compromising-position 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Tommy Yau
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,250 @@
+# compromising-position
+
+**Were your API keys compromised? Find out.**
+
+A privacy-preserving credential exposure checker that identifies what kind of key you have, checks if it appears in breach databases, and optionally verifies if it's still active — all from a single CLI command.
+
+Built in response to the [OpenClaw security crisis](https://www.theregister.com/2026/02/05/openclaw_skills_marketplace_leaky_security) where tens of thousands of API keys were exposed through leaky skills, malicious plugins, and publicly accessible instances. Security advisories tell you to rotate your keys — but **compromising-position** tells you what happened *before* you rotated.
+
+> **Disclaimer:** I am not a security expert. This tool was vibe-coded in the age of personal software — built because I needed it and thought others might too. It aggregates publicly available breach-checking APIs and applies well-documented techniques (k-anonymity, SHA-256 hashing, Shannon entropy). It is not a substitute for professional security auditing, penetration testing, or incident response. Use it as one signal among many, not as your only line of defence. If you find a vulnerability, please [open an issue](https://github.com/tommyyau/compromising-position/issues).
+
+## The Problem
+
+You connected your API keys to a service. That service got breached, misconfigured, or had a supply chain attack. You rotated your keys. But:
+
+- Were your old keys sold on dark web marketplaces?
+- Did someone use your Anthropic key to run up charges?
+- Was your Slack token used to read company messages?
+- Is your old key *still active* because you forgot to revoke it?
+
+**No existing open-source tool answers all of these questions.**
+
+## What It Does
+
+```
+echo "sk-proj-abc123..." | npx compromising-position check
+```
+
+```
+--- Credential Exposure Report ---
+
+  Risk Level:  [CRITICAL]
+  Summary:     Identified as OpenAI — EXPOSED in 3 breach(es) — KEY IS CURRENTLY ACTIVE
+
+Local Analysis
+  Provider:    OpenAI (high confidence)
+  Entropy:     4.82 bits/char (0.81 normalized)
+
+HIBP Password Check (k-Anonymity)
+  FOUND in breach data — 3 occurrence(s)
+
+Plugin Results
+  Common/Weak Secret Detection: Not found in common secrets blocklist
+  GitGuardian HasMySecretLeaked: Found in 2 public GitHub repo(s)
+
+Active Key Verification
+  KEY IS ACTIVE — rotate immediately!
+```
+
+### The Pipeline
+
+1. **Identify** — Recognizes 39 API key formats (OpenAI, Anthropic, AWS, GitHub, Stripe, Slack, and 33 more)
+2. **Analyze** — Shannon entropy, encoding detection, weak/common secret blocklist (NIST SP 800-63B compliant)
+3. **Check breach databases** — HIBP (k-anonymity), GitGuardian, EmailRep.io, DeHashed, LeakCheck, Intelligence X
+4. **Verify liveness** — Optionally calls the provider API to check if the key still works (read-only, with explicit consent)
+5. **Risk score** — Single assessment from `info` to `critical`
+
+## Quick Start
+
+```bash
+# Install
+npm install -g compromising-position
+
+# Check a single key (interactive, hidden input)
+compromising-position check
+
+# Pipe a key in
+echo "ghp_abc123..." | compromising-position check
+
+# Check without network calls
+echo "sk_live_abc123" | compromising-position check --offline
+
+# Check + verify if key is still active (asks for consent)
+echo "sk-proj-abc123" | compromising-position check --verify
+
+# Check an email for breaches (requires HIBP API key)
+compromising-position check-email user@example.com
+
+# Batch check an entire .env file
+compromising-position check-batch .env.old
+
+# Output as SARIF for GitHub Advanced Security
+compromising-position check-batch secrets.json --format sarif
+```
+
+## Privacy Model
+
+Your secrets never leave your machine unless you explicitly opt in:
+
+| Check | What's Sent | Where |
+|-------|-------------|-------|
+| Local analysis | Nothing | Local only |
+| Common secrets blocklist | Nothing | Local only |
+| HIBP password | 5-char SHA-1 prefix | api.pwnedpasswords.com |
+| GitGuardian | SHA-256 hash | api.gitguardian.com |
+| EmailRep.io | Full email | emailrep.io |
+| Active verification | Full key | Provider API (opt-in) |
+
+Run `compromising-position check --privacy` to see the full data flow summary.
+
+## Supported Key Formats (39)
+
+| Provider | Prefix | Confidence |
+|----------|--------|------------|
+| OpenAI | `sk-proj-`, `sk-svcacct-`, `sk-` | high |
+| Anthropic | `sk-ant-api03-` | high |
+| AWS | `AKIA` | high |
+| GitHub | `ghp_`, `github_pat_` | high |
+| Stripe | `sk_live_`, `sk_test_` | high |
