ultraenv 1.0.0

package/dist/chunk-MSXMESFP.js

@@ -0,0 +1,1910 @@
+import {
+  getStagedFiles,
+  isGitIgnored,
+  isGitRepository
+} from "./chunk-R7PZRSZ7.js";
+import {
+  maskValue
+} from "./chunk-TE7HPLA6.js";
+
+// src/data/secret-patterns.ts
+var SECRET_PATTERNS = [
+  // =========================================================================
+  // AWS
+  // =========================================================================
+  {
+    id: "aws-access-key-id",
+    name: "AWS Access Key ID",
+    pattern: /(?:^|["'\s:=,`])(AKIA[0-9A-Z]{16})(?:["'\s,`]|$)/gm,
+    confidence: 0.95,
+    severity: "critical",
+    description: "AWS IAM Access Key ID. Grants programmatic access to AWS resources.",
+    remediation: "Rotate the key immediately in the AWS IAM Console. Use environment variables or a secrets manager. Never commit access keys to source control.",
+    category: "aws"
+  },
+  {
+    id: "aws-secret-access-key",
+    name: "AWS Secret Access Key",
+    pattern: /(?:^|["'\s:=,`])(aws(.{0,20})?(secret|Secret|SECRET)(.{0,20})?[=\s]\s*["']?)([A-Za-z0-9/+=]{40})(?:["'\s,`;]|$)/gm,
+    confidence: 0.85,
+    severity: "critical",
+    description: "AWS Secret Access Key. The secret counterpart to an AWS Access Key ID.",
+    remediation: "Rotate the key immediately. Use AWS IAM to generate new credentials and store them in a secure vault.",
+    category: "aws"
+  },
+  {
+    id: "aws-session-token",
+    name: "AWS Session Token",
+    pattern: /(?:^|["'\s:=,`])(AQo[A-Za-z0-9/+=]{150,}(?:%3D){0,2})(?:["'\s,`;]|$)/gm,
+    confidence: 0.9,
+    severity: "critical",
+    description: "AWS temporary session token (STS). Grants short-lived AWS credentials.",
+    remediation: "Do not commit session tokens. They expire but should still be treated as sensitive. Use role-based access instead.",
+    category: "aws"
+  },
+  {
+    id: "aws-account-id",
+    name: "AWS Account ID",
+    pattern: /(?:^|["'\s:=,(])(\d{12})(?:["'\s,)]|$)/gm,
+    confidence: 0.3,
+    severity: "medium",
+    description: "Potential AWS Account ID (12-digit number). May indicate hardcoded AWS resource references.",
+    remediation: "Use environment variables or parameter store for account IDs. Avoid hardcoding account-specific identifiers.",
+    category: "aws"
+  },
+  // =========================================================================
+  // GitHub
+  // =========================================================================
+  {
+    id: "github-personal-access-token",
+    name: "GitHub Personal Access Token",
+    pattern: /(?:^|["'\s:=,`])(ghp_[A-Za-z0-9_]{36,})(?:["'\s,`;]|$)/gm,
+    confidence: 0.95,
+    severity: "critical",
+    description: "GitHub Personal Access Token (classic). Grants access to GitHub APIs and repositories.",
+    remediation: "Revoke the token immediately at GitHub Settings > Developer settings > Personal access tokens. Use GitHub Secrets or a vault.",
+    category: "github"
+  },
+  {
+    id: "github-oauth-access-token",
+    name: "GitHub OAuth Access Token",
+    pattern: /(?:^|["'\s:=,`])(gho_[A-Za-z0-9_]{36,})(?:["'\s,`;]|$)/gm,
+    confidence: 0.95,
+    severity: "critical",
+    description: "GitHub OAuth Access Token. Used for OAuth-based GitHub authentication.",
+    remediation: "Revoke the OAuth application at GitHub Settings > Developer settings > OAuth Apps. Rotate the token.",
+    category: "github"
+  },
+  {
+    id: "github-app-token",
+    name: "GitHub App Token",
+    pattern: /(?:^|["'\s:=,`])(ghs_[A-Za-z0-9_]{36,})(?:["'\s,`;]|$)/gm,
+    confidence: 0.95,
+    severity: "critical",
+    description: "GitHub App Installation Token. Grants repository-scoped access via a GitHub App.",
+    remediation: "Revoke the app installation and generate a new token. Store tokens in a secure vault with short TTL.",
+    category: "github"
+  },
+  {
+    id: "github-refresh-token",
+    name: "GitHub Refresh Token",
+    pattern: /(?:^|["'\s:=,`])(ghr_[A-Za-z0-9_]{36,})(?:["'\s,`;]|$)/gm,
+    confidence: 0.95,
+    severity: "critical",
+    description: "GitHub Refresh Token. Used to obtain new user-to-server tokens.",
+    remediation: "Revoke the refresh token at GitHub Settings > Developer settings. Regenerate and store securely.",
+    category: "github"
+  },
+  {
+    id: "github-user-to-server-token",
+    name: "GitHub User-to-Server Token",
+    pattern: /(?:^|["'\s:=,`])(ghu_[A-Za-z0-9_]{36,})(?:["'\s,`;]|$)/gm,
+    confidence: 0.95,
+    severity: "critical",
+    description: "GitHub User-to-Server Token. Grants a user access to a GitHub App.",
+    remediation: "Revoke the token at GitHub Settings > Developer settings. Use GitHub Secrets for storage.",
+    category: "github"
+  },
+  {
+    id: "github-webhook-secret",
+    name: "GitHub Webhook Secret",
+    pattern: /(?:^|["'\s:=,`])(ghw_[A-Za-z0-9_]{36,})(?:["'\s,`;]|$)/gm,
+    confidence: 0.9,
+    severity: "high",
+    description: "GitHub Webhook Secret. Used to verify the authenticity of webhook payloads.",
+    remediation: "Regenerate the webhook secret in repository settings. Store in a secure vault. Never commit to source.",
+    category: "github"
+  },
+  // =========================================================================
+  // Stripe
+  // =========================================================================
+  {
+    id: "stripe-secret-key",
+    name: "Stripe Secret Key",
+    pattern: /(?:^|["'\s:=,`])(sk_live_[A-Za-z0-9]{24,})(?:["'\s,`;]|$)/gm,
+    confidence: 0.95,
+    severity: "critical",
+    description: "Stripe Live Secret Key. Can process live payments and access customer data.",
+    remediation: "Roll the API key immediately in the Stripe Dashboard. Use environment variables and never commit to source.",
+    category: "stripe"
+  },
+  {
+    id: "stripe-publishable-key",
+    name: "Stripe Publishable Key",
+    pattern: /(?:^|["'\s:=,`])(pk_live_[A-Za-z0-9]{24,})((?:["'\s,`;]|$))/gm,
+    confidence: 0.7,
+    severity: "medium",
+    description: "Stripe Live Publishable Key. Designed to be public but should not be hardcoded.",
+    remediation: "Use environment variables for publishable keys to enable environment-specific configuration.",
+    category: "stripe"
+  },
+  {
+    id: "stripe-restricted-key",
+    name: "Stripe Restricted Key",
+    pattern: /(?:^|["'\s:=,`])(rk_live_[A-Za-z0-9]{24,})(?:["'\s,`;]|$)/gm,
+    confidence: 0.95,
+    severity: "critical",
+    description: "Stripe Restricted Key. Scoped API key with limited permissions for live mode.",
+    remediation: "Roll the restricted key in the Stripe Dashboard. Store in a vault with proper access controls.",
+    category: "stripe"
+  },
+  // =========================================================================
+  // Slack
+  // =========================================================================
+  {
+    id: "slack-bot-token",
+    name: "Slack Bot Token",
+    pattern: /(?:^|["'\s:=,`])(xoxb-[A-Za-z0-9-]{10,})(?:["'\s,`;]|$)/gm,
+    confidence: 0.9,
+    severity: "critical",
+    description: "Slack Bot Token (xoxb-). Grants API access to Slack workspace.",
+    remediation: "Revoke the bot token at api.slack.com/apps. Rotate and store in a secrets manager.",
+    category: "slack"
+  },
+  {
+    id: "slack-user-token",
+    name: "Slack User Token",
+    pattern: /(?:^|["'\s:=,`])(xoxp-[A-Za-z0-9-]{10,})(?:["'\s,`;]|$)/gm,
+    confidence: 0.9,
+    severity: "critical",
+    description: "Slack User Token (xoxp-). Grants user-level Slack workspace access.",
+    remediation: "Revoke the user token immediately. Rotate and store in a secure vault.",
+    category: "slack"
+  },
+  {
+    id: "slack-app-token",
+    name: "Slack App-Level Token",
+    pattern: /(?:^|["'\s:=,`])(xoxa-[A-Za-z0-9-]{10,})(?:["'\s,`;]|$)/gm,
+    confidence: 0.9,
+    severity: "critical",
+    description: "Slack App-Level Token (xoxa-). Grants app-level Slack access.",
+    remediation: "Revoke the token in the Slack API app management dashboard. Rotate credentials.",
+    category: "slack"
+  },
+  {
+    id: "slack-webhook-url",
+    name: "Slack Webhook URL",
+    pattern: /https:\/\/hooks\.slack\.com\/services\/T[A-Z0-9]+\/B[A-Z0-9]+\/[A-Za-z0-9]+/g,
+    confidence: 0.9,
+    severity: "high",
+    description: "Slack Incoming Webhook URL. Can be used to post messages to Slack channels.",
+    remediation: "Rotate the webhook URL in your Slack app configuration. Use environment variables.",
+    category: "slack"
+  },
+  // =========================================================================
+  // Google
+  // =========================================================================
+  {
+    id: "google-api-key",
+    name: "Google API Key",
+    pattern: /(?:^|["'\s:=,`])(AIza[0-9A-Za-z_-]{35})(?:["'\s,`;]|$)/gm,
+    confidence: 0.85,
