npm - proofscan - Versions diffs - 0.6.10 → 0.7.1 - Mend

proofscan 0.6.10 → 0.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (54) hide show

package/dist/commands/config.d.ts.map +1 -1
package/dist/commands/config.js +74 -25
package/dist/commands/config.js.map +1 -1
package/dist/commands/connectors.d.ts.map +1 -1
package/dist/commands/connectors.js +9 -4
package/dist/commands/connectors.js.map +1 -1
package/dist/config/add.d.ts +23 -2
package/dist/config/add.d.ts.map +1 -1
package/dist/config/add.js +26 -4
package/dist/config/add.js.map +1 -1
package/dist/secrets/detection.d.ts +71 -0
package/dist/secrets/detection.d.ts.map +1 -0
package/dist/secrets/detection.js +186 -0
package/dist/secrets/detection.js.map +1 -0
package/dist/secrets/index.d.ts +12 -0
package/dist/secrets/index.d.ts.map +1 -0
package/dist/secrets/index.js +18 -0
package/dist/secrets/index.js.map +1 -0
package/dist/secrets/providers/dpapi.d.ts +22 -0
package/dist/secrets/providers/dpapi.d.ts.map +1 -0
package/dist/secrets/providers/dpapi.js +95 -0
package/dist/secrets/providers/dpapi.js.map +1 -0
package/dist/secrets/providers/index.d.ts +20 -0
package/dist/secrets/providers/index.d.ts.map +1 -0
package/dist/secrets/providers/index.js +47 -0
package/dist/secrets/providers/index.js.map +1 -0
package/dist/secrets/providers/plain.d.ts +21 -0
package/dist/secrets/providers/plain.d.ts.map +1 -0
package/dist/secrets/providers/plain.js +29 -0
package/dist/secrets/providers/plain.js.map +1 -0
package/dist/secrets/redaction.d.ts +76 -0
package/dist/secrets/redaction.d.ts.map +1 -0
package/dist/secrets/redaction.js +136 -0
package/dist/secrets/redaction.js.map +1 -0
package/dist/secrets/secretize.d.ts +107 -0
package/dist/secrets/secretize.d.ts.map +1 -0
package/dist/secrets/secretize.js +148 -0
package/dist/secrets/secretize.js.map +1 -0
package/dist/secrets/store.d.ts +42 -0
package/dist/secrets/store.d.ts.map +1 -0
package/dist/secrets/store.js +174 -0
package/dist/secrets/store.js.map +1 -0
package/dist/secrets/types.d.ts +135 -0
package/dist/secrets/types.d.ts.map +1 -0
package/dist/secrets/types.js +39 -0
package/dist/secrets/types.js.map +1 -0
package/dist/utils/output.d.ts +14 -0
package/dist/utils/output.d.ts.map +1 -1
package/dist/utils/output.js +16 -0
package/dist/utils/output.js.map +1 -1
package/dist/utils/sanitize-secrets.d.ts.map +1 -1
package/dist/utils/sanitize-secrets.js +20 -3
package/dist/utils/sanitize-secrets.js.map +1 -1
package/package.json +1 -1

