secretless-ai 0.3.0

package/dist/patterns.js

@@ -0,0 +1,59 @@
+"use strict";
+/**
+ * Credential patterns used across all Secretless integrations.
+ * Shared between scanner, hooks, and MCP server.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CONFIG_FILES = exports.SECRET_FILE_PATTERNS = exports.CREDENTIAL_PATTERNS = void 0;
+exports.CREDENTIAL_PATTERNS = [
+    { id: 'anthropic', name: 'Anthropic API Key', regex: /sk-ant-api\d{2}-[a-zA-Z0-9_-]{20,}/, envPrefix: 'ANTHROPIC_API_KEY' },
+    { id: 'openai-proj', name: 'OpenAI Project Key', regex: /sk-proj-[a-zA-Z0-9]{20,}/, envPrefix: 'OPENAI_API_KEY' },
+    { id: 'openai-legacy', name: 'OpenAI Legacy Key', regex: /sk-[a-zA-Z0-9]{48,}/, envPrefix: 'OPENAI_API_KEY' },
+    { id: 'aws-access', name: 'AWS Access Key', regex: /AKIA[0-9A-Z]{16}/, envPrefix: 'AWS_ACCESS_KEY_ID' },
+    { id: 'github-pat', name: 'GitHub Token', regex: /ghp_[a-zA-Z0-9]{36}/, envPrefix: 'GITHUB_TOKEN' },
+    { id: 'github-fine', name: 'GitHub Fine-Grained PAT', regex: /github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}/, envPrefix: 'GITHUB_TOKEN' },
+    { id: 'slack', name: 'Slack Token', regex: /xox[baprs]-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24}/, envPrefix: 'SLACK_TOKEN' },
+    { id: 'google', name: 'Google API Key', regex: /AIza[0-9A-Za-z_-]{35}/, envPrefix: 'GOOGLE_API_KEY' },
+    { id: 'stripe', name: 'Stripe Live Key', regex: /sk_live_[0-9a-zA-Z]{24,}/, envPrefix: 'STRIPE_SECRET_KEY' },
+    { id: 'sendgrid', name: 'SendGrid Key', regex: /SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}/, envPrefix: 'SENDGRID_API_KEY' },
+    { id: 'supabase', name: 'Supabase Service Key', regex: /eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.[a-zA-Z0-9_-]{50,}/, envPrefix: 'SUPABASE_SERVICE_ROLE_KEY' },
+    { id: 'azure', name: 'Azure Key', regex: /[a-zA-Z0-9+/]{43}=/, envPrefix: 'AZURE_API_KEY' },
+];
+/** File patterns that should never be read by AI tools */
+exports.SECRET_FILE_PATTERNS = [
+    '.env',
+    '.env.local',
+    '.env.development',
+    '.env.production',
+    '.env.staging',
+    '*.key',
+    '*.pem',
+    '*.p12',
+    '*.pfx',
+    '*.crt',
+    '.aws/credentials',
+    '.ssh/*',
+    '.docker/config.json',
+    '.git-credentials',
+    '.npmrc',
+    '.pypirc',
+    '*.tfstate',
+    '*.tfvars',
+    'secrets/',
+    'credentials/',
+    '.opena2a/secretless-ai/',
+];
+/** Config files that may contain hardcoded secrets */
+exports.CONFIG_FILES = [
+    'config.json', 'config.yaml', 'config.yml',
+    '.env', '.env.local',
+    'package.json', 'mcp.json',
+    'CLAUDE.md',
+    '.openclaw/config.json', '.moltbot/config.json',
+    'openclaw.json', 'moltbot.json',
+    '.curse/mcp.json', '.vscode/mcp.json',
+    '.claude/settings.json',
+    '.cursor/settings.json',
+    '.github/copilot-instructions.md',
+];
+//# sourceMappingURL=patterns.js.map

