cto-ai-cli 3.1.0 → 3.2.0

package/dist/cli/score.js

@@ -2,7 +2,7 @@
 
 // src/cli/score.ts
 import { resolve as resolve4, join as join4 } from "path";
-import { mkdirSync, writeFileSync, readFileSync } from "fs";
+import { mkdirSync, writeFileSync, readFileSync, appendFileSync } from "fs";
 
 // src/engine/analyzer.ts
 import { readFile as readFile2, readdir, stat as stat2 } from "fs/promises";
@@ -737,7 +737,29 @@ var BUILTIN_PATTERNS = [
   { type: "connection-string", source: `(?:mongodb(?:\\+srv)?|postgres(?:ql)?|mysql|redis|amqp):\\/\\/[^\\s'"]+:[^\\s'"]+@[^\\s'"]+`, flags: "gi", severity: "critical", description: "Database Connection String" },
   { type: "connection-string", source: `(?:DATABASE_URL|REDIS_URL|MONGODB_URI)\\s*[:=]\\s*['"]?([^\\s'"]{10,})['"]?`, flags: "gi", severity: "high", description: "Database URL" },
   // Environment variables with secrets
-  { type: "env-variable", source: `(?:SECRET|PRIVATE|ENCRYPTION)[_-]?(?:KEY|TOKEN|PASS)\\s*[:=]\\s*['"]?([^\\s'"]{8,})['"]?`, flags: "gi", severity: "high", description: "Secret Environment Variable" }
+  { type: "env-variable", source: `(?:SECRET|PRIVATE|ENCRYPTION)[_-]?(?:KEY|TOKEN|PASS)\\s*[:=]\\s*['"]?([^\\s'"]{8,})['"]?`, flags: "gi", severity: "high", description: "Secret Environment Variable" },
+  // Stripe
+  { type: "api-key", source: "sk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Stripe Live Secret Key" },
+  { type: "api-key", source: "pk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "high", description: "Stripe Live Publishable Key" },
+  { type: "api-key", source: "rk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Stripe Restricted Key" },
+  // Slack
+  { type: "token", source: "xoxb-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Slack Bot Token" },
+  { type: "token", source: "xoxp-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Slack User Token" },
+  { type: "api-key", source: "https://hooks\\.slack\\.com/services/T[a-zA-Z0-9_]+/B[a-zA-Z0-9_]+/[a-zA-Z0-9_]+", flags: "g", severity: "high", description: "Slack Webhook URL" },
+  // Google
+  { type: "api-key", source: "AIza[0-9A-Za-z_-]{35}", flags: "g", severity: "high", description: "Google API Key" },
+  { type: "token", source: "ya29\\.[0-9A-Za-z_-]+", flags: "g", severity: "high", description: "Google OAuth Token" },
+  // Azure
+  { type: "api-key", source: "(?:AccountKey|SharedAccessKey)\\s*=\\s*[a-zA-Z0-9+/=]{40,}", flags: "g", severity: "critical", description: "Azure Storage Key" },
+  // Twilio
+  { type: "api-key", source: "AC[a-f0-9]{32}", flags: "g", severity: "high", description: "Twilio Account SID" },
+  // SendGrid
+  { type: "api-key", source: "SG\\.[a-zA-Z0-9_-]{22}\\.[a-zA-Z0-9_-]{43}", flags: "g", severity: "critical", description: "SendGrid API Key" },
+  // JWT
+  { type: "token", source: "eyJ[a-zA-Z0-9_-]{10,}\\.eyJ[a-zA-Z0-9_-]{10,}\\.[a-zA-Z0-9_-]{10,}", flags: "g", severity: "high", description: "JSON Web Token" },
+  // PII
+  { type: "pii", source: "\\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Z|a-z]{2,}\\b", flags: "g", severity: "medium", description: "Email Address (PII)" },
+  { type: "pii", source: "\\b\\d{3}[-.]?\\d{2}[-.]?\\d{4}\\b", flags: "g", severity: "high", description: "Possible SSN (PII)" }
 ];
 function buildPatterns(customPatterns = []) {
   const patterns = BUILTIN_PATTERNS.map((def) => ({
@@ -827,6 +849,136 @@ function deduplicateFindings(findings) {
     return true;
   });
