@aictrl/hush 0.1.6 → 0.1.7

package/.gitlab-ci.yml

@@ -0,0 +1,59 @@
+stages:
+  - build
+  - e2e
+
+build:
+  stage: build
+  image: node:22-slim
+  script:
+    - npm ci
+    - npm run build
+    - npm test
+  artifacts:
+    paths:
+      - dist/
+    expire_in: 1 hour
+  cache:
+    key:
+      files:
+        - package-lock.json
+    paths:
+      - node_modules/
+
+e2e-plugin-blocks-env:
+  stage: e2e
+  image: node:22-slim
+  needs: [build]
+  cache:
+    key:
+      files:
+        - package-lock.json
+    paths:
+      - node_modules/
+    policy: pull
+  before_script:
+    - npm install -g opencode
+  script:
+    - chmod +x scripts/e2e-plugin-block.sh
+    - ./scripts/e2e-plugin-block.sh
+  variables:
+    ZHIPUAI_API_KEY: $ZHIPUAI_API_KEY
+
+e2e-proxy-redacts-pii:
+  stage: e2e
+  image: node:22-slim
+  needs: [build]
+  cache:
+    key:
+      files:
+        - package-lock.json
+    paths:
+      - node_modules/
+    policy: pull
+  before_script:
+    - npm install -g opencode
+  script:
+    - chmod +x scripts/e2e-proxy-live.sh
+    - ./scripts/e2e-proxy-live.sh
+  variables:
+    ZHIPUAI_API_KEY: $ZHIPUAI_API_KEY

package/README.md

@@ -57,12 +57,15 @@ Create `opencode.json` in your project root:
 
 ### Gemini CLI
 
-Gemini CLI only supports env vars for endpoint override (no settings file option):
+Add `.gemini/.env` to your project root (or set the env var directly):
 
 ```bash
-CODE_ASSIST_ENDPOINT=http://127.0.0.1:4000 gemini
+# .gemini/.env
+CODE_ASSIST_ENDPOINT=http://127.0.0.1:4000
 ```
 
+Or: `CODE_ASSIST_ENDPOINT=http://127.0.0.1:4000 gemini`
+
 ### Verify it works
 
 When your AI tool sends a request containing PII, the hush terminal shows:
@@ -73,6 +76,150 @@ INFO: Redacted sensitive data from request  path="/v1/messages"  tokenCount=2  d
 
 Your tool still sees the real data (rehydrated locally). The LLM provider only ever sees tokens like `[USER_EMAIL_f22c5a]`.
 
+## Enforce for Your Team
+
+Commit config files to your repo so every developer automatically routes through hush — no manual setup per person.
+
+Copy the files from [`examples/team-config/`](examples/team-config/) into your project root:
+
+```
+your-project/
+├── .claude/settings.json     # Claude Code → hush
+├── .codex/config.toml        # Codex → hush
+├── .gemini/.env              # Gemini CLI → hush
+└── opencode.json             # OpenCode → hush
+```
+
+**Claude Code** — `.claude/settings.json`:
+```json
+{
+  "env": {
+    "ANTHROPIC_BASE_URL": "http://127.0.0.1:4000"
+  }
+}
+```
+
+**Codex** — `.codex/config.toml`:
+```toml
+model_provider = "hush"
+
+[model_providers.hush]
+base_url = "http://127.0.0.1:4000/v1"
+```
+
+**OpenCode** — `opencode.json`:
+```json
+{
+  "provider": {
+    "zai-coding-plan": {
+      "options": {
+        "baseURL": "http://127.0.0.1:4000/api/coding/paas/v4"
+      }
+    }
+  }
+}
+```
+
+**Gemini CLI** — `.gemini/.env`:
+```
+CODE_ASSIST_ENDPOINT=http://127.0.0.1:4000
+```
+
+Each developer just needs `hush` running locally. All AI tools in the project will route through it automatically.
+
+## Hooks Mode (Claude Code)
+
+Hush can also run as a **Claude Code hook** — redacting PII from tool outputs *before Claude ever sees them*. No proxy required.
+
+### Setup
+
+```bash
+hush init --hooks
+```
+
+This adds a `PostToolUse` hook to `.claude/settings.json` that runs `hush redact-hook` after every `Bash`, `Read`, `Grep`, and `WebFetch` tool call.
+
+Use `--local` to write to `settings.local.json` instead (for personal overrides not committed to the repo).
+
+### How it works
+
+```
+Local files/commands → [Hook: redact before Claude sees] → Claude's context
+                                                               ↓
+                                                          API request
+                                                               ↓
+                                                    [Proxy: redact before cloud]
+                                                               ↓
+                                                          LLM Provider
+```
+
+When a tool runs (e.g., `cat .env`), the hook inspects the response for PII. If PII is found, the hook **blocks** the raw output and provides Claude with the redacted version instead. Claude only ever sees `[USER_EMAIL_f22c5a]`, not `alice@company.com`.
+
+### Hooks vs Proxy
+
+| | Hooks Mode | Proxy Mode |
+|---|---|---|
+| **What's protected** | Tool outputs (before Claude sees them) | API requests (before they leave your machine) |
+| **Setup** | `hush init --hooks` | `hush` + point `ANTHROPIC_BASE_URL` |
+| **Works with** | Claude Code only | Any AI tool |
+| **Defense-in-depth** | Use both for maximum coverage | Use both for maximum coverage |
+
+### Defense-in-depth
+
+For maximum protection, use both modes together. The team config example in [`examples/team-config/`](examples/team-config/) shows this setup — hooks redact tool outputs and the proxy redacts API requests.
+
+## OpenCode Plugin
+
+Hush provides an **OpenCode plugin** that blocks reads of sensitive files (`.env`, `*.pem`, `credentials.*`, `id_rsa`, etc.) before the tool executes — the AI model never sees the contents.
+
+### Drop-in setup
+
+Copy the plugin file and update your `opencode.json`:
+
+```
+your-project/
+├── .opencode/plugins/hush.ts    # plugin file
+└── opencode.json                # add "plugin" array
+```
+
+```json
+{
+  "provider": {
+    "zai-coding-plan": {
+      "options": {
+        "baseURL": "http://127.0.0.1:4000/api/coding/paas/v4"
+      }
+    }
+  },
+  "plugin": [".opencode/plugins/hush.ts"]
+}
+```
+
+Find the drop-in plugin at [`examples/team-config/.opencode/plugins/hush.ts`](examples/team-config/.opencode/plugins/hush.ts).
+
+### npm import
+
+```typescript
+import { HushPlugin } from '@aictrl/hush/opencode-plugin'
+```
+
+### What it blocks
+
+| Tool | Blocked when |
+|------|-------------|
+| `read` | File path matches `.env*`, `*credentials*`, `*secret*`, `*.pem`, `*.key`, `*.p12`, `*.pfx`, `*.jks`, `*.keystore`, `*.asc`, `id_rsa*`, `.netrc`, `.pgpass` |
+| `bash` | Commands like `cat`, `head`, `tail`, `less`, `more`, `bat` target a sensitive file |
+
+### Plugin + Proxy = Defense-in-depth
+
+The plugin blocks reads of known-sensitive filenames. The proxy catches PII in files with normal names (e.g., `config.txt` containing an email). Together they provide two layers of protection:
+
+```
+Tool reads .env       → [Plugin: BLOCKED]           → model never sees it
+Tool reads config.txt → [Plugin: allowed]            → proxy redacts PII → model sees tokens
+                         (not a sensitive filename)
+```
+
 ## How it Works
 
