agentmask 0.1.0

package/dist/pre-write-EBMADS22.js

@@ -0,0 +1,53 @@
+#!/usr/bin/env node
+import {
+  DEFAULT_BLOCKED_PATTERNS,
+  isBlockedPath
+} from "./chunk-Q7ZBIDBL.js";
+import {
+  allow,
+  block,
+  readStdin,
+  startSafetyTimer
+} from "./chunk-YASOHGJL.js";
+import {
+  scanContent
+} from "./chunk-P7BRPZBB.js";
+import "./chunk-2H7UOFLK.js";
+
+// src/hooks/pre-write.ts
+import { basename } from "path";
+startSafetyTimer();
+async function main() {
+  const input = await readStdin();
+  const filePath = input.tool_input?.file_path;
+  if (!filePath) {
+    allow();
+    return;
+  }
+  if (isBlockedPath(filePath, DEFAULT_BLOCKED_PATTERNS)) {
+    allow();
+    return;
+  }
+  const content = input.tool_input?.content ?? input.tool_input?.new_string;
+  if (!content) {
+    allow();
+    return;
+  }
+  try {
+    const findings = await scanContent(content, basename(filePath));
+    if (findings.length > 0) {
+      const details = findings.map((f) => `  Line ${f.StartLine}: ${f.Description}`).join("\n");
+      block(
+        `[agentmask] BLOCKED: Detected ${findings.length} secret(s) in content being written to ${filePath}:
+${details}
+
+Use environment variable references instead of hardcoding secrets.
+Example: process.env.API_KEY or os.environ["API_KEY"]`
+      );
+    }
+  } catch {
+  }
+  allow();
+}
+main().catch(() => process.exit(1));
+//# sourceMappingURL=pre-write-EBMADS22.js.map

package/dist/pre-write-EBMADS22.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/hooks/pre-write.ts"],"sourcesContent":["import { readStdin, block, allow, startSafetyTimer } from \"./common.js\";\nimport { isBlockedPath, DEFAULT_BLOCKED_PATTERNS } from \"../scanner/file-patterns.js\";\nimport { scanContent } from \"../gitleaks/runner.js\";\nimport { basename } from \"node:path\";\n\nstartSafetyTimer();\n\nasync function main() {\n  const input = await readStdin();\n  const filePath = input.tool_input?.file_path as string | undefined;\n\n  if (!filePath) {\n    allow();\n    return;\n  }\n\n  // Don't scan writes TO secret files (they're expected to have secrets)\n  if (isBlockedPath(filePath, DEFAULT_BLOCKED_PATTERNS)) {\n    allow();\n    return;\n  }\n\n  // Get the content being written\n  const content =\n    (input.tool_input?.content as string | undefined) ??\n    (input.tool_input?.new_string as string | undefined);\n\n  if (!content) {\n    allow();\n    return;\n  }\n\n  try {\n    const findings = await scanContent(content, basename(filePath));\n\n    if (findings.length > 0) {\n      const details = findings\n        .map((f) => `  Line ${f.StartLine}: ${f.Description}`)\n        .join(\"\\n\");\n      block(\n        `[agentmask] BLOCKED: Detected ${findings.length} secret(s) in content being written to ${filePath}:\\n` +\n          `${details}\\n\\n` +\n          `Use environment variable references instead of hardcoding secrets.\\n` +\n          `Example: process.env.API_KEY or os.environ[\"API_KEY\"]`,\n      );\n    }\n  } catch {\n    // gitleaks failed — degrade gracefully, allow the write\n  }\n\n  allow();\n}\n\nmain().catch(() => process.exit(1));\n"],"mappings":";;;;;;;;;;;;;;;;;AAGA,SAAS,gBAAgB;AAEzB,iBAAiB;AAEjB,eAAe,OAAO;AACpB,QAAM,QAAQ,MAAM,UAAU;AAC9B,QAAM,WAAW,MAAM,YAAY;AAEnC,MAAI,CAAC,UAAU;AACb,UAAM;AACN;AAAA,EACF;AAGA,MAAI,cAAc,UAAU,wBAAwB,GAAG;AACrD,UAAM;AACN;AAAA,EACF;AAGA,QAAM,UACH,MAAM,YAAY,WAClB,MAAM,YAAY;AAErB,MAAI,CAAC,SAAS;AACZ,UAAM;AACN;AAAA,EACF;AAEA,MAAI;AACF,UAAM,WAAW,MAAM,YAAY,SAAS,SAAS,QAAQ,CAAC;AAE9D,QAAI,SAAS,SAAS,GAAG;AACvB,YAAM,UAAU,SACb,IAAI,CAAC,MAAM,UAAU,EAAE,SAAS,KAAK,EAAE,WAAW,EAAE,EACpD,KAAK,IAAI;AACZ;AAAA,QACE,iCAAiC,SAAS,MAAM,0CAA0C,QAAQ;AAAA,EAC7F,OAAO;AAAA;AAAA;AAAA;AAAA,MAGd;AAAA,IACF;AAAA,EACF,QAAQ;AAAA,EAER;AAEA,QAAM;AACR;AAEA,KAAK,EAAE,MAAM,MAAM,QAAQ,KAAK,CAAC,CAAC;","names":[]}