compromising-position 1.0.0

package/dist/types/index.js

@@ -0,0 +1,45 @@
+export var KeyProvider;
+(function (KeyProvider) {
+    KeyProvider["OpenAI"] = "OpenAI";
+    KeyProvider["OpenAIService"] = "OpenAI Service Account";
+    KeyProvider["Anthropic"] = "Anthropic";
+    KeyProvider["AWS"] = "AWS";
+    KeyProvider["GitHubPAT"] = "GitHub PAT";
+    KeyProvider["GitHubFineGrained"] = "GitHub Fine-Grained";
+    KeyProvider["StripeLive"] = "Stripe Live";
+    KeyProvider["StripeTest"] = "Stripe Test";
+    KeyProvider["GoogleAPI"] = "Google API";
+    KeyProvider["SlackBot"] = "Slack Bot";
+    KeyProvider["SlackUser"] = "Slack User";
+    KeyProvider["SendGrid"] = "SendGrid";
+    KeyProvider["Twilio"] = "Twilio";
+    KeyProvider["Mailgun"] = "Mailgun";
+    KeyProvider["DiscordBot"] = "Discord Bot";
+    KeyProvider["TelegramBot"] = "Telegram Bot";
+    // Phase 1 additions
+    KeyProvider["GitLabPAT"] = "GitLab PAT";
+    KeyProvider["GitLabPipeline"] = "GitLab Pipeline";
+    KeyProvider["NpmToken"] = "npm Token";
+    KeyProvider["PyPIToken"] = "PyPI Token";
+    KeyProvider["ShopifyPrivate"] = "Shopify Private";
+    KeyProvider["ShopifyAccess"] = "Shopify Access";
+    KeyProvider["DigitalOceanPAT"] = "DigitalOcean PAT";
+    KeyProvider["DigitalOceanOAuth"] = "DigitalOcean OAuth";
+    KeyProvider["Supabase"] = "Supabase";
+    KeyProvider["HashiCorpVault"] = "HashiCorp Vault";
+    KeyProvider["TerraformCloud"] = "Terraform Cloud";
+    KeyProvider["PlanetScale"] = "PlanetScale";
+    KeyProvider["Postman"] = "Postman";
+    KeyProvider["GrafanaService"] = "Grafana Service";
+    KeyProvider["Linear"] = "Linear";
+    KeyProvider["Netlify"] = "Netlify";
+    KeyProvider["DopplerServiceToken"] = "Doppler Service Token";
+    KeyProvider["DopplerServiceAccount"] = "Doppler Service Account";
+    KeyProvider["Buildkite"] = "Buildkite";
+    KeyProvider["Atlassian"] = "Atlassian";
+    KeyProvider["Figma"] = "Figma";
+    KeyProvider["CircleCI"] = "CircleCI";
+    KeyProvider["Notion"] = "Notion";
+    KeyProvider["Unknown"] = "Unknown";
+})(KeyProvider || (KeyProvider = {}));
+//# sourceMappingURL=index.js.map

package/dist/types/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":"AAAA,MAAM,CAAN,IAAY,WA0CX;AA1CD,WAAY,WAAW;IACrB,gCAAiB,CAAA;IACjB,uDAAwC,CAAA;IACxC,sCAAuB,CAAA;IACvB,0BAAW,CAAA;IACX,uCAAwB,CAAA;IACxB,wDAAyC,CAAA;IACzC,yCAA0B,CAAA;IAC1B,yCAA0B,CAAA;IAC1B,uCAAwB,CAAA;IACxB,qCAAsB,CAAA;IACtB,uCAAwB,CAAA;IACxB,oCAAqB,CAAA;IACrB,gCAAiB,CAAA;IACjB,kCAAmB,CAAA;IACnB,yCAA0B,CAAA;IAC1B,2CAA4B,CAAA;IAC5B,oBAAoB;IACpB,uCAAwB,CAAA;IACxB,iDAAkC,CAAA;IAClC,qCAAsB,CAAA;IACtB,uCAAwB,CAAA;IACxB,iDAAkC,CAAA;IAClC,+CAAgC,CAAA;IAChC,mDAAoC,CAAA;IACpC,uDAAwC,CAAA;IACxC,oCAAqB,CAAA;IACrB,iDAAkC,CAAA;IAClC,iDAAkC,CAAA;IAClC,0CAA2B,CAAA;IAC3B,kCAAmB,CAAA;IACnB,iDAAkC,CAAA;IAClC,gCAAiB,CAAA;IACjB,kCAAmB,CAAA;IACnB,4DAA6C,CAAA;IAC7C,gEAAiD,CAAA;IACjD,sCAAuB,CAAA;IACvB,sCAAuB,CAAA;IACvB,8BAAe,CAAA;IACf,oCAAqB,CAAA;IACrB,gCAAiB,CAAA;IACjB,kCAAmB,CAAA;AACrB,CAAC,EA1CW,WAAW,KAAX,WAAW,QA0CtB"}

