shieldcortex 2.6.3 → 2.7.0

package/dist/defence/credential-leak/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/defence/credential-leak/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAEL,KAAK,iBAAiB,EACtB,KAAK,cAAc,EACnB,KAAK,kBAAkB,EACxB,MAAM,eAAe,CAAC;AAKvB,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,cAAc,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,kBAAkB,CAAC;IAC7B,kDAAkD;IAClD,KAAK,EAAE,MAAM,CAAC;IACd,6BAA6B;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,SAAS,GAAG,QAAQ,GAAG,QAAQ,CAAC;CACzC;AAED,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,EAAE,iBAAiB,EAAE,CAAC;IAC9B,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,yBAAyB;IACxC,OAAO,EAAE,OAAO,CAAC;IACjB,eAAe,EAAE,OAAO,CAAC;IACzB,WAAW,EAAE,OAAO,CAAC;IACrB,YAAY,EAAE,OAAO,CAAC;IACtB,cAAc,EAAE,iBAAiB,EAAE,CAAC;IACpC,SAAS,EAAE,MAAM,EAAE,CAAC;CACrB;AAED,eAAO,MAAM,yBAAyB,EAAE,yBAOvC,CAAC;AAuCF;;;;;;;;;GASG;AACH,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,MAAM,EACf,MAAM,CAAC,EAAE,OAAO,CAAC,yBAAyB,CAAC,GAC1C,oBAAoB,CAmGtB;AAID;;;GAGG;AACH,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,MAAM,EACf,MAAM,CAAC,EAAE,OAAO,CAAC,yBAAyB,CAAC,GAC1C,MAAM,CAGR;AAmBD,YAAY,EAAE,iBAAiB,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AAC3F,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAC"}

package/dist/defence/credential-leak/index.js

@@ -0,0 +1,168 @@
+/**
+ * Credential Leak Detection — Layer 6
+ *
+ * Detects credentials, secrets, and sensitive tokens accidentally
+ * persisted in AI agent memory writes. Supports known API key formats,
+ * generic secrets, private keys, connection strings, environment
+ * variable patterns, and high-entropy string heuristics.
+ */
+import { ALL_CREDENTIAL_PATTERNS, } from './patterns.js';
+import { extractHighEntropyTokens } from './entropy.js';
+export const DEFAULT_CREDENTIAL_CONFIG = {
+    enabled: true,
+    blockOnCritical: true,
+    blockOnHigh: true,
+    warnOnMedium: true,
+    customPatterns: [],
+    allowlist: [],
+};
+// ── Redaction ──
+/**
+ * Redact a matched secret, showing first and last 4 chars.
+ * Very short matches get fully redacted.
+ */
+function redactMatch(value, type) {
+    if (value.length <= 12)
+        return `[REDACTED-${type}]`;
+    return `${value.slice(0, 4)}...${value.slice(-4)}`;
+}
+/**
+ * Determine action based on severity and config.
+ */
+function actionForSeverity(severity, config) {
+    if (severity === 'critical' && config.blockOnCritical)
+        return 'blocked';
+    if (severity === 'high' && config.blockOnHigh)
+        return 'blocked';
+    if (severity === 'medium' && config.warnOnMedium)
+        return 'warned';
+    return 'logged';
+}
+/**
+ * Check if a match is in the allowlist.
+ * Allowlist entries can be literal prefixes or glob-like patterns.
+ */
+function isAllowlisted(value, allowlist) {
+    for (const entry of allowlist) {
+        if (value.startsWith(entry) || value === entry)
+            return true;
+    }
+    return false;
+}
+// ── Scanner ──
+/**
+ * Scan content for credential leaks.
+ *
+ * Checks known API key formats, generic secrets, private keys,
+ * connection strings, env variable patterns, and high-entropy strings.
+ *
+ * @param content - The text content to scan
+ * @param config - Optional credential detection configuration
+ * @returns Scan result with findings and optional redacted content
+ */
+export function scanForCredentials(content, config) {
+    const cfg = { ...DEFAULT_CREDENTIAL_CONFIG, ...config };
+    if (!cfg.enabled || !content || content.length === 0) {
+        return { leaked: false, findings: [] };
+    }
+    const findings = [];
+    const matchedRanges = [];
+    const patterns = [...ALL_CREDENTIAL_PATTERNS, ...cfg.customPatterns];
+    // Run all pattern matchers
+    for (const pattern of patterns) {
+        // Reset regex lastIndex for each scan
+        const regex = new RegExp(pattern.regex.source, pattern.regex.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+            const fullMatch = match[0];
+            // For patterns with capture groups, use the group; otherwise the full match
+            const secretValue = match[1] ?? fullMatch;
+            // Skip if below minimum length
+            if (pattern.minLength && secretValue.length < pattern.minLength)
+                continue;
+            // Skip allowlisted values
+            if (isAllowlisted(secretValue, cfg.allowlist))
+                continue;
+            // Skip if this range is already covered by a higher-priority pattern
+            const start = match.index;
+            const end = start + fullMatch.length;
+            if (matchedRanges.some(r => start >= r.start && end <= r.end))
+                continue;
+            const action = actionForSeverity(pattern.severity, cfg);
+            const redacted = redactMatch(secretValue, pattern.type);
+            findings.push({
+                type: pattern.type,
+                provider: pattern.provider,
+                confidence: pattern.confidence,
+                severity: pattern.severity,
+                match: redacted,
+                position: start,
+                action,
+            });
+            const replacement = `[REDACTED-${pattern.type}${pattern.provider ? `-${pattern.provider}` : ''}]`;
+            matchedRanges.push({ start, end, replacement });
+        }
+    }
+    // Run entropy-based detection for anything not already caught
+    const entropyTokens = extractHighEntropyTokens(content);
+    for (const token of entropyTokens) {
+        const start = token.position;
+        const end = start + token.token.length;
+        // Skip if already caught by pattern matching
+        if (matchedRanges.some(r => (start >= r.start && start < r.end) ||
+            (end > r.start && end <= r.end)))
+            continue;
+        // Skip allowlisted
+        if (isAllowlisted(token.token, cfg.allowlist))
+            continue;
+        const severity = token.confidence >= 0.8 ? 'medium' : 'low';
+        const action = actionForSeverity(severity, cfg);
+        findings.push({
+            type: 'high_entropy',
+            confidence: token.confidence,
+            severity,
+            match: redactMatch(token.token, 'high_entropy'),
+            position: start,
+            action,
+        });
+        matchedRanges.push({ start, end, replacement: '[REDACTED-high_entropy]' });
+    }
+    // Sort findings by position
+    findings.sort((a, b) => a.position - b.position);
+    const leaked = findings.length > 0;
+    const hasBlocked = findings.some(f => f.action === 'blocked');
+    // Build redacted content if any findings
+    let redactedContent;
+    if (leaked) {
+        redactedContent = buildRedactedContent(content, matchedRanges);
+    }
+    return {
+        leaked,
+        findings,
+        redactedContent: hasBlocked ? redactedContent : redactedContent,
+    };
+}
+// ── Redaction Helper ──
+/**
+ * Replace all detected secrets in content with [REDACTED-{type}] placeholders.
+ * Useful for agents that want to store memory but strip the secrets.
+ */
+export function redactCredentials(content, config) {
+    const result = scanForCredentials(content, config);
+    return result.redactedContent ?? content;
+}
+/**
+ * Build redacted content by replacing matched ranges.
+ */
+function buildRedactedContent(content, ranges) {
+    // Sort by start position descending to replace from end to start
+    const sorted = [...ranges].sort((a, b) => b.start - a.start);
+    let result = content;
+    for (const range of sorted) {
+        result = result.slice(0, range.start) + range.replacement + result.slice(range.end);
+    }
+    return result;
+}
+export { shannonEntropy, checkHighEntropy } from './entropy.js';
+export { ALL_CREDENTIAL_PATTERNS } from './patterns.js';
+//# sourceMappingURL=index.js.map