+    severity: "high",
+    description: "Google API Key. Grants access to Google Cloud Platform services.",
+    remediation: "Restrict the API key in Google Cloud Console > APIs & Services > Credentials. Set application restrictions and API restrictions.",
+    category: "google"
+  },
+  {
+    id: "google-oauth-client-id",
+    name: "Google OAuth Client ID",
+    pattern: /(?:^|["'\s:=,`])(\d{4,}-[a-z0-9_]{32}\.apps\.googleusercontent\.com)(?:["'\s,`;]|$)/gm,
+    confidence: 0.85,
+    severity: "medium",
+    description: "Google OAuth Client ID. Identifies the application for OAuth flows.",
+    remediation: "Restrict the OAuth client to specific domains in Google Cloud Console. Store in environment variables.",
+    category: "google"
+  },
+  {
+    id: "google-oauth-client-secret",
+    name: "Google OAuth Client Secret",
+    pattern: /(?:^|["'\s:=,`]GOCSPX-[A-Za-z0-9_-]{28,})(?:["'\s,`;]|$)/gm,
+    confidence: 0.9,
+    severity: "critical",
+    description: "Google OAuth Client Secret (new format). Used for OAuth authentication flows.",
+    remediation: "Reset the client secret in Google Cloud Console. Store in a secrets manager.",
+    category: "google"
+  },
+  {
+    id: "google-firebase-api-key",
+    name: "Google Firebase API Key",
+    pattern: /(?:^|["'\s:=,`])(AAAA[A-Za-z0-9_-]{36,})(?:["'\s,`;]|$)/gm,
+    confidence: 0.8,
+    severity: "high",
+    description: "Google Firebase Cloud Messaging API Key (Server Key / Legacy).",
+    remediation: "Migrate to Firebase Cloud Messaging v1 API. Use service account credentials instead of legacy API keys.",
+    category: "google"
+  },
+  {
+    id: "google-service-account-private-key",
+    name: "Google Service Account Private Key",
+    pattern: /"private_key"\s*:\s*"(-----BEGIN (?:RSA |EC )?PRIVATE KEY-----[\s\S]*?-----END (?:RSA |EC )?PRIVATE KEY-----)"/gm,
+    confidence: 0.95,
+    severity: "critical",
+    description: "Google Cloud Service Account private key embedded in JSON credentials.",
+    remediation: "Rotate the service account key in Google Cloud IAM. Use Workload Identity or ADC (Application Default Credentials) instead.",
+    category: "google"
+  },
+  // =========================================================================
+  // Private Keys & Certificates
+  // =========================================================================
+  {
+    id: "rsa-private-key",
+    name: "RSA Private Key",
+    pattern: /-----BEGIN RSA PRIVATE KEY-----[\s\S]*?-----END RSA PRIVATE KEY-----/gm,
+    confidence: 0.99,
+    severity: "critical",
+    description: "RSA Private Key in PEM format. Used for TLS, SSH, or code signing.",
+    remediation: "Remove the private key from source code. Generate a new key pair and store the private key in a hardware security module or vault.",
+    category: "keys"
+  },
+  {
+    id: "ec-private-key",
+    name: "EC Private Key",
+    pattern: /-----BEGIN EC PRIVATE KEY-----[\s\S]*?-----END EC PRIVATE KEY-----/gm,
+    confidence: 0.99,
+    severity: "critical",
+    description: "Elliptic Curve Private Key in PEM format.",
+    remediation: "Remove from source code. Generate a new key pair and store the private key in a secure vault.",
+    category: "keys"
+  },
+  {
+    id: "dsa-private-key",
+    name: "DSA Private Key",
+    pattern: /-----BEGIN DSA PRIVATE KEY-----[\s\S]*?-----END DSA PRIVATE KEY-----/gm,
+    confidence: 0.99,
+    severity: "critical",
+    description: "DSA Private Key in PEM format.",
+    remediation: "Remove from source code. Generate a new key and store in a secure vault.",
+    category: "keys"
+  },
+  {
+    id: "openssh-private-key",
+    name: "OpenSSH Private Key",
+    pattern: /-----BEGIN OPENSSH PRIVATE KEY-----[\s\S]*?-----END OPENSSH PRIVATE KEY-----/gm,
+    confidence: 0.99,
+    severity: "critical",
+    description: "OpenSSH Private Key. Grants SSH access to remote systems.",
+    remediation: "Remove from source code. Generate a new SSH key pair and store the private key securely.",
+    category: "keys"
+  },
+  {
+    id: "pgp-private-key",
+    name: "PGP Private Key",
+    pattern: /-----BEGIN PGP PRIVATE KEY BLOCK-----[\s\S]*?-----END PGP PRIVATE KEY BLOCK-----/gm,
+    confidence: 0.99,
+    severity: "critical",
+    description: "PGP Private Key Block. Used for encryption and signing.",
+    remediation: "Remove from source code. Revoke the key if necessary and generate a new one.",
+    category: "keys"
+  },
+  {
+    id: "encrypted-private-key",
+    name: "Encrypted Private Key",
+    pattern: /-----BEGIN ENCRYPTED PRIVATE KEY-----[\s\S]*?-----END ENCRYPTED PRIVATE KEY-----/gm,
+    confidence: 0.95,
+    severity: "critical",
+    description: "Encrypted Private Key in PEM format. Still sensitive even with encryption.",
+    remediation: "Remove from source code. Store in a dedicated secrets manager.",
+    category: "keys"
+  },
+  {
+    id: "pem-certificate",
+    name: "PEM Certificate",
+    pattern: /-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----/gm,
+    confidence: 0.85,
+    severity: "high",
+    description: "PEM-encoded X.509 Certificate. May contain sensitive organizational information.",
+    remediation: "Remove from source code. Store certificates in a certificate management system.",
+    category: "keys"
+  },
+  {
+    id: "pkcs8-private-key",
+    name: "PKCS#8 Private Key",
+    pattern: /-----BEGIN PRIVATE KEY-----[\s\S]*?-----END PRIVATE KEY-----/gm,
+    confidence: 0.99,
+    severity: "critical",
+    description: "PKCS#8 Private Key in PEM format (generic unencrypted private key).",
+    remediation: "Remove from source code. Store in a hardware security module or vault.",
+    category: "keys"
+  },
+  // =========================================================================
+  // JWT Tokens
+  // =========================================================================
+  {
+    id: "jwt-token",
+    name: "JSON Web Token",
+    pattern: /(?:^|["'\s:=,`])(eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,})(?:["'\s,`;]|$)/gm,
+    confidence: 0.75,
+    severity: "high",
+    description: "JSON Web Token (JWT). May contain sensitive claims and grant authentication.",
+    remediation: "Do not hardcode JWTs. Use secure token exchange mechanisms and short-lived tokens.",
+    category: "auth"
+  },
+  // =========================================================================
+  // Database Connection Strings
+  // =========================================================================
+  {
+    id: "mongodb-connection-string",
+    name: "MongoDB Connection String",
+    pattern: /mongodb(?:\+srv)?:\/\/[^\s"'`]+/g,
+    confidence: 0.9,
+    severity: "critical",
+    description: "MongoDB connection URI containing credentials and connection details.",
+    remediation: "Store connection strings in a secrets manager. Use environment variables. Mask credentials in connection strings.",
+    category: "database"
+  },
+  {
+    id: "postgresql-connection-string",
+    name: "PostgreSQL Connection String",
+    pattern: /postgres(?:ql)?:\/\/[^\s"'`]+@[^\s"'`]+/g,
+    confidence: 0.9,
+    severity: "critical",
+    description: "PostgreSQL connection URI containing username and password.",
+    remediation: "Store connection strings in a secrets manager. Use IAM authentication when possible.",
+    category: "database"
+  },
+  {
+    id: "mysql-connection-string",
+    name: "MySQL Connection String",
+    pattern: /mysql(?:\+ssl)?:\/\/[^\s"'`]+@[^\s"'`]+/g,
+    confidence: 0.9,
+    severity: "critical",
+    description: "MySQL connection URI containing username and password.",
+    remediation: "Store connection strings in a secrets manager. Rotate database credentials regularly.",
+    category: "database"
+  },
+  {
+    id: "redis-connection-string",
+    name: "Redis Connection String",
+    pattern: /redis(?:\+sentinel)?(?:\+ssl)?:\/\/[^\s"'`]+/g,
+    confidence: 0.85,
+    severity: "critical",
+    description: "Redis connection URI with optional credentials.",
+    remediation: "Store connection strings in a secrets manager. Enable TLS and use ACLs for authentication.",
+    category: "database"
+  },
+  {
+    id: "couchdb-connection-string",
+    name: "CouchDB Connection String",
+    pattern: /couchdb(?:s)?:\/\/[^\s"'`]+@[^\s"'`]+/g,
+    confidence: 0.85,
+    severity: "critical",
+    description: "CouchDB connection URI containing credentials.",
+    remediation: "Store connection strings in a secrets manager. Use proxy authentication.",
+    category: "database"
+  },
+  // =========================================================================
+  // SendGrid
+  // =========================================================================
+  {
+    id: "sendgrid-api-key",
+    name: "SendGrid API Key",
