npm - sandstream-kit - Versions diffs - 1.0.0 - Mend

sandstream-kit 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (519) hide show

package/LICENSE +21 -0
package/README.md +617 -0
package/dist/adapters/api-key-adapter.d.ts +35 -0
package/dist/adapters/api-key-adapter.js +46 -0
package/dist/adapters/api-key-adapter.js.map +1 -0
package/dist/adapters/clerk-auth.d.ts +6 -0
package/dist/adapters/clerk-auth.js +20 -0
package/dist/adapters/clerk-auth.js.map +1 -0
package/dist/adapters/cloudflare-r2.d.ts +6 -0
package/dist/adapters/cloudflare-r2.js +136 -0
package/dist/adapters/cloudflare-r2.js.map +1 -0
package/dist/adapters/expo-eas.d.ts +6 -0
package/dist/adapters/expo-eas.js +129 -0
package/dist/adapters/expo-eas.js.map +1 -0
package/dist/adapters/flagsmith-flags.d.ts +5 -0
package/dist/adapters/flagsmith-flags.js +20 -0
package/dist/adapters/flagsmith-flags.js.map +1 -0
package/dist/adapters/flyio-hosting.d.ts +2 -0
package/dist/adapters/flyio-hosting.js +143 -0
package/dist/adapters/flyio-hosting.js.map +1 -0
package/dist/adapters/index.d.ts +6 -0
package/dist/adapters/index.js +48 -0
package/dist/adapters/index.js.map +1 -0
package/dist/adapters/inngest-background.d.ts +5 -0
package/dist/adapters/inngest-background.js +19 -0
package/dist/adapters/inngest-background.js.map +1 -0
package/dist/adapters/liveblocks-realtime.d.ts +11 -0
package/dist/adapters/liveblocks-realtime.js +62 -0
package/dist/adapters/liveblocks-realtime.js.map +1 -0
package/dist/adapters/loops-email.d.ts +6 -0
package/dist/adapters/loops-email.js +18 -0
package/dist/adapters/loops-email.js.map +1 -0
package/dist/adapters/neon-db.d.ts +10 -0
package/dist/adapters/neon-db.js +94 -0
package/dist/adapters/neon-db.js.map +1 -0
package/dist/adapters/planetscale-db.d.ts +11 -0
package/dist/adapters/planetscale-db.js +134 -0
package/dist/adapters/planetscale-db.js.map +1 -0
package/dist/adapters/posthog-analytics.d.ts +6 -0
package/dist/adapters/posthog-analytics.js +22 -0
package/dist/adapters/posthog-analytics.js.map +1 -0
package/dist/adapters/railway-hosting.d.ts +2 -0
package/dist/adapters/railway-hosting.js +136 -0
package/dist/adapters/railway-hosting.js.map +1 -0
package/dist/adapters/resend-email.d.ts +35 -0
package/dist/adapters/resend-email.js +109 -0
package/dist/adapters/resend-email.js.map +1 -0
package/dist/adapters/searxng-instance.d.ts +6 -0
package/dist/adapters/searxng-instance.js +240 -0
package/dist/adapters/searxng-instance.js.map +1 -0
package/dist/adapters/sentry-monitoring.d.ts +7 -0
package/dist/adapters/sentry-monitoring.js +27 -0
package/dist/adapters/sentry-monitoring.js.map +1 -0
package/dist/adapters/stripe-payments.d.ts +6 -0
package/dist/adapters/stripe-payments.js +134 -0
package/dist/adapters/stripe-payments.js.map +1 -0
package/dist/adapters/supabase-db.d.ts +6 -0
package/dist/adapters/supabase-db.js +130 -0
package/dist/adapters/supabase-db.js.map +1 -0
package/dist/adapters/tinybird-analytics.d.ts +5 -0
package/dist/adapters/tinybird-analytics.js +20 -0
package/dist/adapters/tinybird-analytics.js.map +1 -0
package/dist/adapters/trigger-background.d.ts +6 -0
package/dist/adapters/trigger-background.js +20 -0
package/dist/adapters/trigger-background.js.map +1 -0
package/dist/adapters/types.d.ts +7 -0
package/dist/adapters/types.js +2 -0
package/dist/adapters/types.js.map +1 -0
package/dist/adapters/upstash-redis.d.ts +6 -0
package/dist/adapters/upstash-redis.js +88 -0
package/dist/adapters/upstash-redis.js.map +1 -0
package/dist/adapters/vercel-hosting.d.ts +6 -0
package/dist/adapters/vercel-hosting.js +112 -0
package/dist/adapters/vercel-hosting.js.map +1 -0
package/dist/agent-adapter-model.d.ts +108 -0
package/dist/agent-adapter-model.js +6 -0
package/dist/agent-adapter-model.js.map +1 -0
package/dist/agent-adapter-service.d.ts +67 -0
package/dist/agent-adapter-service.js +299 -0
package/dist/agent-adapter-service.js.map +1 -0
package/dist/agent-config.d.ts +56 -0
package/dist/agent-config.js +129 -0
package/dist/agent-config.js.map +1 -0
package/dist/agent-governance-model.d.ts +128 -0
package/dist/agent-governance-model.js +6 -0
package/dist/agent-governance-model.js.map +1 -0
package/dist/agent-governance-service.d.ts +101 -0
package/dist/agent-governance-service.js +319 -0
package/dist/agent-governance-service.js.map +1 -0
package/dist/alert-rules-engine.d.ts +102 -0
package/dist/alert-rules-engine.js +210 -0
package/dist/alert-rules-engine.js.map +1 -0
package/dist/analytics-service.d.ts +126 -0
package/dist/analytics-service.js +318 -0
package/dist/analytics-service.js.map +1 -0
package/dist/analyze.d.ts +19 -0
package/dist/analyze.js +311 -0
package/dist/analyze.js.map +1 -0
package/dist/apm-instrumentor.d.ts +119 -0
package/dist/apm-instrumentor.js +225 -0
package/dist/apm-instrumentor.js.map +1 -0
package/dist/approval-model.d.ts +82 -0
package/dist/approval-model.js +6 -0
package/dist/approval-model.js.map +1 -0
package/dist/approval-service.d.ts +39 -0
package/dist/approval-service.js +236 -0
package/dist/approval-service.js.map +1 -0
package/dist/approval.d.ts +22 -0
package/dist/approval.js +148 -0
package/dist/approval.js.map +1 -0
package/dist/audit-logging-model.d.ts +157 -0
package/dist/audit-logging-model.js +6 -0
package/dist/audit-logging-model.js.map +1 -0
package/dist/audit-logging-service.d.ts +89 -0
package/dist/audit-logging-service.js +367 -0
package/dist/audit-logging-service.js.map +1 -0
package/dist/audit-secrets.d.ts +42 -0
package/dist/audit-secrets.js +126 -0
package/dist/audit-secrets.js.map +1 -0
package/dist/audit.d.ts +43 -0
package/dist/audit.js +286 -0
package/dist/audit.js.map +1 -0
package/dist/author-dashboard.d.ts +84 -0
package/dist/author-dashboard.js +204 -0
package/dist/author-dashboard.js.map +1 -0
package/dist/author-notifications.d.ts +130 -0
package/dist/author-notifications.js +261 -0
package/dist/author-notifications.js.map +1 -0
package/dist/author-verification.d.ts +79 -0
package/dist/author-verification.js +257 -0
package/dist/author-verification.js.map +1 -0
package/dist/autonomous-setup-model.d.ts +117 -0
package/dist/autonomous-setup-model.js +6 -0
package/dist/autonomous-setup-model.js.map +1 -0
package/dist/autonomous-setup-service.d.ts +74 -0
package/dist/autonomous-setup-service.js +325 -0
package/dist/autonomous-setup-service.js.map +1 -0
package/dist/badge-system.d.ts +70 -0
package/dist/badge-system.js +210 -0
package/dist/badge-system.js.map +1 -0
package/dist/baseline.d.ts +34 -0
package/dist/baseline.js +78 -0
package/dist/baseline.js.map +1 -0
package/dist/beta-program-service.d.ts +112 -0
package/dist/beta-program-service.js +240 -0
package/dist/beta-program-service.js.map +1 -0
package/dist/budget.d.ts +34 -0
package/dist/budget.js +159 -0
package/dist/budget.js.map +1 -0
package/dist/bumblebee.d.ts +143 -0
package/dist/bumblebee.js +384 -0
package/dist/bumblebee.js.map +1 -0
package/dist/cache-manager.d.ts +97 -0
package/dist/cache-manager.js +244 -0
package/dist/cache-manager.js.map +1 -0
package/dist/cdn-adapter.d.ts +64 -0
package/dist/cdn-adapter.js +263 -0
