Data Masking & String Truncation Improvements (#866)

* Fixed issues in the existing data masking rules for social security numbers, Visa, and Mastercard
    * Previously, they would incorrectly mask some values that were not the targeted sensitive data

* Added new bundled data mask rule for AMEX credit card numbers

* Refactored repetitive logic in LogEntryEventBuilder for truncating + masking various text values

* Added another round of string truncation after applying data masking to fix issues where string values could still be too long for the corresponding fields

* Added several new *Truncated__c fields on LogEntryEvent__e & LogEntry__c for some data points where it would be helpful to have the context that data has been truncated

* Added the new *Truncated__c fields on LogEntry__c to the LogEntryRecordPage flexipage

* Scope creep: Added more pipeline-only tests for validating the CMDT records bundled with Nebula Logger have the expected values
    * These tests are intended to validate that the bundled data masking rules work correctly out-of-the-box, but people are free to edit these in their own orgs, so the this level of testing needs to happen in the pipeline only

* Scope creep: restructured extra-tests directory to add some organization, things were getting a bit messy

* Bumped the managed package's sfdx-project.json file to v4.17.0 (Summer '25 release)

Author: jongpie

.github/workflows/build.yml

@@ -174,9 +174,6 @@ jobs:
       - name: 'Assign Logger Admin Permission Set'
         run: npm run permset:assign:admin
 
-      - name: 'Validate Custom Metadata Records'
-        run: npx sf apex run --file ./scripts/build/validate-custom-metadata-records.apex
-
       # Nebula Logger has functionality that queries the AuthSession object when the current user has an active session.
       # The code should work with or without an active session, so the pipeline runs the tests twice - asynchronously and synchronously.
       # This is done because, based on how you execute Apex tests, the running user may have an active session (synchrously) or not (asynchronously).
@@ -242,9 +239,6 @@ jobs:
       - name: 'Assign Logger Admin Permission Set'
         run: npm run permset:assign:admin
 
-      - name: 'Validate Custom Metadata Records'
-        run: npx sf apex run --file ./scripts/build/validate-custom-metadata-records.apex
-
       # Nebula Logger has functionality that queries the AuthSession object when the current user has an active session.
       # The code should work with or without an active session, so the pipeline runs the tests twice - asynchronously and synchronously.
       # This is done because, based on how you execute Apex tests, the running user may have an active session (synchrously) or not (asynchronously).
@@ -310,9 +304,6 @@ jobs:
       - name: 'Assign Logger Admin Permission Set'
         run: npm run permset:assign:admin
 
-      - name: 'Validate Custom Metadata Records'
-        run: npx sf apex run --file ./scripts/build/validate-custom-metadata-records.apex
-
       # Nebula Logger has functionality that queries the AuthSession object when the current user has an active session.
       # The code should work with or without an active session, so the pipeline runs the tests twice - asynchronously and synchronously.
       # This is done because, based on how you execute Apex tests, the running user may have an active session (synchrously) or not (asynchronously).
@@ -381,9 +372,6 @@ jobs:
       - name: 'Assign Logger Admin Permission Set'
         run: npm run permset:assign:admin
 
-      - name: 'Validate Custom Metadata Records'
-        run: npx sf apex run --file ./scripts/build/validate-custom-metadata-records.apex
-
       # Nebula Logger has functionality that queries the AuthSession object when the current user has an active session.
       # The code should work with or without an active session, so the pipeline runs the tests twice - asynchronously and synchronously.
       # This is done because, based on how you execute Apex tests, the running user may have an active session (synchrously) or not (asynchronously).
@@ -456,9 +444,6 @@ jobs:
       - name: 'Assign Logger Admin Permission Set'
         run: npm run permset:assign:admin
 
