@glubean/redaction 0.1.3 → 0.1.7

package/dist/handlers.js

@@ -0,0 +1,236 @@
+/**
+ * @module handlers
+ *
+ * Built-in redaction handlers. Each handler interprets a specific payload shape.
+ *
+ * - `json` — recursive object/array walker (delegates to engine.redact)
+ * - `raw-string` — value-pattern matching only
+ * - `url-query` — parse URL, redact query param names/values, serialize back
+ * - `headers` — header map with case-insensitive keys, cookie/set-cookie parsing
+ */
+// ── json handler ─────────────────────────────────────────────────────────────
+/**
+ * Default handler: delegates directly to engine.redact() which recursively
+ * walks objects/arrays and applies key-level + value-level plugins.
+ */
+export const jsonHandler = {
+    name: "json",
+    process(value, ctx, engine) {
+        return engine.redact(value, { id: ctx.scopeId, name: ctx.scopeName });
+    },
+};
+// ── raw-string handler ───────────────────────────────────────────────────────
+/**
+ * Handles plain string values. Wraps the string in an object so the engine
+ * can apply value-level pattern plugins, then extracts the result.
+ */
+export const rawStringHandler = {
+    name: "raw-string",
+    process(value, ctx, engine) {
+        if (typeof value !== "string") {
+            return { value, redacted: false, details: [] };
+        }
+        // Wrap in object so the engine walks it as a string value
+        const result = engine.redact({ __raw: value }, { id: ctx.scopeId, name: ctx.scopeName });
+        const redacted = result.value;
+        return {
+            value: redacted.__raw,
+            redacted: result.redacted,
+            details: result.details,
+        };
+    },
+};
+// ── url-query handler ────────────────────────────────────────────────────────
+/**
+ * Parses a URL string, redacts query parameter names/values using the engine,
+ * then serializes back to a URL string.
+ */
+export const urlQueryHandler = {
+    name: "url-query",
+    process(value, ctx, engine) {
+        if (typeof value !== "string") {
+            return { value, redacted: false, details: [] };
+        }
+        let url;
+        try {
+            url = new URL(value);
+        }
+        catch {
+            // Not a valid URL — fall back to raw string redaction
+            return engine.redact(value, { id: ctx.scopeId, name: ctx.scopeName });
+        }
+        // Collect all entries first to preserve multiplicity (e.g., ?token=a&token=b)
+        const entries = [...url.searchParams.entries()];
+        if (entries.length === 0) {
+            return { value, redacted: false, details: [] };
+        }
+        let didRedact = false;
+        const details = [];
+        const redactedEntries = [];
+        for (const [key, raw] of entries) {
+            const result = engine.redact({ [key]: raw }, { id: ctx.scopeId, name: ctx.scopeName });
+            if (result.redacted) {
+                const redacted = result.value;
+                redactedEntries.push([key, String(redacted[key] ?? raw)]);
+                didRedact = true;
+                details.push(...result.details);
+            }
+            else {
+                redactedEntries.push([key, raw]);
+            }
+        }
+        if (!didRedact) {
+            return { value, redacted: false, details };
+        }
+        // Rebuild URL with redacted params, preserving multiplicity
+        const redactedUrl = new URL(url.origin + url.pathname);
+        for (const [k, v] of redactedEntries) {
+            redactedUrl.searchParams.append(k, v);
+        }
+        // Preserve hash
+        redactedUrl.hash = url.hash;
+        return {
+            value: redactedUrl.toString(),
+            redacted: true,
+            details,
+        };
+    },
+};
+// ── headers handler ──────────────────────────────────────────────────────────
+/**
+ * Parse a Cookie header string into key/value pairs.
+ */
+function parseCookieHeader(str) {
+    const result = {};
+    for (const part of str.split(";")) {
+        const trimmed = part.trim();
+        if (!trimmed)
+            continue;
+        const eq = trimmed.indexOf("=");
+        if (eq === -1)
+            continue;
+        result[trimmed.slice(0, eq).trim()] = trimmed.slice(eq + 1).trim();
+    }
+    return result;
+}
+/**
+ * Serialize a cookie key/value map back to a Cookie header string.
+ */
+function serializeCookieHeader(obj) {
+    return Object.entries(obj)
+        .map(([k, v]) => `${k}=${String(v)}`)
+        .join("; ");
+}
+/**
+ * Handles HTTP header maps with special treatment for cookie headers.
+ *
+ * - Normal headers: redact as key/value pairs
+ * - `cookie`: parse into name/value pairs, redact, serialize back
+ * - `set-cookie`: parse value portion, preserve attributes (Path, Domain, etc.)
+ */
+export const headersHandler = {
+    name: "headers",
+    process(value, ctx, engine) {
+        if (!value || typeof value !== "object" || Array.isArray(value)) {
+            return { value, redacted: false, details: [] };
+        }
+        const input = value;
+        const output = {};
+        let didRedact = false;
+        const details = [];
+        for (const [headerName, headerValue] of Object.entries(input)) {
+            const lower = headerName.toLowerCase();
+            // Cookie header: parse into key/value pairs
+            if (lower === "cookie" && typeof headerValue === "string") {
+                const parsed = parseCookieHeader(headerValue);
+                const result = engine.redact(parsed, {
+                    id: ctx.scopeId,
+                    name: ctx.scopeName,
+                });
+                output[headerName] = serializeCookieHeader(result.value);
+                if (result.redacted) {
+                    didRedact = true;
+                    details.push(...result.details);
+                }
+                continue;
+            }
+            // Set-Cookie header: redact the value portion, preserve attributes
+            // Supports both single string and string[] (common in HTTP client shapes)
+            if (lower === "set-cookie") {
+                if (typeof headerValue === "string") {
+                    const redacted = redactSetCookie(headerValue, ctx, engine);
+                    output[headerName] = redacted.value;
+                    if (redacted.redacted) {
+                        didRedact = true;
+                        details.push(...redacted.details);
+                    }
+                    continue;
+                }
+                if (Array.isArray(headerValue)) {
+                    const redactedCookies = [];
+                    for (const cookie of headerValue) {
+                        if (typeof cookie !== "string") {
+                            redactedCookies.push(cookie);
+                            continue;
+                        }
+                        const redacted = redactSetCookie(cookie, ctx, engine);
+                        redactedCookies.push(redacted.value);
+                        if (redacted.redacted) {
+                            didRedact = true;
+                            details.push(...redacted.details);
+                        }
+                    }
+                    output[headerName] = redactedCookies;
+                    continue;
+                }
+            }
+            // Normal header: redact as { headerName: value }
+            const result = engine.redact({ [headerName]: headerValue }, { id: ctx.scopeId, name: ctx.scopeName });
+            output[headerName] = result.value[headerName];
+            if (result.redacted) {
+                didRedact = true;
+                details.push(...result.details);
+            }
+        }
+        return { value: didRedact ? output : value, redacted: didRedact, details };
+    },
+};
+/**
+ * Redact a Set-Cookie header value.
+ * Preserves cookie attributes (Path, Domain, HttpOnly, Secure, SameSite, Max-Age, Expires).
+ */
+function redactSetCookie(raw, ctx, engine) {
+    const parts = raw.split(";").map((p) => p.trim());
+    if (parts.length === 0) {
+        return { value: raw, redacted: false, details: [] };
+    }
+    // First part is name=value
+    const first = parts[0];
+    const eq = first.indexOf("=");
+    if (eq === -1) {
+        return { value: raw, redacted: false, details: [] };
+    }
+    const cookieName = first.slice(0, eq).trim();
+    const cookieValue = first.slice(eq + 1).trim();
+    const result = engine.redact({ [cookieName]: cookieValue }, { id: ctx.scopeId, name: ctx.scopeName });
+    if (!result.redacted) {
+        return { value: raw, redacted: false, details: [] };
+    }
+    const redacted = result.value;
+    const redactedValue = String(redacted[cookieName] ?? cookieValue);
+    // Reconstruct: redacted name=value + original attributes
+    const attributes = parts.slice(1);
+    const reconstructed = attributes.length > 0
+        ? `${cookieName}=${redactedValue}; ${attributes.join("; ")}`
+        : `${cookieName}=${redactedValue}`;
+    return { value: reconstructed, redacted: true, details: result.details };
+}
+// ── Handler registry ─────────────────────────────────────────────────────────
+/** All built-in handlers indexed by name. */
+export const BUILTIN_HANDLERS = {
+    json: jsonHandler,
+    "raw-string": rawStringHandler,
+    "url-query": urlQueryHandler,
+    headers: headersHandler,
+};
+//# sourceMappingURL=handlers.js.map

