seamshield 0.0.1 → 0.1.1

package/package.json

@@ -1,8 +1,62 @@
 {
   "name": "seamshield",
-  "version": "0.0.1",
-  "description": "Security scanner for AI-built apps. Placeholder release — v0.1 (scanner CLI + agent guard) is in active development.",
+  "version": "0.1.1",
+  "description": "Security scanner for AI-generated apps: finds the flaws vibecoded projects predictably ship",
+  "type": "module",
   "license": "MIT",
-  "author": "wundder",
-  "keywords": ["security", "scanner", "ai", "vibecoding", "secrets", "nextjs", "supabase"]
+  "homepage": "https://github.com/KaraboGerald/SeamShield#readme",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/KaraboGerald/SeamShield.git",
+    "directory": "packages/cli"
+  },
+  "bugs": {
+    "url": "https://github.com/KaraboGerald/SeamShield/issues"
+  },
+  "keywords": [
+    "security",
+    "scanner",
+    "cli",
+    "ai",
+    "vibecoding",
+    "secrets",
+    "sast",
+    "nextjs",
+    "supabase",
+    "firebase",
+    "claude-code",
+    "cursor",
+    "osv",
+    "sarif"
+  ],
+  "bin": {
+    "seamshield": "dist/index.js"
+  },
+  "files": [
+    "README.md",
+    "dist",
+    "rules",
+    "schemas"
+  ],
+  "engines": {
+    "node": ">=20"
+  },
+  "scripts": {
+    "build": "tsup src/index.ts --format esm --clean && tsc -p tsconfig.build.json && rm -rf rules schemas && cp -R ../rules/rules ../rules/schemas . && cp ../../README.md README.md",
+    "prepack": "pnpm run build",
+    "test": "vitest run"
+  },
+  "dependencies": {
+    "commander": "^14.0.0",
+    "yaml": "^2.5.0",
+    "zod": "^4.0.0"
+  },
+  "devDependencies": {
+    "@seamshield/core": "workspace:*",
+    "@seamshield/rules": "workspace:*",
+    "@types/node": "^22.0.0",
+    "tsup": "^8.3.0",
+    "typescript": "^5.7.0",
+    "vitest": "^3.0.0"
+  }
 }

package/rules/secrets.patterns.yaml

@@ -0,0 +1,28 @@
+# Shared provider-key patterns consumed by ss/secrets/hardcoded-provider-key
+# via `patterns_from`. Pattern names appear in finding titles, so keep them
+# stable and provider-prefixed.
+patterns:
+  - name: anthropic-api-key
+    regex: "sk-ant-[A-Za-z0-9_-]{20,}"
+  - name: openai-project-key
+    regex: "sk-proj-[A-Za-z0-9_-]{20,}"
+  - name: openai-legacy-key
+    regex: "sk-[A-Za-z0-9]{40,}"
+  - name: stripe-live-secret-key
+    regex: "sk_live_[A-Za-z0-9]{16,}"
+  - name: stripe-restricted-key
+    regex: "rk_live_[A-Za-z0-9]{16,}"
+  - name: stripe-webhook-secret
+    regex: "whsec_[A-Za-z0-9]{24,}"
+  - name: google-api-key
+    regex: "AIza[0-9A-Za-z_-]{35}"
+  - name: github-pat
+    regex: "ghp_[A-Za-z0-9]{36}"
+  - name: github-fine-grained-pat
+    regex: "github_pat_[A-Za-z0-9_]{36,}"
+  - name: aws-access-key-id
+    regex: "AKIA[0-9A-Z]{16}"
+  - name: slack-bot-token
+    regex: "xoxb-[0-9A-Za-z-]{20,}"
+  - name: convex-deploy-key
+    regex: "(?:prod|preview|dev):[a-z0-9-]+\\|[A-Za-z0-9+/=]{20,}"

