npm - memorylink - Versions diffs - 2.1.0 → 2.2.0 - Mend

memorylink 2.1.0 → 2.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (68) hide show

package/CHANGELOG.md +10 -2
package/README.md +66 -52
package/dist/cli/commands/delete.d.ts +7 -0
package/dist/cli/commands/delete.d.ts.map +1 -0
package/dist/cli/commands/delete.js +106 -0
package/dist/cli/commands/delete.js.map +1 -0
package/dist/cli/commands/gate.d.ts +1 -1
package/dist/cli/commands/gate.d.ts.map +1 -1
package/dist/cli/commands/gate.js +14 -0
package/dist/cli/commands/gate.js.map +1 -1
package/dist/cli/commands/init.d.ts.map +1 -1
package/dist/cli/commands/init.js +17 -75
package/dist/cli/commands/init.js.map +1 -1
package/dist/cli/commands/list.d.ts +7 -0
package/dist/cli/commands/list.d.ts.map +1 -0
package/dist/cli/commands/list.js +129 -0
package/dist/cli/commands/list.js.map +1 -0
package/dist/cli/commands/remember.d.ts +3 -0
package/dist/cli/commands/remember.d.ts.map +1 -0
package/dist/cli/commands/remember.js +61 -0
package/dist/cli/commands/remember.js.map +1 -0
package/dist/cli/commands/retrieve.d.ts +3 -0
package/dist/cli/commands/retrieve.d.ts.map +1 -0
package/dist/cli/commands/retrieve.js +32 -0
package/dist/cli/commands/retrieve.js.map +1 -0
package/dist/cli/commands/scaffold.d.ts +6 -0
package/dist/cli/commands/scaffold.d.ts.map +1 -0
package/dist/cli/commands/scaffold.js +132 -0
package/dist/cli/commands/scaffold.js.map +1 -0
package/dist/cli/index.js +10 -0
package/dist/cli/index.js.map +1 -1
package/dist/core/memory/gates.d.ts +17 -0
package/dist/core/memory/gates.d.ts.map +1 -0
package/dist/core/memory/gates.js +75 -0
package/dist/core/memory/gates.js.map +1 -0
package/dist/core/memory/git.d.ts +9 -0
package/dist/core/memory/git.d.ts.map +1 -0
package/dist/core/memory/git.js +57 -0
package/dist/core/memory/git.js.map +1 -0
package/dist/core/memory/storage.d.ts +11 -0
package/dist/core/memory/storage.d.ts.map +1 -0
package/dist/core/memory/storage.js +63 -0
package/dist/core/memory/storage.js.map +1 -0
package/dist/core/memory/structure.d.ts +10 -0
package/dist/core/memory/structure.d.ts.map +1 -0
package/dist/core/memory/structure.js +51 -0
package/dist/core/memory/structure.js.map +1 -0
package/dist/core/types.d.ts +13 -1
package/dist/core/types.d.ts.map +1 -1
package/dist/gate/rules/valid-syntax.d.ts +16 -0
package/dist/gate/rules/valid-syntax.d.ts.map +1 -0
package/dist/gate/rules/valid-syntax.js +76 -0
package/dist/gate/rules/valid-syntax.js.map +1 -0
package/dist/quarantine/patterns.js +2 -2
package/dist/quarantine/patterns.js.map +1 -1
package/dist/tools/pointer-generator.d.ts.map +1 -1
package/dist/tools/pointer-generator.js +2 -2
package/dist/tools/pointer-generator.js.map +1 -1
package/docs/USER_GUIDE.md +181 -0
package/package.json +3 -3
package/docs/COMPARISONS.md +0 -229
package/docs/FAQ.md +0 -230
package/docs/GETTING_STARTED.md +0 -185
package/docs/PATTERNS.md +0 -206
package/docs/QUICK_REFERENCE.md +0 -209
package/docs/REMEDIATION.md +0 -332
package/docs/THREAT_MODEL.md +0 -279
package/docs/TROUBLESHOOTING.md +0 -280

package/docs/REMEDIATION.md DELETED Viewed

@@ -1,332 +0,0 @@
-# 🔄 Secret Remediation Guide
-**Version:** 2.0.2
-**Last Updated:** January 2, 2026
-When MemoryLink detects a secret, you should **rotate it immediately**. This guide provides direct links to rotate secrets for common providers.
