@riotprompt/riotprompt 0.0.21 → 1.0.0

package/dist/cli.js

@@ -3,14 +3,17 @@ import "dotenv/config";
 import { Command } from "commander";
 import { create as create$7 } from "@theunwalked/cardigantime";
 import { z } from "zod";
+import Logging from "@fjell/logging";
 import * as path from "path";
 import path__default from "path";
+import { SafeRegex } from "@theunwalked/pressurelid";
 import "zod-to-json-schema";
 import "tiktoken";
 import { XMLParser } from "fast-xml-parser";
 import OpenAI from "openai";
 import Anthropic from "@anthropic-ai/sdk";
 import { GoogleGenerativeAI } from "@google/generative-ai";
+import { createSafeError as createSafeError$1 } from "@theunwalked/spotclean";
 import { glob } from "glob";
 import * as fs from "fs";
 import crypto from "crypto";
@@ -225,19 +228,60 @@ const DEFAULT_FORMAT_OPTIONS = {
   sectionTitleProperty: DEFAULT_SECTION_TITLE_PROPERTY,
   sectionDepth: 0
 };
-const DEFAULT_LOGGER = {
-  name: "default",
-  debug: (message, ...args) => console.debug(message, ...args),
-  info: (message, ...args) => console.info(message, ...args),
-  warn: (message, ...args) => console.warn(message, ...args),
-  error: (message, ...args) => console.error(message, ...args),
-  // eslint-disable-next-line @typescript-eslint/no-unused-vars
-  verbose: (message, ...args) => {
-  },
-  // eslint-disable-next-line @typescript-eslint/no-unused-vars
-  silly: (message, ...args) => {
+const LibLogger = Logging.getLogger("@theunwalked/riotprompt");
+function createSilentLogger(name) {
+  return {
+    name,
+    debug: () => {
+    },
+    info: () => {
+    },
+    warn: () => {
+    },
+    error: () => {
+    },
+    verbose: () => {
+    },
+    silly: () => {
+    },
+    get: (...components) => createSilentLogger(`${name}:${components.join(":")}`)
+  };
+}
+const SILENT_LOGGER = createSilentLogger("silent");
+const isLoggingEnabled = () => {
+  return process.env.RIOTPROMPT_LOGGING === "true" || process.env.DEBUG?.includes("riotprompt") || process.env.NODE_ENV === "development";
+};
+function createLoggerFromFjell(fjellLogger, name) {
+  return {
+    name,
+    debug: (message, ...args) => fjellLogger.debug(message, ...args),
+    info: (message, ...args) => fjellLogger.info(message, ...args),
+    warn: (message, ...args) => fjellLogger.warning(message, ...args),
+    error: (message, ...args) => fjellLogger.error(message, ...args),
+    verbose: (message, ...args) => fjellLogger.debug(message, ...args),
+    // Map to debug
+    silly: (message, ...args) => fjellLogger.debug(message, ...args),
+    // Map to debug
+    get: (...components) => {
+      const childLogger = fjellLogger.get(...components);
+      return createLoggerFromFjell(childLogger, `${name}:${components.join(":")}`);
+    }
+  };
+}
+const FJELL_LOGGER = {
+  name: "fjell",
+  debug: (message, ...args) => LibLogger.debug(message, ...args),
+  info: (message, ...args) => LibLogger.info(message, ...args),
+  warn: (message, ...args) => LibLogger.warning(message, ...args),
+  error: (message, ...args) => LibLogger.error(message, ...args),
+  verbose: (message, ...args) => LibLogger.debug(message, ...args),
+  silly: (message, ...args) => LibLogger.debug(message, ...args),
+  get: (...components) => {
+    const childLogger = LibLogger.get(...components);
+    return createLoggerFromFjell(childLogger, components.join(":"));
   }
 };
+const DEFAULT_LOGGER = isLoggingEnabled() ? FJELL_LOGGER : SILENT_LOGGER;
 const wrapLogger = (toWrap, name) => {
   const requiredMethods = ["debug", "info", "warn", "error", "verbose", "silly"];