package/dist/secrets/detection.js ADDED Viewed

@@ -0,0 +1,186 @@
+/**
+ * Secret detection utilities (Phase 3.5)
+ *
+ * Detects sensitive keys and placeholder values in configuration.
+ * Used during config import/paste/set to auto-detect secrets.
+ */
+/**
+ * Patterns that indicate a key is for sensitive data
+ * Case-insensitive matching
+ */
+const SECRET_KEY_PATTERNS = [
+    /api[-_]?key/i,
+    /apikey/i,
+    /api[-_]?token/i,
+    /access[-_]?key/i,
+    /access[-_]?token/i,
+    /secret[-_]?key/i,
+    /secret/i,
+    /password/i,
+    /passwd/i,
+    /bearer/i,
+    /authorization/i,
+    /auth[-_]?token/i,
+    /private[-_]?key/i,
+    /credentials?/i,
+    /client[-_]?secret/i,
+];
+/**
+ * Placeholder patterns that indicate a value should be replaced
+ * Case-insensitive matching
+ */
+const PLACEHOLDER_PATTERNS = [
+    /^your[-_\s]?api[-_\s]?key$/i,
+    /^your[-_\s]?token$/i,
+    /^your[-_\s]?secret$/i,
+    /^your[-_\s]?password$/i,
+    /^your[-_\s]?.*[-_\s]?here$/i,
+    /^<.*>$/, // <YOUR_API_KEY>
+    /^\[.*\]$/, // [YOUR_API_KEY]
+    /^{.*}$/, // {YOUR_API_KEY}
+    /^changeme$/i,
+    /^change[-_\s]?me$/i,
+    /^xxx+$/i,
+    /^placeholder$/i,
+    /^replace[-_\s]?me$/i,
+    /^todo$/i,
+    /^fixme$/i,
+    /^insert[-_\s]?here$/i,
+    /^sk[-_]xxx/i, // sk-xxxxxxxx
+    /^pk[-_]xxx/i, // pk-xxxxxxxx
+];
+/**
+ * Values that look like real secrets (for validation)
+ * These patterns help identify actual API keys vs. placeholders
+ */
+const REAL_SECRET_PATTERNS = [
+    /^sk-[a-zA-Z0-9]{20,}$/, // OpenAI API key
+    /^pk-[a-zA-Z0-9]{20,}$/, // Some provider public key
+    /^ghp_[a-zA-Z0-9]{36,}$/, // GitHub PAT
+    /^gho_[a-zA-Z0-9]{36,}$/, // GitHub OAuth token
+    /^github_pat_[a-zA-Z0-9_]{22,}$/, // GitHub fine-grained PAT
+    /^[A-Za-z0-9+/=]{20,}$/, // Generic base64-ish token
+];
+/**
+ * Check if a key name indicates a secret/sensitive value
+ *
+ * @param key - The key name to check (e.g., "OPENAI_API_KEY")
+ * @returns true if the key likely holds a secret
+ */
+export function isSecretKey(key) {
+    return SECRET_KEY_PATTERNS.some(pattern => pattern.test(key));
+}
+/**
+ * Check if a value is a placeholder that needs to be replaced
+ *
+ * @param value - The value to check
+ * @returns true if the value is a placeholder
+ */
+export function isPlaceholder(value) {
+    if (!value || typeof value !== 'string') {
+        return false;
+    }
+    const trimmed = value.trim();
+    // Empty or very short values are not placeholders
+    if (trimmed.length < 3) {
+        return false;
+    }
+    return PLACEHOLDER_PATTERNS.some(pattern => pattern.test(trimmed));
+}
+/**
+ * Check if a value looks like a real secret (not a placeholder)
+ *
+ * @param value - The value to check
+ * @returns true if the value appears to be a real secret
+ */
+export function looksLikeRealSecret(value) {
+    if (!value || typeof value !== 'string') {
+        return false;
+    }
+    const trimmed = value.trim();
+    // Check for known secret formats
+    if (REAL_SECRET_PATTERNS.some(pattern => pattern.test(trimmed))) {
+        return true;
+    }
+    // Heuristic: long alphanumeric strings are likely secrets
+    // Minimum 20 chars, mostly alphanumeric with some special chars
+    if (trimmed.length >= 20 && /^[a-zA-Z0-9_\-+=/.]{20,}$/.test(trimmed)) {
+        return true;
+    }
+    return false;
+}
+/** Minimum length for a value to be considered a storable secret */
+const MIN_SECRET_LENGTH = 8;
+/**
+ * Detect if a key-value pair is a secret and determine action
+ *
+ * @param key - The key name
+ * @param value - The value
+ * @returns Detection result with recommended action
+ */
+export function detectSecret(key, value) {
+    const secretKey = isSecretKey(key);
+    const placeholder = isPlaceholder(value);
+    const looksReal = looksLikeRealSecret(value);
+    const isTooShort = !value || value.length < MIN_SECRET_LENGTH;
+    let action;
+    if (!secretKey) {
+        // Not a secret key - skip
+        action = 'skip';
+    }
+    else if (placeholder) {
+        // Secret key with placeholder value - warn user
+        action = 'warn';
+    }
+    else if (isTooShort) {
+        // Secret key with very short/empty value - likely not a real secret, warn
+        action = 'warn';
+    }
+    else if (looksReal) {
+        // Secret key with real-looking value - store securely
+        action = 'store';
+    }
+    else {
+        // Secret key with value that's long enough but doesn't match known patterns - store to be safe
+        action = 'store';
+    }
+    return {
+        key,
+        value,
+        isSecretKey: secretKey,
+        isPlaceholder: placeholder,
+        looksLikeSecret: looksReal,
+        action,
+    };
+}
+/**
+ * Scan an env object for secrets
+ *
+ * @param env - Environment variables object
+ * @returns Array of detection results for secret keys
+ */
+export function scanEnvForSecrets(env) {
+    const results = [];
+    for (const [key, value] of Object.entries(env)) {
+        const result = detectSecret(key, value);
+        if (result.isSecretKey) {
+            results.push(result);
+        }
+    }
+    return results;
+}
+/**
+ * Count secrets in an env object
+ *
+ * @param env - Environment variables object
+ * @returns Object with counts by action type
+ */
+export function countSecrets(env) {
+    const results = scanEnvForSecrets(env);
+    return {
+        toStore: results.filter(r => r.action === 'store').length,
+        warnings: results.filter(r => r.action === 'warn').length,
+        total: results.length,
+    };
+}
+//# sourceMappingURL=detection.js.map

