/**
 * redact-error.ts — Internal credential-scrubbing helper.
 *
 * The `postgres` npm package can embed the full DSN (including the password)
 * in connection-failure error messages. This module provides a single helper
 * that strips the user:password portion from any such message before it is
 * re-thrown, logged, or surfaced in a structured health report.
 *
 * This file is intentionally NOT re-exported from the package index — it is
 * an internal utility for use within packages/storage/src only.
 */

/**
 * Redacts credentials from error messages that may include connection URLs.
 * The `postgres` npm package can embed the full DSN in connection-failure
 * messages, and ioredis can embed `redis://` / `rediss://` URLs similarly.
 * This helper strips the user:password portion before display.
 *
 * Handles `postgres://`, `postgresql://`, `redis://`, and `rediss://`
 * schemes (case-insensitive). Everything between `://` and `@` (the userinfo
 * component) is replaced with `***` so that the host, port, and database name
 * remain visible for diagnostics while the secret is never written to logs or
 * CI output.
 *
 * @example
 *   redactErrMsg('connect ECONNREFUSED postgres://admin:s3cr3t@db:5432/mosaic')
 *   // → 'connect ECONNREFUSED postgres://***@db:5432/mosaic'
 *
 *   redactErrMsg('connect ECONNREFUSED redis://user:pass@cache:6379')
 *   // → 'connect ECONNREFUSED redis://***@cache:6379'
 */
const CREDENTIAL_URL_RE = /(postgres(?:ql)?|rediss?):\/\/[^@\s]*@/gi;

export function redactErrMsg(msg: string): string {
  return msg.replace(
    CREDENTIAL_URL_RE,
    (_match, scheme: string) => `${scheme.toLowerCase()}://***@`,
  );
}