logshield-cli 0.4.1 → 0.4.3

package/CHANGELOG.md

@@ -1,5 +1,36 @@
 # Changelog
 
+## v0.4.3
+
+### Fixed
+
+- Prevented API key redaction from corrupting header names (`x-api-key`)
+- Preserved key labels when redacting `api_key=...` values
+- Corrected CLI exit code for invalid flag combinations (`--json --dry-run` now exits with code 2)
+
+### Improved
+
+- Deterministic and aligned `--summary` output (alphabetical, indented)
+- Hardened CLI behavior with end-to-end golden tests
+- Strengthened regression coverage for rule overlap and precedence
+
+### Notes
+
+- No breaking changes
+- No new features
+- Hardening and correctness release
+
+## v0.4.2
+
+### Fixed
+
+- CLI errors are now written to stderr (CI-safe piping)
+- JSON output is newline-terminated
+- URL redaction is no longer overly aggressive; only credentials and sensitive parameters are redacted
+- PASSWORD redaction preserves original delimiter and spacing
+- Improved dry-run reporting consistency
+- Added contract tests for CLI output and URL behavior
+
 ## v0.4.1
 
 ### Fixed

package/README.md

@@ -1,41 +1,90 @@
----
 # LogShield
 
 [![npm version](https://img.shields.io/npm/v/logshield-cli)](https://www.npmjs.com/package/logshield-cli)
 [![npm downloads](https://img.shields.io/npm/dm/logshield-cli)](https://www.npmjs.com/package/logshield-cli)
 [![CI](https://github.com/afria85/LogShield/actions/workflows/ci.yml/badge.svg)](https://github.com/afria85/LogShield/actions/workflows/ci.yml)
 
-Deterministic log sanitization for developers.
+Your logs already contain secrets. You just don't see them.
+
+LogShield is a small CLI that automatically redacts secrets from logs **before**
+you paste them into CI, GitHub issues, Slack, or send them to third-party support.
+
+No configuration. No cloud. Deterministic output.
+
+---
 
 ## Quick start (30 seconds)
 
 ```bash
-# Install (CLI command: logshield)
-npm install -g logshield-cli
+# Sanitize logs before sharing them
+cat app.log | logshield scan
+```
+
+**Example input**
+
+```txt
+POSTGRES_URL=postgres://user:supersecret@db.internal
+Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
+```
+
+These are typical raw logs -- with secrets -- before you share them.
+
+**Output**
+
+```txt
+POSTGRES_URL=postgres://user:<REDACTED_PASSWORD>@db.internal
+Authorization: Bearer <REDACTED_TOKEN>
+```
+
+After LogShield, the same logs are safe to share.
+
+---
+
+## When should I use LogShield?
 
+Use LogShield whenever logs leave your system:
+
+- Before pasting logs into CI
+- Before attaching logs to GitHub issues
+- Before sending logs to third-party support
+- Before sharing logs in Slack or email
+
+---
+
+## Preview before enforcing (dry-run)
+
+```bash
 # Preview what would be redacted (does not modify output)
-echo "email=test@example.com token=sk_live_123" | logshield scan --dry-run
+echo "email=test@example.com Authorization: Bearer abcdefghijklmnop" | logshield scan --dry-run
 ```
 
 ```
 logshield (dry-run)
 Detected 2 redactions:
-  EMAIL               x1
-  STRIPE_SECRET_KEY   x1
+  AUTH_BEARER          x1
+  EMAIL                x1
 
 No output was modified.
 Use without --dry-run to apply.
 ```
 
+Notes:
+
+- The report is printed to stdout
+- No log content is echoed
+- Output is deterministic and CI-safe
+
 ```bash
 # Enforce redaction (sanitized output)
-echo "email=test@example.com token=sk_live_123" | logshield scan
+echo "email=test@example.com Authorization: Bearer abcdefghijklmnop" | logshield scan
 ```
 
 - Prefer `--dry-run` first in CI to verify you are not over-redacting.
 - Then switch to enforced mode once you are satisfied with the preview.
 