package/dist/patterns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../src/patterns.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AASU,QAAA,mBAAmB,GAAwB;IACtD,EAAE,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,mBAAmB,EAAE,KAAK,EAAE,oCAAoC,EAAE,SAAS,EAAE,mBAAmB,EAAE;IAC3H,EAAE,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,oBAAoB,EAAE,KAAK,EAAE,0BAA0B,EAAE,SAAS,EAAE,gBAAgB,EAAE;IACjH,EAAE,EAAE,EAAE,eAAe,EAAE,IAAI,EAAE,mBAAmB,EAAE,KAAK,EAAE,qBAAqB,EAAE,SAAS,EAAE,gBAAgB,EAAE;IAC7G,EAAE,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,gBAAgB,EAAE,KAAK,EAAE,kBAAkB,EAAE,SAAS,EAAE,mBAAmB,EAAE;IACvG,EAAE,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,qBAAqB,EAAE,SAAS,EAAE,cAAc,EAAE;IACnG,EAAE,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,yBAAyB,EAAE,KAAK,EAAE,4CAA4C,EAAE,SAAS,EAAE,cAAc,EAAE;IACtI,EAAE,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,KAAK,EAAE,sDAAsD,EAAE,SAAS,EAAE,aAAa,EAAE;IAC7H,EAAE,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,gBAAgB,EAAE,KAAK,EAAE,uBAAuB,EAAE,SAAS,EAAE,gBAAgB,EAAE;IACrG,EAAE,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,iBAAiB,EAAE,KAAK,EAAE,0BAA0B,EAAE,SAAS,EAAE,mBAAmB,EAAE;IAC5G,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,cAAc,EAAE,KAAK,EAAE,0CAA0C,EAAE,SAAS,EAAE,kBAAkB,EAAE;IAC1H,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,sBAAsB,EAAE,KAAK,EAAE,0DAA0D,EAAE,SAAS,EAAE,2BAA2B,EAAE;IAC3J,EAAE,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,oBAAoB,EAAE,SAAS,EAAE,eAAe,EAAE;CAC5F,CAAC;AAEF,0DAA0D;AAC7C,QAAA,oBAAoB,GAAa;IAC5C,MAAM;IACN,YAAY;IACZ,kBAAkB;IAClB,iBAAiB;IACjB,cAAc;IACd,OAAO;IACP,OAAO;IACP,OAAO;IACP,OAAO;IACP,OAAO;IACP,kBAAkB;IAClB,QAAQ;IACR,qBAAqB;IACrB,kBAAkB;IAClB,QAAQ;IACR,SAAS;IACT,WAAW;IACX,UAAU;IACV,UAAU;IACV,cAAc;IACd,yBAAyB;CAC1B,CAAC;AAEF,sDAAsD;AACzC,QAAA,YAAY,GAAG;IAC1B,aAAa,EAAE,aAAa,EAAE,YAAY;IAC1C,MAAM,EAAE,YAAY;IACpB,cAAc,EAAE,UAAU;IAC1B,WAAW;IACX,uBAAuB,EAAE,sBAAsB;IAC/C,eAAe,EAAE,cAAc;IAC/B,iBAAiB,EAAE,kBAAkB;IACrC,uBAAuB;IACvB,uBAAuB;IACvB,iCAAiC;CAClC,CAAC"}

package/dist/scan.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Scan project files for hardcoded credentials.
+ */
+export interface ScanFinding {
+    file: string;
+    line: number;
+    patternId: string;
+    patternName: string;
+    severity: 'critical' | 'high';
+    preview: string;
+}
+export interface ScanOptions {
+    /** Scan global config files like ~/.claude/CLAUDE.md (default: true) */
+    scanGlobal?: boolean;
+}
+/**
+ * Scan project config files for hardcoded credentials.
+ * Also scans global AI tool configs (e.g. ~/.claude/CLAUDE.md).
+ * Returns findings sorted by severity then file.
+ */
+export declare function scan(projectDir: string, options?: ScanOptions): ScanFinding[];
+//# sourceMappingURL=scan.d.ts.map

