@cubenest/rrweb-core 0.1.0-alpha.0

package/dist/masking/regex.js

@@ -0,0 +1,182 @@
+// PII regex bank. Internal — not part of the public API surface.
+//
+// Each pattern is intentionally conservative to limit false positives;
+// callers route matches through type-tagged tokens (`<<REDACTED:CC>>` etc).
+// Known caveats are documented inline alongside each pattern.
+//
+// All `g` (global) patterns are stateful via lastIndex; helpers reset before
+// use. Treat these as read-only constants.
+/**
+ * Email — RFC 5322 "lite". Matches the overwhelming majority of real-world
+ * addresses without trying to model the full grammar (which permits quoted
+ * locals and comments most senders never use).
+ *
+ * Quantifier caps (`{1,64}`/`{1,255}`/`{2,24}`) are intentional: the spec
+ * lets local-parts run to 64 chars and the full address to 254, so the
+ * caps are not under-matching real addresses. They DO bound backtracking
+ * cost — unbounded `+` here is catastrophic on large no-`@` inputs (a
+ * megabyte of `a`s would quadratically backtrack at every start position).
+ *
+ * False-positive surface: strings like `a@b.co` where the TLD is short
+ * will match. Acceptable — we'd rather over-redact emails.
+ */
+export const EMAIL_REGEX = /[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}\.[A-Za-z]{2,24}/g;
+/**
+ * US Social Security Number — `NNN-NN-NNNN`. We intentionally require the
+ * dashes; the dash-less 9-digit form collides with too many legitimate
+ * identifiers (order numbers, zip+4, etc).
+ */
+export const SSN_REGEX = /\b\d{3}-\d{2}-\d{4}\b/g;
+/**
+ * Credit-card candidate — 13-19 contiguous digits with optional separators
+ * (spaces or dashes). Match alone is NOT enough; callers MUST pass each
+ * match through {@link luhn} before treating it as a real card number.
+ *
+ * Prefixes we expect to catch (validated by Luhn after the fact):
+ *   Visa       4xxx
+ *   Mastercard 5xxx, 2221-2720
+ *   Amex       34xx, 37xx (15 digits)
+ *   Discover   6011, 65, 644-649 (16 digits)
+ *
+ * The `(?:[ -]?\d){12,18}` shape is anchored on a leading digit and only
+ * matches 13-19 total digits — bounded width means linear-time matching.
+ *
+ * False-positive surface without Luhn: phone numbers, account numbers,
+ * arbitrary 16-digit strings. Luhn cuts that to near-zero.
+ */
+export const CREDIT_CARD_REGEX = /\b\d(?:[ -]?\d){12,18}\b/g;
+/**
+ * Phone — international-ish (E.164-friendly). Permissive on separators.
+ *
+ * False-positive surface: large numeric runs with separators (e.g. some
+ * timestamps, account numbers with dashes). We accept this; callers route
+ * to `<<REDACTED:PHONE>>` so the AI consumer knows the redaction type and
+ * can choose to ignore it if context suggests not-a-phone.
+ */
+export const PHONE_REGEX = /\+?\d{1,3}[-.\s]?\(?\d{1,4}\)?[-.\s]?\d{1,4}[-.\s]?\d{1,9}/g;
+/**
+ * JWT — three base64url segments separated by `.`. The 10-char minimum on
+ * each segment screens out very short look-alikes (e.g. `eyJ.a.b`).
+ * Upper bound of 4096 per segment is generous (RFC 7519 doesn't set one;
+ * real-world JWTs rarely exceed ~2 KB total) and keeps the regex linear.
+ */
+export const JWT_REGEX = /eyJ[A-Za-z0-9_-]{10,4096}\.[A-Za-z0-9_-]{10,4096}\.[A-Za-z0-9_-]{10,4096}/g;
+/**
+ * Stripe secret/publishable keys — `sk_live_*`, `sk_test_*`, `pk_live_*`,
+ * `pk_test_*` with 24-128 chars of payload (real keys are ~99 chars but
+ * the cap protects against pathological inputs).
+ */
+export const STRIPE_KEY_REGEX = /\b(?:sk|pk)_(?:live|test)_[A-Za-z0-9]{24,128}\b/g;
+/**
+ * GitHub personal-access tokens — `ghp_` prefix + 36 chars.
+ */
+export const GITHUB_TOKEN_REGEX = /\bghp_[A-Za-z0-9]{36}\b/g;
+/**
+ * AWS access key IDs — `AKIA` prefix + 16 uppercase-alnum chars.
+ */
+export const AWS_ACCESS_KEY_REGEX = /\bAKIA[0-9A-Z]{16}\b/g;
+/**
+ * PEM blocks — anything between `-----BEGIN ...-----` and `-----END ...-----`.
+ * Non-greedy so multiple blocks in one string don't merge. The `{1,64}`