package/dist/defence/credential-leak/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/defence/credential-leak/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EACL,uBAAuB,GAIxB,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,wBAAwB,EAAE,MAAM,cAAc,CAAC;AA+BxD,MAAM,CAAC,MAAM,yBAAyB,GAA8B;IAClE,OAAO,EAAE,IAAI;IACb,eAAe,EAAE,IAAI;IACrB,WAAW,EAAE,IAAI;IACjB,YAAY,EAAE,IAAI;IAClB,cAAc,EAAE,EAAE;IAClB,SAAS,EAAE,EAAE;CACd,CAAC;AAEF,kBAAkB;AAElB;;;GAGG;AACH,SAAS,WAAW,CAAC,KAAa,EAAE,IAAoB;IACtD,IAAI,KAAK,CAAC,MAAM,IAAI,EAAE;QAAE,OAAO,aAAa,IAAI,GAAG,CAAC;IACpD,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;AACrD,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CACxB,QAA4B,EAC5B,MAAiC;IAEjC,IAAI,QAAQ,KAAK,UAAU,IAAI,MAAM,CAAC,eAAe;QAAE,OAAO,SAAS,CAAC;IACxE,IAAI,QAAQ,KAAK,MAAM,IAAI,MAAM,CAAC,WAAW;QAAE,OAAO,SAAS,CAAC;IAChE,IAAI,QAAQ,KAAK,QAAQ,IAAI,MAAM,CAAC,YAAY;QAAE,OAAO,QAAQ,CAAC;IAClE,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;GAGG;AACH,SAAS,aAAa,CAAC,KAAa,EAAE,SAAmB;IACvD,KAAK,MAAM,KAAK,IAAI,SAAS,EAAE,CAAC;QAC9B,IAAI,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,KAAK,KAAK,KAAK;YAAE,OAAO,IAAI,CAAC;IAC9D,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,gBAAgB;AAEhB;;;;;;;;;GASG;AACH,MAAM,UAAU,kBAAkB,CAChC,OAAe,EACf,MAA2C;IAE3C,MAAM,GAAG,GAA8B,EAAE,GAAG,yBAAyB,EAAE,GAAG,MAAM,EAAE,CAAC;IAEnF,IAAI,CAAC,GAAG,CAAC,OAAO,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrD,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;IACzC,CAAC;IAED,MAAM,QAAQ,GAAwB,EAAE,CAAC;IACzC,MAAM,aAAa,GAA+D,EAAE,CAAC;IAErF,MAAM,QAAQ,GAAG,CAAC,GAAG,uBAAuB,EAAE,GAAG,GAAG,CAAC,cAAc,CAAC,CAAC;IAErE,2BAA2B;IAC3B,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,sCAAsC;QACtC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QACpE,IAAI,KAA6B,CAAC;QAElC,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC9C,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAC3B,4EAA4E;YAC5E,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,SAAS,CAAC;YAE1C,+BAA+B;YAC/B,IAAI,OAAO,CAAC,SAAS,IAAI,WAAW,CAAC,MAAM,GAAG,OAAO,CAAC,SAAS;gBAAE,SAAS;YAE1E,0BAA0B;YAC1B,IAAI,aAAa,CAAC,WAAW,EAAE,GAAG,CAAC,SAAS,CAAC;gBAAE,SAAS;YAExD,qEAAqE;YACrE,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC;YAC1B,MAAM,GAAG,GAAG,KAAK,GAAG,SAAS,CAAC,MAAM,CAAC;YACrC,IAAI,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,IAAI,CAAC,CAAC,KAAK,IAAI,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC;gBAAE,SAAS;YAExE,MAAM,MAAM,GAAG,iBAAiB,CAAC,OAAO,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;YACxD,MAAM,QAAQ,GAAG,WAAW,CAAC,WAAW,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;YAExD,QAAQ,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,UAAU,EAAE,OAAO,CAAC,UAAU;gBAC9B,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,KAAK,EAAE,QAAQ;gBACf,QAAQ,EAAE,KAAK;gBACf,MAAM;aACP,CAAC,CAAC;YAEH,MAAM,WAAW,GAAG,aAAa,OAAO,CAAC,IAAI,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC;YAClG,aAAa,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,WAAW,EAAE,CAAC,CAAC;QAClD,CAAC;IACH,CAAC;IAED,8DAA8D;IAC9D,MAAM,aAAa,GAAG,wBAAwB,CAAC,OAAO,CAAC,CAAC;IACxD,KAAK,MAAM,KAAK,IAAI,aAAa,EAAE,CAAC;QAClC,MAAM,KAAK,GAAG,KAAK,CAAC,QAAQ,CAAC;QAC7B,MAAM,GAAG,GAAG,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC;QAEvC,6CAA6C;QAC7C,IAAI,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CACzB,CAAC,KAAK,IAAI,CAAC,CAAC,KAAK,IAAI,KAAK,GAAG,CAAC,CAAC,GAAG,CAAC;YACnC,CAAC,GAAG,GAAG,CAAC,CAAC,KAAK,IAAI,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAChC;YAAE,SAAS;QAEZ,mBAAmB;QACnB,IAAI,aAAa,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,SAAS,CAAC;YAAE,SAAS;QAExD,MAAM,QAAQ,GAAuB,KAAK,CAAC,UAAU,IAAI,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC;QAChF,MAAM,MAAM,GAAG,iBAAiB,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QAEhD,QAAQ,CAAC,IAAI,CAAC;YACZ,IAAI,EAAE,cAAc;YACpB,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,QAAQ;YACR,KAAK,EAAE,WAAW,CAAC,KAAK,CAAC,KAAK,EAAE,cAAc,CAAC;YAC/C,QAAQ,EAAE,KAAK;YACf,MAAM;SACP,CAAC,CAAC;QAEH,aAAa,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,WAAW,EAAE,yBAAyB,EAAE,CAAC,CAAC;IAC7E,CAAC;IAED,4BAA4B;IAC5B,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC;IAEjD,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;IACnC,MAAM,UAAU,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC;IAE9D,yCAAyC;IACzC,IAAI,eAAmC,CAAC;IACxC,IAAI,MAAM,EAAE,CAAC;QACX,eAAe,GAAG,oBAAoB,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;IACjE,CAAC;IAED,OAAO;QACL,MAAM;QACN,QAAQ;QACR,eAAe,EAAE,UAAU,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,eAAe;KAChE,CAAC;AACJ,CAAC;AAED,yBAAyB;AAEzB;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAC/B,OAAe,EACf,MAA2C;IAE3C,MAAM,MAAM,GAAG,kBAAkB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACnD,OAAO,MAAM,CAAC,eAAe,IAAI,OAAO,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAC3B,OAAe,EACf,MAAkE;IAElE,iEAAiE;IACjE,MAAM,MAAM,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;IAC7D,IAAI,MAAM,GAAG,OAAO,CAAC;IACrB,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,GAAG,KAAK,CAAC,WAAW,GAAG,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACtF,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAID,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAC"}

