@lifeaitools/clauth 0.4.1 → 0.5.1

package/cli/commands/scrub.js

@@ -1,231 +1,231 @@
-// cli/commands/scrub.js — Scrub credentials from Claude Code transcript logs
-//
-// clauth scrub          → scrub active transcript (most recent .jsonl)
-// clauth scrub <file>   → scrub a specific file
-// clauth scrub all      → scrub every transcript .jsonl
-// clauth scrub --force  → rescrub even if already marked
-
-import fs from "fs";
-import path from "path";
-import os from "os";
-import chalk from "chalk";
-import ora from "ora";
-
-const SCRUB_MARKER = "[CLAUTH-SCRUBBED]";
-const SCRUB_VERSION = "1.1";
-
-// ──────────────────────────────────────────────
-// Credential patterns — regex + replacement
-// ──────────────────────────────────────────────
-const PATTERNS = [
-  // Supabase JWTs (anon, service_role)
-  [/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g,
-   "[SUPABASE_JWT_REDACTED]"],
-
-  // Vercel tokens
-  [/vcp_[A-Za-z0-9]{20,80}/g,
-   "[VERCEL_TOKEN_REDACTED]"],
-
-  // R2 / S3 secret access keys (64-char hex)
-  [/"secret_access_key"\s*:\s*"[a-f0-9]{64}"/g,
-   '"secret_access_key": "[R2_SECRET_REDACTED]"'],
-
-  // R2 / S3 access key IDs (32-char hex)
-  [/"access_key_id"\s*:\s*"[a-f0-9]{32}"/g,
-   '"access_key_id": "[R2_KEY_REDACTED]"'],
-
-  // Cloudflare admin tokens
-  [/"admin_token"\s*:\s*"[A-Za-z0-9_-]{20,60}"/g,
-   '"admin_token": "[CF_TOKEN_REDACTED]"'],
-
-  // Cloudflare account IDs (32-char hex)
-  [/"account_id"\s*:\s*"[a-f0-9]{32}"/g,
-   '"account_id": "[CF_ACCOUNT_REDACTED]"'],
-
-  // GitHub tokens
-  [/ghp_[A-Za-z0-9]{36}/g,
-   "[GITHUB_TOKEN_REDACTED]"],
-  [/github_pat_[A-Za-z0-9_]{40,100}/g,
-   "[GITHUB_PAT_REDACTED]"],
-
-  // Neo4j connection strings with passwords
-  [/neo4j\+s?:\/\/[^"\\]+/g,
-   "[NEO4J_CONNSTRING_REDACTED]"],
-
-  // Generic Bearer tokens in Authorization headers
-  [/Bearer [A-Za-z0-9_-]{20,}/g,
-   "Bearer [TOKEN_REDACTED]"],
-];
-
-// ──────────────────────────────────────────────
-// Marker check — read last 512 bytes
-// ──────────────────────────────────────────────
-function isAlreadyScrubbed(filePath) {
-  try {
-    const stat = fs.statSync(filePath);
-    const fd = fs.openSync(filePath, "r");
-    const bufSize = Math.min(512, stat.size);
-    const buf = Buffer.alloc(bufSize);
-    fs.readSync(fd, buf, 0, bufSize, Math.max(0, stat.size - bufSize));
-    fs.closeSync(fd);
-
-    const tail = buf.toString("utf-8");
-    const lastLine = tail.trim().split("\n").pop();
-    if (lastLine && lastLine.includes(SCRUB_MARKER)) {
-      try {
-        const marker = JSON.parse(lastLine);
-        return marker.version === SCRUB_VERSION;
-      } catch { return false; }
-    }
-    return false;
-  } catch { return false; }
-}
-
-// ──────────────────────────────────────────────
-// Stamp file as scrubbed
-// ──────────────────────────────────────────────
-function stampScrubbed(filePath) {
-  const marker = JSON.stringify({
-    type: SCRUB_MARKER,
-    version: SCRUB_VERSION,
-    scrubbed_at: new Date().toISOString(),
-    patterns: PATTERNS.length,
-  });
-  fs.appendFileSync(filePath, "\n" + marker + "\n", "utf-8");
-}
-
-// ──────────────────────────────────────────────
-// Scrub a single file
-// ──────────────────────────────────────────────
-function scrubFile(filePath, force = false) {
-  if (!force && isAlreadyScrubbed(filePath)) {
-    return "skipped";
-  }
-
-  let content = fs.readFileSync(filePath, "utf-8");
-  let total = 0;
-
-  for (const [pattern, replacement] of PATTERNS) {
-    // Reset lastIndex for global regexes
-    pattern.lastIndex = 0;
