pkg-scaffold 3.3.4 → 3.3.6

package/src/ast/MagicDetector.js

@@ -6,6 +6,15 @@ import { PluginRegistry } from '../plugins/PluginRegistry.js';
  * Ecosystem Entry Point Manifest & Dynamic Framework Router Heuristic Validator
  * Intercepts implicit conventions to handle cases where direct import statements are absent.
  * Now refactored to use a pluggable architecture.
+ *
+ * Improvements over v1:
+ * - Extended config-file detection list (Biome, Oxlint, tsup, unbuild, etc.)
+ * - Next.js App Router conventions (page.tsx, layout.tsx, loading.tsx, error.tsx, etc.)
+ * - Remix conventions (route files under app/routes/)
+ * - SvelteKit conventions (+page.svelte, +layout.svelte, etc.)
+ * - Astro page/layout conventions
+ * - Common entry-point patterns (bin/, cli.ts, server.ts, main.ts, app.ts)
+ * - Test file patterns extended to cover Vitest workspace files
  */
 export class MagicDetector {
   constructor(context) {
@@ -60,20 +69,104 @@ export class MagicDetector {
   }
 
   isCoreToolingSuiteElement(normalizedPath) {
-    // Testing and execution matrices rules configuration keys
-    if (/\.(test|spec|e2e|cy)\.(js|ts|tsx|jsx|stories\.tsx|stories\.ts)$/i.test(normalizedPath)) return true;
-    
-    // Testing tools and structural environment frameworks configuration keys
-    const testEnvironments = [
-      'jest.config.', 'vitest.config.', 'playwright.config.', 'cypress.config.',
-      'webpack.config.', 'vite.config.', 'rollup.config.', 'tailwind.config.',
-      '.eslintrc.', 'prettier.config.', '.postcssrc.', 'postcss.config.',
-      'bin/cli.js', 'index.js', 'WorkerTaskRunner.js',
-      'src/server.ts', 'src/main.ts', 'src/app.ts', 'src/index.tsx', 'src/index.ts',
-      'server.ts', 'main.ts', 'app.ts'
+    // ── Test / spec files ──────────────────────────────────────────────────────
+    if (/\.(test|spec|e2e|cy)\.(js|ts|tsx|jsx)$/i.test(normalizedPath)) return true;
+    if (/\.stories\.(js|ts|tsx|jsx)$/i.test(normalizedPath)) return true;
+
+    // ── Build / bundler config files ───────────────────────────────────────────
+    const configFragments = [
+      // Test runners
+      'jest.config.', 'vitest.config.', 'vitest.workspace.',
+      'playwright.config.', 'cypress.config.',
+      // Bundlers
+      'webpack.config.', 'vite.config.', 'rollup.config.',
+      'esbuild.config.', 'parcel.config.',
+      'tsup.config.', 'unbuild.config.', 'pkgroll.config.',
+      // CSS / styling
+      'tailwind.config.', 'postcss.config.', '.postcssrc.',
+      // Linters / formatters
+      '.eslintrc.', 'eslint.config.', 'prettier.config.', '.prettierrc.',
+      '.stylelintrc.', 'stylelint.config.',
+      'biome.json', '.oxlintrc.',
+      // Babel / transpilation
+      '.babelrc.', 'babel.config.',
+      // Commit / git hooks
+      '.commitlintrc.', 'commitlint.config.',
+      '.lintstagedrc.', 'lint-staged.config.',
+      // Documentation
+      'typedoc.config.', 'typedoc.json',
+      // Monorepo tools
+      'turbo.json', 'nx.json', 'lerna.json',
+      // Misc tooling
+      'knip.config.', 'knip.json',
+      'syncpack.config.',
+      // Internal worker
+      'WorkerTaskRunner.js'
     ];
-    
-    return testEnvironments.some(matchPattern => normalizedPath.includes(matchPattern));
+    if (configFragments.some(f => normalizedPath.includes(f))) return true;
+
+    // ── Common application entry points ───────────────────────────────────────
