@hasna/logs 0.3.28 → 0.3.29

package/dist/cli/index.js

@@ -8,7 +8,7 @@ import {
   runJob,
   structuredLogToEntry,
   validateStructuredLogReferences
-} from "../index-y2y0mdtd.js";
+} from "../index-89jb7jg9.js";
 import {
   PACKAGE_VERSION,
   createPage,
@@ -30,7 +30,7 @@ import {
   searchTestReports,
   summarizeLogs,
   validateUniversalEventInput
-} from "../index-qk8dbvbc.js";
+} from "../index-dbhpykkz.js";
 import {
   getStorageStatus,
   storagePull,

package/dist/{index-y2y0mdtd.js → index-89jb7jg9.js}

@@ -8,7 +8,7 @@ import {
   redactValue,
   saveSnapshot,
   touchPage
-} from "./index-qk8dbvbc.js";
+} from "./index-dbhpykkz.js";
 import {
   getEventStoreDataDir
 } from "./index-t3x838zw.js";

package/dist/{index-qk8dbvbc.js → index-dbhpykkz.js}

@@ -508,9 +508,9 @@ function readPositiveInt(name, fallback) {
 
 // src/lib/redaction.ts
 var REDACTED = "[REDACTED]";
-var SENSITIVE_KEY = /(?:authorization|cookie|set-cookie|api[_-]?key|token|secret|password|passwd|pwd|private[_-]?key|access[_-]?token|refresh[_-]?token|session[_-]?secret|client[_-]?secret)/i;
-var SENSITIVE_FLAG = /^(?:authorization|auth|api[-_]?key|token|secret|password|passwd|pwd|private[-_]?key|access[-_]?token|refresh[-_]?token|session[-_]?secret|client[-_]?secret)$/i;
-var SENSITIVE_FLAG_NAME = /(?:authorization|api[-_]?key|token|secret|password|passwd|pwd|private[-_]?key|access[-_]?token|refresh[-_]?token|session[-_]?secret|client[-_]?secret)/i;
+var SENSITIVE_KEY = /(?:authorization|cookie|set-cookie|credentials?\b|api[_-]?key|token|secret|password|passwd|pwd|private[_-]?key|access[_-]?token|refresh[_-]?token|session[_-]?secret|client[_-]?(?:secret|credentials?))/i;
+var SENSITIVE_FLAG = /^(?:authorization|auth|credentials?|api[-_]?key|token|secret|password|passwd|pwd|private[-_]?key|access[-_]?token|refresh[-_]?token|session[-_]?secret|client[-_]?(?:secret|credentials?))$/i;
+var SENSITIVE_FLAG_NAME = /(?:authorization|credentials?\b|api[-_]?key|token|secret|password|passwd|pwd|private[-_]?key|access[-_]?token|refresh[-_]?token|session[-_]?secret|client[-_]?(?:secret|credentials?))/i;
 var STRING_PATTERNS = [
   {
     label: "openlogs_canary",
@@ -564,12 +564,12 @@ var STRING_PATTERNS = [
   },
   {
     label: "secret_assignment",
-    pattern: /\b(api[_-]?key|token|secret|password|passwd|pwd|access[_-]?token|refresh[_-]?token|client[_-]?secret)\s*[:=]\s*("[^"]*"|'[^']*'|[^\s,;&}]+)/gi,
-    replacement: (_match, key) => `${key}=${REDACTED}`
+    pattern: /(?<![?&])\b(credentials?|api[_-]?key|token|secret|password|passwd|pwd|access[_-]?token|refresh[_-]?token|client[_-]?(?:secret|credentials?))\s*[:=]\s*("[^"]*"|'[^']*'|[^\s,;&}]+)/gi,
+    replacement: (match, key, value) => isKnownNonSecretCredentialAssignment(key, value) ? match : `${key}=${REDACTED}`
   },
   {
     label: "secret_flag_argument",
-    pattern: /(--[A-Za-z0-9._-]*(?:authorization|api[-_]?key|token|secret|password|passwd|pwd|private[-_]?key|access[-_]?token|refresh[-_]?token|session[-_]?secret|client[-_]?secret)[A-Za-z0-9._-]*\s+)(?:"[^"]*"|'[^']*'|[^\s,;&}]+)/gi,
+    pattern: /(--[A-Za-z0-9._-]*(?:authorization|credentials?(?!ed)|api[-_]?key|token|secret|password|passwd|pwd|private[-_]?key|access[-_]?token|refresh[-_]?token|session[-_]?secret|client[-_]?(?:secret|credentials?(?!ed)))[A-Za-z0-9._-]*\s+)(?:"[^"]*"|'[^']*'|[^\s,;&}]+)/gi,
     replacement: (_match, prefix) => `${prefix}${REDACTED}`
   },
   {
@@ -579,7 +579,7 @@ var STRING_PATTERNS = [
   },
   {
     label: "secret_query_param",
-    pattern: /([?&](?:api[_-]?key|token|secret|password|passwd|pwd|access[_-]?token|refresh[_-]?token|auth|code)=)[^&#\s]+/gi,
+    pattern: /([?&](?:credentials?|api[_-]?key|token|secret|password|passwd|pwd|access[_-]?token|refresh[_-]?token|client[_-]?credentials?|auth|code)=)[^&#\s]+/gi,
     replacement: (_match, prefix) => `${prefix}${REDACTED}`
   }
 ];
@@ -622,11 +622,13 @@ function redactString(input, path = "$") {
   for (const { label, pattern, replacement } of STRING_PATTERNS) {
     let matched = false;
     output = output.replace(pattern, (...args) => {
-      matched = true;
-      replacements += 1;
-      if (typeof replacement === "function")
-        return replacement(args[0] ?? "", ...args.slice(1));
-      return replacement;
+      const original = args[0] ?? "";
+      const next = typeof replacement === "function" ? replacement(original, ...args.slice(1)) : replacement;
+      if (next !== original) {
+        matched = true;
+        replacements += 1;
+      }
+      return next;
     });
     if (matched)
       fields.push(`${path}:${label}`);
@@ -669,7 +671,7 @@ function redactValue(input, path = "$", depth = 0) {
   const reports = [];
   for (const [key, value] of Object.entries(input)) {
     const childPath = `${path}.${key}`;
-    if (SENSITIVE_KEY.test(key) && value !== null && value !== undefined) {
+    if (shouldRedactSensitiveKeyValue(key, value)) {
       values[key] = REDACTED;
       reports.push({ applied: true, fields: [childPath], replacements: 1 });
       continue;
@@ -705,6 +707,24 @@ function isSensitiveFlag(value) {
     return false;
   return SENSITIVE_FLAG.test(normalized) || SENSITIVE_FLAG_NAME.test(normalized) || SENSITIVE_KEY.test(normalized.replace(/-/g, "_"));
 }
+function shouldRedactSensitiveKeyValue(key, value) {
+  if (value === null || value === undefined)
+    return false;
+  if (!SENSITIVE_KEY.test(key))
+    return false;
+  return !isKnownNonSecretCredentialMode(key, value);
+}
+function isKnownNonSecretCredentialMode(key, value) {
+  return key.toLowerCase() === "credentials" && typeof value === "string" && isKnownFetchCredentialMode(value);
+}
+function isKnownNonSecretCredentialAssignment(key, value) {
+  return key.toLowerCase() === "credentials" && isKnownFetchCredentialMode(value);
+}
+function isKnownFetchCredentialMode(value) {
+  const trimmed = value.trim();
+  const unquoted = trimmed.startsWith('"') && trimmed.endsWith('"') || trimmed.startsWith("'") && trimmed.endsWith("'") ? trimmed.slice(1, -1) : trimmed;
+  return /^(?:include|omit|same-origin)$/i.test(unquoted);
+}
 
