@mushi-mushi/core 0.2.1 → 0.3.0

package/dist/index.d.cts

@@ -95,6 +95,21 @@ interface MushiOfflineConfig {
     enabled?: boolean;
     maxQueueSize?: number;
     syncOnReconnect?: boolean;
+    /**
+     * Encrypt queued reports at rest (IndexedDB + localStorage) with AES-GCM.
+     *
+     * Wave S1 / D-16: on a shared device (kiosks, iPads, support-agent
+     * laptops) any queued report sits in plaintext until the next online flush.
+     * With this flag set we generate a non-extractable AES-GCM key at first use,
+     * stash it in a single tightly-scoped IndexedDB record, and wrap every
+     * queued report payload under it. The key never leaves the origin's
+     * IndexedDB; stealing the DB file on disk still requires the OS-level
+     * Web Crypto keystore to decrypt.
+     *
+     * Defaults to `true`. Set false only if you need to inspect raw queue
+     * contents during local dev.
+     */
+    encryptAtRest?: boolean;
 }
 interface MushiRewardsConfig {
     enabled?: boolean;
@@ -120,7 +135,7 @@ interface MushiReport {
     sessionId?: string;
     reporterToken: string;
     /**
-     * Wave E §3c — stable per-device hash from `getDeviceFingerprintHash()`.
+     * §3c — stable per-device hash from `getDeviceFingerprintHash()`.
      * Sent so the server can run the cross-account anti-gaming check; falls
      * back to IP+UA fingerprinting when omitted.
      */
@@ -215,6 +230,43 @@ interface MushiSDKInstance {
     open(): void;
     close(): void;
     destroy(): void;
+    /**
+     * Wave G4 — unified `captureEvent` API. Submits a bug report
+     * programmatically without opening the widget. Useful for adapters
+     * that translate errors from Datadog / Honeycomb / Sentry /
+     * Grafana into Mushi reports.
+     *
+     * Returns the server-assigned report id when the submit succeeds.
+     */
+    captureEvent(event: MushiCaptureEventInput): Promise<string | null>;
+    /**
+     * Wave G4 — sugar alias for `setUser()`. Name mirrors the
+     * identify/track/capture vocabulary that PostHog/Segment/Mixpanel
+     * users already know.
+     */
+    identify(userId: string, traits?: {
+        email?: string;
+        name?: string;
+        [k: string]: unknown;
+    }): void;
+}
+interface MushiCaptureEventInput {
+    /** Human-readable summary; becomes `reports.description`. */
+    description: string;
+    category?: MushiReportCategory;
+    severity?: 'critical' | 'high' | 'medium' | 'low';
+    component?: string;
+    /** Arbitrary tags merged into `reports.metadata.tags`. */
+    tags?: Record<string, string | number | boolean>;
+    /** Source-of-truth adapter that produced this event (e.g. `'datadog'`). */
+    source?: string;
+    /** Optional error payload (name/message/stack) captured from the host app. */
+    error?: {
+        name?: string;
+        message?: string;
+        stack?: string;
+    };
+    metadata?: Record<string, unknown>;
 }
 interface MushiApiClient {
     submitReport(report: MushiReport): Promise<MushiApiResponse<{
@@ -248,7 +300,7 @@ declare const DEFAULT_API_ENDPOINT = "https://dxptnwrhwsqckaftyymj.supabase.co/f
 declare function createApiClient(options: ApiClientOptions): MushiApiClient;
 
 /**
- * Wave C C7: Data residency region resolution.
+ * C7: Data residency region resolution.
  *
  * The SDK supports four regional clouds:
  *   - 'us'   → United States (default; legacy `dxptnwrhwsqckaftyymj`)
@@ -306,7 +358,7 @@ declare function captureEnvironment(): MushiEnvironment;
 declare function getReporterToken(): string;
 
