entkapp 5.3.0 → 5.3.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +1 -1
- package/bin/cli.js +2 -2
- package/package.json +1 -1
- package/src/ast/SecretScanner.js +112 -50
package/README.md
CHANGED
package/bin/cli.js
CHANGED
|
@@ -28,7 +28,7 @@ async function bootstrap() {
|
|
|
28
28
|
program
|
|
29
29
|
.name('entkapp')
|
|
30
30
|
.description(ansis.cyan('The Ultimate Enterprise Codebase Janitor with OXC integration, type-aware analysis, and automated structural healing.'))
|
|
31
|
-
.version(packageJsonContent.version || '5.1
|
|
31
|
+
.version(packageJsonContent.version || '5.3.1');
|
|
32
32
|
|
|
33
33
|
program
|
|
34
34
|
.option('-c, --cwd <path>', 'Specify the execution context root directory', process.cwd())
|
|
@@ -132,7 +132,7 @@ async function bootstrap() {
|
|
|
132
132
|
}, timeoutMs);
|
|
133
133
|
timeoutTimer.unref(); // Allow process to exit if work finishes
|
|
134
134
|
|
|
135
|
-
console.log(ansis.bold.green(`\n📦 entkapp v${packageJsonContent.version || '5.1
|
|
135
|
+
console.log(ansis.bold.green(`\n📦 entkapp v${packageJsonContent.version || '5.3.1'} Engine Activation`));
|
|
136
136
|
console.log(ansis.dim('------------------------------------------------------------'));
|
|
137
137
|
console.log(`${ansis.bold('Target Workspace Root :')} ${ansis.blue(targetCwd)}`);
|
|
138
138
|
console.log(`${ansis.bold('Refactoring Mode :')} ${options.fix ? ansis.yellow('Active Fixing & Self-Healing Enabled') : ansis.gray('Dry-Run Reporting Only')}`);
|
package/package.json
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"$schema": "http://json-schema.org/draft-07/schema#",
|
|
3
3
|
"name": "entkapp",
|
|
4
|
-
"version": "5.3.
|
|
4
|
+
"version": "5.3.1",
|
|
5
5
|
"description": "The Ultimate Enterprise Codebase Janitor. High-speed OXC integration, type-aware analysis, and automated structural healing. Fully standalone architectural orchestrator.",
|
|
6
6
|
"type": "module",
|
|
7
7
|
"main": "index.js",
|
package/src/ast/SecretScanner.js
CHANGED
|
@@ -35,45 +35,89 @@ const SENSITIVE_NAME_PATTERNS = [
|
|
|
35
35
|
/private[_-]?key/i,
|
|
36
36
|
/client[_-]?secret/i,
|
|
37
37
|
/app[_-]?secret/i,
|
|
38
|
+
/security[_-]?token/i,
|
|
39
|
+
/master[_-]?key/i,
|
|
40
|
+
/root[_-]?password/i,
|
|
41
|
+
|
|
38
42
|
// Database credentials
|
|
39
43
|
/db[_-]?pass(word)?/i,
|
|
40
44
|
/database[_-]?pass(word)?/i,
|
|
41
45
|
/db[_-]?url/i,
|
|
42
46
|
/database[_-]?url/i,
|
|
43
47
|
/connection[_-]?string/i,
|
|
44
|
-
|
|
48
|
+
/postgres(ql)?[_-]?url/i,
|
|
49
|
+
/mongo(db)?[_-]?url/i,
|
|
50
|
+
/redis[_-]?url/i,
|
|
51
|
+
|
|
52
|
+
// Passwords & Pins
|
|
45
53
|
/^password$/i,
|
|
46
54
|
/^passwd$/i,
|
|
47
55
|
/^pwd$/i,
|
|
48
56
|
/[_-]password$/i,
|
|
49
|
-
|
|
57
|
+