package/dist/cdn-adapter.js.map +1 -0
package/dist/certification-workflow-model.d.ts +95 -0
package/dist/certification-workflow-model.js +6 -0
package/dist/certification-workflow-model.js.map +1 -0
package/dist/certification-workflow-service.d.ts +72 -0
package/dist/certification-workflow-service.js +305 -0
package/dist/certification-workflow-service.js.map +1 -0
package/dist/check-design.d.ts +38 -0
package/dist/check-design.js +256 -0
package/dist/check-design.js.map +1 -0
package/dist/check-gitignore.d.ts +39 -0
package/dist/check-gitignore.js +156 -0
package/dist/check-gitignore.js.map +1 -0
package/dist/check-hooks.d.ts +15 -0
package/dist/check-hooks.js +72 -0
package/dist/check-hooks.js.map +1 -0
package/dist/check-lock.d.ts +16 -0
package/dist/check-lock.js +94 -0
package/dist/check-lock.js.map +1 -0
package/dist/check-secrets.d.ts +11 -0
package/dist/check-secrets.js +320 -0
package/dist/check-secrets.js.map +1 -0
package/dist/check-security.d.ts +13 -0
package/dist/check-security.js +887 -0
package/dist/check-security.js.map +1 -0
package/dist/check-services.d.ts +10 -0
package/dist/check-services.js +44 -0
package/dist/check-services.js.map +1 -0
package/dist/check-skills.d.ts +8 -0
package/dist/check-skills.js +26 -0
package/dist/check-skills.js.map +1 -0
package/dist/check-tests.d.ts +43 -0
package/dist/check-tests.js +175 -0
package/dist/check-tests.js.map +1 -0
package/dist/check-tools.d.ts +8 -0
package/dist/check-tools.js +42 -0
package/dist/check-tools.js.map +1 -0
package/dist/check-web-search.d.ts +12 -0
package/dist/check-web-search.js +168 -0
package/dist/check-web-search.js.map +1 -0
package/dist/ci-cd-publisher.d.ts +162 -0
package/dist/ci-cd-publisher.js +319 -0
package/dist/ci-cd-publisher.js.map +1 -0
package/dist/cli.d.ts +2 -0
package/dist/cli.js +4074 -0
package/dist/cli.js.map +1 -0
package/dist/clone.d.ts +25 -0
package/dist/clone.js +73 -0
package/dist/clone.js.map +1 -0
package/dist/completions.d.ts +8 -0
package/dist/completions.js +250 -0
package/dist/completions.js.map +1 -0
package/dist/compression-manager.d.ts +107 -0
package/dist/compression-manager.js +250 -0
package/dist/compression-manager.js.map +1 -0
package/dist/config.d.ts +233 -0
package/dist/config.js +255 -0
package/dist/config.js.map +1 -0
package/dist/context.d.ts +38 -0
package/dist/context.js +86 -0
package/dist/context.js.map +1 -0
package/dist/cost-monitor.d.ts +72 -0
package/dist/cost-monitor.js +218 -0
package/dist/cost-monitor.js.map +1 -0
package/dist/create-plugin.d.ts +22 -0
package/dist/create-plugin.js +266 -0
package/dist/create-plugin.js.map +1 -0
package/dist/database.d.ts +123 -0
package/dist/database.js +354 -0
package/dist/database.js.map +1 -0
package/dist/datadog-adapter.d.ts +60 -0
package/dist/datadog-adapter.js +245 -0
package/dist/datadog-adapter.js.map +1 -0
package/dist/doctor.d.ts +15 -0
package/dist/doctor.js +131 -0
package/dist/doctor.js.map +1 -0
package/dist/documentation-generator.d.ts +226 -0
package/dist/documentation-generator.js +348 -0
package/dist/documentation-generator.js.map +1 -0
package/dist/elevation-scopes.d.ts +40 -0
package/dist/elevation-scopes.js +110 -0
package/dist/elevation-scopes.js.map +1 -0
package/dist/elevation.d.ts +102 -0
package/dist/elevation.js +449 -0
package/dist/elevation.js.map +1 -0
package/dist/env-diff.d.ts +27 -0
package/dist/env-diff.js +104 -0
package/dist/env-diff.js.map +1 -0
package/dist/env-inspect.d.ts +28 -0
package/dist/env-inspect.js +81 -0
package/dist/env-inspect.js.map +1 -0
package/dist/env-switch.d.ts +37 -0
package/dist/env-switch.js +102 -0
package/dist/env-switch.js.map +1 -0
package/dist/environment.d.ts +27 -0
package/dist/environment.js +148 -0
package/dist/environment.js.map +1 -0
package/dist/error-tracker.d.ts +92 -0
package/dist/error-tracker.js +206 -0
package/dist/error-tracker.js.map +1 -0
package/dist/escalate.d.ts +11 -0
package/dist/escalate.js +73 -0
package/dist/escalate.js.map +1 -0
package/dist/event-stream.d.ts +81 -0
package/dist/event-stream.js +161 -0
package/dist/event-stream.js.map +1 -0
package/dist/fix.d.ts +42 -0
package/dist/fix.js +419 -0
package/dist/fix.js.map +1 -0
package/dist/governance-middleware.d.ts +22 -0
package/dist/governance-middleware.js +173 -0
package/dist/governance-middleware.js.map +1 -0
package/dist/governance.d.ts +44 -0
package/dist/governance.js +236 -0
package/dist/governance.js.map +1 -0
package/dist/hooks.d.ts +25 -0
package/dist/hooks.js +281 -0
package/dist/hooks.js.map +1 -0
package/dist/id-generator.d.ts +43 -0
package/dist/id-generator.js +47 -0
package/dist/id-generator.js.map +1 -0
package/dist/image-optimizer.d.ts +92 -0
package/dist/image-optimizer.js +202 -0
package/dist/image-optimizer.js.map +1 -0
package/dist/install.d.ts +15 -0
package/dist/install.js +59 -0
package/dist/install.js.map +1 -0
package/dist/lock.d.ts +82 -0
package/dist/lock.js +264 -0
package/dist/lock.js.map +1 -0
package/dist/login.d.ts +23 -0
package/dist/login.js +132 -0
package/dist/login.js.map +1 -0
package/dist/mcp-kit-tools-model.d.ts +195 -0
package/dist/mcp-kit-tools-model.js +6 -0
package/dist/mcp-kit-tools-model.js.map +1 -0
package/dist/mcp-kit-tools-service.d.ts +127 -0
package/dist/mcp-kit-tools-service.js +943 -0
package/dist/mcp-kit-tools-service.js.map +1 -0
package/dist/mcp-orchestrator.d.ts +70 -0
package/dist/mcp-orchestrator.js +175 -0
package/dist/mcp-orchestrator.js.map +1 -0
package/dist/mcp-server.d.ts +3 -0
package/dist/mcp-server.js +722 -0
package/dist/mcp-server.js.map +1 -0
package/dist/middleware/rate-limiter.d.ts +74 -0
package/dist/middleware/rate-limiter.js +342 -0
package/dist/middleware/rate-limiter.js.map +1 -0
package/dist/migration-runner.d.ts +66 -0
package/dist/migration-runner.js +192 -0
package/dist/migration-runner.js.map +1 -0
package/dist/migrations.d.ts +25 -0
package/dist/migrations.js +530 -0
package/dist/migrations.js.map +1 -0
package/dist/moderation-system.d.ts +153 -0
package/dist/moderation-system.js +338 -0
package/dist/moderation-system.js.map +1 -0
package/dist/multi-agent-workflow-model.d.ts +125 -0
package/dist/multi-agent-workflow-model.js +6 -0
package/dist/multi-agent-workflow-model.js.map +1 -0
package/dist/multi-agent-workflow-service.d.ts +102 -0
package/dist/multi-agent-workflow-service.js +452 -0
package/dist/multi-agent-workflow-service.js.map +1 -0
package/dist/onepassword.d.ts +75 -0
package/dist/onepassword.js +140 -0
package/dist/onepassword.js.map +1 -0
package/dist/open.d.ts +30 -0
package/dist/open.js +166 -0
package/dist/open.js.map +1 -0
package/dist/output.d.ts +32 -0
package/dist/output.js +295 -0
package/dist/output.js.map +1 -0
package/dist/partner-service.d.ts +101 -0
package/dist/partner-service.js +191 -0
package/dist/partner-service.js.map +1 -0
package/dist/payout-service.d.ts +136 -0
package/dist/payout-service.js +293 -0
package/dist/payout-service.js.map +1 -0
package/dist/pkg.d.ts +30 -0
package/dist/pkg.js +162 -0
package/dist/pkg.js.map +1 -0
package/dist/plugin-loader.d.ts +16 -0
package/dist/plugin-loader.js +124 -0
package/dist/plugin-loader.js.map +1 -0