+    pattern: /(?:^|["'\s:=,`])(SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43})(?:["'\s,`;]|$)/gm,
+    confidence: 0.95,
+    severity: "critical",
+    description: "SendGrid API Key. Grants access to send emails and manage contacts.",
+    remediation: "Revoke the key in SendGrid Dashboard > Settings > API Keys. Store new key in a secrets manager.",
+    category: "email"
+  },
+  // =========================================================================
+  // Twilio
+  // =========================================================================
+  {
+    id: "twilio-api-key-sid",
+    name: "Twilio API Key SID",
+    pattern: /(?:^|["'\s:=,`])(SK[0-9a-fA-F]{32})(?:["'\s,`;]|$)/gm,
+    confidence: 0.85,
+    severity: "critical",
+    description: "Twilio API Key SID. Used for authenticating Twilio API requests.",
+    remediation: "Rotate the API key in the Twilio Console. Store in a secrets manager.",
+    category: "telecom"
+  },
+  {
+    id: "twilio-auth-token",
+    name: "Twilio Auth Token",
+    pattern: /(?:twilio|TWILIO).{0,30}(?:auth|AUTH).{0,10}(?:token|TOKEN)[\s]*[:=][\s]*["']?([A-Za-z0-9]{32})(?:["'\s,`;]|$)/gm,
+    confidence: 0.85,
+    severity: "critical",
+    description: "Twilio Account Auth Token. Grants full access to the Twilio account.",
+    remediation: "Rotate the auth token in the Twilio Console. Never commit to source control.",
+    category: "telecom"
+  },
+  // =========================================================================
+  // Azure
+  // =========================================================================
+  {
+    id: "azure-connection-string",
+    name: "Azure Connection String",
+    pattern: /DefaultEndpointsProtocol=https?;AccountName=[A-Za-z0-9]+;AccountKey=[A-Za-z0-9+/=]+/g,
+    confidence: 0.95,
+    severity: "critical",
+    description: "Azure Storage Account connection string containing the account key.",
+    remediation: "Use Azure Key Vault or Managed Identity instead of connection strings. Rotate the account key.",
+    category: "azure"
+  },
+  {
+    id: "azure-credential",
+    name: "Azure Credentials",
+    pattern: /(?:^|["'\s:=,`])([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.[A-Za-z0-9_-]{30,})(?:["'\s,`;]|$)/gm,
+    confidence: 0.75,
+    severity: "critical",
+    description: "Potential Azure service principal credential or managed identity token.",
+    remediation: "Use Azure Key Vault for storing credentials. Rotate service principal secrets.",
+    category: "azure"
+  },
+  // =========================================================================
+  // DigitalOcean
+  // =========================================================================
+  {
+    id: "digitalocean-token",
+    name: "DigitalOcean API Token",
+    pattern: /(?:^|["'\s:=,`])(dop_v1_[A-Za-z0-9]{64,})(?:["'\s,`;]|$)/gm,
+    confidence: 0.95,
+    severity: "critical",
+    description: "DigitalOcean API Token (v1). Grants full API access.",
+    remediation: "Revoke the token in the DigitalOcean Control Panel > API > Tokens. Store in a secrets manager.",
+    category: "cloud"
+  },
+  {
+    id: "digitalocean-pat",
+    name: "DigitalOcean Personal Access Token",
+    pattern: /(?:^|["'\s:=,`])(dop_v1_[a-f0-9]{64})(?:["'\s,`;]|$)/gm,
+    confidence: 0.9,
+    severity: "critical",
+    description: "DigitalOcean Personal Access Token.",
+    remediation: "Revoke the token in DigitalOcean settings and generate a new one. Store securely.",
+    category: "cloud"
+  },
+  // =========================================================================
+  // Heroku
+  // =========================================================================
+  {
+    id: "heroku-api-key",
+    name: "Heroku API Key",
+    pattern: /(?:^|["'\s:=,`])([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}-[a-f0-9]{16})(?:["'\s,`;]|$)/gm,
+    confidence: 0.7,
+    severity: "high",
+    description: "Heroku API Key. Grants access to Heroku platform APIs.",
+    remediation: "Rotate the API key in Heroku Account Settings. Store in environment variables.",
+    category: "cloud"
+  },
+  // =========================================================================
+  // NPM
+  // =========================================================================
+  {
+    id: "npm-token",
+    name: "NPM Access Token",
+    pattern: /(?:^|["'\s:=,`])(npm_[A-Za-z0-9]{36,})(?:["'\s,`;]|$)/gm,
+    confidence: 0.95,
+    severity: "critical",
+    description: "NPM Access Token. Can be used to publish packages to the npm registry.",
+    remediation: "Revoke the token at https://www.npmjs.com/settings/keys. Generate a new token with minimal scope.",
+    category: "package-manager"
+  },
+  // =========================================================================
+  // Docker
+  // =========================================================================
+  {
+    id: "docker-hub-credentials",
+    name: "Docker Hub Credentials",
+    pattern: /docker\.io\/[^\s"'`]+:[^\s"'`]+@[^\s"'`]+/g,
+    confidence: 0.85,
+    severity: "high",
+    description: "Docker Hub credentials embedded in a registry URL.",
+    remediation: "Use docker login with credentials stored securely. Use Docker credential helpers.",
+    category: "container"
+  },
+  {
+    id: "docker-auth-token",
+    name: "Docker Registry Auth Token",
+    pattern: /(?:^|["'\s:=,`])(eyJ[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,})(?:["'\s,`;]|$)/gm,
+    confidence: 0.7,
+    severity: "high",
+    description: "Docker Registry Bearer Token (JWT format). Used for container registry authentication.",
+    remediation: "Do not store Docker auth tokens in source. Use docker credential store or CI secrets.",
+    category: "container"
+  },
+  // =========================================================================
+  // Firebase
+  // =========================================================================
+  {
+    id: "firebase-config",
+    name: "Firebase Configuration",
+    pattern: /firebase[A-Za-z]*\.json["'\s]*[:=]\s*["'][\s\S]*?"apiKey"\s*:\s*"[A-Za-z0-9_-]+"/gm,
+    confidence: 0.8,
+    severity: "medium",
+    description: "Firebase configuration block containing API keys and project identifiers.",
+    remediation: "Use Firebase Admin SDK with service account credentials. Restrict API keys in Google Cloud Console.",
+    category: "google"
+  },
+  // =========================================================================
+  // Shopify
+  // =========================================================================
+  {
+    id: "shopify-app-secret",
+    name: "Shopify App Secret",
+    pattern: /(?:^|["'\s:=,`])(shpca_[A-Za-z0-9]{32,})(?:["'\s,`;]|$)/gm,
+    confidence: 0.9,
+    severity: "critical",
+    description: "Shopify App Client Secret. Used for OAuth with Shopify apps.",
+    remediation: "Regenerate the app secret in the Shopify Partners Dashboard. Store in a vault.",
+    category: "e-commerce"
+  },
+  {
+    id: "shopify-access-token",
+    name: "Shopify Access Token",
+    pattern: /(?:^|["'\s:=,`])(shpat_[A-Za-z0-9]{32,})(?:["'\s,`;]|$)/gm,
+    confidence: 0.9,
+    severity: "critical",
+    description: "Shopify App Access Token. Grants API access to a Shopify store.",
+    remediation: "Revoke the access token in the Shopify Admin. Regenerate and store securely.",
+    category: "e-commerce"
+  },
+  // =========================================================================
+  // Telegram
+  // =========================================================================
+  {
+    id: "telegram-bot-token",
+    name: "Telegram Bot Token",
+    pattern: /(?:^|["'\s:=,`])(\d{8,10}:[A-Za-z0-9_-]{35})(?:["'\s,`;]|$)/gm,
+    confidence: 0.85,
+    severity: "high",
+    description: "Telegram Bot API Token. Grants control over a Telegram bot.",
+    remediation: "Revoke the token by messaging @BotFather on Telegram. Generate a new token and store securely.",
+    category: "messaging"
+  },
+  // =========================================================================
+  // Discord
+  // =========================================================================
+  {
+    id: "discord-bot-token",
+    name: "Discord Bot Token",
+    pattern: /(?:^|["'\s:=,`])([MN][A-Za-z\d]{23,}\.[\w-]{6}\.[\w-]{27})(?:["'\s,`;]|$)/gm,
+    confidence: 0.9,
+    severity: "critical",
+    description: "Discord Bot Token. Grants full bot access to Discord guilds and channels.",
+    remediation: "Reset the token in the Discord Developer Portal > Bot page. Store in environment variables.",
+    category: "messaging"
+  },
+  {
+    id: "discord-client-secret",
+    name: "Discord Client Secret",
+    pattern: /(?:^|["'\s:=,`])([A-Za-z0-9_-]{32})(?:["'\s,`;]|$)/gm,
+    confidence: 0.5,
+    severity: "high",
+    description: "Potential Discord OAuth2 Client Secret.",