-LogShield is a CLI tool that scans logs and redacts **real secrets** (API keys, tokens, credentials) before logs are shared with others, AI tools, CI systems, or public channels.
+LogShield is a CLI tool that scans logs and redacts **real secrets**
+(API keys, tokens, credentials) before logs are shared with others,
+AI tools, CI systems, or public channels.
 
 It is designed to be **predictable, conservative, and safe for production pipelines**.
 
@@ -97,8 +146,8 @@ Examples:
 
 ```
 <REDACTED_PASSWORD>
-<REDACTED_API_KEY_HEADER>
-<REDACTED_AUTH_BEARER>
+<REDACTED_API_KEY>
+<REDACTED_TOKEN>
 <REDACTED_EMAIL>
 ```
 
@@ -148,28 +197,28 @@ If a file is not provided and input is piped, LogShield automatically reads from
 
 ## CLI Flags
 
-- `--strict`
+- `--strict`  
   Aggressive, security-first redaction
 
-- `--stdin`
+- `--stdin`  
   Explicitly force reading from STDIN
 
-- `--dry-run`
+- `--dry-run`  
   Detect sensitive data without modifying output
 
-- `--fail-on-detect`
+- `--fail-on-detect`  
   Exit with code `1` if any redaction is detected (CI-friendly)
 
-- `--summary`
+- `--summary`  
   Print a compact redaction summary
 
-- `--json`
+- `--json`  
   JSON output (cannot be combined with `--dry-run`)
 
-- `--version`
+- `--version`  
   Print CLI version
 
-- `--help`
+- `--help`  
   Show help
 
 ---
@@ -204,10 +253,10 @@ cat app.log | logshield scan --dry-run
 
 ```
 logshield (dry-run)
-Detected 3 redactions:
-  OAUTH_ACCESS_TOKEN   x1
-  AUTH_BEARER          x2
+Detected 4 redactions:
+  AUTH_BEARER          x1
   EMAIL                x1
+  OAUTH_ACCESS_TOKEN   x1
   PASSWORD             x1
 
 No output was modified.
@@ -302,10 +351,16 @@ Example:
 