+ * label cap matches what OpenSSL emits; the `{1,131072}` body cap is the
+ * widest realistic PEM (~96 KB for an 8192-bit RSA key with armor).
+ */
+export const PEM_BLOCK_REGEX = /-----BEGIN [A-Z ]{1,64}-----[\s\S]{1,131072}?-----END [A-Z ]{1,64}-----/g;
+/**
+ * Luhn check (mod-10). Accepts a digit string with optional spaces/dashes;
+ * returns true iff the cleaned digit run is 13-19 chars and passes the
+ * checksum. Used to confirm a {@link CREDIT_CARD_REGEX} match before
+ * tagging as a credit card.
+ */
+export function luhn(candidate) {
+    const digits = candidate.replace(/[\s-]/g, '');
+    if (digits.length < 13 || digits.length > 19)
+        return false;
+    if (!/^\d+$/.test(digits))
+        return false;
+    let sum = 0;
+    let alt = false;
+    for (let i = digits.length - 1; i >= 0; i--) {
+        let n = digits.charCodeAt(i) - 48; // '0' = 48
+        if (n < 0 || n > 9)
+            return false;
+        if (alt) {
+            n *= 2;
+            if (n > 9)
+                n -= 9;
+        }
+        sum += n;
+        alt = !alt;
+    }
+    return sum % 10 === 0;
+}
+const TOKEN = (tag) => `<<REDACTED:${tag}>>`;
+/**
+ * Order matters: high-specificity patterns first so they win when a string
+ * could match multiple banks (e.g. a Stripe key looks like a generic alnum
+ * blob; PEM bodies might contain base64 chunks that resemble JWT halves).
+ *
+ * Credit cards are handled separately because they need Luhn validation.
+ */
+const ORDERED_PATTERNS = [
+    { tag: 'PEM', re: PEM_BLOCK_REGEX },
+    { tag: 'JWT', re: JWT_REGEX },
+    { tag: 'STRIPE_KEY', re: STRIPE_KEY_REGEX },
+    { tag: 'GITHUB_TOKEN', re: GITHUB_TOKEN_REGEX },
+    { tag: 'AWS_KEY', re: AWS_ACCESS_KEY_REGEX },
+    { tag: 'EMAIL', re: EMAIL_REGEX },
+    { tag: 'SSN', re: SSN_REGEX },
+    // Phone is intentionally last among the non-CC banks: it's the most
+    // false-positive-prone, so any prior bank that matched the same span
+    // should claim it first.
+    { tag: 'PHONE', re: PHONE_REGEX },
+];
+/**
+ * Apply the regex bank to `input`, returning the redacted string.
+ * Credit cards are handled in a separate Luhn-validated pass.
+ *
+ * Internal — exposed via `redactBody` and `maskTextContent` only.
+ */
+export function applyRegexBank(input) {
+    if (input.length === 0)
+        return input;
+    let out = input;
+    // Pass 1: Luhn-validated credit cards. We replace match-by-match so we
+    // don't redact strings that look like CCs but fail the checksum.
+    out = replaceWithValidator(out, CREDIT_CARD_REGEX, (m) => (luhn(m) ? TOKEN('CC') : null));
+    // Pass 2: the remaining ordered patterns. Each pattern runs against
+    // whatever's left after the prior passes, so tokens like
+    // `<<REDACTED:CC>>` won't be re-matched.
+    for (const { tag, re } of ORDERED_PATTERNS) {
+        // Fresh regex per pass to keep `lastIndex` clean.
+        const fresh = new RegExp(re.source, re.flags);
+        out = out.replace(fresh, TOKEN(tag));
+    }
+    return out;
+}
+/**
+ * Like `String.prototype.replace(re, fn)` but lets the callback return
+ * `null` to skip the replacement (leave the original substring in place).
+ * Used for Luhn-gated credit-card redaction.
+ */
+function replaceWithValidator(input, re, fn) {
+    const fresh = new RegExp(re.source, re.flags);
+    let result = '';
+    let lastIndex = 0;
+    let match = fresh.exec(input);
+    while (match !== null) {
+        const replacement = fn(match[0]);
+        if (replacement !== null) {
+            result += input.slice(lastIndex, match.index) + replacement;
+            lastIndex = match.index + match[0].length;
+        }
+        // If validator rejected, leave the substring; advance past it so the
+        // regex doesn't re-match in place.
+        if (fresh.lastIndex === match.index)
+            fresh.lastIndex++;
+        match = fresh.exec(input);
+    }
+    result += input.slice(lastIndex);
+    return result;
+}
+//# sourceMappingURL=regex.js.map

