guardrail-security 1.0.2 → 2.0.0

package/dist/secrets/guardian.js

@@ -1,121 +1,262 @@
 "use strict";
+/* secrets-guardian.ts
+ * Enterprise-grade secrets scanning with:
+ * - Correct regex flag handling (keeps i/m/s and adds g)
+ * - Fix index=0 bug
+ * - Binary + size guards
+ * - Optional persistence via injected store (no prisma=null)
+ * - Fingerprints/value hashes for dedupe
+ * - Concurrency controls
+ */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.secretsGuardian = exports.SecretsGuardian = exports.SecretType = void 0;
-// Stub prisma for standalone use
-const prisma = null;
-// Local implementations of core utilities
-function calculateEntropy(str) {
-    const len = str.length;
-    const charCounts = {};
-    for (const char of str) {
-        charCounts[char] = (charCounts[char] || 0) + 1;
+exports.secretsGuardian = exports.SecretsGuardian = exports.PrismaSecretStore = exports.NoopSecretStore = void 0;
+const fs_1 = require("fs");
+const glob_1 = require("glob");
+const path_1 = require("path");
+const crypto_1 = require("crypto");
+const patterns_1 = require("./patterns");
+const config_loader_1 = require("./config-loader");
+const allowlist_1 = require("./allowlist");
+const contextual_risk_1 = require("./contextual-risk");
+const noopLogger = {
+    debug: () => undefined,
+    info: () => undefined,
+    warn: () => undefined,
+    error: () => undefined,
+};
+class NoopSecretStore {
+    async saveDetections() {
+        return;
     }
-    let entropy = 0;
-    for (const count of Object.values(charCounts)) {
-        const p = count / len;
-        entropy -= p * Math.log2(p);
+    async listDetections() {
+        return [];
     }
-    return entropy;
 }
-function maskSensitiveValue(value) {
-    if (value.length <= 8)
-        return '***';
-    return value.slice(0, 4) + '...' + value.slice(-4);
+exports.NoopSecretStore = NoopSecretStore;
+/**
+ * Minimal Prisma adapter (safe: stores hashes + masked only).
+ * NOTE: adjust model/table/columns to match your schema.
+ */
+class PrismaSecretStore {
+    prisma;
+    constructor(prisma) {
+        this.prisma = prisma;
+    }
+    async saveDetections(projectId, detections) {
+        if (!this.prisma)
+            return;
+        // Best effort: if table/model doesn't exist, caller should not crash.
+        try {
+            // Upsert-ish by fingerprint (recommended).
+            // If you don't have unique(fingerprint), switch to createMany w/ skipDuplicates.
+            for (const d of detections) {
+                // @ts-ignore
+                await this.prisma.secretDetection.upsert({
+                    where: { fingerprint: d.fingerprint },
+                    update: {
+                        confidence: d.confidence,
+                        entropy: d.entropy,
+                        isTest: d.isTest,
+                        risk: d.risk,
+                        maskedValue: d.maskedValue,
+                        valueHash: d.valueHash,
+                        location: d.location,
+                        recommendation: d.recommendation,
+                        secretType: d.secretType,
+                        filePath: d.filePath,
+                        projectId,
+                    },
+                    create: {
+                        fingerprint: d.fingerprint,
+                        projectId,
+                        filePath: d.filePath,
+                        secretType: d.secretType,
+                        risk: d.risk,
+                        maskedValue: d.maskedValue,
+                        valueHash: d.valueHash,
+                        location: d.location,
+                        confidence: d.confidence,
+                        entropy: d.entropy,
+                        isTest: d.isTest,
+                        isRevoked: d.isRevoked,
+                        recommendation: d.recommendation,
+                    },
+                });
+            }
+        }
+        catch {
+            // swallow (enterprise: you can log/telemetry this)
+        }
+    }
+    async listDetections(projectId) {
+        if (!this.prisma)
+            return [];
+        try {
+            // @ts-ignore
