@cubenest/rrweb-core 0.1.0-alpha.0

package/dist/console/types.d.ts

@@ -0,0 +1,61 @@
+import type { LogLevel as PluginLogLevel } from '@rrweb/rrweb-plugin-console-record';
+/**
+ * The full set of console levels the upstream plugin can emit. The plugin's
+ * default level list is much broader than the typical `log/info/warn/error`
+ * quartet — it patches every `console.*` shape it knows about, including
+ * `assert`, `count`, `dir`, `group`, `table`, `time*`, and `trace`. We
+ * re-export the union here so consumers can declare-and-pass without
+ * importing from the vendor package directly.
+ *
+ * Default level list (from the plugin source) is:
+ * `assert, clear, count, countReset, debug, dir, dirxml, error, group,
+ * groupCollapsed, groupEnd, info, log, table, time, timeEnd, timeLog,
+ * trace, warn`.
+ */
+export type ConsoleLevel = PluginLogLevel;
+/**
+ * The narrower set of "log-shaped" console levels that carry meaningful
+ * `args` payloads in practice — these are the ones most P1/P2 surfaces
+ * render. Other levels (`group`, `time*`, `count*`, etc.) still flow
+ * through the buffer untouched, but consumers that only want
+ * triage-relevant entries typically filter to this subset.
+ */
+export type BasicConsoleLevel = 'log' | 'info' | 'warn' | 'error' | 'debug' | 'trace';
+/**
+ * A captured console event with the shape downstream consumers see after the
+ * rrweb plugin emits and our buffer normalizes it. Mirrors the plugin's
+ * `LogData` shape (`{ level, trace, payload: string[] }`) but renames the
+ * args array (`payload` → `args`) so consumers don't have to disambiguate
+ * the two `payload` fields in the raw rrweb plugin event.
+ *
+ * Field-by-field mapping vs the plugin's `LogData`:
+ *   - `level`  ← `LogData.level`           (verbatim)
+ *   - `args`   ← `LogData.payload`         (renamed for clarity)
+ *   - `trace`  ← `LogData.trace`           (verbatim; only populated when
+ *                                            non-empty — see buffer.ts)
+ *   - `ts`     ← the surrounding rrweb event's `timestamp`
+ */
+export interface ConsoleEvent {
+    /** Wall-clock time (ms since epoch) the rrweb engine stamped the event. */
+    ts: number;
+    /**
+     * Console level the plugin observed. See `ConsoleLevel` for the full
+     * vocabulary; most consumers will filter to `BasicConsoleLevel`.
+     */
+    level: ConsoleLevel;
+    /**
+     * Stringified arguments. Already truncated by the plugin per
+     * `stringifyOptions.stringLengthLimit` / `numOfKeysLimit` /
+     * `depthOfLimit` — we don't re-serialize.
+     */
+    args: string[];
+    /**
+     * Stack trace lines if the plugin captured them. The plugin populates
+     * this for every patched call (it calls `ErrorStackParser.parse(new
+     * Error())` and drops the first frame), but the buffer only retains
+     * it when non-empty so consumers can use `trace !== undefined` as a
+     * meaningful signal.
+     */
+    trace?: string[];
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/console/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/console/types.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAE,QAAQ,IAAI,cAAc,EAAE,MAAM,oCAAoC,CAAC;AAErF;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,YAAY,GAAG,cAAc,CAAC;AAE1C;;;;;;GAMG;AACH,MAAM,MAAM,iBAAiB,GAAG,KAAK,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,OAAO,GAAG,OAAO,CAAC;AAEtF;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,YAAY;IAC3B,2EAA2E;IAC3E,EAAE,EAAE,MAAM,CAAC;IACX;;;OAGG;IACH,KAAK,EAAE,YAAY,CAAC;IACpB;;;;OAIG;IACH,IAAI,EAAE,MAAM,EAAE,CAAC;IACf;;;;;;OAMG;IACH,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;CAClB"}