package/dist/masking/regex.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"regex.js","sourceRoot":"","sources":["../../src/masking/regex.ts"],"names":[],"mappings":"AAAA,iEAAiE;AACjE,EAAE;AACF,uEAAuE;AACvE,4EAA4E;AAC5E,8DAA8D;AAC9D,EAAE;AACF,6EAA6E;AAC7E,2CAA2C;AAE3C;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,MAAM,WAAW,GAAG,8DAA8D,CAAC;AAE1F;;;;GAIG;AACH,MAAM,CAAC,MAAM,SAAS,GAAG,wBAAwB,CAAC;AAElD;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG,2BAA2B,CAAC;AAE7D;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,WAAW,GAAG,6DAA6D,CAAC;AAEzF;;;;;GAKG;AACH,MAAM,CAAC,MAAM,SAAS,GACpB,4EAA4E,CAAC;AAE/E;;;;GAIG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,kDAAkD,CAAC;AAEnF;;GAEG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAG,0BAA0B,CAAC;AAE7D;;GAEG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,uBAAuB,CAAC;AAE5D;;;;;GAKG;AACH,MAAM,CAAC,MAAM,eAAe,GAC1B,0EAA0E,CAAC;AAE7E;;;;;GAKG;AACH,MAAM,UAAU,IAAI,CAAC,SAAiB;IACpC,MAAM,MAAM,GAAG,SAAS,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;IAC/C,IAAI,MAAM,CAAC,MAAM,GAAG,EAAE,IAAI,MAAM,CAAC,MAAM,GAAG,EAAE;QAAE,OAAO,KAAK,CAAC;IAC3D,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IAExC,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,IAAI,GAAG,GAAG,KAAK,CAAC;IAChB,KAAK,IAAI,CAAC,GAAG,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC5C,IAAI,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,WAAW;QAC9C,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC;QACjC,IAAI,GAAG,EAAE,CAAC;YACR,CAAC,IAAI,CAAC,CAAC;YACP,IAAI,CAAC,GAAG,CAAC;gBAAE,CAAC,IAAI,CAAC,CAAC;QACpB,CAAC;QACD,GAAG,IAAI,CAAC,CAAC;QACT,GAAG,GAAG,CAAC,GAAG,CAAC;IACb,CAAC;IACD,OAAO,GAAG,GAAG,EAAE,KAAK,CAAC,CAAC;AACxB,CAAC;AAiBD,MAAM,KAAK,GAAG,CAAC,GAAiB,EAAU,EAAE,CAAC,cAAc,GAAG,IAAI,CAAC;AAEnE;;;;;;GAMG;AACH,MAAM,gBAAgB,GAA6C;IACjE,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE,EAAE,eAAe,EAAE;IACnC,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE,EAAE,SAAS,EAAE;IAC7B,EAAE,GAAG,EAAE,YAAY,EAAE,EAAE,EAAE,gBAAgB,EAAE;IAC3C,EAAE,GAAG,EAAE,cAAc,EAAE,EAAE,EAAE,kBAAkB,EAAE;IAC/C,EAAE,GAAG,EAAE,SAAS,EAAE,EAAE,EAAE,oBAAoB,EAAE;IAC5C,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,EAAE,WAAW,EAAE;IACjC,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE,EAAE,SAAS,EAAE;IAC7B,oEAAoE;IACpE,qEAAqE;IACrE,yBAAyB;IACzB,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,EAAE,WAAW,EAAE;CAClC,CAAC;AAEF;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAAC,KAAa;IAC1C,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAErC,IAAI,GAAG,GAAG,KAAK,CAAC;IAEhB,uEAAuE;IACvE,iEAAiE;IACjE,GAAG,GAAG,oBAAoB,CAAC,GAAG,EAAE,iBAAiB,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IAE1F,oEAAoE;IACpE,yDAAyD;IACzD,yCAAyC;IACzC,KAAK,MAAM,EAAE,GAAG,EAAE,EAAE,EAAE,IAAI,gBAAgB,EAAE,CAAC;QAC3C,kDAAkD;QAClD,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC;QAC9C,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;IACvC,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;GAIG;AACH,SAAS,oBAAoB,CAC3B,KAAa,EACb,EAAU,EACV,EAAoC;IAEpC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC;IAC9C,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,IAAI,KAAK,GAA2B,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACtD,OAAO,KAAK,KAAK,IAAI,EAAE,CAAC;QACtB,MAAM,WAAW,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACjC,IAAI,WAAW,KAAK,IAAI,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC,GAAG,WAAW,CAAC;YAC5D,SAAS,GAAG,KAAK,CAAC,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;QAC5C,CAAC;QACD,qEAAqE;QACrE,mCAAmC;QACnC,IAAI,KAAK,CAAC,SAAS,KAAK,KAAK,CAAC,KAAK;YAAE,KAAK,CAAC,SAAS,EAAE,CAAC;QACvD,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC5B,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IACjC,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/masking/selectors.d.ts

