logshield-cli 0.4.3 → 0.5.0

package/CHANGELOG.md

@@ -1,120 +1,149 @@
-# Changelog
-
-## v0.4.3
-
-### Fixed
-
-- Prevented API key redaction from corrupting header names (`x-api-key`)
-- Preserved key labels when redacting `api_key=...` values
-- Corrected CLI exit code for invalid flag combinations (`--json --dry-run` now exits with code 2)
-
-### Improved
-
-- Deterministic and aligned `--summary` output (alphabetical, indented)
-- Hardened CLI behavior with end-to-end golden tests
-- Strengthened regression coverage for rule overlap and precedence
-
-### Notes
-
-- No breaking changes
-- No new features
-- Hardening and correctness release
-
-## v0.4.2
-
-### Fixed
-
-- CLI errors are now written to stderr (CI-safe piping)
-- JSON output is newline-terminated
-- URL redaction is no longer overly aggressive; only credentials and sensitive parameters are redacted
-- PASSWORD redaction preserves original delimiter and spacing
-- Improved dry-run reporting consistency
-- Added contract tests for CLI output and URL behavior
-
-## v0.4.1
-
-### Fixed
-
-- Prevented secret leakage in `--json` output by removing raw match values from the public result shape
-- Forwarded `--dry-run` into the engine to ensure consistent, future-proof behavior
-
-### Improved
-
-- Expanded credential detection for common API key variants (`api_key`, `api-key`, `apikey`) and `Authorization: Bearer ...`
-- Hardened AWS secret key strict detection to reduce false positives while keeping strict mode safe
-
-### Notes
-
-- No breaking changes
-- No new features
-- Stability and safety hardening release
-
-## v0.4.0
-
-### Changed
-
-- License updated to Apache-2.0
-- README, website, and blog content aligned to reflect the new license and current project state
-
-### Notes
-
-- No engine or CLI behavior changes
-- No breaking changes
-
-## v0.3.6
-
-### Fixed
-
-- `--summary` output now correctly written to stderr (safe for piping & redirects)
-
-### Improved
-
-- CLI documentation clarity
-
-### Notes
-
-- No breaking changes
-
-## v0.3.5
-
-### Fixed
-
-- Corrected CLI version injection in built CJS output
-- Ensured published npm package reflects actual CLI version
-
-### Improved
-
-- Deterministic `--dry-run` report formatting (aligned, CI-safe)
-- Dry-run output now strictly non-contextual and stdout-only
-
-### Notes
-
-- No engine or rule behavior changes
-- Pure CLI/build correctness release
-
----
-
-## v0.3.4
-
-### Fixed
-
-- README CI badge link on npmjs.com
-
----
-
-## v0.3.3
-
-### Added
-
-- `--dry-run` mode to detect secrets without modifying output
-- CI-friendly detection workflow (`--dry-run --fail-on-detect`)
-
-### Improved
-
-- CLI UX consistency
-- README documentation clarity
-
-### Notes
-
-- No breaking changes
-- Engine behavior unchanged
+# Changelog
+
+## v0.5.0
+
+### Security
+
+- Hardened dry-run result shape: dry-run no longer returns the raw input in `output` (safe to serialize and avoids re-leakage in programmatic contexts)
+- `--dry-run` can be combined with `--json` for machine-readable detection without leaking log content (`output` is intentionally empty)
+
+### Added
+
+- Added detection-only helper `scanLog(input)` (internal only; safe to serialize)
+
+### Compatibility
+
+- CLI behavior is unchanged: dry-run still prints a human report and never echoes log content
+- Programmatic consumers: `dryRun` now returns `output: ""` (intentional)
+- npm package ships CLI only; no supported JS API surface is published
+
+## v0.4.4
+
+### Fixed
+
+- Expanded PASSWORD redaction to cover quoted values (including spaces) and JSON forms (`"password": "..."`)
+- Expanded DB URL credential redaction to cover additional common schemes (`redis://`, `mssql://`, and variants)
+
+### Notes
+
+- No breaking changes
+- Behavior is still deterministic; this release reduces false negatives in common log formats
+
+## v0.4.3
+
+### Fixed
+
+- Prevented API key redaction from corrupting header names (`x-api-key`)
+- Preserved key labels when redacting `api_key=...` values
+- Corrected CLI exit code for invalid flag combinations (e.g., `--summary --json` exits with code 2)
+
+### Improved
+
+- Deterministic and aligned `--summary` output (alphabetical, indented)
+- Hardened CLI behavior with end-to-end golden tests
+- Strengthened regression coverage for rule overlap and precedence
+
+### Notes
+
+- No breaking changes
+- No new features
+- Hardening and correctness release
+
+## v0.4.2
+
+### Fixed
+
+- CLI errors are now written to stderr (CI-safe piping)
+- JSON output is newline-terminated
+- URL redaction is no longer overly aggressive; only credentials and sensitive parameters are redacted
+- PASSWORD redaction preserves original delimiter and spacing
+- Improved dry-run reporting consistency
+- Added contract tests for CLI output and URL behavior
+
+## v0.4.1
+
+### Fixed
+
+- Prevented secret leakage in `--json` output by removing raw match values from the public result shape
+- Forwarded `--dry-run` into the engine to ensure consistent, future-proof behavior
+
+### Improved
+
+- Expanded credential detection for common API key variants (`api_key`, `api-key`, `apikey`) and `Authorization: Bearer ...`
+- Hardened AWS secret key strict detection to reduce false positives while keeping strict mode safe
+
+### Notes
+
+- No breaking changes
+- No new features
+- Stability and safety hardening release
+
+## v0.4.0
+
+### Changed
+
+- License updated to Apache-2.0
+- README, website, and blog content aligned to reflect the new license and current project state
+
+### Notes
+
+- No engine or CLI behavior changes
+- No breaking changes
+
+## v0.3.6
+
+### Fixed
+
+- `--summary` output now correctly written to stderr (safe for piping & redirects)
+
+### Improved
+
+- CLI documentation clarity
+
+### Notes
+
+- No breaking changes
+
+## v0.3.5
+
+### Fixed
+
+- Corrected CLI version injection in built CJS output
+- Ensured published npm package reflects actual CLI version
+
+### Improved
+
+- Deterministic `--dry-run` report formatting (aligned, CI-safe)
+- Dry-run output now strictly non-contextual and stdout-only
+
+### Notes
+
+- No engine or rule behavior changes
+- Pure CLI/build correctness release
+
+---
+
+## v0.3.4
+
+### Fixed
+
+- README CI badge link on npmjs.com
+
+---
+
+## v0.3.3
+
+### Added
+
+- `--dry-run` mode to detect secrets without modifying output
+- CI-friendly detection workflow (`--dry-run --fail-on-detect`)
+
+### Improved
+
+- CLI UX consistency
+- README documentation clarity
+
+### Notes
+
+- No breaking changes
+- Engine behavior unchanged