   const missingMethods = requiredMethods.filter((method) => typeof toWrap[method] !== "function");
@@ -254,13 +298,14 @@ const wrapLogger = (toWrap, name) => {
     else if (level === "silly") toWrap.silly(message, ...args);
   };
   return {
-    name: "wrapped",
+    name: name || "wrapped",
     debug: (message, ...args) => log("debug", message, ...args),
     info: (message, ...args) => log("info", message, ...args),
     warn: (message, ...args) => log("warn", message, ...args),
     error: (message, ...args) => log("error", message, ...args),
     verbose: (message, ...args) => log("verbose", message, ...args),
-    silly: (message, ...args) => log("silly", message, ...args)
+    silly: (message, ...args) => log("silly", message, ...args),
+    get: (...components) => wrapLogger(toWrap, name ? `${name}:${components.join(":")}` : components.join(":"))
   };
 };
 class ModelRegistry {
@@ -716,11 +761,268 @@ const create$1 = (params) => {
     listFiles
   };
 };
+const DEFAULT_CONFIG = {
+  enabled: true,
+  logLevel: "warning",
+  includeContext: true,
+  maxContextSize: 1e3
+};
+class SecurityAuditLogger {
+  config;
+  logger;
+  eventCount = /* @__PURE__ */ new Map();
+  constructor(config = {}, logger) {
+    this.config = { ...DEFAULT_CONFIG, ...config };
+    this.logger = wrapLogger(logger || DEFAULT_LOGGER, "SecurityAudit");
+  }
+  /**
+   * Log a security event
+   */
+  log(event) {
+    if (!this.config.enabled) return;
+    const fullEvent = {
+      ...event,
+      timestamp: /* @__PURE__ */ new Date(),
+      context: this.sanitizeContext(event.context)
+    };
+    const count = this.eventCount.get(event.type) || 0;
+    this.eventCount.set(event.type, count + 1);
+    this.config.onEvent?.(fullEvent);
+    if (!this.shouldLog(event.severity)) return;
+    const logMessage = this.formatEvent(fullEvent);
+    switch (event.severity) {
+      case "critical":
+        this.logger.error(`[CRITICAL] ${logMessage}`);
+        break;
+      case "error":
+        this.logger.error(logMessage);
+        break;
+      case "warning":
+        this.logger.warn(logMessage);
+        break;
+      case "info":
+        this.logger.info(logMessage);
+        break;
+    }
+  }
+  /**
+   * Convenience methods for common events
+   */
+  pathTraversalBlocked(path2, reason) {
+    this.log({
+      type: "path_traversal_blocked",
+      severity: "warning",
+      message: `Path traversal attempt blocked: ${reason}`,
+      context: { attemptedPath: this.sanitizePath(path2) }
+    });
+  }
+  pathValidationFailed(path2, reason) {
+    this.log({
+      type: "path_validation_failed",
+      severity: "warning",
+      message: `Path validation failed: ${reason}`,
+      context: { attemptedPath: this.sanitizePath(path2) }
+    });
+  }
+  toolValidationFailed(toolName, reason) {
+    this.log({
+      type: "tool_validation_failed",
+      severity: "warning",
+      message: `Tool parameter validation failed for "${toolName}": ${reason}`,
+      context: { toolName }
+    });
+  }
+  toolExecutionBlocked(toolName, reason) {
+    this.log({
+      type: "tool_execution_blocked",
+      severity: "error",
+      message: `Tool execution blocked for "${toolName}": ${reason}`,
+      context: { toolName }
+    });
+  }
+  toolTimeout(toolName, timeoutMs) {
+    this.log({
+      type: "tool_timeout",
+      severity: "warning",
+      message: `Tool "${toolName}" timed out after ${timeoutMs}ms`,
+      context: { toolName, timeoutMs }
+    });
+  }
+  secretRedacted(source) {
+    this.log({