+    const entryPatterns = [
+      // CLI binaries
+      '/bin/cli.js', '/bin/cli.ts', '/bin/cli.mjs',
+      '/bin/index.js', '/bin/index.ts',
+      // Server / app entry points (Reduced in v3.3.6 to avoid false positives in libraries)
+      '/src/main.ts', '/src/main.js',
+      '/src/app.ts', '/src/app.js',
+      '/src/api/HeadlessAPI.js', '/src/api/PluginSDK.js',
+      '/main.ts', '/main.js',
+      '/app.ts', '/app.js',
+    ];
+    if (entryPatterns.some(p => normalizedPath.endsWith(p))) return true;
+
+    // ── Next.js App Router conventions ────────────────────────────────────────
+    // Files under app/ directory with Next.js special names
+    if (/\/app\/(page|layout|loading|error|not-found|template|default|route|middleware)\.(js|ts|tsx|jsx)$/.test(normalizedPath)) return true;
+    // Next.js Pages Router
+    if (/\/pages\/.*\.(js|ts|tsx|jsx)$/.test(normalizedPath)) return true;
+    // Next.js API routes
+    if (/\/pages\/api\/.*\.(js|ts)$/.test(normalizedPath)) return true;
+    // Next.js middleware
+    if (/\/middleware\.(js|ts)$/.test(normalizedPath)) return true;
+    // Next.js config
+    if (/\/next\.config\.(js|ts|mjs|cjs)$/.test(normalizedPath)) return true;
+
+    // ── Remix conventions ─────────────────────────────────────────────────────
+    if (/\/app\/routes\/.*\.(js|ts|tsx|jsx)$/.test(normalizedPath)) return true;
+    if (/\/app\/root\.(js|ts|tsx|jsx)$/.test(normalizedPath)) return true;
+    if (/\/app\/entry\.(client|server)\.(js|ts|tsx|jsx)$/.test(normalizedPath)) return true;
+
+    // ── SvelteKit conventions ─────────────────────────────────────────────────
+    if (/\/\+page(\.(server|client))?\.(svelte|js|ts)$/.test(normalizedPath)) return true;
+    if (/\/\+layout(\.(server|client))?\.(svelte|js|ts)$/.test(normalizedPath)) return true;
+    if (/\/\+error\.(svelte|js|ts)$/.test(normalizedPath)) return true;
+    if (/\/\+server\.(js|ts)$/.test(normalizedPath)) return true;
+    if (/\/svelte\.config\.(js|ts|mjs)$/.test(normalizedPath)) return true;
+
+    // ── Astro conventions ─────────────────────────────────────────────────────
+    if (/\/src\/pages\/.*\.astro$/.test(normalizedPath)) return true;
+    if (/\/src\/layouts\/.*\.astro$/.test(normalizedPath)) return true;
+    if (/\/astro\.config\.(mjs|js|ts)$/.test(normalizedPath)) return true;
+
+    // ── Nuxt conventions ──────────────────────────────────────────────────────
+    if (/\/pages\/.*\.vue$/.test(normalizedPath)) return true;
+    if (/\/layouts\/.*\.vue$/.test(normalizedPath)) return true;
+    if (/\/server\/api\/.*\.(js|ts)$/.test(normalizedPath)) return true;
+    if (/\/nuxt\.config\.(js|ts|mjs)$/.test(normalizedPath)) return true;
+
+    // ── React / Vite entry points ─────────────────────────────────────────────
+    if (/\/vite\.config\.(js|ts|mjs)$/.test(normalizedPath)) return true;
+
+    // ── Angular conventions ───────────────────────────────────────────────────
+    if (/\/main\.(ts|js)$/.test(normalizedPath)) return true;
+    if (/\/app\.module\.(ts|js)$/.test(normalizedPath)) return true;
+    if (/\/angular\.json$/.test(normalizedPath)) return true;
+
+    // ── Expo / React Native ───────────────────────────────────────────────────
+    if (/\/app\/_layout\.(js|ts|tsx|jsx)$/.test(normalizedPath)) return true;
+    if (/\/app\/index\.(js|ts|tsx|jsx)$/.test(normalizedPath)) return true;
+
+    return false;
   }
 
