@hasna/logs 0.3.28 → 0.3.30

package/dist/cli/index.js

@@ -8,7 +8,7 @@ import {
   runJob,
   structuredLogToEntry,
   validateStructuredLogReferences
-} from "../index-y2y0mdtd.js";
+} from "../index-k9w7zfsv.js";
 import {
   PACKAGE_VERSION,
   createPage,
@@ -30,7 +30,7 @@ import {
   searchTestReports,
   summarizeLogs,
   validateUniversalEventInput
-} from "../index-qk8dbvbc.js";
+} from "../index-mx0f61s2.js";
 import {
   getStorageStatus,
   storagePull,

package/dist/{index-y2y0mdtd.js → index-k9w7zfsv.js}

@@ -8,7 +8,7 @@ import {
   redactValue,
   saveSnapshot,
   touchPage
-} from "./index-qk8dbvbc.js";
+} from "./index-mx0f61s2.js";
 import {
   getEventStoreDataDir
 } from "./index-t3x838zw.js";

package/dist/{index-qk8dbvbc.js → index-mx0f61s2.js}

@@ -237,7 +237,7 @@ async function fireAlert(db, rule, count) {
 }
 
 // src/lib/ingest.ts
-import { randomBytes } from "crypto";
+import { createHash, randomBytes } from "crypto";
 
 // src/lib/event-bus.ts
 class LogEventBus {
@@ -508,9 +508,26 @@ function readPositiveInt(name, fallback) {
 
