npm - @mushi-mushi/core - Versions diffs - 0.2.0 → 0.3.0 - Mend

@mushi-mushi/core 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/index.js CHANGED Viewed

@@ -348,6 +348,98 @@ var noopLogger = {
   }
 };
+// src/queue-crypto.ts
+var KEY_DB = "mushi-mushi-keyring";
+var KEY_STORE = "keys";
+var KEY_RECORD_ID = "offline-queue/v1";
+var cachedKey = null;
+var cachedKeyPromise = null;
+function hasWebCrypto() {
+  return typeof globalThis !== "undefined" && typeof globalThis.crypto !== "undefined" && typeof globalThis.crypto.subtle !== "undefined" && typeof indexedDB !== "undefined";
+}
+function openKeyDb() {
+  return new Promise((resolve, reject) => {
+    const req = indexedDB.open(KEY_DB, 1);
+    req.onupgradeneeded = () => {
+      const db = req.result;
+      if (!db.objectStoreNames.contains(KEY_STORE)) {
+        db.createObjectStore(KEY_STORE);
+      }
+    };
+    req.onsuccess = () => resolve(req.result);
+    req.onerror = () => reject(req.error);
+  });
+}
+async function loadKey() {
+  const db = await openKeyDb();
+  return new Promise((resolve, reject) => {
+    const tx = db.transaction(KEY_STORE, "readonly");
+    const req = tx.objectStore(KEY_STORE).get(KEY_RECORD_ID);
+    req.onsuccess = () => resolve(req.result ?? null);
+    req.onerror = () => reject(req.error);
+  });
+}
+async function storeKey(key) {
+  const db = await openKeyDb();
+  return new Promise((resolve, reject) => {
+    const tx = db.transaction(KEY_STORE, "readwrite");
+    tx.objectStore(KEY_STORE).put(key, KEY_RECORD_ID);
+    tx.oncomplete = () => resolve();
+    tx.onerror = () => reject(tx.error);
+  });
+}
+async function getOfflineQueueKey() {
+  if (cachedKey) return cachedKey;
+  if (cachedKeyPromise) return cachedKeyPromise;
+  if (!hasWebCrypto()) {
+    throw new Error("Web Crypto + IndexedDB required for offline queue encryption");
+  }
+  cachedKeyPromise = (async () => {
+    const existing = await loadKey();
+    if (existing) {
+      cachedKey = existing;
+      return existing;
+    }
+    const key = await crypto.subtle.generateKey(
+      { name: "AES-GCM", length: 256 },
+      false,
+      ["encrypt", "decrypt"]
+    );
+    await storeKey(key);
+    cachedKey = key;
+    return key;
+  })();
+  return cachedKeyPromise;
+}
+function bytesToB64(bytes) {
+  let s = "";
+  for (const b of bytes) s += String.fromCharCode(b);
+  return btoa(s);
+}
+function b64ToBytes(s) {
+  const bin = atob(s);
+  const out = new Uint8Array(new ArrayBuffer(bin.length));
+  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
+  return out;
+}
+async function encryptJson(plain) {
+  const key = await getOfflineQueueKey();
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+  const data = new TextEncoder().encode(JSON.stringify(plain));
+  const cipher = new Uint8Array(await crypto.subtle.encrypt({ name: "AES-GCM", iv }, key, data));
+  return { _mme: 1, iv: bytesToB64(iv), ct: bytesToB64(cipher) };
+}
+function isEncryptedPayload(v) {
+  return !!v && typeof v === "object" && v._mme === 1 && typeof v.iv === "string" && typeof v.ct === "string";
+}
+async function decryptJson(payload) {
+  const key = await getOfflineQueueKey();
+  const iv = b64ToBytes(payload.iv);
+  const ct = b64ToBytes(payload.ct);
+  const plain = await crypto.subtle.decrypt({ name: "AES-GCM", iv }, key, ct);
+  return JSON.parse(new TextDecoder().decode(plain));
+}
 // src/queue.ts
