clawsec 0.0.1

package/dist/src/detectors/secrets/token-detector.d.ts

@@ -0,0 +1,51 @@
+/**
+ * Token Detector
+ * Detects tokens including JWTs, Bearer tokens, and session tokens
+ */
+import type { SecretsDetectionResult, SecretSubDetector, TokenMatch } from './types.js';
+import type { Severity } from '../../config/index.js';
+/**
+ * Validate JWT structure
+ * Returns true if the token appears to be a valid JWT
+ */
+export declare function isValidJwtStructure(token: string): boolean;
+/**
+ * Match JWTs in text
+ */
+export declare function matchJwt(text: string): TokenMatch[];
+/**
+ * Match Bearer tokens in text
+ */
+export declare function matchBearerToken(text: string): TokenMatch[];
+/**
+ * Match session tokens in text
+ */
+export declare function matchSessionToken(text: string): TokenMatch[];
+/**
+ * Match refresh tokens in text
+ */
+export declare function matchRefreshToken(text: string): TokenMatch[];
+/**
+ * Match generic access tokens in text
+ */
+export declare function matchAccessToken(text: string): TokenMatch[];
+/**
+ * Match all token types in text
+ */
+export declare function matchTokens(text: string): TokenMatch[];
+/**
+ * Token Detector class
+ */
+export declare class TokenDetector implements SecretSubDetector {
+    private severity;
+    constructor(severity: Severity);
+    /**
+     * Scan text for tokens
+     */
+    scan(text: string, location: string): SecretsDetectionResult[];
+}
+/**
+ * Create a token detector
+ */
+export declare function createTokenDetector(severity: Severity): TokenDetector;
+//# sourceMappingURL=token-detector.d.ts.map

package/dist/src/detectors/secrets/token-detector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-detector.d.ts","sourceRoot":"","sources":["../../../../src/detectors/secrets/token-detector.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EACV,sBAAsB,EACtB,iBAAiB,EACjB,UAAU,EACX,MAAM,YAAY,CAAC;AACpB,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AAuCtD;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAwB1D;AAED;;GAEG;AACH,wBAAgB,QAAQ,CAAC,IAAI,EAAE,MAAM,GAAG,UAAU,EAAE,CAmBnD;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,UAAU,EAAE,CAqB3D;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,UAAU,EAAE,CAuB5D;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,UAAU,EAAE,CAuB5D;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,UAAU,EAAE,CA0B3D;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,UAAU,EAAE,CAUtD;AAED;;GAEG;AACH,qBAAa,aAAc,YAAW,iBAAiB;IACrD,OAAO,CAAC,QAAQ,CAAW;gBAEf,QAAQ,EAAE,QAAQ;IAI9B;;OAEG;IACH,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,sBAAsB,EAAE;CAiB/D;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,QAAQ,GAAG,aAAa,CAErE"}

