@glubean/redaction 0.1.2

package/dist/adapter.d.ts

@@ -0,0 +1,41 @@
+/**
+ * @module adapter
+ *
+ * Scope adapter — maps ExecutionEvent types to redaction scopes.
+ *
+ * Without this adapter, the engine's scope toggles are decorative.
+ * This function dispatches each event's payload fields to the correct
+ * scope so the engine can gate redaction per-scope.
+ *
+ * Both the CLI (for --share) and the server (for event ingestion) use
+ * this adapter. The server adapter may handle additional premium scopes.
+ */
+import type { RedactionEngine } from "./engine.js";
+import type { RedactionConfig } from "./types.js";
+/**
+ * A generic event shape compatible with both ExecutionEvent (oss runner)
+ * and RunEvent (server). The adapter only reads `type` and mutates payload
+ * fields in-place on a clone.
+ */
+export interface RedactableEvent {
+    type: string;
+    [key: string]: unknown;
+}
+/**
+ * Redact an event by dispatching its payload fields to the appropriate
+ * scopes. Returns a new event object — the original is not mutated.
+ *
+ * Scope mapping:
+ * - trace → requestHeaders, requestQuery, requestBody, responseHeaders, responseBody
+ * - log → consoleOutput
+ * - assertion → errorMessages
+ * - error / status → errorMessages
+ * - warning / schema_validation → errorMessages
+ * - step_end → returnState
+ * - metric, step_start, start, summary → no redaction
+ *
+ * @example
+ * const redacted = redactEvent(engine, { type: "trace", data: { ... } });
+ */
+export declare function redactEvent<C extends RedactionConfig>(engine: RedactionEngine<C>, event: RedactableEvent): RedactableEvent;
+//# sourceMappingURL=adapter.d.ts.map

package/dist/adapter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"adapter.d.ts","sourceRoot":"","sources":["../src/adapter.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAElD;;;;GAIG;AACH,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,WAAW,CAAC,CAAC,SAAS,eAAe,EACnD,MAAM,EAAE,eAAe,CAAC,CAAC,CAAC,EAC1B,KAAK,EAAE,eAAe,GACrB,eAAe,CAgIjB"}

package/dist/adapter.js

@@ -0,0 +1,111 @@
+/**
+ * @module adapter
+ *
+ * Scope adapter — maps ExecutionEvent types to redaction scopes.
+ *
+ * Without this adapter, the engine's scope toggles are decorative.
+ * This function dispatches each event's payload fields to the correct
+ * scope so the engine can gate redaction per-scope.
+ *
+ * Both the CLI (for --share) and the server (for event ingestion) use
+ * this adapter. The server adapter may handle additional premium scopes.
+ */
+/**
+ * Redact an event by dispatching its payload fields to the appropriate
+ * scopes. Returns a new event object — the original is not mutated.
+ *
+ * Scope mapping:
+ * - trace → requestHeaders, requestQuery, requestBody, responseHeaders, responseBody
+ * - log → consoleOutput
+ * - assertion → errorMessages
+ * - error / status → errorMessages
+ * - warning / schema_validation → errorMessages
+ * - step_end → returnState
+ * - metric, step_start, start, summary → no redaction
+ *
+ * @example
+ * const redacted = redactEvent(engine, { type: "trace", data: { ... } });
+ */
+export function redactEvent(engine, event) {
+    const t = event.type;
+    // Events that don't need redaction — return as-is
+    if (t === "metric" ||
+        t === "step_start" ||
+        t === "start" ||
+        t === "summary" ||
+        t === "timeout_update") {
+        return event;
+    }
+    // step_end: only needs redaction if returnState is present
+    if (t === "step_end") {
+        if (event.returnState != null) {
+            const clone = structuredClone(event);
+            clone.returnState = engine.redact(clone.returnState, "returnState").value;
+            return clone;
+        }
+        return event;
+    }
+    // Clone to avoid mutating the original
+    const clone = structuredClone(event);
+    if (t === "trace") {
+        // Trace events have data: ApiTrace with headers/bodies
+        const data = clone.data;
+        if (data) {
+            if (data.requestHeaders != null) {
+                data.requestHeaders = engine.redact(data.requestHeaders, "requestHeaders").value;
+            }
+            if (data.requestBody != null) {
+                data.requestBody = engine.redact(data.requestBody, "requestBody").value;
+            }
+            if (data.responseHeaders != null) {
+                data.responseHeaders = engine.redact(data.responseHeaders, "responseHeaders").value;
+            }
+            if (data.responseBody != null) {
+                data.responseBody = engine.redact(data.responseBody, "responseBody").value;
+            }
+            // URL may contain query params with secrets
+            if (typeof data.url === "string") {
+                data.url = engine.redact(data.url, "requestQuery").value;
+            }
+        }
+    }
+    else if (t === "log") {
+        if (clone.message != null) {
+            clone.message = engine.redact(clone.message, "consoleOutput").value;
+        }
+        if (clone.data != null) {
+            clone.data = engine.redact(clone.data, "consoleOutput").value;
+        }
+    }
+    else if (t === "assertion") {
+        if (clone.message != null) {
+            clone.message = engine.redact(clone.message, "errorMessages").value;
+        }
+        if (clone.actual != null) {
+            clone.actual = engine.redact(clone.actual, "errorMessages").value;
+        }
+        if (clone.expected != null) {
+            clone.expected = engine.redact(clone.expected, "errorMessages").value;
+        }
+    }
+    else if (t === "error") {
+        if (clone.message != null) {
+            clone.message = engine.redact(clone.message, "errorMessages").value;
+        }
+    }
+    else if (t === "status") {
+        if (clone.error != null) {
+            clone.error = engine.redact(clone.error, "errorMessages").value;
+        }
+        if (clone.stack != null) {
+            clone.stack = engine.redact(clone.stack, "errorMessages").value;
+        }
+    }
+    else if (t === "warning" || t === "schema_validation") {
+        if (clone.message != null) {
+            clone.message = engine.redact(clone.message, "errorMessages").value;
+        }
+    }
+    return clone;
+}
+//# sourceMappingURL=adapter.js.map