package/README.md

@@ -3,6 +3,8 @@
 [![npm version](https://img.shields.io/npm/v/logshield-cli)](https://www.npmjs.com/package/logshield-cli)
 [![npm downloads](https://img.shields.io/npm/dm/logshield-cli)](https://www.npmjs.com/package/logshield-cli)
 [![CI](https://github.com/afria85/LogShield/actions/workflows/ci.yml/badge.svg)](https://github.com/afria85/LogShield/actions/workflows/ci.yml)
+[![license](https://img.shields.io/badge/license-Apache--2.0-3a3a3a)](https://github.com/afria85/LogShield/blob/main/LICENSE)
+[![Sponsor](https://img.shields.io/badge/sponsor-GitHub%20Sponsors-3a3a3a)](https://github.com/sponsors/afria85)
 
 Your logs already contain secrets. You just don't see them.
 
@@ -95,6 +97,29 @@ It is designed to be **predictable, conservative, and safe for production pipeli
 The website and documentation live in the `/docs` directory.
 They are deployed to **https://logshield.dev** via Vercel.
 
+## Project links
+
+- Website: https://logshield.dev
+- Docs: https://logshield.dev/docs.html
+- GitHub: https://github.com/afria85/LogShield
+- Sponsor: https://github.com/sponsors/afria85
+
+## Local preview (website)
+
+To preview the website on your computer:
+
+```bash
+npm run dev
+```
+
+To preview on a phone/tablet on the same Wi-Fi:
+
+```bash
+npm run dev:lan
+```
+
+Then open the printed LAN URL on your device.
+
 ---
 
 ## Why LogShield exists
@@ -193,6 +218,8 @@ logshield scan [file]
 
 If a file is not provided and input is piped, LogShield automatically reads from **STDIN**.
 