-    const matches = content.match(pattern);
-    if (matches) {
-      total += matches.length;
-      content = content.replace(pattern, replacement);
-    }
-  }
-
-  if (total > 0) {
-    fs.writeFileSync(filePath, content, "utf-8");
-  }
-
-  // Stamp as clean (whether creds found or not)
-  stampScrubbed(filePath);
-  return total;
-}
-
-// ──────────────────────────────────────────────
-// Find all transcript .jsonl files
-// ──────────────────────────────────────────────
-function findTranscripts() {
-  const claudeDir = path.join(os.homedir(), ".claude", "projects");
-  if (!fs.existsSync(claudeDir)) return [];
-
-  const results = [];
-  function walk(dir) {
-    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
-      const full = path.join(dir, entry.name);
-      if (entry.isDirectory()) walk(full);
-      else if (entry.name.endsWith(".jsonl")) results.push(full);
-    }
-  }
-  walk(claudeDir);
-  return results;
-}
-
-// ──────────────────────────────────────────────
-// Find the most recent transcript (active session)
-// ──────────────────────────────────────────────
-function findMostRecent() {
-  const files = findTranscripts();
-  if (files.length === 0) return null;
-
-  let newest = files[0];
-  let newestMtime = fs.statSync(files[0]).mtimeMs;
-  for (const f of files.slice(1)) {
-    const mt = fs.statSync(f).mtimeMs;
-    if (mt > newestMtime) { newest = f; newestMtime = mt; }
-  }
-  return newest;
-}
-
-// ──────────────────────────────────────────────
-// Exported runner
-// ──────────────────────────────────────────────
-export async function runScrub(target, opts = {}) {
-  const force = opts.force || false;
-
-  // Determine which files to scrub
-  let files;
-  if (target === "all") {
-    files = findTranscripts();
-    if (files.length === 0) {
-      console.log(chalk.yellow("\n  No transcript files found.\n"));
-      return;
-    }
-    console.log(chalk.cyan(`\n  Scrubbing ${files.length} transcript file(s)...\n`));
-  } else if (target && target !== "all") {
-    // Specific file
-    const resolved = path.resolve(target);
-    if (!fs.existsSync(resolved)) {
-      console.log(chalk.red(`\n  File not found: ${resolved}\n`));
-      process.exit(1);
-    }
-    files = [resolved];
-  } else {
-    // No target — find most recent
-    const recent = findMostRecent();
-    if (!recent) {
-      console.log(chalk.yellow("\n  No transcript files found.\n"));
-      return;
-    }
-    files = [recent];
-    console.log(chalk.gray(`\n  Active transcript: ${path.basename(recent)}`));
-  }
-
-  // Scrub
-  const spinner = ora("Scrubbing credentials...").start();
-  let grandTotal = 0;
-  let skipped = 0;
-  let scanned = 0;
-
-  for (const f of files) {
-    const result = scrubFile(f, force);
-    if (result === "skipped") {
-      skipped++;
-    } else {
-      scanned++;
-      if (result > 0) {
-        spinner.stop();
-        console.log(chalk.yellow(`  ${result} redaction(s) in ${path.basename(f)}`));
-        spinner.start("Scrubbing credentials...");
-        grandTotal += result;
-      }
-    }
-  }
-
-  spinner.stop();
-
-  // Summary
-  const parts = [];
-  if (scanned) parts.push(`scanned ${scanned}`);
-  if (skipped) parts.push(chalk.gray(`skipped ${skipped} (already clean)`));
-  if (grandTotal) parts.push(chalk.green(`${grandTotal} credential(s) scrubbed`));
-  else if (scanned) parts.push(chalk.green("no credentials found"));
-
-  console.log(`\n  ${files.length} file(s): ${parts.join(", ")}.`);
-  if (skipped && !force) {
-    console.log(chalk.gray("  (use --force to rescan all files)"));