package/dist/adapter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"adapter.js","sourceRoot":"","sources":["../src/adapter.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAeH;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,WAAW,CACzB,MAA0B,EAC1B,KAAsB;IAEtB,MAAM,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC;IAErB,kDAAkD;IAClD,IACE,CAAC,KAAK,QAAQ;QACd,CAAC,KAAK,YAAY;QAClB,CAAC,KAAK,OAAO;QACb,CAAC,KAAK,SAAS;QACf,CAAC,KAAK,gBAAgB,EACtB,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,2DAA2D;IAC3D,IAAI,CAAC,KAAK,UAAU,EAAE,CAAC;QACrB,IAAI,KAAK,CAAC,WAAW,IAAI,IAAI,EAAE,CAAC;YAC9B,MAAM,KAAK,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;YACrC,KAAK,CAAC,WAAW,GAAG,MAAM,CAAC,MAAM,CAC/B,KAAK,CAAC,WAAW,EACjB,aAA2C,CAC5C,CAAC,KAAK,CAAC;YACR,OAAO,KAAK,CAAC;QACf,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,uCAAuC;IACvC,MAAM,KAAK,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;IAErC,IAAI,CAAC,KAAK,OAAO,EAAE,CAAC;QAClB,uDAAuD;QACvD,MAAM,IAAI,GAAG,KAAK,CAAC,IAA2C,CAAC;QAC/D,IAAI,IAAI,EAAE,CAAC;YACT,IAAI,IAAI,CAAC,cAAc,IAAI,IAAI,EAAE,CAAC;gBAChC,IAAI,CAAC,cAAc,GAAG,MAAM,CAAC,MAAM,CACjC,IAAI,CAAC,cAAc,EACnB,gBAA8C,CAC/C,CAAC,KAAK,CAAC;YACV,CAAC;YACD,IAAI,IAAI,CAAC,WAAW,IAAI,IAAI,EAAE,CAAC;gBAC7B,IAAI,CAAC,WAAW,GAAG,MAAM,CAAC,MAAM,CAC9B,IAAI,CAAC,WAAW,EAChB,aAA2C,CAC5C,CAAC,KAAK,CAAC;YACV,CAAC;YACD,IAAI,IAAI,CAAC,eAAe,IAAI,IAAI,EAAE,CAAC;gBACjC,IAAI,CAAC,eAAe,GAAG,MAAM,CAAC,MAAM,CAClC,IAAI,CAAC,eAAe,EACpB,iBAA+C,CAChD,CAAC,KAAK,CAAC;YACV,CAAC;YACD,IAAI,IAAI,CAAC,YAAY,IAAI,IAAI,EAAE,CAAC;gBAC9B,IAAI,CAAC,YAAY,GAAG,MAAM,CAAC,MAAM,CAC/B,IAAI,CAAC,YAAY,EACjB,cAA4C,CAC7C,CAAC,KAAK,CAAC;YACV,CAAC;YACD,4CAA4C;YAC5C,IAAI,OAAO,IAAI,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;gBACjC,IAAI,CAAC,GAAG,GAAG,MAAM,CAAC,MAAM,CACtB,IAAI,CAAC,GAAG,EACR,cAA4C,CAC7C,CAAC,KAAe,CAAC;YACpB,CAAC;QACH,CAAC;IACH,CAAC;SAAM,IAAI,CAAC,KAAK,KAAK,EAAE,CAAC;QACvB,IAAI,KAAK,CAAC,OAAO,IAAI,IAAI,EAAE,CAAC;YAC1B,KAAK,CAAC,OAAO,GAAG,MAAM,CAAC,MAAM,CAC3B,KAAK,CAAC,OAAO,EACb,eAA6C,CAC9C,CAAC,KAAK,CAAC;QACV,CAAC;QACD,IAAI,KAAK,CAAC,IAAI,IAAI,IAAI,EAAE,CAAC;YACvB,KAAK,CAAC,IAAI,GAAG,MAAM,CAAC,MAAM,CACxB,KAAK,CAAC,IAAI,EACV,eAA6C,CAC9C,CAAC,KAAK,CAAC;QACV,CAAC;IACH,CAAC;SAAM,IAAI,CAAC,KAAK,WAAW,EAAE,CAAC;QAC7B,IAAI,KAAK,CAAC,OAAO,IAAI,IAAI,EAAE,CAAC;YAC1B,KAAK,CAAC,OAAO,GAAG,MAAM,CAAC,MAAM,CAC3B,KAAK,CAAC,OAAO,EACb,eAA6C,CAC9C,CAAC,KAAK,CAAC;QACV,CAAC;QACD,IAAI,KAAK,CAAC,MAAM,IAAI,IAAI,EAAE,CAAC;YACzB,KAAK,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAC1B,KAAK,CAAC,MAAM,EACZ,eAA6C,CAC9C,CAAC,KAAK,CAAC;QACV,CAAC;QACD,IAAI,KAAK,CAAC,QAAQ,IAAI,IAAI,EAAE,CAAC;YAC3B,KAAK,CAAC,QAAQ,GAAG,MAAM,CAAC,MAAM,CAC5B,KAAK,CAAC,QAAQ,EACd,eAA6C,CAC9C,CAAC,KAAK,CAAC;QACV,CAAC;IACH,CAAC;SAAM,IAAI,CAAC,KAAK,OAAO,EAAE,CAAC;QACzB,IAAI,KAAK,CAAC,OAAO,IAAI,IAAI,EAAE,CAAC;YAC1B,KAAK,CAAC,OAAO,GAAG,MAAM,CAAC,MAAM,CAC3B,KAAK,CAAC,OAAO,EACb,eAA6C,CAC9C,CAAC,KAAK,CAAC;QACV,CAAC;IACH,CAAC;SAAM,IAAI,CAAC,KAAK,QAAQ,EAAE,CAAC;QAC1B,IAAI,KAAK,CAAC,KAAK,IAAI,IAAI,EAAE,CAAC;YACxB,KAAK,CAAC,KAAK,GAAG,MAAM,CAAC,MAAM,CACzB,KAAK,CAAC,KAAK,EACX,eAA6C,CAC9C,CAAC,KAAK,CAAC;QACV,CAAC;QACD,IAAI,KAAK,CAAC,KAAK,IAAI,IAAI,EAAE,CAAC;YACxB,KAAK,CAAC,KAAK,GAAG,MAAM,CAAC,MAAM,CACzB,KAAK,CAAC,KAAK,EACX,eAA6C,CAC9C,CAAC,KAAK,CAAC;QACV,CAAC;IACH,CAAC;SAAM,IAAI,CAAC,KAAK,SAAS,IAAI,CAAC,KAAK,mBAAmB,EAAE,CAAC;QACxD,IAAI,KAAK,CAAC,OAAO,IAAI,IAAI,EAAE,CAAC;YAC1B,KAAK,CAAC,OAAO,GAAG,MAAM,CAAC,MAAM,CAC3B,KAAK,CAAC,OAAO,EACb,eAA6C,CAC9C,CAAC,KAAK,CAAC;QACV,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/defaults.d.ts

