agentsentinel-cli 0.5.2__tar.gz → 0.5.4__tar.gz

{agentsentinel_cli-0.5.2 → agentsentinel_cli-0.5.4}/DOCUMENTATION.md

@@ -15,6 +15,7 @@ No server required. No Docker. Works on any Python agent file or live HTTP endpo
 - [Commands](#commands)
   - [sentinel inspect](#sentinel-inspect)
   - [sentinel scan](#sentinel-scan)
+  - [sentinel secrets](#sentinel-secrets)
   - [sentinel discover](#sentinel-discover)
   - [sentinel mcp scan](#sentinel-mcp-scan)
   - [sentinel probe](#sentinel-probe)
@@ -68,7 +69,7 @@ sentinel --version
 
 ## Quick Start
 
-Five commands that cover the full picture in under 5 minutes:
+Six commands that cover the full picture in under 10 minutes:
 
 ```bash
 # 1. What is this agent? (fingerprint + plain English summary)
@@ -77,13 +78,16 @@ sentinel inspect my_agent.py
 # 2. Does it have dangerous permissions? (posture audit)
 sentinel scan my_agent.py
 
-# 3. Is the MCP server it connects to secure?
+# 3. Has it leaked credentials or customer PII into memory files?
+sentinel secrets .
+
+# 4. Is the MCP server it connects to secure?
 sentinel mcp scan http://localhost:3000
 
-# 4. Can it be jailbroken? (42-payload attack battery)
+# 5. Can it be jailbroken? (42-payload attack battery)
 sentinel probe http://my-agent.com/chat
 
-# 5. Deep red-team with Claude as the attacker (needs ANTHROPIC_API_KEY)
+# 6. Deep red-team with Claude as the attacker (needs ANTHROPIC_API_KEY)
 sentinel ai-probe http://my-agent.com/chat
 ```
 
@@ -281,6 +285,323 @@ sentinel scan my_agent.py --connect http://localhost:9000 --api-key $AGENTSENTIN
 
