deepline 0.1.67 → 0.1.69

package/dist/repo/shared_libs/play-runtime/secret-redaction.ts

@@ -0,0 +1,90 @@
+export const SECRET_REDACTION_PLACEHOLDER = '[REDACTED_SECRET]';
+
+const BEARER_TOKEN_RE = /\bBearer\s+[A-Za-z0-9._~+/=-]{12,}\b/g;
+const JWT_RE =
+  /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b/g;
+const PRIVATE_KEY_RE =
+  /-----BEGIN [A-Z0-9 ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z0-9 ]*PRIVATE KEY-----/g;
+const COMMON_SECRET_RE =
+  /\b(?:sk|pk|rk|pat|ghp|github_pat|xox[baprs]|key|token|secret|api[_-]?key)[A-Za-z0-9_./+=:-]{12,}\b/gi;
+const HIGH_ENTROPY_ASSIGNMENT_RE =
+  /\b(?:api[_-]?key|token|secret|password|authorization|access[_-]?token|refresh[_-]?token)\b\s*[:=]\s*["']?[^"',\s]{16,}["']?/gi;
+
+function escapeRegExp(value: string): string {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
+function isRecord(value: unknown): value is Record<string, unknown> {
+  return Boolean(value) && typeof value === 'object' && !Array.isArray(value);
+}
+
+export function redactSecretLikeString(value: string): string {
+  return value
+    .replace(PRIVATE_KEY_RE, SECRET_REDACTION_PLACEHOLDER)
+    .replace(BEARER_TOKEN_RE, `Bearer ${SECRET_REDACTION_PLACEHOLDER}`)
+    .replace(JWT_RE, SECRET_REDACTION_PLACEHOLDER)
+    .replace(COMMON_SECRET_RE, SECRET_REDACTION_PLACEHOLDER)
+    .replace(HIGH_ENTROPY_ASSIGNMENT_RE, (match) => {
+      const separator = match.includes('=') ? '=' : ':';
+      const [key] = match.split(separator, 1);
+      return `${key.trim()}${separator}${SECRET_REDACTION_PLACEHOLDER}`;
+    });
+}
+
+export type SecretRedactionContext = {
+  register(value: string): void;
+  redactString(value: string): string;
+  redact<T>(value: T): T;
+};
+
+export function createSecretRedactionContext(
+  initialValues: readonly string[] = [],
+): SecretRedactionContext {
+  const exactSecrets = new Set<string>();
+
+  function register(value: string): void {
+    if (value.length >= 4) exactSecrets.add(value);
+  }
+
+  for (const value of initialValues) register(value);
+
+  function redactString(value: string): string {
+    let output = value;
+    for (const secret of exactSecrets) {
+      output = output.replace(
+        new RegExp(escapeRegExp(secret), 'g'),
+        SECRET_REDACTION_PLACEHOLDER,
+      );
+      try {
+        const encoded = encodeURIComponent(secret);
+        if (encoded !== secret) {
+          output = output.replace(
+            new RegExp(escapeRegExp(encoded), 'g'),
+            SECRET_REDACTION_PLACEHOLDER,
+          );
+        }
+      } catch {
+        // encodeURIComponent only fails on malformed surrogate pairs. Exact
+        // redaction above still applies in that rare case.
+      }
+    }
+    return redactSecretLikeString(output);
+  }
+
+  function redact<T>(value: T): T {
+    if (typeof value === 'string') return redactString(value) as T;
+    if (Array.isArray(value)) return value.map((entry) => redact(entry)) as T;
+    if (isRecord(value)) {
+      return Object.fromEntries(
+        Object.entries(value).map(([key, entry]) => [key, redact(entry)]),
+      ) as T;
+    }
+    return value;
+  }
+
+  return {
+    register,
+    redactString,
+    redact,
+  };
+}

package/dist/repo/shared_libs/plays/bundling/index.ts

@@ -25,6 +25,7 @@ import type {
   PlayRuntimeFeature,
 } from '../artifact-types';
 import { buildPlayContractCompatibility } from '../contracts';
+import { validatePlaySourceFilesHaveNoInlineSecrets } from '../secret-guardrails';
 
