mynth-logger 2.1.0 → 2.1.2

package/.github/workflows/CI.yaml

@@ -1,9 +1,6 @@
 name: CI
 
 on:
-  push:
-    branches:
-      - main
   pull_request:
 
 jobs:

package/.github/workflows/publish.yml

@@ -11,11 +11,13 @@ on:
           - patch
           - minor
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   publish:
     runs-on: ubuntu-latest
-    permissions:
-      contents: write
     steps:
       - name: Checkout code
         uses: actions/checkout@v6.0.2
@@ -26,6 +28,7 @@ jobs:
         uses: actions/setup-node@v6.2.0
         with:
           node-version: 24
+          registry-url: https://registry.npmjs.org
 
       - uses: pnpm/action-setup@v4
 
@@ -43,8 +46,6 @@ jobs:
 
       - name: Publish to npm
         run: npm publish
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Push to git repo
         run: git push --follow-tags

package/dist/src/format.d.ts

@@ -1,2 +1,4 @@
+import { type RedactConfig } from "./redact.js";
+declare const updateConfig: (newConfig: RedactConfig) => void;
 declare const format: (items: unknown[]) => string;
-export { format };
+export { format, updateConfig };

package/dist/src/format.js

@@ -1,6 +1,12 @@
 import { stringify } from "@ungap/structured-clone/json";
 import { type } from "arktype";
-import { redact } from "./redact.js";
+import { createRedact } from "./redact.js";
+const config = {
+    redact: createRedact({}),
+};
+const updateConfig = (newConfig) => {
+    config.redact = createRedact(newConfig);
+};
 const ErrorType = type({
     message: "string",
     "stack?": "string",
@@ -11,7 +17,7 @@ const formatItem = (item) => {
     // Remove colors from strings
     if (typeof item === "string")
         // biome-ignore lint/suspicious/noControlCharactersInRegex: stripping ANSI escape codes
-        return redact(item.replace(/\x1b\[[0-9;]*m/g, ""));
+        return config.redact(item.replace(/\x1b\[[0-9;]*m/g, ""));
     // Check if this is an Error
     const error = ErrorType(item);
     if (!(error instanceof type.errors))
@@ -24,9 +30,9 @@ const formatItem = (item) => {
             return String(item);
         }
     })();
-    return redact(stringified.replace(/^'|'$/g, ""));
+    return config.redact(stringified.replace(/^'|'$/g, ""));
 };
 const format = (items) => Array.from(items)
     .map((item) => formatItem(item))
     .join(" ");
-export { format };
+export { format, updateConfig };

package/dist/src/logging.d.ts

@@ -1,2 +1,3 @@
-declare const setupLogging: () => import("consola").ConsolaInstance;
+import type { RedactConfig } from "./redact.js";
+declare const setupLogging: (config?: RedactConfig) => import("consola").ConsolaInstance;
 export { setupLogging };

package/dist/src/logging.js

@@ -1,14 +1,17 @@
 import { createConsola } from "consola";
+import { updateConfig } from "./format.js";
 import DatadogReporter from "./reporters/datadog.js";
 import DiscordReporter from "./reporters/discord.js";
-const setupLogging = () => {
+const setupLogging = (config = {}) => {
+    updateConfig(config);
     const consola = createConsola({ fancy: true, level: 5 });
     if (process.env.NODE_ENV === "production")
         consola.setReporters([DatadogReporter]);
     // Set Discord reporter as first so it can remove
     // Discord-related config before other reporters process the
     // log
-    consola.setReporters([DiscordReporter, ...consola.options.reporters]);
+    else
+        consola.setReporters([DiscordReporter, ...consola.options.reporters]);
     consola.wrapConsole();
     return consola;
 };