 ---
 
+### sentinel secrets
+
+**What problem it solves:** AI agents process sensitive data — customer records, credentials,
+system prompts — and many frameworks persist this to local memory files (`.md`, `.json`,
+conversation logs). Developers commit these files to git without realising they contain
+customer NRICs, email addresses, or API keys captured from tool call results.
+`sentinel secrets` finds what leaked where — before an attacker does.
+
+Zero extra dependencies. Fully offline. No API calls.
+
+```
+sentinel secrets [TARGET] [OPTIONS]
+```
+
+TARGET defaults to `.` (current directory, scanned recursively).
+
+#### Running it for the first time
+
+Start with the broadest scan — current directory, default severity (MEDIUM and above):
+
+```bash
+cd your-agent-project/
+sentinel secrets .
+```
+
+If you get no output, your project is clean at MEDIUM+. Run with `--severity LOW` to see
+everything including low-confidence findings.
+
+If you get findings, work through them top to bottom — CRITICAL first. Credentials must be
+rotated immediately. PII in memory files needs to be purged and the source (which tool call
+produced it) investigated.
+
+**Recommended scan order for a new project:**
+
+```bash
+# 1. Full scan, see the big picture
+sentinel secrets .
+
+# 2. Narrow to memory files — this is where PII most often hides
+sentinel secrets . --scope memory --severity LOW
+
+# 3. Check configs separately (credential focus)
+sentinel secrets . --scope config
+
+# 4. Scan Claude Code's own memory for this project
+sentinel secrets ~/.claude/projects/ --severity LOW
+```
+
+#### Options
+
+| Flag | Default | Description |
+|------|---------|-------------|
+| `--scope [all\|memory\|config]` | `all` | Restrict scan to memory files, config/env files, or both |
+| `--severity [CRITICAL\|HIGH\|MEDIUM\|LOW]` | `MEDIUM` | Minimum severity level to display |
+| `--format [text\|json]` | `text` | Output format |
+| `--fail-on [CRITICAL\|HIGH\|MEDIUM\|LOW]` | — | Exit code 1 if findings reach this severity |
+| `--no-redact` | off | Show full matched values instead of masking them |
+
+#### Choosing the right scope
+
+| Scope | What it scans | When to use |
+|-------|--------------|-------------|
+| `all` (default) | Memory files + config files + source files | First run, CI/CD gate, general audit |
+| `memory` | Agent memory files only (`.md`, `.json` in memory dirs, conversation logs) | Daily monitoring, post-session audit, fastest scan |
+| `config` | `.env`, `*.yaml`, `*.toml`, `docker-compose.yml`, etc. | Pre-commit hook on config changes, credential audit |
+
+Source files (`.py`, `.js`) are always scanned for credentials regardless of scope — a
+hardcoded `sk-ant-...` in Python source is CRITICAL no matter what scope is selected.
+
+#### Detection layers
+
+**Layer 1 — Credentials** (all file types)
+
+| Rule ID | Severity | Pattern |
+|---------|----------|---------|
+| `ANTHROPIC_KEY` | CRITICAL | `sk-ant-api03-...` |
+| `OPENAI_KEY` | CRITICAL | `sk-...` / `sk-proj-...` |
+| `AWS_ACCESS_KEY` | CRITICAL | `AKIA[16 chars]` |
+| `GITHUB_TOKEN` | CRITICAL | `ghp_...` / `github_pat_...` |
+| `STRIPE_SECRET` | CRITICAL | `sk_live_...` |
+| `PRIVATE_KEY_BLOCK` | CRITICAL | `-----BEGIN ... PRIVATE KEY-----` |
+| `SLACK_TOKEN` | HIGH | `xoxb-...` / `xoxp-...` |
+| `GOOGLE_API_KEY` | HIGH | `AIza[35 chars]` |
+| `HUGGINGFACE_TOKEN` | HIGH | `hf_[34 chars]` |
+| `DATABASE_URL` | HIGH | `postgresql://user:pass@host` |
+| `JWT_TOKEN` | MEDIUM | `eyJ...eyJ...` (memory + config only) |
+| `GENERIC_API_KEY` | MEDIUM | `api_key = "..."` (config files only) |
+| `GENERIC_PASSWORD` | MEDIUM | `password = "..."` (config files only) |
+
+> **Note:** Any credential found inside an agent memory file is automatically upgraded to
+> CRITICAL severity. Memory files are routinely committed to git with no secrets management.
+
+**Layer 2 — PII (global)** (memory + config files)
+
+| Rule ID | Severity | Description |
+|---------|----------|-------------|
+| `EMAIL_ADDRESS` | MEDIUM | Email addresses (`user@domain.tld`) |
+| `CREDIT_CARD` | HIGH | Visa / MC / Amex / Discover — Luhn-validated |
+| `US_SSN` | HIGH | US Social Security Number (`DDD-DD-DDDD`) — structurally validated |
+| `US_PHONE` | LOW | US phone numbers (memory files only) |
+
+**Layer 2 — PII (Singapore / PDPA)** (memory + config files unless noted)
+
+| Rule ID | Severity | Description |
+|---------|----------|-------------|
+| `SG_NRIC` | HIGH | NRIC/FIN — weighted mod-11 checksum validated (S/T/F/G/M prefix). Scans all file types. |
+| `SG_PASSPORT` | HIGH | Singapore passport (E/K series). Scans all file types. |
+| `SG_PHONE_MOBILE` | MEDIUM | Mobile number (`+65 8xxx xxxx` / `+65 9xxx xxxx`) |
+| `SG_PHONE_LANDLINE` | LOW | Landline — requires explicit `+65` prefix to reduce false positives |
+| `SG_UEN` | LOW | Unique Entity Number (business registration) |
+| `SG_ADDRESS_POSTAL` | LOW | `Singapore XXXXXX` postal address |
+
+**Layer 3 — Memory contamination** (memory files only)
+
+These compound rules look at file content holistically, not line by line.
+
+| Rule ID | Severity | Trigger condition |
+|---------|----------|-------------------|
+| `CONVERSATION_PII` | HIGH | Email + NRIC (SGP) **or** Email + SSN (USA) within 5 lines of each other. Strong indicator that a raw CRM or database tool call result leaked into memory. |
+| `SYSTEM_PROMPT_IN_MEMORY` | MEDIUM | "You are a..." / "Your instructions are..." patterns in the first 30 lines of a memory file. System prompts in memory reveal agent instructions if the file is committed to git. |
+
+#### Memory path registry
+
+`sentinel secrets` knows where agent frameworks store memory and automatically classifies these
+as high-sensitivity memory files:
+
+| Framework | Paths scanned |
+|-----------|--------------|
+| Claude Code | `~/.claude/projects/*/memory/` |
+| LangChain | `.langchain/`, `memory/*.json`, `langchain_cache/` |
+| AutoGen | `.autogen/`, `autogen_cache/` |
+| CrewAI | `crew_workspace/`, `.crewai/` |
+| Mem0 | `.mem0/`, `mem0_storage/` |
+| OpenAI Agents | `.openai_agents/`, `agent_workspace/` |
+| Generic | `memory/`, `*_memory.md`, `conversation_history*.json`, `agent_logs/` |
+
+Any file inside one of these directories is treated as a memory file and scanned with all
+three detection layers. Config files (`.env`, `*.yaml`, `*.toml`, etc.) receive credential
+and PII scanning. Source files receive credential scanning only (to avoid false positives
+from example data in docstrings and comments).
+
+#### .gitignore check
+
+`sentinel secrets` warns if agent memory directories are not covered by `.gitignore`, since
+memory files often contain the most sensitive data in an AI project.
+
+#### Examples
+
+```bash
+# Scan everything in the current directory
+sentinel secrets .
+
+# Scan your Claude Code agent memory for leaked PII
+sentinel secrets ~/.claude/projects/
+
+# Memory files only (fastest, most sensitive findings)
+sentinel secrets . --scope memory
+
+# Config and env files only (credential scan)
+sentinel secrets . --scope config
+
+# Only show HIGH and CRITICAL (for daily monitoring)
+sentinel secrets . --severity HIGH
+
+# CI gate — break the build if HIGH+ findings exist
+sentinel secrets . --fail-on HIGH
+
+# Machine-readable output for SIEM or dashboards
+sentinel secrets . --format json
+
+# Show full matched values (for investigation — use carefully)
+sentinel secrets . --no-redact
+
+# Scan a specific agent workspace
+sentinel secrets /path/to/my-agent/ --severity LOW
+
+# JSON output, extract only Singapore PII findings
+sentinel secrets . --format json | jq '.findings[] | select(.jurisdiction == "SGP")'
+