package/dist/scan.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan.d.ts","sourceRoot":"","sources":["../src/scan.ts"],"names":[],"mappings":"AAAA;;GAEG;AAOH,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,UAAU,GAAG,MAAM,CAAC;IAC9B,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,WAAW;IAC1B,wEAAwE;IACxE,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAQD;;;;GAIG;AACH,wBAAgB,IAAI,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,WAAW,GAAG,WAAW,EAAE,CAsF7E"}

package/dist/scan.js

@@ -0,0 +1,142 @@
+"use strict";
+/**
+ * Scan project files for hardcoded credentials.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.scan = scan;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+const patterns_1 = require("./patterns");
+/** Global config files that may contain secrets (outside project dir) */
+const GLOBAL_CONFIG_FILES = [
+    { dir: path.join(os.homedir(), '.claude'), file: 'CLAUDE.md', label: '~/.claude/CLAUDE.md' },
+    { dir: path.join(os.homedir(), '.claude'), file: 'settings.json', label: '~/.claude/settings.json' },
+];
+/**
+ * Scan project config files for hardcoded credentials.
+ * Also scans global AI tool configs (e.g. ~/.claude/CLAUDE.md).
+ * Returns findings sorted by severity then file.
+ */
+function scan(projectDir, options) {
+    const findings = [];
+    const scanGlobal = options?.scanGlobal !== false;
+    // Scan global config files (keys in ~/.claude/CLAUDE.md are in every session's context)
+    for (const global of (scanGlobal ? GLOBAL_CONFIG_FILES : [])) {
+        const fullPath = path.join(global.dir, global.file);
+        if (!fs.existsSync(fullPath))
+            continue;
+        try {
+            const stat = fs.statSync(fullPath);
+            if (stat.size > 10 * 1024 * 1024 || !stat.isFile())
+                continue;
+            const content = fs.readFileSync(fullPath, 'utf-8');
+            const lines = content.split('\n');
+            for (let i = 0; i < lines.length; i++) {
+                const line = lines[i];
+                if (line.length > 4096)
+                    continue;
+                if (/\$\{[A-Z_]+\}/.test(line) && !/sk-ant|sk-proj|AKIA|ghp_|xox[baprs]/.test(line))
+                    continue;
+                for (const pattern of patterns_1.CREDENTIAL_PATTERNS) {
+                    if (pattern.regex.test(line)) {
+                        const masked = line.replace(pattern.regex, `[${pattern.name} REDACTED]`);
+                        findings.push({
+                            file: global.label,
+                            line: i + 1,
+                            patternId: pattern.id,
+                            patternName: pattern.name,
+                            severity: 'critical',
+                            preview: masked.trim().substring(0, 80),
+                        });
+                        break;
+                    }
+                }
+            }
+        }
+        catch { /* skip */ }
+    }
+    // Scan project-level config files
+    for (const configFile of patterns_1.CONFIG_FILES) {
+        const fullPath = path.join(projectDir, configFile);
+        if (!fs.existsSync(fullPath))
+            continue;
+        try {
+            const stat = fs.statSync(fullPath);
+            if (stat.size > 10 * 1024 * 1024)
+                continue;
+            if (!stat.isFile())
+                continue;
+            const content = fs.readFileSync(fullPath, 'utf-8');
+            const lines = content.split('\n');
+            for (let i = 0; i < lines.length; i++) {
+                const line = lines[i];
+                if (line.length > 4096)
+                    continue; // ReDoS protection
+                // Skip env var references and placeholders
+                if (/\$\{[A-Z_]+\}/.test(line) && !/sk-ant|sk-proj|AKIA|ghp_|xox[baprs]/.test(line)) {
+                    continue;
+                }
+                for (const pattern of patterns_1.CREDENTIAL_PATTERNS) {
+                    if (pattern.regex.test(line)) {
+                        // Mask the actual secret in the preview
+                        const masked = line.replace(pattern.regex, `[${pattern.name} REDACTED]`);
+                        findings.push({
+                            file: configFile,
+                            line: i + 1,
+                            patternId: pattern.id,
+                            patternName: pattern.name,
+                            severity: 'critical',
+                            preview: masked.trim().substring(0, 80),
+                        });
+                        break; // One finding per line
+                    }
+                }
+            }
+        }
+        catch {
+            // Skip unreadable files
+        }
+    }
+    // Sort: critical first, then by file
+    findings.sort((a, b) => {
+        if (a.severity !== b.severity)
+            return a.severity === 'critical' ? -1 : 1;
+        return a.file.localeCompare(b.file);
+    });
+    return findings;
+}
+//# sourceMappingURL=scan.js.map