package/rules/ss-agent-mcp-inline-credentials.yaml

@@ -0,0 +1,23 @@
+id: ss/agent/mcp-inline-credentials
+severity: high
+title: Inline credential in MCP server configuration
+description: >
+  An MCP configuration file passes a literal credential value instead of an
+  environment variable reference. MCP configs are commonly committed and
+  shared between machines, leaking the credential with them.
+framework_ref: AI_AGENT_DROP_IN.md#default-security-stance
+check:
+  type: regex
+  redact: true
+  include:
+    basenames: [".mcp.json", "mcp.json", "claude_desktop_config.json"]
+  patterns:
+    - name: inline-mcp-credential
+      regex: "\"[A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD)[A-Z0-9_]*\"\\s*:\\s*\"(?![$]|\\$\\{)[^\"]{12,}\""
+fix:
+  summary: Reference the credential via ${ENV_VAR} and set it in the environment instead.
+  agent_prompt: >
+    Replace this literal value with an environment-variable reference (for
+    example "${GITHUB_TOKEN}") and document the variable in the project
+    README or .env.example. If this config file was committed with the real
+    value, tell the user to rotate the credential.

package/rules/ss-agent-overbroad-permissions.yaml

@@ -0,0 +1,27 @@
+id: ss/agent/overbroad-permissions
+severity: warn
+title: Overbroad AI agent permission grant
+description: >
+  An agent settings file grants blanket permissions — wildcard Bash,
+  allow-everything, or bypassing the permission system entirely. One
+  prompt-injected instruction then runs with full machine access.
+framework_ref: AI_AGENT_DROP_IN.md#default-security-stance
+check:
+  type: regex
+  include:
+    basenames: ["settings.json", "settings.local.json"]
+    path_contains: [".claude"]
+  patterns:
+    - name: wildcard-bash-allow
+      regex: "\"Bash\\(\\*"
+    - name: bypass-permissions-mode
+      regex: "bypassPermissions|dangerously-skip-permissions"
+    - name: allow-everything
+      regex: "\"allow\"\\s*:\\s*\\[\\s*\"\\*\""
+fix:
+  summary: Replace blanket grants with specific allowed command patterns.
+  agent_prompt: >
+    Replace the wildcard grant with the specific commands the workflow
+    actually needs (for example "Bash(npm test:*)", "Bash(git status)").
+    Remove bypassPermissions/skip-permissions defaults so destructive
+    actions still prompt.

package/rules/ss-agent-secrets-in-agent-files.yaml

@@ -0,0 +1,22 @@
+id: ss/agent/secrets-in-agent-files
+severity: block
+title: Provider API key in an AI agent instruction file
+description: >
+  An agent instruction file (CLAUDE.md, AGENTS.md, .cursorrules, *.mdc)
+  contains a provider API key. These files are read into every agent
+  session, pasted into prompts, and frequently committed — a key here
+  leaks on every channel at once.
+framework_ref: AI_AGENT_DROP_IN.md#default-security-stance
+check:
+  type: regex
+  redact: true
+  include:
+    basenames: ["CLAUDE.md", "AGENTS.md", "GEMINI.md", ".cursorrules", ".clinerules", "*.mdc"]
+  patterns_from: secrets.patterns.yaml
+fix:
+  summary: Remove the key from the instruction file and rotate it.
+  agent_prompt: >
+    Delete this key from the agent instruction file. If the agent needs the
+    credential, reference an environment variable name instead and load it
+    at runtime. Tell the user to rotate the key — instruction files are
+    copied into prompts and logs, so the value is burned.

package/rules/ss-auth-admin-route-unprotected.yaml

@@ -0,0 +1,24 @@
+id: ss/auth/admin-route-unprotected
+severity: high
+title: Admin route with no recognizable auth check
+description: >
+  A page or route under an /admin/ path contains no recognizable
+  authentication or authorization marker. If a parent layout or middleware
+  guards it, suppress this with a seamshield-ignore comment; otherwise the
+  admin surface is open to anyone with the URL.
+framework_ref: AI_AGENT_DROP_IN.md#default-security-stance
+check:
+  type: absence
+  include:
+    path_contains: ["app/admin", "pages/admin"]
+    extensions: [".ts", ".tsx", ".js", ".jsx"]
+  patterns:
+    - name: auth-markers
+      regex: "auth|Auth|session|Session|currentUser|getUser|redirect|signIn|login|Login|clerk|Clerk|verif|jwt|JWT|cookie|Cookie|middleware"
+fix:
+  summary: Add a server-side auth + role check before rendering admin content.
+  agent_prompt: >
+    Add a server-side authentication and role check at the top of this
+    admin page or its layout — for example, load the session, verify the
+    user has an admin role, and redirect to the login page otherwise. A
+    client-side check is not sufficient; the check must run on the server.

