@glubean/redaction 0.1.2

package/dist/plugins/bearer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bearer.d.ts","sourceRoot":"","sources":["../../src/plugins/bearer.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAKnD,eAAO,MAAM,YAAY,EAAE,eAU1B,CAAC"}

package/dist/plugins/bearer.js

@@ -0,0 +1,19 @@
+/**
+ * Bearer token plugin — detects "Bearer <token>" patterns.
+ *
+ * Common in Authorization headers and log messages.
+ */
+import { genericPartialMask } from "../engine.js";
+const BEARER_SOURCE = "\\bBearer\\s+[a-zA-Z0-9._-]+";
+export const bearerPlugin = {
+    name: "bearer",
+    matchValue: () => new RegExp(BEARER_SOURCE, "gi"),
+    partialMask: (match) => {
+        if (match.toLowerCase().startsWith("bearer ")) {
+            const token = match.slice(7);
+            return "Bearer " + genericPartialMask(token);
+        }
+        return genericPartialMask(match);
+    },
+};
+//# sourceMappingURL=bearer.js.map

package/dist/plugins/bearer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bearer.js","sourceRoot":"","sources":["../../src/plugins/bearer.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAElD,MAAM,aAAa,GAAG,8BAA8B,CAAC;AAErD,MAAM,CAAC,MAAM,YAAY,GAAoB;IAC3C,IAAI,EAAE,QAAQ;IACd,UAAU,EAAE,GAAG,EAAE,CAAC,IAAI,MAAM,CAAC,aAAa,EAAE,IAAI,CAAC;IACjD,WAAW,EAAE,CAAC,KAAa,EAAE,EAAE;QAC7B,IAAI,KAAK,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YAC9C,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAC7B,OAAO,SAAS,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC/C,CAAC;QACD,OAAO,kBAAkB,CAAC,KAAK,CAAC,CAAC;IACnC,CAAC;CACF,CAAC"}

package/dist/plugins/credit-card.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Credit card plugin — detects 16-digit card numbers (with optional separators).
+ */
+import type { RedactionPlugin } from "../types.js";
+export declare const creditCardPlugin: RedactionPlugin;
+//# sourceMappingURL=credit-card.d.ts.map

package/dist/plugins/credit-card.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credit-card.d.ts","sourceRoot":"","sources":["../../src/plugins/credit-card.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAInD,eAAO,MAAM,gBAAgB,EAAE,eAS9B,CAAC"}

package/dist/plugins/credit-card.js

@@ -0,0 +1,15 @@
+/**
+ * Credit card plugin — detects 16-digit card numbers (with optional separators).
+ */
+const CC_SOURCE = "\\b\\d{4}[- ]?\\d{4}[- ]?\\d{4}[- ]?\\d{4}\\b";
+export const creditCardPlugin = {
+    name: "creditCard",
+    matchValue: () => new RegExp(CC_SOURCE, "g"),
+    partialMask: (match) => {
+        // PCI standard: show only last 4 digits
+        const digits = match.replace(/\D/g, "");
+        const last4 = digits.slice(-4);
+        return "****-****-****-" + last4;
+    },
+};
+//# sourceMappingURL=credit-card.js.map

package/dist/plugins/credit-card.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"credit-card.js","sourceRoot":"","sources":["../../src/plugins/credit-card.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,MAAM,SAAS,GAAG,+CAA+C,CAAC;AAElE,MAAM,CAAC,MAAM,gBAAgB,GAAoB;IAC/C,IAAI,EAAE,YAAY;IAClB,UAAU,EAAE,GAAG,EAAE,CAAC,IAAI,MAAM,CAAC,SAAS,EAAE,GAAG,CAAC;IAC5C,WAAW,EAAE,CAAC,KAAa,EAAE,EAAE;QAC7B,wCAAwC;QACxC,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACxC,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/B,OAAO,iBAAiB,GAAG,KAAK,CAAC;IACnC,CAAC;CACF,CAAC"}

package/dist/plugins/email.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Email plugin — detects standard email addresses.
+ */
+import type { RedactionPlugin } from "../types.js";
+export declare const emailPlugin: RedactionPlugin;
+//# sourceMappingURL=email.d.ts.map

package/dist/plugins/email.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"email.d.ts","sourceRoot":"","sources":["../../src/plugins/email.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAInD,eAAO,MAAM,WAAW,EAAE,eAYzB,CAAC"}

