compromising-position 1.0.0

package/dist/core/entropy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"entropy.js","sourceRoot":"","sources":["../../src/core/entropy.ts"],"names":[],"mappings":"AAGA;;;GAGG;AACH,MAAM,UAAU,wBAAwB,CAAC,GAAW;IAClD,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAE/B,MAAM,IAAI,GAAG,IAAI,GAAG,EAAkB,CAAC;IACvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,MAAM,IAAI,GAAG,GAAG,CAAC,CAAC,CAAE,CAAC;QACrB,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5C,CAAC;IAED,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;IACvB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,KAAK,GAAG,GAAG,CAAC;QACtB,OAAO,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,oEAAoE;AACpE,MAAM,UAAU,cAAc,CAAC,IAAY;IACzC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAEhC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAkB,CAAC;IACvC,KAAK,MAAM,EAAE,IAAI,IAAI,EAAE,CAAC;QACtB,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACxC,CAAC;IAED,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC;IACxB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,KAAK,GAAG,GAAG,CAAC;QACtB,OAAO,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,wBAAwB,CAAC,GAAW;IAClD,IAAI,OAAO,GAAG,KAAK,CAAC;IACpB,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,SAAS,GAAG,KAAK,CAAC;IACtB,IAAI,aAAa,GAAG,KAAK,CAAC;IAC1B,IAAI,SAAS,GAAG,KAAK,CAAC;IACtB,IAAI,MAAM,GAAG,IAAI,CAAC;IAClB,IAAI,QAAQ,GAAG,IAAI,CAAC;IACpB,IAAI,SAAS,GAAG,IAAI,CAAC;IAErB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,MAAM,CAAC,GAAG,GAAG,CAAC,CAAC,CAAE,CAAC;QAClB,MAAM,OAAO,GAAG,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,IAAI,CAAC;QACvC,MAAM,OAAO,GAAG,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,IAAI,CAAC;QACvC,MAAM,OAAO,GAAG,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,IAAI,CAAC;QACvC,MAAM,UAAU,GAAG,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,IAAI,CAAC;QAC1C,MAAM,UAAU,GAAG,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,IAAI,CAAC;QAC1C,MAAM,YAAY,GAAG,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,IAAI,CAAC,CAAC,QAAQ;QAErE,IAAI,CAAC,KAAK,IAAI;YAAE,OAAO,GAAG,IAAI,CAAC;aAC1B,IAAI,CAAC,KAAK,IAAI;YAAE,QAAQ,GAAG,IAAI,CAAC;aAChC,IAAI,CAAC,KAAK,IAAI;YAAE,SAAS,GAAG,IAAI,CAAC;aACjC,IAAI,CAAC,KAAK,IAAI;YAAE,aAAa,GAAG,IAAI,CAAC;aACrC,IAAI,CAAC,KAAK,IAAI;YAAE,SAAS,GAAG,IAAI,CAAC;QAEtC,IAAI,CAAC,CAAC,OAAO,IAAI,UAAU,IAAI,UAAU,CAAC;YAAE,MAAM,GAAG,KAAK,CAAC;QAC3D,IAAI,CAAC,CAAC,OAAO,IAAI,OAAO,IAAI,OAAO,CAAC;YAAE,QAAQ,GAAG,KAAK,CAAC;QACvD,IAAI,CAAC,CAAC,OAAO,IAAI,OAAO,IAAI,OAAO,IAAI,YAAY,CAAC;YAAE,SAAS,GAAG,KAAK,CAAC;IAC1E,CAAC;IAED,IAAI,MAAM,IAAI,CAAC,OAAO,IAAI,CAAC,QAAQ,IAAI,CAAC,SAAS,IAAI,CAAC,aAAa,IAAI,CAAC,SAAS;QAAE,OAAO,KAAK,CAAC;IAChG,IAAI,SAAS,IAAI,CAAC,OAAO,IAAI,QAAQ,IAAI,SAAS,CAAC;QAAE,OAAO,QAAQ,CAAC;IACrE,IAAI,QAAQ,IAAI,CAAC,aAAa,IAAI,CAAC,SAAS;QAAE,OAAO,QAAQ,CAAC;IAC9D,IAAI,QAAQ,IAAI,CAAC,CAAC,OAAO,IAAI,CAAC,QAAQ,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QACtD,IAAI,aAAa,IAAI,SAAS;YAAE,OAAO,cAAc,CAAC;IACxD,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,8CAA8C;AAC9C,MAAM,UAAU,cAAc,CAAC,IAAY;IACzC,IAAI,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IAC9C,qEAAqE;IACrE,IAAI,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3F,OAAO,QAAQ,CAAC;IAClB,IAAI,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,QAAQ,CAAC;IACjD,IAAI,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,cAAc,CAAC;IACzD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,kEAAkE;AAClE,SAAS,UAAU,CAAC,YAAoB;IACtC,OAAO,YAAY,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AACxD,CAAC;AAED,SAAS,uBAAuB,CAAC,QAAkB;IACjD,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,KAAK;YACR,OAAO,EAAE,CAAC;QACZ,KAAK,QAAQ;YACX,OAAO,EAAE,CAAC;QACZ,KAAK,QAAQ;YACX,OAAO,EAAE,CAAC;QACZ,KAAK,cAAc;YACjB,OAAO,EAAE,CAAC,CAAC,mBAAmB;QAChC,KAAK,OAAO;YACV,OAAO,EAAE,CAAC,CAAC,kBAAkB;IACjC,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,wBAAwB,CAAC,MAAoB;IAC3D,MAAM,GAAG,GAAG,MAAM,CAAC,eAAe,EAAE,CAAC;IACrC,qDAAqD;IACrD,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,IAAI,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC;IACrB,OAAO,KAAK,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,KAAK,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,KAAK,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,KAAK,IAAI,CAAC;QAAE,KAAK,EAAE,CAAC;IAC1H,OAAO,GAAG,GAAG,KAAK,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC,KAAK,IAAI,IAAI,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC,KAAK,IAAI,IAAI,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC,KAAK,IAAI,IAAI,GAAG,CAAC,GAAG,GAAG,CAAC,CAAC,KAAK,IAAI,CAAC;QAAE,GAAG,EAAE,CAAC;IAEhI,MAAM,OAAO,GAAG,GAAG,CAAC,QAAQ,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACzC,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC;IAC3B,MAAM,OAAO,GAAG,wBAAwB,CAAC,OAAO,CAAC,CAAC;IAClD,MAAM,QAAQ,GAAG,wBAAwB,CAAC,OAAO,CAAC,CAAC;IACnD,MAAM,MAAM,GAAG,UAAU,CAAC,uBAAuB,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC7D,MAAM,UAAU,GAAG,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IAErD,IAAI,OAAO,GAAkB,IAAI,CAAC;IAClC,IAAI,GAAG,GAAG,CAAC,EAAE,CAAC;QACZ,OAAO,GAAG,wCAAwC,CAAC;IACrD,CAAC;SAAM,IAAI,OAAO,GAAG,GAAG,EAAE,CAAC;QACzB,OAAO,GAAG,uDAAuD,CAAC;IACpE,CAAC;SAAM,IAAI,OAAO,GAAG,GAAG,IAAI,GAAG,GAAG,EAAE,EAAE,CAAC;QACrC,OAAO,GAAG,sDAAsD,CAAC;IACnE,CAAC;IAED,OAAO;QACL,cAAc,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO,GAAG,IAAI,CAAC,GAAG,IAAI;QACjD,kBAAkB,EAAE,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,IAAI,CAAC,GAAG,IAAI;QACpD,iBAAiB,EAAE,IAAI,CAAC,KAAK,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,IAAI;QACvD,QAAQ;QACR,MAAM,EAAE,GAAG;QACX,OAAO;KACR,CAAC;AACJ,CAAC;AAED,mCAAmC;AACnC,MAAM,UAAU,cAAc,CAAC,IAAY;IACzC,MAAM,OAAO,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;IACrC,MAAM,QAAQ,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,UAAU,CAAC,uBAAuB,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC7D,MAAM,UAAU,GAAG,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IAErD,IAAI,OAAO,GAAkB,IAAI,CAAC;IAClC,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpB,OAAO,GAAG,wCAAwC,CAAC;IACrD,CAAC;SAAM,IAAI,OAAO,GAAG,GAAG,EAAE,CAAC;QACzB,OAAO,GAAG,uDAAuD,CAAC;IACpE,CAAC;SAAM,IAAI,OAAO,GAAG,GAAG,IAAI,IAAI,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAC7C,OAAO,GAAG,sDAAsD,CAAC;IACnE,CAAC;IAED,OAAO;QACL,cAAc,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO,GAAG,IAAI,CAAC,GAAG,IAAI;QACjD,kBAAkB,EAAE,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,IAAI,CAAC,GAAG,IAAI;QACpD,iBAAiB,EAAE,IAAI,CAAC,KAAK,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,IAAI;QACvD,QAAQ;QACR,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,OAAO;KACR,CAAC;AACJ,CAAC"}