package/rules/ss-auth-api-route-no-auth.yaml

@@ -0,0 +1,24 @@
+id: ss/auth/api-route-no-auth
+severity: warn
+title: API route with no recognizable auth or signature check
+description: >
+  An API route handler contains no recognizable authentication,
+  authorization, or webhook-signature marker. Review whether this endpoint
+  should really be callable by anyone on the internet.
+framework_ref: AI_AGENT_DROP_IN.md#default-security-stance
+check:
+  type: absence
+  include:
+    path_contains: ["/api/"]
+    extensions: [".ts", ".js", ".tsx", ".jsx"]
+  patterns:
+    - name: auth-or-signature-markers
+      regex: "auth|Auth|session|Session|currentUser|getUser|clerk|Clerk|jwt|JWT|cookie|Cookie|bearer|Bearer|signature|webhook|svix|x-api-key|apiKey|API_KEY|verif|rate[Ll]imit|public"
+fix:
+  summary: Authenticate the caller, or mark the route as intentionally public.
+  agent_prompt: >
+    Decide whether this API route should be public. If not, validate the
+    caller's session or API key at the top of the handler and return 401
+    before doing any work. If it is intentionally public (a health check,
+    a webhook with signature verification elsewhere), add a short comment
+    saying so and a seamshield-ignore for this rule.

package/rules/ss-auth-client-only-guard.yaml

@@ -0,0 +1,24 @@
+id: ss/auth/client-only-guard
+severity: warn
+title: Auth guard that only runs in the browser
+description: >
+  A "use client" component gates content behind a client-side user check.
+  Client-side guards are cosmetic — the data behind them must also be
+  protected on the server, or anyone can fetch it directly.
+framework_ref: AI_AGENT_DROP_IN.md#default-security-stance
+check:
+  type: regex
+  include:
+    extensions: [".ts", ".tsx", ".js", ".jsx"]
+  file_contains: "[\"']use client[\"']"
+  patterns:
+    - name: client-side-auth-gate
+      regex: "if\\s*\\(\\s*!\\s*(?:user|session|currentUser|isAuthenticated|isLoggedIn|loggedIn|signedIn|isSignedIn)\\b"
+fix:
+  summary: Keep the UX guard, but enforce the same check server-side where the data is fetched.
+  agent_prompt: >
+    Keep this client-side check for UX, but verify that every piece of data
+    this component renders is also protected server-side — in the route
+    handler, server component, or database policy that produces it. If the
+    server already enforces it, suppress this finding with a
+    seamshield-ignore comment.

package/rules/ss-auth-cors-wildcard-with-credentials.yaml

@@ -0,0 +1,21 @@
+id: ss/auth/cors-wildcard-with-credentials
+severity: high
+title: CORS wildcard origin combined with credentials
+description: >
+  This file allows any origin (Access-Control-Allow-Origin set from a
+  wildcard) while also enabling Access-Control-Allow-Credentials. That
+  combination lets any website act on behalf of your logged-in users.
+framework_ref: AI_AGENT_DROP_IN.md#default-security-stance
+check:
+  type: regex
+  file_contains: "Allow-Credentials[\"']?\\s*[,:=]\\s*[\"']?true"
+  patterns:
+    - name: cors-wildcard-origin
+      regex: "Allow-Origin[\"']?\\s*[,:=]\\s*[\"']\\*"
+fix:
+  summary: Replace the wildcard with an explicit allowlist of trusted origins.
+  agent_prompt: >
+    Replace the wildcard origin with an explicit allowlist: read the
+    request Origin header, compare it against a fixed set of trusted
+    origins, and echo it back only on match. Keep Allow-Credentials only if
+    cookies or auth headers are genuinely needed cross-origin.