package/dist/src/detectors/secrets/token-detector.js

@@ -0,0 +1,233 @@
+/**
+ * Token Detector
+ * Detects tokens including JWTs, Bearer tokens, and session tokens
+ */
+import { redactValue } from './api-key-detector.js';
+/**
+ * JWT pattern - three base64url-encoded parts separated by dots
+ * Header starts with eyJ (base64 for '{"')
+ */
+const JWT_PATTERN = /\beyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+\b/g;
+/**
+ * Bearer token pattern in Authorization header
+ */
+const BEARER_PATTERN = /\b(?:Bearer|bearer|BEARER)\s+([A-Za-z0-9_.-]+)\b/g;
+/**
+ * Session token patterns
+ */
+const SESSION_PATTERNS = [
+    /\bsession_[A-Za-z0-9_-]{20,}\b/g,
+    /\bsess_[A-Za-z0-9_-]{20,}\b/g,
+    /\bsid[_-][A-Za-z0-9_-]{20,}\b/gi,
+];
+/**
+ * Refresh token patterns
+ */
+const REFRESH_PATTERNS = [
+    /\brefresh_[A-Za-z0-9_-]{20,}\b/g,
+    /\brt_[A-Za-z0-9_-]{20,}\b/g,
+];
+/**
+ * Access token patterns (generic)
+ */
+const ACCESS_TOKEN_PATTERNS = [
+    /\baccess_token[_=:]["']?([A-Za-z0-9_.-]{20,})["']?/gi,
+    /\btoken[_=:]["']?([A-Za-z0-9_.-]{32,})["']?/gi,
+];
+/**
+ * Validate JWT structure
+ * Returns true if the token appears to be a valid JWT
+ */
+export function isValidJwtStructure(token) {
+    const parts = token.split('.');
+    if (parts.length !== 3)
+        return false;
+    // Each part should be base64url encoded
+    const base64UrlRegex = /^[A-Za-z0-9_-]+$/;
+    if (!parts.every(part => base64UrlRegex.test(part)))
+        return false;
+    // Try to decode and parse the header
+    try {
+        const header = JSON.parse(atob(parts[0].replace(/-/g, '+').replace(/_/g, '/')));
+        // JWT headers typically have 'alg' and optionally 'typ'
+        if (!header.alg)
+            return false;
+        // Try to decode the payload (should be valid JSON)
+        const payload = JSON.parse(atob(parts[1].replace(/-/g, '+').replace(/_/g, '/')));
+        // Payload should be an object
+        if (typeof payload !== 'object' || payload === null)
+            return false;
+        return true;
+    }
+    catch {
+        // If we can't parse it, it's likely not a valid JWT
+        return false;
+    }
+}
+/**
+ * Match JWTs in text
+ */
+export function matchJwt(text) {
+    const matches = [];
+    const regex = new RegExp(JWT_PATTERN.source, JWT_PATTERN.flags);
+    let match;
+    while ((match = regex.exec(text)) !== null) {
+        const value = match[0];
+        const isValid = isValidJwtStructure(value);
+        matches.push({
+            matched: true,
+            tokenType: 'jwt',
+            value,
+            redactedValue: redactValue(value, 10, 6),
+            confidence: isValid ? 0.95 : 0.70,
+        });
+    }
+    return matches;
+}
+/**
+ * Match Bearer tokens in text
+ */
+export function matchBearerToken(text) {
+    const matches = [];
+    const regex = new RegExp(BEARER_PATTERN.source, BEARER_PATTERN.flags);
+    let match;
+    while ((match = regex.exec(text)) !== null) {
+        const value = match[1] || match[0];
+        // Skip if it looks like a JWT (will be caught by JWT detector)
+        if (value.startsWith('eyJ'))
+            continue;
+        matches.push({
+            matched: true,
+            tokenType: 'bearer',
+            value,
+            redactedValue: redactValue(value),
+            confidence: 0.85,
+        });
+    }
+    return matches;
+}
+/**
+ * Match session tokens in text
+ */
+export function matchSessionToken(text) {
+    const matches = [];
+    const seen = new Set();
+    for (const pattern of SESSION_PATTERNS) {
+        const regex = new RegExp(pattern.source, pattern.flags);
+        let match;
+        while ((match = regex.exec(text)) !== null) {
+            const value = match[0];
+            if (seen.has(value))
+                continue;
+            seen.add(value);
+            matches.push({
+                matched: true,
+                tokenType: 'session',
+                value,
+                redactedValue: redactValue(value),
+                confidence: 0.85,
+            });
+        }
+    }
+    return matches;
+}
+/**
+ * Match refresh tokens in text
+ */
+export function matchRefreshToken(text) {
+    const matches = [];
+    const seen = new Set();
+    for (const pattern of REFRESH_PATTERNS) {
+        const regex = new RegExp(pattern.source, pattern.flags);
+        let match;
+        while ((match = regex.exec(text)) !== null) {
+            const value = match[0];
+            if (seen.has(value))
+                continue;
+            seen.add(value);
+            matches.push({
+                matched: true,
+                tokenType: 'refresh',
+                value,
+                redactedValue: redactValue(value),
+                confidence: 0.85,
+            });
+        }
+    }
+    return matches;
+}
+/**
+ * Match generic access tokens in text
+ */
+export function matchAccessToken(text) {
+    const matches = [];
+    const seen = new Set();
+    for (const pattern of ACCESS_TOKEN_PATTERNS) {
+        const regex = new RegExp(pattern.source, pattern.flags);
+        let match;
+        while ((match = regex.exec(text)) !== null) {
+            const value = match[1] || match[0];
+            if (seen.has(value))
+                continue;
+            seen.add(value);
+            // Skip if it looks like a JWT
+            if (value.startsWith('eyJ'))
+                continue;
+            matches.push({
+                matched: true,
+                tokenType: 'bearer', // Treat generic access tokens as bearer-like
+                value,
+                redactedValue: redactValue(value),
+                confidence: 0.70,
+            });
+        }
+    }
+    return matches;
+}
+/**
+ * Match all token types in text
+ */
+export function matchTokens(text) {
+    const allMatches = [];
+    allMatches.push(...matchJwt(text));
+    allMatches.push(...matchBearerToken(text));
+    allMatches.push(...matchSessionToken(text));
+    allMatches.push(...matchRefreshToken(text));
+    allMatches.push(...matchAccessToken(text));
+    return allMatches;
+}
+/**
+ * Token Detector class
+ */
+export class TokenDetector {
+    severity;
+    constructor(severity) {
+        this.severity = severity;
+    }
+    /**
+     * Scan text for tokens
+     */
+    scan(text, location) {
+        const matches = matchTokens(text);
+        return matches.map((match) => ({
+            detected: true,
+            category: 'secrets',
+            severity: this.severity,
+            confidence: match.confidence,
+            reason: `Detected ${match.tokenType.toUpperCase()} token`,
+            metadata: {
+                type: 'token',
+                subtype: match.tokenType,
+                redactedValue: match.redactedValue,
+                location,
+            },
+        }));
+    }
+}
+/**
+ * Create a token detector
+ */
+export function createTokenDetector(severity) {
+    return new TokenDetector(severity);
+}
+//# sourceMappingURL=token-detector.js.map