+# Extract all CRITICAL findings with file locations
+sentinel secrets . --format json | jq '.findings[] | select(.severity == "CRITICAL") | {rule_id, file, line}'
+```
+
+#### Example output
+
+```
+╭──────────────────────────────────────────────────╮
+│  AgentSentinel Secrets                           │
+│  Target: /my-agent/                              │
+╰──────────────────────────────────────────────────╯
+
+──────────────── CREDENTIALS ─────────────────────
+
+  ● CRITICAL  ANTHROPIC_KEY ✓validated  memory/session_42.md:14
+              sk-ant[REDACTED]
+              → Rotate at console.anthropic.com/settings/api-keys
+
+  ● HIGH      DATABASE_URL ✓validated  .env:3
+              postgr[REDACTED]
+              → Move database credentials to environment variables
+
+──────────────────── PII ─────────────────────────
+
+  ● HIGH      SG_NRIC (SGP — PDPA) ✓validated  memory/session_42.md:23
+              S12345[REDACTED]
+              NRIC: S123[REDACTED]
+              → NRIC/FIN is protected under Singapore PDPA. Purge from memory.
+
+  ● MEDIUM    EMAIL_ADDRESS  memory/session_42.md:24
+              john.t[REDACTED]
+              → Remove personal email from agent memory files.
+
+──────────────── MEMORY CONTAMINATION ────────────
+
+  ● HIGH      CONVERSATION_PII (SGP — PDPA) ✓validated  memory/session_42.md:23
+              [email + NRIC cluster]
+              Email line 24, NRIC line 23
+              → Singapore customer PII cluster — likely leaked from CRM tool call.
+
+  ● MEDIUM    SYSTEM_PROMPT_IN_MEMORY ✓validated  memory/session_42.md:1
+              You are a helpful customer service assistant for...
+              → System prompt content in memory file. Will be committed to git.
+
+──────────────── WARNINGS ────────────────────────
+
+  ⚠  memory/ is not covered by .gitignore — memory files may be committed to git
+
+──────────────────────────────────────────────────
+  12 files scanned (4 memory · 3 config)  ·  CRITICAL:1  HIGH:3  MEDIUM:2  LOW:0  ·  0.1s
+```
+
+#### Understanding the output
+
+Each finding block has four lines:
+
+```
+  ● CRITICAL  SG_NRIC (SGP — PDPA) ✓validated  memory/session_42.md:23
+              S12345[REDACTED]
+              NRIC: S123[REDACTED]
+              → NRIC/FIN is protected under Singapore PDPA. Purge from memory.
+```
+
+| Part | Meaning |
+|------|---------|
+| `●` + colour | Severity: red = CRITICAL, orange = HIGH, yellow = MEDIUM, dim = LOW |
+| `SG_NRIC` | Rule ID — matches the rule tables above |
+| `(SGP — PDPA)` | Jurisdiction tag — tells you which privacy law applies. `(SGP — PDPA)` = Singapore Personal Data Protection Act; no tag = globally applicable |
+| `✓validated` | The match passed a checksum or structural validator (NRIC mod-11, Luhn for credit cards, area-code check for SSNs). A validated finding is a confirmed true positive — not just a regex match. Absence of `✓validated` means the rule relies on pattern alone and has a higher false positive rate. |
+| `memory/session_42.md:23` | File path and line number — click to open directly in most editors |
+| `S12345[REDACTED]` | First 6 characters of the match + `[REDACTED]`. Enough to identify the type, not enough to reconstruct the secret. Use `--no-redact` to see the full value during investigation. |
+| `NRIC: S123[REDACTED]` | The surrounding line of text, with the sensitive part masked — gives context for where the data came from |
+| `→ ...` | Recommended remediation action |
+
+The **WARNINGS** section at the bottom is separate from findings — it reports structural
+problems like memory directories not covered by `.gitignore`.
+
+The **summary bar** shows total files scanned broken down by type, finding counts by severity,
+and scan duration.
+
+#### What to do when you find something
+
+**CRITICAL — credentials**
+
+Act immediately. A leaked API key is live until you rotate it.
+
+1. Rotate the credential first — do not wait. Links are in the `→` line of each finding.
+2. Check if the key appeared in git history: `git log --all -p | grep sk-ant-` — if yes, the history is compromised even if the file is deleted.
+3. Audit usage logs (Anthropic Console, AWS CloudTrail, GitHub audit log) for activity you did not authorise.
+4. Add the file or directory to `.gitignore` and remove the secret from the file.
+5. Consider using a secrets manager (AWS Secrets Manager, HashiCorp Vault, Doppler) to prevent recurrence.
+
+**HIGH — PII (NRIC, credit card, SSN)**
+
+1. Identify which tool call produced this data — look at the surrounding lines in the file for context (tool name, timestamp, query).
+2. Delete or purge the memory file contents: `echo "" > memory/session_42.md` or delete the file if the session is complete.
+3. If the file was ever committed to git, the PII is in history. Consider a history rewrite with `git filter-repo` or treat the repo as compromised for that data type.
+4. Review your agent's tool definitions — if a CRM or database tool is returning full customer records (including NRIC/SSN), add field filtering to return only what the agent needs.
+5. For Singapore NRIC under PDPA: if the data was accessed without consent or leaked outside the system, a data breach notification may be required.
+
+**MEDIUM — email addresses, system prompt leakage**
+
+1. Email addresses in memory files are lower urgency but indicate your agent is retaining more data than it needs. Check if memory retention is configured and reduce the session window.
+2. `SYSTEM_PROMPT_IN_MEMORY` is usually intentional (the agent wrote its own instructions to memory) but is a problem if the file gets committed — add `memory/` to `.gitignore`.
+
+**Memory contamination (`CONVERSATION_PII`)**
+
+This finding fires when an email address and an NRIC (or SSN) appear within 5 lines of
+each other in a memory file — a strong signal that a raw database or CRM record was written
+to memory by a tool call. The record contains at minimum two linked PII fields, which is
+more serious than either in isolation.
+
+Steps:
+1. Open the file at the reported line. Read the surrounding context to identify the tool that produced the data.
+2. Determine whether the tool call was authorised and whether the data was needed.
+3. Purge the memory file.
+4. If the tool legitimately needs customer records, modify it to return only the fields required (not full rows).
+
+#### False positives
+
+`✓validated` findings are rarely false positives — the validators are conservative by design.
+Findings without `✓validated` have a higher false positive rate.
+
+Common false positives and how to handle them:
+
+| Finding | Common false positive cause | How to confirm |
+|---------|----------------------------|----------------|
+| `SG_PHONE_MOBILE` | Version numbers, port numbers like `8080 9000` | Use `--no-redact` and read the full match. A Singapore mobile is always 8 digits starting with 8 or 9. |
+| `EMAIL_ADDRESS` | Example emails in documentation (`user@example.com`) | Read the context line — documentation examples are usually surrounded by descriptive text |
+| `GENERIC_API_KEY` | Example keys in comments or README snippets | Check if the value looks like a real key (random alphanumeric, 20+ chars) vs a placeholder (`your-api-key-here`) |
+| `SG_UEN` | 9-digit numbers that happen to end in a letter | UENs are common in business documents — confirm the surrounding context |
+
+If a finding is a confirmed false positive, it does not affect the finding count for `--fail-on`
+evaluation — you still need to address it or suppress it by restructuring the content.
+Suppression via ignore-lists is not yet implemented (planned for v0.6).
+
+---
+
 ### sentinel discover
 