----
-## ⚠️ Important: Always Assume Compromise
-If a secret was detected, assume it may have been exposed:
-1. **Rotate immediately** - Don't wait
-2. **Check access logs** - Look for unauthorized use
-3. **Update all locations** - Environment variables, CI secrets, etc.
-4. **Review Git history** - Use `ml gate --history`
----
-## ☁️ Cloud Providers
-### AWS
-| Secret Type | Rotation Link |
-|-------------|---------------|
-| **Access Key ID / Secret** | [AWS IAM Console → Users → Security Credentials](https://console.aws.amazon.com/iam/home#/users) |
-| **Session Token** | Expires automatically, rotate base credentials |
-**Steps:**
-1. Go to IAM → Users → Select user
-2. Security credentials tab
-3. Create new access key
-4. Delete old access key
-5. Update all applications
-### Google Cloud (GCP)
-| Secret Type | Rotation Link |
-|-------------|---------------|
-| **Service Account Key** | [GCP Console → IAM → Service Accounts](https://console.cloud.google.com/iam-admin/serviceaccounts) |
-| **API Key** | [GCP Console → APIs → Credentials](https://console.cloud.google.com/apis/credentials) |
-| **OAuth Client Secret** | [GCP Console → APIs → Credentials](https://console.cloud.google.com/apis/credentials) |
-### Microsoft Azure
-| Secret Type | Rotation Link |
-|-------------|---------------|
-| **Client Secret** | [Azure Portal → App Registrations](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps) |
-| **Storage Account Key** | [Azure Portal → Storage Accounts](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Storage%2FStorageAccounts) |
-| **Connection String** | Regenerate from respective service |
-### DigitalOcean
-| Secret Type | Rotation Link |
-|-------------|---------------|
-| **Personal Access Token** | [DigitalOcean → API → Tokens](https://cloud.digitalocean.com/account/api/tokens) |
-| **Spaces Access Key** | [DigitalOcean → API → Spaces Keys](https://cloud.digitalocean.com/account/api/tokens) |
----
-## 🤖 AI/ML Services
-### OpenAI
-| Secret Type | Rotation Link |
-|-------------|---------------|
-| **API Key** | [OpenAI Platform → API Keys](https://platform.openai.com/api-keys) |
-**Steps:**
-1. Go to API Keys page
-2. Click "Create new secret key"
-3. Delete the old key
-4. Update your applications
-### Anthropic (Claude)
-| Secret Type | Rotation Link |
-|-------------|---------------|
-| **API Key** | [Anthropic Console → API Keys](https://console.anthropic.com/settings/keys) |
-### Hugging Face
-| Secret Type | Rotation Link |
-|-------------|---------------|
-| **Access Token** | [Hugging Face → Settings → Access Tokens](https://huggingface.co/settings/tokens) |
-### Cohere
-| Secret Type | Rotation Link |
-|-------------|---------------|
-| **API Key** | [Cohere Dashboard → API Keys](https://dashboard.cohere.ai/api-keys) |
----
-## 💳 Payment Providers
-### Stripe
-| Secret Type | Rotation Link |
-|-------------|---------------|
-| **Secret Key** | [Stripe Dashboard → Developers → API Keys](https://dashboard.stripe.com/apikeys) |
-| **Webhook Secret** | [Stripe Dashboard → Developers → Webhooks](https://dashboard.stripe.com/webhooks) |
-**Note:** Stripe keys start with `sk_live_` (production) or `sk_test_` (test). Rotate production keys immediately!