+            const rows = await this.prisma.secretDetection.findMany({
+                where: { projectId },
+                orderBy: { createdAt: 'desc' },
+            });
+            return rows.map((r) => ({
+                id: r.id,
+                projectId: r.projectId,
+                filePath: r.filePath,
+                secretType: r.secretType,
+                risk: (r.risk ?? 'medium'),
+                maskedValue: r.maskedValue,
+                valueHash: r.valueHash,
+                fingerprint: r.fingerprint,
+                location: r.location,
+                confidence: r.confidence,
+                entropy: r.entropy,
+                isTest: r.isTest,
+                isRevoked: r.isRevoked ?? false,
+                recommendation: r.recommendation,
+            }));
+        }
+        catch {
+            return [];
+        }
+    }
 }
-const patterns_1 = require("./patterns");
-const fs_1 = require("fs");
-const glob_1 = require("glob");
-const path_1 = require("path");
-// Define SecretType locally since it's not exported from database
-var SecretType;
-(function (SecretType) {
-    SecretType["API_KEY"] = "api_key";
-    SecretType["PASSWORD"] = "password";
-    SecretType["TOKEN"] = "token";
-    SecretType["CERTIFICATE"] = "certificate";
-    SecretType["PRIVATE_KEY"] = "private_key";
-    SecretType["DATABASE_URL"] = "database_url";
-    SecretType["JWT_SECRET"] = "jwt_secret";
-    SecretType["AWS_ACCESS_KEY"] = "aws_access_key";
-    SecretType["OTHER"] = "other";
-    SecretType["AWS_SECRET_KEY"] = "aws_secret_key";
-    SecretType["GITHUB_TOKEN"] = "github_token";
-    SecretType["GOOGLE_API_KEY"] = "google_api_key";
-    SecretType["STRIPE_KEY"] = "stripe_key";
-    SecretType["JWT_TOKEN"] = "jwt_token";
-    SecretType["SLACK_TOKEN"] = "slack_token";
-    SecretType["API_KEY_GENERIC"] = "api_key_generic";
-    SecretType["PASSWORD_GENERIC"] = "password_generic";
-})(SecretType || (exports.SecretType = SecretType = {}));
+exports.PrismaSecretStore = PrismaSecretStore;
 /**
  * Secrets & Credential Guardian
- *
- * Detects exposed secrets and credentials in code
  */
 class SecretsGuardian {
+    store;
+    logger;
+    compiledPatterns;
+    customPatternsCount = 0;
+    constructor(opts) {
+        this.store = opts?.store ?? new NoopSecretStore();
+        this.logger = opts?.logger ?? noopLogger;
+        this.compiledPatterns = patterns_1.SECRET_PATTERNS.map((p) => ({
+            meta: p,
+            regex: toGlobalRegex(p.pattern),
+        }));
+    }
+    /**
+     * Load custom patterns from project config
+     */
+    loadCustomPatterns(projectPath) {
+        try {
+            const customPatterns = (0, config_loader_1.loadCustomPatterns)(projectPath);
+            if (customPatterns.length > 0) {
+                const compiled = customPatterns.map((p) => ({
+                    meta: p,
+                    regex: toGlobalRegex(p.pattern),
+                }));
+                this.compiledPatterns = [...this.compiledPatterns, ...compiled];
+                this.customPatternsCount = customPatterns.length;
+                this.logger.info(`Loaded ${customPatterns.length} custom patterns`);
+            }
+        }
+        catch (err) {
+            if (err instanceof config_loader_1.ConfigValidationError) {
+                this.logger.error('Custom patterns validation failed', {
+                    message: err.message,
+                    details: err.details,
+                });
+                throw err;
+            }
+            this.logger.warn('Failed to load custom patterns', { error: String(err) });
+        }
+    }
     /**
      * Scan content for secrets
      */
-    async scanContent(content, filePath, options = {}) {
+    async scanContent(content, filePath, projectId, options = {}, allowlist) {
         const detections = [];
         const lines = content.split('\n');
-        for (const pattern of patterns_1.SECRET_PATTERNS) {
-            const matches = [...content.matchAll(new RegExp(pattern.pattern, 'g'))];
-            for (const match of matches) {
-                if (!match.index)
+        const lineStarts = computeLineStarts(content);
+        const isTestPath = pathLooksLikeTest(filePath);
