We Shipped Our Passwords to npm (And Built a System So It Never Happens Again)

We build The Nervous System - an MCP server that enforces behavioral guardrails on LLM agents. It has security audit tools built in. It scans for exposed secrets, hardcoded paths, and misconfigurations. Then we published it to npm with our passwords in the source code. How It Happened The Nervous System has 18 tools. One of them is security_audit - it scans project files for leaked credentials, open ports, and config mistakes. It works great. But it scans the user's files. It never scans itself . During development on our VPS, internal references to family data directories, hardcoded /root/ paths, and personal naming conventions crept into the codebase. The security audit caught none of it because we never pointed it at its own source. The Fix: pre_publish_audit We wrote a tool that scans the Nervous System's own source before every npm publish . Here's the actual implementation: function runPrePublishAudit ( sourceFile ) { const findings = []; const file = sourceFile || __filename ; c