Skip to content

fix(security): deep-redact --debug logs, rotate debug files, guard unhandled rejections#277

Merged
cdot65 merged 2 commits into
mainfrom
cdot65/fix/debug-logger-redaction
Jul 7, 2026
Merged

fix(security): deep-redact --debug logs, rotate debug files, guard unhandled rejections#277
cdot65 merged 2 commits into
mainfrom
cdot65/fix/debug-logger-redaction

Conversation

@cdot65

@cdot65 cdot65 commented Jul 7, 2026

Copy link
Copy Markdown
Owner

Summary

Hardens the --debug fetch interceptor. Previously only authorization/x-pan-token headers were masked — and kept an 8-char prefix — while request/response bodies and query params were written to ~/.prisma-airs/debug-api-*.jsonl unredacted, and files accumulated forever.

Changes

  • Recursive body redaction (request + response) for credential-like keys (token|secret|password|credential|authorization|cookie|api[-_]?key)
  • Query-param redaction in logged URLs; response headers now redacted too
  • Sensitive headers fully masked (***) — no prefix retained
  • Debug files rotated: newest 10 kept, older pruned on install
  • New src/cli/process-guards.ts: unhandledRejection → friendly stderr message + exit 1
  • Docs: scanning.md debug section documents scrubbing + rotation

Testing

  • 12 new unit tests (redaction fns, pruning, interceptor integration with mocked fetch, process guards)
  • Full suite 640/640; lint + tsc clean

Checklist

  • TDD (failing tests committed first)
  • All gates pass locally
  • Docs updated
  • Changeset added (patch)

Closes #265

@cdot65 cdot65 merged commit a6db791 into main Jul 7, 2026
4 checks passed
@cdot65 cdot65 deleted the cdot65/fix/debug-logger-redaction branch July 7, 2026 01:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

fix(security): redact bodies/query params in --debug logger + rotate debug files

1 participant