package/dist/plugins/email.js

@@ -0,0 +1,19 @@
+/**
+ * Email plugin — detects standard email addresses.
+ */
+const EMAIL_SOURCE = "\\b[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}\\b";
+export const emailPlugin = {
+    name: "email",
+    matchValue: () => new RegExp(EMAIL_SOURCE, "g"),
+    partialMask: (match) => {
+        // u***@***.com
+        const atIdx = match.indexOf("@");
+        if (atIdx <= 0)
+            return "***@***";
+        const dotIdx = match.lastIndexOf(".");
+        const user = match.slice(0, atIdx);
+        const domainSuffix = dotIdx > atIdx ? match.slice(dotIdx) : "";
+        return user[0] + "***@***" + domainSuffix;
+    },
+};
+//# sourceMappingURL=email.js.map

package/dist/plugins/email.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"email.js","sourceRoot":"","sources":["../../src/plugins/email.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,MAAM,YAAY,GAAG,uDAAuD,CAAC;AAE7E,MAAM,CAAC,MAAM,WAAW,GAAoB;IAC1C,IAAI,EAAE,OAAO;IACb,UAAU,EAAE,GAAG,EAAE,CAAC,IAAI,MAAM,CAAC,YAAY,EAAE,GAAG,CAAC;IAC/C,WAAW,EAAE,CAAC,KAAa,EAAE,EAAE;QAC7B,eAAe;QACf,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,KAAK,IAAI,CAAC;YAAE,OAAO,SAAS,CAAC;QACjC,MAAM,MAAM,GAAG,KAAK,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;QACnC,MAAM,YAAY,GAAG,MAAM,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/D,OAAO,IAAI,CAAC,CAAC,CAAC,GAAG,SAAS,GAAG,YAAY,CAAC;IAC5C,CAAC;CACF,CAAC"}

package/dist/plugins/github-tokens.d.ts

@@ -0,0 +1,6 @@
+/**
+ * GitHub token plugin — detects ghp_, gho_, ghu_, ghs_, ghr_ prefixed tokens.
+ */
+import type { RedactionPlugin } from "../types.js";
+export declare const githubTokensPlugin: RedactionPlugin;
+//# sourceMappingURL=github-tokens.d.ts.map

package/dist/plugins/github-tokens.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"github-tokens.d.ts","sourceRoot":"","sources":["../../src/plugins/github-tokens.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAInD,eAAO,MAAM,kBAAkB,EAAE,eAWhC,CAAC"}

package/dist/plugins/github-tokens.js

@@ -0,0 +1,17 @@
+/**
+ * GitHub token plugin — detects ghp_, gho_, ghu_, ghs_, ghr_ prefixed tokens.
+ */
+const GITHUB_SOURCE = "\\b(ghp_|gho_|ghu_|ghs_|ghr_)[a-zA-Z0-9]{36,}\\b";
+export const githubTokensPlugin = {
+    name: "githubTokens",
+    matchValue: () => new RegExp(GITHUB_SOURCE, "g"),
+    partialMask: (match) => {
+        // ghp_ prefix is meaningful, show prefix + last 3
+        const prefixEnd = match.indexOf("_");
+        if (prefixEnd > 0 && prefixEnd < 4) {
+            return match.slice(0, prefixEnd + 1) + "***" + match.slice(-3);
+        }
+        return match.slice(0, 4) + "***" + match.slice(-3);
+    },
+};
+//# sourceMappingURL=github-tokens.js.map

package/dist/plugins/github-tokens.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"github-tokens.js","sourceRoot":"","sources":["../../src/plugins/github-tokens.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,MAAM,aAAa,GAAG,kDAAkD,CAAC;AAEzE,MAAM,CAAC,MAAM,kBAAkB,GAAoB;IACjD,IAAI,EAAE,cAAc;IACpB,UAAU,EAAE,GAAG,EAAE,CAAC,IAAI,MAAM,CAAC,aAAa,EAAE,GAAG,CAAC;IAChD,WAAW,EAAE,CAAC,KAAa,EAAE,EAAE;QAC7B,kDAAkD;QAClD,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,SAAS,GAAG,CAAC,IAAI,SAAS,GAAG,CAAC,EAAE,CAAC;YACnC,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,GAAG,CAAC,CAAC,GAAG,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACjE,CAAC;QACD,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACrD,CAAC;CACF,CAAC"}