package/dist/verification/anthropic-verifier.d.ts

@@ -0,0 +1,3 @@
+import type { KeyVerifier } from "./verifier.js";
+export declare const anthropicVerifier: KeyVerifier;
+//# sourceMappingURL=anthropic-verifier.d.ts.map

package/dist/verification/anthropic-verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"anthropic-verifier.d.ts","sourceRoot":"","sources":["../../src/verification/anthropic-verifier.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAEjD,eAAO,MAAM,iBAAiB,EAAE,WAuD/B,CAAC"}

package/dist/verification/anthropic-verifier.js

@@ -0,0 +1,56 @@
+import { sanitizeForTerminal } from "../core/sanitize.js";
+import { KeyProvider } from "../types/index.js";
+export const anthropicVerifier = {
+    provider: KeyProvider.Anthropic,
+    endpoint: "https://api.anthropic.com/v1/models",
+    description: "Lists available models (read-only)",
+    async verify(secret) {
+        const key = secret.unsafeGetString();
+        try {
+            const response = await fetch("https://api.anthropic.com/v1/models", {
+                method: "GET",
+                headers: {
+                    "x-api-key": key,
+                    "anthropic-version": "2023-06-01",
+                    "User-Agent": "compromising-position/1.0.0",
+                },
+            });
+            if (response.status === 200) {
+                return {
+                    provider: KeyProvider.Anthropic,
+                    active: true,
+                    details: "Key is active — authenticated to Anthropic API",
+                    error: null,
+                    endpoint: "https://api.anthropic.com/v1/models",
+                };
+            }
+            if (response.status === 401) {
+                return {
+                    provider: KeyProvider.Anthropic,
+                    active: false,
+                    details: "Key is invalid or revoked",
+                    error: null,
+                    endpoint: "https://api.anthropic.com/v1/models",
+                };
+            }
+            return {
+                provider: KeyProvider.Anthropic,
+                active: false,
+                details: `Unexpected status: ${response.status}`,
+                error: `Anthropic API returned ${response.status}: ${sanitizeForTerminal(response.statusText)}`,
+                endpoint: "https://api.anthropic.com/v1/models",
+            };
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            return {
+                provider: KeyProvider.Anthropic,
+                active: false,
+                details: "Verification failed",
+                error: `Network error: ${sanitizeForTerminal(message)}`,
+                endpoint: "https://api.anthropic.com/v1/models",
+            };
+        }
+    },
+};
+//# sourceMappingURL=anthropic-verifier.js.map

package/dist/verification/anthropic-verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"anthropic-verifier.js","sourceRoot":"","sources":["../../src/verification/anthropic-verifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAE1D,OAAO,EAAE,WAAW,EAA2B,MAAM,mBAAmB,CAAC;AAGzE,MAAM,CAAC,MAAM,iBAAiB,GAAgB;IAC5C,QAAQ,EAAE,WAAW,CAAC,SAAS;IAC/B,QAAQ,EAAE,qCAAqC;IAC/C,WAAW,EAAE,oCAAoC;IAEjD,KAAK,CAAC,MAAM,CAAC,MAAoB;QAC/B,MAAM,GAAG,GAAG,MAAM,CAAC,eAAe,EAAE,CAAC;QACrC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,qCAAqC,EAAE;gBAClE,MAAM,EAAE,KAAK;gBACb,OAAO,EAAE;oBACP,WAAW,EAAE,GAAG;oBAChB,mBAAmB,EAAE,YAAY;oBACjC,YAAY,EAAE,6BAA6B;iBAC5C;aACF,CAAC,CAAC;YAEH,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,OAAO;oBACL,QAAQ,EAAE,WAAW,CAAC,SAAS;oBAC/B,MAAM,EAAE,IAAI;oBACZ,OAAO,EAAE,gDAAgD;oBACzD,KAAK,EAAE,IAAI;oBACX,QAAQ,EAAE,qCAAqC;iBAChD,CAAC;YACJ,CAAC;YAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBAC5B,OAAO;oBACL,QAAQ,EAAE,WAAW,CAAC,SAAS;oBAC/B,MAAM,EAAE,KAAK;oBACb,OAAO,EAAE,2BAA2B;oBACpC,KAAK,EAAE,IAAI;oBACX,QAAQ,EAAE,qCAAqC;iBAChD,CAAC;YACJ,CAAC;YAED,OAAO;gBACL,QAAQ,EAAE,WAAW,CAAC,SAAS;gBAC/B,MAAM,EAAE,KAAK;gBACb,OAAO,EAAE,sBAAsB,QAAQ,CAAC,MAAM,EAAE;gBAChD,KAAK,EAAE,0BAA0B,QAAQ,CAAC,MAAM,KAAK,mBAAmB,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE;gBAC/F,QAAQ,EAAE,qCAAqC;aAChD,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,OAAO;gBACL,QAAQ,EAAE,WAAW,CAAC,SAAS;gBAC/B,MAAM,EAAE,KAAK;gBACb,OAAO,EAAE,qBAAqB;gBAC9B,KAAK,EAAE,kBAAkB,mBAAmB,CAAC,OAAO,CAAC,EAAE;gBACvD,QAAQ,EAAE,qCAAqC;aAChD,CAAC;QACJ,CAAC;IACH,CAAC;CACF,CAAC"}