 ```
 LogShield Summary
-PASSWORD: 2
-API_KEY_HEADER: 1
+  API_KEY_HEADER: 1
+  PASSWORD:       2
 ```
 
+Notes:
+
+- Sanitized log output is written to stdout
+- The summary is written to stderr
+- Rules are sorted alphabetically
+
 ---
 
 ## JSON output
@@ -319,7 +374,8 @@ logshield scan --json < logs.txt
 Notes:
 
 - `--json` **cannot** be combined with `--dry-run`
-- Output schema is stable within v0.3.x
+- Usage errors exit with code `2`
+- Output is always newline-terminated
 
 ---
 
@@ -370,7 +426,7 @@ Depending on rules and mode:
 LogShield guarantees:
 
 - Deterministic output
-- Stable behavior within **v0.3.x**
+- Stable behavior within **v0.4.x**
 - No runtime dependencies
 - Snapshot-tested and contract-tested
 - No telemetry
@@ -401,5 +457,3 @@ It is a **last-line safety net**, not a primary defense.
 ## License
 
 Apache-2.0
-
----

package/dist/cli/index.cjs

@@ -70,7 +70,8 @@ __export(writeOutput_exports, {
 });
 function writeOutput(result, opts) {
   if (opts.json) {
-    process.stdout.write(JSON.stringify(result));
+    process.stdout.write(`${JSON.stringify(result)}
+`);
   } else {
     process.stdout.write(result.output);
   }
@@ -86,33 +87,25 @@ __export(summary_exports, {
   printSummary: () => printSummary
 });
 function printSummary(matches) {
-  if (!matches || matches.length === 0) {
-    process.stderr.write("logshield: no redactions detected\n");
+  if (!matches.length) {
+    process.stderr.write("LogShield Summary\n(no redactions detected)\n");
     return;
   }
-  const counter = {};
+  const counts = {};
   for (const m of matches) {
-    counter[m.rule] = (counter[m.rule] || 0) + 1;
+    counts[m.rule] = (counts[m.rule] ?? 0) + 1;
   }
-  const entries = Object.entries(counter).map(([rule, count]) => ({ rule, count })).sort((a, b) => {
-    if (b.count !== a.count) return b.count - a.count;
-    return a.rule.localeCompare(b.rule);
-  });
-  const maxLen = Math.max(...entries.map((e) => e.rule.length));
-  const total = matches.length;
-  const label = total === 1 ? "redaction" : "redactions";
-  process.stderr.write(`logshield summary: ${total} ${label}
+  const rules = Object.keys(counts).sort((a, b) => a.localeCompare(b));
+  const maxNameLen = Math.max(...rules.map((r) => r.length));
+  process.stderr.write("LogShield Summary\n");
+  for (const rule of rules) {
+    const padded = rule.padEnd(maxNameLen, " ");
+    process.stderr.write(`  ${padded}  x${counts[rule]}
 `);
-  for (const { rule, count } of entries) {
-    process.stderr.write(
-      `  ${rule.padEnd(maxLen)}  x${count}
-`
-    );
   }
 }
 var init_summary = __esm({
   "src/cli/summary.ts"() {
-    "use strict";
   }
 });
 
@@ -184,8 +177,12 @@ var init_tokens = __esm({
       },
       {
         name: "EMAIL",
-        pattern: /\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b/gi,
-        replace: () => "<REDACTED_EMAIL>"
+        // Avoid corrupting URLs with embedded credentials like:
+        //   https://user:pass@host
+        // In those cases, `pass@host` can look like an email.
+        // We therefore require a safe delimiter (whitespace/quotes/brackets/`=` or `: `) before the email.
+        pattern: /(^|[\s"'\(\[\{<>,;]|=|:\s)([A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,})/gim,
+        replace: (_match, _ctx, groups) => `${groups[0]}<REDACTED_EMAIL>`
       }
     ];
   }
@@ -199,8 +196,12 @@ var init_credentials = __esm({
       // password=... or password: ...
       {
         name: "PASSWORD",
-        pattern: /\bpassword\s*[:=]\s*([^\s]+)/gi,
-        replace: () => "password=<REDACTED_PASSWORD>"
+        // Preserve delimiter and spacing so logs remain readable and diff-friendly.
+        // Examples:
+        //   password=secret  -> password=<REDACTED_PASSWORD>
+        //   Password : 123   -> Password : <REDACTED_PASSWORD>
+        pattern: /\b(password)(\s*[:=]\s*)([^\s]+)/gi,
+        replace: (_match, _ctx, groups) => `${groups[0]}${groups[1]}<REDACTED_PASSWORD>`
       },
       // DB URL credential: postgres://user:pass@host
       {
@@ -208,6 +209,15 @@ var init_credentials = __esm({
         pattern: /\b(postgres|mysql|mongodb):\/\/([^:\s]+):([^@\s]+)@/gi,