package/dist/console/types.js

@@ -0,0 +1,11 @@
+// Console capture types — Task 1.8.
+//
+// Public-facing shapes for the console capture buffer. The buffer normalizes
+// the upstream `@rrweb/rrweb-plugin-console-record` `LogData` payload
+// (`{ level, trace: string[], payload: string[] }`) into a stable
+// `ConsoleEvent` with our own field names so downstream consumers (P1 report
+// renderer, P2 MCP tool surface) don't bind to vendor field names that
+// happen to collide (the plugin uses `payload` for the args array, which
+// makes call sites like `event.data.payload.payload` impossible to read).
+export {};
+//# sourceMappingURL=types.js.map

package/dist/console/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/console/types.ts"],"names":[],"mappings":"AAAA,oCAAoC;AACpC,EAAE;AACF,6EAA6E;AAC7E,sEAAsE;AACtE,kEAAkE;AAClE,6EAA6E;AAC7E,uEAAuE;AACvE,yEAAyE;AACzE,0EAA0E"}

package/dist/index.d.ts

@@ -0,0 +1,17 @@
+export { record, Replayer, getRecordConsolePlugin, EventType, IncrementalSource, MouseInteractions, } from './rrweb';
+export type { eventWithTime, customEvent, recordOptions, } from './rrweb';
+export { maskInputValue, maskTextContent, redactNetworkHeaders, redactBody, COMPAT_SELECTORS, } from './masking';
+export { LARGE_DOM_DEFAULTS, applyLargeDomGuards } from './throttling';
+export type { ApplyLargeDomGuardsOptions } from './throttling';
+export { traverseShadowRoots } from './shadow-dom';
+export type { ShadowRootInfo } from './shadow-dom';
+export type { ScreenshotAdapter } from './screenshot';
+export { createCDPScreenshotAdapter, createTabsScreenshotAdapter, type CDPTransport, type CDPScreenshotOptions, type CaptureVisibleTabFn, type TabsScreenshotOptions, } from './screenshot';
+export type { CapturedRequest, CapturedResponse, NetworkCaptureAdapter } from './network';
+export { createCDPNetworkAdapter, createWebRequestNetworkAdapter, type CDPNetworkEventSource, type CDPNetworkOptions, type WebRequestEvent, type WebRequestEventSource, type WebRequestNetworkOptions, } from './network';
+export { createConsoleCaptureBuffer, type BasicConsoleLevel, type ConsoleCaptureBuffer, type ConsoleCaptureOptions, type ConsoleEvent, type ConsoleLevel, } from './console';
+export { compress, decompress } from './compression';
+export { createSessionStore } from './persistence';
+export type { SessionChunk, SessionStore, SessionStoreOptions } from './persistence';
+export { COMPATIBILITY_MATRIX, type CompatEntry } from './compat';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,MAAM,EACN,QAAQ,EACR,sBAAsB,EACtB,SAAS,EACT,iBAAiB,EACjB,iBAAiB,GAClB,MAAM,SAAS,CAAC;AAEjB,YAAY,EACV,aAAa,EACb,WAAW,EACX,aAAa,GACd,MAAM,SAAS,CAAC;AAGjB,OAAO,EACL,cAAc,EACd,eAAe,EACf,oBAAoB,EACpB,UAAU,EACV,gBAAgB,GACjB,MAAM,WAAW,CAAC;AAGnB,OAAO,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AACvE,YAAY,EAAE,0BAA0B,EAAE,MAAM,cAAc,CAAC;AAG/D,OAAO,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AACnD,YAAY,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAGnD,YAAY,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACtD,OAAO,EACL,0BAA0B,EAC1B,2BAA2B,EAC3B,KAAK,YAAY,EACjB,KAAK,oBAAoB,EACzB,KAAK,mBAAmB,EACxB,KAAK,qBAAqB,GAC3B,MAAM,cAAc,CAAC;AAGtB,YAAY,EAAE,eAAe,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,MAAM,WAAW,CAAC;AAC1F,OAAO,EACL,uBAAuB,EACvB,8BAA8B,EAC9B,KAAK,qBAAqB,EAC1B,KAAK,iBAAiB,EACtB,KAAK,eAAe,EACpB,KAAK,qBAAqB,EAC1B,KAAK,wBAAwB,GAC9B,MAAM,WAAW,CAAC;AAGnB,OAAO,EACL,0BAA0B,EAC1B,KAAK,iBAAiB,EACtB,KAAK,oBAAoB,EACzB,KAAK,qBAAqB,EAC1B,KAAK,YAAY,EACjB,KAAK,YAAY,GAClB,MAAM,WAAW,CAAC;AAGnB,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAGrD,OAAO,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AACnD,YAAY,EAAE,YAAY,EAAE,YAAY,EAAE,mBAAmB,EAAE,MAAM,eAAe,CAAC;AAGrF,OAAO,EAAE,oBAAoB,EAAE,KAAK,WAAW,EAAE,MAAM,UAAU,CAAC"}