 }
+function shannonEntropy(str) {
+  const freq = /* @__PURE__ */ new Map();
+  for (const ch of str) {
+    freq.set(ch, (freq.get(ch) || 0) + 1);
+  }
+  let entropy = 0;
+  for (const count of freq.values()) {
+    const p = count / str.length;
+    if (p > 0) entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+var HIGH_ENTROPY_RE = /['"]([a-zA-Z0-9+/=_\-]{30,})['"]|=\s*['"]?([a-zA-Z0-9+/=_\-]{30,})['"]?/g;
+var ENTROPY_SKIP = [
+  /^[a-f0-9]{32,}$/i,
+  // hex hashes
+  /^[A-Z_]{30,}$/,
+  // all-caps constants
+  /^[a-z_]{30,}$/,
+  // all-lowercase identifiers
+  /^[a-zA-Z0-9+/]+=+$/,
+  // base64 padding
+  /^[a-z]+[A-Z][a-zA-Z]+$/,
+  // camelCase identifiers
+  /sha\d+-/i
+  // integrity hashes (sha256-, sha512-)
+];
+function scanContentForHighEntropy(content, filePath, threshold = 5) {
+  const findings = [];
+  const lines = content.split("\n");
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (line.trim().startsWith("//") || line.trim().startsWith("#") || line.trim().startsWith("*")) continue;
+    HIGH_ENTROPY_RE.lastIndex = 0;
+    let match;
+    while ((match = HIGH_ENTROPY_RE.exec(line)) !== null) {
+      const value = match[1] || match[2];
+      if (!value || value.length < 40) continue;
+      if (isTemplateOrPlaceholder(value)) continue;
+      if (ENTROPY_SKIP.some((p) => p.test(value))) continue;
+      const entropy = shannonEntropy(value);
+      if (entropy >= threshold) {
+        findings.push({
+          type: "high-entropy",
+          file: filePath,
+          line: i + 1,
+          match: value,
+          redacted: redactSecret(value),
+          severity: entropy >= 5 ? "high" : "medium"
+        });
+      }
+    }
+  }
+  return deduplicateFindings(findings);
+}
+async function auditProject(projectPath, filePaths, options = {}) {
+  const { customPatterns = [], entropyThreshold = 4.5, includePII = true } = options;
+  const allFindings = [];
+  const filesWithSecrets = /* @__PURE__ */ new Set();
+  for (const fp of filePaths) {
+    try {
+      const content = await readFile3(fp, "utf-8");
+      const relPath = relative3(resolve3(projectPath), resolve3(fp));
+      const isTestFile = /\.(test|spec|mock)\.[jt]sx?$/.test(relPath) || relPath.includes("__tests__");
+      const isDtsFile = relPath.endsWith(".d.ts");
+      let findings = scanContentForSecrets(content, relPath, customPatterns);
+      if (!includePII) {
+        findings = findings.filter((f) => f.type !== "pii");
+      }
+      const entropyFindings = isTestFile || isDtsFile ? [] : scanContentForHighEntropy(content, relPath, entropyThreshold);
+      const combined = [...findings, ...entropyFindings];
+      if (combined.length > 0) {
+        filesWithSecrets.add(relPath);
+        allFindings.push(...combined);
+      }
+    } catch {
+    }
+  }
+  allFindings.sort((a, b) => {
+    const order = { critical: 0, high: 1, medium: 2, low: 3 };
+    return order[a.severity] - order[b.severity];
+  });
+  const bySeverity = { critical: 0, high: 0, medium: 0, low: 0 };
+  const byType = {};
+  for (const f of allFindings) {
+    bySeverity[f.severity]++;
+    byType[f.type] = (byType[f.type] || 0) + 1;
+  }
+  const recommendations = [];
+  if (bySeverity.critical > 0) {
+    recommendations.push("CRITICAL: Rotate all detected credentials immediately. They may already be compromised.");
+  }
+  if (byType["password"] > 0) {
