logshield-cli 0.4.4 → 0.6.0

package/CHANGELOG.md

@@ -1,5 +1,40 @@
 # Changelog
 
+## v0.6.0
+
+### Added
+
+- Redact modern platform tokens (GitHub, Slack, npm, PyPI, SendGrid)
+- Redact npmrc auth tokens (`:_authToken=...`)
+- Redact private key blocks (PEM/OpenSSH, including ENCRYPTED PRIVATE KEY)
+
+### Docs
+
+- Clarified redaction coverage by mode (Default vs Strict) in README and docs
+- Documented the 200KB input safety cap
+
+### Notes
+
+- No CLI flag changes
+- This release may redact more secrets in default mode (intended)
+
+## v0.5.0
+
+### Security
+
+- Hardened dry-run result shape: dry-run no longer returns the raw input in `output` (safe to serialize and avoids re-leakage in programmatic contexts)
+- `--dry-run` can be combined with `--json` for machine-readable detection without leaking log content (`output` is intentionally empty)
+
+### Added
+
+- Added detection-only helper `scanLog(input)` (internal only; safe to serialize)
+
+### Compatibility
+
+- CLI behavior is unchanged: dry-run still prints a human report and never echoes log content
+- Programmatic consumers: `dryRun` now returns `output: ""` (intentional)
+- npm package ships CLI only; no supported JS API surface is published
+
 ## v0.4.4
 
 ### Fixed
@@ -18,7 +53,7 @@
 
 - Prevented API key redaction from corrupting header names (`x-api-key`)
 - Preserved key labels when redacting `api_key=...` values
-- Corrected CLI exit code for invalid flag combinations (`--json --dry-run` now exits with code 2)
+- Corrected CLI exit code for invalid flag combinations (e.g., `--summary --json` exits with code 2)
 
 ### Improved
 

package/README.md

@@ -3,6 +3,8 @@
 [![npm version](https://img.shields.io/npm/v/logshield-cli)](https://www.npmjs.com/package/logshield-cli)
 [![npm downloads](https://img.shields.io/npm/dm/logshield-cli)](https://www.npmjs.com/package/logshield-cli)
 [![CI](https://github.com/afria85/LogShield/actions/workflows/ci.yml/badge.svg)](https://github.com/afria85/LogShield/actions/workflows/ci.yml)
+[![license](https://img.shields.io/badge/license-Apache--2.0-3a3a3a)](https://github.com/afria85/LogShield/blob/main/LICENSE)
+[![Sponsor](https://img.shields.io/badge/sponsor-GitHub%20Sponsors-3a3a3a)](https://github.com/sponsors/afria85)
 
 Your logs already contain secrets. You just don't see them.
 
@@ -44,7 +46,7 @@ After LogShield, the same logs are safe to share.
 
 Use LogShield whenever logs leave your system:
 
-- Before pasting logs into CI
+- Before logs end up in CI output or artifacts
 - Before attaching logs to GitHub issues
 - Before sending logs to third-party support
 - Before sharing logs in Slack or email
@@ -70,9 +72,9 @@ Use without --dry-run to apply.
 
 Notes:
 
