build: update bundled dist files

Author: actions-user

dist/index.js

@@ -1,8 +1,8 @@
 #!/usr/bin/env node
 process.env.VISOR_VERSION = '0.1.42';
 process.env.PROBE_VERSION = '0.6.0-rc196';
-process.env.VISOR_COMMIT_SHA = '8a20306e9bc48e85fc025cf8da037d8728958df9';
-process.env.VISOR_COMMIT_SHORT = '8a20306e';
+process.env.VISOR_COMMIT_SHA = '187c3397892ea711fe760101774035e24dd3639a';
+process.env.VISOR_COMMIT_SHORT = '187c3397';
 /******/ (() => { // webpackBootstrap
 /******/ 	var __webpack_modules__ = ({
 
@@ -138833,7 +138833,8 @@ class AICheckProvider extends check_provider_interface_1.CheckProvider {
         // Fallback NDJSON for input context (non-OTEL environments)
         try {
             const checkId = config.checkName || config.id || 'unknown';
-            const ctxJson = JSON.stringify(templateContext);
+            // Sanitize context to avoid leaking API keys in traces
+            const ctxJson = JSON.stringify((0, state_capture_1.sanitizeContextForTelemetry)(templateContext));
             const { emitNdjsonSpanWithEvents } = __nccwpck_require__(35938);
             emitNdjsonSpanWithEvents('visor.check', { 'visor.check.id': checkId, 'visor.check.input.context': ctxJson }, []);
         }
@@ -140125,7 +140126,8 @@ class CommandCheckProvider extends check_provider_interface_1.CheckProvider {
         // Fallback NDJSON for input context (non-OTEL environments)
         try {
             const checkId = config.checkName || config.id || 'unknown';
-            const ctxJson = JSON.stringify(templateContext);
+            // Sanitize context to avoid leaking API keys in traces
+            const ctxJson = JSON.stringify((0, state_capture_1.sanitizeContextForTelemetry)(templateContext));
             const { emitNdjsonSpanWithEvents } = __nccwpck_require__(35938);
             // Emit both start and completion markers together for deterministic E2E assertions
             emitNdjsonSpanWithEvents('visor.check', { 'visor.check.id': checkId, 'visor.check.input.context': ctxJson }, [{ name: 'check.started' }, { name: 'check.completed' }]);
@@ -158754,6 +158756,7 @@ function patchConsole() {
  * attributes, enabling time-travel debugging and full state inspection.
  */
 Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.sanitizeContextForTelemetry = sanitizeContextForTelemetry;
 exports.captureCheckInputContext = captureCheckInputContext;
 exports.captureCheckOutput = captureCheckOutput;
 exports.captureForEachState = captureForEachState;
@@ -158765,6 +158768,47 @@ exports.captureRoutingDecision = captureRoutingDecision;
 exports.captureStateSnapshot = captureStateSnapshot;
 const MAX_ATTRIBUTE_LENGTH = 10000; // Truncate large values
 const MAX_ARRAY_ITEMS = 100; // Limit array size in attributes
+// Patterns that indicate sensitive environment variables (case-insensitive)
+const SENSITIVE_ENV_PATTERNS = [
+    /api[_-]?key/i,
+    /secret/i,
+    /token/i,
+    /password/i,
+    /auth/i,
+    /credential/i,
+    /private[_-]?key/i,
+    /^sk-/i, // OpenAI-style keys
+    /^AIza/i, // Google API keys
+];
+/**
+ * Check if an environment variable name is sensitive
+ */
+function isSensitiveEnvVar(name) {
+    return SENSITIVE_ENV_PATTERNS.some(pattern => pattern.test(name));
+}
+/**
+ * Sanitize context for telemetry by redacting sensitive environment variables.
+ * Returns a new object with env values redacted (keys preserved).
+ */
+function sanitizeContextForTelemetry(context) {
+    if (!context || typeof context !== 'object')
+        return context;
+    const sanitized = { ...context };
+    // Sanitize env object if present
+    if (sanitized.env && typeof sanitized.env === 'object') {
+        const sanitizedEnv = {};
+        for (const [key, value] of Object.entries(sanitized.env)) {
+            if (isSensitiveEnvVar(key)) {
+                sanitizedEnv[key] = '[REDACTED]';
+            }
+            else {
+                sanitizedEnv[key] = String(value);
+            }
+        }
+        sanitized.env = sanitizedEnv;
+    }
+    return sanitized;
+}
 /**
  * Safely serialize a value for OTEL span attributes.
  * Handles truncation, circular refs, and type conversions.
@@ -158801,21 +158845,24 @@ function safeSerialize(value, maxLength = MAX_ATTRIBUTE_LENGTH) {
  */
 function captureCheckInputContext(span, context) {
     try {
+        // Sanitize context to redact sensitive env vars before capturing
+        const sanitizedContext = sanitizeContextForTelemetry(context);
         // Capture key context variables
-        const keys = Object.keys(context);
+        const keys = Object.keys(sanitizedContext);
         span.setAttribute('visor.check.input.keys', keys.join(','));
         span.setAttribute('visor.check.input.count', keys.length);
-        // Capture full context as JSON (with size limit)
-        span.setAttribute('visor.check.input.context', safeSerialize(context));
+        // Capture full context as JSON (with size limit) - now sanitized
+        span.setAttribute('visor.check.input.context', safeSerialize(sanitizedContext));
         // Capture specific important variables separately for easy querying
-        if (context.pr) {
-            span.setAttribute('visor.check.input.pr', safeSerialize(context.pr, 1000));
+        // Use sanitizedContext consistently to avoid leaking sensitive data
+        if (sanitizedContext.pr) {
+            span.setAttribute('visor.check.input.pr', safeSerialize(sanitizedContext.pr, 1000));
         }
-        if (context.outputs) {
-            span.setAttribute('visor.check.input.outputs', safeSerialize(context.outputs, 5000));
+        if (sanitizedContext.outputs) {
+            span.setAttribute('visor.check.input.outputs', safeSerialize(sanitizedContext.outputs, 5000));
         }
-        if (context.env) {
-            span.setAttribute('visor.check.input.env_keys', Object.keys(context.env).join(','));
+        if (sanitizedContext.env) {
+            span.setAttribute('visor.check.input.env_keys', Object.keys(sanitizedContext.env).join(','));
         }
     }
     catch (err) {