 /**
- * Wave E §3c — stable device fingerprint hash.
+ * §3c — stable device fingerprint hash.
  *
  * Hashes a deliberately small set of long-lived device characteristics so
  * the same browser keeps the same hash across sessions, but moving to a
@@ -350,6 +402,19 @@ interface PiiScrubberConfig {
     creditCards?: boolean;
     ssns?: boolean;
     ipAddresses?: boolean;
+    /**
+     * Scrub vendor-shaped secret tokens (AWS access keys, Stripe keys,
+     * Slack/GitHub PATs, OpenAI/Anthropic/Google keys, JWTs).
+     *
+     * Wave S1 / D-15: SDK parity with the server-side scrubber. The server
+     * scrubs these on every LLM invocation; the SDK now scrubs them at
+     * capture so they never hit the wire in the first place — important for
+     * users who `console.log(stripeKey)` during dev and later ship bug
+     * reports with the error text attached.
+     */
+    secretTokens?: boolean;
+    /** IPv6 addresses. Defaults off for the same reason IPv4 does. */
+    ipv6?: boolean;
 }
 declare function createPiiScrubber(config?: PiiScrubberConfig): {
     scrub: (text: string) => string;
@@ -423,4 +488,4 @@ declare function createLogger(options: LoggerOptions): Logger;
  */
 declare const noopLogger: Logger;
 
-export { type ApiClientOptions, DEFAULT_API_ENDPOINT, type LogEntry, type LogFormat, type LogLevel, type Logger, type LoggerOptions, type MushiApiClient, type MushiApiResponse, type MushiCaptureConfig, type MushiConfig, type MushiConsoleEntry, type MushiCooldownConfig, type MushiEnvironment, type MushiEventHandler, type MushiEventType, type MushiIntegrationsConfig, type MushiNetworkEntry, type MushiOfflineConfig, type MushiOnDeviceClassifier, type MushiOnDeviceClassifierInput, type MushiOnDeviceClassifierResult, type MushiPerformanceMetrics, type MushiPreFilterConfig, type MushiProactiveConfig, type MushiRegion, type MushiReport, type MushiReportBuilder, type MushiReportCategory, type MushiReportStatus, type MushiRewardsConfig, type MushiSDKInstance, type MushiSelectedElement, type MushiSentryConfig, type MushiWidgetConfig, type OfflineQueue, type PiiScrubberConfig, type PreFilterResult, REGION_ENDPOINTS, type RateLimiter, type RateLimiterConfig, captureEnvironment, createApiClient, createLogger, createOfflineQueue, createPiiScrubber, createPreFilter, createRateLimiter, getDeviceFingerprintHash, getReporterToken, getSessionId, noopLogger, resolveRegionEndpoint, scrubPii };
+export { type ApiClientOptions, DEFAULT_API_ENDPOINT, type LogEntry, type LogFormat, type LogLevel, type Logger, type LoggerOptions, type MushiApiClient, type MushiApiResponse, type MushiCaptureConfig, type MushiCaptureEventInput, type MushiConfig, type MushiConsoleEntry, type MushiCooldownConfig, type MushiEnvironment, type MushiEventHandler, type MushiEventType, type MushiIntegrationsConfig, type MushiNetworkEntry, type MushiOfflineConfig, type MushiOnDeviceClassifier, type MushiOnDeviceClassifierInput, type MushiOnDeviceClassifierResult, type MushiPerformanceMetrics, type MushiPreFilterConfig, type MushiProactiveConfig, type MushiRegion, type MushiReport, type MushiReportBuilder, type MushiReportCategory, type MushiReportStatus, type MushiRewardsConfig, type MushiSDKInstance, type MushiSelectedElement, type MushiSentryConfig, type MushiWidgetConfig, type OfflineQueue, type PiiScrubberConfig, type PreFilterResult, REGION_ENDPOINTS, type RateLimiter, type RateLimiterConfig, captureEnvironment, createApiClient, createLogger, createOfflineQueue, createPiiScrubber, createPreFilter, createRateLimiter, getDeviceFingerprintHash, getReporterToken, getSessionId, noopLogger, resolveRegionEndpoint, scrubPii };