@@ -0,0 +1,29 @@
+/**
+ * @module defaults
+ *
+ * Built-in sensitive keys, pattern source strings, and the default
+ * redaction configuration used as the mandatory baseline for --share.
+ */
+import type { RedactionConfig } from "./types.js";
+/**
+ * Keys whose values are always redacted when matched (case-insensitive
+ * substring match). Ported from glubean-v1 RedactionService for parity.
+ */
+export declare const BUILT_IN_SENSITIVE_KEYS: readonly string[];
+/**
+ * Regex source strings for built-in value-level patterns.
+ * Plugins create new RegExp instances from these on each call
+ * to avoid stale lastIndex state.
+ */
+export declare const PATTERN_SOURCES: Record<string, {
+    source: string;
+    flags: string;
+}>;
+/**
+ * The mandatory baseline configuration for --share.
+ *
+ * All scopes on, all patterns on, useBuiltIn keys, simple replacement.
+ * User .glubean/redact.json can only add rules on top — never weaken this.
+ */
+export declare const DEFAULT_CONFIG: RedactionConfig;
+//# sourceMappingURL=defaults.d.ts.map

package/dist/defaults.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"defaults.d.ts","sourceRoot":"","sources":["../src/defaults.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAIlD;;;GAGG;AACH,eAAO,MAAM,uBAAuB,EAAE,SAAS,MAAM,EAqBpD,CAAC;AAIF;;;;GAIG;AACH,eAAO,MAAM,eAAe,EAAE,MAAM,CAClC,MAAM,EACN;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAkClC,CAAC;AAIF;;;;;GAKG;AACH,eAAO,MAAM,cAAc,EAAE,eA4B5B,CAAC"}

package/dist/defaults.js

@@ -0,0 +1,110 @@
+/**
+ * @module defaults
+ *
+ * Built-in sensitive keys, pattern source strings, and the default
+ * redaction configuration used as the mandatory baseline for --share.
+ */
+// ── Built-in sensitive keys ─────────────────────────────────────────────────
+/**
+ * Keys whose values are always redacted when matched (case-insensitive
+ * substring match). Ported from glubean-v1 RedactionService for parity.
+ */
+export const BUILT_IN_SENSITIVE_KEYS = [
+    "password",
+    "passwd",
+    "secret",
+    "token",
+    "api_key",
+    "apikey",
+    "api-key",
+    "access_token",
+    "refresh_token",
+    "authorization",
+    "auth",
+    "credential",
+    "credentials",
+    "private_key",
+    "privatekey",
+    "private-key",
+    "ssh_key",
+    "client_secret",
+    "client-secret",
+    "bearer",
+];
+// ── Built-in pattern source strings ─────────────────────────────────────────
+/**
+ * Regex source strings for built-in value-level patterns.
+ * Plugins create new RegExp instances from these on each call
+ * to avoid stale lastIndex state.
+ */
+export const PATTERN_SOURCES = {
+    jwt: {
+        source: "\\beyJ[a-zA-Z0-9_-]*\\.eyJ[a-zA-Z0-9_-]*\\.[a-zA-Z0-9_-]*",
+        flags: "g",
+    },
+    bearer: {
+        source: "\\bBearer\\s+[a-zA-Z0-9._-]+",
+        flags: "gi",
+    },
+    awsKeys: {
+        source: "\\bAKIA[0-9A-Z]{16}\\b",
+        flags: "g",
+    },
+    githubTokens: {
+        source: "\\b(ghp_|gho_|ghu_|ghs_|ghr_)[a-zA-Z0-9]{36,}\\b",
+        flags: "g",
+    },
+    email: {
+        source: "\\b[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}\\b",
+        flags: "g",
+    },
+    ipAddress: {
+        source: "\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b",
+        flags: "g",
+    },
+    creditCard: {
+        source: "\\b\\d{4}[- ]?\\d{4}[- ]?\\d{4}[- ]?\\d{4}\\b",
+        flags: "g",
+    },
+    hexKeys: {
+        source: "\\b[a-f0-9]{32,}\\b",
+        flags: "gi",
+    },
+};
+// ── Default config ──────────────────────────────────────────────────────────
+/**
+ * The mandatory baseline configuration for --share.
+ *
+ * All scopes on, all patterns on, useBuiltIn keys, simple replacement.
+ * User .glubean/redact.json can only add rules on top — never weaken this.
+ */
+export const DEFAULT_CONFIG = {
+    scopes: {
+        requestHeaders: true,
+        requestQuery: true,
+        requestBody: true,
+        responseHeaders: true,
+        responseBody: true,
+        consoleOutput: true,
+        errorMessages: true,
+        returnState: true,
+    },
+    sensitiveKeys: {
+        useBuiltIn: true,
+        additional: [],
+        excluded: [],
+    },
+    patterns: {
+        jwt: true,
+        bearer: true,
+        awsKeys: true,
+        githubTokens: true,
+        email: true,
+        ipAddress: true,
+        creditCard: true,
+        hexKeys: true,
+        custom: [],
+    },
+    replacementFormat: "partial",
+};
+//# sourceMappingURL=defaults.js.map

