pi-lens 2.1.0 → 2.2.0

package/clients/dispatch/runners/secrets.js

@@ -0,0 +1,109 @@
+/**
+ * Secrets scanner runner
+ *
+ * Scans file content for potential secret patterns before write.
+ * Works on all file types via regex matching.
+ *
+ * Patterns detected:
+ * - Stripe/OpenAI keys (sk-*)
+ * - GitHub tokens (ghp_*, gho_*, github_pat_*)
+ * - AWS keys (AKIA*)
+ * - Slack tokens (xoxp-*, xoxb-*)
+ * - Private keys (BEGIN PRIVATE KEY)
+ * - Generic API key patterns
+ */
+const SECRET_PATTERNS = [
+    {
+        pattern: /sk-[a-zA-Z0-9]{20,}/g,
+        name: "stripe-openai-key",
+        message: "Possible Stripe or OpenAI API key (sk-*)",
+    },
+    {
+        pattern: /ghp_[a-zA-Z0-9]{36}/g,
+        name: "github-personal-token",
+        message: "GitHub personal access token (ghp_*)",
+    },
+    {
+        pattern: /gho_[a-zA-Z0-9]{36}/g,
+        name: "github-oauth-token",
+        message: "GitHub OAuth token (gho_*)",
+    },
+    {
+        pattern: /github_pat_[a-zA-Z_]{82}/g,
+        name: "github-fine-grained-pat",
+        message: "GitHub fine-grained PAT (github_pat_*)",
+    },
+    {
+        pattern: /AKIA[0-9A-Z]{16}/g,
+        name: "aws-access-key",
+        message: "AWS access key ID (AKIA*)",
+    },
+    {
+        pattern: /xox[bp]-[a-zA-Z0-9]{10,}/g,
+        name: "slack-token",
+        message: "Slack token (xoxb-*/xoxp-*)",
+    },
+    {
+        pattern: /-----BEGIN\s+(RSA\s+)?PRIVATE KEY-----/g,
+        name: "private-key",
+        message: "Private key material detected",
+    },
+    {
+        pattern: /password\s*[:=]\s*["'][^"']{8,}["']/gi,
+        name: "hardcoded-password",
+        message: "Possible hardcoded password",
+    },
+    {
+        pattern: /(?:secret|api_?key|token)\s*[:=]\s*["'][a-zA-Z0-9]{20,}["']/gi,
+        name: "generic-api-secret",
+        message: "Possible hardcoded secret, API key, or token",
+    },
+];
+function scanContent(content) {
+    const findings = [];
+    const lines = content.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        for (const secret of SECRET_PATTERNS) {
+            secret.pattern.lastIndex = 0; // Reset regex state
+            const match = secret.pattern.exec(line);
+            if (match) {
+                findings.push({
+                    line: i + 1,
+                    pattern: secret,
+                    match: match[0].slice(0, 20) + "...",
+                });
+            }
+        }
+    }
+    return findings;
+}
+async function run(ctx) {
+    const diagnostics = [];
+    // Get the content being written - check both full content and the diff
+    const content = ctx.content;
+    if (!content)
+        return { diagnostics };
+    const findings = scanContent(content);
+    for (const finding of findings) {
+        diagnostics.push({
+            id: `secrets-${finding.pattern.name}-${finding.line}`,
+            message: `${finding.pattern.message} at line ${finding.line}. Remove before committing.`,
+            filePath: ctx.filePath,
+            line: finding.line,
+            severity: "error",
+            semantic: "blocking", // Always blocking - secrets should never be committed
+            tool: "secrets",
+            rule: finding.pattern.name,
+            fixable: false,
+        });
+    }
+    return { diagnostics };
+}
+const runner = {
+    id: "secrets",
+    appliesTo: ["*"], // All file types
+    priority: 0, // Run first - block before other checks
+    run,
+};
+export default runner;