package/dist/index.js

@@ -0,0 +1,18 @@
+export { record, Replayer, getRecordConsolePlugin, EventType, IncrementalSource, MouseInteractions, } from './rrweb';
+// Masking
+export { maskInputValue, maskTextContent, redactNetworkHeaders, redactBody, COMPAT_SELECTORS, } from './masking';
+// Throttling defaults + guards
+export { LARGE_DOM_DEFAULTS, applyLargeDomGuards } from './throttling';
+// Shadow DOM
+export { traverseShadowRoots } from './shadow-dom';
+export { createCDPScreenshotAdapter, createTabsScreenshotAdapter, } from './screenshot';
+export { createCDPNetworkAdapter, createWebRequestNetworkAdapter, } from './network';
+// Console capture buffer
+export { createConsoleCaptureBuffer, } from './console';
+// Compression helpers (gzip per-batch via fflate)
+export { compress, decompress } from './compression';
+// IndexedDB persistence helper
+export { createSessionStore } from './persistence';
+// Compatibility matrix
+export { COMPATIBILITY_MATRIX } from './compat';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,MAAM,EACN,QAAQ,EACR,sBAAsB,EACtB,SAAS,EACT,iBAAiB,EACjB,iBAAiB,GAClB,MAAM,SAAS,CAAC;AAQjB,UAAU;AACV,OAAO,EACL,cAAc,EACd,eAAe,EACf,oBAAoB,EACpB,UAAU,EACV,gBAAgB,GACjB,MAAM,WAAW,CAAC;AAEnB,+BAA+B;AAC/B,OAAO,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AAGvE,aAAa;AACb,OAAO,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AAKnD,OAAO,EACL,0BAA0B,EAC1B,2BAA2B,GAK5B,MAAM,cAAc,CAAC;AAItB,OAAO,EACL,uBAAuB,EACvB,8BAA8B,GAM/B,MAAM,WAAW,CAAC;AAEnB,yBAAyB;AACzB,OAAO,EACL,0BAA0B,GAM3B,MAAM,WAAW,CAAC;AAEnB,kDAAkD;AAClD,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAErD,+BAA+B;AAC/B,OAAO,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AAGnD,uBAAuB;AACvB,OAAO,EAAE,oBAAoB,EAAoB,MAAM,UAAU,CAAC"}

