guardrail-security 1.0.0

package/dist/secrets/guardian.js

@@ -0,0 +1,334 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.secretsGuardian = exports.SecretsGuardian = exports.SecretType = void 0;
+const database_1 = require("@guardrail/database");
+const core_1 = require("@guardrail/core");
+const patterns_1 = require("./patterns");
+const fs_1 = require("fs");
+const glob_1 = require("glob");
+const path_1 = require("path");
+// Define SecretType locally since it's not exported from database
+var SecretType;
+(function (SecretType) {
+    SecretType["API_KEY"] = "api_key";
+    SecretType["PASSWORD"] = "password";
+    SecretType["TOKEN"] = "token";
+    SecretType["CERTIFICATE"] = "certificate";
+    SecretType["PRIVATE_KEY"] = "private_key";
+    SecretType["DATABASE_URL"] = "database_url";
+    SecretType["JWT_SECRET"] = "jwt_secret";
+    SecretType["AWS_ACCESS_KEY"] = "aws_access_key";
+    SecretType["OTHER"] = "other";
+    SecretType["AWS_SECRET_KEY"] = "aws_secret_key";
+    SecretType["GITHUB_TOKEN"] = "github_token";
+    SecretType["GOOGLE_API_KEY"] = "google_api_key";
+    SecretType["STRIPE_KEY"] = "stripe_key";
+    SecretType["JWT_TOKEN"] = "jwt_token";
+    SecretType["SLACK_TOKEN"] = "slack_token";
+    SecretType["API_KEY_GENERIC"] = "api_key_generic";
+    SecretType["PASSWORD_GENERIC"] = "password_generic";
+})(SecretType || (exports.SecretType = SecretType = {}));
+/**
+ * Secrets & Credential Guardian
+ *
+ * Detects exposed secrets and credentials in code
+ */
+class SecretsGuardian {
+    /**
+     * Scan content for secrets
+     */
+    async scanContent(content, filePath, options = {}) {
+        const detections = [];
+        const lines = content.split('\n');
+        for (const pattern of patterns_1.SECRET_PATTERNS) {
+            const matches = [...content.matchAll(new RegExp(pattern.pattern, 'g'))];
+            for (const match of matches) {
+                if (!match.index)
+                    continue;
+                // Extract the secret value (first capturing group)
+                const value = match[1] || match[0];
+                // Calculate entropy
+                const entropy = this.calculateEntropy(value);
+                // Check minimum entropy requirement
+                if (pattern.minEntropy && entropy < pattern.minEntropy) {
+                    continue;
+                }
+                // Find line number and column
+                const beforeMatch = content.substring(0, match.index);
+                const lineNumber = beforeMatch.split('\n').length;
+                const lineStart = beforeMatch.lastIndexOf('\n') + 1;
+                const column = match.index - lineStart + 1;
+                // Get context
+                const snippet = lines[lineNumber - 1] || '';
+                // Check if it's a test value
+                const isTest = this.isTestValue(value, snippet);
+                // Check for false positives
+                const isFalsePositive = this.isFalsePositive(value, pattern.type, snippet);
+                if (isFalsePositive) {
+                    continue;
+                }
+                // Calculate confidence
+                const confidence = this.calculateConfidence(value, pattern, entropy, isTest);
+                // Skip if below minimum confidence
+                if (options.minConfidence && confidence < options.minConfidence) {
+                    continue;
+                }
+                // Skip if excluding tests
+                if (options.excludeTests && isTest) {
+                    continue;
+                }
+                // Mask the value
+                const maskedValue = this.maskValue(value);
+                // Generate recommendation
+                const recommendation = this.generateRecommendation(pattern.type, isTest);
+                // Create detection object
+                const detection = {
+                    id: undefined, // Will be set when saved to database
+                    filePath,
+                    secretType: pattern.type,
+                    maskedValue,
+                    location: {
+                        line: lineNumber,
+                        column,
+                        snippet: snippet.trim(),
+                    },
+                    confidence,
+                    entropy,
+                    isTest,
+                    isRevoked: false,
+                    recommendation,
+                };
+                detections.push(detection);
+            }
+        }
+        return detections;
+    }
+    /**
+     * Scan entire project
+     */
+    async scanProject(projectPath, projectId, options = {}) {
+        const excludePatterns = [
+            '**/node_modules/**',
+            '**/dist/**',
+            '**/build/**',
+            '**/.git/**',
+            '**/coverage/**',
+            '**/*.min.js',
+            ...(options.excludePatterns || []),
+        ];
+        // Find all files to scan
+        const files = await (0, glob_1.glob)('**/*', {
+            cwd: projectPath,
+            ignore: excludePatterns,
+            nodir: true,
+        });
+        const allDetections = [];
+        let scannedFiles = 0;
+        for (const file of files) {
+            try {
+                const fullPath = (0, path_1.join)(projectPath, file);
+                const content = (0, fs_1.readFileSync)(fullPath, 'utf-8');
+                const detections = await this.scanContent(content, file, options);
+                // Save to database
+                for (const detection of detections) {
+                    try {
+                        // @ts-ignore - secretDetection may not exist in schema yet
+                        await database_1.prisma.secretDetection.create({
+                            data: {
+                                projectId: 'default',
+                                filePath: detection.filePath
+                            }
+                        });
+                    }
+                    catch (error) {
+                        // Table may not exist - continue
+                    }
+                }
