npm - pkg-scaffold - Versions diffs - 3.3.5 → 3.3.6 - Mend

pkg-scaffold 3.3.5 → 3.3.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/README.md +4 -1
package/bin/cli.js +2 -2
package/package.json +8 -3
package/src/EngineContext.js +20 -9
package/src/ast/ASTAnalyzer.js +6 -0
package/src/ast/MagicDetector.js +2 -7
package/src/ast/OxcAnalyzer.js +57 -15
package/src/ast/SecretScanner.js +304 -0
package/src/index.js +63 -2
package/src/performance/WorkerPool.js +6 -3
package/src/resolution/WorkSpaceGraph.js +9 -0
package/src/performance/WorkerTaskRunner.js +0 -83

package/README.md CHANGED Viewed

@@ -14,6 +14,7 @@
 *   **🔌 Massive Plugin Ecosystem:** Over 20+ built-in plugins (Next.js, Nuxt, SvelteKit, Tailwind, Jest, Vitest, Playwright, GitHub Actions, Webpack, Babel, Rollup, ESLint, Prettier, Husky, and many more).
 *   **💀 True Dead Code Detection:** Advanced graph-based reachability analysis to find truly dead files and unused exports, even deep within your codebase.
 *   **🔄 Circular Dependency Detection:** High-performance Tarjan-based algorithm to detect and report circular dependencies.
+*   **🔐 Secrets Scanning:** Automatically detects hardcoded API keys, tokens, and credentials (v3.3.6+).
 *   **🛡️ Supply Chain Guard:** Detects typosquatting and verifies integrity lockfile hashes.
 *   **🛠️ Automated Structural Healing:** Not just reporting, but automatically fixing structural issues (removing dead files, pruning unused dependencies) with git-based rollback protection.
 *   **⚙️ Flexible Configuration:** Supports `pkg-scaffold.json`, `pkg-scaffold.ts`, `scaffold.config.js`, and more.
@@ -33,9 +34,11 @@ pnpm add -D pkg-scaffold
 Run the CLI at the root of your project:
 ```bash
-npx pkg-scaffold --run
+npx pkg-scaffold -r
 ```
+> **Note**: Always use the `-r` flag to start the analysis loop. v3.3.6+ also features **Auto-Detection for Monorepos**.
 ### CLI Options
 *   `-c, --cwd <path>`: Specify the execution context root directory.

package/bin/cli.js CHANGED Viewed

@@ -64,7 +64,7 @@ async function bootstrap() {
         const answer = await rl.question(ansis.bold.yellow('❓ No "pkg-scaffold:run" script found in package.json. Install it? (y/n): '));
         if (answer.toLowerCase() === 'y') {
           pkgJson.scripts = pkgJson.scripts || {};
-          pkgJson.scripts['pkg-scaffold:run'] = 'pkg-scaffold --fix';
+          pkgJson.scripts['pkg-scaffold:run'] = 'npx pkg-scaffold --fix';
           await fs.writeFile(pkgJsonPath, JSON.stringify(pkgJson, null, 2));
           console.log(ansis.green('✅ "pkg-scaffold:run" script added to package.json.'));
         }
@@ -95,7 +95,7 @@ async function bootstrap() {
       if (pkgJson?.scripts?.['pkg-scaffold:run'] || configInstalled) {
         console.log(ansis.bold.cyan('\n🚀 Setup complete! To start the engine, run:'));
-        console.log(ansis.white(`   - pkg-scaffold -r`));
+        console.log(ansis.white(`   - npx pkg-scaffold -r`));
         console.log(ansis.white(`   - npm run pkg-scaffold:run\n`));
       }
     }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "pkg-scaffold",
-  "version": "3.3.5",
+  "version": "3.3.6",
   "description": "The Ultimate Enterprise Codebase Janitor. Faster than Knip with OXC integration, type-aware analysis, and automated structural healing. Fully standalone - solving what Knip cannot.",
   "type": "module",
   "main": "index.js",
@@ -9,7 +9,7 @@
   },
   "scripts": {
     "start": "node bin/cli.js",
-    "pkg-scaffold:run": "node bin/cli.js",
+    "pkg-scaffold:run": "npx pkg-scaffold --fix",
     "test": "echo \"Error: no test specified\" && exit 0",
     "test:stability": "npm run test",
     "docs:dev": "vitepress dev docs",
@@ -48,7 +48,12 @@
     "package.json",
     "packages",
     "scan",
+    "security",
+    "secret-scanner",
+    "secrets",
+    "hardcoded-secrets",
+    "credentials",
+    "audit",
     "structural-healing",
     "setup",
     "type",