package/dist/secrets/detection.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"detection.js","sourceRoot":"","sources":["../../src/secrets/detection.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;;GAGG;AACH,MAAM,mBAAmB,GAAG;IAC1B,cAAc;IACd,SAAS;IACT,gBAAgB;IAChB,iBAAiB;IACjB,mBAAmB;IACnB,iBAAiB;IACjB,SAAS;IACT,WAAW;IACX,SAAS;IACT,SAAS;IACT,gBAAgB;IAChB,iBAAiB;IACjB,kBAAkB;IAClB,eAAe;IACf,oBAAoB;CACrB,CAAC;AAEF;;;GAGG;AACH,MAAM,oBAAoB,GAAG;IAC3B,6BAA6B;IAC7B,qBAAqB;IACrB,sBAAsB;IACtB,wBAAwB;IACxB,6BAA6B;IAC7B,QAAQ,EAAG,iBAAiB;IAC5B,UAAU,EAAG,iBAAiB;IAC9B,QAAQ,EAAG,iBAAiB;IAC5B,aAAa;IACb,oBAAoB;IACpB,SAAS;IACT,gBAAgB;IAChB,qBAAqB;IACrB,SAAS;IACT,UAAU;IACV,sBAAsB;IACtB,aAAa,EAAG,cAAc;IAC9B,aAAa,EAAG,cAAc;CAC/B,CAAC;AAEF;;;GAGG;AACH,MAAM,oBAAoB,GAAG;IAC3B,uBAAuB,EAAG,iBAAiB;IAC3C,uBAAuB,EAAG,2BAA2B;IACrD,wBAAwB,EAAG,aAAa;IACxC,wBAAwB,EAAG,qBAAqB;IAChD,gCAAgC,EAAG,0BAA0B;IAC7D,uBAAuB,EAAG,2BAA2B;CACtD,CAAC;AAEF;;;;;GAKG;AACH,MAAM,UAAU,WAAW,CAAC,GAAW;IACrC,OAAO,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AAChE,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,aAAa,CAAC,KAAa;IACzC,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACxC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAE7B,kDAAkD;IAClD,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,oBAAoB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;AACrE,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB,CAAC,KAAa;IAC/C,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACxC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAE7B,iCAAiC;IACjC,IAAI,oBAAoB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;QAChE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,0DAA0D;IAC1D,gEAAgE;IAChE,IAAI,OAAO,CAAC,MAAM,IAAI,EAAE,IAAI,2BAA2B,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QACtE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAoBD,oEAAoE;AACpE,MAAM,iBAAiB,GAAG,CAAC,CAAC;AAE5B;;;;;;GAMG;AACH,MAAM,UAAU,YAAY,CAAC,GAAW,EAAE,KAAa;IACrD,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;IACnC,MAAM,WAAW,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;IACzC,MAAM,SAAS,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC;IAC7C,MAAM,UAAU,GAAG,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,GAAG,iBAAiB,CAAC;IAE9D,IAAI,MAAiC,CAAC;IAEtC,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,0BAA0B;QAC1B,MAAM,GAAG,MAAM,CAAC;IAClB,CAAC;SAAM,IAAI,WAAW,EAAE,CAAC;QACvB,gDAAgD;QAChD,MAAM,GAAG,MAAM,CAAC;IAClB,CAAC;SAAM,IAAI,UAAU,EAAE,CAAC;QACtB,0EAA0E;QAC1E,MAAM,GAAG,MAAM,CAAC;IAClB,CAAC;SAAM,IAAI,SAAS,EAAE,CAAC;QACrB,sDAAsD;QACtD,MAAM,GAAG,OAAO,CAAC;IACnB,CAAC;SAAM,CAAC;QACN,+FAA+F;QAC/F,MAAM,GAAG,OAAO,CAAC;IACnB,CAAC;IAED,OAAO;QACL,GAAG;QACH,KAAK;QACL,WAAW,EAAE,SAAS;QACtB,aAAa,EAAE,WAAW;QAC1B,eAAe,EAAE,SAAS;QAC1B,MAAM;KACP,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,iBAAiB,CAAC,GAA2B;IAC3D,MAAM,OAAO,GAA4B,EAAE,CAAC;IAE5C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/C,MAAM,MAAM,GAAG,YAAY,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACxC,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;YACvB,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAAC,GAA2B;IAKtD,MAAM,OAAO,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAEvC,OAAO;QACL,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,OAAO,CAAC,CAAC,MAAM;QACzD,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,MAAM;QACzD,KAAK,EAAE,OAAO,CAAC,MAAM;KACtB,CAAC;AACJ,CAAC"}