 1. **Intercept** — Hush sits on your machine between your AI tool and the LLM provider.
@@ -88,7 +235,7 @@ Your tool still sees the real data (rehydrated locally). The LLM provider only e
 | Claude Code | `~/.claude/settings.json` | `/v1/messages` → Anthropic |
 | Codex | `~/.codex/config.toml` | `/v1/chat/completions` → OpenAI |
 | OpenCode | `opencode.json` | `/api/paas/v4/**` → ZhipuAI |
-| Gemini CLI | `CODE_ASSIST_ENDPOINT` env var | `/v1beta/models/**` → Google |
+| Gemini CLI | `.gemini/.env` | `/v1beta/models/**` → Google |
 | Any tool | Point base URL at hush | `/*` catch-all with auto-detect |
 
 Hush forwards your existing auth headers transparently — no API keys need to be reconfigured.

package/dist/cli.js

@@ -1,19 +1,32 @@
 #!/usr/bin/env node
-import { app } from './index.js';
-import { createLogger } from './lib/logger.js';
-const log = createLogger('hush-cli');
-const PORT = process.env.PORT || 4000;
-const server = app.listen(PORT, () => {
-    log.info(`Hush Semantic Gateway is listening on http://localhost:${PORT}`);
-    log.info(`Routes: /v1/messages → Anthropic, /v1/chat/completions → OpenAI, /api/paas/v4/** → ZhipuAI, * → Google`);
-});
-server.on('error', (err) => {
-    if (err.code === 'EADDRINUSE') {
-        log.error(`Port ${PORT} is already in use. Stop the other process or use PORT=<number> hush`);
-    }
-    else {
-        log.error({ err }, 'Failed to start server');
-    }
-    process.exit(1);
-});
+const subcommand = process.argv[2];
+if (subcommand === 'redact-hook') {
+    const { run } = await import('./commands/redact-hook.js');
+    await run();
+}
+else if (subcommand === 'init') {
+    const { run } = await import('./commands/init.js');
+    run(process.argv.slice(3));
+}
+else {
+    // Default: start the proxy server
+    const { app } = await import('./index.js');
+    const { createLogger } = await import('./lib/logger.js');
+    const log = createLogger('hush-cli');
+    const PORT = process.env.PORT || 4000;
+    const server = app.listen(PORT, () => {
+        log.info(`Hush Semantic Gateway is listening on http://localhost:${PORT}`);
+        log.info(`Routes: /v1/messages → Anthropic, /v1/chat/completions → OpenAI, /api/paas/v4/** → ZhipuAI, * → Google`);
+    });
+    server.on('error', (err) => {
+        if (err.code === 'EADDRINUSE') {
+            log.error(`Port ${PORT} is already in use. Stop the other process or use PORT=<number> hush`);
+        }
+        else {
+            log.error({ err }, 'Failed to start server');
+        }
+        process.exit(1);
+    });
+}
+export {};
 //# sourceMappingURL=cli.js.map

package/dist/cli.js.map

@@ -1 +1 @@
-{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,GAAG,EAAE,MAAM,YAAY,CAAC;AACjC,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAE/C,MAAM,GAAG,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC;AACrC,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,IAAI,CAAC;AAEtC,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,GAAG,EAAE;IACnC,GAAG,CAAC,IAAI,CAAC,0DAA0D,IAAI,EAAE,CAAC,CAAC;IAC3E,GAAG,CAAC,IAAI,CAAC,wGAAwG,CAAC,CAAC;AACrH,CAAC,CAAC,CAAC;AAEH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAA0B,EAAE,EAAE;IAChD,IAAI,GAAG,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QAC9B,GAAG,CAAC,KAAK,CAAC,QAAQ,IAAI,sEAAsE,CAAC,CAAC;IAChG,CAAC;SAAM,CAAC;QACN,GAAG,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,EAAE,wBAAwB,CAAC,CAAC;IAC/C,CAAC;IACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AAEA,MAAM,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAEnC,IAAI,UAAU,KAAK,aAAa,EAAE,CAAC;IACjC,MAAM,EAAE,GAAG,EAAE,GAAG,MAAM,MAAM,CAAC,2BAA2B,CAAC,CAAC;IAC1D,MAAM,GAAG,EAAE,CAAC;AACd,CAAC;KAAM,IAAI,UAAU,KAAK,MAAM,EAAE,CAAC;IACjC,MAAM,EAAE,GAAG,EAAE,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAC;IACnD,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;AAC7B,CAAC;KAAM,CAAC;IACN,kCAAkC;IAClC,MAAM,EAAE,GAAG,EAAE,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,CAAC;IAC3C,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC;IAEzD,MAAM,GAAG,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC;IACrC,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,IAAI,CAAC;IAEtC,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,GAAG,EAAE;QACnC,GAAG,CAAC,IAAI,CAAC,0DAA0D,IAAI,EAAE,CAAC,CAAC;QAC3E,GAAG,CAAC,IAAI,CAAC,wGAAwG,CAAC,CAAC;IACrH,CAAC,CAAC,CAAC;IAEH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAA0B,EAAE,EAAE;QAChD,IAAI,GAAG,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;YAC9B,GAAG,CAAC,KAAK,CAAC,QAAQ,IAAI,sEAAsE,CAAC,CAAC;QAChG,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,EAAE,wBAAwB,CAAC,CAAC;QAC/C,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/commands/init.d.ts