   /**

package/src/ast/OxcAnalyzer.js

@@ -1,19 +1,42 @@
 export class OxcAnalyzer {
   constructor(context) {
     this.context = context;
+    this.oxc = null;
+    this.isAvailable = false;
+    // Initialization is handled via init() or lazily during parseFile
+  }
+
+  async init() {
+    if (this.isAvailable) return true;
     try {
-      this.oxc = require("oxc-parser");
+      // In ESM, we use dynamic import()
+      const oxc = await import("oxc-parser");
+      this.oxc = oxc;
       this.isAvailable = true;
+      return true;
     } catch (e) {
-      this.isAvailable = false;
-      if (this.context.verbose) {
-        console.warn("[OxcAnalyzer] oxc-parser not found, falling back to TypeScript compiler API.");
+      try {
+        // Fallback for older node versions or specific bundling setups
+        const { createRequire } = await import('module');
+        const require = createRequire(import.meta.url);
+        this.oxc = require("oxc-parser");
+        this.isAvailable = true;
+        return true;
+      } catch (err) {
+        this.isAvailable = false;
+        if (this.context.verbose) {
+          console.warn("[OxcAnalyzer] oxc-parser not found or failed to load, falling back to TypeScript compiler API.");
+        }
+        return false;
       }
     }
   }
 
-  parseFile(filePath, content, fileNode) {
-    if (!this.isAvailable) return false;
+  async parseFile(filePath, content, fileNode) {
+    if (!this.isAvailable) {
+      const initialized = await this.init();
+      if (!initialized) return false;
+    }
 
     try {
       if (this.context.verbose) {
@@ -32,6 +55,26 @@ export class OxcAnalyzer {
       fileNode.decorators = new Set();
 
       this.walkOxcAst(ast.program, fileNode, content);
+      
+      // Compute line/column for each export start position
+      const lines = content.split('\n');
+      const getLineCol = (pos) => {
+        let count = 0;
+        for (let i = 0; i < lines.length; i++) {
+          if (count + lines[i].length + 1 > pos) {
+            return { line: i + 1, column: pos - count + 1 };
+          }
+          count += lines[i].length + 1;
+        }
+        return { line: 1, column: 1 };
+      };
+
+      for (const [name, meta] of fileNode.internalExports.entries()) {
+        if (meta.start !== undefined) {
+          fileNode.symbolSourceLocations.set(name, getLineCol(meta.start));
+        }
+      }
+
       return true;
     } catch (e) {
       if (this.context.verbose) {
@@ -63,6 +106,10 @@ export class OxcAnalyzer {
       case "Decorator":
         this.handleDecorator(node, fileNode);
         break;
+      case "StringLiteral":
+        // Track for secret scanning if it looks like a secret
+        fileNode.rawStringReferences.add(node.value);
+        break;
     }
 
     // Traverse children
@@ -81,11 +128,15 @@ export class OxcAnalyzer {
     const specifier = node.source.value;
     fileNode.explicitImports.add(specifier);
 
+    // Track external package usage for dependency analysis
+    if (!specifier.startsWith('.') && !specifier.startsWith('/')) {
+      fileNode.externalPackageUsage.add(this._extractPackageName(specifier));
+    }
+
     if (node.specifiers) {
       node.specifiers.forEach((spec) => {
         if (spec.type === "ImportSpecifier") {
           const importedName = spec.imported.name;
-          const localName = spec.local.name;
           fileNode.importedSymbols.add(`${specifier}:${importedName}`);
         } else if (spec.type === "ImportDefaultSpecifier") {
           fileNode.importedSymbols.add(`${specifier}:default`);
@@ -103,20 +154,45 @@ export class OxcAnalyzer {
     }
 