package/dist/plugin-registry-model.d.ts +133 -0
package/dist/plugin-registry-model.js +6 -0
package/dist/plugin-registry-model.js.map +1 -0
package/dist/plugin-registry-service.d.ts +109 -0
package/dist/plugin-registry-service.js +361 -0
package/dist/plugin-registry-service.js.map +1 -0
package/dist/plugin-registry.d.ts +58 -0
package/dist/plugin-registry.js +108 -0
package/dist/plugin-registry.js.map +1 -0
package/dist/plugin-updates.d.ts +135 -0
package/dist/plugin-updates.js +326 -0
package/dist/plugin-updates.js.map +1 -0
package/dist/plugins-cli.d.ts +7 -0
package/dist/plugins-cli.js +157 -0
package/dist/plugins-cli.js.map +1 -0
package/dist/plugins.d.ts +88 -0
package/dist/plugins.js +251 -0
package/dist/plugins.js.map +1 -0
package/dist/policy.d.ts +66 -0
package/dist/policy.js +160 -0
package/dist/policy.js.map +1 -0
package/dist/post-pull-audit.d.ts +39 -0
package/dist/post-pull-audit.js +151 -0
package/dist/post-pull-audit.js.map +1 -0
package/dist/provision.d.ts +17 -0
package/dist/provision.js +147 -0
package/dist/provision.js.map +1 -0
package/dist/query-optimizer.d.ts +102 -0
package/dist/query-optimizer.js +199 -0
package/dist/query-optimizer.js.map +1 -0
package/dist/read-only-mode.d.ts +46 -0
package/dist/read-only-mode.js +71 -0
package/dist/read-only-mode.js.map +1 -0
package/dist/redis-adapter.d.ts +71 -0
package/dist/redis-adapter.js +278 -0
package/dist/redis-adapter.js.map +1 -0
package/dist/resilience-tests.d.ts +120 -0
package/dist/resilience-tests.js +293 -0
package/dist/resilience-tests.js.map +1 -0
package/dist/revocation.d.ts +22 -0
package/dist/revocation.js +100 -0
package/dist/revocation.js.map +1 -0
package/dist/run.d.ts +21 -0
package/dist/run.js +80 -0
package/dist/run.js.map +1 -0
package/dist/scan-build.d.ts +18 -0
package/dist/scan-build.js +100 -0
package/dist/scan-build.js.map +1 -0
package/dist/scan-plaintext.d.ts +24 -0
package/dist/scan-plaintext.js +147 -0
package/dist/scan-plaintext.js.map +1 -0
package/dist/scan-staged.d.ts +15 -0
package/dist/scan-staged.js +70 -0
package/dist/scan-staged.js.map +1 -0
package/dist/scan-transcripts.d.ts +23 -0
package/dist/scan-transcripts.js +93 -0
package/dist/scan-transcripts.js.map +1 -0
package/dist/secret-backends.d.ts +50 -0
package/dist/secret-backends.js +510 -0
package/dist/secret-backends.js.map +1 -0
package/dist/secret-expiration.d.ts +46 -0
package/dist/secret-expiration.js +172 -0
package/dist/secret-expiration.js.map +1 -0
package/dist/secrets-migrate.d.ts +75 -0
package/dist/secrets-migrate.js +185 -0
package/dist/secrets-migrate.js.map +1 -0
package/dist/secrets-model.d.ts +77 -0
package/dist/secrets-model.js +6 -0
package/dist/secrets-model.js.map +1 -0
package/dist/secrets-onecli.d.ts +65 -0
package/dist/secrets-onecli.js +113 -0
package/dist/secrets-onecli.js.map +1 -0
package/dist/secrets-propagate.d.ts +48 -0
package/dist/secrets-propagate.js +201 -0
package/dist/secrets-propagate.js.map +1 -0
package/dist/secrets-pull.d.ts +34 -0
package/dist/secrets-pull.js +118 -0
package/dist/secrets-pull.js.map +1 -0
package/dist/secrets-purge-history.d.ts +53 -0
package/dist/secrets-purge-history.js +144 -0
package/dist/secrets-purge-history.js.map +1 -0
package/dist/secrets-rotate-cli.d.ts +54 -0
package/dist/secrets-rotate-cli.js +438 -0
package/dist/secrets-rotate-cli.js.map +1 -0
package/dist/secrets-rotate.d.ts +38 -0
package/dist/secrets-rotate.js +65 -0
package/dist/secrets-rotate.js.map +1 -0
package/dist/secrets-service.d.ts +73 -0
package/dist/secrets-service.js +283 -0
package/dist/secrets-service.js.map +1 -0
package/dist/secrets-set.d.ts +25 -0
package/dist/secrets-set.js +33 -0
package/dist/secrets-set.js.map +1 -0
package/dist/secrets-sync.d.ts +21 -0
package/dist/secrets-sync.js +215 -0
package/dist/secrets-sync.js.map +1 -0
package/dist/secrets-validate.d.ts +41 -0
package/dist/secrets-validate.js +126 -0
package/dist/secrets-validate.js.map +1 -0
package/dist/secrets-vault-migrate.d.ts +71 -0
package/dist/secrets-vault-migrate.js +258 -0
package/dist/secrets-vault-migrate.js.map +1 -0
package/dist/secrets.d.ts +16 -0
package/dist/secrets.js +72 -0
package/dist/secrets.js.map +1 -0
package/dist/security-hardening.d.ts +150 -0
package/dist/security-hardening.js +275 -0
package/dist/security-hardening.js.map +1 -0
package/dist/security-policy.d.ts +89 -0
package/dist/security-policy.js +174 -0
package/dist/security-policy.js.map +1 -0
package/dist/security-prescan.d.ts +117 -0
package/dist/security-prescan.js +566 -0
package/dist/security-prescan.js.map +1 -0
package/dist/sentry-adapter.d.ts +49 -0
package/dist/sentry-adapter.js +227 -0
package/dist/sentry-adapter.js.map +1 -0
package/dist/service-adapter.d.ts +94 -0
package/dist/service-adapter.js +162 -0
package/dist/service-adapter.js.map +1 -0
package/dist/skills.d.ts +13 -0
package/dist/skills.js +17 -0
package/dist/skills.js.map +1 -0
package/dist/sla-monitor.d.ts +107 -0
package/dist/sla-monitor.js +233 -0
package/dist/sla-monitor.js.map +1 -0
package/dist/stack-detector.d.ts +12 -0
package/dist/stack-detector.js +251 -0
package/dist/stack-detector.js.map +1 -0
package/dist/team-model.d.ts +58 -0
package/dist/team-model.js +83 -0
package/dist/team-model.js.map +1 -0
package/dist/team-service.d.ts +54 -0
package/dist/team-service.js +206 -0
package/dist/team-service.js.map +1 -0
package/dist/toml-generator.d.ts +8 -0
package/dist/toml-generator.js +223 -0
package/dist/toml-generator.js.map +1 -0
package/dist/triage-sandbox.d.ts +34 -0
package/dist/triage-sandbox.js +167 -0
package/dist/triage-sandbox.js.map +1 -0
package/dist/triage.d.ts +30 -0
package/dist/triage.js +79 -0
package/dist/triage.js.map +1 -0
package/dist/update-check.d.ts +13 -0
package/dist/update-check.js +91 -0
package/dist/update-check.js.map +1 -0
package/dist/utils/colors.d.ts +14 -0
package/dist/utils/colors.js +15 -0
package/dist/utils/colors.js.map +1 -0
package/dist/utils/didYouMean.d.ts +15 -0
package/dist/utils/didYouMean.js +47 -0
package/dist/utils/didYouMean.js.map +1 -0
package/dist/utils/exec.d.ts +21 -0
package/dist/utils/exec.js +23 -0
package/dist/utils/exec.js.map +1 -0
package/dist/utils/execFileNoThrow.d.ts +14 -0
package/dist/utils/execFileNoThrow.js +29 -0
package/dist/utils/execFileNoThrow.js.map +1 -0
package/dist/utils/flags.d.ts +19 -0
package/dist/utils/flags.js +36 -0
package/dist/utils/flags.js.map +1 -0
package/dist/utils/parseCommand.d.ts +16 -0
package/dist/utils/parseCommand.js +13 -0
package/dist/utils/parseCommand.js.map +1 -0
package/dist/utils/prompt.d.ts +13 -0
package/dist/utils/prompt.js +35 -0
package/dist/utils/prompt.js.map +1 -0
package/dist/utils/promptSelect.d.ts +19 -0
package/dist/utils/promptSelect.js +89 -0
package/dist/utils/promptSelect.js.map +1 -0
package/dist/utils/redactSecrets.d.ts +24 -0
package/dist/utils/redactSecrets.js +134 -0
package/dist/utils/redactSecrets.js.map +1 -0
package/dist/validation/dynamic-schema.d.ts +29 -0
package/dist/validation/dynamic-schema.js +76 -0
package/dist/validation/dynamic-schema.js.map +1 -0
package/package.json +52 -0