@@ -0,0 +1,9 @@
+/**
+ * hush init — Generate Claude Code hook configuration
+ *
+ * Usage:
+ *   hush init --hooks           Write to .claude/settings.json
+ *   hush init --hooks --local   Write to .claude/settings.local.json
+ */
+export declare function run(args: string[]): void;
+//# sourceMappingURL=init.d.ts.map

package/dist/commands/init.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../src/commands/init.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AA0DH,wBAAgB,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,IAAI,CA0CxC"}

package/dist/commands/init.js

@@ -0,0 +1,81 @@
+/**
+ * hush init — Generate Claude Code hook configuration
+ *
+ * Usage:
+ *   hush init --hooks           Write to .claude/settings.json
+ *   hush init --hooks --local   Write to .claude/settings.local.json
+ */
+import { readFileSync, writeFileSync, mkdirSync, existsSync } from 'fs';
+import { join } from 'path';
+const HOOK_CONFIG = {
+    hooks: {
+        PostToolUse: [
+            {
+                matcher: 'Bash|Read|Grep|WebFetch',
+                hooks: [
+                    {
+                        type: 'command',
+                        command: 'hush redact-hook',
+                        timeout: 10,
+                    },
+                ],
+            },
+        ],
+    },
+};
+function hasHushHook(settings) {
+    const postToolUse = settings.hooks?.PostToolUse;
+    if (!Array.isArray(postToolUse))
+        return false;
+    return postToolUse.some((entry) => entry.hooks?.some((h) => h.command?.includes('hush redact-hook')));
+}
+function mergeHooks(existing) {
+    const merged = { ...existing };
+    if (!merged.hooks) {
+        merged.hooks = {};
+    }
+    if (!Array.isArray(merged.hooks.PostToolUse)) {
+        merged.hooks.PostToolUse = [];
+    }
+    merged.hooks = { ...merged.hooks, PostToolUse: [...merged.hooks.PostToolUse, ...HOOK_CONFIG.hooks.PostToolUse] };
+    return merged;
+}
+export function run(args) {
+    const hasHooksFlag = args.includes('--hooks');
+    const isLocal = args.includes('--local');
+    if (!hasHooksFlag) {
+        process.stderr.write('Usage: hush init --hooks [--local]\n');
+        process.stderr.write('\n');
+        process.stderr.write('Options:\n');
+        process.stderr.write('  --hooks   Generate Claude Code PostToolUse hook config\n');
+        process.stderr.write('  --local   Write to settings.local.json instead of settings.json\n');
+        process.exit(1);
+    }
+    const claudeDir = join(process.cwd(), '.claude');
+    const filename = isLocal ? 'settings.local.json' : 'settings.json';
+    const filePath = join(claudeDir, filename);
+    // Ensure .claude/ exists
+    if (!existsSync(claudeDir)) {
+        mkdirSync(claudeDir, { recursive: true });
+    }
+    // Read existing settings or start fresh
+    let settings = {};
+    if (existsSync(filePath)) {
+        try {
+            const raw = readFileSync(filePath, 'utf-8');
+            settings = JSON.parse(raw);
+        }
+        catch {
+            process.stderr.write(`Warning: could not parse ${filePath}, starting fresh\n`);
+        }
+    }
+    // Idempotency check
+    if (hasHushHook(settings)) {
+        process.stdout.write(`hush hooks already configured in ${filePath}\n`);
+        return;
+    }
+    const merged = mergeHooks(settings);
+    writeFileSync(filePath, JSON.stringify(merged, null, 2) + '\n');
+    process.stdout.write(`Wrote hush hooks config to ${filePath}\n`);
+}
+//# sourceMappingURL=init.js.map

package/dist/commands/init.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"init.js","sourceRoot":"","sources":["../../src/commands/init.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,IAAI,CAAC;AACxE,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAE5B,MAAM,WAAW,GAAG;IAClB,KAAK,EAAE;QACL,WAAW,EAAE;YACX;gBACE,OAAO,EAAE,yBAAyB;gBAClC,KAAK,EAAE;oBACL;wBACE,IAAI,EAAE,SAAkB;wBACxB,OAAO,EAAE,kBAAkB;wBAC3B,OAAO,EAAE,EAAE;qBACZ;iBACF;aACF;SACF;KACF;CACF,CAAC;AAaF,SAAS,WAAW,CAAC,QAAsB;IACzC,MAAM,WAAW,GAAG,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC;IAChD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,WAAW,CAAC;QAAE,OAAO,KAAK,CAAC;IAE9C,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAChC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,kBAAkB,CAAC,CAAC,CAClE,CAAC;AACJ,CAAC;AAED,SAAS,UAAU,CAAC,QAAsB;IACxC,MAAM,MAAM,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;IAE/B,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;QAClB,MAAM,CAAC,KAAK,GAAG,EAAE,CAAC;IACpB,CAAC;IAED,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE,CAAC;QAC7C,MAAM,CAAC,KAAK,CAAC,WAAW,GAAG,EAAE,CAAC;IAChC,CAAC;IAED,MAAM,CAAC,KAAK,GAAG,EAAE,GAAG,MAAM,CAAC,KAAK,EAAE,WAAW,EAAE,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,WAAW,EAAE,GAAG,WAAW,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE,CAAC;IAEjH,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,GAAG,CAAC,IAAc;IAChC,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;IAC9C,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;IAEzC,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,sCAAsC,CAAC,CAAC;QAC7D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC3B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;QACnC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,4DAA4D,CAAC,CAAC;QACnF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,qEAAqE,CAAC,CAAC;QAC5F,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,CAAC,CAAC;IACjD,MAAM,QAAQ,GAAG,OAAO,CAAC,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,eAAe,CAAC;IACnE,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IAE3C,yBAAyB;IACzB,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC3B,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC5C,CAAC;IAED,wCAAwC;IACxC,IAAI,QAAQ,GAAiB,EAAE,CAAC;IAChC,IAAI,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QACzB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YAC5C,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAiB,CAAC;QAC7C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,4BAA4B,QAAQ,oBAAoB,CAAC,CAAC;QACjF,CAAC;IACH,CAAC;IAED,oBAAoB;IACpB,IAAI,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,oCAAoC,QAAQ,IAAI,CAAC,CAAC;QACvE,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IACpC,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IAChE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,8BAA8B,QAAQ,IAAI,CAAC,CAAC;AACnE,CAAC"}