     if (node.type === "ExportAllDeclaration") {
-      if (node.exported && node.exported.type === "ExportNamespaceSpecifier") {
-        // export * as name from 'module'
-        const name = node.exported.name;
-        fileNode.internalExports.set(name, { type: "re-export-namespace", source: node.source.value, originalName: "*", start: node.start, end: node.end });
-      } else {
-        // export * from 'module'
-        fileNode.internalExports.set("*", { type: "re-export-all", source: node.source.value });
+      const sourceSpecifier = node.source ? node.source.value : null;
+      if (sourceSpecifier) {
+        // Register re-export source as an explicit import so the graph linker
+        // creates an incomingEdge on the re-exported file.
+        fileNode.explicitImports.add(sourceSpecifier);
+
+        // Track external package usage from re-exports
+        if (!sourceSpecifier.startsWith('.') && !sourceSpecifier.startsWith('/')) {
+          fileNode.externalPackageUsage.add(this._extractPackageName(sourceSpecifier));
+        }
+
+        if (node.exported) {
+          // export * as name from 'module'
+          const name = node.exported.name || (node.exported.type === "Identifier" ? node.exported.name : null);
+          if (name) {
+            fileNode.internalExports.set(name, { type: "re-export-namespace", source: sourceSpecifier, originalName: "*", start: node.start, end: node.end });
+            fileNode.importedSymbols.add(`${sourceSpecifier}:*`);
+          }
+        } else {
+          // export * from 'module'
+          fileNode.internalExports.set("*", { type: "re-export-all", source: sourceSpecifier });
+          // Register as wildcard importedSymbol so graph linker creates incomingEdge
+          fileNode.importedSymbols.add(`${sourceSpecifier}:*`);
+        }
       }
       return;
     }
 
     if (node.source) {
-      // Re-export
+      // Re-export with source: export { x } from 'module'
       const specifier = node.source.value;
+      // Register re-export source as an explicit import
+      fileNode.explicitImports.add(specifier);
+
+      // Track external package usage from re-exports
+      if (!specifier.startsWith('.') && !specifier.startsWith('/')) {
+        fileNode.externalPackageUsage.add(this._extractPackageName(specifier));
+      }
+
       if (node.specifiers) {
         node.specifiers.forEach((spec) => {
           const exportedName = spec.exported.name;
@@ -128,6 +204,8 @@ export class OxcAnalyzer {
             start: node.start,
             end: node.end,
           });
+          // Register as importedSymbol so barrel-tracer can resolve origin file
+          fileNode.importedSymbols.add(`${specifier}:${localName}`);
         });
       }
     } else if (node.declaration) {
@@ -184,12 +262,28 @@ export class OxcAnalyzer {
   }
 
   handleCallExpression(node, fileNode) {
-    if (node.callee.type === "Import" && node.arguments.length > 0 && node.arguments[0].type === "StringLiteral") {
+    // Dynamic import(): import('./module')
+    if (node.callee.type === "Import" && node.arguments.length > 0) {
+      const arg = node.arguments[0];
+      if (arg.type === "StringLiteral") {
+        const specifier = arg.value;
+        fileNode.explicitImports.add(specifier);
+        fileNode.dynamicImports.add(specifier);
+        if (!specifier.startsWith('.') && !specifier.startsWith('/')) {
+          fileNode.externalPackageUsage.add(this._extractPackageName(specifier));
+        }
+      } else {
+        // Non-literal dynamic import: record as calculated
+        if (fileNode.calculatedDynamicImports) {
+          fileNode.calculatedDynamicImports.push({ kind: arg.type, start: arg.start });
+        }
+      }
+    } else if (node.callee.type === "Identifier" && node.callee.name === "require" && node.arguments.length > 0 && node.arguments[0].type === "StringLiteral") {
       const specifier = node.arguments[0].value;
       fileNode.explicitImports.add(specifier);
-      fileNode.dynamicImports.add(specifier);
-    } else if (node.callee.type === "Identifier" && node.callee.name === "require" && node.arguments.length > 0 && node.arguments[0].type === "StringLiteral") {
-      fileNode.explicitImports.add(node.arguments[0].value);
+      if (!specifier.startsWith('.') && !specifier.startsWith('/')) {
+        fileNode.externalPackageUsage.add(this._extractPackageName(specifier));
+      }
     }
   }
 
@@ -229,8 +323,15 @@ export class OxcAnalyzer {
     if (node.expression.type === "CallExpression") {
       node.expression.arguments.forEach(arg => {
         // Further analysis of arguments can be done here if needed
-        // e.g., if (arg.type === "StringLiteral") fileNode.decoratorArgs.add(`${decoratorName}:${arg.value}`);
       });
     }
   }
+
+  _extractPackageName(specifier) {
+    if (specifier.startsWith('@')) {
+      const parts = specifier.split('/');
+      return parts.length >= 2 ? `${parts[0]}/${parts[1]}` : specifier;
+    }
+    return specifier.split('/')[0];
+  }
 }

