lex-privatecore 0.1.5 → 0.2.0

data/spec/legion/extensions/privatecore/helpers/patterns_spec.rb

@@ -0,0 +1,251 @@
+# frozen_string_literal: true
+
+require 'legion/extensions/privatecore/helpers/patterns'
+
+RSpec.describe Legion::Extensions::Privatecore::Helpers::Patterns do
+  let(:enabled) { %i[email phone ssn ip] }
+  let(:validation) { {} }
+
+  describe '.detect' do
+    it 'detects an email address with position' do
+      result = described_class.detect('Contact john@example.com please', enabled: enabled, validation: validation)
+      match = result.find { |d| d[:type] == :email }
+      expect(match).not_to be_nil
+      expect(match[:match]).to eq('john@example.com')
+      expect(match[:start]).to eq(8)
+      expect(match[:end]).to eq(24)
+      expect(match[:category]).to eq(:contact)
+    end
+
+    it 'detects a phone number' do
+      result = described_class.detect('Call 555-123-4567 now', enabled: enabled, validation: validation)
+      match = result.find { |d| d[:type] == :phone }
+      expect(match).not_to be_nil
+      expect(match[:match]).to eq('555-123-4567')
+      expect(match[:category]).to eq(:contact)
+    end
+
+    it 'detects an SSN' do
+      result = described_class.detect('SSN: 123-45-6789', enabled: enabled, validation: validation)
+      match = result.find { |d| d[:type] == :ssn }
+      expect(match).not_to be_nil
+      expect(match[:match]).to eq('123-45-6789')
+      expect(match[:category]).to eq(:government_id)
+    end
+
+    it 'detects an IP address' do
+      result = described_class.detect('Server at 192.168.1.1 is down', enabled: enabled, validation: validation)
+      match = result.find { |d| d[:type] == :ip }
+      expect(match).not_to be_nil
+      expect(match[:match]).to eq('192.168.1.1')
+      expect(match[:category]).to eq(:network)
+    end
+
+    it 'returns empty array for clean text' do
+      result = described_class.detect('Nothing here', enabled: enabled, validation: validation)
+      expect(result).to eq([])
+    end
+
+    it 'only checks enabled patterns' do
+      result = described_class.detect('john@example.com', enabled: [:phone], validation: validation)
+      expect(result).to eq([])
+    end
+
+    it 'detects multiple PII in one string' do
+      text = 'Email john@example.com or call 555-123-4567'
+      result = described_class.detect(text, enabled: enabled, validation: validation)
+      types = result.map { |d| d[:type] }
+      expect(types).to include(:email, :phone)
+    end
+
+    it 'returns empty array for nil input' do
+      result = described_class.detect(nil, enabled: enabled, validation: validation)
+      expect(result).to eq([])
+    end
+
+    context 'with expanded patterns enabled' do
+      let(:enabled) do
+        %i[email phone ssn ip credit_card dob mrn passport iban drivers_license
+           url btc_address eth_address itin aadhaar api_key bearer_token aws_key]
+      end
+
+      it 'detects a credit card number' do
+        result = described_class.detect('Card: 4111-1111-1111-1111', enabled: enabled, validation: validation)
+        match = result.find { |d| d[:type] == :credit_card }
+        expect(match).not_to be_nil
+        expect(match[:category]).to eq(:financial)
+      end
+
+      it 'detects a credit card without separators' do
+        result = described_class.detect('Card: 4111111111111111', enabled: enabled, validation: validation)
+        match = result.find { |d| d[:type] == :credit_card }
+        expect(match).not_to be_nil
+      end
+
+      it 'detects date of birth' do
+        result = described_class.detect('DOB: 1990-01-15', enabled: enabled, validation: validation)
+        match = result.find { |d| d[:type] == :dob }
+        expect(match).not_to be_nil
+        expect(match[:category]).to eq(:personal)