+        // Track seen values at each line to prevent duplicates from multiple patterns
+        const seenAtLine = new Set();
+        for (const { meta, regex } of this.compiledPatterns) {
+            for (const match of content.matchAll(regex)) {
+                if (match.index === undefined)
+                    continue; // FIX: don't drop index 0
+                const rawCandidate = extractCandidate(match, meta);
+                const value = normalizeCandidate(rawCandidate);
+                if (!value)
                     continue;
-                // Extract the secret value (first capturing group)
-                const value = match[1] || match[0];
-                // Calculate entropy
-                const entropy = this.calculateEntropy(value);
-                // Check minimum entropy requirement
-                if (pattern.minEntropy && entropy < pattern.minEntropy) {
+                // Position
+                const pos = positionFromIndex(lineStarts, match.index);
+                const snippet = (lines[pos.line - 1] ?? '').trim();
+                // Context exclusions (schema/validator/etc)
+                if (isExcludedByContext(snippet))
                     continue;
-                }
-                // Find line number and column
-                const beforeMatch = content.substring(0, match.index);
-                const lineNumber = beforeMatch.split('\n').length;
-                const lineStart = beforeMatch.lastIndexOf('\n') + 1;
-                const column = match.index - lineStart + 1;
-                // Get context
-                const snippet = lines[lineNumber - 1] || '';
-                // Check if it's a test value
-                const isTest = this.isTestValue(value, snippet);
-                // Check for false positives
-                const isFalsePositive = this.isFalsePositive(value, pattern.type, snippet);
-                if (isFalsePositive) {
+                // Test/example classification
+                const isTest = isTestPath || isTestValue(value, snippet);
+                // Known false positives
+                if (isFalsePositiveValue(value))
                     continue;
-                }
-                // Calculate confidence
-                const confidence = this.calculateConfidence(value, pattern, entropy, isTest);
-                // Skip if below minimum confidence
-                if (options.minConfidence && confidence < options.minConfidence) {
+                // Skip documented examples
+                if (isExamplePattern(value, filePath))
                     continue;
-                }
-                // Skip if excluding tests
-                if (options.excludeTests && isTest) {
+                // Entropy
+                const entropy = calculateEntropy(value);
+                if (meta.minEntropy && entropy < meta.minEntropy)
+                    continue;
+                // Confidence
+                const confidence = calculateConfidence({
+                    value,
+                    meta,
+                    entropy,
+                    isTest,
+                    snippet,
+                });
+                if (options.minConfidence !== undefined && confidence < options.minConfidence)
+                    continue;
+                if (options.excludeTests && isTest)
+                    continue;
+                const maskedValue = meta.redact ? meta.redact(value, match) : maskSensitiveValue(value);
+                const valueHash = sha256(value);
+                // Dedupe: skip if same value already detected on same line
+                const lineKey = `${pos.line}:${valueHash}`;
+                if (seenAtLine.has(lineKey))
+                    continue;
+                seenAtLine.add(lineKey);
+                const fingerprint = sha256([
+                    projectId,
+                    filePath,
+                    meta.type,
+                    valueHash,
+                    String(pos.line),
+                    String(pos.column),
+                ].join('|'));
+                // Check allowlist
+                if (allowlist && allowlist.isAllowlisted(fingerprint)) {
                     continue;
