@yemi33/minions 0.1.1727 → 0.1.1728

package/CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog
 
+## 0.1.1728 (2026-05-05)
+
+### Features
+- redact repository URLs in filed issues (#2069)
+
 ## 0.1.1727 (2026-05-05)
 
 ### Features

package/engine/copilot-models.json

@@ -1,5 +1,5 @@
 {
   "runtime": "copilot",
   "models": null,
-  "cachedAt": "2026-05-05T09:16:20.222Z"
+  "cachedAt": "2026-05-05T09:46:15.037Z"
 }

package/engine/issues.js

@@ -5,6 +5,7 @@
 const fs = require('fs');
 const path = require('path');
 const { execFileSync: _execFileSync } = require('child_process');
+const shared = require('./shared');
 
 const DEFAULT_REPO = 'yemi33/minions';
 const DEFAULT_LABELS = ['bug'];
@@ -117,6 +118,63 @@ function buildWarning(labelsSkipped, filedWithoutLabels) {
   return filedWithoutLabels ? `${base} Filed without labels.` : base;
 }
 
+function _addRedactionIdentifier(entries, seen, value, replacement) {
+  const clean = String(value || '').trim().replace(/\/+$/, '');
+  if (clean.length < 4) return;
+  const key = `${replacement}:${clean.toLowerCase()}`;
+  if (seen.has(key)) return;
+  seen.add(key);
+  entries.push({ value: clean, replacement });
+}
+
+function _stripPrUrlBase(url) {
+  return String(url || '')
+    .trim()
+    .replace(/\/(?:pull|pullrequest)\/?$/i, '')
+    .replace(/\/+$/, '');
+}
+
+function _buildIssueRedactionIdentifiers({ repo, projects = [] } = {}) {
+  const entries = [];
+  const seen = new Set();
+  _addRedactionIdentifier(entries, seen, repo, '[REDACTED_REPO]');
+
+  for (const project of projects || []) {
+    if (!project || typeof project !== 'object') continue;
+    const owner = project.adoOrg || project.org || project.owner || '';
+    const repoName = project.repoName || project.repositoryName || '';
+    const adoProject = project.adoProject || project.project || '';
+
+    if (owner && repoName) {
+      _addRedactionIdentifier(entries, seen, `${owner}/${repoName}`, '[REDACTED_REPO]');
+    }
+    if (owner && adoProject && repoName) {
+      _addRedactionIdentifier(entries, seen, `${owner}/${adoProject}/_git/${repoName}`, '[REDACTED_REPO]');
+      _addRedactionIdentifier(entries, seen, `${owner}/${adoProject}/${repoName}`, '[REDACTED_REPO]');
+    }
+    const repositoryId = String(project.repositoryId || '').trim();
+    if (repositoryId.length >= 8) {
+      _addRedactionIdentifier(entries, seen, repositoryId, '[REDACTED_REPOSITORY_ID]');
+    }
+
+    for (const field of ['remoteUrl', 'repositoryUrl', 'cloneUrl', 'sshUrl', 'webUrl']) {
+      _addRedactionIdentifier(entries, seen, project[field], '[REDACTED_REPO_URL]');
+    }
+    const prBase = _stripPrUrlBase(project.prUrlBase);
+    _addRedactionIdentifier(entries, seen, prBase, '[REDACTED_REPO_URL]');
+  }
+
+  entries.sort((a, b) => b.value.length - a.value.length);
+  return entries;
+}
+
+function _redactIssueContent(value, { repo, projects } = {}) {
+  return shared.redactSecrets(String(value || ''), {
+    redactRepositoryUrls: true,
+    repositoryIdentifiers: _buildIssueRedactionIdentifiers({ repo, projects }),
+  });
+}
+
 function createIssueWithLabels({ title, bodyFile, repo, labels, execFileSync }) {
   const args = ['issue', 'create', '--repo', repo, '--title', title, '--body-file', bodyFile];
   if (labels.length > 0) args.push('--label', labels.join(','));
@@ -133,6 +191,7 @@ function createGitHubIssue({
   description = '',
   labels,
   repo = DEFAULT_REPO,
+  projects,
   tmpDir,
   execFileSync = _execFileSync,
 } = {}) {
@@ -144,7 +203,10 @@ function createGitHubIssue({
     throw new GitHubIssueError('gh CLI not found. Install from https://cli.github.com/');
   }
 