package/dist/src/redact.d.ts

@@ -1,2 +1,39 @@
-declare const redact: (text: string) => string;
-export { redact };
+/**
+ * Configurable redaction for strings that *look like secrets*:
+ * - hex (optionally 0x-prefixed)
+ * - base64 blobs
+ * - base64url blobs
+ * - base58 blobs
+ * - BIP39 mnemonics (validated)
+ *
+ * Key idea:
+ * Each detector can be given "allow" context rules that prevent redaction when
+ * extra surrounding context indicates the value is safe/expected.
+ */
+type ContextRule = {
+    /**
+     * Test this regex against a slice of the input around the match.
+     * If it matches, the match is NOT redacted.
+     */
+    re: RegExp;
+    /** How many chars to include before the match when building the slice. */
+    before?: number;
+    /** How many chars to include after the match when building the slice. */
+    after?: number;
+};
+type DetectorConfig = {
+    /**
+     * Any rule match => do not redact that specific match.
+     */
+    allow?: ContextRule[];
+};
+type RedactConfig = {
+    hex?: DetectorConfig;
+    base64?: DetectorConfig;
+    base64url?: DetectorConfig;
+    base58?: DetectorConfig;
+    mnemonic?: DetectorConfig;
+};
+declare const createRedact: (config: RedactConfig) => (text: string) => string;
+export { createRedact };
+export type { RedactConfig };

