE,OAAO,CAAC,EAAE;AACrB;AAEO,SAAS,cAAc,KAAa,MAA2B;AACpE,QAAM,WAAW,iBAAiB,GAAG;AACrC,YAAU,QAAQ,QAAQ,GAAG,EAAE,WAAW,KAAK,CAAC;AAChD,gBAAc,UAAU,KAAK,UAAU,MAAM,MAAM,CAAC,IAAI,IAAI;AAC9D;AAMO,SAAS,cACd,UACA,KAC4B;AAC5B,QAAM,OAAO,cAAc,GAAG;AAC9B,QAAM,aAAa,SAAS,QAAQ,OAAO,GAAG;AAG9C,MAAI,KAAK,MAAM,UAAU,EAAG,QAAO,KAAK,MAAM,UAAU;AAGxD,QAAM,WAAW,QAAQ,KAAK,QAAQ,EAAE,QAAQ,OAAO,GAAG;AAC1D,QAAM,UAAU,IAAI,QAAQ,OAAO,GAAG;AACtC,QAAM,WAAW,SAAS,WAAW,UAAU,GAAG,IAC9C,SAAS,MAAM,QAAQ,SAAS,CAAC,IACjC;AACJ,MAAI,YAAY,KAAK,MAAM,QAAQ,EAAG,QAAO,KAAK,MAAM,QAAQ;AAGhE,aAAW,CAAC,aAAa,KAAK,KAAK,OAAO,QAAQ,KAAK,KAAK,GAAG;AAC7D,QAAI,WAAW,SAAS,MAAM,WAAW,KAAK,eAAe,aAAa;AACxE,aAAO;AAAA,IACT;AACA,QAAI,SAAS,SAAS,MAAM,WAAW,KAAK,aAAa,aAAa;AACpE,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;AAKO,SAAS,eACd,UACA,oBACA,KACM;AACN,QAAM,OAAO,cAAc,GAAG;AAC9B,QAAM,aAAa,SAAS,QAAQ,OAAO,GAAG;AAG9C,QAAM,WAAW,QAAQ,KAAK,UAAU,EAAE,QAAQ,OAAO,GAAG;AAC5D,QAAM,UAAU,IAAI,QAAQ,OAAO,GAAG;AACtC,QAAM,MAAM,SAAS,WAAW,UAAU,GAAG,IACzC,SAAS,MAAM,QAAQ,SAAS,CAAC,IACjC;AAEJ,QAAM,WAAW,KAAK,MAAM,GAAG;AAC/B,MAAI,UAAU;AACZ,UAAM,aAAa,mBAAmB;AAAA,MACpC,CAAC,MAAM,CAAC,SAAS,QAAQ,SAAS,CAAC;AAAA,IACrC;AACA,aAAS,QAAQ,KAAK,GAAG,UAAU;AACnC,aAAS,WAAU,oBAAI,KAAK,GAAE,YAAY;AAAA,EAC5C,OAAO;AACL,SAAK,MAAM,GAAG,IAAI;AAAA,MAChB,SAAS;AAAA,MACT,UAAS,oBAAI,KAAK,GAAE,YAAY;AAAA,IAClC;AAAA,EACF;AAEA,gBAAc,KAAK,IAAI;AACzB;AAKO,SAAS,oBAAoB,UAAkB,KAAsB;AAC1E,QAAM,OAAO,cAAc,GAAG;AAC9B,QAAM,aAAa,SAAS,QAAQ,OAAO,GAAG;AAG9C,MAAI,KAAK,MAAM,UAAU,GAAG;AAC1B,WAAO,KAAK,MAAM,UAAU;AAC5B,kBAAc,KAAK,IAAI;AACvB,WAAO;AAAA,EACT;AAGA,QAAM,WAAW,QAAQ,KAAK,QAAQ,EAAE,QAAQ,OAAO,GAAG;AAC1D,QAAM,UAAU,IAAI,QAAQ,OAAO,GAAG;AACtC,QAAM,WAAW,SAAS,WAAW,UAAU,GAAG,IAC9C,SAAS,MAAM,QAAQ,SAAS,CAAC,IACjC;AACJ,MAAI,YAAY,KAAK,MAAM,QAAQ,GAAG;AACpC,WAAO,KAAK,MAAM,QAAQ;AAC1B,kBAAc,KAAK,IAAI;AACvB,WAAO;AAAA,EACT;AAGA,aAAW,OAAO,OAAO,KAAK,KAAK,KAAK,GAAG;AACzC,QAAI,WAAW,SAAS,MAAM,GAAG,KAAK,eAAe,KAAK;AACxD,aAAO,KAAK,MAAM,GAAG;AACrB,oBAAc,KAAK,IAAI;AACvB,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;","names":[]}

package/dist/chunk-P7BRPZBB.js ADDED Viewed

@@ -0,0 +1,211 @@
+#!/usr/bin/env node
+// src/gitleaks/runner.ts
+import { execFileSync } from "child_process";
+import { readFileSync, writeFileSync, mkdirSync as mkdirSync2, unlinkSync as unlinkSync2, rmSync } from "fs";
+import { join as join2 } from "path";
+import { tmpdir } from "os";
+import { randomBytes } from "crypto";
+// src/gitleaks/binary.ts
+import { existsSync, mkdirSync, chmodSync, createWriteStream, unlinkSync } from "fs";
+import { join } from "path";
+import { execSync } from "child_process";
+import { pipeline } from "stream/promises";
+import { extract } from "tar";
+var GITLEAKS_VERSION = "8.22.1";
+var CACHE_DIR = join(
+  process.env.HOME ?? process.env.USERPROFILE ?? "/tmp",
+  ".agentmask",
+  "bin"
+);
+async function getGitleaksBinary() {
+  const systemBin = findInPath();
+  if (systemBin) return systemBin;
+  const cachedBin = join(CACHE_DIR, "gitleaks");
+  if (existsSync(cachedBin)) return cachedBin;
+  console.log(`gitleaks not found. Downloading v${GITLEAKS_VERSION}...`);
+  await downloadGitleaks(cachedBin);
+  return cachedBin;
+}