package/dist/commands/redact-hook.d.ts

@@ -0,0 +1,12 @@
+/**
+ * hush redact-hook — Claude Code PostToolUse hook handler
+ *
+ * Reads the hook payload from stdin, redacts PII from the tool response,
+ * and blocks the output (replacing it with redacted text) if PII was found.
+ *
+ * Exit codes:
+ *   0 — success (may or may not block)
+ *   2 — malformed input (blocks the tool call per hooks spec)
+ */
+export declare function run(): Promise<void>;
+//# sourceMappingURL=redact-hook.d.ts.map

package/dist/commands/redact-hook.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"redact-hook.d.ts","sourceRoot":"","sources":["../../src/commands/redact-hook.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAwEH,wBAAsB,GAAG,IAAI,OAAO,CAAC,IAAI,CAAC,CA0CzC"}

package/dist/commands/redact-hook.js

@@ -0,0 +1,89 @@
+/**
+ * hush redact-hook — Claude Code PostToolUse hook handler
+ *
+ * Reads the hook payload from stdin, redacts PII from the tool response,
+ * and blocks the output (replacing it with redacted text) if PII was found.
+ *
+ * Exit codes:
+ *   0 — success (may or may not block)
+ *   2 — malformed input (blocks the tool call per hooks spec)
+ */
+import { Redactor } from '../middleware/redactor.js';
+/** Collect all text from a tool_response object. */
+function extractText(toolResponse) {
+    if (!toolResponse || typeof toolResponse !== 'object')
+        return null;
+    const parts = [];
+    if (typeof toolResponse.stdout === 'string' && toolResponse.stdout) {
+        parts.push(toolResponse.stdout);
+    }
+    if (typeof toolResponse.stderr === 'string' && toolResponse.stderr) {
+        parts.push(toolResponse.stderr);
+    }
+    // Read tool nests content under file.content
+    if (toolResponse.file && typeof toolResponse.file.content === 'string' && toolResponse.file.content) {
+        parts.push(toolResponse.file.content);
+    }
+    if (typeof toolResponse.content === 'string' && toolResponse.content) {
+        parts.push(toolResponse.content);
+    }
+    if (typeof toolResponse.output === 'string' && toolResponse.output) {
+        parts.push(toolResponse.output);
+    }
+    return parts.length > 0 ? parts.join('\n') : null;
+}
+/** Redact PII from the tool response text. */
+function redactToolResponse(toolResponse, redactor) {
+    const text = extractText(toolResponse);
+    if (!text)
+        return { text: '', hasRedacted: false };
+    const { content, hasRedacted } = redactor.redact(text);
+    return { text: content, hasRedacted };
+}
+function readStdin() {
+    return new Promise((resolve, reject) => {
+        const chunks = [];
+        process.stdin.on('data', (chunk) => chunks.push(chunk));
+        process.stdin.on('end', () => resolve(Buffer.concat(chunks).toString('utf-8')));
+        process.stdin.on('error', reject);
+    });
+}
+export async function run() {
+    let raw;
+    try {
+        raw = await readStdin();
+    }
+    catch {
+        process.stderr.write('hush redact-hook: failed to read stdin\n');
+        process.exit(2);
+    }
+    if (!raw.trim()) {
+        // Empty stdin — nothing to redact
+        process.exit(0);
+    }
+    let payload;
+    try {
+        payload = JSON.parse(raw);
+    }
+    catch {
+        process.stderr.write('hush redact-hook: invalid JSON on stdin\n');
+        process.exit(2);
+    }
+    if (!payload.tool_response) {
+        // No tool_response to redact
+        process.exit(0);
+    }
+    const redactor = new Redactor();
+    const { text, hasRedacted } = redactToolResponse(payload.tool_response, redactor);
+    if (!hasRedacted) {
+        // No PII found — let Claude Code keep the original output
+        process.exit(0);
+    }
+    const response = {
+        decision: 'block',
+        reason: text,
+    };
+    process.stdout.write(JSON.stringify(response) + '\n');
+    process.exit(0);
+}
+//# sourceMappingURL=redact-hook.js.map

package/dist/commands/redact-hook.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"redact-hook.js","sourceRoot":"","sources":["../../src/commands/redact-hook.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,2BAA2B,CAAC;AAuBrD,oDAAoD;AACpD,SAAS,WAAW,CAAC,YAA0C;IAC7D,IAAI,CAAC,YAAY,IAAI,OAAO,YAAY,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAEnE,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,IAAI,OAAO,YAAY,CAAC,MAAM,KAAK,QAAQ,IAAI,YAAY,CAAC,MAAM,EAAE,CAAC;QACnE,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAClC,CAAC;IACD,IAAI,OAAO,YAAY,CAAC,MAAM,KAAK,QAAQ,IAAI,YAAY,CAAC,MAAM,EAAE,CAAC;QACnE,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAClC,CAAC;IACD,6CAA6C;IAC7C,IAAI,YAAY,CAAC,IAAI,IAAI,OAAO,YAAY,CAAC,IAAI,CAAC,OAAO,KAAK,QAAQ,IAAI,YAAY,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;QACpG,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACxC,CAAC;IACD,IAAI,OAAO,YAAY,CAAC,OAAO,KAAK,QAAQ,IAAI,YAAY,CAAC,OAAO,EAAE,CAAC;QACrE,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;IACnC,CAAC;IACD,IAAI,OAAO,YAAY,CAAC,MAAM,KAAK,QAAQ,IAAI,YAAY,CAAC,MAAM,EAAE,CAAC;QACnE,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;IAClC,CAAC;IAED,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACpD,CAAC;AAED,8CAA8C;AAC9C,SAAS,kBAAkB,CACzB,YAAuD,EACvD,QAAkB;IAElB,MAAM,IAAI,GAAG,WAAW,CAAC,YAAY,CAAC,CAAC;IACvC,IAAI,CAAC,IAAI;QAAE,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE,WAAW,EAAE,KAAK,EAAE,CAAC;IAEnD,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACvD,OAAO,EAAE,IAAI,EAAE,OAAiB,EAAE,WAAW,EAAE,CAAC;AAClD,CAAC;AAED,SAAS,SAAS;IAChB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QAChE,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QAChF,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,GAAG;IACvB,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,SAAS,EAAE,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,0CAA0C,CAAC,CAAC;QACjE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC;QAChB,kCAAkC;QAClC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,OAAoB,CAAC;IACzB,IAAI,CAAC;QACH,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAgB,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAClE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,CAAC;QAC3B,6BAA6B;QAC7B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,QAAQ,EAAE,CAAC;IAChC,MAAM,EAAE,IAAI,EAAE,WAAW,EAAE,GAAG,kBAAkB,CAAC,OAAO,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAC;IAElF,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,0DAA0D;QAC1D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,QAAQ,GAAiB;QAC7B,QAAQ,EAAE,OAAO;QACjB,MAAM,EAAE,IAAI;KACb,CAAC;IAEF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,CAAC;IACtD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC"}