@@ -0,0 +1,67 @@
+/**
+ * Selector families recognized by the substrate. Frozen at module load to
+ * prevent runtime tampering — masking config is a privacy boundary and we
+ * don't want anywhere in the stack to be able to mutate it.
+ */
+export declare const COMPAT_SELECTORS: Readonly<{
+    /**
+     * Native `<org>`-prefixed family (cubenest).
+     * Apps embedding the substrate directly should prefer these.
+     */
+    cubenest: Readonly<{
+        block: "cubenest-block";
+        mask: "cubenest-mask";
+        ignore: "cubenest-ignore";
+        dataAttrs: readonly string[];
+    }>;
+    /**
+     * PostHog session-replay conventions.
+     * Sources: posthog-js README and `session-recording.ts`.
+     */
+    posthog: Readonly<{
+        block: "ph-no-capture";
+        mask: "ph-mask";
+        ignore: "ph-ignore-input";
+        dataAttrs: readonly string[];
+    }>;
+    /**
+     * Sentry session-replay conventions.
+     * Sources: @sentry/replay docs.
+     */
+    sentry: Readonly<{
+        block: "sentry-block";
+        mask: "sentry-mask";
+        ignore: "sentry-ignore";
+        dataAttrs: readonly string[];
+    }>;
+    /**
+     * Upstream rrweb conventions (the `rr-*` prefix).
+     * Sources: rrweb-snapshot README.
+     */
+    rrweb: Readonly<{
+        block: "rr-block";
+        mask: "rr-mask";
+        ignore: "rr-ignore";
+        dataAttrs: readonly string[];
+    }>;
+    /**
+     * Datadog RUM session-replay conventions. Datadog uses data-attribute
+     * values rather than classes; we expose the attribute names plus the
+     * privacy values they accept.
+     * Sources: Datadog RUM docs.
+     */
+    datadog: Readonly<{
+        block: "data-dd-privacy=\"hidden\"";
+        mask: "data-dd-privacy=\"mask\"";
+        ignore: "data-private";
+        dataAttrs: readonly string[];
+    }>;
+}>;
+export type CompatSelectorFamily = keyof typeof COMPAT_SELECTORS;
+/**
+ * Walks `el` and its ancestors, returning true if any node carries a class
+ * from a known mask/block family OR a Datadog `data-dd-privacy` /
+ * `data-private` attribute. Internal — used by `maskInputValue`.
+ */
+export declare function elementMatchesAnyMaskClass(el: Element | null): boolean;
+//# sourceMappingURL=selectors.d.ts.map