package/dist/scan.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan.js","sourceRoot":"","sources":["../src/scan.ts"],"names":[],"mappings":";AAAA;;GAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgCH,oBAsFC;AApHD,uCAAyB;AACzB,2CAA6B;AAC7B,uCAAyB;AACzB,yCAA+D;AAgB/D,yEAAyE;AACzE,MAAM,mBAAmB,GAAG;IAC1B,EAAE,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,qBAAqB,EAAE;IAC5F,EAAE,GAAG,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,CAAC,EAAE,IAAI,EAAE,eAAe,EAAE,KAAK,EAAE,yBAAyB,EAAE;CACrG,CAAC;AAEF;;;;GAIG;AACH,SAAgB,IAAI,CAAC,UAAkB,EAAE,OAAqB;IAC5D,MAAM,QAAQ,GAAkB,EAAE,CAAC;IACnC,MAAM,UAAU,GAAG,OAAO,EAAE,UAAU,KAAK,KAAK,CAAC;IAEjD,wFAAwF;IACxF,KAAK,MAAM,MAAM,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC;QAC7D,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;QACpD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC;YAAE,SAAS;QACvC,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACnC,IAAI,IAAI,CAAC,IAAI,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE;gBAAE,SAAS;YAC7D,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YACnD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAClC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACtB,IAAI,IAAI,CAAC,MAAM,GAAG,IAAI;oBAAE,SAAS;gBACjC,IAAI,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,qCAAqC,CAAC,IAAI,CAAC,IAAI,CAAC;oBAAE,SAAS;gBAC9F,KAAK,MAAM,OAAO,IAAI,8BAAmB,EAAE,CAAC;oBAC1C,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC7B,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,OAAO,CAAC,IAAI,YAAY,CAAC,CAAC;wBACzE,QAAQ,CAAC,IAAI,CAAC;4BACZ,IAAI,EAAE,MAAM,CAAC,KAAK;4BAClB,IAAI,EAAE,CAAC,GAAG,CAAC;4BACX,SAAS,EAAE,OAAO,CAAC,EAAE;4BACrB,WAAW,EAAE,OAAO,CAAC,IAAI;4BACzB,QAAQ,EAAE,UAAU;4BACpB,OAAO,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC;yBACxC,CAAC,CAAC;wBACH,MAAM;oBACR,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC,CAAC,UAAU,CAAC,CAAC;IACxB,CAAC;IAED,kCAAkC;IAClC,KAAK,MAAM,UAAU,IAAI,uBAAY,EAAE,CAAC;QACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;QACnD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC;YAAE,SAAS;QAEvC,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACnC,IAAI,IAAI,CAAC,IAAI,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI;gBAAE,SAAS;YAC3C,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE;gBAAE,SAAS;YAE7B,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YACnD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAElC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACtB,IAAI,IAAI,CAAC,MAAM,GAAG,IAAI;oBAAE,SAAS,CAAC,mBAAmB;gBAErD,2CAA2C;gBAC3C,IAAI,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,qCAAqC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACpF,SAAS;gBACX,CAAC;gBAED,KAAK,MAAM,OAAO,IAAI,8BAAmB,EAAE,CAAC;oBAC1C,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC7B,wCAAwC;wBACxC,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,OAAO,CAAC,IAAI,YAAY,CAAC,CAAC;wBAEzE,QAAQ,CAAC,IAAI,CAAC;4BACZ,IAAI,EAAE,UAAU;4BAChB,IAAI,EAAE,CAAC,GAAG,CAAC;4BACX,SAAS,EAAE,OAAO,CAAC,EAAE;4BACrB,WAAW,EAAE,OAAO,CAAC,IAAI;4BACzB,QAAQ,EAAE,UAAU;4BACpB,OAAO,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC;yBACxC,CAAC,CAAC;wBACH,MAAM,CAAC,uBAAuB;oBAChC,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,wBAAwB;QAC1B,CAAC;IACH,CAAC;IAED,qCAAqC;IACrC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACrB,IAAI,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,QAAQ;YAAE,OAAO,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACzE,OAAO,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/status.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Check Secretless AI protection status for a project.
+ */
+import { type AITool } from './detect';
+export interface StatusResult {
+    isProtected: boolean;
+    configuredTools: AITool[];
+    hookInstalled: boolean;
+    denyRuleCount: number;
+    secretsFound: number;
+}
+/**
+ * Check the current protection status of the project.
+ */
+export declare function status(projectDir: string): StatusResult;
+//# sourceMappingURL=status.d.ts.map