                 }
-                // Mask the value
-                const maskedValue = this.maskValue(value);
-                // Generate recommendation
-                const recommendation = this.generateRecommendation(pattern.type, isTest);
-                // Create detection object
+                // Adjust risk by context if enabled
+                let adjustedRisk = meta.risk;
+                if (options.useContextualRisk !== false) {
+                    adjustedRisk = (0, contextual_risk_1.adjustRiskByContext)({
+                        filePath,
+                        entropy,
+                        originalRisk: meta.risk,
+                    });
+                }
                 const detection = {
-                    id: undefined, // Will be set when saved to database
+                    projectId,
                     filePath,
-                    secretType: pattern.type,
+                    secretType: meta.type,
+                    risk: adjustedRisk,
                     maskedValue,
+                    valueHash,
+                    fingerprint,
                     location: {
-                        line: lineNumber,
-                        column,
-                        snippet: snippet.trim(),
+                        line: pos.line,
+                        column: pos.column,
+                        snippet,
                     },
                     confidence,
                     entropy,
                     isTest,
                     isRevoked: false,
-                    recommendation,
+                    recommendation: generateRecommendation(meta.type, adjustedRisk, isTest),
                 };
                 detections.push(detection);
             }
@@ -123,231 +264,363 @@ class SecretsGuardian {
         return detections;
     }
     /**
-     * Scan entire project
+     * Scan an entire project directory
      */
     async scanProject(projectPath, projectId, options = {}) {
+        // Load custom patterns if enabled
+        if (options.useCustomPatterns !== false) {
+            this.loadCustomPatterns(projectPath);
+        }
+        // Load allowlist if enabled
+        let allowlist;
+        if (options.useAllowlist !== false) {
+            allowlist = new allowlist_1.Allowlist(projectPath);
+        }
         const excludePatterns = [
             '**/node_modules/**',
+            '**/.git/**',
             '**/dist/**',
             '**/build/**',
-            '**/.git/**',
             '**/coverage/**',
+            '**/.next/**',
             '**/*.min.js',
-            ...(options.excludePatterns || []),
+            '**/*.map',
+            ...(options.excludePatterns ?? []),
         ];
-        // Find all files to scan
         const files = await (0, glob_1.glob)('**/*', {
             cwd: projectPath,
             ignore: excludePatterns,
             nodir: true,
+            dot: true,
+            follow: false,
         });
+        const maxFileSizeBytes = options.maxFileSizeBytes ?? 2 * 1024 * 1024; // 2MB default
+        const concurrency = Math.max(1, Math.min(64, options.concurrency ?? 8));
+        const skipBinaryFiles = options.skipBinaryFiles ?? true;
         const allDetections = [];
         let scannedFiles = 0;
-        for (const file of files) {
+        let skippedLarge = 0;
+        let skippedBinary = 0;
+        const initialDetectionCount = 0;
+        await runWithConcurrency(files, concurrency, async (file) => {
+            const fullPath = (0, path_1.join)(projectPath, file);
             try {
-                const fullPath = (0, path_1.join)(projectPath, file);
-                const content = (0, fs_1.readFileSync)(fullPath, 'utf-8');
-                const detections = await this.scanContent(content, file, options);
-                // Save to database
-                for (const detection of detections) {
-                    try {
-                        // @ts-ignore - secretDetection may not exist in schema yet
-                        await prisma.secretDetection.create({
-                            data: {
-                                projectId: 'default',
-                                filePath: detection.filePath