+    recommendations.push("Move passwords to environment variables or a secrets manager (AWS Secrets Manager, Vault, etc.).");
+  }
+  if (byType["api-key"] > 0 || byType["aws-key"] > 0) {
+    recommendations.push("Use environment variables for API keys. Never commit them to source control.");
+  }
+  if (byType["connection-string"] > 0) {
+    recommendations.push("Database connection strings should use environment variables, not hardcoded values.");
+  }
+  if (byType["private-key"] > 0) {
+    recommendations.push("Private keys should NEVER be in source code. Use a key management service.");
+  }
+  if (byType["pii"] > 0) {
+    recommendations.push("PII detected. Review for GDPR/CCPA compliance. Consider data anonymization.");
+  }
+  if (byType["high-entropy"] > 0) {
+    recommendations.push("High-entropy strings detected that may be secrets. Review manually.");
+  }
+  if (allFindings.length > 0) {
+    recommendations.push("Add a .gitignore entry for .env files if not already present.");
+    recommendations.push("Run `npx cto-ai-cli --audit` regularly or add to CI pipeline.");
+  }
+  if (allFindings.length === 0) {
+    recommendations.push("No secrets detected. Great job keeping your codebase clean!");
+  }
+  return {
+    findings: allFindings,
+    summary: {
+      totalFiles: filePaths.length,
+      filesScanned: filePaths.length,
+      filesWithSecrets: filesWithSecrets.size,
+      totalFindings: allFindings.length,
+      bySeverity,
+      byType
+    },
+    recommendations
+  };
+}
 
 // src/engine/pruner.ts
 import { Project as Project2, SyntaxKind as SyntaxKind2 } from "ts-morph";
@@ -1887,6 +2039,7 @@ async function main() {
   const fixMode = args.includes("--fix");
   const reportMode = args.includes("--report");
   const compareMode = args.includes("--compare");
+  const auditMode = args.includes("--audit");
   const helpMode = args.includes("--help") || args.includes("-h");
   const contextIdx = args.indexOf("--context");
   const contextTask = contextIdx !== -1 && args[contextIdx + 1] ? args[contextIdx + 1] : null;
@@ -1904,6 +2057,7 @@ async function main() {
     npx cto-ai-cli --context "your task"     Generate task-specific context
     npx cto-ai-cli --report                  Generate shareable markdown report
     npx cto-ai-cli --compare                 Compare your score vs popular projects
+    npx cto-ai-cli --audit                   Security audit: detect secrets & PII
     npx cto-ai-cli --json                    Output as JSON (for CI/scripts)
 
   What it does:
@@ -1964,6 +2118,9 @@ async function main() {
     if (compareMode) {
       runCompare(score);
     }
+    if (auditMode) {
+      await runAudit(projectPath, analysis);
+    }
     console.log("");
     console.log(`  Scanned in ${elapsed}s \xB7 ${analysis.totalFiles} files \xB7 ${Math.round(analysis.totalTokens / 1e3)}K tokens`);
     console.log("");
@@ -2365,6 +2522,188 @@ function renderCompareBar(pct) {
   const empty = width - filled;
   return "\u2588".repeat(filled) + "\u2591".repeat(empty);
 }
+async function runAudit(projectPath, analysis) {
+  console.log("");
+  console.log("  \u{1F50D} Running security audit...");
+  console.log("");
+  const filePaths = analysis.files.map((f) => f.path);
+  const result = await auditProject(projectPath, filePaths, { includePII: true });
+  const { summary, findings, recommendations } = result;
+  const statusIcon = summary.bySeverity.critical > 0 ? "\u{1F534}" : summary.bySeverity.high > 0 ? "\u{1F7E0}" : summary.totalFindings > 0 ? "\u{1F7E1}" : "\u{1F7E2}";
