logshield-cli 0.3.2 → 0.3.4

package/LICENSE

@@ -0,0 +1,15 @@
+ISC License
+
+Copyright (c) 2025 Hendra Afria
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

package/README.md

@@ -1,12 +1,111 @@
-# ?? LogShield
+---
+
+# LogShield
+
+[![npm version](https://img.shields.io/npm/v/logshield-cli)](https://www.npmjs.com/package/logshield-cli)
+[![npm downloads](https://img.shields.io/npm/dm/logshield-cli)](https://www.npmjs.com/package/logshield-cli)
+[![CI](https://github.com/afria85/LogShield/actions/workflows/ci.yml/badge.svg)](https://github.com/afria85/LogShield/actions/workflows/ci.yml)
+
+Deterministic log sanitization for developers.
+
+LogShield is a CLI tool that scans logs and redacts **real secrets** (API keys, tokens, credentials) before logs are shared with others, AI tools, CI systems, or public channels.
+
+It is designed to be **predictable, conservative, and safe for production pipelines**.
+
+---
+
+## Website & Documentation
+
+The website and documentation live in the `/docs` directory.
+They are deployed to **[https://logshield.dev](https://logshield.dev)** via Vercel.
+
+---
+
+## Why LogShield exists
+
+Logs are frequently copied into:
+
+- CI/CD logs
+- Error reports
+- Issue trackers
+- Chat tools
+- AI assistants
+
+Once a secret appears there, it is already leaked.
+
+Most existing tools fail because they:
+
+- Redact too aggressively (false positives)
+- Behave differently across runs
+- Hide what was redacted and why
+
+LogShield intentionally avoids those failures.
+
+---
+
+## Core principles (non-negotiable)
+
+### 1. Deterministic output
+
+The same input always produces the same output.
+
+- No randomness
+- No environment-dependent behavior
+- Safe for CI, audits, and reproducibility
+
+---
+
+### 2. Zero false-positive fatality
+
+LogShield must **not** redact non-secrets.
+
+- IDs, hashes, order numbers, references must survive
+- Losing debugging context is worse than missing a secret
+
+When in doubt, LogShield prefers **not** to redact.
+
+---
 
-LogShield is a CLI tool to **redact real sensitive data from logs** before sharing them with others, AI tools, CI systems, or public channels.
+### 3. Explicit redaction markers
 
-It is designed to be **deterministic**, **safe by default**, and free of runtime dependencies.
+Every redaction is explicit and consistent.
+
+Examples:
+
+```
+<REDACTED_PASSWORD>
+<REDACTED_API_KEY_HEADER>
+<REDACTED_AUTH_BEARER>
+<REDACTED_EMAIL>
+```
+
+No generic `[REDACTED]` placeholders.
 
 ---
 
-## Install
+## What LogShield does
+
+- Scans plain-text logs
+- Applies a fixed, deterministic rule set
+- Replaces matched secrets with explicit markers
+
+It does **not** learn, guess, or infer intent.
+
+---
+
+## What LogShield deliberately does NOT do
+
+- No AI / LLM inference
+- No entropy or probabilistic guessing
+- No silent behavior changes
+- No telemetry
+- No network calls
+
+These are intentional design decisions.
+
+---
+
+## Installation
 
 ```bash
 npm install -g logshield-cli
@@ -14,102 +113,244 @@ npm install -g logshield-cli
 
 ---
 
-## Usage
+## CLI Usage
+
+```bash
+logshield scan [file]
+```
+
+If a file is not provided and input is piped, LogShield automatically reads from **STDIN**.
+
+---
+
+## CLI Flags
+
+- `--strict`
+  Aggressive, security-first redaction
+
+- `--stdin`
+  Explicitly force reading from STDIN
+
+- `--dry-run`
+  Detect sensitive data without modifying output
+
+- `--fail-on-detect`
+  Exit with code `1` if any redaction is detected (CI-friendly)
+
+- `--summary`
+  Print a compact redaction summary
+
+- `--json`
+  JSON output (cannot be combined with `--dry-run`)
+
+- `--version`
+  Print CLI version
+
+- `--help`
+  Show help
+
+---
+
+## Basic usage
 
-Scan a log file:
+### Scan a file
 
 ```bash
 logshield scan app.log
 ```
 
-Scan from stdin (auto-detected):
+### Scan from STDIN (recommended for CI)
 
 ```bash
 cat app.log | logshield scan
 ```
 
-Explicit stdin mode:
+`--stdin` is optional; piped input is auto-detected.
+
+---
+
+## Dry-run (REPORT MODE, CI-safe)
+
+Use `--dry-run` to **detect** sensitive data without modifying output.
 