package/dist/status.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"status.d.ts","sourceRoot":"","sources":["../src/status.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,OAAO,EAAiB,KAAK,MAAM,EAAE,MAAM,UAAU,CAAC;AAGtD,MAAM,WAAW,YAAY;IAC3B,WAAW,EAAE,OAAO,CAAC;IACrB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,aAAa,EAAE,OAAO,CAAC;IACvB,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED;;GAEG;AACH,wBAAgB,MAAM,CAAC,UAAU,EAAE,MAAM,GAAG,YAAY,CA6DvD"}

package/dist/status.js

@@ -0,0 +1,105 @@
+"use strict";
+/**
+ * Check Secretless AI protection status for a project.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.status = status;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const detect_1 = require("./detect");
+const scan_1 = require("./scan");
+/**
+ * Check the current protection status of the project.
+ */
+function status(projectDir) {
+    const result = {
+        isProtected: false,
+        configuredTools: [],
+        hookInstalled: false,
+        denyRuleCount: 0,
+        secretsFound: 0,
+    };
+    // Check Claude Code hook
+    const hookPath = path.join(projectDir, '.claude', 'hooks', 'secretless-guard.sh');
+    result.hookInstalled = fs.existsSync(hookPath);
+    // Check Claude Code deny rules
+    const settingsPath = path.join(projectDir, '.claude', 'settings.json');
+    if (fs.existsSync(settingsPath)) {
+        try {
+            const settings = JSON.parse(fs.readFileSync(settingsPath, 'utf-8'));
+            result.denyRuleCount = settings?.permissions?.deny?.length || 0;
+        }
+        catch {
+            // Invalid JSON
+        }
+    }
+    // Check which tools have Secretless AI instructions
+    const detected = (0, detect_1.detectAITools)(projectDir);
+    for (const tool of detected) {
+        const filePath = path.join(projectDir, tool.settingsFile);
+        if (fs.existsSync(filePath)) {
+            try {
+                const content = fs.readFileSync(filePath, 'utf-8');
+                if (content.includes('secretless-ai:managed') || content.includes('Secretless AI')) {
+                    result.configuredTools.push(tool.tool);
+                }
+            }
+            catch {
+                // Skip
+            }
+        }
+    }
+    // Also check CLAUDE.md directly
+    const claudeMd = path.join(projectDir, 'CLAUDE.md');
+    if (fs.existsSync(claudeMd)) {
+        try {
+            const content = fs.readFileSync(claudeMd, 'utf-8');
+            if (content.includes('secretless-ai:managed') && !result.configuredTools.includes('claude-code')) {
+                result.configuredTools.push('claude-code');
+            }
+        }
+        catch {
+            // Skip
+        }
+    }
+    // Scan for secrets (project-level only for status report)
+    const findings = (0, scan_1.scan)(projectDir, { scanGlobal: false });
+    result.secretsFound = findings.length;
+    // Protected if hook is installed OR instructions are present in at least one tool
+    result.isProtected = result.hookInstalled || result.configuredTools.length > 0;
+    return result;
+}
+//# sourceMappingURL=status.js.map

