feat: redact replication-log secrets + bump core for registry deploy auth

[kriszyp]

Summary

Harper-pro half of the private-registry deploy-by-reference feature (deploy_component package=npm:@org/app@1.2.3 against a private npm registry). The token-handling core change lives in HarperFast/harper#1158 — this PR bumps the core submodule to it and adds the harper-pro-side defense-in-depth redaction.

• replication/logRedaction.ts (new): redactOperationForLog() masks top-level token/key/password/hdbAuthHeader and nested registryAuth[].token before an operation is written to a debug log. Returns the same object reference when there is nothing sensitive, so the common (no-secret) path allocates nothing.
• Wired into the two replication debug-log sites:
  • replicator.ts — guarded by logger.logsAtLevel('debug') (module-namespace logger, so the redaction call only runs when debug logging is on).
  • replicationConnection.ts — logger.debug?.(…) short-circuits when debug is off, so no separate guard needed.
• core submodule → ea0d9e9ce (the registry-auth feature + its review fixes).
• @harperfast/rocksdb-js → ^1.4.2 (package.json + lockfile).

Purpose

The registry token must never persist or be exposed on a data-plane node — not in the package reference, harperdb-config.yaml, the hdb_deployment row, logs, or replication. The core PR strips the token from the replicated operation; this PR closes the logging surface as a second, independent layer (the token can't leak via a debug-level operation dump even if an upstream strip is ever missed).

Where to focus

• logRedaction.ts correctness — confirm the masked-key set is complete and the nested registryAuth[].token walk matches the contract shape registryAuth: [{ registry, token, scope? }]. The no-allocation fast-path (same-ref return when nothing sensitive) is the one bit of cleverness worth a look.
• rocksdb-js ^1.4.2 root bump — this rides along because the core pointer advances ~14 commits to current main, which depends on rocksdb-js 1.4.2 (now the latest dist-tag); syncing the harper-pro root + lockfile avoids a resolved-version skew between core and the integrated build. Called out by the Codex pre-review; bundled here deliberately rather than as a separate PR.

Notes

• Depends on feat: transient private-registry auth for deploy_component harper#1158 — merge that first; this PR's core pointer references its head commit.
• 🤖 Generated by Claude (Opus 4.7). The cross-model (Codex) pre-review findings referenced above are already addressed in-diff; no open review items carried into this description.

[gemini-code-assist]

Code Review

This pull request introduces a log redaction utility to mask sensitive fields, such as SSH keys, passwords, and registry tokens, in replicated or forwarded operations before they are written to debug logs. It also updates the @harperfast/rocksdb-js dependency and adds corresponding unit tests. Feedback on the changes suggests optimizing the redaction logic for registryAuth arrays to avoid eagerly cloning the operation object when no tokens are present, thereby preserving the zero-allocation fast-path.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[claude]

Reviewed; no blockers found.

[cb1kenobi]

Nice!