agentwarden
v0.0.3
Agent Warden CLI - A TypeScript CLI application built with Bun and Commander.js
Agent Warden
Fully local CLI that scans AI agent sessions for exposed secrets and masks them in place. No external connections.
Supports Claude Code, Codex, Gemini CLI, and OpenCode session storage.
Installation
# Run without installing
npx agentwarden@latest scan
# Install globally
npm install -g agentwarden
Usage
scan — Find exposed secrets
Scans local session files and reports findings. Running without flags opens an interactive wizard where you pick providers, finding types, and output options.
# Interactive wizard
agentwarden scan
# Skip wizard, scan everything
agentwarden scan --direct
# Scan specific providers with masked samples
agentwarden scan --direct --agents codex,claude --samples
# Only high-confidence finding types
agentwarden scan --direct --types high_precision
# JSON output
agentwarden scan --direct --json

| Flag | Description |
| --- | --- |
| --agent <name> | Scan one provider |
| --agents <list> | Comma-separated providers |
| --details | Per-session breakdown table |
| --samples | Show masked sample values |
| --raw-samples | Show unmasked values (sensitive) |
| --types <list> | Only these finding types or groups |
| --exclude-types <list> | Skip these finding types or groups |
| --json | JSON output |
| --direct | Skip interactive wizard |
| --interactive | Force wizard even when flags are set |
Saved reports go to ~/.agentwarden/reports (owner-only permissions).
mask_secrets — Redact secrets on disk
Detects findings and overwrites them with masked values. Backups are saved to ~/.agentwarden/backups/ by default.
# Preview changes
agentwarden mask_secrets --dry-run
# Mask everything
agentwarden mask_secrets
# Mask only API keys for one provider
agentwarden mask_secrets --agent gemini --types api_keys

| Flag | Description |
| --- | --- |
| --agent <name> | Mask one provider |
| --agents <list> | Comma-separated providers |
| --dry-run | Preview without writing |
| --no-backup | Skip backup |
| --types <list> | Only these finding types or groups |
| --exclude-types <list> | Skip these finding types or groups |
Finding types
By default all types are checked. Use --types or --exclude-types to filter.
| Group | Includes |
| --- | --- |
| high_precision | authorization_header, signed_query, basic_auth, private_key, jwt, raw_token, url_credentials |
| api_keys | secret_assignment, signed_query, raw_token, base64_secret |
| session_auth | authorization_header, cookie, basic_auth, jwt |
| credentials | url_credentials, private_key |
| user_data | path_username, email |

| Type | Description |
| --- | --- |
| secret_assignment | API keys, tokens, or passwords assigned to a variable |
| authorization_header | Bearer/Basic/Token auth headers |
| cookie | Cookie or Set-Cookie header values |
| url_credentials | user:password@host in URLs |
| signed_query | Sensitive query params (access_token, api_key, signatures) |
| basic_auth | Base64 credentials in Basic auth |
| base64_secret | Base64 text that decodes to secret-looking content |
| private_key | PEM-formatted private keys |
| jwt | JSON Web Tokens |
| raw_token | Known token formats (OpenAI, Anthropic, GitHub, Google, Slack, etc.) |
| path_username | Usernames in filesystem paths |
| email | Email addresses |
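
To make the finding types above concrete, here is an added example (not agentwarden's own code) that detects and masks three of them, url_credentials, authorization_header and jwt, over a constructed session excerpt. The regular expressions, the rule order and the mask format are assumptions chosen for illustration.

```typescript
// Added example. Patterns and mask format are assumptions for illustration,
// not agentwarden's actual detection rules.
type Finding = { type: string; line: number; preview: string };
type Rule = { type: string; re: RegExp }; // group 1 = kept prefix, group 2 = secret

const RULES: Rule[] = [
  // user:password@host in URLs; only the password is masked. A port (host:8080/) does not match.
  { type: "url_credentials", re: /([a-z][a-z0-9+.-]*:\/\/[^\s:@\/]+:)([^\s@\/]+)(?=@)/gi },
  // Bearer/Basic/Token headers; runs before jwt so a bearer JWT is reported once, not twice.
  { type: "authorization_header", re: /(Authorization:\s*(?:Bearer|Basic|Token)\s+)([A-Za-z0-9._~+\/=-]+)/gi },
  // Three base64url segments; header and payload start with "eyJ" (base64 of `{"`).
  { type: "jwt", re: /(^|[^A-Za-z0-9_-])(eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)/g },
];

// Keep a short prefix so a reviewer can recognise the value without exposing it.
function mask(secret: string): string {
  return secret.length < 8 ? "****" : secret.slice(0, 4) + "****";
}

// Apply every rule to every line; return the masked text and one finding per hit.
function maskSession(text: string): { output: string; findings: Finding[] } {
  const findings: Finding[] = [];
  const lines = text.split("\n").map(function (line, i) {
    let current = line;
    RULES.forEach(function (rule) {
      current = current.replace(rule.re, function (_m: string, prefix: string, secret: string) {
        const preview = mask(secret);
        findings.push({ type: rule.type, line: i + 1, preview: preview });
        return prefix + preview;
      });
    });
    return current;
  });
  return { output: lines.join("\n"), findings: findings };
}

// Constructed session excerpt; every value is fake.
const SAMPLE = [
  "user: clone https://deploy:hunter2hunter2@git.example.com/app.git",
  "tool: curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl'",
  "tool: token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl",
  "user: no secrets on this line",
].join("\n");

const RESULT = maskSession(SAMPLE);
console.log(RESULT.output);
console.log(JSON.stringify(RESULT.findings));
```
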
Development
bun install
bun run build:native # compile the current-platform Rust scanner
bun run dev # watch mode
bun run build # production build
bun run src/index.ts # run directly
Set AGENTWARDEN_DISABLE_RUST_SCANNER=1 to force the TypeScript scanner fallback.
Set AGENTWARDEN_DISABLE_SCAN_CACHE=1 to benchmark cold scans, or AGENTWARDEN_SCAN_CACHE_PATH to override the cache file location.
The scan cache stores fingerprints and masked previews only; scans that request raw samples bypass the cache, and cached files are invalidated using file size, timestamps, and a small content probe hash.
License
MIT