+| Google | `AIza` | high |
+| Slack | `xoxb-`, `xoxp-` | high |
+| GitLab | `glpat-`, `glptt-` | high |
+| npm | `npm_` | high |
+| PyPI | `pypi-AgEIcHlwaS5vcmc` | high |
+| Shopify | `shppa_`, `shpat_` | high |
+| DigitalOcean | `dop_v1_`, `doo_v1_` | high |
+| Supabase | `sbp_` | high |
+| HashiCorp Vault | `hvs.` | high |
+| Terraform Cloud | `atlasv1-` | high |
+| PlanetScale | `pscale_tkn_` | high |
+| Postman | `PMAK-` | high |
+| Grafana | `glsa_` | high |
+| Linear | `lin_api_` | high |
+| Netlify | `nfp_` | high |
+| Doppler | `dp.st.`, `dp.sa.` | high |
+| Buildkite | `bkua_` | high |
+| Atlassian | `ATATT3xFfGF0` | high |
+| Figma | `figd_` | high |
+| SendGrid | `SG.` | high |
+| Twilio | `SK` | high |
+| Mailgun | `key-` | high |
+| Discord | token format | medium |
+| Telegram | bot token format | high |
+| CircleCI | `CIRCLE` | medium |
+| Notion | `secret_` | medium |
+
+## Data Sources
+
+### Free (no API key needed)
+- **HIBP Passwords** — k-anonymity, checks 600M+ breached passwords
+- **Common secrets blocklist** — Top passwords, default credentials, placeholders (fully local)
+- **EmailRep.io** — Email reputation, dark web presence (100 lookups/day free)
+
+### Requires API Key
+- **HIBP Email** — Breaches, stealer logs, pastes ($3.50/mo)
+- **GitGuardian** — Public GitHub repo secret scanning (free tier available)
+- **DeHashed** — 15B+ records, deep/dark web
+- **LeakCheck** — 28B+ records
+- **Intelligence X** — Tor, I2P, paste sites
+
+Configure keys via environment variables or `.env` file:
+
+```bash
+export HIBP_API_KEY=your-key
+export GITGUARDIAN_API_TOKEN=your-token
+export EMAILREP_API_KEY=your-key        # optional, higher rate limits
+export DEHASHED_EMAIL=your@email.com
+export DEHASHED_API_KEY=your-key
+export LEAKCHECK_API_KEY=your-key
+export INTELX_API_KEY=your-key
+```
+
+## Active Key Verification
+
+The `--verify` flag checks if a key is still active by calling the provider's API:
+
+| Provider | Endpoint | Method |
+|----------|----------|--------|
+| OpenAI | `/v1/models` | GET |
+| Anthropic | `/v1/models` | GET |
+| GitHub | `/user` | GET |
+| Slack | `auth.test` | POST |
+| AWS | Requires secret key — reports format only | — |
+
+All verification is:
+- **Opt-in only** — requires `--verify` flag
+- **Consent-gated** — interactive prompt before each call
+- **Read-only** — never makes write operations
+
+## CI/CD Integration
+
+### GitHub Actions
+
+```yaml
+- name: Check rotated secrets
+  run: |
+    echo "${{ secrets.OLD_API_KEY }}" | npx compromising-position check --json
+    # Exit code 1 = exposed, 0 = clean
+```
+
+### Batch + SARIF
+
+```yaml
+- name: Scan secrets file
+  run: npx compromising-position check-batch secrets.json --format sarif > results.sarif
+
+- name: Upload SARIF
+  uses: github/codeql-action/upload-sarif@v3
+  with:
+    sarif_file: results.sarif
+```
+
+### Pre-commit Hook
+
+```bash
+# .pre-commit-config.yaml
+- repo: local
+  hooks:
+    - id: check-secrets
+      name: Check for weak secrets
+      entry: bash -c 'echo "$1" | npx compromising-position check --offline'
+      language: system
+```
+
+## Output Formats
+
+| Flag | Format | Use Case |
+|------|--------|----------|
+| (default) | Human-readable | Terminal |
+| `--json` | JSON | Scripting, pipelines |
+| `--format sarif` | SARIF 2.1.0 | GitHub Advanced Security |
+| `--format csv` | CSV | Spreadsheets, reporting |
+
+## Security Design
+
+- **SecureBuffer** — All secrets held in zeroable Buffer wrappers, never plain strings
+- **Constant-time comparison** — HIBP suffix matching uses `timingSafeEqual`
+- **Memory zeroing** — Buffers zeroed on disposal, secure heap allocation via `--secure-heap`
+- **No secret logging** — Audit logs contain only truncated SHA-256 fingerprints
+- **Terminal injection protection** — All external data sanitized before terminal output
+- **Explicit Resource Management** — Supports TC39 `using` keyword for automatic cleanup
+
+## Development
+
+```bash
+git clone https://github.com/tommyyau/compromising-position.git
+cd compromising-position
+npm install
+npm run build
+npm test          # 196 tests across 23 test files
+```
+
+## A Note on How This Was Built
+
+This project was vibe-coded — built with AI assistance (Claude) in a single session, from idea to published repo. The architecture, code, and tests were generated collaboratively. I'm not a security researcher; I'm a developer who connected API keys to OpenClaw, watched the breach news unfold, and wanted a tool to answer the question: *"was I actually compromised?"*
+
+If you're a security professional and spot something wrong, PRs and issues are very welcome.
+
+## License
+
+MIT