-      - name: 'Validate Custom Metadata Records'
-        run: npx sf apex run --file ./scripts/build/validate-custom-metadata-records.apex
-
       # Nebula Logger has functionality that queries the AuthSession object when the current user has an active session.
       # The code should work with or without an active session, so the pipeline runs the tests twice - asynchronously and synchronously.
       # This is done because, based on how you execute Apex tests, the running user may have an active session (synchrously) or not (asynchronously).
@@ -524,9 +509,6 @@ jobs:
       - name: 'Assign Logger Admin Permission Set'
         run: npm run permset:assign:admin
 
-      - name: 'Validate Custom Metadata Records'
-        run: npx sf apex run --file ./scripts/build/validate-custom-metadata-records.apex
-
       # Nebula Logger has functionality that queries the AuthSession object when the current user has an active session.
       # The code should work with or without an active session, so the pipeline runs the tests twice - asynchronously and synchronously.
       # This is done because, based on how you execute Apex tests, the running user may have an active session (synchrously) or not (asynchronously).

README.md

@@ -5,13 +5,13 @@
 
 The most robust observability solution for Salesforce experts. Built 100% natively on the platform, and designed to work seamlessly with Apex, Lightning Components, Flow, OmniStudio, and integrations.
 
-## Unlocked Package - v4.16.0
+## Unlocked Package - v4.16.1
 
-[![Install Unlocked Package in a Sandbox](./images/btn-install-unlocked-package-sandbox.png)](https://test.salesforce.com/packaging/installPackage.apexp?p0=04t5Y0000015pGyQAI)
-[![Install Unlocked Package in Production](./images/btn-install-unlocked-package-production.png)](https://login.salesforce.com/packaging/installPackage.apexp?p0=04t5Y0000015pGyQAI)
+[![Install Unlocked Package in a Sandbox](./images/btn-install-unlocked-package-sandbox.png)](https://test.salesforce.com/packaging/installPackage.apexp?p0=04tKe0000011MXEIA2)
+[![Install Unlocked Package in Production](./images/btn-install-unlocked-package-production.png)](https://login.salesforce.com/packaging/installPackage.apexp?p0=04tKe0000011MXEIA2)
 [![View Documentation](./images/btn-view-documentation.png)](https://github.com/jongpie/NebulaLogger/wiki)
 
-`sf package install --wait 20 --security-type AdminsOnly --package 04t5Y0000015pGyQAI`
+`sf package install --wait 20 --security-type AdminsOnly --package 04tKe0000011MXEIA2`
 