-                            }
-                        });
-                    }
-                    catch (error) {
-                        // Table may not exist - continue
-                    }
+                const st = (0, fs_1.statSync)(fullPath);
+                if (!st.isFile())
+                    return;
+                if (st.size > maxFileSizeBytes) {
+                    this.logger.debug('Skipping large file', { file, size: st.size });
+                    skippedLarge++;
+                    return;
+                }
+                const buf = (0, fs_1.readFileSync)(fullPath);
+                if (skipBinaryFiles && looksBinary(buf)) {
+                    this.logger.debug('Skipping binary file', { file });
+                    skippedBinary++;
+                    return;
                 }
-                allDetections.push(...detections);
+                const content = buf.toString('utf-8');
+                const detections = await this.scanContent(content, file, projectId, options, allowlist);
+                if (detections.length)
+                    allDetections.push(...detections);
                 scannedFiles++;
             }
-            catch (error) {
-                // Skip files that can't be read
-                continue;
+            catch (err) {
+                this.logger.debug('Skipping unreadable file', { file, err: String(err) });
             }
-        }
-        // Generate summary
+        });
+        // Persist (best effort)
+        await this.store.saveDetections(projectId, allDetections);
+        // Summary
         const byType = {};
         const byRisk = { high: 0, medium: 0, low: 0 };
-        for (const detection of allDetections) {
-            byType[detection.secretType] = (byType[detection.secretType] || 0) + 1;
-            if (detection.confidence >= 0.8) {
-                byRisk.high++;
-            }
-            else if (detection.confidence >= 0.5) {
-                byRisk.medium++;
-            }
-            else {
-                byRisk.low++;
-            }
+        for (const d of allDetections) {
+            byType[d.secretType] = (byType[d.secretType] ?? 0) + 1;
+            byRisk[d.risk]++;
         }
+        const allowlistSuppressed = allowlist ? (initialDetectionCount - allDetections.length) : 0;
         return {
             projectId,
             totalFiles: files.length,
             scannedFiles,
+            skippedFiles: skippedLarge + skippedBinary,
             detections: allDetections,
             summary: {
                 totalSecrets: allDetections.length,
                 byType,
                 byRisk,
             },
+            performance: {
+                skippedLarge,
+                skippedBinary,
+                allowlistSuppressed,
+                customPatternsLoaded: this.customPatternsCount,
+            },
         };
     }
     /**
-     * Calculate entropy for randomness detection
+     * Retrieve detections from store
      */
-    calculateEntropy(str) {
-        return calculateEntropy(str);
+    async getProjectReport(projectId) {
+        return this.store.listDetections(projectId);
     }
-    /**
-     * Check if likely test/example value
-     */
-    isTestValue(value, context) {
-        const lowerValue = value.toLowerCase();
-        const lowerContext = context.toLowerCase();
-        // Check value itself
-        for (const pattern of patterns_1.TEST_PATTERNS) {
-            if (pattern.test(lowerValue)) {
-                return true;
-            }
-        }
-        // Check context
-        if (lowerContext.includes('test') ||
-            lowerContext.includes('example') ||
-            lowerContext.includes('demo') ||
-            lowerContext.includes('fixture') ||
-            lowerContext.includes('mock')) {
-            return true;
-        }
+}
+exports.SecretsGuardian = SecretsGuardian;
+/** Singleton (uses Noop store unless you wire it) */
+exports.secretsGuardian = new SecretsGuardian();
+/* ------------------------------ helpers ------------------------------ */
+function toGlobalRegex(re) {
+    // Preserve existing flags (i/m/s/u/y) and add g if missing.