package/bin/compromising-position

@@ -0,0 +1,29 @@
+#!/usr/bin/env node
+
+// Launch with secure heap allocation to reduce risk of secrets
+// lingering in process memory after buffer zeroing.
+//
+// If --secure-heap is not supported (older Node), fall back gracefully.
+
+import { execFileSync } from "node:child_process";
+import { fileURLToPath } from "node:url";
+import { dirname, resolve } from "node:path";
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const entry = resolve(__dirname, "..", "dist", "index.js");
+
+try {
+  execFileSync(
+    process.execPath,
+    ["--secure-heap=16384", "--secure-heap-min=8", entry, ...process.argv.slice(2)],
+    { stdio: "inherit" },
+  );
+} catch (err) {
+  // If secure heap not available, run without it
+  if (err && typeof err === "object" && "status" in err) {
+    process.exit(err.status as number);
+  }
+  execFileSync(process.execPath, [entry, ...process.argv.slice(2)], {
+    stdio: "inherit",
+  });
+}

package/dist/checks/hibp-email.d.ts

@@ -0,0 +1,7 @@
+import type { HibpEmailResult } from "../types/index.js";
+/**
+ * Check an email against HIBP breached accounts, stealer logs, and paste endpoints.
+ * Requires a paid HIBP API key ($3.50/mo).
+ */
+export declare function checkHibpEmail(email: string, apiKey: string): Promise<HibpEmailResult>;
+//# sourceMappingURL=hibp-email.d.ts.map

package/dist/checks/hibp-email.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hibp-email.d.ts","sourceRoot":"","sources":["../../src/checks/hibp-email.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAEV,eAAe,EAGhB,MAAM,mBAAmB,CAAC;AA0G3B;;;GAGG;AACH,wBAAsB,cAAc,CAClC,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,eAAe,CAAC,CA0B1B"}