+      type: "secret_redacted",
+      severity: "info",
+      message: `Sensitive data redacted from ${source}`,
+      context: { source }
+    });
+  }
+  apiKeyUsed(provider) {
+    this.log({
+      type: "api_key_used",
+      severity: "info",
+      message: `API key accessed for provider: ${provider}`,
+      context: { provider }
+    });
+  }
+  deserializationFailed(source, reason) {
+    this.log({
+      type: "deserialization_failed",
+      severity: "warning",
+      message: `Deserialization failed from ${source}: ${reason}`,
+      context: { source }
+    });
+  }
+  regexTimeout(pattern, timeoutMs) {
+    this.log({
+      type: "regex_timeout",
+      severity: "warning",
+      message: `Regex operation timed out after ${timeoutMs}ms`,
+      context: { patternLength: pattern.length, timeoutMs }
+    });
+  }
+  requestTimeout(operation, timeoutMs) {
+    this.log({
+      type: "request_timeout",
+      severity: "warning",
+      message: `Operation "${operation}" timed out after ${timeoutMs}ms`,
+      context: { operation, timeoutMs }
+    });
+  }
+  rateLimitExceeded(resource, limit) {
+    this.log({
+      type: "rate_limit_exceeded",
+      severity: "warning",
+      message: `Rate limit exceeded for ${resource}: limit is ${limit}`,
+      context: { resource, limit }
+    });
+  }
+  /**
+   * Get event statistics
+   */
+  getStats() {
+    return new Map(this.eventCount);
+  }
+  /**
+   * Get total event count
+   */
+  getTotalEventCount() {
+    let total = 0;
+    for (const count of this.eventCount.values()) {
+      total += count;
+    }
+    return total;
+  }
+  /**
+   * Reset statistics
+   */
+  resetStats() {
+    this.eventCount.clear();
+  }
+  /**
+   * Check if any events of a specific type have been logged
+   */
+  hasEventsOfType(type) {
+    return (this.eventCount.get(type) || 0) > 0;
+  }
+  /**
+   * Get count for a specific event type
+   */
+  getEventCount(type) {
+    return this.eventCount.get(type) || 0;
+  }
+  shouldLog(severity) {
+    const levels = ["info", "warning", "error", "critical"];
+    const configLevel = levels.indexOf(this.config.logLevel === "all" ? "info" : this.config.logLevel);
+    const eventLevel = levels.indexOf(severity);
+    return eventLevel >= configLevel;
+  }
+  formatEvent(event) {
+    let message = `[${event.type}] ${event.message}`;
+    if (this.config.includeContext && event.context) {
+      message += ` | Context: ${JSON.stringify(event.context)}`;
+    }
+    return message;
+  }
+  sanitizeContext(context) {
+    if (!context || !this.config.includeContext) return void 0;
+    const sanitized = {};
+    let size = 0;
+    for (const [key, value] of Object.entries(context)) {
+      const stringValue = String(value);
+      if (size + stringValue.length > this.config.maxContextSize) break;
+      if (this.looksLikeSensitiveKey(key)) {
+        sanitized[key] = "[REDACTED]";
+      } else {
+        sanitized[key] = value;
+      }
+      size += stringValue.length;
+    }
+    return sanitized;
+  }
+  sanitizePath(path2) {
+    const parts = path2.split(/[/\\]/);
+    const lastPart = parts[parts.length - 1];
+    return `.../${lastPart} (${path2.length} chars)`;
+  }
+  looksLikeSensitiveKey(key) {
+    const sensitivePatterns = [
+      /key/i,
+      /secret/i,
+      /password/i,
+      /token/i,
+      /auth/i,
+      /credential/i
+    ];
+    return sensitivePatterns.some((p) => p.test(key));
+  }
+}
+let globalAuditLogger = null;
+function getAuditLogger() {
+  if (!globalAuditLogger) {