package/dist/src/detectors/secrets/token-detector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-detector.js","sourceRoot":"","sources":["../../../../src/detectors/secrets/token-detector.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAQH,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAEpD;;;GAGG;AACH,MAAM,WAAW,GAAG,2DAA2D,CAAC;AAEhF;;GAEG;AACH,MAAM,cAAc,GAAG,mDAAmD,CAAC;AAE3E;;GAEG;AACH,MAAM,gBAAgB,GAAG;IACvB,iCAAiC;IACjC,8BAA8B;IAC9B,iCAAiC;CAClC,CAAC;AAEF;;GAEG;AACH,MAAM,gBAAgB,GAAG;IACvB,iCAAiC;IACjC,4BAA4B;CAC7B,CAAC;AAEF;;GAEG;AACH,MAAM,qBAAqB,GAAG;IAC5B,sDAAsD;IACtD,+CAA+C;CAChD,CAAC;AAEF;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,KAAa;IAC/C,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAErC,wCAAwC;IACxC,MAAM,cAAc,GAAG,kBAAkB,CAAC;IAC1C,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAElE,qCAAqC;IACrC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC;QAChF,wDAAwD;QACxD,IAAI,CAAC,MAAM,CAAC,GAAG;YAAE,OAAO,KAAK,CAAC;QAE9B,mDAAmD;QACnD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC;QACjF,8BAA8B;QAC9B,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,IAAI;YAAE,OAAO,KAAK,CAAC;QAElE,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,oDAAoD;QACpD,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,QAAQ,CAAC,IAAY;IACnC,MAAM,OAAO,GAAiB,EAAE,CAAC;IACjC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,WAAW,CAAC,MAAM,EAAE,WAAW,CAAC,KAAK,CAAC,CAAC;IAChE,IAAI,KAAK,CAAC;IAEV,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC3C,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACvB,MAAM,OAAO,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC;QAE3C,OAAO,CAAC,IAAI,CAAC;YACX,OAAO,EAAE,IAAI;YACb,SAAS,EAAE,KAAK;YAChB,KAAK;YACL,aAAa,EAAE,WAAW,CAAC,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC;YACxC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI;SAClC,CAAC,CAAC;IACL,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,IAAY;IAC3C,MAAM,OAAO,GAAiB,EAAE,CAAC;IACjC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,cAAc,CAAC,MAAM,EAAE,cAAc,CAAC,KAAK,CAAC,CAAC;IACtE,IAAI,KAAK,CAAC;IAEV,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC3C,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC;QAEnC,+DAA+D;QAC/D,IAAI,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC;YAAE,SAAS;QAEtC,OAAO,CAAC,IAAI,CAAC;YACX,OAAO,EAAE,IAAI;YACb,SAAS,EAAE,QAAQ;YACnB,KAAK;YACL,aAAa,EAAE,WAAW,CAAC,KAAK,CAAC;YACjC,UAAU,EAAE,IAAI;SACjB,CAAC,CAAC;IACL,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,IAAY;IAC5C,MAAM,OAAO,GAAiB,EAAE,CAAC;IACjC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAE/B,KAAK,MAAM,OAAO,IAAI,gBAAgB,EAAE,CAAC;QACvC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;QACxD,IAAI,KAAK,CAAC;QACV,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC3C,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACvB,IAAI,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC;gBAAE,SAAS;YAC9B,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;YAEhB,OAAO,CAAC,IAAI,CAAC;gBACX,OAAO,EAAE,IAAI;gBACb,SAAS,EAAE,SAAS;gBACpB,KAAK;gBACL,aAAa,EAAE,WAAW,CAAC,KAAK,CAAC;gBACjC,UAAU,EAAE,IAAI;aACjB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,IAAY;IAC5C,MAAM,OAAO,GAAiB,EAAE,CAAC;IACjC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAE/B,KAAK,MAAM,OAAO,IAAI,gBAAgB,EAAE,CAAC;QACvC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;QACxD,IAAI,KAAK,CAAC;QACV,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC3C,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACvB,IAAI,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC;gBAAE,SAAS;YAC9B,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;YAEhB,OAAO,CAAC,IAAI,CAAC;gBACX,OAAO,EAAE,IAAI;gBACb,SAAS,EAAE,SAAS;gBACpB,KAAK;gBACL,aAAa,EAAE,WAAW,CAAC,KAAK,CAAC;gBACjC,UAAU,EAAE,IAAI;aACjB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,IAAY;IAC3C,MAAM,OAAO,GAAiB,EAAE,CAAC;IACjC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAE/B,KAAK,MAAM,OAAO,IAAI,qBAAqB,EAAE,CAAC;QAC5C,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;QACxD,IAAI,KAAK,CAAC;QACV,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC3C,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC;YACnC,IAAI,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC;gBAAE,SAAS;YAC9B,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;YAEhB,8BAA8B;YAC9B,IAAI,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC;gBAAE,SAAS;YAEtC,OAAO,CAAC,IAAI,CAAC;gBACX,OAAO,EAAE,IAAI;gBACb,SAAS,EAAE,QAAQ,EAAE,6CAA6C;gBAClE,KAAK;gBACL,aAAa,EAAE,WAAW,CAAC,KAAK,CAAC;gBACjC,UAAU,EAAE,IAAI;aACjB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,IAAY;IACtC,MAAM,UAAU,GAAiB,EAAE,CAAC;IAEpC,UAAU,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;IACnC,UAAU,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC;IAC3C,UAAU,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC;IAC5C,UAAU,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC;IAC5C,UAAU,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC;IAE3C,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;GAEG;AACH,MAAM,OAAO,aAAa;IAChB,QAAQ,CAAW;IAE3B,YAAY,QAAkB;QAC5B,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;IAED;;OAEG;IACH,IAAI,CAAC,IAAY,EAAE,QAAgB;QACjC,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;QAElC,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YAC7B,QAAQ,EAAE,IAAI;YACd,QAAQ,EAAE,SAAkB;YAC5B,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,MAAM,EAAE,YAAY,KAAK,CAAC,SAAS,CAAC,WAAW,EAAE,QAAQ;YACzD,QAAQ,EAAE;gBACR,IAAI,EAAE,OAAgB;gBACtB,OAAO,EAAE,KAAK,CAAC,SAAS;gBACxB,aAAa,EAAE,KAAK,CAAC,aAAa;gBAClC,QAAQ;aACT;SACF,CAAC,CAAC,CAAC;IACN,CAAC;CACF;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,QAAkB;IACpD,OAAO,IAAI,aAAa,CAAC,QAAQ,CAAC,CAAC;AACrC,CAAC"}