package/dist/index.d.ts

@@ -95,6 +95,21 @@ interface MushiOfflineConfig {
     enabled?: boolean;
     maxQueueSize?: number;
     syncOnReconnect?: boolean;
+    /**
+     * Encrypt queued reports at rest (IndexedDB + localStorage) with AES-GCM.
+     *
+     * Wave S1 / D-16: on a shared device (kiosks, iPads, support-agent
+     * laptops) any queued report sits in plaintext until the next online flush.
+     * With this flag set we generate a non-extractable AES-GCM key at first use,
+     * stash it in a single tightly-scoped IndexedDB record, and wrap every
+     * queued report payload under it. The key never leaves the origin's
+     * IndexedDB; stealing the DB file on disk still requires the OS-level
+     * Web Crypto keystore to decrypt.
+     *
+     * Defaults to `true`. Set false only if you need to inspect raw queue
+     * contents during local dev.
+     */
+    encryptAtRest?: boolean;
 }
 interface MushiRewardsConfig {
     enabled?: boolean;
@@ -120,7 +135,7 @@ interface MushiReport {
     sessionId?: string;
     reporterToken: string;
     /**
-     * Wave E §3c — stable per-device hash from `getDeviceFingerprintHash()`.
+     * §3c — stable per-device hash from `getDeviceFingerprintHash()`.
      * Sent so the server can run the cross-account anti-gaming check; falls
      * back to IP+UA fingerprinting when omitted.
      */
@@ -215,6 +230,43 @@ interface MushiSDKInstance {
     open(): void;
     close(): void;
     destroy(): void;
+    /**
+     * Wave G4 — unified `captureEvent` API. Submits a bug report
+     * programmatically without opening the widget. Useful for adapters
+     * that translate errors from Datadog / Honeycomb / Sentry /
+     * Grafana into Mushi reports.
+     *
+     * Returns the server-assigned report id when the submit succeeds.
+     */
+    captureEvent(event: MushiCaptureEventInput): Promise<string | null>;
+    /**
+     * Wave G4 — sugar alias for `setUser()`. Name mirrors the
+     * identify/track/capture vocabulary that PostHog/Segment/Mixpanel
+     * users already know.
+     */
+    identify(userId: string, traits?: {
+        email?: string;
+        name?: string;
+        [k: string]: unknown;
+    }): void;
+}
+interface MushiCaptureEventInput {
+    /** Human-readable summary; becomes `reports.description`. */
+    description: string;
+    category?: MushiReportCategory;
+    severity?: 'critical' | 'high' | 'medium' | 'low';
+    component?: string;
+    /** Arbitrary tags merged into `reports.metadata.tags`. */
+    tags?: Record<string, string | number | boolean>;
+    /** Source-of-truth adapter that produced this event (e.g. `'datadog'`). */
+    source?: string;
+    /** Optional error payload (name/message/stack) captured from the host app. */
+    error?: {
+        name?: string;
+        message?: string;
+        stack?: string;
+    };
+    metadata?: Record<string, unknown>;
 }
 interface MushiApiClient {
     submitReport(report: MushiReport): Promise<MushiApiResponse<{
@@ -248,7 +300,7 @@ declare const DEFAULT_API_ENDPOINT = "https://dxptnwrhwsqckaftyymj.supabase.co/f
 declare function createApiClient(options: ApiClientOptions): MushiApiClient;
 
 /**
- * Wave C C7: Data residency region resolution.
+ * C7: Data residency region resolution.
  *
  * The SDK supports four regional clouds:
  *   - 'us'   → United States (default; legacy `dxptnwrhwsqckaftyymj`)
@@ -306,7 +358,7 @@ declare function captureEnvironment(): MushiEnvironment;
 declare function getReporterToken(): string;
 