package/dist/defaults.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"defaults.js","sourceRoot":"","sources":["../src/defaults.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAsB;IACxD,UAAU;IACV,QAAQ;IACR,QAAQ;IACR,OAAO;IACP,SAAS;IACT,QAAQ;IACR,SAAS;IACT,cAAc;IACd,eAAe;IACf,eAAe;IACf,MAAM;IACN,YAAY;IACZ,aAAa;IACb,aAAa;IACb,YAAY;IACZ,aAAa;IACb,SAAS;IACT,eAAe;IACf,eAAe;IACf,QAAQ;CACT,CAAC;AAEF,+EAA+E;AAE/E;;;;GAIG;AACH,MAAM,CAAC,MAAM,eAAe,GAGxB;IACF,GAAG,EAAE;QACH,MAAM,EAAE,2DAA2D;QACnE,KAAK,EAAE,GAAG;KACX;IACD,MAAM,EAAE;QACN,MAAM,EAAE,8BAA8B;QACtC,KAAK,EAAE,IAAI;KACZ;IACD,OAAO,EAAE;QACP,MAAM,EAAE,wBAAwB;QAChC,KAAK,EAAE,GAAG;KACX;IACD,YAAY,EAAE;QACZ,MAAM,EAAE,kDAAkD;QAC1D,KAAK,EAAE,GAAG;KACX;IACD,KAAK,EAAE;QACL,MAAM,EAAE,uDAAuD;QAC/D,KAAK,EAAE,GAAG;KACX;IACD,SAAS,EAAE;QACT,MAAM,EAAE,iDAAiD;QACzD,KAAK,EAAE,GAAG;KACX;IACD,UAAU,EAAE;QACV,MAAM,EAAE,+CAA+C;QACvD,KAAK,EAAE,GAAG;KACX;IACD,OAAO,EAAE;QACP,MAAM,EAAE,qBAAqB;QAC7B,KAAK,EAAE,IAAI;KACZ;CACF,CAAC;AAEF,+EAA+E;AAE/E;;;;;GAKG;AACH,MAAM,CAAC,MAAM,cAAc,GAAoB;IAC7C,MAAM,EAAE;QACN,cAAc,EAAE,IAAI;QACpB,YAAY,EAAE,IAAI;QAClB,WAAW,EAAE,IAAI;QACjB,eAAe,EAAE,IAAI;QACrB,YAAY,EAAE,IAAI;QAClB,aAAa,EAAE,IAAI;QACnB,aAAa,EAAE,IAAI;QACnB,WAAW,EAAE,IAAI;KAClB;IACD,aAAa,EAAE;QACb,UAAU,EAAE,IAAI;QAChB,UAAU,EAAE,EAAE;QACd,QAAQ,EAAE,EAAE;KACb;IACD,QAAQ,EAAE;QACR,GAAG,EAAE,IAAI;QACT,MAAM,EAAE,IAAI;QACZ,OAAO,EAAE,IAAI;QACb,YAAY,EAAE,IAAI;QAClB,KAAK,EAAE,IAAI;QACX,SAAS,EAAE,IAAI;QACf,UAAU,EAAE,IAAI;QAChB,OAAO,EAAE,IAAI;QACb,MAAM,EAAE,EAAE;KACX;IACD,iBAAiB,EAAE,SAAS;CAC7B,CAAC"}