package/src/EngineContext.js CHANGED Viewed

@@ -1,6 +1,6 @@
 /**
  * ============================================================================
- * 📦 pkg-scaffold v3.3.5: Enterprise In-Memory Codebase State Manifest
+ * 📦 pkg-scaffold v3.3.6: Enterprise In-Memory Codebase State Manifest
  * ============================================================================
  * Implements a high-density, centralized graph database context for tracking
  * software engineering debt, dependencies, types, and vulnerabilities.
@@ -50,6 +50,8 @@ export class GraphNode {
     // Detailed AST Location Diagnostics (Symbol -> Structural Location Mapping)
     this.symbolSourceLocations = new Map(); // Symbol -> { line: number, column: number, length: number }
+    // Security threat findings for this file
+    this.securityThreats = [];
   }
   /**
@@ -64,17 +66,25 @@ export class GraphNode {
       if (!parentNode) continue;
       // Check if the symbol is explicitly imported by the parent
-      const importKey = `${path.relative(path.dirname(parentPath), this.filePath).replace(/\\/g, '/')}:${symbolName}`;
-      const importKeyAlt = `${path.relative(path.dirname(parentPath), this.filePath).replace(/\\/g, '/').replace(/\.(js|ts|tsx|jsx)$/, '')}:${symbolName}`;
+      // Strategy 1: Check absolute path based tokens (more reliable)
+      const absoluteImportKey = `${this.filePath}:${symbolName}`;
+      const absoluteStarKey = `${this.filePath}:*`;
-      if (parentNode.importedSymbols.has(importKey) || parentNode.importedSymbols.has(importKeyAlt)) {
+      if (parentNode.importedSymbols.has(absoluteImportKey) || parentNode.importedSymbols.has(absoluteStarKey)) {
         return true;
       }
-      // Check for star imports or namespace imports
-      const starKey = `${path.relative(path.dirname(parentPath), this.filePath).replace(/\\/g, '/')}:*`;
-      const starKeyAlt = `${path.relative(path.dirname(parentPath), this.filePath).replace(/\\/g, '/').replace(/\.(js|ts|tsx|jsx)$/, '')}:*`;
-      if (parentNode.importedSymbols.has(starKey) || parentNode.importedSymbols.has(starKeyAlt)) {
+      // Strategy 2: Check relative path based tokens (legacy/compatibility)
+      const relativePath = path.relative(path.dirname(parentPath), this.filePath).replace(/\\/g, '/');
+      const relativePathNoExt = relativePath.replace(/\.(js|ts|tsx|jsx)$/, '');
+      const importKey = `${relativePath}:${symbolName}`;
+      const importKeyAlt = `${relativePathNoExt}:${symbolName}`;
+      const starKey = `${relativePath}:*`;
+      const starKeyAlt = `${relativePathNoExt}:*`;
+      if (parentNode.importedSymbols.has(importKey) || parentNode.importedSymbols.has(importKeyAlt) ||
+          parentNode.importedSymbols.has(starKey) || parentNode.importedSymbols.has(starKeyAlt)) {
         return true;
       }
@@ -117,7 +127,7 @@ export class GraphNode {
       incomingDependenciesCount: this.incomingEdges.size,
       outgoingDependenciesCount: this.outgoingEdges.size,
       isDanglingOrphan: this.incomingEdges.size === 0 && !this.isLibraryEntry,
-      trackedThreatsCount: this.securityThreats.length
+      trackedThreatsCount: (this.securityThreats || []).length
     };
   }
 }
@@ -160,6 +170,7 @@ export class EngineContext {
     };
     this.usedExternalPackages = new Set(); // Global set of used npm packages
     this.manifestDependencies = new Map(); // Package.json path -> { dependencies, devDependencies, peerDependencies, optionalDependencies }
+    this.allSecretFindings = []; // Aggregated hardcoded secret findings across all scanned files
     // DependencyProfiler instance for implicit invocation tracing
     this._depProfiler = new DependencyProfiler(this);

package/src/ast/ASTAnalyzer.js CHANGED Viewed

@@ -274,6 +274,8 @@ export class ASTAnalyzer {
             start: decl.getStart(sourceFile),
             end: decl.getEnd()
           });
+          const loc = sourceFile.getLineAndCharacterOfPosition(decl.getStart(sourceFile));
+          fileNode.symbolSourceLocations.set(name, { line: loc.line + 1, column: loc.character + 1 });
           this.addDeclaredSymbol(name, decl, sourceFile);
         } else if (decl.name && ts.isObjectBindingPattern(decl.name)) {
            decl.name.elements.forEach(element => {
@@ -284,6 +286,8 @@ export class ASTAnalyzer {
                        start: element.getStart(sourceFile),
                        end: element.getEnd()
                    });
+                   const loc = sourceFile.getLineAndCharacterOfPosition(element.getStart(sourceFile));
+                   fileNode.symbolSourceLocations.set(name, { line: loc.line + 1, column: loc.character + 1 });
                    this.addDeclaredSymbol(name, element, sourceFile);
                }
            });
@@ -296,6 +300,8 @@ export class ASTAnalyzer {
                        start: element.getStart(sourceFile),
                        end: element.getEnd()
                    });
+                   const loc = sourceFile.getLineAndCharacterOfPosition(element.getStart(sourceFile));
+                   fileNode.symbolSourceLocations.set(name, { line: loc.line + 1, column: loc.character + 1 });
                    this.addDeclaredSymbol(name, element, sourceFile);
                }
            });