package/dist/src/detectors/secrets/types.d.ts

@@ -0,0 +1,157 @@
+/**
+ * Secrets Detector Types
+ * Type definitions for detecting secrets, tokens, and PII
+ */
+import type { Severity, Action } from '../../config/index.js';
+/**
+ * Detection context passed to detectors
+ */
+export interface SecretsDetectionContext {
+    /** Name of the tool being invoked */
+    toolName: string;
+    /** Input parameters to the tool */
+    toolInput: Record<string, unknown>;
+    /** Output from the tool (if scanning output) */
+    toolOutput?: string;
+}
+/**
+ * Type of secret detected
+ */
+export type SecretType = 'api-key' | 'token' | 'credential' | 'pii';
+/**
+ * Provider of the detected API key
+ */
+export type ApiKeyProvider = 'openai' | 'aws' | 'github' | 'stripe' | 'slack' | 'google' | 'anthropic' | 'generic';
+/**
+ * Type of token detected
+ */
+export type TokenType = 'jwt' | 'bearer' | 'session' | 'refresh';
+/**
+ * Type of PII detected
+ */
+export type PiiType = 'ssn' | 'credit-card' | 'email';
+/**
+ * Result of a secrets detection
+ */
+export interface SecretsDetectionResult {
+    /** Whether a secret was detected */
+    detected: boolean;
+    /** Category of the detection */
+    category: 'secrets';
+    /** Severity level of the detection */
+    severity: Severity;
+    /** Confidence score from 0 to 1 */
+    confidence: number;
+    /** Human-readable reason for the detection */
+    reason: string;
+    /** Additional metadata about the detection */
+    metadata?: {
+        /** Type of secret detected */
+        type: SecretType;
+        /** Provider for API keys */
+        provider?: string;
+        /** Redacted value showing first/last few chars with *** */
+        redactedValue?: string;
+        /** Where the secret was found (input/output, field name) */
+        location?: string;
+        /** Specific subtype (jwt, ssn, etc.) */
+        subtype?: string;
+    };
+}
+/**
+ * Configuration for the secrets detector
+ */
+export interface SecretsDetectorConfig {
+    /** Whether the detector is enabled */
+    enabled: boolean;
+    /** Severity level to assign to detections */
+    severity: Severity;
+    /** Action to take when secret is detected */
+    action: Action;
+}
+/**
+ * Interface for the main secrets detector
+ */
+export interface SecretsDetector {
+    /**
+     * Detect secrets in the given context
+     * @param context Detection context with tool information
+     * @returns Detection result (may contain multiple matches)
+     */
+    detect(context: SecretsDetectionContext): Promise<SecretsDetectionResult>;
+}
+/**
+ * Interface for sub-detectors (api-key, token, pii)
+ */
+export interface SecretSubDetector {
+    /**
+     * Scan text for secrets
+     * @param text Text to scan
+     * @param location Description of where the text came from
+     * @returns Array of detection results
+     */
+    scan(text: string, location: string): SecretsDetectionResult[];
+}
+/**
+ * API key match result
+ */
+export interface ApiKeyMatch {
+    /** Whether a match was found */
+    matched: boolean;
+    /** The provider of the API key */
+    provider: ApiKeyProvider;
+    /** The original matched value */
+    value: string;
+    /** Redacted value for safe display */
+    redactedValue: string;
+    /** Confidence score */
+    confidence: number;
+}
+/**
+ * Token match result
+ */
+export interface TokenMatch {
+    /** Whether a match was found */
+    matched: boolean;
+    /** Type of token */
+    tokenType: TokenType;
+    /** The original matched value */
+    value: string;
+    /** Redacted value for safe display */