…sdk/check-provider-registry-U7K54IC3.mjs …sdk/check-provider-registry-534KL5HT.mjsdist/sdk/check-provider-registry-U7K54IC3.mjs renamed to dist/sdk/check-provider-registry-534KL5HT.mjs dist/sdk/check-provider-registry-U7K54IC3.mjs renamed to dist/sdk/check-provider-registry-534KL5HT.mjs

@@ -1,7 +1,7 @@
 import {
   CheckProviderRegistry,
   init_check_provider_registry
-} from "./chunk-VW46O2SP.mjs";
+} from "./chunk-23L3QRYX.mjs";
 import "./chunk-NAW3DB3I.mjs";
 import "./chunk-AUT26LHW.mjs";
 import "./chunk-HTOKWMPO.mjs";
@@ -24,4 +24,4 @@ init_check_provider_registry();
 export {
   CheckProviderRegistry
 };
-//# sourceMappingURL=check-provider-registry-U7K54IC3.mjs.map
+//# sourceMappingURL=check-provider-registry-534KL5HT.mjs.map

…check-provider-registry-U7K54IC3.mjs.map …check-provider-registry-534KL5HT.mjs.mapdist/sdk/check-provider-registry-U7K54IC3.mjs.map renamed to dist/sdk/check-provider-registry-534KL5HT.mjs.map dist/sdk/check-provider-registry-U7K54IC3.mjs.map renamed to dist/sdk/check-provider-registry-534KL5HT.mjs.map