package/src/ast/MagicDetector.js CHANGED Viewed

@@ -110,17 +110,12 @@ export class MagicDetector {
       // CLI binaries
       '/bin/cli.js', '/bin/cli.ts', '/bin/cli.mjs',
       '/bin/index.js', '/bin/index.ts',
-      // Server / app entry points
-      '/src/server.ts', '/src/server.js',
+      // Server / app entry points (Reduced in v3.3.6 to avoid false positives in libraries)
       '/src/main.ts', '/src/main.js',
       '/src/app.ts', '/src/app.js',
-      '/src/index.ts', '/src/index.tsx',
-      '/src/index.js', '/src/index.jsx',
-      '/server.ts', '/server.js',
+      '/src/api/HeadlessAPI.js', '/src/api/PluginSDK.js',
       '/main.ts', '/main.js',
       '/app.ts', '/app.js',
-      '/index.ts', '/index.tsx',
-      '/index.js', '/index.jsx',
     ];
     if (entryPatterns.some(p => normalizedPath.endsWith(p))) return true;

package/src/ast/OxcAnalyzer.js CHANGED Viewed

@@ -1,19 +1,42 @@
 export class OxcAnalyzer {
   constructor(context) {
     this.context = context;
+    this.oxc = null;
+    this.isAvailable = false;
+    // Initialization is handled via init() or lazily during parseFile
+  }
+  async init() {
+    if (this.isAvailable) return true;
     try {
-      this.oxc = require("oxc-parser");
+      // In ESM, we use dynamic import()
+      const oxc = await import("oxc-parser");
+      this.oxc = oxc;
       this.isAvailable = true;
+      return true;
     } catch (e) {
-      this.isAvailable = false;
-      if (this.context.verbose) {
-        console.warn("[OxcAnalyzer] oxc-parser not found, falling back to TypeScript compiler API.");
+      try {
+        // Fallback for older node versions or specific bundling setups
+        const { createRequire } = await import('module');
+        const require = createRequire(import.meta.url);
+        this.oxc = require("oxc-parser");
+        this.isAvailable = true;
+        return true;
+      } catch (err) {
+        this.isAvailable = false;
+        if (this.context.verbose) {
+          console.warn("[OxcAnalyzer] oxc-parser not found or failed to load, falling back to TypeScript compiler API.");
+        }
+        return false;
       }
     }
   }
-  parseFile(filePath, content, fileNode) {
-    if (!this.isAvailable) return false;
+  async parseFile(filePath, content, fileNode) {
+    if (!this.isAvailable) {
+      const initialized = await this.init();
+      if (!initialized) return false;
+    }
     try {
       if (this.context.verbose) {
@@ -32,6 +55,26 @@ export class OxcAnalyzer {
       fileNode.decorators = new Set();
       this.walkOxcAst(ast.program, fileNode, content);
+      // Compute line/column for each export start position
+      const lines = content.split('\n');
+      const getLineCol = (pos) => {
+        let count = 0;
+        for (let i = 0; i < lines.length; i++) {
+          if (count + lines[i].length + 1 > pos) {
+            return { line: i + 1, column: pos - count + 1 };
+          }
+          count += lines[i].length + 1;
+        }
+        return { line: 1, column: 1 };
+      };
+      for (const [name, meta] of fileNode.internalExports.entries()) {
+        if (meta.start !== undefined) {
+          fileNode.symbolSourceLocations.set(name, getLineCol(meta.start));
+        }
+      }
       return true;
     } catch (e) {
       if (this.context.verbose) {
@@ -63,6 +106,10 @@ export class OxcAnalyzer {
       case "Decorator":
         this.handleDecorator(node, fileNode);
         break;
+      case "StringLiteral":
+        // Track for secret scanning if it looks like a secret
+        fileNode.rawStringReferences.add(node.value);
+        break;
     }
     // Traverse children
@@ -109,7 +156,7 @@ export class OxcAnalyzer {
     if (node.type === "ExportAllDeclaration") {
       const sourceSpecifier = node.source ? node.source.value : null;
       if (sourceSpecifier) {
-        // FIX: Register re-export source as an explicit import so the graph linker
+        // Register re-export source as an explicit import so the graph linker
         // creates an incomingEdge on the re-exported file.
         fileNode.explicitImports.add(sourceSpecifier);
@@ -128,7 +175,7 @@ export class OxcAnalyzer {
         } else {
           // export * from 'module'
           fileNode.internalExports.set("*", { type: "re-export-all", source: sourceSpecifier });
-          // FIX: Register as wildcard importedSymbol so graph linker creates incomingEdge
+          // Register as wildcard importedSymbol so graph linker creates incomingEdge
           fileNode.importedSymbols.add(`${sourceSpecifier}:*`);
         }
       }
@@ -138,7 +185,7 @@ export class OxcAnalyzer {
     if (node.source) {
       // Re-export with source: export { x } from 'module'
       const specifier = node.source.value;
-      // FIX: Register re-export source as an explicit import
+      // Register re-export source as an explicit import
       fileNode.explicitImports.add(specifier);
       // Track external package usage from re-exports
@@ -157,7 +204,7 @@ export class OxcAnalyzer {
             start: node.start,
             end: node.end,
           });
-          // FIX: Register as importedSymbol so barrel-tracer can resolve origin file
+          // Register as importedSymbol so barrel-tracer can resolve origin file
           fileNode.importedSymbols.add(`${specifier}:${localName}`);
         });
       }
@@ -276,15 +323,10 @@ export class OxcAnalyzer {
     if (node.expression.type === "CallExpression") {
       node.expression.arguments.forEach(arg => {
         // Further analysis of arguments can be done here if needed
-        // e.g., if (arg.type === "StringLiteral") fileNode.decoratorArgs.add(`${decoratorName}:${arg.value}`);
       });
     }
   }
-  /**
-   * Extracts the root npm package name from an import specifier.
-   * Handles scoped packages (@scope/pkg) and subpath imports (pkg/utils, @scope/pkg/utils).
-   */
   _extractPackageName(specifier) {
     if (specifier.startsWith('@')) {
       const parts = specifier.split('/');

