logshield-cli 0.4.0 → 0.4.2

package/CHANGELOG.md

@@ -1,5 +1,34 @@
 # Changelog
 
+## v0.4.2
+
+### Fixed
+
+- CLI errors are now written to stderr (CI-safe piping)
+- JSON output is newline-terminated
+- URL redaction is no longer overly aggressive; only credentials and sensitive parameters are redacted
+- PASSWORD redaction preserves original delimiter and spacing
+- Improved dry-run reporting consistency
+- Added contract tests for CLI output and URL behavior
+
+## v0.4.1
+
+### Fixed
+
+- Prevented secret leakage in `--json` output by removing raw match values from the public result shape
+- Forwarded `--dry-run` into the engine to ensure consistent, future-proof behavior
+
+### Improved
+
+- Expanded credential detection for common API key variants (`api_key`, `api-key`, `apikey`) and `Authorization: Bearer ...`
+- Hardened AWS secret key strict detection to reduce false positives while keeping strict mode safe
+
+### Notes
+
+- No breaking changes
+- No new features
+- Stability and safety hardening release
+
 ## v0.4.0
 
 ### Changed
@@ -21,8 +50,6 @@
 ### Improved
 
 - CLI documentation clarity
-- Blog and docs structure consistency
-- Shared `styles.css` and `main.js` across site pages
 
 ### Notes
 

package/README.md

@@ -1,18 +1,59 @@
----
 # LogShield
 
 [![npm version](https://img.shields.io/npm/v/logshield-cli)](https://www.npmjs.com/package/logshield-cli)
 [![npm downloads](https://img.shields.io/npm/dm/logshield-cli)](https://www.npmjs.com/package/logshield-cli)
 [![CI](https://github.com/afria85/LogShield/actions/workflows/ci.yml/badge.svg)](https://github.com/afria85/LogShield/actions/workflows/ci.yml)
 
-Deterministic log sanitization for developers.
+Your logs already contain secrets. You just don’t see them.
+
+LogShield is a small CLI that automatically redacts secrets from logs **before**
+you paste them into CI, GitHub issues, Slack, or send them to third-party support.
+
+No configuration. No cloud. Deterministic output.
+
+---
 
 ## Quick start (30 seconds)
 
 ```bash
-# Install (CLI command: logshield)
-npm install -g logshield-cli
+# Sanitize logs before sharing them
+cat app.log | logshield scan
+```
+
+**Example input**
+
+```txt
+POSTGRES_URL=postgres://user:supersecret@db.internal
+Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
+```
+
+These are typical raw logs -- with secrets -- before you share them.
+
+**Output**
+
+```txt
+POSTGRES_URL=postgres://user:<REDACTED_PASSWORD>@db.internal
+Authorization: Bearer <REDACTED_TOKEN>
+```
 
+After LogShield, the same logs are safe to share.
+
+---
+
+## When should I use LogShield?
+
+Use LogShield whenever logs leave your system:
+
+- Before pasting logs into CI
+- Before attaching logs to GitHub issues
+- Before sending logs to third-party support
+- Before sharing logs in Slack or email
+
+---
+
+## Preview before enforcing (dry-run)
+
+```bash
 # Preview what would be redacted (does not modify output)
 echo "email=test@example.com token=sk_live_123" | logshield scan --dry-run
 ```
@@ -35,7 +76,9 @@ echo "email=test@example.com token=sk_live_123" | logshield scan
 - Prefer `--dry-run` first in CI to verify you are not over-redacting.
 - Then switch to enforced mode once you are satisfied with the preview.
 
-LogShield is a CLI tool that scans logs and redacts **real secrets** (API keys, tokens, credentials) before logs are shared with others, AI tools, CI systems, or public channels.
+LogShield is a CLI tool that scans logs and redacts **real secrets**
+(API keys, tokens, credentials) before logs are shared with others,
+AI tools, CI systems, or public channels.
 
 It is designed to be **predictable, conservative, and safe for production pipelines**.
 
@@ -148,28 +191,28 @@ If a file is not provided and input is piped, LogShield automatically reads from
 
 ## CLI Flags
 
-- `--strict`
+- `--strict`  
   Aggressive, security-first redaction
 
-- `--stdin`
+- `--stdin`  
   Explicitly force reading from STDIN
 
-- `--dry-run`
+- `--dry-run`  
   Detect sensitive data without modifying output
 
-- `--fail-on-detect`
+- `--fail-on-detect`  
   Exit with code `1` if any redaction is detected (CI-friendly)
 
-- `--summary`
+- `--summary`  
   Print a compact redaction summary
 
-- `--json`
+- `--json`  
   JSON output (cannot be combined with `--dry-run`)
 