 ```bash
-cat app.log | logshield scan --stdin
+cat app.log | logshield scan --dry-run
 ```
 
-Strict mode (more aggressive redaction):
+### Output
+
+```
+[DRY RUN] Detected redactions:
+  OAUTH_ACCESS_TOKEN   x1
+  AUTH_BEARER          x2
+  EMAIL                x1
+  PASSWORD             x1
+
+No output was modified.
+Use without --dry-run to apply.
+```
+
+### Properties
+
+- No log content is echoed
+- Deterministic and snapshot-friendly
+- Safe for CI pipelines
+
+---
+
+## Fail CI on detection
+
+Use `--fail-on-detect` to exit with code `1` when secrets are found.
 
 ```bash
-logshield scan app.log --strict
+cat app.log | logshield scan --dry-run --fail-on-detect
 ```
 
-JSON output (machine-readable):
+Typical CI pattern:
 
 ```bash
-logshield scan app.log --json
+logshield scan --dry-run --fail-on-detect < logs.txt
+```
+
+---
+
+## GitHub Actions (example)
+
+Minimal CI integration example:
+
+```yaml
+name: LogShield
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  logshield:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 18
+
+      - run: npm install -g logshield-cli
+
+      - name: Scan logs
+        run: |
+          cat logs.txt | logshield scan --dry-run --fail-on-detect
 ```
 
-Print summary to stderr:
+This will **fail the pipeline** if any secret is detected.
+
+---
+
+## Apply redaction
+
+To actually sanitize logs, run **without** `--dry-run`:
 
 ```bash
-logshield scan app.log --summary
+cat app.log | logshield scan > sanitized.log
 ```
 
-Fail CI if any secret is detected:
+---
+
+## Strict mode
+
+Enable more aggressive detection rules:
 