package/dist/core/fingerprint.d.ts

@@ -0,0 +1,7 @@
+import type { SecureBuffer } from "./secure-buffer.js";
+/**
+ * Generate a truncated SHA-256 fingerprint for audit logging.
+ * Returns first 16 hex chars — enough for identification, not enough to reverse.
+ */
+export declare function fingerprint(secret: SecureBuffer): string;
+//# sourceMappingURL=fingerprint.d.ts.map

package/dist/core/fingerprint.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fingerprint.d.ts","sourceRoot":"","sources":["../../src/core/fingerprint.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAKvD;;;GAGG;AACH,wBAAgB,WAAW,CAAC,MAAM,EAAE,YAAY,GAAG,MAAM,CAExD"}

package/dist/core/fingerprint.js

@@ -0,0 +1,10 @@
+/** Number of hex characters to keep from SHA-256 for audit fingerprint. */
+const FINGERPRINT_LENGTH = 16;
+/**
+ * Generate a truncated SHA-256 fingerprint for audit logging.
+ * Returns first 16 hex chars — enough for identification, not enough to reverse.
+ */
+export function fingerprint(secret) {
+    return secret.sha256Hex().slice(0, FINGERPRINT_LENGTH);
+}
+//# sourceMappingURL=fingerprint.js.map

package/dist/core/fingerprint.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fingerprint.js","sourceRoot":"","sources":["../../src/core/fingerprint.ts"],"names":[],"mappings":"AAEA,2EAA2E;AAC3E,MAAM,kBAAkB,GAAG,EAAE,CAAC;AAE9B;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,MAAoB;IAC9C,OAAO,MAAM,CAAC,SAAS,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,kBAAkB,CAAC,CAAC;AACzD,CAAC"}

package/dist/core/key-identifier.d.ts

@@ -0,0 +1,9 @@
+import type { SecureBuffer } from "./secure-buffer.js";
+import { type KeyIdentification } from "../types/index.js";
+/**
+ * Identify the provider and confidence for a given key.
+ * Accepts SecureBuffer — regex matching is done via testPattern()
+ * to keep the temporary string scoped inside SecureBuffer.
+ */
+export declare function identifyKey(secret: SecureBuffer): KeyIdentification;
+//# sourceMappingURL=key-identifier.d.ts.map

package/dist/core/key-identifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-identifier.d.ts","sourceRoot":"","sources":["../../src/core/key-identifier.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAAe,KAAK,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAoSxE;;;;GAIG;AACH,wBAAgB,WAAW,CAAC,MAAM,EAAE,YAAY,GAAG,iBAAiB,CAoBnE"}

