syntropylog 0.9.12 → 0.9.13

package/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## 0.9.13
+
+### Patch Changes
+
+- a1498cb: - **MaskingEngine**: On masking failure (timeout/error), return a safe fallback payload with `_maskingFailed` and allowed keys only (`level`, `timestamp`, `message`, `service`) instead of raw metadata to avoid leaking sensitive data.
+  - **RedisConnectionManager**: Call `removeAllListeners()` when client was never open in `disconnect()` to avoid listener leaks.
+  - **RedisManager**: Clear `instances` and `defaultInstance` in `shutdown()` after closing connections.
+- eca5f56: **Fix: ~3–6s delay per log call (logger.info/warn/error)**
+  - **Cause**: `MaskingEngine` used the `regex-test` package for every key×rule check. That package runs each test in a child-process worker with a single queue, so many sequential IPC round-trips added up to several seconds per log.
+  - **Change**: Built-in default rules (password, email, token, credit_card, SSN, phone) now use synchronous `RegExp.test()` in-process; they use safe, known patterns with no ReDoS risk. Custom rules added via `masking.rules` still use `regex-test` with timeout for safety.
+  - **Result**: Log calls complete in milliseconds again. README documents the behavior under "Data Masking → Performance".
+
 All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),

package/CONTRIBUTING.md

@@ -86,6 +86,16 @@ We welcome code contributions! To contribute code, please follow these steps:
 - Keep API documentation current
 - Include usage examples
 
+## Release process (maintainers)
+
+Releases use [Changesets](https://github.com/changesets/changesets) and GitHub Actions:
+
+1. **Add a changeset** when changing the library: `pnpm changeset` (choose version type and describe the change).
+2. **Push to `main`** (or merge a PR that includes the changeset). The Release workflow runs and:
+   - Creates a **"Version Packages"** PR with the version bump (e.g. 0.9.12 → 0.9.13) and CHANGELOG updates.
+   - **Publishes to npm** from that same run (so npm may already have the new version).
+3. **Merge the "Version Packages" PR** into `main`. This step is required so that `main` has the same `package.json` version and CHANGELOG as what was published to npm. If you skip it, `main` will stay on the old version while npm has the new one.
+
 ## Getting Help
 
 If you need help with your contribution, please:

package/README.md

@@ -446,6 +446,8 @@ await syntropyLog.init({
 
 > **Silent Observer guarantee**: if the masking engine fails for any reason, it returns the original object and the application keeps running — it never throws.
 
+**Performance**: Built-in rules use synchronous regex matching (safe, known patterns). Custom rules you add still use the timeout-protected `regex-test` worker to guard against ReDoS. This avoids the ~3–6s delay per log that occurred when every key was tested via the worker queue.
+
 ---
 