package/dist/checks/hibp-email.js

@@ -0,0 +1,99 @@
+import { sanitizeForTerminal } from "../core/sanitize.js";
+const HIBP_BASE = "https://haveibeenpwned.com/api/v3";
+const USER_AGENT = "compromising-position/1.0.0";
+const MAX_RETRIES = 1;
+/** Delay for rate limiting. */
+function delay(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
+/**
+ * Fetch wrapper that:
+ * - Never exposes the API key in error messages
+ * - Handles 429 rate limiting with Retry-After header
+ */
+async function hibpFetch(url, apiKey, retries = 0) {
+    let response;
+    try {
+        response = await fetch(url, {
+            headers: {
+                "hibp-api-key": apiKey,
+                "User-Agent": USER_AGENT,
+            },
+        });
+    }
+    catch (err) {
+        // Wrap network errors to prevent any header/key leakage
+        const msg = err instanceof Error ? err.message : "unknown error";
+        throw new Error(`HIBP request failed: ${sanitizeForTerminal(msg)}`);
+    }
+    // Handle rate limiting with exponential backoff
+    if (response.status === 429 && retries < MAX_RETRIES) {
+        const retryAfter = parseInt(response.headers.get("Retry-After") ?? "2", 10);
+        const waitMs = (Number.isNaN(retryAfter) ? 2 : retryAfter) * 1000;
+        await delay(waitMs);
+        return hibpFetch(url, apiKey, retries + 1);
+    }
+    return response;
+}
+async function fetchBreaches(email, apiKey) {
+    const encoded = encodeURIComponent(email);
+    const response = await hibpFetch(`${HIBP_BASE}/breachedaccount/${encoded}?truncateResponse=false`, apiKey);
+    if (response.status === 404)
+        return [];
+    if (!response.ok) {
+        throw new Error(`Breaches API returned ${response.status}: ${sanitizeForTerminal(response.statusText)}`);
+    }
+    return (await response.json());
+}
+async function fetchStealerLogs(email, apiKey) {
+    const encoded = encodeURIComponent(email);
+    const response = await hibpFetch(`${HIBP_BASE}/stealerlogsbyemail/${encoded}`, apiKey);
+    if (response.status === 404)
+        return [];
+    if (!response.ok) {
+        throw new Error(`Stealer logs API returned ${response.status}: ${sanitizeForTerminal(response.statusText)}`);
+    }
+    return (await response.json());
+}
+async function fetchPastes(email, apiKey) {
+    const encoded = encodeURIComponent(email);
+    const response = await hibpFetch(`${HIBP_BASE}/pasteaccount/${encoded}`, apiKey);
+    if (response.status === 404)
+        return [];
+    if (!response.ok) {
+        throw new Error(`Pastes API returned ${response.status}: ${sanitizeForTerminal(response.statusText)}`);
+    }
+    return (await response.json());
+}
+/**
+ * Check an email against HIBP breached accounts, stealer logs, and paste endpoints.
+ * Requires a paid HIBP API key ($3.50/mo).
+ */
+export async function checkHibpEmail(email, apiKey) {
+    try {
+        // Fetch sequentially to respect rate limits
+        const breaches = await fetchBreaches(email, apiKey);
+        await delay(1600);
+        const stealerLogs = await fetchStealerLogs(email, apiKey);
+        await delay(1600);
+        const pastes = await fetchPastes(email, apiKey);
+        return {
+            checked: true,
+            breaches,
+            stealerLogs,
+            pastes,
+            error: null,
+        };
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        return {
+            checked: true,
+            breaches: [],
+            stealerLogs: [],
+            pastes: [],
+            error: sanitizeForTerminal(message),
+        };
+    }
+}