package/src/ast/SecretScanner.js ADDED Viewed

@@ -0,0 +1,304 @@
+/**
+ * ============================================================================
+ * 🔐 SecretScanner – Hardcoded Credential & API Key Detector
+ * ============================================================================
+ * Scans source files for hardcoded secrets such as API keys, tokens,
+ * passwords, and other sensitive credentials using heuristic pattern matching
+ * on both variable names and string literal values.
+ *
+ * New in v3.3.6: integrated into the main analysis pipeline so that secrets
+ * are surfaced alongside dead-code and unused-dependency findings.
+ */
+/**
+ * Severity levels for detected secrets.
+ */
+export const SecretSeverity = {
+  CRITICAL: 'CRITICAL',
+  HIGH: 'HIGH',
+  MEDIUM: 'MEDIUM',
+};
+/**
+ * Patterns that flag a variable/property *name* as likely containing a secret.
+ * Matched case-insensitively against the identifier text.
+ */
+const SENSITIVE_NAME_PATTERNS = [
+  // Generic credential names
+  /api[_-]?key/i,
+  /apikey/i,
+  /api[_-]?secret/i,
+  /access[_-]?token/i,
+  /auth[_-]?token/i,
+  /bearer[_-]?token/i,
+  /secret[_-]?key/i,
+  /private[_-]?key/i,
+  /client[_-]?secret/i,
+  /app[_-]?secret/i,
+  // Database credentials
+  /db[_-]?pass(word)?/i,
+  /database[_-]?pass(word)?/i,
+  /db[_-]?url/i,
+  /database[_-]?url/i,
+  /connection[_-]?string/i,
+  // Passwords
+  /^password$/i,
+  /^passwd$/i,
+  /^pwd$/i,
+  /[_-]password$/i,
+  // Tokens
+  /[_-]token$/i,
+  /^token$/i,
+  /jwt[_-]?secret/i,
+  /session[_-]?secret/i,
+  /cookie[_-]?secret/i,
+  // Cloud provider keys
+  /aws[_-]?(access[_-]?key|secret|session[_-]?token)/i,
+  /gcp[_-]?key/i,
+  /azure[_-]?(key|secret|connection)/i,
+  // Service-specific
+  /stripe[_-]?(key|secret)/i,
+  /twilio[_-]?(auth|token|sid)/i,
+  /sendgrid[_-]?key/i,
+  /github[_-]?token/i,
+  /slack[_-]?(token|webhook)/i,
+  /discord[_-]?(token|secret)/i,
+  /openai[_-]?(key|token)/i,
+  /anthropic[_-]?key/i,
+  /webhook[_-]?(url|secret)/i,
+  /encryption[_-]?key/i,
+  /signing[_-]?key/i,
+  /hmac[_-]?key/i,
+  /salt$/i,
+];
+/**
+ * Patterns that flag a *string literal value* as likely being a secret.
+ * These are matched against the raw string content.
+ */
+const SENSITIVE_VALUE_PATTERNS = [
+  // AWS Access Key IDs
+  { pattern: /AKIA[0-9A-Z]{16}/, label: 'AWS_ACCESS_KEY_ID', severity: SecretSeverity.CRITICAL },
+  // AWS Secret Access Keys (40-char base64-ish)
+  { pattern: /[A-Za-z0-9/+=]{40}/, label: 'AWS_SECRET_KEY_CANDIDATE', severity: SecretSeverity.MEDIUM },
+  // Generic high-entropy hex strings (32+ chars)
+  { pattern: /^[0-9a-f]{32,}$/i, label: 'HEX_SECRET', severity: SecretSeverity.HIGH },
+  // Generic high-entropy base64 strings (32+ chars)
+  { pattern: /^[A-Za-z0-9+/]{32,}={0,2}$/, label: 'BASE64_SECRET', severity: SecretSeverity.MEDIUM },
+  // JWT tokens
+  { pattern: /^ey[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/, label: 'JWT_TOKEN', severity: SecretSeverity.CRITICAL },
+  // GitHub personal access tokens
+  { pattern: /ghp_[A-Za-z0-9]{36}/, label: 'GITHUB_PAT', severity: SecretSeverity.CRITICAL },
+  { pattern: /github_pat_[A-Za-z0-9_]{82}/, label: 'GITHUB_PAT_FINE', severity: SecretSeverity.CRITICAL },
+  // Stripe keys
+  { pattern: /sk_(live|test)_[A-Za-z0-9]{24,}/, label: 'STRIPE_SECRET_KEY', severity: SecretSeverity.CRITICAL },
+  { pattern: /pk_(live|test)_[A-Za-z0-9]{24,}/, label: 'STRIPE_PUBLIC_KEY', severity: SecretSeverity.HIGH },
+  // Slack tokens
+  { pattern: /xox[baprs]-[A-Za-z0-9-]{10,}/, label: 'SLACK_TOKEN', severity: SecretSeverity.CRITICAL },
+  // Discord tokens
+  { pattern: /[MN][A-Za-z0-9]{23}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27}/, label: 'DISCORD_TOKEN', severity: SecretSeverity.CRITICAL },
+  // Twilio SID
+  { pattern: /AC[a-f0-9]{32}/, label: 'TWILIO_SID', severity: SecretSeverity.HIGH },
+  // SendGrid API key
+  { pattern: /SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}/, label: 'SENDGRID_KEY', severity: SecretSeverity.CRITICAL },
+  // OpenAI API key
+  { pattern: /sk-[A-Za-z0-9]{32,}/, label: 'OPENAI_KEY', severity: SecretSeverity.CRITICAL },
+  // Generic UUID-like tokens that look like secrets (not just any UUID)
+  { pattern: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/, label: 'UUID_SECRET_CANDIDATE', severity: SecretSeverity.MEDIUM },
+];
+/**
+ * Minimum length a string value must have to be considered a potential secret.
+ * Short strings like "test", "dev", "localhost" are excluded.
+ */
+const MIN_SECRET_VALUE_LENGTH = 8;
+/**
+ * Values that are obviously not secrets (common placeholders / env-var references).
+ */
+const SAFE_VALUE_ALLOWLIST = new Set([
+  'your_api_key_here',
+  'your-api-key',
+  'YOUR_API_KEY',
+  'YOUR_SECRET',
+  'REPLACE_ME',
+  'changeme',
+  'placeholder',
+  'example',
+  'test',
+  'demo',
+  'localhost',
+  '127.0.0.1',
+  'process.env',
+  '',
+]);
+/**
+ * Checks whether a string value looks like an environment-variable reference
+ * (e.g. `process.env.SECRET` or `import.meta.env.SECRET`).
+ */
+function isEnvReference(value) {
+  return (
+    value.startsWith('process.env') ||
+    value.startsWith('import.meta.env') ||
+    value.startsWith('${') ||
+    /^[A-Z_][A-Z0-9_]*$/.test(value) // ALL_CAPS env-var placeholder
+  );
+}
+/**
+ * Determines whether a string value is high-entropy enough to be a real secret.