+    redactedValue: string;
+    /** Confidence score */
+    confidence: number;
+}
+/**
+ * PII match result
+ */
+export interface PiiMatch {
+    /** Whether a match was found */
+    matched: boolean;
+    /** Type of PII */
+    piiType: PiiType;
+    /** The original matched value */
+    value: string;
+    /** Redacted value for safe display */
+    redactedValue: string;
+    /** Confidence score */
+    confidence: number;
+    /** Whether Luhn validation passed (for credit cards) */
+    luhnValid?: boolean;
+}
+/**
+ * Credential match result
+ */
+export interface CredentialMatch {
+    /** Whether a match was found */
+    matched: boolean;
+    /** Type of credential pattern */
+    credentialType: string;
+    /** The matched value (usually key=value) */
+    value: string;
+    /** Redacted value */
+    redactedValue: string;
+    /** Confidence score */
+    confidence: number;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/src/detectors/secrets/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../src/detectors/secrets/types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAE9D;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC,qCAAqC;IACrC,QAAQ,EAAE,MAAM,CAAC;IACjB,mCAAmC;IACnC,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC,gDAAgD;IAChD,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,MAAM,UAAU,GAAG,SAAS,GAAG,OAAO,GAAG,YAAY,GAAG,KAAK,CAAC;AAEpE;;GAEG;AACH,MAAM,MAAM,cAAc,GACtB,QAAQ,GACR,KAAK,GACL,QAAQ,GACR,QAAQ,GACR,OAAO,GACP,QAAQ,GACR,WAAW,GACX,SAAS,CAAC;AAEd;;GAEG;AACH,MAAM,MAAM,SAAS,GAAG,KAAK,GAAG,QAAQ,GAAG,SAAS,GAAG,SAAS,CAAC;AAEjE;;GAEG;AACH,MAAM,MAAM,OAAO,GAAG,KAAK,GAAG,aAAa,GAAG,OAAO,CAAC;AAEtD;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,oCAAoC;IACpC,QAAQ,EAAE,OAAO,CAAC;IAClB,gCAAgC;IAChC,QAAQ,EAAE,SAAS,CAAC;IACpB,sCAAsC;IACtC,QAAQ,EAAE,QAAQ,CAAC;IACnB,mCAAmC;IACnC,UAAU,EAAE,MAAM,CAAC;IACnB,8CAA8C;IAC9C,MAAM,EAAE,MAAM,CAAC;IACf,8CAA8C;IAC9C,QAAQ,CAAC,EAAE;QACT,8BAA8B;QAC9B,IAAI,EAAE,UAAU,CAAC;QACjB,4BAA4B;QAC5B,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,2DAA2D;QAC3D,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,4DAA4D;QAC5D,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,wCAAwC;QACxC,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,sCAAsC;IACtC,OAAO,EAAE,OAAO,CAAC;IACjB,6CAA6C;IAC7C,QAAQ,EAAE,QAAQ,CAAC;IACnB,6CAA6C;IAC7C,MAAM,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B;;;;OAIG;IACH,MAAM,CAAC,OAAO,EAAE,uBAAuB,GAAG,OAAO,CAAC,sBAAsB,CAAC,CAAC;CAC3E;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC;;;;;OAKG;IACH,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,sBAAsB,EAAE,CAAC;CAChE;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,gCAAgC;IAChC,OAAO,EAAE,OAAO,CAAC;IACjB,kCAAkC;IAClC,QAAQ,EAAE,cAAc,CAAC;IACzB,iCAAiC;IACjC,KAAK,EAAE,MAAM,CAAC;IACd,sCAAsC;IACtC,aAAa,EAAE,MAAM,CAAC;IACtB,uBAAuB;IACvB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,gCAAgC;IAChC,OAAO,EAAE,OAAO,CAAC;IACjB,oBAAoB;IACpB,SAAS,EAAE,SAAS,CAAC;IACrB,iCAAiC;IACjC,KAAK,EAAE,MAAM,CAAC;IACd,sCAAsC;IACtC,aAAa,EAAE,MAAM,CAAC;IACtB,uBAAuB;IACvB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,gCAAgC;IAChC,OAAO,EAAE,OAAO,CAAC;IACjB,kBAAkB;IAClB,OAAO,EAAE,OAAO,CAAC;IACjB,iCAAiC;IACjC,KAAK,EAAE,MAAM,CAAC;IACd,sCAAsC;IACtC,aAAa,EAAE,MAAM,CAAC;IACtB,uBAAuB;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,wDAAwD;IACxD,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,gCAAgC;IAChC,OAAO,EAAE,OAAO,CAAC;IACjB,iCAAiC;IACjC,cAAc,EAAE,MAAM,CAAC;IACvB,4CAA4C;IAC5C,KAAK,EAAE,MAAM,CAAC;IACd,qBAAqB;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,uBAAuB;IACvB,UAAU,EAAE,MAAM,CAAC;CACpB"}