package/dist/core/key-identifier.js

@@ -0,0 +1,310 @@
+import { KeyProvider } from "../types/index.js";
+const KEY_PATTERNS = [
+    // OpenAI project keys
+    {
+        provider: KeyProvider.OpenAI,
+        regex: /^sk-proj-[A-Za-z0-9_-]{80,180}$/,
+        confidence: "high",
+        description: "OpenAI project API key",
+    },
+    // OpenAI service account keys
+    {
+        provider: KeyProvider.OpenAIService,
+        regex: /^sk-svcacct-[A-Za-z0-9_-]{80,180}$/,
+        confidence: "high",
+        description: "OpenAI service account key",
+    },
+    // OpenAI legacy keys
+    {
+        provider: KeyProvider.OpenAI,
+        regex: /^sk-[A-Za-z0-9]{32,64}$/,
+        confidence: "medium",
+        description: "OpenAI API key (legacy format)",
+    },
+    // Anthropic
+    {
+        provider: KeyProvider.Anthropic,
+        regex: /^sk-ant-api03-[A-Za-z0-9_-]{90,110}$/,
+        confidence: "high",
+        description: "Anthropic API key",
+    },
+    // AWS Access Key ID
+    {
+        provider: KeyProvider.AWS,
+        regex: /^AKIA[0-9A-Z]{16}$/,
+        confidence: "high",
+        description: "AWS Access Key ID",
+    },
+    // GitHub Personal Access Token (classic)
+    {
+        provider: KeyProvider.GitHubPAT,
+        regex: /^ghp_[a-zA-Z0-9]{36}$/,
+        confidence: "high",
+        description: "GitHub Personal Access Token (classic)",
+    },
+    // GitHub Fine-Grained PAT
+    {
+        provider: KeyProvider.GitHubFineGrained,
+        regex: /^github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}$/,
+        confidence: "high",
+        description: "GitHub Fine-Grained Personal Access Token",
+    },
+    // Stripe live secret key
+    {
+        provider: KeyProvider.StripeLive,
+        regex: /^sk_live_[0-9a-zA-Z]{24,34}$/,
+        confidence: "high",
+        description: "Stripe live secret key",
+    },
+    // Stripe test secret key
+    {
+        provider: KeyProvider.StripeTest,
+        regex: /^sk_test_[0-9a-zA-Z]{24,34}$/,
+        confidence: "high",
+        description: "Stripe test secret key",
+    },
+    // Google API key
+    {
+        provider: KeyProvider.GoogleAPI,
+        regex: /^AIza[0-9A-Za-z\-_]{35}$/,
+        confidence: "high",
+        description: "Google API key",
+    },
+    // Slack Bot Token
+    {
+        provider: KeyProvider.SlackBot,
+        regex: /^xoxb-[0-9]+-[0-9]+-[a-zA-Z0-9]+$/,
+        confidence: "high",
+        description: "Slack Bot token",
+    },
+    // Slack User Token
+    {
+        provider: KeyProvider.SlackUser,
+        regex: /^xoxp-[0-9]+-[0-9]+-[0-9]+-[a-f0-9]+$/,
+        confidence: "high",
+        description: "Slack User token",
+    },
+    // SendGrid
+    {
+        provider: KeyProvider.SendGrid,
+        regex: /^SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}$/,
+        confidence: "high",
+        description: "SendGrid API key",
+    },
+    // Twilio
+    {
+        provider: KeyProvider.Twilio,
+        regex: /^SK[0-9a-fA-F]{32}$/,
+        confidence: "high",
+        description: "Twilio API key",
+    },
+    // Mailgun
+    {
+        provider: KeyProvider.Mailgun,
+        regex: /^key-[0-9a-f]{32}$/,
+        confidence: "high",
+        description: "Mailgun API key",
+    },
+    // Discord Bot Token
+    {
+        provider: KeyProvider.DiscordBot,
+        regex: /^[A-Za-z0-9_-]{24}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27,}$/,
+        confidence: "medium",
+        description: "Discord Bot token",
+    },
+    // Telegram Bot Token
+    {
+        provider: KeyProvider.TelegramBot,
+        regex: /^[0-9]{8,10}:[A-Za-z0-9_-]{35}$/,
+        confidence: "high",
+        description: "Telegram Bot token",
+    },
+    // GitLab Personal Access Token
+    {
+        provider: KeyProvider.GitLabPAT,
+        regex: /^glpat-[A-Za-z0-9_-]{20,}$/,
+        confidence: "high",
+        description: "GitLab Personal Access Token",
+    },
+    // GitLab Pipeline Trigger Token
+    {
+        provider: KeyProvider.GitLabPipeline,
+        regex: /^glptt-[A-Za-z0-9_-]{20,}$/,
+        confidence: "high",
+        description: "GitLab Pipeline Trigger Token",
+    },
+    // npm token
+    {
+        provider: KeyProvider.NpmToken,
+        regex: /^npm_[A-Za-z0-9]{36,}$/,
+        confidence: "high",
+        description: "npm access token",
+    },
+    // PyPI token
+    {
+        provider: KeyProvider.PyPIToken,
+        regex: /^pypi-AgEIcHlwaS5vcmc[A-Za-z0-9_-]{50,}$/,
+        confidence: "high",
+        description: "PyPI API token",
+    },
+    // Shopify Private App Token
+    {
+        provider: KeyProvider.ShopifyPrivate,
+        regex: /^shppa_[a-fA-F0-9]{32,}$/,
+        confidence: "high",