 var queueLog = createLogger({ scope: "mushi:queue", level: "warn" });
 var DB_NAME = "mushi-mushi";
@@ -357,9 +449,36 @@ var LS_KEY = "mushi_offline_queue";
 var BATCH_SIZE = 10;
 var MAX_BACKOFF_MS = 6e4;
 function createOfflineQueue(config = {}) {
-  const { enabled = true, maxQueueSize = 50, syncOnReconnect = true } = config;
+  const { enabled = true, maxQueueSize = 50, syncOnReconnect = true, encryptAtRest = true } = config;
   let syncCleanup = null;
   let backendType = null;
+  async function wrapForStorage(report) {
+    const queuedAt = (/* @__PURE__ */ new Date()).toISOString();
+    if (!encryptAtRest) {
+      return { ...report, queuedAt };
+    }
+    try {
+      const payload = await encryptJson(report);
+      return { id: report.id, queuedAt, payload };
+    } catch (err) {
+      queueLog.warn("Offline queue: encryption failed, storing plaintext", { err: String(err) });
+      return { ...report, queuedAt };
+    }
+  }
+  async function unwrapForSend(row) {
+    if (isEncryptedRecord(row)) {
+      try {
+        return await decryptJson(row.payload);
+      } catch (err) {
+        queueLog.warn("Offline queue: decrypt failed, dropping row", { err: String(err), id: row.id });
+        return null;
+      }
+    }
+    return row;
+  }
+  function isEncryptedRecord(row) {
+    return !!row.payload && isEncryptedPayload(row.payload);
+  }
   function detectBackend() {
     if (backendType) return backendType;
     if (typeof indexedDB !== "undefined") {
@@ -389,9 +508,10 @@ function createOfflineQueue(config = {}) {
   }
   async function idbEnqueue(report) {
     const db = await openDb();
+    const row = await wrapForStorage(report);
     return new Promise((resolve, reject) => {
       const tx = db.transaction(STORE_NAME, "readwrite");
-      tx.objectStore(STORE_NAME).put({ ...report, queuedAt: (/* @__PURE__ */ new Date()).toISOString() });
+      tx.objectStore(STORE_NAME).put(row);
       tx.oncomplete = () => resolve();
       tx.onerror = () => reject(tx.error);
     });
@@ -440,20 +560,20 @@ function createOfflineQueue(config = {}) {
       return [];
     }
   }
-  function lsWrite(reports) {
+  function lsWrite(rows) {
     try {
-      localStorage.setItem(LS_KEY, JSON.stringify(reports));
+      localStorage.setItem(LS_KEY, JSON.stringify(rows));
     } catch {
     }
   }
-  function lsEnqueue(report) {
-    const reports = lsRead();
-    reports.push({ ...report, queuedAt: (/* @__PURE__ */ new Date()).toISOString() });
-    lsWrite(reports);
+  async function lsEnqueue(report) {
+    const rows = lsRead();
+    rows.push(await wrapForStorage(report));
+    lsWrite(rows);
   }
   function lsDelete(id) {
-    const reports = lsRead().filter((r) => r.id !== id);
-    lsWrite(reports);
+    const rows = lsRead().filter((r) => r.id !== id);
+    lsWrite(rows);
   }
   async function enqueue(report) {
     if (!enabled) return;
@@ -472,7 +592,7 @@ function createOfflineQueue(config = {}) {
       }
     }
     if (backend === "localstorage" || backendType === "localstorage") {
-      lsEnqueue(report);
+      await lsEnqueue(report);
       return;
     }
   }
@@ -484,29 +604,41 @@ function createOfflineQueue(config = {}) {
   }
   async function flush(client) {
     if (!enabled) return { sent: 0, failed: 0 };
-    let reports;
+    let rows;
     const backend = detectBackend();
     if (backend === "indexeddb") {
       try {