+function findInPath() {
+  try {
+    const path = execSync("which gitleaks", {
+      encoding: "utf-8",
+      stdio: ["pipe", "pipe", "pipe"]
+    }).trim();
+    if (path && existsSync(path)) return path;
+  } catch {
+  }
+  return null;
+}
+async function downloadGitleaks(destPath) {
+  const { platform, arch } = getPlatformArch();
+  const filename = `gitleaks_${GITLEAKS_VERSION}_${platform}_${arch}.tar.gz`;
+  const url = `https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/${filename}`;
+  mkdirSync(CACHE_DIR, { recursive: true });
+  const tmpTarball = join(CACHE_DIR, `gitleaks-download.tar.gz`);
+  try {
+    const response = await fetch(url, { redirect: "follow" });
+    if (!response.ok || !response.body) {
+      throw new Error(`Download failed: ${response.status} ${response.statusText}`);
+    }
+    const fileStream = createWriteStream(tmpTarball);
+    await pipeline(response.body, fileStream);
+    await extract({
+      file: tmpTarball,
+      cwd: CACHE_DIR,
+      filter: (path) => path === "gitleaks"
+    });
+    chmodSync(destPath, 493);
+    console.log(`  Downloaded gitleaks v${GITLEAKS_VERSION} \u2192 ${destPath}`);
+  } finally {
+    try {
+      unlinkSync(tmpTarball);
+    } catch {
+    }
+  }
+}
+function getPlatformArch() {
+  const platform = process.platform === "darwin" ? "darwin" : process.platform === "linux" ? "linux" : process.platform === "win32" ? "windows" : process.platform;
+  const arch = process.arch === "arm64" ? "arm64" : process.arch === "x64" ? "x64" : process.arch;
+  return { platform, arch };
+}
+// src/gitleaks/runner.ts
+async function scanDir(dirPath, options) {
+  const bin = await getGitleaksBinary();
+  const reportPath = tempPath("agentmask-report", ".json");
+  try {
+    const args = [
+      "dir",
+      dirPath,
+      "--report-format",
+      "json",
+      "--report-path",
+      reportPath,
+      "--no-banner",
+      "--exit-code",
+      "0"
+    ];
+    if (options?.configPath) {
+      args.push("--config", options.configPath);
+    }
+    execFileSync(bin, args, {
+      encoding: "utf-8",
+      stdio: ["pipe", "pipe", "pipe"],
+      timeout: 6e4
+    });
+    return readReport(reportPath);
+  } finally {
+    tryUnlink(reportPath);
+  }
+}
+async function scanFile(filePath) {
+  const bin = await getGitleaksBinary();
+  const reportPath = tempPath("agentmask-report", ".json");
+  try {
+    execFileSync(bin, [
+      "dir",
+      filePath,
+      "--report-format",
+      "json",
+      "--report-path",
+      reportPath,
+      "--no-banner",
+      "--exit-code",
+      "0"
+    ], {
+      encoding: "utf-8",
+      stdio: ["pipe", "pipe", "pipe"],
+      timeout: 1e4
+    });
+    return readReport(reportPath);
+  } finally {
+    tryUnlink(reportPath);
+  }
+}
+async function scanContent(content, filename) {
+  const bin = await getGitleaksBinary();
+  const scanDir2 = join2(tmpdir(), `agentmask-scan-${randomBytes(4).toString("hex")}`);
+  const scanFile2 = join2(scanDir2, filename ?? "content.txt");
+  const reportPath = tempPath("agentmask-report", ".json");
+  try {
+    mkdirSync2(scanDir2, { recursive: true });