package/dist/verification/aws-verifier.d.ts

@@ -0,0 +1,14 @@
+import type { KeyVerifier } from "./verifier.js";
+/**
+ * AWS verifier for Access Key IDs.
+ *
+ * Note: AWS Access Key verification requires both the Access Key ID
+ * and the Secret Access Key. Since we only have the Access Key ID,
+ * we can only check the format. Full verification would require the
+ * secret key as well, which the user would need to provide separately.
+ *
+ * For now, this verifier reports that the key *looks like* a valid
+ * AWS Access Key ID but cannot verify it without the secret key.
+ */
+export declare const awsVerifier: KeyVerifier;
+//# sourceMappingURL=aws-verifier.d.ts.map

package/dist/verification/aws-verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"aws-verifier.d.ts","sourceRoot":"","sources":["../../src/verification/aws-verifier.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAEjD;;;;;;;;;;GAUG;AACH,eAAO,MAAM,WAAW,EAAE,WAkBzB,CAAC"}

package/dist/verification/aws-verifier.js

@@ -0,0 +1,30 @@
+import { KeyProvider } from "../types/index.js";
+/**
+ * AWS verifier for Access Key IDs.
+ *
+ * Note: AWS Access Key verification requires both the Access Key ID
+ * and the Secret Access Key. Since we only have the Access Key ID,
+ * we can only check the format. Full verification would require the
+ * secret key as well, which the user would need to provide separately.
+ *
+ * For now, this verifier reports that the key *looks like* a valid
+ * AWS Access Key ID but cannot verify it without the secret key.
+ */
+export const awsVerifier = {
+    provider: KeyProvider.AWS,
+    endpoint: "https://sts.amazonaws.com (GetCallerIdentity)",
+    description: "Calls STS GetCallerIdentity to check if key pair is active (read-only). Requires both Access Key ID and Secret Access Key.",
+    async verify(secret) {
+        // AWS Access Key IDs alone cannot be verified — need the secret key too.
+        // We report this limitation clearly.
+        return {
+            provider: KeyProvider.AWS,
+            active: false,
+            details: "AWS Access Key ID detected but verification requires the corresponding Secret Access Key. " +
+                "Check AWS IAM console to verify key status.",
+            error: null,
+            endpoint: "https://sts.amazonaws.com",
+        };
+    },
+};
+//# sourceMappingURL=aws-verifier.js.map

package/dist/verification/aws-verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"aws-verifier.js","sourceRoot":"","sources":["../../src/verification/aws-verifier.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAA2B,MAAM,mBAAmB,CAAC;AAGzE;;;;;;;;;;GAUG;AACH,MAAM,CAAC,MAAM,WAAW,GAAgB;IACtC,QAAQ,EAAE,WAAW,CAAC,GAAG;IACzB,QAAQ,EAAE,+CAA+C;IACzD,WAAW,EAAE,4HAA4H;IAEzI,KAAK,CAAC,MAAM,CAAC,MAAoB;QAC/B,yEAAyE;QACzE,qCAAqC;QACrC,OAAO;YACL,QAAQ,EAAE,WAAW,CAAC,GAAG;YACzB,MAAM,EAAE,KAAK;YACb,OAAO,EACL,4FAA4F;gBAC5F,6CAA6C;YAC/C,KAAK,EAAE,IAAI;YACX,QAAQ,EAAE,2BAA2B;SACtC,CAAC;IACJ,CAAC;CACF,CAAC"}

package/dist/verification/github-verifier.d.ts

@@ -0,0 +1,4 @@
+import type { KeyVerifier } from "./verifier.js";
+export declare const githubPatVerifier: KeyVerifier;
+export declare const githubFineGrainedVerifier: KeyVerifier;
+//# sourceMappingURL=github-verifier.d.ts.map