package/dist/index.js

@@ -131,7 +131,7 @@ async function proxyRequest(req, res, targetUrl, headers) {
     }
     catch (error) {
         log.error({ err: error, path: req.path }, 'Failed to forward request');
-        res.status(500).json({ error: 'Gateway forwarding failed' });
+        res.status(502).json({ error: 'Gateway forwarding failed' });
     }
 }
 /**

package/dist/middleware/redactor.d.ts

@@ -23,6 +23,11 @@ export declare class Redactor {
      * Common PII Regex patterns.
      */
     private static readonly PATTERNS;
+    /**
+     * Cloud provider key patterns — Tier 1 only (unique prefixes, very low false-positive risk).
+     * Sources: GitHub secret scanning, gitleaks, trufflehog.
+     */
+    private static readonly CLOUD_KEY_PATTERNS;
     /**
      * Redact sensitive information from a JSON object or string.
      *

package/dist/middleware/redactor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"redactor.d.ts","sourceRoot":"","sources":["../../src/middleware/redactor.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AASH;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,8CAA8C;IAC9C,OAAO,EAAE,GAAG,CAAC;IACb,uCAAuC;IACvC,WAAW,EAAE,OAAO,CAAC;IACrB,6CAA6C;IAC7C,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC7B;AAED;;GAEG;AACH,qBAAa,QAAQ;IACnB;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAa9B;IAEF;;;;;OAKG;IACI,MAAM,CAAC,KAAK,EAAE,GAAG,GAAG,eAAe;CAoG3C"}
+{"version":3,"file":"redactor.d.ts","sourceRoot":"","sources":["../../src/middleware/redactor.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AASH;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,8CAA8C;IAC9C,OAAO,EAAE,GAAG,CAAC;IACb,uCAAuC;IACvC,WAAW,EAAE,OAAO,CAAC;IACrB,6CAA6C;IAC7C,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC7B;AAED;;GAEG;AACH,qBAAa,QAAQ;IACnB;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAa9B;IAEF;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,kBAAkB,CA4CxC;IAEF;;;;;OAKG;IACI,MAAM,CAAC,KAAK,EAAE,GAAG,GAAG,eAAe;CA6H3C"}