package/src/ast/SecretScanner.js

@@ -0,0 +1,304 @@
+/**
+ * ============================================================================
+ * 🔐 SecretScanner – Hardcoded Credential & API Key Detector
+ * ============================================================================
+ * Scans source files for hardcoded secrets such as API keys, tokens,
+ * passwords, and other sensitive credentials using heuristic pattern matching
+ * on both variable names and string literal values.
+ *
+ * New in v3.3.6: integrated into the main analysis pipeline so that secrets
+ * are surfaced alongside dead-code and unused-dependency findings.
+ */
+
+/**
+ * Severity levels for detected secrets.
+ */
+export const SecretSeverity = {
+  CRITICAL: 'CRITICAL',
+  HIGH: 'HIGH',
+  MEDIUM: 'MEDIUM',
+};
+
+/**
+ * Patterns that flag a variable/property *name* as likely containing a secret.
+ * Matched case-insensitively against the identifier text.
+ */
+const SENSITIVE_NAME_PATTERNS = [
+  // Generic credential names
+  /api[_-]?key/i,
+  /apikey/i,
+  /api[_-]?secret/i,
+  /access[_-]?token/i,
+  /auth[_-]?token/i,
+  /bearer[_-]?token/i,
+  /secret[_-]?key/i,
+  /private[_-]?key/i,
+  /client[_-]?secret/i,
+  /app[_-]?secret/i,
+  // Database credentials
+  /db[_-]?pass(word)?/i,
+  /database[_-]?pass(word)?/i,
+  /db[_-]?url/i,
+  /database[_-]?url/i,
+  /connection[_-]?string/i,
+  // Passwords
+  /^password$/i,
+  /^passwd$/i,
+  /^pwd$/i,
+  /[_-]password$/i,
+  // Tokens
+  /[_-]token$/i,
+  /^token$/i,
+  /jwt[_-]?secret/i,
+  /session[_-]?secret/i,
+  /cookie[_-]?secret/i,
+  // Cloud provider keys
+  /aws[_-]?(access[_-]?key|secret|session[_-]?token)/i,
+  /gcp[_-]?key/i,
+  /azure[_-]?(key|secret|connection)/i,
+  // Service-specific
+  /stripe[_-]?(key|secret)/i,
+  /twilio[_-]?(auth|token|sid)/i,
+  /sendgrid[_-]?key/i,
+  /github[_-]?token/i,
+  /slack[_-]?(token|webhook)/i,
+  /discord[_-]?(token|secret)/i,
+  /openai[_-]?(key|token)/i,
+  /anthropic[_-]?key/i,
+  /webhook[_-]?(url|secret)/i,
+  /encryption[_-]?key/i,
+  /signing[_-]?key/i,
+  /hmac[_-]?key/i,
+  /salt$/i,
+];
+
+/**
+ * Patterns that flag a *string literal value* as likely being a secret.
+ * These are matched against the raw string content.
+ */
+const SENSITIVE_VALUE_PATTERNS = [
+  // AWS Access Key IDs
+  { pattern: /AKIA[0-9A-Z]{16}/, label: 'AWS_ACCESS_KEY_ID', severity: SecretSeverity.CRITICAL },
+  // AWS Secret Access Keys (40-char base64-ish)
+  { pattern: /[A-Za-z0-9/+=]{40}/, label: 'AWS_SECRET_KEY_CANDIDATE', severity: SecretSeverity.MEDIUM },
+  // Generic high-entropy hex strings (32+ chars)
+  { pattern: /^[0-9a-f]{32,}$/i, label: 'HEX_SECRET', severity: SecretSeverity.HIGH },
+  // Generic high-entropy base64 strings (32+ chars)
+  { pattern: /^[A-Za-z0-9+/]{32,}={0,2}$/, label: 'BASE64_SECRET', severity: SecretSeverity.MEDIUM },
+  // JWT tokens
+  { pattern: /^ey[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/, label: 'JWT_TOKEN', severity: SecretSeverity.CRITICAL },
+  // GitHub personal access tokens
+  { pattern: /ghp_[A-Za-z0-9]{36}/, label: 'GITHUB_PAT', severity: SecretSeverity.CRITICAL },
+  { pattern: /github_pat_[A-Za-z0-9_]{82}/, label: 'GITHUB_PAT_FINE', severity: SecretSeverity.CRITICAL },
+  // Stripe keys
+  { pattern: /sk_(live|test)_[A-Za-z0-9]{24,}/, label: 'STRIPE_SECRET_KEY', severity: SecretSeverity.CRITICAL },
+  { pattern: /pk_(live|test)_[A-Za-z0-9]{24,}/, label: 'STRIPE_PUBLIC_KEY', severity: SecretSeverity.HIGH },
+  // Slack tokens
+  { pattern: /xox[baprs]-[A-Za-z0-9-]{10,}/, label: 'SLACK_TOKEN', severity: SecretSeverity.CRITICAL },
