logshield-cli 0.1.0

package/README.md

@@ -0,0 +1,119 @@
+# LogShield
+
+**Safe log sanitization for developers.**
+
+LogShield is a lightweight, developer-focused utility to automatically redact secrets, tokens, credentials, and sensitive data from logs before they are stored, shared, or shipped.
+
+It is designed to be:
+- **Deterministic** – predictable behavior, no AI, no guesswork
+- **Safe by default** – minimal false positives in default mode
+- **Strict when needed** – aggressive redaction via `strict` mode
+- **Composable** – rule-based engine, easy to extend
+
+---
+
+## Why LogShield?
+
+Logs are copied everywhere: CI output, bug reports, Slack, tickets, LLM prompts.
+
+One leaked key is enough to:
+- Compromise production systems
+- Invalidate compliance (GDPR, SOC2)
+- Burn trust instantly
+
+LogShield exists to solve one problem extremely well:
+
+> **Make logs safe to share.**
+
+---
+
+## Features
+
+- Redacts common secrets:
+  - API keys
+  - Passwords
+  - JWT tokens
+  - Bearer tokens
+  - Stripe keys
+  - Cloud credentials (AWS, etc.)
+  - Credit cards (Luhn-validated)
+- Two modes:
+  - **Default**: conservative, low false positives
+  - **Strict**: aggressive, security-first
+- Snapshot-tested, contract-tested
+- Zero runtime dependencies
+
+---
+
+## Installation
+
+```bash
+npm install logshield
+```
+
+---
+
+## Usage
+
+### Basic
+
+```ts
+import { sanitizeLog } from "logshield";
+
+const result = sanitizeLog("password=supersecret");
+console.log(result.output);
+// password=<REDACTED_PASSWORD>
+```
+
+### Strict mode
+
+```ts
+sanitizeLog(input, { strict: true });
+```
+
+---
+
+## API
+
+### `sanitizeLog(input: string, options?)`
+
+Returns:
+
+```ts
+{
+  output: string;
+  matches: {
+    rule: string;
+    match: string;
+  }[];
+}
+```
+
+- `output` – sanitized log string
+- `matches` – what was redacted and why (for auditing/debugging)
+
+---
+
+## Design Principles
+
+- **No heuristics** – explicit rules only
+- **No mutation magic** – transparent replacements
+- **Locked behavior** – breaking changes require intent
+
+This is a boring utility by design.
+
+---
+
+## Roadmap
+
+- CLI (`logshield scan file.log`)
+- GitHub Action
+- Pre-commit hook
+- Pro ruleset (enterprise patterns)
+
+---
+
+## License
+
+MIT
+

package/dist/cli/cli/index.cjs

@@ -0,0 +1,54 @@
+#!/usr/bin/env node
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const readInput_1 = require("./readInput");
+const writeOutput_1 = require("./writeOutput");
+const summary_1 = require("./summary");
+const sanitizeLog_1 = require("../engine/sanitizeLog");
+const args = process.argv.slice(2);
+function hasFlag(flag) {
+    return args.includes(flag);
+}
+function getFileArg() {
+    return args.find((a) => !a.startsWith("--"));
+}
+async function main() {
+    if (hasFlag("--help")) {
+        console.log(`Usage: logshield scan [file]
+
+Options:
+  --strict
+  --json
+  --summary
+  --version
+  --help
+`);
+        process.exit(0);
+    }
+    if (hasFlag("--version")) {
+        console.log("logshield v0.1.0");
+        process.exit(0);
+    }
+    const command = args[0];
+    if (command !== "scan") {
+        console.error("Unknown command");
+        process.exit(1);
+    }
+    const strict = hasFlag("--strict");
+    const json = hasFlag("--json");
+    const summary = hasFlag("--summary");
+    const file = getFileArg();
+    try {
+        const input = await (0, readInput_1.readInput)(file);
+        const result = (0, sanitizeLog_1.sanitizeLog)(input, { strict });
+        (0, writeOutput_1.writeOutput)(result, { json });
+        if (summary) {
+            (0, summary_1.printSummary)(result.matches);
+        }
+    }
+    catch (err) {
+        console.error(err.message || "Unexpected error");
+        process.exit(2);
+    }
+}
+main();