 **What problem it solves:** Most organisations don't have a complete inventory of their AI
@@ -674,15 +995,18 @@ sentinel inspect ./my_agent.py
 # Step 2 — static posture check
 sentinel scan ./my_agent.py --fail-on HIGH
 
-# Step 3 — start the agent locally, probe it
+# Step 3 — check for leaked secrets or PII in the workspace
+sentinel secrets . --fail-on HIGH
+
+# Step 4 — start the agent locally, probe it
 sentinel probe http://localhost:8000/chat --attacks injection,jailbreak,extraction
 
-# Step 4 — deep AI red-team
+# Step 5 — deep AI red-team
 sentinel ai-probe http://localhost:8000/chat \
   --context "Customer-facing chatbot for e-commerce, handles order history and returns" \
   --max-probes 30
 
-# Step 5 — if it has an MCP server, audit that too
+# Step 6 — if it has an MCP server, audit that too
 sentinel mcp scan http://localhost:3000 --fail-on CRITICAL
 ```
 
@@ -736,6 +1060,9 @@ Run daily or on every deployment.
 
 set -e
 
+echo "=== Secrets and PII Scan ==="
+sentinel secrets . --fail-on HIGH --format json >> reports/secrets-$(date +%Y%m%d).json
+
 echo "=== Agent Posture Scan ==="
 sentinel scan ./agents/ --fail-on CRITICAL --format json >> reports/scan-$(date +%Y%m%d).json
 
@@ -752,6 +1079,33 @@ echo "Done."
 
 ---
 
+### Workflow 6: Singapore PDPA compliance check
+
+Your agent processes customer data under Singapore's Personal Data Protection Act.
+
+```bash
+# Scan for any Singapore PII that leaked into agent memory or configs
+sentinel secrets . --format json \
+  | jq '.findings[] | select(.jurisdiction == "SGP")' \
+  > pdpa-findings.json
+
+# Count NRIC exposures specifically
+sentinel secrets . --format json \
+  | jq '[.findings[] | select(.rule_id == "SG_NRIC")] | length'
+
+# Full audit — memory files only, all severity levels
+sentinel secrets . --scope memory --severity LOW
+
+# Fail CI if any Singapore PII found in memory files
+sentinel secrets . --scope memory --fail-on MEDIUM
+```
+
+NRICs are validated using the official Singapore weighted mod-11 checksum algorithm before
+being reported — false positive rate is negligible. Any `SG_NRIC` finding with
+`"validated": true` in JSON output is a structurally valid identity number.
+
+---
+
 ## CI/CD Integration
 
 ### GitHub Actions
@@ -774,6 +1128,9 @@ jobs:
       - name: Inspect agents
         run: sentinel inspect ./agents/ --no-ai --format json
 
+      - name: Secrets and PII scan — fail on HIGH
+        run: sentinel secrets . --fail-on HIGH
+
       - name: Posture scan — fail on CRITICAL
         run: sentinel scan ./agents/ --fail-on CRITICAL
 
@@ -797,6 +1154,7 @@ agent-security:
   before_script:
     - pip install "agentsentinel-cli[all]"
   script:
+    - sentinel secrets . --fail-on HIGH
     - sentinel scan ./agents/ --fail-on CRITICAL
     - sentinel mcp scan http://mcp-server:3000 --fail-on HIGH
   artifacts:
@@ -809,6 +1167,7 @@ agent-security:
 ```bash
 #!/bin/bash
 # .git/hooks/pre-commit
+sentinel secrets . --fail-on HIGH   # catch leaked keys/PII before they hit git history
 sentinel scan . --fail-on CRITICAL
 ```
 
@@ -821,9 +1180,9 @@ sentinel scan . --fail-on CRITICAL
 | OWASP LLM | Risk | sentinel command |
 |-----------|------|-----------------|
 | LLM01 Prompt Injection | Attackers manipulate agent via crafted inputs | `sentinel probe`, `sentinel ai-probe` |
-| LLM02 Sensitive Info Disclosure | Agent leaks system prompts, data | `sentinel probe --attacks extraction`, `sentinel ai-probe` |
+| LLM02 Sensitive Info Disclosure | Agent leaks credentials, PII, or customer data | `sentinel secrets`, `sentinel probe --attacks extraction` |
 | LLM06 Excessive Agency | Agent has more permissions than needed | `sentinel scan`, `sentinel discover` |
-| LLM07 System Prompt Leakage | System prompt extracted by attacker | `sentinel probe --attacks extraction` |
+| LLM07 System Prompt Leakage | System prompt extracted or persisted to memory | `sentinel secrets` (memory contamination), `sentinel probe --attacks extraction` |
 | LLM08 Vector/Embedding Weaknesses | MCP servers expose vector DB tools unsafely | `sentinel mcp scan` |
 
 ---
@@ -912,6 +1271,7 @@ sentinel mcp scan http://mcp-server.internal:3000 --format json \
 sentinel --help
 sentinel inspect --help
 sentinel scan --help
+sentinel secrets --help
 sentinel discover --help
 sentinel mcp scan --help
 sentinel probe --help

{agentsentinel_cli-0.5.2 → agentsentinel_cli-0.5.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: agentsentinel-cli
-Version: 0.5.2
+Version: 0.5.4
 Summary: Security scanner, red-team tool, and agent intelligence CLI — inspect, probe, MCP audit, and discovery for AI agents
 Project-URL: Homepage, https://github.com/jaydenaung/agentsentinel
 Project-URL: Repository, https://github.com/jaydenaung/agentsentinel
@@ -44,6 +44,7 @@ Security scanner, red-team tool, and MCP auditor for AI agents. No server, no Do
 pipx install "agentsentinel-cli[all]"
 sentinel inspect my_agent.py                  # what is this agent? plain English
 sentinel scan my_agent.py                     # posture audit
+sentinel secrets .                            # scan for leaked keys, PII, Singapore NRIC
 sentinel probe http://localhost:3000          # 42-payload attack battery
 sentinel ai-probe http://localhost:3000       # Claude-driven autonomous red-team
 sentinel mcp scan http://localhost:3001       # MCP server security audit
@@ -77,6 +78,7 @@ pip install "agentsentinel-cli[all]"           # everything
 | **Posture** — what can it do? | `sentinel scan` | Static AST analysis, 12 rules, CI gate |
 | **Posture** — what's running? | `sentinel discover` | Find unknown agents in processes, containers, subnets |
 | **Posture** — MCP exposure? | `sentinel mcp scan` | Enumerate and audit any MCP server |
+| **Secrets & PII** | `sentinel secrets` | Credentials, global PII, Singapore NRIC/FIN, memory contamination |
 | **Vulnerability** — static | `sentinel probe` | 42-payload attack battery, no API key required |
 | **Vulnerability** — AI-driven | `sentinel ai-probe` | Claude Opus as autonomous red-team agent |
 
@@ -275,6 +277,103 @@ that trigger every finding.
 
 ---
 
+### `sentinel secrets` — scan for exposed secrets, API keys, and PII
+
+AI agents process sensitive data — customer records, credentials, system prompts — and
+many frameworks persist this to local memory files (`.md`, `.json`, conversation logs).
+`sentinel secrets` finds what leaked where, before an attacker does.
+
+Three detection layers:
+- **Credentials** — 13 patterns: Anthropic, OpenAI, AWS, GitHub, Stripe, Google, HuggingFace, Slack, database URLs, JWT tokens, private key blocks
+- **PII (global)** — email addresses, credit cards (Luhn-validated), US SSNs
+- **PII (Singapore)** — NRIC/FIN with weighted mod-11 checksum validation, passport, mobile (+65 8xxx/9xxx), landline, UEN, postal codes
+- **Memory contamination** — PII clusters from tool call results, system prompt leakage in memory files
+
+```bash
+# Scan current directory (all file types)
+sentinel secrets .
+
+# Scan Claude Code agent memory
+sentinel secrets ~/.claude/projects/
+
+# Memory files only (conversation logs, agent memory dirs)
+sentinel secrets . --scope memory
+
+# Config and env files only
+sentinel secrets . --scope config
+
+# Show only HIGH and CRITICAL
+sentinel secrets . --severity HIGH
+
+# Machine-readable output for SIEM
+sentinel secrets . --format json
+
+# CI gate — fail build if HIGH+ findings exist
+sentinel secrets . --fail-on HIGH
+
+# Show full matched values (no masking)
+sentinel secrets . --no-redact
+```
+
+**Flags:**
+
+| Flag | Default | Description |
+|------|---------|-------------|
+| `--scope all\|memory\|config` | `all` | Restrict scan to memory files, config files, or both |
+| `--severity` | `MEDIUM` | Minimum severity to display |
+| `--format text\|json` | `text` | Output format |
+| `--fail-on` | — | Exit code 1 if findings at this severity or above |
+| `--no-redact` | off | Show full matched values instead of masking them |
+
+**Credential patterns detected:**
+
+| Rule ID | Severity | Pattern |
+|---------|----------|---------|
+| `ANTHROPIC_KEY` | CRITICAL | `sk-ant-...` |
+| `OPENAI_KEY` | CRITICAL | `sk-...` / `sk-proj-...` |
+| `AWS_ACCESS_KEY` | CRITICAL | `AKIA...` |
+| `GITHUB_TOKEN` | CRITICAL | `ghp_...` / `github_pat_...` |
+| `STRIPE_SECRET` | CRITICAL | `sk_live_...` |
+| `PRIVATE_KEY_BLOCK` | CRITICAL | `-----BEGIN ... PRIVATE KEY-----` |
+| `SLACK_TOKEN` | HIGH | `xoxb-...` / `xoxp-...` |
+| `GOOGLE_API_KEY` | HIGH | `AIza...` |
+| `HUGGINGFACE_TOKEN` | HIGH | `hf_...` |
+| `DATABASE_URL` | HIGH | `postgresql://user:pass@host` |
+| `JWT_TOKEN` | MEDIUM | `eyJ...eyJ...` (memory + config files only) |
+| `GENERIC_API_KEY` | MEDIUM | `api_key = "..."` (config files only) |
+| `GENERIC_PASSWORD` | MEDIUM | `password = "..."` (config files only) |
+
+Note: credentials found inside agent memory files are automatically upgraded to CRITICAL
+severity — memory files are commonly committed to git with no secrets management in place.
+
+**Singapore PII (PDPA-sensitive):**
+
+| Rule ID | Severity | Description |
+|---------|----------|-------------|
+| `SG_NRIC` | HIGH | NRIC/FIN — checksum-validated (S/T/F/G/M prefix + weighted mod-11) |
+| `SG_PASSPORT` | HIGH | Singapore passport number (E/K series) |
+| `SG_PHONE_MOBILE` | MEDIUM | Mobile (+65 8xxx / 9xxx) |
+| `SG_PHONE_LANDLINE` | LOW | Landline with explicit `+65` prefix |
+| `SG_UEN` | LOW | Business Unique Entity Number |
+| `SG_ADDRESS_POSTAL` | LOW | "Singapore XXXXXX" postal code |
+
+**Memory contamination rules:**
+
+| Rule ID | Severity | Trigger |
+|---------|----------|---------|
+| `CONVERSATION_PII` | HIGH | Email + NRIC (SGP) or Email + SSN (USA) within 5 lines — strong indicator of a raw tool call result leaked into memory |
+| `SYSTEM_PROMPT_IN_MEMORY` | MEDIUM | "You are a..." / "Your instructions are..." patterns in memory files — system prompts reveal agent instructions if memory committed to git |
+
+**Exit codes:**
+
+| Code | Meaning |
+|------|---------|
+| 0 | No findings at `--fail-on` threshold |
+| 1 | Findings at or above `--fail-on` severity |
+| 2 | Scan error (permission denied, no readable files) |
+
+---
+
 ### `sentinel discover` — find AI agents in your environment
 