+    remediation: "Reset the client secret in the Discord Developer Portal. Store in a vault.",
+    category: "messaging"
+  },
+  // =========================================================================
+  // Mailgun
+  // =========================================================================
+  {
+    id: "mailgun-api-key",
+    name: "Mailgun API Key",
+    pattern: /(?:^|["'\s:=,`])(key-[A-Za-z0-9]{32})(?:["'\s,`;]|$)/gm,
+    confidence: 0.85,
+    severity: "critical",
+    description: "Mailgun API Key. Grants access to send emails via Mailgun.",
+    remediation: "Rotate the API key in the Mailgun Dashboard. Store in a secrets manager.",
+    category: "email"
+  },
+  // =========================================================================
+  // Base64-Encoded Credentials
+  // =========================================================================
+  {
+    id: "base64-credentials",
+    name: "Base64-Encoded Credentials",
+    pattern: /(?:^|["'\s:=,`])(Basic\s+[A-Za-z0-9+/]{20,}={0,2})(?:["'\s,`;]|$)/gm,
+    confidence: 0.7,
+    severity: "high",
+    description: "Base64-encoded HTTP Basic Auth credentials (Basic base64(user:pass)).",
+    remediation: "Use OAuth2 or token-based authentication. Store credentials in a vault.",
+    category: "auth"
+  },
+  {
+    id: "base64-encoded-secret",
+    name: "Base64-Encoded Secret String",
+    pattern: /(?:^|["'\s:=,`])(?:password|secret|token|credential|apikey)(?:["'\s]*)[:=](?:["'\s]*)([A-Za-z0-9+/]{40,}={0,2})(?:["'\s,`;]|$)/gim,
+    confidence: 0.65,
+    severity: "high",
+    description: "A base64-encoded value assigned to a secret-related variable name.",
+    remediation: "Decode to verify, then store in a secrets manager. Use proper secret management.",
+    category: "auth"
+  },
+  // =========================================================================
+  // Generic Variable Assignments
+  // =========================================================================
+  {
+    id: "generic-api-key-assignment",
+    name: "Generic API Key Assignment",
+    pattern: /(?:^|["'\s])(?:API[_-]?KEY|api[_-]?key)\s*[:=]\s*["']([^\s"'`]{8,})["']/gm,
+    confidence: 0.7,
+    severity: "high",
+    description: "Generic API_KEY variable assignment with a suspicious value.",
+    remediation: "Move API keys to a secrets manager or environment variables. Never hardcode in source.",
+    category: "generic"
+  },
+  {
+    id: "generic-token-assignment",
+    name: "Generic Token Assignment",
+    pattern: /(?:^|["'\s])(?:TOKEN|token|Token)\s*[:=]\s*["']([^\s"'`]{8,})["']/gm,
+    confidence: 0.6,
+    severity: "high",
+    description: "Generic TOKEN variable assignment with a suspicious value.",
+    remediation: "Move tokens to a secrets manager. Use secure token storage mechanisms.",
+    category: "generic"
+  },
+  {
+    id: "generic-secret-assignment",
+    name: "Generic Secret Assignment",
+    pattern: /(?:^|["'\s])(?:SECRET|secret|Secret)[_-]?(?:KEY|key|Key)?\s*[:=]\s*["']([^\s"'`]{8,})["']/gm,
+    confidence: 0.65,
+    severity: "high",
+    description: "Generic SECRET variable assignment with a suspicious value.",
+    remediation: "Move secrets to a vault. Use encrypted storage for sensitive configuration.",
+    category: "generic"
+  },
+  {
+    id: "generic-password-assignment",
+    name: "Generic Password Assignment",
+    pattern: /(?:^|["'\s])(?:PASSWORD|passwd|password|Password)\s*[:=]\s*["']([^\s"'`]{4,})["']/gm,
+    confidence: 0.75,
+    severity: "high",
+    description: "Generic PASSWORD variable assignment with a value.",
+    remediation: "Never hardcode passwords. Use a secrets manager or secure credential store.",
+    category: "generic"
+  },
+  // =========================================================================
+  // .env File Patterns
+  // =========================================================================
+  {
+    id: "env-file-secret-pattern",
+    name: ".env File Secret Pattern",
+    pattern: /(?:^|[\r\n])([A-Z][A-Z0-9_]*(?:(?:PASSWORD|SECRET|TOKEN|KEY|CREDENTIAL|PRIVATE|AUTH)[A-Z0-9_]*)\s*=\s*[^\s][^\r\n]{7,})(?:[\r\n]|$)/gm,
+    confidence: 0.7,
+    severity: "high",
+    description: "Environment variable with a secret-like name and a value in an .env file.",
+    remediation: "Use ultraenv vault encryption for sensitive .env values. Never commit .env files to source control.",
+    category: "env"
+  },
+  // =========================================================================
+  // Hardcoded Passwords
+  // =========================================================================
+  {
+    id: "hardcoded-password-url",
+    name: "Hardcoded Password in URL",
+    pattern: /(?:https?:\/\/)[^\s"'`]*:[^\s"'`]*@(?:[^\s"'`]+)/g,
+    confidence: 0.8,
+    severity: "critical",
+    description: "URL containing embedded credentials (protocol://user:password@host).",
+    remediation: "Remove credentials from URLs. Use environment variables for authentication parameters.",
+    category: "generic"
+  },
+  {
+    id: "hardcoded-password-string",
+    name: "Hardcoded Password String",
+    pattern: /(?:password|passwd|pwd)\s*[:=]\s*["']([^"']{4,}?)["']/gim,
+    confidence: 0.7,
+    severity: "high",
+    description: "Hardcoded password string in configuration or code.",
+    remediation: "Replace with references to a secrets manager. Never store plain-text passwords in code.",
+    category: "generic"
+  },
+  // =========================================================================
+  // SSH
+  // =========================================================================
+  {
+    id: "ssh-private-key",
+    name: "SSH Private Key",
+    pattern: /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/gm,
+    confidence: 0.99,
+    severity: "critical",
+    description: "SSH Private Key in any PEM format. Grants remote access to systems.",
+    remediation: "Remove from source immediately. Generate a new SSH key pair. Store private key in SSH agent or vault.",
+    category: "keys"
+  },
+  // =========================================================================
+  // Cloudflare
+  // =========================================================================
+  {
+    id: "cloudflare-api-token",
+    name: "Cloudflare API Token",
+    pattern: /(?:^|["'\s:=,`])(v1\.0-[A-Za-z0-9_-]{35,}-[A-Za-z0-9_-]{15,})(?:["'\s,`;]|$)/gm,
+    confidence: 0.9,
+    severity: "critical",
+    description: "Cloudflare API Token. Grants access to Cloudflare services and zones.",
+    remediation: "Revoke the token in Cloudflare Dashboard > My Profile > API Tokens. Store securely.",
+    category: "cloud"
+  },
+  {
+    id: "cloudflare-global-api-key",
+    name: "Cloudflare Global API Key",
+    pattern: /(?:^|["'\s:=,`])([A-Za-z0-9]{37})(?:["'\s,`;]|$)/gm,
+    confidence: 0.4,
+    severity: "high",
+    description: "Potential Cloudflare Global API Key (24 hex + 13 chars).",
+    remediation: "Revoke the key in Cloudflare Dashboard. Use scoped API tokens instead of global keys.",
+    category: "cloud"
+  },
+  // =========================================================================
+  // Auth0
+  // =========================================================================
+  {
+    id: "auth0-client-secret",
+    name: "Auth0 Client Secret",
+    pattern: /(?:^|["'\s:=,`])([A-Za-z0-9_-]{40,})(?:["'\s,`;]|$)(?:\s*#.*auth0.*)/gm,
+    confidence: 0.5,
+    severity: "high",
+    description: "Potential Auth0 Client Secret (long random string near Auth0 reference).",
+    remediation: "Rotate the client secret in Auth0 Dashboard > Applications. Store in a vault.",
+    category: "auth"
+  },
+  // =========================================================================
+  // PagerDuty
+  // =========================================================================
+  {
+    id: "pagerduty-token",
+    name: "PagerDuty API Token",
+    pattern: /(?:^|["'\s:=,`])(PD-[A-Za-z0-9]{20,})(?:["'\s,`;]|$)/gm,
+    confidence: 0.85,
+    severity: "high",
+    description: "PagerDuty API Token / Events API Key.",
+    remediation: "Rotate the token in PagerDuty. Store in environment variables.",
+    category: "devops"
+  },
+  // =========================================================================
+  // Datadog
+  // =========================================================================
+  {
+    id: "datadog-api-key",
+    name: "Datadog API Key",
+    pattern: /(?:^|["'\s:=,`])(dd_[A-Za-z0-9]{32,})(?:["'\s,`;]|$)/gm,
+    confidence: 0.85,
+    severity: "high",
+    description: "Datadog API Key. Grants access to monitoring and alerting APIs.",
+    remediation: "Rotate the API key in Datadog. Store in environment variables or a vault.",
+    category: "monitoring"
+  },