package/dist/verification/github-verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"github-verifier.d.ts","sourceRoot":"","sources":["../../src/verification/github-verifier.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AA+DjD,eAAO,MAAM,iBAAiB,aAA4C,CAAC;AAC3E,eAAO,MAAM,yBAAyB,aAAoD,CAAC"}

package/dist/verification/github-verifier.js

@@ -0,0 +1,62 @@
+import { sanitizeForTerminal } from "../core/sanitize.js";
+import { KeyProvider } from "../types/index.js";
+/** Handles both classic PATs (ghp_) and fine-grained tokens (github_pat_). */
+function makeGitHubVerifier(provider) {
+    return {
+        provider,
+        endpoint: "https://api.github.com/user",
+        description: "Gets authenticated user info and scopes (read-only)",
+        async verify(secret) {
+            const key = secret.unsafeGetString();
+            try {
+                const response = await fetch("https://api.github.com/user", {
+                    method: "GET",
+                    headers: {
+                        Authorization: `Bearer ${key}`,
+                        "User-Agent": "compromising-position/1.0.0",
+                        Accept: "application/vnd.github+json",
+                    },
+                });
+                if (response.status === 200) {
+                    const scopes = response.headers.get("x-oauth-scopes") ?? "none";
+                    return {
+                        provider,
+                        active: true,
+                        details: `Key is active — scopes: ${sanitizeForTerminal(scopes)}`,
+                        error: null,
+                        endpoint: "https://api.github.com/user",
+                    };
+                }
+                if (response.status === 401) {
+                    return {
+                        provider,
+                        active: false,
+                        details: "Key is invalid or revoked",
+                        error: null,
+                        endpoint: "https://api.github.com/user",
+                    };
+                }
+                return {
+                    provider,
+                    active: false,
+                    details: `Unexpected status: ${response.status}`,
+                    error: `GitHub API returned ${response.status}: ${sanitizeForTerminal(response.statusText)}`,
+                    endpoint: "https://api.github.com/user",
+                };
+            }
+            catch (err) {
+                const message = err instanceof Error ? err.message : String(err);
+                return {
+                    provider,
+                    active: false,
+                    details: "Verification failed",
+                    error: `Network error: ${sanitizeForTerminal(message)}`,
+                    endpoint: "https://api.github.com/user",
+                };
+            }
+        },
+    };
+}
+export const githubPatVerifier = makeGitHubVerifier(KeyProvider.GitHubPAT);
+export const githubFineGrainedVerifier = makeGitHubVerifier(KeyProvider.GitHubFineGrained);
+//# sourceMappingURL=github-verifier.js.map

package/dist/verification/github-verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"github-verifier.js","sourceRoot":"","sources":["../../src/verification/github-verifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAE1D,OAAO,EAAE,WAAW,EAA2B,MAAM,mBAAmB,CAAC;AAGzE,8EAA8E;AAC9E,SAAS,kBAAkB,CAAC,QAAqB;IAC/C,OAAO;QACL,QAAQ;QACR,QAAQ,EAAE,6BAA6B;QACvC,WAAW,EAAE,qDAAqD;QAElE,KAAK,CAAC,MAAM,CAAC,MAAoB;YAC/B,MAAM,GAAG,GAAG,MAAM,CAAC,eAAe,EAAE,CAAC;YACrC,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,6BAA6B,EAAE;oBAC1D,MAAM,EAAE,KAAK;oBACb,OAAO,EAAE;wBACP,aAAa,EAAE,UAAU,GAAG,EAAE;wBAC9B,YAAY,EAAE,6BAA6B;wBAC3C,MAAM,EAAE,6BAA6B;qBACtC;iBACF,CAAC,CAAC;gBAEH,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;oBAC5B,MAAM,MAAM,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,IAAI,MAAM,CAAC;oBAChE,OAAO;wBACL,QAAQ;wBACR,MAAM,EAAE,IAAI;wBACZ,OAAO,EAAE,2BAA2B,mBAAmB,CAAC,MAAM,CAAC,EAAE;wBACjE,KAAK,EAAE,IAAI;wBACX,QAAQ,EAAE,6BAA6B;qBACxC,CAAC;gBACJ,CAAC;gBAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;oBAC5B,OAAO;wBACL,QAAQ;wBACR,MAAM,EAAE,KAAK;wBACb,OAAO,EAAE,2BAA2B;wBACpC,KAAK,EAAE,IAAI;wBACX,QAAQ,EAAE,6BAA6B;qBACxC,CAAC;gBACJ,CAAC;gBAED,OAAO;oBACL,QAAQ;oBACR,MAAM,EAAE,KAAK;oBACb,OAAO,EAAE,sBAAsB,QAAQ,CAAC,MAAM,EAAE;oBAChD,KAAK,EAAE,uBAAuB,QAAQ,CAAC,MAAM,KAAK,mBAAmB,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE;oBAC5F,QAAQ,EAAE,6BAA6B;iBACxC,CAAC;YACJ,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBACjE,OAAO;oBACL,QAAQ;oBACR,MAAM,EAAE,KAAK;oBACb,OAAO,EAAE,qBAAqB;oBAC9B,KAAK,EAAE,kBAAkB,mBAAmB,CAAC,OAAO,CAAC,EAAE;oBACvD,QAAQ,EAAE,6BAA6B;iBACxC,CAAC;YACJ,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,MAAM,iBAAiB,GAAG,kBAAkB,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;AAC3E,MAAM,CAAC,MAAM,yBAAyB,GAAG,kBAAkB,CAAC,WAAW,CAAC,iBAAiB,CAAC,CAAC"}