 ```bash
@@ -292,9 +391,9 @@ sentinel discover --format json          # machine-readable output
 | OWASP LLM | sentinel command |
 |-----------|-----------------|
 | LLM01 Prompt Injection | `sentinel probe`, `sentinel ai-probe` |
-| LLM02 Sensitive Info Disclosure | `sentinel probe` (extraction category) |
+| LLM02 Sensitive Info Disclosure | `sentinel secrets`, `sentinel probe` (extraction) |
 | LLM06 Excessive Agency | `sentinel scan`, `sentinel discover` |
-| LLM07 System Prompt Leakage | `sentinel probe` (extraction), `sentinel ai-probe` |
+| LLM07 System Prompt Leakage | `sentinel secrets` (memory contamination), `sentinel probe` (extraction) |
 | LLM08 Vector/Embedding Weaknesses | `sentinel mcp scan` |
 
 ---
@@ -303,6 +402,11 @@ sentinel discover --format json          # machine-readable output
 
 ```yaml
 # .github/workflows/security.yml
+- name: Scan for secrets and PII in agent memory
+  run: |
+    pip install agentsentinel-cli
+    sentinel secrets . --fail-on HIGH
+
 - name: Audit agent posture
   run: |
     pip install agentsentinel-cli
@@ -319,6 +423,8 @@ sentinel discover --format json          # machine-readable output
     sentinel mcp scan http://localhost:3001 --fail-on CRITICAL
 ```
 
+`sentinel secrets` requires no extra dependencies — it's included in the base install.
+
 ---
 
 ## Tool detection (`sentinel scan`)
@@ -334,9 +440,11 @@ The scanner detects tools defined via:
 ## Requirements
 
 - Python 3.10+
-- No API key required for `sentinel scan`, `sentinel inspect --no-ai`, `sentinel probe`
+- No API key required for `sentinel scan`, `sentinel secrets`, `sentinel inspect --no-ai`, `sentinel probe`
 - `ANTHROPIC_API_KEY` required for AI summary (`sentinel inspect`), `sentinel ai-probe`
 - `httpx` required for live endpoint inspection: `pip install "agentsentinel-cli[inspect]"`
 - `httpx` required for HTTP MCP scanning: `pip install "agentsentinel-cli[mcp]"`
 - `psutil` + `httpx` required for `sentinel discover`: `pip install "agentsentinel-cli[discover]"`
 - `httpx` + `anthropic` required for `sentinel ai-probe`: `pip install "agentsentinel-cli[ai-probe]"`
+
+`sentinel secrets` has zero extra dependencies — regex-based, fully offline, no API calls.

{agentsentinel_cli-0.5.2 → agentsentinel_cli-0.5.4}/README.md

@@ -6,6 +6,7 @@ Security scanner, red-team tool, and MCP auditor for AI agents. No server, no Do
 pipx install "agentsentinel-cli[all]"
 sentinel inspect my_agent.py                  # what is this agent? plain English
 sentinel scan my_agent.py                     # posture audit
+sentinel secrets .                            # scan for leaked keys, PII, Singapore NRIC
 sentinel probe http://localhost:3000          # 42-payload attack battery
 sentinel ai-probe http://localhost:3000       # Claude-driven autonomous red-team
 sentinel mcp scan http://localhost:3001       # MCP server security audit
@@ -39,6 +40,7 @@ pip install "agentsentinel-cli[all]"           # everything
 | **Posture** — what can it do? | `sentinel scan` | Static AST analysis, 12 rules, CI gate |
 | **Posture** — what's running? | `sentinel discover` | Find unknown agents in processes, containers, subnets |
 | **Posture** — MCP exposure? | `sentinel mcp scan` | Enumerate and audit any MCP server |
+| **Secrets & PII** | `sentinel secrets` | Credentials, global PII, Singapore NRIC/FIN, memory contamination |
 | **Vulnerability** — static | `sentinel probe` | 42-payload attack battery, no API key required |
 | **Vulnerability** — AI-driven | `sentinel ai-probe` | Claude Opus as autonomous red-team agent |
 
@@ -237,6 +239,103 @@ that trigger every finding.
 