+  // =========================================================================
+  // Generic High-Entropy Strings
+  // =========================================================================
+  {
+    id: "generic-high-entropy-string",
+    name: "Generic High-Entropy String",
+    pattern: /(?:^|["'\s:=,`])([A-Za-z0-9+/=]{40,})(?:["'\s,`;]|$)/gm,
+    confidence: 0.3,
+    severity: "medium",
+    description: "Long base64-like string that may be a secret, token, or encoded credential.",
+    remediation: "Review the value to determine if it is sensitive. Move to a secrets manager if confirmed.",
+    category: "generic"
+  }
+];
+
+// src/scanner/patterns.ts
+var patternRegistry = [...SECRET_PATTERNS];
+function offsetToLine(content, offset) {
+  let line = 1;
+  for (let i = 0; i < offset && i < content.length; i++) {
+    if (content[i] === "\n") {
+      line++;
+    }
+  }
+  return line;
+}
+function offsetToColumn(content, offset) {
+  let lastNewline = -1;
+  for (let i = offset - 1; i >= 0; i--) {
+    if (content[i] === "\n") {
+      lastNewline = i;
+      break;
+    }
+  }
+  return offset - lastNewline;
+}
+function extractVarName(line, matchedValue) {
+  const varMatch = /^(?:export\s+)?([A-Z][A-Z0-9_]*)\s*[=:]\s*/i.exec(line);
+  if (varMatch) {
+    const varName = varMatch[1];
+    const assignEnd = varMatch[0].length;
+    if (line.indexOf(matchedValue, assignEnd) !== -1) {
+      return varName;
+    }
+  }
+  return void 0;
+}
+function getLineAtOffset(content, offset) {
+  const start = content.lastIndexOf("\n", offset - 1) + 1;
+  const end = content.indexOf("\n", offset);
+  return content.slice(start, end === -1 ? void 0 : end);
+}
+function matchSinglePattern(content, pattern, filePath) {
+  const results = [];
+  const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
+  regex.lastIndex = 0;
+  let match;
+  while ((match = regex.exec(content)) !== null) {
+    const fullMatch = match[0] ?? "";
+    const matchStart = match.index;
+    let secretValue = fullMatch;
+    for (let g = match.length - 1; g >= 1; g--) {
+      const groupValue = match[g];
+      if (groupValue !== void 0 && groupValue !== "") {
+        secretValue = groupValue;
+        const groupStart = fullMatch.indexOf(groupValue);
+        if (groupStart !== -1) {
+          break;
+        }
+      }
+    }
+    const line = offsetToLine(content, matchStart);
+    const column = offsetToColumn(content, matchStart);
+    const lineText = getLineAtOffset(content, matchStart);
+    const varName = extractVarName(lineText, secretValue);
+    results.push({
+      type: pattern.name,
+      value: maskValue(secretValue),
+      file: filePath,
+      line,
+      column,
+      pattern,
+      confidence: pattern.confidence,
+      varName
+    });
+    if (fullMatch.length === 0) {
+      regex.lastIndex++;
+    }
+  }
+  return results;
+}
+function matchPatterns(content, filePath) {
+  const allDetections = [];
+  for (const pattern of patternRegistry) {
+    const detections = matchSinglePattern(content, pattern, filePath);
+    allDetections.push(...detections);
+  }
+  return allDetections;
+}
+function addCustomPattern(pattern) {
+  if (!(pattern.pattern instanceof RegExp)) {
+    throw new Error(`Pattern "${pattern.id}" must have a valid RegExp instance.`);
+  }
+  try {
+    pattern.pattern.lastIndex = 0;
+    pattern.pattern.test("");
+    pattern.pattern.lastIndex = 0;
+  } catch (err) {
+    throw new Error(`Pattern "${pattern.id}" has an invalid regex: ${err.message}`);
+  }
+  const existingIndex = patternRegistry.findIndex((p) => p.id === pattern.id);
+  if (existingIndex !== -1) {
+    patternRegistry[existingIndex] = pattern;
+  } else {
+    patternRegistry.push(pattern);
+  }
+}
+function removeCustomPattern(id) {
+  const index = patternRegistry.findIndex((p) => p.id === id);
+  if (index !== -1) {
+    patternRegistry.splice(index, 1);
+    return true;
+  }
+  return false;
+}
+function resetPatterns() {
+  patternRegistry.length = 0;
+  patternRegistry.push(...SECRET_PATTERNS);
+}
+
+// src/utils/entropy.ts
+function shannonEntropy(str) {
+  if (str.length === 0) return 0;
+  const freq = /* @__PURE__ */ new Map();
+  for (const char of str) {
+    freq.set(char, (freq.get(char) ?? 0) + 1);
+  }
+  const len = str.length;
+  let entropy = 0;
+  for (const count of freq.values()) {
+    const probability = count / len;
+    entropy -= probability * Math.log2(probability);
+  }
+  return entropy;
+}
+function isHighEntropy(str, threshold = 3.5) {
+  if (str.length === 0) return false;
+  return shannonEntropy(str) > threshold;
+}
+
+// src/scanner/entropy.ts
+var DEFAULT_ENTROPY_OPTIONS = {
+  threshold: 3.5,
+  minLength: 20,
+  maxLength: 500,
+  includeDefaultPattern: true
+};
+var UUID_PATTERN = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
+var COMMIT_HASH_PATTERN = /^[0-9a-f]{7,40}$/;
+var SEMVER_PATTERN = /^v?[0-9]+\.[0-9]+\.[0-9]+(?:-[a-zA-Z0-9.]+)?(?:\+[a-zA-Z0-9.]+)?$/;
+var COMMON_WORDS = /* @__PURE__ */ new Set([
+  "the",
+  "quick",
+  "brown",
+  "jumps",
+  "over",
+  "lazy",
+  "undefined",
+  "null",
+  "boolean",
+  "string",
+  "number",
+  "object",
+  "function",
+  "prototype",
+  "constructor",
+  "return",
+  "typeof",
+  "instanceof"
+]);
+var PATH_PATTERN = /^(?:\/[a-zA-Z0-9_./-]+|[a-zA-Z]:\\[a-zA-Z0-9_.\\-]+)$/;
+var URL_PATTERN = /^https?:\/\/[a-zA-Z0-9._/-]+(?:\?[a-zA-Z0-9._/&=%-]+)?(?:#[a-zA-Z0-9._-]+)?$/;
+function isFalsePositive(candidate) {
+  if (candidate.length === 0) return true;
+  if (UUID_PATTERN.test(candidate)) return true;
+  if (COMMIT_HASH_PATTERN.test(candidate)) return true;
+  if (SEMVER_PATTERN.test(candidate)) return true;
+  if (COMMON_WORDS.has(candidate.toLowerCase())) return true;
+  if (PATH_PATTERN.test(candidate)) return true;
+  if (URL_PATTERN.test(candidate)) return true;
+  const nonAlphaNumeric = (candidate.match(/[^a-zA-Z0-9]/g) ?? []).length;
+  if (nonAlphaNumeric / candidate.length > 0.8) return true;
+  if (/^\d+$/.test(candidate)) return true;
+  if (/^(.)\1{10,}$/.test(candidate)) return true;
+  return false;
+}
+var ENTROPY_SECRET_PATTERN = {
+  id: "entropy-high-entropy-string",
+  name: "High-Entropy String",
+  pattern: /./,
+  // Placeholder; actual detection is entropy-based
+  confidence: 0.5,
+  severity: "medium",
+  description: "String with high Shannon entropy that may be a secret or token not caught by specific patterns.",
+  remediation: "Review this value to determine if it is sensitive. If confirmed as a secret, move to a vault or environment variable.",
+  category: "entropy"
+};
+function extractCandidates(line) {
+  const candidates = [];
+  const quotePatterns = [
+    { regex: /"([^"]+)"/g, offset: 0 },
+    { regex: /'([^']+)'/g, offset: 0 },
+    { regex: /`([^`]+)`/g, offset: 0 }
+  ];
+  for (const { regex } of quotePatterns) {
+    let match;
+    while ((match = regex.exec(line)) !== null) {
+      const captured = match[1];
+      if (captured !== void 0) {
+        candidates.push({ value: captured, column: match.index + 1 });
+      }
+    }
+  }
+  const assignPattern = /(?:^|[;\s])([A-Z][A-Z0-9_]*)\s*[=:]\s*([^\s;'"`]+)/gi;
+  let assignMatch;
+  while ((assignMatch = assignPattern.exec(line)) !== null) {
+    const value = assignMatch[2];
+    if (value !== void 0 && value.length >= DEFAULT_ENTROPY_OPTIONS.minLength) {
+      const valueStart = line.indexOf(value, assignMatch.index);
+      candidates.push({ value, column: valueStart + 1 });
+    }
+  }
+  const tokenPattern = /([A-Za-z0-9+/=_-]{20,})/g;
+  let tokenMatch;
+  while ((tokenMatch = tokenPattern.exec(line)) !== null) {
+    const captured = tokenMatch[1];
+    if (captured === void 0) continue;
+    const tokenIndex = tokenMatch.index + 1;
+    const existing = candidates.some(
+      (c) => c.value === captured && c.column === tokenIndex
+    );
+    if (!existing) {
+      candidates.push({ value: captured, column: tokenMatch.index + 1 });
+    }
+  }
+  return candidates;
+}
+function scanLineForEntropy(line, lineNumber, filePath, options) {
+  const opts = { ...DEFAULT_ENTROPY_OPTIONS, ...options };
+  const detections = [];
+  if (line.trim().length === 0) return detections;
+  const candidates = extractCandidates(line);
+  for (const candidate of candidates) {
+    const { value, column } = candidate;
+    if (value.length < opts.minLength || value.length > opts.maxLength) continue;
+    if (isFalsePositive(value)) continue;
+    const entropy = shannonEntropy(value);
+    if (entropy >= opts.threshold) {
+      const excessEntropy = entropy - opts.threshold;
+      const confidence = Math.min(0.9, 0.4 + excessEntropy * 0.15);
+      detections.push({
+        type: ENTROPY_SECRET_PATTERN.name,
+        value: maskValue(value),
+        file: filePath,
+        line: lineNumber,
+        column,