@@ -2483,8 +2483,28 @@ __export(state_capture_exports, {
   captureProviderCall: () => captureProviderCall,
   captureRoutingDecision: () => captureRoutingDecision,
   captureStateSnapshot: () => captureStateSnapshot,
-  captureTransformJS: () => captureTransformJS
+  captureTransformJS: () => captureTransformJS,
+  sanitizeContextForTelemetry: () => sanitizeContextForTelemetry
 });
+function isSensitiveEnvVar(name) {
+  return SENSITIVE_ENV_PATTERNS.some((pattern) => pattern.test(name));
+}
+function sanitizeContextForTelemetry(context2) {
+  if (!context2 || typeof context2 !== "object") return context2;
+  const sanitized = { ...context2 };
+  if (sanitized.env && typeof sanitized.env === "object") {
+    const sanitizedEnv = {};
+    for (const [key, value] of Object.entries(sanitized.env)) {
+      if (isSensitiveEnvVar(key)) {
+        sanitizedEnv[key] = "[REDACTED]";
+      } else {
+        sanitizedEnv[key] = String(value);
+      }
+    }
+    sanitized.env = sanitizedEnv;
+  }
+  return sanitized;
+}
 function safeSerialize(value, maxLength = MAX_ATTRIBUTE_LENGTH) {
   try {
     if (value === void 0 || value === null) return String(value);
@@ -2509,18 +2529,22 @@ function safeSerialize(value, maxLength = MAX_ATTRIBUTE_LENGTH) {
 }
 function captureCheckInputContext(span, context2) {
   try {
-    const keys = Object.keys(context2);
+    const sanitizedContext = sanitizeContextForTelemetry(context2);
+    const keys = Object.keys(sanitizedContext);
     span.setAttribute("visor.check.input.keys", keys.join(","));
     span.setAttribute("visor.check.input.count", keys.length);
-    span.setAttribute("visor.check.input.context", safeSerialize(context2));
-    if (context2.pr) {
-      span.setAttribute("visor.check.input.pr", safeSerialize(context2.pr, 1e3));
+    span.setAttribute("visor.check.input.context", safeSerialize(sanitizedContext));
+    if (sanitizedContext.pr) {
+      span.setAttribute("visor.check.input.pr", safeSerialize(sanitizedContext.pr, 1e3));
     }
-    if (context2.outputs) {
-      span.setAttribute("visor.check.input.outputs", safeSerialize(context2.outputs, 5e3));
+    if (sanitizedContext.outputs) {
+      span.setAttribute("visor.check.input.outputs", safeSerialize(sanitizedContext.outputs, 5e3));
     }
-    if (context2.env) {
-      span.setAttribute("visor.check.input.env_keys", Object.keys(context2.env).join(","));
+    if (sanitizedContext.env) {
+      span.setAttribute(
+        "visor.check.input.env_keys",
+        Object.keys(sanitizedContext.env).join(",")
+      );
     }
   } catch (err) {
     try {
@@ -2643,12 +2667,25 @@ function captureStateSnapshot(span, checkId, outputs, memory) {
     span.setAttribute("visor.snapshot.error", String(err));
   }
 }
-var MAX_ATTRIBUTE_LENGTH, MAX_ARRAY_ITEMS;
+var MAX_ATTRIBUTE_LENGTH, MAX_ARRAY_ITEMS, SENSITIVE_ENV_PATTERNS;
 var init_state_capture = __esm({
   "src/telemetry/state-capture.ts"() {
     "use strict";
     MAX_ATTRIBUTE_LENGTH = 1e4;
     MAX_ARRAY_ITEMS = 100;
+    SENSITIVE_ENV_PATTERNS = [
+      /api[_-]?key/i,
+      /secret/i,
+      /token/i,
+      /password/i,
+      /auth/i,
+      /credential/i,
+      /private[_-]?key/i,
+      /^sk-/i,
+      // OpenAI-style keys
+      /^AIza/i
+      // Google API keys
+    ];
   }
 });
 
