@mnemonik/shared 5.136.1 → 5.137.0

@@ -25,12 +25,5 @@
25
25
  */
26
26
  export declare const SECRET_REDACTION_PLACEHOLDER = "[REDACTED]";
27
27
  export declare const SECRET_PATTERNS: ReadonlyArray<RegExp>;
28
- /**
29
- * Replace recognized secret shapes in `text` with the redaction
30
- * placeholder. Returns the input unchanged when no patterns match.
31
- *
32
- * Idempotent: scrubbing already-scrubbed text returns the same text
33
- * (the placeholder itself doesn't match any pattern).
34
- */
35
28
  export declare function scrubSecrets(text: string): string;
36
29
  //# sourceMappingURL=secretPatterns.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"secretPatterns.d.ts","sourceRoot":"","sources":["../src/secretPatterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,eAAO,MAAM,4BAA4B,eAAe,CAAC;AAEzD,eAAO,MAAM,eAAe,EAAE,aAAa,CAAC,MAAM,CAYjD,CAAC;AAEF;;;;;;GAMG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAOjD"}
1
+ {"version":3,"file":"secretPatterns.d.ts","sourceRoot":"","sources":["../src/secretPatterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,eAAO,MAAM,4BAA4B,eAAe,CAAC;AAGzD,eAAO,MAAM,eAAe,EAAE,aAAa,CAAC,MAAM,CAYjD,CAAC;AAkBF,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CASjD"}
@@ -24,6 +24,7 @@
24
24
  * while catching the common credential leak vectors.
25
25
  */
26
26
  export const SECRET_REDACTION_PLACEHOLDER = '[REDACTED]';
27
+ // Shared by the scanner daemon and server-side scrub paths.
27
28
  export const SECRET_PATTERNS = [
28
29
  /(?:api[_-]?key|secret|token|password|credential|auth)\s*[:=]\s*\S+/gi,
29
30
  // Stripe-shape: (sk|pk)_(live|test)_<24+ alphanumerics>. Catches modern
@@ -44,12 +45,20 @@ export const SECRET_PATTERNS = [
44
45
  * Idempotent: scrubbing already-scrubbed text returns the same text
45
46
  * (the placeholder itself doesn't match any pattern).
46
47
  */
48
+ /**
49
+ * A key=value match whose value side is a code REFERENCE to an env read
50
+ * (`process.env.X`, `process.env['X']`, `import.meta.env.X`) contains no
51
+ * literal secret — redacting it destroys information (it blinded the
52
+ * doc-truth env_vars authority to every secret-named variable) without
53
+ * protecting anything.
54
+ */
55
+ const ENV_READ_VALUE_RE = /[:=]\s*(?:await\s+)?(?:process\.env[.[]|import\.meta\.env[.[])/;
47
56
  export function scrubSecrets(text) {
48
57
  if (!text)
49
58
  return text;
50
59
  let result = text;
51
60
  for (const pattern of SECRET_PATTERNS) {
52
- result = result.replace(pattern, SECRET_REDACTION_PLACEHOLDER);
61
+ result = result.replace(pattern, (match) => ENV_READ_VALUE_RE.test(match) ? match : SECRET_REDACTION_PLACEHOLDER);
53
62
  }
54
63
  return result;
55
64
  }
@@ -1 +1 @@
1
- {"version":3,"file":"secretPatterns.js","sourceRoot":"","sources":["../src/secretPatterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,MAAM,CAAC,MAAM,4BAA4B,GAAG,YAAY,CAAC;AAEzD,MAAM,CAAC,MAAM,eAAe,GAA0B;IACpD,sEAAsE;IACtE,wEAAwE;IACxE,oEAAoE;IACpE,qEAAqE;IACrE,kEAAkE;IAClE,2CAA2C;IAC3C,2CAA2C;IAC3C,gCAAgC;IAChC,sBAAsB;IACtB,0BAA0B;IAC1B,yDAAyD;CAC1D,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,UAAU,YAAY,CAAC,IAAY;IACvC,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IACvB,IAAI,MAAM,GAAG,IAAI,CAAC;IAClB,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;QACtC,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,4BAA4B,CAAC,CAAC;IACjE,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}
1
+ {"version":3,"file":"secretPatterns.js","sourceRoot":"","sources":["../src/secretPatterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,MAAM,CAAC,MAAM,4BAA4B,GAAG,YAAY,CAAC;AAEzD,4DAA4D;AAC5D,MAAM,CAAC,MAAM,eAAe,GAA0B;IACpD,sEAAsE;IACtE,wEAAwE;IACxE,oEAAoE;IACpE,qEAAqE;IACrE,kEAAkE;IAClE,2CAA2C;IAC3C,2CAA2C;IAC3C,gCAAgC;IAChC,sBAAsB;IACtB,0BAA0B;IAC1B,yDAAyD;CAC1D,CAAC;AAEF;;;;;;GAMG;AACH;;;;;;GAMG;AACH,MAAM,iBAAiB,GAAG,gEAAgE,CAAC;AAE3F,MAAM,UAAU,YAAY,CAAC,IAAY;IACvC,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IACvB,IAAI,MAAM,GAAG,IAAI,CAAC;IAClB,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;QACtC,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,KAAK,EAAE,EAAE,CACzC,iBAAiB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,4BAA4B,CACrE,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}
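--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@mnemonik/shared",
- "version": "5.136.1",
+ "version": "5.137.0",
  "description": "Shared constants and utilities for Mnemonik packages",
  "type": "module",
  "main": "dist/index.js",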
@@ -26,6 +26,7 @@
26
26
 
27
27
  export const SECRET_REDACTION_PLACEHOLDER = '[REDACTED]';
28
28
 
29
+ // Shared by the scanner daemon and server-side scrub paths.
29
30
  export const SECRET_PATTERNS: ReadonlyArray<RegExp> = [
30
31
  /(?:api[_-]?key|secret|token|password|credential|auth)\s*[:=]\s*\S+/gi,
31
32
  // Stripe-shape: (sk|pk)_(live|test)_<24+ alphanumerics>. Catches modern
@@ -47,11 +48,22 @@ export const SECRET_PATTERNS: ReadonlyArray<RegExp> = [
47
48
  * Idempotent: scrubbing already-scrubbed text returns the same text
48
49
  * (the placeholder itself doesn't match any pattern).
49
50
  */
51
+ /**
52
+ * A key=value match whose value side is a code REFERENCE to an env read
53
+ * (`process.env.X`, `process.env['X']`, `import.meta.env.X`) contains no
54
+ * literal secret — redacting it destroys information (it blinded the
55
+ * doc-truth env_vars authority to every secret-named variable) without
56
+ * protecting anything.
57
+ */
58
+ const ENV_READ_VALUE_RE = /[:=]\s*(?:await\s+)?(?:process\.env[.[]|import\.meta\.env[.[])/;
59
+
50
60
  export function scrubSecrets(text: string): string {
51
61
  if (!text) return text;
52
62
  let result = text;
53
63
  for (const pattern of SECRET_PATTERNS) {
54
- result = result.replace(pattern, SECRET_REDACTION_PLACEHOLDER);
64
+ result = result.replace(pattern, (match) =>
65
+ ENV_READ_VALUE_RE.test(match) ? match : SECRET_REDACTION_PLACEHOLDER
66
+ );
55
67
  }
56
68
  return result;
57
69
  }
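Review bot: The exemption in the `replace` callback is decided by an unanchored `ENV_READ_VALUE_RE.test(match)`, so a match that merely contains `=process.env.` or `:import.meta.env[` somewhere is returned unredacted even when a literal value sits in the same `\S+` run (constructed example: a whitespace-free `token=LITERAL;x=process.env.Y`, or an env read followed by an inline literal fallback). Because this is the scrub path for secrets, the check should fail closed and require the whole value side to be an env reference, for example `const ENV_READ_VALUE_RE = /^[^:=]*[:=]\s*(?:await\s+)?(?:process\.env|import\.meta\.env)(?:\.[A-Za-z_$][\w$]*|\[['"][\w$]+['"]\])[,;)}]*$/;`. The callback also runs for every entry of `SECRET_PATTERNS`, most of which are outside this hunk, so the exemption may be better limited to the key=value pattern. The new constant and its comment were inserted between the `scrubSecrets` JSDoc and the function, which appears to be why the published declaration file lost that docstring; moving the constant above the JSDoc and adding a line such as `Matches whose value is only an env read are left unchanged.` would restore it. The same code is in the compiled JS section earlier on this page.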