-### PayPal
-| Secret Type | Rotation Link |
-|-------------|---------------|
-| **Client ID / Secret** | [PayPal Developer → My Apps](https://developer.paypal.com/developer/applications/) |
-### Razorpay 🇮🇳
-| Secret Type | Rotation Link |
-|-------------|---------------|
-| **Key ID / Secret** | [Razorpay Dashboard → Settings → API Keys](https://dashboard.razorpay.com/app/keys) |
-### Square
-| Secret Type | Rotation Link |
-|-------------|---------------|
-| **Access Token** | [Square Developer Dashboard](https://developer.squareup.com/apps) |
----
-## 🔐 Authentication Providers
-### GitHub
-| Secret Type | Rotation Link |
-|-------------|---------------|
-| **Personal Access Token** | [GitHub → Settings → Developer Settings → PAT](https://github.com/settings/tokens) |
-| **OAuth App Secret** | [GitHub → Settings → Developer Settings → OAuth Apps](https://github.com/settings/developers) |
-| **App Private Key** | [GitHub → Settings → Developer Settings → GitHub Apps](https://github.com/settings/apps) |
-### GitLab
-| Secret Type | Rotation Link |
-|-------------|---------------|
-| **Personal Access Token** | [GitLab → Preferences → Access Tokens](https://gitlab.com/-/profile/personal_access_tokens) |
-### Slack
-| Secret Type | Rotation Link |
-|-------------|---------------|
-| **Bot Token** | [Slack API → Your Apps](https://api.slack.com/apps) |
-| **Webhook URL** | [Slack API → Your Apps → Incoming Webhooks](https://api.slack.com/apps) |
-### Discord
-| Secret Type | Rotation Link |
-|-------------|---------------|
-| **Bot Token** | [Discord Developer Portal](https://discord.com/developers/applications) |
-| **Webhook URL** | Create new webhook in channel settings |
-### Auth0
-| Secret Type | Rotation Link |
-|-------------|---------------|
-| **Client Secret** | [Auth0 Dashboard → Applications](https://manage.auth0.com/) |
-| **Management API Token** | [Auth0 Dashboard → APIs](https://manage.auth0.com/) |
----
-## 🗄️ Database Services
-### MongoDB Atlas
-| Secret Type | Rotation Link |
-|-------------|---------------|
-| **Connection String** | [MongoDB Atlas → Database Access](https://cloud.mongodb.com/) |
-**Steps:**
-1. Go to Database Access
-2. Edit user, set new password
-3. Update connection strings
-### Supabase
-| Secret Type | Rotation Link |
-|-------------|---------------|
-| **Service Role Key** | [Supabase Dashboard → Settings → API](https://app.supabase.com/) |
-| **Anon Key** | Public key, but rotate if needed |
-### Firebase
-| Secret Type | Rotation Link |
-|-------------|---------------|
-| **Service Account Key** | [Firebase Console → Project Settings → Service Accounts](https://console.firebase.google.com/) |
-### Redis Labs
-| Secret Type | Rotation Link |
-|-------------|---------------|
-| **Database Password** | [Redis Labs Console → Database → Configuration](https://app.redislabs.com/) |
----
-## 📧 Email/SMS Services
-### SendGrid
-| Secret Type | Rotation Link |
-|-------------|---------------|
-| **API Key** | [SendGrid → Settings → API Keys](https://app.sendgrid.com/settings/api_keys) |
-### Mailgun
-| Secret Type | Rotation Link |
-|-------------|---------------|
-| **API Key** | [Mailgun → API Security](https://app.mailgun.com/app/account/security/api_keys) |
-### Twilio
-| Secret Type | Rotation Link |
-|-------------|---------------|
-| **Auth Token** | [Twilio Console → Account Info](https://console.twilio.com/) |
-| **API Key** | [Twilio Console → API Keys](https://console.twilio.com/) |