package/dist/scan-build.d.ts ADDED Viewed

@@ -0,0 +1,18 @@
+import { type SecretFinding } from "./utils/redactSecrets.js";
+/**
+ * Walks built-artifact directories looking for leaked credentials. The
+ * typical failure mode this catches is a Next.js `NEXT_PUBLIC_` typo that
+ * silently inlines a server-only secret into the client bundle.
+ *
+ * Intentionally narrow in scope:
+ *   - only known build-output dirs (no full-repo walk — that's what
+ *     scanStagedFiles + checkSecretsInCode do)
+ *   - skips obvious binary extensions
+ *   - bounded per-file read at 5 MiB so a giant minified blob doesn't
+ *     stall the scan
+ */
+export interface BuildHit {
+    file: string;
+    findings: SecretFinding[];
+}
+export declare function scanBuildArtifacts(cwd?: string, customDirs?: string[]): Promise<BuildHit[]>;

package/dist/scan-build.js ADDED Viewed

@@ -0,0 +1,100 @@
+import { readFile, readdir, stat } from "node:fs/promises";
+import { resolve, join } from "node:path";
+import { findSecrets } from "./utils/redactSecrets.js";
+const DEFAULT_BUILD_DIRS = [
+    ".next",
+    "dist",
+    "build",
+    "out",
+    ".vercel/output",
+    ".svelte-kit",
+    ".nuxt",
+    ".output",
+];
+const SCANNABLE_EXTS = new Set([
+    ".js",
+    ".mjs",
+    ".cjs",
+    ".ts",
+    ".tsx",
+    ".jsx",
+    ".html",
+    ".css",
+    ".json",
+    ".map",
+    ".txt",
+    ".env",
+    ".env.local",
+    ".env.production",
+]);
+const SKIP_DIRS = new Set([
+    "node_modules",
+    ".git",
+    ".pnpm-store",
+    "cache",
+]);
+const MAX_BYTES = 5 * 1024 * 1024; // 5 MiB
+async function walk(dir, out, depth = 0, maxDepth = 8) {
+    if (depth > maxDepth)
+        return;
+    let entries;
+    try {
+        entries = await readdir(dir, { withFileTypes: true });
+    }
+    catch {
+        return;
+    }
+    for (const ent of entries) {
+        if (SKIP_DIRS.has(ent.name))
+            continue;
+        const full = join(dir, ent.name);
+        if (ent.isDirectory()) {
+            await walk(full, out, depth + 1, maxDepth);
+        }
+        else if (ent.isFile()) {
+            const ext = ent.name.includes(".")
+                ? ent.name.slice(ent.name.lastIndexOf("."))
+                : "";
+            if (!SCANNABLE_EXTS.has(ext) && !ent.name.startsWith(".env"))
+                continue;
+            out.push(full);
+        }
+    }
+}
+export async function scanBuildArtifacts(cwd = process.cwd(), customDirs) {
+    const dirsToScan = customDirs ?? DEFAULT_BUILD_DIRS;
+    const files = [];
+    for (const d of dirsToScan) {
+        const full = resolve(cwd, d);
+        try {
+            const st = await stat(full);
+            if (!st.isDirectory())
+                continue;
+        }
+        catch {
+            continue;
+        }
+        await walk(full, files);
+    }
+    const hits = [];
+    for (const path of files) {
+        let content;
+        try {
+            const st = await stat(path);
+            if (st.size > MAX_BYTES)
+                continue;
+            content = await readFile(path, "utf-8");
+        }
+        catch {
+            continue;
+        }
+        const findings = findSecrets(content);
+        if (findings.length > 0) {
+            // Strip leading cwd from path for readable reporting.
+            const rel = path.startsWith(cwd) ? path.slice(cwd.length + 1) : path;
+            hits.push({ file: rel, findings });
+        }
+    }
+    return hits;
+}
+//# sourceMappingURL=scan-build.js.map