+  const statusText = summary.bySeverity.critical > 0 ? "CRITICAL ISSUES FOUND" : summary.bySeverity.high > 0 ? "HIGH-SEVERITY ISSUES FOUND" : summary.totalFindings > 0 ? "MINOR ISSUES FOUND" : "ALL CLEAR";
+  console.log("  \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557");
+  console.log("  \u2551                                                  \u2551");
+  console.log(`  \u2551   ${statusIcon} Security Audit: ${statusText.padEnd(28)} \u2551`);
+  console.log("  \u2551                                                  \u2551");
+  console.log(`  \u2551   Files scanned:  ${summary.filesScanned.toString().padEnd(30)} \u2551`);
+  console.log(`  \u2551   Files affected: ${summary.filesWithSecrets.toString().padEnd(30)} \u2551`);
+  console.log(`  \u2551   Total findings: ${summary.totalFindings.toString().padEnd(30)} \u2551`);
+  console.log("  \u2551                                                  \u2551");
+  console.log("  \u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563");
+  console.log("  \u2551                                                  \u2551");
+  if (summary.bySeverity.critical > 0) {
+    console.log(`  \u2551   \u{1F534} Critical: ${summary.bySeverity.critical.toString().padEnd(33)} \u2551`);
+  }
+  if (summary.bySeverity.high > 0) {
+    console.log(`  \u2551   \u{1F7E0} High:     ${summary.bySeverity.high.toString().padEnd(33)} \u2551`);
+  }
+  if (summary.bySeverity.medium > 0) {
+    console.log(`  \u2551   \u{1F7E1} Medium:   ${summary.bySeverity.medium.toString().padEnd(33)} \u2551`);
+  }
+  if (summary.bySeverity.low > 0) {
+    console.log(`  \u2551   \u{1F535} Low:      ${summary.bySeverity.low.toString().padEnd(33)} \u2551`);
+  }
+  if (summary.totalFindings === 0) {
+    console.log("  \u2551   \u2705 No secrets or PII detected                  \u2551");
+  }
+  console.log("  \u2551                                                  \u2551");
+  if (Object.keys(summary.byType).length > 0) {
+    console.log("  \u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563");
+    console.log("  \u2551                                                  \u2551");
+    console.log("  \u2551   By type:                                       \u2551");
+    for (const [type, count] of Object.entries(summary.byType)) {
+      const label = type.padEnd(18);
+      console.log(`  \u2551     ${label} ${count.toString().padEnd(28)} \u2551`);
+    }
+    console.log("  \u2551                                                  \u2551");
+  }
+  console.log("  \u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D");
+  if (findings.length > 0) {
+    console.log("");
+    console.log("  Findings:");
+    console.log("");
+    const shown = findings.slice(0, 15);
+    for (const f of shown) {
+      const icon = f.severity === "critical" ? "\u{1F534}" : f.severity === "high" ? "\u{1F7E0}" : f.severity === "medium" ? "\u{1F7E1}" : "\u{1F535}";
+      const sev = f.severity.toUpperCase().padEnd(8);
+      console.log(`  ${icon} ${sev} ${f.file}:${f.line}`);
+      console.log(`           ${f.type}: ${f.redacted}`);
+    }
+    if (findings.length > 15) {
+      console.log(`  ... and ${findings.length - 15} more (see .cto/audit/ for full report)`);
+    }
+  }
+  if (recommendations.length > 0) {
+    console.log("");
+    console.log("  Recommendations:");
+    console.log("");
+    for (const rec of recommendations) {