package/rules/ss-client-firebase-admin-in-client.yaml

@@ -0,0 +1,23 @@
+id: ss/client/firebase-admin-in-client
+severity: block
+title: firebase-admin imported in a client component
+description: >
+  firebase-admin is the server-side SDK that bypasses all Firebase security
+  rules. Importing it in a "use client" file either breaks the build or, far
+  worse, bundles admin credentials into the browser bundle.
+framework_ref: AI_AGENT_DROP_IN.md#framework-compromise-rule
+check:
+  type: regex
+  include:
+    extensions: [".ts", ".tsx", ".js", ".jsx", ".mjs"]
+  file_contains: "[\"']use client[\"']"
+  patterns:
+    - name: firebase-admin-import
+      regex: "(?:from\\s+[\"']firebase-admin|require\\([\"']firebase-admin)"
+fix:
+  summary: Move firebase-admin usage into server-only code; clients use the regular firebase SDK.
+  agent_prompt: >
+    Remove the firebase-admin import from this client component. Move the
+    admin operation into a server route handler or server action, expose
+    only the minimal result to the client, and use the regular `firebase`
+    client SDK (gated by security rules) for client-side reads.

package/rules/ss-client-next-public-secret.yaml

@@ -0,0 +1,33 @@
+id: ss/client/next-public-secret
+severity: block
+title: Secret exposed through a NEXT_PUBLIC_ variable
+description: >
+  Next.js inlines every NEXT_PUBLIC_ variable into the client JavaScript
+  bundle at build time. A variable named NEXT_PUBLIC_*SECRET*, *SERVICE_ROLE*,
+  *PRIVATE*, *PASSWORD*, or *ADMIN* ships that value to every browser that
+  loads the app.
+framework_ref: AI_AGENT_DROP_IN.md#framework-compromise-rule
+check:
+  type: regex
+  include:
+    extensions:
+      - ".ts"
+      - ".tsx"
+      - ".js"
+      - ".jsx"
+      - ".mjs"
+      - ".cjs"
+    basenames:
+      - ".env*"
+  patterns:
+    - name: next-public-secret-name
+      regex: "NEXT_PUBLIC_[A-Z0-9_]*(?:SECRET|SERVICE_ROLE|PRIVATE|PASSWORD|ADMIN)[A-Z0-9_]*"
+fix:
+  summary: Rename the variable to drop the NEXT_PUBLIC_ prefix and read it only on the server.
+  agent_prompt: >
+    Remove the NEXT_PUBLIC_ prefix from this variable so Next.js stops
+    inlining it into the client bundle. Move every read of it into
+    server-only code (a route handler, server action, or server component)
+    and pass only derived, non-secret data to client components. If the app
+    was already deployed with this variable, tell the user to rotate the
+    underlying credential.

package/rules/ss-client-server-secret-env-in-client.yaml

@@ -0,0 +1,24 @@
+id: ss/client/server-secret-env-in-client
+severity: high
+title: Server secret environment variable read in a client component
+description: >
+  A "use client" file reads a secret-named environment variable. In the
+  browser bundle that read resolves to undefined at best — and if the
+  bundler inlines it, the secret ships to every visitor.
+framework_ref: AI_AGENT_DROP_IN.md#framework-compromise-rule
+check:
+  type: regex
+  include:
+    extensions: [".ts", ".tsx", ".js", ".jsx", ".mjs"]
+  file_contains: "[\"']use client[\"']"
+  patterns:
+    - name: server-secret-env-read
+      regex: "process\\.env\\.(?!NEXT_PUBLIC_)[A-Z0-9_]*(?:SECRET|PRIVATE|PASSWORD|SERVICE_ROLE|API_KEY|TOKEN)[A-Z0-9_]*"
+fix:
+  summary: Move the env read into server code and pass only derived, non-secret data to the client.
+  agent_prompt: >
+    Move this environment variable read out of the client component into a
+    server component, route handler, or server action. Pass only the
+    derived, non-secret result down as props. Never rename the variable to
+    NEXT_PUBLIC_ to "fix" the undefined value — that ships the secret to
+    the browser.