package/dist/middleware/redactor.js

@@ -30,6 +30,55 @@ export class Redactor {
         /** Phone Numbers (robust version) */
         PHONE: /(?:^|[\s:;])(?:\+\d{1,3}[-. ]?)?\(?\d{2,4}\)?[-. ]\d{3,4}[-. ]\d{3,4}(?:\s*(?:ext|x)\s*\d+)?/g,
     };
+    /**
+     * Cloud provider key patterns — Tier 1 only (unique prefixes, very low false-positive risk).
+     * Sources: GitHub secret scanning, gitleaks, trufflehog.
+     */
+    static CLOUD_KEY_PATTERNS = [
+        // AWS
+        { re: /\b((?:AKIA|ASIA|ABIA|ACCA)[A-Z2-7]{16})\b/g, label: 'AWS_KEY' },
+        // GCP / Firebase
+        { re: /\b(AIza[\w-]{35})\b/g, label: 'GCP_KEY' },
+        { re: /\b(GOCSPX-[a-zA-Z0-9_-]{28})\b/g, label: 'GCP_OAUTH' },
+        // GitHub
+        { re: /\b(ghp_[0-9a-zA-Z]{36})\b/g, label: 'GITHUB_PAT' },
+        { re: /\b(gho_[0-9a-zA-Z]{36})\b/g, label: 'GITHUB_OAUTH' },
+        { re: /\b(ghu_[0-9a-zA-Z]{36})\b/g, label: 'GITHUB_U2S' },
+        { re: /\b(ghs_[0-9a-zA-Z]{36})\b/g, label: 'GITHUB_S2S' },
+        { re: /\b(ghr_[0-9a-zA-Z]{36})\b/g, label: 'GITHUB_REFRESH' },
+        { re: /\b(github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59})\b/g, label: 'GITHUB_FINE_PAT' },
+        // GitLab
+        { re: /\b(glpat-[\w-]{20})\b/g, label: 'GITLAB_PAT' },
+        { re: /\b(glptt-[a-zA-Z0-9_-]{40})\b/g, label: 'GITLAB_TRIGGER' },
+        // Slack
+        { re: /\b(xoxb-[0-9]{10,13}-[0-9]{10,13}[a-zA-Z0-9-]*)\b/g, label: 'SLACK_BOT' },
+        { re: /\b(xox[pe]-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9-]+)\b/g, label: 'SLACK_TOKEN' },
+        // Stripe
+        { re: /\b(sk_(?:live|test)_[a-zA-Z0-9]{10,99})\b/g, label: 'STRIPE_SECRET' },
+        { re: /\b(rk_(?:live|test)_[a-zA-Z0-9]{10,99})\b/g, label: 'STRIPE_RESTRICTED' },
+        { re: /\b(whsec_[a-zA-Z0-9]{24,})\b/g, label: 'STRIPE_WEBHOOK' },
+        // SendGrid (SG. + base64url with internal dot separator)
+        { re: /\b(SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43})\b/g, label: 'SENDGRID_KEY' },
+        // npm
+        { re: /\b(npm_[a-z0-9]{36})\b/gi, label: 'NPM_TOKEN' },
+        // PyPI
+        { re: /\b(pypi-AgEIcHlwaS5vcmc[\w-]{50,})\b/g, label: 'PYPI_TOKEN' },
+        // Docker Hub
+        { re: /\b(dckr_pat_[a-zA-Z0-9_-]{27,})\b/g, label: 'DOCKER_PAT' },
+        // Anthropic
+        { re: /\b(sk-ant-[a-zA-Z0-9_-]{36,})\b/g, label: 'ANTHROPIC_KEY' },
+        // OpenAI (with T3BlbkFJ marker)
+        { re: /\b(sk-(?:proj|svcacct|admin)-[A-Za-z0-9_-]{20,}T3BlbkFJ[A-Za-z0-9_-]{20,})\b/g, label: 'OPENAI_KEY' },
+        // DigitalOcean
+        { re: /\b(do[por]_v1_[a-f0-9]{64})\b/g, label: 'DIGITALOCEAN_TOKEN' },
+        // HashiCorp Vault
+        { re: /\b(hvs\.[\w-]{90,})\b/g, label: 'VAULT_TOKEN' },
+        { re: /\b(hvb\.[\w-]{90,})\b/g, label: 'VAULT_BATCH' },
+        // Supabase
+        { re: /\b(sbp_[a-f0-9]{40})\b/g, label: 'SUPABASE_PAT' },
+        { re: /\b(sb_secret_[a-zA-Z0-9_-]{20,})\b/g, label: 'SUPABASE_SECRET' },
+        // PEM private keys (multiline — matched separately in redactPEMKeys)
+    ];
     /**
      * Redact sensitive information from a JSON object or string.
      *
@@ -78,6 +127,26 @@ export class Redactor {
                     tokens.set(token, match);
                     return token;
                 });
+                // Redact cloud provider keys BEFORE generic patterns — specific prefixed
+                // keys must be matched first so they don't get partially eaten by SECRET
+                // or CREDIT_CARD patterns.
+                for (const { re, label } of Redactor.CLOUD_KEY_PATTERNS) {
+                    re.lastIndex = 0;
+                    text = text.replace(re, (match, p1) => {
+                        hasRedacted = true;
+                        const val = p1 || match;
+                        const token = `[${label}_${tokenHash(val)}]`;
+                        tokens.set(token, val);
+                        return token;
+                    });
+                }
+                // Redact PEM private keys
+                text = text.replace(/-----BEGIN[ A-Z0-9_-]{0,100}PRIVATE KEY-----[\s\S]{64,}?-----END[ A-Z0-9_-]{0,100}PRIVATE KEY-----/g, (match) => {
+                    hasRedacted = true;
+                    const token = `[PRIVATE_KEY_${tokenHash(match)}]`;
+                    tokens.set(token, match);
+                    return token;
+                });
                 // Redact Secrets in text (e.g. "api_key=...")
                 text = text.replace(Redactor.PATTERNS.SECRET, (match, p1) => {
                     hasRedacted = true;

