react-doctor 0.2.14-dev.7b4ddf7 → 0.2.14-dev.ac3ca1a

package/README.md

@@ -71,6 +71,17 @@ React Doctor scans the files changed in the pull request, emits inline annotatio
 
 [Add GitHub Action →](https://github.com/marketplace/actions/react-doctor)
 
+### 4. Configure rules in `react-doctor.config.json`
+
+Point the `$schema` key at `https://react.doctor/schema/config.json` to get autocomplete, hover docs, and typo warnings for every option in any editor that understands JSON Schema.
+
+```jsonc
+{
+  "$schema": "https://react.doctor/schema/config.json",
+  "lint": true,
+}
+```
+
 ## Contributing
 
 [Issues welcome!](https://github.com/millionco/react-doctor/issues)

package/dist/{cli-logger-CSZagq1E.js → cli-logger-Cqq0L4Uo.js}

@@ -3189,6 +3189,7 @@ const isTailwindAtLeast = (detected, required) => {
 const JSX_FILE_PATTERN = /\.(tsx|jsx)$/;
 const MILLISECONDS_PER_SECOND = 1e3;
 const SCORE_API_URL = "https://www.react.doctor/api/score";
+const ENTERPRISE_CONTACT_URL = "https://react.doctor/enterprise";
 const SHARE_BASE_URL = "https://www.react.doctor/share";
 const PROMPTS_RULES_BASE_URL = "https://www.react.doctor/prompts/rules";
 const FETCH_TIMEOUT_MS = 1e4;
@@ -5909,6 +5910,149 @@ const appendReanimatedSharedValueHint = (help, rule, project) => {
 	if (!help) return REANIMATED_SHARED_VALUE_HINT;
 	return `${help}\n\n${REANIMATED_SHARED_VALUE_HINT}`;
 };
+const REDACTED_PLACEHOLDER = "<redacted>";
+const KEEP_PREFIX = `$1${REDACTED_PLACEHOLDER}`;
+const KNOWN_SECRET_RULES = [
+	{
+		pattern: /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g,
+		replacement: REDACTED_PLACEHOLDER
+	},
+	{
+		pattern: /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}/g,
+		replacement: REDACTED_PLACEHOLDER
+	},
+	{
+		pattern: /(?<=:\/\/)[^\s/:@]+:[^\s/@]+(?=@)/g,
+		replacement: REDACTED_PLACEHOLDER
+	},
+	{
+		pattern: /\b(AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA|A3T[A-Z0-9])[0-9A-Z]{16,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(gh[pousr]_)[A-Za-z0-9]{36,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(github_pat_)[A-Za-z0-9_]{22,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(glpat-)[A-Za-z0-9_-]{20,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(xox[baprs]-)[A-Za-z0-9-]{10,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /(?<=hooks\.slack\.com\/services\/)[A-Za-z0-9/+_-]{20,}/g,
+		replacement: REDACTED_PLACEHOLDER
+	},
+	{
+		pattern: /\b((?:sk|rk)_(?:live|test)_)[0-9A-Za-z]{10,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(sk-(?:proj-|ant-)?)[A-Za-z0-9_-]{20,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(AIza)[0-9A-Za-z_-]{35,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(ya29\.)[0-9A-Za-z_-]{20,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(npm_)[A-Za-z0-9]{36,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(SG\.)[A-Za-z0-9_-]{22,}\.[A-Za-z0-9_-]{43,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(SK)[0-9a-fA-F]{32,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(dop_v1_)[a-f0-9]{64,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(shp(?:at|ca|pa|ss)_)[a-fA-F0-9]{32,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(sq0[a-z]{3}-)[0-9A-Za-z_-]{22,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b([0-9]{8,10}:AA)[0-9A-Za-z_-]{32,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /(?<=\bBearer\s)[A-Za-z0-9._~+/=-]{16,}/g,