package/dist/scan-build.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"scan-build.js","sourceRoot":"","sources":["../src/scan-build.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,WAAW,EAAsB,MAAM,0BAA0B,CAAC;AAmB3E,MAAM,kBAAkB,GAAG;IACzB,OAAO;IACP,MAAM;IACN,OAAO;IACP,KAAK;IACL,gBAAgB;IAChB,aAAa;IACb,OAAO;IACP,SAAS;CACV,CAAC;AAEF,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC;IAC7B,KAAK;IACL,MAAM;IACN,MAAM;IACN,KAAK;IACL,MAAM;IACN,MAAM;IACN,OAAO;IACP,MAAM;IACN,OAAO;IACP,MAAM;IACN,MAAM;IACN,MAAM;IACN,YAAY;IACZ,iBAAiB;CAClB,CAAC,CAAC;AAEH,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC;IACxB,cAAc;IACd,MAAM;IACN,aAAa;IACb,OAAO;CACR,CAAC,CAAC;AAEH,MAAM,SAAS,GAAG,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,QAAQ;AAE3C,KAAK,UAAU,IAAI,CACjB,GAAW,EACX,GAAa,EACb,KAAK,GAAG,CAAC,EACT,QAAQ,GAAG,CAAC;IAEZ,IAAI,KAAK,GAAG,QAAQ;QAAE,OAAO;IAC7B,IAAI,OAAO,CAAC;IACZ,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IACxD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;IACT,CAAC;IACD,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;QAC1B,IAAI,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,SAAS;QACtC,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;QACjC,IAAI,GAAG,CAAC,WAAW,EAAE,EAAE,CAAC;YACtB,MAAM,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,KAAK,GAAG,CAAC,EAAE,QAAQ,CAAC,CAAC;QAC7C,CAAC;aAAM,IAAI,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC;YACxB,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC;gBAChC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;gBAC3C,CAAC,CAAC,EAAE,CAAC;YACP,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC;gBAAE,SAAS;YACvE,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjB,CAAC;IACH,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,MAAc,OAAO,CAAC,GAAG,EAAE,EAC3B,UAAqB;IAErB,MAAM,UAAU,GAAG,UAAU,IAAI,kBAAkB,CAAC;IACpD,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;QAC3B,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QAC7B,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,CAAC;YAC5B,IAAI,CAAC,EAAE,CAAC,WAAW,EAAE;gBAAE,SAAS;QAClC,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QACD,MAAM,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAC1B,CAAC;IAED,MAAM,IAAI,GAAe,EAAE,CAAC;IAC5B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,OAAe,CAAC;QACpB,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,CAAC;YAC5B,IAAI,EAAE,CAAC,IAAI,GAAG,SAAS;gBAAE,SAAS;YAClC,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAC1C,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QACD,MAAM,QAAQ,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;QACtC,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,sDAAsD;YACtD,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YACrE,IAAI,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,QAAQ,EAAE,CAAC,CAAC;QACrC,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/scan-plaintext.d.ts ADDED Viewed

@@ -0,0 +1,24 @@
+import { type SecretFinding } from "./utils/redactSecrets.js";
+export interface PlaintextHit {
+    file: string;
+    findings: SecretFinding[];
+}
+export interface PlaintextScanOptions {
+    /** Additional file paths (relative to cwd) to scan beyond the defaults. */
+    extraFiles?: string[];
+    /** Additional dirs to walk recursively (depth-limited). Defaults to common config homes. */
+    extraDirs?: string[];
+    /** Max directory recursion depth. Default 3. Walk skips node_modules/.git/dist/build/out. */
+    maxDepth?: number;
+    /** Override the entire default list — useful for `.kit.toml` config. */
+    overrideFiles?: string[];
+    overrideDirs?: string[];
+}
+/**
+ * Scan high-signal locations for plaintext secrets before the user moves
+ * to a vault. Widened in P2: recurses into named config dirs (depth-limited),
+ * skips obvious build artifacts/node_modules, follows symlinks safely
+ * (resolves real path + dedupes), and accepts caller-supplied include lists
+ * so `.kit.toml` can extend the defaults per-project.
+ */
+export declare function scanPlaintextSecrets(cwd?: string, opts?: PlaintextScanOptions): Promise<PlaintextHit[]>;

package/dist/scan-plaintext.js ADDED Viewed

@@ -0,0 +1,147 @@
+import { readFile, readdir, access, stat, realpath } from "node:fs/promises";
+import { resolve, join, relative } from "node:path";
+import { findSecrets } from "./utils/redactSecrets.js";
+const DEFAULT_FILE_NAMES = [
+    ".env",
+    ".env.local",
+    ".env.development",
+    ".env.production",
+    ".env.staging",
+    ".env.test",
+    ".env.preview",
+    ".envrc",
+    "package.json",
+    "vercel.json",
+    "fly.toml",
+    "railway.toml",
+    "wrangler.toml",
+    "netlify.toml",
+    "render.yaml",
+    "docker-compose.yml",
+    "docker-compose.yaml",
+    "terraform.tfvars",
+    "terraform.tfvars.json",
+];
+const DEFAULT_RECURSIVE_DIRS = ["scripts", "config", "infra", "terraform", ".github"];
+const RECURSIVE_FILE_EXTS = /\.(sh|js|ts|mjs|cjs|json|yml|yaml|toml|tf|tfvars|tfstate|env)$/;
+const SKIP_DIR_NAMES = new Set([
+    "node_modules",
+    ".git",
+    "dist",
+    "build",
+    "out",
+    ".next",
+    ".turbo",
+    ".cache",
+    "coverage",
+    ".venv",
+    "venv",
+    "__pycache__",
+    ".kit", // own state
+]);
+/**
+ * Scan high-signal locations for plaintext secrets before the user moves
+ * to a vault. Widened in P2: recurses into named config dirs (depth-limited),
+ * skips obvious build artifacts/node_modules, follows symlinks safely
+ * (resolves real path + dedupes), and accepts caller-supplied include lists
+ * so `.kit.toml` can extend the defaults per-project.
+ */
+export async function scanPlaintextSecrets(cwd = process.cwd(), opts = {}) {
+    const hits = [];
+    const seenRealPaths = new Set();
+    const fileTargets = opts.overrideFiles ?? [
+        ...DEFAULT_FILE_NAMES,
+        ...(opts.extraFiles ?? []),
+    ];
+    const dirTargets = opts.overrideDirs ?? [
+        ...DEFAULT_RECURSIVE_DIRS,
+        ...(opts.extraDirs ?? []),
+    ];
+    const maxDepth = opts.maxDepth ?? 3;
+    const scanFile = async (relativePath, absolutePath) => {
+        let realPath;
+        try {
+            realPath = await realpath(absolutePath);
+        }
+        catch {
+            return;
+        }
+        if (seenRealPaths.has(realPath))
+            return;
+        seenRealPaths.add(realPath);
+        try {
+            const info = await stat(realPath);
+            if (!info.isFile())
+                return;
+            // Refuse to slurp anything huge — kit isn't a full secret scanner.
+            if (info.size > 5 * 1024 * 1024)
+                return;
+        }
+        catch {
+            return;
+        }
+        try {
+            const text = await readFile(realPath, "utf-8");
+            const findings = findSecrets(text);
+            if (findings.length > 0) {
+                hits.push({ file: relativePath, findings });
+            }
+        }
+        catch {
+            /* unreadable / binary — skip */
+        }
+    };
+    // Pass 1: named files at repo root.
+    for (const name of fileTargets) {
+        const absolute = resolve(cwd, name);
+        try {
+            await access(absolute);
+        }
+        catch {
+            continue;
+        }
+        await scanFile(name, absolute);
+    }
+    // Pass 2: depth-limited walk of the configured dirs.
+    for (const dirName of dirTargets) {
+        const root = resolve(cwd, dirName);
+        try {
+            await access(root);
+        }
+        catch {
+            continue;
+        }
+        await walk(root, 0);
+    }
+    async function walk(dir, depth) {
+        if (depth > maxDepth)
+            return;
+        let entries;
+        try {
+            entries = (await readdir(dir, { withFileTypes: true }));
+        }
+        catch {
+            return;
+        }
+        for (const ent of entries) {
+            if (SKIP_DIR_NAMES.has(ent.name))
+                continue;
+            const childAbs = join(dir, ent.name);
+            const childRel = relative(cwd, childAbs);
+            if (ent.isDirectory()) {
+                await walk(childAbs, depth + 1);
+                continue;
+            }
+            if (!ent.isFile() && !ent.isSymbolicLink())
+                continue;
+            // Only match the known-noisy extensions to keep the scan fast.
+            // .tfstate is intentionally included even though it's huge in some
+            // repos — the size guard above caps the slurp.
+            if (!RECURSIVE_FILE_EXTS.test(ent.name))
+                continue;
+            await scanFile(childRel, childAbs);
+        }
+    }
+    return hits;
+}
+//# sourceMappingURL=scan-plaintext.js.map