-  }
-  console.log();
-}
+// cli/commands/scrub.js — Scrub credentials from Claude Code transcript logs
+//
+// clauth scrub          → scrub active transcript (most recent .jsonl)
+// clauth scrub <file>   → scrub a specific file
+// clauth scrub all      → scrub every transcript .jsonl
+// clauth scrub --force  → rescrub even if already marked
+
+import fs from "fs";
+import path from "path";
+import os from "os";
+import chalk from "chalk";
+import ora from "ora";
+
+const SCRUB_MARKER = "[CLAUTH-SCRUBBED]";
+const SCRUB_VERSION = "1.1";
+
+// ──────────────────────────────────────────────
+// Credential patterns — regex + replacement
+// ──────────────────────────────────────────────
+const PATTERNS = [
+  // Supabase JWTs (anon, service_role)
+  [/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g,
+   "[SUPABASE_JWT_REDACTED]"],
+
+  // Vercel tokens
+  [/vcp_[A-Za-z0-9]{20,80}/g,
+   "[VERCEL_TOKEN_REDACTED]"],
+
+  // R2 / S3 secret access keys (64-char hex)
+  [/"secret_access_key"\s*:\s*"[a-f0-9]{64}"/g,
+   '"secret_access_key": "[R2_SECRET_REDACTED]"'],
+
+  // R2 / S3 access key IDs (32-char hex)
+  [/"access_key_id"\s*:\s*"[a-f0-9]{32}"/g,
+   '"access_key_id": "[R2_KEY_REDACTED]"'],
+
+  // Cloudflare admin tokens
+  [/"admin_token"\s*:\s*"[A-Za-z0-9_-]{20,60}"/g,
+   '"admin_token": "[CF_TOKEN_REDACTED]"'],
+
+  // Cloudflare account IDs (32-char hex)
+  [/"account_id"\s*:\s*"[a-f0-9]{32}"/g,
+   '"account_id": "[CF_ACCOUNT_REDACTED]"'],
+
+  // GitHub tokens
+  [/ghp_[A-Za-z0-9]{36}/g,
+   "[GITHUB_TOKEN_REDACTED]"],
+  [/github_pat_[A-Za-z0-9_]{40,100}/g,
+   "[GITHUB_PAT_REDACTED]"],
+
+  // Neo4j connection strings with passwords
+  [/neo4j\+s?:\/\/[^"\\]+/g,
+   "[NEO4J_CONNSTRING_REDACTED]"],
+
+  // Generic Bearer tokens in Authorization headers
+  [/Bearer [A-Za-z0-9_-]{20,}/g,
+   "Bearer [TOKEN_REDACTED]"],
+];
+
+// ──────────────────────────────────────────────
+// Marker check — read last 512 bytes
+// ──────────────────────────────────────────────
+function isAlreadyScrubbed(filePath) {
+  try {
+    const stat = fs.statSync(filePath);
+    const fd = fs.openSync(filePath, "r");
+    const bufSize = Math.min(512, stat.size);
+    const buf = Buffer.alloc(bufSize);
+    fs.readSync(fd, buf, 0, bufSize, Math.max(0, stat.size - bufSize));
+    fs.closeSync(fd);
+
+    const tail = buf.toString("utf-8");
+    const lastLine = tail.trim().split("\n").pop();
+    if (lastLine && lastLine.includes(SCRUB_MARKER)) {
+      try {
+        const marker = JSON.parse(lastLine);
+        return marker.version === SCRUB_VERSION;
+      } catch { return false; }
+    }
+    return false;
+  } catch { return false; }
+}
+
+// ──────────────────────────────────────────────
+// Stamp file as scrubbed
+// ──────────────────────────────────────────────
+function stampScrubbed(filePath) {
+  const marker = JSON.stringify({
+    type: SCRUB_MARKER,
+    version: SCRUB_VERSION,
+    scrubbed_at: new Date().toISOString(),
+    patterns: PATTERNS.length,
+  });
+  fs.appendFileSync(filePath, "\n" + marker + "\n", "utf-8");
+}
+
+// ──────────────────────────────────────────────
+// Scrub a single file
+// ──────────────────────────────────────────────
+function scrubFile(filePath, force = false) {
+  if (!force && isAlreadyScrubbed(filePath)) {
+    return "skipped";
+  }
+
+  let content = fs.readFileSync(filePath, "utf-8");
+  let total = 0;
+
+  for (const [pattern, replacement] of PATTERNS) {
+    // Reset lastIndex for global regexes
+    pattern.lastIndex = 0;
+    const matches = content.match(pattern);
