refactor(branding): Rename rule prefixes from LM to PL

Updates all rule and finding codes from the legacy 'LM' (LogMaster) prefix to 'PL' (Privlog) for complete brand consistency.

This change affects the Semgrep rules, the AST checker, the runner, and the documentation.

Author: aureliuscanon

CONTRIBUTING.md

@@ -1,4 +1,4 @@
-# Contributing to privlog
+# Contributing to Privlog
 
 This guide is for developers who want to contribute to the `privlog` project. It explains the project's architecture and where key logic lives.
 
@@ -47,10 +47,10 @@ This guide is for developers who want to contribute to the `privlog` project. It
     4.  **Heuristic Analysis**: Flags risky patterns like logging with `extra=...` or `json.dumps()`.
     5.  **Custom Wrapper Analysis**: Receives the `PrivlogConfig` object and inspects function calls to see if they match a name in the `custom_wrappers` configuration, checking their keyword arguments accordingly.
   - **Finding Codes**:
-    - `LM2101`: A direct sensitive identifier was found in a logging call.
-    - `LM2201-2203`: A heuristic pattern (like `extra=...` or `json.dumps`) was found in a logging call.
-    - `LM2301-2303`: A sensitive identifier or heuristic pattern was found in a `print()` call.
-    - `LM2401`: A sensitive argument was passed to a custom logging wrapper defined in the user's configuration.
+    - `PL2101`: A direct sensitive identifier was found in a logging call.
+    - `PL2201-2203`: A heuristic pattern (like `extra=...` or `json.dumps`) was found in a logging call.
+    - `PL2301-2303`: A sensitive identifier or heuristic pattern was found in a `print()` call.
+    - `PL2401`: A sensitive argument was passed to a custom logging wrapper defined in the user's configuration.
 
 - `privlog/rules/privlog.yml`
   - **Purpose:** The core Semgrep ruleset, which complements the AST checker.

README.md

@@ -1,4 +1,8 @@
-# privlog
+# Privlog
+
+[![PyPI](https://img.shields.io/pypi/v/privlog)](https://pypi.org/project/privlog/)
+[![Python](https://img.shields.io/pypi/pyversions/privlog)](https://pypi.org/project/privlog)
+[![License](https://img.shields.io/github/license/privlog-dev/privlog)](https://github.com/privlog-dev/privlog/blob/main/LICENSE)
 
 A privacy-aware linter for Python projects, designed to catch accidental leaks of sensitive data in logs and `print` statements before they reach production.
 

privlog/ast_checks.py

@@ -179,7 +179,7 @@ def visit_Call(self, node: ast.Call) -> None:
             for arg in args_to_check:
                 severity = _get_expr_sensitivity(arg)
                 if severity:
-                    code = "LM2301" if is_print else "LM2101"
+                    code = "PL2301" if is_print else "PL2101"
                     call_type = "print()" if is_print else "log"
                     self._add_finding(node, code, f"Sensitive identifier passed to {call_type}. Hash/pseudonymize or omit.", severity)
                     break
@@ -188,7 +188,7 @@ def visit_Call(self, node: ast.Call) -> None:
         if is_log:
             for keyword in node.keywords:
                 if keyword.arg == 'extra':
-                    self._add_finding(node, "LM2201", "Logging with 'extra' can hide sensitive data. Review manually.", "WARNING")
+                    self._add_finding(node, "PL2201", "Logging with 'extra' can hide sensitive data. Review manually.", "WARNING")
                     break
 
         # Check 3: Custom wrapper checks
@@ -197,16 +197,16 @@ def visit_Call(self, node: ast.Call) -> None:
             for kw in node.keywords:
                 if kw.arg in wrapper_rules:
                     severity = wrapper_rules[kw.arg]
-                    self._add_finding(node, "LM2401", f"Sensitive argument '{kw.arg}' passed to custom wrapper '{func_name}'.", severity)
+                    self._add_finding(node, "PL2401", f"Sensitive argument '{kw.arg}' passed to custom wrapper '{func_name}'.", severity)
 
         # Common heuristic checks for all call types
         for arg in node.args:
             if isinstance(arg, ast.Call) and isinstance(arg.func, ast.Attribute):
                 if isinstance(arg.func.value, ast.Name) and arg.func.value.id == 'json' and arg.func.attr == 'dumps':
-                    code = "LM2302" if is_print else "LM2202"
+                    code = "PL2302" if is_print else "PL2202"
                     self._add_finding(node, code, "Object serialized as JSON may be sensitive. Review manually.", "WARNING")
                 if arg.func.attr == 'to_dict':
-                    code = "LM2303" if is_print else "LM2203"
+                    code = "PL2303" if is_print else "PL2203"
                     self._add_finding(node, code, "Object converted to dict may be sensitive. Review manually.", "WARNING")
 
         self.generic_visit(node)

privlog/rules/privlog.yml

@@ -1,16 +1,16 @@
 rules:
   #
   # ==========================================================
-  # privlog (LM) — Privacy/Log Hygiene "F-like" checks
+  # privlog (PL) — Privacy/Log Hygiene "F-like" checks
   # Focus: High-signal findings with low false positives.
   # ==========================================================
   #
 
   #
-  # LM110x — Direct identifier logging (ERROR)
+  # PL110x — Direct identifier logging (ERROR)
   #
 
-  - id: LM1101.no-direct-wix-user-id-in-logs
+  - id: PL1101.no-direct-wix-user-id-in-logs
     message: "Do not log raw wix_user_id. Use get_salted_identifier(wix_user_id) (or equivalent) before logging."
     severity: ERROR
     languages: [python]
@@ -24,7 +24,7 @@ rules:
       - pattern-not: logging.$L(..., get_salted_identifier($WIXID), ...)
       - pattern-not: logger.$L(..., get_salted_identifier($WIXID), ...)
 