+                allDetections.push(...detections);
+                scannedFiles++;
+            }
+            catch (error) {
+                // Skip files that can't be read
+                continue;
+            }
+        }
+        // Generate summary
+        const byType = {};
+        const byRisk = { high: 0, medium: 0, low: 0 };
+        for (const detection of allDetections) {
+            byType[detection.secretType] = (byType[detection.secretType] || 0) + 1;
+            if (detection.confidence >= 0.8) {
+                byRisk.high++;
+            }
+            else if (detection.confidence >= 0.5) {
+                byRisk.medium++;
+            }
+            else {
+                byRisk.low++;
+            }
+        }
+        return {
+            projectId,
+            totalFiles: files.length,
+            scannedFiles,
+            detections: allDetections,
+            summary: {
+                totalSecrets: allDetections.length,
+                byType,
+                byRisk,
+            },
+        };
+    }
+    /**
+     * Calculate entropy for randomness detection
+     */
+    calculateEntropy(str) {
+        return (0, core_1.calculateEntropy)(str);
+    }
+    /**
+     * Check if likely test/example value
+     */
+    isTestValue(value, context) {
+        const lowerValue = value.toLowerCase();
+        const lowerContext = context.toLowerCase();
+        // Check value itself
+        for (const pattern of patterns_1.TEST_PATTERNS) {
+            if (pattern.test(lowerValue)) {
+                return true;
+            }
+        }
+        // Check context
+        if (lowerContext.includes('test') ||
+            lowerContext.includes('example') ||
+            lowerContext.includes('demo') ||
+            lowerContext.includes('fixture') ||
+            lowerContext.includes('mock')) {
+            return true;
+        }
+        return false;
+    }
+    /**
+     * Check for false positives
+     */
+    isFalsePositive(value, type, _context) {
+        const lowerValue = value.toLowerCase();
+        // Check against known false positives
+        if (patterns_1.FALSE_POSITIVE_VALUES.has(lowerValue)) {
+            return true;
+        }
+        // Check for placeholder patterns
+        if (/^(x+|0+|1+|a+)$/i.test(value)) {
+            return true;
+        }
+        // Check for repeated characters (likely placeholder)
+        if (/(.)\1{10,}/.test(value)) {
+            return true;
+        }
+        // JWT-specific false positive checks
+        if (type === SecretType.JWT_TOKEN) {
+            // Very simple/short payload might be example
+            try {
+                const parts = value.split('.');
+                if (parts.length === 3 && parts[1]) {
+                    const payload = Buffer.from(parts[1], 'base64').toString();
+                    if (payload.length < 20) {
+                        return true;
+                    }
+                }
+            }
+            catch {
+                // Invalid JWT, might be false positive
+                return true;
+            }
+        }
+        return false;
+    }
+    /**
+     * Calculate confidence score
+     */
+    calculateConfidence(value, pattern, entropy, isTest) {
+        let confidence = 0.7; // Base confidence
+        // Increase confidence for high entropy
+        if (entropy > 4.5) {
+            confidence += 0.2;
+        }
+        else if (entropy > 4.0) {
+            confidence += 0.1;
+        }
+        // Decrease confidence for test values
+        if (isTest) {
+            confidence -= 0.3;
+        }
+        // Pattern-specific adjustments
+        if (pattern.type === SecretType.AWS_ACCESS_KEY && value.startsWith('AKIA')) {
+            confidence += 0.1;
+        }
+        if (pattern.type === SecretType.GITHUB_TOKEN && /^gh[pos]_/.test(value)) {
+            confidence += 0.1;
+        }
+        return Math.max(0, Math.min(1, confidence));
+    }
+    /**
+     * Mask secret for safe logging
+     */
+    maskValue(value) {
+        return (0, core_1.maskSensitiveValue)(value);
+    }
+    /**
+     * Generate recommendation
+     */
+    generateRecommendation(type, isTest) {
+        if (isTest) {
+            return {
+                action: 'remove',
+                reason: 'Test credential detected in code',
+                remediation: 'Remove test credentials and use mocking instead',
+            };
+        }
+        // High-risk secrets require rotation
+        const highRiskTypes = [
+            'AWS_SECRET_KEY',
+            'GITHUB_TOKEN',
+            'STRIPE_KEY',
+            'PRIVATE_KEY',
+        ];
+        if (highRiskTypes.includes(type)) {
+            return {
+                action: 'revoke_and_rotate',
+                reason: 'High-risk credential exposed in code',
+                remediation: 'Immediately revoke this credential and rotate to a new one. Store in secure vault or environment variables.',
+            };
+        }
+        // Medium-risk can use env vars
+        return {
+            action: 'move_to_env',
+            reason: 'Credential should not be hardcoded',
+            remediation: 'Move to environment variables or secure vault (e.g., AWS Secrets Manager, HashiCorp Vault)',
+        };
+    }
+    /**
+     * Get project secrets report
+     */
+    async getProjectReport(projectId) {
+        // @ts-ignore - secretDetection may not exist in schema yet
+        const detections = await database_1.prisma.secretDetection.findMany({
+            where: { projectId },
+            orderBy: { createdAt: 'desc' },
+        });
+        return detections.map((s) => ({
+            id: s.id,
+            filePath: s.filePath,
+            secretType: s.secretType,
+            maskedValue: s.maskedValue,
+            location: s.location,
+            confidence: s.confidence,
+            entropy: s.entropy,
+            isTest: s.isTest,
+            isRevoked: s.isRevoked,
+            recommendation: s.recommendation,
+        }));
+    }
+}
+exports.SecretsGuardian = SecretsGuardian;
+// Export singleton
+exports.secretsGuardian = new SecretsGuardian();