package/rules/ss-client-supabase-service-role-in-client.yaml

@@ -0,0 +1,24 @@
+id: ss/client/supabase-service-role-in-client
+severity: block
+title: Supabase service-role key referenced in a client component
+description: >
+  A "use client" file references the Supabase service-role key. The
+  service-role key bypasses Row Level Security; any reference in
+  client-bundled code risks shipping full database access to every browser.
+framework_ref: AI_AGENT_DROP_IN.md#framework-compromise-rule
+check:
+  type: regex
+  include:
+    extensions: [".ts", ".tsx", ".js", ".jsx", ".mjs"]
+  file_contains: "[\"']use client[\"']"
+  patterns:
+    - name: service-role-reference
+      regex: "SUPABASE_SERVICE_ROLE"
+fix:
+  summary: Use the anon key plus RLS in client code; keep the service-role key server-side.
+  agent_prompt: >
+    Replace this service-role usage with the public anon key and rely on
+    Row Level Security policies for authorization. Any operation that truly
+    needs service-role privileges must move to a server route handler or
+    edge function. If this code ever shipped, tell the user to rotate the
+    service-role key.

package/rules/ss-convex-internal-not-internal.yaml

@@ -0,0 +1,25 @@
+id: ss/convex/internal-not-internal
+severity: warn
+title: Function named internal* but exported as public
+description: >
+  A Convex function whose name starts with "internal" is declared with the
+  public mutation/query/action constructor. The name says private, the
+  declaration says public — anyone can call it.
+framework_ref: AI_AGENT_DROP_IN.md#default-security-stance
+check:
+  type: regex
+  include:
+    path_contains: ["convex/"]
+    extensions: [".ts", ".js"]
+  exclude:
+    dirs: ["_generated"]
+  patterns:
+    - name: internal-named-public-fn
+      regex: "const\\s+internal[A-Z]\\w*\\s*=\\s*(?:mutation|query|action)\\s*\\("
+fix:
+  summary: Declare it with internalMutation/internalQuery/internalAction instead.
+  agent_prompt: >
+    Change this declaration to the internal variant (internalMutation,
+    internalQuery, or internalAction from ./_generated/server) so it can
+    only be invoked by other Convex functions, and update any client-side
+    callers — they should not exist if the name is accurate.

package/rules/ss-convex-mutation-no-auth.yaml

@@ -0,0 +1,26 @@
+id: ss/convex/mutation-no-auth
+severity: warn
+title: Public Convex mutation with no auth check
+description: >
+  A public Convex mutation never consults ctx.auth. Public mutations are
+  callable by anyone who can reach the deployment URL — review whether this
+  one should verify the caller first.
+framework_ref: AI_AGENT_DROP_IN.md#default-security-stance
+check:
+  type: absence
+  include:
+    path_contains: ["convex/"]
+    extensions: [".ts", ".js"]
+  exclude:
+    dirs: ["_generated"]
+  file_contains: "(?<![A-Za-z])mutation\\s*\\("
+  patterns:
+    - name: convex-auth-markers
+      regex: "ctx\\.auth|getAuthUserId|getUserIdentity|requireAuth|internalMutation"
+fix:
+  summary: Verify the caller with ctx.auth at the top of the mutation, or make it internal.
+  agent_prompt: >
+    Add an auth check at the top of this mutation — for example `const
+    identity = await ctx.auth.getUserIdentity(); if (!identity) throw new
+    Error("Unauthorized");` — or convert it to internalMutation if it
+    should only ever be called from other server functions.

package/rules/ss-deps-hallucinated-package.yaml

@@ -0,0 +1,16 @@
+id: ss/deps/hallucinated-package
+severity: block
+title: Dependency does not exist on npm
+description: >
+  AI agents sometimes invent package names. Installing a newly created or
+  squatted package with that name later can execute attacker-controlled code.
+framework_ref: AI_AGENT_DROP_IN.md#supply-chain-stance
+check:
+  type: builtin
+  builtin: hallucinated-package
+fix:
+  summary: Replace the dependency with a real maintained package or remove it.
+  agent_prompt: >
+    Verify the intended package name against npm and the project docs. Replace
+    this dependency with the maintained package that provides the needed API,
+    update imports, reinstall, and commit the updated lockfile.

package/rules/ss-deps-known-vuln.yaml

@@ -0,0 +1,16 @@
+id: ss/deps/known-vuln
+severity: high
+title: Dependency version has known vulnerabilities
+description: >
+  The pinned dependency version is reported by OSV for the npm ecosystem.
+  Known exploited vulnerability indicators are escalated to block severity.
+framework_ref: seamshield-final-framework/adoption-contract/.seamshield/release-gates.yaml
+check:
+  type: builtin
+  builtin: known-vuln
+fix:
+  summary: Upgrade the dependency to a non-vulnerable version and refresh the lockfile.
+  agent_prompt: >
+    Upgrade this dependency to the nearest non-vulnerable version that satisfies
+    the project, update the lockfile, run the affected tests, and document any
+    breaking API changes.