+		replacement: REDACTED_PLACEHOLDER
+	},
+	{
+		pattern: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g,
+		replacement: REDACTED_PLACEHOLDER
+	}
+];
+const CANDIDATE_TOKEN_PATTERN = /[A-Za-z0-9_][A-Za-z0-9_-]*/g;
+const GIT_OBJECT_ID_PATTERN = /^(?:[0-9a-f]{40}|[0-9a-f]{64})$/;
+const UUID_PATTERN = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+const HAS_LETTER_PATTERN = /[A-Za-z]/;
+const HAS_DIGIT_PATTERN = /[0-9]/;
+const shannonEntropyBits = (value) => {
+	const counts = /* @__PURE__ */ new Map();
+	for (const char of value) counts.set(char, (counts.get(char) ?? 0) + 1);
+	let bits = 0;
+	for (const count of counts.values()) {
+		const probability = count / value.length;
+		bits -= probability * Math.log2(probability);
+	}
+	return bits;
+};
+const looksLikeHighEntropySecret = (token) => {
+	if (token.length < 32) return false;
+	if (!HAS_LETTER_PATTERN.test(token) || !HAS_DIGIT_PATTERN.test(token)) return false;
+	if (GIT_OBJECT_ID_PATTERN.test(token) || UUID_PATTERN.test(token)) return false;
+	return shannonEntropyBits(token) >= 3;
+};
+const redactHighEntropyTokens = (text) => text.replace(CANDIDATE_TOKEN_PATTERN, (token) => looksLikeHighEntropySecret(token) ? REDACTED_PLACEHOLDER : token);
+/**
+* Masks API keys, tokens, private keys, credentialed URLs, and emails
+* found anywhere inside a free-text string, returning the scrubbed text.
+* Applied to every diagnostic's `message` / `help` at construction time
+* so secrets never reach the terminal, the JSON report, or the score
+* API — react-doctor must never echo or transmit a user's secrets.
+*
+* Provider tokens keep their non-secret, type-identifying prefix (e.g.
+* `sk_live_<redacted>`, `ghp_<redacted>`, `AKIA<redacted>`) so the leaked
+* credential's type stays visible; structural or unknown-format secrets
+* with no meaningful prefix are masked whole.
+*
+* Runs the high-precision known-shape detectors first, then a generic
+* entropy-gated sweep for unknown-format secrets. Idempotent: the inert
+* `<redacted>` placeholder matches none of the detectors and is too
+* short for the generic sweep, so re-running leaves the text unchanged.
+*
+* Accepts `unknown` on purpose: callers feed it diagnostic `message` /
+* `help` that originate from oxlint JSON, which is only shape-checked at
+* the top level (the per-field `string` types are assumed, not validated).
+* A malformed non-string value returns `""` instead of throwing on
+* `.replace`, so one bad diagnostic can't abort parsing the whole batch.
+*/
+const redactSensitiveText = (text) => {
+	if (typeof text !== "string" || text === "") return "";
+	let redacted = text;
+	for (const rule of KNOWN_SECRET_RULES) redacted = redacted.replace(rule.pattern, rule.replacement);
+	return redactHighEntropyTokens(redacted);
+};
 const REACT_MODULE_SOURCE = "react";
 const REQUIRE_IDENTIFIER = "require";
 const USE_IDENTIFIER = "use";
@@ -6230,6 +6374,13 @@ const getRuleRecommendation = (ruleName, project) => {