package/dist/plugins/hex-keys.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Hex keys plugin — detects long hex strings (32+ chars) that are
+ * likely API keys, hashes, or secrets.
+ */
+import type { RedactionPlugin } from "../types.js";
+export declare const hexKeysPlugin: RedactionPlugin;
+//# sourceMappingURL=hex-keys.d.ts.map

package/dist/plugins/hex-keys.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hex-keys.d.ts","sourceRoot":"","sources":["../../src/plugins/hex-keys.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAKnD,eAAO,MAAM,aAAa,EAAE,eAI3B,CAAC"}

package/dist/plugins/hex-keys.js

@@ -0,0 +1,12 @@
+/**
+ * Hex keys plugin — detects long hex strings (32+ chars) that are
+ * likely API keys, hashes, or secrets.
+ */
+import { genericPartialMask } from "../engine.js";
+const HEX_SOURCE = "\\b[a-f0-9]{32,}\\b";
+export const hexKeysPlugin = {
+    name: "hexKeys",
+    matchValue: () => new RegExp(HEX_SOURCE, "gi"),
+    partialMask: genericPartialMask,
+};
+//# sourceMappingURL=hex-keys.js.map

package/dist/plugins/hex-keys.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hex-keys.js","sourceRoot":"","sources":["../../src/plugins/hex-keys.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAElD,MAAM,UAAU,GAAG,qBAAqB,CAAC;AAEzC,MAAM,CAAC,MAAM,aAAa,GAAoB;IAC5C,IAAI,EAAE,SAAS;IACf,UAAU,EAAE,GAAG,EAAE,CAAC,IAAI,MAAM,CAAC,UAAU,EAAE,IAAI,CAAC;IAC9C,WAAW,EAAE,kBAAkB;CAChC,CAAC"}

package/dist/plugins/ip-address.d.ts

@@ -0,0 +1,6 @@
+/**
+ * IP address plugin — detects IPv4 addresses.
+ */
+import type { RedactionPlugin } from "../types.js";
+export declare const ipAddressPlugin: RedactionPlugin;
+//# sourceMappingURL=ip-address.d.ts.map

package/dist/plugins/ip-address.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ip-address.d.ts","sourceRoot":"","sources":["../../src/plugins/ip-address.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAKnD,eAAO,MAAM,eAAe,EAAE,eAW7B,CAAC"}

package/dist/plugins/ip-address.js

@@ -0,0 +1,18 @@
+/**
+ * IP address plugin — detects IPv4 addresses.
+ */
+import { genericPartialMask } from "../engine.js";
+const IP_SOURCE = "\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b";
+export const ipAddressPlugin = {
+    name: "ipAddress",
+    matchValue: () => new RegExp(IP_SOURCE, "g"),
+    partialMask: (match) => {
+        // Show first two octets: 192.168.*.*
+        const parts = match.split(".");
+        if (parts.length === 4) {
+            return parts[0] + "." + parts[1] + ".*.*";
+        }
+        return genericPartialMask(match);
+    },
+};
+//# sourceMappingURL=ip-address.js.map

package/dist/plugins/ip-address.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ip-address.js","sourceRoot":"","sources":["../../src/plugins/ip-address.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAElD,MAAM,SAAS,GAAG,iDAAiD,CAAC;AAEpE,MAAM,CAAC,MAAM,eAAe,GAAoB;IAC9C,IAAI,EAAE,WAAW;IACjB,UAAU,EAAE,GAAG,EAAE,CAAC,IAAI,MAAM,CAAC,SAAS,EAAE,GAAG,CAAC;IAC5C,WAAW,EAAE,CAAC,KAAa,EAAE,EAAE;QAC7B,qCAAqC;QACrC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO,KAAK,CAAC,CAAC,CAAC,GAAG,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC;QAC5C,CAAC;QACD,OAAO,kBAAkB,CAAC,KAAK,CAAC,CAAC;IACnC,CAAC;CACF,CAAC"}

package/dist/plugins/jwt.d.ts

@@ -0,0 +1,9 @@
+/**
+ * JWT plugin — detects JSON Web Tokens in string values.
+ *
+ * Matches the standard `header.payload.signature` format where
+ * header and payload start with base64url-encoded `{"` (= `eyJ`).
+ */
+import type { RedactionPlugin } from "../types.js";
+export declare const jwtPlugin: RedactionPlugin;
+//# sourceMappingURL=jwt.d.ts.map