-  const issueBody = `${description || ''}\n\n---\n_Filed via Minions dashboard_`;
+  const redactionProjects = projects || shared.getProjects();
+  const safeTitle = _redactIssueContent(title, { repo, projects: redactionProjects });
+  const safeDescription = _redactIssueContent(description || '', { repo, projects: redactionProjects });
+  const issueBody = `${safeDescription}\n\n---\n_Filed via Minions dashboard_`;
   const dir = tmpDir || path.join(__dirname, 'tmp');
   fs.mkdirSync(dir, { recursive: true });
   const bodyFile = path.join(dir, `bug-body-${process.pid}-${Date.now()}-${Math.random().toString(36).slice(2)}.md`);
@@ -154,7 +216,7 @@ function createGitHubIssue({
   try {
     resolved = resolveLabels({ labels, repo, execFileSync });
     const created = createIssueWithLabels({
-      title,
+      title: safeTitle,
       bodyFile,
       repo,
       labels: resolved.labelsToApply,
@@ -175,7 +237,7 @@ function createGitHubIssue({
     if (isAuthError(e)) throw new GitHubIssueError('GitHub auth required. Run: gh auth login', 401);
     if (resolved && resolved.labelsToApply.length > 0 && isLabelUnavailableError(e)) {
       try {
-        const created = createIssueWithLabels({ title, bodyFile, repo, labels: [], execFileSync });
+        const created = createIssueWithLabels({ title: safeTitle, bodyFile, repo, labels: [], execFileSync });
         const skipped = normalizeLabels([...resolved.labelsSkipped, ...resolved.labelsToApply], []);
         return {
           ok: true,
@@ -203,4 +265,5 @@ module.exports = {
   normalizeLabels,
   isLabelUnavailableError,
   createGitHubIssue,
+  _buildIssueRedactionIdentifiers,
 };

package/engine/shared.js

@@ -42,22 +42,71 @@ function dateStamp() { return new Date().toISOString().slice(0, 10); }
 const _BEARER_RE = /Bearer\s+[A-Za-z0-9+/=._\-]{20,}/g;
 const _JWT_RE = /ey[A-Za-z0-9_\-]{10,}\.[A-Za-z0-9_\-]{10,}(?:\.[A-Za-z0-9_\-]{10,})?/g;
 const _AZUREAUTH_RE = /"token"\s*:\s*"[A-Za-z0-9+/=._\-]{20,}"/g;
+const _URL_RE = /\b(?:https?|ssh):\/\/[^\s<>"'`]+/gi;
+const _GITHUB_REPO_URL_RE = /\b(?:(?:https?:\/\/|ssh:\/\/git@)github\.com[/:]|git@github\.com:)[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+(?:\.git)?(?:\/[^\s<>"'`]*)?/gi;
+const _ADO_DEV_REPO_URL_RE = /\bhttps?:\/\/dev\.azure\.com\/[^/\s<>"'`]+\/[^/\s<>"'`]+\/_git\/[^/\s<>"'`)]+(?:\/[^\s<>"'`]*)?/gi;
+const _ADO_VISUALSTUDIO_REPO_URL_RE = /\bhttps?:\/\/[^/\s<>"'`]+\.visualstudio\.com\/(?:DefaultCollection\/)?[^/\s<>"'`]+\/_git\/[^/\s<>"'`)]+(?:\/[^\s<>"'`]*)?/gi;
+const _ADO_SSH_REPO_URL_RE = /\b(?:ssh:\/\/)?git@ssh\.dev\.azure\.com[:/]v3\/[^/\s<>"'`]+\/[^/\s<>"'`]+\/[^/\s<>"'`)]+/gi;
+const _TOKEN_URL_PARAM_RE = /[?&](?:access[_-]?token|auth[_-]?token|token|api[_-]?key|sig|signature|pat)=/i;
+const _URL_CREDENTIALS_RE = /^[a-z][a-z0-9+.-]*:\/\/[^/\s@]+@/i;
 