----
-## 🌐 Deployment Platforms
-### Vercel
-| Secret Type | Rotation Link |
-|-------------|---------------|
-| **Token** | [Vercel → Settings → Tokens](https://vercel.com/account/tokens) |
-### Netlify
-| Secret Type | Rotation Link |
-|-------------|---------------|
-| **Personal Access Token** | [Netlify → User Settings → Applications](https://app.netlify.com/user/applications) |
-### Heroku
-| Secret Type | Rotation Link |
-|-------------|---------------|
-| **API Key** | [Heroku → Account Settings](https://dashboard.heroku.com/account) |
-### Railway
-| Secret Type | Rotation Link |
-|-------------|---------------|
-| **Token** | [Railway → Account Settings → Tokens](https://railway.app/account/tokens) |
----
-## 🇮🇳 India-Specific Services
-### Paytm
-| Secret Type | Rotation Link |
-|-------------|---------------|
-| **Merchant Key** | [Paytm Dashboard → API Keys](https://dashboard.paytm.com/next/apikeys) |
-### PhonePe
-| Secret Type | Rotation Link |
-|-------------|---------------|
-| **API Key** | Contact PhonePe Business Support |
-### Cashfree
-| Secret Type | Rotation Link |
-|-------------|---------------|
-| **App ID / Secret** | [Cashfree Dashboard → Credentials](https://merchant.cashfree.com/) |
----
-## 🔧 Development Tools
-### npm
-| Secret Type | Rotation Link |
-|-------------|---------------|
-| **Auth Token** | [npm → Access Tokens](https://www.npmjs.com/settings/~/tokens) |
-### Docker Hub
-| Secret Type | Rotation Link |
-|-------------|---------------|
-| **Access Token** | [Docker Hub → Account Settings → Security](https://hub.docker.com/settings/security) |
-### CircleCI
-| Secret Type | Rotation Link |
-|-------------|---------------|
-| **API Token** | [CircleCI → User Settings → Personal API Tokens](https://app.circleci.com/settings/user/tokens) |
----
-## 📋 General Rotation Checklist
-After rotating a secret:
-- [ ] **Update environment variables** (local `.env` files)
-- [ ] **Update CI/CD secrets** (GitHub Actions, GitLab CI, etc.)
-- [ ] **Update deployment platforms** (Vercel, Netlify, etc.)
-- [ ] **Update configuration files** (ensure not committed!)
-- [ ] **Test the application** (verify new key works)
-- [ ] **Check audit logs** (look for unauthorized access)
-- [ ] **Run `ml scan`** (verify no secrets remain)
----
-## 🚨 Emergency Response
-If you believe a secret was exploited:
-1. **Rotate immediately** - Don't investigate first
-2. **Check access logs** - Provider dashboards usually have this
-3. **Revoke sessions** - Force re-authentication
-4. **Enable MFA** - If not already enabled
-5. **Contact provider** - Report potential breach
-6. **Document incident** - For compliance
----
-## 📞 Provider Security Contacts
-| Provider | Security Contact |
-|----------|------------------|
-| AWS | [AWS Security](https://aws.amazon.com/security/vulnerability-reporting/) |
-| Google | [Google Security](https://www.google.com/about/appsecurity/) |
-| GitHub | [GitHub Security](https://github.com/security) |
-| Stripe | [Stripe Security](https://stripe.com/docs/security) |
----
-*This guide is part of MemoryLink's security documentation. Always follow your organization's incident response procedures.*

package/docs/THREAT_MODEL.md DELETED Viewed

@@ -1,279 +0,0 @@
-# 🔐 MemoryLink Threat Model
-**Version:** 2.0.2
-**Last Updated:** January 2, 2026
-**Status:** Production
-This document describes the security boundaries, threat model, and trust assumptions for MemoryLink.