+//# sourceMappingURL=hibp-email.js.map

package/dist/checks/hibp-email.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hibp-email.js","sourceRoot":"","sources":["../../src/checks/hibp-email.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAQ1D,MAAM,SAAS,GAAG,mCAAmC,CAAC;AACtD,MAAM,UAAU,GAAG,6BAA6B,CAAC;AACjD,MAAM,WAAW,GAAG,CAAC,CAAC;AAEtB,+BAA+B;AAC/B,SAAS,KAAK,CAAC,EAAU;IACvB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AAC3D,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,SAAS,CACtB,GAAW,EACX,MAAc,EACd,OAAO,GAAG,CAAC;IAEX,IAAI,QAAkB,CAAC;IACvB,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAC1B,OAAO,EAAE;gBACP,cAAc,EAAE,MAAM;gBACtB,YAAY,EAAE,UAAU;aACzB;SACF,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,wDAAwD;QACxD,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;QACjE,MAAM,IAAI,KAAK,CAAC,wBAAwB,mBAAmB,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACtE,CAAC;IAED,gDAAgD;IAChD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,OAAO,GAAG,WAAW,EAAE,CAAC;QACrD,MAAM,UAAU,GAAG,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,IAAI,GAAG,EAAE,EAAE,CAAC,CAAC;QAC5E,MAAM,MAAM,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC;QAClE,MAAM,KAAK,CAAC,MAAM,CAAC,CAAC;QACpB,OAAO,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,GAAG,CAAC,CAAC,CAAC;IAC7C,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,KAAK,UAAU,aAAa,CAC1B,KAAa,EACb,MAAc;IAEd,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;IAC1C,MAAM,QAAQ,GAAG,MAAM,SAAS,CAC9B,GAAG,SAAS,oBAAoB,OAAO,yBAAyB,EAChE,MAAM,CACP,CAAC;IAEF,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG;QAAE,OAAO,EAAE,CAAC;IACvC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CACb,yBAAyB,QAAQ,CAAC,MAAM,KAAK,mBAAmB,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CACxF,CAAC;IACJ,CAAC;IAED,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAkB,CAAC;AAClD,CAAC;AAED,KAAK,UAAU,gBAAgB,CAC7B,KAAa,EACb,MAAc;IAEd,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;IAC1C,MAAM,QAAQ,GAAG,MAAM,SAAS,CAC9B,GAAG,SAAS,uBAAuB,OAAO,EAAE,EAC5C,MAAM,CACP,CAAC;IAEF,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG;QAAE,OAAO,EAAE,CAAC;IACvC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CACb,6BAA6B,QAAQ,CAAC,MAAM,KAAK,mBAAmB,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAC5F,CAAC;IACJ,CAAC;IAED,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAsB,CAAC;AACtD,CAAC;AAED,KAAK,UAAU,WAAW,CACxB,KAAa,EACb,MAAc;IAEd,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;IAC1C,MAAM,QAAQ,GAAG,MAAM,SAAS,CAC9B,GAAG,SAAS,iBAAiB,OAAO,EAAE,EACtC,MAAM,CACP,CAAC;IAEF,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG;QAAE,OAAO,EAAE,CAAC;IACvC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CACb,uBAAuB,QAAQ,CAAC,MAAM,KAAK,mBAAmB,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CACtF,CAAC;IACJ,CAAC;IAED,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAiB,CAAC;AACjD,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,KAAa,EACb,MAAc;IAEd,IAAI,CAAC;QACH,4CAA4C;QAC5C,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACpD,MAAM,KAAK,CAAC,IAAI,CAAC,CAAC;QAClB,MAAM,WAAW,GAAG,MAAM,gBAAgB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC1D,MAAM,KAAK,CAAC,IAAI,CAAC,CAAC;QAClB,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAEhD,OAAO;YACL,OAAO,EAAE,IAAI;YACb,QAAQ;YACR,WAAW;YACX,MAAM;YACN,KAAK,EAAE,IAAI;SACZ,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,OAAO;YACL,OAAO,EAAE,IAAI;YACb,QAAQ,EAAE,EAAE;YACZ,WAAW,EAAE,EAAE;YACf,MAAM,EAAE,EAAE;YACV,KAAK,EAAE,mBAAmB,CAAC,OAAO,CAAC;SACpC,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/checks/hibp-password.d.ts