+    writeFileSync(scanFile2, content);
+    execFileSync(bin, [
+      "dir",
+      scanDir2,
+      "--report-format",
+      "json",
+      "--report-path",
+      reportPath,
+      "--no-banner",
+      "--exit-code",
+      "0"
+    ], {
+      encoding: "utf-8",
+      stdio: ["pipe", "pipe", "pipe"],
+      timeout: 1e4
+    });
+    return readReport(reportPath);
+  } finally {
+    tryUnlink(reportPath);
+    try {
+      rmSync(scanDir2, { recursive: true, force: true });
+    } catch {
+    }
+  }
+}
+async function scanStaged(cwd) {
+  const bin = await getGitleaksBinary();
+  const reportPath = tempPath("agentmask-report", ".json");
+  try {
+    execFileSync(bin, [
+      "git",
+      "--staged",
+      "--report-format",
+      "json",
+      "--report-path",
+      reportPath,
+      "--no-banner",
+      "--exit-code",
+      "0"
+    ], {
+      cwd,
+      encoding: "utf-8",
+      stdio: ["pipe", "pipe", "pipe"],
+      timeout: 3e4
+    });
+    return readReport(reportPath);
+  } finally {
+    tryUnlink(reportPath);
+  }
+}
+function readReport(reportPath) {
+  try {
+    const raw = readFileSync(reportPath, "utf-8");
+    const findings = JSON.parse(raw);
+    return Array.isArray(findings) ? findings : [];
+  } catch {
+    return [];
+  }
+}
+function tempPath(prefix, ext) {
+  return join2(tmpdir(), `${prefix}-${randomBytes(4).toString("hex")}${ext}`);
+}
+function tryUnlink(path) {
+  try {
+    unlinkSync2(path);
+  } catch {
+  }
+}
+export {
+  getGitleaksBinary,
+  scanDir,
+  scanFile,
+  scanContent,
+  scanStaged
+};
+//# sourceMappingURL=chunk-P7BRPZBB.js.map

package/dist/chunk-P7BRPZBB.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/gitleaks/runner.ts","../src/gitleaks/binary.ts"],"sourcesContent":["import { execSync, execFileSync } from \"node:child_process\";\nimport { readFileSync, writeFileSync, mkdirSync, unlinkSync, rmSync } from \"node:fs\";\nimport { join } from \"node:path\";\nimport { tmpdir } from \"node:os\";\nimport { randomBytes } from \"node:crypto\";\nimport { getGitleaksBinary } from \"./binary.js\";\n\n/**\n * A single finding from gitleaks JSON output.\n */\nexport interface GitleaksFinding {\n RuleID: string;\n Description: string;\n StartLine: number;\n EndLine: number;\n StartColumn: number;\n EndColumn: number;\n Match: string;\n Secret: string;\n File: string;\n Entropy: number;\n Fingerprint: string;\n}\n\n/**\n * Scan a directory for secrets.\n */\nexport async function scanDir(\n dirPath: string,\n options?: { configPath?: string },\n): Promise<GitleaksFinding[]> {\n const bin = await getGitleaksBinary();\n const reportPath = tempPath(\"agentmask-report\", \".json\");\n\n try {\n const args = [\n \"dir\",\n dirPath,\n \"--report-format\", \"json\",\n \"--report-path\", reportPath,\n \"--no-banner\",\n \"--exit-code\", \"0\",\n ];\n if (options?.configPath) {\n args.push(\"--config\", options.configPath);\n }\n\n execFileSync(bin, args, {\n encoding: \"utf-8\",\n stdio: [\"pipe\", \"pipe\", \"pipe\"],\n timeout: 60_000,\n });\n\n return readReport(reportPath);\n } finally {\n tryUnlink(reportPath);\n }\n}\n\n/**\n * Scan a single file for secrets.