+    globalAuditLogger = new SecurityAuditLogger();
+  }
+  return globalAuditLogger;
+}
+function createSafeError(error, context) {
+  const err = error instanceof Error ? error : new Error(String(error));
+  return createSafeError$1(err, context);
+}
 const OptionsSchema = z.object({
   logger: z.any().optional().default(DEFAULT_LOGGER),
   ignorePatterns: z.array(z.string()).optional().default(DEFAULT_IGNORE_PATTERNS),
   parameters: ParametersSchema.optional().default({})
 });
+function createSafeIgnorePatterns(patterns, logger) {
+  const auditLogger = getAuditLogger();
+  const safeRegex = new SafeRegex({
+    maxLength: 500,
+    timeoutMs: 1e3,
+    onBlock: (message, pattern) => {
+      logger.warn(`Blocked unsafe ignore pattern: ${message}`, { patternLength: pattern.length });
+      auditLogger.log({
+        type: "regex_blocked",
+        severity: "warning",
+        message: `Blocked unsafe regex pattern: ${message}`,
+        context: { patternLength: pattern.length }
+      });
+    },
+    onWarning: (message, _pattern) => {
+      logger.debug(`Regex warning: ${message}`);
+    }
+  });
+  return patterns.map((pattern) => {
+    const result = safeRegex.create(pattern, "i");
+    if (result.safe && result.regex) {
+      return result.regex;
+    }
+    const globResult = safeRegex.globToRegex(pattern);
+    if (globResult.safe && globResult.regex) {
+      return globResult.regex;
+    }
+    logger.warn(`Invalid or unsafe ignore pattern "${pattern}": ${result.error || globResult.error}`);
+    return null;
+  }).filter((regex) => regex !== null);
+}
 function extractFirstHeader(markdownText) {
   const headerRegex = /^(#{1,6})\s+(.+?)(?:\n|$)/m;
   const match = markdownText.match(headerRegex);
@@ -782,14 +1084,7 @@ const create = (loaderOptions) => {
           mainContextSection = create$4({ ...sectionOptions, title: dirName });
         }
         const files = await storage.listFiles(contextDir);
-        const ignorePatternsRegex = ignorePatterns.map((pattern) => {
-          try {
-            return new RegExp(pattern, "i");
-          } catch (error) {
-            logger.error(`Invalid ignore pattern: ${pattern}`, { error });
-            return /(?!)/;
-          }
-        });
+        const ignorePatternsRegex = createSafeIgnorePatterns(ignorePatterns, logger);
         const filteredFiles = files.filter((file) => {
           const fullPath = path__default.join(contextDir, file);
           return !ignorePatternsRegex.some((regex) => regex.test(file) || regex.test(fullPath));
@@ -816,7 +1111,8 @@ const create = (loaderOptions) => {
         }
         contextSections.push(mainContextSection);
       } catch (error) {
-        logger.error(`Error processing context directory ${contextDir}: ${error}`);
+        const safeError = createSafeError(error, { operation: "load", directory: path__default.basename(contextDir) });
+        logger.error(`Error processing context directory: ${safeError.message}`);
       }
     }
     return contextSections;
@@ -838,6 +1134,7 @@ z.object({
   overrides: z.boolean().optional().default(false),
   parameters: ParametersSchema.optional().default({})
 });
+Logging.getLogger("@theunwalked/riotprompt");
 z.object({
   model: z.string(),
   formatter: z.any().optional(),
@@ -1344,6 +1641,168 @@ const execute = async (request, options = {}) => {
   const manager = new ExecutionManager();
   return manager.execute(request, options);
 };
+const PathSecurityConfigSchema = z.object({
+  enabled: z.boolean().optional().default(true),
+  basePaths: z.array(z.string()).optional().default([]),
