logshield-cli 0.4.2 → 0.4.3

package/CHANGELOG.md

@@ -1,5 +1,25 @@
 # Changelog
 
+## v0.4.3
+
+### Fixed
+
+- Prevented API key redaction from corrupting header names (`x-api-key`)
+- Preserved key labels when redacting `api_key=...` values
+- Corrected CLI exit code for invalid flag combinations (`--json --dry-run` now exits with code 2)
+
+### Improved
+
+- Deterministic and aligned `--summary` output (alphabetical, indented)
+- Hardened CLI behavior with end-to-end golden tests
+- Strengthened regression coverage for rule overlap and precedence
+
+### Notes
+
+- No breaking changes
+- No new features
+- Hardening and correctness release
+
 ## v0.4.2
 
 ### Fixed

package/README.md

@@ -4,7 +4,7 @@
 [![npm downloads](https://img.shields.io/npm/dm/logshield-cli)](https://www.npmjs.com/package/logshield-cli)
 [![CI](https://github.com/afria85/LogShield/actions/workflows/ci.yml/badge.svg)](https://github.com/afria85/LogShield/actions/workflows/ci.yml)
 
-Your logs already contain secrets. You just don’t see them.
+Your logs already contain secrets. You just don't see them.
 
 LogShield is a small CLI that automatically redacts secrets from logs **before**
 you paste them into CI, GitHub issues, Slack, or send them to third-party support.
@@ -55,22 +55,28 @@ Use LogShield whenever logs leave your system:
 
 ```bash
 # Preview what would be redacted (does not modify output)
-echo "email=test@example.com token=sk_live_123" | logshield scan --dry-run
+echo "email=test@example.com Authorization: Bearer abcdefghijklmnop" | logshield scan --dry-run
 ```
 
 ```
 logshield (dry-run)
 Detected 2 redactions:
-  EMAIL               x1
-  STRIPE_SECRET_KEY   x1
+  AUTH_BEARER          x1
+  EMAIL                x1
 
 No output was modified.
 Use without --dry-run to apply.
 ```
 
+Notes:
+
+- The report is printed to stdout
+- No log content is echoed
+- Output is deterministic and CI-safe
+
 ```bash
 # Enforce redaction (sanitized output)
-echo "email=test@example.com token=sk_live_123" | logshield scan
+echo "email=test@example.com Authorization: Bearer abcdefghijklmnop" | logshield scan
 ```
 
 - Prefer `--dry-run` first in CI to verify you are not over-redacting.
@@ -140,8 +146,8 @@ Examples:
 
 ```
 <REDACTED_PASSWORD>
-<REDACTED_API_KEY_HEADER>
-<REDACTED_AUTH_BEARER>
+<REDACTED_API_KEY>
+<REDACTED_TOKEN>
 <REDACTED_EMAIL>
 ```
 
@@ -247,8 +253,8 @@ cat app.log | logshield scan --dry-run
 
 ```
 logshield (dry-run)
-Detected 5 redactions:
-  AUTH_BEARER          x2
+Detected 4 redactions:
+  AUTH_BEARER          x1
   EMAIL                x1
   OAUTH_ACCESS_TOKEN   x1
   PASSWORD             x1
@@ -345,10 +351,16 @@ Example:
 