package/dist/src/detectors/secrets/types.js

@@ -0,0 +1,6 @@
+/**
+ * Secrets Detector Types
+ * Type definitions for detecting secrets, tokens, and PII
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/src/detectors/secrets/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../../src/detectors/secrets/types.ts"],"names":[],"mappings":"AAAA;;;GAGG"}

package/dist/src/detectors/website/category-detector.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Category Detector
+ * Detects website categories like malware, phishing, gambling, adult content
+ */
+import type { CategoryDetectionResult, WebsiteCategory } from './types.js';
+/**
+ * Detect website category based on domain patterns
+ */
+export declare function detectCategory(domain: string): CategoryDetectionResult;
+/**
+ * Check if a category is considered dangerous (malware, phishing)
+ */
+export declare function isDangerousCategory(category: WebsiteCategory): boolean;
+/**
+ * Check if a category is considered optional/warning-only (gambling, adult)
+ */
+export declare function isWarningCategory(category: WebsiteCategory): boolean;
+/**
+ * Get severity description for a category
+ */
+export declare function getCategorySeverityDescription(category: WebsiteCategory): string;
+//# sourceMappingURL=category-detector.d.ts.map

package/dist/src/detectors/website/category-detector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"category-detector.d.ts","sourceRoot":"","sources":["../../../../src/detectors/website/category-detector.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,uBAAuB,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AA0H3E;;GAEG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,uBAAuB,CAoBtE;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,eAAe,GAAG,OAAO,CAEtE;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,eAAe,GAAG,OAAO,CAEpE;AAED;;GAEG;AACH,wBAAgB,8BAA8B,CAAC,QAAQ,EAAE,eAAe,GAAG,MAAM,CAahF"}