+ * Uses Shannon entropy as a heuristic.
+ */
+function shannonEntropy(str) {
+  const freq = {};
+  for (const ch of str) freq[ch] = (freq[ch] || 0) + 1;
+  let entropy = 0;
+  for (const count of Object.values(freq)) {
+    const p = count / str.length;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+/**
+ * Main scanner class. Operates on pre-parsed AST nodes produced by either
+ * ASTAnalyzer (TypeScript compiler API) or OxcAnalyzer (oxc-parser).
+ */
+export class SecretScanner {
+  /**
+   * Scans a source file's text for hardcoded secrets.
+   *
+   * @param {string} filePath   - Absolute path to the file being scanned.
+   * @param {string} fileContent - Raw source text of the file.
+   * @returns {Array<SecretFinding>} - Array of detected secret findings.
+   */
+  scanFileContent(filePath, fileContent) {
+    const findings = [];
+    const lines = fileContent.split('\n');
+    lines.forEach((line, lineIndex) => {
+      const lineNumber = lineIndex + 1;
+      // Skip comment-only lines and import statements
+      const trimmed = line.trim();
+      if (
+        trimmed.startsWith('//') ||
+        trimmed.startsWith('*') ||
+        trimmed.startsWith('/*') ||
+        trimmed.startsWith('import ') ||
+        trimmed.startsWith('export { ')
+      ) {
+        return;
+      }
+      // ── Strategy 1: Name-based heuristic ──────────────────────────────────
+      // Look for variable/property assignments where the name matches a
+      // sensitive pattern and the value is a non-trivial string literal.
+      const assignmentMatch = line.match(
+        /(?:const|let|var|readonly)?\s*([A-Za-z_$][A-Za-z0-9_$]*)\s*[=:]\s*["'`]([^"'`]+)["'`]/
+      );
+      if (assignmentMatch) {
+        const [, varName, value] = assignmentMatch;
+        if (
+          value.length >= MIN_SECRET_VALUE_LENGTH &&
+          !SAFE_VALUE_ALLOWLIST.has(value) &&
+          !isEnvReference(value) &&
+          SENSITIVE_NAME_PATTERNS.some(p => p.test(varName))
+        ) {
+          findings.push({
+            file: filePath,
+            line: lineNumber,
+            column: line.indexOf(value),
+            variableName: varName,
+            valueSnippet: this._redact(value),
+            label: this._labelFromName(varName),
+            severity: SecretSeverity.CRITICAL,
+          });
+          return; // Don't double-report the same line
+        }
+      }
+      // ── Strategy 2: Value-pattern matching ────────────────────────────────
+      // Extract all string literals on this line and test them against known
+      // secret value patterns.
+      const stringLiterals = [...line.matchAll(/["'`]([^"'`\n]{8,})["'`]/g)];
+      for (const match of stringLiterals) {
+        const value = match[1];
+        if (SAFE_VALUE_ALLOWLIST.has(value) || isEnvReference(value)) continue;
+        for (const { pattern, label, severity } of SENSITIVE_VALUE_PATTERNS) {
+          if (pattern.test(value)) {
+            // Avoid duplicate findings for the same position
+            const alreadyReported = findings.some(
+              f => f.line === lineNumber && f.valueSnippet === this._redact(value)
+            );
+            if (!alreadyReported) {
+              findings.push({
+                file: filePath,
+                line: lineNumber,
+                column: line.indexOf(match[0]),
+                variableName: null,
+                valueSnippet: this._redact(value),
+                label,
+                severity,
+              });
+            }
+            break;
+          }
+        }
+      }
+      // ── Strategy 3: High-entropy string heuristic ─────────────────────────
+      // Any string literal with Shannon entropy > 4.5 and length >= 20 that
+      // is assigned to a sensitive-named variable is flagged.
+      if (assignmentMatch) {
+        const [, varName, value] = assignmentMatch;
+        if (
+          value.length >= 20 &&
+          shannonEntropy(value) > 4.5 &&
+          !SAFE_VALUE_ALLOWLIST.has(value) &&
+          !isEnvReference(value) &&
+          SENSITIVE_NAME_PATTERNS.some(p => p.test(varName))
+        ) {
+          const alreadyReported = findings.some(f => f.line === lineNumber);
+          if (!alreadyReported) {
+            findings.push({
+              file: filePath,
+              line: lineNumber,
+              column: line.indexOf(value),
+              variableName: varName,
+              valueSnippet: this._redact(value),
+              label: 'HIGH_ENTROPY_SECRET',
+              severity: SecretSeverity.HIGH,
+            });
+          }
+        }
+      }
+    });
+    return findings;
+  }
+  /**
+   * Redacts a secret value for safe display in reports.
+   * Shows the first 4 characters followed by asterisks.
+   */
+  _redact(value) {
+    if (value.length <= 4) return '****';
+    return value.slice(0, 4) + '*'.repeat(Math.min(value.length - 4, 8));
+  }
+  /**
+   * Derives a human-readable label from a variable name.
+   */
+  _labelFromName(name) {
+    const upper = name.toUpperCase();
+    if (/API[_-]?KEY/.test(upper)) return 'API_KEY';
+    if (/TOKEN/.test(upper)) return 'AUTH_TOKEN';
+    if (/PASSWORD|PASSWD|PWD/.test(upper)) return 'PASSWORD';
+    if (/SECRET/.test(upper)) return 'SECRET';
+    if (/DATABASE|DB/.test(upper)) return 'DATABASE_CREDENTIAL';
+    return 'SENSITIVE_VALUE';
+  }
+}