+  allowAbsolute: z.boolean().optional().default(false),
+  allowSymlinks: z.boolean().optional().default(false),
+  denyPatterns: z.array(z.string()).optional().default([
+    "\\.\\.",
+    // Parent directory
+    "~",
+    // Home directory expansion
+    "\\$\\{"
+    // Variable expansion
+  ])
+});
+const ToolSecurityConfigSchema = z.object({
+  enabled: z.boolean().optional().default(true),
+  validateParams: z.boolean().optional().default(true),
+  sandboxExecution: z.boolean().optional().default(false),
+  allowedTools: z.array(z.string()).optional(),
+  deniedTools: z.array(z.string()).optional().default([]),
+  maxExecutionTime: z.number().optional().default(3e4),
+  // 30 seconds
+  maxConcurrentCalls: z.number().optional().default(10)
+});
+const SecretSecurityConfigSchema = z.object({
+  enabled: z.boolean().optional().default(true),
+  redactInLogs: z.boolean().optional().default(true),
+  redactInErrors: z.boolean().optional().default(true),
+  patterns: z.array(z.instanceof(RegExp)).optional().default([
+    /api[_-]?key[\s:="']+[\w-]+/gi,
+    /password[\s:="']+[\w-]+/gi,
+    /Bearer\s+[\w-]+/gi,
+    /sk-[a-zA-Z0-9]{48,}/g,
+    /AKIA[0-9A-Z]{16}/g
+    // AWS Access Key
+  ]),
+  customPatterns: z.array(z.instanceof(RegExp)).optional().default([])
+});
+const LogSecurityConfigSchema = z.object({
+  enabled: z.boolean().optional().default(true),
+  auditSecurityEvents: z.boolean().optional().default(true),
+  sanitizeStackTraces: z.boolean().optional().default(true),
+  maxContentLength: z.number().optional().default(1e4)
+});
+const TimeoutConfigSchema = z.object({
+  enabled: z.boolean().optional().default(true),
+  defaultTimeout: z.number().optional().default(3e4),
+  llmTimeout: z.number().optional().default(12e4),
+  // 2 minutes for LLM calls
+  toolTimeout: z.number().optional().default(3e4),
+  fileTimeout: z.number().optional().default(5e3)
+});
+function createDefaultPathSecurityConfig() {
+  return PathSecurityConfigSchema.parse({});
+}
+function createDefaultToolSecurityConfig() {
+  return ToolSecurityConfigSchema.parse({});
+}
+function createDefaultSecretSecurityConfig() {
+  return SecretSecurityConfigSchema.parse({});
+}
+function createDefaultLogSecurityConfig() {
+  return LogSecurityConfigSchema.parse({});
+}
+function createDefaultTimeoutConfig() {
+  return TimeoutConfigSchema.parse({});
+}
+const SecurityConfigSchema = z.object({
+  paths: PathSecurityConfigSchema.optional().default(createDefaultPathSecurityConfig),
+  tools: ToolSecurityConfigSchema.optional().default(createDefaultToolSecurityConfig),
+  secrets: SecretSecurityConfigSchema.optional().default(createDefaultSecretSecurityConfig),
+  logging: LogSecurityConfigSchema.optional().default(createDefaultLogSecurityConfig),
+  timeouts: TimeoutConfigSchema.optional().default(createDefaultTimeoutConfig)
+});
+SecurityConfigSchema.parse({});
+const SERIALIZATION_LIMITS = {
+  maxContentLength: 1e6,
+  // 1MB per message
+  maxArgumentsLength: 1e5,
+  // 100KB for tool arguments
+  maxMessages: 1e4,
+  // 10k messages per conversation
+  maxContextItems: 1e3,
+  // 1k context items
+  maxStringLength: 100,
+  // 100 chars for names/ids
+  maxToolCalls: 100
+  // 100 tool calls per message
+};
+const ToolCallSchema = z.object({
+  id: z.string().max(SERIALIZATION_LIMITS.maxStringLength),
+  type: z.literal("function"),
+  function: z.object({
+    name: z.string().max(SERIALIZATION_LIMITS.maxStringLength),
+    arguments: z.string().max(SERIALIZATION_LIMITS.maxArgumentsLength)
+  })
+});