 ---
 

nebula-logger/core.package.xml

@@ -156,6 +156,7 @@
         <members>LogEntryEvent__e.ExceptionStackTrace__c</members>
         <members>LogEntryEvent__e.ExceptionType__c</members>
         <members>LogEntryEvent__e.HttpRequestBodyMasked__c</members>
+        <members>LogEntryEvent__e.HttpRequestBodyTruncated__c</members>
         <members>LogEntryEvent__e.HttpRequestBody__c</members>
         <members>LogEntryEvent__e.HttpRequestCompressed__c</members>
         <members>LogEntryEvent__e.HttpRequestEndpointAddress__c</members>
@@ -164,6 +165,7 @@
         <members>LogEntryEvent__e.HttpRequestHeaders__c</members>
         <members>LogEntryEvent__e.HttpRequestMethod__c</members>
         <members>LogEntryEvent__e.HttpResponseBodyMasked__c</members>
+        <members>LogEntryEvent__e.HttpResponseBodyTruncated__c</members>
         <members>LogEntryEvent__e.HttpResponseBody__c</members>
         <members>LogEntryEvent__e.HttpResponseHeaderKeys__c</members>
         <members>LogEntryEvent__e.HttpResponseHeaders__c</members>
@@ -248,12 +250,14 @@
         <members>LogEntryEvent__e.RecordCollectionType__c</members>
         <members>LogEntryEvent__e.RecordId__c</members>
         <members>LogEntryEvent__e.RecordJsonMasked__c</members>
+        <members>LogEntryEvent__e.RecordJsonTruncated__c</members>
         <members>LogEntryEvent__e.RecordJson__c</members>
         <members>LogEntryEvent__e.RecordSObjectClassification__c</members>
         <members>LogEntryEvent__e.RecordSObjectTypeNamespace__c</members>
         <members>LogEntryEvent__e.RecordSObjectType__c</members>
         <members>LogEntryEvent__e.RequestId__c</members>
         <members>LogEntryEvent__e.RestRequestBodyMasked__c</members>
+        <members>LogEntryEvent__e.RestRequestBodyTruncated__c</members>
         <members>LogEntryEvent__e.RestRequestBody__c</members>
         <members>LogEntryEvent__e.RestRequestHeaderKeys__c</members>
         <members>LogEntryEvent__e.RestRequestHeaders__c</members>
@@ -263,6 +267,7 @@
         <members>LogEntryEvent__e.RestRequestResourcePath__c</members>
         <members>LogEntryEvent__e.RestRequestUri__c</members>
         <members>LogEntryEvent__e.RestResponseBodyMasked__c</members>
+        <members>LogEntryEvent__e.RestResponseBodyTruncated__c</members>
         <members>LogEntryEvent__e.RestResponseBody__c</members>
         <members>LogEntryEvent__e.RestResponseHeaderKeys__c</members>
         <members>LogEntryEvent__e.RestResponseHeaders__c</members>
@@ -394,6 +399,7 @@
         <members>LogEntry__c.HasRestResponseHeaders__c</members>
         <members>LogEntry__c.HasStackTrace__c</members>
         <members>LogEntry__c.HttpRequestBodyMasked__c</members>
+        <members>LogEntry__c.HttpRequestBodyTruncated__c</members>
         <members>LogEntry__c.HttpRequestBody__c</members>
         <members>LogEntry__c.HttpRequestCompressed__c</members>
         <members>LogEntry__c.HttpRequestEndpointAddress__c</members>
@@ -402,6 +408,7 @@
         <members>LogEntry__c.HttpRequestHeaders__c</members>
         <members>LogEntry__c.HttpRequestMethod__c</members>
         <members>LogEntry__c.HttpResponseBodyMasked__c</members>
+        <members>LogEntry__c.HttpResponseBodyTruncated__c</members>
         <members>LogEntry__c.HttpResponseBody__c</members>
         <members>LogEntry__c.HttpResponseHeaderKeys__c</members>
         <members>LogEntry__c.HttpResponseHeaders__c</members>
@@ -490,13 +497,15 @@
         <members>LogEntry__c.RecordDetailedLink__c</members>
         <members>LogEntry__c.RecordId__c</members>
         <members>LogEntry__c.RecordJsonMasked__c</members>
+        <members>LogEntry__c.RecordJsonTruncated__c</members>
         <members>LogEntry__c.RecordJson__c</members>
         <members>LogEntry__c.RecordLink__c</members>
         <members>LogEntry__c.RecordName__c</members>
         <members>LogEntry__c.RecordSObjectClassification__c</members>
         <members>LogEntry__c.RecordSObjectTypeNamespace__c</members>
         <members>LogEntry__c.RecordSObjectType__c</members>
         <members>LogEntry__c.RestRequestBodyMasked__c</members>
+        <members>LogEntry__c.RestRequestBodyTruncated__c</members>
         <members>LogEntry__c.RestRequestBody__c</members>
         <members>LogEntry__c.RestRequestHeaderKeys__c</members>
         <members>LogEntry__c.RestRequestHeaders__c</members>
@@ -506,6 +515,7 @@
         <members>LogEntry__c.RestRequestResourcePath__c</members>
         <members>LogEntry__c.RestRequestUri__c</members>
         <members>LogEntry__c.RestResponseBodyMasked__c</members>
+        <members>LogEntry__c.RestResponseBodyTruncated__c</members>
         <members>LogEntry__c.RestResponseBody__c</members>
         <members>LogEntry__c.RestResponseHeaderKeys__c</members>
         <members>LogEntry__c.RestResponseHeaders__c</members>
@@ -700,6 +710,7 @@
         <name>CustomIndex</name>
     </types>
     <types>
+        <members>LogEntryDataMaskRule.AmericanExpressCreditCardNumber</members>
         <members>LogEntryDataMaskRule.MastercardCreditCardNumber</members>
         <members>LogEntryDataMaskRule.SocialSecurityNumber</members>
         <members>LogEntryDataMaskRule.VisaCreditCardNumber</members>

nebula-logger/core/main/configuration/customMetadata/LogEntryDataMaskRule.AmericanExpressCreditCardNumber.md-meta.xml