+        description: "Shopify Private App token",
+    },
+    // Shopify Access Token
+    {
+        provider: KeyProvider.ShopifyAccess,
+        regex: /^shpat_[a-fA-F0-9]{32,}$/,
+        confidence: "high",
+        description: "Shopify Access token",
+    },
+    // DigitalOcean Personal Access Token
+    {
+        provider: KeyProvider.DigitalOceanPAT,
+        regex: /^dop_v1_[a-f0-9]{64}$/,
+        confidence: "high",
+        description: "DigitalOcean Personal Access Token",
+    },
+    // DigitalOcean OAuth Token
+    {
+        provider: KeyProvider.DigitalOceanOAuth,
+        regex: /^doo_v1_[a-f0-9]{64}$/,
+        confidence: "high",
+        description: "DigitalOcean OAuth token",
+    },
+    // Supabase
+    {
+        provider: KeyProvider.Supabase,
+        regex: /^sbp_[a-f0-9]{40,}$/,
+        confidence: "high",
+        description: "Supabase service key",
+    },
+    // HashiCorp Vault
+    {
+        provider: KeyProvider.HashiCorpVault,
+        regex: /^hvs\.[A-Za-z0-9_-]{24,}$/,
+        confidence: "high",
+        description: "HashiCorp Vault token",
+    },
+    // Terraform Cloud
+    {
+        provider: KeyProvider.TerraformCloud,
+        regex: /^atlasv1-[A-Za-z0-9_-]{60,}$/,
+        confidence: "high",
+        description: "Terraform Cloud API token",
+    },
+    // PlanetScale
+    {
+        provider: KeyProvider.PlanetScale,
+        regex: /^pscale_tkn_[A-Za-z0-9_-]{30,}$/,
+        confidence: "high",
+        description: "PlanetScale database token",
+    },
+    // Postman
+    {
+        provider: KeyProvider.Postman,
+        regex: /^PMAK-[A-Za-z0-9]{24,}-[A-Za-z0-9]{34,}$/,
+        confidence: "high",
+        description: "Postman API key",
+    },
+    // Grafana Service Account
+    {
+        provider: KeyProvider.GrafanaService,
+        regex: /^glsa_[A-Za-z0-9_]{32,}_[a-f0-9]{8}$/,
+        confidence: "high",
+        description: "Grafana Service Account token",
+    },
+    // Linear
+    {
+        provider: KeyProvider.Linear,
+        regex: /^lin_api_[A-Za-z0-9]{40,}$/,
+        confidence: "high",
+        description: "Linear API key",
+    },
+    // Netlify
+    {
+        provider: KeyProvider.Netlify,
+        regex: /^nfp_[A-Za-z0-9]{40,}$/,
+        confidence: "high",
+        description: "Netlify personal access token",
+    },
+    // Doppler Service Token
+    {
+        provider: KeyProvider.DopplerServiceToken,
+        regex: /^dp\.st\.[A-Za-z0-9_-]{40,}$/,
+        confidence: "high",
+        description: "Doppler service token",
+    },
+    // Doppler Service Account
+    {
+        provider: KeyProvider.DopplerServiceAccount,
+        regex: /^dp\.sa\.[A-Za-z0-9_-]{40,}$/,
+        confidence: "high",
+        description: "Doppler service account token",
+    },
+    // Buildkite
+    {
+        provider: KeyProvider.Buildkite,
+        regex: /^bkua_[A-Za-z0-9]{40,}$/,
+        confidence: "high",
+        description: "Buildkite Agent token",
+    },
+    // Atlassian API Token
+    {
+        provider: KeyProvider.Atlassian,
+        regex: /^ATATT3xFfGF0[A-Za-z0-9_-]{50,}$/,
+        confidence: "high",
+        description: "Atlassian API token",
+    },
+    // Figma
+    {
+        provider: KeyProvider.Figma,
+        regex: /^figd_[A-Za-z0-9_-]{22,}$/,
+        confidence: "high",
+        description: "Figma personal access token",
+    },
+    // CircleCI
+    {
+        provider: KeyProvider.CircleCI,
+        regex: /^CIRCLE[A-Za-z0-9_-]{32,}$/,
+        confidence: "medium",
+        description: "CircleCI API token",
+    },
+    // Notion
+    {
+        provider: KeyProvider.Notion,
+        regex: /^secret_[A-Za-z0-9]{43}$/,
+        confidence: "medium",
+        description: "Notion integration token",
+    },
+];
+/**
+ * Identify the provider and confidence for a given key.
+ * Accepts SecureBuffer — regex matching is done via testPattern()
+ * to keep the temporary string scoped inside SecureBuffer.
+ */
+export function identifyKey(secret) {
+    // Use withString to trim once, then test trimmed value against patterns.
+    // The string is scoped to the callback and not returned.
+    return secret.withString((raw) => {
+        const trimmed = raw.trim();
+        for (const pattern of KEY_PATTERNS) {
+            if (pattern.regex.test(trimmed)) {
+                return {
+                    provider: pattern.provider,
+                    confidence: pattern.confidence,
+                    description: pattern.description,
+                };
+            }
+        }
+        return {
+            provider: KeyProvider.Unknown,
+            confidence: "low",
+            description: "Unknown key format",
+        };
+    });
+}
+//# sourceMappingURL=key-identifier.js.map