 ---
 
+### `sentinel secrets` — scan for exposed secrets, API keys, and PII
+
+AI agents process sensitive data — customer records, credentials, system prompts — and
+many frameworks persist this to local memory files (`.md`, `.json`, conversation logs).
+`sentinel secrets` finds what leaked where, before an attacker does.
+
+Three detection layers:
+- **Credentials** — 13 patterns: Anthropic, OpenAI, AWS, GitHub, Stripe, Google, HuggingFace, Slack, database URLs, JWT tokens, private key blocks
+- **PII (global)** — email addresses, credit cards (Luhn-validated), US SSNs
+- **PII (Singapore)** — NRIC/FIN with weighted mod-11 checksum validation, passport, mobile (+65 8xxx/9xxx), landline, UEN, postal codes
+- **Memory contamination** — PII clusters from tool call results, system prompt leakage in memory files
+
+```bash
+# Scan current directory (all file types)
+sentinel secrets .
+
+# Scan Claude Code agent memory
+sentinel secrets ~/.claude/projects/
+
+# Memory files only (conversation logs, agent memory dirs)
+sentinel secrets . --scope memory
+
+# Config and env files only
+sentinel secrets . --scope config
+
+# Show only HIGH and CRITICAL
+sentinel secrets . --severity HIGH
+
+# Machine-readable output for SIEM
+sentinel secrets . --format json
+
+# CI gate — fail build if HIGH+ findings exist
+sentinel secrets . --fail-on HIGH
+
+# Show full matched values (no masking)
+sentinel secrets . --no-redact
+```
+
+**Flags:**
+
+| Flag | Default | Description |
+|------|---------|-------------|
+| `--scope all\|memory\|config` | `all` | Restrict scan to memory files, config files, or both |
+| `--severity` | `MEDIUM` | Minimum severity to display |
+| `--format text\|json` | `text` | Output format |
+| `--fail-on` | — | Exit code 1 if findings at this severity or above |
+| `--no-redact` | off | Show full matched values instead of masking them |
+
+**Credential patterns detected:**
+
+| Rule ID | Severity | Pattern |
+|---------|----------|---------|
+| `ANTHROPIC_KEY` | CRITICAL | `sk-ant-...` |
+| `OPENAI_KEY` | CRITICAL | `sk-...` / `sk-proj-...` |
+| `AWS_ACCESS_KEY` | CRITICAL | `AKIA...` |
+| `GITHUB_TOKEN` | CRITICAL | `ghp_...` / `github_pat_...` |
+| `STRIPE_SECRET` | CRITICAL | `sk_live_...` |
+| `PRIVATE_KEY_BLOCK` | CRITICAL | `-----BEGIN ... PRIVATE KEY-----` |
+| `SLACK_TOKEN` | HIGH | `xoxb-...` / `xoxp-...` |
+| `GOOGLE_API_KEY` | HIGH | `AIza...` |
+| `HUGGINGFACE_TOKEN` | HIGH | `hf_...` |
+| `DATABASE_URL` | HIGH | `postgresql://user:pass@host` |
+| `JWT_TOKEN` | MEDIUM | `eyJ...eyJ...` (memory + config files only) |
+| `GENERIC_API_KEY` | MEDIUM | `api_key = "..."` (config files only) |
+| `GENERIC_PASSWORD` | MEDIUM | `password = "..."` (config files only) |
+
+Note: credentials found inside agent memory files are automatically upgraded to CRITICAL
+severity — memory files are commonly committed to git with no secrets management in place.
+
+**Singapore PII (PDPA-sensitive):**
+
+| Rule ID | Severity | Description |
+|---------|----------|-------------|
+| `SG_NRIC` | HIGH | NRIC/FIN — checksum-validated (S/T/F/G/M prefix + weighted mod-11) |
+| `SG_PASSPORT` | HIGH | Singapore passport number (E/K series) |
+| `SG_PHONE_MOBILE` | MEDIUM | Mobile (+65 8xxx / 9xxx) |
+| `SG_PHONE_LANDLINE` | LOW | Landline with explicit `+65` prefix |
+| `SG_UEN` | LOW | Business Unique Entity Number |
+| `SG_ADDRESS_POSTAL` | LOW | "Singapore XXXXXX" postal code |
+
+**Memory contamination rules:**
+
+| Rule ID | Severity | Trigger |
+|---------|----------|---------|
+| `CONVERSATION_PII` | HIGH | Email + NRIC (SGP) or Email + SSN (USA) within 5 lines — strong indicator of a raw tool call result leaked into memory |
+| `SYSTEM_PROMPT_IN_MEMORY` | MEDIUM | "You are a..." / "Your instructions are..." patterns in memory files — system prompts reveal agent instructions if memory committed to git |
+
+**Exit codes:**
+
+| Code | Meaning |
+|------|---------|
+| 0 | No findings at `--fail-on` threshold |
+| 1 | Findings at or above `--fail-on` severity |
+| 2 | Scan error (permission denied, no readable files) |
+
+---
+
 ### `sentinel discover` — find AI agents in your environment
 
 ```bash
@@ -254,9 +353,9 @@ sentinel discover --format json          # machine-readable output
 | OWASP LLM | sentinel command |
 |-----------|-----------------|
 | LLM01 Prompt Injection | `sentinel probe`, `sentinel ai-probe` |
-| LLM02 Sensitive Info Disclosure | `sentinel probe` (extraction category) |
+| LLM02 Sensitive Info Disclosure | `sentinel secrets`, `sentinel probe` (extraction) |
 | LLM06 Excessive Agency | `sentinel scan`, `sentinel discover` |
-| LLM07 System Prompt Leakage | `sentinel probe` (extraction), `sentinel ai-probe` |
+| LLM07 System Prompt Leakage | `sentinel secrets` (memory contamination), `sentinel probe` (extraction) |
 | LLM08 Vector/Embedding Weaknesses | `sentinel mcp scan` |
 
 ---
@@ -265,6 +364,11 @@ sentinel discover --format json          # machine-readable output
 