package/dist/src/redact.js

@@ -2,67 +2,135 @@ import { DeepRedact } from "@hackylabs/deep-redact/index.ts";
 import { validateMnemonic } from "@scure/bip39";
 import { wordlist } from "@scure/bip39/wordlists/english.js";
 const replacement = "[REDACTED]";
+const cloneRegex = (re) => {
+    const flags = re.flags.includes("g") ? re.flags : `${re.flags}g`;
+    return new RegExp(re.source, flags);
+};
+const sliceAround = (value, offset, matchLen, rule) => {
+    const before = rule.before ?? 10;
+    const after = rule.after ?? 0;
+    const start = Math.max(0, offset - before);
+    const end = Math.min(value.length, offset + matchLen + after);
+    return value.slice(start, end);
+};
+const shouldAllowByRules = (value, match, offset, rules) => {
+    if (!rules?.length)
+        return false;
+    for (const rule of rules) {
+        const chunk = sliceAround(value, offset, match.length, rule);
+        // If a consumer provides a /g or /y regex, .test() mutates lastIndex.
+        // Reset to ensure consistent behavior.
+        rule.re.lastIndex = 0;
+        if (rule.re.test(chunk))
+            return true;
+    }
+    return false;
+};
+const getReplaceMeta = (args) => {
+    const offset = args.at(-2);
+    const whole = args.at(-1);
+    if (typeof offset !== "number")
+        return null;
+    if (typeof whole !== "string")
+        return null;
+    return { offset, whole };
+};
+const replaceAllMatchesWithContext = (value, pattern, replacement, allow) => {
+    const re = cloneRegex(pattern);
+    return value.replace(re, (...args) => {
+        const match = args[0];
+        if (typeof match !== "string")
+            return replacement;
+        const meta = getReplaceMeta(args);
+        if (!meta)
+            return replacement;
+        if (shouldAllowByRules(meta.whole, match, meta.offset, allow))
+            return match;
+        return replacement;
+    });
+};
 /**
- * Create a redactor that censors things that *look like secrets* inside
- * strings:
- * - long hex (optionally 0x-prefixed)
- * - long base64 blobs
- * - long base58 blobs
- * - mnemonic seed phrases (validated via BIP39 english wordlist)
+ * BIP39 contextual replacer:
+ * - Only redacts if the captured phrase validates as a BIP39 mnemonic
+ * - Still supports allow-rules (to suppress redaction in “safe” contexts)
  */
-// Generic replacer: redact ALL matches within the string.
-const replaceAllMatches = (value, pattern) => value.replace(pattern, replacement);
-// Mnemonic replacer: only redact if the captured phrase is a valid BIP39 mnemonic.
-const replaceBip39MnemonicMatches = (value, pattern) => value.replace(pattern, (match, phrase) => {
-    // Normalize spacing; validateMnemonic expects words separated by single spaces
-    const normalized = phrase.trim().toLowerCase().replace(/\s+/g, " ");
-    if (!validateMnemonic(normalized, wordlist))
-        return match;
-    // Replace only the phrase portion (preserves surrounding quotes/keywords if any)
-    return match.replace(phrase, replacement);
-});
-// --- Patterns ---
-// 1) Hex secrets (API keys, hashes, tokens)
-//    - 32+ hex chars (optionally 0x)
-//    - word boundaries help avoid eating normal words
-const HEX = /\b(?:0x)?[a-fA-F0-9]{32,}\b/g;
-// 2) Base64 blobs (JWT parts, keys, encoded payloads)
-//    - requires a decent minimum length to reduce false positives
-//    - supports optional padding
-const BASE64 = /\b(?:[A-Za-z0-9+/]{4}){8,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\b/g;
-// 3) Base58 blobs (common in crypto keys/ids)
-//    - base58 alphabet excludes 0, O, I, l
-//    - require 32+ chars to reduce false positives
-const BASE58 = /\b[1-9A-HJ-NP-Za-km-z]{32,}\b/g;
-// 4) Mnemonic seed phrases
-//    We validate candidates with @scure/bip39 to avoid false positives.
-//    - 12 to 24 words separated by whitespace
-const WORD = "[a-zA-Z]{2,8}";
-const PHRASE_12_TO_24 = `(?:${WORD}\\s+){11,23}${WORD}`;
-const MNEMONIC_WITH_KEYWORD = new RegExp(
-// keyword then up to ~40 chars (like ":" or whitespace) then the phrase
-String.raw `\b(?:mnemonic|seed|recovery\s+phrase|secret\s+phrase)\b[\s:=-]{0,40}(${PHRASE_12_TO_24})\b`, "gi");
-const MNEMONIC_QUOTED = new RegExp(
-// quoted/bracketed phrase alone
-String.raw `(?:["'(\[])\s*(${PHRASE_12_TO_24})\s*(?:["')\]])`, "gi");
-// NEW: Bare mnemonic phrases (no keyword, no quotes).
-// This is what your console.log example is: just the phrase by itself.
-// Validation keeps false-positives low.
-const MNEMONIC_BARE = new RegExp(String.raw `\b(${PHRASE_12_TO_24})\b`, "gi");
-const redactor = new DeepRedact({
-    // stringTests runs regex checks against string values (including flat strings)
-    // and lets us partially redact via replacer.
-    stringTests: [
-        { pattern: HEX, replacer: replaceAllMatches },
-        { pattern: BASE64, replacer: replaceAllMatches },
-        { pattern: BASE58, replacer: replaceAllMatches },
-        { pattern: MNEMONIC_WITH_KEYWORD, replacer: replaceBip39MnemonicMatches },
-        { pattern: MNEMONIC_QUOTED, replacer: replaceBip39MnemonicMatches },
-        { pattern: MNEMONIC_BARE, replacer: replaceBip39MnemonicMatches },
-    ],
-    replacement,
-    // serialise mainly matters for objects; keeping it false avoids surprises.
-    serialise: false,
-});
-const redact = (text) => redactor.redact(text);
-export { redact };
+const replaceBip39MnemonicMatchesWithContext = (value, pattern, replacement, allow) => {
+    const re = cloneRegex(pattern);
+    return value.replace(re, (...args) => {
+        const match = args[0];
+        const phrase = args[1];
+        if (typeof match !== "string")
+            return replacement;
+        if (typeof phrase !== "string")
+            return match;
+        const meta = getReplaceMeta(args);
+        if (!meta)
+            return match;
+        if (shouldAllowByRules(meta.whole, match, meta.offset, allow))
+            return match;
+        const normalized = phrase.trim().toLowerCase().replace(/\s+/g, " ");
+        if (!validateMnemonic(normalized, wordlist))
+            return match;
+        return match.replace(phrase, replacement);
+    });
+};
+const createRedactor = (config = {}) => {
+    const HEX_MIN_LEN = 16;
+    const BASE64_MIN_BLOCKS = 4;
+    const BASE58_MIN_LEN = 16;
+    const HEX = new RegExp(String.raw `(?<![a-fA-F0-9])(?:0x)?[a-fA-F0-9]{${HEX_MIN_LEN},}(?![a-fA-F0-9])`, "g");
+    const hexAllow = config.hex?.allow ?? [];
+    const BASE64 = new RegExp(String.raw `(?<![A-Za-z0-9+/=])(?:[A-Za-z0-9+/]{4}){${BASE64_MIN_BLOCKS},}(?:[A-Za-z0-9+/]{2,3})?(?:={0,2})(?![A-Za-z0-9+/=])`, "g");
+    const base64Allow = config.base64?.allow ?? [];
+    const BASE64URL = new RegExp(String.raw `(?<![A-Za-z0-9\-_])[A-Za-z0-9\-_]{16,}(?:={0,2})?(?![A-Za-z0-9\-_])`, "g");
+    const base64urlAllow = config.base64url?.allow ?? [];
+    const BASE58 = new RegExp(String.raw `(?<![1-9A-HJ-NP-Za-km-z])[1-9A-HJ-NP-Za-km-z]{${BASE58_MIN_LEN},}(?![1-9A-HJ-NP-Za-km-z])`, "g");
+    const base58Allow = config.base58?.allow ?? [];
+    const WORD = "[a-zA-Z]{2,8}";
+    const PHRASE_12_TO_24 = `(?:${WORD}\\s+){11,23}${WORD}`;
+    const MNEMONIC = new RegExp(String.raw `(?<![A-Za-z])(${PHRASE_12_TO_24})(?![A-Za-z])`, "gi");
+    const mnemonicAllow = config.mnemonic?.allow ?? [];
+    const stringTests = [
+        {
+            pattern: HEX,
+            replacer: (v, p) => replaceAllMatchesWithContext(v, p, replacement, hexAllow),
+        },
+        {
+            pattern: BASE64URL,
+            replacer: (v, p) => replaceAllMatchesWithContext(v, p, replacement, base64urlAllow),
+        },
+        {
+            pattern: BASE64,
+            replacer: (v, p) => replaceAllMatchesWithContext(v, p, replacement, base64Allow),
+        },
+        {
+            pattern: BASE58,
+            replacer: (v, p) => replaceAllMatchesWithContext(v, p, replacement, base58Allow),
+        },
+        {
+            pattern: MNEMONIC,
+            replacer: (v, p) => replaceBip39MnemonicMatchesWithContext(v, p, replacement, mnemonicAllow),
+        },
+    ];
+    return new DeepRedact({
+        stringTests,
+        replacement,
+        serialise: false,
+    });
+};
+const createRedact = (config) => {
+    const redactor = createRedactor(config);
+    // DeepRedact applies only the first matching stringTest per pass.
+    // Run multiple passes until stable so different detectors can redact
+    // different tokens in the same string.
+    return (text) => {
+        let out = text;
+        while (true) {
+            const next = redactor.redact(out);
+            if (next === out)
+                return out;
+            out = next;
+        }
+    };
+};
+export { createRedact };