package/dist/defence/credential-leak/patterns.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Credential Leak Detection — Pattern Definitions
+ *
+ * Known API key formats, secret patterns, and heuristic matchers
+ * for detecting accidentally persisted credentials in AI agent memory.
+ */
+export interface CredentialPattern {
+    name: string;
+    type: CredentialType;
+    provider?: string;
+    regex: RegExp;
+    severity: CredentialSeverity;
+    /** Base confidence when pattern matches (can be boosted by entropy) */
+    confidence: number;
+    /** Minimum match length to avoid false positives */
+    minLength?: number;
+}
+export type CredentialType = 'api_key' | 'jwt' | 'private_key' | 'connection_string' | 'env_secret' | 'high_entropy';
+export type CredentialSeverity = 'critical' | 'high' | 'medium' | 'low';
+export declare const API_KEY_PATTERNS: CredentialPattern[];
+export declare const GENERIC_SECRET_PATTERNS: CredentialPattern[];
+export declare const PRIVATE_KEY_PATTERNS: CredentialPattern[];
+export declare const CONNECTION_STRING_PATTERNS: CredentialPattern[];
+export declare const ENV_SECRET_PATTERNS: CredentialPattern[];
+export declare const ALL_CREDENTIAL_PATTERNS: CredentialPattern[];
+//# sourceMappingURL=patterns.d.ts.map

package/dist/defence/credential-leak/patterns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../../src/defence/credential-leak/patterns.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,cAAc,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,kBAAkB,CAAC;IAC7B,uEAAuE;IACvE,UAAU,EAAE,MAAM,CAAC;IACnB,oDAAoD;IACpD,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,MAAM,cAAc,GACtB,SAAS,GACT,KAAK,GACL,aAAa,GACb,mBAAmB,GACnB,YAAY,GACZ,cAAc,CAAC;AAEnB,MAAM,MAAM,kBAAkB,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAIxE,eAAO,MAAM,gBAAgB,EAAE,iBAAiB,EAgK/C,CAAC;AAIF,eAAO,MAAM,uBAAuB,EAAE,iBAAiB,EAyBtD,CAAC;AAIF,eAAO,MAAM,oBAAoB,EAAE,iBAAiB,EAgCnD,CAAC;AAIF,eAAO,MAAM,0BAA0B,EAAE,iBAAiB,EAiCzD,CAAC;AAIF,eAAO,MAAM,mBAAmB,EAAE,iBAAiB,EA6BlD,CAAC;AAIF,eAAO,MAAM,uBAAuB,EAAE,iBAAiB,EAMtD,CAAC"}