-- The report is printed to stdout
+- The report is printed to **stdout** (human-readable)
 - No log content is echoed
-- Output is deterministic and CI-safe
+- In non-`--dry-run` mode, sanitized logs/JSON are written to stdout; summaries/errors go to stderr
 
 ```bash
 # Enforce redaction (sanitized output)
@@ -82,10 +84,6 @@ echo "email=test@example.com Authorization: Bearer abcdefghijklmnop" | logshield
 - Prefer `--dry-run` first in CI to verify you are not over-redacting.
 - Then switch to enforced mode once you are satisfied with the preview.
 
-LogShield is a CLI tool that scans logs and redacts **real secrets**
-(API keys, tokens, credentials) before logs are shared with others,
-AI tools, CI systems, or public channels.
-
 It is designed to be **predictable, conservative, and safe for production pipelines**.
 
 ---
@@ -95,7 +93,12 @@ It is designed to be **predictable, conservative, and safe for production pipeli
 The website and documentation live in the `/docs` directory.
 They are deployed to **https://logshield.dev** via Vercel.
 
----
+## Project links
+
+- Website: https://logshield.dev
+- Docs: https://logshield.dev/docs.html
+- GitHub: https://github.com/afria85/LogShield
+- Sponsor: https://github.com/sponsors/afria85
 
 ## Why LogShield exists
 
@@ -129,7 +132,7 @@ The same input always produces the same output.
 - No environment-dependent behavior
 - Safe for CI, audits, and reproducibility
 
-### 2. Zero false-positive fatality
+### 2. Prefer precision over recall
 
 LogShield must **not** redact non-secrets.
 
@@ -193,6 +196,23 @@ logshield scan [file]
 
 If a file is not provided and input is piped, LogShield automatically reads from **STDIN**.
 
+Note: the npm package ships the CLI only; there is no supported JS API surface.
+
+### Limits
+
+- Maximum input size: **200KB** (safety cap). Oversized input exits with code `2`.
+
+
+### Windows note
+
+If `logshield` is not found after a global install, ensure your npm global bin directory is on `PATH`.
+
+Check it with:
+
+- `npm prefix -g` (add this directory to PATH)
+
+Restart your terminal after updating PATH.
+
 ---
 
 ## CLI Flags
@@ -213,7 +233,7 @@ If a file is not provided and input is piped, LogShield automatically reads from
   Print a compact redaction summary
 
 - `--json`  
-  JSON output (cannot be combined with `--dry-run`)
+  JSON output (can be combined with `--dry-run`; output is empty in dry-run)
 
 - `--version`  
   Print CLI version
@@ -237,7 +257,7 @@ logshield scan app.log
 cat app.log | logshield scan
 ```
 
-`--stdin` is optional; piped input is auto-detected.
+`--stdin` is optional; piped input is auto-detected. Use `--stdin` to force reading from stdin in TTY/paste workflows.
 
 ---
 
@@ -306,7 +326,7 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version: 18
+          node-version: 22
 