package/dist/plugins/jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../src/plugins/jwt.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAInD,eAAO,MAAM,SAAS,EAAE,eAIvB,CAAC"}

package/dist/plugins/jwt.js

@@ -0,0 +1,13 @@
+/**
+ * JWT plugin — detects JSON Web Tokens in string values.
+ *
+ * Matches the standard `header.payload.signature` format where
+ * header and payload start with base64url-encoded `{"` (= `eyJ`).
+ */
+const JWT_SOURCE = "\\beyJ[a-zA-Z0-9_-]*\\.eyJ[a-zA-Z0-9_-]*\\.[a-zA-Z0-9_-]*";
+export const jwtPlugin = {
+    name: "jwt",
+    matchValue: () => new RegExp(JWT_SOURCE, "g"),
+    partialMask: (match) => match.slice(0, 3) + "***" + match.slice(-3),
+};
+//# sourceMappingURL=jwt.js.map

package/dist/plugins/jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../../src/plugins/jwt.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,MAAM,UAAU,GAAG,2DAA2D,CAAC;AAE/E,MAAM,CAAC,MAAM,SAAS,GAAoB;IACxC,IAAI,EAAE,KAAK;IACX,UAAU,EAAE,GAAG,EAAE,CAAC,IAAI,MAAM,CAAC,UAAU,EAAE,GAAG,CAAC;IAC7C,WAAW,EAAE,CAAC,KAAa,EAAE,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;CAC5E,CAAC"}

package/dist/plugins/mod.d.ts

@@ -0,0 +1,29 @@
+/**
+ * @module plugins
+ *
+ * Re-exports all built-in plugins and provides `createBuiltinPlugins()`
+ * factory that assembles the plugin list from a RedactionConfig.
+ */
+import type { RedactionConfig, RedactionPlugin } from "../types.js";
+import { sensitiveKeysPlugin } from "./sensitive-keys.js";
+import { jwtPlugin } from "./jwt.js";
+import { bearerPlugin } from "./bearer.js";
+import { awsKeysPlugin } from "./aws-keys.js";
+import { githubTokensPlugin } from "./github-tokens.js";
+import { emailPlugin } from "./email.js";
+import { ipAddressPlugin } from "./ip-address.js";
+import { creditCardPlugin } from "./credit-card.js";
+import { hexKeysPlugin } from "./hex-keys.js";
+export { awsKeysPlugin, bearerPlugin, creditCardPlugin, emailPlugin, githubTokensPlugin, hexKeysPlugin, ipAddressPlugin, jwtPlugin, sensitiveKeysPlugin, };
+/**
+ * Create the full plugin list from a RedactionConfig.
+ *
+ * Order: sensitive-keys plugin first (key-level), then enabled pattern
+ * plugins (value-level), then user custom patterns.
+ *
+ * @example
+ * const plugins = createBuiltinPlugins(DEFAULT_CONFIG);
+ * const engine = new RedactionEngine({ config: DEFAULT_CONFIG, plugins });
+ */
+export declare function createBuiltinPlugins(config: RedactionConfig): RedactionPlugin[];
+//# sourceMappingURL=mod.d.ts.map

package/dist/plugins/mod.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mod.d.ts","sourceRoot":"","sources":["../../src/plugins/mod.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AACpE,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AACrC,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAE9C,OAAO,EACL,aAAa,EACb,YAAY,EACZ,gBAAgB,EAChB,WAAW,EACX,kBAAkB,EAClB,aAAa,EACb,eAAe,EACf,SAAS,EACT,mBAAmB,GACpB,CAAC;AAcF;;;;;;;;;GASG;AACH,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,eAAe,GACtB,eAAe,EAAE,CA6BnB"}

