commit-cop 1.0.0 → 1.1.0

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAC1C,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAE5C,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,aAAa,CAAC;KACnB,WAAW,CAAC,4CAA4C,CAAC;KACzD,MAAM,CAAC,UAAU,EAAE,0BAA0B,CAAC;KAC9C,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;IACxB,MAAM,WAAW,GAAG,cAAc,EAAE,CAAC;IAErC,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7B,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;QACtC,OAAO;IACT,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC;QAC/B,WAAW;QACX,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC;KAChC,CAAC,CAAC;IAEH,WAAW,CAAC,QAAQ,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;IAE1C,MAAM,SAAS,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC;IAC3E,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAC/B,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,QAAQ,KAAK,SAAS,CAC5C,CAAC;IAEF,IAAI,SAAS,IAAI,CAAC,OAAO,CAAC,MAAM,IAAI,WAAW,CAAC,EAAE,CAAC;QACjD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC;AAEL,OAAO,CAAC,KAAK,EAAE,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAC1C,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAE5C,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,YAAY,CAAC;KAClB,WAAW,CAAC,4CAA4C,CAAC;KACzD,MAAM,CAAC,UAAU,EAAE,0BAA0B,CAAC;KAC9C,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;IACxB,MAAM,WAAW,GAAG,cAAc,EAAE,CAAC;IAErC,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7B,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;QACtC,OAAO;IACT,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC;QAC/B,WAAW;QACX,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC;KAChC,CAAC,CAAC;IAEH,WAAW,CAAC,QAAQ,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;IAE1C,MAAM,SAAS,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC;IAC3E,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAC/B,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,QAAQ,KAAK,SAAS,CAC5C,CAAC;IAEF,IAAI,SAAS,IAAI,CAAC,OAAO,CAAC,MAAM,IAAI,WAAW,CAAC,EAAE,CAAC;QACjD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC;AAEL,OAAO,CAAC,KAAK,EAAE,CAAC"}

package/dist/scanner.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../src/scanner.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAmBxD,wBAAsB,SAAS,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CASzE"}
+{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../src/scanner.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AA+BxD,wBAAsB,SAAS,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CASzE"}

package/dist/scanner.js

@@ -1,18 +1,30 @@
 import { envFileCheck } from "./checks/envFileCheck.js";
 import { generatedFolderCheck } from "./checks/generatedFolderCheck.js";
-import { consoleLogCheck } from "./checks/consoleLogCheck.js";
+import { mergeConflictCheck } from "./checks/mergeConflictCheck.js";
+import { sensitiveFilenameCheck } from "./checks/sensitiveFilenameCheck.js";
+import { secretCheck } from "./checks/secretCheck.js";
 import { focusedTestCheck } from "./checks/focusedTestCheck.js";
+import { consoleLogCheck } from "./checks/consoleLogCheck.js";
+import { debuggerCheck } from "./checks/debuggerCheck.js";
 import { localHostCheck } from "./checks/localHostCheck.js";
+import { junkFileCheck } from "./checks/junkFileCheck.js";
+import { lockfileDriftCheck } from "./checks/lockfileDriftCheck.js";
 import { largeFileCheck } from "./checks/largeFileCheck.js";
-import { secretCheck } from "./checks/secretCheck.js";
+import { binaryFileCheck } from "./checks/binaryFileCheck.js";
 const checks = [
+    mergeConflictCheck,
     envFileCheck,
+    sensitiveFilenameCheck,
     generatedFolderCheck,
     secretCheck,
     focusedTestCheck,
     consoleLogCheck,
+    debuggerCheck,
     localHostCheck,
+    junkFileCheck,
+    lockfileDriftCheck,
     largeFileCheck,
+    binaryFileCheck,
 ];
 export async function runChecks(context) {
     const allFindings = [];