 ```
 LogShield Summary
-PASSWORD: 2
-API_KEY_HEADER: 1
+  API_KEY_HEADER: 1
+  PASSWORD:       2
 ```
 
+Notes:
+
+- Sanitized log output is written to stdout
+- The summary is written to stderr
+- Rules are sorted alphabetically
+
 ---
 
 ## JSON output
@@ -362,7 +374,8 @@ logshield scan --json < logs.txt
 Notes:
 
 - `--json` **cannot** be combined with `--dry-run`
-- Output schema is stable within v0.4.x
+- Usage errors exit with code `2`
+- Output is always newline-terminated
 
 ---
 

package/dist/cli/index.cjs

@@ -87,33 +87,25 @@ __export(summary_exports, {
   printSummary: () => printSummary
 });
 function printSummary(matches) {
-  if (!matches || matches.length === 0) {
-    process.stderr.write("logshield: no redactions detected\n");
+  if (!matches.length) {
+    process.stderr.write("LogShield Summary\n(no redactions detected)\n");
     return;
   }
-  const counter = {};
+  const counts = {};
   for (const m of matches) {
-    counter[m.rule] = (counter[m.rule] || 0) + 1;
+    counts[m.rule] = (counts[m.rule] ?? 0) + 1;
   }
-  const entries = Object.entries(counter).map(([rule, count]) => ({ rule, count })).sort((a, b) => {
-    if (b.count !== a.count) return b.count - a.count;
-    return a.rule.localeCompare(b.rule);
-  });
-  const maxLen = Math.max(...entries.map((e) => e.rule.length));
-  const total = matches.length;
-  const label = total === 1 ? "redaction" : "redactions";
-  process.stderr.write(`logshield summary: ${total} ${label}
+  const rules = Object.keys(counts).sort((a, b) => a.localeCompare(b));
+  const maxNameLen = Math.max(...rules.map((r) => r.length));
+  process.stderr.write("LogShield Summary\n");
+  for (const rule of rules) {
+    const padded = rule.padEnd(maxNameLen, " ");
+    process.stderr.write(`  ${padded}  x${counts[rule]}
 `);
-  for (const { rule, count } of entries) {
-    process.stderr.write(
-      `  ${rule.padEnd(maxLen)}  x${count}
-`
-    );
   }
 }
 var init_summary = __esm({
   "src/cli/summary.ts"() {
-    "use strict";
   }
 });
 
@@ -217,6 +209,15 @@ var init_credentials = __esm({
         pattern: /\b(postgres|mysql|mongodb):\/\/([^:\s]+):([^@\s]+)@/gi,
         replace: (_match, _ctx, groups) => `${groups[0]}://${groups[1]}:<REDACTED_PASSWORD>@`
       },
+      // x-api-key: ....
+      // IMPORTANT: this must run BEFORE the generic API_KEY rule. Otherwise the
+      // generic API_KEY rule can match the "api-key: <value>" substring first and
+      // corrupt the header name (e.g. "x-api-key" -> "x-").
+      {
+        name: "API_KEY_HEADER",
+        pattern: /\bx-api-key\s*:\s*["']?[A-Za-z0-9_\-]{16,}["']?\b/gi,
+        replace: () => "x-api-key: <REDACTED_API_KEY>"
+      },
       /**
        * API key (common variants):
        * - apiKey=...
@@ -224,23 +225,19 @@ var init_credentials = __esm({
        * - api-key: ...
        * - apikey=...
        * Supports '=' or ':' and optional quotes/spaces.
+       *
+       * NOTE:
+       * Do NOT try to handle "Authorization: Bearer ..." here; that causes overlap
+       * with token rules. Token redaction is handled in tokens.ts.
        */
       {
         name: "API_KEY",
-        pattern: /\bapi(?:[_-]?key)\s*[:=]\s*["']?([A-Za-z0-9_\-]{16,})["']?\b/gi,
-        replace: () => "<REDACTED_API_KEY>"
-      },
-      // x-api-key: ....
-      {
-        name: "API_KEY_HEADER",
-        pattern: /\bx-api-key\s*:\s*["']?[A-Za-z0-9_\-]{16,}["']?\b/gi,
-        replace: () => "x-api-key: <REDACTED_API_KEY>"
-      },
-      // authorization: Bearer ...
-      {
-        name: "AUTHORIZATION_BEARER",
-        pattern: /\bauthorization\s*:\s*bearer\s+([A-Za-z0-9._\-]{16,})\b/gi,
-        replace: () => "authorization: Bearer <REDACTED_TOKEN>"
+        // Preserve the key label + delimiter, redact only the value.
+        // Examples:
+        //   api_key=abcdef... -> api_key=<REDACTED_API_KEY>
+        //   api-key: "abcdef..." -> api-key: "<REDACTED_API_KEY>"
+        pattern: /\b(api(?:[_-]?key)\s*[:=]\s*["']?)([A-Za-z0-9_\-]{16,})(["']?)\b/gi,
+        replace: (_match, _ctx, groups) => `${groups[0]}<REDACTED_API_KEY>${groups[2]}`
       }
     ];
   }
@@ -512,7 +509,7 @@ var { printSummary: printSummary2 } = (init_summary(), __toCommonJS(summary_expo
 var { sanitizeLog: sanitizeLog2 } = (init_sanitizeLog(), __toCommonJS(sanitizeLog_exports));
 var rawArgs = process.argv.slice(2).map((arg) => arg === "-h" ? "--help" : arg);
 function getVersion() {
-  return true ? "0.4.2" : "unknown";
+  return true ? "0.4.3" : "unknown";
 }
 function printHelp() {
   process.stdout.write(`Usage: logshield scan [file]
@@ -580,6 +577,10 @@ function renderDryRunReport(matches) {
   process.stdout.write("No output was modified.\n");
   process.stdout.write("Use without --dry-run to apply.\n");
 }
+function exitUsageError(message) {
+  writeErr(message.endsWith("\n") ? message : message + "\n");
+  process.exit(2);
+}
 async function main() {
   if (rawArgs.length === 0 || rawArgs.includes("--help")) {
     printHelp();
@@ -593,8 +594,7 @@ async function main() {
   const { flags, positionals } = parseArgs(rawArgs);
   const command = positionals[0];
   if (command !== "scan") {
-    writeErr("Unknown command\n");
-    process.exit(1);
+    exitUsageError("Unknown command");
   }
   const file = positionals[1];
   const strict = flags.has("--strict");
@@ -606,16 +606,13 @@ async function main() {
   const stdinAuto = isStdinPiped();
   const useStdin = stdinFlag || stdinAuto;
   if (useStdin && file) {
-    writeErr("Cannot read from both STDIN and file\n");
-    process.exit(1);
+    exitUsageError("Cannot read from both STDIN and file");
   }
   if (dryRun && json) {
-    writeErr("--dry-run cannot be used with --json\n");
-    process.exit(1);
+    exitUsageError("--dry-run cannot be used with --json");
   }
   if (json && summary) {
-    writeErr("--summary cannot be used with --json\n");
-    process.exit(1);
+    exitUsageError("--summary cannot be used with --json");
   }
   try {
     const input = await readInput2(useStdin ? void 0 : file);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "logshield-cli",
-  "version": "0.4.2",
+  "version": "0.4.3",
   "license": "Apache-2.0",
   "type": "commonjs",
   "bin": {
@@ -20,7 +20,8 @@
     "typecheck": "tsc -p tsconfig.core.json && tsc -p tsconfig.cli.json --noEmit",
     "pretest": "npm run build",
     "test": "vitest",
-    "prepublishOnly": "npm run build"
+    "prepublish:check": "npm run typecheck && npm test",
+    "prepublishOnly": "npm run prepublish:check"
   },
   "devDependencies": {
     "@types/node": "^25.0.3",