       - run: npm install -g logshield-cli
 
@@ -371,9 +391,16 @@ Structured output for tooling and automation:
 logshield scan --json < logs.txt
 ```
 
+Detection-only JSON (safe to serialize; no log content):
+
+```bash
+logshield scan --json --dry-run < logs.txt
+```
+
 Notes:
 
-- `--json` **cannot** be combined with `--dry-run`
+- `--json` can be combined with `--dry-run` for machine-readable detection
+- In `--dry-run` JSON mode, `output` is intentionally an empty string
 - Usage errors exit with code `2`
 - Output is always newline-terminated
 
@@ -391,16 +418,32 @@ Notes:
 
 ## What gets redacted
 
-Depending on rules and mode:
+LogShield uses a fixed, deterministic rule set. The exact coverage depends on the selected mode.
 
-- Passwords (supports quoted and JSON forms)
-- API key headers
-- Authorization bearer tokens
+### Default mode (recommended)
+
+- Passwords (quoted and JSON forms)
+- API key headers (e.g. `x-api-key: ...`)
+- API keys (e.g. `api_key=...`, `api-key: ...`)
+- Authorization Bearer tokens
 - JWTs
+- GitHub tokens (`ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_`, and `github_pat_...`)
+- Slack tokens (`xox*` and `xapp-...`)
+- npm access tokens (`npm_...`)
+- npmrc auth tokens (`:_authToken=...`)
+- PyPI API tokens (`pypi-...`)
+- SendGrid API keys (`SG.<...>.<...>`)
+- Private key blocks (PEM/OpenSSH)
 - Emails
 - URLs with embedded credentials
-- Database credentials (including redis:// and mssql://)
-- Cloud provider credentials
+- Database URL credentials (including `redis://...` and `mssql://...`)
+- Cloud credentials in explicit labeled forms (e.g. `AWS_SECRET_ACCESS_KEY=...`)
+
+### Strict mode (adds)
+
+- Stripe secret keys (e.g. `sk_live_...`, `sk_test_...`)
+- AWS access keys (`AKIA...`)
+- AWS secret keys (strict fallback)
 - Credit card numbers (Luhn-validated)
 
 ---
@@ -426,7 +469,7 @@ Depending on rules and mode:
 LogShield guarantees:
 
 - Deterministic output
-- Stable behavior within **v0.4.x**
+- Stable behavior within the current minor line **v0.6.x**
 - No runtime dependencies
 - Snapshot-tested and contract-tested
 - No telemetry
@@ -456,4 +499,16 @@ It is a **last-line safety net**, not a primary defense.
 
 ## License
 
-Apache-2.0
+Apache-2.0 &mdash; see `LICENSE`.
+
+## Contributing
+
+See `CONTRIBUTING.md`.
+
+## Security
+
+See `SECURITY.md`.
+
+## Support
+
+See `SUPPORT.md`.

package/dist/cli/index.cjs

@@ -36,22 +36,24 @@ var readInput_exports = {};
 __export(readInput_exports, {
   readInput: () => readInput
 });
-async function readInput(file) {
+async function readInput(file, opts) {
   if (file) {
     if (!import_node_fs.default.existsSync(file)) {
       throw new Error(`File not found: ${file}`);
     }
     return import_node_fs.default.readFileSync(file, "utf8");
   }
-  if (!process.stdin.isTTY) {
+  const stdin = opts?.stdin ?? process.stdin;
+  const forceStdin = Boolean(opts?.forceStdin);
+  if (!stdin.isTTY || forceStdin) {
     return new Promise((resolve, reject) => {
       let data = "";
-      process.stdin.setEncoding("utf8");
-      process.stdin.on("data", (chunk) => {
+      stdin.setEncoding?.("utf8");
+      stdin.on("data", (chunk) => {
         data += chunk;
       });
-      process.stdin.on("end", () => resolve(data));
-      process.stdin.on("error", reject);
+      stdin.on("end", () => resolve(data));
+      stdin.on("error", reject);
     });
   }
   throw new Error("No input provided");
@@ -155,6 +157,66 @@ var tokenRules;
 var init_tokens = __esm({
   "src/rules/tokens.ts"() {
