logshield-cli 0.4.1 → 0.4.2

package/CHANGELOG.md

@@ -1,5 +1,16 @@
 # Changelog
 
+## v0.4.2
+
+### Fixed
+
+- CLI errors are now written to stderr (CI-safe piping)
+- JSON output is newline-terminated
+- URL redaction is no longer overly aggressive; only credentials and sensitive parameters are redacted
+- PASSWORD redaction preserves original delimiter and spacing
+- Improved dry-run reporting consistency
+- Added contract tests for CLI output and URL behavior
+
 ## v0.4.1
 
 ### Fixed

package/README.md

@@ -1,18 +1,59 @@
----
 # LogShield
 
 [![npm version](https://img.shields.io/npm/v/logshield-cli)](https://www.npmjs.com/package/logshield-cli)
 [![npm downloads](https://img.shields.io/npm/dm/logshield-cli)](https://www.npmjs.com/package/logshield-cli)
 [![CI](https://github.com/afria85/LogShield/actions/workflows/ci.yml/badge.svg)](https://github.com/afria85/LogShield/actions/workflows/ci.yml)
 
-Deterministic log sanitization for developers.
+Your logs already contain secrets. You just don’t see them.
+
+LogShield is a small CLI that automatically redacts secrets from logs **before**
+you paste them into CI, GitHub issues, Slack, or send them to third-party support.
+
+No configuration. No cloud. Deterministic output.
+
+---
 
 ## Quick start (30 seconds)
 
 ```bash
-# Install (CLI command: logshield)
-npm install -g logshield-cli
+# Sanitize logs before sharing them
+cat app.log | logshield scan
+```
+
+**Example input**
+
+```txt
+POSTGRES_URL=postgres://user:supersecret@db.internal
+Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
+```
+
+These are typical raw logs -- with secrets -- before you share them.
+
+**Output**
+
+```txt
+POSTGRES_URL=postgres://user:<REDACTED_PASSWORD>@db.internal
+Authorization: Bearer <REDACTED_TOKEN>
+```
 
+After LogShield, the same logs are safe to share.
+
+---
+
+## When should I use LogShield?
+
+Use LogShield whenever logs leave your system:
+
+- Before pasting logs into CI
+- Before attaching logs to GitHub issues
+- Before sending logs to third-party support
+- Before sharing logs in Slack or email
+
+---
+
+## Preview before enforcing (dry-run)
+
+```bash
 # Preview what would be redacted (does not modify output)
 echo "email=test@example.com token=sk_live_123" | logshield scan --dry-run
 ```
@@ -35,7 +76,9 @@ echo "email=test@example.com token=sk_live_123" | logshield scan
 - Prefer `--dry-run` first in CI to verify you are not over-redacting.
 - Then switch to enforced mode once you are satisfied with the preview.
 
-LogShield is a CLI tool that scans logs and redacts **real secrets** (API keys, tokens, credentials) before logs are shared with others, AI tools, CI systems, or public channels.
+LogShield is a CLI tool that scans logs and redacts **real secrets**
+(API keys, tokens, credentials) before logs are shared with others,
+AI tools, CI systems, or public channels.
 
 It is designed to be **predictable, conservative, and safe for production pipelines**.
 
@@ -148,28 +191,28 @@ If a file is not provided and input is piped, LogShield automatically reads from
 
 ## CLI Flags
 
-- `--strict`
+- `--strict`  
   Aggressive, security-first redaction
 
-- `--stdin`
+- `--stdin`  
   Explicitly force reading from STDIN
 
-- `--dry-run`
+- `--dry-run`  
   Detect sensitive data without modifying output
 
-- `--fail-on-detect`
+- `--fail-on-detect`  
   Exit with code `1` if any redaction is detected (CI-friendly)
 
-- `--summary`
+- `--summary`  
   Print a compact redaction summary
 
-- `--json`
+- `--json`  
   JSON output (cannot be combined with `--dry-run`)
 