package/dist/cli/cli/index.js

@@ -0,0 +1,57 @@
+#!/usr/bin/env node
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const readInput_1 = require("./readInput");
+const writeOutput_1 = require("./writeOutput");
+const summary_1 = require("./summary");
+const sanitizeLog_1 = require("../engine/sanitizeLog");
+const args = process.argv.slice(2);
+function hasFlag(flag) {
+    return args.includes(flag);
+}
+function getFileArg() {
+    const file = args[1];
+    if (!file || file.startsWith("--"))
+        return undefined;
+    return file;
+}
+async function main() {
+    if (hasFlag("--help")) {
+        console.log(`Usage: logshield scan [file]
+
+Options:
+  --strict
+  --json
+  --summary
+  --version
+  --help
+`);
+        process.exit(0);
+    }
+    if (hasFlag("--version")) {
+        console.log("logshield v0.1.0");
+        process.exit(0);
+    }
+    const command = args[0];
+    if (command !== "scan") {
+        console.error("Unknown command");
+        process.exit(1);
+    }
+    const strict = hasFlag("--strict");
+    const json = hasFlag("--json");
+    const summary = hasFlag("--summary");
+    const file = getFileArg();
+    try {
+        const input = await (0, readInput_1.readInput)(file);
+        const result = (0, sanitizeLog_1.sanitizeLog)(input, { strict });
+        (0, writeOutput_1.writeOutput)(result, { json });
+        if (summary) {
+            (0, summary_1.printSummary)(result.matches);
+        }
+    }
+    catch (err) {
+        console.error(err.message || "Unexpected error");
+        process.exit(2);
+    }
+}
+main();

package/dist/cli/cli/readInput.js

@@ -0,0 +1,27 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.readInput = readInput;
+const node_fs_1 = __importDefault(require("node:fs"));
+async function readInput(file) {
+    if (file) {
+        if (!node_fs_1.default.existsSync(file)) {
+            throw new Error(`File not found: ${file}`);
+        }
+        return node_fs_1.default.readFileSync(file, "utf8");
+    }
+    if (!process.stdin.isTTY) {
+        return new Promise((resolve, reject) => {
+            let data = "";
+            process.stdin.setEncoding("utf8");
+            process.stdin.on("data", chunk => {
+                data += chunk;
+            });
+            process.stdin.on("end", () => resolve(data));
+            process.stdin.on("error", reject);
+        });
+    }
+    throw new Error("No input provided");
+}

package/dist/cli/cli/summary.js

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.printSummary = printSummary;
+function printSummary(matches) {
+    const counter = {};
+    for (const m of matches) {
+        counter[m.rule] = (counter[m.rule] || 0) + 1;
+    }
+    process.stderr.write("LogShield Summary\n");
+    for (const [rule, count] of Object.entries(counter)) {
+        process.stderr.write(`${rule}: ${count}\n`);
+    }
+}

package/dist/cli/cli/writeOutput.js

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.writeOutput = writeOutput;
+function writeOutput(result, opts) {
+    if (opts.json) {
+        process.stdout.write(JSON.stringify(result));
+    }
+    else {
+        process.stdout.write(result.output);
+    }
+}

package/dist/cli/engine/applyRules.js

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.applyRules = applyRules;
+function applyRules(input, rules, ctx, matches) {
+    let output = input;
+    for (const rule of rules) {
+        output = output.replace(rule.pattern, (...args) => {
+            const match = args[0];
+            const groups = args.slice(1, -2);
+            const replaced = rule.replace(match, ctx, groups);
+            if (replaced !== match) {
+                matches.push({
+                    rule: rule.name,
+                    value: match,
+                });
+            }
+            return replaced;
+        });
+    }
+    return output;
+}

package/dist/cli/engine/guard.js

@@ -0,0 +1,12 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.guardInput = guardInput;
+const MAX_SIZE = 200 * 1024; // 200KB
+function guardInput(input) {
+    if (!input)
+        return "";
+    if (input.length > MAX_SIZE) {
+        throw new Error("Log size exceeds 200KB limit");
+    }
+    return input;
+}