     tokenRules = [
+      // Multi-line private key blocks (PEM/OpenSSH). Run early to avoid leaking
+      // partial material through other rules.
+      {
+        name: "PRIVATE_KEY_BLOCK",
+        pattern: /-----BEGIN\s+(?:(?:RSA|EC|DSA)\s+)?(?:ENCRYPTED\s+)?PRIVATE\s+KEY-----[\s\S]*?-----END\s+(?:(?:RSA|EC|DSA)\s+)?(?:ENCRYPTED\s+)?PRIVATE\s+KEY-----/gi,
+        replace: () => "<REDACTED_PRIVATE_KEY_BLOCK>"
+      },
+      {
+        name: "OPENSSH_PRIVATE_KEY_BLOCK",
+        pattern: /-----BEGIN OPENSSH PRIVATE KEY-----[\s\S]*?-----END OPENSSH PRIVATE KEY-----/g,
+        replace: () => "<REDACTED_PRIVATE_KEY_BLOCK>"
+      },
+      {
+        name: "PRIVATE_KEY_HEADER",
+        pattern: /-----BEGIN\s+(?:(?:RSA|EC|DSA)\s+)?(?:ENCRYPTED\s+)?PRIVATE\s+KEY-----|-----BEGIN OPENSSH PRIVATE KEY-----/gi,
+        replace: () => "<REDACTED_PRIVATE_KEY_HEADER>"
+      },
+      // Modern platform tokens (prefix-anchored, low false-positive).
+      {
+        name: "GITHUB_TOKEN",
+        pattern: /\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36,255}\b/g,
+        replace: () => "<REDACTED_GITHUB_TOKEN>"
+      },
+      {
+        name: "GITHUB_FINE_GRAINED_TOKEN",
+        pattern: /\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b/g,
+        replace: () => "<REDACTED_GITHUB_TOKEN>"
+      },
+      {
+        name: "SLACK_TOKEN",
+        pattern: /\bxox(?:b|p|a|s|r)-[A-Za-z0-9-]{10,250}\b/g,
+        replace: () => "<REDACTED_SLACK_TOKEN>"
+      },
+      {
+        name: "SLACK_APP_TOKEN",
+        pattern: /\bxapp-\d-[A-Za-z0-9-]{10,250}\b/g,
+        replace: () => "<REDACTED_SLACK_TOKEN>"
+      },
+      {
+        name: "NPM_TOKEN",
+        pattern: /\bnpm_[A-Za-z0-9]{36}\b/g,
+        replace: () => "<REDACTED_NPM_TOKEN>"
+      },
+      {
+        name: "NPMRC_AUTH_TOKEN",
+        // .npmrc-style auth token, commonly seen as:
+        //   //registry.npmjs.org/:_authToken=...
+        pattern: /(:_authToken\s*=\s*)([^\s\r\n]+)/gi,
+        replace: (_match, _ctx, groups) => `${groups[0]}<REDACTED_NPM_TOKEN>`
+      },
+      {
+        name: "PYPI_TOKEN",
+        pattern: /\bpypi-[A-Za-z0-9_-]{85,200}\b/g,
+        replace: () => "<REDACTED_PYPI_TOKEN>"
+      },
+      {
+        name: "SENDGRID_API_KEY",
+        pattern: /\bSG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}\b/g,
+        replace: () => "<REDACTED_SENDGRID_KEY>"
+      },
       {
         name: "JWT",
         pattern: /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/g,
@@ -503,7 +565,7 @@ function sanitizeLog(input, options) {
   const matches = [];
   if (ctx.dryRun) {
     applyRules(input, allRules, ctx, matches);
-    return { output: input, matches };
+    return { output: "", matches };
   }
   const output = applyRules(input, allRules, ctx, matches);
   return { output, matches };
@@ -522,8 +584,18 @@ var { writeOutput: writeOutput2 } = (init_writeOutput(), __toCommonJS(writeOutpu
 var { printSummary: printSummary2 } = (init_summary(), __toCommonJS(summary_exports));
 var { sanitizeLog: sanitizeLog2 } = (init_sanitizeLog(), __toCommonJS(sanitizeLog_exports));
 var rawArgs = process.argv.slice(2).map((arg) => arg === "-h" ? "--help" : arg);
+var ALLOWED_FLAGS = /* @__PURE__ */ new Set([
+  "--strict",
+  "--dry-run",
+  "--stdin",
+  "--fail-on-detect",
+  "--json",
+  "--summary",
+  "--version",
+  "--help"
+]);
 function getVersion() {
-  return true ? "0.4.4" : "unknown";
+  return true ? "0.6.0" : "unknown";
 }
 function printHelp() {