package/dist/masking/selectors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"selectors.d.ts","sourceRoot":"","sources":["../../src/masking/selectors.ts"],"names":[],"mappings":"AAQA;;;;GAIG;AACH,eAAO,MAAM,gBAAgB;IAC3B;;;OAGG;;;;;mBASK,SAAS,MAAM,EAAE;;IAGzB;;;OAGG;;;;;mBAK0D,SAAS,MAAM,EAAE;;IAG9E;;;OAGG;;;;;mBASK,SAAS,MAAM,EAAE;;IAGzB;;;OAGG;;;;;mBASK,SAAS,MAAM,EAAE;;IAGzB;;;;;OAKG;;;;;mBAQgE,SAAS,MAAM,EAAE;;EAEpF,CAAC;AAEH,MAAM,MAAM,oBAAoB,GAAG,MAAM,OAAO,gBAAgB,CAAC;AAwBjE;;;;GAIG;AACH,wBAAgB,0BAA0B,CAAC,EAAE,EAAE,OAAO,GAAG,IAAI,GAAG,OAAO,CAwBtE"}

package/dist/masking/selectors.js

@@ -0,0 +1,137 @@
+// Compatibility selectors inherited from the rrweb ecosystem.
+// Recording libraries (PostHog, Sentry, upstream rrweb, Datadog) have each
+// established their own DOM hint conventions for "don't capture this".
+// `@cubenest/rrweb-core` honors all of them so apps that already annotated
+// their DOM for one vendor don't have to re-annotate.
+//
+// See ADR-0002 for the rationale and source links.
+/**
+ * Selector families recognized by the substrate. Frozen at module load to
+ * prevent runtime tampering — masking config is a privacy boundary and we
+ * don't want anywhere in the stack to be able to mutate it.
+ */
+export const COMPAT_SELECTORS = Object.freeze({
+    /**
+     * Native `<org>`-prefixed family (cubenest).
+     * Apps embedding the substrate directly should prefer these.
+     */
+    cubenest: Object.freeze({
+        block: 'cubenest-block',
+        mask: 'cubenest-mask',
+        ignore: 'cubenest-ignore',
+        dataAttrs: Object.freeze([
+            'data-cubenest-mask',
+            'data-cubenest-block',
+            'data-cubenest-ignore',
+        ]),
+    }),
+    /**
+     * PostHog session-replay conventions.
+     * Sources: posthog-js README and `session-recording.ts`.
+     */
+    posthog: Object.freeze({
+        block: 'ph-no-capture',
+        mask: 'ph-mask',
+        ignore: 'ph-ignore-input',
+        dataAttrs: Object.freeze(['data-ph-capture-attribute']),
+    }),
+    /**
+     * Sentry session-replay conventions.
+     * Sources: @sentry/replay docs.
+     */
+    sentry: Object.freeze({
+        block: 'sentry-block',
+        mask: 'sentry-mask',
+        ignore: 'sentry-ignore',
+        dataAttrs: Object.freeze([
+            'data-sentry-block',
+            'data-sentry-mask',
+            'data-sentry-ignore',
+        ]),
+    }),
+    /**
+     * Upstream rrweb conventions (the `rr-*` prefix).
+     * Sources: rrweb-snapshot README.
+     */
+    rrweb: Object.freeze({
+        block: 'rr-block',
+        mask: 'rr-mask',
+        ignore: 'rr-ignore',
+        dataAttrs: Object.freeze([
+            'data-rr-block',
+            'data-rr-mask',
+            'data-rr-ignore',
