npm - tlc-claude-code - Versions diffs - 1.4.7 → 1.4.9 - Mend

tlc-claude-code 1.4.7 → 1.4.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (170) hide show

package/docker-compose.dev.yml +6 -3
package/package.json +1 -1
package/server/index.js +229 -14
package/server/lib/compliance/control-mapper.js +401 -0
package/server/lib/compliance/control-mapper.test.js +117 -0
package/server/lib/compliance/evidence-linker.js +296 -0
package/server/lib/compliance/evidence-linker.test.js +121 -0
package/server/lib/compliance/gdpr-checklist.js +416 -0
package/server/lib/compliance/gdpr-checklist.test.js +131 -0
package/server/lib/compliance/hipaa-checklist.js +277 -0
package/server/lib/compliance/hipaa-checklist.test.js +101 -0
package/server/lib/compliance/iso27001-checklist.js +287 -0
package/server/lib/compliance/iso27001-checklist.test.js +99 -0
package/server/lib/compliance/multi-framework-reporter.js +284 -0
package/server/lib/compliance/multi-framework-reporter.test.js +127 -0
package/server/lib/compliance/pci-dss-checklist.js +214 -0
package/server/lib/compliance/pci-dss-checklist.test.js +95 -0
package/server/lib/compliance/trust-centre.js +187 -0
package/server/lib/compliance/trust-centre.test.js +93 -0
package/server/lib/dashboard/api-server.js +155 -0
package/server/lib/dashboard/api-server.test.js +155 -0
package/server/lib/dashboard/health-api.js +199 -0
package/server/lib/dashboard/health-api.test.js +122 -0
package/server/lib/dashboard/notes-api.js +234 -0
package/server/lib/dashboard/notes-api.test.js +134 -0
package/server/lib/dashboard/router-api.js +176 -0
package/server/lib/dashboard/router-api.test.js +132 -0
package/server/lib/dashboard/tasks-api.js +289 -0
package/server/lib/dashboard/tasks-api.test.js +161 -0
package/server/lib/dashboard/tlc-introspection.js +197 -0
package/server/lib/dashboard/tlc-introspection.test.js +138 -0
package/server/lib/dashboard/version-api.js +222 -0
package/server/lib/dashboard/version-api.test.js +112 -0
package/server/lib/dashboard/websocket-server.js +104 -0
package/server/lib/dashboard/websocket-server.test.js +118 -0
package/server/lib/deploy/branch-classifier.js +163 -0
package/server/lib/deploy/branch-classifier.test.js +164 -0
package/server/lib/deploy/deployment-approval.js +299 -0
package/server/lib/deploy/deployment-approval.test.js +296 -0
package/server/lib/deploy/deployment-audit.js +374 -0
package/server/lib/deploy/deployment-audit.test.js +307 -0
package/server/lib/deploy/deployment-executor.js +335 -0
package/server/lib/deploy/deployment-executor.test.js +329 -0
package/server/lib/deploy/deployment-rules.js +163 -0
package/server/lib/deploy/deployment-rules.test.js +188 -0
package/server/lib/deploy/rollback-manager.js +379 -0
package/server/lib/deploy/rollback-manager.test.js +321 -0
package/server/lib/deploy/security-gates.js +236 -0
package/server/lib/deploy/security-gates.test.js +222 -0
package/server/lib/k8s/gitops-config.js +188 -0
package/server/lib/k8s/gitops-config.test.js +59 -0
package/server/lib/k8s/helm-generator.js +196 -0
package/server/lib/k8s/helm-generator.test.js +59 -0
package/server/lib/k8s/kustomize-generator.js +176 -0
package/server/lib/k8s/kustomize-generator.test.js +58 -0
package/server/lib/k8s/network-policy.js +114 -0
package/server/lib/k8s/network-policy.test.js +53 -0
package/server/lib/k8s/pod-security.js +114 -0
package/server/lib/k8s/pod-security.test.js +55 -0
package/server/lib/k8s/rbac-generator.js +132 -0
package/server/lib/k8s/rbac-generator.test.js +57 -0
package/server/lib/k8s/resource-manager.js +172 -0
package/server/lib/k8s/resource-manager.test.js +60 -0
package/server/lib/k8s/secrets-encryption.js +168 -0
package/server/lib/k8s/secrets-encryption.test.js +49 -0
package/server/lib/monitoring/alert-manager.js +238 -0