package/rules/ss-deps-no-lockfile.yaml

@@ -0,0 +1,17 @@
+id: ss/deps/no-lockfile
+severity: warn
+title: package.json with no lockfile
+description: >
+  No lockfile sits next to package.json, so every install re-resolves
+  dependency versions. Builds are not reproducible, and a hijacked patch
+  release of any dependency lands silently on the next install.
+framework_ref: AI_AGENT_DROP_IN.md#supply-chain-stance
+check:
+  type: builtin
+  builtin: no-lockfile
+fix:
+  summary: Commit a lockfile (pnpm-lock.yaml, package-lock.json, or yarn.lock).
+  agent_prompt: >
+    Run the project's package manager install once (npm install / pnpm
+    install / yarn) and commit the generated lockfile. Make sure .gitignore
+    does not exclude it.

package/rules/ss-deps-unpinned-spec.yaml

@@ -0,0 +1,22 @@
+id: ss/deps/unpinned-spec
+severity: info
+title: Dependency pinned to "latest" or "*"
+description: >
+  A dependency version of "latest" or "*" resolves to whatever the
+  registry serves at install time, making builds unreproducible and
+  auto-adopting compromised releases.
+framework_ref: AI_AGENT_DROP_IN.md#supply-chain-stance
+check:
+  type: regex
+  include:
+    basenames: ["package.json"]
+  patterns:
+    - name: latest-or-star-spec
+      regex: "\"\\s*:\\s*\"(?:\\*|latest)\""
+fix:
+  summary: Pin the dependency to a specific version or range.
+  agent_prompt: >
+    Replace the "latest" or "*" specifier with the currently installed
+    version (check the lockfile or node_modules/<pkg>/package.json) using a
+    caret range, for example "^2.4.1", then reinstall to update the
+    lockfile.

package/rules/ss-firebase-open-rules.yaml

@@ -0,0 +1,22 @@
+id: ss/firebase/open-rules
+severity: block
+title: Firebase security rules allow unrestricted access
+description: >
+  A Firebase rules file grants read or write with "if true". Every
+  document or object it covers is readable or writable by anyone on the
+  internet, no authentication required.
+framework_ref: AI_AGENT_DROP_IN.md#default-security-stance
+check:
+  type: regex
+  include:
+    basenames: ["*.rules"]
+  patterns:
+    - name: allow-if-true
+      regex: "allow\\s+[a-z, ]+:\\s*if\\s+true"
+fix:
+  summary: Require auth and ownership in the rule condition.
+  agent_prompt: >
+    Replace `if true` with a real condition — at minimum `if request.auth
+    != null`, and for user data `if request.auth.uid == resource.data.
+    ownerId` (or the equivalent path check). Deploy the updated rules and
+    verify access with the Firebase rules simulator.

package/rules/ss-secrets-env-file-committed.yaml

@@ -0,0 +1,21 @@
+id: ss/secrets/env-file-committed
+severity: block
+title: .env file is committed or not git-ignored
+description: >
+  Dotenv files hold live credentials. If a .env file is tracked by git, or
+  sits untracked without a .gitignore entry, the next `git add .` ships every
+  secret in it to the remote — the single most common leak in AI-generated
+  repos.
+framework_ref: AI_AGENT_DROP_IN.md#default-security-stance
+check:
+  type: builtin
+  builtin: env-file-committed
+fix:
+  summary: Git-ignore the .env file, untrack it, and rotate every credential it contains.
+  agent_prompt: >
+    Add `.env` and `.env.*` (with an exception for `.env.example`) to
+    .gitignore. For each dotenv file already tracked by git, run
+    `git rm --cached <file>` so it stays on disk but leaves the index. Create
+    a `.env.example` listing variable names with empty values. Finally, tell
+    the user every credential in the file must be rotated at its provider,
+    because git history still contains the old values.