package/dist/secrets/index.d.ts ADDED Viewed

@@ -0,0 +1,12 @@
+/**
+ * Secrets module (Phase 3.5)
+ *
+ * Provides secure storage and handling of API keys and sensitive configuration.
+ */
+export * from './types.js';
+export { isSecretKey, isPlaceholder, looksLikeRealSecret, detectSecret, scanEnvForSecrets, countSecrets, type SecretDetectionResult, } from './detection.js';
+export { redactDeep, redactValue, redactEnv, redactionSummary, isRedacted, REDACTED, REDACTED_REF, type RedactionResult, type RedactionOptions, } from './redaction.js';
+export { SqliteSecretStore, getSecretStore, closeSecretStore, } from './store.js';
+export { PlainProvider, DpapiProvider, getBestProvider, getProvider, } from './providers/index.js';
+export { secretizeEnv, formatSecretizeOutput, isSecretizeAvailable, type SecretizeKeyResult, type SecretizeResult, type SecretizeOptions, type FormatSecretizeOptions, } from './secretize.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/secrets/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/secrets/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,cAAc,YAAY,CAAC;AAG3B,OAAO,EACL,WAAW,EACX,aAAa,EACb,mBAAmB,EACnB,YAAY,EACZ,iBAAiB,EACjB,YAAY,EACZ,KAAK,qBAAqB,GAC3B,MAAM,gBAAgB,CAAC;AAGxB,OAAO,EACL,UAAU,EACV,WAAW,EACX,SAAS,EACT,gBAAgB,EAChB,UAAU,EACV,QAAQ,EACR,YAAY,EACZ,KAAK,eAAe,EACpB,KAAK,gBAAgB,GACtB,MAAM,gBAAgB,CAAC;AAGxB,OAAO,EACL,iBAAiB,EACjB,cAAc,EACd,gBAAgB,GACjB,MAAM,YAAY,CAAC;AAGpB,OAAO,EACL,aAAa,EACb,aAAa,EACb,eAAe,EACf,WAAW,GACZ,MAAM,sBAAsB,CAAC;AAG9B,OAAO,EACL,YAAY,EACZ,qBAAqB,EACrB,oBAAoB,EACpB,KAAK,kBAAkB,EACvB,KAAK,eAAe,EACpB,KAAK,gBAAgB,EACrB,KAAK,sBAAsB,GAC5B,MAAM,gBAAgB,CAAC"}

package/dist/secrets/index.js ADDED Viewed

@@ -0,0 +1,18 @@
+/**
+ * Secrets module (Phase 3.5)
+ *
+ * Provides secure storage and handling of API keys and sensitive configuration.
+ */
+// Types and interfaces
+export * from './types.js';
+// Detection utilities
+export { isSecretKey, isPlaceholder, looksLikeRealSecret, detectSecret, scanEnvForSecrets, countSecrets, } from './detection.js';
+// Redaction utilities
+export { redactDeep, redactValue, redactEnv, redactionSummary, isRedacted, REDACTED, REDACTED_REF, } from './redaction.js';
+// Store
+export { SqliteSecretStore, getSecretStore, closeSecretStore, } from './store.js';
+// Providers
+export { PlainProvider, DpapiProvider, getBestProvider, getProvider, } from './providers/index.js';
+// Secretize
+export { secretizeEnv, formatSecretizeOutput, isSecretizeAvailable, } from './secretize.js';
+//# sourceMappingURL=index.js.map

package/dist/secrets/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/secrets/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,uBAAuB;AACvB,cAAc,YAAY,CAAC;AAE3B,sBAAsB;AACtB,OAAO,EACL,WAAW,EACX,aAAa,EACb,mBAAmB,EACnB,YAAY,EACZ,iBAAiB,EACjB,YAAY,GAEb,MAAM,gBAAgB,CAAC;AAExB,sBAAsB;AACtB,OAAO,EACL,UAAU,EACV,WAAW,EACX,SAAS,EACT,gBAAgB,EAChB,UAAU,EACV,QAAQ,EACR,YAAY,GAGb,MAAM,gBAAgB,CAAC;AAExB,QAAQ;AACR,OAAO,EACL,iBAAiB,EACjB,cAAc,EACd,gBAAgB,GACjB,MAAM,YAAY,CAAC;AAEpB,YAAY;AACZ,OAAO,EACL,aAAa,EACb,aAAa,EACb,eAAe,EACf,WAAW,GACZ,MAAM,sBAAsB,CAAC;AAE9B,YAAY;AACZ,OAAO,EACL,YAAY,EACZ,qBAAqB,EACrB,oBAAoB,GAKrB,MAAM,gBAAgB,CAAC"}