package/server/lib/monitoring/alert-manager.test.js +106 -0
package/server/lib/monitoring/health-check.js +226 -0
package/server/lib/monitoring/health-check.test.js +176 -0
package/server/lib/monitoring/incident-manager.js +230 -0
package/server/lib/monitoring/incident-manager.test.js +98 -0
package/server/lib/monitoring/log-aggregator.js +147 -0
package/server/lib/monitoring/log-aggregator.test.js +89 -0
package/server/lib/monitoring/metrics-collector.js +337 -0
package/server/lib/monitoring/metrics-collector.test.js +172 -0
package/server/lib/monitoring/status-page.js +214 -0
package/server/lib/monitoring/status-page.test.js +105 -0
package/server/lib/monitoring/uptime-monitor.js +194 -0
package/server/lib/monitoring/uptime-monitor.test.js +109 -0
package/server/lib/network/fail2ban-config.js +294 -0
package/server/lib/network/fail2ban-config.test.js +275 -0
package/server/lib/network/firewall-manager.js +252 -0
package/server/lib/network/firewall-manager.test.js +254 -0
package/server/lib/network/geoip-filter.js +282 -0
package/server/lib/network/geoip-filter.test.js +264 -0
package/server/lib/network/rate-limiter.js +229 -0
package/server/lib/network/rate-limiter.test.js +293 -0
package/server/lib/network/request-validator.js +351 -0
package/server/lib/network/request-validator.test.js +345 -0
package/server/lib/network/security-headers.js +251 -0
package/server/lib/network/security-headers.test.js +283 -0
package/server/lib/network/tls-config.js +210 -0
package/server/lib/network/tls-config.test.js +248 -0
package/server/lib/security/auth-security.js +369 -0
package/server/lib/security/auth-security.test.js +448 -0
package/server/lib/security/cis-benchmark.js +152 -0
package/server/lib/security/cis-benchmark.test.js +137 -0
package/server/lib/security/compose-templates.js +312 -0
package/server/lib/security/compose-templates.test.js +229 -0
package/server/lib/security/container-runtime.js +456 -0
package/server/lib/security/container-runtime.test.js +503 -0
package/server/lib/security/cors-validator.js +278 -0
package/server/lib/security/cors-validator.test.js +310 -0
package/server/lib/security/crypto-utils.js +253 -0
package/server/lib/security/crypto-utils.test.js +409 -0
package/server/lib/security/dockerfile-linter.js +459 -0
package/server/lib/security/dockerfile-linter.test.js +483 -0
package/server/lib/security/dockerfile-templates.js +278 -0
package/server/lib/security/dockerfile-templates.test.js +164 -0
package/server/lib/security/error-sanitizer.js +426 -0
package/server/lib/security/error-sanitizer.test.js +331 -0
package/server/lib/security/headers-generator.js +368 -0
package/server/lib/security/headers-generator.test.js +398 -0
package/server/lib/security/image-scanner.js +83 -0
package/server/lib/security/image-scanner.test.js +106 -0
package/server/lib/security/input-validator.js +352 -0
package/server/lib/security/input-validator.test.js +330 -0
package/server/lib/security/network-policy.js +174 -0
package/server/lib/security/network-policy.test.js +164 -0
package/server/lib/security/output-encoder.js +237 -0
package/server/lib/security/output-encoder.test.js +276 -0
package/server/lib/security/path-validator.js +359 -0
package/server/lib/security/path-validator.test.js +293 -0
package/server/lib/security/query-builder.js +421 -0
package/server/lib/security/query-builder.test.js +318 -0
package/server/lib/security/secret-detector.js +290 -0
package/server/lib/security/secret-detector.test.js +354 -0
package/server/lib/security/secrets-validator.js +137 -0
package/server/lib/security/secrets-validator.test.js +120 -0
package/server/lib/security-testing/dast-runner.js +154 -0
package/server/lib/security-testing/dast-runner.test.js +62 -0
package/server/lib/security-testing/dependency-scanner.js +172 -0