package/dist/secrets/index.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Secrets & Credential Guardian
+ *
+ * Detects and prevents exposure of secrets and credentials
+ */
+export * from './patterns';
+export { secretsGuardian, SecretsGuardian } from './guardian';
+export { preCommitHook } from './pre-commit';
+export { vaultIntegration } from './vault-integration';
+//# sourceMappingURL=index.d.ts.map

package/dist/secrets/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/secrets/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,cAAc,YAAY,CAAC;AAC3B,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC"}

package/dist/secrets/index.js

@@ -0,0 +1,30 @@
+"use strict";
+/**
+ * Secrets & Credential Guardian
+ *
+ * Detects and prevents exposure of secrets and credentials
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.vaultIntegration = exports.preCommitHook = exports.SecretsGuardian = exports.secretsGuardian = void 0;
+__exportStar(require("./patterns"), exports);
+var guardian_1 = require("./guardian");
+Object.defineProperty(exports, "secretsGuardian", { enumerable: true, get: function () { return guardian_1.secretsGuardian; } });
+Object.defineProperty(exports, "SecretsGuardian", { enumerable: true, get: function () { return guardian_1.SecretsGuardian; } });
+var pre_commit_1 = require("./pre-commit");
+Object.defineProperty(exports, "preCommitHook", { enumerable: true, get: function () { return pre_commit_1.preCommitHook; } });
+var vault_integration_1 = require("./vault-integration");
+Object.defineProperty(exports, "vaultIntegration", { enumerable: true, get: function () { return vault_integration_1.vaultIntegration; } });

package/dist/secrets/patterns.d.ts

@@ -0,0 +1,42 @@
+export declare enum SecretType {
+    API_KEY = "api_key",
+    PASSWORD = "password",
+    TOKEN = "token",
+    CERTIFICATE = "certificate",
+    PRIVATE_KEY = "private_key",
+    DATABASE_URL = "database_url",
+    JWT_SECRET = "jwt_secret",
+    AWS_ACCESS_KEY = "aws_access_key",
+    OTHER = "other",
+    AWS_SECRET_KEY = "aws_secret_key",
+    GITHUB_TOKEN = "github_token",
+    GOOGLE_API_KEY = "google_api_key",
+    STRIPE_KEY = "stripe_key",
+    JWT_TOKEN = "jwt_token",
+    SLACK_TOKEN = "slack_token",
+    API_KEY_GENERIC = "api_key_generic"
+}
+/**
+ * Secret detection pattern
+ */
+export interface SecretPattern {
+    type: SecretType;
+    name: string;
+    pattern: RegExp;
+    minEntropy?: number;
+    description: string;
+    examples: string[];
+}
+/**
+ * Comprehensive secret detection patterns
+ */
+export declare const SECRET_PATTERNS: SecretPattern[];
+/**
+ * Test/example value patterns (to exclude false positives)
+ */
+export declare const TEST_PATTERNS: RegExp[];
+/**
+ * Common false positive values
+ */
+export declare const FALSE_POSITIVE_VALUES: Set<string>;
+//# sourceMappingURL=patterns.d.ts.map

package/dist/secrets/patterns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../src/secrets/patterns.ts"],"names":[],"mappings":"AACA,oBAAY,UAAU;IACpB,OAAO,YAAY;IACnB,QAAQ,aAAa;IACrB,KAAK,UAAU;IACf,WAAW,gBAAgB;IAC3B,WAAW,gBAAgB;IAC3B,YAAY,iBAAiB;IAC7B,UAAU,eAAe;IACzB,cAAc,mBAAmB;IACjC,KAAK,UAAU;IACf,cAAc,mBAAmB;IACjC,YAAY,iBAAiB;IAC7B,cAAc,mBAAmB;IACjC,UAAU,eAAe;IACzB,SAAS,cAAc;IACvB,WAAW,gBAAgB;IAC3B,eAAe,oBAAoB;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,UAAU,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED;;GAEG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,EAyG1C,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,aAAa,UAkBzB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,qBAAqB,aAiBhC,CAAC"}