+        ]),
+    }),
+    /**
+     * Datadog RUM session-replay conventions. Datadog uses data-attribute
+     * values rather than classes; we expose the attribute names plus the
+     * privacy values they accept.
+     * Sources: Datadog RUM docs.
+     */
+    datadog: Object.freeze({
+        // Datadog has no class-based block/mask/ignore; we mirror the shape
+        // by surfacing the attribute names. Consumers walking the tree look
+        // for `data-dd-privacy=hidden` (block) or `=mask` (mask).
+        block: 'data-dd-privacy="hidden"',
+        mask: 'data-dd-privacy="mask"',
+        ignore: 'data-private',
+        dataAttrs: Object.freeze(['data-private', 'data-dd-privacy']),
+    }),
+});
+/**
+ * Flat list of class names that mean "block this element entirely" across
+ * all families. Internal helper used by {@link elementMatchesAnyMaskClass}.
+ */
+const ALL_BLOCK_CLASSES = Object.freeze([
+    COMPAT_SELECTORS.cubenest.block,
+    COMPAT_SELECTORS.posthog.block,
+    COMPAT_SELECTORS.sentry.block,
+    COMPAT_SELECTORS.rrweb.block,
+]);
+/**
+ * Flat list of class names that mean "mask this element's value". Datadog
+ * is omitted because it uses attributes, not classes.
+ */
+const ALL_MASK_CLASSES = Object.freeze([
+    COMPAT_SELECTORS.cubenest.mask,
+    COMPAT_SELECTORS.posthog.mask,
+    COMPAT_SELECTORS.sentry.mask,
+    COMPAT_SELECTORS.rrweb.mask,
+]);
+/**
+ * Walks `el` and its ancestors, returning true if any node carries a class
+ * from a known mask/block family OR a Datadog `data-dd-privacy` /
+ * `data-private` attribute. Internal — used by `maskInputValue`.
+ */
+export function elementMatchesAnyMaskClass(el) {
+    let node = el;
+    while (node !== null) {
+        // Class-based matches.
+        if (node.classList !== undefined) {
+            for (const cls of ALL_MASK_CLASSES) {
+                if (node.classList.contains(cls))
+                    return true;
+            }
+            for (const cls of ALL_BLOCK_CLASSES) {
+                if (node.classList.contains(cls))
+                    return true;
+            }
+        }
+        // Attribute-based matches (cubenest data-attrs + Datadog).
+        if (typeof node.hasAttribute === 'function') {
+            for (const attr of COMPAT_SELECTORS.cubenest.dataAttrs) {
+                if (node.hasAttribute(attr))
+                    return true;
+            }
+            if (node.hasAttribute('data-private'))
+                return true;
+            const ddPrivacy = node.getAttribute('data-dd-privacy');
+            if (ddPrivacy === 'hidden' || ddPrivacy === 'mask')
+                return true;
+        }
+        node = node.parentElement;
+    }
+    return false;
+}
+//# sourceMappingURL=selectors.js.map