package/clients/secrets-scanner.js

@@ -0,0 +1,113 @@
+/**
+ * Content-level secrets scanner
+ *
+ * Scans file content for potential secret patterns before write.
+ * Works on all file types via regex matching.
+ *
+ * Detected patterns:
+ * - Stripe/OpenAI keys (sk-*)
+ * - GitHub tokens (ghp_*, gho_*, github_pat_*)
+ * - AWS keys (AKIA*)
+ * - Slack tokens (xoxp-*, xoxb-*)
+ * - Private keys (BEGIN PRIVATE KEY)
+ * - Generic API key/password patterns
+ */
+// Patterns ordered by specificity - first match wins per line
+const SECRET_PATTERNS = [
+    // High-confidence: specific key prefixes
+    {
+        pattern: /sk-[a-zA-Z0-9-]{20,}/g,
+        name: "stripe-openai-key",
+        message: "Possible Stripe or OpenAI API key (sk-*)",
+    },
+    {
+        pattern: /ghp_[a-zA-Z0-9]{36}/g,
+        name: "github-personal-token",
+        message: "GitHub personal access token (ghp_*)",
+    },
+    {
+        pattern: /gho_[a-zA-Z0-9]{36}/g,
+        name: "github-oauth-token",
+        message: "GitHub OAuth token (gho_*)",
+    },
+    {
+        pattern: /github_pat_[a-zA-Z_]{82}/g,
+        name: "github-fine-grained-pat",
+        message: "GitHub fine-grained PAT (github_pat_*)",
+    },
+    {
+        pattern: /AKIA[0-9A-Z]{16}/g,
+        name: "aws-access-key",
+        message: "AWS access key ID (AKIA*)",
+    },
+    {
+        pattern: /xox[bp]-[a-zA-Z0-9]{10,}/g,
+        name: "slack-token",
+        message: "Slack token (xoxb-*/xoxp-*)",
+    },
+    {
+        pattern: /-----BEGIN\s+(RSA\s+)?PRIVATE KEY-----/g,
+        name: "private-key",
+        message: "Private key material detected",
+    },
+    // Medium-confidence: quoted credentials
+    {
+        pattern: /password\s*[:=]\s*["'][^"']{4,}["']/gi,
+        name: "hardcoded-password",
+        message: "Possible hardcoded password",
+    },
+    {
+        pattern: /(?:secret|api_?key|token|access_?key)\s*[:=]\s*["'][a-zA-Z0-9_\-/.]{8,}["']/gi,
+        name: "hardcoded-secret",
+        message: "Possible hardcoded secret or API key",
+    },
+    // .env format: KEY=VALUE (no quotes)
+    {
+        pattern: /^(?:API_?KEY|SECRET|TOKEN|PASSWORD|AWS_?ACCESS_?KEY)\s*=\s*\S{8,}/gim,
+        name: "env-file-secret",
+        message: "Possible secret in .env format",
+    },
+];
+/**
+ * Scan content for potential secrets
+ * Returns findings with line numbers
+ */
+export function scanForSecrets(content) {
+    const findings = [];
+    const lines = content.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        let matched = false;
+        for (const pattern of SECRET_PATTERNS) {
+            // Reset lastIndex before each test (important for global regex)
+            const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
+            if (regex.test(line)) {
+                findings.push({
+                    line: i + 1,
+                    message: pattern.message,
+                });
+                matched = true;
+                break; // One finding per line
+            }
+        }
+    }
+    return findings;
+}
+/**
+ * Format secrets findings for terminal output
+ */
+export function formatSecrets(findings, filePath) {
+    if (findings.length === 0)
+        return "";
+    const lines = [
+        `🔴 STOP — ${findings.length} potential secret(s) in ${filePath}:`,
+    ];
+    for (const f of findings.slice(0, 5)) {
+        lines.push(`  L${f.line}: ${f.message}`);
+    }
+    if (findings.length > 5) {
+        lines.push(`  ... and ${findings.length - 5} more`);
+    }
+    lines.push("  → Remove before continuing. Use env vars instead.");
+    return lines.join("\n");
+}