package/dist/tests/app.js

@@ -1,6 +1,8 @@
 import { setupLogging } from "../src/index.js";
 const run = async () => {
-    setupLogging();
+    setupLogging({
+        hex: { allow: [{ re: /\b(intent|hash)\b/i }] },
+    });
     console.log("Hello, this is a log");
     console.info("Hello, this is an info log");
     console.debug("Hello, this is a debug log");
@@ -8,6 +10,8 @@ const run = async () => {
     console.error("Hello, this is an error log");
     console.log("This is my seed phrase: ordinary quality amount solid fox guess peasant merit midnight noodle final brown pretty stable six fox beef engage waste uniform evoke flat survey crane");
     console.log("This is my private key: 4fa7614bdd07ab15b11d2365466536ba160c06050ade0888a3aa985a5522ab22");
+    console.log("This is log for intent c8adcfef7255ad2c117f68111500997ab66de3c923e9ea9e71aaed5829d0acb8 and private key c99960eaeecb17d77d7c88f440383ccbaf93237471236a739185c0ebd62c5741");
+    console.log("this is my Discord webhook (https://discord.com/api/webhooks/1473664170267246593/V9xRwhrxrgEIJZL8inMMiEC8wDTwrMQye-VxLyBmkH6vbeTGNNBCjqkbtnUIA_dIVh3d) URL");
     try {
         throw new Error("An Error was thrown");
     }

package/dist/tests/redact.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/tests/redact.test.js

@@ -0,0 +1,14 @@
+import { describe, expect, it } from "vitest";
+import { createRedact } from "../src/redact.js";
+describe("redact", () => {
+    it("redacts base64url", () => {
+        const redact = createRedact({});
+        const result = redact("Should base64url-ish V9xRwhrxrgEIJZL8inMMiEC8wDTwrMQye-VxLyBmkH6vbeTGNNBCjqkbtnUIA_dIVh3d data");
+        expect(result).toBe("Should base64url-ish [REDACTED] data");
+    });
+    it("redacts hex and base64url in same string", () => {
+        const redact = createRedact({});
+        const result = redact("Should redact private key (b49bd63e67e2cd11aba17befead483934939df828cb833a846c58661726d3b00) and API key (djOqmjzVb0GAGdqS0p0NtiEwvb6u1lx509JEkpDJLgnvMhmOMtBc9vqolpktd1OK7Xas)");
+        expect(result).toBe("Should redact private key ([REDACTED]) and API key ([REDACTED])");
+    });
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mynth-logger",
-  "version": "2.1.0",
+  "version": "2.1.2",
   "description": "Package to format logs for mynth microservices.",
   "main": "dist/src/index.js",
   "typings": "dist/src/index.d.ts",
@@ -32,7 +32,7 @@
   "license": "MIT",
   "repository": {
     "type": "git",
-    "url": "git@github.com-mynth:MynthAI/mynth-logger.git"
+    "url": "https://github.com/MynthAI/mynth-logger.git"
   },
   "peerDependencies": {
     "arktype": "^2.1.29"