package/dist/core/key-identifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-identifier.js","sourceRoot":"","sources":["../../src/core/key-identifier.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAA0B,MAAM,mBAAmB,CAAC;AASxE,MAAM,YAAY,GAAiB;IACjC,sBAAsB;IACtB;QACE,QAAQ,EAAE,WAAW,CAAC,MAAM;QAC5B,KAAK,EAAE,iCAAiC;QACxC,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,wBAAwB;KACtC;IACD,8BAA8B;IAC9B;QACE,QAAQ,EAAE,WAAW,CAAC,aAAa;QACnC,KAAK,EAAE,oCAAoC;QAC3C,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,4BAA4B;KAC1C;IACD,qBAAqB;IACrB;QACE,QAAQ,EAAE,WAAW,CAAC,MAAM;QAC5B,KAAK,EAAE,yBAAyB;QAChC,UAAU,EAAE,QAAQ;QACpB,WAAW,EAAE,gCAAgC;KAC9C;IACD,YAAY;IACZ;QACE,QAAQ,EAAE,WAAW,CAAC,SAAS;QAC/B,KAAK,EAAE,sCAAsC;QAC7C,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,mBAAmB;KACjC;IACD,oBAAoB;IACpB;QACE,QAAQ,EAAE,WAAW,CAAC,GAAG;QACzB,KAAK,EAAE,oBAAoB;QAC3B,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,mBAAmB;KACjC;IACD,yCAAyC;IACzC;QACE,QAAQ,EAAE,WAAW,CAAC,SAAS;QAC/B,KAAK,EAAE,uBAAuB;QAC9B,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,wCAAwC;KACtD;IACD,0BAA0B;IAC1B;QACE,QAAQ,EAAE,WAAW,CAAC,iBAAiB;QACvC,KAAK,EAAE,8CAA8C;QACrD,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,2CAA2C;KACzD;IACD,yBAAyB;IACzB;QACE,QAAQ,EAAE,WAAW,CAAC,UAAU;QAChC,KAAK,EAAE,8BAA8B;QACrC,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,wBAAwB;KACtC;IACD,yBAAyB;IACzB;QACE,QAAQ,EAAE,WAAW,CAAC,UAAU;QAChC,KAAK,EAAE,8BAA8B;QACrC,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,wBAAwB;KACtC;IACD,iBAAiB;IACjB;QACE,QAAQ,EAAE,WAAW,CAAC,SAAS;QAC/B,KAAK,EAAE,0BAA0B;QACjC,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,gBAAgB;KAC9B;IACD,kBAAkB;IAClB;QACE,QAAQ,EAAE,WAAW,CAAC,QAAQ;QAC9B,KAAK,EAAE,mCAAmC;QAC1C,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,iBAAiB;KAC/B;IACD,mBAAmB;IACnB;QACE,QAAQ,EAAE,WAAW,CAAC,SAAS;QAC/B,KAAK,EAAE,uCAAuC;QAC9C,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,kBAAkB;KAChC;IACD,WAAW;IACX;QACE,QAAQ,EAAE,WAAW,CAAC,QAAQ;QAC9B,KAAK,EAAE,4CAA4C;QACnD,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,kBAAkB;KAChC;IACD,SAAS;IACT;QACE,QAAQ,EAAE,WAAW,CAAC,MAAM;QAC5B,KAAK,EAAE,qBAAqB;QAC5B,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,gBAAgB;KAC9B;IACD,UAAU;IACV;QACE,QAAQ,EAAE,WAAW,CAAC,OAAO;QAC7B,KAAK,EAAE,oBAAoB;QAC3B,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,iBAAiB;KAC/B;IACD,oBAAoB;IACpB;QACE,QAAQ,EAAE,WAAW,CAAC,UAAU;QAChC,KAAK,EAAE,2DAA2D;QAClE,UAAU,EAAE,QAAQ;QACpB,WAAW,EAAE,mBAAmB;KACjC;IACD,qBAAqB;IACrB;QACE,QAAQ,EAAE,WAAW,CAAC,WAAW;QACjC,KAAK,EAAE,iCAAiC;QACxC,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,oBAAoB;KAClC;IACD,+BAA+B;IAC/B;QACE,QAAQ,EAAE,WAAW,CAAC,SAAS;QAC/B,KAAK,EAAE,4BAA4B;QACnC,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,8BAA8B;KAC5C;IACD,gCAAgC;IAChC;QACE,QAAQ,EAAE,WAAW,CAAC,cAAc;QACpC,KAAK,EAAE,4BAA4B;QACnC,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,+BAA+B;KAC7C;IACD,YAAY;IACZ;QACE,QAAQ,EAAE,WAAW,CAAC,QAAQ;QAC9B,KAAK,EAAE,wBAAwB;QAC/B,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,kBAAkB;KAChC;IACD,aAAa;IACb;QACE,QAAQ,EAAE,WAAW,CAAC,SAAS;QAC/B,KAAK,EAAE,0CAA0C;QACjD,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,gBAAgB;KAC9B;IACD,4BAA4B;IAC5B;QACE,QAAQ,EAAE,WAAW,CAAC,cAAc;QACpC,KAAK,EAAE,0BAA0B;QACjC,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,2BAA2B;KACzC;IACD,uBAAuB;IACvB;QACE,QAAQ,EAAE,WAAW,CAAC,aAAa;QACnC,KAAK,EAAE,0BAA0B;QACjC,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,sBAAsB;KACpC;IACD,qCAAqC;IACrC;QACE,QAAQ,EAAE,WAAW,CAAC,eAAe;QACrC,KAAK,EAAE,uBAAuB;QAC9B,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,oCAAoC;KAClD;IACD,2BAA2B;IAC3B;QACE,QAAQ,EAAE,WAAW,CAAC,iBAAiB;QACvC,KAAK,EAAE,uBAAuB;QAC9B,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,0BAA0B;KACxC;IACD,WAAW;IACX;QACE,QAAQ,EAAE,WAAW,CAAC,QAAQ;QAC9B,KAAK,EAAE,qBAAqB;QAC5B,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,sBAAsB;KACpC;IACD,kBAAkB;IAClB;QACE,QAAQ,EAAE,WAAW,CAAC,cAAc;QACpC,KAAK,EAAE,2BAA2B;QAClC,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,uBAAuB;KACrC;IACD,kBAAkB;IAClB;QACE,QAAQ,EAAE,WAAW,CAAC,cAAc;QACpC,KAAK,EAAE,8BAA8B;QACrC,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,2BAA2B;KACzC;IACD,cAAc;IACd;QACE,QAAQ,EAAE,WAAW,CAAC,WAAW;QACjC,KAAK,EAAE,iCAAiC;QACxC,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,4BAA4B;KAC1C;IACD,UAAU;IACV;QACE,QAAQ,EAAE,WAAW,CAAC,OAAO;QAC7B,KAAK,EAAE,0CAA0C;QACjD,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,iBAAiB;KAC/B;IACD,0BAA0B;IAC1B;QACE,QAAQ,EAAE,WAAW,CAAC,cAAc;QACpC,KAAK,EAAE,sCAAsC;QAC7C,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,+BAA+B;KAC7C;IACD,SAAS;IACT;QACE,QAAQ,EAAE,WAAW,CAAC,MAAM;QAC5B,KAAK,EAAE,4BAA4B;QACnC,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,gBAAgB;KAC9B;IACD,UAAU;IACV;QACE,QAAQ,EAAE,WAAW,CAAC,OAAO;QAC7B,KAAK,EAAE,wBAAwB;QAC/B,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,+BAA+B;KAC7C;IACD,wBAAwB;IACxB;QACE,QAAQ,EAAE,WAAW,CAAC,mBAAmB;QACzC,KAAK,EAAE,8BAA8B;QACrC,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,uBAAuB;KACrC;IACD,0BAA0B;IAC1B;QACE,QAAQ,EAAE,WAAW,CAAC,qBAAqB;QAC3C,KAAK,EAAE,8BAA8B;QACrC,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,+BAA+B;KAC7C;IACD,YAAY;IACZ;QACE,QAAQ,EAAE,WAAW,CAAC,SAAS;QAC/B,KAAK,EAAE,yBAAyB;QAChC,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,uBAAuB;KACrC;IACD,sBAAsB;IACtB;QACE,QAAQ,EAAE,WAAW,CAAC,SAAS;QAC/B,KAAK,EAAE,kCAAkC;QACzC,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,qBAAqB;KACnC;IACD,QAAQ;IACR;QACE,QAAQ,EAAE,WAAW,CAAC,KAAK;QAC3B,KAAK,EAAE,2BAA2B;QAClC,UAAU,EAAE,MAAM;QAClB,WAAW,EAAE,6BAA6B;KAC3C;IACD,WAAW;IACX;QACE,QAAQ,EAAE,WAAW,CAAC,QAAQ;QAC9B,KAAK,EAAE,4BAA4B;QACnC,UAAU,EAAE,QAAQ;QACpB,WAAW,EAAE,oBAAoB;KAClC;IACD,SAAS;IACT;QACE,QAAQ,EAAE,WAAW,CAAC,MAAM;QAC5B,KAAK,EAAE,0BAA0B;QACjC,UAAU,EAAE,QAAQ;QACpB,WAAW,EAAE,0BAA0B;KACxC;CACF,CAAC;AAEF;;;;GAIG;AACH,MAAM,UAAU,WAAW,CAAC,MAAoB;IAC9C,yEAAyE;IACzE,yDAAyD;IACzD,OAAO,MAAM,CAAC,UAAU,CAAC,CAAC,GAAG,EAAE,EAAE;QAC/B,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;QAC3B,KAAK,MAAM,OAAO,IAAI,YAAY,EAAE,CAAC;YACnC,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBAChC,OAAO;oBACL,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,UAAU,EAAE,OAAO,CAAC,UAAU;oBAC9B,WAAW,EAAE,OAAO,CAAC,WAAW;iBACjC,CAAC;YACJ,CAAC;QACH,CAAC;QACD,OAAO;YACL,QAAQ,EAAE,WAAW,CAAC,OAAO;YAC7B,UAAU,EAAE,KAAc;YAC1B,WAAW,EAAE,oBAAoB;SAClC,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/core/sanitize.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Sanitize a string for safe terminal output.
+ * Strips ANSI escape sequences and non-printable control characters
+ * to prevent terminal escape injection attacks.
+ */
+export declare function sanitizeForTerminal(s: string): string;
+//# sourceMappingURL=sanitize.d.ts.map