-  - id: LM1102.no-direct-email-in-logs
+  - id: PL1102.no-direct-email-in-logs
     message: "Do not log raw emails. Hash/pseudonymize (e.g., get_salted_identifier(email)) or omit."
     severity: ERROR
     languages: [python]
@@ -38,7 +38,7 @@ rules:
       - pattern-not: logging.$L(..., get_salted_identifier($EMAIL), ...)
       - pattern-not: logger.$L(..., get_salted_identifier($EMAIL), ...)
 
-  - id: LM1103.no-raw-ip-in-logs
+  - id: PL1103.no-raw-ip-in-logs
     message: "Do not log raw IP addresses. Prefer hashed_ip / salted hash."
     severity: ERROR
     languages: [python]
@@ -56,10 +56,10 @@ rules:
           regex: "(?i)^(hashed_ip|salted_hash|ip_hash|identifier_hash)$"
 
   #
-  # LM120x — Secrets and auth artifacts (ERROR/WARNING)
+  # PL120x — Secrets and auth artifacts (ERROR/WARNING)
   #
 
-  - id: LM1201.no-auth-headers-in-logs
+  - id: PL1201.no-auth-headers-in-logs
     message: "Do not log Authorization/Cookie headers."
     severity: ERROR
     languages: [python]
@@ -79,10 +79,10 @@ rules:
           - pattern: logger.$L(..., $H.get('Set-Cookie'), ...)
 
   #
-  # LM130x — Payload dumping (ERROR)
+  # PL130x — Payload dumping (ERROR)
   #
 
-  - id: LM1301.no-request-body-logging
+  - id: PL1301.no-request-body-logging
     message: "Do not log request body/json/payload content."
     severity: ERROR
     languages: [python]
@@ -96,7 +96,7 @@ rules:
       - pattern: logger.$L(..., await request.json(), ...)
       - pattern: logger.$L(..., await request.body(), ...)
 
-  - id: LM1302.no-headers-dict-logging
+  - id: PL1302.no-headers-dict-logging
     message: "Avoid logging full request headers (may contain cookies/tokens). Log minimal safe fields."
     severity: ERROR
     languages: [python]
@@ -107,7 +107,7 @@ rules:
       - pattern: logger.$L(..., dict(request.headers), ...)
 
   #
-  # LM140x — Exception logging hygiene (ERROR)
+  # PL140x — Exception logging hygiene (ERROR)
   #
   # Goal: Encourage your privacy-safe exception pattern:
   #   except Exception:
@@ -116,15 +116,15 @@ rules:
   # Flag patterns that often leak sensitive objects.
   #
 
-  - id: LM1401.no-logger-exception-with-object
+  - id: PL1401.no-logger-exception-with-object
     message: "Avoid logger.exception(e) / logging.exception(e). Exception objects may contain sensitive data."
     severity: ERROR
     languages: [python]
     pattern-either:
       - pattern: logging.exception($E, ...)
       - pattern: logger.exception($E, ...)
 
-  - id: LM1402.no-error-logging-exception-object
+  - id: PL1402.no-error-logging-exception-object
     message: "Avoid logging.error(e) with raw exception objects; log a generic message + safe identifiers."
     severity: WARNING
     languages: [python]
@@ -138,13 +138,13 @@ rules:
           regex: "^(e|err|error|exc|exception)$"
 
   #
-  # LM150x — Vendor response logging (WARNING)
+  # PL150x — Vendor response logging (WARNING)
   #
   # Your pattern is: status_code + response.text[:200]
   # That's generally OK if truncated. Flag only if response.text is logged unbounded.
   #
 
-  - id: LM1501.no-unbounded-response-text
+  - id: PL1501.no-unbounded-response-text
     message: "Avoid logging full vendor response.text; truncate (e.g., response.text[:200])."
     severity: WARNING
     languages: [python]

privlog/runner.py

@@ -92,8 +92,8 @@ def _run_semgrep(path: Path, config: Path | None, rules: Path | None, verbose: b
         data = json.loads(raw)
         for r in data.get("results", []):
             raw_rid = r.get("check_id", "UNKNOWN")
-            lm_index = raw_rid.find("LM")
-            rid = raw_rid[lm_index:] if lm_index != -1 else raw_rid
+            pl_index = raw_rid.find("PL")
+            rid = raw_rid[pl_index:] if pl_index != -1 else raw_rid
 
             findings.append(
                 Finding(