@sickr/replay 0.9.0-beta.3 → 0.9.1

package/dist/live.js

@@ -183,16 +183,7 @@ async function sessionLoop(creds, urlid, opts) {
             tailTimer = setInterval(() => pumpNewLines(ws, offsets, opts), 500);
         });
         ws.addEventListener('message', (ev) => {
-            // Decode payload — the `ws` npm package delivers text frames as a
-            // Buffer (not a string) on the browser-style addEventListener API.
-            // Without explicit decode we'd silently treat every message as '{}'.
-            let raw = '';
-            const d = ev.data;
-            if (typeof d === 'string')
-                raw = d;
-            else if (d && typeof d.toString === 'function') {
-                raw = d.toString('utf8');
-            }
+            const raw = decodeWsPayload(ev.data);
             if (opts.verbose)
                 process.stderr.write(`sickr: ws recv (${raw.length}b): ${raw.slice(0, 120)}\n`);
             let m;
@@ -255,19 +246,101 @@ function pumpNewLines(ws, offsets, opts) {
             continue;
         }
         for (const line of result.lines) {
-            try {
-                const event = JSON.parse(line);
-                ws.send(JSON.stringify({ kind: 'event', event }));
-            }
-            catch (e) {
-                if (opts.verbose)
-                    process.stderr.write(`sickr: skipped malformed event line (${e.message})\n`);
+            // Tolerant parse: one NDJSON line may contain multiple concatenated
+            // JSON objects if the OS interleaved two appendFileSync writes
+            // (observed on Windows when Claude + Codex hooks fire near-simultaneously).
+            // Split on `}{` boundaries and try each fragment.
+            for (const fragment of splitJsonObjects(line)) {
+                try {
+                    const event = JSON.parse(fragment);
+                    ws.send(JSON.stringify({ kind: 'event', event }));
+                }
+                catch (e) {
+                    if (opts.verbose)
+                        process.stderr.write(`sickr: skipped malformed event fragment (${e.message})\n`);
+                }
             }
         }
         offsets[runId] = result.newOffset;
     }
     writeOffsets(offsets);
 }
+/** Split a line that may contain MULTIPLE concatenated JSON objects into
+ *  individual object strings. Defensive splitter that respects quotes +
+ *  escapes (so a `}{` inside a string doesn't split). Used to recover from
+ *  the rare case where two `appendFileSync` writes interleave on the same
+ *  NDJSON file and produce `{...}{...}\n` instead of `{...}\n{...}\n`.
+ *
+ *  Returns `[line]` unchanged for normal single-object lines. Exported for
+ *  test coverage. */
+export function splitJsonObjects(line) {
+    const out = [];
+    let depth = 0;
+    let inString = false;
+    let escape = false;
+    let start = 0;
+    for (let i = 0; i < line.length; i++) {
+        const c = line[i];
+        if (escape) {
+            escape = false;
+            continue;
+        }
+        if (inString) {
+            if (c === '\\')
+                escape = true;
+            else if (c === '"')
+                inString = false;
+            continue;
+        }
+        if (c === '"') {
+            inString = true;
+            continue;
+        }
+        if (c === '{') {
+            if (depth === 0)
+                start = i;
+            depth++;
+        }
+        else if (c === '}') {
+            depth--;
+            if (depth === 0) {
+                out.push(line.slice(start, i + 1));
+            }
+        }
+    }
+    // No braces found at all (or unbalanced)? Return the original line so the
+    // outer JSON.parse can still try (and fail loudly if it's not JSON).
+    if (out.length === 0)
+        return [line];
+    return out;
+}
+/** Decode a WebSocket `MessageEvent.data` payload into a UTF-8 string.
+ *  The browser WebSocket gives strings for text frames; the Node `ws`
+ *  package gives Buffers; some shims give ArrayBuffer/Uint8Array. Reading
+ *  any of those as `typeof === 'string'` silently produces empty JSON,
+ *  which dropped steer messages on the CLI side in 0.9.0-beta.2 (#bug6).
+ *  Always run inbound frames through this. Exported for test coverage. */
+export function decodeWsPayload(data) {
+    if (typeof data === 'string')
+        return data;
+    if (data == null)
+        return '';
+    // Buffer / Uint8Array / ArrayBuffer all expose toString — but ArrayBuffer's
+    // default toString returns "[object ArrayBuffer]", so coerce via Uint8Array.
+    if (data instanceof ArrayBuffer)
+        return Buffer.from(new Uint8Array(data)).toString('utf8');
+    if (ArrayBuffer.isView(data))
+        return Buffer.from(data.buffer, data.byteOffset, data.byteLength).toString('utf8');
+    if (typeof data.toString === 'function') {
+        try {
+            return data.toString('utf8');
+        }
+        catch {
+            return '';
+        }
+    }
+    return '';
+}
 function isAlive(pid) {
     try {
         process.kill(pid, 0);

package/dist/redact.js

@@ -1,19 +1,132 @@
-const MASK = '‹redacted›'; // ‹redacted›
-// Assignment of a secret-ish-named var: KEY=..., TOKEN: "...", etc.
