@cortexkit/opencode-magic-context 0.27.0 → 0.27.1

package/dist/index.js

@@ -190163,6 +190163,12 @@ function redactionTypeForKey(key) {
   const suffix = normalized.split(".").filter(Boolean).at(-1) ?? normalized;
   return suffix || "secret";
 }
+function isNonSecretScalarValue(value) {
+  const v = value.trim();
+  if (v === "true" || v === "false" || v === "null" || v === "undefined")
+    return true;
+  return /^[+-]?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?$/.test(v);
+}
 var SECRET_QUALIFIERS = new Set([
   "api",
   "access",
@@ -190242,11 +190248,11 @@ var SECRET_TEXT_PATTERNS = [
   },
   {
     pattern: /(["'])([^"']*(?:key|token|secret|password|auth|bearer|credential)[^"']*)\1(\s*:\s*)(["'])([^"']*)\4/gi,
-    replacement: (_full, quote, key, separator, valueQuote) => `${quote}${key}${quote}${separator}${valueQuote}<REDACTED:${redactionTypeForKey(key)}>${valueQuote}`
+    replacement: (full, quote, key, separator, valueQuote, value) => isNonSecretScalarValue(value) ? full : `${quote}${key}${quote}${separator}${valueQuote}<REDACTED:${redactionTypeForKey(key)}>${valueQuote}`
   },
   {
     pattern: /\b([A-Za-z0-9_.-]*(?:key|token|secret|password|auth|bearer|credential)[A-Za-z0-9_.-]*)\s*=\s*([^\s'"`]+)/gi,
-    replacement: (_full, key) => `${key}=<REDACTED:${redactionTypeForKey(key)}>`
+    replacement: (full, key, value) => isNonSecretScalarValue(value) ? full : `${key}=<REDACTED:${redactionTypeForKey(key)}>`
   }
 ];
 function redactSecretText(value) {

package/dist/shared/redaction.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"redaction.d.ts","sourceRoot":"","sources":["../../src/shared/redaction.ts"],"names":[],"mappings":"AAyDA,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAkChD;AAED,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAcxD;AAkED,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAatD;AAED,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAE5D;AAsBD,wBAAgB,4BAA4B,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAOlE;AAED,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,GAAE,MAAM,EAAO,GAAG,OAAO,CAkBnF"}
+{"version":3,"file":"redaction.d.ts","sourceRoot":"","sources":["../../src/shared/redaction.ts"],"names":[],"mappings":"AAyEA,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAkChD;AAED,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAcxD;AA0ED,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAatD;AAED,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAE5D;AAsBD,wBAAgB,4BAA4B,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAOlE;AAED,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,GAAE,MAAM,EAAO,GAAG,OAAO,CAkBnF"}

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@cortexkit/opencode-magic-context",
-	"version": "0.27.0",
+	"version": "0.27.1",
 	"type": "module",
 	"description": "OpenCode plugin for Magic Context — cross-session memory and context management",
 	"main": "dist/index.js",

package/src/shared/redaction.test.ts

@@ -2,7 +2,43 @@
 
 import { describe, expect, test } from "bun:test";
 