package/dist/verification/openai-verifier.d.ts

@@ -0,0 +1,4 @@
+import type { KeyVerifier } from "./verifier.js";
+export declare const openaiVerifier: KeyVerifier;
+export declare const openaiServiceVerifier: KeyVerifier;
+//# sourceMappingURL=openai-verifier.d.ts.map

package/dist/verification/openai-verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"openai-verifier.d.ts","sourceRoot":"","sources":["../../src/verification/openai-verifier.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AA4DjD,eAAO,MAAM,cAAc,aAAyC,CAAC;AACrE,eAAO,MAAM,qBAAqB,aAAgD,CAAC"}

package/dist/verification/openai-verifier.js

@@ -0,0 +1,59 @@
+import { sanitizeForTerminal } from "../core/sanitize.js";
+import { KeyProvider } from "../types/index.js";
+function makeOpenAIVerifier(provider) {
+    return {
+        provider,
+        endpoint: "https://api.openai.com/v1/models",
+        description: "Lists available models (read-only)",
+        async verify(secret) {
+            const key = secret.unsafeGetString();
+            try {
+                const response = await fetch("https://api.openai.com/v1/models", {
+                    method: "GET",
+                    headers: {
+                        Authorization: `Bearer ${key}`,
+                        "User-Agent": "compromising-position/1.0.0",
+                    },
+                });
+                if (response.status === 200) {
+                    return {
+                        provider,
+                        active: true,
+                        details: "Key is active — authenticated to OpenAI API",
+                        error: null,
+                        endpoint: "https://api.openai.com/v1/models",
+                    };
+                }
+                if (response.status === 401) {
+                    return {
+                        provider,
+                        active: false,
+                        details: "Key is invalid or revoked",
+                        error: null,
+                        endpoint: "https://api.openai.com/v1/models",
+                    };
+                }
+                return {
+                    provider,
+                    active: false,
+                    details: `Unexpected status: ${response.status}`,
+                    error: `OpenAI API returned ${response.status}: ${sanitizeForTerminal(response.statusText)}`,
+                    endpoint: "https://api.openai.com/v1/models",
+                };
+            }
+            catch (err) {
+                const message = err instanceof Error ? err.message : String(err);
+                return {
+                    provider,
+                    active: false,
+                    details: "Verification failed",
+                    error: `Network error: ${sanitizeForTerminal(message)}`,
+                    endpoint: "https://api.openai.com/v1/models",
+                };
+            }
+        },
+    };
+}
+export const openaiVerifier = makeOpenAIVerifier(KeyProvider.OpenAI);
+export const openaiServiceVerifier = makeOpenAIVerifier(KeyProvider.OpenAIService);
+//# sourceMappingURL=openai-verifier.js.map