@@ -0,0 +1,13 @@
+import type { SecureBuffer } from "../core/secure-buffer.js";
+import type { HibpPasswordResult } from "../types/index.js";
+/**
+ * Check a secret against the HIBP Pwned Passwords API using k-anonymity.
+ *
+ * Only the first 5 characters of the SHA-1 hash are sent to the server.
+ * The remaining 35 characters are compared locally using constant-time comparison.
+ *
+ * Uses Buffer-based SHA-1 computation to avoid leaving the full hash
+ * as an immutable string on the V8 heap.
+ */
+export declare function checkHibpPassword(secret: SecureBuffer): Promise<HibpPasswordResult>;
+//# sourceMappingURL=hibp-password.d.ts.map

package/dist/checks/hibp-password.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hibp-password.d.ts","sourceRoot":"","sources":["../../src/checks/hibp-password.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAE7D,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAc5D;;;;;;;;GAQG;AACH,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,YAAY,GACnB,OAAO,CAAC,kBAAkB,CAAC,CA0D7B"}

package/dist/checks/hibp-password.js

@@ -0,0 +1,119 @@
+import { timingSafeEqual } from "node:crypto";
+import { sanitizeForTerminal } from "../core/sanitize.js";
+const HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/";
+const USER_AGENT = "compromising-position/1.0.0";
+/**
+ * Number of hex chars for the prefix (5 = 2.5 bytes of SHA-1).
+ * This is the only portion transmitted to the HIBP server.
+ */
+const PREFIX_HEX_LENGTH = 5;
+/** Number of hex chars for the suffix (35 = remaining SHA-1). */
+const SUFFIX_HEX_LENGTH = 35;
+/**
+ * Check a secret against the HIBP Pwned Passwords API using k-anonymity.
+ *
+ * Only the first 5 characters of the SHA-1 hash are sent to the server.
+ * The remaining 35 characters are compared locally using constant-time comparison.
+ *
+ * Uses Buffer-based SHA-1 computation to avoid leaving the full hash
+ * as an immutable string on the V8 heap.
+ */
+export async function checkHibpPassword(secret) {
+    // Compute SHA-1 as raw bytes (20 bytes), not a hex string.
+    // This avoids leaving the full 40-char hex hash as an un-zeroable string.
+    const sha1Buf = secret.sha1Buffer();
+    // Extract prefix as hex for the API call (first 2.5 bytes = 5 hex chars).
+    // We need to read 3 bytes and take the first 5 hex chars.
+    const prefixBytes = sha1Buf.subarray(0, 3);
+    const prefix = prefixBytes.toString("hex").toUpperCase().slice(0, PREFIX_HEX_LENGTH);
+    // Build the suffix as a fixed-size uppercase hex Buffer for constant-time comparison.
+    const suffixHex = sha1Buf.subarray(2).toString("hex").toUpperCase().slice(1); // skip first nibble (already in prefix)
+    const suffixBuffer = Buffer.from(suffixHex, "utf-8");
+    // Zero the raw SHA-1 buffer now that we've extracted what we need
+    sha1Buf.fill(0);
+    try {
+        const response = await fetch(`${HIBP_RANGE_URL}${prefix}`, {
+            headers: {
+                "User-Agent": USER_AGENT,
+                "Add-Padding": "true",
+            },
+        });
+        if (!response.ok) {
+            return {
+                checked: true,
+                found: false,
+                occurrences: 0,
+                hashPrefix: prefix,
+                error: `HIBP API returned ${response.status}: ${sanitizeForTerminal(response.statusText)}`,
+            };
+        }
+        const body = await response.text();
+        const match = findMatchConstantTime(suffixBuffer, body);
+        return {
+            checked: true,
+            found: match.found,
+            occurrences: match.occurrences,
+            hashPrefix: prefix,
+            error: null,
+        };
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        return {
+            checked: true,
+            found: false,
+            occurrences: 0,
+            hashPrefix: prefix,
+            error: `Network error: ${sanitizeForTerminal(message)}`,
+        };
+    }
+    finally {
+        // Zero the suffix buffer
+        suffixBuffer.fill(0);
+    }
+}
+/**
+ * Compare our suffix against all returned suffixes using constant-time comparison.
+ *
+ * Every entry is compared with timingSafeEqual regardless of length match.
+ * Entries that don't match the expected length are padded to avoid skipping
+ * the comparison (which would create a timing side-channel).
+ *
+ * The loop never breaks early. Result variables are updated using the same
+ * code path on every iteration to minimize data-dependent timing variance.
+ */
+function findMatchConstantTime(targetSuffix, responseBody) {
+    const targetLen = targetSuffix.length;
+    let found = false;
+    let occurrences = 0;
+    const lines = responseBody.split("\n");
+    for (const line of lines) {
+        const trimmed = line.trim();
+        if (trimmed.length === 0)
+            continue;
+        const colonIndex = trimmed.indexOf(":");
+        if (colonIndex === -1)
+            continue;
+        const entrySuffix = trimmed.slice(0, colonIndex);
+        const countStr = trimmed.slice(colonIndex + 1);
+        const count = parseInt(countStr, 10);
+        // Skip entries with invalid count (NaN, negative)
+        if (Number.isNaN(count) || count < 0)
+            continue;
+        // Pad or truncate entry to target length so we always call timingSafeEqual.
+        // This avoids a length-dependent branch that skips the comparison.
+        const entryBuf = Buffer.alloc(targetLen);
+        const entryRaw = Buffer.from(entrySuffix.toUpperCase(), "utf-8");
+        entryRaw.copy(entryBuf, 0, 0, Math.min(entryRaw.length, targetLen));
+        const lengthMatch = entryRaw.length === targetLen;
+        const bytesMatch = timingSafeEqual(entryBuf, targetSuffix);
+        // Both length and content must match. Use branchless-style update:
+        // always evaluate both conditions, never break early.
+        if (lengthMatch && bytesMatch) {
+            found = true;
+            occurrences = count;
+        }
+    }
+    return { found, occurrences };
+}
+//# sourceMappingURL=hibp-password.js.map