package/dist/engine.d.ts

@@ -0,0 +1,48 @@
+/**
+ * @module engine
+ *
+ * RedactionEngine — the core recursive JSON walker that applies plugins
+ * to detect and mask sensitive data.
+ *
+ * Ported from glubean-v1 RedactionService (policyRedactValue / policyRedactObject /
+ * policyRedactString) with the monolithic class decomposed into a plugin pipeline.
+ */
+import type { RedactionConfig, RedactionPlugin, RedactionResult } from "./types.js";
+/** Options for constructing a RedactionEngine instance. */
+export interface RedactionEngineOptions<C extends RedactionConfig = RedactionConfig> {
+    config: C;
+    plugins: RedactionPlugin[];
+    /** Max object nesting depth before truncation. Default: 10. */
+    maxDepth?: number;
+}
+/**
+ * Generic partial mask: show first 3 and last 3 characters for long values,
+ * less for shorter values, full mask for very short ones.
+ *
+ * Used as fallback when a plugin does not provide its own partialMask().
+ */
+export declare function genericPartialMask(value: string): string;
+/**
+ * Plugin-based redaction engine.
+ *
+ * Walks JSON values recursively, applying registered plugins for key-level
+ * and value-level redaction. Supports three replacement formats:
+ * "simple" ([REDACTED]), "labeled" ([REDACTED:plugin_name]), "partial" (smart masking).
+ */
+export declare class RedactionEngine<C extends RedactionConfig = RedactionConfig> {
+    private readonly config;
+    private readonly plugins;
+    private readonly maxDepth;
+    constructor(options: RedactionEngineOptions<C>);
+    /**
+     * Redact a value. Recursively walks objects and arrays.
+     *
+     * @param value   The value to redact (deep-cloned internally).
+     * @param scope   Optional scope key — if the scope is disabled in config, returns value unchanged.
+     */
+    redact(value: unknown, scope?: keyof C["scopes"] & string): RedactionResult;
+    private walkValue;
+    private walkObject;
+    private walkString;
+}
+//# sourceMappingURL=engine.d.ts.map

package/dist/engine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../src/engine.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAoB,eAAe,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAEtG,2DAA2D;AAC3D,MAAM,WAAW,sBAAsB,CACrC,CAAC,SAAS,eAAe,GAAG,eAAe;IAE3C,MAAM,EAAE,CAAC,CAAC;IACV,OAAO,EAAE,eAAe,EAAE,CAAC;IAC3B,+DAA+D;IAC/D,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAKxD;AAED;;;;;;GAMG;AACH,qBAAa,eAAe,CAAC,CAAC,SAAS,eAAe,GAAG,eAAe;IACtE,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAI;IAC3B,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAoB;IAC5C,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;gBAEtB,OAAO,EAAE,sBAAsB,CAAC,CAAC,CAAC;IAM9C;;;;;OAKG;IACH,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,GAAG,MAAM,GAAG,eAAe;IAqB3E,OAAO,CAAC,SAAS;IAiDjB,OAAO,CAAC,UAAU;IA4DlB,OAAO,CAAC,UAAU;CA8CnB"}

package/dist/engine.js

@@ -0,0 +1,174 @@
+/**
+ * @module engine
+ *
+ * RedactionEngine — the core recursive JSON walker that applies plugins
+ * to detect and mask sensitive data.
+ *
+ * Ported from glubean-v1 RedactionService (policyRedactValue / policyRedactObject /
+ * policyRedactString) with the monolithic class decomposed into a plugin pipeline.
+ */
+/**
+ * Generic partial mask: show first 3 and last 3 characters for long values,
+ * less for shorter values, full mask for very short ones.
+ *
+ * Used as fallback when a plugin does not provide its own partialMask().
+ */
+export function genericPartialMask(value) {
+    const len = value.length;
+    if (len <= 4)
+        return "****";
+    if (len <= 8)
+        return value.slice(0, 2) + "***" + value.slice(-1);
+    return value.slice(0, 3) + "***" + value.slice(-3);
+}
+/**
+ * Plugin-based redaction engine.
+ *
+ * Walks JSON values recursively, applying registered plugins for key-level
+ * and value-level redaction. Supports three replacement formats:
+ * "simple" ([REDACTED]), "labeled" ([REDACTED:plugin_name]), "partial" (smart masking).
+ */
+export class RedactionEngine {
+    config;
+    plugins;
+    maxDepth;
+    constructor(options) {
+        this.config = options.config;
+        this.plugins = options.plugins;
+        this.maxDepth = options.maxDepth ?? 10;
+    }
+    /**
+     * Redact a value. Recursively walks objects and arrays.
+     *
+     * @param value   The value to redact (deep-cloned internally).
+     * @param scope   Optional scope key — if the scope is disabled in config, returns value unchanged.
+     */
+    redact(value, scope) {
+        // Scope gate: if scope is specified and disabled, skip entirely
+        if (scope) {
+            const scopes = this.config.scopes;
+            if (scopes[scope] === false) {
+                return { value, redacted: false, details: [] };
+            }