/[_-]pass$/i,
|
|
58
|
+
/pass(phrase|code)/i,
|
|
59
|
+
/admin[_-]?pass/i,
|
|
60
|
+
/pin[_-]?number/i,
|
|
61
|
+
|
|
62
|
+
// Tokens & Sessions
|
|
50
63
|
/[_-]token$/i,
|
|
51
64
|
/^token$/i,
|
|
52
|
-
/jwt[_-]?secret/i,
|
|
53
|
-
/session[_-]?secret/i,
|
|
65
|
+
/jwt[_-]?(secret|token)/i,
|
|
66
|
+
/session[_-]?(secret|token|id)/i,
|
|
54
67
|
/cookie[_-]?secret/i,
|
|
55
|
-
|
|
56
|
-
/
|
|
57
|
-
/
|
|
58
|
-
|
|
59
|
-
//
|
|
60
|
-
/
|
|
61
|
-
/
|
|
62
|
-
/
|
|
63
|
-
/
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
/openai[_-]?(key|token)/i,
|
|
68
|
+
/oauth[_-]?(token|secret|client)/i,
|
|
69
|
+
/refresh[_-]?token/i,
|
|
70
|
+
/csrf[_-]?token/i,
|
|
71
|
+
|
|
72
|
+
// Cloud Provider Keys (AWS, GCP, Azure)
|
|
73
|
+
/aws[_-]?(access[_-]?key|secret|session[_-]?token|key[_-]?id)/i,
|
|
74
|
+
/gcp[_-]?(key|secret|token|sa[_-]?key)/i,
|
|
75
|
+
/google[_-]?(api[_-]?key|credentials|client[_-]?secret)/i,
|
|
76
|
+
/azure[_-]?(key|secret|connection|token|tenant[_-]?id)/i,
|
|
77
|
+
|
|
78
|
+
// AI & Machine Learning Platforms
|
|
79
|
+
/openai[_-]?(key|token|secret)/i,
|
|
67
80
|
/anthropic[_-]?key/i,
|
|
68
|
-
/
|
|
69
|
-
/
|
|
81
|
+
/cohere[_-]?key/i,
|
|
82
|
+
/huggingface[_-]?token/i,
|
|
83
|
+
/replicate[_-]?api/i,
|
|
84
|
+
/langchain[_-]?api/i,
|
|
85
|
+
/pinecone[_-]?api/i,
|
|
86
|
+
/gemini[_-]?key/i,
|
|
87
|
+
|
|
88
|
+
// Service-Specific (CI/CD, Dev Tools, Payment, Comms)
|
|
89
|
+
/stripe[_-]?(key|secret|webhook)/i,
|
|
90
|
+
/twilio[_-]?(auth|token|sid)/i,
|
|
91
|
+
/sendgrid[_-]?(key|api)/i,
|
|
92
|
+
/github[_-]?(token|pat|secret|app[_-]?id)/i,
|
|
93
|
+
/gitlab[_-]?(token|pat|secret)/i,
|
|
94
|
+
/slack[_-]?(token|webhook|secret)/i,
|
|
95
|
+
/discord[_-]?(token|secret|webhook)/i,
|
|
96
|
+
/pagerduty[_-]?(token|key)/i,
|
|
97
|
+
/datadog[_-]?(api[_-]?key|app[_-]?key)/i,
|
|
98
|
+
/sentry[_-]?(dsn|auth[_-]?token)/i,
|
|
99
|
+
/heroku[_-]?(api[_-]?key|oauth)/i,
|
|
100
|
+
/atlassian[_-]?(token|secret)/i,
|
|
101
|
+
/jira[_-]?(token|password)/i,
|
|
102
|
+
/npm[_-]?auth[_-]?token/i,
|
|
103
|
+
/jfrog[_-]?(token|password|api)/i,
|
|
104
|
+
/firebase[_-]?(key|secret|token)/i,
|
|
105
|
+
/supabase[_-]?(key|secret|service[_-]?role)/i,
|
|
106
|
+
|
|
107
|
+
// Webhooks, Crypto, and Infrastructure
|
|
108
|
+
/webhook[_-]?(url|secret|token)/i,
|
|
109
|
+
/encryption[_-]?(key|secret|iv)/i,
|
|
70
110
|
/signing[_-]?key/i,
|
|
71
|
-
/hmac[_-]?key/i,
|
|
111
|
+
/hmac[_-]?(key|secret)/i,
|
|
72
112
|
/salt$/i,
|
|
73
|
-
/ssh[_-]?key/i,
|
|
74
|
-
/
|
|
75
|
-
/
|
|
76
|
-
/
|
|
113
|
+
/ssh[_-]?(key|private|public)/i,
|
|
114
|
+
/cert(ificate)?(s)?/i,
|
|
115
|
+
/credential(s)?/i,
|
|
116
|
+
/tls[_-]?(key|cert)/i,
|
|
117
|
+
/ssl[_-]?(key|cert)/i,