package/src/format.ts

@@ -1,6 +1,14 @@
 import { stringify } from "@ungap/structured-clone/json";
 import { type } from "arktype";
-import { redact } from "./redact.js";
+import { createRedact, type RedactConfig } from "./redact.js";
+
+const config = {
+  redact: createRedact({}),
+};
+
+const updateConfig = (newConfig: RedactConfig) => {
+  config.redact = createRedact(newConfig);
+};
 
 const ErrorType = type({
   message: "string",
@@ -13,7 +21,7 @@ const formatItem = (item: unknown): string => {
   // Remove colors from strings
   if (typeof item === "string")
     // biome-ignore lint/suspicious/noControlCharactersInRegex: stripping ANSI escape codes
-    return redact(item.replace(/\x1b\[[0-9;]*m/g, ""));
+    return config.redact(item.replace(/\x1b\[[0-9;]*m/g, ""));
 
   // Check if this is an Error
   const error = ErrorType(item);
@@ -27,7 +35,7 @@ const formatItem = (item: unknown): string => {
     }
   })();
 
-  return redact(stringified.replace(/^'|'$/g, ""));
+  return config.redact(stringified.replace(/^'|'$/g, ""));
 };
 
 const format = (items: unknown[]): string =>
@@ -35,4 +43,4 @@ const format = (items: unknown[]): string =>
     .map((item) => formatItem(item))
     .join(" ");
 
-export { format };
+export { format, updateConfig };

package/src/logging.ts

@@ -1,22 +1,22 @@
-import { ConsolaOptions, createConsola } from "consola";
+import { createConsola } from "consola";
+import { updateConfig } from "./format.js";
+import type { RedactConfig } from "./redact.js";
 import DatadogReporter from "./reporters/datadog.js";
 import DiscordReporter from "./reporters/discord.js";
 
-const setupLogging = () => {
-  const consola = createConsola({ fancy: true, level: 5 } as Options);
+const setupLogging = (config: RedactConfig = {}) => {
+  updateConfig(config);
+  const consola = createConsola({ fancy: true, level: 5 });
 
   if (process.env.NODE_ENV === "production")
     consola.setReporters([DatadogReporter]);
-
   // Set Discord reporter as first so it can remove
   // Discord-related config before other reporters process the
   // log
-  consola.setReporters([DiscordReporter, ...consola.options.reporters]);
+  else consola.setReporters([DiscordReporter, ...consola.options.reporters]);
 
   consola.wrapConsole();
   return consola;
 };
 
-type Options = ConsolaOptions & { fancy?: boolean };
-
 export { setupLogging };

package/src/redact.ts

@@ -2,88 +2,245 @@ import { DeepRedact } from "@hackylabs/deep-redact/index.ts";
 import { validateMnemonic } from "@scure/bip39";
 import { wordlist } from "@scure/bip39/wordlists/english.js";
 
+/**
+ * Configurable redaction for strings that *look like secrets*:
+ * - hex (optionally 0x-prefixed)
+ * - base64 blobs
+ * - base64url blobs
+ * - base58 blobs
+ * - BIP39 mnemonics (validated)
+ *
+ * Key idea:
+ * Each detector can be given "allow" context rules that prevent redaction when
+ * extra surrounding context indicates the value is safe/expected.
+ */
+
+type ContextRule = {
+  /**
+   * Test this regex against a slice of the input around the match.
+   * If it matches, the match is NOT redacted.
+   */
+  re: RegExp;
+  /** How many chars to include before the match when building the slice. */
+  before?: number; // default 10
+  /** How many chars to include after the match when building the slice. */
+  after?: number; // default 0
+};
+
+type DetectorConfig = {
+  /**
+   * Any rule match => do not redact that specific match.
+   */
+  allow?: ContextRule[];
+};
+
+type RedactConfig = {
+  hex?: DetectorConfig;
+  base64?: DetectorConfig;
+  base64url?: DetectorConfig;
+  base58?: DetectorConfig;
+  mnemonic?: DetectorConfig;
+};
+
 const replacement = "[REDACTED]";
 