-- `--version`
+- `--version`  
   Print CLI version
 
-- `--help`
+- `--help`  
   Show help
 
 ---
@@ -204,10 +247,10 @@ cat app.log | logshield scan --dry-run
 
 ```
 logshield (dry-run)
-Detected 3 redactions:
-  OAUTH_ACCESS_TOKEN   x1
+Detected 5 redactions:
   AUTH_BEARER          x2
   EMAIL                x1
+  OAUTH_ACCESS_TOKEN   x1
   PASSWORD             x1
 
 No output was modified.
@@ -319,7 +362,7 @@ logshield scan --json < logs.txt
 Notes:
 
 - `--json` **cannot** be combined with `--dry-run`
-- Output schema is stable within v0.3.x
+- Output schema is stable within v0.4.x
 
 ---
 
@@ -370,7 +413,7 @@ Depending on rules and mode:
 LogShield guarantees:
 
 - Deterministic output
-- Stable behavior within **v0.3.x**
+- Stable behavior within **v0.4.x**
 - No runtime dependencies
 - Snapshot-tested and contract-tested
 - No telemetry
@@ -401,5 +444,3 @@ It is a **last-line safety net**, not a primary defense.
 ## License
 
 Apache-2.0
-
----

package/dist/cli/index.cjs

@@ -70,7 +70,8 @@ __export(writeOutput_exports, {
 });
 function writeOutput(result, opts) {
   if (opts.json) {
-    process.stdout.write(JSON.stringify(result));
+    process.stdout.write(`${JSON.stringify(result)}
+`);
   } else {
     process.stdout.write(result.output);
   }
@@ -184,8 +185,12 @@ var init_tokens = __esm({
       },
       {
         name: "EMAIL",
-        pattern: /\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b/gi,
-        replace: () => "<REDACTED_EMAIL>"
+        // Avoid corrupting URLs with embedded credentials like:
+        //   https://user:pass@host
+        // In those cases, `pass@host` can look like an email.
+        // We therefore require a safe delimiter (whitespace/quotes/brackets/`=` or `: `) before the email.
+        pattern: /(^|[\s"'\(\[\{<>,;]|=|:\s)([A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,})/gim,
+        replace: (_match, _ctx, groups) => `${groups[0]}<REDACTED_EMAIL>`
       }
     ];
   }
@@ -199,8 +204,12 @@ var init_credentials = __esm({
       // password=... or password: ...
       {
         name: "PASSWORD",
-        pattern: /\bpassword\s*[:=]\s*([^\s]+)/gi,
-        replace: () => "password=<REDACTED_PASSWORD>"
+        // Preserve delimiter and spacing so logs remain readable and diff-friendly.
+        // Examples:
+        //   password=secret  -> password=<REDACTED_PASSWORD>
+        //   Password : 123   -> Password : <REDACTED_PASSWORD>
+        pattern: /\b(password)(\s*[:=]\s*)([^\s]+)/gi,
+        replace: (_match, _ctx, groups) => `${groups[0]}${groups[1]}<REDACTED_PASSWORD>`
       },
       // DB URL credential: postgres://user:pass@host
       {
@@ -316,14 +325,100 @@ var init_creditCard = __esm({
 });
 
 // src/rules/urls.ts
-var urlRules;
+function redactQueryLike(segment) {
+  if (segment.length < 2) return segment;
+  const prefix = segment[0];
+  const raw = segment.slice(1);
+  if (!raw.includes("=")) return segment;
+  const parts = raw.split("&");
+  const redacted = parts.map((p) => {
+    const eq = p.indexOf("=");
+    if (eq === -1) return p;
+    const key = p.slice(0, eq);
+    const value = p.slice(eq + 1);
+    const normalized = key.trim().toLowerCase();
+    if (!SENSITIVE_PARAM_KEYS.has(normalized)) return p;
+    if (value.length === 0) return `${key}=`;
+    return `${key}=<REDACTED_URL_PARAM>`;
+  });
+  return `${prefix}${redacted.join("&")}`;
+}
+function redactUrl(match) {
+  const schemeIdx = match.indexOf("://");
+  if (schemeIdx === -1) return match;
+  const scheme = match.slice(0, schemeIdx + 3);
+  const rest = match.slice(schemeIdx + 3);
+  const authorityEnd = (() => {
+    const slash = rest.indexOf("/");
+    const q = rest.indexOf("?");
+    const h = rest.indexOf("#");
+    const candidates = [slash, q, h].filter((i) => i !== -1);
+    return candidates.length === 0 ? rest.length : Math.min(...candidates);
+  })();
+  let authority = rest.slice(0, authorityEnd);
+  let tail = rest.slice(authorityEnd);
+  const at = authority.lastIndexOf("@");
+  if (at !== -1) {
+    const userinfo = authority.slice(0, at);
