Package Exports

This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (memorylink) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.

Readme

MemoryLink

CLI tool that prevents secret leaks before they happen.

🔒 100% local. Zero telemetry. Your secrets never leave your machine.

🎯 What is MemoryLink?

MemoryLink scans your code for secrets (API keys, passwords, tokens) and blocks them before commit.

Protection	What It Does	When
🔍 Scan	Detects 112 secret patterns (API keys, passwords, PII)	On demand
🪝 Git Hooks	Warns before you commit/push secrets	Every commit
🚫 CI/CD Block	Blocks PRs with secrets (19 CI platforms)	Every PR
🔐 Quarantine	Encrypts detected secrets (AES-256-GCM)	Automatic
📝 Audit	Tracks all detections with timestamps	Always

How It Works:

You Code → Git Commit → MemoryLink Scans → ⚠️ Warning (or 🚫 Block)
                                              ↓
                                    🔐 Secrets Quarantined

Result: Code confidently without worrying about leaking secrets!

🛠️ Works With

Category	Supported
OS	macOS, Linux, Windows (WSL2)
Node.js	v18+
Git	Any project with Git
CI/CD	GitHub Actions, GitLab CI, Jenkins, CircleCI, Travis, Buildkite, Azure Pipelines, and 12 more

Use it with any editor, any language, any framework.

👀 What You'll See

When MemoryLink finds a secret:

┌─────────────────────────────────────────────────────┐
│  ⚠️  WARNING: 2 SECRETS DETECTED                    │
├─────────────────────────────────────────────────────┤
│                                                     │
│  🔴 HIGH: AWS Access Key                            │
│     File: src/config.ts:15                          │
│     Found: AKIA************WXYZ                     │
│                                                     │
│  🟡 MEDIUM: Generic API Key                         │
│     File: .env.local:3                              │
│     Found: api_key=****...****                      │
│                                                     │
├─────────────────────────────────────────────────────┤
│  Mode: INACTIVE (warnings only)                     │
│                                                     │
│  💡 To block commits with secrets:                  │
│     ml mode active                                  │
└─────────────────────────────────────────────────────┘

Modes:

INACTIVE (default): Warns but allows commits ← Good for learning
ACTIVE: Blocks commits with secrets ← Good for teams/CI

📦 Installation

Prerequisites

Node.js 18+ (install)
npm or pnpm
Windows users: WSL2 recommended (install guide)

Install from npm

npm install -g memorylink

Verify Installation

ml --version

🚀 Quick Start (30 seconds)

1. Initialize MemoryLink

cd your-project
ml init

What happens:

✅ Scans your entire project for existing secrets
✅ Creates .memorylink/ directory
✅ Installs Git hooks (pre-commit + pre-push)
✅ Updates .gitignore
💡 Shows any detected issues

2. That's It! You're Protected

From now on, every git commit and git push is automatically scanned.

🎯 Core Commands

Command	What It Does
`ml init`	Setup project + install Git hooks
`ml scan`	Find secrets in your project
`ml gate`	Check before commit/push
`ml mode`	Switch active (block) / inactive (warn)
`ml audit`	View security history

`ml scan` - Find Secrets

ml scan                    # Scan entire project
ml scan --path src/        # Scan specific directory

`ml mode` - Switch Protection Level

ml mode                    # View current mode
ml mode active             # Block on secrets (teams/CI)
ml mode inactive           # Warn only (default)

`ml gate` - Manual Check

ml gate --rule block-quarantined              # Check project
ml gate --rule block-quarantined --diff       # Check staged files only
ml gate --rule block-quarantined --history    # Check git history

🔒 7-Layer Protection

Layer 1: On-demand scan      → ml scan catches secrets immediately
Layer 2: Pre-commit hook     → Blocks before commit (staged files)
Layer 3: Pre-push hook       → Blocks before push (full scan)
Layer 4: Git history scan    → ml gate --history finds old leaks
Layer 5: Quarantine          → AES-256-GCM encrypted isolation
Layer 6: CI/CD gate          → Auto-enforces when runs in CI
Layer 7: Audit trail         → Tracks everything