package/clients/secrets-scanner.test.js

@@ -0,0 +1,100 @@
+import { describe, expect, it } from "vitest";
+import { formatSecrets, scanForSecrets } from "./secrets-scanner.js";
+describe("scanForSecrets", () => {
+    it("should detect Stripe/OpenAI keys (sk-*)", () => {
+        const content = `const apiKey = "sk-live-1234567890abcdefghij";`;
+        const findings = scanForSecrets(content);
+        expect(findings.length).toBe(1);
+        expect(findings[0].message).toContain("Stripe or OpenAI");
+    });
+    it("should detect GitHub personal tokens (ghp_*)", () => {
+        const content = `token = "ghp_1234567890abcdefghijklmnopqrstuvwxyz";`;
+        const findings = scanForSecrets(content);
+        expect(findings.length).toBe(1);
+        expect(findings[0].message).toContain("GitHub personal");
+    });
+    it("should detect AWS access keys (AKIA*)", () => {
+        const content = `const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";`;
+        const findings = scanForSecrets(content);
+        expect(findings.length).toBe(1);
+        expect(findings[0].message).toContain("AWS access key");
+    });
+    it("should detect private key material", () => {
+        const content = `-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA...`;
+        const findings = scanForSecrets(content);
+        expect(findings.length).toBe(1);
+        expect(findings[0].message).toContain("Private key");
+    });
+    it("should detect hardcoded passwords", () => {
+        const content = `const config = { password: "hunter2" };`;
+        const findings = scanForSecrets(content);
+        expect(findings.length).toBe(1);
+        expect(findings[0].message).toContain("password");
+    });
+    it("should detect secrets in .env format", () => {
+        const content = `API_KEY=sk-live-1234567890abcdefghij
+DATABASE_URL=postgres://localhost`;
+        const findings = scanForSecrets(content);
+        expect(findings.length).toBe(1);
+        // sk-* pattern catches this first (more specific)
+        expect(findings[0].message).toContain("Stripe or OpenAI");
+    });
+    it("should NOT flag safe content", () => {
+        const content = `
+const name = "test";
+const url = "https://example.com";
+const port = 3000;
+const message = "Hello world";
+`;
+        const findings = scanForSecrets(content);
+        expect(findings.length).toBe(0);
+    });
+    it("should NOT flag env var references", () => {
+        const content = `const key = process.env.API_KEY;`;
+        const findings = scanForSecrets(content);
+        expect(findings.length).toBe(0);
+    });
+    it("should detect multiple secrets", () => {
+        const content = `
+const sk = "sk-live-1234567890abcdefghij";
+const gh = "ghp_1234567890abcdefghijklmnopqrstuvwxyz";
+`;
+        const findings = scanForSecrets(content);
+        expect(findings.length).toBe(2);
+    });
+    it("should report correct line numbers", () => {
+        const content = `line 1
+line 2
+const secret = "sk-live-1234567890abcdefghij";
+line 4`;
+        const findings = scanForSecrets(content);
+        expect(findings.length).toBe(1);
+        expect(findings[0].line).toBe(3);
+    });
+});
+describe("formatSecrets", () => {
+    it("should format findings for terminal output", () => {
+        const findings = [
+            { line: 5, message: "Possible Stripe or OpenAI API key (sk-*)" },
+        ];
+        const output = formatSecrets(findings, "src/config.ts");
+        expect(output).toContain("STOP");
+        expect(output).toContain("1 potential secret(s)");
+        expect(output).toContain("L5");
+        expect(output).toContain("src/config.ts");
+    });
+    it("should return empty string for no findings", () => {
+        const output = formatSecrets([], "src/config.ts");
+        expect(output).toBe("");
+    });
+    it("should truncate at 5 findings", () => {
+        const findings = Array.from({ length: 10 }, (_, i) => ({
+            line: i + 1,
+            message: "Test secret",
+        }));
+        const output = formatSecrets(findings, "src/config.ts");
+        expect(output).toContain("10 potential secret(s)");
+        expect(output).toContain("... and 5 more");
+    });
+});