package/dist/plugins/mod.js

@@ -0,0 +1,65 @@
+/**
+ * @module plugins
+ *
+ * Re-exports all built-in plugins and provides `createBuiltinPlugins()`
+ * factory that assembles the plugin list from a RedactionConfig.
+ */
+import { sensitiveKeysPlugin } from "./sensitive-keys.js";
+import { jwtPlugin } from "./jwt.js";
+import { bearerPlugin } from "./bearer.js";
+import { awsKeysPlugin } from "./aws-keys.js";
+import { githubTokensPlugin } from "./github-tokens.js";
+import { emailPlugin } from "./email.js";
+import { ipAddressPlugin } from "./ip-address.js";
+import { creditCardPlugin } from "./credit-card.js";
+import { hexKeysPlugin } from "./hex-keys.js";
+export { awsKeysPlugin, bearerPlugin, creditCardPlugin, emailPlugin, githubTokensPlugin, hexKeysPlugin, ipAddressPlugin, jwtPlugin, sensitiveKeysPlugin, };
+/** Map of pattern name → plugin for built-in patterns. */
+const PATTERN_PLUGINS = {
+    jwt: jwtPlugin,
+    bearer: bearerPlugin,
+    awsKeys: awsKeysPlugin,
+    githubTokens: githubTokensPlugin,
+    email: emailPlugin,
+    ipAddress: ipAddressPlugin,
+    creditCard: creditCardPlugin,
+    hexKeys: hexKeysPlugin,
+};
+/**
+ * Create the full plugin list from a RedactionConfig.
+ *
+ * Order: sensitive-keys plugin first (key-level), then enabled pattern
+ * plugins (value-level), then user custom patterns.
+ *
+ * @example
+ * const plugins = createBuiltinPlugins(DEFAULT_CONFIG);
+ * const engine = new RedactionEngine({ config: DEFAULT_CONFIG, plugins });
+ */
+export function createBuiltinPlugins(config) {
+    const plugins = [];
+    // Key-level plugin always first
+    plugins.push(sensitiveKeysPlugin(config.sensitiveKeys));
+    // Add enabled pattern plugins
+    const patternFlags = config.patterns;
+    for (const [name, plugin] of Object.entries(PATTERN_PLUGINS)) {
+        if (patternFlags[name] === true) {
+            plugins.push(plugin);
+        }
+    }
+    // Add user custom patterns
+    for (const custom of config.patterns.custom ?? []) {
+        try {
+            // Validate regex compiles
+            new RegExp(custom.regex, "g");
+            plugins.push({
+                name: custom.name,
+                matchValue: () => new RegExp(custom.regex, "g"),
+            });
+        }
+        catch {
+            // Skip invalid regex patterns — per arch doc, CLI warns but doesn't abort
+        }
+    }
+    return plugins;
+}
+//# sourceMappingURL=mod.js.map

package/dist/plugins/mod.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mod.js","sourceRoot":"","sources":["../../src/plugins/mod.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AACrC,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAE9C,OAAO,EACL,aAAa,EACb,YAAY,EACZ,gBAAgB,EAChB,WAAW,EACX,kBAAkB,EAClB,aAAa,EACb,eAAe,EACf,SAAS,EACT,mBAAmB,GACpB,CAAC;AAEF,0DAA0D;AAC1D,MAAM,eAAe,GAAoC;IACvD,GAAG,EAAE,SAAS;IACd,MAAM,EAAE,YAAY;IACpB,OAAO,EAAE,aAAa;IACtB,YAAY,EAAE,kBAAkB;IAChC,KAAK,EAAE,WAAW;IAClB,SAAS,EAAE,eAAe;IAC1B,UAAU,EAAE,gBAAgB;IAC5B,OAAO,EAAE,aAAa;CACvB,CAAC;AAEF;;;;;;;;;GASG;AACH,MAAM,UAAU,oBAAoB,CAClC,MAAuB;IAEvB,MAAM,OAAO,GAAsB,EAAE,CAAC;IAEtC,gCAAgC;IAChC,OAAO,CAAC,IAAI,CAAC,mBAAmB,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC;IAExD,8BAA8B;IAC9B,MAAM,YAAY,GAAG,MAAM,CAAC,QAA8C,CAAC;IAC3E,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,EAAE,CAAC;QAC7D,IAAI,YAAY,CAAC,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;YAChC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IAED,2BAA2B;IAC3B,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;QAClD,IAAI,CAAC;YACH,0BAA0B;YAC1B,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,CAAC,IAAI,CAAC;gBACX,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,UAAU,EAAE,GAAG,EAAE,CAAC,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,GAAG,CAAC;aAChD,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,0EAA0E;QAC5E,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/plugins/sensitive-keys.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Sensitive-keys plugin — key-level redaction.
+ *
+ * Checks if a JSON key or header name matches one of the configured
+ * sensitive keys (case-insensitive substring match).
+ *
+ * @example
+ * // "x-authorization-token" matches "authorization"
+ * // "X-Api-Key" matches "api-key" (after lowercasing)
+ */
+import type { RedactionPlugin, SensitiveKeysConfig } from "../types.js";
+/**
+ * Create a sensitive-keys plugin from config.
+ *
+ * Key matching uses case-insensitive substring — "x-authorization-token"
+ * matches "authorization".
+ */
+export declare function sensitiveKeysPlugin(config: SensitiveKeysConfig): RedactionPlugin;
+//# sourceMappingURL=sensitive-keys.d.ts.map