+  // Discord tokens
+  { pattern: /[MN][A-Za-z0-9]{23}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27}/, label: 'DISCORD_TOKEN', severity: SecretSeverity.CRITICAL },
+  // Twilio SID
+  { pattern: /AC[a-f0-9]{32}/, label: 'TWILIO_SID', severity: SecretSeverity.HIGH },
+  // SendGrid API key
+  { pattern: /SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}/, label: 'SENDGRID_KEY', severity: SecretSeverity.CRITICAL },
+  // OpenAI API key
+  { pattern: /sk-[A-Za-z0-9]{32,}/, label: 'OPENAI_KEY', severity: SecretSeverity.CRITICAL },
+  // Generic UUID-like tokens that look like secrets (not just any UUID)
+  { pattern: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/, label: 'UUID_SECRET_CANDIDATE', severity: SecretSeverity.MEDIUM },
+];
+
+/**
+ * Minimum length a string value must have to be considered a potential secret.
+ * Short strings like "test", "dev", "localhost" are excluded.
+ */
+const MIN_SECRET_VALUE_LENGTH = 8;
+
+/**
+ * Values that are obviously not secrets (common placeholders / env-var references).
+ */
+const SAFE_VALUE_ALLOWLIST = new Set([
+  'your_api_key_here',
+  'your-api-key',
+  'YOUR_API_KEY',
+  'YOUR_SECRET',
+  'REPLACE_ME',
+  'changeme',
+  'placeholder',
+  'example',
+  'test',
+  'demo',
+  'localhost',
+  '127.0.0.1',
+  'process.env',
+  '',
+]);
+
+/**
+ * Checks whether a string value looks like an environment-variable reference
+ * (e.g. `process.env.SECRET` or `import.meta.env.SECRET`).
+ */
+function isEnvReference(value) {
+  return (
+    value.startsWith('process.env') ||
+    value.startsWith('import.meta.env') ||
+    value.startsWith('${') ||
+    /^[A-Z_][A-Z0-9_]*$/.test(value) // ALL_CAPS env-var placeholder
+  );
+}
+
+/**
+ * Determines whether a string value is high-entropy enough to be a real secret.
+ * Uses Shannon entropy as a heuristic.
+ */
+function shannonEntropy(str) {
+  const freq = {};
+  for (const ch of str) freq[ch] = (freq[ch] || 0) + 1;
+  let entropy = 0;
+  for (const count of Object.values(freq)) {
+    const p = count / str.length;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+
+/**
+ * Main scanner class. Operates on pre-parsed AST nodes produced by either
+ * ASTAnalyzer (TypeScript compiler API) or OxcAnalyzer (oxc-parser).
+ */
+export class SecretScanner {
+  /**
+   * Scans a source file's text for hardcoded secrets.
+   *
+   * @param {string} filePath   - Absolute path to the file being scanned.
+   * @param {string} fileContent - Raw source text of the file.
+   * @returns {Array<SecretFinding>} - Array of detected secret findings.
+   */
+  scanFileContent(filePath, fileContent) {
+    const findings = [];
+    const lines = fileContent.split('\n');
+
+    lines.forEach((line, lineIndex) => {
+      const lineNumber = lineIndex + 1;
+
+      // Skip comment-only lines and import statements
+      const trimmed = line.trim();
+      if (
+        trimmed.startsWith('//') ||
+        trimmed.startsWith('*') ||
+        trimmed.startsWith('/*') ||
+        trimmed.startsWith('import ') ||
+        trimmed.startsWith('export { ')
+      ) {
+        return;
+      }
+
+      // ── Strategy 1: Name-based heuristic ──────────────────────────────────
+      // Look for variable/property assignments where the name matches a
+      // sensitive pattern and the value is a non-trivial string literal.
+      const assignmentMatch = line.match(
+        /(?:const|let|var|readonly)?\s*([A-Za-z_$][A-Za-z0-9_$]*)\s*[=:]\s*["'`]([^"'`]+)["'`]/
+      );
+      if (assignmentMatch) {
+        const [, varName, value] = assignmentMatch;
+        if (