 ## 💾 Universal Persistence — Log to Any Database

package/dist/index.cjs

@@ -150,36 +150,42 @@ class MaskingEngine {
                 strategy: MaskingStrategy.CREDIT_CARD,
                 preserveLength: true,
                 maskChar: this.maskChar,
+                _isDefaultRule: true,
             },
             {
                 pattern: /ssn|social_security|security_number/i,
                 strategy: MaskingStrategy.SSN,
                 preserveLength: true,
                 maskChar: this.maskChar,
+                _isDefaultRule: true,
             },
             {
                 pattern: /email/i,
                 strategy: MaskingStrategy.EMAIL,
                 preserveLength: true,
                 maskChar: this.maskChar,
+                _isDefaultRule: true,
             },
             {
                 pattern: /phone|phone_number|mobile_number/i,
                 strategy: MaskingStrategy.PHONE,
                 preserveLength: true,
                 maskChar: this.maskChar,
+                _isDefaultRule: true,
             },
             {
                 pattern: /password|pass|pwd|secret/i,
                 strategy: MaskingStrategy.PASSWORD,
                 preserveLength: true,
                 maskChar: this.maskChar,
+                _isDefaultRule: true,
             },
             {
                 pattern: /token|api_key|auth_token|jwt|bearer/i,
                 strategy: MaskingStrategy.TOKEN,
                 preserveLength: true,
                 maskChar: this.maskChar,
+                _isDefaultRule: true,
             },
         ];
         for (const rule of defaultRules) {
@@ -206,8 +212,10 @@ class MaskingEngine {
     /**
      * Processes a metadata object and applies the configured masking rules.
      * Uses JSON flattening strategy for extreme performance.
+     * On failure (timeout, rule error, etc.) returns a safe redacted object with an explicit message
+     * instead of the original data, to avoid leaking sensitive content.
      * @param meta - The metadata object to process
-     * @returns A new object with the masked data
+     * @returns A new object with the masked data, or a safe fallback object if masking fails
      */
     async process(meta) {
         // Set initialized flag on first use
@@ -222,9 +230,27 @@ class MaskingEngine {
             return masked;
         }
         catch {
-            // Silent observer - return original data if masking fails
-            return meta;
+            // Do not return original data: emit a safe placeholder so sensitive payload is never logged
+            return {
+                ...MaskingEngine.buildSafeFallbackFromMeta(meta),
+                _maskingFailed: true,
+                _maskingFailedMessage: MaskingEngine.MASKING_FAILED_MESSAGE,
+            };
+        }
+    }
+    /**
+     * Builds a minimal safe object from meta (level, timestamp, message, service) for fallback.
+     * Avoids leaking any arbitrary keys/values when masking fails.
+     */
+    static buildSafeFallbackFromMeta(meta) {
+        const safe = {};
+        const allowedKeys = ['level', 'timestamp', 'message', 'service'];
+        for (const key of allowedKeys) {
+            if (key in meta && meta[key] !== undefined) {
+                safe[key] = meta[key];
+            }
         }
+        return safe;
     }
     /**
      * Applies masking rules to data recursively.
@@ -254,13 +280,20 @@ class MaskingEngine {
                     for (const rule of this.rules) {
                         let isMatch = false;
                         if (rule._compiledPattern) {
-                            try {
-                                // Use regex-test for safe execution with timeout
-                                isMatch = await this.regexTest.test(rule._compiledPattern, key);
+                            if (rule._isDefaultRule) {
+                                // Default rules use safe, known patterns (no ReDoS); sync test avoids
+                                // regex-test worker IPC queue which caused ~3–6s delay per log.
+                                isMatch = rule._compiledPattern.test(key);
                             }
-                            catch {
-                                // Silent failure on timeout/error - treat as no match
-                                isMatch = false;
+                            else {
+                                try {
+                                    // Custom rules: use regex-test for safe execution with timeout
+                                    isMatch = await this.regexTest.test(rule._compiledPattern, key);
+                                }
+                                catch {
+                                    // Silent failure on timeout/error - treat as no match
+                                    isMatch = false;
+                                }
                             }
                         }
                         if (isMatch) {
@@ -477,6 +510,8 @@ class MaskingEngine {
         }
     }
 }
+/** Message used when masking fails (e.g. timeout) so we never emit raw payload. */
+MaskingEngine.MASKING_FAILED_MESSAGE = '[SyntropyLog] Masking could not be applied (e.g. timeout or error); payload redacted for safety.';
 
 /**
  * FILE: src/config.schema.ts
@@ -3296,6 +3331,10 @@ class RedisConnectionManager {
             }
         }
         else {
+            // Client never connected or already closed: remove listeners to avoid leak
+            if (typeof this.client.removeAllListeners === 'function') {
+                this.client.removeAllListeners();
+            }
             this.logger.info('Client was not open. Quit operation effectively complete.');
         }
     }
@@ -4537,6 +4576,8 @@ class RedisManager {
         this.logger.info('Closing all Redis connections...');
         const shutdownPromises = Array.from(this.instances.values()).map((instance) => instance.quit());
         await Promise.allSettled(shutdownPromises);
+        this.instances.clear();
+        this.defaultInstance = undefined;
         this.logger.info('All Redis connections have been closed.');
     }
 }