package/dist/plugins/sensitive-keys.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sensitive-keys.d.ts","sourceRoot":"","sources":["../../src/plugins/sensitive-keys.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AA4BxE;;;;;GAKG;AACH,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,mBAAmB,GAC1B,eAAe,CAgBjB"}

package/dist/plugins/sensitive-keys.js

@@ -0,0 +1,56 @@
+/**
+ * Sensitive-keys plugin — key-level redaction.
+ *
+ * Checks if a JSON key or header name matches one of the configured
+ * sensitive keys (case-insensitive substring match).
+ *
+ * @example
+ * // "x-authorization-token" matches "authorization"
+ * // "X-Api-Key" matches "api-key" (after lowercasing)
+ */
+import { BUILT_IN_SENSITIVE_KEYS } from "../defaults.js";
+/**
+ * Build the sensitive key set from config.
+ * If useBuiltIn is true, starts with BUILT_IN_SENSITIVE_KEYS,
+ * adds `additional`, removes `excluded`.
+ */
+function buildKeySet(config) {
+    const keys = new Set();
+    if (config.useBuiltIn) {
+        for (const k of BUILT_IN_SENSITIVE_KEYS) {
+            keys.add(k);
+        }
+    }
+    for (const k of config.additional ?? []) {
+        keys.add(k.toLowerCase());
+    }
+    for (const k of config.excluded ?? []) {
+        keys.delete(k.toLowerCase());
+    }
+    return keys;
+}
+/**
+ * Create a sensitive-keys plugin from config.
+ *
+ * Key matching uses case-insensitive substring — "x-authorization-token"
+ * matches "authorization".
+ */
+export function sensitiveKeysPlugin(config) {
+    const keys = buildKeySet(config);
+    return {
+        name: "sensitive-keys",
+        isKeySensitive: (key) => {
+            const lower = key.toLowerCase();
+            // Exact match first (fast path)
+            if (keys.has(lower))
+                return true;
+            // Substring match
+            for (const sensitive of keys) {
+                if (lower.includes(sensitive))
+                    return true;
+            }
+            return undefined;
+        },
+    };
+}
+//# sourceMappingURL=sensitive-keys.js.map