package/clients/secrets-scanner.test.ts

@@ -0,0 +1,113 @@
+import { describe, expect, it } from "vitest";
+import { formatSecrets, scanForSecrets } from "./secrets-scanner.js";
+
+describe("scanForSecrets", () => {
+	it("should detect Stripe/OpenAI keys (sk-*)", () => {
+		const content = `const apiKey = "sk-live-1234567890abcdefghij";`;
+		const findings = scanForSecrets(content);
+		expect(findings.length).toBe(1);
+		expect(findings[0].message).toContain("Stripe or OpenAI");
+	});
+
+	it("should detect GitHub personal tokens (ghp_*)", () => {
+		const content = `token = "ghp_1234567890abcdefghijklmnopqrstuvwxyz";`;
+		const findings = scanForSecrets(content);
+		expect(findings.length).toBe(1);
+		expect(findings[0].message).toContain("GitHub personal");
+	});
+
+	it("should detect AWS access keys (AKIA*)", () => {
+		const content = `const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";`;
+		const findings = scanForSecrets(content);
+		expect(findings.length).toBe(1);
+		expect(findings[0].message).toContain("AWS access key");
+	});
+
+	it("should detect private key material", () => {
+		const content = `-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA...`;
+		const findings = scanForSecrets(content);
+		expect(findings.length).toBe(1);
+		expect(findings[0].message).toContain("Private key");
+	});
+
+	it("should detect hardcoded passwords", () => {
+		const content = `const config = { password: "hunter2" };`;
+		const findings = scanForSecrets(content);
+		expect(findings.length).toBe(1);
+		expect(findings[0].message).toContain("password");
+	});
+
+	it("should detect secrets in .env format", () => {
+		const content = `API_KEY=sk-live-1234567890abcdefghij
+DATABASE_URL=postgres://localhost`;
+		const findings = scanForSecrets(content);
+		expect(findings.length).toBe(1);
+		// sk-* pattern catches this first (more specific)
+		expect(findings[0].message).toContain("Stripe or OpenAI");
+	});
+
+	it("should NOT flag safe content", () => {
+		const content = `
+const name = "test";
+const url = "https://example.com";
+const port = 3000;
+const message = "Hello world";
+`;
+		const findings = scanForSecrets(content);
+		expect(findings.length).toBe(0);
+	});
+
+	it("should NOT flag env var references", () => {
+		const content = `const key = process.env.API_KEY;`;
+		const findings = scanForSecrets(content);
+		expect(findings.length).toBe(0);
+	});
+
+	it("should detect multiple secrets", () => {
+		const content = `
+const sk = "sk-live-1234567890abcdefghij";
+const gh = "ghp_1234567890abcdefghijklmnopqrstuvwxyz";
+`;
+		const findings = scanForSecrets(content);
+		expect(findings.length).toBe(2);
+	});
+
+	it("should report correct line numbers", () => {
+		const content = `line 1
+line 2
+const secret = "sk-live-1234567890abcdefghij";
+line 4`;
+		const findings = scanForSecrets(content);
+		expect(findings.length).toBe(1);
+		expect(findings[0].line).toBe(3);
+	});
+});
+
+describe("formatSecrets", () => {
+	it("should format findings for terminal output", () => {
+		const findings = [
+			{ line: 5, message: "Possible Stripe or OpenAI API key (sk-*)" },
+		];
+		const output = formatSecrets(findings, "src/config.ts");
+		expect(output).toContain("STOP");
+		expect(output).toContain("1 potential secret(s)");
+		expect(output).toContain("L5");
+		expect(output).toContain("src/config.ts");
+	});
+
+	it("should return empty string for no findings", () => {
+		const output = formatSecrets([], "src/config.ts");
+		expect(output).toBe("");
+	});
+
+	it("should truncate at 5 findings", () => {
+		const findings = Array.from({ length: 10 }, (_, i) => ({
+			line: i + 1,
+			message: "Test secret",
+		}));
+		const output = formatSecrets(findings, "src/config.ts");
+		expect(output).toContain("10 potential secret(s)");
+		expect(output).toContain("... and 5 more");
+	});
+});