@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<CustomMetadata xmlns="http://soap.sforce.com/2006/04/metadata" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+    <label>American Express Credit Card Number</label>
+    <protected>false</protected>
+    <values>
+        <field>ApplyToMessage__c</field>
+        <value xsi:type="xsd:boolean">true</value>
+    </values>
+    <values>
+        <field>ApplyToRecordJson__c</field>
+        <value xsi:type="xsd:boolean">true</value>
+    </values>
+    <values>
+        <field>IsEnabled__c</field>
+        <value xsi:type="xsd:boolean">true</value>
+    </values>
+    <values>
+        <field>ReplacementRegEx__c</field>
+        <value xsi:type="xsd:string">$1****-******-$4</value>
+    </values>
+    <values>
+        <field>SensitiveDataRegEx__c</field>
+        <value xsi:type="xsd:string">(^|[^0-9A-Za-z])(3[47]\d{2})([- ]?)\d{6}\3(\d{5})(?=[^0-9A-Za-z]|$)</value>
+    </values>
+</CustomMetadata>

nebula-logger/core/main/configuration/customMetadata/LogEntryDataMaskRule.MastercardCreditCardNumber.md-meta.xml

@@ -16,10 +16,10 @@
     </values>
     <values>
         <field>ReplacementRegEx__c</field>
-        <value xsi:type="xsd:string">$1****-****-****-$5</value>
+        <value xsi:type="xsd:string">$1****-****-****-$4</value>
     </values>
     <values>
         <field>SensitiveDataRegEx__c</field>
-        <value xsi:type="xsd:string">(^|[ ])(5\d{3})[- ]*(\d{4})[- ]*(\d{4})[- ]*(\d{4})</value>
+        <value xsi:type="xsd:string">(^|[^0-9])(5[1-5]\d{2}|222[1-9]|22[3-9]\d|2[3-6]\d{2}|27[01]\d|2720)([- ]?)\d{4}\3\d{4}\3(\d{4})(?!\d)</value>
     </values>
 </CustomMetadata>

nebula-logger/core/main/configuration/customMetadata/LogEntryDataMaskRule.SocialSecurityNumber.md-meta.xml

@@ -16,10 +16,10 @@
     </values>
     <values>
         <field>ReplacementRegEx__c</field>
-        <value xsi:type="xsd:string">$1XXX-XX-$4$5</value>
+        <value xsi:type="xsd:string">$1XXX-XX-$4</value>
     </values>
     <values>
         <field>SensitiveDataRegEx__c</field>
-        <value xsi:type="xsd:string">(^|[ ])(\d{3})[- ]*(\d{2})[- ]*(\d{4})([ ]|$)</value>
+        <value xsi:type="xsd:string">(^|[^0-9A-Za-z])(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?=[^0-9A-Za-z]|$)</value>
     </values>
 </CustomMetadata>

nebula-logger/core/main/configuration/customMetadata/LogEntryDataMaskRule.VisaCreditCardNumber.md-meta.xml