package/dist/secrets/providers/dpapi.d.ts ADDED Viewed

@@ -0,0 +1,22 @@
+/**
+ * Windows DPAPI encryption provider (Phase 3.5)
+ *
+ * Uses Windows Data Protection API with CurrentUser scope.
+ * Secrets are encrypted using the user's Windows credentials.
+ *
+ * Implementation uses PowerShell to call .NET's ProtectedData class.
+ */
+import type { IEncryptionProvider, ProviderType } from '../types.js';
+/**
+ * DPAPI provider - Windows Data Protection API
+ *
+ * Encrypts data using the current Windows user's credentials.
+ * Data can only be decrypted by the same user on the same machine.
+ */
+export declare class DpapiProvider implements IEncryptionProvider {
+    readonly type: ProviderType;
+    isAvailable(): boolean;
+    encrypt(plaintext: string): Promise<string>;
+    decrypt(ciphertext: string): Promise<string>;
+}
+//# sourceMappingURL=dpapi.d.ts.map

package/dist/secrets/providers/dpapi.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"dpapi.d.ts","sourceRoot":"","sources":["../../../src/secrets/providers/dpapi.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAsBrE;;;;;GAKG;AACH,qBAAa,aAAc,YAAW,mBAAmB;IACvD,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAW;IAEtC,WAAW,IAAI,OAAO;IAKhB,OAAO,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IA6B3C,OAAO,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;CA+BnD"}

package/dist/secrets/providers/dpapi.js ADDED Viewed

@@ -0,0 +1,95 @@
+/**
+ * Windows DPAPI encryption provider (Phase 3.5)
+ *
+ * Uses Windows Data Protection API with CurrentUser scope.
+ * Secrets are encrypted using the user's Windows credentials.
+ *
+ * Implementation uses PowerShell to call .NET's ProtectedData class.
+ */
+import { execSync } from 'child_process';
+/** Maximum ciphertext length (100KB base64 encoded) */
+const MAX_CIPHERTEXT_LENGTH = 100000;
+/** Valid base64 pattern (strict validation for command injection prevention) */
+const BASE64_PATTERN = /^[A-Za-z0-9+/]*={0,2}$/;
+/**
+ * Validate that a string is valid base64 format
+ * Security: Prevents command injection by ensuring only safe characters
+ */
+function isValidBase64(value) {
+    if (!value || value.length === 0) {
+        return false;
+    }
+    if (value.length > MAX_CIPHERTEXT_LENGTH) {
+        return false;
+    }
+    return BASE64_PATTERN.test(value);
+}
+/**
+ * DPAPI provider - Windows Data Protection API
+ *
+ * Encrypts data using the current Windows user's credentials.
+ * Data can only be decrypted by the same user on the same machine.
+ */
+export class DpapiProvider {
+    type = 'dpapi';
+    isAvailable() {
+        // Only available on Windows
+        return process.platform === 'win32';
+    }
+    async encrypt(plaintext) {
+        if (!this.isAvailable()) {
+            throw new Error('DPAPI is only available on Windows');
+        }
+        // Convert plaintext to base64 for safe PowerShell handling
+        const base64Input = Buffer.from(plaintext, 'utf-8').toString('base64');
+        // PowerShell script to encrypt using DPAPI
+        const script = `
+      Add-Type -AssemblyName System.Security
+      $bytes = [System.Convert]::FromBase64String("${base64Input}")
+      $encrypted = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
+      [System.Convert]::ToBase64String($encrypted)
+    `.trim().replace(/\n/g, '; ');
+        try {
+            const result = execSync(`powershell -NoProfile -NonInteractive -Command "${script}"`, {
+                encoding: 'utf-8',
+                windowsHide: true,
+                timeout: 10000,
+            });
+            return result.trim();
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            throw new Error(`DPAPI encryption failed: ${message}`);
+        }
+    }
+    async decrypt(ciphertext) {
+        if (!this.isAvailable()) {
+            throw new Error('DPAPI is only available on Windows');
+        }
+        // Security: Validate ciphertext format to prevent command injection
+        if (!isValidBase64(ciphertext)) {
+            throw new Error('Invalid ciphertext format: must be valid base64');
+        }
+        // PowerShell script to decrypt using DPAPI
+        const script = `
+      Add-Type -AssemblyName System.Security
+      $encrypted = [System.Convert]::FromBase64String("${ciphertext}")
+      $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect($encrypted, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
+      [System.Convert]::ToBase64String($bytes)
+    `.trim().replace(/\n/g, '; ');
+        try {
+            const result = execSync(`powershell -NoProfile -NonInteractive -Command "${script}"`, {
+                encoding: 'utf-8',
+                windowsHide: true,
+                timeout: 10000,
+            });
+            // Result is base64 encoded plaintext
+            return Buffer.from(result.trim(), 'base64').toString('utf-8');
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            throw new Error(`DPAPI decryption failed: ${message}`);
+        }
+    }
+}
+//# sourceMappingURL=dpapi.js.map