package/dist/status.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"status.js","sourceRoot":"","sources":["../src/status.ts"],"names":[],"mappings":";AAAA;;GAEG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkBH,wBA6DC;AA7ED,uCAAyB;AACzB,2CAA6B;AAC7B,qCAAsD;AACtD,iCAA8B;AAU9B;;GAEG;AACH,SAAgB,MAAM,CAAC,UAAkB;IACvC,MAAM,MAAM,GAAiB;QAC3B,WAAW,EAAE,KAAK;QAClB,eAAe,EAAE,EAAE;QACnB,aAAa,EAAE,KAAK;QACpB,aAAa,EAAE,CAAC;QAChB,YAAY,EAAE,CAAC;KAChB,CAAC;IAEF,yBAAyB;IACzB,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,SAAS,EAAE,OAAO,EAAE,qBAAqB,CAAC,CAAC;IAClF,MAAM,CAAC,aAAa,GAAG,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;IAE/C,+BAA+B;IAC/B,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;IACvE,IAAI,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAChC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC,CAAC;YACpE,MAAM,CAAC,aAAa,GAAG,QAAQ,EAAE,WAAW,EAAE,IAAI,EAAE,MAAM,IAAI,CAAC,CAAC;QAClE,CAAC;QAAC,MAAM,CAAC;YACP,eAAe;QACjB,CAAC;IACH,CAAC;IAED,oDAAoD;IACpD,MAAM,QAAQ,GAAG,IAAA,sBAAa,EAAC,UAAU,CAAC,CAAC;IAC3C,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;QAC5B,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;QAC1D,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC5B,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;gBACnD,IAAI,OAAO,CAAC,QAAQ,CAAC,uBAAuB,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;oBACnF,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACzC,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO;YACT,CAAC;QACH,CAAC;IACH,CAAC;IAED,gCAAgC;IAChC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;IACpD,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC5B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YACnD,IAAI,OAAO,CAAC,QAAQ,CAAC,uBAAuB,CAAC,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;gBACjG,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;YAC7C,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;QACT,CAAC;IACH,CAAC;IAED,0DAA0D;IAC1D,MAAM,QAAQ,GAAG,IAAA,WAAI,EAAC,UAAU,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC,CAAC;IACzD,MAAM,CAAC,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC;IAEtC,kFAAkF;IAClF,MAAM,CAAC,WAAW,GAAG,MAAM,CAAC,aAAa,IAAI,MAAM,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,CAAC;IAE/E,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/verify.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Verify that secrets are accessible via env vars but NOT in AI context files.
+ * This is the core dogfooding test: can the agent USE keys without SEEING them.
+ */
+export interface VerifyResult {
+    /** Env var name → whether it's set */
+    envVars: Record<string, boolean>;
+    /** Credentials found in AI context files (should be empty) */
+    exposedInContext: Array<{
+        envVar: string;
+        patternName: string;
+        file: string;
+        line: number;
+    }>;
+    /** Overall pass/fail */
+    passed: boolean;
+}
+/**
+ * Verify secrets are properly managed: accessible via env vars, absent from context.
+ */
+export declare function verify(projectDir: string): VerifyResult;
+//# sourceMappingURL=verify.d.ts.map