package/server/lib/security-testing/dependency-scanner.test.js +64 -0
package/server/lib/security-testing/pentest-runner.js +230 -0
package/server/lib/security-testing/pentest-runner.test.js +60 -0
package/server/lib/security-testing/sast-runner.js +136 -0
package/server/lib/security-testing/sast-runner.test.js +62 -0
package/server/lib/security-testing/secret-scanner.js +153 -0
package/server/lib/security-testing/secret-scanner.test.js +66 -0
package/server/lib/security-testing/security-gate.js +216 -0
package/server/lib/security-testing/security-gate.test.js +115 -0
package/server/lib/security-testing/security-reporter.js +303 -0
package/server/lib/security-testing/security-reporter.test.js +114 -0
package/server/lib/standards/audit-checker.js +546 -0
package/server/lib/standards/audit-checker.test.js +415 -0
package/server/lib/standards/cleanup-executor.js +452 -0
package/server/lib/standards/cleanup-executor.test.js +293 -0
package/server/lib/standards/refactor-stepper.js +425 -0
package/server/lib/standards/refactor-stepper.test.js +298 -0
package/server/lib/standards/standards-injector.js +167 -0
package/server/lib/standards/standards-injector.test.js +232 -0
package/server/lib/user-management.test.js +284 -0
package/server/lib/vps/backup-manager.js +157 -0
package/server/lib/vps/backup-manager.test.js +59 -0
package/server/lib/vps/caddy-config.js +159 -0
package/server/lib/vps/caddy-config.test.js +48 -0
package/server/lib/vps/compose-orchestrator.js +219 -0
package/server/lib/vps/compose-orchestrator.test.js +50 -0
package/server/lib/vps/database-config.js +208 -0
package/server/lib/vps/database-config.test.js +47 -0
package/server/lib/vps/deploy-script.js +211 -0
package/server/lib/vps/deploy-script.test.js +53 -0
package/server/lib/vps/secrets-manager.js +148 -0
package/server/lib/vps/secrets-manager.test.js +58 -0
package/server/lib/vps/server-hardening.js +174 -0
package/server/lib/vps/server-hardening.test.js +70 -0
package/server/package-lock.json +19 -0
package/server/package.json +1 -0
package/server/templates/CLAUDE.md +37 -0
package/server/templates/CODING-STANDARDS.md +408 -0

package/server/lib/security/query-builder.test.js ADDED Viewed

@@ -0,0 +1,318 @@
+/**
+ * Query Builder Tests
+ *
+ * Tests for safe parameterized query building.
+ */
+import { describe, it, expect } from 'vitest';
+import {
+  createQueryBuilder,
+  select,
+  insert,
+  update,
+  del,
+  SecurityError,
+} from './query-builder.js';
+describe('query-builder', () => {
+  describe('select', () => {
+    it('builds SELECT with simple WHERE', () => {
+      const result = select('users')
+        .columns(['id', 'name', 'email'])
+        .where('id', '=', 1)
+        .build();
+      expect(result.sql).toBe('SELECT id, name, email FROM users WHERE id = $1');
+      expect(result.params).toEqual([1]);
+    });
+    it('builds SELECT with multiple WHERE conditions', () => {
+      const result = select('users')
+        .columns(['*'])
+        .where('status', '=', 'active')
+        .where('age', '>=', 18)
+        .build();
+      expect(result.sql).toBe('SELECT * FROM users WHERE status = $1 AND age >= $2');
+      expect(result.params).toEqual(['active', 18]);
+    });
+    it('builds SELECT with OR conditions', () => {
+      const result = select('users')
+        .columns(['*'])
+        .where('role', '=', 'admin')
+        .orWhere('role', '=', 'superadmin')
+        .build();
+      expect(result.sql).toContain('OR');
+      expect(result.params).toEqual(['admin', 'superadmin']);
+    });
+    it('builds SELECT with IN clause', () => {
+      const result = select('users')
+        .columns(['*'])
+        .whereIn('id', [1, 2, 3])
+        .build();
+      expect(result.sql).toBe('SELECT * FROM users WHERE id IN ($1, $2, $3)');