+const cloneRegex = (re: RegExp): RegExp => {
+  const flags = re.flags.includes("g") ? re.flags : `${re.flags}g`;
+  return new RegExp(re.source, flags);
+};
+
+const sliceAround = (
+  value: string,
+  offset: number,
+  matchLen: number,
+  rule: ContextRule,
+) => {
+  const before = rule.before ?? 10;
+  const after = rule.after ?? 0;
+
+  const start = Math.max(0, offset - before);
+  const end = Math.min(value.length, offset + matchLen + after);
+  return value.slice(start, end);
+};
+
+const shouldAllowByRules = (
+  value: string,
+  match: string,
+  offset: number,
+  rules?: ContextRule[],
+): boolean => {
+  if (!rules?.length) return false;
+  for (const rule of rules) {
+    const chunk = sliceAround(value, offset, match.length, rule);
+
+    // If a consumer provides a /g or /y regex, .test() mutates lastIndex.
+    // Reset to ensure consistent behavior.
+    rule.re.lastIndex = 0;
+
+    if (rule.re.test(chunk)) return true;
+  }
+  return false;
+};
+
+type ReplaceMeta = {
+  offset: number;
+  whole: string;
+};
+
+const getReplaceMeta = (args: unknown[]): ReplaceMeta | null => {
+  const offset = args.at(-2);
+  const whole = args.at(-1);
+  if (typeof offset !== "number") return null;
+  if (typeof whole !== "string") return null;
+  return { offset, whole };
+};
+
+const replaceAllMatchesWithContext = (
+  value: string,
+  pattern: RegExp,
+  replacement: string,
+  allow?: ContextRule[],
+) => {
+  const re = cloneRegex(pattern);
+  return value.replace(re, (...args: unknown[]) => {
+    const match = args[0];
+    if (typeof match !== "string") return replacement;
+
+    const meta = getReplaceMeta(args);
+    if (!meta) return replacement;
+
+    if (shouldAllowByRules(meta.whole, match, meta.offset, allow)) return match;
+    return replacement;
+  });
+};
+
 /**
- * Create a redactor that censors things that *look like secrets* inside
- * strings:
- * - long hex (optionally 0x-prefixed)
- * - long base64 blobs
- * - long base58 blobs
- * - mnemonic seed phrases (validated via BIP39 english wordlist)
+ * BIP39 contextual replacer:
+ * - Only redacts if the captured phrase validates as a BIP39 mnemonic
+ * - Still supports allow-rules (to suppress redaction in “safe” contexts)
  */
+const replaceBip39MnemonicMatchesWithContext = (
+  value: string,
+  pattern: RegExp,
+  replacement: string,
+  allow?: ContextRule[],
+) => {
+  const re = cloneRegex(pattern);
+  return value.replace(re, (...args: unknown[]) => {
+    const match = args[0];
+    const phrase = args[1];
+
+    if (typeof match !== "string") return replacement;
+    if (typeof phrase !== "string") return match;
+
+    const meta = getReplaceMeta(args);
+    if (!meta) return match;
 
-// Generic replacer: redact ALL matches within the string.
-const replaceAllMatches = (value: string, pattern: RegExp) =>
-  value.replace(pattern, replacement);
+    if (shouldAllowByRules(meta.whole, match, meta.offset, allow)) return match;
 
-// Mnemonic replacer: only redact if the captured phrase is a valid BIP39 mnemonic.
-const replaceBip39MnemonicMatches = (value: string, pattern: RegExp) =>
-  value.replace(pattern, (match: string, phrase: string) => {
-    // Normalize spacing; validateMnemonic expects words separated by single spaces
     const normalized = phrase.trim().toLowerCase().replace(/\s+/g, " ");
     if (!validateMnemonic(normalized, wordlist)) return match;
 