package/dist/checks/hibp-password.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hibp-password.js","sourceRoot":"","sources":["../../src/checks/hibp-password.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE9C,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAG1D,MAAM,cAAc,GAAG,uCAAuC,CAAC;AAC/D,MAAM,UAAU,GAAG,6BAA6B,CAAC;AAEjD;;;GAGG;AACH,MAAM,iBAAiB,GAAG,CAAC,CAAC;AAE5B,iEAAiE;AACjE,MAAM,iBAAiB,GAAG,EAAE,CAAC;AAE7B;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,MAAoB;IAEpB,2DAA2D;IAC3D,0EAA0E;IAC1E,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAEpC,0EAA0E;IAC1E,0DAA0D;IAC1D,MAAM,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAC3C,MAAM,MAAM,GAAG,WAAW,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,iBAAiB,CAAC,CAAC;IAErF,sFAAsF;IACtF,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,wCAAwC;IACtH,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IAErD,kEAAkE;IAClE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAEhB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,cAAc,GAAG,MAAM,EAAE,EAAE;YACzD,OAAO,EAAE;gBACP,YAAY,EAAE,UAAU;gBACxB,aAAa,EAAE,MAAM;aACtB;SACF,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,KAAK,EAAE,KAAK;gBACZ,WAAW,EAAE,CAAC;gBACd,UAAU,EAAE,MAAM;gBAClB,KAAK,EAAE,qBAAqB,QAAQ,CAAC,MAAM,KAAK,mBAAmB,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE;aAC3F,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnC,MAAM,KAAK,GAAG,qBAAqB,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;QAExD,OAAO;YACL,OAAO,EAAE,IAAI;YACb,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,WAAW,EAAE,KAAK,CAAC,WAAW;YAC9B,UAAU,EAAE,MAAM;YAClB,KAAK,EAAE,IAAI;SACZ,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,OAAO;YACL,OAAO,EAAE,IAAI;YACb,KAAK,EAAE,KAAK;YACZ,WAAW,EAAE,CAAC;YACd,UAAU,EAAE,MAAM;YAClB,KAAK,EAAE,kBAAkB,mBAAmB,CAAC,OAAO,CAAC,EAAE;SACxD,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,yBAAyB;QACzB,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACvB,CAAC;AACH,CAAC;AAOD;;;;;;;;;GASG;AACH,SAAS,qBAAqB,CAC5B,YAAoB,EACpB,YAAoB;IAEpB,MAAM,SAAS,GAAG,YAAY,CAAC,MAAM,CAAC;IACtC,IAAI,KAAK,GAAG,KAAK,CAAC;IAClB,IAAI,WAAW,GAAG,CAAC,CAAC;IAEpB,MAAM,KAAK,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACvC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QAEnC,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACxC,IAAI,UAAU,KAAK,CAAC,CAAC;YAAE,SAAS;QAEhC,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC;QACjD,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC;QAC/C,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;QAErC,kDAAkD;QAClD,IAAI,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,KAAK,GAAG,CAAC;YAAE,SAAS;QAE/C,4EAA4E;QAC5E,mEAAmE;QACnE,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QACzC,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,EAAE,OAAO,CAAC,CAAC;QACjE,QAAQ,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,EAAE,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC;QAEpE,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,KAAK,SAAS,CAAC;QAClD,MAAM,UAAU,GAAG,eAAe,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;QAE3D,mEAAmE;QACnE,sDAAsD;QACtD,IAAI,WAAW,IAAI,UAAU,EAAE,CAAC;YAC9B,KAAK,GAAG,IAAI,CAAC;YACb,WAAW,GAAG,KAAK,CAAC;QACtB,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC;AAChC,CAAC"}

package/dist/checks/local-check.d.ts

@@ -0,0 +1,9 @@
+import type { SecureBuffer } from "../core/secure-buffer.js";
+import { type LocalCheckResult } from "../types/index.js";
+/**
+ * Perform local-only analysis: provider identification, entropy, format checks.
+ * Uses Buffer-based operations where possible to minimize the lifetime
+ * of secret data as immutable JS strings (which cannot be zeroed).
+ */
+export declare function performLocalCheck(secret: SecureBuffer): LocalCheckResult;
+//# sourceMappingURL=local-check.d.ts.map

package/dist/checks/local-check.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"local-check.d.ts","sourceRoot":"","sources":["../../src/checks/local-check.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAG7D,OAAO,EAAe,KAAK,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAEvE;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,YAAY,GAAG,gBAAgB,CAqCxE"}

package/dist/checks/local-check.js

@@ -0,0 +1,36 @@
+import { identifyKey } from "../core/key-identifier.js";
+import { analyzeEntropyFromBuffer } from "../core/entropy.js";
+import { KeyProvider } from "../types/index.js";
+/**
+ * Perform local-only analysis: provider identification, entropy, format checks.
+ * Uses Buffer-based operations where possible to minimize the lifetime
+ * of secret data as immutable JS strings (which cannot be zeroed).
+ */
+export function performLocalCheck(secret) {
+    const identification = identifyKey(secret);
+    const entropy = analyzeEntropyFromBuffer(secret);
+    const warnings = [];
+    // Collect warnings
+    if (entropy.warning) {
+        warnings.push(entropy.warning);
+    }
+    if (entropy.length < 8) {
+        warnings.push("Input is very short — unlikely to be a real API key");
+    }
+    if (identification.provider === KeyProvider.StripeTest) {
+        warnings.push("This is a Stripe TEST key — not a production secret, but still should not be shared");
+    }
+    if (identification.provider === KeyProvider.Unknown && entropy.shannonEntropy < 3.0) {
+        warnings.push("Unrecognized format with low entropy — may be a password or placeholder");
+    }
+    // Heuristic: does this look like a real secret?
+    const looksLikeSecret = identification.provider !== KeyProvider.Unknown ||
+        (entropy.shannonEntropy >= 3.5 && entropy.length >= 16);
+    return {
+        identification,
+        entropy,
+        warnings,
+        looksLikeSecret,
+    };
+}
+//# sourceMappingURL=local-check.js.map