package/dist/masking/body.d.ts

@@ -0,0 +1,30 @@
+export interface RedactBodyOptions {
+    /**
+     * Hard cap on returned body length (post-redaction, pre-truncation
+     * suffix). Defaults to 1 MB. Sizes here are JavaScript string lengths
+     * (UTF-16 code units), which is a close-enough proxy for transport
+     * bytes in this layer; consumers needing exact byte semantics can
+     * pre-encode and pass the resulting string.
+     */
+    maxLengthBytes?: number;
+}
+/**
+ * Redact a network or DOM body string by:
+ *   1. Truncating to `maxLengthBytes` if longer (we trim FIRST so the regex
+ *      bank never has to scan more than `max` characters — bounds the cost
+ *      and prevents worst-case backtracking on huge inputs).
+ *   2. Running the (possibly-truncated) prefix through the PII regex bank
+ *      (Luhn-validated credit cards, SSNs, JWTs, API keys, email, phone,
+ *      PEM blocks).
+ *   3. Appending the truncation suffix with the dropped byte count.
+ *
+ * Caveat: a multi-megabyte PEM block split across the truncation boundary
+ * won't be redacted as a PEM. Acceptable — that's already a degenerate
+ * input shape and the head/tail markers stay visible enough for human
+ * review.
+ *
+ * Operates purely on strings — no DOM required, no environment coupling.
+ * Safe to use in service workers, Node, and tests.
+ */
+export declare function redactBody(body: string, opts?: RedactBodyOptions): string;
+//# sourceMappingURL=body.d.ts.map

package/dist/masking/body.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"body.d.ts","sourceRoot":"","sources":["../../src/masking/body.ts"],"names":[],"mappings":"AAOA,MAAM,WAAW,iBAAiB;IAChC;;;;;;OAMG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,GAAE,iBAAsB,GAAG,MAAM,CAS7E"}

package/dist/masking/body.js

@@ -0,0 +1,33 @@
+// Network/payload body redaction.
+import { applyRegexBank } from './regex';
+const DEFAULT_MAX_LENGTH_BYTES = 1024 * 1024; // 1 MB
+const TRUNCATION_SUFFIX = (more) => `... [TRUNCATED ${more} more bytes]`;
+/**
+ * Redact a network or DOM body string by:
+ *   1. Truncating to `maxLengthBytes` if longer (we trim FIRST so the regex
+ *      bank never has to scan more than `max` characters — bounds the cost
+ *      and prevents worst-case backtracking on huge inputs).
+ *   2. Running the (possibly-truncated) prefix through the PII regex bank
+ *      (Luhn-validated credit cards, SSNs, JWTs, API keys, email, phone,
+ *      PEM blocks).
+ *   3. Appending the truncation suffix with the dropped byte count.
+ *
+ * Caveat: a multi-megabyte PEM block split across the truncation boundary
+ * won't be redacted as a PEM. Acceptable — that's already a degenerate
+ * input shape and the head/tail markers stay visible enough for human
+ * review.
+ *
+ * Operates purely on strings — no DOM required, no environment coupling.
+ * Safe to use in service workers, Node, and tests.
+ */
+export function redactBody(body, opts = {}) {
+    const max = opts.maxLengthBytes ?? DEFAULT_MAX_LENGTH_BYTES;
+    if (body.length === 0)
+        return body;
+    if (body.length <= max)
+        return applyRegexBank(body);
+    const head = body.slice(0, max);
+    const dropped = body.length - max;
+    return `${applyRegexBank(head)}${TRUNCATION_SUFFIX(dropped)}`;
+}
+//# sourceMappingURL=body.js.map

package/dist/masking/body.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"body.js","sourceRoot":"","sources":["../../src/masking/body.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAElC,OAAO,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAEzC,MAAM,wBAAwB,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,OAAO;AACrD,MAAM,iBAAiB,GAAG,CAAC,IAAY,EAAU,EAAE,CAAC,kBAAkB,IAAI,cAAc,CAAC;AAazF;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,UAAU,CAAC,IAAY,EAAE,OAA0B,EAAE;IACnE,MAAM,GAAG,GAAG,IAAI,CAAC,cAAc,IAAI,wBAAwB,CAAC;IAC5D,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAEnC,IAAI,IAAI,CAAC,MAAM,IAAI,GAAG;QAAE,OAAO,cAAc,CAAC,IAAI,CAAC,CAAC;IAEpD,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAChC,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC;IAClC,OAAO,GAAG,cAAc,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,OAAO,CAAC,EAAE,CAAC;AAChE,CAAC"}