package/clients/secrets-scanner.ts

@@ -0,0 +1,134 @@
+/**
+ * Content-level secrets scanner
+ *
+ * Scans file content for potential secret patterns before write.
+ * Works on all file types via regex matching.
+ *
+ * Detected patterns:
+ * - Stripe/OpenAI keys (sk-*)
+ * - GitHub tokens (ghp_*, gho_*, github_pat_*)
+ * - AWS keys (AKIA*)
+ * - Slack tokens (xoxp-*, xoxb-*)
+ * - Private keys (BEGIN PRIVATE KEY)
+ * - Generic API key/password patterns
+ */
+
+interface SecretPattern {
+	pattern: RegExp;
+	name: string;
+	message: string;
+}
+
+// Patterns ordered by specificity - first match wins per line
+const SECRET_PATTERNS: SecretPattern[] = [
+	// High-confidence: specific key prefixes
+	{
+		pattern: /sk-[a-zA-Z0-9-]{20,}/g,
+		name: "stripe-openai-key",
+		message: "Possible Stripe or OpenAI API key (sk-*)",
+	},
+	{
+		pattern: /ghp_[a-zA-Z0-9]{36}/g,
+		name: "github-personal-token",
+		message: "GitHub personal access token (ghp_*)",
+	},
+	{
+		pattern: /gho_[a-zA-Z0-9]{36}/g,
+		name: "github-oauth-token",
+		message: "GitHub OAuth token (gho_*)",
+	},
+	{
+		pattern: /github_pat_[a-zA-Z_]{82}/g,
+		name: "github-fine-grained-pat",
+		message: "GitHub fine-grained PAT (github_pat_*)",
+	},
+	{
+		pattern: /AKIA[0-9A-Z]{16}/g,
+		name: "aws-access-key",
+		message: "AWS access key ID (AKIA*)",
+	},
+	{
+		pattern: /xox[bp]-[a-zA-Z0-9]{10,}/g,
+		name: "slack-token",
+		message: "Slack token (xoxb-*/xoxp-*)",
+	},
+	{
+		pattern: /-----BEGIN\s+(RSA\s+)?PRIVATE KEY-----/g,
+		name: "private-key",
+		message: "Private key material detected",
+	},
+	// Medium-confidence: quoted credentials
+	{
+		pattern: /password\s*[:=]\s*["'][^"']{4,}["']/gi,
+		name: "hardcoded-password",
+		message: "Possible hardcoded password",
+	},
+	{
+		pattern:
+			/(?:secret|api_?key|token|access_?key)\s*[:=]\s*["'][a-zA-Z0-9_\-/.]{8,}["']/gi,
+		name: "hardcoded-secret",
+		message: "Possible hardcoded secret or API key",
+	},
+	// .env format: KEY=VALUE (no quotes)
+	{
+		pattern:
+			/^(?:API_?KEY|SECRET|TOKEN|PASSWORD|AWS_?ACCESS_?KEY)\s*=\s*\S{8,}/gim,
+		name: "env-file-secret",
+		message: "Possible secret in .env format",
+	},
+];
+
+export interface SecretFinding {
+	line: number;
+	message: string;
+}
+
+/**
+ * Scan content for potential secrets
+ * Returns findings with line numbers
+ */
+export function scanForSecrets(content: string): SecretFinding[] {
+	const findings: SecretFinding[] = [];
+	const lines = content.split("\n");
+
+	for (let i = 0; i < lines.length; i++) {
+		const line = lines[i];
+		let matched = false;
+		for (const pattern of SECRET_PATTERNS) {
+			// Reset lastIndex before each test (important for global regex)
+			const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
+			if (regex.test(line)) {
+				findings.push({
+					line: i + 1,
+					message: pattern.message,
+				});
+				matched = true;
+				break; // One finding per line
+			}
+		}
+	}
+
+	return findings;
+}
+
+/**
+ * Format secrets findings for terminal output
+ */
+export function formatSecrets(
+	findings: SecretFinding[],
+	filePath: string,
+): string {
+	if (findings.length === 0) return "";
+
+	const lines = [
+		`🔴 STOP — ${findings.length} potential secret(s) in ${filePath}:`,
+	];
+	for (const f of findings.slice(0, 5)) {
+		lines.push(`  L${f.line}: ${f.message}`);
+	}
+	if (findings.length > 5) {
+		lines.push(`  ... and ${findings.length - 5} more`);
+	}
+	lines.push("  → Remove before continuing. Use env vars instead.");
+	return lines.join("\n");
+}