package/dist/secrets/providers/dpapi.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"dpapi.js","sourceRoot":"","sources":["../../../src/secrets/providers/dpapi.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAGzC,uDAAuD;AACvD,MAAM,qBAAqB,GAAG,MAAM,CAAC;AAErC,gFAAgF;AAChF,MAAM,cAAc,GAAG,wBAAwB,CAAC;AAEhD;;;GAGG;AACH,SAAS,aAAa,CAAC,KAAa;IAClC,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjC,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,KAAK,CAAC,MAAM,GAAG,qBAAqB,EAAE,CAAC;QACzC,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AACpC,CAAC;AAED;;;;;GAKG;AACH,MAAM,OAAO,aAAa;IACf,IAAI,GAAiB,OAAO,CAAC;IAEtC,WAAW;QACT,4BAA4B;QAC5B,OAAO,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC;IACtC,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,SAAiB;QAC7B,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;QACxD,CAAC;QAED,2DAA2D;QAC3D,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAEvE,2CAA2C;QAC3C,MAAM,MAAM,GAAG;;qDAEkC,WAAW;;;KAG3D,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QAE9B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,QAAQ,CAAC,mDAAmD,MAAM,GAAG,EAAE;gBACpF,QAAQ,EAAE,OAAO;gBACjB,WAAW,EAAE,IAAI;gBACjB,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;YACH,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC;QACvB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,MAAM,IAAI,KAAK,CAAC,4BAA4B,OAAO,EAAE,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,UAAkB;QAC9B,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;QACxD,CAAC;QAED,oEAAoE;QACpE,IAAI,CAAC,aAAa,CAAC,UAAU,CAAC,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;QACrE,CAAC;QAED,2CAA2C;QAC3C,MAAM,MAAM,GAAG;;yDAEsC,UAAU;;;KAG9D,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QAE9B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,QAAQ,CAAC,mDAAmD,MAAM,GAAG,EAAE;gBACpF,QAAQ,EAAE,OAAO;gBACjB,WAAW,EAAE,IAAI;gBACjB,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;YACH,qCAAqC;YACrC,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAChE,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACjE,MAAM,IAAI,KAAK,CAAC,4BAA4B,OAAO,EAAE,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;CACF"}

package/dist/secrets/providers/index.d.ts ADDED Viewed

@@ -0,0 +1,20 @@
+/**
+ * Encryption providers index
+ */
+export { PlainProvider } from './plain.js';
+export { DpapiProvider } from './dpapi.js';
+import type { IEncryptionProvider, ProviderType } from '../types.js';
+/**
+ * Get the best available encryption provider for the current platform
+ *
+ * Priority:
+ * 1. DPAPI on Windows
+ * 2. Keychain on macOS (future)
+ * 3. Plain fallback (no encryption, with warning)
+ */
+export declare function getBestProvider(): IEncryptionProvider;
+/**
+ * Get a specific provider by type
+ */
+export declare function getProvider(type: ProviderType): IEncryptionProvider;
+//# sourceMappingURL=index.d.ts.map

package/dist/secrets/providers/index.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/secrets/providers/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAC3C,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAE3C,OAAO,KAAK,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAIrE;;;;;;;GAOG;AACH,wBAAgB,eAAe,IAAI,mBAAmB,CAgBrD;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,YAAY,GAAG,mBAAmB,CAYnE"}