+        }
+        const details = [];
+        const scopeStr = scope ?? "";
+        const result = this.walkValue(value, scopeStr, [], details, 0);
+        return {
+            value: result.value,
+            redacted: result.didRedact,
+            details,
+        };
+    }
+    // ── Private recursive walker ──────────────────────────────────────────
+    walkValue(value, scope, path, details, depth) {
+        if (depth > this.maxDepth) {
+            return { value: "[REDACTED: too deep]", didRedact: true };
+        }
+        if (value === null || value === undefined) {
+            return { value, didRedact: false };
+        }
+        if (typeof value === "string") {
+            return this.walkString(value, scope, path, details);
+        }
+        if (Array.isArray(value)) {
+            let didRedact = false;
+            const redactedArray = value.map((item, i) => {
+                const result = this.walkValue(item, scope, [...path, String(i)], details, depth + 1);
+                if (result.didRedact)
+                    didRedact = true;
+                return result.value;
+            });
+            return { value: redactedArray, didRedact };
+        }
+        if (typeof value === "object") {
+            return this.walkObject(value, scope, path, details, depth);
+        }
+        // Numbers, booleans, etc. — pass through
+        return { value, didRedact: false };
+    }
+    walkObject(obj, scope, path, details, depth) {
+        let didRedact = false;
+        const result = {};
+        for (const [key, value] of Object.entries(obj)) {
+            const keyPath = [...path, key];
+            const ctx = { scope, path: keyPath, key };
+            // Key-level check: first plugin returning true wins
+            let keySensitive = false;
+            let keyPluginName = "";
+            for (const plugin of this.plugins) {
+                if (plugin.isKeySensitive) {
+                    const hit = plugin.isKeySensitive(key, ctx);
+                    if (hit === true) {
+                        keySensitive = true;
+                        keyPluginName = plugin.name;
+                        break;
+                    }
+                }
+            }
+            if (keySensitive) {
+                const replacement = this.config.replacementFormat;
+                if (replacement === "partial") {
+                    const str = value === null || value === undefined ? "" : String(value);
+                    result[key] = genericPartialMask(str);
+                }
+                else {
+                    result[key] = "[REDACTED]";
+                }
+                didRedact = true;
+                details.push({
+                    path: keyPath.join("."),
+                    plugin: keyPluginName,
+                    original: typeof value === "string" ? value : undefined,
+                });
+                continue;
+            }
+            // Recurse into value
+            const redacted = this.walkValue(value, scope, keyPath, details, depth + 1);
+            result[key] = redacted.value;
+            if (redacted.didRedact)
+                didRedact = true;
+        }
+        return { value: result, didRedact };
+    }
+    walkString(str, scope, path, details) {
+        let result = str;
+        let didRedact = false;
+        const ctx = {
+            scope,
+            path,
+            key: path.length > 0 ? path[path.length - 1] : "",
+        };
+        for (const plugin of this.plugins) {
+            if (!plugin.matchValue)
+                continue;
+            const regex = plugin.matchValue(result, ctx);
+            if (!regex)
+                continue;
+            // Test if the pattern matches
+            if (regex.test(result)) {
+                regex.lastIndex = 0; // Reset after test()
+                const replacement = this.config.replacementFormat;
+                if (replacement === "partial") {
+                    const maskFn = plugin.partialMask ?? genericPartialMask;
+                    result = result.replace(regex, (match) => maskFn(match));
+                }
+                else if (replacement === "labeled") {
+                    const tag = `[REDACTED:${plugin.name}]`;
+                    result = result.replace(regex, tag);
+                }
+                else {
+                    result = result.replace(regex, "[REDACTED]");
+                }
+                didRedact = true;
+                details.push({
+                    path: path.join("."),
+                    plugin: plugin.name,
+                    original: str,
+                });
+            }
+        }
+        return { value: result, didRedact };
+    }
+}
+//# sourceMappingURL=engine.js.map