----
-## 📋 Overview
-MemoryLink is a **local-first** secret detection tool. It operates entirely on your machine with:
-- No network calls
-- No telemetry
-- No cloud dependencies
----
-## 🎯 Security Goals
-| Goal | Description | Status |
-|------|-------------|--------|
-| **Prevent Secret Leaks** | Block secrets from reaching Git remotes | ✅ Implemented |
-| **Protect Detected Secrets** | Encrypt quarantined secrets at rest | ✅ Implemented |
-| **Maintain Audit Trail** | Log all security events immutably | ✅ Implemented |
-| **Zero Data Exfiltration** | No data leaves user's machine | ✅ Implemented |
-| **Minimal Attack Surface** | No network, minimal dependencies | ✅ Implemented |
----
-## 🏗️ Architecture Security
-### Data Flow
-```
-┌──────────────────────────────────────────────────────────────────┐
-│                        USER'S MACHINE                            │
-│                                                                  │
-│  ┌─────────────┐     ┌─────────────┐     ┌─────────────┐        │
-│  │  Your Code  │────▶│  MemoryLink │────▶│   Git Repo  │        │
-│  │  (Scanned)  │     │  (Scanner)  │     │   (Clean)   │        │
-│  └─────────────┘     └──────┬──────┘     └─────────────┘        │
-│                             │                                    │
-│                    ┌────────▼────────┐                          │
-│                    │   If Secrets    │                          │
-│                    │    Detected     │                          │
-│                    └────────┬────────┘                          │
-│                             │                                    │
-│         ┌───────────────────┼───────────────────┐               │
-│         ▼                   ▼                   ▼               │
-│  ┌─────────────┐     ┌─────────────┐     ┌─────────────┐        │
-│  │  Quarantine │     │ Audit Trail │     │    Block    │        │
-│  │ (Encrypted) │     │   (Logs)    │     │   Commit    │        │
-│  └─────────────┘     └─────────────┘     └─────────────┘        │
-│                                                                  │
-└──────────────────────────────────────────────────────────────────┘
-                              │
-                              ▼
-                    ┌─────────────────┐
-                    │  NETWORK NEVER  │
-                    │    ACCESSED     │
-                    └─────────────────┘
-```
-### Trust Boundaries
-| Zone | Trust Level | Data |
-|------|-------------|------|
-| **User's Home Dir** | High | `~/.memorylink/keys/` (encryption keys) |
-| **Project Dir** | Medium | `.memorylink/` (project config, quarantine) |
-| **Git Working Tree** | Low | Scanned for secrets |
-| **Git Remote** | Untrusted | Should never receive secrets |
-| **Network** | N/A | Never accessed |
----
-## 🔑 Cryptographic Design
-### Encryption
-| Component | Algorithm | Key Size | Notes |
-|-----------|-----------|----------|-------|
-| **Quarantine Encryption** | AES-256-GCM | 256-bit | Authenticated encryption |
-| **Key Derivation** | Random | 256-bit | Crypto-secure random |
-| **IV Generation** | Random | 96-bit | Unique per encryption |
-### Key Storage
-```
-~/.memorylink/
-└── keys/
-    └── <project-hash>.key    # 256-bit AES key
-```
-**Key Properties:**
-- ✅ Stored outside project directory
-- ✅ Never committed to Git
-- ✅ One key per project (isolated)
-- ⚠️ Should be 600 permissions (Unix) / User-only ACL (Windows)
-### Key Rotation
-Currently, keys are:
-- Created on first `ml init`
-- Never automatically rotated
-- Manual rotation: Delete key file, re-run `ml init`
-**Future (v2.1):** Automatic key rotation with `ml keys rotate`
----
-## 🚨 Threat Analysis
-### Threats Mitigated
-| Threat | Mitigation | Effectiveness |
-|--------|------------|---------------|
-| **Accidental secret commit** | Pre-commit hook | ✅ High |
-| **Accidental secret push** | Pre-push hook | ✅ High |
-| **Secret in CI logs** | Masked output | ✅ High |
-| **Quarantine file theft** | AES-256-GCM encryption | ✅ High |
-| **Telemetry/tracking** | No network calls | ✅ Complete |
-### Threats NOT Mitigated
-| Threat | Why | Recommendation |
-|--------|-----|----------------|