+    const flags = re.flags.includes('g') ? re.flags : re.flags + 'g';
+    return new RegExp(re.source, flags);
+}
+function extractCandidate(match, meta) {
+    const group = meta.valueGroup !== undefined
+        ? meta.valueGroup
+        : match.length > 1
+            ? 1
+            : 0;
+    const v = match[group] ?? match[0] ?? '';
+    return String(v);
+}
+function normalizeCandidate(v) {
+    return v
+        .trim()
+        .replace(/^['"`]/, '')
+        .replace(/['"`]$/, '')
+        .replace(/[;,)\]]+$/, '')
+        .trim();
+}
+function sha256(input) {
+    return (0, crypto_1.createHash)('sha256').update(input, 'utf8').digest('hex');
+}
+function calculateEntropy(str) {
+    const len = str.length;
+    if (len === 0)
+        return 0;
+    const counts = {};
+    for (const ch of str)
+        counts[ch] = (counts[ch] ?? 0) + 1;
+    let entropy = 0;
+    for (const n of Object.values(counts)) {
+        const p = n / len;
+        entropy -= p * Math.log2(p);
+    }
+    return entropy;
+}
+function maskSensitiveValue(value) {
+    const v = value.trim();
+    if (v.length <= 12)
+        return '***';
+    return `${v.slice(0, 4)}...${v.slice(-4)}`;
+}
+function computeLineStarts(content) {
+    const starts = [0];
+    for (let i = 0; i < content.length; i++) {
+        if (content.charCodeAt(i) === 10 /* \n */)
+            starts.push(i + 1);
+    }
+    return starts;
+}
+function positionFromIndex(lineStarts, index) {
+    // Binary search for rightmost line start <= index
+    let lo = 0;
+    let hi = lineStarts.length - 1;
+    while (lo <= hi) {
+        const mid = (lo + hi) >> 1;
+        if ((lineStarts[mid] ?? 0) <= index)
+            lo = mid + 1;
+        else
+            hi = mid - 1;
+    }
+    const line = Math.max(1, hi + 1);
+    const column = index - (lineStarts[hi] ?? 0) + 1;
+    return { line, column };
+}
+function looksBinary(buf) {
+    // quick heuristic: null byte presence or high non-text ratio
+    const len = Math.min(buf.length, 8000);
+    if (len === 0)
         return false;
+    let suspicious = 0;
+    for (let i = 0; i < len; i++) {
+        const b = buf[i] ?? 0;
+        if (b === 0)
+            return true; // null byte
+        // allow common whitespace + UTF-8 bytes; count control chars
+        if (b < 9 || (b > 13 && b < 32))
+            suspicious++;
     }
-    /**
-     * Check for false positives
-     */
-    isFalsePositive(value, type, _context) {
-        const lowerValue = value.toLowerCase();
-        // Check against known false positives
-        if (patterns_1.FALSE_POSITIVE_VALUES.has(lowerValue)) {
+    return suspicious / len > 0.15;
+}
+function pathLooksLikeTest(filePath) {
+    const p = filePath.toLowerCase();
+    return (p.includes('/__tests__/') ||
+        p.includes('\\__tests__\\') ||
+        p.includes('/__mocks__/') ||
+        p.includes('\\__mocks__\\') ||
+        p.includes('/test/') ||
+        p.includes('\\test\\') ||
+        p.endsWith('.spec.ts') ||
+        p.endsWith('.spec.tsx') ||
+        p.endsWith('.test.ts') ||
+        p.endsWith('.test.tsx'));
+}
+function isTestValue(value, contextLine) {
+    const v = value.toLowerCase();
+    const c = contextLine.toLowerCase();
+    for (const re of patterns_1.TEST_PATTERNS) {
+        if (re.test(v) || re.test(c))
             return true;
-        }
-        // Check for placeholder patterns
-        if (/^(x+|0+|1+|a+)$/i.test(value)) {
+    }
+    // Super-common placeholders
+    if (/(^x{6,}$|^0{6,}$|^1{6,}$|^a{6,}$)/i.test(value))
+        return true;
+    if (/(.)\1{10,}/.test(value))
+        return true;
+    return false;
+}
+function isExcludedByContext(contextLine) {
+    const c = contextLine.toLowerCase();
+    return patterns_1.CONTEXT_EXCLUSION_PATTERNS.some((re) => re.test(c));
+}
+function isExamplePattern(value, filePath) {
+    const lower = value.toLowerCase();
+    const pathLower = filePath.toLowerCase();
+    // Skip patterns.ts examples (documented examples)
+    if (pathLower.includes('patterns.ts') || pathLower.includes('patterns.js')) {
+        return true;
+    }
+    // Common example values
+    const exampleValues = [
+        'akiaiosfodnn7example',
+        'asiaiosfodnn7example',