package/dist/engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.js","sourceRoot":"","sources":["../src/engine.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAcH;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAa;IAC9C,MAAM,GAAG,GAAG,KAAK,CAAC,MAAM,CAAC;IACzB,IAAI,GAAG,IAAI,CAAC;QAAE,OAAO,MAAM,CAAC;IAC5B,IAAI,GAAG,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACjE,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;AACrD,CAAC;AAED;;;;;;GAMG;AACH,MAAM,OAAO,eAAe;IACT,MAAM,CAAI;IACV,OAAO,CAAoB;IAC3B,QAAQ,CAAS;IAElC,YAAY,OAAkC;QAC5C,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAC7B,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;QAC/B,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,EAAE,CAAC;IACzC,CAAC;IAED;;;;;OAKG;IACH,MAAM,CAAC,KAAc,EAAE,KAAkC;QACvD,gEAAgE;QAChE,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,MAA4C,CAAC;YACxE,IAAI,MAAM,CAAC,KAAK,CAAC,KAAK,KAAK,EAAE,CAAC;gBAC5B,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;YACjD,CAAC;QACH,CAAC;QAED,MAAM,OAAO,GAA+B,EAAE,CAAC;QAC/C,MAAM,QAAQ,GAAG,KAAK,IAAI,EAAE,CAAC;QAC7B,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,QAAQ,EAAE,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;QAC/D,OAAO;YACL,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,QAAQ,EAAE,MAAM,CAAC,SAAS;YAC1B,OAAO;SACR,CAAC;IACJ,CAAC;IAED,yEAAyE;IAEjE,SAAS,CACf,KAAc,EACd,KAAa,EACb,IAAc,EACd,OAAmC,EACnC,KAAa;QAEb,IAAI,KAAK,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC1B,OAAO,EAAE,KAAK,EAAE,sBAAsB,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;QAC5D,CAAC;QAED,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YAC1C,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;QACrC,CAAC;QAED,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;QACtD,CAAC;QAED,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,IAAI,SAAS,GAAG,KAAK,CAAC;YACtB,MAAM,aAAa,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE;gBAC1C,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAC3B,IAAI,EACJ,KAAK,EACL,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,EACpB,OAAO,EACP,KAAK,GAAG,CAAC,CACV,CAAC;gBACF,IAAI,MAAM,CAAC,SAAS;oBAAE,SAAS,GAAG,IAAI,CAAC;gBACvC,OAAO,MAAM,CAAC,KAAK,CAAC;YACtB,CAAC,CAAC,CAAC;YACH,OAAO,EAAE,KAAK,EAAE,aAAa,EAAE,SAAS,EAAE,CAAC;QAC7C,CAAC;QAED,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,IAAI,CAAC,UAAU,CACpB,KAAgC,EAChC,KAAK,EACL,IAAI,EACJ,OAAO,EACP,KAAK,CACN,CAAC;QACJ,CAAC;QAED,yCAAyC;QACzC,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;IACrC,CAAC;IAEO,UAAU,CAChB,GAA4B,EAC5B,KAAa,EACb,IAAc,EACd,OAAmC,EACnC,KAAa;QAEb,IAAI,SAAS,GAAG,KAAK,CAAC;QACtB,MAAM,MAAM,GAA4B,EAAE,CAAC;QAE3C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YAC/C,MAAM,OAAO,GAAG,CAAC,GAAG,IAAI,EAAE,GAAG,CAAC,CAAC;YAC/B,MAAM,GAAG,GAAqB,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC;YAE5D,oDAAoD;YACpD,IAAI,YAAY,GAAG,KAAK,CAAC;YACzB,IAAI,aAAa,GAAG,EAAE,CAAC;YACvB,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;gBAClC,IAAI,MAAM,CAAC,cAAc,EAAE,CAAC;oBAC1B,MAAM,GAAG,GAAG,MAAM,CAAC,cAAc,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;oBAC5C,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;wBACjB,YAAY,GAAG,IAAI,CAAC;wBACpB,aAAa,GAAG,MAAM,CAAC,IAAI,CAAC;wBAC5B,MAAM;oBACR,CAAC;gBACH,CAAC;YACH,CAAC;YAED,IAAI,YAAY,EAAE,CAAC;gBACjB,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC;gBAClD,IAAI,WAAW,KAAK,SAAS,EAAE,CAAC;oBAC9B,MAAM,GAAG,GAAG,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;oBACvE,MAAM,CAAC,GAAG,CAAC,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;gBACxC,CAAC;qBAAM,CAAC;oBACN,MAAM,CAAC,GAAG,CAAC,GAAG,YAAY,CAAC;gBAC7B,CAAC;gBACD,SAAS,GAAG,IAAI,CAAC;gBACjB,OAAO,CAAC,IAAI,CAAC;oBACX,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC;oBACvB,MAAM,EAAE,aAAa;oBACrB,QAAQ,EAAE,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;iBACxD,CAAC,CAAC;gBACH,SAAS;YACX,CAAC;YAED,qBAAqB;YACrB,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAC7B,KAAK,EACL,KAAK,EACL,OAAO,EACP,OAAO,EACP,KAAK,GAAG,CAAC,CACV,CAAC;YACF,MAAM,CAAC,GAAG,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC;YAC7B,IAAI,QAAQ,CAAC,SAAS;gBAAE,SAAS,GAAG,IAAI,CAAC;QAC3C,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IACtC,CAAC;IAEO,UAAU,CAChB,GAAW,EACX,KAAa,EACb,IAAc,EACd,OAAmC;QAEnC,IAAI,MAAM,GAAG,GAAG,CAAC;QACjB,IAAI,SAAS,GAAG,KAAK,CAAC;QACtB,MAAM,GAAG,GAAqB;YAC5B,KAAK;YACL,IAAI;YACJ,GAAG,EAAE,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE;SAClD,CAAC;QAEF,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YAClC,IAAI,CAAC,MAAM,CAAC,UAAU;gBAAE,SAAS;YAEjC,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;YAC7C,IAAI,CAAC,KAAK;gBAAE,SAAS;YAErB,8BAA8B;YAC9B,IAAI,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;gBACvB,KAAK,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC,qBAAqB;gBAE1C,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC;gBAClD,IAAI,WAAW,KAAK,SAAS,EAAE,CAAC;oBAC9B,MAAM,MAAM,GAAG,MAAM,CAAC,WAAW,IAAI,kBAAkB,CAAC;oBACxD,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;gBAC3D,CAAC;qBAAM,IAAI,WAAW,KAAK,SAAS,EAAE,CAAC;oBACrC,MAAM,GAAG,GAAG,aAAa,MAAM,CAAC,IAAI,GAAG,CAAC;oBACxC,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBACtC,CAAC;qBAAM,CAAC;oBACN,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,YAAY,CAAC,CAAC;gBAC/C,CAAC;gBAED,SAAS,GAAG,IAAI,CAAC;gBACjB,OAAO,CAAC,IAAI,CAAC;oBACX,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;oBACpB,MAAM,EAAE,MAAM,CAAC,IAAI;oBACnB,QAAQ,EAAE,GAAG;iBACd,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC;IACtC,CAAC;CACF"}