 /**
- * Wave E §3c — stable device fingerprint hash.
+ * §3c — stable device fingerprint hash.
  *
  * Hashes a deliberately small set of long-lived device characteristics so
  * the same browser keeps the same hash across sessions, but moving to a
@@ -350,6 +402,19 @@ interface PiiScrubberConfig {
     creditCards?: boolean;
     ssns?: boolean;
     ipAddresses?: boolean;
+    /**
+     * Scrub vendor-shaped secret tokens (AWS access keys, Stripe keys,
+     * Slack/GitHub PATs, OpenAI/Anthropic/Google keys, JWTs).
+     *
+     * Wave S1 / D-15: SDK parity with the server-side scrubber. The server
+     * scrubs these on every LLM invocation; the SDK now scrubs them at
+     * capture so they never hit the wire in the first place — important for
+     * users who `console.log(stripeKey)` during dev and later ship bug
+     * reports with the error text attached.
+     */
+    secretTokens?: boolean;
+    /** IPv6 addresses. Defaults off for the same reason IPv4 does. */
+    ipv6?: boolean;
 }
 declare function createPiiScrubber(config?: PiiScrubberConfig): {
     scrub: (text: string) => string;
@@ -423,4 +488,4 @@ declare function createLogger(options: LoggerOptions): Logger;
  */
 declare const noopLogger: Logger;
 
-export { type ApiClientOptions, DEFAULT_API_ENDPOINT, type LogEntry, type LogFormat, type LogLevel, type Logger, type LoggerOptions, type MushiApiClient, type MushiApiResponse, type MushiCaptureConfig, type MushiConfig, type MushiConsoleEntry, type MushiCooldownConfig, type MushiEnvironment, type MushiEventHandler, type MushiEventType, type MushiIntegrationsConfig, type MushiNetworkEntry, type MushiOfflineConfig, type MushiOnDeviceClassifier, type MushiOnDeviceClassifierInput, type MushiOnDeviceClassifierResult, type MushiPerformanceMetrics, type MushiPreFilterConfig, type MushiProactiveConfig, type MushiRegion, type MushiReport, type MushiReportBuilder, type MushiReportCategory, type MushiReportStatus, type MushiRewardsConfig, type MushiSDKInstance, type MushiSelectedElement, type MushiSentryConfig, type MushiWidgetConfig, type OfflineQueue, type PiiScrubberConfig, type PreFilterResult, REGION_ENDPOINTS, type RateLimiter, type RateLimiterConfig, captureEnvironment, createApiClient, createLogger, createOfflineQueue, createPiiScrubber, createPreFilter, createRateLimiter, getDeviceFingerprintHash, getReporterToken, getSessionId, noopLogger, resolveRegionEndpoint, scrubPii };
+export { type ApiClientOptions, DEFAULT_API_ENDPOINT, type LogEntry, type LogFormat, type LogLevel, type Logger, type LoggerOptions, type MushiApiClient, type MushiApiResponse, type MushiCaptureConfig, type MushiCaptureEventInput, type MushiConfig, type MushiConsoleEntry, type MushiCooldownConfig, type MushiEnvironment, type MushiEventHandler, type MushiEventType, type MushiIntegrationsConfig, type MushiNetworkEntry, type MushiOfflineConfig, type MushiOnDeviceClassifier, type MushiOnDeviceClassifierInput, type MushiOnDeviceClassifierResult, type MushiPerformanceMetrics, type MushiPreFilterConfig, type MushiProactiveConfig, type MushiRegion, type MushiReport, type MushiReportBuilder, type MushiReportCategory, type MushiReportStatus, type MushiRewardsConfig, type MushiSDKInstance, type MushiSelectedElement, type MushiSentryConfig, type MushiWidgetConfig, type OfflineQueue, type PiiScrubberConfig, type PreFilterResult, REGION_ENDPOINTS, type RateLimiter, type RateLimiterConfig, captureEnvironment, createApiClient, createLogger, createOfflineQueue, createPiiScrubber, createPreFilter, createRateLimiter, getDeviceFingerprintHash, getReporterToken, getSessionId, noopLogger, resolveRegionEndpoint, scrubPii };

package/dist/index.js

@@ -348,6 +348,98 @@ var noopLogger = {
   }
 };
 