package/dist/middleware/redactor.js.map

@@ -1 +1 @@
-{"version":3,"file":"redactor.js","sourceRoot":"","sources":["../../src/middleware/redactor.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAEpC,0EAA0E;AAC1E,SAAS,SAAS,CAAC,KAAa;IAC9B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;AACtE,CAAC;AAcD;;GAEG;AACH,MAAM,OAAO,QAAQ;IACnB;;OAEG;IACK,MAAM,CAAU,QAAQ,GAAG;QACjC,kFAAkF;QAClF,KAAK,EAAE,kEAAkE;QACzE,yBAAyB;QACzB,IAAI,EAAE,8BAA8B;QACpC,yBAAyB;QACzB,IAAI,EAAE,spBAAspB;QAC5pB,wDAAwD;QACxD,MAAM,EAAE,+GAA+G;QACvH,0BAA0B;QAC1B,WAAW,EAAE,0BAA0B;QACvC,qCAAqC;QACrC,KAAK,EAAE,+FAA+F;KACvG,CAAC;IAEF;;;;;OAKG;IACI,MAAM,CAAC,KAAU;QACtB,MAAM,MAAM,GAAG,IAAI,GAAG,EAAkB,CAAC;QACzC,IAAI,WAAW,GAAG,KAAK,CAAC;QAExB,0DAA0D;QAC1D,MAAM,MAAM,GAAG,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI;YACxD,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;YACnC,CAAC,CAAC,KAAK,CAAC;QAEV,MAAM,cAAc,GAAG,CAAC,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,YAAY,CAAC,CAAC;QAEjG,MAAM,OAAO,GAAG,CAAC,IAAS,EAAE,OAAgB,EAAO,EAAE;YACnD,wCAAwC;YACxC,IAAI,OAAO,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACxC,MAAM,aAAa,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;gBACjE,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBACxD,WAAW,GAAG,IAAI,CAAC;oBACnB,MAAM,KAAK,GAAG,qBAAqB,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC;oBACtD,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;oBACxB,OAAO,KAAK,CAAC;gBACf,CAAC;YACH,CAAC;YAED,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC7B,IAAI,IAAI,GAAG,IAAI,CAAC;gBAEhB,gBAAgB;gBAChB,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC,KAAK,EAAE,EAAE;oBACrD,WAAW,GAAG,IAAI,CAAC;oBACnB,MAAM,KAAK,GAAG,eAAe,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC;oBACjD,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;oBACzB,OAAO,KAAK,CAAC;gBACf,CAAC,CAAC,CAAC;gBAEH,2BAA2B;gBAC3B,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,EAAE,EAAE;oBACpD,WAAW,GAAG,IAAI,CAAC;oBACnB,MAAM,KAAK,GAAG,eAAe,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC;oBACjD,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;oBACzB,OAAO,KAAK,CAAC;gBACf,CAAC,CAAC,CAAC;gBAEH,2BAA2B;gBAC3B,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,EAAE,EAAE;oBACpD,WAAW,GAAG,IAAI,CAAC;oBACnB,MAAM,KAAK,GAAG,kBAAkB,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC;oBACpD,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;oBACzB,OAAO,KAAK,CAAC;gBACf,CAAC,CAAC,CAAC;gBAEH,8CAA8C;gBAC9C,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;oBAC1D,WAAW,GAAG,IAAI,CAAC;oBACnB,MAAM,KAAK,GAAG,qBAAqB,SAAS,CAAC,EAAE,CAAC,GAAG,CAAC;oBACpD,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;oBACtB,OAAO,KAAK,CAAC,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;gBAClC,CAAC,CAAC,CAAC;gBAEH,sBAAsB;gBACtB,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,KAAK,EAAE,EAAE;oBAC3D,WAAW,GAAG,IAAI,CAAC;oBACnB,MAAM,KAAK,GAAG,iBAAiB,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC;oBACnD,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;oBACzB,OAAO,KAAK,CAAC;gBACf,CAAC,CAAC,CAAC;gBAEH,uBAAuB;gBACvB,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC,KAAK,EAAE,EAAE;oBACrD,WAAW,GAAG,IAAI,CAAC;oBACnB,MAAM,KAAK,GAAG,iBAAiB,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC;oBACnD,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;oBACzB,OAAO,KAAK,CAAC;gBACf,CAAC,CAAC,CAAC;gBAEH,OAAO,IAAI,CAAC;YACd,CAAC;YAED,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBACxB,OAAO,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;YACzC,CAAC;YAED,IAAI,IAAI,KAAK,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC9C,MAAM,GAAG,GAAQ,EAAE,CAAC;gBACpB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;oBAChD,GAAG,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBACjC,CAAC;gBACD,OAAO,GAAG,CAAC;YACb,CAAC;YAED,OAAO,IAAI,CAAC;QACd,CAAC,CAAC;QAEF,MAAM,eAAe,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;QAExC,OAAO;YACL,OAAO,EAAE,eAAe;YACxB,WAAW;YACX,MAAM;SACP,CAAC;IACJ,CAAC"}
+{"version":3,"file":"redactor.js","sourceRoot":"","sources":["../../src/middleware/redactor.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAEpC,0EAA0E;AAC1E,SAAS,SAAS,CAAC,KAAa;IAC9B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;AACtE,CAAC;AAcD;;GAEG;AACH,MAAM,OAAO,QAAQ;IACnB;;OAEG;IACK,MAAM,CAAU,QAAQ,GAAG;QACjC,kFAAkF;QAClF,KAAK,EAAE,kEAAkE;QACzE,yBAAyB;QACzB,IAAI,EAAE,8BAA8B;QACpC,yBAAyB;QACzB,IAAI,EAAE,spBAAspB;QAC5pB,wDAAwD;QACxD,MAAM,EAAE,+GAA+G;QACvH,0BAA0B;QAC1B,WAAW,EAAE,0BAA0B;QACvC,qCAAqC;QACrC,KAAK,EAAE,+FAA+F;KACvG,CAAC;IAEF;;;OAGG;IACK,MAAM,CAAU,kBAAkB,GAAyC;QACjF,MAAM;QACN,EAAE,EAAE,EAAE,4CAA4C,EAAE,KAAK,EAAE,SAAS,EAAE;QACtE,iBAAiB;QACjB,EAAE,EAAE,EAAE,sBAAsB,EAAE,KAAK,EAAE,SAAS,EAAE;QAChD,EAAE,EAAE,EAAE,iCAAiC,EAAE,KAAK,EAAE,WAAW,EAAE;QAC7D,SAAS;QACT,EAAE,EAAE,EAAE,4BAA4B,EAAE,KAAK,EAAE,YAAY,EAAE;QACzD,EAAE,EAAE,EAAE,4BAA4B,EAAE,KAAK,EAAE,cAAc,EAAE;QAC3D,EAAE,EAAE,EAAE,4BAA4B,EAAE,KAAK,EAAE,YAAY,EAAE;QACzD,EAAE,EAAE,EAAE,4BAA4B,EAAE,KAAK,EAAE,YAAY,EAAE;QACzD,EAAE,EAAE,EAAE,4BAA4B,EAAE,KAAK,EAAE,gBAAgB,EAAE;QAC7D,EAAE,EAAE,EAAE,mDAAmD,EAAE,KAAK,EAAE,iBAAiB,EAAE;QACrF,SAAS;QACT,EAAE,EAAE,EAAE,wBAAwB,EAAE,KAAK,EAAE,YAAY,EAAE;QACrD,EAAE,EAAE,EAAE,gCAAgC,EAAE,KAAK,EAAE,gBAAgB,EAAE;QACjE,QAAQ;QACR,EAAE,EAAE,EAAE,oDAAoD,EAAE,KAAK,EAAE,WAAW,EAAE;QAChF,EAAE,EAAE,EAAE,wDAAwD,EAAE,KAAK,EAAE,aAAa,EAAE;QACtF,SAAS;QACT,EAAE,EAAE,EAAE,4CAA4C,EAAE,KAAK,EAAE,eAAe,EAAE;QAC5E,EAAE,EAAE,EAAE,4CAA4C,EAAE,KAAK,EAAE,mBAAmB,EAAE;QAChF,EAAE,EAAE,EAAE,+BAA+B,EAAE,KAAK,EAAE,gBAAgB,EAAE;QAChE,yDAAyD;QACzD,EAAE,EAAE,EAAE,iDAAiD,EAAE,KAAK,EAAE,cAAc,EAAE;QAChF,MAAM;QACN,EAAE,EAAE,EAAE,0BAA0B,EAAE,KAAK,EAAE,WAAW,EAAE;QACtD,OAAO;QACP,EAAE,EAAE,EAAE,uCAAuC,EAAE,KAAK,EAAE,YAAY,EAAE;QACpE,aAAa;QACb,EAAE,EAAE,EAAE,oCAAoC,EAAE,KAAK,EAAE,YAAY,EAAE;QACjE,YAAY;QACZ,EAAE,EAAE,EAAE,kCAAkC,EAAE,KAAK,EAAE,eAAe,EAAE;QAClE,gCAAgC;QAChC,EAAE,EAAE,EAAE,+EAA+E,EAAE,KAAK,EAAE,YAAY,EAAE;QAC5G,eAAe;QACf,EAAE,EAAE,EAAE,gCAAgC,EAAE,KAAK,EAAE,oBAAoB,EAAE;QACrE,kBAAkB;QAClB,EAAE,EAAE,EAAE,wBAAwB,EAAE,KAAK,EAAE,aAAa,EAAE;QACtD,EAAE,EAAE,EAAE,wBAAwB,EAAE,KAAK,EAAE,aAAa,EAAE;QACtD,WAAW;QACX,EAAE,EAAE,EAAE,yBAAyB,EAAE,KAAK,EAAE,cAAc,EAAE;QACxD,EAAE,EAAE,EAAE,qCAAqC,EAAE,KAAK,EAAE,iBAAiB,EAAE;QACvE,qEAAqE;KACtE,CAAC;IAEF;;;;;OAKG;IACI,MAAM,CAAC,KAAU;QACtB,MAAM,MAAM,GAAG,IAAI,GAAG,EAAkB,CAAC;QACzC,IAAI,WAAW,GAAG,KAAK,CAAC;QAExB,0DAA0D;QAC1D,MAAM,MAAM,GAAG,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI;YACxD,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;YACnC,CAAC,CAAC,KAAK,CAAC;QAEV,MAAM,cAAc,GAAG,CAAC,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,YAAY,CAAC,CAAC;QAEjG,MAAM,OAAO,GAAG,CAAC,IAAS,EAAE,OAAgB,EAAO,EAAE;YACnD,wCAAwC;YACxC,IAAI,OAAO,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACxC,MAAM,aAAa,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;gBACjE,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBACxD,WAAW,GAAG,IAAI,CAAC;oBACnB,MAAM,KAAK,GAAG,qBAAqB,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC;oBACtD,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;oBACxB,OAAO,KAAK,CAAC;gBACf,CAAC;YACH,CAAC;YAED,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC7B,IAAI,IAAI,GAAG,IAAI,CAAC;gBAEhB,gBAAgB;gBAChB,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC,KAAK,EAAE,EAAE;oBACrD,WAAW,GAAG,IAAI,CAAC;oBACnB,MAAM,KAAK,GAAG,eAAe,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC;oBACjD,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;oBACzB,OAAO,KAAK,CAAC;gBACf,CAAC,CAAC,CAAC;gBAEH,2BAA2B;gBAC3B,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,EAAE,EAAE;oBACpD,WAAW,GAAG,IAAI,CAAC;oBACnB,MAAM,KAAK,GAAG,eAAe,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC;oBACjD,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;oBACzB,OAAO,KAAK,CAAC;gBACf,CAAC,CAAC,CAAC;gBAEH,2BAA2B;gBAC3B,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,EAAE,EAAE;oBACpD,WAAW,GAAG,IAAI,CAAC;oBACnB,MAAM,KAAK,GAAG,kBAAkB,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC;oBACpD,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;oBACzB,OAAO,KAAK,CAAC;gBACf,CAAC,CAAC,CAAC;gBAEH,yEAAyE;gBACzE,yEAAyE;gBACzE,2BAA2B;gBAC3B,KAAK,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,QAAQ,CAAC,kBAAkB,EAAE,CAAC;oBACxD,EAAE,CAAC,SAAS,GAAG,CAAC,CAAC;oBACjB,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC,KAAK,EAAE,EAAU,EAAE,EAAE;wBAC5C,WAAW,GAAG,IAAI,CAAC;wBACnB,MAAM,GAAG,GAAG,EAAE,IAAI,KAAK,CAAC;wBACxB,MAAM,KAAK,GAAG,IAAI,KAAK,IAAI,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC;wBAC7C,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;wBACvB,OAAO,KAAK,CAAC;oBACf,CAAC,CAAC,CAAC;gBACL,CAAC;gBAED,0BAA0B;gBAC1B,IAAI,GAAG,IAAI,CAAC,OAAO,CACjB,qGAAqG,EACrG,CAAC,KAAK,EAAE,EAAE;oBACR,WAAW,GAAG,IAAI,CAAC;oBACnB,MAAM,KAAK,GAAG,gBAAgB,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC;oBAClD,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;oBACzB,OAAO,KAAK,CAAC;gBACf,CAAC,CACF,CAAC;gBAEF,8CAA8C;gBAC9C,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;oBAC1D,WAAW,GAAG,IAAI,CAAC;oBACnB,MAAM,KAAK,GAAG,qBAAqB,SAAS,CAAC,EAAE,CAAC,GAAG,CAAC;oBACpD,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;oBACtB,OAAO,KAAK,CAAC,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;gBAClC,CAAC,CAAC,CAAC;gBAEH,sBAAsB;gBACtB,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,KAAK,EAAE,EAAE;oBAC3D,WAAW,GAAG,IAAI,CAAC;oBACnB,MAAM,KAAK,GAAG,iBAAiB,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC;oBACnD,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;oBACzB,OAAO,KAAK,CAAC;gBACf,CAAC,CAAC,CAAC;gBAEH,uBAAuB;gBACvB,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC,KAAK,EAAE,EAAE;oBACrD,WAAW,GAAG,IAAI,CAAC;oBACnB,MAAM,KAAK,GAAG,iBAAiB,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC;oBACnD,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;oBACzB,OAAO,KAAK,CAAC;gBACf,CAAC,CAAC,CAAC;gBAEH,OAAO,IAAI,CAAC;YACd,CAAC;YAED,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;gBACxB,OAAO,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;YACzC,CAAC;YAED,IAAI,IAAI,KAAK,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC9C,MAAM,GAAG,GAAQ,EAAE,CAAC;gBACpB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;oBAChD,GAAG,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBACjC,CAAC;gBACD,OAAO,GAAG,CAAC;YACb,CAAC;YAED,OAAO,IAAI,CAAC;QACd,CAAC,CAAC;QAEF,MAAM,eAAe,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;QAExC,OAAO;YACL,OAAO,EAAE,eAAe;YACxB,WAAW;YACX,MAAM;SACP,CAAC;IACJ,CAAC"}