-const ASSIGN = /\b([A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL)[A-Z0-9_]*)\s*[:=]\s*("?)([^\s"']+)\2/g;
-// Standalone secret shapes.
+// Redaction layer — the SOLE filter between captured Claude / Codex
+// hook payloads and (a) on-disk NDJSON in ~/.sickr/runs/, (b) HTML
+// rendering, and (c) the gzipped POST to sickr.ai/api/replay.
+//
+// Treat every change here as security-critical. The threat model:
+//   - A user's session contains real secrets (Bearer tokens, Stripe keys,
+//     DB passwords, PEM blocks, etc.)
+//   - One `replay share` publishes the redacted transcript to a public URL
+//   - Anyone with the link (or guessing it) sees the unredacted bytes
+//
+// Two failure modes to guard against:
+//   1. Variable-style assignments (`KEY=...`, `password: "..."`, JSON
+//      `"api_key":"..."`, CLI `-p<pwd>`) where the NAME hints "this is a
+//      secret"
+//   2. Known-shape secrets that are recognisable from their format
+//      regardless of context (Stripe `sk_live_...`, GitHub `ghp_...`,
+//      Slack `xoxb-...`, PEM private keys, URL userinfo, etc.)
+//
+// 2026-05-31 security review surfaced gaps in both layers — see
+// tests/redact.test.ts for the regression corpus mirroring those findings.
+//
+// When adding new patterns: ALWAYS pair with a positive + negative test in
+// tests/redact.test.ts. False positives (over-redaction) are far better
+// than false negatives (leaked secrets), but the bar for both should be
+// raised case-by-case.
+const MASK = '‹redacted›';
+// ── 1. Assignments of secret-named variables ─────────────────────────────
+//
+// Matches both env-style (KEY=value, key=value, mysql_password=…) and
+// JSON / object key forms ("password":"value", api_key: "value").
+//
+// Case-insensitive so lowercase variables hit. Char class includes
+// [A-Za-z0-9_-] so `mysql-password`, `api-key`, `my_secret_token` all hit.
+// The keyword list is bounded — we want anything CONTAINING key/token/
+// secret/password/passwd/credential/auth/bearer/apikey.
+const ASSIGN = /\b([A-Za-z0-9_-]*(?:key|token|secret|password|passwd|credential|apikey|api[_-]?key|auth|bearer)[A-Za-z0-9_-]*)\s*[:=]\s*("?)([^\s"',;)}\]]+)\2/gi;
+// JSON-style keys ("password":"value") — separate from ASSIGN because the
+// quoted-key+quoted-value shape isn't reliably caught by the loose ASSIGN
+// above (which allows unquoted values). Treats `key`/`token`/etc. as the
+// match-anywhere keyword set.
+const JSON_KEY = /"([A-Za-z0-9_-]*(?:key|token|secret|password|passwd|credential|apikey|api[_-]?key|auth|bearer)[A-Za-z0-9_-]*)"\s*:\s*"([^"]+)"/gi;
+// CLI -p<pwd> form — MySQL, PostgreSQL, MongoDB, basic-auth tools.
+// Constrained: must be immediately preceded by whitespace or start-of-line
+// AND have at least 4 chars after -p. We deliberately don't redact
+// short -p switches (typically port numbers, not passwords).
+const CLI_PSWITCH = /(^|\s)(-p)([^\s'"]{4,})/g;
+// ── 2. Known-shape secrets (no surrounding context needed) ───────────────
+//
+// Each entry is a literal regex + a one-line provenance note. When you add
+// one, also add a fixture line to tests/redact.test.ts to lock the shape.
 const SHAPES = [
-    /\bBearer\s+[A-Za-z0-9._\-]+/g,
-    /\bsk-[A-Za-z0-9]{16,}/g,
+    // Generic OAuth-style Bearer header.
+    /\bBearer\s+[A-Za-z0-9._\-+/=]+/g,
+    // OpenAI: sk-..., sk-proj-..., sk-svcacct-...
+    /\bsk(?:-[A-Za-z0-9_-]+)?-[A-Za-z0-9_-]{16,}/g,
+    // Anthropic: sk-ant-..., sk-ant-api03-..., sk-ant-sid01-...
+    /\bsk-ant(?:-[a-z0-9]+)?-[A-Za-z0-9_-]{16,}/g,
+    // GitHub: classic personal access token (ghp_), fine-grained
+    // (github_pat_), OAuth (gho_), server-to-server (ghs_), refresh (ghr_),
+    // user-to-server (ghu_).
     /\bghp_[A-Za-z0-9]{20,}/g,
     /\bgithub_pat_[A-Za-z0-9_]{20,}/g,
+    /\bghs_[A-Za-z0-9]{20,}/g,
+    /\bgho_[A-Za-z0-9]{20,}/g,
+    /\bghr_[A-Za-z0-9]{20,}/g,
+    /\bghu_[A-Za-z0-9]{20,}/g,
+    // AWS Access Key ID (note: only the ID — the SECRET key has no
+    // recognisable shape and must come through ASSIGN / known env var name).