package/dist/scanner.js.map

@@ -1 +1 @@
-{"version":3,"file":"scanner.js","sourceRoot":"","sources":["../src/scanner.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AACxD,OAAO,EAAE,oBAAoB,EAAE,MAAM,kCAAkC,CAAC;AACxE,OAAO,EAAE,eAAe,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAChE,OAAO,EAAE,cAAc,EAAE,MAAM,4BAA4B,CAAC;AAC5D,OAAO,EAAE,cAAc,EAAE,MAAM,4BAA4B,CAAC;AAC5D,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AAEtD,MAAM,MAAM,GAAG;IACb,YAAY;IACZ,oBAAoB;IACpB,WAAW;IACX,gBAAgB;IAChB,eAAe;IACf,cAAc;IACd,cAAc;CACf,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,OAAqB;IACnD,MAAM,WAAW,GAAc,EAAE,CAAC;IAElC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC1C,WAAW,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;IAChC,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC"}
+{"version":3,"file":"scanner.js","sourceRoot":"","sources":["../src/scanner.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AACxD,OAAO,EAAE,oBAAoB,EAAE,MAAM,kCAAkC,CAAC;AACxE,OAAO,EAAE,kBAAkB,EAAE,MAAM,gCAAgC,CAAC;AACpE,OAAO,EAAE,sBAAsB,EAAE,MAAM,oCAAoC,CAAC;AAC5E,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACtD,OAAO,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,4BAA4B,CAAC;AAC5D,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAC1D,OAAO,EAAE,kBAAkB,EAAE,MAAM,gCAAgC,CAAC;AACpE,OAAO,EAAE,cAAc,EAAE,MAAM,4BAA4B,CAAC;AAC5D,OAAO,EAAE,eAAe,EAAE,MAAM,6BAA6B,CAAC;AAE9D,MAAM,MAAM,GAAG;IACb,kBAAkB;IAClB,YAAY;IACZ,sBAAsB;IACtB,oBAAoB;IACpB,WAAW;IACX,gBAAgB;IAChB,eAAe;IACf,aAAa;IACb,cAAc;IACd,aAAa;IACb,kBAAkB;IAClB,cAAc;IACd,eAAe;CAChB,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,OAAqB;IACnD,MAAM,WAAW,GAAc,EAAE,CAAC;IAElC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC1C,WAAW,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;IAChC,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC"}

package/package.json

@@ -1,16 +1,17 @@
 {
   "name": "commit-cop",
-  "version": "1.0.0",
-  "description": "A pre-commit safety checker that scans staged files for risky commits.",
+  "version": "1.1.0",
+  "description": "Commit Cop — a pre-commit safety checker that scans staged files for risky commits.",
   "type": "module",
   "bin": {
-    "commitclean": "./dist/index.js"
+    "commit-cop": "./dist/index.js"
   },
   "scripts": {
     "dev": "tsx src/index.ts",
     "build": "tsc",
     "start": "node dist/index.js",
-    "commitclean": "tsx src/index.ts"
+    "commit-cop": "tsx src/index.ts",
+    "demo:setup": "node scripts/setup-demo.mjs"
   },
   "repository": {
     "type": "git",
@@ -38,4 +39,4 @@
     "chalk": "^5.6.2",
     "commander": "^14.0.3"
   }
-}
+}

package/src/brand.ts

@@ -0,0 +1,3 @@
+export const PRODUCT_NAME = "Commit Cop";
+export const CLI_NAME = "commit-cop";
+export const TAGLINE = "Catch bad commits before they hit GitHub";

package/src/checks/binaryFileCheck.ts

@@ -0,0 +1,64 @@
+import fs from "node:fs";
+import type { Check, Finding } from "../types.js";
+import { getBaseName } from "./utils.js";
+
+const binaryExtensions = new Set([
+  ".zip",
+  ".exe",
+  ".dll",
+  ".mp4",
+  ".mov",
+  ".sqlite",
+  ".db",
+]);
+
+function hasNullBytes(file: string): boolean {
+  const buffer = fs.readFileSync(file);
+  const sampleSize = Math.min(buffer.length, 8192);
+
+  for (let index = 0; index < sampleSize; index += 1) {
+    if (buffer[index] === 0) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+export const binaryFileCheck: Check = {
+  name: "binary-file-check",
+
+  async run(context) {
+    const findings: Finding[] = [];
+
+    for (const file of context.stagedFiles) {
+      if (!fs.existsSync(file)) continue;
+
+      const baseName = getBaseName(file);
+      const extension = baseName.includes(".")
+        ? baseName.slice(baseName.lastIndexOf(".")).toLowerCase()
+        : "";
+
+      let isBinary = binaryExtensions.has(extension);
+
+      try {
+        isBinary ||= hasNullBytes(file);
+      } catch {
+        continue;
+      }
+
+      if (isBinary) {
+        findings.push({
+          severity: "warning",
+          checkName: this.name,
+          file,
+          message:
+            "Binary file detected — archives, executables, and media don't belong in source control.",
+          suggestion: "Remove it from the commit or store it with Git LFS.",
+        });
+      }
+    }
+
+    return findings;
+  },
+};