-- `--version`
+- `--version`  
   Print CLI version
 
-- `--help`
+- `--help`  
   Show help
 
 ---
@@ -204,10 +247,10 @@ cat app.log | logshield scan --dry-run
 
 ```
 logshield (dry-run)
-Detected 3 redactions:
-  OAUTH_ACCESS_TOKEN   x1
+Detected 5 redactions:
   AUTH_BEARER          x2
   EMAIL                x1
+  OAUTH_ACCESS_TOKEN   x1
   PASSWORD             x1
 
 No output was modified.
@@ -319,7 +362,7 @@ logshield scan --json < logs.txt
 Notes:
 
 - `--json` **cannot** be combined with `--dry-run`
-- Output schema is stable within v0.3.x
+- Output schema is stable within v0.4.x
 
 ---
 
@@ -370,7 +413,7 @@ Depending on rules and mode:
 LogShield guarantees:
 
 - Deterministic output
-- Stable behavior within **v0.3.x**
+- Stable behavior within **v0.4.x**
 - No runtime dependencies
 - Snapshot-tested and contract-tested
 - No telemetry
@@ -401,5 +444,3 @@ It is a **last-line safety net**, not a primary defense.
 ## License
 
 Apache-2.0
-
----

package/dist/cli/index.cjs

@@ -70,7 +70,8 @@ __export(writeOutput_exports, {
 });
 function writeOutput(result, opts) {
   if (opts.json) {
-    process.stdout.write(JSON.stringify(result));
+    process.stdout.write(`${JSON.stringify(result)}
+`);
   } else {
     process.stdout.write(result.output);
   }
@@ -126,8 +127,7 @@ function applyRules(input, rules, ctx, matches) {
       const replaced = rule.replace(match, ctx, groups);
       if (replaced !== match) {
         matches.push({
-          rule: rule.name,
-          value: match
+          rule: rule.name
         });
       }
       if (ctx.dryRun) {
@@ -185,8 +185,12 @@ var init_tokens = __esm({
       },
       {
         name: "EMAIL",
-        pattern: /\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b/gi,
-        replace: () => "<REDACTED_EMAIL>"
+        // Avoid corrupting URLs with embedded credentials like:
+        //   https://user:pass@host
+        // In those cases, `pass@host` can look like an email.
+        // We therefore require a safe delimiter (whitespace/quotes/brackets/`=` or `: `) before the email.
+        pattern: /(^|[\s"'\(\[\{<>,;]|=|:\s)([A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,})/gim,
+        replace: (_match, _ctx, groups) => `${groups[0]}<REDACTED_EMAIL>`
       }
     ];
   }
@@ -197,10 +201,15 @@ var credentialRules;
 var init_credentials = __esm({
   "src/rules/credentials.ts"() {
     credentialRules = [
+      // password=... or password: ...
       {
         name: "PASSWORD",
-        pattern: /\bpassword=([^\s]+)/gi,
-        replace: () => "password=<REDACTED_PASSWORD>"
+        // Preserve delimiter and spacing so logs remain readable and diff-friendly.
+        // Examples:
+        //   password=secret  -> password=<REDACTED_PASSWORD>
+        //   Password : 123   -> Password : <REDACTED_PASSWORD>
+        pattern: /\b(password)(\s*[:=]\s*)([^\s]+)/gi,
+        replace: (_match, _ctx, groups) => `${groups[0]}${groups[1]}<REDACTED_PASSWORD>`
       },
       // DB URL credential: postgres://user:pass@host
       {
@@ -208,17 +217,30 @@ var init_credentials = __esm({
         pattern: /\b(postgres|mysql|mongodb):\/\/([^:\s]+):([^@\s]+)@/gi,
         replace: (_match, _ctx, groups) => `${groups[0]}://${groups[1]}:<REDACTED_PASSWORD>@`
       },
-      // apiKey=...
+      /**
+       * API key (common variants):
+       * - apiKey=...
+       * - api_key=...
+       * - api-key: ...
+       * - apikey=...
+       * Supports '=' or ':' and optional quotes/spaces.
+       */
       {
         name: "API_KEY",
-        pattern: /\bapiKey=([A-Za-z0-9_\-]{16,})\b/g,
+        pattern: /\bapi(?:[_-]?key)\s*[:=]\s*["']?([A-Za-z0-9_\-]{16,})["']?\b/gi,
         replace: () => "<REDACTED_API_KEY>"
       },
       // x-api-key: ....
       {
         name: "API_KEY_HEADER",
-        pattern: /\bx-api-key:\s*[A-Za-z0-9_\-]{16,}\b/gi,
+        pattern: /\bx-api-key\s*:\s*["']?[A-Za-z0-9_\-]{16,}["']?\b/gi,
         replace: () => "x-api-key: <REDACTED_API_KEY>"
+      },
+      // authorization: Bearer ...