 ```bash
-logshield scan app.log --strict --fail-on-detect
+logshield scan --strict < logs.txt
 ```
 
 ---
 
-## What Gets Redacted
+## Summary output
+
+Print a compact rule-based summary:
 
-- Passwords (`password=...`, DB URLs)
-- API keys (query params, headers)
-- JWT tokens
-- `Authorization: Bearer <TOKEN>`
-- Stripe secret keys
-- Cloud credentials (AWS access & secret keys)
-- OAuth access & refresh tokens
-- Credit cards (Luhn-validated, strict mode)
-- URLs (sanitized to avoid leaking endpoints)
+```bash
+logshield scan --summary < logs.txt
+```
+
+Example:
+
+```
+LogShield Summary
+PASSWORD: 2
+API_KEY_HEADER: 1
+```
 
 ---
 
-## Modes
+## JSON output
 
-### Default (recommended)
+Structured output for tooling and automation:
 
-- Conservative
-- Very low false positives
-- Preserves debugging context
+```bash
+logshield scan --json < logs.txt
+```
 
-### Strict
+Notes:
 
-- Security-first
-- Redacts more aggressively
-- Suitable for CI, support bundles, and AI sharing
+- `--json` **cannot** be combined with `--dry-run`
+- Output schema is stable within v0.3.x
 
 ---
 
-## Design Guarantees
+## Exit codes
 
-These guarantees are **locked for v0.3.x**:
+| Code | Meaning                              |
+| ---: | ------------------------------------ |
+|    0 | Success / no detection               |
+|    1 | Detection found (`--fail-on-detect`) |
+|    2 | Runtime or input error               |
 
-- Deterministic output (same input ? same output)
-- Zero runtime dependencies
-- No network calls
-- No telemetry or tracking
-- Snapshot-tested & contract-tested
-- Fixed rule order (token ? credential ? cloud ? CC ? URL ? custom)
+---
 
-When in doubt, LogShield prefers **not** to redact.
+## What gets redacted
+
+Depending on rules and mode:
+
+- Passwords
+- API key headers
+- Authorization bearer tokens
+- JWTs
+- Emails
+- URLs with embedded credentials
+- Database credentials
+- Cloud provider credentials
+- Credit card numbers (Luhn-validated)
 
 ---
 
-## Example
+## Modes
 
-```bash
-cat server.log | logshield scan --strict --summary
-```
+### Default mode (recommended)
+
+- Conservative
+- Low false positives
+- Safe for sharing logs publicly
+
+### Strict mode
+
+- Aggressive
+- Security-first
+- May redact more than necessary
+
+---
+
+## Guarantees
+
+LogShield guarantees:
+
+- Deterministic output
+- Stable behavior within **v0.3.x**
+- No runtime dependencies
+- Snapshot-tested and contract-tested
+- No telemetry
+- No network access
 
 ---
 
@@ -119,12 +360,22 @@ LogShield is **not**:
 
 - A DLP system
 - A runtime security monitor
-- A replacement for secret rotation
+- A secret rotation solution
 
 It is a **last-line safety net**, not a primary defense.
 
 ---
 
+## Status
+
+- Engine behavior locked
+- Rule set evolving conservatively
+- Open and free by design
+
+---
+
 ## License
 
 ISC
+
+---

package/dist/cli/index.cjs

@@ -9,6 +9,9 @@ var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __esm = (fn, res) => function __init() {
   return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
 };
+var __commonJS = (cb, mod) => function __require() {
+  return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
+};
 var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, { get: all[name], enumerable: true });
@@ -59,7 +62,6 @@ async function readInput(file) {
 var import_node_fs;
 var init_readInput = __esm({
   "src/cli/readInput.ts"() {
-    "use strict";
     import_node_fs = __toESM(require("node:fs"));
   }
 });
@@ -78,29 +80,6 @@ function writeOutput(result, opts) {
 }
 var init_writeOutput = __esm({
   "src/cli/writeOutput.ts"() {
-    "use strict";
-  }
-});
-
-// src/cli/summary.ts
-var summary_exports = {};
-__export(summary_exports, {
-  printSummary: () => printSummary
-});
-function printSummary(matches) {
-  const counter = {};
-  for (const m of matches) {
-    counter[m.rule] = (counter[m.rule] || 0) + 1;
-  }
-  process.stderr.write("LogShield Summary\n");
-  for (const [rule, count] of Object.entries(counter)) {
-    process.stderr.write(`${rule}: ${count}
-`);
-  }
-}
-var init_summary = __esm({
-  "src/cli/summary.ts"() {
-    "use strict";
   }
 });
 
@@ -118,6 +97,9 @@ function applyRules(input, rules, ctx, matches) {
           value: match
         });
       }
+      if (ctx.dryRun) {
+        return match;
+      }
       return replaced;
     });
   }
@@ -125,7 +107,6 @@ function applyRules(input, rules, ctx, matches) {