+        'wjalrxutnfemi/k7mdeng/bpxrficyexamplekey',
+        'aizasydagmwka4jsxz-hjgw7isln_3nambgewqe',
+        'sk_live_1234567890abcdefghijklmn',
+        'xoxb-0000000000-0000000000-0000000000',
+        'ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
+    ];
+    for (const ex of exampleValues) {
+        if (lower.includes(ex) || ex.includes(lower))
             return true;
-        }
-        // Check for repeated characters (likely placeholder)
-        if (/(.)\1{10,}/.test(value)) {
+    }
+    // "EXAMPLE" in the value
+    if (lower.includes('example'))
+        return true;
+    return false;
+}
+function isFalsePositiveValue(value) {
+    const lower = value.toLowerCase();
+    if (patterns_1.FALSE_POSITIVE_VALUES.has(lower))
+        return true;
+    // obvious placeholders
+    if (/^(x+|0+|1+|a+)$/i.test(value))
+        return true;
+    if (/(.)\1{10,}/.test(value))
+        return true;
+    // extremely low variety in a long string
+    if (value.length >= 24) {
+        const unique = new Set(value).size;
+        if (unique <= 3)
             return true;
-        }
-        // JWT-specific false positive checks
-        if (type === SecretType.JWT_TOKEN) {
-            // Very simple/short payload might be example
+    }
+    return false;
+}
+function decodeBase64Url(segment) {
+    // base64url -> base64
+    const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
+    const pad = b64.length % 4 === 0 ? '' : '='.repeat(4 - (b64.length % 4));
+    return Buffer.from(b64 + pad, 'base64').toString('utf8');
+}
+function calculateConfidence(args) {
+    const { value, meta, entropy, isTest } = args;
+    // Base by risk: conservative defaults
+    let confidence = meta.risk === 'high' ? 0.8 : meta.risk === 'medium' ? 0.7 : 0.6;
+    // Entropy boosts (generic)
+    if (entropy >= 4.8)
+        confidence += 0.15;
+    else if (entropy >= 4.2)
+        confidence += 0.1;
+    else if (entropy >= 3.6)
+        confidence += 0.05;
+    // Pattern-specific sanity checks
+    if (meta.type === patterns_1.SecretType.AWS_ACCESS_KEY && /^(AKIA|ASIA)/.test(value))
+        confidence += 0.1;
+    if (meta.type === patterns_1.SecretType.GITHUB_TOKEN && /^(ghp|gho|ghu|ghs|ghr)_/.test(value))
+        confidence += 0.1;
+    // JWT: validate structure to reduce false positives
+    if (meta.type === patterns_1.SecretType.JWT_TOKEN) {
+        const parts = value.split('.');
+        if (parts.length !== 3)
+            confidence -= 0.25;
+        else {
             try {
-                const parts = value.split('.');
-                if (parts.length === 3 && parts[1]) {
-                    const payload = Buffer.from(parts[1], 'base64').toString();
-                    if (payload.length < 20) {
-                        return true;
-                    }
-                }
+                const payload = decodeBase64Url(parts[1] ?? '');
+                // If it doesn't look like JSON, down-weight
+                if (!payload.includes('{') || payload.length < 20)
+                    confidence -= 0.2;
             }
             catch {
-                // Invalid JWT, might be false positive
-                return true;
+                confidence -= 0.3;
             }
         }
-        return false;
     }
-    /**
-     * Calculate confidence score
-     */
-    calculateConfidence(value, pattern, entropy, isTest) {
-        let confidence = 0.7; // Base confidence
-        // Increase confidence for high entropy
-        if (entropy > 4.5) {
-            confidence += 0.2;
-        }
-        else if (entropy > 4.0) {
-            confidence += 0.1;
-        }
-        // Decrease confidence for test values
-        if (isTest) {
-            confidence -= 0.3;
-        }
-        // Pattern-specific adjustments
-        if (pattern.type === SecretType.AWS_ACCESS_KEY && value.startsWith('AKIA')) {
-            confidence += 0.1;
-        }
-        if (pattern.type === SecretType.GITHUB_TOKEN && /^gh[pos]_/.test(value)) {
-            confidence += 0.1;
-        }
-        return Math.max(0, Math.min(1, confidence));
+    // Down-weight test/example
+    if (isTest)
+        confidence -= 0.3;
+    return clamp01(confidence);