+// src/queue-crypto.ts
+var KEY_DB = "mushi-mushi-keyring";
+var KEY_STORE = "keys";
+var KEY_RECORD_ID = "offline-queue/v1";
+var cachedKey = null;
+var cachedKeyPromise = null;
+function hasWebCrypto() {
+  return typeof globalThis !== "undefined" && typeof globalThis.crypto !== "undefined" && typeof globalThis.crypto.subtle !== "undefined" && typeof indexedDB !== "undefined";
+}
+function openKeyDb() {
+  return new Promise((resolve, reject) => {
+    const req = indexedDB.open(KEY_DB, 1);
+    req.onupgradeneeded = () => {
+      const db = req.result;
+      if (!db.objectStoreNames.contains(KEY_STORE)) {
+        db.createObjectStore(KEY_STORE);
+      }
+    };
+    req.onsuccess = () => resolve(req.result);
+    req.onerror = () => reject(req.error);
+  });
+}
+async function loadKey() {
+  const db = await openKeyDb();
+  return new Promise((resolve, reject) => {
+    const tx = db.transaction(KEY_STORE, "readonly");
+    const req = tx.objectStore(KEY_STORE).get(KEY_RECORD_ID);
+    req.onsuccess = () => resolve(req.result ?? null);
+    req.onerror = () => reject(req.error);
+  });
+}
+async function storeKey(key) {
+  const db = await openKeyDb();
+  return new Promise((resolve, reject) => {
+    const tx = db.transaction(KEY_STORE, "readwrite");
+    tx.objectStore(KEY_STORE).put(key, KEY_RECORD_ID);
+    tx.oncomplete = () => resolve();
+    tx.onerror = () => reject(tx.error);
+  });
+}
+async function getOfflineQueueKey() {
+  if (cachedKey) return cachedKey;
+  if (cachedKeyPromise) return cachedKeyPromise;
+  if (!hasWebCrypto()) {
+    throw new Error("Web Crypto + IndexedDB required for offline queue encryption");
+  }
+  cachedKeyPromise = (async () => {
+    const existing = await loadKey();
+    if (existing) {
+      cachedKey = existing;
+      return existing;
+    }
+    const key = await crypto.subtle.generateKey(
+      { name: "AES-GCM", length: 256 },
+      false,
+      ["encrypt", "decrypt"]
+    );
+    await storeKey(key);
+    cachedKey = key;
+    return key;
+  })();
+  return cachedKeyPromise;
+}
+function bytesToB64(bytes) {
+  let s = "";
+  for (const b of bytes) s += String.fromCharCode(b);
+  return btoa(s);
+}
+function b64ToBytes(s) {
+  const bin = atob(s);
+  const out = new Uint8Array(new ArrayBuffer(bin.length));
+  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
+  return out;
+}
+async function encryptJson(plain) {
+  const key = await getOfflineQueueKey();
+  const iv = crypto.getRandomValues(new Uint8Array(12));
+  const data = new TextEncoder().encode(JSON.stringify(plain));
+  const cipher = new Uint8Array(await crypto.subtle.encrypt({ name: "AES-GCM", iv }, key, data));
+  return { _mme: 1, iv: bytesToB64(iv), ct: bytesToB64(cipher) };
+}
+function isEncryptedPayload(v) {
+  return !!v && typeof v === "object" && v._mme === 1 && typeof v.iv === "string" && typeof v.ct === "string";
+}
+async function decryptJson(payload) {
+  const key = await getOfflineQueueKey();
+  const iv = b64ToBytes(payload.iv);
+  const ct = b64ToBytes(payload.ct);
+  const plain = await crypto.subtle.decrypt({ name: "AES-GCM", iv }, key, ct);
+  return JSON.parse(new TextDecoder().decode(plain));
+}
+
 // src/queue.ts
 var queueLog = createLogger({ scope: "mushi:queue", level: "warn" });
 var DB_NAME = "mushi-mushi";
@@ -357,9 +449,36 @@ var LS_KEY = "mushi_offline_queue";
 var BATCH_SIZE = 10;
 var MAX_BACKOFF_MS = 6e4;
 function createOfflineQueue(config = {}) {
