@wayai/cli 0.3.44 → 0.3.45

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.js CHANGED
@@ -15,6 +15,34 @@ var __export = (target, all) => {
15
15
  __defProp(target, name, { get: all[name], enumerable: true });
16
16
  };
17
17
 
18
+ // src/lib/redact.ts
19
+ function redactSecrets(text) {
20
+ let out = text;
21
+ for (const [pattern, replacement] of PATTERNS) {
22
+ out = out.replace(pattern, replacement);
23
+ }
24
+ return out;
25
+ }
26
+ var PATTERNS;
27
+ var init_redact = __esm({
28
+ "src/lib/redact.ts"() {
29
+ "use strict";
30
+ PATTERNS = [
31
+ // JWTs (header.payload.signature) — WorkOS access/refresh tokens, OAuth JWTs.
32
+ // Run first so a `Bearer <jwt>` collapses to the JWT placeholder.
33
+ [/eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g, "[REDACTED_JWT]"],
34
+ // way_ scoped API tokens (keyring/CI credentials). Leading \b avoids
35
+ // over-redacting benign substrings (e.g. `gateway_config`); the charset is
36
+ // base64url (no `.`) so a trailing sentence period stays outside the match.
37
+ [/\bway_[A-Za-z0-9_-]{8,}/g, "way_[REDACTED]"],
38
+ // wst_ single-use WebSocket tickets (same opaque base64url format).
39
+ [/\bwst_[A-Za-z0-9_-]{8,}/g, "wst_[REDACTED]"],
40
+ // Authorization: Bearer <opaque token> (anything not already masked above).
41
+ [/(Bearer\s+)[A-Za-z0-9._~+/=-]{8,}/gi, "$1[REDACTED]"]
42
+ ];
43
+ }
44
+ });
45
+
18
46
  // src/lib/sentry.ts
19
47
  import * as Sentry from "@sentry/node";
20
48
  import { readFileSync } from "fs";
@@ -51,15 +79,26 @@ function initSentry(command2) {
51
79
  defaultIntegrations: false,
52
80
  beforeSend(event) {
53
81
  const home = homedir();
54
- if (home && event.exception?.values) {
82
+ if (event.exception?.values) {
55
83
  for (const value of event.exception.values) {
56
- if (value.stacktrace?.frames) {
84
+ if (home && value.stacktrace?.frames) {
57
85
  for (const frame of value.stacktrace.frames) {
58
86
  if (frame.filename && frame.filename.includes(home)) {
59
87
  frame.filename = frame.filename.replace(home, "~");
60
88
  }
61
89
  }
62
90
  }
91
+ if (value.value) value.value = redactSecrets(value.value);
92
+ }
93
+ }
94
+ if (event.breadcrumbs) {
95
+ for (const crumb of event.breadcrumbs) {
96
+ if (crumb.message) crumb.message = redactSecrets(crumb.message);
97
+ }
98
+ }
99
+ if (event.extra) {
100
+ for (const [key, val] of Object.entries(event.extra)) {
101
+ if (typeof val === "string") event.extra[key] = redactSecrets(val);
63
102
  }
64
103
  }
65
104
  return event;
@@ -127,6 +166,7 @@ var HARDCODED_DSN, initialized;
127
166
  var init_sentry = __esm({
128
167
  "src/lib/sentry.ts"() {
129
168
  "use strict";
169
+ init_redact();
130
170
  HARDCODED_DSN = "https://ffe500121277babcabf32e5868f00f9e@o4510669417807872.ingest.us.sentry.io/4510960145465344";
131
171
  initialized = false;
132
172
  }
@@ -138,14 +178,16 @@ var init_api_client = __esm({
138
178
  "src/lib/api-client.ts"() {
139
179
  "use strict";
140
180
  init_sentry();
181
+ init_redact();
141
182
  ApiError = class extends Error {
142
183
  status;
143
184
  body;
144
185
  constructor(method, path19, status, body) {
145
- super(`API request failed: ${method} ${path19} (${status}): ${body}`);
186
+ const safeBody = redactSecrets(body);
187
+ super(`API request failed: ${method} ${path19} (${status}): ${safeBody}`);
146
188
  this.name = "ApiError";
147
189
  this.status = status;
148
- this.body = body;
190
+ this.body = safeBody;
149
191
  }
150
192
  /** True when the status code is a 4xx client error (expected user-facing condition, not a bug). */
151
193
  get isExpected() {
@@ -8230,7 +8272,7 @@ async function exchangeCodeForTokens(authkitDomain, clientId, code, codeVerifier
8230
8272
  });
8231
8273
  if (!response.ok) {
8232
8274
  const body = await response.text();
8233
- throw new Error(`Token exchange failed (${response.status}): ${body}`);
8275
+ throw new Error(`Token exchange failed (${response.status}): ${redactSecrets(body)}`);
8234
8276
  }
8235
8277
  return response.json();
8236
8278
  }
@@ -8256,7 +8298,7 @@ async function refreshAccessToken(authkitDomain, clientId, refreshToken) {
8256
8298
  }
8257
8299
  if (isInvalidGrant) throw new Error("SESSION_EXPIRED");
8258
8300
  }
8259
- throw new Error(`Token refresh failed (${status}): ${body}`);
8301
+ throw new Error(`Token refresh failed (${status}): ${redactSecrets(body)}`);
8260
8302
  }
8261
8303
  return response.json();
8262
8304
  }
@@ -8388,6 +8430,7 @@ var init_auth = __esm({
8388
8430
  init_config();
8389
8431
  init_token_store();
8390
8432
  init_sentry();
8433
+ init_redact();
8391
8434
  OAUTH_CALLBACK_PORT = 3829;
8392
8435
  AUTHKIT_DOMAIN = "https://sprightly-comic-51.authkit.app";
8393
8436
  AUTHKIT_CLIENT_ID = "client_01KMZHB50KENM5SV90ZA80VXK4";
@@ -16691,6 +16734,7 @@ function friendlyHint(err) {
16691
16734
  }
16692
16735
 
16693
16736
  // src/index.ts
16737
+ init_redact();
16694
16738
  init_utils();
16695
16739
 
16696
16740
  // src/lib/version-refresh.ts
@@ -17072,7 +17116,7 @@ async function runForeground() {
17072
17116
  captureException2(err);
17073
17117
  }
17074
17118
  await closeSentry();
17075
- console.error(err instanceof Error ? err.message : String(err));
17119
+ console.error(redactSecrets(err instanceof Error ? err.message : String(err)));
17076
17120
  const hint = friendlyHint(err);
17077
17121
  if (hint) console.error(hint);
17078
17122
  process.exit(1);