+}
+function clamp01(n) {
+    return Math.max(0, Math.min(1, n));
+}
+function generateRecommendation(type, risk, isTest) {
+    if (isTest) {
+        return {
+            action: 'remove',
+            reason: 'Test/example credential detected in codebase',
+            remediation: 'Remove the credential from the repo. Use environment variables for local dev, and use mocks/fixtures that do not contain real secrets.',
+        };
     }
-    /**
-     * Mask secret for safe logging
-     */
-    maskValue(value) {
-        return maskSensitiveValue(value);
+    // Always rotate on these types
+    const rotateTypes = new Set([
+        patterns_1.SecretType.PRIVATE_KEY,
+        patterns_1.SecretType.AWS_SECRET_KEY,
+        patterns_1.SecretType.GITHUB_TOKEN,
+        patterns_1.SecretType.STRIPE_KEY,
+        patterns_1.SecretType.DATABASE_URL,
+    ]);
+    if (rotateTypes.has(type) || risk === 'high') {
+        return {
+            action: 'revoke_and_rotate',
+            reason: 'High-risk credential exposure',
+            remediation: 'Immediately revoke/rotate the credential. Audit usage, invalidate sessions if applicable, and re-issue via a secrets manager (AWS Secrets Manager / GCP Secret Manager / HashiCorp Vault).',
+        };
     }
-    /**
-     * Generate recommendation
-     */
-    generateRecommendation(type, isTest) {
-        if (isTest) {
-            return {
-                action: 'remove',
-                reason: 'Test credential detected in code',
-                remediation: 'Remove test credentials and use mocking instead',
-            };
-        }
-        // High-risk secrets require rotation
-        const highRiskTypes = [
-            'AWS_SECRET_KEY',
-            'GITHUB_TOKEN',
-            'STRIPE_KEY',
-            'PRIVATE_KEY',
-        ];
-        if (highRiskTypes.includes(type)) {
-            return {
-                action: 'revoke_and_rotate',
-                reason: 'High-risk credential exposed in code',
-                remediation: 'Immediately revoke this credential and rotate to a new one. Store in secure vault or environment variables.',
-            };
-        }
-        // Medium-risk can use env vars
+    if (risk === 'medium') {
         return {
             action: 'move_to_env',
             reason: 'Credential should not be hardcoded',
-            remediation: 'Move to environment variables or secure vault (e.g., AWS Secrets Manager, HashiCorp Vault)',
+            remediation: 'Move the value to environment variables (or a secrets manager) and reference it at runtime. Ensure CI/CD injects it securely.',
         };
     }
-    /**
-     * Get project secrets report
-     */
-    async getProjectReport(projectId) {
-        // @ts-ignore - secretDetection may not exist in schema yet
-        const detections = await prisma.secretDetection.findMany({
-            where: { projectId },
-            orderBy: { createdAt: 'desc' },
-        });
-        return detections.map((s) => ({
-            id: s.id,
-            filePath: s.filePath,
-            secretType: s.secretType,
-            maskedValue: s.maskedValue,
-            location: s.location,
-            confidence: s.confidence,
-            entropy: s.entropy,
-            isTest: s.isTest,
-            isRevoked: s.isRevoked,
-            recommendation: s.recommendation,
-        }));
-    }
+    return {
+        action: 'use_vault',
+        reason: 'Sensitive value detected',
+        remediation: 'Store in a secrets manager and load via runtime injection. Consider tightening repo protections and adding pre-commit scanning.',
+    };
+}
+async function runWithConcurrency(items, concurrency, worker) {
+    let i = 0;
+    const runners = Array.from({ length: Math.min(concurrency, items.length) }, async () => {
+        while (true) {
+            const idx = i++;
+            if (idx >= items.length)
+                return;
+            const item = items[idx];
+            if (item !== undefined)
+                await worker(item);
+        }
+    });
+    await Promise.all(runners);
 }
-exports.SecretsGuardian = SecretsGuardian;
-// Export singleton
-exports.secretsGuardian = new SecretsGuardian();