Skip to content

Commit 80e1e5f

Browse files
authored
Merge pull request #5 from script-development/release-v0.1.0
Release v0.1.0 — inaugural publish (KD-0885 hardening folded in)
2 parents 95438d0 + 5c6f4d4 commit 80e1e5f

1 file changed

Lines changed: 12 additions & 10 deletions

File tree

CHANGELOG.md

Lines changed: 12 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -4,17 +4,11 @@ All notable changes to `script-development/kendo-error-tracker` are documented i
44

55
The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and the project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
66

7-
## [Unreleased]
7+
## [0.1.0] — 2026-06-08
88

9-
### Fixed
10-
11-
- **BSN scrub gaps (KD-0885, C-1):** the bare 9-digit pattern missed grouped forms (`123.456.782`, `123 456 782`, `123-456-782`) and BSNs embedded in a longer digit run (`0612345678`). The pattern now matches grouped separators and any run of 9-or-more digits. Tradeoff: increased over-redaction of legit 9+-digit IDs until the elfproef (11-proef) validator lands (v1.5).
12-
- **Email IDN / unicode leak (KD-0885, H-1):** the ASCII-only email pattern leaked IDN domains (`jan@müller.nl`) and unicode local parts. The pattern now uses the `u` flag and `\p{L}\p{N}` classes. Quoted local parts with an internal space remain out of scope (documented).
13-
- **Bearer credential reuse leak (KD-0885, H-2):** a credential redacted in a `Bearer <token>` value leaked again where the same value reappeared unprefixed (`token=<same>`). The Bearer scrub now captures the credential and redacts every bare reuse across the string. The `eyJ`-header requirement for JWT detection is documented as an explicit scope boundary.
14-
- **Timeout disabled by zero/negative config (KD-0885, H-3):** `ErrorTracker::configFloat()` accepted `0`/negative numeric timeouts (Guzzle-infinite), so a hung kendo host could block the caller in sync mode. A non-positive numeric now floors to the default for both `connect_timeout` and `timeout`.
15-
- **Bearer over-redaction (KD-0885, M-4):** the Bearer credential class included `/` and matched across newlines, so `Bearer /api/v1/users/123` ate the whole path. The class now drops `/` and bounds whitespace to horizontal characters.
16-
17-
## [0.1.0] — 2026-06-06
9+
Inaugural public release. The KD-0885 scrubber hardening below landed before
10+
first publish, so `0.1.0` is the first version available on packagist and the
11+
pre-hardening code was never distributed.
1812

1913
### Added
2014

@@ -26,3 +20,11 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and
2620
- Scrubbing layer redacting JWT, `Bearer` tokens, BSN, and email addresses from the message and stack trace before send.
2721
- Exact `base_path()` path normalization of each stack frame (mirrors `laravel/nightwatch`'s `Location::normalizeFile()`) for host-stable fingerprints.
2822
- POST to `{kendo_url}/api/projects/{project}/error-events` with Bearer auth and the `{environment, release?, exception_class, message, stack_trace}` body; treats `202` as success and swallows every failure (timeout, `401`/`403`/`422`, `5xx`, unreachable host).
23+
24+
### Fixed
25+
26+
- **BSN scrub gaps (KD-0885, C-1):** the bare 9-digit pattern missed grouped forms (`123.456.782`, `123 456 782`, `123-456-782`) and BSNs embedded in a longer digit run (`0612345678`). The pattern now matches grouped separators and any run of 9-or-more digits. Tradeoff: increased over-redaction of legit 9+-digit IDs until the elfproef (11-proef) validator lands (v1.5).
27+
- **Email IDN / unicode leak (KD-0885, H-1):** the ASCII-only email pattern leaked IDN domains (`jan@müller.nl`) and unicode local parts. The pattern now uses the `u` flag and `\p{L}\p{N}` classes. Quoted local parts with an internal space remain out of scope (documented).
28+
- **Bearer credential reuse leak (KD-0885, H-2):** a credential redacted in a `Bearer <token>` value leaked again where the same value reappeared unprefixed (`token=<same>`). The Bearer scrub now captures the credential and redacts every bare reuse across the string. The `eyJ`-header requirement for JWT detection is documented as an explicit scope boundary.
29+
- **Timeout disabled by zero/negative config (KD-0885, H-3):** `ErrorTracker::configFloat()` accepted `0`/negative numeric timeouts (Guzzle-infinite), so a hung kendo host could block the caller in sync mode. A non-positive numeric now floors to the default for both `connect_timeout` and `timeout`.
30+
- **Bearer over-redaction (KD-0885, M-4):** the Bearer credential class included `/` and matched across newlines, so `Bearer /api/v1/users/123` ate the whole path. The class now drops `/` and bounds whitespace to horizontal characters.

0 commit comments

Comments
 (0)