-import { hasShareabilitySensitiveText } from "./redaction";
+import { hasShareabilitySensitiveText, redactSecretText } from "./redaction";
+
+describe("redactSecretText — token counts and scalar diagnostics stay visible", () => {
+    test("keeps numeric/boolean values whose key merely contains a secret word", () => {
+        // These log shapes are counts/flags, not secrets, so they must stay readable.
+        expect(redactSecretText("tokens.input=45000 cache.read=0 cache.write=0")).toBe(
+            "tokens.input=45000 cache.read=0 cache.write=0",
+        );
+        expect(redactSecretText("hasUsageTokens=true")).toBe("hasUsageTokens=true");
+        expect(redactSecretText("totalInputTokens=132000")).toBe("totalInputTokens=132000");
+        expect(redactSecretText("max_tokens=4096")).toBe("max_tokens=4096");
+    });
+
+    test("keeps quoted numeric values matched only on the key word", () => {
+        expect(redactSecretText('"max_tokens": "4096"')).toBe('"max_tokens": "4096"');
+    });
+
+    test("still redacts real secret string values", () => {
+        // High-entropy / non-scalar values must always be redacted; only bare
+        // numeric/boolean scalars are exempt from the key-based match.
+        expect(redactSecretText("api_key=sk-abc123XYZsecretvalue")).toContain("<REDACTED:");
+        expect(redactSecretText("api_key=sk-abc123XYZsecretvalue")).not.toContain(
+            "sk-abc123XYZsecretvalue",
+        );
+        expect(redactSecretText('"auth_token": "tok_live_9f8e7d6c5b"')).toContain("<REDACTED:");
+    });
+
+    test("value-shaped secret patterns still fire independent of key name", () => {
+        // A bearer/JWT value is caught by its own pattern even if its key is bland.
+        expect(redactSecretText("Authorization: Bearer abc123def456ghi789")).toContain(
+            "<REDACTED:bearer>",
+        );
+        expect(redactSecretText("blob=eyJhbGciOi.eyJzdWIiOiIx.SflKxwRJSMeKKF2QT4")).toContain(
+            "<JWT_REDACTED>",
+        );
+    });
+});
 
 describe("hasShareabilitySensitiveText", () => {
     test("safe project facts are shareable", () => {

package/src/shared/redaction.ts

@@ -33,6 +33,22 @@ function redactionTypeForKey(key: string): string {
     return suffix || "secret";
 }
 
+// A bare number / boolean / null is never a secret — an API key, bearer token,
+// password, or credential is always a high-entropy string. So when a key-based
+// pattern (the `name=value` / `"name":"value"` forms below) matches purely on
+// the KEY containing a word like "token", but the VALUE is numeric/boolean, it's
+// a count or flag, not a secret. These must stay readable in logs:
+// `tokens.input=45000`, `hasUsageTokens=true`, `max_tokens=4096` are diagnostics,
+// not credentials. (High-entropy secret VALUES are still caught by the
+// value-shaped patterns above — bearer, JWT, AKIA, gh*_, etc. — independent of
+// the key name, so relaxing the key-based match for scalars loses no coverage.)
+function isNonSecretScalarValue(value: string): boolean {
+    const v = value.trim();
+    if (v === "true" || v === "false" || v === "null" || v === "undefined") return true;
+    // Integer or decimal, optional sign/exponent — token counts, ports, sizes.
+    return /^[+-]?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?$/.test(v);
+}
+
 const SECRET_QUALIFIERS = new Set([
     "api",
     "access",
@@ -155,19 +171,27 @@ const SECRET_TEXT_PATTERNS: Array<{
         pattern:
             /(["'])([^"']*(?:key|token|secret|password|auth|bearer|credential)[^"']*)\1(\s*:\s*)(["'])([^"']*)\4/gi,
         replacement: (
-            _full: string,
+            full: string,
             quote: string,
             key: string,
             separator: string,
             valueQuote: string,
+            value: string,
         ) =>
-            `${quote}${key}${quote}${separator}${valueQuote}<REDACTED:${redactionTypeForKey(key)}>${valueQuote}`,
+            // A numeric/boolean value matched only because the KEY contains a
+            // secret word (e.g. "max_tokens": "4096") is a count, not a secret.
+            isNonSecretScalarValue(value)
+                ? full
+                : `${quote}${key}${quote}${separator}${valueQuote}<REDACTED:${redactionTypeForKey(key)}>${valueQuote}`,
     },
     {
         pattern:
             /\b([A-Za-z0-9_.-]*(?:key|token|secret|password|auth|bearer|credential)[A-Za-z0-9_.-]*)\s*=\s*([^\s'"`]+)/gi,
-        replacement: (_full: string, key: string) =>
-            `${key}=<REDACTED:${redactionTypeForKey(key)}>`,
+        replacement: (full: string, key: string, value: string) =>
+            // tokens.input=45000 / hasUsageTokens=true are diagnostics, not
+            // secrets — keep them readable. Real secret values are still caught
+            // by the value-shaped patterns above.
+            isNonSecretScalarValue(value) ? full : `${key}=<REDACTED:${redactionTypeForKey(key)}>`,
     },
 ];