+      {
+        name: "AUTHORIZATION_BEARER",
+        pattern: /\bauthorization\s*:\s*bearer\s+([A-Za-z0-9._\-]{16,})\b/gi,
+        replace: () => "authorization: Bearer <REDACTED_TOKEN>"
       }
     ];
   }
@@ -234,9 +256,24 @@ var init_cloud = __esm({
         pattern: /\bAKIA[0-9A-Z]{16,20}\b/g,
         replace: (match, { strict }) => strict ? "<REDACTED_AWS_KEY>" : match
       },
+      /**
+       * Prefer contextual AWS secret key detection first:
+       * - AWS_SECRET_ACCESS_KEY=...
+       * - aws_secret_access_key: ...
+       * - secretAccessKey=...
+       */
+      {
+        name: "AWS_SECRET_ACCESS_KEY",
+        pattern: /\b(?:AWS_SECRET_ACCESS_KEY|aws_secret_access_key|secretAccessKey|awsSecretAccessKey)\s*[:=]\s*["']?([A-Za-z0-9\/+=]{40})["']?\b/g,
+        replace: (_match, { strict }, groups) => strict ? "<REDACTED_AWS_SECRET>" : _match.replace(groups[0], "<REDACTED_AWS_SECRET>")
+      },
+      /**
+       * Strict-only broad fallback, but require at least one of / + = inside the 40 chars
+       * to reduce false positives on purely alphanumeric 40-char strings.
+       */
       {
         name: "AWS_SECRET_KEY",
-        pattern: /\b[A-Za-z0-9\/+=]{40}\b/g,
+        pattern: /\b(?=[A-Za-z0-9\/+=]{40}\b)(?=[A-Za-z0-9\/+=]*[\/+=])[A-Za-z0-9\/+=]{40}\b/g,
         replace: (match, { strict }) => strict ? "<REDACTED_AWS_SECRET>" : match
       },
       {
@@ -288,14 +325,100 @@ var init_creditCard = __esm({
 });
 
 // src/rules/urls.ts
-var urlRules;
+function redactQueryLike(segment) {
+  if (segment.length < 2) return segment;
+  const prefix = segment[0];
+  const raw = segment.slice(1);
+  if (!raw.includes("=")) return segment;
+  const parts = raw.split("&");
+  const redacted = parts.map((p) => {
+    const eq = p.indexOf("=");
+    if (eq === -1) return p;
+    const key = p.slice(0, eq);
+    const value = p.slice(eq + 1);
+    const normalized = key.trim().toLowerCase();
+    if (!SENSITIVE_PARAM_KEYS.has(normalized)) return p;
+    if (value.length === 0) return `${key}=`;
+    return `${key}=<REDACTED_URL_PARAM>`;
+  });
+  return `${prefix}${redacted.join("&")}`;
+}
+function redactUrl(match) {
+  const schemeIdx = match.indexOf("://");
+  if (schemeIdx === -1) return match;
+  const scheme = match.slice(0, schemeIdx + 3);
+  const rest = match.slice(schemeIdx + 3);
+  const authorityEnd = (() => {
+    const slash = rest.indexOf("/");
+    const q = rest.indexOf("?");
+    const h = rest.indexOf("#");
+    const candidates = [slash, q, h].filter((i) => i !== -1);
+    return candidates.length === 0 ? rest.length : Math.min(...candidates);
+  })();
+  let authority = rest.slice(0, authorityEnd);
+  let tail = rest.slice(authorityEnd);
+  const at = authority.lastIndexOf("@");
+  if (at !== -1) {
+    const userinfo = authority.slice(0, at);
+    const host = authority.slice(at + 1);
+    const colon = userinfo.indexOf(":");
+    if (colon !== -1) {
+      const user = userinfo.slice(0, colon);
+      authority = `${user}:<REDACTED_PASSWORD>@${host}`;
+    } else {
+      authority = `<REDACTED_PASSWORD>@${host}`;
+    }
+  }
+  const hashIdx = tail.indexOf("#");
+  const queryIdx = tail.indexOf("?");
+  if (queryIdx !== -1 && (hashIdx === -1 || queryIdx < hashIdx)) {
+    const before = tail.slice(0, queryIdx);
+    const after = tail.slice(queryIdx);
+    const hashInside = after.indexOf("#");
+    if (hashInside === -1) {
+      tail = `${before}${redactQueryLike(after)}`;
+    } else {
+      const qPart = after.slice(0, hashInside);
+      const hPart = after.slice(hashInside);
+      tail = `${before}${redactQueryLike(qPart)}${redactQueryLike(hPart)}`;
+    }
+  } else if (hashIdx !== -1) {
+    const before = tail.slice(0, hashIdx);
+    const hPart = tail.slice(hashIdx);
+    tail = `${before}${redactQueryLike(hPart)}`;
+  }
+  return `${scheme}${authority}${tail}`;
+}
+var SENSITIVE_PARAM_KEYS, urlRules;
 var init_urls = __esm({
   "src/rules/urls.ts"() {
+    SENSITIVE_PARAM_KEYS = new Set(
+      [
+        "access_token",
