npm - logshield-cli - Versions diffs - 0.3.1 → 0.3.2 - Mend

logshield-cli 0.3.1 → 0.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -1,9 +1,9 @@
----
-# LogShield
+# ?? LogShield
+LogShield is a CLI tool to **redact real sensitive data from logs** before sharing them with others, AI tools, CI systems, or public channels.
-LogShield is a CLI tool to **redact sensitive data from logs** before sharing them with others, AI tools, or public channels.
+It is designed to be **deterministic**, **safe by default**, and free of runtime dependencies.
-Designed to be safe by default, deterministic, and free of runtime dependencies.
 ---
 ## Install
@@ -22,41 +22,55 @@ Scan a log file:
 logshield scan app.log
 ```
-Scan from stdin:
+Scan from stdin (auto-detected):
 ```bash
 cat app.log | logshield scan
 ```
-Strict mode (more aggressive):
+Explicit stdin mode:
+```bash
+cat app.log | logshield scan --stdin
+```
+Strict mode (more aggressive redaction):
 ```bash
 logshield scan app.log --strict
 ```
-JSON output:
+JSON output (machine-readable):
 ```bash
 logshield scan app.log --json
 ```
-Summary only (printed to stderr):
+Print summary to stderr:
 ```bash
 logshield scan app.log --summary
 ```
+Fail CI if any secret is detected:
+```bash
+logshield scan app.log --strict --fail-on-detect
+```
 ---
 ## What Gets Redacted
-- API keys
-- Passwords
+- Passwords (`password=...`, DB URLs)
+- API keys (query params, headers)
 - JWT tokens
-- `Bearer <TOKEN>` (always redacted)
-- Stripe keys
-- Cloud credentials (AWS, etc.)
-- Credit cards (Luhn-validated)
+- `Authorization: Bearer <TOKEN>`
+- Stripe secret keys
+- Cloud credentials (AWS access & secret keys)
+- OAuth access & refresh tokens
+- Credit cards (Luhn-validated, strict mode)
+- URLs (sanitized to avoid leaking endpoints)
 ---
@@ -65,24 +79,29 @@ logshield scan app.log --summary
 ### Default (recommended)
 - Conservative
-- Low false positives
-- Safe for sharing logs publicly
+- Very low false positives
+- Preserves debugging context
 ### Strict
-- Aggressive
 - Security-first
-- May redact more than necessary
+- Redacts more aggressively
+- Suitable for CI, support bundles, and AI sharing
 ---
 ## Design Guarantees
-- Deterministic output
+These guarantees are **locked for v0.3.x**:
+- Deterministic output (same input ? same output)
 - Zero runtime dependencies
-- Snapshot-tested & contract-tested
 - No network calls
-- No telemetry
+- No telemetry or tracking
+- Snapshot-tested & contract-tested
+- Fixed rule order (token ? credential ? cloud ? CC ? URL ? custom)
+When in doubt, LogShield prefers **not** to redact.
 ---
@@ -94,8 +113,18 @@ cat server.log | logshield scan --strict --summary
 ---
-## License
+## Non-goals
-ISC
+LogShield is **not**:
+- A DLP system
+- A runtime security monitor
+- A replacement for secret rotation
+It is a **last-line safety net**, not a primary defense.
 ---
+## License
+ISC

package/dist/cli/index.cjs CHANGED Viewed

@@ -380,17 +380,19 @@ var { printSummary: printSummary2 } = (init_summary(), __toCommonJS(summary_expo
 var { sanitizeLog: sanitizeLog2 } = (init_sanitizeLog(), __toCommonJS(sanitizeLog_exports));
 var rawArgs = process.argv.slice(2);
 function getVersion() {
-  return true ? "0.3.0" : "unknown";
+  return true ? "0.3.2" : "unknown";
 }
 function printHelp() {
   process.stdout.write(`Usage: logshield scan [file]
 Options:
-  --strict     Aggressive redaction
-  --json       JSON output
-  --summary    Print summary
-  --version    Print version
-  --help       Show help
+  --strict            Aggressive redaction
+  --stdin             Read input from STDIN explicitly
+  --fail-on-detect    Exit with code 1 if any redaction occurs
+  --json              JSON output
+  --summary           Print summary
+  --version           Print version
+  --help              Show help
 `);
 }
 function parseArgs(args) {
@@ -424,13 +426,22 @@ async function main() {
   const strict = flags.has("--strict");
   const json = flags.has("--json");
   const summary = flags.has("--summary");
+  const stdin = flags.has("--stdin");
+  const failOnDetect = flags.has("--fail-on-detect");
+  if (stdin && file) {
+    process.stderr.write("Cannot use --stdin with file argument\n");
+    process.exit(1);
+  }
   try {
-    const input = await readInput2(file);
+    const input = await readInput2(stdin ? void 0 : file);
     const result = sanitizeLog2(input, { strict });
     writeOutput2(result, { json });
     if (summary) {
       printSummary2(result.matches);
     }
+    if (failOnDetect && result.matches.length > 0) {
+      process.exit(1);
+    }
     process.exit(0);
   } catch (err) {
     process.stderr.write(err?.message || "Unexpected error");

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "logshield-cli",
-  "version": "0.3.1",
+  "version": "0.3.2",
   "type": "commonjs",
   "bin": {
     "logshield": "dist/cli/index.cjs"