package/dist/cli/engine/sanitizeLog.js

@@ -0,0 +1,18 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sanitizeLog = sanitizeLog;
+const applyRules_1 = require("./applyRules");
+const guard_1 = require("./guard");
+const rules_1 = require("../rules");
+function sanitizeLog(input, options) {
+    (0, guard_1.guardInput)(input);
+    if (!input) {
+        return { output: "", matches: [] };
+    }
+    const ctx = {
+        strict: Boolean(options?.strict),
+    };
+    const matches = [];
+    const output = (0, applyRules_1.applyRules)(input, rules_1.allRules, ctx, matches);
+    return { output, matches };
+}

package/dist/cli/index.js

@@ -0,0 +1,52 @@
+#!/usr/bin/env node
+import { readInput } from "./readInput";
+import { writeOutput } from "./writeOutput";
+import { printSummary } from "./summary";
+import { sanitizeLog } from "../engine/sanitizeLog";
+const args = process.argv.slice(2);
+function hasFlag(flag) {
+    return args.includes(flag);
+}
+function getFileArg() {
+    return args.find((a) => !a.startsWith("--"));
+}
+async function main() {
+    if (hasFlag("--help")) {
+        console.log(`Usage: logshield scan [file]
+
+Options:
+  --strict
+  --json
+  --summary
+  --version
+  --help
+`);
+        process.exit(0);
+    }
+    if (hasFlag("--version")) {
+        console.log("logshield v0.1.0");
+        process.exit(0);
+    }
+    const command = args[0];
+    if (command !== "scan") {
+        console.error("Unknown command");
+        process.exit(1);
+    }
+    const strict = hasFlag("--strict");
+    const json = hasFlag("--json");
+    const summary = hasFlag("--summary");
+    const file = getFileArg();
+    try {
+        const input = await readInput(file);
+        const result = sanitizeLog(input, { strict });
+        writeOutput(result, { json });
+        if (summary) {
+            printSummary(result.matches);
+        }
+    }
+    catch (err) {
+        console.error(err.message || "Unexpected error");
+        process.exit(2);
+    }
+}
+main();

package/dist/cli/package.json

@@ -0,0 +1,3 @@
+{
+  "type": "commonjs"
+}

package/dist/cli/readInput.js

@@ -0,0 +1,15 @@
+import fs from "fs";
+export function readInput(file) {
+    if (file) {
+        if (!fs.existsSync(file)) {
+            throw new Error(`File not found: ${file}`);
+        }
+        return Promise.resolve(fs.readFileSync(file, "utf8"));
+    }
+    return new Promise((resolve) => {
+        let data = "";
+        process.stdin.setEncoding("utf8");
+        process.stdin.on("data", (chunk) => (data += chunk));
+        process.stdin.on("end", () => resolve(data));
+    });
+}

package/dist/cli/rules/cloud.js

@@ -0,0 +1,15 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.cloudRules = void 0;
+exports.cloudRules = [
+    {
+        name: "AWS_ACCESS_KEY",
+        pattern: /\bAKIA[0-9A-Z]{16,20}\b/g,
+        replace: (match, { strict }) => strict ? "<REDACTED_AWS_KEY>" : match,
+    },
+    {
+        name: "STRIPE_SECRET_KEY",
+        pattern: /\b(?:LS_STRIPE_(?:TEST|LIVE)_KEY_[A-Z0-9_]{10,}|sk_(?:test|live)_[A-Za-z0-9]{16,})\b/g,
+        replace: (match, ctx) => ctx.strict ? "<REDACTED_STRIPE_KEY>" : match,
+    },
+];

package/dist/cli/rules/credentials.js

@@ -0,0 +1,15 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.credentialRules = void 0;
+exports.credentialRules = [
+    {
+        name: "PASSWORD",
+        pattern: /\bpassword=([^\s]+)/gi,
+        replace: (_match, _value, _ctx) => "password=<REDACTED_PASSWORD>",
+    },
+    {
+        name: "API_KEY",
+        pattern: /\bapiKey=([A-Za-z0-9_\-]{16,})\b/g,
+        replace: () => "<REDACTED_API_KEY>",
+    },
+];