 }
 var init_applyRules = __esm({
   "src/engine/applyRules.ts"() {
-    "use strict";
   }
 });
 
@@ -140,7 +121,6 @@ function guardInput(input) {
 var MAX_SIZE;
 var init_guard = __esm({
   "src/engine/guard.ts"() {
-    "use strict";
     MAX_SIZE = 200 * 1024;
   }
 });
@@ -149,7 +129,6 @@ var init_guard = __esm({
 var tokenRules;
 var init_tokens = __esm({
   "src/rules/tokens.ts"() {
-    "use strict";
     tokenRules = [
       {
         name: "JWT",
@@ -184,7 +163,6 @@ var init_tokens = __esm({
 var credentialRules;
 var init_credentials = __esm({
   "src/rules/credentials.ts"() {
-    "use strict";
     credentialRules = [
       {
         name: "PASSWORD",
@@ -217,7 +195,6 @@ var init_credentials = __esm({
 var cloudRules;
 var init_cloud = __esm({
   "src/rules/cloud.ts"() {
-    "use strict";
     cloudRules = [
       {
         name: "AWS_ACCESS_KEY",
@@ -256,7 +233,6 @@ function isValidLuhn(input) {
 }
 var init_luhn = __esm({
   "src/utils/luhn.ts"() {
-    "use strict";
   }
 });
 
@@ -264,7 +240,6 @@ var init_luhn = __esm({
 var creditCardRules;
 var init_creditCard = __esm({
   "src/rules/creditCard.ts"() {
-    "use strict";
     init_luhn();
     creditCardRules = [
       {
@@ -283,7 +258,6 @@ var init_creditCard = __esm({
 var urlRules;
 var init_urls = __esm({
   "src/rules/urls.ts"() {
-    "use strict";
     urlRules = [
       {
         name: "URL",
@@ -298,7 +272,6 @@ var init_urls = __esm({
 var customRules;
 var init_custom = __esm({
   "src/rules/custom.ts"() {
-    "use strict";
     customRules = [
       {
         name: "GENERIC_SECRET_KV",
@@ -329,7 +302,6 @@ function normalize(rules) {
 var allRules;
 var init_rules = __esm({
   "src/rules/index.ts"() {
-    "use strict";
     init_tokens();
     init_credentials();
     init_cloud();
@@ -358,36 +330,176 @@ function sanitizeLog(input, options) {
     return { output: "", matches: [] };
   }
   const ctx = {
-    strict: Boolean(options?.strict)
+    strict: Boolean(options?.strict),
+    dryRun: Boolean(options?.dryRun)
   };
   const matches = [];
+  if (ctx.dryRun) {
+    applyRules(input, allRules, ctx, matches);
+    return { output: input, matches };
+  }
   const output = applyRules(input, allRules, ctx, matches);
   return { output, matches };
 }
 var init_sanitizeLog = __esm({
   "src/engine/sanitizeLog.ts"() {
-    "use strict";
     init_applyRules();
     init_guard();
     init_rules();
   }
 });
 
+// src/cli/summary.ts
+var require_summary = __commonJS({
+  "src/cli/summary.ts"() {
+    "use strict";
+    var { readInput: readInput3 } = (init_readInput(), __toCommonJS(readInput_exports));
+    var { writeOutput: writeOutput3 } = (init_writeOutput(), __toCommonJS(writeOutput_exports));
+    var { printSummary: printSummary2 } = require_summary();
+    var { sanitizeLog: sanitizeLog3 } = (init_sanitizeLog(), __toCommonJS(sanitizeLog_exports));
+    var rawArgs2 = process.argv.slice(2).map((arg) => arg === "-h" ? "--help" : arg);
+    function getVersion2() {
+      return true ? "0.3.2" : "unknown";
+    }
+    function printHelp2() {
+      process.stdout.write(`Usage: logshield scan [file]
+
+Behavior:
+  - If a file is provided, LogShield reads from that file
+  - If input is piped, LogShield reads from STDIN automatically
+  - --stdin is optional and only needed for explicitness
+
+Options:
+  --strict            Aggressive redaction
+  --dry-run           Preview redactions without modifying output
+  --stdin             Force read from STDIN
+  --fail-on-detect    Exit with code 1 if any redaction occurs
+  --json              JSON output
+  --summary           Print summary
+  --version           Print version
+  --help              Show help
+`);
+    }
+    function parseArgs2(args) {
+      const flags = /* @__PURE__ */ new Set();
+      const positionals = [];
+      for (const arg of args) {
+        if (arg.startsWith("--")) {
+          flags.add(arg);
+        } else {
+          positionals.push(arg);
+        }
+      }
+      return { flags, positionals };
+    }
+    function isStdinPiped2() {
+      return !process.stdin.isTTY;
+    }
+    function renderDryRunReport2(matches) {
+      if (matches.length === 0) {
+        process.stdout.write("[DRY RUN] No redactions detected.\n");
+        process.stdout.write("No output was modified.\n");
+        return;
+      }
+      const counts = /* @__PURE__ */ new Map();