     /\bAKIA[0-9A-Z]{16}\b/g,
-    /\beyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+/g, // JWT
+    /\bASIA[0-9A-Z]{16}\b/g, // STS temporary creds
+    // JWT — three base64url segments separated by dots. Anchored on the
+    // typical eyJ prefix (the base64url of `{"`).
+    /\beyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+/g,
+    // Stripe API keys: secret / restricted / publishable, live + test modes.
+    /\b(?:sk|rk|pk)_(?:live|test)_[A-Za-z0-9]{16,}/g,
+    // Stripe webhook signing secret — no live/test split in this prefix.
+    /\bwhsec_[A-Za-z0-9]{16,}/g,
+    // Slack: bot/user/oauth/refresh/app tokens.
+    /\bxox[abprsoaur]-[A-Za-z0-9-]{10,}/g,
+    // Google API keys (and Firebase, OAuth client id collision is OK — we
+    // over-redact rather than leak).
+    /\bAIza[0-9A-Za-z_-]{35}/g,
+    // GitLab Personal Access Token.
+    /\bglpat-[A-Za-z0-9_-]{20,}/g,
+    // npm: automation + publish tokens.
+    /\bnpm_[A-Za-z0-9]{36}/g,
+    // SendGrid.
+    /\bSG\.[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}/g,
+    // Twilio: Account SID (AC...) + API Key SID (SK...).
+    /\bAC[0-9a-f]{32}\b/g,
+    /\bSK[0-9a-f]{32}\b/g,
+    // Square: bare and OAuth.
+    /\b(?:EAAA|sq0(?:atp|csp|idp))-[A-Za-z0-9_-]{20,}/g,
+    // Mailgun.
+    /\bkey-[a-f0-9]{32}\b/g,
+    // URL userinfo — https://user:password@host. Redacts the entire
+    // userinfo block; we re-emit a scheme://[redacted]@host marker so the
+    // resulting text still reads as a URL.
+    /\b(https?|ftp|ssh|git|mysql|postgres(?:ql)?|mongodb(?:\+srv)?|redis|amqp):\/\/[^\s/@:]+:[^\s/@]+@/gi,
+    // PEM private key blocks — match the entire wrapper including header
+    // and footer. Multi-line; the `[\s\S]+?` is non-greedy so adjacent
+    // blocks don't merge.
+    /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]+?-----END [A-Z ]*PRIVATE KEY-----/g,
+    // SSH private keys (OpenSSH format header).
+    /-----BEGIN OPENSSH PRIVATE KEY-----[\s\S]+?-----END OPENSSH PRIVATE KEY-----/g,
+    // PGP private blocks.
+    /-----BEGIN PGP PRIVATE KEY BLOCK-----[\s\S]+?-----END PGP PRIVATE KEY BLOCK-----/g,
 ];
-/** Mask secrets before anything is written to disk or shared. */
+/** Mask secrets before anything is written to disk or shared.
+ *  Applied in three passes:
+ *    1. JSON-key form first (most precise)
+ *    2. ASSIGN form (env / object literal)
+ *    3. SHAPES (context-free known formats)
+ *    4. CLI -p<pwd> form last (after shape matches don't capture them)
+ *  Idempotent: redact(redact(x)) == redact(x). */
 export function redact(input) {
-    let out = input.replace(ASSIGN, (_m, key) => `${key}=${MASK}`);
-    for (const re of SHAPES)
-        out = out.replace(re, MASK);
+    let out = input;
+    out = out.replace(JSON_KEY, (_m, key) => `"${key}":"${MASK}"`);
+    out = out.replace(ASSIGN, (_m, key) => `${key}=${MASK}`);
+    for (const re of SHAPES) {
+        // Lambda preserves a URL-userinfo marker so the result still parses
+        // as a URL; everything else collapses to MASK.
+        out = out.replace(re, (m) => {
+            const urlMatch = /^([a-z]+):\/\//i.exec(m);
+            if (urlMatch && m.endsWith('@'))
+                return `${urlMatch[1]}://${MASK}@`;
+            return MASK;
+        });
+    }
+    out = out.replace(CLI_PSWITCH, (_m, pre, flag) => `${pre}${flag}${MASK}`);
     return out;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sickr/replay",
-  "version": "0.9.0-beta.3",
+  "version": "0.9.1",
   "type": "module",
   "description": "npx @sickr/replay — local Claude Code audit + one-click share. The free wedge into SICKR.",
   "bin": { "replay": "dist/cli.js", "sickr": "dist/cli.js" },
@@ -9,7 +9,8 @@
   "scripts": {
     "build": "tsc",
     "test": "vitest run",
-    "dev": "tsc -w"
+    "dev": "tsc -w",
+    "prepublishOnly": "npm run build && npm test && node scripts/pre-publish-check.mjs"
   },
   "engines": { "node": ">=20" },
   "license": "UNLICENSED",