package/dist/verify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAOH,MAAM,WAAW,YAAY;IAC3B,sCAAsC;IACtC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,8DAA8D;IAC9D,gBAAgB,EAAE,KAAK,CAAC;QACtB,MAAM,EAAE,MAAM,CAAC;QACf,WAAW,EAAE,MAAM,CAAC;QACpB,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;KACd,CAAC,CAAC;IACH,wBAAwB;IACxB,MAAM,EAAE,OAAO,CAAC;CACjB;AAyBD;;GAEG;AACH,wBAAgB,MAAM,CAAC,UAAU,EAAE,MAAM,GAAG,YAAY,CA2DvD"}

package/dist/verify.js

@@ -0,0 +1,122 @@
+"use strict";
+/**
+ * Verify that secrets are accessible via env vars but NOT in AI context files.
+ * This is the core dogfooding test: can the agent USE keys without SEEING them.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verify = verify;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+const patterns_1 = require("./patterns");
+/** Files that are loaded into the AI context window */
+const AI_CONTEXT_FILES = [
+    // Global
+    path.join(os.homedir(), '.claude', 'CLAUDE.md'),
+    path.join(os.homedir(), '.claude', 'settings.json'),
+];
+/** Project-level files that end up in AI context */
+const PROJECT_CONTEXT_FILES = [
+    'CLAUDE.md',
+    '.cursorrules',
+    '.windsurfrules',
+    '.clinerules',
+    '.github/copilot-instructions.md',
+    '.claude/settings.json',
+    '.cursor/mcp.json',
+    '.vscode/mcp.json',
+    'mcp.json',
+    '.env',
+    '.env.local',
+    'config.json',
+];
+/**
+ * Verify secrets are properly managed: accessible via env vars, absent from context.
+ */
+function verify(projectDir) {
+    const envVars = {};
+    const exposedInContext = [];
+    // Deduplicate env var names across patterns
+    const uniqueEnvVars = [...new Set(patterns_1.CREDENTIAL_PATTERNS.map((p) => p.envPrefix))];
+    // Check which env vars are set
+    for (const envVar of uniqueEnvVars) {
+        envVars[envVar] = !!process.env[envVar] && process.env[envVar].length > 0;
+    }
+    // Build list of all files to check
+    const filesToCheck = [];
+    for (const global of AI_CONTEXT_FILES) {
+        filesToCheck.push({ absPath: global, label: global.replace(os.homedir(), '~') });
+    }
+    for (const rel of PROJECT_CONTEXT_FILES) {
+        filesToCheck.push({ absPath: path.join(projectDir, rel), label: rel });
+    }
+    // Scan each file for credential patterns
+    for (const { absPath, label } of filesToCheck) {
+        if (!fs.existsSync(absPath))
+            continue;
+        try {
+            const stat = fs.statSync(absPath);
+            if (!stat.isFile() || stat.size > 10 * 1024 * 1024)
+                continue;
+            const content = fs.readFileSync(absPath, 'utf-8');
+            const lines = content.split('\n');
+            for (let i = 0; i < lines.length; i++) {
+                const line = lines[i];
+                if (line.length > 4096)
+                    continue;
+                for (const pattern of patterns_1.CREDENTIAL_PATTERNS) {
+                    if (pattern.regex.test(line)) {
+                        exposedInContext.push({
+                            envVar: pattern.envPrefix,
+                            patternName: pattern.name,
+                            file: label,
+                            line: i + 1,
+                        });
+                        break;
+                    }
+                }
+            }
+        }
+        catch {
+            // Skip unreadable
+        }
+    }
+    // Pass = at least one env var is set AND zero credentials exposed in context
+    const anyEnvSet = Object.values(envVars).some((v) => v);
+    const passed = anyEnvSet && exposedInContext.length === 0;
+    return { envVars, exposedInContext, passed };
+}
+//# sourceMappingURL=verify.js.map