package/dist/cli/rules/creditCard.js

@@ -0,0 +1,15 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.creditCardRules = void 0;
+const luhn_1 = require("../utils/luhn");
+exports.creditCardRules = [
+    {
+        name: "CREDIT_CARD",
+        pattern: /\b(?:\d[ -]*?){13,19}\b/g,
+        replace: (match, { strict }) => {
+            if (!strict)
+                return match;
+            return (0, luhn_1.isValidLuhn)(match) ? "<REDACTED_CC>" : match;
+        },
+    },
+];

package/dist/cli/rules/custom.js

@@ -0,0 +1,15 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.customRules = void 0;
+exports.customRules = [
+    {
+        name: "GENERIC_SECRET_KV",
+        pattern: /"(\w+)":"([^"]{12,})"/g,
+        replace: (match, ctx, groups) => {
+            if (!ctx.strict)
+                return match;
+            const key = groups[0] ?? "token";
+            return `"${key}":"<REDACTED_SECRET>"`;
+        },
+    },
+];

package/dist/cli/rules/index.js

@@ -0,0 +1,38 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.allRules = void 0;
+const tokens_1 = require("./tokens");
+const credentials_1 = require("./credentials");
+const cloud_1 = require("./cloud");
+const creditCard_1 = require("./creditCard");
+const urls_1 = require("./urls");
+const custom_1 = require("./custom");
+function normalize(rules) {
+    return rules.map((rule) => {
+        if (typeof rule.replace === "function") {
+            return rule;
+        }
+        const value = rule.replace;
+        return {
+            ...rule,
+            replace: () => value,
+        };
+    });
+}
+/**
+ * ORDER IS CONTRACT:
+ * 1. tokenRules   ? JWT first
+ * 2. credential   ? password, api key
+ * 3. cloud
+ * 4. credit card
+ * 5. urls
+ * 6. custom
+ */
+exports.allRules = normalize([
+    ...tokens_1.tokenRules,
+    ...credentials_1.credentialRules,
+    ...cloud_1.cloudRules,
+    ...creditCard_1.creditCardRules,
+    ...urls_1.urlRules,
+    ...custom_1.customRules,
+]);

package/dist/cli/rules/tokens.js

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.tokenRules = void 0;
+exports.tokenRules = [
+    {
+        name: "JWT",
+        pattern: /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/g,
+        replace: () => "<REDACTED_JWT>",
+    },
+    {
+        name: "AUTH_BEARER",
+        pattern: /\bBearer\s+[A-Za-z0-9._-]+\b/g,
+        replace: () => "Bearer <REDACTED_TOKEN>",
+    },
+    {
+        name: "EMAIL",
+        pattern: /\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b/gi,
+        replace: () => "<REDACTED_EMAIL>",
+    },
+];

package/dist/cli/rules/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/cli/rules/urls.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.urlRules = void 0;
+exports.urlRules = [
+    {
+        name: "URL",
+        pattern: /\bhttps?:\/\/[^\s/$.?#].[^\s]*\b/gi,
+        replace: () => "<REDACTED_URL>",
+    },
+];

package/dist/cli/summary.js

@@ -0,0 +1,10 @@
+export function printSummary(matches) {
+    const counter = {};
+    for (const m of matches) {
+        counter[m.rule] = (counter[m.rule] || 0) + 1;
+    }
+    process.stderr.write("LogShield Summary\n");
+    for (const [rule, count] of Object.entries(counter)) {
+        process.stderr.write(`${rule}: ${count}\n`);
+    }
+}

package/dist/cli/utils/luhn.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isValidLuhn = isValidLuhn;
+function isValidLuhn(input) {
+    const digits = input.replace(/\D/g, "");
+    let sum = 0;
+    let alt = false;
+    for (let i = digits.length - 1; i >= 0; i--) {
+        let n = parseInt(digits[i], 10);
+        if (alt) {
+            n *= 2;
+            if (n > 9)
+                n -= 9;
+        }
+        sum += n;
+        alt = !alt;
+    }
+    return sum % 10 === 0;
+}