package/dist/index.d.ts

@@ -0,0 +1,30 @@
+/**
+ * @glubean/redaction — Plugin-based secrets/PII detection and masking.
+ *
+ * Pure TypeScript, no runtime-specific dependencies (no Deno.*, no node:*).
+ * Consumable by both Deno (oss CLI/runner) and Node.js (server).
+ *
+ * @example
+ * import {
+ *   RedactionEngine,
+ *   createBuiltinPlugins,
+ *   DEFAULT_CONFIG,
+ *   redactEvent,
+ * } from "@glubean/redaction";
+ *
+ * const engine = new RedactionEngine({
+ *   config: DEFAULT_CONFIG,
+ *   plugins: createBuiltinPlugins(DEFAULT_CONFIG),
+ * });
+ *
+ * const result = engine.redact({ authorization: "Bearer secret123" });
+ * // result.value === { authorization: "[REDACTED]" }
+ */
+export type { CustomPattern, PatternsConfig, RedactionConfig, RedactionContext, RedactionPlugin, RedactionResult, RedactionScopes, SensitiveKeysConfig, } from "./types.js";
+export { genericPartialMask, RedactionEngine } from "./engine.js";
+export type { RedactionEngineOptions } from "./engine.js";
+export { BUILT_IN_SENSITIVE_KEYS, DEFAULT_CONFIG, PATTERN_SOURCES } from "./defaults.js";
+export { awsKeysPlugin, bearerPlugin, createBuiltinPlugins, creditCardPlugin, emailPlugin, githubTokensPlugin, hexKeysPlugin, ipAddressPlugin, jwtPlugin, sensitiveKeysPlugin, } from "./plugins/mod.js";
+export { redactEvent } from "./adapter.js";
+export type { RedactableEvent } from "./adapter.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAGH,YAAY,EACV,aAAa,EACb,cAAc,EACd,eAAe,EACf,gBAAgB,EAChB,eAAe,EACf,eAAe,EACf,eAAe,EACf,mBAAmB,GACpB,MAAM,YAAY,CAAC;AAGpB,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAClE,YAAY,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AAG1D,OAAO,EAAE,uBAAuB,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAGzF,OAAO,EACL,aAAa,EACb,YAAY,EACZ,oBAAoB,EACpB,gBAAgB,EAChB,WAAW,EACX,kBAAkB,EAClB,aAAa,EACb,eAAe,EACf,SAAS,EACT,mBAAmB,GACpB,MAAM,kBAAkB,CAAC;AAG1B,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAC3C,YAAY,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC"}

package/dist/index.js

@@ -0,0 +1,31 @@
+/**
+ * @glubean/redaction — Plugin-based secrets/PII detection and masking.
+ *
+ * Pure TypeScript, no runtime-specific dependencies (no Deno.*, no node:*).
+ * Consumable by both Deno (oss CLI/runner) and Node.js (server).
+ *
+ * @example
+ * import {
+ *   RedactionEngine,
+ *   createBuiltinPlugins,
+ *   DEFAULT_CONFIG,
+ *   redactEvent,
+ * } from "@glubean/redaction";
+ *
+ * const engine = new RedactionEngine({
+ *   config: DEFAULT_CONFIG,
+ *   plugins: createBuiltinPlugins(DEFAULT_CONFIG),
+ * });
+ *
+ * const result = engine.redact({ authorization: "Bearer secret123" });
+ * // result.value === { authorization: "[REDACTED]" }
+ */
+// Engine
+export { genericPartialMask, RedactionEngine } from "./engine.js";
+// Defaults
+export { BUILT_IN_SENSITIVE_KEYS, DEFAULT_CONFIG, PATTERN_SOURCES } from "./defaults.js";
+// Plugins
+export { awsKeysPlugin, bearerPlugin, createBuiltinPlugins, creditCardPlugin, emailPlugin, githubTokensPlugin, hexKeysPlugin, ipAddressPlugin, jwtPlugin, sensitiveKeysPlugin, } from "./plugins/mod.js";
+// Adapter
+export { redactEvent } from "./adapter.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAcH,SAAS;AACT,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAGlE,WAAW;AACX,OAAO,EAAE,uBAAuB,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAEzF,UAAU;AACV,OAAO,EACL,aAAa,EACb,YAAY,EACZ,oBAAoB,EACpB,gBAAgB,EAChB,WAAW,EACX,kBAAkB,EAClB,aAAa,EACb,eAAe,EACf,SAAS,EACT,mBAAmB,GACpB,MAAM,kBAAkB,CAAC;AAE1B,UAAU;AACV,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC"}

package/dist/plugins/aws-keys.d.ts

@@ -0,0 +1,6 @@
+/**
+ * AWS access key plugin — detects AKIA-prefixed access key IDs.
+ */
+import type { RedactionPlugin } from "../types.js";
+export declare const awsKeysPlugin: RedactionPlugin;
+//# sourceMappingURL=aws-keys.d.ts.map

package/dist/plugins/aws-keys.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"aws-keys.d.ts","sourceRoot":"","sources":["../../src/plugins/aws-keys.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAInD,eAAO,MAAM,aAAa,EAAE,eAK3B,CAAC"}

package/dist/plugins/aws-keys.js

@@ -0,0 +1,11 @@
+/**
+ * AWS access key plugin — detects AKIA-prefixed access key IDs.
+ */
+const AWS_SOURCE = "\\bAKIA[0-9A-Z]{16}\\b";
+export const awsKeysPlugin = {
+    name: "awsKeys",
+    matchValue: () => new RegExp(AWS_SOURCE, "g"),
+    // AKIA prefix is meaningful, show first 4 + last 2
+    partialMask: (match) => match.slice(0, 4) + "***" + match.slice(-2),
+};
+//# sourceMappingURL=aws-keys.js.map

package/dist/plugins/aws-keys.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"aws-keys.js","sourceRoot":"","sources":["../../src/plugins/aws-keys.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,MAAM,UAAU,GAAG,wBAAwB,CAAC;AAE5C,MAAM,CAAC,MAAM,aAAa,GAAoB;IAC5C,IAAI,EAAE,SAAS;IACf,UAAU,EAAE,GAAG,EAAE,CAAC,IAAI,MAAM,CAAC,UAAU,EAAE,GAAG,CAAC;IAC7C,mDAAmD;IACnD,WAAW,EAAE,CAAC,KAAa,EAAE,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;CAC5E,CAAC"}

package/dist/plugins/bearer.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Bearer token plugin — detects "Bearer <token>" patterns.
+ *
+ * Common in Authorization headers and log messages.
+ */
+import type { RedactionPlugin } from "../types.js";
+export declare const bearerPlugin: RedactionPlugin;
+//# sourceMappingURL=bearer.d.ts.map