\n */\nexport async function scanFile(filePath: string): Promise<GitleaksFinding[]> {\n const bin = await getGitleaksBinary();\n const reportPath = tempPath(\"agentmask-report\", \".json\");\n\n try {\n execFileSync(bin, [\n \"dir\",\n filePath,\n \"--report-format\", \"json\",\n \"--report-path\", reportPath,\n \"--no-banner\",\n \"--exit-code\", \"0\",\n ], {\n encoding: \"utf-8\",\n stdio: [\"pipe\", \"pipe\", \"pipe\"],\n timeout: 10_000,\n });\n\n return readReport(reportPath);\n } finally {\n tryUnlink(reportPath);\n }\n}\n\n/**\n * Scan arbitrary content by writing to a temp file.\n * Used by pre-write hook (scan content before it's written)\n * and post-scan hook (scan tool output).\n */\nexport async function scanContent(\n content: string,\n filename?: string,\n): Promise<GitleaksFinding[]> {\n const bin = await getGitleaksBinary();\n const scanDir = join(tmpdir(), `agentmask-scan-${randomBytes(4).toString(\"hex\")}`);\n const scanFile = join(scanDir, filename ?? \"content.txt\");\n const reportPath = tempPath(\"agentmask-report\", \".json\");\n\n try {\n mkdirSync(scanDir, { recursive: true });\n writeFileSync(scanFile, content);\n\n execFileSync(bin, [\n \"dir\",\n scanDir,\n \"--report-format\", \"json\",\n \"--report-path\", reportPath,\n \"--no-banner\",\n \"--exit-code\", \"0\",\n ], {\n encoding: \"utf-8\",\n stdio: [\"pipe\", \"pipe\", \"pipe\"],\n timeout: 10_000,\n });\n\n return readReport(reportPath);\n } finally {\n tryUnlink(reportPath);\n try { rmSync(scanDir, { recursive: true, force: true }); } catch {}\n }\n}\n\n/**\n * Scan git staged files for secrets.\n */\nexport async function scanStaged(cwd: string): Promise<GitleaksFinding[]> {\n const bin = await getGitleaksBinary();\n const reportPath = tempPath(\"agentmask-report\", \".json\");\n\n try {\n execFileSync(bin, [\n \"git\",\n \"--staged\",\n \"--report-format\", \"json\",\n \"--report-path\", reportPath,\n \"--no-banner\",\n \"--exit-code\", \"0\",\n ], {\n cwd,\n encoding: \"utf-8\",\n stdio: [\"pipe\", \"pipe\", \"pipe\"],\n timeout: 30_000,\n });\n\n return readReport(reportPath);\n } finally {\n tryUnlink(reportPath);\n }\n}\n\nfunction readReport(reportPath: string): GitleaksFinding[] {\n try {\n const raw = readFileSync(reportPath, \"utf-8\");\n const findings = JSON.parse(raw);\n return Array.isArray(findings) ? findings : [];\n } catch {\n return [];\n }\n}\n\nfunction tempPath(prefix: string, ext: string): string {\n return join(tmpdir(), `${prefix}-${randomBytes(4).toString(\"hex\")}${ext}`);\n}\n\nfunction tryUnlink(path: string): void {\n try { unlinkSync(path); } catch {}\n}\n","import { existsSync, mkdirSync, chmodSync, createWriteStream, unlinkSync } from \"node:fs\";\nimport { join } from \"node:path\";\nimport { execSync } from \"node:child_process\";\nimport { pipeline } from \"node:stream/promises\";\nimport { createGunzip } from \"node:zlib\";\nimport { extract } from \"tar\";\n\n/**\n * Pinned gitleaks version. Update this when testing against a new release.\n */\nconst GITLEAKS_VERSION = \"8.22.1\";\n\n/**\n * Where we cache the downloaded binary.