npm - logshield-cli - Versions diffs - 0.5.0 → 0.7.0 - Mend

logshield-cli 0.5.0 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,46 @@
 # Changelog
+## v0.7.0
+### Security
+- Added a per-line safety cap (`64KB`) alongside the existing `200KB` total input cap
+- Overlong single-line input now fails with a deterministic bounded error instead of flowing into rule evaluation
+- Hardened the strict-mode credit card detector to reduce ambiguous separator-heavy matching on pathological near-miss input
+### Improved
+- Added adversarial regression coverage for line-length boundaries, multiline line reporting, and regex near-miss cases
+- Added bounded-failure contract coverage for CLI and detection-only code paths
+### Docs
+- Synced README limits documentation with the final bounded input behavior and error contract
+### Notes
+- No new CLI flags
+- No breaking changes to normal successful scan output
+- Input/usage bounded failures continue to exit with code `2`
+## v0.6.0
+### Added
+- Redact modern platform tokens (GitHub, Slack, npm, PyPI, SendGrid)
+- Redact npmrc auth tokens (`:_authToken=...`)
+- Redact private key blocks (PEM/OpenSSH, including ENCRYPTED PRIVATE KEY)
+### Docs
+- Clarified redaction coverage by mode (Default vs Strict) in README and docs
+- Documented the 200KB input safety cap
+### Notes
+- No CLI flag changes
+- This release may redact more secrets in default mode (intended)
 ## v0.5.0
 ### Security

package/README.md CHANGED Viewed

@@ -46,7 +46,7 @@ After LogShield, the same logs are safe to share.
 Use LogShield whenever logs leave your system:
-- Before pasting logs into CI
+- Before logs end up in CI output or artifacts
 - Before attaching logs to GitHub issues
 - Before sending logs to third-party support
 - Before sharing logs in Slack or email
@@ -72,9 +72,9 @@ Use without --dry-run to apply.
 Notes:
-- The report is printed to stdout
+- The report is printed to **stdout** (human-readable)
 - No log content is echoed
-- Output is deterministic and CI-safe
+- In non-`--dry-run` mode, sanitized logs/JSON are written to stdout; summaries/errors go to stderr
 ```bash
 # Enforce redaction (sanitized output)
@@ -84,10 +84,6 @@ echo "email=test@example.com Authorization: Bearer abcdefghijklmnop" | logshield
 - Prefer `--dry-run` first in CI to verify you are not over-redacting.
 - Then switch to enforced mode once you are satisfied with the preview.
-LogShield is a CLI tool that scans logs and redacts **real secrets**
-(API keys, tokens, credentials) before logs are shared with others,
-AI tools, CI systems, or public channels.
 It is designed to be **predictable, conservative, and safe for production pipelines**.
 ---
@@ -104,24 +100,6 @@ They are deployed to **https://logshield.dev** via Vercel.
 - GitHub: https://github.com/afria85/LogShield
 - Sponsor: https://github.com/sponsors/afria85
-## Local preview (website)
-To preview the website on your computer:
-```bash
-npm run dev
-```
-To preview on a phone/tablet on the same Wi-Fi:
-```bash
-npm run dev:lan
-```
-Then open the printed LAN URL on your device.
----
 ## Why LogShield exists
 Logs are frequently copied into:
@@ -154,7 +132,7 @@ The same input always produces the same output.
 - No environment-dependent behavior
 - Safe for CI, audits, and reproducibility
-### 2. Zero false-positive fatality
+### 2. Prefer precision over recall
 LogShield must **not** redact non-secrets.
@@ -220,6 +198,22 @@ If a file is not provided and input is piped, LogShield automatically reads from
 Note: the npm package ships the CLI only; there is no supported JS API surface.
+### Limits
+- Maximum input size: **200KB** (safety cap). Oversized input exits with code `2`.
+- Maximum line length: **64KB** per line. If any single line exceeds the cap, LogShield exits with code `2` and a deterministic `Log line <n> exceeds 64KB limit` error.
+### Windows note
+If `logshield` is not found after a global install, ensure your npm global bin directory is on `PATH`.
+Check it with:
+- `npm prefix -g` (add this directory to PATH)
+Restart your terminal after updating PATH.
 ---
 ## CLI Flags
@@ -264,7 +258,7 @@ logshield scan app.log
 cat app.log | logshield scan
 ```
-`--stdin` is optional; piped input is auto-detected.
+`--stdin` is optional; piped input is auto-detected. Use `--stdin` to force reading from stdin in TTY/paste workflows.
 ---
@@ -333,7 +327,7 @@ jobs:
       - uses: actions/setup-node@v4
         with:
-          node-version: 18
+          node-version: 22
       - run: npm install -g logshield-cli
@@ -425,16 +419,32 @@ Notes:
 ## What gets redacted
-Depending on rules and mode:
+LogShield uses a fixed, deterministic rule set. The exact coverage depends on the selected mode.
+### Default mode (recommended)
-- Passwords (supports quoted and JSON forms)
-- API key headers
-- Authorization bearer tokens
+- Passwords (quoted and JSON forms)
+- API key headers (e.g. `x-api-key: ...`)
+- API keys (e.g. `api_key=...`, `api-key: ...`)
+- Authorization Bearer tokens
 - JWTs
+- GitHub tokens (`ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_`, and `github_pat_...`)
+- Slack tokens (`xox*` and `xapp-...`)
+- npm access tokens (`npm_...`)
+- npmrc auth tokens (`:_authToken=...`)
+- PyPI API tokens (`pypi-...`)
+- SendGrid API keys (`SG.<...>.<...>`)
+- Private key blocks (PEM/OpenSSH)
 - Emails
 - URLs with embedded credentials
-- Database credentials (including redis:// and mssql://)
-- Cloud provider credentials
+- Database URL credentials (including `redis://...` and `mssql://...`)
+- Cloud credentials in explicit labeled forms (e.g. `AWS_SECRET_ACCESS_KEY=...`)
+### Strict mode (adds)
+- Stripe secret keys (e.g. `sk_live_...`, `sk_test_...`)
+- AWS access keys (`AKIA...`)
+- AWS secret keys (strict fallback)
 - Credit card numbers (Luhn-validated)
 ---
@@ -460,7 +470,7 @@ Depending on rules and mode:
 LogShield guarantees:
 - Deterministic output
-- Stable behavior within the current minor line **v0.5.x**
+- Stable behavior within the current minor line **v0.6.x**
 - No runtime dependencies
 - Snapshot-tested and contract-tested
 - No telemetry
@@ -490,8 +500,7 @@ It is a **last-line safety net**, not a primary defense.
 ## License
-Apache-2.0
----
+Apache-2.0 &mdash; see `LICENSE`.
 ## Contributing