+          value.length >= MIN_SECRET_VALUE_LENGTH &&
+          !SAFE_VALUE_ALLOWLIST.has(value) &&
+          !isEnvReference(value) &&
+          SENSITIVE_NAME_PATTERNS.some(p => p.test(varName))
+        ) {
+          findings.push({
+            file: filePath,
+            line: lineNumber,
+            column: line.indexOf(value),
+            variableName: varName,
+            valueSnippet: this._redact(value),
+            label: this._labelFromName(varName),
+            severity: SecretSeverity.CRITICAL,
+          });
+          return; // Don't double-report the same line
+        }
+      }
+
+      // ── Strategy 2: Value-pattern matching ────────────────────────────────
+      // Extract all string literals on this line and test them against known
+      // secret value patterns.
+      const stringLiterals = [...line.matchAll(/["'`]([^"'`\n]{8,})["'`]/g)];
+      for (const match of stringLiterals) {
+        const value = match[1];
+        if (SAFE_VALUE_ALLOWLIST.has(value) || isEnvReference(value)) continue;
+
+        for (const { pattern, label, severity } of SENSITIVE_VALUE_PATTERNS) {
+          if (pattern.test(value)) {
+            // Avoid duplicate findings for the same position
+            const alreadyReported = findings.some(
+              f => f.line === lineNumber && f.valueSnippet === this._redact(value)
+            );
+            if (!alreadyReported) {
+              findings.push({
+                file: filePath,
+                line: lineNumber,
+                column: line.indexOf(match[0]),
+                variableName: null,
+                valueSnippet: this._redact(value),
+                label,
+                severity,
+              });
+            }
+            break;
+          }
+        }
+      }
+
+      // ── Strategy 3: High-entropy string heuristic ─────────────────────────
+      // Any string literal with Shannon entropy > 4.5 and length >= 20 that
+      // is assigned to a sensitive-named variable is flagged.
+      if (assignmentMatch) {
+        const [, varName, value] = assignmentMatch;
+        if (
+          value.length >= 20 &&
+          shannonEntropy(value) > 4.5 &&
+          !SAFE_VALUE_ALLOWLIST.has(value) &&
+          !isEnvReference(value) &&
+          SENSITIVE_NAME_PATTERNS.some(p => p.test(varName))
+        ) {
+          const alreadyReported = findings.some(f => f.line === lineNumber);
+          if (!alreadyReported) {
+            findings.push({
+              file: filePath,
+              line: lineNumber,
+              column: line.indexOf(value),
+              variableName: varName,
+              valueSnippet: this._redact(value),
+              label: 'HIGH_ENTROPY_SECRET',
+              severity: SecretSeverity.HIGH,
+            });
+          }
+        }
+      }
+    });
+
+    return findings;
+  }
+
+  /**
+   * Redacts a secret value for safe display in reports.
+   * Shows the first 4 characters followed by asterisks.
+   */
+  _redact(value) {
+    if (value.length <= 4) return '****';
+    return value.slice(0, 4) + '*'.repeat(Math.min(value.length - 4, 8));
+  }
+
+  /**
+   * Derives a human-readable label from a variable name.
+   */
+  _labelFromName(name) {
+    const upper = name.toUpperCase();
+    if (/API[_-]?KEY/.test(upper)) return 'API_KEY';
+    if (/TOKEN/.test(upper)) return 'AUTH_TOKEN';
+    if (/PASSWORD|PASSWD|PWD/.test(upper)) return 'PASSWORD';
+    if (/SECRET/.test(upper)) return 'SECRET';
+    if (/DATABASE|DB/.test(upper)) return 'DATABASE_CREDENTIAL';
+    return 'SENSITIVE_VALUE';
+  }
+}