+const ConversationMessageSchema = z.object({
+  role: z.enum(["system", "user", "assistant", "tool"]),
+  content: z.string().nullable().refine(
+    (val) => val === null || val.length <= SERIALIZATION_LIMITS.maxContentLength,
+    { message: `Content exceeds maximum length of ${SERIALIZATION_LIMITS.maxContentLength}` }
+  ),
+  name: z.string().max(SERIALIZATION_LIMITS.maxStringLength).optional(),
+  tool_calls: z.array(ToolCallSchema).max(SERIALIZATION_LIMITS.maxToolCalls).optional(),
+  tool_call_id: z.string().max(SERIALIZATION_LIMITS.maxStringLength).optional()
+});
+const ConversationMetadataSchema = z.object({
+  model: z.string().max(SERIALIZATION_LIMITS.maxStringLength),
+  created: z.string().datetime(),
+  lastModified: z.string().datetime(),
+  messageCount: z.number().int().nonnegative(),
+  toolCallCount: z.number().int().nonnegative()
+});
+z.object({
+  // Optional version for forward compatibility
+  version: z.string().optional(),
+  messages: z.array(ConversationMessageSchema).max(SERIALIZATION_LIMITS.maxMessages),
+  metadata: ConversationMetadataSchema,
+  contextProvided: z.array(z.string().max(1e3)).max(SERIALIZATION_LIMITS.maxContextItems).optional()
+});
+z.object({
+  version: z.string().optional(),
+  persona: z.any().optional(),
+  instructions: z.any().optional(),
+  contexts: z.any().optional(),
+  content: z.any().optional()
+});
+z.object({
+  id: z.string().max(200),
+  metadata: z.object({
+    startTime: z.union([z.string().datetime(), z.date()]),
+    endTime: z.union([z.string().datetime(), z.date()]).optional(),
+    duration: z.number().nonnegative().optional(),
+    model: z.string().max(SERIALIZATION_LIMITS.maxStringLength),
+    template: z.string().max(SERIALIZATION_LIMITS.maxStringLength).optional(),
+    userContext: z.record(z.string(), z.any()).optional()
+  }),
+  prompt: z.object({
+    persona: z.string().optional(),
+    instructions: z.string().optional(),
+    content: z.array(z.string()).optional(),
+    context: z.array(z.string()).optional()
+  }).optional(),
+  messages: z.array(z.object({
+    index: z.number().int().nonnegative(),
+    timestamp: z.string(),
+    role: z.string(),
+    content: z.string().nullable(),
+    tool_calls: z.array(ToolCallSchema).optional(),
+    tool_call_id: z.string().optional(),
+    metadata: z.record(z.string(), z.any()).optional()
+  })).max(SERIALIZATION_LIMITS.maxMessages),
+  summary: z.object({
+    totalMessages: z.number().int().nonnegative(),
+    totalTokens: z.number().int().nonnegative().optional(),
+    toolCallsExecuted: z.number().int().nonnegative(),
+    iterations: z.number().int().nonnegative(),
+    finalOutput: z.string().optional(),
+    success: z.boolean()
+  })
+});
 const program = new Command();
 const configManager = create$7({
   configShape: ConfigSchema.shape,

package/dist/context-manager.js

@@ -239,5 +239,5 @@ function _define_property(obj, key, value) {
     }
 }
 
-export { ContextManager, ContextManager as default };
+export { ContextManager };
 //# sourceMappingURL=context-manager.js.map

package/dist/conversation-logger.d.ts

@@ -1,3 +1,4 @@
+import { MaskingConfig } from './logging-config';
 import { ConversationMessage, ToolCall } from './conversation';
 /**
  * Log format
@@ -13,8 +14,14 @@ export interface LogConfig {
     filenameTemplate?: string;
     includeMetadata?: boolean;
     includePrompt?: boolean;
+    /** Enable sensitive data redaction (defaults to true) */
     redactSensitive?: boolean;
+    /**
+     * @deprecated Use maskingConfig instead. Custom regex patterns for redaction.