   process.stdout.write(`Usage: logshield scan [file]
@@ -550,14 +622,23 @@ function writeErr(message) {
 function parseArgs(args) {
   const flags = /* @__PURE__ */ new Set();
   const positionals = [];
+  const unknownFlags = [];
   for (const arg of args) {
-    if (arg.startsWith("--")) {
-      flags.add(arg);
+    if (arg.startsWith("-")) {
+      if (arg.startsWith("--")) {
+        if (!ALLOWED_FLAGS.has(arg)) {
+          unknownFlags.push(arg);
+        } else {
+          flags.add(arg);
+        }
+      } else {
+        unknownFlags.push(arg);
+      }
     } else {
       positionals.push(arg);
     }
   }
-  return { flags, positionals };
+  return { flags, positionals, unknownFlags };
 }
 function isStdinPiped() {
   return !process.stdin.isTTY;
@@ -596,16 +677,23 @@ function exitUsageError(message) {
   process.exit(2);
 }
 async function main() {
-  if (rawArgs.length === 0 || rawArgs.includes("--help")) {
+  if (rawArgs.length === 0) {
     printHelp();
     process.exit(0);
   }
-  if (rawArgs.includes("--version")) {
+  const { flags, positionals, unknownFlags } = parseArgs(rawArgs);
+  if (unknownFlags.length > 0) {
+    exitUsageError(`Unknown flag: ${unknownFlags[0]}`);
+  }
+  if (flags.has("--help")) {
+    printHelp();
+    process.exit(0);
+  }
+  if (flags.has("--version")) {
     process.stdout.write(`logshield v${getVersion()}
 `);
     process.exit(0);
   }
-  const { flags, positionals } = parseArgs(rawArgs);
   const command = positionals[0];
   if (command !== "scan") {
     exitUsageError("Unknown command");
@@ -622,16 +710,22 @@ async function main() {
   if (useStdin && file) {
     exitUsageError("Cannot read from both STDIN and file");
   }
-  if (dryRun && json) {
-    exitUsageError("--dry-run cannot be used with --json");
-  }
   if (json && summary) {
     exitUsageError("--summary cannot be used with --json");
   }
   try {
-    const input = await readInput2(useStdin ? void 0 : file);
+    const input = await readInput2(useStdin ? void 0 : file, {
+      forceStdin: stdinFlag
+    });
     const result = sanitizeLog2(input, { strict, dryRun });
     if (dryRun) {
+      if (json) {
+        writeOutput2(result, { json: true });
+        if (failOnDetect && result.matches.length > 0) {
+          process.exit(1);
+        }
+        process.exit(0);
+      }
       renderDryRunReport(result.matches);
       if (failOnDetect && result.matches.length > 0) {
         process.exit(1);

package/package.json

@@ -1,35 +1,63 @@
 {
   "name": "logshield-cli",
-  "version": "0.4.4",
+  "version": "0.6.0",
   "license": "Apache-2.0",
   "type": "commonjs",
   "bin": {
     "logshield": "dist/cli/index.cjs"
   },
   "files": [
-    "dist",
+    "dist/cli",
     "README.md",
     "CHANGELOG.md",
     "LICENSE"
   ],
   "scripts": {
     "build": "node scripts/build-cli.cjs",
-    "build:web": "vite build --outDir dist-web",
     "build:blog": "node scripts/build-blog.js",
-    "dev:web": "vite",
     "typecheck": "tsc -p tsconfig.core.json && tsc -p tsconfig.cli.json --noEmit",
     "pretest": "npm run build",
     "test": "vitest",
+    "lint": "npm run typecheck",
+    "clean:dist": "node scripts/clean-dist.mjs",
+    "prepack": "npm run clean:dist && npm run build",
+    "pack:check": "npm pack --dry-run",
+    "release:check": "npm run prepublish:check && npm run pack:check",
     "prepublish:check": "npm run typecheck && npm test",
-    "prepublishOnly": "npm run prepublish:check"
+    "prepublishOnly": "npm run prepublish:check",
+    "dev": "node scripts/dev-docs-server.mjs",