 // src/lib/ingest.ts
 var ERROR_LEVELS = new Set(["warn", "error", "fatal"]);

package/dist/mcp/index.js

@@ -93,7 +93,7 @@ import {
   searchTestReports,
   summarizeLogs,
   validateUniversalEventInput
-} from "../index-qk8dbvbc.js";
+} from "../index-dbhpykkz.js";
 import {
   getStoragePg,
   getStorageStatus,

package/dist/server/index.js

@@ -8,7 +8,7 @@ import {
   startScheduler,
   structuredLogPayloadToEntries,
   validateStructuredLogReferences
-} from "../index-y2y0mdtd.js";
+} from "../index-89jb7jg9.js";
 import {
   countLogs
 } from "../index-gcd14q2f.js";
@@ -50,7 +50,7 @@ import {
   updateAlertRule,
   updateProject,
   validateUniversalEventInput
-} from "../index-qk8dbvbc.js";
+} from "../index-dbhpykkz.js";
 import {
   getDb,
   getIssue,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hasna/logs",
-  "version": "0.3.28",
+  "version": "0.3.29",
   "description": "Log aggregation + browser script + headless page scanner + performance monitoring for AI agents",
   "type": "module",
   "main": "./dist/index.js",
@@ -19,7 +19,10 @@
     "logs-mcp": "./dist/mcp/index.js",
     "logs-serve": "./dist/server/index.js"
   },
-  "files": ["dist", "dashboard/dist"],
+  "files": [
+    "dist",
+    "dashboard/dist"
+  ],
   "scripts": {
     "build": "rm -rf dist && bun build src/cli/index.ts src/mcp/index.ts src/server/index.ts src/index.ts src/storage.ts --outdir dist --target bun --splitting --external playwright --external playwright-core --external electron --external chromium-bidi --external lighthouse",
     "build:dashboard": "cd dashboard && bun run build",