package/src/checks/consoleLogCheck.ts

@@ -27,8 +27,9 @@ export const consoleLogCheck: Check = {
             checkName: this.name,
             file,
             line: index + 1,
-            message: "console.log found in staged code.",
-            suggestion: "Remove debug logs before committing.",
+            message:
+              "Debug log left in code — easy to miss and clutters production output.",
+            suggestion: "Delete the console.log before committing.",
           });
         }
       });

package/src/checks/debuggerCheck.ts

@@ -0,0 +1,33 @@
+import type { Check, Finding } from "../types.js";
+import { isCodeFile, readFileLines } from "./utils.js";
+
+export const debuggerCheck: Check = {
+  name: "debugger-check",
+
+  async run(context) {
+    const findings: Finding[] = [];
+
+    for (const file of context.stagedFiles) {
+      if (!isCodeFile(file)) continue;
+
+      const lines = readFileLines(file);
+      if (!lines) continue;
+
+      lines.forEach((line, index) => {
+        if (/\bdebugger\b/.test(line)) {
+          findings.push({
+            severity: "warning",
+            checkName: this.name,
+            file,
+            line: index + 1,
+            message:
+              "debugger statement left in code — pauses execution and breaks CI/headless runs.",
+            suggestion: "Delete the debugger statement before committing.",
+          });
+        }
+      });
+    }
+
+    return findings;
+  },
+};

package/src/checks/envFileCheck.ts

@@ -14,8 +14,9 @@ export const envFileCheck: Check = {
           severity: "error",
           checkName: this.name,
           file,
-          message: "Environment file is staged and may contain secrets.",
-          suggestion: `Run: git restore --staged ${file}`,
+          message:
+            ".env file detected — these often hold API keys, passwords, and tokens.",
+          suggestion: `Unstage it: git restore --staged ${file}`,
         });
       }
     }

package/src/checks/focusedTestCheck.ts

@@ -28,8 +28,8 @@ export const focusedTestCheck: Check = {
               checkName: this.name,
               file,
               line: index + 1,
-              message: `${pattern} found. This may skip the rest of the test suite.`,
-              suggestion: `Replace ${pattern} with the normal test function.`,
+              message: `${pattern} detected — only that test will run, hiding failures in the rest of the suite.`,
+              suggestion: `Change ${pattern} back to ${pattern.replace(".only", "")}.`,
             });
           }
         }

package/src/checks/generatedFolderCheck.ts

@@ -1,4 +1,5 @@
 import type { Check, Finding } from "../types.js";
+import { normalizePath } from "./utils.js";
 
 const blockedFolders = [
   "node_modules/",
@@ -8,6 +9,13 @@ const blockedFolders = [
   "coverage/",
 ];
 
+function matchesBlockedFolder(normalizedPath: string, folder: string): boolean {
+  return (
+    normalizedPath.startsWith(folder) ||
+    normalizedPath.includes(`/${folder}`)
+  );
+}
+
 export const generatedFolderCheck: Check = {
   name: "generated-folder-check",
 
