norn-cli 1.6.1 → 1.6.2

package/out/cli/redaction.js

@@ -1,237 +0,0 @@
-"use strict";
-/**
- * Redaction module for sensitive data in CLI output
- *
- * Automatically redacts:
- * - Authorization headers (Bearer tokens, Basic auth, API keys)
- * - Common sensitive field names (password, secret, token, api_key, etc.)
- * - User-defined secrets from .nornenv `secret` declarations
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.createRedactionOptions = createRedactionOptions;
-exports.redactHeaders = redactHeaders;
-exports.redactString = redactString;
-exports.redactBody = redactBody;
-exports.redactUrl = redactUrl;
-exports.getRedactedMarker = getRedactedMarker;
-const REDACTED = '***REDACTED***';
-/**
- * Common header names that should always be redacted
- */
-const SENSITIVE_HEADERS = new Set([
-    'authorization',
-    'x-api-key',
-    'x-auth-token',
-    'x-access-token',
-    'api-key',
-    'apikey',
-    'cookie',
-    'set-cookie',
-    'x-csrf-token',
-    'x-xsrf-token',
-]);
-/**
- * Patterns for sensitive values in headers/bodies
- * These patterns match common token/key formats
- */
-const SENSITIVE_PATTERNS = [
-    // Bearer tokens
-    /Bearer\s+[A-Za-z0-9\-_=]+\.?[A-Za-z0-9\-_=]*\.?[A-Za-z0-9\-_=]*/gi,
-    // Basic auth
-    /Basic\s+[A-Za-z0-9+/=]+/gi,
-    // API keys (common formats)
-    /api[_-]?key[=:]\s*["']?[A-Za-z0-9\-_]+["']?/gi,
-];
-/**
- * Field names in JSON that should have their values redacted
- */
-const SENSITIVE_FIELD_NAMES = new Set([
-    'password',
-    'passwd',
-    'secret',
-    'token',
-    'access_token',
-    'accesstoken',
-    'refresh_token',
-    'refreshtoken',
-    'api_key',
-    'apikey',
-    'api-key',
-    'private_key',
-    'privatekey',
-    'client_secret',
-    'clientsecret',
-    'auth',
-    'authorization',
-    'credential',
-    'credentials',
-]);
-/**
- * Create default redaction options
- */
-function createRedactionOptions(secretNames = new Set(), secretValues = new Map(), enabled = true) {
-    return { secretNames, secretValues, enabled };
-}
-/**
- * Redact sensitive headers
- */
-function redactHeaders(headers, options) {
-    if (!options.enabled) {
-        return headers;
-    }
-    const redacted = {};
-    for (const [key, value] of Object.entries(headers)) {
-        const lowerKey = key.toLowerCase();
-        // Check if header name is sensitive
-        if (SENSITIVE_HEADERS.has(lowerKey)) {
-            redacted[key] = REDACTED;
-            continue;
-        }
-        // Check for Bearer/Basic patterns in value
-        let redactedValue = value;
-        for (const pattern of SENSITIVE_PATTERNS) {
-            redactedValue = redactedValue.replace(pattern, REDACTED);
-        }
-        // Check if value matches any secret values
-        redactedValue = redactSecretValues(redactedValue, options);
-        redacted[key] = redactedValue;
-    }
-    return redacted;
-}
-/**
- * Redact sensitive values in a string
- */
-function redactString(text, options) {
-    if (!options.enabled || !text) {
-        return text;
-    }
-    let result = text;
-    // Apply pattern-based redaction
-    for (const pattern of SENSITIVE_PATTERNS) {
-        result = result.replace(pattern, REDACTED);
-    }
-    // Redact user-defined secret values
-    result = redactSecretValues(result, options);
-    return result;
-}
-/**
- * Redact secret values from .nornenv
- */
-function redactSecretValues(text, options) {
-    if (!text || options.secretValues.size === 0) {
-        return text;
-    }
-    let result = text;
-    // Replace each secret value with redacted marker
-    for (const [, value] of options.secretValues) {
-        if (value && value.length > 0) {
-            // Escape special regex characters in the value
-            const escaped = value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
-            result = result.replace(new RegExp(escaped, 'g'), REDACTED);
-        }
-    }
-    return result;
-}
-/**
- * Redact sensitive fields in JSON body
- */
-function redactBody(body, options) {
-    if (!options.enabled) {
-        return body;
-    }
-    if (typeof body === 'string') {
-        // Try to parse as JSON first
-        try {
-            const parsed = JSON.parse(body);
-            return JSON.stringify(redactObject(parsed, options), null, 2);
-        }
-        catch {
-            // Not JSON, apply string redaction
-            return redactString(body, options);
-        }
-    }
-    if (typeof body === 'object' && body !== null) {
-        return redactObject(body, options);
-    }
-    return body;
-}
-/**
- * Recursively redact sensitive fields in an object
- */
-function redactObject(obj, options) {
-    if (Array.isArray(obj)) {
-        return obj.map(item => redactObject(item, options));
-    }
-    if (typeof obj !== 'object' || obj === null) {
-        if (typeof obj === 'string') {
-            return redactSecretValues(obj, options);
-        }
-        return obj;
-    }
-    const result = {};
-    for (const [key, value] of Object.entries(obj)) {
-        const lowerKey = key.toLowerCase();
-        // Check if field name indicates sensitive data
-        if (SENSITIVE_FIELD_NAMES.has(lowerKey)) {
-            result[key] = REDACTED;
-            continue;
-        }
-        // Check if this is a user-defined secret variable name
-        if (options.secretNames.has(key)) {
-            result[key] = REDACTED;
-            continue;
-        }
-        // Recursively process nested objects
-        if (typeof value === 'object' && value !== null) {
-            result[key] = redactObject(value, options);
-        }
-        else if (typeof value === 'string') {
-            result[key] = redactSecretValues(value, options);
-        }
-        else {
-            result[key] = value;
-        }
-    }
-    return result;
-}
-/**
- * Redact a URL (query parameters with sensitive names)
- */
-function redactUrl(url, options) {
-    if (!options.enabled) {
-        return url;
-    }
-    try {
-        const urlObj = new URL(url);
-        const params = new URLSearchParams(urlObj.search);
-        let modified = false;
-        for (const [key] of params.entries()) {
-            const lowerKey = key.toLowerCase();
-            if (SENSITIVE_FIELD_NAMES.has(lowerKey) ||
-                lowerKey.includes('token') ||
-                lowerKey.includes('key') ||
-                lowerKey.includes('secret') ||
-                lowerKey.includes('password')) {
-                params.set(key, REDACTED);
-                modified = true;
-            }
-        }
-        if (modified) {
-            urlObj.search = params.toString();
-            return urlObj.toString();
-        }
-        // Also redact secret values that appear in the URL
-        return redactSecretValues(url, options);
-    }
-    catch {
-        // If URL parsing fails, just do string-based redaction
-        return redactSecretValues(url, options);
-    }
-}
-/**
- * Get the redaction marker (for display purposes)
- */
-function getRedactedMarker() {
-    return REDACTED;
-}
-//# sourceMappingURL=redaction.js.map