package/dist/plugins/sensitive-keys.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sensitive-keys.js","sourceRoot":"","sources":["../../src/plugins/sensitive-keys.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,EAAE,uBAAuB,EAAE,MAAM,gBAAgB,CAAC;AAEzD;;;;GAIG;AACH,SAAS,WAAW,CAAC,MAA2B;IAC9C,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAE/B,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;QACtB,KAAK,MAAM,CAAC,IAAI,uBAAuB,EAAE,CAAC;YACxC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACd,CAAC;IACH,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,UAAU,IAAI,EAAE,EAAE,CAAC;QACxC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IAC5B,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;QACtC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IAC/B,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB,CACjC,MAA2B;IAE3B,MAAM,IAAI,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;IAEjC,OAAO;QACL,IAAI,EAAE,gBAAgB;QACtB,cAAc,EAAE,CAAC,GAAW,EAAuB,EAAE;YACnD,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;YAChC,gCAAgC;YAChC,IAAI,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YACjC,kBAAkB;YAClB,KAAK,MAAM,SAAS,IAAI,IAAI,EAAE,CAAC;gBAC7B,IAAI,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC;oBAAE,OAAO,IAAI,CAAC;YAC7C,CAAC;YACD,OAAO,SAAS,CAAC;QACnB,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,144 @@
+/**
+ * @module types
+ *
+ * Core type definitions for the Glubean Redaction Engine.
+ *
+ * These types are pure TypeScript with no runtime-specific dependencies,
+ * enabling consumption by both Deno (oss CLI/runner) and Node.js (server).
+ *
+ * The generic parameters on RedactionConfig allow the server to extend
+ * base types with premium scopes and patterns without modifying this package.
+ */
+/** Which data areas the engine should scan for sensitive content. */
+export interface RedactionScopes {
+    requestHeaders: boolean;
+    requestQuery: boolean;
+    requestBody: boolean;
+    responseHeaders: boolean;
+    responseBody: boolean;
+    consoleOutput: boolean;
+    errorMessages: boolean;
+    /** Whether to redact sensitive data in step return state values. */
+    returnState: boolean;
+}
+/** A user-defined regex pattern for value-level redaction. */
+export interface CustomPattern {
+    name: string;
+    regex: string;
+}
+/** Built-in pattern toggles. Each key enables/disables a specific detector. */
+export interface PatternsConfig {
+    jwt: boolean;
+    bearer: boolean;
+    awsKeys: boolean;
+    githubTokens: boolean;
+    email: boolean;
+    ipAddress: boolean;
+    creditCard: boolean;
+    hexKeys: boolean;
+    custom: CustomPattern[];
+}
+/** Configuration for key-based redaction (header names, JSON keys, etc.). */
+export interface SensitiveKeysConfig {
+    /** Whether to include the built-in sensitive keys list. */
+    useBuiltIn: boolean;
+    /** Additional keys to treat as sensitive. */
+    additional: string[];
+    /** Keys to exclude from the built-in list. */
+    excluded: string[];
+}
+/**
+ * Core redaction configuration. Extensible via generics so the server
+ * can add premium scopes and patterns without modifying oss code.
+ *
+ * @example
+ * // Server extends base config:
+ * interface ServerScopes extends RedactionScopes { webhookPayloads: boolean; }
+ * type ServerConfig = RedactionConfig<ServerScopes>;
+ */
+export interface RedactionConfig<TScopes extends RedactionScopes = RedactionScopes, TPatterns extends PatternsConfig = PatternsConfig> {
+    scopes: TScopes;
+    sensitiveKeys: SensitiveKeysConfig;
+    patterns: TPatterns;
+    replacementFormat: "simple" | "labeled" | "partial";
+}
+/**
+ * Context passed to each plugin — describes what is being redacted
+ * and where in the data tree the engine currently is.
+ */
+export interface RedactionContext {
+    /** Data scope: "requestHeaders", "responseBody", "consoleOutput", etc. */
+    scope: string;
+    /** Key path from root, e.g. ["data", "user", "email"] */
+    path: readonly string[];
+    /** Current key name (last element of path), or empty string for root values. */
+    key: string;
+}
+/**
+ * A single redaction plugin.
+ *
+ * Plugins are composable units that detect one category of sensitive data.
+ * The engine calls plugins in registration order; first match wins for
+ * key-level redaction, all patterns are applied for value-level (multi-pass).
+ *
+ * @example
+ * ```ts
+ * const myPlugin: RedactionPlugin = {
+ *   name: "my-pattern",
+ *   matchValue: () => new RegExp("secret_[a-z]+", "g"),
+ *   partialMask: (match) => match.slice(0, 3) + "***" + match.slice(-3),
+ * };
+ * ```
+ */