package/dist/masking/headers.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Redact sensitive headers in place-of in a record. Input is a plain
+ * `Record<string, string>` (the lowest common denominator between fetch
+ * `Headers`, Node's `IncomingMessage.headers`, and webRequest's
+ * `chrome.webRequest.HttpHeader[]` after normalization).
+ *
+ * Non-deny-list headers are returned unchanged. Header *names* are
+ * preserved with their original casing; only *values* on the deny-list
+ * are replaced with `<<REDACTED>>`.
+ *
+ * @example
+ *   redactNetworkHeaders({ Authorization: 'Bearer abc', Accept: 'json' })
+ *   // -> { Authorization: '<<REDACTED>>', Accept: 'json' }
+ */
+export declare function redactNetworkHeaders(headers: Record<string, string>): Record<string, string>;
+//# sourceMappingURL=headers.d.ts.map

package/dist/masking/headers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"headers.d.ts","sourceRoot":"","sources":["../../src/masking/headers.ts"],"names":[],"mappings":"AAsBA;;;;;;;;;;;;;GAaG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAU5F"}

package/dist/masking/headers.js

@@ -0,0 +1,46 @@
+// Network header redaction. Case-insensitive deny-list per
+// IMPLEMENTATION_PLAN.md Task 1.3 and P2 PRD §D.2.
+/**
+ * Headers always redacted, regardless of casing. Lowercased here so
+ * comparisons can be a single `.toLowerCase()` on the caller side.
+ *
+ * Per plan: `authorization`, `cookie`, `set-cookie`, `x-api-key`,
+ * `x-csrf-token`, `x-real-ip`, `proxy-authorization`.
+ */
+const DENY_LIST = new Set([
+    'authorization',
+    'cookie',
+    'set-cookie',
+    'x-api-key',
+    'x-csrf-token',
+    'x-real-ip',
+    'proxy-authorization',
+]);
+const REDACTED_VALUE = '<<REDACTED>>';
+/**
+ * Redact sensitive headers in place-of in a record. Input is a plain
+ * `Record<string, string>` (the lowest common denominator between fetch
+ * `Headers`, Node's `IncomingMessage.headers`, and webRequest's
+ * `chrome.webRequest.HttpHeader[]` after normalization).
+ *
+ * Non-deny-list headers are returned unchanged. Header *names* are
+ * preserved with their original casing; only *values* on the deny-list
+ * are replaced with `<<REDACTED>>`.
+ *
+ * @example
+ *   redactNetworkHeaders({ Authorization: 'Bearer abc', Accept: 'json' })
+ *   // -> { Authorization: '<<REDACTED>>', Accept: 'json' }
+ */
+export function redactNetworkHeaders(headers) {
+    const out = {};
+    for (const [name, value] of Object.entries(headers)) {
+        if (DENY_LIST.has(name.toLowerCase())) {
+            out[name] = REDACTED_VALUE;
+        }
+        else {
+            out[name] = value;
+        }
+    }
+    return out;
+}
+//# sourceMappingURL=headers.js.map

package/dist/masking/headers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"headers.js","sourceRoot":"","sources":["../../src/masking/headers.ts"],"names":[],"mappings":"AAAA,2DAA2D;AAC3D,mDAAmD;AAEnD;;;;;;GAMG;AACH,MAAM,SAAS,GAAwB,IAAI,GAAG,CAAC;IAC7C,eAAe;IACf,QAAQ;IACR,YAAY;IACZ,WAAW;IACX,cAAc;IACd,WAAW;IACX,qBAAqB;CACtB,CAAC,CAAC;AAEH,MAAM,cAAc,GAAG,cAAc,CAAC;AAEtC;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAA+B;IAClE,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACpD,IAAI,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;YACtC,GAAG,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC;QAC7B,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC;QACpB,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/masking/index.d.ts

