@foundation0/git 1.3.0 → 1.3.2

package/mcp/src/redaction.ts

@@ -1,207 +1,207 @@
-const REDACTED = '[REDACTED]'
-
-const normalizeKey = (value: string): string => value.toLowerCase().replace(/[^a-z0-9]/g, '')
-
-const SENSITIVE_OBJECT_KEYS = new Set(
-  [
-    'authorization',
-    'proxyauthorization',
-    'cookie',
-    'setcookie',
-    'xapikey',
-    'xauthtoken',
-    'xaccesstoken',
-    'apikey',
-    'accesstoken',
-    'refreshtoken',
-    'idtoken',
-    'clientsecret',
-    'secret',
-    'password',
-    'passphrase',
-    'privatekey',
-    'token',
-    'session',
-    'sessionid',
-  ].map(normalizeKey),
-)
-
-const SENSITIVE_QUERY_KEYS = new Set(
-  [
-    'access_token',
-    'refresh_token',
-    'id_token',
-    'token',
-    'api_key',
-    'apikey',
-    'key',
-    'auth',
-    'authorization',
-    'client_secret',
-  ].map(normalizeKey),
-)
-
-const isRecord = (value: unknown): value is Record<string, unknown> =>
-  typeof value === 'object' && value !== null && !Array.isArray(value)
-
-const isSensitiveObjectKey = (key: string): boolean => SENSITIVE_OBJECT_KEYS.has(normalizeKey(key))
-
-const isSensitiveQueryKey = (key: string): boolean => SENSITIVE_QUERY_KEYS.has(normalizeKey(key))
-
-const redactQueryEntry = (entry: string): string => {
-  const separatorIndex = entry.indexOf('=')
-  if (separatorIndex < 0) return entry
-
-  const key = entry.slice(0, separatorIndex).trim()
-  if (!key || !isSensitiveQueryKey(key)) return entry
-
-  return `${key}=${REDACTED}`
-}
-
-const redactHeaderLine = (entry: string): string => {
-  const separatorIndex = entry.indexOf(':')
-  if (separatorIndex < 0) return entry
-
-  const name = entry.slice(0, separatorIndex).trim()
-  if (!name || !isSensitiveObjectKey(name)) return entry
-
-  return `${name}: ${REDACTED}`
-}
-
-const redactHeaderRecord = (headers: Record<string, unknown>): Record<string, unknown> => {
-  const next: Record<string, unknown> = {}
-
-  for (const [key, value] of Object.entries(headers)) {
-    if (isSensitiveObjectKey(key)) {
-      next[key] = REDACTED
-      continue
-    }
-
-    next[key] = value
-  }
-
-  return next
-}
-
-const redactUrl = (value: string): string => {
-  const trimmed = value.trim()
-  if (!trimmed) return value
-
-  try {
-    const url = new URL(trimmed)
-    for (const key of Array.from(url.searchParams.keys())) {
-      if (isSensitiveQueryKey(key)) {
-        url.searchParams.set(key, REDACTED)
-      }
-    }
-    return url.toString()
-  } catch {
-    return value
-  }
-}
-
-const looksLikeHeaderList = (value: unknown[]): value is string[] =>
-  value.length === 0 || value.every((entry) => typeof entry === 'string' && entry.includes(':'))
-
-const looksLikeQueryList = (value: unknown[]): value is string[] =>
-  value.length === 0 || value.every((entry) => typeof entry === 'string' && entry.includes('='))
-
-const shouldTreatAsUrlKey = (key: string): boolean => normalizeKey(key) === 'url'
-
-const shouldTreatAsHeadersKey = (key: string): boolean => normalizeKey(key) === 'headers'
-
-const shouldTreatAsQueryKey = (key: string): boolean => normalizeKey(key) === 'query'
-
-export const redactSecretsForMcpOutput = (value: unknown): unknown => {
-  const seen = new WeakMap<object, unknown>()
-
-  const redact = (current: unknown, keyHint?: string): unknown => {
-    if (current === null || current === undefined) {
-      return current
-    }
-
-    if (typeof current === 'string') {
-      if (keyHint && shouldTreatAsUrlKey(keyHint)) {
-        return redactUrl(current)
-      }
-      return current
-    }
-
-    if (typeof current !== 'object') {
-      return current
-    }
-
-    if (seen.has(current as object)) {
-      return seen.get(current as object)
-    }
-
-    if (Array.isArray(current)) {
-      if (keyHint && shouldTreatAsHeadersKey(keyHint) && looksLikeHeaderList(current)) {
