@smithers-orchestrator/observability 0.25.1 → 0.25.2

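--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@smithers-orchestrator/observability",
- "version": "0.25.1",
+ "version": "0.25.2",
  "description": "Concrete Smithers metrics, logging, tracing, and observability integrations",
  "type": "module",
  "sideEffects": false,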
@@ -6,7 +6,12 @@
6
6
  const rules = [
7
7
  {
8
8
  id: "api-key",
9
- pattern: /\b(?:sk|pk)_[A-Za-z0-9_-]{8,}\b/g,
9
+ // Covers Stripe-style `sk_`/`pk_` AND the hyphenated provider keys
10
+ // Smithers actually drives: OpenAI `sk-…`/`sk-proj-…` and Anthropic
11
+ // `sk-ant-api03-…`. The separator after sk/pk may be `-` or `_`, and the
12
+ // body may contain further `-`/`_` segments (namespaces like `proj-`,
13
+ // `ant-`, `api03-`).
14
+ pattern: /\b(?:sk|pk)[-_][A-Za-z0-9][A-Za-z0-9_-]{7,}\b/g,
10
15
  replace: "[REDACTED_API_KEY]",
11
16
  },
12
17
  {
@@ -26,7 +31,10 @@ const rules = [
26
31
  },
27
32
  {
28
33
  id: "secret-ish",
29
- pattern: /\b(?:api[_-]?key|token|secret|password)=([^\s"']+)/gi,
34
+ // Negative lookbehind (not `\b`) so an underscore-joined prefix like
35
+ // `ANTHROPIC_API_KEY=` still matches: `_` is a word char, so `\bapi`
36
+ // never fired after it, leaking env-style key dumps.
37
+ pattern: /(?<![A-Za-z0-9])(?:api[_-]?key|token|secret|password)=([^\s"']+)/gi,
30
38
  // No `replace` field: redactValue special-cases this rule by id and
31
39
  // rewrites the captured value itself, so a top-level replace is never read.
32
40
  },
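Review bot: The rewritten api-key pattern (new line 14 of the first hunk in this section) still anchors on `\b` before `sk|pk`, so a key glued to an underscore-joined prefix (constructed sample: `vendor_sk-ant-api03-xxxxxxxx`) is skipped for exactly the reason the secret-ish hunk below documents — `_` is a word character, so no word boundary exists before `sk`. Since this file now already relies on ES2018 lookbehind in the secret-ish rule, the same guard would make the two rules consistent: `pattern: /(?<![A-Za-z0-9])(?:sk|pk)[-_][A-Za-z0-9][A-Za-z0-9_-]{7,}\b/g,`. Whether underscore-prefixed keys actually occur in Smithers log lines is not visible here, so treat this as a consistency question rather than a confirmed leak. Either way, the new comments enumerate concrete key shapes (`sk-proj-…`, `sk-ant-api03-…`, `_API_KEY=`) and nothing in the diff pins them, so a regression test with constructed, non-real samples for each listed shape plus a negative case such as `task-12345678` would keep this denylist honest. The `rules` array opens on the first line of that hunk and continues past it.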