Skip to content

dx(lint): extend no-credential-in-logger to the Nuxt package + rename lock-test + record vocab decision (#262)#309

Merged
IgorShevchik merged 1 commit into
mainfrom
claude/wizardly-archimedes-w3n7v1
Jul 3, 2026
Merged

dx(lint): extend no-credential-in-logger to the Nuxt package + rename lock-test + record vocab decision (#262)#309
IgorShevchik merged 1 commit into
mainfrom
claude/wizardly-archimedes-w3n7v1

Conversation

@IgorShevchik

Copy link
Copy Markdown
Collaborator

Closes #262 (items 2–4). Item 1 (autofix) deferred to #308.

Hardens the no-credential-in-logger ESLint rule — the lint-layer defence against the #39/#40 webhook-secret-leak class. No rule-logic change; scope + test + docs only.

Item 2 — widen scope to the Nuxt package

The rule now also lints packages/jssdk-nuxt/src/**, so a #39-class leak is caught in the Nuxt module, not just the core SDK. Only an added files glob — the matcher regexes and AST logic are untouched. Verified the rule genuinely fires there (a probe with a credential-shaped logger call under jssdk-nuxt/src is reported by ESLint).

Item 3 — vocabulary decision (auth / sessid)

Decision: keep them out of the lint layer. The linter fails loud on identifier names (auth hits author, authManager, isAdminAuth, useAuth…), so mirroring the runtime redactor vocabulary would train developers to reflexively disable the rule — eroding the control. The runtime redactSensitiveParams() (which does mask auth/sessid, confirmed at redact.ts) is the broad net; the linter is the narrow high-signal one. Recorded in the rule fileoverview with a note to add lock-spec cases if that ever changes.

Item 4 — rename the lock-test

http-logger-eslint-guard.unit.spec.tsno-credential-in-logger.unit.spec.ts (the old name was from the narrow core/http scope) + a new assertion pinning the Nuxt glob into CI.

Item 1 — deferred (#308)

IDE hasSuggestions/autofix: no single mechanical fix per rule shape, and a wrong autofix on a security rule is worse than none. Tracked as #308.

Docs

AGENTS.md "No secrets in logs" corrected — it described the guard as a core/http-only no-restricted-syntax rule; it is the custom local/no-credential-in-logger rule over the whole SDK and the Nuxt package.

Verification

  • pnpm run lint — 0 errors (1 pre-existing unrelated warning)
  • pnpm run package-jssdk:test:run-unit377 passed; lock-spec 22/22
  • pnpm --filter @bitrix24/b24jssdk typecheck — clean
  • node scripts/docs-lint.mjs --strict — 0 errors, 0 warnings

Reviewed by a 5-perspective pass (correctness, security, tester/mutation, edge/docs, tech-director) — all SHIP. The Nuxt-scope assertion is mutation-verified (removing the glob fails the lock-test); the guard is only widened, never weakened; the runtime redactor genuinely covers auth/sessid.

🤖 Generated with Claude Code

https://claude.ai/code/session_01H6MQtPUx9MZjXY2rbLZhbv


Generated by Claude Code

… lock-test + record vocab decision (#262)

Follow-up hardening of the no-credential-in-logger ESLint rule (defence-in-depth
against the #39/#40 webhook-secret-leak class). Delivers #262 items 2-4:

- Item 2 — widen scope: the rule now also lints packages/jssdk-nuxt/src/** so a
  #39-class leak is caught in the Nuxt module, not just the core SDK. Rule logic
  is unchanged — only an added `files` glob. Verified the rule genuinely fires
  there (a credential-shaped logger call under jssdk-nuxt/src is reported).
- Item 3 — vocabulary decision: `auth`/`sessid` stay OUT of the lint layer. The
  linter fails loud on identifier names (`auth` hits author/authManager/…), so
  mirroring the runtime redactor vocabulary would train developers to disable
  the rule; the runtime redactSensitiveParams() (which DOES mask auth/sessid) is
  the broad net, the linter the narrow high-signal one. Recorded in the rule
  fileoverview with a note to add lock-spec cases if that ever changes.
- Item 4 — rename the lock-test http-logger-eslint-guard.unit.spec.ts →
  no-credential-in-logger.unit.spec.ts (the old name was from the narrow
  core/http scope) and add an assertion pinning the new Nuxt glob into CI.

Item 1 (IDE hasSuggestions/autofix) is deferred to #308 — there is no single
mechanical fix per rule shape, and a wrong autofix on a security rule is worse
than none.

Docs: AGENTS.md "No secrets in logs" updated — it wrongly described the guard as
a core/http-only `no-restricted-syntax` rule; it is the custom
`local/no-credential-in-logger` rule over the whole SDK + the Nuxt package.

All 7 lock-spec cases + full unit suite (377) green; rule wiring in the Nuxt
package and the new Nuxt-scope assertion are mutation-verified.

Closes #262

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01H6MQtPUx9MZjXY2rbLZhbv
@IgorShevchik IgorShevchik merged commit dd839f4 into main Jul 3, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

no-credential-in-logger: follow-up enhancements (autofix, wider package coverage, vocab review, test rename)

2 participants