package/dist/defence/credential-leak/patterns.js

@@ -0,0 +1,304 @@
+/**
+ * Credential Leak Detection — Pattern Definitions
+ *
+ * Known API key formats, secret patterns, and heuristic matchers
+ * for detecting accidentally persisted credentials in AI agent memory.
+ */
+// ── Known API Key Patterns ──
+export const API_KEY_PATTERNS = [
+    // OpenAI
+    {
+        name: 'OpenAI API Key',
+        type: 'api_key',
+        provider: 'openai',
+        regex: /sk-[A-Za-z0-9]{20,}/g,
+        severity: 'critical',
+        confidence: 0.95,
+        minLength: 24,
+    },
+    // Anthropic
+    {
+        name: 'Anthropic API Key',
+        type: 'api_key',
+        provider: 'anthropic',
+        regex: /sk-ant-[A-Za-z0-9\-_]{20,}/g,
+        severity: 'critical',
+        confidence: 0.98,
+    },
+    // AWS Access Key
+    {
+        name: 'AWS Access Key ID',
+        type: 'api_key',
+        provider: 'aws',
+        regex: /AKIA[0-9A-Z]{16}/g,
+        severity: 'critical',
+        confidence: 0.97,
+    },
+    // AWS Secret Key (typically base64-like, 40 chars)
+    {
+        name: 'AWS Secret Access Key',
+        type: 'api_key',
+        provider: 'aws',
+        regex: /(?:aws_secret_access_key|AWS_SECRET_ACCESS_KEY|SecretAccessKey)\s*[=:]\s*["']?([A-Za-z0-9/+=]{40})["']?/g,
+        severity: 'critical',
+        confidence: 0.95,
+    },
+    // GitHub tokens
+    {
+        name: 'GitHub Personal Access Token',
+        type: 'api_key',
+        provider: 'github',
+        regex: /ghp_[A-Za-z0-9]{36,}/g,
+        severity: 'critical',
+        confidence: 0.98,
+    },
+    {
+        name: 'GitHub OAuth Token',
+        type: 'api_key',
+        provider: 'github',
+        regex: /gho_[A-Za-z0-9]{36,}/g,
+        severity: 'critical',
+        confidence: 0.98,
+    },
+    {
+        name: 'GitHub Fine-grained PAT',
+        type: 'api_key',
+        provider: 'github',
+        regex: /github_pat_[A-Za-z0-9_]{22,}/g,
+        severity: 'critical',
+        confidence: 0.98,
+    },
+    // Stripe
+    {
+        name: 'Stripe Live Key',
+        type: 'api_key',
+        provider: 'stripe',
+        regex: /sk_live_[A-Za-z0-9]{24,}/g,
+        severity: 'critical',
+        confidence: 0.98,
+    },
+    {
+        name: 'Stripe Test Key',
+        type: 'api_key',
+        provider: 'stripe',
+        regex: /sk_test_[A-Za-z0-9]{24,}/g,
+        severity: 'medium',
+        confidence: 0.95,
+    },
+    {
+        name: 'Stripe Publishable Key',
+        type: 'api_key',
+        provider: 'stripe',
+        regex: /pk_(?:live|test)_[A-Za-z0-9]{24,}/g,
+        severity: 'medium',
+        confidence: 0.90,
+    },
+    // Twilio
+    {
+        name: 'Twilio API Key',
+        type: 'api_key',
+        provider: 'twilio',
+        regex: /SK[a-f0-9]{32}/g,
+        severity: 'critical',
+        confidence: 0.90,
+    },
+    // SendGrid
+    {
+        name: 'SendGrid API Key',
+        type: 'api_key',
+        provider: 'sendgrid',
+        regex: /SG\.[A-Za-z0-9\-_]{22,}\.[A-Za-z0-9\-_]{22,}/g,
+        severity: 'critical',
+        confidence: 0.97,
+    },
+    // Slack
+    {
+        name: 'Slack Bot Token',
+        type: 'api_key',
+        provider: 'slack',
+        regex: /xoxb-[0-9]{10,}-[0-9A-Za-z\-]{20,}/g,
+        severity: 'critical',
+        confidence: 0.96,
+    },
+    {
+        name: 'Slack Webhook URL',
+        type: 'api_key',
+        provider: 'slack',
+        regex: /https:\/\/hooks\.slack\.com\/services\/T[A-Z0-9]{8,}\/B[A-Z0-9]{8,}\/[A-Za-z0-9]{20,}/g,
+        severity: 'high',
+        confidence: 0.95,
+    },
+    // Google
+    {
+        name: 'Google API Key',
+        type: 'api_key',
+        provider: 'google',
+        regex: /AIza[A-Za-z0-9\-_]{35}/g,
+        severity: 'critical',
+        confidence: 0.95,
+    },
+    // Mailgun
+    {
+        name: 'Mailgun API Key',
+        type: 'api_key',
+        provider: 'mailgun',
+        regex: /key-[A-Za-z0-9]{32}/g,
+        severity: 'critical',
+        confidence: 0.85,
+    },
+    // npm
+    {
+        name: 'npm Access Token',
+        type: 'api_key',
+        provider: 'npm',
+        regex: /npm_[A-Za-z0-9]{36,}/g,
+        severity: 'critical',
+        confidence: 0.97,
+    },
+    // Heroku
+    {
+        name: 'Heroku API Key',
+        type: 'api_key',
+        provider: 'heroku',
+        regex: /[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/g,
+        severity: 'low',