package/dist/scan-plaintext.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"scan-plaintext.js","sourceRoot":"","sources":["../src/scan-plaintext.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAE7E,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AACpD,OAAO,EAAE,WAAW,EAAsB,MAAM,0BAA0B,CAAC;AAmB3E,MAAM,kBAAkB,GAAG;IACzB,MAAM;IACN,YAAY;IACZ,kBAAkB;IAClB,iBAAiB;IACjB,cAAc;IACd,WAAW;IACX,cAAc;IACd,QAAQ;IACR,cAAc;IACd,aAAa;IACb,UAAU;IACV,cAAc;IACd,eAAe;IACf,cAAc;IACd,aAAa;IACb,oBAAoB;IACpB,qBAAqB;IACrB,kBAAkB;IAClB,uBAAuB;CACxB,CAAC;AAEF,MAAM,sBAAsB,GAAG,CAAC,SAAS,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,SAAS,CAAC,CAAC;AAEtF,MAAM,mBAAmB,GAAG,gEAAgE,CAAC;AAE7F,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC;IAC7B,cAAc;IACd,MAAM;IACN,MAAM;IACN,OAAO;IACP,KAAK;IACL,OAAO;IACP,QAAQ;IACR,QAAQ;IACR,UAAU;IACV,OAAO;IACP,MAAM;IACN,aAAa;IACb,MAAM,EAAE,YAAY;CACrB,CAAC,CAAC;AAEH;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,MAAc,OAAO,CAAC,GAAG,EAAE,EAC3B,OAA6B,EAAE;IAE/B,MAAM,IAAI,GAAmB,EAAE,CAAC;IAChC,MAAM,aAAa,GAAG,IAAI,GAAG,EAAU,CAAC;IAExC,MAAM,WAAW,GAAG,IAAI,CAAC,aAAa,IAAI;QACxC,GAAG,kBAAkB;QACrB,GAAG,CAAC,IAAI,CAAC,UAAU,IAAI,EAAE,CAAC;KAC3B,CAAC;IACF,MAAM,UAAU,GAAG,IAAI,CAAC,YAAY,IAAI;QACtC,GAAG,sBAAsB;QACzB,GAAG,CAAC,IAAI,CAAC,SAAS,IAAI,EAAE,CAAC;KAC1B,CAAC;IACF,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,CAAC,CAAC;IAEpC,MAAM,QAAQ,GAAG,KAAK,EAAE,YAAoB,EAAE,YAAoB,EAAE,EAAE;QACpE,IAAI,QAAgB,CAAC;QACrB,IAAI,CAAC;YACH,QAAQ,GAAG,MAAM,QAAQ,CAAC,YAAY,CAAC,CAAC;QAC1C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;QACT,CAAC;QACD,IAAI,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,OAAO;QACxC,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC5B,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,CAAC;YAClC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE;gBAAE,OAAO;YAC3B,mEAAmE;YACnE,IAAI,IAAI,CAAC,IAAI,GAAG,CAAC,GAAG,IAAI,GAAG,IAAI;gBAAE,OAAO;QAC1C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;QACT,CAAC;QACD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YAC/C,MAAM,QAAQ,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;YACnC,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACxB,IAAI,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,CAAC,CAAC;YAC9C,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,gCAAgC;QAClC,CAAC;IACH,CAAC,CAAC;IAEF,oCAAoC;IACpC,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;QAC/B,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QACpC,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;QACzB,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QACD,MAAM,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IACjC,CAAC;IAED,qDAAqD;IACrD,KAAK,MAAM,OAAO,IAAI,UAAU,EAAE,CAAC;QACjC,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QACnC,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;QACrB,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QACD,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IACtB,CAAC;IAED,KAAK,UAAU,IAAI,CAAC,GAAW,EAAE,KAAa;QAC5C,IAAI,KAAK,GAAG,QAAQ;YAAE,OAAO;QAC7B,IAAI,OAAiB,CAAC;QACtB,IAAI,CAAC;YACH,OAAO,GAAG,CAAC,MAAM,OAAO,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAwB,CAAC;QACjF,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;QACT,CAAC;QACD,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;YAC1B,IAAI,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC;gBAAE,SAAS;YAC3C,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;YACrC,MAAM,QAAQ,GAAG,QAAQ,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;YACzC,IAAI,GAAG,CAAC,WAAW,EAAE,EAAE,CAAC;gBACtB,MAAM,IAAI,CAAC,QAAQ,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;gBAChC,SAAS;YACX,CAAC;YACD,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,GAAG,CAAC,cAAc,EAAE;gBAAE,SAAS;YACrD,+DAA+D;YAC/D,mEAAmE;YACnE,+CAA+C;YAC/C,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC;gBAAE,SAAS;YAClD,MAAM,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACrC,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/scan-staged.d.ts ADDED Viewed