package/dist/cli/writeOutput.js

@@ -0,0 +1,8 @@
+export function writeOutput(result, opts) {
+    if (opts.json) {
+        process.stdout.write(JSON.stringify(result));
+    }
+    else {
+        process.stdout.write(result.output);
+    }
+}

package/dist/engine/applyRules.js

@@ -0,0 +1,27 @@
+export function applyRules(input, rules, ctx, matches) {
+    let output = input;
+    for (const rule of rules) {
+        output = output.replace(rule.pattern, (...args) => {
+            const match = args[0];
+            const groups = args.slice(1, -2);
+            let replaced;
+            if (rule.replace.length === 1) {
+                replaced = rule.replace(match);
+            }
+            else if (rule.replace.length === 2) {
+                replaced = rule.replace(match, ctx);
+            }
+            else {
+                replaced = rule.replace(match, groups[0], ctx);
+            }
+            if (replaced !== match) {
+                matches.push({
+                    rule: rule.name,
+                    value: match,
+                });
+            }
+            return replaced;
+        });
+    }
+    return output;
+}

package/dist/engine/engine/applyRules.d.ts

@@ -0,0 +1,5 @@
+import type { Rule, RuleContext } from "../rules/types";
+export declare function applyRules(input: string, rules: Rule[], ctx: RuleContext, matches: {
+    rule: string;
+    value: string;
+}[]): string;

package/dist/engine/engine/applyRules.js

@@ -0,0 +1,30 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.applyRules = applyRules;
+function applyRules(input, rules, ctx, matches) {
+    let output = input;
+    for (const rule of rules) {
+        output = output.replace(rule.pattern, (...args) => {
+            const match = args[0];
+            const groups = args.slice(1, -2);
+            let replaced;
+            if (rule.replace.length === 1) {
+                replaced = rule.replace(match);
+            }
+            else if (rule.replace.length === 2) {
+                replaced = rule.replace(match, ctx);
+            }
+            else {
+                replaced = rule.replace(match, groups[0], ctx);
+            }
+            if (replaced !== match) {
+                matches.push({
+                    rule: rule.name,
+                    value: match,
+                });
+            }
+            return replaced;
+        });
+    }
+    return output;
+}

package/dist/engine/engine/guard.d.ts

@@ -0,0 +1 @@
+export declare function guardInput(input: string): string;

package/dist/engine/engine/guard.js

@@ -0,0 +1,12 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.guardInput = guardInput;
+const MAX_SIZE = 200 * 1024; // 200KB
+function guardInput(input) {
+    if (!input)
+        return "";
+    if (input.length > MAX_SIZE) {
+        throw new Error("Log size exceeds 200KB limit");
+    }
+    return input;
+}

package/dist/engine/engine/sanitizeLog.d.ts

@@ -0,0 +1,11 @@
+export type SanitizeMatch = {
+    rule: string;
+    index: number;
+    length: number;
+};
+export declare function sanitizeLog(input: string, options?: {
+    strict?: boolean;
+}): {
+    output: string;
+    matches: SanitizeMatch[];
+};

package/dist/engine/engine/sanitizeLog.js

@@ -0,0 +1,18 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sanitizeLog = sanitizeLog;
+const applyRules_1 = require("./applyRules");
+const guard_1 = require("./guard");
+const rules_1 = require("../rules");
+function sanitizeLog(input, options) {
+    (0, guard_1.guardInput)(input);
+    if (!input) {
+        return { output: "", matches: [] };
+    }
+    const ctx = {
+        strict: Boolean(options?.strict),
+    };
+    const matches = [];
+    const output = (0, applyRules_1.applyRules)(input, rules_1.allRules, ctx, matches);
+    return { output, matches };
+}