package/dist/core/sanitize.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sanitize.d.ts","sourceRoot":"","sources":["../../src/core/sanitize.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,CAQrD"}

package/dist/core/sanitize.js

@@ -0,0 +1,15 @@
+/**
+ * Sanitize a string for safe terminal output.
+ * Strips ANSI escape sequences and non-printable control characters
+ * to prevent terminal escape injection attacks.
+ */
+export function sanitizeForTerminal(s) {
+    return s
+        // Remove ANSI escape sequences (CSI, OSC, etc.)
+        .replace(/\x1b\[[0-9;]*[A-Za-z]/g, "")
+        .replace(/\x1b\][^\x07]*\x07/g, "")
+        .replace(/\x1b[^[\]]/g, "")
+        // Remove non-printable control characters (keep newline \n and tab \t)
+        .replace(/[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\x9f]/g, "");
+}
+//# sourceMappingURL=sanitize.js.map

package/dist/core/sanitize.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sanitize.js","sourceRoot":"","sources":["../../src/core/sanitize.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,MAAM,UAAU,mBAAmB,CAAC,CAAS;IAC3C,OAAO,CAAC;QACN,gDAAgD;SAC/C,OAAO,CAAC,wBAAwB,EAAE,EAAE,CAAC;SACrC,OAAO,CAAC,qBAAqB,EAAE,EAAE,CAAC;SAClC,OAAO,CAAC,aAAa,EAAE,EAAE,CAAC;QAC3B,uEAAuE;SACtE,OAAO,CAAC,wCAAwC,EAAE,EAAE,CAAC,CAAC;AAC3D,CAAC"}