-        reports = await idbGetAll();
+        rows = await idbGetAll();
       } catch {
-        reports = lsRead();
+        rows = lsRead();
       }
     } else {
-      reports = lsRead();
+      rows = lsRead();
     }
-    const batch = reports.slice(0, BATCH_SIZE);
+    const batch = rows.slice(0, BATCH_SIZE);
     let sent = 0;
     let failed = 0;
     for (let i = 0; i < batch.length; i++) {
-      const report = batch[i];
+      const row = batch[i];
+      const rowId = row.id;
+      const report = await unwrapForSend(row);
+      if (!report) {
+        try {
+          if (backend === "indexeddb") await idbDelete(rowId);
+          else lsDelete(rowId);
+        } catch {
+          lsDelete(rowId);
+        }
+        failed++;
+        continue;
+      }
       const result = await client.submitReport(report);
       if (result.ok) {
         try {
-          if (backend === "indexeddb") await idbDelete(report.id);
-          else lsDelete(report.id);
+          if (backend === "indexeddb") await idbDelete(rowId);
+          else lsDelete(rowId);
         } catch {
-          lsDelete(report.id);
+          lsDelete(rowId);
         }
         sent++;
       } else {
@@ -620,6 +752,54 @@ function generateToken() {
   return `mushi_${hex}`;
 }
+// src/fingerprint.ts
+var CACHE_KEY = "mushi_fingerprint_hash";
+function collectInputs() {
+  const nav = typeof navigator !== "undefined" ? navigator : void 0;
+  const scr = typeof screen !== "undefined" ? screen : void 0;
+  const win = typeof window !== "undefined" ? window : void 0;
+  return {
+    userAgent: nav?.userAgent ?? "unknown",
+    platform: nav?.platform ?? "unknown",
+    language: nav?.language ?? "en",
+    timezone: Intl?.DateTimeFormat?.()?.resolvedOptions?.()?.timeZone ?? "UTC",
+    screenWidth: scr?.width ?? 0,
+    screenHeight: scr?.height ?? 0,
+    pixelRatio: win?.devicePixelRatio ?? 1,
+    deviceMemory: nav?.deviceMemory,
+    hardwareConcurrency: nav?.hardwareConcurrency
+  };
+}
+async function sha256Hex(input) {
+  if (typeof crypto !== "undefined" && crypto.subtle) {
+    const buf = new TextEncoder().encode(input);
+    const digest = await crypto.subtle.digest("SHA-256", buf);
+    return Array.from(new Uint8Array(digest)).map((b) => b.toString(16).padStart(2, "0")).join("");
+  }
+  let hash = 0;
+  for (let i = 0; i < input.length; i++) {
+    hash = (hash << 5) - hash + input.charCodeAt(i);
+    hash |= 0;
+  }
+  return `fbk_${(hash >>> 0).toString(16).padStart(8, "0")}`;
+}
+async function getDeviceFingerprintHash() {
+  if (typeof localStorage !== "undefined") {
+    const cached = localStorage.getItem(CACHE_KEY);
+    if (cached) return cached;
+  }
+  const inputs = collectInputs();
+  const serialised = JSON.stringify(inputs);
+  const hash = await sha256Hex(serialised);
+  if (typeof localStorage !== "undefined") {
+    try {
+      localStorage.setItem(CACHE_KEY, hash);
+    } catch {
+    }
+  }
+  return hash;
+}
 // src/session.ts
 var SESSION_KEY = "mushi_session_id";
 var cachedSessionId = null;
@@ -692,16 +872,33 @@ function createRateLimiter(config = {}) {
 var ORDERED_PATTERNS = [
   { key: "ssns", regex: /\b\d{3}-\d{2}-\d{4}\b/g, replacement: "[REDACTED_SSN]" },
   { key: "creditCards", regex: /\b(?:\d[ -]*){12,18}\d\b/g, replacement: "[REDACTED_CC]" },
+  // Vendor secret tokens — mirrors packages/server/.../pii-scrubber.ts exactly.