package/dist/src/detectors/website/category-detector.js

@@ -0,0 +1,162 @@
+/**
+ * Category Detector
+ * Detects website categories like malware, phishing, gambling, adult content
+ */
+import { matchesGlobPattern } from './pattern-matcher.js';
+/**
+ * Known malware domain patterns
+ * These patterns match domains commonly associated with malware distribution
+ */
+const MALWARE_PATTERNS = [
+    // Common malware domain patterns
+    '*.malware.*',
+    '*.virus.*',
+    '*.trojan.*',
+    '*.exploit.*',
+    'malware-*.*',
+    '*-malware.*',
+    '*.malicious.*',
+    // Suspicious TLDs often used for malware
+    '*.xyz',
+    '*.tk',
+    '*.ml',
+    '*.ga',
+    '*.cf',
+    '*.gq',
+    // Download/crack sites (common malware vectors)
+    '*crack*.*',
+    '*keygen*.*',
+    '*warez*.*',
+    '*pirat*.*',
+];
+/**
+ * Known phishing domain patterns
+ * These patterns match domains commonly used for phishing attacks
+ */
+const PHISHING_PATTERNS = [
+    // Phishing keyword patterns
+    'phishing-*.*',
+    '*-phishing.*',
+    '*.phishing.*',
+    // Common phishing techniques
+    '*login-secure*.*',
+    '*secure-login*.*',
+    '*account-verify*.*',
+    '*verify-account*.*',
+    '*update-payment*.*',
+    '*payment-update*.*',
+    '*confirm-identity*.*',
+    '*identity-confirm*.*',
+    // Lookalike domain patterns (suspicious)
+    '*-signin.*',
+    '*signin-*.*',
+    '*-login.*',
+    '*login-*.*',
+    '*paypa1*.*', // Paypal with 1 instead of l
+    '*g00gle*.*', // Google with 0 instead of o
+    '*amaz0n*.*', // Amazon with 0 instead of o
+    '*faceb00k*.*', // Facebook with 0 instead of o
+    '*micros0ft*.*', // Microsoft with 0 instead of o
+    '*app1e*.*', // Apple with 1 instead of l
+    // Urgent action domains
+    '*urgent-*.*',
+    '*-urgent.*',
+    '*suspended-*.*',
+    '*-suspended.*',
+];
+/**
+ * Gambling domain patterns
+ */
+const GAMBLING_PATTERNS = [
+    '*.casino.*',
+    '*.bet.*',
+    '*.poker.*',
+    '*.slots.*',
+    '*.gambling.*',
+    '*casino*.*',
+    '*betting*.*',
+    '*poker*.*',
+    '*blackjack*.*',
+    '*roulette*.*',
+    '*lottery*.*',
+    '*jackpot*.*',
+    '*.888casino.*',
+    '*.bet365.*',
+    '*.pokerstars.*',
+    '*.draftkings.*',
+    '*.fanduel.*',
+];
+/**
+ * Adult content domain patterns
+ */
+const ADULT_PATTERNS = [
+    '*.adult.*',
+    '*.xxx.*',
+    '*.porn*.*',
+    '*porn*.*',
+    '*.sex.*',
+    '*adult*.*',
+    '*.nsfw.*',
+    '*nsfw*.*',
+];
+/**
+ * Category patterns with their severity
+ */
+const CATEGORY_PATTERNS = [
+    { category: 'malware', patterns: MALWARE_PATTERNS, defaultConfidence: 0.85 },
+    { category: 'phishing', patterns: PHISHING_PATTERNS, defaultConfidence: 0.80 },
+    { category: 'gambling', patterns: GAMBLING_PATTERNS, defaultConfidence: 0.90 },
+    { category: 'adult', patterns: ADULT_PATTERNS, defaultConfidence: 0.90 },
+];
+/**
+ * Detect website category based on domain patterns
+ */
+export function detectCategory(domain) {
+    const domainLower = domain.toLowerCase();
+    for (const { category, patterns, defaultConfidence } of CATEGORY_PATTERNS) {
+        for (const pattern of patterns) {
+            if (matchesGlobPattern(domainLower, pattern)) {
+                return {
+                    detected: true,
+                    category,
+                    matchedPattern: pattern,
+                    confidence: defaultConfidence,
+                };
+            }
+        }
+    }
+    return {
+        detected: false,
+        confidence: 0,
+    };
+}
+/**
+ * Check if a category is considered dangerous (malware, phishing)
+ */
+export function isDangerousCategory(category) {
+    return category === 'malware' || category === 'phishing';
+}
+/**
+ * Check if a category is considered optional/warning-only (gambling, adult)
+ */
+export function isWarningCategory(category) {
+    return category === 'gambling' || category === 'adult';
+}
+/**
+ * Get severity description for a category
+ */
+export function getCategorySeverityDescription(category) {
+    switch (category) {
+        case 'malware':
+            return 'potential malware distribution site';
+        case 'phishing':
+            return 'potential phishing site';
+        case 'gambling':
+            return 'gambling website';
+        case 'adult':
+            return 'adult content website';
+        default:
+            return 'unknown category';
+    }
+}
+//# sourceMappingURL=category-detector.js.map

