@saptools/cf-inspector 0.3.7 → 0.3.8

package/README.md

@@ -22,7 +22,7 @@ Built so an AI agent (or a CI job) can drive a debugger from a single shell comm
 - ✅ **Conditional breakpoints** — `--condition 'req.userId === "abc"'` only pauses when the predicate is truthy
 - 🎭 **Multi-breakpoint** — repeat `--bp` to race several locations; first hit wins
 - 📡 **Non-pausing logpoints** — `cf-inspector log --at file:line --expr 'JSON.stringify({…})'` streams JSON Lines as the line executes, **without ever pausing the inspectee** (safe for production traffic)
-- 🧠 **Agent-friendly** — JSON-by-default I/O, deterministic shape, sensitive-name redaction (`password`, `credentials`, `token`, `secret`, `cookie`, …) baked in
+- 🧠 **Agent-friendly** — JSON-by-default I/O, deterministic shape, bounded value previews for large debugger payloads
 - 🧭 **Path mapping** — local `src/handler.ts:42` is matched against the remote URL via a `urlRegex`, with optional `--remote-root` literal or regex (same DSL as `cds-debug`)
 - 🔁 **Composes with `cf-debugger`** — pass `--app/--region/--org/--space` and the tunnel is opened automatically; pass `--port` to attach to anything CDP-speaking
 - 🪶 **Tiny dependency footprint** — `commander` + `ws` only, no heavy CDP framework
@@ -120,7 +120,9 @@ cf-inspector snapshot --port 9229 \
 JSON output includes frame metadata and `captures` by default. `topFrame.scopes`
 is only present with `--include-scopes`, because Cloud Foundry Node apps often
 carry large local/closure/module objects that drown out targeted captures. The
-output also includes `pausedDurationMs`, the client-observed time from receiving
+output contains raw debugger values; use it only against trusted targets and be
+careful when sharing logs. The output also includes `pausedDurationMs`, the
+client-observed time from receiving
 the matching pause event until `Debugger.resume` completes. It does not include
 the time spent waiting for the breakpoint to hit. When `--keep-paused` is used,
 `pausedDurationMs` is `null` because `cf-inspector` intentionally skips

package/dist/cli.js

@@ -1072,7 +1072,6 @@ var MAX_SCOPE_VARIABLES = 20;
 var MAX_CHILD_VARIABLES = 8;
 var MAX_VARIABLE_DEPTH = 2;
 var MAX_VALUE_LENGTH = 240;
-var SENSITIVE_NAME_REGEX = /(pass(?:word)?|credentials?|creds?|token|secret|api[_-]?key|authorization|cookie|session|private[_-]?key)/i;
 var PRIORITY_BY_TYPE = {
   local: 0,
   arguments: 1,
@@ -1133,13 +1132,7 @@ function formatPrimitive(value) {
   }
   return String(value);
 }
-function isSensitiveName(name) {
-  return SENSITIVE_NAME_REGEX.test(name);
-}
-function sanitizeValue(name, raw) {
-  if (isSensitiveName(name)) {
-    return "[REDACTED]";
-  }
+function limitValueLength(raw) {
   if (raw.length <= MAX_VALUE_LENGTH) {
     return raw;
   }
@@ -1155,9 +1148,8 @@ async function captureProperties(session, objectId, limit, depth) {
     limited.map(async (prop) => {
       const name = typeof prop.name === "string" ? prop.name : "?";
       const described = describeProperty(prop);
-      const sensitive = isSensitiveName(name);
       let children;
-      if (!sensitive && depth > 0 && described.objectId !== void 0 && isExpandable(described.type)) {
+      if (depth > 0 && described.objectId !== void 0 && isExpandable(described.type)) {
         try {
           const nested = await captureProperties(
             session,
@@ -1171,7 +1163,7 @@ async function captureProperties(session, objectId, limit, depth) {
         } catch {
         }
       }
-      const sanitizedValue = sensitive ? "[REDACTED]" : sanitizeValue(name, described.value);
+      const sanitizedValue = limitValueLength(described.value);
       const base = { name, value: sanitizedValue };
       const withType = described.type === void 0 ? base : { ...base, type: described.type };
       return children === void 0 ? withType : { ...withType, children };
@@ -1206,7 +1198,7 @@ async function captureScopes(session, frame) {
 function evalResultToCaptured(expression, result) {
   if (result.exceptionDetails !== void 0) {
     const text = typeof result.exceptionDetails.exception?.description === "string" ? result.exceptionDetails.exception.description : typeof result.exceptionDetails.text === "string" ? result.exceptionDetails.text : "evaluation failed";
-    return { expression, error: sanitizeValue(expression, text) };
+    return { expression, error: limitValueLength(text) };
   }
   const inner = result.result;
   if (!inner) {
@@ -1214,7 +1206,7 @@ function evalResultToCaptured(expression, result) {
   }
   const type = typeof inner.type === "string" ? inner.type : void 0;
   const buildCaptured = (rendered) => {
-    const sanitized = sanitizeValue(expression, rendered);
+    const sanitized = limitValueLength(rendered);
     const base = { expression, value: sanitized };
     return type === void 0 ? base : { ...base, type };
   };
@@ -1346,7 +1338,7 @@ async function withSerializedObjectCapture(session, expression, evalResult, capt
   if (normalized === void 0) {
     return captured;
   }
-  const value = sanitizeValue(expression, normalized);
+  const value = limitValueLength(normalized);
   return captured.type === void 0 ? { expression, value } : { expression, value, type: captured.type };
 }
 async function captureSnapshot(session, pause, options = {}) {
@@ -1373,7 +1365,7 @@ async function captureSnapshot(session, pause, options = {}) {
             return await withSerializedObjectCapture(session, expression, result, captured);
           } catch (err) {
             const message = err instanceof Error ? err.message : String(err);
-            return { expression, error: message };
+            return { expression, error: limitValueLength(message) };
           }
         })
       );