package/dist/verify.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.js","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+CH,wBA2DC;AAxGD,uCAAyB;AACzB,2CAA6B;AAC7B,uCAAyB;AACzB,yCAA+D;AAgB/D,uDAAuD;AACvD,MAAM,gBAAgB,GAAG;IACvB,SAAS;IACT,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,WAAW,CAAC;IAC/C,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,eAAe,CAAC;CACpD,CAAC;AAEF,oDAAoD;AACpD,MAAM,qBAAqB,GAAG;IAC5B,WAAW;IACX,cAAc;IACd,gBAAgB;IAChB,aAAa;IACb,iCAAiC;IACjC,uBAAuB;IACvB,kBAAkB;IAClB,kBAAkB;IAClB,UAAU;IACV,MAAM;IACN,YAAY;IACZ,aAAa;CACd,CAAC;AAEF;;GAEG;AACH,SAAgB,MAAM,CAAC,UAAkB;IACvC,MAAM,OAAO,GAA4B,EAAE,CAAC;IAC5C,MAAM,gBAAgB,GAAqC,EAAE,CAAC;IAE9D,4CAA4C;IAC5C,MAAM,aAAa,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,8BAAmB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IAEhF,+BAA+B;IAC/B,KAAK,MAAM,MAAM,IAAI,aAAa,EAAE,CAAC;QACnC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAE,CAAC,MAAM,GAAG,CAAC,CAAC;IAC7E,CAAC;IAED,mCAAmC;IACnC,MAAM,YAAY,GAA8C,EAAE,CAAC;IAEnE,KAAK,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;QACtC,YAAY,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IACnF,CAAC;IAED,KAAK,MAAM,GAAG,IAAI,qBAAqB,EAAE,CAAC;QACxC,YAAY,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,GAAG,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;IACzE,CAAC;IAED,yCAAyC;IACzC,KAAK,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,YAAY,EAAE,CAAC;QAC9C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC;YAAE,SAAS;QACtC,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAClC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,IAAI,CAAC,IAAI,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI;gBAAE,SAAS;YAE7D,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YAClD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAElC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACtB,IAAI,IAAI,CAAC,MAAM,GAAG,IAAI;oBAAE,SAAS;gBAEjC,KAAK,MAAM,OAAO,IAAI,8BAAmB,EAAE,CAAC;oBAC1C,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC7B,gBAAgB,CAAC,IAAI,CAAC;4BACpB,MAAM,EAAE,OAAO,CAAC,SAAS;4BACzB,WAAW,EAAE,OAAO,CAAC,IAAI;4BACzB,IAAI,EAAE,KAAK;4BACX,IAAI,EAAE,CAAC,GAAG,CAAC;yBACZ,CAAC,CAAC;wBACH,MAAM;oBACR,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,kBAAkB;QACpB,CAAC;IACH,CAAC;IAED,6EAA6E;IAC7E,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC;IACxD,MAAM,MAAM,GAAG,SAAS,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC,CAAC;IAE1D,OAAO,EAAE,OAAO,EAAE,gBAAgB,EAAE,MAAM,EAAE,CAAC;AAC/C,CAAC"}

package/package.json

@@ -0,0 +1,47 @@
+{
+  "name": "secretless-ai",
+  "version": "0.3.0",
+  "description": "One command to keep secrets out of AI. Works with Claude Code, Cursor, Copilot, Windsurf, and any AI coding tool.",
+  "license": "Apache-2.0",
+  "type": "commonjs",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "bin": {
+    "secretless-ai": "dist/cli.js"
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "test": "vitest run",
+    "dev": "tsc --watch",
+    "clean": "rm -rf dist",
+    "prepublishOnly": "npm run build && npm test"
+  },
+  "keywords": [
+    "ai",
+    "secrets",
+    "credentials",
+    "security",
+    "claude",
+    "cursor",
+    "copilot",
+    "windsurf",
+    "cline",
+    "aider",
+    "mcp"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/opena2a-org/secretless"
+  },
+  "homepage": "https://github.com/opena2a-org/secretless",
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "devDependencies": {
+    "typescript": "^5.3.0",
+    "vitest": "^1.2.0"
+  }
+}