\n */\nconst CACHE_DIR = join(\n process.env.HOME ?? process.env.USERPROFILE ?? \"/tmp\",\n \".agentmask\",\n \"bin\",\n);\n\n/**\n * Find the gitleaks binary. Checks in order:\n * 1. System PATH (user already has it installed)\n * 2. Our cache directory (previously downloaded)\n * 3. Downloads it automatically\n */\nexport async function getGitleaksBinary(): Promise<string> {\n // 1. Check system PATH\n const systemBin = findInPath();\n if (systemBin) return systemBin;\n\n // 2. Check cache\n const cachedBin = join(CACHE_DIR, \"gitleaks\");\n if (existsSync(cachedBin)) return cachedBin;\n\n // 3. Download\n console.log(`gitleaks not found. Downloading v${GITLEAKS_VERSION}...`);\n await downloadGitleaks(cachedBin);\n return cachedBin;\n}\n\n/**\n * Check if gitleaks is available without downloading.\n */\nexport function isGitleaksAvailable(): boolean {\n if (findInPath()) return true;\n const cachedBin = join(CACHE_DIR, \"gitleaks\");\n return existsSync(cachedBin);\n}\n\nfunction findInPath(): string | null {\n try {\n const path = execSync(\"which gitleaks\", {\n encoding: \"utf-8\",\n stdio: [\"pipe\", \"pipe\", \"pipe\"],\n }).trim();\n if (path && existsSync(path)) return path;\n } catch {\n // not in PATH\n }\n return null;\n}\n\nasync function downloadGitleaks(destPath: string): Promise<void> {\n const { platform, arch } = getPlatformArch();\n const filename = `gitleaks_${GITLEAKS_VERSION}_${platform}_${arch}.tar.gz`;\n const url = `https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/${filename}`;\n\n mkdirSync(CACHE_DIR, { recursive: true });\n\n // Download to temp file\n const tmpTarball = join(CACHE_DIR, `gitleaks-download.tar.gz`);\n\n try {\n const response = await fetch(url, { redirect: \"follow\" });\n if (!response.ok || !response.body) {\n throw new Error(`Download failed: ${response.status} ${response.statusText}`);\n }\n\n // Write tarball to disk\n const fileStream = createWriteStream(tmpTarball);\n // @ts-ignore - Node.js ReadableStream from fetch is compatible\n await pipeline(response.body, fileStream);\n\n // Extract the gitleaks binary from the tarball\n await extract({\n file: tmpTarball,\n cwd: CACHE_DIR,\n filter: (path) => path === \"gitleaks\",\n });\n\n // Make executable\n chmodSync(destPath, 0o755);\n\n console.log(` Downloaded gitleaks v${GITLEAKS_VERSION} → ${destPath}`);\n } finally {\n // Clean up tarball\n try {\n unlinkSync(tmpTarball);\n } catch {}\n }\n}\n\nfunction getPlatformArch(): { platform: string; arch: string } {\n const platform =\n process.platform === \"darwin\"\n ? \"darwin\"\n : process.platform === \"linux\"\n ? \"linux\"\n : process.platform === \"win32\"\n ? \"windows\"\n : process.platform;\n\n const arch =\n process.arch === \"arm64\"\n ? \"arm64\"\n : process.arch === \"x64\"\n ? \"x64\"\n : process.arch;\n\n return { platform, arch };\n}\n"],"mappings":";;;AAAA,SAAmB,oBAAoB;AACvC,SAAS,cAAc,eAAe,aAAAA,YAAW,cAAAC,aAAY,cAAc;AAC3E,SAAS,QAAAC,aAAY;AACrB,SAAS,cAAc;AACvB,SAAS,mBAAmB;;;ACJ5B,SAAS,YAAY,WAAW,WAAW,mBAAmB,kBAAkB;AAChF,SAAS,YAAY;AACrB,SAAS,gBAAgB;AACzB,SAAS,gBAAgB;AAEzB,SAAS,eAAe;AAKxB,IAAM,mBAAmB;AAKzB,IAAM,YAAY;AAAA,EAChB,QAAQ,IAAI,QAAQ,QAAQ,IAAI,eAAe;AAAA,EAC/C;AAAA,EACA;AACF;AAQA,eAAsB,oBAAqC;AAEzD,QAAM,YAAY,WAAW;AAC7B,MAAI,UAAW,QAAO;AAGtB,QAAM,YAAY,KAAK,WAAW,UAAU;AAC5C,MAAI,WAAW,SAAS,EAAG,QAAO;AAGlC,UAAQ,IAAI,oCAAoC,gBAAgB,KAAK;AACrE,QAAM,iBAAiB,SAAS;AAChC,SAAO;AACT;AAWA,SAAS,aAA4B;AACnC,MAAI;AACF,UAAM,OAAO,SAAS,kBAAkB;AAAA,MACtC,UAAU;AAAA,MACV,OAAO,CAAC,QAAQ,QAAQ,MAAM;AAAA,IAChC,CAAC,EAAE,KAAK;AACR,QAAI,QAAQ,WAAW,IAAI,EAAG,QAAO;AAAA,EACvC,QAAQ;AAAA,EAER;AACA,SAAO;AACT;AAEA,eAAe,iBAAiB,UAAiC;AAC/D,QAAM,EAAE,UAAU,KAAK,IAAI,gBAAgB;AAC3C,QAAM,WAAW,YAAY,gBAAgB,IAAI,QAAQ,IAAI,IAAI;AACjE,QAAM,MAAM,2DAA2D,gBAAgB,IAAI,QAAQ;AAEnG,YAAU,WAAW,EAAE,WAAW,KAAK,CAAC;AAGxC,QAAM,aAAa,KAAK,WAAW,0BAA0B;AAE7D,MAAI;AACF,UAAM,WAAW,MAAM,MAAM,KAAK,EAAE,UAAU,SAAS,CAAC;AACxD,QAAI,CAAC,SAAS,MAAM,CAAC,SAAS,MAAM;AAClC,YAAM,IAAI,MAAM,oBAAoB,SAAS,MAAM,IAAI,SAAS,UAAU,EAAE;AAAA,IAC9E;AAGA,UAAM,aAAa,kBAAkB,UAAU;AAE/C,UAAM,SAAS,SAAS,MAAM,UAAU;AAGxC,UAAM,QAAQ;AAAA,MACZ,MAAM;AAAA,MACN,KAAK;AAAA,MACL,QAAQ,CAAC,SAAS,SAAS;AAAA,IAC7B,CAAC;AAGD,cAAU,UAAU,GAAK;AAEzB,YAAQ,IAAI,0BAA0B,gBAAgB,WAAM,QAAQ,EAAE;AAAA,EACxE,UAAE;AAEA,QAAI;AACF,iBAAW,UAAU;AAAA,IACvB,QAAQ;AAAA,IAAC;AAAA,EACX;AACF;AAEA,SAAS,kBAAsD;AAC7D,QAAM,WACJ,QAAQ,aAAa,WACjB,WACA,QAAQ,aAAa,UACnB,UACA,QAAQ,aAAa,UACnB,YACA,QAAQ;AAElB,QAAM,OACJ,QAAQ,SAAS,UACb,UACA,QAAQ,SAAS,QACf,QACA,QAAQ;AAEhB,SAAO,EAAE,UAAU,KAAK;AAC1B;;;AD/FA,eAAsB,QACpB,SACA,SAC4B;AAC5B,QAAM,MAAM,MAAM,kBAAkB;AACpC,QAAM,aAAa,SAAS,oBAAoB,OAAO;AAEvD,MAAI;AACF,UAAM,OAAO;AAAA,MACX;AAAA,MACA;AAAA,MACA;AAAA,MAAmB;AAAA,MACnB;AAAA,MAAiB;AAAA,MACjB;AAAA,MACA;AAAA,MAAe;AAAA,IACjB;AACA,QAAI,SAAS,YAAY;AACvB,WAAK,KAAK,YAAY,QAAQ,UAAU;AAAA,IAC1C;AAEA,iBAAa,KAAK,MAAM;AAAA,MACtB,UAAU;AAAA,MACV,OAAO,CAAC,QAAQ,QAAQ,MAAM;AAAA,MAC9B,SAAS;AAAA,IACX,CAAC;AAED,WAAO,WAAW,UAAU;AAAA,EAC9B,UAAE;AACA,cAAU,UAAU;AAAA,EACtB;AACF;AAKA,eAAsB,SAAS,UAA8C;AAC3E,QAAM,MAAM,MAAM,kBAAkB;AACpC,QAAM,aAAa,SAAS,oBAAoB,OAAO;AAEvD,MAAI;AACF,iBAAa,KAAK;AAAA,MAChB;AAAA,MACA;AAAA,MACA;AAAA,MAAmB;AAAA,MACnB;AAAA,MAAiB;AAAA,MACjB;AAAA,MACA;AAAA,MAAe;AAAA,IACjB,GAAG;AAAA,MACD,UAAU;AAAA,MACV,OAAO,CAAC,QAAQ,QAAQ,MAAM;AAAA,MAC9B,SAAS;AAAA,IACX,CAAC;AAED,WAAO,WAAW,UAAU;AAAA,EAC9B,UAAE;AACA,cAAU,UAAU;AAAA,EACtB;AACF;AAOA,eAAsB,YACpB,SACA,UAC4B;AAC5B,QAAM,MAAM,MAAM,kBAAkB;AACpC,QAAMC,WAAUC,MAAK,OAAO,GAAG,kBAAkB,YAAY,CAAC,EAAE,SAAS,KAAK,CAAC,EAAE;AACjF,QAAMC,YAAWD,MAAKD,UAAS,YAAY,aAAa;AACxD,QAAM,aAAa,SAAS,oBAAoB,OAAO;AAEvD,MAAI;AACF,IAAAG,WAAUH,UAAS,EAAE,WAAW,KAAK,CAAC;AACtC,kBAAcE,WAAU,OAAO;AAE/B,iBAAa,KAAK;AAAA,MAChB;AAAA,MACAF;AAAA,MACA;AAAA,MAAmB;AAAA,MACnB;AAAA,MAAiB;AAAA,MACjB;AAAA,MACA;AAAA,MAAe;AAAA,IACjB,GAAG;AAAA,MACD,UAAU;AAAA,MACV,OAAO,CAAC,QAAQ,QAAQ,MAAM;AAAA,MAC9B,SAAS;AAAA,IACX,CAAC;AAED,WAAO,WAAW,UAAU;AAAA,EAC9B,UAAE;AACA,cAAU,UAAU;AACpB,QAAI;AAAE,aAAOA,UAAS,EAAE,WAAW,MAAM,OAAO,KAAK,CAAC;AAAA,IAAG,QAAQ;AAAA,IAAC;AAAA,EACpE;AACF;AAKA,eAAsB,WAAW,KAAyC;AACxE,QAAM,MAAM,MAAM,kBAAkB;AACpC,QAAM,aAAa,SAAS,oBAAoB,OAAO;AAEvD,MAAI;AACF,iBAAa,KAAK;AAAA,MAChB;AAAA,MACA;AAAA,MACA;AAAA,MAAmB;AAAA,MACnB;AAAA,MAAiB;AAAA,MACjB;AAAA,MACA;AAAA,MAAe;AAAA,IACjB,GAAG;AAAA,MACD;AAAA,MACA,UAAU;AAAA,MACV,OAAO,CAAC,QAAQ,QAAQ,MAAM;AAAA,MAC9B,SAAS;AAAA,IACX,CAAC;AAED,WAAO,WAAW,UAAU;AAAA,EAC9B,UAAE;AACA,cAAU,UAAU;AAAA,EACtB;AACF;AAEA,SAAS,WAAW,YAAuC;AACzD,MAAI;AACF,UAAM,MAAM,aAAa,YAAY,OAAO;AAC5C,UAAM,WAAW,KAAK,MAAM,GAAG;AAC/B,WAAO,MAAM,QAAQ,QAAQ,IAAI,WAAW,CAAC;AAAA,EAC/C,QAAQ;AACN,WAAO,CAAC;AAAA,EACV;AACF;AAEA,SAAS,SAAS,QAAgB,KAAqB;AACrD,SAAOC,MAAK,OAAO,GAAG,GAAG,MAAM,IAAI,YAAY,CAAC,EAAE,SAAS,KAAK,CAAC,GAAG,GAAG,EAAE;AAC3E;AAEA,SAAS,UAAU,MAAoB;AACrC,MAAI;AAAE,IAAAG,YAAW,IAAI;AAAA,EAAG,QAAQ;AAAA,EAAC;AACnC;","names":["mkdirSync","unlinkSync","join","scanDir","join","scanFile","mkdirSync","unlinkSync"]}

package/dist/chunk-Q7ZBIDBL.js ADDED Viewed

@@ -0,0 +1,58 @@
+#!/usr/bin/env node
+// src/scanner/file-patterns.ts
+import { minimatch } from "minimatch";
+import { basename } from "path";
+var DEFAULT_BLOCKED_PATTERNS = [
+  // Environment files
+  ".env",
+  ".env.*",
+  "**/.env",
+  "**/.env.*",
+  // Credential files
+  "**/credentials.json",
+  "**/serviceAccountKey.json",
+  "**/service-account*.json",
+  // Key files
+  "**/*.pem",
+  "**/*.key",
+  "**/*.p12",
+  "**/*.pfx",
+  // SSH keys
+  "**/id_rsa",
+  "**/id_ed25519",
+  "**/id_ecdsa",
+  "**/id_dsa",
+  // Auth config files
+  "**/.netrc",
+  "**/.npmrc",
+  "**/.pypirc",
+  "**/.docker/config.json",
+  "**/.kube/config",
+  "**/kubeconfig",
+  // Cloud provider credentials
+  "**/.aws/credentials",
+  "**/.aws/config",
+  "**/.azure/credentials",
+  "**/.gcloud/*.json",
+  // Other
+  "**/.htpasswd",
+  "**/secrets.yml",
+  "**/secrets.yaml",
+  "**/secrets.json"
+];
+function isBlockedPath(filePath, blockedPatterns = DEFAULT_BLOCKED_PATTERNS) {
+  const normalized = filePath.replace(/\\/g, "/");
+  const base = basename(normalized);
+  for (const pattern of blockedPatterns) {
+    if (minimatch(normalized, pattern, { dot: true })) return true;
+    if (minimatch(base, pattern, { dot: true })) return true;
+  }
+  return false;
+}
+export {
+  DEFAULT_BLOCKED_PATTERNS,
+  isBlockedPath
+};
+//# sourceMappingURL=chunk-Q7ZBIDBL.js.map

package/dist/chunk-Q7ZBIDBL.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/scanner/file-patterns.ts"],"sourcesContent":["import { minimatch } from \"minimatch\";\nimport { basename, resolve } from \"node:path\";\n\n/**\n * Default file patterns that should always be blocked from direct reading.\n * These files are known to contain secrets.\n */\nexport const DEFAULT_BLOCKED_PATTERNS: string[] = [\n // Environment files\n \".env\",\n \".env.*\",\n \"**/.env\",\n \"**/.env.*\",\n\n // Credential files\n \"**/credentials.json\",\n \"**/serviceAccountKey.json\",\n \"**/service-account*.json\",\n\n // Key files\n \"**/*.pem\",\n \"**/*.key\",\n \"**/*.p12\",\n \"**/*.pfx\",\n\n // SSH keys\n \"**/id_rsa\",\n \"**/id_ed25519\",\n \"**/id_ecdsa\",\n \"**/id_dsa\",\n\n // Auth config files\n \"**/.netrc\",\n \"**/.npmrc\",\n \"**/.pypirc\",\n \"**/.docker/config.json\",\n \"**/.kube/config\",\n \"**/kubeconfig\",\n\n // Cloud provider credentials\n \"**/.aws/credentials\",\n \"**/.aws/config\",\n \"**/.azure/credentials\",\n \"**/.gcloud/*.json\",\n\n // Other\n \"**/.htpasswd\",\n \"**/secrets.yml\",\n \"**/secrets.yaml\",\n \"**/secrets.json\",\n];\n\n/**\n * Check if a file path matches any of the blocked patterns.