package/dist/engine/guard.js

@@ -0,0 +1,9 @@
+const MAX_SIZE = 200 * 1024; // 200KB
+export function guardInput(input) {
+    if (!input)
+        return "";
+    if (input.length > MAX_SIZE) {
+        throw new Error("Log size exceeds 200KB limit");
+    }
+    return input;
+}

package/dist/engine/rules/cloud.d.ts

@@ -0,0 +1,2 @@
+import type { Rule } from "./types";
+export declare const cloudRules: Rule[];

package/dist/engine/rules/cloud.js

@@ -0,0 +1,15 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.cloudRules = void 0;
+exports.cloudRules = [
+    {
+        name: "AWS_ACCESS_KEY",
+        pattern: /\bAKIA[0-9A-Z]{16,20}\b/g,
+        replace: (match, { strict }) => strict ? "<REDACTED_AWS_KEY>" : match,
+    },
+    {
+        name: "STRIPE_SECRET_KEY",
+        pattern: /\b(?:LS_STRIPE_(?:TEST|LIVE)_KEY_[A-Z0-9_]{10,}|sk_(?:test|live)_[A-Za-z0-9]{16,})\b/g,
+        replace: (match, ctx) => ctx.strict ? "<REDACTED_STRIPE_KEY>" : match,
+    },
+];

package/dist/engine/rules/credentials.d.ts

@@ -0,0 +1,2 @@
+import type { Rule } from "./types";
+export declare const credentialRules: Rule[];

package/dist/engine/rules/credentials.js

@@ -0,0 +1,15 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.credentialRules = void 0;
+exports.credentialRules = [
+    {
+        name: "PASSWORD",
+        pattern: /\bpassword=([^\s]+)/gi,
+        replace: (_match, _value, _ctx) => "password=<REDACTED_PASSWORD>",
+    },
+    {
+        name: "API_KEY",
+        pattern: /\bapiKey=([A-Za-z0-9_\-]{16,})\b/g,
+        replace: () => "<REDACTED_API_KEY>",
+    },
+];

package/dist/engine/rules/creditCard.d.ts

@@ -0,0 +1,2 @@
+import type { Rule } from "./types";
+export declare const creditCardRules: Rule[];

package/dist/engine/rules/creditCard.js

@@ -0,0 +1,15 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.creditCardRules = void 0;
+const luhn_1 = require("../utils/luhn");
+exports.creditCardRules = [
+    {
+        name: "CREDIT_CARD",
+        pattern: /\b(?:\d[ -]*?){13,19}\b/g,
+        replace: (match, { strict }) => {
+            if (!strict)
+                return match;
+            return (0, luhn_1.isValidLuhn)(match) ? "<REDACTED_CC>" : match;
+        },
+    },
+];

package/dist/engine/rules/custom.d.ts

@@ -0,0 +1,2 @@
+import type { Rule } from "./types";
+export declare const customRules: Rule[];

package/dist/engine/rules/custom.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.customRules = void 0;
+exports.customRules = [
+    {
+        name: "GENERIC_SECRET_KV",
+        pattern: /"(\w+)":"([^"]{12,})"/g,
+        replace: (match, value, ctx) => {
+            if (!ctx.strict)
+                return match;
+            return `"${value ? value : "token"}":"<REDACTED_SECRET>"`;
+        },
+    },
+];

package/dist/engine/rules/index.d.ts

@@ -0,0 +1,11 @@
+import type { Rule } from "./types";
+/**
+ * ORDER IS CONTRACT:
+ * 1. tokenRules   ? JWT first
+ * 2. credential   ? password, api key
+ * 3. cloud
+ * 4. credit card
+ * 5. urls
+ * 6. custom
+ */
+export declare const allRules: Rule[];