+      expect(result.params).toEqual([1, 2, 3]);
+    });
+    it('builds SELECT with ORDER BY', () => {
+      const result = select('users')
+        .columns(['*'])
+        .orderBy('created_at', 'DESC')
+        .build();
+      expect(result.sql).toContain('ORDER BY created_at DESC');
+    });
+    it('builds SELECT with LIMIT and OFFSET', () => {
+      const result = select('users')
+        .columns(['*'])
+        .limit(10)
+        .offset(20)
+        .build();
+      expect(result.sql).toContain('LIMIT $1');
+      expect(result.sql).toContain('OFFSET $2');
+      expect(result.params).toContain(10);
+      expect(result.params).toContain(20);
+    });
+    it('rejects string concatenation in WHERE value', () => {
+      expect(() => {
+        select('users')
+          .columns(['*'])
+          .whereRaw("name = '" + "'; DROP TABLE users;--")
+          .build();
+      }).toThrow(SecurityError);
+    });
+    it('rejects unwhitelisted table name', () => {
+      const builder = createQueryBuilder({
+        allowedTables: ['users', 'posts'],
+      });
+      expect(() => {
+        builder.select('admin_secrets').columns(['*']).build();
+      }).toThrow(SecurityError);
+    });
+    it('rejects unwhitelisted column name', () => {
+      const builder = createQueryBuilder({
+        allowedColumns: { users: ['id', 'name', 'email'] },
+      });
+      expect(() => {
+        builder.select('users').columns(['password_hash']).build();
+      }).toThrow(SecurityError);
+    });
+  });
+  describe('insert', () => {
+    it('builds INSERT with values', () => {
+      const result = insert('users')
+        .values({ name: 'John', email: 'john@example.com' })
+        .build();
+      expect(result.sql).toBe('INSERT INTO users (name, email) VALUES ($1, $2)');
+      expect(result.params).toEqual(['John', 'john@example.com']);
+    });
+    it('builds INSERT with multiple rows', () => {
+      const result = insert('users')
+        .values([
+          { name: 'John', email: 'john@example.com' },
+          { name: 'Jane', email: 'jane@example.com' },
+        ])
+        .build();
+      expect(result.sql).toContain('VALUES ($1, $2), ($3, $4)');
+      expect(result.params).toHaveLength(4);
+    });
+    it('builds INSERT with RETURNING clause', () => {
+      const result = insert('users')
+        .values({ name: 'John' })
+        .returning(['id'])
+        .build();
+      expect(result.sql).toContain('RETURNING id');
+    });
+    it('escapes column names with special characters', () => {
+      const result = insert('users')
+        .values({ 'user-name': 'John' })
+        .build();
+      expect(result.sql).toContain('"user-name"');
+    });
+    it('rejects SQL in column names', () => {
+      expect(() => {
+        insert('users')
+          .values({ 'name; DROP TABLE users;--': 'John' })
+          .build();
+      }).toThrow(SecurityError);
+    });
+  });
+  describe('update', () => {
+    it('builds UPDATE with SET and WHERE', () => {
+      const result = update('users')
+        .set({ name: 'John', status: 'active' })
+        .where('id', '=', 1)
+        .build();
+      expect(result.sql).toBe('UPDATE users SET name = $1, status = $2 WHERE id = $3');
+      expect(result.params).toEqual(['John', 'active', 1]);
+    });
+    it('requires WHERE clause by default', () => {
+      expect(() => {
+        update('users')
+          .set({ status: 'deleted' })
+          .build();
+      }).toThrow(SecurityError);
+    });
+    it('allows UPDATE without WHERE when explicitly unsafe', () => {
+      const result = update('users')
+        .set({ status: 'inactive' })
+        .unsafe()
+        .build();
+      expect(result.sql).toBe('UPDATE users SET status = $1');
+    });
+    it('builds UPDATE with RETURNING', () => {