+    if (matches) {
+      total += matches.length;
+      content = content.replace(pattern, replacement);
+    }
+  }
+
+  if (total > 0) {
+    fs.writeFileSync(filePath, content, "utf-8");
+  }
+
+  // Stamp as clean (whether creds found or not)
+  stampScrubbed(filePath);
+  return total;
+}
+
+// ──────────────────────────────────────────────
+// Find all transcript .jsonl files
+// ──────────────────────────────────────────────
+function findTranscripts() {
+  const claudeDir = path.join(os.homedir(), ".claude", "projects");
+  if (!fs.existsSync(claudeDir)) return [];
+
+  const results = [];
+  function walk(dir) {
+    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+      const full = path.join(dir, entry.name);
+      if (entry.isDirectory()) walk(full);
+      else if (entry.name.endsWith(".jsonl")) results.push(full);
+    }
+  }
+  walk(claudeDir);
+  return results;
+}
+
+// ──────────────────────────────────────────────
+// Find the most recent transcript (active session)
+// ──────────────────────────────────────────────
+function findMostRecent() {
+  const files = findTranscripts();
+  if (files.length === 0) return null;
+
+  let newest = files[0];
+  let newestMtime = fs.statSync(files[0]).mtimeMs;
+  for (const f of files.slice(1)) {
+    const mt = fs.statSync(f).mtimeMs;
+    if (mt > newestMtime) { newest = f; newestMtime = mt; }
+  }
+  return newest;
+}
+
+// ──────────────────────────────────────────────
+// Exported runner
+// ──────────────────────────────────────────────
+export async function runScrub(target, opts = {}) {
+  const force = opts.force || false;
+
+  // Determine which files to scrub
+  let files;
+  if (target === "all") {
+    files = findTranscripts();
+    if (files.length === 0) {
+      console.log(chalk.yellow("\n  No transcript files found.\n"));
+      return;
+    }
+    console.log(chalk.cyan(`\n  Scrubbing ${files.length} transcript file(s)...\n`));
+  } else if (target && target !== "all") {
+    // Specific file
+    const resolved = path.resolve(target);
+    if (!fs.existsSync(resolved)) {
+      console.log(chalk.red(`\n  File not found: ${resolved}\n`));
+      process.exit(1);
+    }
+    files = [resolved];
+  } else {
+    // No target — find most recent
+    const recent = findMostRecent();
+    if (!recent) {
+      console.log(chalk.yellow("\n  No transcript files found.\n"));
+      return;
+    }
+    files = [recent];
+    console.log(chalk.gray(`\n  Active transcript: ${path.basename(recent)}`));
+  }
+
+  // Scrub
+  const spinner = ora("Scrubbing credentials...").start();
+  let grandTotal = 0;
+  let skipped = 0;
+  let scanned = 0;
+
+  for (const f of files) {
+    const result = scrubFile(f, force);
+    if (result === "skipped") {
+      skipped++;
+    } else {
+      scanned++;
+      if (result > 0) {
+        spinner.stop();
+        console.log(chalk.yellow(`  ${result} redaction(s) in ${path.basename(f)}`));
+        spinner.start("Scrubbing credentials...");
+        grandTotal += result;
+      }
+    }
+  }
+
+  spinner.stop();
+
+  // Summary
+  const parts = [];
+  if (scanned) parts.push(`scanned ${scanned}`);
+  if (skipped) parts.push(chalk.gray(`skipped ${skipped} (already clean)`));
+  if (grandTotal) parts.push(chalk.green(`${grandTotal} credential(s) scrubbed`));
+  else if (scanned) parts.push(chalk.green("no credentials found"));
+
+  console.log(`\n  ${files.length} file(s): ${parts.join(", ")}.`);
+  if (skipped && !force) {
+    console.log(chalk.gray("  (use --force to rescan all files)"));
+  }
+  console.log();
+}