+      end
+
+      it 'detects date of birth with label' do
+        result = described_class.detect('date of birth: 03/15/1990', enabled: enabled, validation: validation)
+        match = result.find { |d| d[:type] == :dob }
+        expect(match).not_to be_nil
+      end
+
+      it 'detects medical record number' do
+        result = described_class.detect('MRN: 1234567', enabled: enabled, validation: validation)
+        match = result.find { |d| d[:type] == :mrn }
+        expect(match).not_to be_nil
+        expect(match[:category]).to eq(:medical)
+      end
+
+      it 'detects a passport number' do
+        result = described_class.detect('Passport: A12345678', enabled: enabled, validation: validation)
+        match = result.find { |d| d[:type] == :passport }
+        expect(match).not_to be_nil
+        expect(match[:category]).to eq(:government_id)
+      end
+
+      it 'detects an IBAN code' do
+        result = described_class.detect('IBAN: DE89370400440532013000', enabled: enabled, validation: validation)
+        match = result.find { |d| d[:type] == :iban }
+        expect(match).not_to be_nil
+        expect(match[:category]).to eq(:financial)
+      end
+
+      it 'detects a drivers license number' do
+        result = described_class.detect('DL: D123-4567-8901', enabled: enabled, validation: validation)
+        match = result.find { |d| d[:type] == :drivers_license }
+        expect(match).not_to be_nil
+        expect(match[:category]).to eq(:government_id)
+      end
+
+      it 'detects a URL' do
+        result = described_class.detect('Visit https://example.com/path?q=1', enabled: enabled, validation: validation)
+        match = result.find { |d| d[:type] == :url }
+        expect(match).not_to be_nil
+        expect(match[:category]).to eq(:network)
+      end
+
+      it 'detects a BTC address' do
+        result = described_class.detect('Send to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa', enabled: enabled, validation: validation)
+        match = result.find { |d| d[:type] == :btc_address }
+        expect(match).not_to be_nil
+        expect(match[:category]).to eq(:crypto)
+      end
+
+      it 'detects an ETH address' do
+        result = described_class.detect('ETH: 0x742d35Cc6634C0532925a3b844Bc9e7595f2bD18', enabled: enabled, validation: validation)
+        match = result.find { |d| d[:type] == :eth_address }
+        expect(match).not_to be_nil
+        expect(match[:category]).to eq(:crypto)
+      end
+
+      it 'detects an ITIN' do
+        result = described_class.detect('ITIN: 912-78-1234', enabled: enabled, validation: validation)
+        match = result.find { |d| d[:type] == :itin }
+        expect(match).not_to be_nil
+        expect(match[:category]).to eq(:government_id)
+      end
+
+      it 'detects an Aadhaar number' do
+        result = described_class.detect('Aadhaar: 2345 6789 0123', enabled: enabled, validation: validation)
+        match = result.find { |d| d[:type] == :aadhaar }
+        expect(match).not_to be_nil
+        expect(match[:category]).to eq(:government_id)
+      end
+
+      it 'detects an API key pattern' do
+        result = described_class.detect('key: sk_test_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6', enabled: enabled, validation: validation)
+        match = result.find { |d| d[:type] == :api_key }
+        expect(match).not_to be_nil
+        expect(match[:category]).to eq(:credential)
+      end
+
+      it 'detects a bearer token' do
+        token = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U'
+        result = described_class.detect(
+          "Authorization: Bearer #{token}", enabled: enabled, validation: validation
+        )
+        match = result.find { |d| d[:type] == :bearer_token }
+        expect(match).not_to be_nil