+      const result = update('users')
+        .set({ name: 'John' })
+        .where('id', '=', 1)
+        .returning(['id', 'name'])
+        .build();
+      expect(result.sql).toContain('RETURNING id, name');
+    });
+  });
+  describe('delete', () => {
+    it('builds DELETE with WHERE', () => {
+      const result = del('users')
+        .where('id', '=', 1)
+        .build();
+      expect(result.sql).toBe('DELETE FROM users WHERE id = $1');
+      expect(result.params).toEqual([1]);
+    });
+    it('requires WHERE clause by default', () => {
+      expect(() => {
+        del('users').build();
+      }).toThrow(SecurityError);
+    });
+    it('allows DELETE without WHERE when explicitly unsafe', () => {
+      const result = del('users').unsafe().build();
+      expect(result.sql).toBe('DELETE FROM users');
+    });
+    it('builds DELETE with multiple conditions', () => {
+      const result = del('users')
+        .where('status', '=', 'deleted')
+        .where('deleted_at', '<', '2024-01-01')
+        .build();
+      expect(result.sql).toContain('AND');
+      expect(result.params).toHaveLength(2);
+    });
+  });
+  describe('SQL keyword safety', () => {
+    it('treats SQL keywords in values as data', () => {
+      const result = insert('users')
+        .values({ name: 'SELECT * FROM users' })
+        .build();
+      expect(result.params).toContain('SELECT * FROM users');
+      expect(result.sql).not.toContain('SELECT * FROM users');
+    });
+    it('treats DROP TABLE in values as data', () => {
+      const result = update('users')
+        .set({ bio: 'DROP TABLE users;' })
+        .where('id', '=', 1)
+        .build();
+      expect(result.params).toContain('DROP TABLE users;');
+    });
+    it('treats UNION in values as data', () => {
+      const result = select('users')
+        .columns(['*'])
+        .where('name', '=', "' UNION SELECT * FROM passwords--")
+        .build();
+      expect(result.params).toContain("' UNION SELECT * FROM passwords--");
+    });
+  });
+  describe('dialect support', () => {
+    it('uses PostgreSQL parameter style ($1)', () => {
+      const builder = createQueryBuilder({ dialect: 'postgresql' });
+      const result = builder.select('users')
+        .columns(['*'])
+        .where('id', '=', 1)
+        .build();
+      expect(result.sql).toContain('$1');
+    });
+    it('uses MySQL parameter style (?)', () => {
+      const builder = createQueryBuilder({ dialect: 'mysql' });
+      const result = builder.select('users')
+        .columns(['*'])
+        .where('id', '=', 1)
+        .build();
+      expect(result.sql).toContain('?');
+    });
+    it('uses SQLite parameter style (?)', () => {
+      const builder = createQueryBuilder({ dialect: 'sqlite' });
+      const result = builder.select('users')
+        .columns(['*'])
+        .where('id', '=', 1)
+        .build();
+      expect(result.sql).toContain('?');
+    });
+  });
+  describe('identifier escaping', () => {
+    it('escapes table names with special characters', () => {
+      const result = select('user-data')
+        .columns(['*'])
+        .build();
+      expect(result.sql).toContain('"user-data"');
+    });
+    it('escapes reserved word table names', () => {
+      const result = select('order')
+        .columns(['*'])
+        .build();
+      expect(result.sql).toContain('"order"');
+    });
+    it('handles schema-qualified table names', () => {
+      const result = select('public.users')
+        .columns(['*'])
+        .build();
+      expect(result.sql).toContain('public.users');
+    });
+  });
+});

package/server/lib/security/secret-detector.js ADDED Viewed

@@ -0,0 +1,290 @@
+/**
+ * Secret Detector Module
+ *
+ * Detects hardcoded secrets, API keys, and credentials in code.