@@ -0,0 +1,8 @@
+export { maskInputValue } from './inputs';
+export { maskTextContent } from './text';
+export { redactNetworkHeaders } from './headers';
+export { redactBody } from './body';
+export type { RedactBodyOptions } from './body';
+export { COMPAT_SELECTORS } from './selectors';
+export type { CompatSelectorFamily } from './selectors';
+//# sourceMappingURL=index.d.ts.map

package/dist/masking/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/masking/index.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,QAAQ,CAAC;AACzC,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC;AACjD,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AACpC,YAAY,EAAE,iBAAiB,EAAE,MAAM,QAAQ,CAAC;AAChD,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC/C,YAAY,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC"}

package/dist/masking/index.js

@@ -0,0 +1,11 @@
+// Public barrel for the masking module.
+//
+// Locked surface per IMPLEMENTATION_PLAN.md Public API contract
+// (lines 691-693): the four functions below plus `COMPAT_SELECTORS`. The
+// internals (regex bank, individual matchers, helpers) stay internal.
+export { maskInputValue } from './inputs';
+export { maskTextContent } from './text';
+export { redactNetworkHeaders } from './headers';
+export { redactBody } from './body';
+export { COMPAT_SELECTORS } from './selectors';
+//# sourceMappingURL=index.js.map

package/dist/masking/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/masking/index.ts"],"names":[],"mappings":"AAAA,wCAAwC;AACxC,EAAE;AACF,gEAAgE;AAChE,yEAAyE;AACzE,sEAAsE;AAEtE,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAC1C,OAAO,EAAE,eAAe,EAAE,MAAM,QAAQ,CAAC;AACzC,OAAO,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC;AACjD,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAEpC,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC"}

package/dist/masking/inputs.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Return the maskable representation of an input's value.
+ *
+ *   1. If `type` is password/email/tel: return all `*` of the same length
+ *      (hard mask; no opt-out).
+ *   2. Else if the element or any ancestor carries a mask/block class or
+ *      Datadog privacy attribute: return all `*` of the same length.
+ *   3. Else: return the actual value.
+ *
+ * The asterisk-of-same-length convention matches PostHog/Sentry; the
+ * length leak is intentional so replay still shows "something was typed
+ * here" without revealing what.
+ */
+export declare function maskInputValue(el: HTMLInputElement | HTMLTextAreaElement): string;
+//# sourceMappingURL=inputs.d.ts.map

package/dist/masking/inputs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"inputs.d.ts","sourceRoot":"","sources":["../../src/masking/inputs.ts"],"names":[],"mappings":"AAYA;;;;;;;;;;;;GAYG;AACH,wBAAgB,cAAc,CAAC,EAAE,EAAE,gBAAgB,GAAG,mBAAmB,GAAG,MAAM,CAgBjF"}

package/dist/masking/inputs.js

@@ -0,0 +1,36 @@
+// Input-element value masking.
+import { elementMatchesAnyMaskClass } from './selectors';
+/**
+ * Hard-masked input types — always returned as asterisks regardless of
+ * surrounding selectors, parent attributes, or config. This is the privacy
+ * floor: even if every other guard misconfigures, a password field's
+ * value never leaves the device.
+ */
+const HARD_MASKED_TYPES = new Set(['password', 'email', 'tel']);
+/**
+ * Return the maskable representation of an input's value.
+ *
+ *   1. If `type` is password/email/tel: return all `*` of the same length
+ *      (hard mask; no opt-out).
+ *   2. Else if the element or any ancestor carries a mask/block class or
+ *      Datadog privacy attribute: return all `*` of the same length.
+ *   3. Else: return the actual value.
+ *
+ * The asterisk-of-same-length convention matches PostHog/Sentry; the
+ * length leak is intentional so replay still shows "something was typed
+ * here" without revealing what.
+ */
+export function maskInputValue(el) {
+    const value = el.value ?? '';
+    // `type` only exists on HTMLInputElement; textareas always fall through
+    // to the class/attribute check.
+    const type = 'type' in el && typeof el.type === 'string' ? el.type.toLowerCase() : '';
+    if (HARD_MASKED_TYPES.has(type)) {
+        return '*'.repeat(value.length);
+    }
+    if (elementMatchesAnyMaskClass(el)) {
+        return '*'.repeat(value.length);
+    }
+    return value;
+}
+//# sourceMappingURL=inputs.js.map

