@wrongstack/core 0.256.0 → 0.257.0
- package/dist/defaults/index.d.ts +1 -1
- package/dist/defaults/index.js +128 -22
- package/dist/defaults/index.js.map +1 -1
- package/dist/execution/index.js +107 -20
- package/dist/execution/index.js.map +1 -1
- package/dist/index.d.ts +6 -2
- package/dist/index.js +144 -38
- package/dist/index.js.map +1 -1
- package/dist/infrastructure/index.js +9 -8
- package/dist/infrastructure/index.js.map +1 -1
- package/dist/models/index.js +9 -8
- package/dist/models/index.js.map +1 -1
- package/dist/sdd/index.js +7 -2
- package/dist/sdd/index.js.map +1 -1
- package/dist/{secret-vault-BkYkJWQs.d.ts → secret-vault-gxtFZYBt.d.ts} +7 -0
- package/dist/security/index.d.ts +1 -1
- package/dist/security/index.js +23 -9
- package/dist/security/index.js.map +1 -1
- package/dist/storage/index.js +1 -1
- package/dist/storage/index.js.map +1 -1
- package/dist/types/index.d.ts +1 -1
- package/dist/types/index.js +137 -36
- package/dist/types/index.js.map +1 -1
- package/dist/utils/index.js +9 -8
- package/dist/utils/index.js.map +1 -1
- package/package.json +1 -1
|
@@ -5,6 +5,13 @@ import { S as SecretVault } from './secret-vault-BJDY28ev.js';
|
|
|
5
5
|
declare class DefaultSecretScrubber implements SecretScrubber {
|
|
6
6
|
scrub(text: string): string;
|
|
7
7
|
private scrubOne;
|
|
8
|
+
/**
|
|
9
|
+
* Recursively scrub every string value in an object/array graph. Secrets can
|
|
10
|
+
* appear under any key — a URL query param, an `authorization` header, an
|
|
11
|
+
* arbitrarily-named nested field — so we don't gate recursion on key names.
|
|
12
|
+
* The per-string `scrub()` fast-path (anchor pre-scan) keeps this cheap: any
|
|
13
|
+
* value without a credential anchor returns immediately without regex work.
|
|
14
|
+
*/
|
|
8
15
|
scrubObject<T>(obj: T): T;
|
|
9
16
|
}
|
|
10
17
|
|
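--- a/package/dist/security/index.d.ts
+++ b/package/dist/security/index.d.ts
@@ -1,4 +1,4 @@
-export { D as DefaultSecretScrubber, a as DefaultSecretVault, S as SecretVaultOptions, d as decryptConfigSecrets, e as encryptConfigSecrets, i as isSecretField, m as migratePlaintextSecrets, r as rewriteConfigEncrypted } from '../secret-vault-
+export { D as DefaultSecretScrubber, a as DefaultSecretVault, S as SecretVaultOptions, d as decryptConfigSecrets, e as encryptConfigSecrets, i as isSecretField, m as migratePlaintextSecrets, r as rewriteConfigEncrypted } from '../secret-vault-gxtFZYBt.js';
 export { A as AutoApprovePermissionPolicy, D as DefaultPermissionPolicy, P as PermissionPolicyOptions } from '../permission-policy-B8rSu908.js';
 import '../permission-CwBBpCoF.js';
 import '../context-CGdgA0q6.js';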
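--- a/package/dist/security/index.js
+++ b/package/dist/security/index.js
@@ -60,6 +60,10 @@ var PATTERNS = [
 regex: /(?:^|\s)([A-Z_]{4,}(?:KEY|TOKEN|SECRET|PASSWORD|PWD))\s*[:=]\s*['"]?([A-Za-z0-9_/+=-]{20,512})['"]?(?:\s|$)/g
 }
 ];
+var SIMPLE_PATTERNS = PATTERNS.filter((p) => p.type !== "high_entropy_env");
+var COMBINED_REGEX = new RegExp(SIMPLE_PATTERNS.map((p) => `(${p.regex.source})`).join("|"), "g");
+var HIGH_ENTROPY_REGEX = PATTERNS.find((p) => p.type === "high_entropy_env").regex;
+var COMBINED_REPLACEMENTS = SIMPLE_PATTERNS.map((p) => `[REDACTED:${p.type}]`);
 var SCRUB_CHUNK_BYTES = 64 * 1024;
 function hasCredentialAnchors(text) {
 return text.includes("-----BEGIN") || // Private keys (most unique → cheap reject)
@@ -101,17 +105,27 @@ var DefaultSecretScrubber = class {
 }
 scrubOne(text) {
 if (!hasCredentialAnchors(text)) return text;
-let out = text
-
-
-
-
-
-return
-}
-
+let out = text.replace(
+COMBINED_REGEX,
+(match, ...groups) => {
+const idx = groups.findIndex((g) => g !== void 0);
+if (idx < 0) return match;
+const replacement = COMBINED_REPLACEMENTS[idx];
+return replacement !== void 0 ? replacement : match;
+}
+);
+out = out.replace(HIGH_ENTROPY_REGEX, (_match, group1, _group2) => {
+return `${group1}=[REDACTED:high_entropy_env]`;
+});
 return out;
 }
+/**
+* Recursively scrub every string value in an object/array graph. Secrets can
+* appear under any key — a URL query param, an `authorization` header, an
+* arbitrarily-named nested field — so we don't gate recursion on key names.
+* The per-string `scrub()` fast-path (anchor pre-scan) keeps this cheap: any
+* value without a credential anchor returns immediately without regex work.
+*/
 scrubObject(obj) {
 const seen = /* @__PURE__ */ new WeakSet();
 const visit = (v) => {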
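Review bot: The new `scrubOne` callback uses the position of the first defined capture group as the index into `COMBINED_REPLACEMENTS`, which is only correct if no `SIMPLE_PATTERNS` entry has a capturing group of its own. All but the last `PATTERNS` entry sit outside the first hunk, so this cannot be confirmed here, and the one regex that is visible does use capture groups. When the mapping is off, the match gets the wrong label or, past the end of the array, falls through to `return match` and the matched text stays in the output; a scrubber should fail closed, e.g. `return replacement !== void 0 ? replacement : "[REDACTED]";`. Building `COMBINED_REGEX` from `p.regex.source` with only `"g"` also discards each pattern's own flags, so a pattern that relied on `i` or `m` would silently stop matching. Separately, the visible env-style regex (unchanged context, so this may predate the commit) consumes its trailing `(?:\s|$)`, so the second of two assignments separated by a single newline is not matched, and the new replacement drops the surrounding whitespace; a lookahead `(?=\s|$)` with the leading delimiter captured and re-emitted would avoid both.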