 };
 const getRuleCategory = (ruleName) => reactDoctorPlugin.rules[ruleName]?.category;
 const cleanDiagnosticMessage = (message, help, plugin, rule, project) => {
+	const cleaned = resolveCleanedDiagnostic(typeof message === "string" ? message : "", typeof help === "string" ? help : "", plugin, rule, project);
+	return {
+		message: redactSensitiveText(cleaned.message),
+		help: redactSensitiveText(cleaned.help)
+	};
+};
+const resolveCleanedDiagnostic = (message, help, plugin, rule, project) => {
 	if (plugin === "react-hooks-js") return {
 		message: REACT_COMPILER_MESSAGE,
 		help: appendReanimatedSharedValueHint(message.replace(FILEPATH_WITH_LOCATION_PATTERN, "").trim() || help, rule, project)
@@ -6434,11 +6585,14 @@ const spawnLintBatches = async (input) => {
 				onFileProgress(scannedFileCount + batchFileIndex, totalFileCount);
 			}
 		}, 50) : null;
-		const batchDiagnostics = await spawnLintBatch(batch);
-		if (progressInterval !== null) clearInterval(progressInterval);
-		allDiagnostics.push(...batchDiagnostics);
-		scannedFileCount += batch.length;
-		onFileProgress?.(scannedFileCount, totalFileCount);
+		try {
+			const batchDiagnostics = await spawnLintBatch(batch);
+			allDiagnostics.push(...batchDiagnostics);
+			scannedFileCount += batch.length;
+			onFileProgress?.(scannedFileCount, totalFileCount);
+		} finally {
+			if (progressInterval !== null) clearInterval(progressInterval);
+		}
 	}
 	if (droppedFiles.length > 0 && onPartialFailure) {
 		const previewFiles = droppedFiles.slice(0, 3).join(", ");
@@ -7559,6 +7713,6 @@ const cliLogger = {
 	}
 };
 //#endregion
-export { isMonorepoRoot as A, filterDiagnosticsForSurface as C, getDiffInfo as D, formatReactDoctorError as E, restoreLegacyThrow as F, runInspect as I, toRelativePath as L, layerOtlp as M, listWorkspacePackages as N, groupBy as O, resolveScanTarget as P, discoverReactSubprojects as S, formatErrorChain as T, Score as _, DeadCode as a, buildJsonReportError as b, LintPartialFailures as c, OXLINT_NODE_REQUIREMENT as d, Progress as f, SKILL_NAME as g, SHARE_BASE_URL as h, Config as i, isReactDoctorError as j, highlighter as k, Linter as l, Reporter as m, cli_logger_exports as n, Files as o, Project as p, CANONICAL_GITHUB_URL as r, Git as s, cliLogger as t, NodeResolver as u, StagedFiles as v, filterSourceFiles as w, buildRulePromptUrl as x, buildJsonReport as y };
+export { highlighter as A, discoverReactSubprojects as C, formatReactDoctorError as D, formatErrorChain as E, resolveScanTarget as F, restoreLegacyThrow as I, runInspect as L, isReactDoctorError as M, layerOtlp as N, getDiffInfo as O, listWorkspacePackages as P, toRelativePath as R, buildRulePromptUrl as S, filterSourceFiles as T, SKILL_NAME as _, DeadCode as a, buildJsonReport as b, Git as c, NodeResolver as d, OXLINT_NODE_REQUIREMENT as f, SHARE_BASE_URL as g, Reporter as h, Config as i, isMonorepoRoot as j, groupBy as k, LintPartialFailures as l, Project as m, cli_logger_exports as n, ENTERPRISE_CONTACT_URL as o, Progress as p, CANONICAL_GITHUB_URL as r, Files as s, cliLogger as t, Linter as u, Score as v, filterDiagnosticsForSurface as w, buildJsonReportError as x, StagedFiles as y };
 