+ * Helps prevent OWASP A02: Cryptographic Failures and A07: Auth Failures
+ */
+/**
+ * Built-in secret detection patterns
+ * All patterns use simple, non-backtracking regex
+ */
+const BUILT_IN_PATTERNS = [
+  // AWS Access Key (always starts with AKIA, exactly 20 chars)
+  {
+    name: 'aws_access_key',
+    pattern: /AKIA[0-9A-Z]{16}/g,
+    severity: 'critical',
+  },
+  // AWS Secret Key (40 char base64-like, starts with wJalrX typically)
+  {
+    name: 'aws_secret_key',
+    pattern: /(?:secret(?:Access)?Key|aws_secret)\s*[=:]\s*["']([A-Za-z0-9/+=]{40})["']/gi,
+    severity: 'critical',
+  },
+  // GitHub tokens (prefixed with ghp_, gho_, ghu_, ghr_, ghs_)
+  {
+    name: 'github_token',
+    pattern: /gh[pousr]_[A-Za-z0-9]{36}/g,
+    severity: 'critical',
+  },
+  // Stripe secret key (sk_live_ or sk_test_, 4-32 chars after prefix for tests)
+  {
+    name: 'stripe_secret_key',
+    pattern: /sk_live_[A-Za-z0-9]{4,32}/g,
+    severity: 'critical',
+  },
+  {
+    name: 'stripe_test_key',
+    pattern: /sk_test_[A-Za-z0-9]{4,32}/g,
+    severity: 'high',
+  },
+  // Private keys (PEM format headers)
+  {
+    name: 'private_key',
+    pattern: /-----BEGIN\s+(?:RSA\s+|EC\s+|DSA\s+|OPENSSH\s+)?PRIVATE\s+KEY-----/g,
+    severity: 'critical',
+  },
+  // JWT tokens - detect by eyJ prefix (Base64 for {"alg" or {"typ")
+  {
+    name: 'jwt_token',
+    pattern: /eyJ[A-Za-z0-9_-]{20,}\.eyJ[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}/g,
+    severity: 'high',
+  },
+  // Database connection strings with embedded credentials
+  {
+    name: 'connection_string',
+    pattern: /(?:postgresql|mysql|mongodb(?:\+srv)?|redis):\/\/\w+:\w+@[^\s"']+/gi,
+    severity: 'critical',
+  },
+  // Password assignments (simple detection)
+  {
+    name: 'password',
+    pattern: /(?:password|passwd|pass|db_password|secret)\s*[:=]\s*["'][^"']{4,30}["']/gi,
+    severity: 'high',
+    excludePatterns: [/process\.env/i, /\$\{/],
+  },
+];
+/**
+ * Patterns that indicate false positives
+ * These are checked against the LINE, not just the matched value
+ */
+const FALSE_POSITIVE_PATTERNS = [
+  /process\.env/i,
+  /\$\{[^}]+\}/,
+  /YOUR_[A-Z_]+_HERE/i,
+  /PLACEHOLDER/i,
+  /-----BEGIN\s+PUBLIC\s+KEY-----/,
+  /-----BEGIN\s+CERTIFICATE-----/,
+];
+/**
+ * Patterns checked only against the matched value (not the full line)
+ */
+const VALUE_FALSE_POSITIVE_PATTERNS = [
+  /^x{4,}$/i,  // Only if the entire value is just x's
+];
+/**
+ * Detect secrets in code content
+ * @param {string} content - Code content to scan
+ * @param {Object} options - Detection options
+ * @returns {Object} Detection results
+ */
+export function detectSecrets(content, options = {}) {
+  const {
+    patterns = BUILT_IN_PATTERNS,
+    ignoreTestValues = false,
+  } = options;
+  const findings = [];
+  const lines = content.split('\n');
+  for (const patternDef of patterns) {
+    const { name, pattern, severity, excludePatterns } = patternDef;
+    // Create a fresh regex instance with global flag
+    const flags = pattern.flags.includes('g') ? pattern.flags : pattern.flags + 'g';
+    const regex = new RegExp(pattern.source, flags);
+    let match;
+    while ((match = regex.exec(content)) !== null) {
+      const matchStart = match.index;
+      const matchValue = match[0];
+      // Find line number
+      let lineNumber = 1;
+      let charCount = 0;
+      for (let i = 0; i < lines.length; i++) {
+        if (charCount + lines[i].length >= matchStart) {
+          lineNumber = i + 1;
+          break;
+        }
+        charCount += lines[i].length + 1;
+      }
+      const line = lines[lineNumber - 1] || '';
+      // Check for false positives