package/dist/cli/index.cjs CHANGED Viewed

@@ -140,15 +140,23 @@ var init_applyRules = __esm({
 // src/engine/guard.ts
 function guardInput(input) {
   if (!input) return "";
-  if (input.length > MAX_SIZE) {
+  if (input.length > MAX_INPUT_SIZE) {
     throw new Error("Log size exceeds 200KB limit");
   }
+  const lines = input.split(/\r?\n/);
+  for (let i = 0; i < lines.length; i += 1) {
+    if (lines[i].length > MAX_LINE_LENGTH) {
+      const lineNumber = i + 1;
+      throw new Error(`Log line ${lineNumber} exceeds 64KB limit`);
+    }
+  }
   return input;
 }
-var MAX_SIZE;
+var MAX_INPUT_SIZE, MAX_LINE_LENGTH;
 var init_guard = __esm({
   "src/engine/guard.ts"() {
-    MAX_SIZE = 200 * 1024;
+    MAX_INPUT_SIZE = 200 * 1024;
+    MAX_LINE_LENGTH = 64 * 1024;
   }
 });
@@ -157,6 +165,66 @@ var tokenRules;
 var init_tokens = __esm({
   "src/rules/tokens.ts"() {
     tokenRules = [
+      // Multi-line private key blocks (PEM/OpenSSH). Run early to avoid leaking
+      // partial material through other rules.
+      {
+        name: "PRIVATE_KEY_BLOCK",
+        pattern: /-----BEGIN\s+(?:(?:RSA|EC|DSA)\s+)?(?:ENCRYPTED\s+)?PRIVATE\s+KEY-----[\s\S]*?-----END\s+(?:(?:RSA|EC|DSA)\s+)?(?:ENCRYPTED\s+)?PRIVATE\s+KEY-----/gi,
+        replace: () => "<REDACTED_PRIVATE_KEY_BLOCK>"
+      },
+      {
+        name: "OPENSSH_PRIVATE_KEY_BLOCK",
+        pattern: /-----BEGIN OPENSSH PRIVATE KEY-----[\s\S]*?-----END OPENSSH PRIVATE KEY-----/g,
+        replace: () => "<REDACTED_PRIVATE_KEY_BLOCK>"
+      },
+      {
+        name: "PRIVATE_KEY_HEADER",
+        pattern: /-----BEGIN\s+(?:(?:RSA|EC|DSA)\s+)?(?:ENCRYPTED\s+)?PRIVATE\s+KEY-----|-----BEGIN OPENSSH PRIVATE KEY-----/gi,
+        replace: () => "<REDACTED_PRIVATE_KEY_HEADER>"
+      },
+      // Modern platform tokens (prefix-anchored, low false-positive).
+      {
+        name: "GITHUB_TOKEN",
+        pattern: /\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36,255}\b/g,
+        replace: () => "<REDACTED_GITHUB_TOKEN>"
+      },
+      {
+        name: "GITHUB_FINE_GRAINED_TOKEN",
+        pattern: /\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b/g,
+        replace: () => "<REDACTED_GITHUB_TOKEN>"
+      },
+      {
+        name: "SLACK_TOKEN",
+        pattern: /\bxox(?:b|p|a|s|r)-[A-Za-z0-9-]{10,250}\b/g,
+        replace: () => "<REDACTED_SLACK_TOKEN>"
+      },
+      {
+        name: "SLACK_APP_TOKEN",
+        pattern: /\bxapp-\d-[A-Za-z0-9-]{10,250}\b/g,
+        replace: () => "<REDACTED_SLACK_TOKEN>"
+      },
+      {
+        name: "NPM_TOKEN",
+        pattern: /\bnpm_[A-Za-z0-9]{36}\b/g,
+        replace: () => "<REDACTED_NPM_TOKEN>"
+      },
+      {
+        name: "NPMRC_AUTH_TOKEN",
+        // .npmrc-style auth token, commonly seen as:
+        //   //registry.npmjs.org/:_authToken=...
+        pattern: /(:_authToken\s*=\s*)([^\s\r\n]+)/gi,
+        replace: (_match, _ctx, groups) => `${groups[0]}<REDACTED_NPM_TOKEN>`
+      },
+      {
+        name: "PYPI_TOKEN",
+        pattern: /\bpypi-[A-Za-z0-9_-]{85,200}\b/g,
+        replace: () => "<REDACTED_PYPI_TOKEN>"
+      },
+      {
+        name: "SENDGRID_API_KEY",
+        pattern: /\bSG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}\b/g,
+        replace: () => "<REDACTED_SENDGRID_KEY>"
+      },
       {
         name: "JWT",
         pattern: /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/g,
@@ -327,7 +395,9 @@ var init_creditCard = __esm({
     creditCardRules = [
       {
         name: "CREDIT_CARD",
-        pattern: /\b(?:\d[ -]*?){13,19}\b/g,
+        // Keep separators simple and bounded between digits to avoid ambiguous
+        // repetition on long near-miss inputs.
+        pattern: /\b\d(?:[ -]?\d){12,18}\b/g,
         replace: (match, { strict }) => {
           if (!strict) return match;
           return isValidLuhn(match) ? "<REDACTED_CC>" : match;
@@ -535,7 +605,7 @@ var ALLOWED_FLAGS = /* @__PURE__ */ new Set([
   "--help"
 ]);
 function getVersion() {
-  return true ? "0.5.0" : "unknown";
+  return true ? "0.7.0" : "unknown";
 }
 function printHelp() {
   process.stdout.write(`Usage: logshield scan [file]

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "logshield-cli",
-  "version": "0.5.0",
+  "version": "0.7.0",
   "license": "Apache-2.0",
   "type": "commonjs",
   "bin": {