-//# sourceMappingURL=cli-logger-CSZagq1E.js.map
+//# sourceMappingURL=cli-logger-Cqq0L4Uo.js.map

package/dist/cli.js

@@ -1,5 +1,5 @@
 import { i as __toESM, n as __exportAll, r as __require, t as __commonJSMin } from "./rolldown-runtime-uZX_iqCz.js";
-import { A as isMonorepoRoot, C as filterDiagnosticsForSurface, D as getDiffInfo, E as formatReactDoctorError, F as restoreLegacyThrow, I as runInspect, L as toRelativePath, M as layerOtlp, N as listWorkspacePackages, O as groupBy, P as resolveScanTarget, S as discoverReactSubprojects, T as formatErrorChain, _ as Score, a as DeadCode, b as buildJsonReportError, c as LintPartialFailures, d as OXLINT_NODE_REQUIREMENT, f as Progress, g as SKILL_NAME, h as SHARE_BASE_URL, i as Config, j as isReactDoctorError, k as highlighter, l as Linter, m as Reporter, o as Files, p as Project, r as CANONICAL_GITHUB_URL, s as Git, t as cliLogger, u as NodeResolver, v as StagedFiles, w as filterSourceFiles, x as buildRulePromptUrl, y as buildJsonReport } from "./cli-logger-CSZagq1E.js";
+import { A as highlighter, C as discoverReactSubprojects, D as formatReactDoctorError, E as formatErrorChain, F as resolveScanTarget, I as restoreLegacyThrow, L as runInspect, M as isReactDoctorError, N as layerOtlp, O as getDiffInfo, P as listWorkspacePackages, R as toRelativePath, S as buildRulePromptUrl, T as filterSourceFiles, _ as SKILL_NAME, a as DeadCode, b as buildJsonReport, c as Git, d as NodeResolver, f as OXLINT_NODE_REQUIREMENT, g as SHARE_BASE_URL, h as Reporter, i as Config, j as isMonorepoRoot, k as groupBy, l as LintPartialFailures, m as Project, o as ENTERPRISE_CONTACT_URL, p as Progress, r as CANONICAL_GITHUB_URL, s as Files, t as cliLogger, u as Linter, v as Score, w as filterDiagnosticsForSurface, x as buildJsonReportError, y as StagedFiles } from "./cli-logger-Cqq0L4Uo.js";
 import { createRequire } from "node:module";
 import { execFileSync, execSync } from "node:child_process";
 import path, { join } from "node:path";
@@ -6161,6 +6161,12 @@ const makeNoopConsole = () => ({
 	warn: () => {}
 });
 //#endregion
+//#region src/cli/utils/build-no-score-message.ts
+const ENTERPRISE_CONTACT_HINT = `Want something custom to your company? Contact us at ${ENTERPRISE_CONTACT_URL}.`;
+const buildNoScoreMessage = (isScoreDisabled) => {
+	return `${isScoreDisabled ? "Score disabled by --no-score." : "Score unavailable (could not reach the score API)."} ${ENTERPRISE_CONTACT_HINT}`;
+};
+//#endregion
 //#region src/cli/utils/render-agent-guidance.ts
 const AGENT_GUIDANCE_LINES = [
 	"Treat React Doctor diagnostics as starting hypotheses. Read the relevant code before confirming or suppressing each finding.",
@@ -6680,7 +6686,7 @@ const resolveOxlintNodeEffect = (isLintEnabled, isQuiet) => Effect.gen(function*
 const resolveOxlintNode = (isLintEnabled, isQuiet) => Effect.runPromise(resolveOxlintNodeEffect(isLintEnabled, isQuiet).pipe(Effect.provide(NodeResolver.layerNode)));
 //#endregion
 //#region src/cli/utils/version.ts
-const VERSION = "0.2.14-dev.7b4ddf7";
+const VERSION = "0.2.14-dev.ac3ca1a";
 //#endregion
 //#region src/inspect.ts
 const silentConsole = makeNoopConsole();
@@ -6804,7 +6810,7 @@ const finalizeAndRender = (input) => Effect.gen(function* () {
 	if (didLintFail) skippedChecks.push("lint");
 	if (didDeadCodeFail) skippedChecks.push("dead-code");
 	const hasSkippedChecks = skippedChecks.length > 0;
-	const noScoreMessage = options.noScore ? "Score disabled by --no-score." : "Score unavailable (could not reach the score API).";
+	const noScoreMessage = buildNoScoreMessage(options.noScore);
 	const skippedCheckReasons = {};
 	if (didLintFail && lintFailureReason !== null) skippedCheckReasons.lint = lintFailureReason;
 	else if (lintPartialFailures.length > 0) skippedCheckReasons["lint:partial"] = lintPartialFailures.join("; ");
@@ -7501,7 +7507,7 @@ const warnSetupPromptFailure = async (options, error) => {
 		return;
 	}
 	try {
-		const { cliLogger } = await import("./cli-logger-CSZagq1E.js").then((n) => n.n);
+		const { cliLogger } = await import("./cli-logger-Cqq0L4Uo.js").then((n) => n.n);
 		cliLogger.warn(message);
 	} catch {}
 };

package/dist/index.d.ts

@@ -20,9 +20,9 @@ interface ReactDoctorIgnoreConfig {
  * locally but excluded from PR comments, the score, or the CI gate:
  *
  * - `cli` — local terminal output from `react-doctor` (`printDiagnostics`).
- * - `prComment` — output captured by the GitHub Action for the sticky
- *   PR comment. Enabled when the CLI is run with `--pr-comment` (the
- *   action sets this automatically when `github-token` is provided).
+ * - `prComment` — diagnostics destined for a sticky pull-request
+ *   summary comment. Selected by running the CLI with `--pr-comment`
+ *   (sets `outputSurface: "prComment"`).
  * - `score` — diagnostics shipped to the React Doctor score API
  *   (or counted toward local score calculations).
  * - `ciFailure` — diagnostics that count toward the `--fail-on` exit