@@ -3869,7 +3906,7 @@ var init_ai_check_provider = __esm({
         }
         try {
           const checkId = config.checkName || config.id || "unknown";
-          const ctxJson = JSON.stringify(templateContext);
+          const ctxJson = JSON.stringify(sanitizeContextForTelemetry(templateContext));
           const { emitNdjsonSpanWithEvents: emitNdjsonSpanWithEvents2 } = (init_fallback_ndjson(), __toCommonJS(fallback_ndjson_exports));
           emitNdjsonSpanWithEvents2(
             "visor.check",
@@ -6380,7 +6417,7 @@ var init_command_check_provider = __esm({
         }
         try {
           const checkId = config.checkName || config.id || "unknown";
-          const ctxJson = JSON.stringify(templateContext);
+          const ctxJson = JSON.stringify(sanitizeContextForTelemetry(templateContext));
           const { emitNdjsonSpanWithEvents: emitNdjsonSpanWithEvents2 } = (init_fallback_ndjson(), __toCommonJS(fallback_ndjson_exports));
           emitNdjsonSpanWithEvents2(
             "visor.check",
@@ -16832,4 +16869,4 @@ export {
   StateMachineRunner,
   init_runner
 };
-//# sourceMappingURL=chunk-VW46O2SP.mjs.map
+//# sourceMappingURL=chunk-23L3QRYX.mjs.map

dist/sdk/chunk-VW46O2SP.mjs dist/sdk/chunk-23L3QRYX.mjsdist/sdk/chunk-VW46O2SP.mjs renamed to dist/sdk/chunk-23L3QRYX.mjs

@@ -7888,8 +7888,28 @@ __export(state_capture_exports, {
   captureProviderCall: () => captureProviderCall,
   captureRoutingDecision: () => captureRoutingDecision,
   captureStateSnapshot: () => captureStateSnapshot,
-  captureTransformJS: () => captureTransformJS
+  captureTransformJS: () => captureTransformJS,
+  sanitizeContextForTelemetry: () => sanitizeContextForTelemetry
 });
+function isSensitiveEnvVar(name) {
+  return SENSITIVE_ENV_PATTERNS.some((pattern) => pattern.test(name));
+}
+function sanitizeContextForTelemetry(context2) {
+  if (!context2 || typeof context2 !== "object") return context2;
+  const sanitized = { ...context2 };
+  if (sanitized.env && typeof sanitized.env === "object") {
+    const sanitizedEnv = {};
+    for (const [key, value] of Object.entries(sanitized.env)) {
+      if (isSensitiveEnvVar(key)) {
+        sanitizedEnv[key] = "[REDACTED]";
+      } else {
+        sanitizedEnv[key] = String(value);
+      }
+    }
+    sanitized.env = sanitizedEnv;
+  }
+  return sanitized;
+}
 function safeSerialize(value, maxLength = MAX_ATTRIBUTE_LENGTH) {
   try {
     if (value === void 0 || value === null) return String(value);
@@ -7914,18 +7934,22 @@ function safeSerialize(value, maxLength = MAX_ATTRIBUTE_LENGTH) {
 }
 function captureCheckInputContext(span, context2) {
   try {
-    const keys = Object.keys(context2);
+    const sanitizedContext = sanitizeContextForTelemetry(context2);
+    const keys = Object.keys(sanitizedContext);
     span.setAttribute("visor.check.input.keys", keys.join(","));
     span.setAttribute("visor.check.input.count", keys.length);
-    span.setAttribute("visor.check.input.context", safeSerialize(context2));
-    if (context2.pr) {
-      span.setAttribute("visor.check.input.pr", safeSerialize(context2.pr, 1e3));
+    span.setAttribute("visor.check.input.context", safeSerialize(sanitizedContext));
+    if (sanitizedContext.pr) {
+      span.setAttribute("visor.check.input.pr", safeSerialize(sanitizedContext.pr, 1e3));
     }
-    if (context2.outputs) {
-      span.setAttribute("visor.check.input.outputs", safeSerialize(context2.outputs, 5e3));
+    if (sanitizedContext.outputs) {
+      span.setAttribute("visor.check.input.outputs", safeSerialize(sanitizedContext.outputs, 5e3));
     }
-    if (context2.env) {
-      span.setAttribute("visor.check.input.env_keys", Object.keys(context2.env).join(","));
+    if (sanitizedContext.env) {
+      span.setAttribute(
+        "visor.check.input.env_keys",
+        Object.keys(sanitizedContext.env).join(",")
+      );
     }
   } catch (err) {
     try {
@@ -8048,12 +8072,25 @@ function captureStateSnapshot(span, checkId, outputs, memory) {
     span.setAttribute("visor.snapshot.error", String(err));
   }
 }
-var MAX_ATTRIBUTE_LENGTH, MAX_ARRAY_ITEMS;
+var MAX_ATTRIBUTE_LENGTH, MAX_ARRAY_ITEMS, SENSITIVE_ENV_PATTERNS;
 var init_state_capture = __esm({
   "src/telemetry/state-capture.ts"() {
     "use strict";
     MAX_ATTRIBUTE_LENGTH = 1e4;
     MAX_ARRAY_ITEMS = 100;
+    SENSITIVE_ENV_PATTERNS = [
+      /api[_-]?key/i,
+      /secret/i,
+      /token/i,
+      /password/i,
+      /auth/i,
+      /credential/i,
+      /private[_-]?key/i,
+      /^sk-/i,
+      // OpenAI-style keys
+      /^AIza/i
+      // Google API keys
+    ];
   }
 });
 