+        confidence: 0.30,
+        // UUIDs are very common — only flagged as low confidence
+    },
+];
+// ── Generic Secret Patterns ──
+export const GENERIC_SECRET_PATTERNS = [
+    // JWT tokens
+    {
+        name: 'JWT Token',
+        type: 'jwt',
+        regex: /eyJ[A-Za-z0-9\-_]+\.eyJ[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+/g,
+        severity: 'high',
+        confidence: 0.92,
+    },
+    // Bearer tokens in headers
+    {
+        name: 'Bearer Token',
+        type: 'api_key',
+        regex: /(?:Authorization|authorization)\s*:\s*Bearer\s+([A-Za-z0-9\-_./+=]{20,})/g,
+        severity: 'high',
+        confidence: 0.90,
+    },
+    // Basic auth headers
+    {
+        name: 'Basic Auth Header',
+        type: 'api_key',
+        regex: /(?:Authorization|authorization)\s*:\s*Basic\s+([A-Za-z0-9+/=]{8,})/g,
+        severity: 'high',
+        confidence: 0.88,
+    },
+];
+// ── Private Key Patterns ──
+export const PRIVATE_KEY_PATTERNS = [
+    {
+        name: 'RSA Private Key',
+        type: 'private_key',
+        provider: 'rsa',
+        regex: /-----BEGIN\s+RSA\s+PRIVATE\s+KEY-----[\s\S]*?-----END\s+RSA\s+PRIVATE\s+KEY-----/g,
+        severity: 'critical',
+        confidence: 0.99,
+    },
+    {
+        name: 'EC Private Key',
+        type: 'private_key',
+        provider: 'ec',
+        regex: /-----BEGIN\s+EC\s+PRIVATE\s+KEY-----[\s\S]*?-----END\s+EC\s+PRIVATE\s+KEY-----/g,
+        severity: 'critical',
+        confidence: 0.99,
+    },
+    {
+        name: 'Generic Private Key',
+        type: 'private_key',
+        regex: /-----BEGIN\s+(?:ENCRYPTED\s+)?PRIVATE\s+KEY-----[\s\S]*?-----END\s+(?:ENCRYPTED\s+)?PRIVATE\s+KEY-----/g,
+        severity: 'critical',
+        confidence: 0.99,
+    },
+    {
+        name: 'SSH Private Key',
+        type: 'private_key',
+        provider: 'ssh',
+        regex: /-----BEGIN\s+OPENSSH\s+PRIVATE\s+KEY-----[\s\S]*?-----END\s+OPENSSH\s+PRIVATE\s+KEY-----/g,
+        severity: 'critical',
+        confidence: 0.99,
+    },
+];
+// ── Connection String Patterns ──
+export const CONNECTION_STRING_PATTERNS = [
+    {
+        name: 'PostgreSQL Connection String',
+        type: 'connection_string',
+        provider: 'postgres',
+        regex: /postgres(?:ql)?:\/\/[^\s"'`]+:[^\s"'`@]+@[^\s"'`]+/g,
+        severity: 'critical',
+        confidence: 0.95,
+    },
+    {
+        name: 'MySQL Connection String',
+        type: 'connection_string',
+        provider: 'mysql',
+        regex: /mysql:\/\/[^\s"'`]+:[^\s"'`@]+@[^\s"'`]+/g,
+        severity: 'critical',
+        confidence: 0.95,
+    },
+    {
+        name: 'MongoDB Connection String',
+        type: 'connection_string',
+        provider: 'mongodb',
+        regex: /mongodb(?:\+srv)?:\/\/[^\s"'`]+:[^\s"'`@]+@[^\s"'`]+/g,
+        severity: 'critical',
+        confidence: 0.95,
+    },
+    {
+        name: 'Redis Connection String',
+        type: 'connection_string',
+        provider: 'redis',
+        regex: /redis(?:s)?:\/\/[^\s"'`]*:[^\s"'`@]+@[^\s"'`]+/g,
+        severity: 'critical',
+        confidence: 0.93,
+    },
+];
+// ── Environment Variable Patterns ──
+export const ENV_SECRET_PATTERNS = [
+    {
+        name: 'Password Assignment',
+        type: 'env_secret',
+        regex: /(?:PASSWORD|PASSWD|DB_PASS|DB_PASSWORD|ADMIN_PASSWORD|ROOT_PASSWORD)\s*[=:]\s*["']?([^\s"']{8,})["']?/gi,
+        severity: 'high',
+        confidence: 0.85,
+    },
+    {
+        name: 'Secret Assignment',
+        type: 'env_secret',
+        regex: /(?:SECRET|SECRET_KEY|APP_SECRET|JWT_SECRET|SESSION_SECRET|ENCRYPTION_KEY)\s*[=:]\s*["']?([^\s"']{8,})["']?/gi,
+        severity: 'high',
+        confidence: 0.85,
+    },
+    {
+        name: 'Token Assignment',
+        type: 'env_secret',
+        regex: /(?:TOKEN|ACCESS_TOKEN|REFRESH_TOKEN|AUTH_TOKEN|API_TOKEN|BEARER_TOKEN)\s*[=:]\s*["']?([^\s"']{8,})["']?/gi,
+        severity: 'high',
+        confidence: 0.82,
+    },
+    {
+        name: 'API Key Assignment',
+        type: 'env_secret',
+        regex: /(?:API_KEY|APIKEY|API_SECRET)\s*[=:]\s*["']?([^\s"']{8,})["']?/gi,
+        severity: 'high',
+        confidence: 0.82,
+    },
+];
+// ── All Patterns Combined (in priority order) ──
+export const ALL_CREDENTIAL_PATTERNS = [
+    ...PRIVATE_KEY_PATTERNS,
+    ...API_KEY_PATTERNS,
+    ...CONNECTION_STRING_PATTERNS,
+    ...GENERIC_SECRET_PATTERNS,
+    ...ENV_SECRET_PATTERNS,
+];
+//# sourceMappingURL=patterns.js.map