|
|
118
|
+
/kube(config)?[_-]?(token|secret)/i,
|
|
119
|
+
/vault[_-]?(token|secret|key)/i,
|
|
120
|
+
/bitcoind?[_-]?(rpc)?password/i,
|
|
77
121
|
];
|
|
78
122
|
|
|
79
123
|
/**
|
|
@@ -84,37 +128,55 @@ const SENSITIVE_VALUE_PATTERNS = [
|
|
|
84
128
|
// AWS Access Key IDs
|
|
85
129
|
{ pattern: /AKIA[0-9A-Z]{16}/, label: 'AWS_ACCESS_KEY_ID', severity: SecretSeverity.CRITICAL },
|
|
86
130
|
// AWS Secret Access Keys (40-char base64-ish)
|
|
87
|
-
{ pattern: /[A-Za-z0-9/+=]{40}/, label: 'AWS_SECRET_KEY_CANDIDATE', severity: SecretSeverity.MEDIUM },
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
|
|
131
|
+
{ pattern: /(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])/, label: 'AWS_SECRET_KEY_CANDIDATE', severity: SecretSeverity.MEDIUM },
|
|
132
|
+
|
|
133
|
+
// Generic high-entropy hex strings (32+ chars) - Added word boundaries to reduce false positives
|
|
134
|
+
{ pattern: /\b[0-9a-f]{32,}\b/i, label: 'HEX_SECRET', severity: SecretSeverity.HIGH },
|
|
135
|
+
// Generic high-entropy base64 strings (32+ chars) - Replaced rigid anchors with lookarounds
|
|
136
|
+
{ pattern: /(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{32,}={0,2}(?![A-Za-z0-9+/])/, label: 'BASE64_SECRET', severity: SecretSeverity.MEDIUM },
|
|
137
|
+
|
|
92
138
|
// JWT tokens
|
|
93
|
-
{ pattern:
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
{ pattern:
|
|
139
|
+
{ pattern: /\bey[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/, label: 'JWT_TOKEN', severity: SecretSeverity.CRITICAL },
|
|
140
|
+
|
|
141
|
+
// GitHub access tokens (Updated for all token formats: ghp, gho, ghu, ghs, ghr, fine-grained)
|
|
142
|
+
{ pattern: /\bgh[pousr]_[A-Za-z0-9]{36}\b/, label: 'GITHUB_TOKEN_CLASSIC', severity: SecretSeverity.CRITICAL },
|
|
143
|
+
{ pattern: /\bgithub_pat_[A-Za-z0-9_]{82}\b/, label: 'GITHUB_PAT_FINE', severity: SecretSeverity.CRITICAL },
|
|
144
|
+
{ pattern: /\bghs_[A-Za-z0-9\.\-_]{36,}\b/, label: 'GITHUB_APP_STATELESS_TOKEN', severity: SecretSeverity.CRITICAL }, // Supports the modern 2026 ghs_ JWT format
|
|
145
|
+
|
|
97
146
|
// Stripe keys
|
|
98
|
-
{ pattern:
|
|
99
|
-
{ pattern:
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
{ pattern: /[
|
|
104
|
-
|
|
105
|
-
|
|
147
|
+
{ pattern: /\bsk_(live|test)_[A-Za-z0-9]{24,}\b/, label: 'STRIPE_SECRET_KEY', severity: SecretSeverity.CRITICAL },
|
|
148
|
+
{ pattern: /\bpk_(live|test)_[A-Za-z0-9]{24,}\b/, label: 'STRIPE_PUBLIC_KEY', severity: SecretSeverity.HIGH },
|
|
149
|
+
|
|
150
|
+
// Slack tokens & Webhooks
|
|
151
|
+
{ pattern: /\bxox[baprs]-[A-Za-z0-9-]{10,}\b/, label: 'SLACK_TOKEN', severity: SecretSeverity.CRITICAL },
|
|
152
|
+
{ pattern: /https:\/\/hooks\.slack\.com\/services\/T[A-Z0-9_]{8}\/B[A-Z0-9_]{8}\/[A-Za-z0-9_]{24}/, label: 'SLACK_WEBHOOK', severity: SecretSeverity.CRITICAL },