@@ -9405,7 +9442,7 @@ var init_ai_check_provider = __esm({
         }
         try {
           const checkId = config.checkName || config.id || "unknown";
-          const ctxJson = JSON.stringify(templateContext);
+          const ctxJson = JSON.stringify(sanitizeContextForTelemetry(templateContext));
           const { emitNdjsonSpanWithEvents: emitNdjsonSpanWithEvents2 } = (init_fallback_ndjson(), __toCommonJS(fallback_ndjson_exports));
           emitNdjsonSpanWithEvents2(
             "visor.check",
@@ -11916,7 +11953,7 @@ var init_command_check_provider = __esm({
         }
         try {
           const checkId = config.checkName || config.id || "unknown";
-          const ctxJson = JSON.stringify(templateContext);
+          const ctxJson = JSON.stringify(sanitizeContextForTelemetry(templateContext));
           const { emitNdjsonSpanWithEvents: emitNdjsonSpanWithEvents2 } = (init_fallback_ndjson(), __toCommonJS(fallback_ndjson_exports));
           emitNdjsonSpanWithEvents2(
             "visor.check",

dist/sdk/chunk-23L3QRYX.mjs.map

@@ -3,7 +3,7 @@ import {
   check_provider_registry_exports,
   init_check_provider_registry,
   init_runner
-} from "./chunk-VW46O2SP.mjs";
+} from "./chunk-23L3QRYX.mjs";
 import "./chunk-NAW3DB3I.mjs";
 import {
   commandExecutor,
@@ -549,7 +549,7 @@ var StateMachineExecutionEngine = class _StateMachineExecutionEngine {
       try {
         const map = options?.webhookContext?.webhookData;
         if (map) {
-          const { CheckProviderRegistry } = await import("./check-provider-registry-U7K54IC3.mjs");
+          const { CheckProviderRegistry } = await import("./check-provider-registry-534KL5HT.mjs");
           const reg = CheckProviderRegistry.getInstance();
           const p = reg.getProvider("http_input");
           if (p && typeof p.setWebhookContext === "function") p.setWebhookContext(map);