-        return current.map(redactHeaderLine)
-      }
-
-      if (keyHint && shouldTreatAsQueryKey(keyHint) && looksLikeQueryList(current)) {
-        return current.map(redactQueryEntry)
-      }
-
-      const next = current.map((entry) => redact(entry))
-      seen.set(current, next)
-      return next
-    }
-
-    if (!isRecord(current)) {
-      return current
-    }
-
-    if (keyHint && shouldTreatAsHeadersKey(keyHint)) {
-      const next = redactHeaderRecord(current)
-      seen.set(current, next)
-      return next
-    }
-
-    const next: Record<string, unknown> = {}
-    seen.set(current, next)
-
-    for (const [key, entryValue] of Object.entries(current)) {
-      if (isSensitiveObjectKey(key)) {
-        next[key] = REDACTED
-        continue
-      }
-
-      if (shouldTreatAsHeadersKey(key) && isRecord(entryValue)) {
-        next[key] = redactHeaderRecord(entryValue)
-        continue
-      }
-
-      if (shouldTreatAsHeadersKey(key) && Array.isArray(entryValue) && looksLikeHeaderList(entryValue)) {
-        next[key] = entryValue.map(redactHeaderLine)
-        continue
-      }
-
-      if (shouldTreatAsQueryKey(key) && Array.isArray(entryValue) && looksLikeQueryList(entryValue)) {
-        next[key] = entryValue.map(redactQueryEntry)
-        continue
-      }
-
-      next[key] = redact(entryValue, key)
-    }
-
-    return next
-  }
-
-  return redact(value)
-}
-
-export const redactSecretsInText = (text: string): string => {
-  if (!text) return text
-
-  const redactedHeaders = text.replace(
-    /(Authorization|Proxy-Authorization|Cookie|Set-Cookie|X-API-Key|X-Auth-Token|X-Access-Token)\s*:\s*([^\r\n]*)/gi,
-    (_match, name: string) => `${name}: ${REDACTED}`,
-  )
-
-  return redactedHeaders.replace(
-    /(access_token|refresh_token|id_token|token|api_key|apikey|client_secret)\s*=\s*([^&\s]+)/gi,
-    (_match, key: string) => `${key}=${REDACTED}`,
-  )
-}
+const REDACTED = '[REDACTED]'
+
+const normalizeKey = (value: string): string => value.toLowerCase().replace(/[^a-z0-9]/g, '')
+
+const SENSITIVE_OBJECT_KEYS = new Set(
+  [
+    'authorization',
+    'proxyauthorization',
+    'cookie',
+    'setcookie',
+    'xapikey',
+    'xauthtoken',
+    'xaccesstoken',
+    'apikey',
+    'accesstoken',
+    'refreshtoken',
+    'idtoken',
+    'clientsecret',
+    'secret',
+    'password',
+    'passphrase',
+    'privatekey',
+    'token',
+    'session',
+    'sessionid',
+  ].map(normalizeKey),
+)
+
+const SENSITIVE_QUERY_KEYS = new Set(
+  [
+    'access_token',
+    'refresh_token',
+    'id_token',
+    'token',
+    'api_key',
+    'apikey',
+    'key',
+    'auth',
+    'authorization',
+    'client_secret',
+  ].map(normalizeKey),
+)
+
+const isRecord = (value: unknown): value is Record<string, unknown> =>
+  typeof value === 'object' && value !== null && !Array.isArray(value)
+
+const isSensitiveObjectKey = (key: string): boolean => SENSITIVE_OBJECT_KEYS.has(normalizeKey(key))
+
+const isSensitiveQueryKey = (key: string): boolean => SENSITIVE_QUERY_KEYS.has(normalizeKey(key))
+
+const redactQueryEntry = (entry: string): string => {
+  const separatorIndex = entry.indexOf('=')
+  if (separatorIndex < 0) return entry
+
+  const key = entry.slice(0, separatorIndex).trim()
+  if (!key || !isSensitiveQueryKey(key)) return entry
+
+  return `${key}=${REDACTED}`
+}
+
+const redactHeaderLine = (entry: string): string => {
+  const separatorIndex = entry.indexOf(':')
+  if (separatorIndex < 0) return entry
+
+  const name = entry.slice(0, separatorIndex).trim()
+  if (!name || !isSensitiveObjectKey(name)) return entry
+
+  return `${name}: ${REDACTED}`
+}
+
+const redactHeaderRecord = (headers: Record<string, unknown>): Record<string, unknown> => {
+  const next: Record<string, unknown> = {}
+