package/dist/defence/credential-leak/patterns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../../src/defence/credential-leak/patterns.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAwBH,+BAA+B;AAE/B,MAAM,CAAC,MAAM,gBAAgB,GAAwB;IACnD,SAAS;IACT;QACE,IAAI,EAAE,gBAAgB;QACtB,IAAI,EAAE,SAAS;QACf,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,sBAAsB;QAC7B,QAAQ,EAAE,UAAU;QACpB,UAAU,EAAE,IAAI;QAChB,SAAS,EAAE,EAAE;KACd;IACD,YAAY;IACZ;QACE,IAAI,EAAE,mBAAmB;QACzB,IAAI,EAAE,SAAS;QACf,QAAQ,EAAE,WAAW;QACrB,KAAK,EAAE,6BAA6B;QACpC,QAAQ,EAAE,UAAU;QACpB,UAAU,EAAE,IAAI;KACjB;IACD,iBAAiB;IACjB;QACE,IAAI,EAAE,mBAAmB;QACzB,IAAI,EAAE,SAAS;QACf,QAAQ,EAAE,KAAK;QACf,KAAK,EAAE,mBAAmB;QAC1B,QAAQ,EAAE,UAAU;QACpB,UAAU,EAAE,IAAI;KACjB;IACD,mDAAmD;IACnD;QACE,IAAI,EAAE,uBAAuB;QAC7B,IAAI,EAAE,SAAS;QACf,QAAQ,EAAE,KAAK;QACf,KAAK,EAAE,0GAA0G;QACjH,QAAQ,EAAE,UAAU;QACpB,UAAU,EAAE,IAAI;KACjB;IACD,gBAAgB;IAChB;QACE,IAAI,EAAE,8BAA8B;QACpC,IAAI,EAAE,SAAS;QACf,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,uBAAuB;QAC9B,QAAQ,EAAE,UAAU;QACpB,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,oBAAoB;QAC1B,IAAI,EAAE,SAAS;QACf,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,uBAAuB;QAC9B,QAAQ,EAAE,UAAU;QACpB,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,yBAAyB;QAC/B,IAAI,EAAE,SAAS;QACf,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,+BAA+B;QACtC,QAAQ,EAAE,UAAU;QACpB,UAAU,EAAE,IAAI;KACjB;IACD,SAAS;IACT;QACE,IAAI,EAAE,iBAAiB;QACvB,IAAI,EAAE,SAAS;QACf,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,2BAA2B;QAClC,QAAQ,EAAE,UAAU;QACpB,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,iBAAiB;QACvB,IAAI,EAAE,SAAS;QACf,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,2BAA2B;QAClC,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,wBAAwB;QAC9B,IAAI,EAAE,SAAS;QACf,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,IAAI;KACjB;IACD,SAAS;IACT;QACE,IAAI,EAAE,gBAAgB;QACtB,IAAI,EAAE,SAAS;QACf,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,iBAAiB;QACxB,QAAQ,EAAE,UAAU;QACpB,UAAU,EAAE,IAAI;KACjB;IACD,WAAW;IACX;QACE,IAAI,EAAE,kBAAkB;QACxB,IAAI,EAAE,SAAS;QACf,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,+CAA+C;QACtD,QAAQ,EAAE,UAAU;QACpB,UAAU,EAAE,IAAI;KACjB;IACD,QAAQ;IACR;QACE,IAAI,EAAE,iBAAiB;QACvB,IAAI,EAAE,SAAS;QACf,QAAQ,EAAE,OAAO;QACjB,KAAK,EAAE,qCAAqC;QAC5C,QAAQ,EAAE,UAAU;QACpB,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,mBAAmB;QACzB,IAAI,EAAE,SAAS;QACf,QAAQ,EAAE,OAAO;QACjB,KAAK,EAAE,wFAAwF;QAC/F,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,IAAI;KACjB;IACD,SAAS;IACT;QACE,IAAI,EAAE,gBAAgB;QACtB,IAAI,EAAE,SAAS;QACf,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,UAAU;QACpB,UAAU,EAAE,IAAI;KACjB;IACD,UAAU;IACV;QACE,IAAI,EAAE,iBAAiB;QACvB,IAAI,EAAE,SAAS;QACf,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,sBAAsB;QAC7B,QAAQ,EAAE,UAAU;QACpB,UAAU,EAAE,IAAI;KACjB;IACD,MAAM;IACN;QACE,IAAI,EAAE,kBAAkB;QACxB,IAAI,EAAE,SAAS;QACf,QAAQ,EAAE,KAAK;QACf,KAAK,EAAE,uBAAuB;QAC9B,QAAQ,EAAE,UAAU;QACpB,UAAU,EAAE,IAAI;KACjB;IACD,SAAS;IACT;QACE,IAAI,EAAE,gBAAgB;QACtB,IAAI,EAAE,SAAS;QACf,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,+DAA+D;QACtE,QAAQ,EAAE,KAAK;QACf,UAAU,EAAE,IAAI;QAChB,yDAAyD;KAC1D;CACF,CAAC;AAEF,gCAAgC;AAEhC,MAAM,CAAC,MAAM,uBAAuB,GAAwB;IAC1D,aAAa;IACb;QACE,IAAI,EAAE,WAAW;QACjB,IAAI,EAAE,KAAK;QACX,KAAK,EAAE,0DAA0D;QACjE,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,IAAI;KACjB;IACD,2BAA2B;IAC3B;QACE,IAAI,EAAE,cAAc;QACpB,IAAI,EAAE,SAAS;QACf,KAAK,EAAE,2EAA2E;QAClF,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,IAAI;KACjB;IACD,qBAAqB;IACrB;QACE,IAAI,EAAE,mBAAmB;QACzB,IAAI,EAAE,SAAS;QACf,KAAK,EAAE,qEAAqE;QAC5E,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,IAAI;KACjB;CACF,CAAC;AAEF,6BAA6B;AAE7B,MAAM,CAAC,MAAM,oBAAoB,GAAwB;IACvD;QACE,IAAI,EAAE,iBAAiB;QACvB,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,KAAK;QACf,KAAK,EAAE,mFAAmF;QAC1F,QAAQ,EAAE,UAAU;QACpB,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,IAAI;QACd,KAAK,EAAE,iFAAiF;QACxF,QAAQ,EAAE,UAAU;QACpB,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,qBAAqB;QAC3B,IAAI,EAAE,aAAa;QACnB,KAAK,EAAE,yGAAyG;QAChH,QAAQ,EAAE,UAAU;QACpB,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,iBAAiB;QACvB,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,KAAK;QACf,KAAK,EAAE,2FAA2F;QAClG,QAAQ,EAAE,UAAU;QACpB,UAAU,EAAE,IAAI;KACjB;CACF,CAAC;AAEF,mCAAmC;AAEnC,MAAM,CAAC,MAAM,0BAA0B,GAAwB;IAC7D;QACE,IAAI,EAAE,8BAA8B;QACpC,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,qDAAqD;QAC5D,QAAQ,EAAE,UAAU;QACpB,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,yBAAyB;QAC/B,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,OAAO;QACjB,KAAK,EAAE,2CAA2C;QAClD,QAAQ,EAAE,UAAU;QACpB,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,2BAA2B;QACjC,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,uDAAuD;QAC9D,QAAQ,EAAE,UAAU;QACpB,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,yBAAyB;QAC/B,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,OAAO;QACjB,KAAK,EAAE,iDAAiD;QACxD,QAAQ,EAAE,UAAU;QACpB,UAAU,EAAE,IAAI;KACjB;CACF,CAAC;AAEF,sCAAsC;AAEtC,MAAM,CAAC,MAAM,mBAAmB,GAAwB;IACtD;QACE,IAAI,EAAE,qBAAqB;QAC3B,IAAI,EAAE,YAAY;QAClB,KAAK,EAAE,yGAAyG;QAChH,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,mBAAmB;QACzB,IAAI,EAAE,YAAY;QAClB,KAAK,EAAE,8GAA8G;QACrH,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,IAAI,EAAE,YAAY;QAClB,KAAK,EAAE,2GAA2G;QAClH,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,IAAI;KACjB;IACD;QACE,IAAI,EAAE,oBAAoB;QAC1B,IAAI,EAAE,YAAY;QAClB,KAAK,EAAE,kEAAkE;QACzE,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,IAAI;KACjB;CACF,CAAC;AAEF,kDAAkD;AAElD,MAAM,CAAC,MAAM,uBAAuB,GAAwB;IAC1D,GAAG,oBAAoB;IACvB,GAAG,gBAAgB;IACnB,GAAG,0BAA0B;IAC7B,GAAG,uBAAuB;IAC1B,GAAG,mBAAmB;CACvB,CAAC"}