-    // Replace only the phrase portion (preserves surrounding quotes/keywords if any)
     return match.replace(phrase, replacement);
   });
+};
+
+const createRedactor = (config: RedactConfig = {}) => {
+  const HEX_MIN_LEN = 16;
+  const BASE64_MIN_BLOCKS = 4;
+  const BASE58_MIN_LEN = 16;
+
+  const HEX = new RegExp(
+    String.raw`(?<![a-fA-F0-9])(?:0x)?[a-fA-F0-9]{${HEX_MIN_LEN},}(?![a-fA-F0-9])`,
+    "g",
+  );
+  const hexAllow: ContextRule[] = config.hex?.allow ?? [];
+
+  const BASE64 = new RegExp(
+    String.raw`(?<![A-Za-z0-9+/=])(?:[A-Za-z0-9+/]{4}){${BASE64_MIN_BLOCKS},}(?:[A-Za-z0-9+/]{2,3})?(?:={0,2})(?![A-Za-z0-9+/=])`,
+    "g",
+  );
+  const base64Allow = config.base64?.allow ?? [];
+
+  const BASE64URL = new RegExp(
+    String.raw`(?<![A-Za-z0-9\-_])[A-Za-z0-9\-_]{16,}(?:={0,2})?(?![A-Za-z0-9\-_])`,
+    "g",
+  );
+  const base64urlAllow = config.base64url?.allow ?? [];
+
+  const BASE58 = new RegExp(
+    String.raw`(?<![1-9A-HJ-NP-Za-km-z])[1-9A-HJ-NP-Za-km-z]{${BASE58_MIN_LEN},}(?![1-9A-HJ-NP-Za-km-z])`,
+    "g",
+  );
+  const base58Allow = config.base58?.allow ?? [];
+
+  const WORD = "[a-zA-Z]{2,8}";
+  const PHRASE_12_TO_24 = `(?:${WORD}\\s+){11,23}${WORD}`;
+  const MNEMONIC = new RegExp(
+    String.raw`(?<![A-Za-z])(${PHRASE_12_TO_24})(?![A-Za-z])`,
+    "gi",
+  );
+  const mnemonicAllow = config.mnemonic?.allow ?? [];
+
+  const stringTests: Array<{
+    pattern: RegExp;
+    replacer: (v: string, p: RegExp) => string;
+  }> = [
+    {
+      pattern: HEX,
+      replacer: (v, p) =>
+        replaceAllMatchesWithContext(v, p, replacement, hexAllow),
+    },
+    {
+      pattern: BASE64URL,
+      replacer: (v, p) =>
+        replaceAllMatchesWithContext(v, p, replacement, base64urlAllow),
+    },
+    {
+      pattern: BASE64,
+      replacer: (v, p) =>
+        replaceAllMatchesWithContext(v, p, replacement, base64Allow),
+    },
+    {
+      pattern: BASE58,
+      replacer: (v, p) =>
+        replaceAllMatchesWithContext(v, p, replacement, base58Allow),
+    },
+    {
+      pattern: MNEMONIC,
+      replacer: (v, p) =>
+        replaceBip39MnemonicMatchesWithContext(
+          v,
+          p,
+          replacement,
+          mnemonicAllow,
+        ),
+    },
+  ];
+
+  return new DeepRedact({
+    stringTests,
+    replacement,
+    serialise: false,
+  });
+};
+
+const createRedact = (config: RedactConfig) => {
+  const redactor = createRedactor(config);
+
+  // DeepRedact applies only the first matching stringTest per pass.
+  // Run multiple passes until stable so different detectors can redact
+  // different tokens in the same string.
+  return (text: string) => {
+    let out = text;
+
+    while (true) {
+      const next = redactor.redact(out) as string;
+      if (next === out) return out;
+      out = next;
+    }
+  };
+};
 