package/dist/engine/rules/index.js

@@ -0,0 +1,38 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.allRules = void 0;
+const tokens_1 = require("./tokens");
+const credentials_1 = require("./credentials");
+const cloud_1 = require("./cloud");
+const creditCard_1 = require("./creditCard");
+const urls_1 = require("./urls");
+const custom_1 = require("./custom");
+function normalize(rules) {
+    return rules.map((rule) => {
+        if (typeof rule.replace === "function") {
+            return rule;
+        }
+        const value = rule.replace;
+        return {
+            ...rule,
+            replace: () => value,
+        };
+    });
+}
+/**
+ * ORDER IS CONTRACT:
+ * 1. tokenRules   ? JWT first
+ * 2. credential   ? password, api key
+ * 3. cloud
+ * 4. credit card
+ * 5. urls
+ * 6. custom
+ */
+exports.allRules = normalize([
+    ...tokens_1.tokenRules,
+    ...credentials_1.credentialRules,
+    ...cloud_1.cloudRules,
+    ...creditCard_1.creditCardRules,
+    ...urls_1.urlRules,
+    ...custom_1.customRules,
+]);

package/dist/engine/rules/tokens.d.ts

@@ -0,0 +1,2 @@
+import type { Rule } from "./types";
+export declare const tokenRules: Rule[];

package/dist/engine/rules/tokens.js

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.tokenRules = void 0;
+exports.tokenRules = [
+    {
+        name: "JWT",
+        pattern: /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/g,
+        replace: "<REDACTED_JWT>",
+    },
+    {
+        name: "AUTH_BEARER",
+        pattern: /Bearer\s+[A-Za-z0-9._-]+/gi,
+        replace: "Bearer <REDACTED_TOKEN>",
+    },
+    {
+        name: "EMAIL",
+        pattern: /\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b/gi,
+        replace: "<REDACTED_EMAIL>",
+    },
+];

package/dist/engine/rules/types.d.ts

@@ -0,0 +1,9 @@
+export type RuleContext = {
+    strict: boolean;
+};
+export type RuleReplace = string | ((match: string, ctx: RuleContext, groups: string[]) => string);
+export type Rule = {
+    name: string;
+    pattern: RegExp;
+    replace: RuleReplace;
+};

package/dist/engine/rules/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/engine/rules/urls.d.ts

@@ -0,0 +1,2 @@
+import type { Rule } from "../types/rule";
+export declare const urlRules: Rule[];

package/dist/engine/rules/urls.js

@@ -0,0 +1,10 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.urlRules = void 0;
+exports.urlRules = [
+    {
+        name: "EMAIL",
+        pattern: /\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b/gi,
+        replace: () => "<REDACTED_EMAIL>",
+    },
+];

package/dist/engine/sanitizeLog.js

@@ -0,0 +1,15 @@
+import { applyRules } from "./applyRules";
+import { guardInput } from "./guard";
+import { allRules } from "../rules";
+export function sanitizeLog(input, options) {
+    guardInput(input);
+    if (!input) {
+        return { output: "", matches: [] };
+    }
+    const ctx = {
+        strict: Boolean(options?.strict),
+    };
+    const matches = [];
+    const output = applyRules(input, allRules, ctx, matches);
+    return { output, matches };
+}

package/dist/engine/utils/luhn.d.ts

@@ -0,0 +1 @@
+export declare function isValidLuhn(input: string): boolean;

package/dist/engine/utils/luhn.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isValidLuhn = isValidLuhn;
+function isValidLuhn(input) {
+    const digits = input.replace(/\D/g, "");
+    let sum = 0;
+    let alt = false;
+    for (let i = digits.length - 1; i >= 0; i--) {
+        let n = parseInt(digits[i], 10);
+        if (alt) {
+            n *= 2;
+            if (n > 9)
+                n -= 9;
+        }
+        sum += n;
+        alt = !alt;
+    }
+    return sum % 10 === 0;
+}

package/dist/rules/cloud.js

@@ -0,0 +1,12 @@
+export const cloudRules = [
+    {
+        name: "AWS_ACCESS_KEY",
+        pattern: /\bAKIA[0-9A-Z]{16,20}\b/g,
+        replace: (match, { strict }) => strict ? "<REDACTED_AWS_KEY>" : match,
+    },
+    {
+        name: "STRIPE_SECRET_KEY",
+        pattern: /\b(?:LS_STRIPE_(?:TEST|LIVE)_KEY_[A-Z0-9_]{10,}|sk_(?:test|live)_[A-Za-z0-9]{16,})\b/g,
+        replace: (match, ctx) => ctx.strict ? "<REDACTED_STRIPE_KEY>" : match,
+    },
+];