package/dist/masking/selectors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"selectors.js","sourceRoot":"","sources":["../../src/masking/selectors.ts"],"names":[],"mappings":"AAAA,8DAA8D;AAC9D,2EAA2E;AAC3E,uEAAuE;AACvE,2EAA2E;AAC3E,sDAAsD;AACtD,EAAE;AACF,mDAAmD;AAEnD;;;;GAIG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,MAAM,CAAC,MAAM,CAAC;IAC5C;;;OAGG;IACH,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC;QACtB,KAAK,EAAE,gBAAgB;QACvB,IAAI,EAAE,eAAe;QACrB,MAAM,EAAE,iBAAiB;QACzB,SAAS,EAAE,MAAM,CAAC,MAAM,CAAC;YACvB,oBAAoB;YACpB,qBAAqB;YACrB,sBAAsB;SACvB,CAAsB;KACxB,CAAC;IAEF;;;OAGG;IACH,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC;QACrB,KAAK,EAAE,eAAe;QACtB,IAAI,EAAE,SAAS;QACf,MAAM,EAAE,iBAAiB;QACzB,SAAS,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,2BAA2B,CAAC,CAAsB;KAC7E,CAAC;IAEF;;;OAGG;IACH,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC;QACpB,KAAK,EAAE,cAAc;QACrB,IAAI,EAAE,aAAa;QACnB,MAAM,EAAE,eAAe;QACvB,SAAS,EAAE,MAAM,CAAC,MAAM,CAAC;YACvB,mBAAmB;YACnB,kBAAkB;YAClB,oBAAoB;SACrB,CAAsB;KACxB,CAAC;IAEF;;;OAGG;IACH,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC;QACnB,KAAK,EAAE,UAAU;QACjB,IAAI,EAAE,SAAS;QACf,MAAM,EAAE,WAAW;QACnB,SAAS,EAAE,MAAM,CAAC,MAAM,CAAC;YACvB,eAAe;YACf,cAAc;YACd,gBAAgB;SACjB,CAAsB;KACxB,CAAC;IAEF;;;;;OAKG;IACH,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC;QACrB,oEAAoE;QACpE,oEAAoE;QACpE,0DAA0D;QAC1D,KAAK,EAAE,0BAA0B;QACjC,IAAI,EAAE,wBAAwB;QAC9B,MAAM,EAAE,cAAc;QACtB,SAAS,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,cAAc,EAAE,iBAAiB,CAAC,CAAsB;KACnF,CAAC;CACH,CAAC,CAAC;AAIH;;;GAGG;AACH,MAAM,iBAAiB,GAAsB,MAAM,CAAC,MAAM,CAAC;IACzD,gBAAgB,CAAC,QAAQ,CAAC,KAAK;IAC/B,gBAAgB,CAAC,OAAO,CAAC,KAAK;IAC9B,gBAAgB,CAAC,MAAM,CAAC,KAAK;IAC7B,gBAAgB,CAAC,KAAK,CAAC,KAAK;CAC7B,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,gBAAgB,GAAsB,MAAM,CAAC,MAAM,CAAC;IACxD,gBAAgB,CAAC,QAAQ,CAAC,IAAI;IAC9B,gBAAgB,CAAC,OAAO,CAAC,IAAI;IAC7B,gBAAgB,CAAC,MAAM,CAAC,IAAI;IAC5B,gBAAgB,CAAC,KAAK,CAAC,IAAI;CAC5B,CAAC,CAAC;AAEH;;;;GAIG;AACH,MAAM,UAAU,0BAA0B,CAAC,EAAkB;IAC3D,IAAI,IAAI,GAAmB,EAAE,CAAC;IAC9B,OAAO,IAAI,KAAK,IAAI,EAAE,CAAC;QACrB,uBAAuB;QACvB,IAAI,IAAI,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YACjC,KAAK,MAAM,GAAG,IAAI,gBAAgB,EAAE,CAAC;gBACnC,IAAI,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC;oBAAE,OAAO,IAAI,CAAC;YAChD,CAAC;YACD,KAAK,MAAM,GAAG,IAAI,iBAAiB,EAAE,CAAC;gBACpC,IAAI,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC;oBAAE,OAAO,IAAI,CAAC;YAChD,CAAC;QACH,CAAC;QACD,2DAA2D;QAC3D,IAAI,OAAO,IAAI,CAAC,YAAY,KAAK,UAAU,EAAE,CAAC;YAC5C,KAAK,MAAM,IAAI,IAAI,gBAAgB,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;gBACvD,IAAI,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC;oBAAE,OAAO,IAAI,CAAC;YAC3C,CAAC;YACD,IAAI,IAAI,CAAC,YAAY,CAAC,cAAc,CAAC;gBAAE,OAAO,IAAI,CAAC;YACnD,MAAM,SAAS,GAAG,IAAI,CAAC,YAAY,CAAC,iBAAiB,CAAC,CAAC;YACvD,IAAI,SAAS,KAAK,QAAQ,IAAI,SAAS,KAAK,MAAM;gBAAE,OAAO,IAAI,CAAC;QAClE,CAAC;QACD,IAAI,GAAG,IAAI,CAAC,aAAa,CAAC;IAC5B,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/masking/text.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Apply the PII regex bank to a text-node's content. Used when capturing
+ * text mutations during recording.
+ *
+ * Pure string in, pure string out — no DOM dependency. Callers extract
+ * `textNode.data` (or equivalent) before calling.
+ */
+export declare function maskTextContent(text: string): string;
+//# sourceMappingURL=text.d.ts.map