-| **Malicious user disabling hooks** | User has full control | Use CI enforcement (`ml gate`) |
-| **Key file theft** | If attacker has machine access | Use disk encryption (FileVault/BitLocker) |
-| **Memory dump attacks** | Secrets in RAM during scan | Use secure OS, avoid shared machines |
-| **Supply chain attacks** | npm dependency risks | Audit dependencies, use lockfile |
-| **Secrets in Git history** | Already committed secrets | Use `ml gate --history` + `git filter-branch` |
-### Out of Scope
-These threats are explicitly NOT in MemoryLink's threat model:
-1. **Malware on user's machine** - MemoryLink cannot protect against rootkits/keyloggers
-2. **Physical access attacks** - Use full-disk encryption
-3. **Social engineering** - User education required
-4. **Zero-day vulnerabilities** - Keep MemoryLink updated
----
-## 🛡️ Security Controls
-### Input Validation
-| Input | Validation | Risk |
-|-------|------------|------|
-| **File paths** | Normalized, no symlinks | Path traversal |
-| **Regex patterns** | Pre-tested for ReDoS | Denial of service |
-| **Config files** | JSON schema validation | Injection |
-| **CLI arguments** | Type-checked | Command injection |
-### File System Security
-| Control | Implementation |
-|---------|----------------|
-| **Symlink handling** | Skipped by default |
-| **Binary files** | Skipped (detected by magic bytes) |
-| **Large files** | Size limit configurable |
-| **Hidden files** | Scanned by default (configurable) |
-### Git Integration Security
-| Hook | Security Property |
-|------|-------------------|
-| **pre-commit** | Blocks staged files with secrets |
-| **pre-push** | Full repo scan before push |
-| **Bypass** | `--no-verify` (logged in audit) |
----
-## 📊 Security Comparison
-| Feature | MemoryLink | gitleaks | truffleHog | GitGuardian |
-|---------|-----------|----------|------------|-------------|
-| **Local-only** | ✅ | ✅ | ✅ | ❌ Cloud |
-| **Zero telemetry** | ✅ | ✅ | ⚠️ Opt-out | ❌ Required |
-| **Encrypted quarantine** | ✅ | ❌ | ❌ | ❌ |
-| **Audit trail** | ✅ | ❌ | ❌ | ✅ Cloud |
-| **Key isolation** | ✅ Home dir | N/A | N/A | N/A |
----
-## 🔍 Security Verification
-### Self-Check Command
-```bash
-ml self-check
-```
-Verifies:
-- ✅ Installation integrity
-- ✅ Git hooks installed
-- ✅ Config file valid
-- ✅ Key file exists and accessible
-### Manual Verification
-```bash
-# Verify no network calls (run while scanning)
-sudo lsof -i -P | grep memorylink
-# Expected: No output (no network connections)
-# Verify key permissions (Unix)
-ls -la ~/.memorylink/keys/
-# Expected: -rw------- (600)
-# Verify quarantine encryption
-file .memorylink/quarantined/*
-# Expected: "data" (encrypted, not readable)
-```
----
-## 🚨 Incident Response
-### If Secrets Were Committed
-1. **Don't push** - If not pushed, secret is still local
-2. **Remove from history**: `git filter-branch` or BFG Repo Cleaner
-3. **Rotate the secret** - Consider it compromised
-4. **Run `ml gate --history`** - Find all historical secrets
-5. **Review audit logs** - `.memorylink/audit/`
-### If Key File Compromised
-1. **Delete the key**: `rm ~/.memorylink/keys/<project>.key`
-2. **Re-initialize**: `ml init`
-3. **Quarantined secrets** are now unreadable (acceptable loss)
-4. **Audit logs** remain readable (not encrypted)
----
-## 📋 Compliance Notes
-### Relevant Standards
-| Standard | Relevance | Status |
-|----------|-----------|--------|
-| **OWASP ASVS** | Secret management | Aligned |
-| **OWASP ASI06** | AI security | Planned v3.0 |
-| **PCI DSS** | Payment card data | Detects card patterns |
-| **GDPR** | Personal data (India: Aadhaar) | Detects PII patterns |
-### Audit Support
-MemoryLink provides:
-- ✅ Immutable audit logs (append-only)
-- ✅ Timestamped events
-- ✅ Detection fingerprints
-- ✅ User action logging
----
-## 📞 Security Contact
-**Report security issues:** security@memorylink.dev (or GitHub Security Advisory)
-**Response time:** 48 hours for initial response
-**Disclosure policy:** Coordinated disclosure, 90-day window
----
-## 📝 Revision History
-| Version | Date | Changes |
-|---------|------|---------|
-| 1.0 | 2026-01-02 | Initial threat model |
----
-*This document is part of MemoryLink's security documentation.*