package/dist/core/secure-buffer.d.ts

@@ -0,0 +1,61 @@
+/**
+ * Buffer wrapper that auto-zeroes memory on disposal.
+ * Secrets should always be held in SecureBuffer, never plain strings.
+ *
+ * SECURITY NOTE: Prefer fromBuffer() over fromString(). JavaScript strings
+ * are immutable and cannot be zeroed from memory — they persist on the V8
+ * heap until garbage collected. fromString() is provided for convenience
+ * but the caller's original string will remain in memory.
+ */
+export declare class SecureBuffer {
+    #private;
+    private constructor();
+    static fromBuffer(buf: Buffer): SecureBuffer;
+    /**
+     * @deprecated Prefer fromBuffer() — JS strings are immutable and cannot
+     * be zeroed from memory. The original `str` will persist until GC.
+     */
+    static fromString(str: string): SecureBuffer;
+    get length(): number;
+    get isDisposed(): boolean;
+    /**
+     * Returns the raw buffer. The caller MUST NOT store the reference
+     * beyond immediate use, and MUST NOT mutate it.
+     */
+    unsafeGetBuffer(): Buffer;
+    /**
+     * Returns the content as a UTF-8 string.
+     *
+     * SECURITY WARNING: The returned string is immutable and cannot be
+     * zeroed from memory. Minimize use and scope of the return value.
+     */
+    unsafeGetString(): string;
+    /** Returns full SHA-1 as an uppercase hex string. */
+    sha1Hex(): string;
+    /**
+     * Returns SHA-1 as a raw Buffer (20 bytes). Caller is responsible
+     * for zeroing this buffer when done.
+     */
+    sha1Buffer(): Buffer;
+    sha256Hex(): string;
+    /**
+     * Test whether the buffer content matches a regex pattern.
+     * Internally creates a temporary string, but the scope is minimized
+     * to this method call. This avoids exposing the string to callers.
+     */
+    testPattern(pattern: RegExp): boolean;
+    /**
+     * Apply a function to the buffer's string representation.
+     * The temporary string is scoped to the callback, minimizing exposure.
+     * Returns the callback's result without exposing the string to callers.
+     */
+    withString<T>(fn: (s: string) => T): T;
+    /** Zero out the buffer memory. */
+    dispose(): void;
+    /** Support `using` keyword (TC39 Explicit Resource Management). */
+    [Symbol.dispose](): void;
+    /** Never accidentally leak the secret. */
+    toString(): string;
+    toJSON(): string;
+}
+//# sourceMappingURL=secure-buffer.d.ts.map

package/dist/core/secure-buffer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secure-buffer.d.ts","sourceRoot":"","sources":["../../src/core/secure-buffer.ts"],"names":[],"mappings":"AAEA;;;;;;;;GAQG;AACH,qBAAa,YAAY;;IAIvB,OAAO;IAIP,MAAM,CAAC,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,YAAY;IAO5C;;;OAGG;IACH,MAAM,CAAC,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,YAAY;IAK5C,IAAI,MAAM,IAAI,MAAM,CAGnB;IAED,IAAI,UAAU,IAAI,OAAO,CAExB;IAED;;;OAGG;IACH,eAAe,IAAI,MAAM;IAKzB;;;;;OAKG;IACH,eAAe,IAAI,MAAM;IAKzB,qDAAqD;IACrD,OAAO,IAAI,MAAM;IAKjB;;;OAGG;IACH,UAAU,IAAI,MAAM;IAKpB,SAAS,IAAI,MAAM;IAQnB;;;;OAIG;IACH,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO;IAKrC;;;;OAIG;IACH,UAAU,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,MAAM,KAAK,CAAC,GAAG,CAAC;IAKtC,kCAAkC;IAClC,OAAO,IAAI,IAAI;IAOf,mEAAmE;IACnE,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,IAAI;IAIxB,0CAA0C;IAC1C,QAAQ,IAAI,MAAM;IAIlB,MAAM,IAAI,MAAM;CAcjB"}