package/dist/index.js

@@ -5939,6 +5939,149 @@ const appendReanimatedSharedValueHint = (help, rule, project) => {
 	if (!help) return REANIMATED_SHARED_VALUE_HINT;
 	return `${help}\n\n${REANIMATED_SHARED_VALUE_HINT}`;
 };
+const REDACTED_PLACEHOLDER = "<redacted>";
+const KEEP_PREFIX = `$1${REDACTED_PLACEHOLDER}`;
+const KNOWN_SECRET_RULES = [
+	{
+		pattern: /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g,
+		replacement: REDACTED_PLACEHOLDER
+	},
+	{
+		pattern: /\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}/g,
+		replacement: REDACTED_PLACEHOLDER
+	},
+	{
+		pattern: /(?<=:\/\/)[^\s/:@]+:[^\s/@]+(?=@)/g,
+		replacement: REDACTED_PLACEHOLDER
+	},
+	{
+		pattern: /\b(AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA|A3T[A-Z0-9])[0-9A-Z]{16,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(gh[pousr]_)[A-Za-z0-9]{36,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(github_pat_)[A-Za-z0-9_]{22,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(glpat-)[A-Za-z0-9_-]{20,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(xox[baprs]-)[A-Za-z0-9-]{10,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /(?<=hooks\.slack\.com\/services\/)[A-Za-z0-9/+_-]{20,}/g,
+		replacement: REDACTED_PLACEHOLDER
+	},
+	{
+		pattern: /\b((?:sk|rk)_(?:live|test)_)[0-9A-Za-z]{10,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(sk-(?:proj-|ant-)?)[A-Za-z0-9_-]{20,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(AIza)[0-9A-Za-z_-]{35,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(ya29\.)[0-9A-Za-z_-]{20,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(npm_)[A-Za-z0-9]{36,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(SG\.)[A-Za-z0-9_-]{22,}\.[A-Za-z0-9_-]{43,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(SK)[0-9a-fA-F]{32,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(dop_v1_)[a-f0-9]{64,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(shp(?:at|ca|pa|ss)_)[a-fA-F0-9]{32,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b(sq0[a-z]{3}-)[0-9A-Za-z_-]{22,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /\b([0-9]{8,10}:AA)[0-9A-Za-z_-]{32,}/g,
+		replacement: KEEP_PREFIX
+	},
+	{
+		pattern: /(?<=\bBearer\s)[A-Za-z0-9._~+/=-]{16,}/g,
+		replacement: REDACTED_PLACEHOLDER
+	},
+	{
+		pattern: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g,
+		replacement: REDACTED_PLACEHOLDER
+	}
+];
+const CANDIDATE_TOKEN_PATTERN = /[A-Za-z0-9_][A-Za-z0-9_-]*/g;
+const GIT_OBJECT_ID_PATTERN = /^(?:[0-9a-f]{40}|[0-9a-f]{64})$/;
+const UUID_PATTERN = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+const HAS_LETTER_PATTERN = /[A-Za-z]/;
+const HAS_DIGIT_PATTERN = /[0-9]/;
+const shannonEntropyBits = (value) => {
+	const counts = /* @__PURE__ */ new Map();
+	for (const char of value) counts.set(char, (counts.get(char) ?? 0) + 1);
+	let bits = 0;
+	for (const count of counts.values()) {
+		const probability = count / value.length;
+		bits -= probability * Math.log2(probability);
+	}
+	return bits;
+};
+const looksLikeHighEntropySecret = (token) => {
+	if (token.length < 32) return false;
+	if (!HAS_LETTER_PATTERN.test(token) || !HAS_DIGIT_PATTERN.test(token)) return false;
+	if (GIT_OBJECT_ID_PATTERN.test(token) || UUID_PATTERN.test(token)) return false;
+	return shannonEntropyBits(token) >= 3;
+};
+const redactHighEntropyTokens = (text) => text.replace(CANDIDATE_TOKEN_PATTERN, (token) => looksLikeHighEntropySecret(token) ? REDACTED_PLACEHOLDER : token);
+/**
+* Masks API keys, tokens, private keys, credentialed URLs, and emails
+* found anywhere inside a free-text string, returning the scrubbed text.
+* Applied to every diagnostic's `message` / `help` at construction time
+* so secrets never reach the terminal, the JSON report, or the score
+* API — react-doctor must never echo or transmit a user's secrets.
+*
+* Provider tokens keep their non-secret, type-identifying prefix (e.g.
