@sparkleideas/shared 3.0.0-alpha.7

package/src/utils/secure-logger.ts

@@ -0,0 +1,257 @@
+/**
+ * Secure Logger Utility
+ *
+ * Provides sanitized error logging that strips sensitive information
+ * before logging to prevent information disclosure.
+ *
+ * Security features:
+ * - Removes stack traces in production
+ * - Sanitizes file paths to prevent internal structure disclosure
+ * - Filters sensitive keys from error objects
+ * - Truncates long messages to prevent log injection
+ *
+ * @module @sparkleideas/shared/utils/secure-logger
+ */
+
+// ============================================================================
+// Configuration
+// ============================================================================
+
+interface LoggerConfig {
+  /** Environment mode */
+  environment: 'development' | 'production' | 'test';
+  /** Maximum message length */
+  maxMessageLength: number;
+  /** Whether to include stack traces */
+  includeStackTrace: boolean;
+  /** Sensitive keys to filter */
+  sensitiveKeys: string[];
+  /** Path patterns to sanitize */
+  pathPatterns: RegExp[];
+}
+
+const DEFAULT_CONFIG: LoggerConfig = {
+  environment: (process.env.NODE_ENV as LoggerConfig['environment']) || 'development',
+  maxMessageLength: 1000,
+  includeStackTrace: process.env.NODE_ENV === 'development',
+  sensitiveKeys: [
+    'password', 'passwd', 'secret', 'token', 'apikey', 'api_key',
+    'authorization', 'auth', 'credential', 'private', 'key',
+    'session', 'cookie', 'jwt', 'bearer', 'access_token', 'refresh_token',
+  ],
+  pathPatterns: [
+    /\/home\/[^/]+/g,      // Unix home directories
+    /\/Users\/[^/]+/g,     // macOS home directories
+    /C:\\Users\\[^\\]+/gi, // Windows user directories
+    /\/var\/[^/]+/g,       // Var directories
+    /\/tmp\/[^/]+/g,       // Temp directories
+  ],
+};
+
+// ============================================================================
+// Sanitization Functions
+// ============================================================================
+
+/**
+ * Sanitize a string message
+ */
+function sanitizeMessage(message: string, config: LoggerConfig): string {
+  let sanitized = message;
+
+  // Truncate long messages
+  if (sanitized.length > config.maxMessageLength) {
+    sanitized = sanitized.substring(0, config.maxMessageLength) + '... [truncated]';
+  }
+
+  // Sanitize paths
+  for (const pattern of config.pathPatterns) {
+    sanitized = sanitized.replace(pattern, '[PATH]');
+  }
+
+  // Remove potential sensitive data patterns
+  sanitized = sanitized.replace(/[a-zA-Z0-9+/]{40,}={0,2}/g, '[REDACTED_KEY]');
+  sanitized = sanitized.replace(/Bearer\s+[^\s]+/gi, 'Bearer [REDACTED]');
+  sanitized = sanitized.replace(/token[=:]\s*[^\s&]+/gi, 'token=[REDACTED]');
+
+  return sanitized;
+}
+
+/**
+ * Sanitize an error object
+ */
+function sanitizeError(error: unknown, config: LoggerConfig): Record<string, unknown> {
+  if (error === null || error === undefined) {
+    return { message: 'Unknown error' };
+  }
+
+  if (typeof error === 'string') {
+    return { message: sanitizeMessage(error, config) };
+  }
+
+  if (error instanceof Error) {
+    const sanitized: Record<string, unknown> = {
+      name: error.name,
+      message: sanitizeMessage(error.message, config),
+    };
+
+    // Only include stack in development
+    if (config.includeStackTrace && error.stack) {
+      sanitized.stack = sanitizeMessage(error.stack, config);
+    }
+
+    // Include code if present (common in Node.js errors)
+    if ('code' in error) {
+      sanitized.code = (error as { code: unknown }).code;
+    }
+
+    return sanitized;
+  }
+
+  if (typeof error === 'object') {
+    return sanitizeObject(error as Record<string, unknown>, config);
+  }
+
+  return { message: String(error) };
+}
+
+/**
+ * Sanitize a plain object
+ */
+function sanitizeObject(obj: Record<string, unknown>, config: LoggerConfig): Record<string, unknown> {
+  const sanitized: Record<string, unknown> = {};
+
+  for (const [key, value] of Object.entries(obj)) {
+    const lowerKey = key.toLowerCase();
+
+    // Skip sensitive keys
+    if (config.sensitiveKeys.some(sk => lowerKey.includes(sk))) {
+      sanitized[key] = '[REDACTED]';
+      continue;
+    }
+
+    // Recursively sanitize nested objects