+Note: the npm package ships the CLI only; there is no supported JS API surface.
+
 ---
 
 ## CLI Flags
@@ -213,7 +240,7 @@ If a file is not provided and input is piped, LogShield automatically reads from
   Print a compact redaction summary
 
 - `--json`  
-  JSON output (cannot be combined with `--dry-run`)
+  JSON output (can be combined with `--dry-run`; output is empty in dry-run)
 
 - `--version`  
   Print CLI version
@@ -351,8 +378,8 @@ Example:
 
 ```
 LogShield Summary
-  API_KEY_HEADER: 1
-  PASSWORD:       2
+  API_KEY_HEADER  x1
+  PASSWORD        x2
 ```
 
 Notes:
@@ -371,9 +398,16 @@ Structured output for tooling and automation:
 logshield scan --json < logs.txt
 ```
 
+Detection-only JSON (safe to serialize; no log content):
+
+```bash
+logshield scan --json --dry-run < logs.txt
+```
+
 Notes:
 
-- `--json` **cannot** be combined with `--dry-run`
+- `--json` can be combined with `--dry-run` for machine-readable detection
+- In `--dry-run` JSON mode, `output` is intentionally an empty string
 - Usage errors exit with code `2`
 - Output is always newline-terminated
 
@@ -381,11 +415,11 @@ Notes:
 
 ## Exit codes
 
-| Code | Meaning                              |
-| ---: | ------------------------------------ |
-|    0 | Success / no detection               |
-|    1 | Detection found (`--fail-on-detect`) |
-|    2 | Runtime or input error               |
+| Code | Meaning                                       |
+| ---: | --------------------------------------------- |
+|    0 | Success (detection does not change exit code) |
+|    1 | Detection found (`--fail-on-detect`)          |
+|    2 | Runtime or input error                        |
 
 ---
 
@@ -393,13 +427,13 @@ Notes:
 
 Depending on rules and mode:
 
-- Passwords
+- Passwords (supports quoted and JSON forms)
 - API key headers
 - Authorization bearer tokens
 - JWTs
 - Emails
 - URLs with embedded credentials
-- Database credentials
+- Database credentials (including redis:// and mssql://)
 - Cloud provider credentials
 - Credit card numbers (Luhn-validated)
 
@@ -426,7 +460,7 @@ Depending on rules and mode:
 LogShield guarantees:
 
 - Deterministic output
-- Stable behavior within **v0.4.x**
+- Stable behavior within the current minor line **v0.5.x**
 - No runtime dependencies
 - Snapshot-tested and contract-tested
 - No telemetry
@@ -457,3 +491,16 @@ It is a **last-line safety net**, not a primary defense.
 ## License
 
 Apache-2.0
+---
+
+## Contributing
+
+See `CONTRIBUTING.md`.
+
+## Security
+
+See `SECURITY.md`.
+
+## Support
+
+See `SUPPORT.md`.

package/dist/cli/index.cjs

@@ -36,22 +36,24 @@ var readInput_exports = {};
 __export(readInput_exports, {
   readInput: () => readInput
 });
-async function readInput(file) {
+async function readInput(file, opts) {
   if (file) {
     if (!import_node_fs.default.existsSync(file)) {
       throw new Error(`File not found: ${file}`);
     }
     return import_node_fs.default.readFileSync(file, "utf8");
   }
-  if (!process.stdin.isTTY) {
+  const stdin = opts?.stdin ?? process.stdin;
+  const forceStdin = Boolean(opts?.forceStdin);
+  if (!stdin.isTTY || forceStdin) {
     return new Promise((resolve, reject) => {
       let data = "";
-      process.stdin.setEncoding("utf8");
-      process.stdin.on("data", (chunk) => {
+      stdin.setEncoding?.("utf8");
+      stdin.on("data", (chunk) => {
         data += chunk;
       });
-      process.stdin.on("end", () => resolve(data));
-      process.stdin.on("error", reject);
+      stdin.on("end", () => resolve(data));
+      stdin.on("error", reject);
     });