+     */
     redactPatterns?: RegExp[];
+    /** Masking configuration for @fjell/logging integration */
+    maskingConfig?: MaskingConfig;
     onSaved?: (path: string) => void;
     onError?: (error: Error) => void;
 }
@@ -178,7 +185,16 @@ export declare class ConversationLogger {
      */
     private appendToJSONL;
     /**
-     * Redact sensitive content
+     * Redact sensitive content using @fjell/logging masking
+     *
+     * Automatically masks:
+     * - API keys (OpenAI, Anthropic, AWS, GitHub, etc.)
+     * - Passwords and secrets
+     * - Email addresses
+     * - SSNs
+     * - Private keys
+     * - JWTs
+     * - Large base64 blobs
      */
     private redactContent;
 }

package/dist/conversation-logger.js

@@ -1,6 +1,7 @@
 import fs__default from 'fs/promises';
 import path__default from 'path';
 import { wrapLogger, DEFAULT_LOGGER } from './logger.js';
+import { maskSensitive } from './logging-config.js';
 
 function _define_property(obj, key, value) {
     if (key in obj) {
@@ -252,22 +253,24 @@ function _define_property(obj, key, value) {
         await fs__default.appendFile(outputPath, line, 'utf-8');
     }
     /**
-     * Redact sensitive content
+     * Redact sensitive content using @fjell/logging masking
+     * 
+     * Automatically masks:
+     * - API keys (OpenAI, Anthropic, AWS, GitHub, etc.)
+     * - Passwords and secrets
+     * - Email addresses
+     * - SSNs
+     * - Private keys
+     * - JWTs
+     * - Large base64 blobs
      */ redactContent(content) {
-        let redacted = content;
-        // Apply custom patterns
-        for (const pattern of this.config.redactPatterns){
-            redacted = redacted.replace(pattern, '[REDACTED]');
-        }
-        // Default patterns
-        const defaultPatterns = [
-            /api[_-]?key[\s:="']+[\w-]+/gi,
-            /password[\s:="']+[\w-]+/gi,
-            /Bearer\s+[\w-]+/gi,
-            /sk-[a-zA-Z0-9]{48}/g
-        ];
-        for (const pattern of defaultPatterns){
-            redacted = redacted.replace(pattern, '[REDACTED]');
+        // Use Fjell's comprehensive masking
+        let redacted = maskSensitive(content, this.config.maskingConfig);
+        // Also apply any legacy custom patterns for backwards compatibility
+        if (this.config.redactPatterns && this.config.redactPatterns.length > 0) {
+            for (const pattern of this.config.redactPatterns){
+                redacted = redacted.replace(pattern, '[REDACTED]');
+            }
         }
         return redacted;
     }
@@ -288,8 +291,9 @@ function _define_property(obj, key, value) {
             filenameTemplate: 'conversation-{timestamp}',
             includeMetadata: true,
             includePrompt: false,
-            redactSensitive: false,
+            redactSensitive: true,
             redactPatterns: [],
+            maskingConfig: undefined,
             onSaved: ()=>{},
             onError: ()=>{},
             ...config
@@ -492,5 +496,5 @@ function _define_property(obj, key, value) {
     }
 }
 
-export { ConversationLogger, ConversationReplayer, ConversationLogger as default };
+export { ConversationLogger, ConversationReplayer };
 //# sourceMappingURL=conversation-logger.js.map