@@ -0,0 +1,15 @@
+import { type SecretFinding } from "./utils/redactSecrets.js";
+export interface StagedHit {
+    file: string;
+    findings: SecretFinding[];
+}
+/**
+ * Reads the list of staged file paths from git, then scans each blob for
+ * SECRET_PATTERNS. Returns one entry per file that has at least one match.
+ *
+ * Operates on the staged blob (`git show :file`) rather than the working
+ * copy, so a developer can't bypass the check by un-staging the file after
+ * the hook fires. NUL-delimited path parsing keeps newlines + spaces in
+ * filenames safe.
+ */
+export declare function scanStagedFiles(cwd?: string): Promise<StagedHit[]>;

package/dist/scan-staged.js ADDED Viewed

@@ -0,0 +1,70 @@
+import { readFile } from "node:fs/promises";
+import { findSecrets } from "./utils/redactSecrets.js";
+import { exec } from "./utils/exec.js";
+/**
+ * Reads the list of staged file paths from git, then scans each blob for
+ * SECRET_PATTERNS. Returns one entry per file that has at least one match.
+ *
+ * Operates on the staged blob (`git show :file`) rather than the working
+ * copy, so a developer can't bypass the check by un-staging the file after
+ * the hook fires. NUL-delimited path parsing keeps newlines + spaces in
+ * filenames safe.
+ */
+export async function scanStagedFiles(cwd = process.cwd()) {
+    let paths;
+    try {
+        // `git diff --cached` compares the index to HEAD; on a fresh repo there
+        // is no HEAD yet, which makes the call exit non-zero. Use the empty-tree
+        // SHA as the comparison base in that case so first-ever-commit hooks
+        // still get scanned.
+        let hasHead = true;
+        try {
+            await exec("git", ["rev-parse", "--verify", "HEAD"], {
+                cwd,
+                timeout: 3_000,
+            });
+        }
+        catch {
+            hasHead = false;
+        }
+        const args = hasHead
+            ? ["diff", "--cached", "--name-only", "--diff-filter=AM", "-z"]
+            : ["diff", "--cached", "--name-only", "--diff-filter=AM", "-z",
+                "4b825dc642cb6eb9a060e54bf8d69288fbee4904"]; // Git's well-known empty tree
+        const { stdout } = await exec("git", args, { cwd, timeout: 5_000 });
+        paths = stdout.split("\0").filter(Boolean);
+    }
+    catch {
+        // not a git repo, or git missing — let hook fall through silently
+        return [];
+    }
+    const { resolve } = await import("node:path");
+    const hits = [];
+    for (const path of paths) {
+        // Read the staged blob (`git show :file`) so a developer can't bypass
+        // by un-staging the change after the hook fires. Cap at 1 MiB.
+        let content;
+        try {
+            const { stdout } = await exec("git", ["show", `:${path}`], {
+                cwd,
+                timeout: 5_000,
+                maxBuffer: 1 * 1024 * 1024,
+            });
+            content = stdout;
+        }
+        catch {
+            try {
+                content = await readFile(resolve(cwd, path), "utf-8");
+            }
+            catch {
+                continue;
+            }
+        }
+        const findings = findSecrets(content);
+        if (findings.length > 0) {
+            hits.push({ file: path, findings });
+        }
+    }
+    return hits;
+}
+//# sourceMappingURL=scan-staged.js.map

package/dist/scan-staged.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"scan-staged.js","sourceRoot":"","sources":["../src/scan-staged.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,WAAW,EAAsB,MAAM,0BAA0B,CAAC;AAC3E,OAAO,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAC;AAQvC;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,MAAc,OAAO,CAAC,GAAG,EAAE;IAC/D,IAAI,KAAe,CAAC;IACpB,IAAI,CAAC;QACH,wEAAwE;QACxE,yEAAyE;QACzE,qEAAqE;QACrE,qBAAqB;QACrB,IAAI,OAAO,GAAG,IAAI,CAAC;QACnB,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,WAAW,EAAE,UAAU,EAAE,MAAM,CAAC,EAAE;gBACnD,GAAG;gBACH,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,GAAG,KAAK,CAAC;QAClB,CAAC;QACD,MAAM,IAAI,GAAG,OAAO;YAClB,CAAC,CAAC,CAAC,MAAM,EAAE,UAAU,EAAE,aAAa,EAAE,kBAAkB,EAAE,IAAI,CAAC;YAC/D,CAAC,CAAC,CAAC,MAAM,EAAE,UAAU,EAAE,aAAa,EAAE,kBAAkB,EAAE,IAAI;gBAC3D,0CAA0C,CAAC,CAAC,CAAC,8BAA8B;QAChF,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;QACpE,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,kEAAkE;QAClE,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;IAC9C,MAAM,IAAI,GAAgB,EAAE,CAAC;IAC7B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,sEAAsE;QACtE,+DAA+D;QAC/D,IAAI,OAAe,CAAC;QACpB,IAAI,CAAC;YACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,MAAM,EAAE,IAAI,IAAI,EAAE,CAAC,EAAE;gBACzD,GAAG;gBACH,OAAO,EAAE,KAAK;gBACd,SAAS,EAAE,CAAC,GAAG,IAAI,GAAG,IAAI;aAC3B,CAAC,CAAC;YACH,OAAO,GAAG,MAAM,CAAC;QACnB,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,CAAC;gBACH,OAAO,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,EAAE,OAAO,CAAC,CAAC;YACxD,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;QACH,CAAC;QACD,MAAM,QAAQ,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;QACtC,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,IAAI,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;QACtC,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/scan-transcripts.d.ts ADDED Viewed

@@ -0,0 +1,23 @@
+import { type SecretFinding } from "./utils/redactSecrets.js";
+/**
+ * Scans agent transcript and prompt-cache directories for leaked credentials.
+ *
+ * Why this matters: an AI agent receives a real key in conversation history,
+ * the message gets persisted to a transcript file, and that file gets read
+ * back into every future prompt. The key keeps re-leaking until the transcript
+ * is purged.
+ *
+ * Scans:
+ *   - `<repo>/.claude/`           — project-local Claude Code state
+ *   - `<repo>/.opencode/`         — OpenCode local state
+ *   - `~/.claude/projects/<repo>/` — global Claude Code project cache
+ *   - `~/.claude/projects/-<repo-path>/` — same, with normalized slashes
+ *
+ * Files we read: `*.jsonl`, `*.md`, `*.json`, `*.txt` (transcript-shaped).
+ * Skipped: binary, large blobs over 10 MiB, node_modules.
+ */
+export interface TranscriptHit {
+    file: string;
+    findings: SecretFinding[];
+}
+export declare function scanTranscripts(cwd?: string): Promise<TranscriptHit[]>;

package/dist/scan-transcripts.js ADDED Viewed

@@ -0,0 +1,93 @@
+import { readFile, readdir, stat } from "node:fs/promises";
+import { resolve, join } from "node:path";
+import { homedir } from "node:os";
+import { findSecrets } from "./utils/redactSecrets.js";
+const SCANNABLE_EXTS = new Set([".jsonl", ".md", ".json", ".txt", ".log"]);
+const SKIP_DIRS = new Set(["node_modules", ".git", "tool-results"]);
+const MAX_BYTES = 10 * 1024 * 1024; // 10 MiB
+async function dirExists(path) {
+    try {
+        const st = await stat(path);
+        return st.isDirectory();
+    }
+    catch {
+        return false;
+    }
+}
+async function walk(dir, out, depth = 0, maxDepth = 6) {
+    if (depth > maxDepth)
+        return;
+    let entries;
+    try {
+        entries = await readdir(dir, { withFileTypes: true });
+    }
+    catch {
+        return;
+    }
+    for (const ent of entries) {
+        if (SKIP_DIRS.has(ent.name))
+            continue;
+        const full = join(dir, ent.name);
+        if (ent.isDirectory()) {
+            await walk(full, out, depth + 1, maxDepth);
+        }
+        else if (ent.isFile()) {
+            const ext = ent.name.includes(".")
+                ? ent.name.slice(ent.name.lastIndexOf("."))
+                : "";
+            if (!SCANNABLE_EXTS.has(ext))
+                continue;
+            out.push(full);
+        }
+    }
+}
+/**
+ * Convert an absolute repo path into the slug Claude Code uses for its
+ * `~/.claude/projects/<slug>/` directory: leading dash, then path with `/`
+ * replaced by `-`. Best-effort — both forms are checked.
+ */
+function repoSlug(cwd) {
+    return cwd.replace(/^\//, "-").replace(/\//g, "-");
+}
+export async function scanTranscripts(cwd = process.cwd()) {
+    const candidates = [];
+    // Project-local agent dirs
+    for (const local of [".claude", ".opencode", ".cursor", ".aider"]) {
+        const full = resolve(cwd, local);
+        if (await dirExists(full))
+            candidates.push(full);
+    }
+    // Global Claude Code project cache (best-effort slug match)
+    const home = homedir();
+    const slug = repoSlug(cwd);
+    for (const global of [
+        join(home, ".claude", "projects", slug),
+        join(home, ".opencode", "projects", slug),
+    ]) {
+        if (await dirExists(global))
+            candidates.push(global);
+    }
+    const files = [];
+    for (const root of candidates) {
+        await walk(root, files);
+    }
+    const hits = [];
+    for (const path of files) {
+        let content;
+        try {
+            const st = await stat(path);
+            if (st.size > MAX_BYTES)
+                continue;
+            content = await readFile(path, "utf-8");
+        }
+        catch {
+            continue;
+        }
+        const findings = findSecrets(content);
+        if (findings.length > 0) {
+            hits.push({ file: path, findings });
+        }
+    }
+    return hits;
+}
+//# sourceMappingURL=scan-transcripts.js.map