 ```yaml
 # .github/workflows/security.yml
+- name: Scan for secrets and PII in agent memory
+  run: |
+    pip install agentsentinel-cli
+    sentinel secrets . --fail-on HIGH
+
 - name: Audit agent posture
   run: |
     pip install agentsentinel-cli
@@ -281,6 +385,8 @@ sentinel discover --format json          # machine-readable output
     sentinel mcp scan http://localhost:3001 --fail-on CRITICAL
 ```
 
+`sentinel secrets` requires no extra dependencies — it's included in the base install.
+
 ---
 
 ## Tool detection (`sentinel scan`)
@@ -296,9 +402,11 @@ The scanner detects tools defined via:
 ## Requirements
 
 - Python 3.10+
-- No API key required for `sentinel scan`, `sentinel inspect --no-ai`, `sentinel probe`
+- No API key required for `sentinel scan`, `sentinel secrets`, `sentinel inspect --no-ai`, `sentinel probe`
 - `ANTHROPIC_API_KEY` required for AI summary (`sentinel inspect`), `sentinel ai-probe`
 - `httpx` required for live endpoint inspection: `pip install "agentsentinel-cli[inspect]"`
 - `httpx` required for HTTP MCP scanning: `pip install "agentsentinel-cli[mcp]"`
 - `psutil` + `httpx` required for `sentinel discover`: `pip install "agentsentinel-cli[discover]"`
 - `httpx` + `anthropic` required for `sentinel ai-probe`: `pip install "agentsentinel-cli[ai-probe]"`
+
+`sentinel secrets` has zero extra dependencies — regex-based, fully offline, no API calls.

{agentsentinel_cli-0.5.2 → agentsentinel_cli-0.5.4}/agentsentinel_cli/cli.py

@@ -664,8 +664,28 @@ def secrets(
     """
     from agentsentinel_cli.secrets import scan_secrets
     from agentsentinel_cli.secrets_report import print_secrets_result, as_secrets_json
+    from rich.progress import Progress, SpinnerColumn, TextColumn, TimeElapsedColumn
 
-    report = scan_secrets(target, scope=scope, redact=not no_redact)
+    _report_holder: list = []
+
+    with Progress(
+        SpinnerColumn(),
+        TextColumn("[dim]{task.description}[/dim]"),
+        TimeElapsedColumn(),
+        console=console,
+        transient=True,   # clears the progress line when done
+    ) as progress:
+        task = progress.add_task("Scanning...", total=None)
+
+        def _on_progress(n: int, current: str) -> None:
+            short = current[-50:] if len(current) > 50 else current
+            progress.update(task, description=f"Scanning [bold]{n}[/bold] files  [dim]{short}[/dim]")
+
+        _report_holder.append(
+            scan_secrets(target, scope=scope, redact=not no_redact, progress_cb=_on_progress)
+        )
+
+    report = _report_holder[0]
 
     if fmt == "json":
         click.echo(as_secrets_json(report))

{agentsentinel_cli-0.5.2 → agentsentinel_cli-0.5.4}/agentsentinel_cli/secrets.py

@@ -6,7 +6,9 @@ credentials are found inside agent memory paths (higher impact — often git-com
 """
 
 import dataclasses
+import os
 import time
+from collections.abc import Callable, Iterator
 from pathlib import Path
 
 from agentsentinel_cli.secrets_rules import (
@@ -53,7 +55,7 @@ _MEMORY_NAME_KW: frozenset[str] = frozenset({
     "memory", "conversation", "session", "history", "cache", "agent_log", "chat_log",
 })
 
-_MEMORY_EXTS: frozenset[str] = frozenset({".md", ".txt", ".json", ""})
+_MEMORY_EXTS: frozenset[str] = frozenset({".md", ".txt", ".json", ".log", ".csv", ".tsv", ""})
 _CONFIG_EXTS: frozenset[str] = frozenset({".yaml", ".yml", ".toml", ".ini", ".cfg", ".conf"})
 _CONFIG_NAMES: frozenset[str] = frozenset({
     ".env", "config.json", "settings.json", "secrets.json",
@@ -68,13 +70,72 @@ _SKIP_EXTS: frozenset[str] = frozenset({
     ".dylib", ".zip", ".tar", ".gz", ".bz2", ".7z", ".pdf",
     ".pkl", ".pt", ".onnx", ".safetensors", ".parquet", ".arrow",
 })
-_SKIP_DIRS: frozenset[str] = frozenset({
-    "__pycache__", "node_modules", ".tox", "venv", ".venv",
-    "dist", "build", ".eggs", "site-packages",
+
+# Directories pruned at walk time — os.walk never descends into these.
+# This is what makes the scan fast: rglob("*") traverses everything first;
+# os.walk with pruning skips entire subtrees like node_modules and .venv.
+_PRUNE_DIRS: frozenset[str] = frozenset({
+    # Version control
+    ".git", ".svn", ".hg",
+    # Python virtual environments
+    "venv", ".venv", "env",
+    # Python build / caches
+    "__pycache__", ".mypy_cache", ".pytest_cache", ".ruff_cache",
+    ".tox", ".eggs", "site-packages", "dist", "build",
+    # JavaScript / frontend
+    "node_modules", ".next", ".nuxt", ".parcel-cache",
+    # Other language build outputs
+    "target",   # Rust
+    "vendor",   # Go / Ruby
+    # Test coverage
+    "htmlcov", ".coverage",
 })
 
 _MAX_FILE_BYTES = 1_000_000  # skip files larger than 1 MB
 
+# Binary file types that cannot be text-scanned but warrant a warning when
+# found inside agent memory directories (serialized memory, SQLite stores, etc.)
+_BINARY_MEMORY_EXTS: frozenset[str] = frozenset({
+    ".pkl", ".joblib",          # Python serialized objects (LangChain memory, sklearn)
+    ".pt", ".pth",              # PyTorch tensors / model checkpoints
+    ".db", ".sqlite", ".sqlite3",  # SQLite databases (common agent memory backend)
+})
+
+
+def _iter_files(root: Path) -> Iterator[Path]:
+    """Walk root using os.walk with directory pruning.
+
+    Prunes entire subtrees (node_modules, .venv, .git, etc.) before any file
+    enumeration. Also yields binary memory files from known memory directories
+    so they receive a BINARY_MEMORY_STORE warning finding.
+    """
+    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
+        dirnames[:] = [
+            d for d in dirnames
+            if d not in _PRUNE_DIRS
+            and not d.endswith(".egg-info")
+        ]
+        # Check once per directory whether we're inside a known memory path
+        dir_parts = set(Path(dirpath).parts)
+        in_memory_dir = bool(dir_parts & _MEMORY_DIRS)
+
+        for filename in filenames:
+            path = Path(dirpath) / filename
+            ext = path.suffix.lower()
+
+            # Yield binary memory files for a warning — skip the size check
+            # since we won't read their content anyway
+            if ext in _BINARY_MEMORY_EXTS and in_memory_dir:
+                yield path
+                continue
+
+            if ext not in _SKIP_EXTS:
+                try:
+                    if path.stat().st_size <= _MAX_FILE_BYTES:
+                        yield path
+                except OSError:
+                    pass
+
 
 def _classify_file(path: Path) -> str:
     """Classify a file as 'memory', 'config', 'source', or 'other'."""
@@ -105,18 +166,13 @@ def _classify_file(path: Path) -> str:
 
 
 def _should_skip(path: Path) -> bool:
-    """Return True if this file should not be scanned."""
+    """Return True for a single file that should not be scanned.
+
+    Directory-level pruning is handled by _iter_files; this function only needs