package/dist/masking/inputs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"inputs.js","sourceRoot":"","sources":["../../src/masking/inputs.ts"],"names":[],"mappings":"AAAA,+BAA+B;AAE/B,OAAO,EAAE,0BAA0B,EAAE,MAAM,aAAa,CAAC;AAEzD;;;;;GAKG;AACH,MAAM,iBAAiB,GAAwB,IAAI,GAAG,CAAC,CAAC,UAAU,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC;AAErF;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,cAAc,CAAC,EAA0C;IACvE,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK,IAAI,EAAE,CAAC;IAE7B,wEAAwE;IACxE,gCAAgC;IAChC,MAAM,IAAI,GAAG,MAAM,IAAI,EAAE,IAAI,OAAO,EAAE,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAEtF,IAAI,iBAAiB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;QAChC,OAAO,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAClC,CAAC;IAED,IAAI,0BAA0B,CAAC,EAAE,CAAC,EAAE,CAAC;QACnC,OAAO,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAClC,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/masking/regex.d.ts

@@ -0,0 +1,96 @@
+/**
+ * Email — RFC 5322 "lite". Matches the overwhelming majority of real-world
+ * addresses without trying to model the full grammar (which permits quoted
+ * locals and comments most senders never use).
+ *
+ * Quantifier caps (`{1,64}`/`{1,255}`/`{2,24}`) are intentional: the spec
+ * lets local-parts run to 64 chars and the full address to 254, so the
+ * caps are not under-matching real addresses. They DO bound backtracking
+ * cost — unbounded `+` here is catastrophic on large no-`@` inputs (a
+ * megabyte of `a`s would quadratically backtrack at every start position).
+ *
+ * False-positive surface: strings like `a@b.co` where the TLD is short
+ * will match. Acceptable — we'd rather over-redact emails.
+ */
+export declare const EMAIL_REGEX: RegExp;
+/**
+ * US Social Security Number — `NNN-NN-NNNN`. We intentionally require the
+ * dashes; the dash-less 9-digit form collides with too many legitimate
+ * identifiers (order numbers, zip+4, etc).
+ */
+export declare const SSN_REGEX: RegExp;
+/**
+ * Credit-card candidate — 13-19 contiguous digits with optional separators
+ * (spaces or dashes). Match alone is NOT enough; callers MUST pass each
+ * match through {@link luhn} before treating it as a real card number.
+ *
+ * Prefixes we expect to catch (validated by Luhn after the fact):
+ *   Visa       4xxx
+ *   Mastercard 5xxx, 2221-2720
+ *   Amex       34xx, 37xx (15 digits)
+ *   Discover   6011, 65, 644-649 (16 digits)
+ *
+ * The `(?:[ -]?\d){12,18}` shape is anchored on a leading digit and only
+ * matches 13-19 total digits — bounded width means linear-time matching.
+ *
+ * False-positive surface without Luhn: phone numbers, account numbers,
+ * arbitrary 16-digit strings. Luhn cuts that to near-zero.
+ */
+export declare const CREDIT_CARD_REGEX: RegExp;
+/**
+ * Phone — international-ish (E.164-friendly). Permissive on separators.
+ *
+ * False-positive surface: large numeric runs with separators (e.g. some
+ * timestamps, account numbers with dashes). We accept this; callers route
+ * to `<<REDACTED:PHONE>>` so the AI consumer knows the redaction type and
+ * can choose to ignore it if context suggests not-a-phone.
+ */
+export declare const PHONE_REGEX: RegExp;
+/**
+ * JWT — three base64url segments separated by `.`. The 10-char minimum on
+ * each segment screens out very short look-alikes (e.g. `eyJ.a.b`).
+ * Upper bound of 4096 per segment is generous (RFC 7519 doesn't set one;
+ * real-world JWTs rarely exceed ~2 KB total) and keeps the regex linear.
+ */
+export declare const JWT_REGEX: RegExp;
+/**
+ * Stripe secret/publishable keys — `sk_live_*`, `sk_test_*`, `pk_live_*`,
+ * `pk_test_*` with 24-128 chars of payload (real keys are ~99 chars but
+ * the cap protects against pathological inputs).
+ */
+export declare const STRIPE_KEY_REGEX: RegExp;
+/**
+ * GitHub personal-access tokens — `ghp_` prefix + 36 chars.
+ */
+export declare const GITHUB_TOKEN_REGEX: RegExp;
+/**
+ * AWS access key IDs — `AKIA` prefix + 16 uppercase-alnum chars.
+ */
+export declare const AWS_ACCESS_KEY_REGEX: RegExp;
+/**
+ * PEM blocks — anything between `-----BEGIN ...-----` and `-----END ...-----`.
+ * Non-greedy so multiple blocks in one string don't merge. The `{1,64}`
+ * label cap matches what OpenSSL emits; the `{1,131072}` body cap is the
+ * widest realistic PEM (~96 KB for an 8192-bit RSA key with armor).
+ */
+export declare const PEM_BLOCK_REGEX: RegExp;
+/**
+ * Luhn check (mod-10). Accepts a digit string with optional spaces/dashes;
+ * returns true iff the cleaned digit run is 13-19 chars and passes the
+ * checksum. Used to confirm a {@link CREDIT_CARD_REGEX} match before
+ * tagging as a credit card.
+ */
+export declare function luhn(candidate: string): boolean;
+/**
+ * Token tags emitted by {@link applyRegexBank}. Exposed for tests; not
+ * re-exported from the public barrel.
+ */
+export type RedactionTag = 'CC' | 'SSN' | 'EMAIL' | 'PHONE' | 'JWT' | 'STRIPE_KEY' | 'GITHUB_TOKEN' | 'AWS_KEY' | 'PEM';
+/**
+ * Apply the regex bank to `input`, returning the redacted string.
+ * Credit cards are handled in a separate Luhn-validated pass.
+ *
+ * Internal — exposed via `redactBody` and `maskTextContent` only.
+ */
+export declare function applyRegexBank(input: string): string;
+//# sourceMappingURL=regex.d.ts.map