 // src/lib/redaction.ts
 var REDACTED = "[REDACTED]";
-var SENSITIVE_KEY = /(?:authorization|cookie|set-cookie|api[_-]?key|token|secret|password|passwd|pwd|private[_-]?key|access[_-]?token|refresh[_-]?token|session[_-]?secret|client[_-]?secret)/i;
-var SENSITIVE_FLAG = /^(?:authorization|auth|api[-_]?key|token|secret|password|passwd|pwd|private[-_]?key|access[-_]?token|refresh[-_]?token|session[-_]?secret|client[-_]?secret)$/i;
-var SENSITIVE_FLAG_NAME = /(?:authorization|api[-_]?key|token|secret|password|passwd|pwd|private[-_]?key|access[-_]?token|refresh[-_]?token|session[-_]?secret|client[-_]?secret)/i;
+var SENSITIVE_KEY = /(?:authorization|cookie|set-cookie|credentials?\b|api[_-]?key|token|secret|password|passwd|pwd|private[_-]?key|access[_-]?token|refresh[_-]?token|session[_-]?secret|client[_-]?(?:secret|credentials?))/i;
+var SENSITIVE_FLAG = /^(?:authorization|auth|credentials?|api[-_]?key|token|secret|password|passwd|pwd|private[-_]?key|access[-_]?token|refresh[-_]?token|session[-_]?secret|client[-_]?(?:secret|credentials?))$/i;
+var SENSITIVE_FLAG_NAME = /(?:authorization|credentials?\b|api[-_]?key|token|secret|password|passwd|pwd|private[-_]?key|access[-_]?token|refresh[-_]?token|session[-_]?secret|client[-_]?(?:secret|credentials?))/i;
+var LOG_ENTRY_REDACTABLE_TOP_LEVEL_FIELDS = [
+  "id",
+  "source_event_id",
+  "service",
+  "machine_id",
+  "repo_id",
+  "app_id",
+  "process_id",
+  "run_id",
+  "trace_id",
+  "span_id",
+  "parent_span_id",
+  "session_id",
+  "release_id",
+  "environment",
+  "agent"
+];
 var STRING_PATTERNS = [
   {
     label: "openlogs_canary",
@@ -564,12 +581,12 @@ var STRING_PATTERNS = [
   },
   {
     label: "secret_assignment",
-    pattern: /\b(api[_-]?key|token|secret|password|passwd|pwd|access[_-]?token|refresh[_-]?token|client[_-]?secret)\s*[:=]\s*("[^"]*"|'[^']*'|[^\s,;&}]+)/gi,
-    replacement: (_match, key) => `${key}=${REDACTED}`
+    pattern: /(?<![?&])\b(credentials?|api[_-]?key|token|secret|password|passwd|pwd|access[_-]?token|refresh[_-]?token|client[_-]?(?:secret|credentials?))\s*[:=]\s*("[^"]*"|'[^']*'|[^\s,;&}]+)/gi,
+    replacement: (match, key, value) => isKnownNonSecretCredentialAssignment(key, value) ? match : `${key}=${REDACTED}`
   },
   {
     label: "secret_flag_argument",
-    pattern: /(--[A-Za-z0-9._-]*(?:authorization|api[-_]?key|token|secret|password|passwd|pwd|private[-_]?key|access[-_]?token|refresh[-_]?token|session[-_]?secret|client[-_]?secret)[A-Za-z0-9._-]*\s+)(?:"[^"]*"|'[^']*'|[^\s,;&}]+)/gi,
+    pattern: /(--[A-Za-z0-9._-]*(?:authorization|credentials?(?!ed)|api[-_]?key|token|secret|password|passwd|pwd|private[-_]?key|access[-_]?token|refresh[-_]?token|session[-_]?secret|client[-_]?(?:secret|credentials?(?!ed)))[A-Za-z0-9._-]*\s+)(?:"[^"]*"|'[^']*'|[^\s,;&}]+)/gi,
     replacement: (_match, prefix) => `${prefix}${REDACTED}`
   },
   {
@@ -579,13 +596,21 @@ var STRING_PATTERNS = [
   },
   {
     label: "secret_query_param",
-    pattern: /([?&](?:api[_-]?key|token|secret|password|passwd|pwd|access[_-]?token|refresh[_-]?token|auth|code)=)[^&#\s]+/gi,
+    pattern: /([?&](?:credentials?|api[_-]?key|token|secret|password|passwd|pwd|access[_-]?token|refresh[_-]?token|client[_-]?credentials?|auth|code)=)[^&#\s]+/gi,
     replacement: (_match, prefix) => `${prefix}${REDACTED}`
   }
 ];
 function redactLogEntry(entry) {
   const reports = [];
   const next = { ...entry };
+  for (const field of LOG_ENTRY_REDACTABLE_TOP_LEVEL_FIELDS) {
+    const value = entry[field];
+    if (typeof value !== "string")
+      continue;
+    const result = redactString(value, field);
+    next[field] = result.value;
+    reports.push(result.report);
+  }
   if (typeof entry.message === "string") {
     const result = redactString(entry.message, "message");
     next.message = result.value;
@@ -622,11 +647,13 @@ function redactString(input, path = "$") {
   for (const { label, pattern, replacement } of STRING_PATTERNS) {
     let matched = false;
     output = output.replace(pattern, (...args) => {
-      matched = true;
-      replacements += 1;
-      if (typeof replacement === "function")
-        return replacement(args[0] ?? "", ...args.slice(1));
-      return replacement;
+      const original = args[0] ?? "";
+      const next = typeof replacement === "function" ? replacement(original, ...args.slice(1)) : replacement;
+      if (next !== original) {
+        matched = true;
+        replacements += 1;
+      }
+      return next;
     });
     if (matched)
       fields.push(`${path}:${label}`);
@@ -669,7 +696,7 @@ function redactValue(input, path = "$", depth = 0) {
   const reports = [];
   for (const [key, value] of Object.entries(input)) {
     const childPath = `${path}.${key}`;
-    if (SENSITIVE_KEY.test(key) && value !== null && value !== undefined) {
+    if (shouldRedactSensitiveKeyValue(key, value)) {
       values[key] = REDACTED;
       reports.push({ applied: true, fields: [childPath], replacements: 1 });
       continue;
@@ -705,6 +732,24 @@ function isSensitiveFlag(value) {
     return false;
   return SENSITIVE_FLAG.test(normalized) || SENSITIVE_FLAG_NAME.test(normalized) || SENSITIVE_KEY.test(normalized.replace(/-/g, "_"));
 }
+function shouldRedactSensitiveKeyValue(key, value) {
+  if (value === null || value === undefined)
+    return false;
+  if (!SENSITIVE_KEY.test(key))
+    return false;
+  return !isKnownNonSecretCredentialMode(key, value);
+}
+function isKnownNonSecretCredentialMode(key, value) {
+  return key.toLowerCase() === "credentials" && typeof value === "string" && isKnownFetchCredentialMode(value);
+}
+function isKnownNonSecretCredentialAssignment(key, value) {
+  return key.toLowerCase() === "credentials" && isKnownFetchCredentialMode(value);
+}
+function isKnownFetchCredentialMode(value) {
+  const trimmed = value.trim();
+  const unquoted = trimmed.startsWith('"') && trimmed.endsWith('"') || trimmed.startsWith("'") && trimmed.endsWith("'") ? trimmed.slice(1, -1) : trimmed;
+  return /^(?:include|omit|same-origin)$/i.test(unquoted);
+}
 