   }
   throw new Error("No input provided");
@@ -200,13 +202,27 @@ var init_credentials = __esm({
         // Examples:
         //   password=secret  -> password=<REDACTED_PASSWORD>
         //   Password : 123   -> Password : <REDACTED_PASSWORD>
-        pattern: /\b(password)(\s*[:=]\s*)([^\s]+)/gi,
-        replace: (_match, _ctx, groups) => `${groups[0]}${groups[1]}<REDACTED_PASSWORD>`
+        // Supports quoted keys/values and JSON forms:
+        //   password="secret value"        -> password="<REDACTED_PASSWORD>"
+        //   "password": "secret value"    -> "password": "<REDACTED_PASSWORD>"
+        // NOTE: for unquoted values, we stop at whitespace and common JSON delimiters.
+        pattern: /\b(["']?password["']?)(\s*[:=]\s*)(?:(["'])([^"'\r\n]*?)\3|([^\s,}\]]+))/gi,
+        replace: (_match, _ctx, groups) => {
+          const key = groups[0];
+          const delim = groups[1];
+          const quote = groups[2];
+          if (quote) {
+            return `${key}${delim}${quote}<REDACTED_PASSWORD>${quote}`;
+          }
+          return `${key}${delim}<REDACTED_PASSWORD>`;
+        }
       },
       // DB URL credential: postgres://user:pass@host
       {
         name: "DB_URL_CREDENTIAL",
-        pattern: /\b(postgres|mysql|mongodb):\/\/([^:\s]+):([^@\s]+)@/gi,
+        // Support the most common DB/cache schemes.
+        // This focuses only on the user:pass@ authority portion.
+        pattern: /\b(postgres(?:ql)?|mysql|mariadb|mongodb(?:\+srv)?|redis|rediss|mssql|sqlserver):\/\/([^:\s]+):([^@\s]+)@/gi,
         replace: (_match, _ctx, groups) => `${groups[0]}://${groups[1]}:<REDACTED_PASSWORD>@`
       },
       // x-api-key: ....
@@ -489,7 +505,7 @@ function sanitizeLog(input, options) {
   const matches = [];
   if (ctx.dryRun) {
     applyRules(input, allRules, ctx, matches);
-    return { output: input, matches };
+    return { output: "", matches };
   }
   const output = applyRules(input, allRules, ctx, matches);
   return { output, matches };
@@ -508,8 +524,18 @@ var { writeOutput: writeOutput2 } = (init_writeOutput(), __toCommonJS(writeOutpu
 var { printSummary: printSummary2 } = (init_summary(), __toCommonJS(summary_exports));
 var { sanitizeLog: sanitizeLog2 } = (init_sanitizeLog(), __toCommonJS(sanitizeLog_exports));
 var rawArgs = process.argv.slice(2).map((arg) => arg === "-h" ? "--help" : arg);
+var ALLOWED_FLAGS = /* @__PURE__ */ new Set([
+  "--strict",
+  "--dry-run",
+  "--stdin",
+  "--fail-on-detect",
+  "--json",
+  "--summary",
+  "--version",
+  "--help"
+]);
 function getVersion() {
-  return true ? "0.4.3" : "unknown";
+  return true ? "0.5.0" : "unknown";
 }
 function printHelp() {
   process.stdout.write(`Usage: logshield scan [file]
@@ -536,14 +562,23 @@ function writeErr(message) {
 function parseArgs(args) {
   const flags = /* @__PURE__ */ new Set();
   const positionals = [];
+  const unknownFlags = [];
   for (const arg of args) {
-    if (arg.startsWith("--")) {
-      flags.add(arg);
+    if (arg.startsWith("-")) {
+      if (arg.startsWith("--")) {
+        if (!ALLOWED_FLAGS.has(arg)) {
+          unknownFlags.push(arg);
+        } else {
+          flags.add(arg);
+        }
+      } else {
+        unknownFlags.push(arg);
+      }
     } else {
       positionals.push(arg);
     }
   }
-  return { flags, positionals };
+  return { flags, positionals, unknownFlags };
 }
 function isStdinPiped() {
   return !process.stdin.isTTY;
@@ -582,16 +617,23 @@ function exitUsageError(message) {
   process.exit(2);
 }
 async function main() {