+      const icon = rec.startsWith("CRITICAL") ? "\u{1F6A8}" : "\u{1F4A1}";
+      console.log(`  ${icon} ${rec}`);
+    }
+  }
+  const ctoDir = join4(projectPath, ".cto");
+  const auditDir = join4(ctoDir, "audit");
+  mkdirSync(auditDir, { recursive: true });
+  const now = /* @__PURE__ */ new Date();
+  const dateStr = now.toISOString().split("T")[0];
+  const logFile = join4(auditDir, `${dateStr}.jsonl`);
+  const logEntry = {
+    timestamp: now.toISOString(),
+    version: "3.2.0",
+    summary: {
+      filesScanned: summary.filesScanned,
+      filesWithSecrets: summary.filesWithSecrets,
+      totalFindings: summary.totalFindings,
+      bySeverity: summary.bySeverity,
+      byType: summary.byType
+    },
+    findings: findings.map((f) => ({
+      type: f.type,
+      file: f.file,
+      line: f.line,
+      severity: f.severity,
+      redacted: f.redacted
+    }))
+  };
+  appendFileSync(logFile, JSON.stringify(logEntry) + "\n");
+  let report = `# Security Audit Report
+
+`;
+  report += `> Generated by cto-ai-cli on ${now.toISOString()}
+
+`;
+  report += `## Summary
+
+`;
+  report += `| Metric | Value |
+`;
+  report += `|--------|-------|
+`;
+  report += `| Files scanned | ${summary.filesScanned} |
+`;
+  report += `| Files with issues | ${summary.filesWithSecrets} |
+`;
+  report += `| Total findings | ${summary.totalFindings} |
+`;
+  report += `| Critical | ${summary.bySeverity.critical} |
+`;
+  report += `| High | ${summary.bySeverity.high} |
+`;
+  report += `| Medium | ${summary.bySeverity.medium} |
+
+`;
+  if (findings.length > 0) {
+    report += `## Findings
+
+`;
+    report += `| Severity | Type | File | Line | Redacted |
+`;
+    report += `|----------|------|------|------|----------|
+`;
+    for (const f of findings) {
+      report += `| ${f.severity} | ${f.type} | ${f.file} | ${f.line} | \`${f.redacted.slice(0, 30)}\` |
+`;
+    }
+    report += "\n";
+  }
+  if (recommendations.length > 0) {
+    report += `## Recommendations
+
+`;
+    for (const rec of recommendations) {
+      report += `- ${rec}
+`;
+    }
+  }
+  writeFileSync(join4(auditDir, "report.md"), report);
+  const envSecrets = findings.filter(
+    (f) => f.type === "env-variable" || f.type === "password" || f.type === "api-key" || f.type === "aws-key" || f.type === "connection-string"
+  );
+  if (envSecrets.length > 0) {
+    const envVarNames = /* @__PURE__ */ new Set();
+    for (const f of envSecrets) {
+      const varMatch = f.match.match(/^([A-Z_][A-Z0-9_]*)\s*[:=]/i);
+      if (varMatch) {
+        envVarNames.add(varMatch[1].toUpperCase());
+      } else {
+        const name = f.type.toUpperCase().replace(/-/g, "_");
+        envVarNames.add(name);
+      }
+    }
+    if (envVarNames.size > 0) {
+      let envExample = "# Environment variables \u2014 NEVER commit real values\n";
+      envExample += "# Generated by cto-ai-cli --audit\n\n";
+      for (const name of envVarNames) {
+        envExample += `${name}=your_${name.toLowerCase()}_here
+`;
+      }
+      writeFileSync(join4(ctoDir, ".env.example"), envExample);
+    }
+  }
+  console.log("");
+  console.log("  \u{1F4C1} Audit artifacts:");
+  console.log(`  \u{1F4CB} .cto/audit/${dateStr}.jsonl   Audit log (append-only)`);
+  console.log("  \u{1F4CA} .cto/audit/report.md         Full report");
+  if (envSecrets.length > 0) {
+    console.log("  \u{1F4DD} .cto/.env.example            Template for environment variables");
