secret-scrubber
// Scan a diff, branch, or working tree for leaked secrets, API keys, tokens, private keys, and PII before commit. Blocks the operation on CRITICAL findings, warns on MEDIUM. Pairs with the pre_commit hook.
| name | secret-scrubber |
| description | Scan a diff, branch, or working tree for leaked secrets, API keys, tokens, private keys, and PII before commit. Blocks the operation on CRITICAL findings, warns on MEDIUM. Pairs with the pre_commit hook. |
Keep secrets out of the repo, logs, and tests.
| Secret type | Pattern |
|---|---|
| AWS access key | `AKIA[0-9A-Z]{16}` |
| AWS secret | `[A-Za-z0-9/+=]{40}` near `AKIA...` |
| GitHub PAT | `ghp_[A-Za-z0-9]{36}`; also `gho_`, `ghu_`, `ghs_`, `ghr_` |
| GitHub fine-grained | `github_pat_[A-Za-z0-9_]{82}` |
| Slack token | `xox[baprs]-[A-Za-z0-9-]+` |
| Google API key | `AIza[0-9A-Za-z\-_]{35}` |
| Stripe | `sk_live_[A-Za-z0-9]{24,}`, `rk_live_...` |
| OpenAI | `sk-[A-Za-z0-9]{48}`, `sk-proj-[A-Za-z0-9]{48,}` |
| Anthropic | `sk-ant-[A-Za-z0-9_-]{90,}` |
| JWT | `eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+` |
| Private key block | `-----BEGIN (RSA \|...)PRIVATE KEY-----` |
| SSH key | `ssh-(rsa\|...)` |

Prefix-anchored formats such as `AKIA`, `ghp_` and `sk_live_` are specific enough to block on; the AWS secret and JWT patterns match any 40-character base64 run or any JWT (including expired test tokens in fixtures), so confirm the context before blocking on those alone.
| Secret type | Pattern / example |
|---|---|
| High-entropy string in `.env*` file | random-looking strings outside `.env.example` |
| Hardcoded password | `password = "<non-empty-literal>"` in source |
| Hardcoded API key | `api_key = "<non-empty-literal>"` in source |
| Connection string with password | `postgres://user:PASSWORD@host/db` |
| PII type | Pattern / example |
|---|---|
| Email | `[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}` in logs / fixtures without consent |
| Credit card | 13–19 digit strings with a valid Luhn checksum |
| SSN | `\b\d{3}-\d{2}-\d{4}\b` |
| Phone | international phone patterns |
Allow-listed by default:
- `.env.example`, `.env.sample`, `*.md`, unless the match is a real token (check its format)
- a `.gitallowed` file (like `.gitignore`, but a scanner allow-list)

Remediation caveat: `git filter-repo` / `bfg` rewrite history; warn before suggesting them.

Report format (the value is always redacted; the full secret never goes into the report or the log):

```text
🚨 SECRET DETECTED — commit blocked
File: src/config.ts:12
Type: Stripe live key
Value: sk_live_...abcd

1. Rotate the key NOW — https://dashboard.stripe.com/apikeys
2. Remove from source:
   - Replace the literal with process.env.STRIPE_KEY
   - Commit the removal
3. If already pushed:
   - The key is compromised — rotating is mandatory, not optional
   - Consider rewriting history with bfg / git filter-repo
   - Notify security team if policy requires it

Override (NOT recommended):
  git commit --no-verify
```
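The scan-and-decide logic the tables, the allow-list rules and the report above describe, written out as an added Python example. It is not the skill's own code: the pattern subset, the entropy cut-offs (3.5 bits/char for `.env` values, 3.0 for token-shaped placeholders in allow-listed files), the MEDIUM severity given to card numbers, and the sample diff are all assumptions made here. It scans only the added lines of a unified diff, tracks new-file line numbers per hunk, skips low-entropy token lookalikes in `.env.example`, honours `.gitallowed` literals, and emits the same `sk_live_...abcd` redaction the report format uses.

```python
"""Diff-scoped secret scan in the spirit of the skill above: CRITICAL blocks, MEDIUM warns."""
import math
import re
from collections import namedtuple
# A subset of the token formats tabled above (CRITICAL: a match blocks the commit).
CRITICAL_PATTERNS = {
    "GitHub PAT": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "Stripe live key": re.compile(r"\b[sr]k_live_[A-Za-z0-9]{24,}"),
    "Private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Hardcoded credentials (MEDIUM: warn); the quoted literal must be non-empty.
MEDIUM_PATTERNS = {
    "Hardcoded password / API key": re.compile(r"""\b(password|api_key)\s*=\s*["'][^"']+["']""", re.I),
    "Connection string with password": re.compile(r"\b\w+://[^:/\s@]+:[^@\s]+@"),
}
ALLOWED_FILES = re.compile(r"(^|/)(\.env\.(example|sample)|[^/]*\.md)$")  # allow-listed by default
ENV_VALUE = re.compile(r"""\s*[A-Za-z_]\w*=["']?([^"'\s]{20,})""")  # KEY=value lines in .env* files
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
ENTROPY_THRESHOLD = 3.5  # bits/char; assumed cut-off between placeholders and real hex/base64 secrets
Finding = namedtuple("Finding", "file line kind severity redacted")  # only `redacted` reaches the report


def shannon_entropy(s: str) -> float:
    """Bits per character: 0.0 for a run of one symbol, log2(len(s)) when every symbol differs."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, to tell card numbers from arbitrary 13-19 digit runs."""
    doubled = (int(c) * (2 if i % 2 else 1) for i, c in enumerate(reversed(digits)))
    return sum(d - 9 if d > 9 else d for d in doubled) % 10 == 0


def redact(value: str) -> str:  # prefix plus last four, the shape the report above uses
    return f"{value[:8]}...{value[-4:]}" if len(value) > 12 else "***"


def scan_line(path: str, lineno: int, text: str, allowed: frozenset) -> list:
    """`allowed` holds the literals a .gitallowed file lists, one per line; they are never reported."""
    out = []
    allowed_file = bool(ALLOWED_FILES.search(path))
    for kind, rx in CRITICAL_PATTERNS.items():
        for m in rx.finditer(text):
            # "Check format" in example files: sk_live_xxxx... fits the pattern but has no entropy.
            if m.group(0) in allowed or (allowed_file and shannon_entropy(m.group(0)) < 3.0):
                continue
            out.append(Finding(path, lineno, kind, "CRITICAL", redact(m.group(0))))
    if allowed_file:  # only real token formats count in .env.example / .env.sample / *.md
        return out
    for kind, rx in MEDIUM_PATTERNS.items():
        out += [Finding(path, lineno, kind, "MEDIUM", redact(m.group(0)))
                for m in rx.finditer(text) if m.group(0) not in allowed]
    if path.rsplit("/", 1)[-1].startswith(".env"):
        m = ENV_VALUE.match(text)
        if m and m.group(1) not in allowed and shannon_entropy(m.group(1)) > ENTROPY_THRESHOLD:
            out.append(Finding(path, lineno, "High-entropy string in .env file", "MEDIUM", redact(m.group(1))))
    out += [Finding(path, lineno, "Credit card", "MEDIUM", redact(run))  # PII severity is an assumption
            for run in re.findall(r"\b\d{13,19}\b", text) if luhn_ok(run)]
    return out


def scan_diff(diff: str, allowed: frozenset = frozenset()) -> list:
    """Scan only the added lines of a unified diff, tracking new-file line numbers per hunk."""
    findings, path, lineno = [], "", 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif m := HUNK_HEADER.match(raw):
            lineno = int(m.group(1))
        elif raw.startswith("+"):
            findings += scan_line(path, lineno, raw[1:], allowed)
            lineno += 1
        elif raw.startswith(" "):
            lineno += 1  # unchanged context also advances the new-file line number
    return findings


def decide(findings: list) -> str:  # hook policy: any CRITICAL blocks, MEDIUM only warns
    severities = {f.severity for f in findings}
    return "block" if "CRITICAL" in severities else "warn" if "MEDIUM" in severities else "ok"


# Constructed sample diff (not a real commit): a live key and a DSN land in src/config.ts,
# a zero-entropy placeholder in the allow-listed .env.example, and a real secret in .env.
SAMPLE_DIFF = """\
--- a/src/config.ts
+++ b/src/config.ts
@@ -11,2 +11,3 @@
 export const config = {
-  stripeKey: process.env.STRIPE_KEY,
+  stripeKey: "sk_live_4eC39HqLyjWDarjtT1zdp7dcabcd",
+  dbUrl: "postgres://app:hunter2@db.internal/app",
--- a/.env.example
+++ b/.env.example
@@ -0,0 +1 @@
+STRIPE_KEY=sk_live_xxxxxxxxxxxxxxxxxxxxxxxx
--- a/.env
+++ b/.env
@@ -0,0 +1 @@
+SESSION_SECRET=q7Zp2vL9xK4mN8bR1tW6yH3jF5gD0sA
"""
```

`scan_diff(SAMPLE_DIFF)` returns three findings (the Stripe key at `src/config.ts:12` as CRITICAL, the connection string at line 13 and the `.env` value as MEDIUM) and `decide()` on them is `"block"`; the placeholder in `.env.example` produces nothing. In a `pre_commit` hook the input would be `git diff --cached` and a non-zero exit on `"block"`, which `git commit --no-verify` bypasses exactly as the report warns.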