+    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
+      sanitized[key] = sanitizeObject(value as Record<string, unknown>, config);
+    } else if (typeof value === 'string') {
+      sanitized[key] = sanitizeMessage(value, config);
+    } else {
+      sanitized[key] = value;
+    }
+  }
+
+  return sanitized;
+}
+
+// ============================================================================
+// Logger Class
+// ============================================================================
+
+export class SecureLogger {
+  private config: LoggerConfig;
+  private prefix: string;
+
+  constructor(prefix: string = '', config: Partial<LoggerConfig> = {}) {
+    this.prefix = prefix;
+    this.config = { ...DEFAULT_CONFIG, ...config };
+  }
+
+  /**
+   * Log an info message
+   */
+  info(message: string, data?: Record<string, unknown>): void {
+    const sanitizedMessage = sanitizeMessage(message, this.config);
+    const sanitizedData = data ? sanitizeObject(data, this.config) : undefined;
+
+    if (sanitizedData) {
+      console.info(`[INFO]${this.prefix ? ` [${this.prefix}]` : ''} ${sanitizedMessage}`, sanitizedData);
+    } else {
+      console.info(`[INFO]${this.prefix ? ` [${this.prefix}]` : ''} ${sanitizedMessage}`);
+    }
+  }
+
+  /**
+   * Log a warning message
+   */
+  warn(message: string, data?: Record<string, unknown>): void {
+    const sanitizedMessage = sanitizeMessage(message, this.config);
+    const sanitizedData = data ? sanitizeObject(data, this.config) : undefined;
+
+    if (sanitizedData) {
+      console.warn(`[WARN]${this.prefix ? ` [${this.prefix}]` : ''} ${sanitizedMessage}`, sanitizedData);
+    } else {
+      console.warn(`[WARN]${this.prefix ? ` [${this.prefix}]` : ''} ${sanitizedMessage}`);
+    }
+  }
+
+  /**
+   * Log an error (sanitized for security)
+   */
+  error(message: string, error?: unknown): void {
+    const sanitizedMessage = sanitizeMessage(message, this.config);
+    const sanitizedError = error ? sanitizeError(error, this.config) : undefined;
+
+    if (sanitizedError) {
+      console.error(`[ERROR]${this.prefix ? ` [${this.prefix}]` : ''} ${sanitizedMessage}`, sanitizedError);
+    } else {
+      console.error(`[ERROR]${this.prefix ? ` [${this.prefix}]` : ''} ${sanitizedMessage}`);
+    }
+  }
+
+  /**
+   * Log debug message (only in development)
+   */
+  debug(message: string, data?: Record<string, unknown>): void {
+    if (this.config.environment !== 'development') {
+      return;
+    }
+
+    const sanitizedMessage = sanitizeMessage(message, this.config);
+    const sanitizedData = data ? sanitizeObject(data, this.config) : undefined;
+
+    if (sanitizedData) {
+      console.debug(`[DEBUG]${this.prefix ? ` [${this.prefix}]` : ''} ${sanitizedMessage}`, sanitizedData);
+    } else {
+      console.debug(`[DEBUG]${this.prefix ? ` [${this.prefix}]` : ''} ${sanitizedMessage}`);
+    }
+  }
+
+  /**
+   * Create a child logger with a sub-prefix
+   */
+  child(subPrefix: string): SecureLogger {
+    const newPrefix = this.prefix ? `${this.prefix}:${subPrefix}` : subPrefix;
+    return new SecureLogger(newPrefix, this.config);
+  }
+}
+
+// ============================================================================
+// Factory Functions
+// ============================================================================
+
+/**
+ * Create a secure logger instance
+ */
+export function createSecureLogger(prefix?: string, config?: Partial<LoggerConfig>): SecureLogger {
+  return new SecureLogger(prefix, config);
+}
+
+/**
+ * Default logger instance
+ */
+export const logger = createSecureLogger('@sparkleideas/claude-flow');
+
+/**
+ * Sanitize an error for safe logging/display
+ */
+export function sanitizeErrorForLogging(error: unknown): Record<string, unknown> {
+  return sanitizeError(error, DEFAULT_CONFIG);
+}
+
+/**
+ * Sanitize a message for safe logging/display
+ */
+export function sanitizeMessageForLogging(message: string): string {
+  return sanitizeMessage(message, DEFAULT_CONFIG);
+}
+
+export default SecureLogger;

package/tsconfig.json

@@ -0,0 +1,9 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "outDir": "./dist",
+    "rootDir": "./src"
+  },
+  "include": ["src/**/*"],
+  "exclude": ["node_modules", "dist"]
+}