package/dist/secrets/patterns.js

@@ -0,0 +1,165 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FALSE_POSITIVE_VALUES = exports.TEST_PATTERNS = exports.SECRET_PATTERNS = exports.SecretType = void 0;
+// Define SecretType locally since it's not exported from database
+var SecretType;
+(function (SecretType) {
+    SecretType["API_KEY"] = "api_key";
+    SecretType["PASSWORD"] = "password";
+    SecretType["TOKEN"] = "token";
+    SecretType["CERTIFICATE"] = "certificate";
+    SecretType["PRIVATE_KEY"] = "private_key";
+    SecretType["DATABASE_URL"] = "database_url";
+    SecretType["JWT_SECRET"] = "jwt_secret";
+    SecretType["AWS_ACCESS_KEY"] = "aws_access_key";
+    SecretType["OTHER"] = "other";
+    SecretType["AWS_SECRET_KEY"] = "aws_secret_key";
+    SecretType["GITHUB_TOKEN"] = "github_token";
+    SecretType["GOOGLE_API_KEY"] = "google_api_key";
+    SecretType["STRIPE_KEY"] = "stripe_key";
+    SecretType["JWT_TOKEN"] = "jwt_token";
+    SecretType["SLACK_TOKEN"] = "slack_token";
+    SecretType["API_KEY_GENERIC"] = "api_key_generic";
+})(SecretType || (exports.SecretType = SecretType = {}));
+/**
+ * Comprehensive secret detection patterns
+ */
+exports.SECRET_PATTERNS = [
+    // AWS Access Keys
+    {
+        type: 'AWS_ACCESS_KEY',
+        name: 'AWS Access Key ID',
+        pattern: /(AKIA[0-9A-Z]{16})/,
+        minEntropy: 3.5,
+        description: 'AWS Access Key ID (starts with AKIA)',
+        examples: ['AKIAIOSFODNN7EXAMPLE'],
+    },
+    // AWS Secret Keys
+    {
+        type: 'AWS_SECRET_KEY',
+        name: 'AWS Secret Access Key',
+        pattern: /aws[_\s]*secret[_\s]*access[_\s]*key[_\s]*[=:]\s*['"]?([A-Za-z0-9/+=]{40})['"]?/i,
+        minEntropy: 4.5,
+        description: 'AWS Secret Access Key (40 characters)',
+        examples: ['aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'],
+    },
+    // GitHub Personal Access Tokens
+    {
+        type: 'GITHUB_TOKEN',
+        name: 'GitHub Personal Access Token',
+        pattern: /(ghp_[a-zA-Z0-9]{36}|gho_[a-zA-Z0-9]{36}|ghu_[a-zA-Z0-9]{36}|ghs_[a-zA-Z0-9]{36}|ghr_[a-zA-Z0-9]{36})/,
+        description: 'GitHub Personal Access Token (ghp_, gho_, ghu_, ghs_, ghr_)',
+        examples: ['ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'],
+    },
+    // Google API Keys
+    {
+        type: 'GOOGLE_API_KEY',
+        name: 'Google API Key',
+        pattern: /(AIza[0-9A-Za-z\-_]{35})/,
+        description: 'Google API Key (starts with AIza)',
+        examples: ['AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe'],
+    },
+    // Stripe API Keys
+    {
+        type: 'STRIPE_KEY',
+        name: 'Stripe API Key',
+        pattern: /(sk_live_[0-9a-zA-Z]{24,}|pk_live_[0-9a-zA-Z]{24,}|rk_live_[0-9a-zA-Z]{24,})/,
+        description: 'Stripe Live API Key',
+        examples: ['sk_live_1234567890abcdefghijklmn'],
+    },
+    // JWT Tokens
+    {
+        type: 'JWT_TOKEN',
+        name: 'JWT Token',
+        pattern: /(eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]+)/,