-  const { enabled = true, maxQueueSize = 50, syncOnReconnect = true } = config;
+  const { enabled = true, maxQueueSize = 50, syncOnReconnect = true, encryptAtRest = true } = config;
   let syncCleanup = null;
   let backendType = null;
+  async function wrapForStorage(report) {
+    const queuedAt = (/* @__PURE__ */ new Date()).toISOString();
+    if (!encryptAtRest) {
+      return { ...report, queuedAt };
+    }
+    try {
+      const payload = await encryptJson(report);
+      return { id: report.id, queuedAt, payload };
+    } catch (err) {
+      queueLog.warn("Offline queue: encryption failed, storing plaintext", { err: String(err) });
+      return { ...report, queuedAt };
+    }
+  }
+  async function unwrapForSend(row) {
+    if (isEncryptedRecord(row)) {
+      try {
+        return await decryptJson(row.payload);
+      } catch (err) {
+        queueLog.warn("Offline queue: decrypt failed, dropping row", { err: String(err), id: row.id });
+        return null;
+      }
+    }
+    return row;
+  }
+  function isEncryptedRecord(row) {
+    return !!row.payload && isEncryptedPayload(row.payload);
+  }
   function detectBackend() {
     if (backendType) return backendType;
     if (typeof indexedDB !== "undefined") {
@@ -389,9 +508,10 @@ function createOfflineQueue(config = {}) {
   }
   async function idbEnqueue(report) {
     const db = await openDb();
+    const row = await wrapForStorage(report);
     return new Promise((resolve, reject) => {
       const tx = db.transaction(STORE_NAME, "readwrite");
-      tx.objectStore(STORE_NAME).put({ ...report, queuedAt: (/* @__PURE__ */ new Date()).toISOString() });
+      tx.objectStore(STORE_NAME).put(row);
       tx.oncomplete = () => resolve();
       tx.onerror = () => reject(tx.error);
     });
@@ -440,20 +560,20 @@ function createOfflineQueue(config = {}) {
       return [];
     }
   }
-  function lsWrite(reports) {
+  function lsWrite(rows) {
     try {
-      localStorage.setItem(LS_KEY, JSON.stringify(reports));
+      localStorage.setItem(LS_KEY, JSON.stringify(rows));
     } catch {
     }
   }
-  function lsEnqueue(report) {
-    const reports = lsRead();
-    reports.push({ ...report, queuedAt: (/* @__PURE__ */ new Date()).toISOString() });
-    lsWrite(reports);
+  async function lsEnqueue(report) {
+    const rows = lsRead();
+    rows.push(await wrapForStorage(report));
+    lsWrite(rows);
   }
   function lsDelete(id) {
-    const reports = lsRead().filter((r) => r.id !== id);
-    lsWrite(reports);
+    const rows = lsRead().filter((r) => r.id !== id);
+    lsWrite(rows);
   }
   async function enqueue(report) {
     if (!enabled) return;
@@ -472,7 +592,7 @@ function createOfflineQueue(config = {}) {
       }
     }
     if (backend === "localstorage" || backendType === "localstorage") {
-      lsEnqueue(report);
+      await lsEnqueue(report);
       return;
     }
   }
@@ -484,29 +604,41 @@ function createOfflineQueue(config = {}) {
   }
   async function flush(client) {
     if (!enabled) return { sent: 0, failed: 0 };
-    let reports;
+    let rows;
     const backend = detectBackend();
     if (backend === "indexeddb") {
       try {
-        reports = await idbGetAll();
+        rows = await idbGetAll();
       } catch {
-        reports = lsRead();
+        rows = lsRead();
       }
     } else {
-      reports = lsRead();
+      rows = lsRead();
     }
-    const batch = reports.slice(0, BATCH_SIZE);
+    const batch = rows.slice(0, BATCH_SIZE);
     let sent = 0;
     let failed = 0;