package/clients/sg-runner.js

@@ -126,9 +126,15 @@ export class SgRunner {
     /**
      * Format matches for display
      */
-    formatMatches(matches, isDryRun = false, maxItems = 50) {
-        if (matches.length === 0)
+    formatMatches(matches, isDryRun = false, maxItems = 50, showModeIndicator = false) {
+        if (matches.length === 0) {
+            if (showModeIndicator) {
+                return isDryRun
+                    ? "[DRY-RUN] No matches found."
+                    : "[APPLIED] No changes made (no matches found).";
+            }
             return "No matches found";
+        }
         const shown = matches.slice(0, maxItems);
         const lines = shown.map((m) => {
             const loc = `${m.file}:${m.range.start.line + 1}:${m.range.start.column + 1}`;
@@ -140,6 +146,13 @@ export class SgRunner {
         if (matches.length > maxItems) {
             lines.unshift(`Found ${matches.length} matches (showing first ${maxItems}):`);
         }
+        if (showModeIndicator) {
+            const prefix = isDryRun ? "[DRY-RUN]" : "[APPLIED]";
+            const suffix = isDryRun
+                ? "\n\n(Dry run — use apply=true to apply changes)"
+                : "";
+            return `${prefix} ${matches.length} replacement(s):\n\n${lines.join("\n")}${suffix}`;
+        }
         return lines.join("\n");
     }
 }

package/clients/sg-runner.ts

@@ -162,8 +162,21 @@ export class SgRunner {
 	/**
 	 * Format matches for display
 	 */
-	formatMatches(matches: SgMatch[], isDryRun = false, maxItems = 50): string {
-		if (matches.length === 0) return "No matches found";
+	formatMatches(
+		matches: SgMatch[],
+		isDryRun = false,
+		maxItems = 50,
+		showModeIndicator = false,
+	): string {
+		if (matches.length === 0) {
+			if (showModeIndicator) {
+				return isDryRun
+					? "[DRY-RUN] No matches found."
+					: "[APPLIED] No changes made (no matches found).";
+			}
+			return "No matches found";
+		}
+
 		const shown = matches.slice(0, maxItems);
 		const lines = shown.map((m) => {
 			const loc = `${m.file}:${m.range.start.line + 1}:${m.range.start.column + 1}`;
@@ -172,11 +185,21 @@ export class SgRunner {
 				? `${loc}\n  - ${text}\n  + ${m.replacement}`
 				: `${loc}: ${text}`;
 		});
+
 		if (matches.length > maxItems) {
 			lines.unshift(
 				`Found ${matches.length} matches (showing first ${maxItems}):`,
 			);
 		}
+
+		if (showModeIndicator) {
+			const prefix = isDryRun ? "[DRY-RUN]" : "[APPLIED]";
+			const suffix = isDryRun
+				? "\n\n(Dry run — use apply=true to apply changes)"
+				: "";
+			return `${prefix} ${matches.length} replacement(s):\n\n${lines.join("\n")}${suffix}`;
+		}
+
 		return lines.join("\n");
 	}
 }