Fix(Keyboard): Mask code field for sensitive inputs in keydown/keyup

[mkh-user]

This PR fixes #8 an issue where the code field in keydown and keyup events was not masked for sensitive input elements (e.g. password fields, credit card inputs).

Related Issue

• Closes [SECURITY] Bug: code field is not masked for sensitive inputs in keydown / keyup events #8

Problem

Currently, when a keyboard event occurs on a sensitive element:

• key → correctly masked to [masked]
• code → remains unmasked (e.g. "KeyA", "Digit1")

This leaks potentially sensitive interaction patterns despite the key value being masked.

Solution

• Add isSensitive(e.target) check for the code field
• Mask code to [masked] when target is sensitive
• Remove redundant target masking (keep original elSummary(e.target) as it's already safe)

Changes

handlers.keydown = (e) => record('keydown', {
  key:    isSensitive(e.target) ? '[masked]' : e.key,
- code:   e.code,
- target: isSensitive(e.target) ? '[sensitive]' : elSummary(e.target),
+ code:   isSensitive(e.target) ? '[masked]' : e.code,
+ target: elSummary(e.target),
});

Same change applied to the keyup handler.

Testing

• Tested on password input → code is [masked]
• Tested on normal input → code shows actual value (e.g. "KeyA")
• Tested on credit card-like field (name/id containing "card") → code masked
• Verified target field still contains valid element summary

Breaking Changes

None. This is a bug fix with backward compatible behavior.

Version Change Suggestion

0.2.0 → 0.2.1 (patch)

Note

There is only one major version currently (and Telesense is in 0.x initial development), so no backport is needed until user request.