+        minEntropy: 4.0,
+        description: 'JSON Web Token (JWT)',
+        examples: ['eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U'],
+    },
+    // Private Keys
+    {
+        type: 'PRIVATE_KEY',
+        name: 'Private Key',
+        pattern: /(-----BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----[\s\S]*?-----END (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----)/,
+        description: 'Private Key (RSA, EC, OpenSSH, DSA)',
+        examples: ['-----BEGIN PRIVATE KEY-----\\nMIIEvQIBADANBgk...\\n-----END PRIVATE KEY-----'],
+    },
+    // Database URLs with credentials
+    {
+        type: 'DATABASE_URL',
+        name: 'Database URL with Password',
+        pattern: /(postgres|mysql|mongodb|redis):\/\/[a-zA-Z0-9_-]+:([a-zA-Z0-9!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]+)@[a-zA-Z0-9.-]+:[0-9]+/,
+        minEntropy: 3.0,
+        description: 'Database connection string with embedded password',
+        examples: ['postgresql://user:password123@localhost:5432/dbname'],
+    },
+    // Slack Tokens
+    {
+        type: 'SLACK_TOKEN',
+        name: 'Slack Token',
+        pattern: /(xox[pboa]-[0-9]{10,13}-[0-9]{10,13}-[0-9]{10,13}-[a-z0-9]{32})/,
+        description: 'Slack Bot/User/App Token',
+        examples: ['xoxb-0000000000-0000000000-0000000000-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'],
+    },
+    // Generic API Keys (high entropy)
+    {
+        type: 'API_KEY_GENERIC',
+        name: 'Generic API Key',
+        pattern: /(?:api[_\s-]?key|apikey|access[_\s-]?token|auth[_\s-]?token|secret[_\s-]?key)[_\s]*[=:]\s*['"]?([a-zA-Z0-9_\-]{32,})['"]?/i,
+        minEntropy: 4.0,
+        description: 'Generic API key or access token (high entropy)',
+        examples: ['api_key = abcdef1234567890abcdef1234567890'],
+    },
+    // Generic Passwords
+    {
+        type: 'PASSWORD_GENERIC',
+        name: 'Generic Password',
+        pattern: /(?:password|passwd|pwd)[_\s]*[=:]\s*['"]([^'"]{8,})['"]|(?:password|passwd|pwd)[_\s]*[=:]\s*([^\s]{8,})/i,
+        minEntropy: 3.0,
+        description: 'Generic password in configuration',
+        examples: ['password = "MySecretP@ssw0rd"'],
+    },
+];
+/**
+ * Test/example value patterns (to exclude false positives)
+ */
+exports.TEST_PATTERNS = [
+    /test/i,
+    /example/i,
+    /sample/i,
+    /demo/i,
+    /fake/i,
+    /dummy/i,
+    /placeholder/i,
+    /\*{3,}/,
+    /x{3,}/i,
+    /0{5,}/,
+    /1{5,}/,
+    /abc{3,}/i,
+    /qwerty/i,
+    /password123/i,
+    /changeme/i,
+    /your[_-]?key/i,
+    /your[_-]?secret/i,
+];
+/**
+ * Common false positive values
+ */
+exports.FALSE_POSITIVE_VALUES = new Set([
+    'example',
+    'test',
+    'sample',
+    'demo',
+    'placeholder',
+    'your_key_here',
+    'your_secret_here',
+    'xxx',
+    'yyy',
+    'zzz',
+    '***',
+    '000000000000',
+    '111111111111',
+    'abcdefghijklmnopqrstuvwxyz',
+    'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
+    '1234567890',
+]);