package/src/index.js CHANGED Viewed

@@ -1,8 +1,9 @@
 import { DeadCodeDetector } from "./ast/DeadCodeDetector.js";
 import { OxcAnalyzer } from "./ast/OxcAnalyzer.js";
+import { SecretScanner } from './ast/SecretScanner.js';
 /**
  * ============================================================================
- * 📦 pkg-scaffold v3.4.0: Unified Architectural Refactoring Orchestrator
+ * 📦 pkg-scaffold v3.3.6: Unified Architectural Refactoring Orchestrator
  * ============================================================================
  * Main execution bridge managing multi-pass compilation cycles, semantic cross-linking,
  * supply-chain validation audits, and automated structural healing rollbacks.
@@ -64,6 +65,8 @@ export class RefactoringEngine {
     this.workerPool = new WorkerPool(this.context);
     this.gitSandbox = new GitSandbox(this.context);
     this.selfHealer = new SelfHealer(this.context, this.txManager, this.gitSandbox);
+    // Stage 6: Secret / hardcoded credential scanner
+    this.secretScanner = new SecretScanner();
   }
   /**
@@ -130,6 +133,15 @@ export class RefactoringEngine {
         if (isFileCached) {
           this.context.metrics.cacheHits++;
           this.hydrateNodeFromCache(node, cacheManifest[filePath]);
+          // Re-run secret scan even on cached files (secrets may change without AST change)
+          try {
+            const cachedContent = await fs.readFile(filePath, 'utf8');
+            const secretFindings = this.secretScanner.scanFileContent(filePath, cachedContent);
+            if (secretFindings.length > 0) {
+              node.securityThreats = (node.securityThreats || []).concat(secretFindings);
+              secretFindings.forEach(f => this.context.allSecretFindings.push(f));
+            }
+          } catch { /* unreadable file – skip */ }
         } else if (!parallelParseCompleted) {
           this.context.metrics.cacheMisses++;
           const fileContent = await fs.readFile(filePath, 'utf8'); // Read file content here
@@ -138,6 +150,12 @@ export class RefactoringEngine {
           } else {
             this.analyzer.parseFile(filePath, fileContent, node);
           }
+          // Secret scan on freshly parsed content
+          const secretFindings = this.secretScanner.scanFileContent(filePath, fileContent);
+          if (secretFindings.length > 0) {
+            node.securityThreats = (node.securityThreats || []).concat(secretFindings);
+            secretFindings.forEach(f => this.context.allSecretFindings.push(f));
+          }
         }
         this.magicDetector.injectVirtualConsumerEdges(filePath, node, activeFrameworkEcosystems);
@@ -189,8 +207,33 @@ export class RefactoringEngine {
         this.circularDetector.formatCycles().forEach(c => console.log(ansis.dim(`    • ${c}`)));
       }
+      // Pass 4b: Report hardcoded secrets
+      console.log(ansis.dim('🔐 Scanning for hardcoded secrets...'));
+      const allSecrets = this.context.allSecretFindings || [];
+      if (allSecrets.length > 0) {
+        const criticalSecrets = allSecrets.filter(s => s.severity === 'CRITICAL');
+        const otherSecrets = allSecrets.filter(s => s.severity !== 'CRITICAL');
+        console.log(ansis.bold.red(`\n🔐 Hardcoded Secrets Detected (${allSecrets.length}):`) );
+        if (criticalSecrets.length > 0) {
+          console.log(ansis.red(`  CRITICAL (${criticalSecrets.length}):`));
+          criticalSecrets.forEach(s => {
+            const relPath = path.relative(this.context.cwd, s.file);
+            const varInfo = s.variableName ? ` [${s.label}]` : ` [${s.label}]`;
+            console.log(ansis.dim(`    • ${s.variableName || '<literal>'} in ${relPath}:${s.line}${varInfo}`));
+          });