package/dist/verification/openai-verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"openai-verifier.js","sourceRoot":"","sources":["../../src/verification/openai-verifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAE1D,OAAO,EAAE,WAAW,EAA2B,MAAM,mBAAmB,CAAC;AAGzE,SAAS,kBAAkB,CAAC,QAAqB;IAC/C,OAAO;QACL,QAAQ;QACR,QAAQ,EAAE,kCAAkC;QAC5C,WAAW,EAAE,oCAAoC;QAEjD,KAAK,CAAC,MAAM,CAAC,MAAoB;YAC/B,MAAM,GAAG,GAAG,MAAM,CAAC,eAAe,EAAE,CAAC;YACrC,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,kCAAkC,EAAE;oBAC/D,MAAM,EAAE,KAAK;oBACb,OAAO,EAAE;wBACP,aAAa,EAAE,UAAU,GAAG,EAAE;wBAC9B,YAAY,EAAE,6BAA6B;qBAC5C;iBACF,CAAC,CAAC;gBAEH,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;oBAC5B,OAAO;wBACL,QAAQ;wBACR,MAAM,EAAE,IAAI;wBACZ,OAAO,EAAE,6CAA6C;wBACtD,KAAK,EAAE,IAAI;wBACX,QAAQ,EAAE,kCAAkC;qBAC7C,CAAC;gBACJ,CAAC;gBAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;oBAC5B,OAAO;wBACL,QAAQ;wBACR,MAAM,EAAE,KAAK;wBACb,OAAO,EAAE,2BAA2B;wBACpC,KAAK,EAAE,IAAI;wBACX,QAAQ,EAAE,kCAAkC;qBAC7C,CAAC;gBACJ,CAAC;gBAED,OAAO;oBACL,QAAQ;oBACR,MAAM,EAAE,KAAK;oBACb,OAAO,EAAE,sBAAsB,QAAQ,CAAC,MAAM,EAAE;oBAChD,KAAK,EAAE,uBAAuB,QAAQ,CAAC,MAAM,KAAK,mBAAmB,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE;oBAC5F,QAAQ,EAAE,kCAAkC;iBAC7C,CAAC;YACJ,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBACjE,OAAO;oBACL,QAAQ;oBACR,MAAM,EAAE,KAAK;oBACb,OAAO,EAAE,qBAAqB;oBAC9B,KAAK,EAAE,kBAAkB,mBAAmB,CAAC,OAAO,CAAC,EAAE;oBACvD,QAAQ,EAAE,kCAAkC;iBAC7C,CAAC;YACJ,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,MAAM,cAAc,GAAG,kBAAkB,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;AACrE,MAAM,CAAC,MAAM,qBAAqB,GAAG,kBAAkB,CAAC,WAAW,CAAC,aAAa,CAAC,CAAC"}

package/dist/verification/slack-verifier.d.ts

@@ -0,0 +1,4 @@
+import type { KeyVerifier } from "./verifier.js";
+export declare const slackBotVerifier: KeyVerifier;
+export declare const slackUserVerifier: KeyVerifier;
+//# sourceMappingURL=slack-verifier.d.ts.map

package/dist/verification/slack-verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"slack-verifier.d.ts","sourceRoot":"","sources":["../../src/verification/slack-verifier.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AA2EjD,eAAO,MAAM,gBAAgB,aAA0C,CAAC;AACxE,eAAO,MAAM,iBAAiB,aAA2C,CAAC"}

package/dist/verification/slack-verifier.js

@@ -0,0 +1,67 @@
+import { sanitizeForTerminal } from "../core/sanitize.js";
+import { KeyProvider } from "../types/index.js";
+function makeSlackVerifier(provider) {
+    return {
+        provider,
+        endpoint: "https://slack.com/api/auth.test",
+        description: "Calls auth.test to check if token is active (read-only)",
+        async verify(secret) {
+            const key = secret.unsafeGetString();
+            try {
+                const response = await fetch("https://slack.com/api/auth.test", {
+                    method: "POST",
+                    headers: {
+                        Authorization: `Bearer ${key}`,
+                        "Content-Type": "application/x-www-form-urlencoded",
+                        "User-Agent": "compromising-position/1.0.0",
+                    },
+                });
+                if (!response.ok) {
+                    return {
+                        provider,
+                        active: false,
+                        details: `Unexpected HTTP status: ${response.status}`,
+                        error: `Slack API returned ${response.status}: ${sanitizeForTerminal(response.statusText)}`,
+                        endpoint: "https://slack.com/api/auth.test",
+                    };
+                }
+                const data = (await response.json());
+                if (data.ok) {
+                    const info = [
+                        data.team ? `team: ${sanitizeForTerminal(data.team)}` : null,
+                        data.user ? `user: ${sanitizeForTerminal(data.user)}` : null,
+                    ]
+                        .filter(Boolean)
+                        .join(", ");
+                    return {
+                        provider,
+                        active: true,
+                        details: `Key is active — ${info || "authenticated to Slack"}`,
+                        error: null,
+                        endpoint: "https://slack.com/api/auth.test",
+                    };
+                }
+                return {
+                    provider,
+                    active: false,
+                    details: `Key is invalid: ${sanitizeForTerminal(data.error ?? "unknown error")}`,
+                    error: null,
+                    endpoint: "https://slack.com/api/auth.test",
+                };
+            }
+            catch (err) {
+                const message = err instanceof Error ? err.message : String(err);
+                return {
+                    provider,
+                    active: false,
+                    details: "Verification failed",
+                    error: `Network error: ${sanitizeForTerminal(message)}`,
+                    endpoint: "https://slack.com/api/auth.test",
+                };
+            }
+        },
+    };
+}
+export const slackBotVerifier = makeSlackVerifier(KeyProvider.SlackBot);
+export const slackUserVerifier = makeSlackVerifier(KeyProvider.SlackUser);
+//# sourceMappingURL=slack-verifier.js.map

