dx(lint): extend no-credential-in-logger to the Nuxt package + rename lock-test + record vocab decision (#262)#309
Merged
Conversation
… lock-test + record vocab decision (#262) Follow-up hardening of the no-credential-in-logger ESLint rule (defence-in-depth against the #39/#40 webhook-secret-leak class). Delivers #262 items 2-4: - Item 2 — widen scope: the rule now also lints packages/jssdk-nuxt/src/** so a #39-class leak is caught in the Nuxt module, not just the core SDK. Rule logic is unchanged — only an added `files` glob. Verified the rule genuinely fires there (a credential-shaped logger call under jssdk-nuxt/src is reported). - Item 3 — vocabulary decision: `auth`/`sessid` stay OUT of the lint layer. The linter fails loud on identifier names (`auth` hits author/authManager/…), so mirroring the runtime redactor vocabulary would train developers to disable the rule; the runtime redactSensitiveParams() (which DOES mask auth/sessid) is the broad net, the linter the narrow high-signal one. Recorded in the rule fileoverview with a note to add lock-spec cases if that ever changes. - Item 4 — rename the lock-test http-logger-eslint-guard.unit.spec.ts → no-credential-in-logger.unit.spec.ts (the old name was from the narrow core/http scope) and add an assertion pinning the new Nuxt glob into CI. Item 1 (IDE hasSuggestions/autofix) is deferred to #308 — there is no single mechanical fix per rule shape, and a wrong autofix on a security rule is worse than none. Docs: AGENTS.md "No secrets in logs" updated — it wrongly described the guard as a core/http-only `no-restricted-syntax` rule; it is the custom `local/no-credential-in-logger` rule over the whole SDK + the Nuxt package. All 7 lock-spec cases + full unit suite (377) green; rule wiring in the Nuxt package and the new Nuxt-scope assertion are mutation-verified. Closes #262 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01H6MQtPUx9MZjXY2rbLZhbv
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #262 (items 2–4). Item 1 (autofix) deferred to #308.
Hardens the
no-credential-in-loggerESLint rule — the lint-layer defence against the #39/#40 webhook-secret-leak class. No rule-logic change; scope + test + docs only.Item 2 — widen scope to the Nuxt package
The rule now also lints
packages/jssdk-nuxt/src/**, so a #39-class leak is caught in the Nuxt module, not just the core SDK. Only an addedfilesglob — the matcher regexes and AST logic are untouched. Verified the rule genuinely fires there (a probe with a credential-shaped logger call underjssdk-nuxt/srcis reported by ESLint).Item 3 — vocabulary decision (
auth/sessid)Decision: keep them out of the lint layer. The linter fails loud on identifier names (
authhitsauthor,authManager,isAdminAuth,useAuth…), so mirroring the runtime redactor vocabulary would train developers to reflexively disable the rule — eroding the control. The runtimeredactSensitiveParams()(which does maskauth/sessid, confirmed atredact.ts) is the broad net; the linter is the narrow high-signal one. Recorded in the rule fileoverview with a note to add lock-spec cases if that ever changes.Item 4 — rename the lock-test
http-logger-eslint-guard.unit.spec.ts→no-credential-in-logger.unit.spec.ts(the old name was from the narrowcore/httpscope) + a new assertion pinning the Nuxt glob into CI.Item 1 — deferred (#308)
IDE
hasSuggestions/autofix: no single mechanical fix per rule shape, and a wrong autofix on a security rule is worse than none. Tracked as #308.Docs
AGENTS.md"No secrets in logs" corrected — it described the guard as acore/http-onlyno-restricted-syntaxrule; it is the customlocal/no-credential-in-loggerrule over the whole SDK and the Nuxt package.Verification
pnpm run lint— 0 errors (1 pre-existing unrelated warning)pnpm run package-jssdk:test:run-unit— 377 passed; lock-spec 22/22pnpm --filter @bitrix24/b24jssdk typecheck— cleannode scripts/docs-lint.mjs --strict— 0 errors, 0 warningsReviewed by a 5-perspective pass (correctness, security, tester/mutation, edge/docs, tech-director) — all SHIP. The Nuxt-scope assertion is mutation-verified (removing the glob fails the lock-test); the guard is only widened, never weakened; the runtime redactor genuinely covers
auth/sessid.🤖 Generated with Claude Code
https://claude.ai/code/session_01H6MQtPUx9MZjXY2rbLZhbv
Generated by Claude Code