@@ -15,10 +23,10 @@ export const generatedFolderCheck: Check = {
     const findings: Finding[] = [];
 
     for (const file of context.stagedFiles) {
-      const normalized = file.replaceAll("\\", "/");
+      const normalized = normalizePath(file);
 
       const matchedFolder = blockedFolders.find((folder) =>
-        normalized.startsWith(folder)
+        matchesBlockedFolder(normalized, folder)
       );
 
       if (matchedFolder) {
@@ -26,12 +34,12 @@ export const generatedFolderCheck: Check = {
           severity: "error",
           checkName: this.name,
           file,
-          message: `${matchedFolder} is staged but is usually generated and should not be committed.`,
-          suggestion: `Add ${matchedFolder} to .gitignore and run: git restore --staged ${file}`,
+          message: `Generated folder (${matchedFolder}) — auto-built files bloat the repo and cause merge pain.`,
+          suggestion: `Add ${matchedFolder} to .gitignore, then: git restore --staged ${file}`,
         });
       }
     }
 
     return findings;
   },
-};
+};

package/src/checks/junkFileCheck.ts

@@ -0,0 +1,40 @@
+import type { Check, Finding } from "../types.js";
+import { getBaseName, matchesAnyPattern } from "./utils.js";
+
+const junkExactNames = new Set([
+  ".ds_store",
+  "thumbs.db",
+  "desktop.ini",
+]);
+
+const junkNamePatterns = [/\.swp$/i, /\.bak$/i, /\.tmp$/i, /~$/];
+
+export const junkFileCheck: Check = {
+  name: "junk-file-check",
+
+  async run(context) {
+    const findings: Finding[] = [];
+
+    for (const file of context.stagedFiles) {
+      const baseName = getBaseName(file);
+      const normalizedBaseName = baseName.toLowerCase();
+
+      const isJunk =
+        junkExactNames.has(normalizedBaseName) ||
+        matchesAnyPattern(baseName, junkNamePatterns);
+
+      if (isJunk) {
+        findings.push({
+          severity: "warning",
+          checkName: this.name,
+          file,
+          message:
+            "OS or editor junk file — adds noise and has no place in the repo.",
+          suggestion: `Unstage it: git restore --staged ${file}`,
+        });
+      }
+    }
+
+    return findings;
+  },
+};

package/src/checks/largeFileCheck.ts

@@ -20,8 +20,8 @@ export const largeFileCheck: Check = {
           severity: "warning",
           checkName: this.name,
           file,
-          message: `Large file staged: ${sizeMb.toFixed(2)} MB.`,
-          suggestion: "Consider removing this file from Git or using Git LFS.",
+          message: `Large file (${sizeMb.toFixed(2)} MB) — slows clones and may hit GitHub's size limits.`,
+          suggestion: "Remove it from Git or use Git LFS for big assets.",
         });
       }
     }

package/src/checks/localHostCheck.ts

@@ -27,8 +27,8 @@ export const localHostCheck: Check = {
               checkName: this.name,
               file,
               line: index + 1,
-              message: `Hardcoded local URL found: ${pattern}`,
-              suggestion: "Use an environment variable instead of a hardcoded localhost URL.",
+              message: `Hardcoded local URL (${pattern}) — won't work in production or for teammates.`,
+              suggestion: "Move the URL to an environment variable (e.g. process.env.API_URL).",
             });
           }
         }

package/src/checks/lockfileDriftCheck.ts

@@ -0,0 +1,40 @@
+import type { Check, Finding } from "../types.js";
+import { normalizePath } from "./utils.js";
+
+function isStaged(stagedFiles: string[], target: string): boolean {
+  return stagedFiles.some((file) => normalizePath(file) === target);
+}
+
+export const lockfileDriftCheck: Check = {
+  name: "lockfile-drift-check",
+
+  async run(context) {
+    const findings: Finding[] = [];
+    const packageJsonStaged = isStaged(context.stagedFiles, "package.json");
+    const lockfileStaged = isStaged(context.stagedFiles, "package-lock.json");
+
+    if (packageJsonStaged && !lockfileStaged) {
+      findings.push({
+        severity: "warning",
+        checkName: this.name,
+        file: "package.json",
+        message:
+          "package.json changed without its lockfile — teammates may get different dependency versions.",
+        suggestion: "Run npm install, then stage package-lock.json.",
+      });
+    }
+
+    if (lockfileStaged && !packageJsonStaged) {
+      findings.push({
+        severity: "warning",
+        checkName: this.name,
+        file: "package-lock.json",
+        message:
+          "Lockfile changed without package.json — the lockfile may not match your declared dependencies.",
+        suggestion: "Stage package.json too, or unstage package-lock.json.",
+      });
+    }
+
+    return findings;
+  },
+};