package/dist/masking/regex.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"regex.d.ts","sourceRoot":"","sources":["../../src/masking/regex.ts"],"names":[],"mappings":"AASA;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,WAAW,QAAiE,CAAC;AAE1F;;;;GAIG;AACH,eAAO,MAAM,SAAS,QAA2B,CAAC;AAElD;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,iBAAiB,QAA8B,CAAC;AAE7D;;;;;;;GAOG;AACH,eAAO,MAAM,WAAW,QAAgE,CAAC;AAEzF;;;;;GAKG;AACH,eAAO,MAAM,SAAS,QACwD,CAAC;AAE/E;;;;GAIG;AACH,eAAO,MAAM,gBAAgB,QAAqD,CAAC;AAEnF;;GAEG;AACH,eAAO,MAAM,kBAAkB,QAA6B,CAAC;AAE7D;;GAEG;AACH,eAAO,MAAM,oBAAoB,QAA0B,CAAC;AAE5D;;;;;GAKG;AACH,eAAO,MAAM,eAAe,QACgD,CAAC;AAE7E;;;;;GAKG;AACH,wBAAgB,IAAI,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAkB/C;AAED;;;GAGG;AACH,MAAM,MAAM,YAAY,GACpB,IAAI,GACJ,KAAK,GACL,OAAO,GACP,OAAO,GACP,KAAK,GACL,YAAY,GACZ,cAAc,GACd,SAAS,GACT,KAAK,CAAC;AAyBV;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAmBpD"}