package/dist/verification/slack-verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"slack-verifier.js","sourceRoot":"","sources":["../../src/verification/slack-verifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAE1D,OAAO,EAAE,WAAW,EAA2B,MAAM,mBAAmB,CAAC;AAGzE,SAAS,iBAAiB,CAAC,QAAqB;IAC9C,OAAO;QACL,QAAQ;QACR,QAAQ,EAAE,iCAAiC;QAC3C,WAAW,EAAE,yDAAyD;QAEtE,KAAK,CAAC,MAAM,CAAC,MAAoB;YAC/B,MAAM,GAAG,GAAG,MAAM,CAAC,eAAe,EAAE,CAAC;YACrC,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,iCAAiC,EAAE;oBAC9D,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE;wBACP,aAAa,EAAE,UAAU,GAAG,EAAE;wBAC9B,cAAc,EAAE,mCAAmC;wBACnD,YAAY,EAAE,6BAA6B;qBAC5C;iBACF,CAAC,CAAC;gBAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;oBACjB,OAAO;wBACL,QAAQ;wBACR,MAAM,EAAE,KAAK;wBACb,OAAO,EAAE,2BAA2B,QAAQ,CAAC,MAAM,EAAE;wBACrD,KAAK,EAAE,sBAAsB,QAAQ,CAAC,MAAM,KAAK,mBAAmB,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE;wBAC3F,QAAQ,EAAE,iCAAiC;qBAC5C,CAAC;gBACJ,CAAC;gBAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAKlC,CAAC;gBAEF,IAAI,IAAI,CAAC,EAAE,EAAE,CAAC;oBACZ,MAAM,IAAI,GAAG;wBACX,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI;wBAC5D,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI;qBAC7D;yBACE,MAAM,CAAC,OAAO,CAAC;yBACf,IAAI,CAAC,IAAI,CAAC,CAAC;oBAEd,OAAO;wBACL,QAAQ;wBACR,MAAM,EAAE,IAAI;wBACZ,OAAO,EAAE,mBAAmB,IAAI,IAAI,wBAAwB,EAAE;wBAC9D,KAAK,EAAE,IAAI;wBACX,QAAQ,EAAE,iCAAiC;qBAC5C,CAAC;gBACJ,CAAC;gBAED,OAAO;oBACL,QAAQ;oBACR,MAAM,EAAE,KAAK;oBACb,OAAO,EAAE,mBAAmB,mBAAmB,CAAC,IAAI,CAAC,KAAK,IAAI,eAAe,CAAC,EAAE;oBAChF,KAAK,EAAE,IAAI;oBACX,QAAQ,EAAE,iCAAiC;iBAC5C,CAAC;YACJ,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBACjE,OAAO;oBACL,QAAQ;oBACR,MAAM,EAAE,KAAK;oBACb,OAAO,EAAE,qBAAqB;oBAC9B,KAAK,EAAE,kBAAkB,mBAAmB,CAAC,OAAO,CAAC,EAAE;oBACvD,QAAQ,EAAE,iCAAiC;iBAC5C,CAAC;YACJ,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,MAAM,gBAAgB,GAAG,iBAAiB,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;AACxE,MAAM,CAAC,MAAM,iBAAiB,GAAG,iBAAiB,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC"}

package/dist/verification/verifier-registry.d.ts

@@ -0,0 +1,13 @@
+import type { KeyProvider } from "../types/index.js";
+import type { KeyVerifier } from "./verifier.js";
+/**
+ * Registry mapping KeyProvider enum values to their verifier implementations.
+ */
+export declare class VerifierRegistry {
+    #private;
+    register(verifier: KeyVerifier): void;
+    get(provider: KeyProvider): KeyVerifier | undefined;
+    has(provider: KeyProvider): boolean;
+    getAll(): KeyVerifier[];
+}
+//# sourceMappingURL=verifier-registry.d.ts.map

package/dist/verification/verifier-registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier-registry.d.ts","sourceRoot":"","sources":["../../src/verification/verifier-registry.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAEjD;;GAEG;AACH,qBAAa,gBAAgB;;IAG3B,QAAQ,CAAC,QAAQ,EAAE,WAAW,GAAG,IAAI;IAIrC,GAAG,CAAC,QAAQ,EAAE,WAAW,GAAG,WAAW,GAAG,SAAS;IAInD,GAAG,CAAC,QAAQ,EAAE,WAAW,GAAG,OAAO;IAInC,MAAM,IAAI,WAAW,EAAE;CAGxB"}