         replace: (_match, _ctx, groups) => `${groups[0]}://${groups[1]}:<REDACTED_PASSWORD>@`
       },
+      // x-api-key: ....
+      // IMPORTANT: this must run BEFORE the generic API_KEY rule. Otherwise the
+      // generic API_KEY rule can match the "api-key: <value>" substring first and
+      // corrupt the header name (e.g. "x-api-key" -> "x-").
+      {
+        name: "API_KEY_HEADER",
+        pattern: /\bx-api-key\s*:\s*["']?[A-Za-z0-9_\-]{16,}["']?\b/gi,
+        replace: () => "x-api-key: <REDACTED_API_KEY>"
+      },
       /**
        * API key (common variants):
        * - apiKey=...
@@ -215,23 +225,19 @@ var init_credentials = __esm({
        * - api-key: ...
        * - apikey=...
        * Supports '=' or ':' and optional quotes/spaces.
+       *
+       * NOTE:
+       * Do NOT try to handle "Authorization: Bearer ..." here; that causes overlap
+       * with token rules. Token redaction is handled in tokens.ts.
        */
       {
         name: "API_KEY",
-        pattern: /\bapi(?:[_-]?key)\s*[:=]\s*["']?([A-Za-z0-9_\-]{16,})["']?\b/gi,
-        replace: () => "<REDACTED_API_KEY>"
-      },
-      // x-api-key: ....
-      {
-        name: "API_KEY_HEADER",
-        pattern: /\bx-api-key\s*:\s*["']?[A-Za-z0-9_\-]{16,}["']?\b/gi,
-        replace: () => "x-api-key: <REDACTED_API_KEY>"
-      },
-      // authorization: Bearer ...
-      {
-        name: "AUTHORIZATION_BEARER",
-        pattern: /\bauthorization\s*:\s*bearer\s+([A-Za-z0-9._\-]{16,})\b/gi,
-        replace: () => "authorization: Bearer <REDACTED_TOKEN>"
+        // Preserve the key label + delimiter, redact only the value.
+        // Examples:
+        //   api_key=abcdef... -> api_key=<REDACTED_API_KEY>
+        //   api-key: "abcdef..." -> api-key: "<REDACTED_API_KEY>"
+        pattern: /\b(api(?:[_-]?key)\s*[:=]\s*["']?)([A-Za-z0-9_\-]{16,})(["']?)\b/gi,
+        replace: (_match, _ctx, groups) => `${groups[0]}<REDACTED_API_KEY>${groups[2]}`
       }
     ];
   }
@@ -316,14 +322,100 @@ var init_creditCard = __esm({
 });
 
 // src/rules/urls.ts
-var urlRules;
+function redactQueryLike(segment) {
+  if (segment.length < 2) return segment;
+  const prefix = segment[0];
+  const raw = segment.slice(1);
+  if (!raw.includes("=")) return segment;
+  const parts = raw.split("&");
+  const redacted = parts.map((p) => {
+    const eq = p.indexOf("=");
+    if (eq === -1) return p;
+    const key = p.slice(0, eq);
+    const value = p.slice(eq + 1);
+    const normalized = key.trim().toLowerCase();
+    if (!SENSITIVE_PARAM_KEYS.has(normalized)) return p;
+    if (value.length === 0) return `${key}=`;
+    return `${key}=<REDACTED_URL_PARAM>`;
+  });
+  return `${prefix}${redacted.join("&")}`;
+}
+function redactUrl(match) {
+  const schemeIdx = match.indexOf("://");
+  if (schemeIdx === -1) return match;
+  const scheme = match.slice(0, schemeIdx + 3);
+  const rest = match.slice(schemeIdx + 3);
+  const authorityEnd = (() => {
+    const slash = rest.indexOf("/");
+    const q = rest.indexOf("?");
+    const h = rest.indexOf("#");
+    const candidates = [slash, q, h].filter((i) => i !== -1);
+    return candidates.length === 0 ? rest.length : Math.min(...candidates);
+  })();
+  let authority = rest.slice(0, authorityEnd);
+  let tail = rest.slice(authorityEnd);
+  const at = authority.lastIndexOf("@");
+  if (at !== -1) {
+    const userinfo = authority.slice(0, at);
+    const host = authority.slice(at + 1);
+    const colon = userinfo.indexOf(":");
+    if (colon !== -1) {
+      const user = userinfo.slice(0, colon);
+      authority = `${user}:<REDACTED_PASSWORD>@${host}`;
+    } else {
+      authority = `<REDACTED_PASSWORD>@${host}`;
+    }
+  }
+  const hashIdx = tail.indexOf("#");
+  const queryIdx = tail.indexOf("?");
+  if (queryIdx !== -1 && (hashIdx === -1 || queryIdx < hashIdx)) {
+    const before = tail.slice(0, queryIdx);
+    const after = tail.slice(queryIdx);
+    const hashInside = after.indexOf("#");
+    if (hashInside === -1) {
+      tail = `${before}${redactQueryLike(after)}`;
+    } else {
+      const qPart = after.slice(0, hashInside);
+      const hPart = after.slice(hashInside);