+  for (const [key, value] of Object.entries(headers)) {
+    if (isSensitiveObjectKey(key)) {
+      next[key] = REDACTED
+      continue
+    }
+
+    next[key] = value
+  }
+
+  return next
+}
+
+const redactUrl = (value: string): string => {
+  const trimmed = value.trim()
+  if (!trimmed) return value
+
+  try {
+    const url = new URL(trimmed)
+    for (const key of Array.from(url.searchParams.keys())) {
+      if (isSensitiveQueryKey(key)) {
+        url.searchParams.set(key, REDACTED)
+      }
+    }
+    return url.toString()
+  } catch {
+    return value
+  }
+}
+
+const looksLikeHeaderList = (value: unknown[]): value is string[] =>
+  value.length === 0 || value.every((entry) => typeof entry === 'string' && entry.includes(':'))
+
+const looksLikeQueryList = (value: unknown[]): value is string[] =>
+  value.length === 0 || value.every((entry) => typeof entry === 'string' && entry.includes('='))
+
+const shouldTreatAsUrlKey = (key: string): boolean => normalizeKey(key) === 'url'
+
+const shouldTreatAsHeadersKey = (key: string): boolean => normalizeKey(key) === 'headers'
+
+const shouldTreatAsQueryKey = (key: string): boolean => normalizeKey(key) === 'query'
+
+export const redactSecretsForMcpOutput = (value: unknown): unknown => {
+  const seen = new WeakMap<object, unknown>()
+
+  const redact = (current: unknown, keyHint?: string): unknown => {
+    if (current === null || current === undefined) {
+      return current
+    }
+
+    if (typeof current === 'string') {
+      if (keyHint && shouldTreatAsUrlKey(keyHint)) {
+        return redactUrl(current)
+      }
+      return current
+    }
+
+    if (typeof current !== 'object') {
+      return current
+    }
+
+    if (seen.has(current as object)) {
+      return seen.get(current as object)
+    }
+
+    if (Array.isArray(current)) {
+      if (keyHint && shouldTreatAsHeadersKey(keyHint) && looksLikeHeaderList(current)) {
+        return current.map(redactHeaderLine)
+      }
+
+      if (keyHint && shouldTreatAsQueryKey(keyHint) && looksLikeQueryList(current)) {
+        return current.map(redactQueryEntry)
+      }
+
+      const next = current.map((entry) => redact(entry))
+      seen.set(current, next)
+      return next
+    }
+
+    if (!isRecord(current)) {
+      return current
+    }
+
+    if (keyHint && shouldTreatAsHeadersKey(keyHint)) {
+      const next = redactHeaderRecord(current)
+      seen.set(current, next)
+      return next
+    }
+
+    const next: Record<string, unknown> = {}
+    seen.set(current, next)
+
+    for (const [key, entryValue] of Object.entries(current)) {
+      if (isSensitiveObjectKey(key)) {
+        next[key] = REDACTED
+        continue
+      }
+
+      if (shouldTreatAsHeadersKey(key) && isRecord(entryValue)) {
+        next[key] = redactHeaderRecord(entryValue)
+        continue
+      }
+
+      if (shouldTreatAsHeadersKey(key) && Array.isArray(entryValue) && looksLikeHeaderList(entryValue)) {
+        next[key] = entryValue.map(redactHeaderLine)
+        continue
+      }
+
+      if (shouldTreatAsQueryKey(key) && Array.isArray(entryValue) && looksLikeQueryList(entryValue)) {
+        next[key] = entryValue.map(redactQueryEntry)
+        continue
+      }
+
+      next[key] = redact(entryValue, key)
+    }
+
+    return next
+  }
+
+  return redact(value)
+}
+
+export const redactSecretsInText = (text: string): string => {
+  if (!text) return text
+
+  const redactedHeaders = text.replace(
+    /(Authorization|Proxy-Authorization|Cookie|Set-Cookie|X-API-Key|X-Auth-Token|X-Access-Token)\s*:\s*([^\r\n]*)/gi,
+    (_match, name: string) => `${name}: ${REDACTED}`,
+  )
+
+  return redactedHeaders.replace(
+    /(access_token|refresh_token|id_token|token|api_key|apikey|client_secret)\s*=\s*([^&\s]+)/gi,
+    (_match, key: string) => `${key}=${REDACTED}`,
+  )
+}