package/dist/secrets/pre-commit.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Staged file info
+ */
+export interface StagedFile {
+    path: string;
+    content: string;
+}
+/**
+ * Pre-commit scan result
+ */
+export interface PreCommitScanResult {
+    passed: boolean;
+    detections: number;
+    files: string[];
+    message: string;
+}
+/**
+ * Pre-Commit Hook for Secrets Detection
+ */
+export declare class PreCommitHook {
+    /**
+     * Generate pre-commit hook script
+     */
+    generateHookScript(): string;
+    /**
+     * Scan staged files
+     */
+    scanStagedFiles(gitRoot: string): Promise<PreCommitScanResult>;
+    /**
+     * Get staged files from git
+     */
+    private getStagedFiles;
+    /**
+     * Install pre-commit hook
+     */
+    installHook(gitRoot: string): void;
+}
+export declare const preCommitHook: PreCommitHook;
+//# sourceMappingURL=pre-commit.d.ts.map

package/dist/secrets/pre-commit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pre-commit.d.ts","sourceRoot":"","sources":["../../src/secrets/pre-commit.ts"],"names":[],"mappings":"AAKA;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,OAAO,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,qBAAa,aAAa;IACxB;;OAEG;IACH,kBAAkB,IAAI,MAAM;IAoB5B;;OAEG;IACG,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC;IA+CpE;;OAEG;IACH,OAAO,CAAC,cAAc;IAqCtB;;OAEG;IACH,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI;CAWnC;AAGD,eAAO,MAAM,aAAa,eAAsB,CAAC"}