📊 Active vs Inactive Mode

Mode	Behavior	Exit Code	Use Case
INACTIVE (default)	⚠️ Warns but allows	0	Local development
ACTIVE	❌ Blocks commit/push	1	Production, CI/CD

Mode Priority

MemoryLink checks these in order (highest to lowest):

1. CLI Flag         --mode active / --enforce / --monitor
2. ENV Variable     ML_MODE=active / ML_MODE=inactive
3. CI Detection     GitHub Actions, GitLab CI, etc. (auto ACTIVE!)
4. Config File      .memorylink/config.json
5. Default          inactive

One-Time Override

ML_MODE=active git push      # Force blocking for this push
ML_MODE=inactive git push    # Allow this push (temporary)
git push --no-verify         # Emergency bypass (Git built-in)

🎨 112 Secret Patterns

Category	Examples
Cloud	AWS, Azure, GCP, DigitalOcean, Heroku
AI/ML	OpenAI, Claude/Anthropic, HuggingFace, Cohere
Payment	Stripe, PayPal, Square, Razorpay
Auth	GitHub, GitLab, Slack, Discord, JWT, OAuth
India	Aadhaar, PAN, GSTIN, UPI, IFSC, Paytm
Personal	SSN, Credit Card, Phone, Email
Browser	localStorage, sessionStorage, cookies

🌐 19 CI Platforms Auto-Detected

✅ GitHub Actions    ✅ GitLab CI       ✅ Jenkins
✅ CircleCI          ✅ Travis CI       ✅ Buildkite
✅ Azure Pipelines   ✅ TeamCity        ✅ Bitbucket
✅ Drone CI          ✅ AppVeyor        ✅ Semaphore
✅ Buddy             ✅ Vercel          ✅ Netlify
✅ Bitrise           ✅ Codeship        ✅ Generic CI

CI always enforces ACTIVE mode automatically!

🛠️ CI/CD Setup

GitHub Actions

Add to .github/workflows/memorylink.yml:

name: MemoryLink Gate
on: [pull_request, push]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm install -g memorylink
      - run: ml gate --rule block-quarantined

Quick Setup Command

ml ci --provider github    # Creates the workflow file for you

🚫 Handling False Positives

Option 1: Inline Comment

const API_ENDPOINT = "https://api.example.com"; // ml:ignore

Option 2: Mark as False Positive

ml gate --mark-false <finding-id>

Option 3: Config File

Add to .memorylink/config.json:

{
  "ignores": {
    "values": ["test_key_not_real"],
    "patterns": ["example-api-key"],
    "files": ["tests/**", "docs/**"]
  }
}

📁 Directory Structure

.memorylink/
├── config.json         # User preferences
├── records/            # Safe content storage
├── quarantined/        # Encrypted secrets
├── audit/              # Security audit logs
└── falsePositives.json # Ignored findings

🔐 Security Features

Feature	Implementation
Key Location	`~/.memorylink/keys/` (NOT in project!)
Encryption	AES-256-GCM (industry standard)
Secret Masking	`AKIA****MPLE` in all output
Zero Telemetry	100% local, no network calls
Package Safety	`.gitattributes` + `files` field

🔧 Troubleshooting

Problem	Quick Fix
`ml: command not found`	`npx memorylink` or fix PATH
Hooks not running	`ml hooks --install`
False positive	Add `// ml:ignore` comment
Mode not changing	Check `ml mode` output
CI not blocking	Verify `CI=true` is set

📚 Documentation

Quick Reference - Cheat sheet
FAQ - Common questions
Troubleshooting - Problem solutions
Patterns - All 112 patterns
Comparisons - vs other tools

🤝 Contributing

See CONTRIBUTING.md for guidelines.

📄 License

MIT License - see LICENSE

🙏 Support

Issues: GitHub Issues
Discussions: GitHub Discussions

MemoryLink - Protect your secrets from AI leaks 🔒

memorylink