+        pattern: ENTROPY_SECRET_PATTERN,
+        confidence
+      });
+    }
+  }
+  return detections;
+}
+function detectHighEntropyStrings(content, filePath, options) {
+  const lines = content.split("\n");
+  const allDetections = [];
+  for (let i = 0; i < lines.length; i++) {
+    const lineNumber = i + 1;
+    const line = lines[i];
+    if (line === void 0) continue;
+    const detections = scanLineForEntropy(line, lineNumber, filePath, options);
+    allDetections.push(...detections);
+  }
+  return allDetections;
+}
+
+// src/scanner/file-scanner.ts
+import { promises as fsp } from "fs";
+import { join, resolve, relative } from "path";
+var DEFAULT_SKIP_PATHS = /* @__PURE__ */ new Set([
+  "node_modules",
+  ".git",
+  "dist",
+  "build",
+  ".next",
+  ".nuxt",
+  "coverage",
+  ".cache",
+  ".turbo",
+  ".vercel",
+  ".netlify",
+  "__pycache__",
+  ".eggs",
+  "*.egg-info",
+  ".tox",
+  ".mypy_cache",
+  ".pytest_cache",
+  "vendor",
+  ".bundle"
+]);
+var BINARY_EXTENSIONS = /* @__PURE__ */ new Set([
+  ".png",
+  ".jpg",
+  ".jpeg",
+  ".gif",
+  ".bmp",
+  ".ico",
+  ".webp",
+  ".svg",
+  ".tiff",
+  ".mp3",
+  ".mp4",
+  ".avi",
+  ".mov",
+  ".wmv",
+  ".flv",
+  ".wav",
+  ".ogg",
+  ".m4a",
+  ".zip",
+  ".tar",
+  ".gz",
+  ".bz2",
+  ".7z",
+  ".rar",
+  ".xz",
+  ".zst",
+  ".pdf",
+  ".doc",
+  ".docx",
+  ".xls",
+  ".xlsx",
+  ".ppt",
+  ".pptx",
+  ".exe",
+  ".dll",
+  ".so",
+  ".dylib",
+  ".bin",
+  ".dat",
+  ".wasm",
+  ".ttf",
+  ".otf",
+  ".woff",
+  ".woff2",
+  ".eot",
+  ".sqlite",
+  ".sqlite3",
+  ".db",
+  ".class",
+  ".jar",
+  ".war",
+  ".ear",
+  ".pyc",
+  ".pyo",
+  ".o",
+  ".obj",
+  ".a",
+  ".lib"
+]);
+var BINARY_CHECK_SIZE = 8192;
+var DEFAULT_MAX_FILE_SIZE = 1024 * 1024;
+function getExtension(filePath) {
+  const lastDot = filePath.lastIndexOf(".");
+  if (lastDot === -1) return "";
+  return filePath.slice(lastDot).toLowerCase();
+}
+function isBinaryExtension(filePath) {
+  return BINARY_EXTENSIONS.has(getExtension(filePath));
+}
+function isInSkippedDirectory(filePath) {
+  const parts = filePath.replace(/\\/g, "/").split("/");
+  return parts.some((part) => DEFAULT_SKIP_PATHS.has(part));
+}
+function matchesExcludePattern(relPath, excludes) {
+  for (const pattern of excludes) {
+    const normalizedPattern = pattern.replace(/\\/g, "/").replace(/\./g, "\\.");
+    if (normalizedPattern.includes("**")) {
+      const regexStr = normalizedPattern.replace(/\*\*/g, "<<DOUBLESTAR>>").replace(/\*/g, "[^/]*").replace(/<<DOUBLESTAR>>/g, ".*");
+      const regex = new RegExp(`^${regexStr}$`);
+      if (regex.test(relPath)) return true;
+    } else if (normalizedPattern.includes("*")) {
+      const regexStr = normalizedPattern.replace(/\*/g, "[^/]*");
+      const regex = new RegExp(`^${regexStr}$`);
+      if (regex.test(relPath)) return true;
+    } else {
+      if (relPath === normalizedPattern || relPath.startsWith(normalizedPattern + "/")) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+function matchesIncludePattern(relPath, includes) {
+  if (includes.length === 0) return true;
+  for (const pattern of includes) {
+    const normalizedPattern = pattern.replace(/\\/g, "/").replace(/\./g, "\\.");
+    if (normalizedPattern.includes("**")) {
+      const regexStr = normalizedPattern.replace(/\*\*/g, "<<DOUBLESTAR>>").replace(/\*/g, "[^/]*").replace(/<<DOUBLESTAR>>/g, ".*");
+      const regex = new RegExp(`^${regexStr}$`);
+      if (regex.test(relPath)) return true;
+    } else if (normalizedPattern.includes("*")) {
+      const regexStr = normalizedPattern.replace(/\*/g, "[^/]*");
+      const regex = new RegExp(`^${regexStr}$`);
+      if (regex.test(relPath)) return true;
+    } else {
+      if (relPath === normalizedPattern || relPath.startsWith(normalizedPattern + "/")) {
+        return true;
+      }
+    }
+  }
+  return false;
+}
+function isBinaryContent(buffer) {
+  for (let i = 0; i < Math.min(buffer.length, BINARY_CHECK_SIZE); i++) {
+    if (buffer[i] === 0) return true;
+  }
+  return false;
+}
+async function collectFiles(basePaths, options) {
+  const files = [];
+  const skipped = [];
+  const visited = /* @__PURE__ */ new Set();
+  async function walk(dir) {
+    const absDir = resolve(options.cwd, dir);
+    const canonicalDir = resolve(absDir);
+    if (visited.has(canonicalDir)) return;
+    visited.add(canonicalDir);
+    let entries;
+    try {
+      entries = await fsp.readdir(absDir, { withFileTypes: true });
+    } catch {
+      return;
+    }
+    for (const entry of entries) {
+      const fullPath = join(absDir, entry.name);
+      const relPath = relative(options.cwd, fullPath).replace(/\\/g, "/");
+      if (matchesExcludePattern(relPath, options.excludes)) {
+        skipped.push(relPath);
+        continue;
+      }
+      if (entry.isDirectory() && DEFAULT_SKIP_PATHS.has(entry.name)) {
+        skipped.push(relPath);
+        continue;
+      }
+      if (entry.isDirectory()) {
+        await walk(relPath);
+      } else if (entry.isFile()) {
+        if (!matchesIncludePattern(relPath, options.includes)) {
+          skipped.push(relPath);
+          continue;
+        }
+        if (isBinaryExtension(relPath)) {
+          skipped.push(relPath);
+          continue;
+        }
+        files.push(relPath);
+      }
+    }
+  }
+  for (const basePath of basePaths) {
+    const absPath = resolve(options.cwd, basePath);
+    try {
+      const stat = await fsp.stat(absPath);
+      if (stat.isFile()) {
+        const relPath = relative(options.cwd, absPath).replace(/\\/g, "/");
+        if (!matchesExcludePattern(relPath, options.excludes) && matchesIncludePattern(relPath, options.includes) && !isBinaryExtension(relPath)) {
+          files.push(relPath);
+        } else {
+          skipped.push(relPath);
+        }
+      } else if (stat.isDirectory()) {
+        await walk(basePath);
+      }
+    } catch {
+      skipped.push(basePath);
+    }
+  }
+  return { files, skipped };
+}
+async function scanFile(filePath, cwd) {
+  const relPath = relative(cwd, filePath).replace(/\\/g, "/");
+  if (isBinaryExtension(relPath)) return [];
+  if (isInSkippedDirectory(relPath)) return [];
+  let content;
+  try {
+    const buffer = await fsp.readFile(filePath);
+    if (isBinaryContent(buffer)) return [];
+    content = buffer.toString("utf-8");
+  } catch {
+    return [];
+  }
+  const patternDetections = matchPatterns(content, relPath);
+  const entropyDetections = detectHighEntropyStrings(content, relPath);
+  return [...patternDetections, ...entropyDetections];
+}
+async function scanFiles(paths, options) {
+  const startTime = performance.now();
+  const resolvedOptions = {
+    include: options?.include ?? ["**"],
+    exclude: options?.exclude ?? [],
+    scanGitHistory: options?.scanGitHistory ?? false,
+    maxFileSize: options?.maxFileSize ?? DEFAULT_MAX_FILE_SIZE,
+    customPatterns: options?.customPatterns ?? [],
+    includeDefaults: options?.includeDefaults ?? true,
+    failFast: options?.failFast ?? false
+  };
+  const cwd = process.cwd();
+  const { files, skipped: preSkipped } = await collectFiles(paths, {
+    excludes: resolvedOptions.exclude,
+    includes: resolvedOptions.include,
+    maxFileSize: resolvedOptions.maxFileSize,
+    cwd
+  });
+  const filesScanned = [];
+  const filesSkipped = [...preSkipped];
+  const allSecrets = [];
+  for (const relPath of files) {
+    const absPath = resolve(cwd, relPath);
+    if (await isGitIgnored(relPath, cwd)) {
+      filesSkipped.push(relPath);
+      continue;
+    }
+    try {
+      const stat = await fsp.stat(absPath);
+      if (stat.size > resolvedOptions.maxFileSize) {
+        filesSkipped.push(relPath);
+        continue;
+      }
+    } catch {
+      filesSkipped.push(relPath);
+      continue;
+    }
+    const secrets = await scanFile(absPath, cwd);
+    filesScanned.push(relPath);
+    allSecrets.push(...secrets);
+    if (resolvedOptions.failFast && allSecrets.length > 0) {
+      break;
+    }
+  }
+  const scanTimeMs = performance.now() - startTime;
+  return {
+    found: allSecrets.length > 0,
+    secrets: allSecrets,
+    filesScanned,
+    filesSkipped,
+    scanTimeMs,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+
+// src/scanner/git-scanner.ts
+import { execFile } from "child_process";
+import { promisify } from "util";
+var execFileAsync = promisify(execFile);
+async function gitExec(args, cwd) {
+  const { stdout } = await execFileAsync("git", [...args], {
+    cwd: cwd ?? process.cwd(),
+    maxBuffer: 50 * 1024 * 1024,
+    // 50MB for history scanning
+    encoding: "utf-8",
+    timeout: 6e4
+  });
+  return stdout;
+}
+function parseCommitBlocks(rawOutput) {
+  const blocks = [];
+  const lines = rawOutput.split("\n");
+  let currentHash = "";
+  let currentContent = [];