+    "dev:lan": "node scripts/dev-docs-server.mjs --host 0.0.0.0"
   },
   "devDependencies": {
     "@types/node": "^25.0.3",
-    "autoprefixer": "^10.4.23",
     "esbuild": "^0.25.0",
-    "postcss": "^8.5.6",
-    "tailwindcss": "^3.4.19",
     "typescript": "^5.9.3",
     "vitest": "^4.0.0"
+  },
+  "description": "Deterministic, rule-based CLI to sanitize secrets from logs. No AI. No cloud. No config.",
+  "keywords": [
+    "log-sanitization",
+    "secret-detection",
+    "redaction",
+    "security",
+    "devops",
+    "cli",
+    "deterministic",
+    "no-ai"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/afria85/LogShield.git"
+  },
+  "homepage": "https://logshield.dev",
+  "bugs": {
+    "url": "https://github.com/afria85/LogShield/issues"
+  },
+  "funding": {
+    "type": "github",
+    "url": "https://github.com/sponsors/afria85"
+  },
+  "engines": {
+    "node": ">=18"
   }
 }

package/dist/assets/index-B3qxIuiz.css

@@ -1 +0,0 @@
-*,:before,:after{--tw-border-spacing-x: 0;--tw-border-spacing-y: 0;--tw-translate-x: 0;--tw-translate-y: 0;--tw-rotate: 0;--tw-skew-x: 0;--tw-skew-y: 0;--tw-scale-x: 1;--tw-scale-y: 1;--tw-pan-x: ;--tw-pan-y: ;--tw-pinch-zoom: ;--tw-scroll-snap-strictness: proximity;--tw-gradient-from-position: ;--tw-gradient-via-position: ;--tw-gradient-to-position: ;--tw-ordinal: ;--tw-slashed-zero: ;--tw-numeric-figure: ;--tw-numeric-spacing: ;--tw-numeric-fraction: ;--tw-ring-inset: ;--tw-ring-offset-width: 0px;--tw-ring-offset-color: #fff;--tw-ring-color: rgb(59 130 246 / .5);--tw-ring-offset-shadow: 0 0 #0000;--tw-ring-shadow: 0 0 #0000;--tw-shadow: 0 0 #0000;--tw-shadow-colored: 0 0 #0000;--tw-blur: ;--tw-brightness: ;--tw-contrast: ;--tw-grayscale: ;--tw-hue-rotate: ;--tw-invert: ;--tw-saturate: ;--tw-sepia: ;--tw-drop-shadow: ;--tw-backdrop-blur: ;--tw-backdrop-brightness: ;--tw-backdrop-contrast: ;--tw-backdrop-grayscale: ;--tw-backdrop-hue-rotate: ;--tw-backdrop-invert: ;--tw-backdrop-opacity: ;--tw-backdrop-saturate: ;--tw-backdrop-sepia: ;--tw-contain-size: ;--tw-contain-layout: ;--tw-contain-paint: ;--tw-contain-style: }::backdrop{--tw-border-spacing-x: 0;--tw-border-spacing-y: 0;--tw-translate-x: 0;--tw-translate-y: 0;--tw-rotate: 0;--tw-skew-x: 0;--tw-skew-y: 0;--tw-scale-x: 1;--tw-scale-y: 1;--tw-pan-x: ;--tw-pan-y: ;--tw-pinch-zoom: ;--tw-scroll-snap-strictness: proximity;--tw-gradient-from-position: ;--tw-gradient-via-position: ;--tw-gradient-to-position: ;--tw-ordinal: ;--tw-slashed-zero: ;--tw-numeric-figure: ;--tw-numeric-spacing: ;--tw-numeric-fraction: ;--tw-ring-inset: ;--tw-ring-offset-width: 0px;--tw-ring-offset-color: #fff;--tw-ring-color: rgb(59 130 246 / .5);--tw-ring-offset-shadow: 0 0 #0000;--tw-ring-shadow: 0 0 #0000;--tw-shadow: 0 0 #0000;--tw-shadow-colored: 0 0 #0000;--tw-blur: ;--tw-brightness: ;--tw-contrast: ;--tw-grayscale: ;--tw-hue-rotate: ;--tw-invert: ;--tw-saturate: ;--tw-sepia: ;--tw-drop-shadow: ;--tw-backdrop-blur: ;--tw-backdrop-brightness: ;--tw-backdrop-contrast: ;--tw-backdrop-grayscale: ;--tw-backdrop-hue-rotate: ;--tw-backdrop-invert: ;--tw-backdrop-opacity: ;--tw-backdrop-saturate: ;--tw-backdrop-sepia: ;--tw-contain-size: ;--tw-contain-layout: ;--tw-contain-paint: ;--tw-contain-style: }*,:before,:after{box-sizing:border-box;border-width:0;border-style:solid;border-color:#e5e7eb}:before,:after{--tw-content: ""}html,:host{line-height:1.5;-webkit-text-size-adjust:100%;-moz-tab-size:4;-o-tab-size:4;tab-size:4;font-family:ui-sans-serif,system-ui,sans-serif,"Apple Color Emoji","Segoe