\n */\nexport function isBlockedPath(\n filePath: string,\n blockedPatterns: string[] = DEFAULT_BLOCKED_PATTERNS,\n): boolean {\n const normalized = filePath.replace(/\\\\/g, \"/\");\n const base = basename(normalized);\n\n for (const pattern of blockedPatterns) {\n // Check against full path\n if (minimatch(normalized, pattern, { dot: true })) return true;\n // Check against just the filename (for patterns like \".env\")\n if (minimatch(base, pattern, { dot: true })) return true;\n }\n\n return false;\n}\n\n/**\n * Check if a file path is in an allowlisted path.\n */\nexport function isAllowlistedPath(\n filePath: string,\n allowlistPatterns: string[],\n): boolean {\n if (allowlistPatterns.length === 0) return false;\n const normalized = filePath.replace(/\\\\/g, \"/\");\n\n for (const pattern of allowlistPatterns) {\n if (minimatch(normalized, pattern, { dot: true })) return true;\n }\n\n return false;\n}\n\n/**\n * Check if a file is likely binary (should be skipped during scanning).\n */\nexport function isBinaryFile(filePath: string): boolean {\n const ext = filePath.split(\".\").pop()?.toLowerCase();\n return BINARY_EXTENSIONS.has(ext ?? \"\");\n}\n\nconst BINARY_EXTENSIONS = new Set([\n \"png\", \"jpg\", \"jpeg\", \"gif\", \"bmp\", \"ico\", \"webp\", \"svg\",\n \"mp3\", \"mp4\", \"avi\", \"mov\", \"mkv\", \"wav\", \"flac\",\n \"zip\", \"tar\", \"gz\", \"bz2\", \"xz\", \"7z\", \"rar\",\n \"exe\", \"dll\", \"so\", \"dylib\", \"bin\",\n \"pdf\", \"doc\", \"docx\", \"xls\", \"xlsx\",\n \"woff\", \"woff2\", \"ttf\", \"eot\", \"otf\",\n \"pyc\", \"pyo\", \"class\", \"o\", \"obj\",\n \"sqlite\", \"db\", \"sqlite3\",\n]);\n"],"mappings":";;;AAAA,SAAS,iBAAiB;AAC1B,SAAS,gBAAyB;AAM3B,IAAM,2BAAqC;AAAA;AAAA,EAEhD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAGA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAKO,SAAS,cACd,UACA,kBAA4B,0BACnB;AACT,QAAM,aAAa,SAAS,QAAQ,OAAO,GAAG;AAC9C,QAAM,OAAO,SAAS,UAAU;AAEhC,aAAW,WAAW,iBAAiB;AAErC,QAAI,UAAU,YAAY,SAAS,EAAE,KAAK,KAAK,CAAC,EAAG,QAAO;AAE1D,QAAI,UAAU,MAAM,SAAS,EAAE,KAAK,KAAK,CAAC,EAAG,QAAO;AAAA,EACtD;AAEA,SAAO;AACT;","names":[]}

package/dist/chunk-YASOHGJL.js ADDED Viewed

@@ -0,0 +1,44 @@
+#!/usr/bin/env node
+// src/hooks/common.ts
+async function readStdin() {
+  return new Promise((resolve, reject) => {
+    let data = "";
+    process.stdin.setEncoding("utf-8");
+    process.stdin.on("data", (chunk) => data += chunk);
+    process.stdin.on("end", () => {
+      try {
+        resolve(JSON.parse(data));
+      } catch {
+        resolve({});
+      }
+    });
+    process.stdin.on("error", reject);
+  });
+}
+function block(message) {
+  process.stderr.write(message);
+  process.exit(2);
+}
+function allow(additionalContext) {
+  if (additionalContext) {
+    const output = {
+      hookSpecificOutput: { additionalContext }
+    };
+    process.stdout.write(JSON.stringify(output));
+  }
+  process.exit(0);
+}
+function startSafetyTimer(ms = 4e3) {
+  setTimeout(() => {
+    process.exit(1);
+  }, ms).unref();
+}
+export {
+  readStdin,
+  block,
+  allow,
+  startSafetyTimer
+};
+//# sourceMappingURL=chunk-YASOHGJL.js.map