package/dist/verification/verifier-registry.js

@@ -0,0 +1,19 @@
+/**
+ * Registry mapping KeyProvider enum values to their verifier implementations.
+ */
+export class VerifierRegistry {
+    #verifiers = new Map();
+    register(verifier) {
+        this.#verifiers.set(verifier.provider, verifier);
+    }
+    get(provider) {
+        return this.#verifiers.get(provider);
+    }
+    has(provider) {
+        return this.#verifiers.has(provider);
+    }
+    getAll() {
+        return Array.from(this.#verifiers.values());
+    }
+}
+//# sourceMappingURL=verifier-registry.js.map

package/dist/verification/verifier-registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier-registry.js","sourceRoot":"","sources":["../../src/verification/verifier-registry.ts"],"names":[],"mappings":"AAGA;;GAEG;AACH,MAAM,OAAO,gBAAgB;IAClB,UAAU,GAAG,IAAI,GAAG,EAA4B,CAAC;IAE1D,QAAQ,CAAC,QAAqB;QAC5B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IACnD,CAAC;IAED,GAAG,CAAC,QAAqB;QACvB,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACvC,CAAC;IAED,GAAG,CAAC,QAAqB;QACvB,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACvC,CAAC;IAED,MAAM;QACJ,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;IAC9C,CAAC;CACF"}

package/dist/verification/verifier.d.ts

@@ -0,0 +1,24 @@
+import type { SecureBuffer } from "../core/secure-buffer.js";
+import type { KeyProvider, VerificationResult } from "../types/index.js";
+/**
+ * Interface for active key verifiers.
+ * Each verifier checks if a key is still active by making a
+ * minimal read-only API call to the provider.
+ *
+ * IMPORTANT: Verifiers must only use read-only endpoints.
+ * Never make write operations with user keys.
+ */
+export interface KeyVerifier {
+    /** Which provider this verifier handles. */
+    readonly provider: KeyProvider;
+    /** The endpoint that will be called. Shown to the user for consent. */
+    readonly endpoint: string;
+    /** Human-readable description of what this verification does. */
+    readonly description: string;
+    /**
+     * Verify if the key is currently active.
+     * @param secret - The API key to verify.
+     */
+    verify(secret: SecureBuffer): Promise<VerificationResult>;
+}
+//# sourceMappingURL=verifier.d.ts.map

package/dist/verification/verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../../src/verification/verifier.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,KAAK,EAAE,WAAW,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAEzE;;;;;;;GAOG;AACH,MAAM,WAAW,WAAW;IAC1B,4CAA4C;IAC5C,QAAQ,CAAC,QAAQ,EAAE,WAAW,CAAC;IAE/B,uEAAuE;IACvE,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAE1B,iEAAiE;IACjE,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAE7B;;;OAGG;IACH,MAAM,CAAC,MAAM,EAAE,YAAY,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAAC;CAC3D"}

package/dist/verification/verifier.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=verifier.js.map

package/dist/verification/verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier.js","sourceRoot":"","sources":["../../src/verification/verifier.ts"],"names":[],"mappings":""}

package/package.json

@@ -0,0 +1,61 @@
+{
+  "name": "compromising-position",
+  "version": "1.0.0",
+  "description": "Privacy-preserving credential exposure checker — were your API keys compromised? Find out.",
+  "type": "module",
+  "engines": {
+    "node": ">=20.0.0"
+  },
+  "bin": {
+    "compromising-position": "./bin/compromising-position"
+  },
+  "files": [
+    "dist/",
+    "bin/",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "start": "node dist/index.js",
+    "dev": "tsc --watch",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "check": "tsc --noEmit",
+    "prepublishOnly": "npm run build && npm test"
+  },
+  "keywords": [
+    "security",
+    "credentials",
+    "k-anonymity",
+    "hibp",
+    "privacy",
+    "api-keys",
+    "breach-detection",
+    "credential-exposure",
+    "openclaw",
+    "secret-scanning",
+    "cli"
+  ],
+  "author": "Tommy Yau",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/tommyyau/compromising-position.git"
+  },
+  "homepage": "https://github.com/tommyyau/compromising-position",
+  "bugs": {
+    "url": "https://github.com/tommyyau/compromising-position/issues"
+  },
+  "dependencies": {
+    "chalk": "^5.3.0",
+    "commander": "^12.1.0",
+    "dotenv": "^16.4.5"
+  },
+  "devDependencies": {
+    "@types/node": "^20.14.0",
+    "msw": "^2.3.0",
+    "typescript": "^5.5.0",
+    "vitest": "^2.0.0"
+  }
+}