 // src/lib/ingest.ts
 var ERROR_LEVELS = new Set(["warn", "error", "fatal"]);
@@ -712,7 +757,8 @@ function ingestLog(db, entry) {
   return withEventStoreLock(db, () => ingestLogLocked(db, entry));
 }
 function ingestLogLocked(db, entry) {
-  const eventId = entry.id ?? createEventId();
+  const eventIdRedaction = typeof entry.id === "string" ? redactString(entry.id, "id") : null;
+  const eventId = entry.id ? eventIdRedaction?.report.applied ? createRedactedEventId(entry.id) : entry.id : createEventId();
   const existing = db.prepare("SELECT * FROM logs WHERE id = ?").get(eventId);
   if (existing)
     return existing;
@@ -730,6 +776,14 @@ function ingestLogLocked(db, entry) {
   };
   const redacted = redactLogEntry(normalized);
   const safeEntry = redacted.value;
+  if (eventIdRedaction?.report.applied) {
+    const report = mergeRedactionReports(eventIdRedaction.report, redacted.report);
+    safeEntry.metadata = {
+      ...safeEntry.metadata ?? {},
+      redaction: redactionMetadata(report)
+    };
+  }
+  const safeSourceEventId = safeEntry.source_event_id ?? null;
   const identity = extractIdentity(safeEntry);
   const envelope = createLogEnvelope(safeEntry, eventId, eventTime, ingestTime, identity);
   const write = appendRawEvent(db, envelope);
@@ -758,7 +812,7 @@ function ingestLogLocked(db, entry) {
     indexRawEvent(db, {
       event_id: eventId,
       schema_version: envelope.schema_version,
-      source_event_id: sourceEventId,
+      source_event_id: safeSourceEventId,
       event_type: envelope.type,
       event_time: eventTime,
       ingest_time: ingestTime,
@@ -898,6 +952,10 @@ function stringMetadata(metadata, key) {
 function createEventId() {
   return randomBytes(16).toString("hex");
 }
+function createRedactedEventId(value) {
+  const digest = createHash("sha256").update(value).digest("hex").slice(0, 32);
+  return `log_redacted_${digest}`;
+}
 
 // src/lib/package-meta.ts
 import { existsSync, readFileSync } from "fs";
@@ -1282,7 +1340,7 @@ function clampNonNegativeInt2(value, fallback) {
 }
 
 // src/lib/universal-ingest.ts
-import { createHash, randomBytes as randomBytes2 } from "crypto";
+import { createHash as createHash2, randomBytes as randomBytes2 } from "crypto";
 var UNIVERSAL_EVENT_TYPES = [
   "log",
   "exception",
@@ -1802,7 +1860,7 @@ function normalizeIsoTime(value, field) {
 function deterministicSourceEventId(source, sourceEventId) {
   if (!sourceEventId)
     return;
-  const digest = createHash("sha256").update(source).update("\x00").update(sourceEventId).digest("hex").slice(0, 32);
+  const digest = createHash2("sha256").update(source).update("\x00").update(sourceEventId).digest("hex").slice(0, 32);
   return `evt_src_${digest}`;
 }
 function compactObject(value) {

package/dist/mcp/index.js

@@ -93,7 +93,7 @@ import {
   searchTestReports,
   summarizeLogs,
   validateUniversalEventInput
-} from "../index-qk8dbvbc.js";
+} from "../index-mx0f61s2.js";
 import {
   getStoragePg,
   getStorageStatus,

package/dist/server/index.js

@@ -8,7 +8,7 @@ import {
   startScheduler,
   structuredLogPayloadToEntries,
   validateStructuredLogReferences
-} from "../index-y2y0mdtd.js";
+} from "../index-k9w7zfsv.js";
 import {
   countLogs
 } from "../index-gcd14q2f.js";
@@ -50,7 +50,7 @@ import {
   updateAlertRule,
   updateProject,
   validateUniversalEventInput
-} from "../index-qk8dbvbc.js";
+} from "../index-mx0f61s2.js";
 import {
   getDb,
   getIssue,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hasna/logs",
-  "version": "0.3.28",
+  "version": "0.3.30",
   "description": "Log aggregation + browser script + headless page scanner + performance monitoring for AI agents",
   "type": "module",
   "main": "./dist/index.js",
@@ -19,7 +19,10 @@
     "logs-mcp": "./dist/mcp/index.js",
     "logs-serve": "./dist/server/index.js"
   },
-  "files": ["dist", "dashboard/dist"],
+  "files": [
+    "dist",
+    "dashboard/dist"
+  ],
   "scripts": {
     "build": "rm -rf dist && bun build src/cli/index.ts src/mcp/index.ts src/server/index.ts src/index.ts src/storage.ts --outdir dist --target bun --splitting --external playwright --external playwright-core --external electron --external chromium-bidi --external lighthouse",
     "build:dashboard": "cd dashboard && bun run build",