package/dist/core/secure-buffer.js

@@ -0,0 +1,122 @@
+import { createHash } from "node:crypto";
+/**
+ * Buffer wrapper that auto-zeroes memory on disposal.
+ * Secrets should always be held in SecureBuffer, never plain strings.
+ *
+ * SECURITY NOTE: Prefer fromBuffer() over fromString(). JavaScript strings
+ * are immutable and cannot be zeroed from memory — they persist on the V8
+ * heap until garbage collected. fromString() is provided for convenience
+ * but the caller's original string will remain in memory.
+ */
+export class SecureBuffer {
+    #buffer;
+    #disposed = false;
+    constructor(buffer) {
+        this.#buffer = buffer;
+    }
+    static fromBuffer(buf) {
+        // Copy so caller can't mutate our internal buffer
+        const copy = Buffer.alloc(buf.length);
+        buf.copy(copy);
+        return new SecureBuffer(copy);
+    }
+    /**
+     * @deprecated Prefer fromBuffer() — JS strings are immutable and cannot
+     * be zeroed from memory. The original `str` will persist until GC.
+     */
+    static fromString(str) {
+        const buf = Buffer.from(str, "utf-8");
+        return new SecureBuffer(buf);
+    }
+    get length() {
+        this.#ensureNotDisposed();
+        return this.#buffer.length;
+    }
+    get isDisposed() {
+        return this.#disposed;
+    }
+    /**
+     * Returns the raw buffer. The caller MUST NOT store the reference
+     * beyond immediate use, and MUST NOT mutate it.
+     */
+    unsafeGetBuffer() {
+        this.#ensureNotDisposed();
+        return this.#buffer;
+    }
+    /**
+     * Returns the content as a UTF-8 string.
+     *
+     * SECURITY WARNING: The returned string is immutable and cannot be
+     * zeroed from memory. Minimize use and scope of the return value.
+     */
+    unsafeGetString() {
+        this.#ensureNotDisposed();
+        return this.#buffer.toString("utf-8");
+    }
+    /** Returns full SHA-1 as an uppercase hex string. */
+    sha1Hex() {
+        this.#ensureNotDisposed();
+        return createHash("sha1").update(this.#buffer).digest("hex").toUpperCase();
+    }
+    /**
+     * Returns SHA-1 as a raw Buffer (20 bytes). Caller is responsible
+     * for zeroing this buffer when done.
+     */
+    sha1Buffer() {
+        this.#ensureNotDisposed();
+        return createHash("sha1").update(this.#buffer).digest();
+    }
+    sha256Hex() {
+        this.#ensureNotDisposed();
+        return createHash("sha256")
+            .update(this.#buffer)
+            .digest("hex")
+            .toLowerCase();
+    }
+    /**
+     * Test whether the buffer content matches a regex pattern.
+     * Internally creates a temporary string, but the scope is minimized
+     * to this method call. This avoids exposing the string to callers.
+     */
+    testPattern(pattern) {
+        this.#ensureNotDisposed();
+        return pattern.test(this.#buffer.toString("utf-8"));
+    }
+    /**
+     * Apply a function to the buffer's string representation.
+     * The temporary string is scoped to the callback, minimizing exposure.
+     * Returns the callback's result without exposing the string to callers.
+     */
+    withString(fn) {
+        this.#ensureNotDisposed();
+        return fn(this.#buffer.toString("utf-8"));
+    }
+    /** Zero out the buffer memory. */
+    dispose() {
+        if (!this.#disposed) {
+            this.#buffer.fill(0);
+            this.#disposed = true;
+        }
+    }
+    /** Support `using` keyword (TC39 Explicit Resource Management). */
+    [Symbol.dispose]() {
+        this.dispose();
+    }
+    /** Never accidentally leak the secret. */
+    toString() {
+        return "[SecureBuffer: REDACTED]";
+    }
+    toJSON() {
+        return "[SecureBuffer: REDACTED]";
+    }
+    /** Node.js inspect — also redacted. */
+    [Symbol.for("nodejs.util.inspect.custom")]() {
+        return "[SecureBuffer: REDACTED]";
+    }
+    #ensureNotDisposed() {
+        if (this.#disposed) {
+            throw new Error("SecureBuffer has been disposed");
+        }
+    }
+}
+//# sourceMappingURL=secure-buffer.js.map

package/dist/core/secure-buffer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secure-buffer.js","sourceRoot":"","sources":["../../src/core/secure-buffer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC;;;;;;;;GAQG;AACH,MAAM,OAAO,YAAY;IACvB,OAAO,CAAS;IAChB,SAAS,GAAG,KAAK,CAAC;IAElB,YAAoB,MAAc;QAChC,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;IACxB,CAAC;IAED,MAAM,CAAC,UAAU,CAAC,GAAW;QAC3B,kDAAkD;QAClD,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACtC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACf,OAAO,IAAI,YAAY,CAAC,IAAI,CAAC,CAAC;IAChC,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,UAAU,CAAC,GAAW;QAC3B,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QACtC,OAAO,IAAI,YAAY,CAAC,GAAG,CAAC,CAAC;IAC/B,CAAC;IAED,IAAI,MAAM;QACR,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAC1B,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC;IAC7B,CAAC;IAED,IAAI,UAAU;QACZ,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAED;;;OAGG;IACH,eAAe;QACb,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAC1B,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED;;;;;OAKG;IACH,eAAe;QACb,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAC1B,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IACxC,CAAC;IAED,qDAAqD;IACrD,OAAO;QACL,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAC1B,OAAO,UAAU,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;IAC7E,CAAC;IAED;;;OAGG;IACH,UAAU;QACR,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAC1B,OAAO,UAAU,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC;IAC1D,CAAC;IAED,SAAS;QACP,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAC1B,OAAO,UAAU,CAAC,QAAQ,CAAC;aACxB,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC;aACpB,MAAM,CAAC,KAAK,CAAC;aACb,WAAW,EAAE,CAAC;IACnB,CAAC;IAED;;;;OAIG;IACH,WAAW,CAAC,OAAe;QACzB,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAC1B,OAAO,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;IACtD,CAAC;IAED;;;;OAIG;IACH,UAAU,CAAI,EAAoB;QAChC,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAC1B,OAAO,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;IAC5C,CAAC;IAED,kCAAkC;IAClC,OAAO;QACL,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YACpB,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACrB,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC;QACxB,CAAC;IACH,CAAC;IAED,mEAAmE;IACnE,CAAC,MAAM,CAAC,OAAO,CAAC;QACd,IAAI,CAAC,OAAO,EAAE,CAAC;IACjB,CAAC;IAED,0CAA0C;IAC1C,QAAQ;QACN,OAAO,0BAA0B,CAAC;IACpC,CAAC;IAED,MAAM;QACJ,OAAO,0BAA0B,CAAC;IACpC,CAAC;IAED,uCAAuC;IACvC,CAAC,MAAM,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAC;QACxC,OAAO,0BAA0B,CAAC;IACpC,CAAC;IAED,kBAAkB;QAChB,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACpD,CAAC;IACH,CAAC;CACF"}

package/dist/index.d.ts

@@ -0,0 +1,4 @@
+import { CheckRegistry } from "./checks/registry.js";
+declare const registry: CheckRegistry;
+export { registry };
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAqCrD,QAAA,MAAM,QAAQ,eAAsB,CAAC;AA8frC,OAAO,EAAE,QAAQ,EAAE,CAAC"}