+      for (const m of matches) {
+        counts.set(m.rule, (counts.get(m.rule) || 0) + 1);
+      }
+      process.stdout.write("[DRY RUN] Detected redactions:\n");
+      const maxLen = Math.max(
+        ...Array.from(counts.keys()).map((k) => k.length)
+      );
+      for (const [rule, count] of counts.entries()) {
+        process.stdout.write(
+          `  ${rule.padEnd(maxLen)}  x${count}
+`
+        );
+      }
+      process.stdout.write("\n");
+      process.stdout.write("No output was modified.\n");
+      process.stdout.write("Use without --dry-run to apply.\n");
+    }
+    async function main2() {
+      if (rawArgs2.length === 0 || rawArgs2.includes("--help")) {
+        printHelp2();
+        process.exit(0);
+      }
+      if (rawArgs2.includes("--version")) {
+        console.log(`logshield v${getVersion2()}`);
+        process.exit(0);
+      }
+      const { flags, positionals } = parseArgs2(rawArgs2);
+      const command = positionals[0];
+      if (command !== "scan") {
+        process.stdout.write("Unknown command\n");
+        process.exit(1);
+      }
+      const file = positionals[1];
+      const strict = flags.has("--strict");
+      const json = flags.has("--json");
+      const summary = flags.has("--summary");
+      const stdinFlag = flags.has("--stdin");
+      const failOnDetect = flags.has("--fail-on-detect");
+      const dryRun = flags.has("--dry-run");
+      const stdinAuto = isStdinPiped2();
+      const useStdin = stdinFlag || stdinAuto;
+      if (useStdin && file) {
+        process.stdout.write("Cannot read from both STDIN and file\n");
+        process.exit(1);
+      }
+      if (dryRun && json) {
+        process.stdout.write("--dry-run cannot be used with --json\n");
+        process.exit(1);
+      }
+      try {
+        const input = await readInput3(useStdin ? void 0 : file);
+        const result = sanitizeLog3(input, { strict });
+        if (dryRun) {
+          renderDryRunReport2(result.matches);
+          if (failOnDetect && result.matches.length > 0) {
+            process.exit(1);
+          }
+          process.exit(0);
+        }
+        writeOutput3(result, { json });
+        if (summary) {
+          printSummary2(result.matches);
+        }
+        if (failOnDetect && result.matches.length > 0) {
+          process.exit(1);
+        }
+        process.exit(0);
+      } catch (err) {
+        process.stdout.write(err?.message || "Unexpected error");
+        process.stdout.write("\n");
+        process.exit(2);
+      }
+    }
+    main2();
+  }
+});
+
 // src/cli/index.ts
 var { readInput: readInput2 } = (init_readInput(), __toCommonJS(readInput_exports));
 var { writeOutput: writeOutput2 } = (init_writeOutput(), __toCommonJS(writeOutput_exports));
-var { printSummary: printSummary2 } = (init_summary(), __toCommonJS(summary_exports));
+var { printSummary } = require_summary();
 var { sanitizeLog: sanitizeLog2 } = (init_sanitizeLog(), __toCommonJS(sanitizeLog_exports));
-var rawArgs = process.argv.slice(2);
+var rawArgs = process.argv.slice(2).map((arg) => arg === "-h" ? "--help" : arg);
 function getVersion() {
   return true ? "0.3.2" : "unknown";
 }
 function printHelp() {
   process.stdout.write(`Usage: logshield scan [file]
 
+Behavior:
+  - If a file is provided, LogShield reads from that file
+  - If input is piped, LogShield reads from STDIN automatically
+  - --stdin is optional and only needed for explicitness
+
 Options:
   --strict            Aggressive redaction
-  --stdin             Read input from STDIN explicitly
+  --dry-run           Report detected redactions only
+  --stdin             Force read from STDIN
   --fail-on-detect    Exit with code 1 if any redaction occurs
   --json              JSON output
   --summary           Print summary
@@ -407,45 +519,94 @@ function parseArgs(args) {
   }
   return { flags, positionals };
 }
+function isStdinPiped() {
+  return !process.stdin.isTTY;
+}
+function renderDryRunReport(matches) {
+  if (matches.length === 0) {
+    process.stdout.write("logshield (dry-run)\n");
+    process.stdout.write("Detected 0 redactions.\n");
+    process.stdout.write("No output was modified.\n");
+    return;
+  }
+  const counter = {};
+  for (const m of matches) {
+    counter[m.rule] = (counter[m.rule] || 0) + 1;
+  }
+  const entries = Object.entries(counter).map(([rule, count]) => ({ rule, count })).sort((a, b) => {