package/dist/masking/text.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"text.d.ts","sourceRoot":"","sources":["../../src/masking/text.ts"],"names":[],"mappings":"AAIA;;;;;;GAMG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAGpD"}

package/dist/masking/text.js

@@ -0,0 +1,15 @@
+// Text-node content masking.
+import { applyRegexBank } from './regex';
+/**
+ * Apply the PII regex bank to a text-node's content. Used when capturing
+ * text mutations during recording.
+ *
+ * Pure string in, pure string out — no DOM dependency. Callers extract
+ * `textNode.data` (or equivalent) before calling.
+ */
+export function maskTextContent(text) {
+    if (text.length === 0)
+        return text;
+    return applyRegexBank(text);
+}
+//# sourceMappingURL=text.js.map

package/dist/masking/text.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"text.js","sourceRoot":"","sources":["../../src/masking/text.ts"],"names":[],"mappings":"AAAA,6BAA6B;AAE7B,OAAO,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAEzC;;;;;;GAMG;AACH,MAAM,UAAU,eAAe,CAAC,IAAY;IAC1C,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,OAAO,cAAc,CAAC,IAAI,CAAC,CAAC;AAC9B,CAAC"}

package/dist/network/cdp.d.ts

@@ -0,0 +1,54 @@
+import type { NetworkCaptureAdapter } from './types';
+/**
+ * Structural shape of the CDP event source. The product-side wrapper
+ * adapts whichever CDP client it has (chrome-remote-interface,
+ * WDIO/Playwright/Puppeteer CDP sessions, …) to this minimal interface.
+ *
+ * `on(event, handler)` MUST return an unsubscribe function; if the
+ * underlying client doesn't natively expose unsubscribe, the wrapper is
+ * responsible for synthesizing one.
+ *
+ * `getResponseBody`, when present, mirrors CDP's
+ * `Network.getResponseBody` reply: `{ body, base64Encoded }`. The adapter
+ * only calls it when `captureResponseBodies: true` (and silently skips
+ * binary `base64Encoded: true` payloads — we don't redact binary, so
+ * tagging it would mislead consumers).
+ */
+export interface CDPNetworkEventSource {
+    on(event: string, handler: (params: unknown) => void): () => void;
+    getResponseBody?(requestId: string): Promise<{
+        body: string;
+        base64Encoded: boolean;
+    }>;
+}
+/**
+ * Factory-time options for `createCDPNetworkAdapter`.
+ */
+export interface CDPNetworkOptions {
+    /**
+     * Try to fetch response bodies via `getResponseBody` when the event
+     * source exposes it. Defaults to `false` because CDP retains bodies in
+     * the renderer until fetched (memory tax) and the request/response
+     * metadata is usually enough for triage.
+     */
+    captureResponseBodies?: boolean;
+    /**
+     * Body cap forwarded to `redactBody`. Defaults to 1 MB (the masking
+     * module's own default — listed here for discoverability).
+     */
+    maxBodyBytes?: number;
+}
+/**
+ * Build a `NetworkCaptureAdapter` that consumes CDP `Network.*` events.
+ *
+ * The adapter installs its own subscriptions on `source` and tracks
+ * in-flight requests in an internal `Map` keyed by CDP `requestId`. The
+ * map is cleared lazily as terminal events arrive; calling `dispose()`
+ * unsubscribes all four CDP listeners and drops any remaining entries.
+ *
+ * @param source A `CDPNetworkEventSource` (typically a thin wrapper around
+ *               the CDP client owned by the calling framework).
+ * @param options `{ captureResponseBodies?, maxBodyBytes? }`.
+ */
+export declare function createCDPNetworkAdapter(source: CDPNetworkEventSource, options?: CDPNetworkOptions): NetworkCaptureAdapter;
+//# sourceMappingURL=cdp.d.ts.map

package/dist/network/cdp.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cdp.d.ts","sourceRoot":"","sources":["../../src/network/cdp.ts"],"names":[],"mappings":"AAyBA,OAAO,KAAK,EAAqC,qBAAqB,EAAE,MAAM,SAAS,CAAC;AAExF;;;;;;;;;;;;;;GAcG;AACH,MAAM,WAAW,qBAAqB;IACpC,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,MAAM,EAAE,OAAO,KAAK,IAAI,GAAG,MAAM,IAAI,CAAC;IAClE,eAAe,CAAC,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,aAAa,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;CACxF;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC;;;;;OAKG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AA2GD;;;;;;;;;;;GAWG;AACH,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,qBAAqB,EAC7B,OAAO,GAAE,iBAAsB,GAC9B,qBAAqB,CAqOvB"}