package/dist/defence/index.d.ts

@@ -8,6 +8,8 @@ export { scoreSource, filterByTrust } from './trust/index.js';
 export { analyzeFirewall } from './firewall/index.js';
 export { classifySensitivity, redactContent, redactForDisplay } from './sensitivity/index.js';
 export { analyzeFragmentation, storeFragmentationData } from './fragmentation/index.js';
+export { scanForCredentials, redactCredentials, DEFAULT_CREDENTIAL_CONFIG } from './credential-leak/index.js';
+export type { CredentialScanResult, CredentialFinding, CredentialDetectionConfig, CredentialType, CredentialSeverity } from './credential-leak/index.js';
 export { logAudit, queryAuditLogs, getAuditStats } from './audit/index.js';
 export { scanSkill, scanSkillContent, discoverSkillFiles, detectFormat, detectFormatFromContent, parseSkillFile, readSkillFile } from './skill-scanner/index.js';
 export type { SkillScanResult, SkillScanOptions, SkillThreatFinding, ParsedSkill, SkillFormat } from './skill-scanner/index.js';

package/dist/defence/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/defence/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AAGnD,OAAO,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC;AACpD,YAAY,EACV,aAAa,EACb,qBAAqB,EACrB,aAAa,EACb,gBAAgB,EAChB,cAAc,EACd,qBAAqB,EACrB,yBAAyB,EACzB,gBAAgB,EAChB,eAAe,EACf,UAAU,EACV,eAAe,EACf,UAAU,GACX,MAAM,YAAY,CAAC;AAGpB,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAG9D,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAGtD,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAG9F,OAAO,EAAE,oBAAoB,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAGxF,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAG3E,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,YAAY,EAAE,uBAAuB,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AACjK,YAAY,EAAE,eAAe,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAGhI,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,eAAe,EAAE,kBAAkB,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAC9K,YAAY,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/defence/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AAGnD,OAAO,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC;AACpD,YAAY,EACV,aAAa,EACb,qBAAqB,EACrB,aAAa,EACb,gBAAgB,EAChB,cAAc,EACd,qBAAqB,EACrB,yBAAyB,EACzB,gBAAgB,EAChB,eAAe,EACf,UAAU,EACV,eAAe,EACf,UAAU,GACX,MAAM,YAAY,CAAC;AAGpB,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAG9D,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAGtD,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAG9F,OAAO,EAAE,oBAAoB,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAGxF,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,yBAAyB,EAAE,MAAM,4BAA4B,CAAC;AAC9G,YAAY,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,yBAAyB,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAGzJ,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAG3E,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,YAAY,EAAE,uBAAuB,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AACjK,YAAY,EAAE,eAAe,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAGhI,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,eAAe,EAAE,kBAAkB,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAC9K,YAAY,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAC"}

package/dist/defence/index.js

@@ -13,6 +13,8 @@ export { analyzeFirewall } from './firewall/index.js';
 export { classifySensitivity, redactContent, redactForDisplay } from './sensitivity/index.js';
 // Fragmentation
 export { analyzeFragmentation, storeFragmentationData } from './fragmentation/index.js';
+// Credential Leak Detection (Layer 6)
+export { scanForCredentials, redactCredentials, DEFAULT_CREDENTIAL_CONFIG } from './credential-leak/index.js';
 // Audit
 export { logAudit, queryAuditLogs, getAuditStats } from './audit/index.js';
 // Skill Scanner