|
|
153
|
+
|
|
154
|
+
// Discord tokens & Webhooks
|
|
155
|
+
{ pattern: /\b[MN][A-Za-z0-9]{23}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27}\b/, label: 'DISCORD_TOKEN', severity: SecretSeverity.CRITICAL },
|
|
156
|
+
{ pattern: /https:\/\/discord\.com\/api\/webhooks\/[0-9]{18,20}\/[A-Za-z0-9_-]{68,}/, label: 'DISCORD_WEBHOOK', severity: SecretSeverity.CRITICAL },
|
|
157
|
+
|
|
158
|
+
// Twilio SID & Auth Token
|
|
159
|
+
{ pattern: /\bAC[a-f0-9]{32}\b/, label: 'TWILIO_SID', severity: SecretSeverity.HIGH },
|
|
160
|
+
{ pattern: /\b[a-f0-9]{32}\b/, label: 'TWILIO_AUTH_TOKEN_CANDIDATE', severity: SecretSeverity.MEDIUM }, // Twilio tokens are raw 32-char hex strings often found near SIDs
|
|
161
|
+
|
|
106
162
|
// SendGrid API key
|
|
107
|
-
{ pattern:
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
{ pattern:
|
|
112
|
-
|
|
113
|
-
{ pattern: /AIza[0-9A-Za-z\\-_]{35}/, label: 'GOOGLE_API_KEY', severity: SecretSeverity.CRITICAL },
|
|
114
|
-
// Firebase Web API Key
|
|
115
|
-
{ pattern: /AIzaSy[0-9A-Za-z\\-_]{33}/, label: 'FIREBASE_API_KEY', severity: SecretSeverity.CRITICAL },
|
|
116
|
-
];
|
|
163
|
+
{ pattern: /\bSG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}\b/, label: 'SENDGRID_KEY', severity: SecretSeverity.CRITICAL },
|
|
164
|
+
|
|
165
|
+
// OpenAI & Anthropic API keys (Updated for Legacy, Project, and Claude token formats)
|
|
166
|
+
{ pattern: /\bsk-[A-Za-z0-9]{32,}\b/, label: 'OPENAI_KEY_LEGACY', severity: SecretSeverity.CRITICAL },
|
|
167
|
+
{ pattern: /\bsk-proj-[A-Za-z0-9-_]{40,}\b/, label: 'OPENAI_PROJECT_KEY', severity: SecretSeverity.CRITICAL },
|
|
168
|
+
{ pattern: /\bsk-ant-sid01-[A-Za-z0-9-_]{93}\b/, label: 'ANTHROPIC_CLAUDE_KEY', severity: SecretSeverity.CRITICAL },
|
|
117
169
|
|
|
170
|
+
// Generic UUID-like tokens
|
|
171
|
+
{ pattern: /\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b/i, label: 'UUID_SECRET_CANDIDATE', severity: SecretSeverity.MEDIUM },
|
|
172
|
+
|
|
173
|
+
// Google & Firebase Key
|
|
174
|
+
{ pattern: /\bAIza[0-9A-Za-z\\-_]{35}\b/, label: 'GOOGLE_API_KEY', severity: SecretSeverity.CRITICAL },
|
|
175
|
+
{ pattern: /\bAIzaSy[0-9A-Za-z\\-_]{33}\b/, label: 'FIREBASE_API_KEY', severity: SecretSeverity.CRITICAL },
|
|
176
|
+
|
|
177
|
+
// Private Key Files (Detects multi-line PEM blocks often found inside JSON/Env variables)
|
|
178
|
+
{ pattern: /-----BEGIN [A-Z ]+ PRIVATE KEY-----/, label: 'PRIVATE_KEY_BLOCK', severity: SecretSeverity.CRITICAL },
|
|
179
|
+
];
|
|
118
180
|
/**
|
|
119
181
|
* Minimum length a string value must have to be considered a potential secret.
|
|
120
182
|
* Short strings like "test", "dev", "localhost" are excluded.
|