+    to check extension and size for individual files.
+    """
     if path.suffix.lower() in _SKIP_EXTS:
         return True
-    parts = set(path.parts)
-    if parts & _SKIP_DIRS:
-        return True
-    # Skip hidden directories except .env files and .claude
-    for part in path.parts[:-1]:
-        if part.startswith(".") and part not in {".claude", ".env", ".langchain",
-                                                  ".autogen", ".crewai", ".mem0",
-                                                  ".openai_agents"}:
-            return True
     try:
         return path.stat().st_size > _MAX_FILE_BYTES
     except OSError:
@@ -145,6 +201,25 @@ def _scan_file(
     if scope == "config" and file_type not in {"memory", "config"}:
         return []
 
+    # Binary memory stores can't be text-scanned — emit a single advisory finding
+    if path.suffix.lower() in _BINARY_MEMORY_EXTS:
+        return [SecretFinding(
+            rule_id="BINARY_MEMORY_STORE",
+            severity="MEDIUM",
+            category="memory_contamination",
+            jurisdiction="global",
+            file=path,
+            line=0,
+            match_preview=path.name,
+            context_line=f"Binary {path.suffix} file in agent memory directory — cannot be text-scanned",
+            recommendation=(
+                f"Serialized memory store found ({path.suffix}). May contain customer PII or "
+                "credentials captured from tool calls. "
+                "Inspect manually or delete if the session data is no longer needed."
+            ),
+            validated=False,
+        )]
+
     lines = _read_lines(path)
     if lines is None:
         return []
@@ -264,25 +339,30 @@ def scan_secrets(
     target: Path,
     scope: str = "all",
     redact: bool = True,
+    progress_cb: Callable[[int, str], None] | None = None,
 ) -> SecretsReport:
     """Scan target path for secrets, PII, and AI memory contamination.
 
     Args:
-        target: File or directory to scan.
-        scope:  'all' | 'memory' | 'config' — restricts which file types are scanned.
-        redact: If True (default), match previews are partially masked in the report.
+        target:      File or directory to scan.
+        scope:       'all' | 'memory' | 'config' — restricts which file types are scanned.
+        redact:      If True (default), match previews are partially masked in the report.
+        progress_cb: Optional callable(n_files_done, current_file_path) for live progress.
     """
     t0 = time.monotonic()
     target = target.resolve()
 
-    candidates = list(target.rglob("*")) if target.is_dir() else [target]
-    files = [f for f in candidates if f.is_file() and not _should_skip(f)]
-
     findings: list[SecretFinding] = []
     memory_files: list[Path] = []
-    n_memory = n_config = 0
+    n_scanned = n_memory = n_config = 0
+
+    file_iter = _iter_files(target) if target.is_dir() else iter([target])
+
+    for f in file_iter:
+        n_scanned += 1
+        if progress_cb:
+            progress_cb(n_scanned, str(f))
 
-    for f in files:
         ft = _classify_file(f)
         if ft == "memory":
             memory_files.append(f)
@@ -294,13 +374,12 @@ def scan_secrets(
     root = target if target.is_dir() else target.parent
     gitignore_warnings = _check_gitignore(root, memory_files)
 
-    # Sort by severity rank, then file path, then line number
     _rank = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
     findings.sort(key=lambda x: (_rank.get(x.severity, 4), str(x.file), x.line))
 
     return SecretsReport(
         target=target,
-        files_scanned=len(files),
+        files_scanned=n_scanned,
         memory_files_scanned=n_memory,
         config_files_scanned=n_config,
         findings=findings,

{agentsentinel_cli-0.5.2 → agentsentinel_cli-0.5.4}/agentsentinel_cli/secrets_report.py

@@ -74,11 +74,12 @@ def _print_finding(f: SecretFinding) -> None:
     color = _SEV_COLOR.get(f.severity, "white")
     jtag = _JURISDICTION_TAG.get(f.jurisdiction, "")
     val_mark = " [dim green]✓validated[/dim green]" if f.validated else ""
+    location = str(f.file) if f.line == 0 else f"{f.file}:{f.line}"
 
     console.print(
         f"  [{color}]● {f.severity:<8}[/{color}]  "
         f"[bold white]{f.rule_id}[/bold white]{jtag}{val_mark}"
-        f"  [dim]{f.file}:{f.line}[/dim]"
+        f"  [dim]{location}[/dim]"
     )
     if f.match_preview:
         console.print(f"  [dim]{'':11}{f.match_preview}[/dim]")

{agentsentinel_cli-0.5.2 → agentsentinel_cli-0.5.4}/agentsentinel_cli/secrets_rules.py

@@ -37,6 +37,7 @@ class SecretFinding:
 
 _ALL: frozenset[str] = frozenset({"memory", "config", "source", "other"})
 _MEM_CFG: frozenset[str] = frozenset({"memory", "config"})
+_MEM_CFG_OTHER: frozenset[str] = frozenset({"memory", "config", "other"})  # includes logs, CSVs
 _MEM_ONLY: frozenset[str] = frozenset({"memory"})
 _CFG_ONLY: frozenset[str] = frozenset({"config"})
 
@@ -171,7 +172,7 @@ _PII_RULES: list[_PiiRule] = [
              # Negative lookbehind: must not be preceded by alphanumeric/URL chars
              # This prevents matching mid-word substrings like password@host in DB URLs
              re.compile(r"(?<![a-zA-Z0-9._%+\-/:])[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,}"),
-             _MEM_CFG,
+             _MEM_CFG_OTHER,  # also covers log files and CSV exports
              "Remove personal email addresses from agent memory. "
              "Audit which tool call produced this."),
     _PiiRule("CREDIT_CARD", "HIGH", "global",
@@ -179,14 +180,14 @@ _PII_RULES: list[_PiiRule] = [
                  r"\b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}"
                  r"|3[47][0-9]{13}|6(?:011|5[0-9]{2})[0-9]{12})\b"
              ),
-             _MEM_CFG,
-             "Credit card numbers must not appear in agent memory. "
+             _MEM_CFG_OTHER,  # also covers data export files
+             "Credit card numbers must not appear in agent files. "
              "Purge and audit tool call history.",
              validator=lambda m: _luhn_check(re.sub(r"\D", "", m))),
     # USA
     _PiiRule("US_SSN", "HIGH", "USA",
              re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
-             _MEM_CFG,
+             _MEM_CFG_OTHER,  # also covers log files and data exports
              "US SSNs are protected under US privacy law. "
              "Purge from memory files and audit data flows.",
              validator=_valid_ssn),

{agentsentinel_cli-0.5.2 → agentsentinel_cli-0.5.4}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "agentsentinel-cli"
-version = "0.5.2"
+version = "0.5.4"
 description = "Security scanner, red-team tool, and agent intelligence CLI — inspect, probe, MCP audit, and discovery for AI agents"
 readme = "README.md"
 requires-python = ">=3.10"