package/rules/ss-secrets-generic-credential-assignment.yaml

@@ -0,0 +1,26 @@
+id: ss/secrets/generic-credential-assignment
+severity: high
+title: Credential-looking literal assigned in source
+description: >
+  A variable or property whose name says secret, token, password, or apikey
+  is assigned a long literal value in source code. Even when the value is
+  not a recognized provider key, committing credentials to source is unsafe.
+framework_ref: AI_AGENT_DROP_IN.md#default-security-stance
+check:
+  type: regex
+  redact: true
+  include:
+    extensions: [".ts", ".tsx", ".js", ".jsx", ".mjs", ".cjs", ".py", ".rb", ".go", ".yaml", ".yml", ".toml"]
+  exclude:
+    basenames: [".env*", "package-lock.json", "pnpm-lock.yaml", "yarn.lock", "*.min.js", "*.test.ts", "*.test.js", "*.spec.ts", "*.spec.js"]
+    dirs: ["test", "tests", "__tests__", "fixtures", "__fixtures__", "__mocks__"]
+  patterns:
+    - name: generic-credential
+      regex: "(?:[Ss][Ee][Cc][Rr][Ee][Tt]|[Tt][Oo][Kk][Ee][Nn]|[Pp][Aa][Ss][Ss][Ww][Oo][Rr][Dd]|[Aa][Pp][Ii][_-]?[Kk][Ee][Yy])[A-Za-z0-9_]*[\"']?\\s*[:=]\\s*[\"'][A-Za-z0-9+/_-]{32,}[\"']"
+fix:
+  summary: Move the value into an environment variable and rotate it if it was real.
+  agent_prompt: >
+    Replace this literal with a read from a server-side environment
+    variable, add the variable name to .env.example with a placeholder
+    value, and ask the user whether the committed value was a real
+    credential — if so they must rotate it.

package/rules/ss-secrets-hardcoded-provider-key.yaml

@@ -0,0 +1,47 @@
+id: ss/secrets/hardcoded-provider-key
+severity: block
+title: Hardcoded provider API key in source
+description: >
+  A live API key (Anthropic, OpenAI, Stripe, Google, GitHub, AWS, Slack,
+  Convex) is written directly in source code. Anyone with repo read access —
+  or anyone who fetches the client bundle — can spend on your account.
+framework_ref: AI_AGENT_DROP_IN.md#default-security-stance
+check:
+  type: regex
+  patterns_from: secrets.patterns.yaml
+  redact: true
+  include:
+    extensions:
+      - ".ts"
+      - ".tsx"
+      - ".js"
+      - ".jsx"
+      - ".mjs"
+      - ".cjs"
+      - ".json"
+      - ".yaml"
+      - ".yml"
+      - ".toml"
+      - ".py"
+      - ".rb"
+      - ".go"
+      - ".html"
+      - ".svelte"
+      - ".vue"
+      - ".astro"
+  exclude:
+    basenames:
+      - ".env*"
+      - "package-lock.json"
+      - "pnpm-lock.yaml"
+      - "yarn.lock"
+      - "bun.lockb"
+      - "*.min.js"
+fix:
+  summary: Move the key into an environment variable and rotate it at the provider.
+  agent_prompt: >
+    Replace the hardcoded key with a server-side environment variable read
+    (for example `process.env.PROVIDER_API_KEY`), add the variable name to
+    `.env.example`, and make sure the file that reads it only runs on the
+    server. Then tell the user to rotate this key at the provider dashboard —
+    treat the committed value as burned.

package/rules/ss-secrets-private-key-file.yaml

@@ -0,0 +1,22 @@
+id: ss/secrets/private-key-file
+severity: block
+title: Private key material committed to the repo
+description: >
+  A PEM-encoded private key (RSA, EC, OpenSSH, or PKCS#8) is present in the
+  repository. Private keys in git history stay compromised forever, even
+  after deletion.
+framework_ref: AI_AGENT_DROP_IN.md#default-security-stance
+check:
+  type: regex
+  exclude:
+    basenames: ["*.pub"]
+  patterns:
+    - name: pem-private-key
+      regex: "-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
+fix:
+  summary: Remove the key file, gitignore it, and rotate the key pair.
+  agent_prompt: >
+    Remove this private key file from the repository, add its path (or
+    *.pem / *.key) to .gitignore, and tell the user to rotate the key pair
+    everywhere it is used — git history preserves the old key, so deletion
+    alone does not make it safe.