+    const host = authority.slice(at + 1);
+    const colon = userinfo.indexOf(":");
+    if (colon !== -1) {
+      const user = userinfo.slice(0, colon);
+      authority = `${user}:<REDACTED_PASSWORD>@${host}`;
+    } else {
+      authority = `<REDACTED_PASSWORD>@${host}`;
+    }
+  }
+  const hashIdx = tail.indexOf("#");
+  const queryIdx = tail.indexOf("?");
+  if (queryIdx !== -1 && (hashIdx === -1 || queryIdx < hashIdx)) {
+    const before = tail.slice(0, queryIdx);
+    const after = tail.slice(queryIdx);
+    const hashInside = after.indexOf("#");
+    if (hashInside === -1) {
+      tail = `${before}${redactQueryLike(after)}`;
+    } else {
+      const qPart = after.slice(0, hashInside);
+      const hPart = after.slice(hashInside);
+      tail = `${before}${redactQueryLike(qPart)}${redactQueryLike(hPart)}`;
+    }
+  } else if (hashIdx !== -1) {
+    const before = tail.slice(0, hashIdx);
+    const hPart = tail.slice(hashIdx);
+    tail = `${before}${redactQueryLike(hPart)}`;
+  }
+  return `${scheme}${authority}${tail}`;
+}
+var SENSITIVE_PARAM_KEYS, urlRules;
 var init_urls = __esm({
   "src/rules/urls.ts"() {
+    SENSITIVE_PARAM_KEYS = new Set(
+      [
+        "access_token",
+        "token",
+        "id_token",
+        "refresh_token",
+        "auth",
+        "authorization",
+        "api_key",
+        "apikey",
+        "api-key",
+        "key",
+        "secret",
+        "password",
+        "passwd",
+        "signature",
+        "sig",
+        "session"
+      ].map((k) => k.toLowerCase())
+    );
     urlRules = [
       {
         name: "URL",
-        pattern: /\bhttps?:\/\/[^\s/$.?#].[^\s]*\b/gi,
-        replace: () => "<REDACTED_URL>"
+        // Match HTTP(S) URLs, stopping at whitespace.
+        // (Conservative: avoids attempting to be a full RFC URL parser.)
+        pattern: /\bhttps?:\/\/[^\s]+/gi,
+        replace: (match) => redactUrl(match)
       }
     ];
   }
@@ -417,7 +512,7 @@ var { printSummary: printSummary2 } = (init_summary(), __toCommonJS(summary_expo
 var { sanitizeLog: sanitizeLog2 } = (init_sanitizeLog(), __toCommonJS(sanitizeLog_exports));
 var rawArgs = process.argv.slice(2).map((arg) => arg === "-h" ? "--help" : arg);
 function getVersion() {
-  return true ? "0.4.1" : "unknown";
+  return true ? "0.4.2" : "unknown";
 }
 function printHelp() {
   process.stdout.write(`Usage: logshield scan [file]
@@ -438,6 +533,9 @@ Options:
   --help              Show help
 `);
 }
+function writeErr(message) {
+  process.stderr.write(message);
+}
 function parseArgs(args) {
   const flags = /* @__PURE__ */ new Set();
   const positionals = [];
@@ -495,7 +593,7 @@ async function main() {
   const { flags, positionals } = parseArgs(rawArgs);
   const command = positionals[0];
   if (command !== "scan") {
-    process.stdout.write("Unknown command\n");
+    writeErr("Unknown command\n");
     process.exit(1);
   }
   const file = positionals[1];
@@ -508,15 +606,15 @@ async function main() {
   const stdinAuto = isStdinPiped();
   const useStdin = stdinFlag || stdinAuto;
   if (useStdin && file) {
-    process.stdout.write("Cannot read from both STDIN and file\n");
+    writeErr("Cannot read from both STDIN and file\n");
     process.exit(1);
   }
   if (dryRun && json) {
-    process.stdout.write("--dry-run cannot be used with --json\n");
+    writeErr("--dry-run cannot be used with --json\n");
     process.exit(1);
   }
   if (json && summary) {
-    process.stdout.write("--summary cannot be used with --json\n");
+    writeErr("--summary cannot be used with --json\n");
     process.exit(1);
   }
   try {
@@ -538,8 +636,7 @@ async function main() {
     }
     process.exit(0);
   } catch (err) {
-    process.stdout.write(err?.message || "Unexpected error");
-    process.stdout.write("\n");
+    writeErr((err?.message || "Unexpected error") + "\n");
     process.exit(2);
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "logshield-cli",
-  "version": "0.4.1",
+  "version": "0.4.2",
   "license": "Apache-2.0",
   "type": "commonjs",
   "bin": {