+  for (const line of lines) {
+    if (line.startsWith("commit ")) {
+      if (currentHash !== "") {
+        blocks.push({ hash: currentHash, content: currentContent.join("\n") });
+      }
+      currentHash = line.slice(7).trim().split(/\s+/)[0] ?? "";
+      currentContent = [line];
+    } else {
+      currentContent.push(line);
+    }
+  }
+  if (currentHash !== "") {
+    blocks.push({ hash: currentHash, content: currentContent.join("\n") });
+  }
+  return blocks;
+}
+function extractDiffFiles(patchContent) {
+  const files = /* @__PURE__ */ new Set();
+  const diffFilePattern = /^diff --git a\/(.+?) b\/(.+?)$/gm;
+  let match;
+  while ((match = diffFilePattern.exec(patchContent)) !== null) {
+    files.add(match[2] ?? match[1] ?? "");
+  }
+  return files;
+}
+function scanContentBlock(content, filePath, commitHash) {
+  const patternDetections = matchPatterns(content, filePath);
+  const entropyDetections = detectHighEntropyStrings(content, filePath);
+  const detections = [...patternDetections, ...entropyDetections];
+  if (commitHash !== void 0) {
+    return detections.map((d) => ({
+      ...d,
+      file: `${d.file} (commit: ${commitHash.slice(0, 8)})`
+    }));
+  }
+  return detections;
+}
+async function scanStagedFiles(cwd) {
+  const workingDir = cwd ?? process.cwd();
+  if (!await isGitRepository(workingDir)) {
+    return [];
+  }
+  const stagedFilesList = await getStagedFiles(workingDir);
+  if (stagedFilesList.length === 0) {
+    return [];
+  }
+  const allSecrets = [];
+  for (const filePath of stagedFilesList) {
+    if (await isGitIgnored(filePath, workingDir)) continue;
+    try {
+      const stagedContent = await gitExec(["show", `:${filePath}`], workingDir);
+      const secrets = scanContentBlock(stagedContent, filePath);
+      allSecrets.push(...secrets);
+    } catch {
+      continue;
+    }
+  }
+  return allSecrets;
+}
+async function scanDiff(from, to, cwd) {
+  const workingDir = cwd ?? process.cwd();
+  if (!await isGitRepository(workingDir)) {
+    return [];
+  }
+  const args = ["diff", from];
+  if (to !== void 0) {
+    args.push(to);
+  }
+  let diffContent;
+  try {
+    diffContent = await gitExec(args, workingDir);
+  } catch {
+    return [];
+  }
+  if (diffContent.trim() === "") {
+    return [];
+  }
+  const allSecrets = [];
+  const diffFiles = extractDiffFiles(diffContent);
+  for (const filePath of diffFiles) {
+    const fileDiffRegex = new RegExp(
+      `diff --git a/${escapeRegex(filePath)} b/${escapeRegex(filePath)}[\\s\\S]*?(?=diff --git |$)`,
+      "g"
+    );
+    let fileMatch;
+    while ((fileMatch = fileDiffRegex.exec(diffContent)) !== null) {
+      const patchContent = fileMatch[0];
+      const secrets = scanContentBlock(patchContent, filePath, from);
+      allSecrets.push(...secrets);
+    }
+  }
+  return allSecrets;
+}
+async function scanGitHistory(options) {
+  const startTime = performance.now();
+  const workingDir = options?.cwd ?? process.cwd();
+  if (!await isGitRepository(workingDir)) {
+    return {
+      found: false,
+      secrets: [],
+      filesScanned: [],
+      filesSkipped: [],
+      scanTimeMs: performance.now() - startTime,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  const toRef = options?.to ?? "HEAD";
+  const depth = options?.allHistory ? void 0 : options?.depth ?? 100;
+  const fromRef = options?.from ?? (depth !== void 0 ? `HEAD~${depth}` : void 0);
+  const logArgs = ["log", "-p", "--format=commit %H"];
+  if (fromRef !== void 0) {
+    logArgs.push(`${fromRef}..${toRef}`);
+  } else if (depth !== void 0) {
+    logArgs.push(`-${depth}`, toRef);
+  } else {
+    logArgs.push("--all");
+  }
+  let logOutput;
+  try {
+    logOutput = await gitExec(logArgs, workingDir);
+  } catch {
+    return {
+      found: false,
+      secrets: [],
+      filesScanned: [],
+      filesSkipped: [],
+      scanTimeMs: performance.now() - startTime,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  if (logOutput.trim() === "") {
+    return {
+      found: false,
+      secrets: [],
+      filesScanned: [],
+      filesSkipped: [],
+      scanTimeMs: performance.now() - startTime,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  const commitBlocks = parseCommitBlocks(logOutput);
+  const allSecrets = [];
+  const filesScanned = /* @__PURE__ */ new Set();
+  for (const block of commitBlocks) {
+    if (block.content.trim() === "") continue;
+    const commitFiles = extractDiffFiles(block.content);
+    for (const filePath of commitFiles) {
+      filesScanned.add(filePath);
+      const fileDiffRegex = new RegExp(
+        `diff --git a/${escapeRegex(filePath)} b/${escapeRegex(filePath)}[\\s\\S]*?(?=diff --git |$)`,
+        "g"
+      );
+      let fileMatch;
+      while ((fileMatch = fileDiffRegex.exec(block.content)) !== null) {
+        const patchContent = fileMatch[0];
+        const secrets = scanContentBlock(patchContent, filePath, block.hash);
+        allSecrets.push(...secrets);
+      }
+    }
+  }
+  return {
+    found: allSecrets.length > 0,
+    secrets: allSecrets,
+    filesScanned: [...filesScanned],
+    filesSkipped: [],
+    scanTimeMs: performance.now() - startTime,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function escapeRegex(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+
+// src/scanner/reporter.ts
+var SEVERITY_CONFIG = {
+  critical: {
+    icon: "\u274C",
+    // ❌
+    color: "#dc2626",
+    terminalColor: "\x1B[31m",
+    // red
+    label: "CRITICAL",
+    sarifLevel: "error"
+  },
+  high: {
+    icon: "\u26A0\uFE0F",
+    // ⚠️
+    color: "#ea580c",
+    terminalColor: "\x1B[33m",
+    // yellow
+    label: "HIGH",
+    sarifLevel: "error"
+  },
+  medium: {
+    icon: "\u2139\uFE0F",
+    // ℹ️
+    color: "#2563eb",
+    terminalColor: "\x1B[36m",
+    // cyan
+    label: "MEDIUM",
+    sarifLevel: "warning"
+  },
+  low: {
+    icon: "\u2022",
+    // •
+    color: "#6b7280",
+    terminalColor: "\x1B[90m",
+    // gray
+    label: "LOW",
+    sarifLevel: "note"
+  }
+};
+function getSeverity(pattern) {
+  const severity = pattern.severity;
+  if (severity !== void 0 && severity in SEVERITY_CONFIG) {
+    return severity;
+  }
+  if (pattern.confidence >= 0.9) return "critical";
+  if (pattern.confidence >= 0.7) return "high";
+  return "medium";
+}
+var RESET = "\x1B[0m";
+var BOLD = "\x1B[1m";
+var DIM = "\x1B[2m";
+function formatTerminal(result) {
+  const lines = [];
+  const totalCount = result.secrets.length;
+  const criticalCount = result.secrets.filter(
+    (s) => getSeverity(s.pattern) === "critical"
+  ).length;
+  const highCount = result.secrets.filter(
+    (s) => getSeverity(s.pattern) === "high"
+  ).length;
+  const mediumCount = result.secrets.filter(
+    (s) => getSeverity(s.pattern) === "medium"
+  ).length;
+  lines.push("");
+  lines.push(`${BOLD}=== ultraenv Secret Scan Report ===${RESET}`);
+  lines.push("");
+  lines.push(`  Files scanned: ${result.filesScanned.length}`);
+  lines.push(`  Files skipped: ${result.filesSkipped.length}`);
+  lines.push(`  Scan time:      ${result.scanTimeMs.toFixed(0)}ms`);
+  lines.push(`  Timestamp:      ${result.timestamp}`);
+  lines.push("");
+  if (totalCount === 0) {
+    lines.push(`${BOLD}\u2705 No secrets detected.${RESET}`);
+    lines.push("");
+    return lines.join("\n");
+  }
+  const summaryParts = [];
+  if (criticalCount > 0) {
+    summaryParts.push(`${SEVERITY_CONFIG.critical.terminalColor}${BOLD}${criticalCount} critical${RESET}`);
+  }
+  if (highCount > 0) {
+    summaryParts.push(`${SEVERITY_CONFIG.high.terminalColor}${BOLD}${highCount} high${RESET}`);
+  }
+  if (mediumCount > 0) {
+    summaryParts.push(`${SEVERITY_CONFIG.medium.terminalColor}${mediumCount} medium${RESET}`);
+  }
+  lines.push(`${BOLD}Found ${totalCount} secret(s):${RESET} ${summaryParts.join(", ")}`);
+  lines.push("");
+  const colSev = " SEV ";
+  const colFile = " FILE ";
+  const colLine = "LINE";
+  const colType = " TYPE ";
+  const colValue = " VALUE ";
+  lines.push(
+    `  ${DIM}${colSev}  ${colFile.padEnd(35)} ${colLine.padStart(4)}  ${colType.padEnd(28)} ${colValue}${RESET}`
+  );
+  lines.push(`  ${DIM}${"\u2500".repeat(95)}${RESET}`);
+  for (const secret of result.secrets) {
+    const severity = getSeverity(secret.pattern);
+    const config = SEVERITY_CONFIG[severity];
+    const sevStr = `${config.terminalColor}${config.label.padEnd(8)}${RESET}`;
+    const fileStr = secret.file.length > 34 ? "..." + secret.file.slice(-31) : secret.file.padEnd(35);
+    const lineStr = String(secret.line).padStart(4);
+    const typeStr = secret.type.length > 27 ? secret.type.slice(0, 25) + ".." : secret.type.padEnd(28);
+    const valueStr = secret.value.length > 25 ? secret.value.slice(0, 23) + ".." : secret.value;
+    lines.push(`  ${sevStr}  ${DIM}${fileStr}${RESET} ${lineStr}  ${typeStr} ${valueStr}`);
