feat: implement log redaction and semantic parser enhancements (#1)

* feat: implement log redaction and semantic parser enhancements

- Add redactSecrets to mask credentials in audit logs
- Improve analyzeShellCommand to identify path-based commands (/usr/bin/rm)
- Finalize v0.2.0 architectural leap with full validation

* style: fix formatting in redactor tests

---------

Co-authored-by: nadav <isr.nadav@gmail.com>

Author: node9ai

examples/demo.ts

@@ -13,8 +13,9 @@ async function main() {
 
   try {
     await secureDelete('production-db-v1');
-  } catch (err: any) {
-    console.log(chalk.yellow(`\n🛡️ Node9 caught it: ${err.message}`));
+  } catch (err: unknown) {
+    const msg = err instanceof Error ? err.message : String(err);
+    console.log(chalk.yellow(`\n🛡️ Node9 caught it: ${msg}`));
   }
 }
 

package.json

@@ -54,12 +54,14 @@
     "test": "vitest run",
     "test:watch": "vitest",
     "typecheck": "tsc --noEmit",
-    "lint": "eslint src/",
-    "lint:fix": "eslint src/ --fix",
-    "format": "prettier --write src/",
-    "format:check": "prettier --check src/",
+    "lint": "eslint .",
+    "lint:fix": "eslint . --fix",
+    "format": "prettier --write .",
+    "format:check": "prettier --check .",
+    "fix": "npm run format && npm run lint:fix",
+    "validate": "npm run format && npm run lint && npm run typecheck && npm run test && npm run test:e2e && npm run build",
     "test:e2e": "bash scripts/e2e.sh",
-    "prepublishOnly": "npm run build"
+    "prepublishOnly": "npm run validate"
   },
   "dependencies": {
     "@inquirer/prompts": "^8.3.0",

src/__tests__/redactor.test.ts

@@ -0,0 +1,43 @@
+import { describe, it, expect } from 'vitest';
+import { redactSecrets } from '../core';
+
+describe('redactSecrets', () => {
+  it('masks authorization bearer headers but keeps prefix', () => {
+    const input = 'curl -H "Authorization: Bearer sk-1234567890abcdef"';
+    const output = redactSecrets(input);
+    expect(output).toContain('Authorization: Bearer ********');
+    expect(output).not.toContain('sk-1234567890abcdef');
+  });
+
+  it('masks api keys but keeps labels', () => {
+    expect(redactSecrets('api_key="ABCDEFGHIJ1234567890"')).toContain('api_key="********');
+    expect(redactSecrets('apikey: KEY_VALUE_9876543210')).toContain('apikey: ********');
+    expect(redactSecrets('API-KEY=SOME_SECRET_VALUE_HERE')).toContain('API-KEY=********');
+  });
+
+  it('masks tokens and passwords', () => {
+    expect(redactSecrets('GITHUB_TOKEN=token_1234567890abcdefghijk')).toContain(
+      'GITHUB_TOKEN=********'
+    );
+    expect(redactSecrets('password: "password_example_123"')).toContain('password: "********');
+  });
+
+  it('masks generic long entropy strings', () => {
+    const input = 'The hash is a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6a7b8c9d0e1f2';
+    const output = redactSecrets(input);
+    expect(output).toContain('********');
+  });
+
+  it('does not mask short, safe words', () => {
+    const input = 'npm install express';
+    const output = redactSecrets(input);
+    expect(output).toBe(input);
+  });
+
+  it('handles JSON strings correctly', () => {
+    const obj = { command: 'curl -H "Authorization: Bearer 12345678901234567890"' };
+    const input = JSON.stringify(obj);
+    const output = redactSecrets(input);
+    expect(output).toContain('Bearer ********');
+  });
+});

src/cli.ts

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { Command } from 'commander';
-import { authorizeAction, authorizeHeadless } from './core';
+import { authorizeAction, authorizeHeadless, redactSecrets } from './core';
 import { setupClaude, setupGemini, setupCursor } from './setup';
 import { spawn } from 'child_process';
 import { parseCommandString } from 'execa';
@@ -94,6 +94,9 @@ program
     if (target === 'claude') return await setupClaude();
     if (target === 'cursor') return await setupCursor();
   });
+
+import { DANGEROUS_WORDS } from './core';
+
 // 3. INIT
 program
   .command('init')
@@ -182,7 +185,7 @@ program
             decision: 'block',
             reason: msg,
             hookSpecificOutput: {
-              hookEventName: 'PreToolUse',
+              hookEvent_name: 'PreToolUse',
               permissionDecision: 'deny',
               permissionDecisionReason: msg,
             },
@@ -219,11 +222,14 @@ program
       try {
         if (!raw || raw.trim() === '') process.exit(0);
         const payload = JSON.parse(raw) as { tool_name?: string; tool_input?: unknown };
+
+        // Redact secrets from the input before stringifying for the log
         const entry = {
           ts: new Date().toISOString(),
           tool: sanitize(payload.tool_name ?? 'unknown'),
-          input: payload.tool_input,
+          input: JSON.parse(redactSecrets(JSON.stringify(payload.tool_input || {}))),
         };
+
         const logPath = path.join(os.homedir(), '.node9', 'audit.log');
         if (!fs.existsSync(path.dirname(logPath)))
           fs.mkdirSync(path.dirname(logPath), { recursive: true });
@@ -268,5 +274,4 @@ program
     }
   });
 
-import { DANGEROUS_WORDS } from './core';
 program.parse();