rigjs 4.0.17 → 4.0.18

package/lib/classes/cicd/Deploy/CDN.ts

@@ -4,6 +4,7 @@ import crypto from 'crypto';
 import axios from 'axios';
 import * as uuid from 'uuid';
 import { DeployTarget } from '../CICD';
+import { redactCdnUrl } from '@/utils/redact';
 
 type TFlag = 'break' | 'enhance_break' | null;
 
@@ -64,7 +65,7 @@ class CDN {
     });
 
     const url = `http://cdn.ap-southeast-1.aliyuncs.com?${paramConfig}`;
-    console.log('cdn update url:', url);
+    console.log('cdn update url:', redactCdnUrl(url));
     const res = await axios.create().get(url);
     return res.data;
   }

package/lib/deploy/index.ts

@@ -3,6 +3,7 @@ import path from 'path';
 import CICD from '@/classes/cicd/CICD';
 import CICDCmd from '@/classes/cicd/CICDCmd';
 import AliOSS from '@/classes/cicd/Deploy/AliDeploy';
+import { redactTarget } from '@/utils/redact';
 
 let filesList: string[] = [];
 const traverseFolder = (url: string) => {
@@ -33,7 +34,7 @@ export default async (cmd: any) => {
     const target = Array.isArray(cicdCmd.cicd.target)
       ? cicdCmd.cicd.target[0]
       : cicdCmd.cicd.target;
-    console.log('oss tagert', target);
+    console.log('oss tagert', redactTarget(target));
     const aliOss = new AliOSS(target);
     console.log('Please Wait for Upload OSS...');
     if (!cicdCmd.endpoints || cicdCmd.endpoints.length === 0) {

package/lib/utils/redact.test.ts

@@ -0,0 +1,43 @@
+import { maskSecret, redactTarget, redactCdnUrl } from '@/utils/redact';
+
+test('maskSecret keeps a head+tail hint for long secrets', () => {
+	const ak = 'LTAI5t9GjXQc7itTohf68ZLq';
+	const masked = maskSecret(ak);
+	expect(masked).not.toContain('GjXQc7it'); // no middle bytes
+	expect(masked.startsWith('LTAI')).toBe(true);
+	expect(masked.endsWith('8ZLq')).toBe(true);
+});
+
+test('maskSecret returns plain mask for short / empty input', () => {
+	expect(maskSecret('')).toBe('');
+	expect(maskSecret(undefined)).toBe('');
+	expect(maskSecret('abc')).toBe('****');
+	expect(maskSecret('abcdefgh')).toBe('****');
+});
+
+test('redactTarget masks access_key / access_secret only', () => {
+	const out = redactTarget({
+		id: 'alicloud',
+		type: 'alicloud',
+		bucket: 'my-bucket',
+		region: 'oss-ap-southeast-1',
+		access_key: 'LTAI5t9GjXQc7itTohf68ZLq',
+		access_secret: '8jfykQQoK66RldfSo9YlfdLh423GXA',
+		root_path: '/',
+	});
+	expect(out.bucket).toBe('my-bucket');
+	expect(out.region).toBe('oss-ap-southeast-1');
+	expect(out.root_path).toBe('/');
+	expect(out.access_key).not.toContain('GjXQc7it');
+	expect(out.access_secret).not.toContain('QQoK66Rld');
+});
+
+test('redactCdnUrl masks AccessKeyId and Signature only', () => {
+	const url =
+		'http://cdn.ap-southeast-1.aliyuncs.com?AccessKeyId=LTAI5t9GjXQc7itTohf68ZLq&Action=BatchSetCdnDomainConfig&Signature=iUppVaZSIecVi3DhZZeBCf24Ag0%3D&Timestamp=2026-05-25T08%3A40%3A51.135Z';
+	const masked = redactCdnUrl(url);
+	expect(masked).not.toContain('LTAI5t9GjXQc7itTohf68ZLq');
+	expect(masked).not.toContain('iUppVaZSIecVi3DhZZeBCf24Ag0');
+	expect(masked).toContain('Action=BatchSetCdnDomainConfig');
+	expect(masked).toContain('Timestamp=2026-05-25');
+});

package/lib/utils/redact.ts

@@ -0,0 +1,48 @@
+// Helpers to keep cloud credentials out of stdout.
+//
+// rig's deploy/publish flow prints (a) the resolved deploy target and
+// (b) every Aliyun CDN API URL. Both carry the AccessKeyId / AccessKeySecret
+// in clear, which makes the console output unsafe to copy/paste into issues,
+// CI logs, or chat.
+//
+// Use `maskSecret` for short identifiers (keeps a head+tail hint so two
+// different keys are still distinguishable in logs), `redactTarget` before
+// console-logging a DeployTarget, and `redactCdnUrl` before logging any
+// signed Aliyun OpenAPI URL.
+
+/** Mask a credential while keeping a short prefix + suffix for debuggability. */
+export function maskSecret(s: string | undefined | null): string {
+	if (!s) return '';
+	if (s.length <= 8) return '****';
+	return `${s.slice(0, 4)}…${s.slice(-4)}`;
+}
+
+/**
+ * Return a shallow copy of a DeployTarget-shaped object with `access_key`
+ * and `access_secret` masked. Unknown keys pass through unchanged.
+ */
+export function redactTarget<T extends Record<string, any>>(target: T): T {
+	if (!target || typeof target !== 'object') return target;
+	const out: Record<string, any> = { ...target };
+	if (typeof out.access_key === 'string') out.access_key = maskSecret(out.access_key);
+	if (typeof out.access_secret === 'string') out.access_secret = maskSecret(out.access_secret);
+	return out as T;
+}
+
+/**
+ * Redact `AccessKeyId` and `Signature` query parameters from an Aliyun
+ * OpenAPI URL so the URL can be safely logged. Leaves all other params
+ * (Action, Timestamp, etc.) intact for debugging.
+ */
+export function redactCdnUrl(url: string): string {
+	if (!url) return url;
+	return url
+		.replace(/([?&]AccessKeyId=)([^&]+)/i, (_m, p1, v) => `${p1}${maskSecret(v)}`)
+		.replace(/([?&]Signature=)([^&]+)/i, (_m, p1) => `${p1}REDACTED`);
+}
+
+export default {
+	maskSecret,
+	redactTarget,
+	redactCdnUrl,
+};

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "rigjs",
-  "version": "4.0.17",
-  "versionCode": 26052424,
+  "version": "4.0.18",
+  "versionCode": 26052501,
   "description": "A multi-repos dev tool based on yarn and git.Rigjs is intended to be the simplest way to develop,share and deliver codes between different developers or different projects.",
   "keywords": [
     "modular",