package/dist/secrets/providers/index.js ADDED Viewed

@@ -0,0 +1,47 @@
+/**
+ * Encryption providers index
+ */
+export { PlainProvider } from './plain.js';
+export { DpapiProvider } from './dpapi.js';
+import { PlainProvider } from './plain.js';
+import { DpapiProvider } from './dpapi.js';
+/**
+ * Get the best available encryption provider for the current platform
+ *
+ * Priority:
+ * 1. DPAPI on Windows
+ * 2. Keychain on macOS (future)
+ * 3. Plain fallback (no encryption, with warning)
+ */
+export function getBestProvider() {
+    // Try DPAPI first (Windows)
+    const dpapi = new DpapiProvider();
+    if (dpapi.isAvailable()) {
+        return dpapi;
+    }
+    // TODO: Add macOS Keychain support
+    // const keychain = new KeychainProvider();
+    // if (keychain.isAvailable()) {
+    //   return keychain;
+    // }
+    // Fallback to plain (no encryption)
+    console.warn('Warning: No secure encryption provider available. Secrets will be stored without encryption.');
+    return new PlainProvider();
+}
+/**
+ * Get a specific provider by type
+ */
+export function getProvider(type) {
+    switch (type) {
+        case 'dpapi':
+            return new DpapiProvider();
+        case 'plain':
+            return new PlainProvider();
+        case 'keychain':
+            // Not yet implemented
+            throw new Error('Keychain provider not yet implemented');
+        default:
+            throw new Error(`Unknown provider type: ${type}`);
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/secrets/providers/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/secrets/providers/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAC3C,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAG3C,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAC3C,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAE3C;;;;;;;GAOG;AACH,MAAM,UAAU,eAAe;IAC7B,4BAA4B;IAC5B,MAAM,KAAK,GAAG,IAAI,aAAa,EAAE,CAAC;IAClC,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;QACxB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,mCAAmC;IACnC,2CAA2C;IAC3C,gCAAgC;IAChC,qBAAqB;IACrB,IAAI;IAEJ,oCAAoC;IACpC,OAAO,CAAC,IAAI,CAAC,8FAA8F,CAAC,CAAC;IAC7G,OAAO,IAAI,aAAa,EAAE,CAAC;AAC7B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,IAAkB;IAC5C,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,OAAO;YACV,OAAO,IAAI,aAAa,EAAE,CAAC;QAC7B,KAAK,OAAO;YACV,OAAO,IAAI,aAAa,EAAE,CAAC;QAC7B,KAAK,UAAU;YACb,sBAAsB;YACtB,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC3D;YACE,MAAM,IAAI,KAAK,CAAC,0BAA0B,IAAI,EAAE,CAAC,CAAC;IACtD,CAAC;AACH,CAAC"}

package/dist/secrets/providers/plain.d.ts ADDED Viewed

@@ -0,0 +1,21 @@
+/**
+ * Plain encryption provider (no encryption)
+ *
+ * This is a fallback provider for testing and platforms without
+ * native encryption support. It provides NO security and should
+ * only be used for development/testing purposes.
+ */
+import type { IEncryptionProvider, ProviderType } from '../types.js';
+/**
+ * Plain provider - stores secrets as base64 without encryption
+ *
+ * WARNING: This provider offers NO security. Secrets are only
+ * base64 encoded, not encrypted. Use only for testing.
+ */
+export declare class PlainProvider implements IEncryptionProvider {
+    readonly type: ProviderType;
+    isAvailable(): boolean;
+    encrypt(plaintext: string): Promise<string>;
+    decrypt(ciphertext: string): Promise<string>;
+}
+//# sourceMappingURL=plain.d.ts.map

package/dist/secrets/providers/plain.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"plain.d.ts","sourceRoot":"","sources":["../../../src/secrets/providers/plain.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAErE;;;;;GAKG;AACH,qBAAa,aAAc,YAAW,mBAAmB;IACvD,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAW;IAEtC,WAAW,IAAI,OAAO;IAKhB,OAAO,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAK3C,OAAO,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;CAInD"}

package/dist/secrets/providers/plain.js ADDED Viewed

@@ -0,0 +1,29 @@
+/**
+ * Plain encryption provider (no encryption)
+ *
+ * This is a fallback provider for testing and platforms without
+ * native encryption support. It provides NO security and should
+ * only be used for development/testing purposes.
+ */
+/**
+ * Plain provider - stores secrets as base64 without encryption
+ *
+ * WARNING: This provider offers NO security. Secrets are only
+ * base64 encoded, not encrypted. Use only for testing.
+ */
+export class PlainProvider {
+    type = 'plain';
+    isAvailable() {
+        // Always available as fallback
+        return true;
+    }
+    async encrypt(plaintext) {
+        // Just base64 encode - NO ENCRYPTION
+        return Buffer.from(plaintext, 'utf-8').toString('base64');
+    }
+    async decrypt(ciphertext) {
+        // Just base64 decode
+        return Buffer.from(ciphertext, 'base64').toString('utf-8');
+    }
+}
+//# sourceMappingURL=plain.js.map