package/dist/src/detectors/website/category-detector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"category-detector.js","sourceRoot":"","sources":["../../../../src/detectors/website/category-detector.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAE1D;;;GAGG;AACH,MAAM,gBAAgB,GAAG;IACvB,iCAAiC;IACjC,aAAa;IACb,WAAW;IACX,YAAY;IACZ,aAAa;IACb,aAAa;IACb,aAAa;IACb,eAAe;IAEf,yCAAyC;IACzC,OAAO;IACP,MAAM;IACN,MAAM;IACN,MAAM;IACN,MAAM;IACN,MAAM;IAEN,gDAAgD;IAChD,WAAW;IACX,YAAY;IACZ,WAAW;IACX,WAAW;CACZ,CAAC;AAEF;;;GAGG;AACH,MAAM,iBAAiB,GAAG;IACxB,4BAA4B;IAC5B,cAAc;IACd,cAAc;IACd,cAAc;IAEd,6BAA6B;IAC7B,kBAAkB;IAClB,kBAAkB;IAClB,oBAAoB;IACpB,oBAAoB;IACpB,oBAAoB;IACpB,oBAAoB;IACpB,sBAAsB;IACtB,sBAAsB;IAEtB,yCAAyC;IACzC,YAAY;IACZ,aAAa;IACb,WAAW;IACX,YAAY;IACZ,YAAY,EAAO,6BAA6B;IAChD,YAAY,EAAO,6BAA6B;IAChD,YAAY,EAAO,6BAA6B;IAChD,cAAc,EAAK,+BAA+B;IAClD,eAAe,EAAI,gCAAgC;IACnD,WAAW,EAAQ,4BAA4B;IAE/C,wBAAwB;IACxB,aAAa;IACb,YAAY;IACZ,gBAAgB;IAChB,eAAe;CAChB,CAAC;AAEF;;GAEG;AACH,MAAM,iBAAiB,GAAG;IACxB,YAAY;IACZ,SAAS;IACT,WAAW;IACX,WAAW;IACX,cAAc;IACd,YAAY;IACZ,aAAa;IACb,WAAW;IACX,eAAe;IACf,cAAc;IACd,aAAa;IACb,aAAa;IACb,eAAe;IACf,YAAY;IACZ,gBAAgB;IAChB,gBAAgB;IAChB,aAAa;CACd,CAAC;AAEF;;GAEG;AACH,MAAM,cAAc,GAAG;IACrB,WAAW;IACX,SAAS;IACT,WAAW;IACX,UAAU;IACV,SAAS;IACT,WAAW;IACX,UAAU;IACV,UAAU;CACX,CAAC;AAEF;;GAEG;AACH,MAAM,iBAAiB,GAIlB;IACH,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,IAAI,EAAE;IAC5E,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,IAAI,EAAE;IAC9E,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,IAAI,EAAE;IAC9E,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,iBAAiB,EAAE,IAAI,EAAE;CACzE,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,MAAc;IAC3C,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;IAEzC,KAAK,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,iBAAiB,EAAE,IAAI,iBAAiB,EAAE,CAAC;QAC1E,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,IAAI,kBAAkB,CAAC,WAAW,EAAE,OAAO,CAAC,EAAE,CAAC;gBAC7C,OAAO;oBACL,QAAQ,EAAE,IAAI;oBACd,QAAQ;oBACR,cAAc,EAAE,OAAO;oBACvB,UAAU,EAAE,iBAAiB;iBAC9B,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,KAAK;QACf,UAAU,EAAE,CAAC;KACd,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,QAAyB;IAC3D,OAAO,QAAQ,KAAK,SAAS,IAAI,QAAQ,KAAK,UAAU,CAAC;AAC3D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,QAAyB;IACzD,OAAO,QAAQ,KAAK,UAAU,IAAI,QAAQ,KAAK,OAAO,CAAC;AACzD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,8BAA8B,CAAC,QAAyB;IACtE,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,SAAS;YACZ,OAAO,qCAAqC,CAAC;QAC/C,KAAK,UAAU;YACb,OAAO,yBAAyB,CAAC;QACnC,KAAK,UAAU;YACb,OAAO,kBAAkB,CAAC;QAC5B,KAAK,OAAO;YACV,OAAO,uBAAuB,CAAC;QACjC;YACE,OAAO,kBAAkB,CAAC;IAC9B,CAAC;AACH,CAAC"}