+* `sk_live_<redacted>`, `ghp_<redacted>`, `AKIA<redacted>`) so the leaked
+* credential's type stays visible; structural or unknown-format secrets
+* with no meaningful prefix are masked whole.
+*
+* Runs the high-precision known-shape detectors first, then a generic
+* entropy-gated sweep for unknown-format secrets. Idempotent: the inert
+* `<redacted>` placeholder matches none of the detectors and is too
+* short for the generic sweep, so re-running leaves the text unchanged.
+*
+* Accepts `unknown` on purpose: callers feed it diagnostic `message` /
+* `help` that originate from oxlint JSON, which is only shape-checked at
+* the top level (the per-field `string` types are assumed, not validated).
+* A malformed non-string value returns `""` instead of throwing on
+* `.replace`, so one bad diagnostic can't abort parsing the whole batch.
+*/
+const redactSensitiveText = (text) => {
+	if (typeof text !== "string" || text === "") return "";
+	let redacted = text;
+	for (const rule of KNOWN_SECRET_RULES) redacted = redacted.replace(rule.pattern, rule.replacement);
+	return redactHighEntropyTokens(redacted);
+};
 const REACT_MODULE_SOURCE = "react";
 const REQUIRE_IDENTIFIER = "require";
 const USE_IDENTIFIER = "use";
@@ -6260,6 +6403,13 @@ const getRuleRecommendation = (ruleName, project) => {
 };
 const getRuleCategory = (ruleName) => reactDoctorPlugin.rules[ruleName]?.category;
 const cleanDiagnosticMessage = (message, help, plugin, rule, project) => {
+	const cleaned = resolveCleanedDiagnostic(typeof message === "string" ? message : "", typeof help === "string" ? help : "", plugin, rule, project);
+	return {
+		message: redactSensitiveText(cleaned.message),
+		help: redactSensitiveText(cleaned.help)
+	};
+};
+const resolveCleanedDiagnostic = (message, help, plugin, rule, project) => {
 	if (plugin === "react-hooks-js") return {
 		message: REACT_COMPILER_MESSAGE,
 		help: appendReanimatedSharedValueHint(message.replace(FILEPATH_WITH_LOCATION_PATTERN, "").trim() || help, rule, project)
@@ -6464,11 +6614,14 @@ const spawnLintBatches = async (input) => {
 				onFileProgress(scannedFileCount + batchFileIndex, totalFileCount);
 			}
 		}, 50) : null;
-		const batchDiagnostics = await spawnLintBatch(batch);
-		if (progressInterval !== null) clearInterval(progressInterval);
-		allDiagnostics.push(...batchDiagnostics);
-		scannedFileCount += batch.length;
-		onFileProgress?.(scannedFileCount, totalFileCount);
+		try {
+			const batchDiagnostics = await spawnLintBatch(batch);
+			allDiagnostics.push(...batchDiagnostics);
+			scannedFileCount += batch.length;
+			onFileProgress?.(scannedFileCount, totalFileCount);
+		} finally {
+			if (progressInterval !== null) clearInterval(progressInterval);
+		}
 	}
 	if (droppedFiles.length > 0 && onPartialFailure) {
 		const previewFiles = droppedFiles.slice(0, 3).join(", ");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "react-doctor",
-  "version": "0.2.14-dev.7b4ddf7",
+  "version": "0.2.14-dev.ac3ca1a",
   "description": "Diagnose and fix React codebases for security, performance, correctness, accessibility, bundle-size, and architecture issues",
   "keywords": [
     "accessibility",
@@ -52,20 +52,20 @@
     "@effect/platform-node-shared": "4.0.0-beta.70",
     "agent-install": "0.0.5",
     "conf": "^15.1.0",
-    "deslop-js": "^0.0.13",
+    "deslop-js": "^0.0.14",
     "effect": "4.0.0-beta.70",
     "eslint-plugin-react-hooks": "^7.1.1",
     "oxlint": "^1.66.0",
     "prompts": "^2.4.2",
     "typescript": ">=5.0.4 <7",
-    "oxlint-plugin-react-doctor": "0.2.14-dev.7b4ddf7"
+    "oxlint-plugin-react-doctor": "0.2.14-dev.ac3ca1a"
   },
   "devDependencies": {
     "@types/prompts": "^2.4.9",
     "commander": "^14.0.3",
     "ora": "^9.4.0",
-    "@react-doctor/api": "0.2.14",
-    "@react-doctor/core": "0.2.14"
+    "@react-doctor/core": "0.2.14",
+    "@react-doctor/api": "0.2.14"
   },
   "engines": {
     "node": "^20.19.0 || >=22.12.0"