-  if (rawArgs.length === 0 || rawArgs.includes("--help")) {
+  if (rawArgs.length === 0) {
     printHelp();
     process.exit(0);
   }
-  if (rawArgs.includes("--version")) {
+  const { flags, positionals, unknownFlags } = parseArgs(rawArgs);
+  if (unknownFlags.length > 0) {
+    exitUsageError(`Unknown flag: ${unknownFlags[0]}`);
+  }
+  if (flags.has("--help")) {
+    printHelp();
+    process.exit(0);
+  }
+  if (flags.has("--version")) {
     process.stdout.write(`logshield v${getVersion()}
 `);
     process.exit(0);
   }
-  const { flags, positionals } = parseArgs(rawArgs);
   const command = positionals[0];
   if (command !== "scan") {
     exitUsageError("Unknown command");
@@ -608,16 +650,22 @@ async function main() {
   if (useStdin && file) {
     exitUsageError("Cannot read from both STDIN and file");
   }
-  if (dryRun && json) {
-    exitUsageError("--dry-run cannot be used with --json");
-  }
   if (json && summary) {
     exitUsageError("--summary cannot be used with --json");
   }
   try {
-    const input = await readInput2(useStdin ? void 0 : file);
+    const input = await readInput2(useStdin ? void 0 : file, {
+      forceStdin: stdinFlag
+    });
     const result = sanitizeLog2(input, { strict, dryRun });
     if (dryRun) {
+      if (json) {
+        writeOutput2(result, { json: true });
+        if (failOnDetect && result.matches.length > 0) {
+          process.exit(1);
+        }
+        process.exit(0);
+      }
       renderDryRunReport(result.matches);
       if (failOnDetect && result.matches.length > 0) {
         process.exit(1);

package/package.json

@@ -1,35 +1,63 @@
 {
   "name": "logshield-cli",
-  "version": "0.4.3",
+  "version": "0.5.0",
   "license": "Apache-2.0",
   "type": "commonjs",
   "bin": {
     "logshield": "dist/cli/index.cjs"
   },
   "files": [
-    "dist",
+    "dist/cli",
     "README.md",
     "CHANGELOG.md",
     "LICENSE"
   ],
   "scripts": {
     "build": "node scripts/build-cli.cjs",
-    "build:web": "vite build --outDir dist-web",
     "build:blog": "node scripts/build-blog.js",
-    "dev:web": "vite",
     "typecheck": "tsc -p tsconfig.core.json && tsc -p tsconfig.cli.json --noEmit",
     "pretest": "npm run build",
     "test": "vitest",
+    "lint": "npm run typecheck",
+    "clean:dist": "node scripts/clean-dist.mjs",
+    "prepack": "npm run clean:dist && npm run build",
+    "pack:check": "npm pack --dry-run",
+    "release:check": "npm run prepublish:check && npm run pack:check",
     "prepublish:check": "npm run typecheck && npm test",
-    "prepublishOnly": "npm run prepublish:check"
+    "prepublishOnly": "npm run prepublish:check",
+    "dev": "node scripts/dev-docs-server.mjs",
+    "dev:lan": "node scripts/dev-docs-server.mjs --host 0.0.0.0"
   },
   "devDependencies": {
     "@types/node": "^25.0.3",
-    "autoprefixer": "^10.4.23",
     "esbuild": "^0.25.0",
-    "postcss": "^8.5.6",
-    "tailwindcss": "^3.4.19",
     "typescript": "^5.9.3",
     "vitest": "^4.0.0"
+  },
+  "description": "Deterministic, rule-based CLI to sanitize secrets from logs. No AI. No cloud. No config.",
+  "keywords": [
+    "log-sanitization",
+    "secret-detection",
+    "redaction",
+    "security",
+    "devops",
+    "cli",
+    "deterministic",
+    "no-ai"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/afria85/LogShield.git"
+  },
+  "homepage": "https://logshield.dev",
+  "bugs": {
+    "url": "https://github.com/afria85/LogShield/issues"
+  },
+  "funding": {
+    "type": "github",
+    "url": "https://github.com/sponsors/afria85"
+  },
+  "engines": {
+    "node": ">=18"
   }
 }