package/src/checks/mergeConflictCheck.ts

@@ -0,0 +1,41 @@
+import type { Check, Finding } from "../types.js";
+import { readFileLines, shouldSkipContentScan } from "./utils.js";
+
+const conflictMarkers = ["<<<<<<<", "=======", ">>>>>>>"];
+
+export const mergeConflictCheck: Check = {
+  name: "merge-conflict-check",
+
+  async run(context) {
+    const findings: Finding[] = [];
+
+    for (const file of context.stagedFiles) {
+      if (shouldSkipContentScan(file)) continue;
+
+      const lines = readFileLines(file);
+      if (!lines) continue;
+
+      lines.forEach((line, index) => {
+        const trimmed = line.trim();
+
+        for (const marker of conflictMarkers) {
+          if (trimmed.startsWith(marker)) {
+            findings.push({
+              severity: "error",
+              checkName: this.name,
+              file,
+              line: index + 1,
+              message:
+                "Unresolved merge conflict — this file won't run correctly until fixed.",
+              suggestion:
+                "Resolve the conflict, remove the <<<<<<< / ======= / >>>>>>> markers, then restage.",
+            });
+            return;
+          }
+        }
+      });
+    }
+
+    return findings;
+  },
+};

package/src/checks/secretCheck.ts

@@ -1,14 +1,26 @@
-import fs from "node:fs";
 import type { Check, Finding } from "../types.js";
+import {
+  isCommentLine,
+  isPlaceholderValue,
+  readFileLines,
+  shouldSkipContentScan,
+} from "./utils.js";
 
-const secretPatterns = [
-  /OPENAI_API_KEY\s*=/i,
-  /DATABASE_URL\s*=/i,
-  /JWT_SECRET\s*=/i,
-  /AUTH_SECRET\s*=/i,
-  /PRIVATE_KEY\s*=/i,
-  /SECRET_KEY\s*=/i,
-  /sk-[A-Za-z0-9_-]{20,}/,
+const secretRules: { pattern: RegExp; label: string }[] = [
+  { pattern: /OPENAI_API_KEY\s*=/i, label: "OpenAI API key" },
+  { pattern: /DATABASE_URL\s*=/i, label: "database connection string" },
+  { pattern: /JWT_SECRET\s*=/i, label: "JWT secret" },
+  { pattern: /AUTH_SECRET\s*=/i, label: "auth secret" },
+  { pattern: /PRIVATE_KEY\s*=/i, label: "private key" },
+  { pattern: /SECRET_KEY\s*=/i, label: "secret key" },
+  { pattern: /sk-[A-Za-z0-9_-]{20,}/, label: "API key" },
+  { pattern: /ghp_[A-Za-z0-9]{36,}/, label: "GitHub personal access token" },
+  { pattern: /github_pat_[A-Za-z0-9_]+/, label: "GitHub personal access token" },
+  { pattern: /AKIA[0-9A-Z]{16}/, label: "AWS access key" },
+  { pattern: /sk_live_[A-Za-z0-9]+/, label: "Stripe live secret key" },
+  { pattern: /AIza[0-9A-Za-z_-]{35}/, label: "Google API key" },
+  { pattern: /hooks\.slack\.com\/services\//, label: "Slack webhook URL" },
+  { pattern: /password\s*=\s*['"][^'"]{8,}['"]/i, label: "hardcoded password" },
 ];
 
 export const secretCheck: Check = {
@@ -18,22 +30,26 @@ export const secretCheck: Check = {
     const findings: Finding[] = [];
 
     for (const file of context.stagedFiles) {
-      if (!fs.existsSync(file)) continue;
+      if (shouldSkipContentScan(file)) continue;
 