+    if (b.count !== a.count) return b.count - a.count;
+    return a.rule.localeCompare(b.rule);
+  });
+  const maxLen = Math.max(...entries.map((e) => e.rule.length));
+  const total = matches.length;
+  const label = total === 1 ? "redaction" : "redactions";
+  process.stdout.write("logshield (dry-run)\n");
+  process.stdout.write(`Detected ${total} ${label}:
+`);
+  for (const { rule, count } of entries) {
+    process.stdout.write(
+      `  ${rule.padEnd(maxLen)}  x${count}
+`
+    );
+  }
+  process.stdout.write("\n");
+  process.stdout.write("No output was modified.\n");
+  process.stdout.write("Use without --dry-run to apply.\n");
+}
 async function main() {
   if (rawArgs.length === 0 || rawArgs.includes("--help")) {
     printHelp();
     process.exit(0);
   }
   if (rawArgs.includes("--version")) {
-    console.log(`logshield v${getVersion()}`);
+    process.stdout.write(`logshield v${getVersion()}
+`);
     process.exit(0);
   }
   const { flags, positionals } = parseArgs(rawArgs);
   const command = positionals[0];
   if (command !== "scan") {
-    process.stderr.write("Unknown command\n");
+    process.stdout.write("Unknown command\n");
     process.exit(1);
   }
   const file = positionals[1];
   const strict = flags.has("--strict");
   const json = flags.has("--json");
   const summary = flags.has("--summary");
-  const stdin = flags.has("--stdin");
+  const stdinFlag = flags.has("--stdin");
   const failOnDetect = flags.has("--fail-on-detect");
-  if (stdin && file) {
-    process.stderr.write("Cannot use --stdin with file argument\n");
+  const dryRun = flags.has("--dry-run");
+  const stdinAuto = isStdinPiped();
+  const useStdin = stdinFlag || stdinAuto;
+  if (useStdin && file) {
+    process.stdout.write("Cannot read from both STDIN and file\n");
+    process.exit(1);
+  }
+  if (dryRun && json) {
+    process.stdout.write("--dry-run cannot be used with --json\n");
     process.exit(1);
   }
   try {
-    const input = await readInput2(stdin ? void 0 : file);
+    const input = await readInput2(useStdin ? void 0 : file);
     const result = sanitizeLog2(input, { strict });
+    if (dryRun) {
+      renderDryRunReport(result.matches);
+      if (failOnDetect && result.matches.length > 0) {
+        process.exit(1);
+      }
+      process.exit(0);
+    }
     writeOutput2(result, { json });
     if (summary) {
-      printSummary2(result.matches);
+      printSummary(result.matches);
     }
     if (failOnDetect && result.matches.length > 0) {
       process.exit(1);
     }
     process.exit(0);
   } catch (err) {
-    process.stderr.write(err?.message || "Unexpected error");
-    process.stderr.write("\n");
+    process.stdout.write(err?.message || "Unexpected error");
+    process.stdout.write("\n");
     process.exit(2);
   }
 }

package/package.json

@@ -1,21 +1,29 @@
-{
-  "name": "logshield-cli",
-  "version": "0.3.2",
-  "type": "commonjs",
-  "bin": {
-    "logshield": "dist/cli/index.cjs"
-  },
-  "files": [
-    "dist",
-    "README.md",
-    "LICENSE"
-  ],
-  "scripts": {
-    "build": "node scripts/build-cli.cjs",
-    "test": "vitest"
-  },
-  "devDependencies": {
-    "esbuild": "^0.25.0",
-    "vitest": "^4.0.0"
-  }
-}
+{
+  "name": "logshield-cli",
+  "version": "0.3.4",
+  "license": "ISC",
+  "type": "commonjs",
+  "bin": {
+    "logshield": "dist/cli/index.cjs"
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "build": "node scripts/build-cli.cjs",
+    "build:web": "vite build --outDir dist-web",
+    "dev:web": "vite",
+    "pretest": "npm run build",
+    "test": "vitest"
+  },
+  "devDependencies": {
+    "@types/node": "^25.0.3",
+    "autoprefixer": "^10.4.23",
+    "esbuild": "^0.25.0",
+    "postcss": "^8.5.6",
+    "tailwindcss": "^3.4.19",
+    "vitest": "^4.0.0"
+  }
+}

package/dist/index.html

@@ -1,16 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="UTF-8" />
-  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-  <meta name="description"
-    content="Privacy-first log sanitizer. Remove API keys, tokens, and PII instantly. 100% client-side." />
-  <title>LogShield</title>
-  <script defer data-domain="logshield.dev" src="https://plausible.io/js/script.js"></script>
-  <script type="module" crossorigin src="/assets/index-DDJ1Wxio.js"></script>
-  <link rel="stylesheet" crossorigin href="/assets/index-B3qxIuiz.css">
-</head>
-<body>
-  <div id="root"></div>
-</body>
-</html>