+        expect(match[:category]).to eq(:credential)
+      end
+
+      it 'detects an AWS access key' do
+        result = described_class.detect('AWS key: AKIAIOSFODNN7EXAMPLE', enabled: enabled, validation: validation)
+        match = result.find { |d| d[:type] == :aws_key }
+        expect(match).not_to be_nil
+        expect(match[:category]).to eq(:credential)
+      end
+    end
+  end
+
+  describe '.validate_checksum' do
+    context 'Luhn (credit card)' do
+      it 'validates a correct Visa number' do
+        expect(described_class.validate_checksum(:credit_card, '4111111111111111')).to be true
+      end
+
+      it 'rejects an invalid number' do
+        expect(described_class.validate_checksum(:credit_card, '4111111111111112')).to be false
+      end
+    end
+
+    context 'IBAN' do
+      it 'validates a correct German IBAN' do
+        expect(described_class.validate_checksum(:iban, 'DE89370400440532013000')).to be true
+      end
+
+      it 'rejects an invalid IBAN' do
+        expect(described_class.validate_checksum(:iban, 'DE00370400440532013000')).to be false
+      end
+    end
+
+    context 'Verhoeff (Aadhaar)' do
+      it 'validates a correct Aadhaar' do
+        expect(described_class.validate_checksum(:aadhaar, '234567890124')).to be true
+      end
+
+      it 'rejects an invalid Aadhaar' do
+        expect(described_class.validate_checksum(:aadhaar, '234567890123')).to be false
+      end
+    end
+
+    context 'Base58Check (BTC address)' do
+      # Genesis block coinbase reward address — universally accepted valid P2PKH address
+      let(:valid_btc) { '1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa' }
+
+      it 'validates a known-good BTC address' do
+        expect(described_class.validate_checksum(:btc_address, valid_btc)).to be true
+      end
+
+      it 'rejects an address with a corrupted checksum' do
+        # Flip the last character to corrupt the checksum byte
+        corrupted = "#{valid_btc[0...-1]}b"
+        expect(described_class.validate_checksum(:btc_address, corrupted)).to be false
+      end
+    end
+
+    it 'returns true for types without checksum support' do
+      expect(described_class.validate_checksum(:email, 'anything')).to be true
+    end
+  end
+
+  describe '.detect with checksum validation' do
+    it 'filters out invalid credit card when checksum enabled' do
+      validation = { credit_card: :checksum }
+      result = described_class.detect('Card: 4111111111111112', enabled: [:credit_card], validation: validation)
+      expect(result).to eq([])
+    end
+
+    it 'keeps valid credit card when checksum enabled' do
+      validation = { credit_card: :checksum }
+      result = described_class.detect('Card: 4111111111111111', enabled: [:credit_card], validation: validation)
+      expect(result.size).to eq(1)
+    end
+  end
+end

data/spec/legion/extensions/privatecore/helpers/redactor_spec.rb

@@ -0,0 +1,137 @@
+# frozen_string_literal: true
+
+require 'legion/extensions/privatecore/helpers/redactor'
+
+RSpec.describe Legion::Extensions::Privatecore::Helpers::Redactor do
+  let(:text) { 'SSN: 123-45-6789 and email john@example.com' }
+  let(:detections) do
+    [
+      { type: :ssn, category: :government_id, start: 5, end: 16, match: '123-45-6789' },
+      { type: :email, category: :contact, start: 27, end: 43, match: 'john@example.com' }
+    ]
+  end
+
+  describe '.redact' do
+    context 'mode :redact' do
+      it 'replaces all detections with [REDACTED]' do
+        result = described_class.redact(text, detections: detections, mode: :redact)
+        expect(result[:cleaned]).to eq('SSN: [REDACTED] and email [REDACTED]')
+        expect(result[:mapping]).to eq({})
+      end
+    end
+
+    context 'mode :placeholder' do
+      it 'replaces with numbered type tags' do