package/dist/secrets/providers/plain.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"plain.js","sourceRoot":"","sources":["../../../src/secrets/providers/plain.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH;;;;;GAKG;AACH,MAAM,OAAO,aAAa;IACf,IAAI,GAAiB,OAAO,CAAC;IAEtC,WAAW;QACT,+BAA+B;QAC/B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,SAAiB;QAC7B,qCAAqC;QACrC,OAAO,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC5D,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,UAAkB;QAC9B,qBAAqB;QACrB,OAAO,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC7D,CAAC;CACF"}

package/dist/secrets/redaction.d.ts ADDED Viewed

@@ -0,0 +1,76 @@
+/**
+ * Secret redaction utilities (Phase 3.5)
+ *
+ * Provides deep redaction of secrets in config output.
+ * Used by config show, export, and snapshot commands.
+ */
+/** Redacted placeholder for secrets */
+export declare const REDACTED = "***REDACTED***";
+/** Redacted placeholder for secret references */
+export declare const REDACTED_REF = "***SECRET_REF***";
+/**
+ * Result of redaction
+ */
+export interface RedactionResult {
+    /** Redacted value */
+    value: unknown;
+    /** Number of values redacted */
+    count: number;
+}
+/**
+ * Options for redaction
+ */
+export interface RedactionOptions {
+    /** Redact values for secret keys (default: true) */
+    redactSecretKeys?: boolean;
+    /** Redact secret references like "dpapi:xxx" (default: true) */
+    redactSecretRefs?: boolean;
+    /** Custom redaction string for values */
+    redactedValue?: string;
+    /** Custom redaction string for references */
+    redactedRef?: string;
+}
+/**
+ * Recursively redact secrets in a value
+ *
+ * Handles:
+ * - Secret references (dpapi:xxx, keychain:xxx)
+ * - Values for keys that match secret patterns
+ *
+ * @param value - Any JSON-serializable value
+ * @param options - Redaction options
+ * @returns Redacted value and count
+ */
+export declare function redactDeep(value: unknown, options?: RedactionOptions): RedactionResult;
+/**
+ * Redact a single value based on key and options
+ *
+ * @param key - The key name
+ * @param value - The value to potentially redact
+ * @param options - Redaction options
+ * @returns Redacted value if applicable, original otherwise
+ */
+export declare function redactValue(key: string, value: string, options?: RedactionOptions): string;
+/**
+ * Redact env variables object
+ *
+ * @param env - Environment variables
+ * @param options - Redaction options
+ * @returns Redacted env and count
+ */
+export declare function redactEnv(env: Record<string, string>, options?: RedactionOptions): {
+    env: Record<string, string>;
+    count: number;
+};
+/**
+ * Create a summary of redacted values
+ *
+ * @param count - Number of values redacted
+ * @returns Human-readable summary
+ */
+export declare function redactionSummary(count: number): string;
+/**
+ * Check if a value has been redacted
+ */
+export declare function isRedacted(value: string): boolean;
+//# sourceMappingURL=redaction.d.ts.map

package/dist/secrets/redaction.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"redaction.d.ts","sourceRoot":"","sources":["../../src/secrets/redaction.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,uCAAuC;AACvC,eAAO,MAAM,QAAQ,mBAAmB,CAAC;AAEzC,iDAAiD;AACjD,eAAO,MAAM,YAAY,qBAAqB,CAAC;AAE/C;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,qBAAqB;IACrB,KAAK,EAAE,OAAO,CAAC;IACf,gCAAgC;IAChC,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,oDAAoD;IACpD,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,gEAAgE;IAChE,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,yCAAyC;IACzC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,6CAA6C;IAC7C,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AASD;;;;;;;;;;GAUG;AACH,wBAAgB,UAAU,CACxB,KAAK,EAAE,OAAO,EACd,OAAO,GAAE,gBAAqB,GAC7B,eAAe,CAkDjB;AAED;;;;;;;GAOG;AACH,wBAAgB,WAAW,CACzB,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,MAAM,EACb,OAAO,GAAE,gBAAqB,GAC7B,MAAM,CAgBR;AAED;;;;;;GAMG;AACH,wBAAgB,SAAS,CACvB,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC3B,OAAO,GAAE,gBAAqB,GAC7B;IAAE,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAchD;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAQtD;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAEjD"}