package/dist/scan-transcripts.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"scan-transcripts.js","sourceRoot":"","sources":["../src/scan-transcripts.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,WAAW,EAAsB,MAAM,0BAA0B,CAAC;AAwB3E,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,CAAC,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;AAC3E,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,CAAC,cAAc,EAAE,MAAM,EAAE,cAAc,CAAC,CAAC,CAAC;AACpE,MAAM,SAAS,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,SAAS;AAE7C,KAAK,UAAU,SAAS,CAAC,IAAY;IACnC,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,CAAC;QAC5B,OAAO,EAAE,CAAC,WAAW,EAAE,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,KAAK,UAAU,IAAI,CACjB,GAAW,EACX,GAAa,EACb,KAAK,GAAG,CAAC,EACT,QAAQ,GAAG,CAAC;IAEZ,IAAI,KAAK,GAAG,QAAQ;QAAE,OAAO;IAC7B,IAAI,OAAO,CAAC;IACZ,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IACxD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;IACT,CAAC;IACD,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;QAC1B,IAAI,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,SAAS;QACtC,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;QACjC,IAAI,GAAG,CAAC,WAAW,EAAE,EAAE,CAAC;YACtB,MAAM,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,KAAK,GAAG,CAAC,EAAE,QAAQ,CAAC,CAAC;QAC7C,CAAC;aAAM,IAAI,GAAG,CAAC,MAAM,EAAE,EAAE,CAAC;YACxB,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC;gBAChC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;gBAC3C,CAAC,CAAC,EAAE,CAAC;YACP,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC;gBAAE,SAAS;YACvC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjB,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,QAAQ,CAAC,GAAW;IAC3B,OAAO,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;AACrD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,MAAc,OAAO,CAAC,GAAG,EAAE;IAE3B,MAAM,UAAU,GAAa,EAAE,CAAC;IAEhC,2BAA2B;IAC3B,KAAK,MAAM,KAAK,IAAI,CAAC,SAAS,EAAE,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC,EAAE,CAAC;QAClE,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACjC,IAAI,MAAM,SAAS,CAAC,IAAI,CAAC;YAAE,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACnD,CAAC;IAED,4DAA4D;IAC5D,MAAM,IAAI,GAAG,OAAO,EAAE,CAAC;IACvB,MAAM,IAAI,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;IAC3B,KAAK,MAAM,MAAM,IAAI;QACnB,IAAI,CAAC,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,IAAI,CAAC;QACvC,IAAI,CAAC,IAAI,EAAE,WAAW,EAAE,UAAU,EAAE,IAAI,CAAC;KAC1C,EAAE,CAAC;QACF,IAAI,MAAM,SAAS,CAAC,MAAM,CAAC;YAAE,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACvD,CAAC;IAED,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;QAC9B,MAAM,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAC1B,CAAC;IAED,MAAM,IAAI,GAAoB,EAAE,CAAC;IACjC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,OAAe,CAAC;QACpB,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,CAAC;YAC5B,IAAI,EAAE,CAAC,IAAI,GAAG,SAAS;gBAAE,SAAS;YAClC,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAC1C,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QACD,MAAM,QAAQ,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;QACtC,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxB,IAAI,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;QACtC,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/secret-backends.d.ts ADDED Viewed

@@ -0,0 +1,50 @@
+import type { SecretKeyConfig, InfisicalConfig } from "./config.js";
+import type { SecretResolveResult } from "./secrets.js";
+/**
+ * Single source of truth for every secret backend kit speaks to.
+ *
+ * Each backend declares how to `resolve` (read) a value and, optionally, how
+ * to `write` one. A backend with no `write` is read-only — migration to it is
+ * unsupported, surfaced uniformly by {@link writeViaBackend}. Keeping read and
+ * write side-by-side in one object is the whole point: the previous design had
+ * two independent `switch (source)` statements (one in secrets.ts, one in
+ * secrets-migrate.ts), so adding a backend to one and forgetting the other
+ * failed silently. Here the omission is visible in a single place — and the
+ * read/write capability matrix is asserted in secret-backends.test.ts.
+ */
+export interface WriteOpts {
+    vault?: string;
+    project?: string;
+    region?: string;
+    vaultPath?: string;
+}
+export interface WriteResult {
+    ok: boolean;
+    ref?: string;
+    detail: string;
+}
+export interface SecretBackend {
+    /** Read a secret value for `name` using its `config`. Never throws — failures
+     *  come back as `{ resolved: false, detail }`. */
+    resolve(name: string, config: SecretKeyConfig, infisicalConfig?: InfisicalConfig): Promise<SecretResolveResult>;
+    /** Write a secret. Absent ⇒ the backend is read-only (migration unsupported).
+     *  May throw; callers wrap it so the error is redacted before surfacing.
+     *
+     *  Value handling: where the CLI supports it, the value is fed via stdin so it
+     *  never lands in argv / the process table (vault `kv put -`, aws/gcp
+     *  `file:///dev/stdin` / `--data-file=-`). The 1Password, Infisical, Doppler and
+     *  Azure CLIs only accept the value as a `key=value` / `--value` argv token for
+     *  these operations, so it is briefly visible in `ps` there — an inherent CLI
+     *  limitation. The error path is covered regardless: writeSecretToBackend redacts
+     *  the held plaintext by exact substring before any failure message is surfaced. */
+    write?(key: string, value: string, opts: WriteOpts): Promise<WriteResult>;
+}
+/** Reset the Infisical cache. Called once per `generateSecrets` run. */
+export declare function resetInfisicalCache(): void;
+export declare const BACKENDS: Record<string, SecretBackend>;
+/** Resolve (read) a secret via the registry. Mirrors the old `resolveSecret`
+ *  switch — unknown sources return a uniform `Unknown source` result. */
+export declare function resolveViaBackend(name: string, config: SecretKeyConfig, infisicalConfig?: InfisicalConfig): Promise<SecretResolveResult>;
+/** Write a secret via the registry. Backends without a `write` are read-only;
+ *  the "not yet supported" message matches the old switch default verbatim. */
+export declare function writeViaBackend(store: string, key: string, value: string, opts: WriteOpts): Promise<WriteResult>;