+  { key: "secretTokens", regex: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g, replacement: "[REDACTED_AWS_KEY]" },
+  { key: "secretTokens", regex: /(?:aws_secret_access_key|secret_access_key)["'\s:=]+[A-Za-z0-9/+=]{40}\b/gi, replacement: "aws_secret_access_key=[REDACTED_AWS_SECRET]" },
+  { key: "secretTokens", regex: /\b(?:sk|rk)_(?:live|test)_[A-Za-z0-9]{24,}\b/g, replacement: "[REDACTED_STRIPE_KEY]" },
+  { key: "secretTokens", regex: /\bpk_(?:live|test)_[A-Za-z0-9]{24,}\b/g, replacement: "[REDACTED_STRIPE_PK]" },
+  { key: "secretTokens", regex: /\bxox[abpor]-[A-Za-z0-9-]{10,}\b/g, replacement: "[REDACTED_SLACK_TOKEN]" },
+  { key: "secretTokens", regex: /\bghp_[A-Za-z0-9]{36}\b/g, replacement: "[REDACTED_GITHUB_PAT]" },
+  { key: "secretTokens", regex: /\bgithub_pat_[A-Za-z0-9_]{80,}\b/g, replacement: "[REDACTED_GITHUB_PAT]" },
+  { key: "secretTokens", regex: /\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b/g, replacement: "[REDACTED_OPENAI_KEY]" },
+  { key: "secretTokens", regex: /\bsk-ant-[A-Za-z0-9_-]{20,}\b/g, replacement: "[REDACTED_ANTHROPIC_KEY]" },
+  { key: "secretTokens", regex: /\bAIza[0-9A-Za-z_-]{35}\b/g, replacement: "[REDACTED_GOOGLE_KEY]" },
+  { key: "secretTokens", regex: /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/g, replacement: "[REDACTED_JWT]" },
   { key: "emails", regex: /\b[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}\b/g, replacement: "[REDACTED_EMAIL]" },
   { key: "phones", regex: /(?:\+\d{1,3}[\s.-])?\(?\d{2,4}\)?[\s.-]\d{3,4}[\s.-]\d{3,4}\b/g, replacement: "[REDACTED_PHONE]" },
-  { key: "ipAddresses", regex: /\b(?:\d{1,3}\.){3}\d{1,3}\b/g, replacement: "[REDACTED_IP]" }
+  { key: "ipAddresses", regex: /\b(?:\d{1,3}\.){3}\d{1,3}\b/g, replacement: "[REDACTED_IP]" },
+  { key: "ipv6", regex: /\b(?:[A-Fa-f0-9]{1,4}:){2,7}[A-Fa-f0-9]{0,4}\b/g, replacement: "[REDACTED_IPV6]" }
 ];
 var DEFAULT_CONFIG = {
   emails: true,
   phones: true,
   creditCards: true,
   ssns: true,
-  ipAddresses: false
+  ipAddresses: false,
+  // Secret tokens default ON — if they leak into a bug report there's no
+  // good reason to ship them to our servers. Cheaper to scrub client-side.
+  secretTokens: true,
+  ipv6: false
 };
 function createPiiScrubber(config = {}) {
   const merged = { ...DEFAULT_CONFIG, ...config };
@@ -729,6 +926,6 @@ function scrubPii(text, config) {
   return createPiiScrubber(config).scrub(text);
 }
-export { DEFAULT_API_ENDPOINT, REGION_ENDPOINTS, captureEnvironment, createApiClient, createLogger, createOfflineQueue, createPiiScrubber, createPreFilter, createRateLimiter, getReporterToken, getSessionId, noopLogger, resolveRegionEndpoint, scrubPii };
+export { DEFAULT_API_ENDPOINT, REGION_ENDPOINTS, captureEnvironment, createApiClient, createLogger, createOfflineQueue, createPiiScrubber, createPreFilter, createRateLimiter, getDeviceFingerprintHash, getReporterToken, getSessionId, noopLogger, resolveRegionEndpoint, scrubPii };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map