+        }
+        if (otherSecrets.length > 0) {
+          console.log(ansis.yellow(`  HIGH/MEDIUM (${otherSecrets.length}):`));
+          otherSecrets.forEach(s => {
+            const relPath = path.relative(this.context.cwd, s.file);
+            console.log(ansis.dim(`    • ${s.variableName || '<literal>'} in ${relPath}:${s.line} [${s.label}]`));
+          });
+        }
+      }
       // Pass 5: Compile metrics summary and print diagnostics report
       const analysisSummary = await this.context.generateSummaryReport();
+      analysisSummary.structuralIssuesDetected.hardcodedSecrets = allSecrets;
       this.displayConsoleDiagnostics(analysisSummary);
       // Pass 6: Display Optimization Plan and Run Automated Structural Healing
@@ -275,6 +318,7 @@ export class RefactoringEngine {
       const res = path.resolve(dir, entry.name);
       if (entry.isDirectory()) {
         if (entry.name === 'node_modules' || entry.name === '.git' || entry.name === '.scaffold-cache') continue;
+        if (this.context.verbose) console.log(ansis.dim(`📂 Scanning deep folder: ${res}`));
         await this.discoverSourceFiles(res, fileList);
       } else {
         const ext = path.extname(entry.name);
@@ -304,6 +348,15 @@ export class RefactoringEngine {
         }
       }
+      // Pass A.2: Mark package entry points as library entries
+      for (const pkg of this.workspaceGraph.packageManifests.values()) {
+        for (const entryPath of pkg.entryPoints) {
+          if (this.context.graph.has(entryPath)) {
+            this.context.graph.get(entryPath).isLibraryEntry = true;
+          }
+        }
+      }
       // Pass B: Link named-symbol imports through barrel/re-export chains
       for (const specToken of node.importedSymbols) {
         const delimiterIndex = specToken.indexOf(':');
@@ -326,6 +379,9 @@ export class RefactoringEngine {
           if (traceResolution && this.context.graph.has(traceResolution.originFile)) {
             this.context.graph.get(traceResolution.originFile).incomingEdges.add(filePath);
             node.outgoingEdges.add(traceResolution.originFile);
+            // Fix: Store the absolute resolution in importedSymbols so isSymbolReferencedExternally can find it
+            // Use the traced symbol name (in case of re-exports with renaming)
+            node.importedSymbols.add(`${traceResolution.originFile}:${traceResolution.symbolName}`);
           }
         }
       }
@@ -356,9 +412,11 @@ export class RefactoringEngine {
     console.log(`💾 Cache Optimization: ${summary.graphCacheOptimization.ratio} hits`);
     console.log(ansis.bold('\n🔍 Structural Integrity:'));
+    const secretCount = (summary.structuralIssuesDetected.hardcodedSecrets || []).length;
     if (summary.structuralIssuesDetected.deadFiles.length === 0 &&
         summary.structuralIssuesDetected.deadExports.length === 0 &&
-        summary.structuralIssuesDetected.unusedDependencies.length === 0) {
+        summary.structuralIssuesDetected.unusedDependencies.length === 0 &&
+        secretCount === 0) {
       console.log(ansis.green('  ✅ No major structural debt detected.'));
     } else {
       if (summary.structuralIssuesDetected.deadFiles.length > 0) {
@@ -370,6 +428,9 @@ export class RefactoringEngine {
       if (summary.structuralIssuesDetected.unusedDependencies.length > 0) {
         console.log(ansis.yellow(`  📦 Found ${summary.structuralIssuesDetected.unusedDependencies.length} unused dependencies.`));
       }
+      if (secretCount > 0) {
+        console.log(ansis.red(`  🔐 Found ${secretCount} hardcoded secret(s) / credential(s).`));
+      }
     }
     console.log(ansis.dim('\n------------------------------------------------------------\n'));