+  }
+  console.log("");
+  if (process.env.CI && (summary.bySeverity.critical > 0 || summary.bySeverity.high > 0)) {
+    console.log("  \u274C CI mode: Failing due to critical/high severity findings.");
+    process.exit(1);
+  }
+}
 function formatTokens(n) {
   if (n >= 1e6) return `${(n / 1e6).toFixed(1)}M`;
   if (n >= 1e3) return `${(n / 1e3).toFixed(1)}K`;

package/dist/cli/v2/index.js

@@ -1336,7 +1336,29 @@ var BUILTIN_PATTERNS = [
   { type: "connection-string", source: `(?:mongodb(?:\\+srv)?|postgres(?:ql)?|mysql|redis|amqp):\\/\\/[^\\s'"]+:[^\\s'"]+@[^\\s'"]+`, flags: "gi", severity: "critical", description: "Database Connection String" },
   { type: "connection-string", source: `(?:DATABASE_URL|REDIS_URL|MONGODB_URI)\\s*[:=]\\s*['"]?([^\\s'"]{10,})['"]?`, flags: "gi", severity: "high", description: "Database URL" },
   // Environment variables with secrets
-  { type: "env-variable", source: `(?:SECRET|PRIVATE|ENCRYPTION)[_-]?(?:KEY|TOKEN|PASS)\\s*[:=]\\s*['"]?([^\\s'"]{8,})['"]?`, flags: "gi", severity: "high", description: "Secret Environment Variable" }
+  { type: "env-variable", source: `(?:SECRET|PRIVATE|ENCRYPTION)[_-]?(?:KEY|TOKEN|PASS)\\s*[:=]\\s*['"]?([^\\s'"]{8,})['"]?`, flags: "gi", severity: "high", description: "Secret Environment Variable" },
+  // Stripe
+  { type: "api-key", source: "sk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Stripe Live Secret Key" },
+  { type: "api-key", source: "pk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "high", description: "Stripe Live Publishable Key" },
+  { type: "api-key", source: "rk_live_[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Stripe Restricted Key" },
+  // Slack
+  { type: "token", source: "xoxb-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Slack Bot Token" },
+  { type: "token", source: "xoxp-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{24,}", flags: "g", severity: "critical", description: "Slack User Token" },
+  { type: "api-key", source: "https://hooks\\.slack\\.com/services/T[a-zA-Z0-9_]+/B[a-zA-Z0-9_]+/[a-zA-Z0-9_]+", flags: "g", severity: "high", description: "Slack Webhook URL" },
+  // Google
+  { type: "api-key", source: "AIza[0-9A-Za-z_-]{35}", flags: "g", severity: "high", description: "Google API Key" },
+  { type: "token", source: "ya29\\.[0-9A-Za-z_-]+", flags: "g", severity: "high", description: "Google OAuth Token" },
+  // Azure
+  { type: "api-key", source: "(?:AccountKey|SharedAccessKey)\\s*=\\s*[a-zA-Z0-9+/=]{40,}", flags: "g", severity: "critical", description: "Azure Storage Key" },
+  // Twilio
+  { type: "api-key", source: "AC[a-f0-9]{32}", flags: "g", severity: "high", description: "Twilio Account SID" },
+  // SendGrid
+  { type: "api-key", source: "SG\\.[a-zA-Z0-9_-]{22}\\.[a-zA-Z0-9_-]{43}", flags: "g", severity: "critical", description: "SendGrid API Key" },
+  // JWT
+  { type: "token", source: "eyJ[a-zA-Z0-9_-]{10,}\\.eyJ[a-zA-Z0-9_-]{10,}\\.[a-zA-Z0-9_-]{10,}", flags: "g", severity: "high", description: "JSON Web Token" },
+  // PII
+  { type: "pii", source: "\\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Z|a-z]{2,}\\b", flags: "g", severity: "medium", description: "Email Address (PII)" },
+  { type: "pii", source: "\\b\\d{3}[-.]?\\d{2}[-.]?\\d{4}\\b", flags: "g", severity: "high", description: "Possible SSN (PII)" }
 ];
 function buildPatterns(customPatterns = []) {
   const patterns = BUILTIN_PATTERNS.map((def) => ({