+export interface RedactionPlugin {
+    /** Unique identifier, used in labeled replacement: [REDACTED:<name>] */
+    readonly name: string;
+    /**
+     * Key-level check: should the value at this key be fully redacted
+     * without inspecting its content?
+     *
+     * Return `true` to redact, `undefined` to defer to the next plugin.
+     */
+    isKeySensitive?(key: string, ctx: RedactionContext): boolean | undefined;
+    /**
+     * Value-level check: return a RegExp that matches sensitive patterns
+     * in the string value. The engine replaces all matches.
+     *
+     * Return `undefined` to skip this plugin for the given value.
+     * The regex MUST use the global flag (/g).
+     *
+     * IMPORTANT: return a NEW RegExp instance every call to avoid
+     * stale lastIndex in concurrent use.
+     */
+    matchValue?(value: string, ctx: RedactionContext): RegExp | undefined;
+    /**
+     * Custom partial-mask strategy for this plugin's matches.
+     * Called when replacementFormat is "partial".
+     *
+     * If not provided, the engine applies a generic mask (first 3 + last 3 chars).
+     */
+    partialMask?(match: string): string;
+}
+/**
+ * Result of a redaction operation.
+ */
+export interface RedactionResult {
+    /** The redacted value (deep clone, original untouched). */
+    value: unknown;
+    /** Whether any redaction occurred. */
+    redacted: boolean;
+    /**
+     * Per-field redaction details (for local debugging only).
+     *
+     * INVARIANT: details are EPHEMERAL — they must NEVER be persisted,
+     * uploaded, or included in any share/server payload. The `original`
+     * field contains plaintext secrets and exists solely for local
+     * --verbose output where the developer wants to see what was redacted.
+     */
+    details: Array<{
+        path: string;
+        plugin: string;
+        original?: string;
+    }>;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAIH,qEAAqE;AACrE,MAAM,WAAW,eAAe;IAC9B,cAAc,EAAE,OAAO,CAAC;IACxB,YAAY,EAAE,OAAO,CAAC;IACtB,WAAW,EAAE,OAAO,CAAC;IACrB,eAAe,EAAE,OAAO,CAAC;IACzB,YAAY,EAAE,OAAO,CAAC;IACtB,aAAa,EAAE,OAAO,CAAC;IACvB,aAAa,EAAE,OAAO,CAAC;IACvB,oEAAoE;IACpE,WAAW,EAAE,OAAO,CAAC;CACtB;AAID,8DAA8D;AAC9D,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;CACf;AAED,+EAA+E;AAC/E,MAAM,WAAW,cAAc;IAC7B,GAAG,EAAE,OAAO,CAAC;IACb,MAAM,EAAE,OAAO,CAAC;IAChB,OAAO,EAAE,OAAO,CAAC;IACjB,YAAY,EAAE,OAAO,CAAC;IACtB,KAAK,EAAE,OAAO,CAAC;IACf,SAAS,EAAE,OAAO,CAAC;IACnB,UAAU,EAAE,OAAO,CAAC;IACpB,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE,aAAa,EAAE,CAAC;CACzB;AAID,6EAA6E;AAC7E,MAAM,WAAW,mBAAmB;IAClC,2DAA2D;IAC3D,UAAU,EAAE,OAAO,CAAC;IACpB,6CAA6C;IAC7C,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,8CAA8C;IAC9C,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAID;;;;;;;;GAQG;AACH,MAAM,WAAW,eAAe,CAC9B,OAAO,SAAS,eAAe,GAAG,eAAe,EACjD,SAAS,SAAS,cAAc,GAAG,cAAc;IAEjD,MAAM,EAAE,OAAO,CAAC;IAChB,aAAa,EAAE,mBAAmB,CAAC;IACnC,QAAQ,EAAE,SAAS,CAAC;IACpB,iBAAiB,EAAE,QAAQ,GAAG,SAAS,GAAG,SAAS,CAAC;CACrD;AAID;;;GAGG;AACH,MAAM,WAAW,gBAAgB;IAC/B,0EAA0E;IAC1E,KAAK,EAAE,MAAM,CAAC;IACd,yDAAyD;IACzD,IAAI,EAAE,SAAS,MAAM,EAAE,CAAC;IACxB,gFAAgF;IAChF,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,WAAW,eAAe;IAC9B,wEAAwE;IACxE,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAEtB;;;;;OAKG;IACH,cAAc,CAAC,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,gBAAgB,GAAG,OAAO,GAAG,SAAS,CAAC;IAEzE;;;;;;;;;OASG;IACH,UAAU,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,gBAAgB,GAAG,MAAM,GAAG,SAAS,CAAC;IAEtE;;;;;OAKG;IACH,WAAW,CAAC,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC;CACrC;AAID;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,2DAA2D;IAC3D,KAAK,EAAE,OAAO,CAAC;IACf,sCAAsC;IACtC,QAAQ,EAAE,OAAO,CAAC;IAClB;;;;;;;OAOG;IACH,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACrE"}

package/dist/types.js

@@ -0,0 +1,13 @@
+/**
+ * @module types
+ *
+ * Core type definitions for the Glubean Redaction Engine.
+ *
+ * These types are pure TypeScript with no runtime-specific dependencies,
+ * enabling consumption by both Deno (oss CLI/runner) and Node.js (server).
+ *
+ * The generic parameters on RedactionConfig allow the server to extend
+ * base types with premium scopes and patterns without modifying this package.
+ */
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG"}

package/package.json

@@ -0,0 +1,21 @@
+{
+  "name": "@glubean/redaction",
+  "version": "0.1.2",
+  "type": "module",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "devDependencies": {
+    "@types/node": "^22.0.0"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.build.json",
+    "test": "vitest run"
+  }
+}