-function _redactString(s) {
-  if (typeof s !== 'string' || s.length === 0) return s;
+function _escapeRegExp(s) {
+  return String(s).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
+function _redactedWithTrailingPunctuation(raw, replacement) {
+  const match = String(raw).match(/^(.+?)([.,;:!?)]*)$/);
+  return replacement + (match ? match[2] : '');
+}
+
+function _redactUrlMatch(raw, replacement) {
+  return _redactedWithTrailingPunctuation(raw, replacement);
+}
+
+function _redactTokenBearingUrls(s) {
+  return s.replace(_URL_RE, url => (
+    _TOKEN_URL_PARAM_RE.test(url) || _URL_CREDENTIALS_RE.test(url)
+      ? _redactUrlMatch(url, '[REDACTED_URL]')
+      : url
+  ));
+}
+
+function _redactRepositoryUrls(s) {
   return s
+    .replace(_GITHUB_REPO_URL_RE, url => _redactUrlMatch(url, '[REDACTED_REPO_URL]'))
+    .replace(_ADO_DEV_REPO_URL_RE, url => _redactUrlMatch(url, '[REDACTED_REPO_URL]'))
+    .replace(_ADO_VISUALSTUDIO_REPO_URL_RE, url => _redactUrlMatch(url, '[REDACTED_REPO_URL]'))
+    .replace(_ADO_SSH_REPO_URL_RE, url => _redactUrlMatch(url, '[REDACTED_REPO_URL]'));
+}
+
+function _redactConfiguredRepositoryIdentifiers(s, options) {
+  const entries = Array.isArray(options?.repositoryIdentifiers) ? options.repositoryIdentifiers : [];
+  let out = s;
+  for (const entry of entries) {
+    const value = typeof entry === 'string' ? entry : entry?.value;
+    const replacement = typeof entry === 'string' ? '[REDACTED_REPO]' : (entry?.replacement || '[REDACTED_REPO]');
+    if (typeof value !== 'string' || value.length < 4) continue;
+    out = out.replace(new RegExp(_escapeRegExp(value), 'gi'), replacement);
+  }
+  return out;
+}
+
+function _redactString(s, options = {}) {
+  if (typeof s !== 'string' || s.length === 0) return s;
+  const repoRedacted = options.redactRepositoryUrls ? _redactRepositoryUrls(s) : s;
+  return _redactTokenBearingUrls(_redactConfiguredRepositoryIdentifiers(repoRedacted, options))
     .replace(_AZUREAUTH_RE, '"token":"[REDACTED_AZUREAUTH]"')
     .replace(_BEARER_RE, 'Bearer [REDACTED]')
     .replace(_JWT_RE, '[REDACTED_JWT]');
 }
 
-function redactSecrets(value) {
+function redactSecrets(value, options = {}) {
   if (value == null) return value;
-  if (typeof value === 'string') return _redactString(value);
-  if (Array.isArray(value)) return value.map(redactSecrets);
+  if (typeof value === 'string') return _redactString(value, options);
+  if (Array.isArray(value)) return value.map(v => redactSecrets(v, options));
   if (typeof value === 'object') {
     const out = {};
-    for (const k of Object.keys(value)) out[k] = redactSecrets(value[k]);
+    for (const k of Object.keys(value)) out[k] = redactSecrets(value[k], options);
     return out;
   }
   return value;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@yemi33/minions",
-  "version": "0.1.1727",
+  "version": "0.1.1728",
   "description": "Multi-agent AI dev team that runs from ~/.minions/ — five autonomous agents share a single engine, dashboard, and knowledge base",
   "bin": {
     "minions": "bin/minions.js"