+        "token",
+        "id_token",
+        "refresh_token",
+        "auth",
+        "authorization",
+        "api_key",
+        "apikey",
+        "api-key",
+        "key",
+        "secret",
+        "password",
+        "passwd",
+        "signature",
+        "sig",
+        "session"
+      ].map((k) => k.toLowerCase())
+    );
     urlRules = [
       {
         name: "URL",
-        pattern: /\bhttps?:\/\/[^\s/$.?#].[^\s]*\b/gi,
-        replace: () => "<REDACTED_URL>"
+        // Match HTTP(S) URLs, stopping at whitespace.
+        // (Conservative: avoids attempting to be a full RFC URL parser.)
+        pattern: /\bhttps?:\/\/[^\s]+/gi,
+        replace: (match) => redactUrl(match)
       }
     ];
   }
@@ -389,7 +512,7 @@ var { printSummary: printSummary2 } = (init_summary(), __toCommonJS(summary_expo
 var { sanitizeLog: sanitizeLog2 } = (init_sanitizeLog(), __toCommonJS(sanitizeLog_exports));
 var rawArgs = process.argv.slice(2).map((arg) => arg === "-h" ? "--help" : arg);
 function getVersion() {
-  return true ? "0.4.0" : "unknown";
+  return true ? "0.4.2" : "unknown";
 }
 function printHelp() {
   process.stdout.write(`Usage: logshield scan [file]
@@ -410,6 +533,9 @@ Options:
   --help              Show help
 `);
 }
+function writeErr(message) {
+  process.stderr.write(message);
+}
 function parseArgs(args) {
   const flags = /* @__PURE__ */ new Set();
   const positionals = [];
@@ -447,10 +573,8 @@ function renderDryRunReport(matches) {
   process.stdout.write(`Detected ${total} ${label}:
 `);
   for (const { rule, count } of entries) {
-    process.stdout.write(
-      `  ${rule.padEnd(maxLen)}  x${count}
-`
-    );
+    process.stdout.write(`  ${rule.padEnd(maxLen)}  x${count}
+`);
   }
   process.stdout.write("\n");
   process.stdout.write("No output was modified.\n");
@@ -469,7 +593,7 @@ async function main() {
   const { flags, positionals } = parseArgs(rawArgs);
   const command = positionals[0];
   if (command !== "scan") {
-    process.stdout.write("Unknown command\n");
+    writeErr("Unknown command\n");
     process.exit(1);
   }
   const file = positionals[1];
@@ -482,20 +606,20 @@ async function main() {
   const stdinAuto = isStdinPiped();
   const useStdin = stdinFlag || stdinAuto;
   if (useStdin && file) {
-    process.stdout.write("Cannot read from both STDIN and file\n");
+    writeErr("Cannot read from both STDIN and file\n");
     process.exit(1);
   }
   if (dryRun && json) {
-    process.stdout.write("--dry-run cannot be used with --json\n");
+    writeErr("--dry-run cannot be used with --json\n");
     process.exit(1);
   }
   if (json && summary) {
-    process.stdout.write("--summary cannot be used with --json\n");
+    writeErr("--summary cannot be used with --json\n");
     process.exit(1);
   }
   try {
     const input = await readInput2(useStdin ? void 0 : file);
-    const result = sanitizeLog2(input, { strict });
+    const result = sanitizeLog2(input, { strict, dryRun });
     if (dryRun) {
       renderDryRunReport(result.matches);
       if (failOnDetect && result.matches.length > 0) {
@@ -512,8 +636,7 @@ async function main() {
     }
     process.exit(0);
   } catch (err) {
-    process.stdout.write(err?.message || "Unexpected error");
-    process.stdout.write("\n");
+    writeErr((err?.message || "Unexpected error") + "\n");
     process.exit(2);
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "logshield-cli",
-  "version": "0.4.0",
+  "version": "0.4.2",
   "license": "Apache-2.0",
   "type": "commonjs",
   "bin": {
@@ -17,6 +17,7 @@
     "build:web": "vite build --outDir dist-web",
     "build:blog": "node scripts/build-blog.js",
     "dev:web": "vite",
+    "typecheck": "tsc -p tsconfig.core.json && tsc -p tsconfig.cli.json --noEmit",
     "pretest": "npm run build",
     "test": "vitest",
     "prepublishOnly": "npm run build"
@@ -27,6 +28,7 @@
     "esbuild": "^0.25.0",
     "postcss": "^8.5.6",
     "tailwindcss": "^3.4.19",
+    "typescript": "^5.9.3",
     "vitest": "^4.0.0"
   }
 }