+  }
+  lines.push("");
+  lines.push(`${BOLD}Remediation:${RESET}`);
+  const seenRemediations = /* @__PURE__ */ new Set();
+  let remediationCount = 0;
+  for (const secret of result.secrets) {
+    if (seenRemediations.has(secret.pattern.remediation)) continue;
+    if (remediationCount >= 5) {
+      const remaining = result.secrets.length - remediationCount;
+      lines.push(`  ${DIM}... and ${remaining} more finding(s)${RESET}`);
+      break;
+    }
+    seenRemediations.add(secret.pattern.remediation);
+    lines.push(`  ${DIM}\u2022 ${secret.pattern.remediation}${RESET}`);
+    remediationCount++;
+  }
+  lines.push("");
+  lines.push(`${BOLD}Scan again with: ultraenv scan${RESET}`);
+  lines.push("");
+  return lines.join("\n");
+}
+function formatJson(result) {
+  const output = {
+    found: result.found,
+    summary: {
+      total: result.secrets.length,
+      critical: result.secrets.filter((s) => getSeverity(s.pattern) === "critical").length,
+      high: result.secrets.filter((s) => getSeverity(s.pattern) === "high").length,
+      medium: result.secrets.filter((s) => getSeverity(s.pattern) === "medium").length
+    },
+    filesScanned: result.filesScanned,
+    filesSkipped: result.filesSkipped,
+    scanTimeMs: Math.round(result.scanTimeMs),
+    timestamp: result.timestamp,
+    secrets: result.secrets.map((secret) => ({
+      type: secret.type,
+      value: secret.value,
+      file: secret.file,
+      line: secret.line,
+      column: secret.column,
+      severity: getSeverity(secret.pattern),
+      confidence: Math.round(secret.confidence * 100) / 100,
+      patternId: secret.pattern.id,
+      patternName: secret.pattern.name,
+      category: secret.pattern.category ?? "unknown",
+      description: secret.pattern.description,
+      remediation: secret.pattern.remediation,
+      varName: secret.varName
+    }))
+  };
+  return JSON.stringify(output, null, 2);
+}
+function formatSarif(result) {
+  const ruleMap = /* @__PURE__ */ new Map();
+  for (const secret of result.secrets) {
+    if (!ruleMap.has(secret.pattern.id)) {
+      const severity = getSeverity(secret.pattern);
+      const severityScore = severity === "critical" ? "9.0" : severity === "high" ? "7.0" : "4.0";
+      const category = secret.pattern.category ?? "unknown";
+      ruleMap.set(secret.pattern.id, {
+        id: secret.pattern.id,
+        name: secret.pattern.name,
+        shortDescription: { text: secret.pattern.description },
+        fullDescription: { text: `${secret.pattern.description}
+
+${secret.pattern.remediation}` },
+        helpUri: "https://docs.github.com/en/code-security/secret-scanning",
+        properties: {
+          "security-severity": severityScore,
+          tags: ["security", "secret", category]
+        },
+        defaultConfiguration: {
+          level: SEVERITY_CONFIG[severity].sarifLevel
+        }
+      });
+    }
+  }
+  const sarifResults = result.secrets.map((secret) => ({
+    ruleId: secret.pattern.id,
+    level: SEVERITY_CONFIG[getSeverity(secret.pattern)].sarifLevel,
+    message: {
+      text: `Potential ${secret.type} detected (confidence: ${Math.round(secret.confidence * 100)}%). ${secret.pattern.description}`
+    },
+    locations: [
+      {
+        physicalLocation: {
+          artifactLocation: {
+            uri: secret.file
+          },
+          region: {
+            startLine: secret.line,
+            startColumn: secret.column
+          }
+        }
+      }
+    ],
+    properties: {
+      confidence: Math.round(secret.confidence * 100) / 100,
+      category: secret.pattern.category ?? "unknown"
+    }
+  }));
+  const sarifDocument = {
+    $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+    version: "2.1.0",
+    runs: [
+      {
+        tool: {
+          driver: {
+            name: "ultraenv",
+            version: "1.0.0",
+            informationUri: "https://github.com/Avinashvelu03/ultraenv",
+            rules: [...ruleMap.values()]
+          }
+        },
+        results: sarifResults
+      }
+    ]
+  };
+  return JSON.stringify(sarifDocument, null, 2);
+}
+function formatScanResult(result, format) {
+  switch (format) {
+    case "terminal":
+      return formatTerminal(result);
+    case "json":
+      return formatJson(result);
+    case "sarif":
+      return formatSarif(result);
+    default: {
+      const _exhaustive = format;
+      throw new Error(`Unknown format: ${String(_exhaustive)}`);
+    }
+  }
+}
+
+// src/scanner/index.ts
+var CONFIG_FILENAME = ".ultraenvrc.json";
+async function loadConfig(cwd) {
+  const { join: join2 } = await import("path");
+  const { existsSync, readFileSync } = await import("fs");
+  const configPath = join2(cwd, CONFIG_FILENAME);
+  if (!existsSync(configPath)) return {};
+  try {
+    const raw = readFileSync(configPath, "utf-8");
+    const parsed = JSON.parse(raw);
+    return parsed.scan ?? {};
+  } catch {
+    return {};
+  }
+}
+function dedupeKey(secret) {
+  return `${secret.type}|${secret.file}|${secret.line}|${secret.column}`;
+}
+function deduplicateSecrets(secrets) {
+  const map = /* @__PURE__ */ new Map();
+  for (const secret of secrets) {
+    const key = dedupeKey(secret);
+    const existing = map.get(key);
+    if (existing === void 0 || secret.confidence > existing.confidence) {
+      map.set(key, secret);
+    }
+  }
+  return [...map.values()];
+}
+var SEVERITY_ORDER = {
+  critical: 0,
+  high: 1,
+  medium: 2,
+  low: 3
+};
+function getSeverityFromPattern(pattern) {
+  const patternWithSeverity = pattern;
+  if (patternWithSeverity.severity !== void 0 && patternWithSeverity.severity in SEVERITY_ORDER) {
+    return patternWithSeverity.severity;
+  }
+  if (pattern.confidence >= 0.9) return "critical";
+  if (pattern.confidence >= 0.7) return "high";
+  return "medium";
+}
+function sortBySeverity(secrets) {
+  return [...secrets].sort((a, b) => {
+    const sevA = SEVERITY_ORDER[getSeverityFromPattern(a.pattern)];
+    const sevB = SEVERITY_ORDER[getSeverityFromPattern(b.pattern)];
+    if (sevA !== sevB) return sevA - sevB;
+    return b.confidence - a.confidence;
+  });
+}
+async function scan(options) {
+  const startTime = performance.now();
+  const cwd = options?.cwd ?? process.cwd();
+  const paths = options?.paths ?? ["."];
+  const fileConfig = await loadConfig(cwd);
+  const mergedOptions = {
+    include: options?.include ?? fileConfig.include ?? ["**"],
+    exclude: options?.exclude ?? fileConfig.exclude ?? [],
+    scanGitHistory: options?.scanGitHistory ?? fileConfig.scanGitHistory ?? false,
+    maxFileSize: options?.maxFileSize ?? fileConfig.maxFileSize ?? 1024 * 1024,
+    customPatterns: options?.customPatterns ?? [],
+    includeDefaults: options?.includeDefaults ?? true,
+    failFast: options?.failFast ?? false
+  };
+  for (const customPattern of mergedOptions.customPatterns) {
+    addCustomPattern(customPattern);
+  }
+  const allSecrets = [];
+  const allFilesScanned = [];
+  const allFilesSkipped = [];
+  const fileResult = await scanFiles(paths, mergedOptions);
+  allSecrets.push(...fileResult.secrets);
+  allFilesScanned.push(...fileResult.filesScanned);
+  allFilesSkipped.push(...fileResult.filesSkipped);
+  if (mergedOptions.scanGitHistory) {
+    const { isGitRepository: isGitRepository2 } = await import("./git-BZS4DPAI.js");
+    if (await isGitRepository2(cwd)) {
+      const gitResult = await scanGitHistory({
+        depth: options?.gitDepth,
+        allHistory: options?.gitAllHistory,
+        cwd
+      });
+      allSecrets.push(...gitResult.secrets);
+      allFilesScanned.push(...gitResult.filesScanned);
+    }
+  }
+  if (options?.scanStaged) {
+    const { isGitRepository: isGitRepository2 } = await import("./git-BZS4DPAI.js");
+    if (await isGitRepository2(cwd)) {
+      const stagedSecrets = await scanStagedFiles(cwd);
+      allSecrets.push(...stagedSecrets);
+    }
+  }
+  if (options?.diffFrom !== void 0) {
+    const diffSecrets = await scanDiff(options.diffFrom, options?.diffTo, cwd);
+    allSecrets.push(...diffSecrets);
+  }
+  const dedupedSecrets = deduplicateSecrets(allSecrets);
+  const sortedSecrets = sortBySeverity(dedupedSecrets);
+  const scanTimeMs = performance.now() - startTime;
+  return {
+    found: sortedSecrets.length > 0,
+    secrets: sortedSecrets,
+    filesScanned: [...new Set(allFilesScanned)],
+    filesSkipped: [...new Set(allFilesSkipped)],
+    scanTimeMs,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+
+export {
+  matchPatterns,
+  addCustomPattern,
+  removeCustomPattern,
+  resetPatterns,
+  shannonEntropy,
+  isHighEntropy,
+  scanLineForEntropy,
+  detectHighEntropyStrings,
+  scanFiles,
+  scanStagedFiles,
+  scanDiff,
+  scanGitHistory,
+  formatScanResult,
+  scan
+};