UI Emoji",Segoe UI Symbol,"Noto Color Emoji";font-feature-settings:normal;font-variation-settings:normal;-webkit-tap-highlight-color:transparent}body{margin:0;line-height:inherit}hr{height:0;color:inherit;border-top-width:1px}abbr:where([title]){-webkit-text-decoration:underline dotted;text-decoration:underline dotted}h1,h2,h3,h4,h5,h6{font-size:inherit;font-weight:inherit}a{color:inherit;text-decoration:inherit}b,strong{font-weight:bolder}code,kbd,samp,pre{font-family:ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,Liberation Mono,Courier New,monospace;font-feature-settings:normal;font-variation-settings:normal;font-size:1em}small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}sub{bottom:-.25em}sup{top:-.5em}table{text-indent:0;border-color:inherit;border-collapse:collapse}button,input,optgroup,select,textarea{font-family:inherit;font-feature-settings:inherit;font-variation-settings:inherit;font-size:100%;font-weight:inherit;line-height:inherit;letter-spacing:inherit;color:inherit;margin:0;padding:0}button,select{text-transform:none}button,input:where([type=button]),input:where([type=reset]),input:where([type=submit]){-webkit-appearance:button;background-color:transparent;background-image:none}:-moz-focusring{outline:auto}:-moz-ui-invalid{box-shadow:none}progress{vertical-align:baseline}::-webkit-inner-spin-button,::-webkit-outer-spin-button{height:auto}[type=search]{-webkit-appearance:textfield;outline-offset:-2px}::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}summary{display:list-item}blockquote,dl,dd,h1,h2,h3,h4,h5,h6,hr,figure,p,pre{margin:0}fieldset{margin:0;padding:0}legend{padding:0}ol,ul,menu{list-style:none;margin:0;padding:0}dialog{padding:0}textarea{resize:vertical}input::-moz-placeholder,textarea::-moz-placeholder{opacity:1;color:#9ca3af}input::placeholder,textarea::placeholder{opacity:1;color:#9ca3af}button,[role=button]{cursor:pointer}:disabled{cursor:default}img,svg,video,canvas,audio,iframe,embed,object{display:block;vertical-align:middle}img,video{max-width:100%;height:auto}[hidden]:where(:not([hidden=until-found])){display:none}:root{--color-bg-primary: 248 250 252;--color-bg-secondary: 241 245 249;--color-bg-card: 255 255 255;--color-text-primary: 15 23 42;--color-text-secondary: 71 85 105;--color-text-muted: 148 163 184;--color-border: 226 232 240;--color-accent: 59 130 246;--color-accent-hover: 37 99 235;--gradient-start: 239 246 255;--gradient-mid: 238 242 255;--gradient-end: 248 250 252}*{--tw-border-opacity: 1;border-color:rgb(229 231 235 / var(--tw-border-opacity, 1))}@media (prefers-color-scheme: dark){*{--tw-border-opacity: 1;border-color:rgb(51 65 85 / var(--tw-border-opacity, 1))}}html{scroll-behavior:smooth}body{--tw-bg-opacity: 1;background-color:rgb(248 250 252 / var(--tw-bg-opacity, 1));--tw-text-opacity: 1;color:rgb(15 23 42 / var(--tw-text-opacity, 1));-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;transition-property:color,background-color,border-color,text-decoration-color,fill,stroke;transition-timing-function:cubic-bezier(.4,0,.2,1);transition-duration:.3s}@media (prefers-color-scheme: dark){body{--tw-bg-opacity: 1;background-color:rgb(15 23 42 / var(--tw-bg-opacity, 1));--tw-text-opacity: 1;color:rgb(241 245 249 / var(--tw-text-opacity, 1))}}body{margin:0;padding:0;font-family:Inter,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Oxygen,Ubuntu,Cantarell,Fira Sans,Droid Sans,Helvetica Neue,sans-serif;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}code{font-family:JetBrains Mono,Fira