package/dist/defence/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/defence/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,WAAW;AACX,OAAO,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AAEnD,iBAAiB;AACjB,OAAO,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC;AAgBpD,QAAQ;AACR,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAE9D,WAAW;AACX,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEtD,cAAc;AACd,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAE9F,gBAAgB;AAChB,OAAO,EAAE,oBAAoB,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAExF,QAAQ;AACR,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAE3E,gBAAgB;AAChB,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,YAAY,EAAE,uBAAuB,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAGjK,QAAQ;AACR,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,eAAe,EAAE,kBAAkB,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAE9K,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/defence/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,WAAW;AACX,OAAO,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AAEnD,iBAAiB;AACjB,OAAO,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC;AAgBpD,QAAQ;AACR,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAE9D,WAAW;AACX,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEtD,cAAc;AACd,OAAO,EAAE,mBAAmB,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAE9F,gBAAgB;AAChB,OAAO,EAAE,oBAAoB,EAAE,sBAAsB,EAAE,MAAM,0BAA0B,CAAC;AAExF,sCAAsC;AACtC,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,yBAAyB,EAAE,MAAM,4BAA4B,CAAC;AAG9G,QAAQ;AACR,OAAO,EAAE,QAAQ,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAE3E,gBAAgB;AAChB,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,YAAY,EAAE,uBAAuB,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAGjK,QAAQ;AACR,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,eAAe,EAAE,kBAAkB,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAE9K,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAC"}

package/dist/defence/pipeline.d.ts

@@ -1,7 +1,7 @@
 /**
  * Defence Pipeline Orchestrator
  *
- * Runs all 5 defence layers in sequence and returns a unified result.
+ * Runs all 6 defence layers in sequence and returns a unified result.
  * Fail-closed: if any layer throws, the pipeline defaults to BLOCK for security.
  */
 import type { DefenceConfig, DefencePipelineResult, DefenceSource } from './types.js';

package/dist/defence/pipeline.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"pipeline.d.ts","sourceRoot":"","sources":["../../src/defence/pipeline.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EACV,aAAa,EACb,qBAAqB,EACrB,aAAa,EAKd,MAAM,YAAY,CAAC;AAWpB,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,aAAa,EACrB,MAAM,CAAC,EAAE,aAAa,EACtB,OAAO,CAAC,EAAE,MAAM,GACf,qBAAqB,CAwJvB"}
+{"version":3,"file":"pipeline.d.ts","sourceRoot":"","sources":["../../src/defence/pipeline.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EACV,aAAa,EACb,qBAAqB,EACrB,aAAa,EAKd,MAAM,YAAY,CAAC;AAYpB,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,aAAa,EACrB,MAAM,CAAC,EAAE,aAAa,EACtB,OAAO,CAAC,EAAE,MAAM,GACf,qBAAqB,CA+KvB"}

package/dist/defence/pipeline.js

@@ -1,7 +1,7 @@
 /**
  * Defence Pipeline Orchestrator
  *
- * Runs all 5 defence layers in sequence and returns a unified result.
+ * Runs all 6 defence layers in sequence and returns a unified result.
  * Fail-closed: if any layer throws, the pipeline defaults to BLOCK for security.
  */
 import { DEFAULT_DEFENCE_CONFIG } from './types.js';
@@ -9,6 +9,7 @@ import { scoreSource } from './trust/index.js';
 import { analyzeFirewall } from './firewall/index.js';
 import { classifySensitivity } from './sensitivity/index.js';
 import { analyzeFragmentation } from './fragmentation/index.js';
+import { scanForCredentials } from './credential-leak/index.js';
 import { logAudit, createContentHash } from './audit/index.js';
 import { persistEvent } from '../api/events.js';
 import { syncToCloud } from '../cloud/sync.js';
@@ -27,13 +28,29 @@ export function runDefencePipeline(content, title, source, config, project) {
         if (cfg.enableFragmentationDetection && firewall.result !== 'BLOCK') {
             fragmentation = analyzeFragmentation(content, title, cfg);
         }
-        // 5. Determine final decision
+        // 5. Run credential leak detection (Layer 6)
+        const credentialScan = scanForCredentials(content);
+        // 6. Determine final decision
         let allowed;
         let reason;
+        // Check if credential scan produced any blocked findings
+        const credentialBlocked = credentialScan.findings.some(f => f.action === 'blocked');
         if (firewall.result === 'BLOCK') {
             allowed = false;
             reason = firewall.reason;
         }
+        else if (credentialBlocked) {
+            allowed = false;
+            const blockedTypes = credentialScan.findings
+                .filter(f => f.action === 'blocked')
+                .map(f => f.provider ? `${f.provider} ${f.type}` : f.type);
+            reason = `Blocked: credential leak detected (${blockedTypes.join(', ')})`;
+            // Also update firewall result to reflect the block
+            firewall.result = 'BLOCK';
+            if (!firewall.threatIndicators.includes('credential_leak')) {
+                firewall.threatIndicators.push('credential_leak');
+            }
+        }
         else if (firewall.result === 'QUARANTINE') {
             allowed = false;
             reason = `Quarantined: ${firewall.reason}`;
@@ -51,6 +68,10 @@ export function runDefencePipeline(content, title, source, config, project) {
             allowed = true;
             reason = firewall.reason;
         }
+        // Add credential_leak to threat indicators if any findings (even non-blocking)
+        if (credentialScan.leaked && !firewall.threatIndicators.includes('credential_leak')) {
+            firewall.threatIndicators.push('credential_leak');
+        }
         const durationMs = Math.round(performance.now() - startTime);
         // 6. Log audit
         const _contentHash = createContentHash(content);
@@ -94,6 +115,7 @@ export function runDefencePipeline(content, title, source, config, project) {
             fragmentation,
             sensitivity,
             trust,
+            credentialScan: credentialScan.leaked ? credentialScan : undefined,
             auditId,
         };
         // 8. Sync audit data to cloud (fire-and-forget, never blocks)