package/dist/rules/credentials.js

@@ -0,0 +1,12 @@
+export const credentialRules = [
+    {
+        name: "PASSWORD",
+        pattern: /\bpassword=([^\s]+)/gi,
+        replace: (_match, _value, _ctx) => "password=<REDACTED_PASSWORD>",
+    },
+    {
+        name: "API_KEY",
+        pattern: /\bapiKey=([A-Za-z0-9_\-]{16,})\b/g,
+        replace: () => "<REDACTED_API_KEY>",
+    },
+];

package/dist/rules/creditCard.js

@@ -0,0 +1,12 @@
+import { isValidLuhn } from "../utils/luhn";
+export const creditCardRules = [
+    {
+        name: "CREDIT_CARD",
+        pattern: /\b(?:\d[ -]*?){13,19}\b/g,
+        replace: (match, { strict }) => {
+            if (!strict)
+                return match;
+            return isValidLuhn(match) ? "<REDACTED_CC>" : match;
+        },
+    },
+];

package/dist/rules/custom.js

@@ -0,0 +1,11 @@
+export const customRules = [
+    {
+        name: "GENERIC_SECRET_KV",
+        pattern: /"(\w+)":"([^"]{12,})"/g,
+        replace: (match, value, ctx) => {
+            if (!ctx.strict)
+                return match;
+            return `"${value ? value : "token"}":"<REDACTED_SECRET>"`;
+        },
+    },
+];

package/dist/rules/index.js

@@ -0,0 +1,35 @@
+import { tokenRules } from "./tokens";
+import { credentialRules } from "./credentials";
+import { cloudRules } from "./cloud";
+import { creditCardRules } from "./creditCard";
+import { urlRules } from "./urls";
+import { customRules } from "./custom";
+function normalize(rules) {
+    return rules.map((rule) => {
+        if (typeof rule.replace === "function") {
+            return rule;
+        }
+        const value = rule.replace;
+        return {
+            ...rule,
+            replace: () => value,
+        };
+    });
+}
+/**
+ * ORDER IS CONTRACT:
+ * 1. tokenRules   ? JWT first
+ * 2. credential   ? password, api key
+ * 3. cloud
+ * 4. credit card
+ * 5. urls
+ * 6. custom
+ */
+export const allRules = normalize([
+    ...tokenRules,
+    ...credentialRules,
+    ...cloudRules,
+    ...creditCardRules,
+    ...urlRules,
+    ...customRules,
+]);

package/dist/rules/tokens.js

@@ -0,0 +1,17 @@
+export const tokenRules = [
+    {
+        name: "JWT",
+        pattern: /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/g,
+        replace: "<REDACTED_JWT>",
+    },
+    {
+        name: "AUTH_BEARER",
+        pattern: /Bearer\s+[A-Za-z0-9._-]+/gi,
+        replace: "Bearer <REDACTED_TOKEN>",
+    },
+    {
+        name: "EMAIL",
+        pattern: /\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b/gi,
+        replace: "<REDACTED_EMAIL>",
+    },
+];

package/dist/rules/types.js

@@ -0,0 +1 @@
+export {};

package/dist/rules/urls.js

@@ -0,0 +1,7 @@
+export const urlRules = [
+    {
+        name: "EMAIL",
+        pattern: /\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b/gi,
+        replace: () => "<REDACTED_EMAIL>",
+    },
+];

package/package.json

@@ -0,0 +1,25 @@
+{
+  "name": "logshield-cli",
+  "version": "0.1.0",
+  "type": "module",
+  "bin": {
+    "logshield": "dist/cli/cli/index.js"
+  },
+  "files": [
+    "dist/cli",
+    "dist/engine",
+    "dist/rules",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "build": "vite build",
+    "test": "vitest"
+  },
+  "dependencies": {},
+  "devDependencies": {
+    "vite": "^5.4.0",
+    "vitest": "^4.0.15",
+    "terser": "^5.31.3"
+  }
+}