Code,source-code-pro,Menlo,Monaco,Consolas,Courier New,monospace}::-webkit-scrollbar{width:8px;height:8px}::-webkit-scrollbar-track{--tw-bg-opacity: 1;background-color:rgb(241 245 249 / var(--tw-bg-opacity, 1))}@media (prefers-color-scheme: dark){::-webkit-scrollbar-track{--tw-bg-opacity: 1;background-color:rgb(30 41 59 / var(--tw-bg-opacity, 1))}}::-webkit-scrollbar-thumb{border-radius:9999px;--tw-bg-opacity: 1;background-color:rgb(203 213 225 / var(--tw-bg-opacity, 1))}@media (prefers-color-scheme: dark){::-webkit-scrollbar-thumb{--tw-bg-opacity: 1;background-color:rgb(71 85 105 / var(--tw-bg-opacity, 1))}}::-webkit-scrollbar-thumb:hover{--tw-bg-opacity: 1;background-color:rgb(148 163 184 / var(--tw-bg-opacity, 1))}@media (prefers-color-scheme: dark){::-webkit-scrollbar-thumb:hover{--tw-bg-opacity: 1;background-color:rgb(100 116 139 / var(--tw-bg-opacity, 1))}}::-moz-selection{background-color:#3b82f64d;--tw-text-opacity: 1;color:rgb(30 58 138 / var(--tw-text-opacity, 1))}::selection{background-color:#3b82f64d;--tw-text-opacity: 1;color:rgb(30 58 138 / var(--tw-text-opacity, 1))}@media (prefers-color-scheme: dark){::-moz-selection{--tw-text-opacity: 1;color:rgb(219 234 254 / var(--tw-text-opacity, 1))}::selection{--tw-text-opacity: 1;color:rgb(219 234 254 / var(--tw-text-opacity, 1))}}@keyframes fadeIn{0%{opacity:0;transform:translateY(10px)}to{opacity:1;transform:translateY(0)}}@keyframes slideUp{0%{opacity:0;transform:translateY(20px)}to{opacity:1;transform:translateY(0)}}@keyframes pulseGlow{0%,to{box-shadow:0 0 #3b82f666}50%{box-shadow:0 0 20px 5px #3b82f633}}@keyframes gradientShift{0%{background-position:0% 50%}50%{background-position:100% 50%}to{background-position:0% 50%}}@keyframes float{0%,to{transform:translateY(0)}50%{transform:translateY(-10px)}}@keyframes shine{0%{background-position:-200% center}to{background-position:200% center}}@keyframes bounceUp{0%,to{transform:translateY(0)}50%{transform:translateY(-4px)}}@media print{.no-print{display:none!important}body{--tw-bg-opacity: 1;background-color:rgb(255 255 255 / var(--tw-bg-opacity, 1));--tw-text-opacity: 1;color:rgb(0 0 0 / var(--tw-text-opacity, 1))}}:root{--bg: #0f1115;--panel: #151922;--border: #252a36;--text: #e6e8eb;--muted: #9aa1ad;--accent: #ff4d4f}*{box-sizing:border-box}body{margin:0;font-family:ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,Liberation Mono,monospace;background:var(--bg);color:var(--text)}.ls-root{min-height:100vh;display:flex;flex-direction:column}.ls-header{padding:16px 24px;border-bottom:1px solid var(--border)}.ls-header h1{margin:0;font-size:20px}.ls-header p{margin:4px 0 0;color:var(--muted);font-size:13px}.ls-controls{display:flex;gap:16px;align-items:center;padding:12px 24px;border-bottom:1px solid var(--border);font-size:13px}.ls-controls label{display:flex;align-items:center;gap:6px;cursor:pointer}.ls-controls button{margin-left:auto;background:transparent;border:1px solid var(--border);color:var(--text);padding:6px 12px;cursor:pointer}.ls-controls button:hover{border-color:var(--accent)}.ls-main{flex:1;display:grid;grid-template-columns:1fr 1fr}.ls-input{width:100%;height:100%;resize:none;border:none;outline:none;padding:16px;background:var(--panel);color:var(--text);border-right:1px solid var(--border);font-size:13px;line-height:1.5}.ls-output{padding:16px;background:#0c0f14;font-size:13px;line-height:1.5;white-space:pre-wrap;overflow:auto}.ls-highlight{background:#ff4d4f40;color:#fff}.ls-footer{padding:8px 24px;border-top:1px solid var(--border);font-size:12px;color:var(--muted)}