package/src/performance/WorkerPool.js CHANGED Viewed

@@ -1,6 +1,7 @@
-import { Worker, isMainThread, parentPort, workerData } from 'worker_threads';
+import { Worker } from 'worker_threads';
 import os from 'os';
 import path from 'path';
+import { fileURLToPath } from 'url';
 /**
  * Host CPU Thread-Distribution Pipeline Supervisor
@@ -11,7 +12,9 @@ export class WorkerPool {
     this.context = context;
     // Dynamically query host specs; default down to 1 if threading channels are choked
     this.hardwareConcurrencyCoreCount = maximumConcurrencyLimit || os.availableParallelism?.() || os.cpus().length || 2;
-    this.workerScriptPath = path.resolve(path.dirname(import.meta.url.replace('file://', '')), 'WorkerTaskRunner.js');
+    // Resolve worker script path relative to this module
+    const __dir = path.dirname(fileURLToPath(import.meta.url));
+    this.workerScriptPath = path.resolve(__dir, 'WorkerTaskRunner.js');
   }
   /**
@@ -86,7 +89,7 @@ export class WorkerPool {
   executeChunkInsideThread(fileChunkSubset) {
     return new Promise((resolve, reject) => {
-      const workerInstance = new Worker(this.workerScriptPath, {
+      const workerInstance = new Worker(this.workerScriptPath, { type: 'module',
         workerData: { files: fileChunkSubset, contextOptions: { verbose: this.context.verbose } }
       });

package/src/resolution/WorkSpaceGraph.js CHANGED Viewed

@@ -83,6 +83,15 @@ export class WorkspaceGraph {
     if (workspaceGlobs.length > 0) {
       this.context.isWorkspaceEnabled = true;
+      if (this.context.verbose) {
+        console.log(`🌐 Auto-detected monorepo layout with ${workspaceGlobs.length} glob patterns.`);
+      }
+    } else if (this.context.isWorkspaceEnabled) {
+      // Force enabled via flag but no patterns found; default to standard packages/*
+      workspaceGlobs = ['packages/*'];
+      if (this.context.verbose) {
+        console.log(`🌐 Workspace mode forced via flag. Using default patterns: ${workspaceGlobs.join(', ')}`);
+      }
     } else {
       return; // Workspace mesh maps skipped for single-package targets
     }

package/src/performance/WorkerTaskRunner.js DELETED Viewed

@@ -1,83 +0,0 @@
-import { parentPort, workerData } from 'worker_threads';
-import { ASTAnalyzer } from '../ast/ASTAnalyzer.js';
-import ts from 'typescript';
-import fs from 'fs';
-/**
- * Isolated Worker Thread Target Pipeline Task Loop Execution Instance
- */
-async function processThreadChunks() {
-  const { files, contextOptions } = workerData;
-  const partialGraphPayloadResults = [];
-  // Construct a lightweight standalone instance of our analyzer core inside the worker
-  const standaloneAnalyzer = new ASTAnalyzer({ verbose: contextOptions.verbose });
-  for (const file of files) {
-    if (file.endsWith('package.json')) continue;
-    try {
-      const text = fs.readFileSync(file, 'utf8');
-      // Build a minimal virtual reference mapping node to capture features
-      const mockNode = {
-        explicitImports: new Set(),
-        dynamicImports: new Set(),
-        importedSymbols: new Set(),
-        rawStringReferences: new Set(),
-        instantiatedIdentifiers: new Set(),
-        propertyAccessChains: new Set(),
-        internalExports: new Map(),
-        securityThreats: [],
-        localSuppressedRules: new Set(),
-        externalPackageUsage: new Set(),
-        symbolSourceLocations: new Map(),
-        calculatedDynamicImports: [],
-        jsxComponents: new Set(),
-        jsxProps: new Set(),
-        decorators: new Set()
-      };
-      // Use the public getScriptKind() method added to ASTAnalyzer
-      const scriptKind = standaloneAnalyzer.getScriptKind(file);
-      const sourceFile = ts.createSourceFile(
-        file,
-        text,
-        ts.ScriptTarget.Latest,
-        true,
-        scriptKind
-      );
-      standaloneAnalyzer.extractTopLevelJSDocSuppreessions(sourceFile, mockNode);
-      // Use the walkNode() alias that maps to walkAST() with the correct argument order
-      standaloneAnalyzer.walkNode(sourceFile, sourceFile, mockNode);
-      partialGraphPayloadResults.push({
-        filePath: file,
-        explicitImports: Array.from(mockNode.explicitImports),
-        dynamicImports: Array.from(mockNode.dynamicImports),
-        importedSymbols: Array.from(mockNode.importedSymbols),
-        rawStringReferences: Array.from(mockNode.rawStringReferences),
-        instantiatedIdentifiers: Array.from(mockNode.instantiatedIdentifiers),
-        propertyAccessChains: Array.from(mockNode.propertyAccessChains),
-        internalExports: Object.fromEntries(mockNode.internalExports),
-        securityThreats: mockNode.securityThreats,
-        localSuppressedRules: Array.from(mockNode.localSuppressedRules),
-        externalPackageUsage: Array.from(mockNode.externalPackageUsage),
-        symbolSourceLocations: Object.fromEntries(mockNode.symbolSourceLocations),
-        calculatedDynamicImports: mockNode.calculatedDynamicImports
-      });
-    } catch (err) {
-      // Log parse errors in verbose mode so they are not silently swallowed
-      if (contextOptions.verbose) {
-        console.warn(`[Worker] Failed to parse ${file}: ${err.message}`);
-      }
-    }
-  }
-  // Stream compiled metadata structures directly back to the primary supervisor pool thread channel
-  parentPort.postMessage(partialGraphPayloadResults);
-}
-processThreadChunks();