 const PLAY_BUNDLE_CACHE_VERSION = 24;
 const MAX_PLAY_BUNDLE_BYTES = 30 * 1024 * 1024;
@@ -1450,6 +1451,15 @@ export async function bundlePlayFile(
         `${analysis.graphHash}\nworkers-harness:${harnessFingerprint}`,
       );
     }
+    try {
+      validatePlaySourceFilesHaveNoInlineSecrets(analysis.sourceFiles);
+    } catch (error) {
+      return {
+        success: false,
+        filePath: absolutePath,
+        errors: [error instanceof Error ? error.message : String(error)],
+      };
+    }
     const typecheckErrors = [
       ...((await adapter.typecheckPlaySource?.({
         sourceCode: analysis.sourceCode,

package/dist/repo/shared_libs/plays/secret-guardrails.ts

@@ -0,0 +1,57 @@
+const SECRET_ENV_PATTERN =
+  /\bprocess(?:\.env|\[['"]env['"]\])(?:\.|\[['"])([A-Z0-9_]*(?:API[_-]?KEY|TOKEN|SECRET|PASSWORD|PRIVATE[_-]?KEY|ACCESS[_-]?KEY)[A-Z0-9_]*)(?:['"]\])?/g;
+const PRIVATE_KEY_PATTERN =
+  /-----BEGIN (?:RSA |EC |OPENSSH |PGP )?PRIVATE KEY-----/;
+const BEARER_LITERAL_PATTERN = /\bBearer\s+[A-Za-z0-9._~+/=-]{16,}/i;
+const ASSIGNMENT_SECRET_LITERAL_PATTERN =
+  /\b(?:api[_-]?key|token|secret|password)\b\s*[:=]\s*['"][^'"]{12,}['"]/i;
+const HIGH_ENTROPY_LITERAL_PATTERN =
+  /['"]([A-Za-z0-9+/=_-]{32,})['"]/g;
+
+function shannonEntropy(value: string): number {
+  const counts = new Map<string, number>();
+  for (const char of value) counts.set(char, (counts.get(char) ?? 0) + 1);
+  return [...counts.values()].reduce((entropy, count) => {
+    const p = count / value.length;
+    return entropy - p * Math.log2(p);
+  }, 0);
+}
+
+export function validatePlaySourceHasNoInlineSecrets(input: {
+  sourceCode: string;
+  filePath: string;
+}): void {
+  const findings: string[] = [];
+  for (const match of input.sourceCode.matchAll(SECRET_ENV_PATTERN)) {
+    findings.push(`process.env.${match[1]}`);
+  }
+  if (PRIVATE_KEY_PATTERN.test(input.sourceCode)) findings.push('private key block');
+  if (BEARER_LITERAL_PATTERN.test(input.sourceCode)) findings.push('bearer token literal');
+  if (ASSIGNMENT_SECRET_LITERAL_PATTERN.test(input.sourceCode)) {
+    findings.push('secret-looking assignment literal');
+  }
+  for (const match of input.sourceCode.matchAll(HIGH_ENTROPY_LITERAL_PATTERN)) {
+    const literal = match[1] ?? '';
+    if (literal.length >= 40 && shannonEntropy(literal) >= 4.2) {
+      findings.push('high-entropy string literal');
+      break;
+    }
+  }
+  if (!findings.length) return;
+  throw new Error(
+    [
+      `Play source ${input.filePath} appears to contain inline secret material: ${[
+        ...new Set(findings),
+      ].join(', ')}.`,
+      'Author secrets in the dashboard and use ctx.secrets.get("NAME") with an approved helper such as ctx.secrets.bearer(handle).',
+    ].join(' '),
+  );
+}
+
+export function validatePlaySourceFilesHaveNoInlineSecrets(
+  sourceFiles: Record<string, string>,
+): void {
+  for (const [filePath, sourceCode] of Object.entries(sourceFiles)) {
+    validatePlaySourceHasNoInlineSecrets({ filePath, sourceCode });
+  }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "deepline",
-  "version": "0.1.67",
+  "version": "0.1.69",
   "description": "Deepline SDK + CLI — B2B data enrichment powered by durable cloud execution",
   "license": "MIT",
   "repository": {