+      let isFalsePositive = false;
+      // Check pattern-specific exclusions
+      if (excludePatterns) {
+        for (const excl of excludePatterns) {
+          if (excl.test(line)) {
+            isFalsePositive = true;
+            break;
+          }
+        }
+      }
+      // Check global false positive patterns (against line)
+      if (!isFalsePositive) {
+        for (const fp of FALSE_POSITIVE_PATTERNS) {
+          if (fp.test(line)) {
+            isFalsePositive = true;
+            break;
+          }
+        }
+      }
+      // Check value-specific false positive patterns
+      if (!isFalsePositive) {
+        for (const fp of VALUE_FALSE_POSITIVE_PATTERNS) {
+          if (fp.test(matchValue)) {
+            isFalsePositive = true;
+            break;
+          }
+        }
+      }
+      // Skip test values if configured
+      if (!isFalsePositive && ignoreTestValues) {
+        if (/test|example|sample|demo/i.test(matchValue)) {
+          isFalsePositive = true;
+        }
+      }
+      if (!isFalsePositive) {
+        findings.push({
+          type: name,
+          line: lineNumber,
+          column: matchStart - content.lastIndexOf('\n', matchStart - 1),
+          severity: severity || 'medium',
+          snippet: line.trim().substring(0, 100),
+        });
+      }
+    }
+  }
+  return {
+    findings,
+    hasSecrets: findings.length > 0,
+  };
+}
+/**
+ * Scan a file for secrets
+ */
+export async function scanFile(filePath, options = {}) {
+  const { content } = options;
+  if (!content) {
+    throw new Error('Content must be provided');
+  }
+  const result = detectSecrets(content, options);
+  return {
+    file: filePath,
+    findings: result.findings.map((f) => ({ ...f, file: filePath })),
+    hasSecrets: result.hasSecrets,
+  };
+}
+/**
+ * Scan a directory for secrets
+ */
+export async function scanDirectory(dirPath, options = {}) {
+  const { files = {}, ignore = [] } = options;
+  const allFindings = [];
+  let filesWithSecrets = 0;
+  let totalFiles = 0;
+  for (const [filePath, content] of Object.entries(files)) {
+    const relativePath = filePath.replace(dirPath, '').replace(/^\//, '');
+    // Check ignore patterns
+    let shouldIgnore = false;
+    for (const pattern of ignore) {
+      if (relativePath.includes(pattern.replace('/**', '').replace('/*', ''))) {
+        shouldIgnore = true;
+        break;
+      }
+    }
+    if (shouldIgnore) continue;
+    totalFiles++;
+    const result = await scanFile(filePath, { content, ...options });
+    if (result.hasSecrets) {
+      filesWithSecrets++;
+      allFindings.push(...result.findings);
+    }
+  }
+  return {
+    directory: dirPath,
+    totalFiles,
+    filesWithSecrets,
+    findings: allFindings,
+    hasSecrets: allFindings.length > 0,
+  };
+}
+/**
+ * Create a custom secret detector
+ */
+export function createSecretDetector(options = {}) {
+  const { patterns = [], builtInPatterns = true } = options;
+  const activePatterns = builtInPatterns
+    ? [...BUILT_IN_PATTERNS, ...patterns]
+    : patterns;
+  return {
+    patterns: activePatterns,
+    detect(content, detectOptions = {}) {
+      return detectSecrets(content, { ...detectOptions, patterns: this.patterns });
+    },
+    addPattern(pattern) {
+      this.patterns.push(pattern);
+    },
+  };
+}
+/**
+ * Add a custom pattern to an existing detector
+ */
+export function addCustomPattern(detector, pattern) {
+  if (!detector || !detector.patterns) {
+    throw new Error('Invalid detector');
+  }
+  detector.patterns.push({
+    name: pattern.name,
+    pattern: pattern.pattern,
+    severity: pattern.severity || 'medium',
+  });
+}