package/dist/checks/local-check.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"local-check.js","sourceRoot":"","sources":["../../src/checks/local-check.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AACxD,OAAO,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,WAAW,EAAyB,MAAM,mBAAmB,CAAC;AAEvE;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAoB;IACpD,MAAM,cAAc,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;IAC3C,MAAM,OAAO,GAAG,wBAAwB,CAAC,MAAM,CAAC,CAAC;IACjD,MAAM,QAAQ,GAAa,EAAE,CAAC;IAE9B,mBAAmB;IACnB,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QACpB,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IACjC,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,QAAQ,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC;IACvE,CAAC;IAED,IAAI,cAAc,CAAC,QAAQ,KAAK,WAAW,CAAC,UAAU,EAAE,CAAC;QACvD,QAAQ,CAAC,IAAI,CACX,qFAAqF,CACtF,CAAC;IACJ,CAAC;IAED,IAAI,cAAc,CAAC,QAAQ,KAAK,WAAW,CAAC,OAAO,IAAI,OAAO,CAAC,cAAc,GAAG,GAAG,EAAE,CAAC;QACpF,QAAQ,CAAC,IAAI,CACX,yEAAyE,CAC1E,CAAC;IACJ,CAAC;IAED,gDAAgD;IAChD,MAAM,eAAe,GACnB,cAAc,CAAC,QAAQ,KAAK,WAAW,CAAC,OAAO;QAC/C,CAAC,OAAO,CAAC,cAAc,IAAI,GAAG,IAAI,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC;IAE1D,OAAO;QACL,cAAc;QACd,OAAO;QACP,QAAQ;QACR,eAAe;KAChB,CAAC;AACJ,CAAC"}

package/dist/checks/plugin.d.ts

@@ -0,0 +1,29 @@
+import type { SecureBuffer } from "../core/secure-buffer.js";
+import type { AppConfig, PluginCheckResult, PluginInputKind } from "../types/index.js";
+/**
+ * Interface for check plugins. Each plugin checks a secret or email
+ * against a specific data source and returns a standardized result.
+ */
+export interface CheckPlugin {
+    /** Unique identifier for this plugin. */
+    readonly id: string;
+    /** Human-readable name for display. */
+    readonly name: string;
+    /** What kind of input this plugin operates on. */
+    readonly inputKind: PluginInputKind;
+    /** Whether this plugin makes network requests. */
+    readonly requiresNetwork: boolean;
+    /** Config keys (env var names) that must be set for this plugin to run. */
+    readonly requiredConfigKeys: string[];
+    /** Whether this plugin is free (no API key purchase needed). */
+    readonly isFree: boolean;
+    /** Short description of what data is sent and where, for --privacy output. */
+    readonly privacySummary: string;
+    /**
+     * Run the check.
+     * @param input - The secret (SecureBuffer) or email (string), depending on inputKind.
+     * @param config - App configuration including API keys.
+     */
+    check(input: SecureBuffer | string, config: AppConfig): Promise<PluginCheckResult>;
+}
+//# sourceMappingURL=plugin.d.ts.map

package/dist/checks/plugin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"plugin.d.ts","sourceRoot":"","sources":["../../src/checks/plugin.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,KAAK,EACV,SAAS,EACT,iBAAiB,EACjB,eAAe,EAChB,MAAM,mBAAmB,CAAC;AAE3B;;;GAGG;AACH,MAAM,WAAW,WAAW;IAC1B,yCAAyC;IACzC,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IAEpB,uCAAuC;IACvC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAEtB,kDAAkD;IAClD,QAAQ,CAAC,SAAS,EAAE,eAAe,CAAC;IAEpC,kDAAkD;IAClD,QAAQ,CAAC,eAAe,EAAE,OAAO,CAAC;IAElC,2EAA2E;IAC3E,QAAQ,CAAC,kBAAkB,EAAE,MAAM,EAAE,CAAC;IAEtC,gEAAgE;IAChE,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC;IAEzB,8EAA8E;IAC9E,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAEhC;;;;OAIG;IACH,KAAK,CACH,KAAK,EAAE,YAAY,GAAG,MAAM,EAC5B,MAAM,EAAE,SAAS,GAChB,OAAO,CAAC,iBAAiB,CAAC,CAAC;CAC/B"}

package/dist/checks/plugin.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=plugin.js.map

package/dist/checks/plugin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"plugin.js","sourceRoot":"","sources":["../../src/checks/plugin.ts"],"names":[],"mappings":""}