     for (let i = 0; i < batch.length; i++) {
-      const report = batch[i];
+      const row = batch[i];
+      const rowId = row.id;
+      const report = await unwrapForSend(row);
+      if (!report) {
+        try {
+          if (backend === "indexeddb") await idbDelete(rowId);
+          else lsDelete(rowId);
+        } catch {
+          lsDelete(rowId);
+        }
+        failed++;
+        continue;
+      }
       const result = await client.submitReport(report);
       if (result.ok) {
         try {
-          if (backend === "indexeddb") await idbDelete(report.id);
-          else lsDelete(report.id);
+          if (backend === "indexeddb") await idbDelete(rowId);
+          else lsDelete(rowId);
         } catch {
-          lsDelete(report.id);
+          lsDelete(rowId);
         }
         sent++;
       } else {
@@ -740,16 +872,33 @@ function createRateLimiter(config = {}) {
 var ORDERED_PATTERNS = [
   { key: "ssns", regex: /\b\d{3}-\d{2}-\d{4}\b/g, replacement: "[REDACTED_SSN]" },
   { key: "creditCards", regex: /\b(?:\d[ -]*){12,18}\d\b/g, replacement: "[REDACTED_CC]" },
+  // Vendor secret tokens — mirrors packages/server/.../pii-scrubber.ts exactly.
+  { key: "secretTokens", regex: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g, replacement: "[REDACTED_AWS_KEY]" },
+  { key: "secretTokens", regex: /(?:aws_secret_access_key|secret_access_key)["'\s:=]+[A-Za-z0-9/+=]{40}\b/gi, replacement: "aws_secret_access_key=[REDACTED_AWS_SECRET]" },
+  { key: "secretTokens", regex: /\b(?:sk|rk)_(?:live|test)_[A-Za-z0-9]{24,}\b/g, replacement: "[REDACTED_STRIPE_KEY]" },
+  { key: "secretTokens", regex: /\bpk_(?:live|test)_[A-Za-z0-9]{24,}\b/g, replacement: "[REDACTED_STRIPE_PK]" },
+  { key: "secretTokens", regex: /\bxox[abpor]-[A-Za-z0-9-]{10,}\b/g, replacement: "[REDACTED_SLACK_TOKEN]" },
+  { key: "secretTokens", regex: /\bghp_[A-Za-z0-9]{36}\b/g, replacement: "[REDACTED_GITHUB_PAT]" },
+  { key: "secretTokens", regex: /\bgithub_pat_[A-Za-z0-9_]{80,}\b/g, replacement: "[REDACTED_GITHUB_PAT]" },
+  { key: "secretTokens", regex: /\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b/g, replacement: "[REDACTED_OPENAI_KEY]" },
+  { key: "secretTokens", regex: /\bsk-ant-[A-Za-z0-9_-]{20,}\b/g, replacement: "[REDACTED_ANTHROPIC_KEY]" },
+  { key: "secretTokens", regex: /\bAIza[0-9A-Za-z_-]{35}\b/g, replacement: "[REDACTED_GOOGLE_KEY]" },
+  { key: "secretTokens", regex: /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/g, replacement: "[REDACTED_JWT]" },
   { key: "emails", regex: /\b[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}\b/g, replacement: "[REDACTED_EMAIL]" },
   { key: "phones", regex: /(?:\+\d{1,3}[\s.-])?\(?\d{2,4}\)?[\s.-]\d{3,4}[\s.-]\d{3,4}\b/g, replacement: "[REDACTED_PHONE]" },
-  { key: "ipAddresses", regex: /\b(?:\d{1,3}\.){3}\d{1,3}\b/g, replacement: "[REDACTED_IP]" }
+  { key: "ipAddresses", regex: /\b(?:\d{1,3}\.){3}\d{1,3}\b/g, replacement: "[REDACTED_IP]" },
+  { key: "ipv6", regex: /\b(?:[A-Fa-f0-9]{1,4}:){2,7}[A-Fa-f0-9]{0,4}\b/g, replacement: "[REDACTED_IPV6]" }
 ];
 var DEFAULT_CONFIG = {
   emails: true,
   phones: true,
   creditCards: true,
   ssns: true,
-  ipAddresses: false
+  ipAddresses: false,
+  // Secret tokens default ON — if they leak into a bug report there's no
+  // good reason to ship them to our servers. Cheaper to scrub client-side.
+  secretTokens: true,
+  ipv6: false
 };
 function createPiiScrubber(config = {}) {
   const merged = { ...DEFAULT_CONFIG, ...config };