+      tail = `${before}${redactQueryLike(qPart)}${redactQueryLike(hPart)}`;
+    }
+  } else if (hashIdx !== -1) {
+    const before = tail.slice(0, hashIdx);
+    const hPart = tail.slice(hashIdx);
+    tail = `${before}${redactQueryLike(hPart)}`;
+  }
+  return `${scheme}${authority}${tail}`;
+}
+var SENSITIVE_PARAM_KEYS, urlRules;
 var init_urls = __esm({
   "src/rules/urls.ts"() {
+    SENSITIVE_PARAM_KEYS = new Set(
+      [
+        "access_token",
+        "token",
+        "id_token",
+        "refresh_token",
+        "auth",
+        "authorization",
+        "api_key",
+        "apikey",
+        "api-key",
+        "key",
+        "secret",
+        "password",
+        "passwd",
+        "signature",
+        "sig",
+        "session"
+      ].map((k) => k.toLowerCase())
+    );
     urlRules = [
       {
         name: "URL",
-        pattern: /\bhttps?:\/\/[^\s/$.?#].[^\s]*\b/gi,
-        replace: () => "<REDACTED_URL>"
+        // Match HTTP(S) URLs, stopping at whitespace.
+        // (Conservative: avoids attempting to be a full RFC URL parser.)
+        pattern: /\bhttps?:\/\/[^\s]+/gi,
+        replace: (match) => redactUrl(match)
       }
     ];
   }
@@ -417,7 +509,7 @@ var { printSummary: printSummary2 } = (init_summary(), __toCommonJS(summary_expo
 var { sanitizeLog: sanitizeLog2 } = (init_sanitizeLog(), __toCommonJS(sanitizeLog_exports));
 var rawArgs = process.argv.slice(2).map((arg) => arg === "-h" ? "--help" : arg);
 function getVersion() {
-  return true ? "0.4.1" : "unknown";
+  return true ? "0.4.3" : "unknown";
 }
 function printHelp() {
   process.stdout.write(`Usage: logshield scan [file]
@@ -438,6 +530,9 @@ Options:
   --help              Show help
 `);
 }
+function writeErr(message) {
+  process.stderr.write(message);
+}
 function parseArgs(args) {
   const flags = /* @__PURE__ */ new Set();
   const positionals = [];
@@ -482,6 +577,10 @@ function renderDryRunReport(matches) {
   process.stdout.write("No output was modified.\n");
   process.stdout.write("Use without --dry-run to apply.\n");
 }
+function exitUsageError(message) {
+  writeErr(message.endsWith("\n") ? message : message + "\n");
+  process.exit(2);
+}
 async function main() {
   if (rawArgs.length === 0 || rawArgs.includes("--help")) {
     printHelp();
@@ -495,8 +594,7 @@ async function main() {
   const { flags, positionals } = parseArgs(rawArgs);
   const command = positionals[0];
   if (command !== "scan") {
-    process.stdout.write("Unknown command\n");
-    process.exit(1);
+    exitUsageError("Unknown command");
   }
   const file = positionals[1];
   const strict = flags.has("--strict");
@@ -508,16 +606,13 @@ async function main() {
   const stdinAuto = isStdinPiped();
   const useStdin = stdinFlag || stdinAuto;
   if (useStdin && file) {
-    process.stdout.write("Cannot read from both STDIN and file\n");
-    process.exit(1);
+    exitUsageError("Cannot read from both STDIN and file");
   }
   if (dryRun && json) {
-    process.stdout.write("--dry-run cannot be used with --json\n");
-    process.exit(1);
+    exitUsageError("--dry-run cannot be used with --json");
   }
   if (json && summary) {
-    process.stdout.write("--summary cannot be used with --json\n");
-    process.exit(1);
+    exitUsageError("--summary cannot be used with --json");
   }
   try {
     const input = await readInput2(useStdin ? void 0 : file);
@@ -538,8 +633,7 @@ async function main() {
     }
     process.exit(0);
   } catch (err) {
-    process.stdout.write(err?.message || "Unexpected error");
-    process.stdout.write("\n");
+    writeErr((err?.message || "Unexpected error") + "\n");
     process.exit(2);
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "logshield-cli",
-  "version": "0.4.1",
+  "version": "0.4.3",
   "license": "Apache-2.0",
   "type": "commonjs",
   "bin": {
@@ -20,7 +20,8 @@
     "typecheck": "tsc -p tsconfig.core.json && tsc -p tsconfig.cli.json --noEmit",
     "pretest": "npm run build",
     "test": "vitest",
-    "prepublishOnly": "npm run build"
+    "prepublish:check": "npm run typecheck && npm test",
+    "prepublishOnly": "npm run prepublish:check"
   },
   "devDependencies": {
     "@types/node": "^25.0.3",