@@ -16,10 +16,10 @@
     </values>
     <values>
         <field>ReplacementRegEx__c</field>
-        <value xsi:type="xsd:string">$1****-****-****-$5</value>
+        <value xsi:type="xsd:string">$1****-****-****-$4</value>
     </values>
     <values>
         <field>SensitiveDataRegEx__c</field>
-        <value xsi:type="xsd:string">(^|[ ])(4\d{3})[- ]*(\d{4})[- ]*(\d{4})[- ]*(\d{4})</value>
+        <value xsi:type="xsd:string">(^|[^0-9])(4\d{3})([- ]?)\d{4}\3\d{4}\3(\d{4})(?!\d)</value>
     </values>
 </CustomMetadata>

nebula-logger/core/main/log-management/classes/LogEntryEventHandler.cls

@@ -287,6 +287,7 @@ public without sharing class LogEntryEventHandler extends LoggerSObjectHandler {
         ExceptionType__c = logEntryEvent.ExceptionType__c,
         HttpRequestBody__c = logEntryEvent.HttpRequestBody__c,
         HttpRequestBodyMasked__c = logEntryEvent.HttpRequestBodyMasked__c,
+        HttpRequestBodyTruncated__c = logEntryEvent.HttpRequestBodyTruncated__c,
         HttpRequestCompressed__c = logEntryEvent.HttpRequestCompressed__c,
         HttpRequestEndpoint__c = logEntryEvent.HttpRequestEndpoint__c,
         HttpRequestEndpointAddress__c = logEntryEvent.HttpRequestEndpointAddress__c,
@@ -295,6 +296,7 @@ public without sharing class LogEntryEventHandler extends LoggerSObjectHandler {
         HttpRequestMethod__c = logEntryEvent.HttpRequestMethod__c,
         HttpResponseBody__c = logEntryEvent.HttpResponseBody__c,
         HttpResponseBodyMasked__c = logEntryEvent.HttpResponseBodyMasked__c,
+        HttpResponseBodyTruncated__c = logEntryEvent.HttpResponseBodyTruncated__c,
         HttpResponseHeaderKeys__c = logEntryEvent.HttpResponseHeaderKeys__c,
         HttpResponseHeaders__c = logEntryEvent.HttpResponseHeaders__c,
         HttpResponseStatus__c = logEntryEvent.HttpResponseStatus__c,
@@ -349,11 +351,13 @@ public without sharing class LogEntryEventHandler extends LoggerSObjectHandler {
         RecordId__c = logEntryEvent.RecordId__c,
         RecordJson__c = logEntryEvent.RecordJson__c,
         RecordJsonMasked__c = logEntryEvent.RecordJsonMasked__c,
+        RecordJsonTruncated__c = logEntryEvent.RecordJsonTruncated__c,
         RecordSObjectClassification__c = logEntryEvent.RecordSObjectClassification__c,
         RecordSObjectType__c = logEntryEvent.RecordSObjectType__c,
         RecordSObjectTypeNamespace__c = logEntryEvent.RecordSObjectTypeNamespace__c,
         RestRequestBody__c = logEntryEvent.RestRequestBody__c,
         RestRequestBodyMasked__c = logEntryEvent.RestRequestBodyMasked__c,
+        RestRequestBodyTruncated__c = logEntryEvent.RestRequestBodyTruncated__c,
         RestRequestHeaderKeys__c = logEntryEvent.RestRequestHeaderKeys__c,
         RestRequestHeaders__c = logEntryEvent.RestRequestHeaders__c,
         RestRequestMethod__c = logEntryEvent.RestRequestMethod__c,
@@ -363,6 +367,7 @@ public without sharing class LogEntryEventHandler extends LoggerSObjectHandler {
         RestRequestUri__c = logEntryEvent.RestRequestUri__c,
         RestResponseBody__c = logEntryEvent.RestResponseBody__c,
         RestResponseBodyMasked__c = logEntryEvent.RestResponseBodyMasked__c,
+        RestResponseBodyTruncated__c = logEntryEvent.RestResponseBodyTruncated__c,
         RestResponseHeaderKeys__c = logEntryEvent.RestResponseHeaderKeys__c,
         RestResponseHeaders__c = logEntryEvent.RestResponseHeaders__c,
         RestResponseStatusCode__c = logEntryEvent.RestResponseStatusCode__c,