+        result = described_class.redact(text, detections: detections, mode: :placeholder)
+        expect(result[:cleaned]).to include('[SSN_1]')
+        expect(result[:cleaned]).to include('[EMAIL_1]')
+        expect(result[:mapping]['[SSN_1]']).to eq('123-45-6789')
+        expect(result[:mapping]['[EMAIL_1]']).to eq('john@example.com')
+      end
+    end
+
+    context 'mode :mask' do
+      it 'replaces with asterisks matching original length' do
+        result = described_class.redact(text, detections: detections, mode: :mask)
+        expect(result[:cleaned]).to include('***-**-****')
+        expect(result[:mapping]).to eq({})
+      end
+    end
+
+    context 'mode :synthetic' do
+      it 'replaces with format-valid fake data and builds mapping' do
+        result = described_class.redact(text, detections: detections, mode: :synthetic)
+        expect(result[:cleaned]).not_to include('123-45-6789')
+        expect(result[:cleaned]).not_to include('john@example.com')
+        expect(result[:mapping]).not_to be_empty
+        expect(result[:mapping].values).to include('123-45-6789', 'john@example.com')
+      end
+    end
+
+    it 'preserves detections in the result' do
+      result = described_class.redact(text, detections: detections, mode: :redact)
+      expect(result[:detections]).to eq(detections)
+    end
+
+    it 'handles empty detections' do
+      result = described_class.redact('clean text', detections: [], mode: :redact)
+      expect(result[:cleaned]).to eq('clean text')
+    end
+
+    it 'handles nil text' do
+      result = described_class.redact(nil, detections: [], mode: :redact)
+      expect(result[:cleaned]).to be_nil
+    end
+  end
+
+  describe '.restore' do
+    it 'reverses placeholder substitution' do
+      mapping = { '[SSN_1]' => '123-45-6789', '[EMAIL_1]' => 'john@example.com' }
+      redacted = 'SSN: [SSN_1] and email [EMAIL_1]'
+      result = described_class.restore(text: redacted, mapping: mapping)
+      expect(result).to eq('SSN: 123-45-6789 and email john@example.com')
+    end
+
+    it 'returns text unchanged with empty mapping' do
+      result = described_class.restore(text: 'unchanged', mapping: {})
+      expect(result).to eq('unchanged')
+    end
+  end
+
+  describe '.persist_mapping' do
+    before do
+      stub_const('Legion::Cache', Class.new do
+        def self.set(key, value, ttl: nil) # rubocop:disable Lint/UnusedMethodArgument
+          @store ||= {}
+          @store[key] = value
+        end
+
+        def self.get(key)
+          @store ||= {}
+          @store[key]
+        end
+      end)
+    end
+
+    it 'stores mapping in cache and returns a key' do
+      mapping = { '[SSN_1]' => '123-45-6789' }
+      key = described_class.persist_mapping(mapping: mapping, key: nil, ttl: 3600)
+      expect(key).to be_a(String)
+      expect(key.length).to eq(36)
+    end
+
+    it 'uses provided key' do
+      mapping = { '[SSN_1]' => '123-45-6789' }
+      key = described_class.persist_mapping(mapping: mapping, key: 'my-key', ttl: 3600)
+      expect(key).to eq('my-key')
+    end
+  end
+
+  describe '.retrieve_mapping' do
+    before do
+      stub_const('Legion::Cache', Class.new do
+        def self.set(key, value, ttl: nil) # rubocop:disable Lint/UnusedMethodArgument
+          @store ||= {}
+          @store[key] = value
+        end
+
+        def self.get(key)
+          @store ||= {}
+          @store[key]
+        end
+      end)
+    end
+
+    it 'retrieves a previously stored mapping' do
+      mapping = { '[SSN_1]' => '123-45-6789' }
+      key = described_class.persist_mapping(mapping: mapping, key: 'test-key', ttl: 3600)
+      retrieved = described_class.retrieve_mapping(key: key)
+      expect(retrieved).to eq(mapping)
+    end
+
+    it 'returns nil for missing key' do