-// --- Patterns ---
-// 1) Hex secrets (API keys, hashes, tokens)
-//    - 32+ hex chars (optionally 0x)
-//    - word boundaries help avoid eating normal words
-const HEX = /\b(?:0x)?[a-fA-F0-9]{32,}\b/g;
-
-// 2) Base64 blobs (JWT parts, keys, encoded payloads)
-//    - requires a decent minimum length to reduce false positives
-//    - supports optional padding
-const BASE64 =
-  /\b(?:[A-Za-z0-9+/]{4}){8,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\b/g;
-
-// 3) Base58 blobs (common in crypto keys/ids)
-//    - base58 alphabet excludes 0, O, I, l
-//    - require 32+ chars to reduce false positives
-const BASE58 = /\b[1-9A-HJ-NP-Za-km-z]{32,}\b/g;
-
-// 4) Mnemonic seed phrases
-//    We validate candidates with @scure/bip39 to avoid false positives.
-//    - 12 to 24 words separated by whitespace
-const WORD = "[a-zA-Z]{2,8}";
-const PHRASE_12_TO_24 = `(?:${WORD}\\s+){11,23}${WORD}`;
-
-const MNEMONIC_WITH_KEYWORD = new RegExp(
-  // keyword then up to ~40 chars (like ":" or whitespace) then the phrase
-  String.raw`\b(?:mnemonic|seed|recovery\s+phrase|secret\s+phrase)\b[\s:=-]{0,40}(${PHRASE_12_TO_24})\b`,
-  "gi",
-);
-
-const MNEMONIC_QUOTED = new RegExp(
-  // quoted/bracketed phrase alone
-  String.raw`(?:["'(\[])\s*(${PHRASE_12_TO_24})\s*(?:["')\]])`,
-  "gi",
-);
-
-// NEW: Bare mnemonic phrases (no keyword, no quotes).
-// This is what your console.log example is: just the phrase by itself.
-// Validation keeps false-positives low.
-const MNEMONIC_BARE = new RegExp(String.raw`\b(${PHRASE_12_TO_24})\b`, "gi");
-
-const redactor = new DeepRedact({
-  // stringTests runs regex checks against string values (including flat strings)
-  // and lets us partially redact via replacer.
-  stringTests: [
-    { pattern: HEX, replacer: replaceAllMatches },
-    { pattern: BASE64, replacer: replaceAllMatches },
-    { pattern: BASE58, replacer: replaceAllMatches },
-    { pattern: MNEMONIC_WITH_KEYWORD, replacer: replaceBip39MnemonicMatches },
-    { pattern: MNEMONIC_QUOTED, replacer: replaceBip39MnemonicMatches },
-    { pattern: MNEMONIC_BARE, replacer: replaceBip39MnemonicMatches },
-  ],
-  replacement,
-  // serialise mainly matters for objects; keeping it false avoids surprises.
-  serialise: false,
-});
-
-const redact = (text: string) => redactor.redact(text) as string;
-
-export { redact };
+export { createRedact };
+export type { RedactConfig };

package/tests/app.ts

@@ -1,7 +1,9 @@
 import { setupLogging } from "../src/index.js";
 
 const run = async () => {
-  setupLogging();
+  setupLogging({
+    hex: { allow: [{ re: /\b(intent|hash)\b/i }] },
+  });
 
   console.log("Hello, this is a log");
   console.info("Hello, this is an info log");
@@ -14,6 +16,12 @@ const run = async () => {
   console.log(
     "This is my private key: 4fa7614bdd07ab15b11d2365466536ba160c06050ade0888a3aa985a5522ab22",
   );
+  console.log(
+    "This is log for intent c8adcfef7255ad2c117f68111500997ab66de3c923e9ea9e71aaed5829d0acb8 and private key c99960eaeecb17d77d7c88f440383ccbaf93237471236a739185c0ebd62c5741",
+  );
+  console.log(
+    "this is my Discord webhook (https://discord.com/api/webhooks/1473664170267246593/V9xRwhrxrgEIJZL8inMMiEC8wDTwrMQye-VxLyBmkH6vbeTGNNBCjqkbtnUIA_dIVh3d) URL",
+  );
 
   try {
     throw new Error("An Error was thrown");

package/tests/redact.test.ts

@@ -0,0 +1,22 @@
+import { describe, expect, it } from "vitest";
+import { createRedact } from "../src/redact.js";
+
+describe("redact", () => {
+  it("redacts base64url", () => {
+    const redact = createRedact({});
+    const result = redact(
+      "Should base64url-ish V9xRwhrxrgEIJZL8inMMiEC8wDTwrMQye-VxLyBmkH6vbeTGNNBCjqkbtnUIA_dIVh3d data",
+    );
+    expect(result).toBe("Should base64url-ish [REDACTED] data");
+  });
+
+  it("redacts hex and base64url in same string", () => {
+    const redact = createRedact({});
+    const result = redact(
+      "Should redact private key (b49bd63e67e2cd11aba17befead483934939df828cb833a846c58661726d3b00) and API key (djOqmjzVb0GAGdqS0p0NtiEwvb6u1lx509JEkpDJLgnvMhmOMtBc9vqolpktd1OK7Xas)",
+    );
+    expect(result).toBe(
+      "Should redact private key ([REDACTED]) and API key ([REDACTED])",
+    );
+  });
+});