-      const content = fs.readFileSync(file, "utf-8");
-      const lines = content.split("\n");
+      const lines = readFileLines(file);
+      if (!lines) continue;
 
       lines.forEach((line, index) => {
-        for (const pattern of secretPatterns) {
-          if (pattern.test(line)) {
+        if (isCommentLine(line) || isPlaceholderValue(line)) return;
+
+        for (const rule of secretRules) {
+          if (rule.pattern.test(line)) {
             findings.push({
               severity: "error",
               checkName: this.name,
               file,
               line: index + 1,
-              message: "Possible secret found in staged file.",
-              suggestion: "Remove the secret and rotate it if it was already pushed.",
+              message: `Possible ${rule.label} — credentials pushed to GitHub can be scraped instantly.`,
+              suggestion:
+                "Remove it from the code, unstage the file, and rotate the credential if it was ever pushed.",
             });
+            return;
           }
         }
       });
@@ -41,4 +57,4 @@ export const secretCheck: Check = {
 
     return findings;
   },
-};
+};

package/src/checks/sensitiveFilenameCheck.ts

@@ -0,0 +1,51 @@
+import type { Check, Finding } from "../types.js";
+import { getBaseName, matchesAnyPattern, normalizePath } from "./utils.js";
+
+const sensitiveExactNames = new Set([
+  "id_rsa",
+  "id_ed25519",
+  "credentials.json",
+  "serviceaccountkey.json",
+  ".npmrc",
+  ".pypirc",
+]);
+
+const sensitiveNamePatterns = [
+  /\.pem$/i,
+  /\.p12$/i,
+  /\.key$/i,
+  /^firebase-adminsdk.*\.json$/i,
+];
+
+export const sensitiveFilenameCheck: Check = {
+  name: "sensitive-filename-check",
+
+  async run(context) {
+    const findings: Finding[] = [];
+
+    for (const file of context.stagedFiles) {
+      const baseName = getBaseName(file);
+      const normalizedBaseName = baseName.toLowerCase();
+      const normalizedPath = normalizePath(file).toLowerCase();
+
+      const isSensitive =
+        sensitiveExactNames.has(normalizedBaseName) ||
+        matchesAnyPattern(baseName, sensitiveNamePatterns) ||
+        normalizedPath.endsWith("/credentials.json") ||
+        normalizedPath.includes("serviceaccountkey.json");
+
+      if (isSensitive) {
+        findings.push({
+          severity: "error",
+          checkName: this.name,
+          file,
+          message:
+            "Credential or key file detected — private keys and auth config should not be in Git.",
+          suggestion: `Unstage it: git restore --staged ${file}`,
+        });
+      }
+    }
+
+    return findings;
+  },
+};

package/src/checks/utils.ts

@@ -0,0 +1,62 @@
+import fs from "node:fs";
+
+const CODE_EXTENSIONS = [".js", ".jsx", ".ts", ".tsx"];
+
+const SKIP_CONTENT_EXTENSIONS = [".md", ".example", ".sample"];
+
+const PLACEHOLDER_PATTERNS = [
+  /your-api-key/i,
+  /changeme/i,
+  /xxx+/i,
+  /TODO/i,
+  /placeholder/i,
+  /example/i,
+  /replace-me/i,
+];
+
+export function normalizePath(file: string): string {
+  return file.replaceAll("\\", "/");
+}
+
+export function getBaseName(file: string): string {
+  return normalizePath(file).split("/").pop() ?? "";
+}
+
+export function isCodeFile(file: string): boolean {
+  return CODE_EXTENSIONS.some((ext) => file.endsWith(ext));
+}
+
+export function shouldSkipContentScan(file: string): boolean {
+  return SKIP_CONTENT_EXTENSIONS.some((ext) => file.endsWith(ext));
+}
+
+export function readFileLines(file: string): string[] | null {
+  if (!fs.existsSync(file)) return null;
+
+  try {
+    return fs.readFileSync(file, "utf-8").split("\n");
+  } catch {
+    return null;
+  }
+}
+
+export function isCommentLine(line: string): boolean {
+  const trimmed = line.trim();
+  return (
+    trimmed.startsWith("//") ||
+    trimmed.startsWith("#") ||
+    trimmed.startsWith("*") ||
+    trimmed.startsWith("/*")
+  );
+}
+
+export function isPlaceholderValue(line: string): boolean {
+  return PLACEHOLDER_PATTERNS.some((pattern) => pattern.test(line));
+}
+
+export function matchesAnyPattern(
+  value: string,
+  patterns: RegExp[]
+): boolean {
+  return patterns.some((pattern) => pattern.test(value));
+}