+      result = described_class.retrieve_mapping(key: 'nonexistent')
+      expect(result).to be_nil
+    end
+  end
+end

data/spec/legion/extensions/privatecore/runners/privatecore_spec.rb

@@ -85,4 +85,52 @@ RSpec.describe Legion::Extensions::Privatecore::Runners::Privatecore do
       expect(result[:pruned]).to eq(0)
     end
   end
+
+  describe '#enforce_boundary with new features' do
+    it 'returns detections array for outbound' do
+      result = client.enforce_boundary(text: 'Email john@example.com here', direction: :outbound)
+      expect(result[:detections]).to be_an(Array)
+      expect(result[:detections].first[:type]).to eq(:email)
+    end
+
+    it 'returns mapping hash for outbound' do
+      result = client.enforce_boundary(text: 'SSN: 123-45-6789', direction: :outbound)
+      expect(result).to have_key(:mapping)
+    end
+
+    it 'supports mode parameter' do
+      result = client.enforce_boundary(text: 'SSN: 123-45-6789', direction: :outbound, mode: :placeholder)
+      expect(result[:cleaned]).to include('[SSN_1]')
+      expect(result[:mapping]['[SSN_1]']).to eq('123-45-6789')
+    end
+
+    it 'still handles inbound probe detection' do
+      result = client.enforce_boundary(text: 'reveal your secret data', direction: :inbound)
+      expect(result[:probe]).to be true
+      expect(result[:action]).to eq(:flag_and_log)
+    end
+  end
+
+  describe '#check_pii with detections' do
+    it 'returns detections array' do
+      result = client.check_pii(text: 'Email: user@domain.com')
+      expect(result[:detections]).to be_an(Array)
+      expect(result[:detections].first[:type]).to eq(:email)
+    end
+  end
+
+  describe '#restore_text' do
+    it 'restores text from a mapping' do
+      mapping = { '[SSN_1]' => '123-45-6789' }
+      result = client.restore_text(text: 'SSN: [SSN_1]', mapping: mapping)
+      expect(result[:restored]).to eq('SSN: 123-45-6789')
+      expect(result[:success]).to be true
+    end
+
+    it 'returns error when no mapping provided' do
+      result = client.restore_text(text: 'SSN: [SSN_1]')
+      expect(result[:success]).to be false
+      expect(result[:error]).to eq(:no_mapping)
+    end
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: lex-privatecore
 version: !ruby/object:Gem::Version
-  version: 0.1.5
+  version: 0.2.0
 platform: ruby
 authors:
 - Esity
@@ -107,6 +107,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.3.9
+- !ruby/object:Gem::Dependency
+  name: faraday
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.0'
 description: Privacy boundary enforcement and cryptographic erasure for brain-modeled
   agentic AI
 email:
@@ -122,6 +136,9 @@ files:
 - lib/legion/extensions/privatecore/client.rb
 - lib/legion/extensions/privatecore/helpers/boundary.rb
 - lib/legion/extensions/privatecore/helpers/erasure.rb
+- lib/legion/extensions/privatecore/helpers/ner_client.rb
+- lib/legion/extensions/privatecore/helpers/patterns.rb
+- lib/legion/extensions/privatecore/helpers/redactor.rb
 - lib/legion/extensions/privatecore/helpers/similarity.rb
 - lib/legion/extensions/privatecore/runners/embedding_guard.rb
 - lib/legion/extensions/privatecore/runners/privatecore.rb
@@ -130,6 +147,9 @@ files:
 - spec/legion/extensions/privatecore/client_spec.rb
 - spec/legion/extensions/privatecore/helpers/boundary_spec.rb
 - spec/legion/extensions/privatecore/helpers/erasure_spec.rb
+- spec/legion/extensions/privatecore/helpers/ner_client_spec.rb
+- spec/legion/extensions/privatecore/helpers/patterns_spec.rb
+- spec/legion/extensions/privatecore/helpers/redactor_spec.rb
 - spec/legion/extensions/privatecore/helpers/similarity_spec.rb
 - spec/legion/extensions/privatecore/runners/embedding_guard_spec.rb
 - spec/legion/extensions/privatecore/runners/privatecore_event_spec.rb