package/dist/handlers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handlers.js","sourceRoot":"","sources":["../src/handlers.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH,gFAAgF;AAEhF;;;GAGG;AACH,MAAM,CAAC,MAAM,WAAW,GAAqB;IAC3C,IAAI,EAAE,MAAM;IACZ,OAAO,CAAC,KAAK,EAAE,GAAG,EAAE,MAAM;QACxB,OAAO,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE,GAAG,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC;IACxE,CAAC;CACF,CAAC;AAEF,gFAAgF;AAEhF;;;GAGG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAqB;IAChD,IAAI,EAAE,YAAY;IAClB,OAAO,CAAC,KAAK,EAAE,GAAG,EAAE,MAAM;QACxB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACjD,CAAC;QACD,0DAA0D;QAC1D,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,EAAE,GAAG,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC;QACzF,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAgC,CAAC;QACzD,OAAO;YACL,KAAK,EAAE,QAAQ,CAAC,KAAK;YACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,OAAO,EAAE,MAAM,CAAC,OAAO;SACxB,CAAC;IACJ,CAAC;CACF,CAAC;AAEF,gFAAgF;AAEhF;;;GAGG;AACH,MAAM,CAAC,MAAM,eAAe,GAAqB;IAC/C,IAAI,EAAE,WAAW;IACjB,OAAO,CAAC,KAAK,EAAE,GAAG,EAAE,MAAM;QACxB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACjD,CAAC;QAED,IAAI,GAAQ,CAAC;QACb,IAAI,CAAC;YACH,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;QACvB,CAAC;QAAC,MAAM,CAAC;YACP,sDAAsD;YACtD,OAAO,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE,GAAG,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC;QACxE,CAAC;QAED,8EAA8E;QAC9E,MAAM,OAAO,GAAG,CAAC,GAAG,GAAG,CAAC,YAAY,CAAC,OAAO,EAAE,CAAC,CAAC;QAChD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACjD,CAAC;QAED,IAAI,SAAS,GAAG,KAAK,CAAC;QACtB,MAAM,OAAO,GAA+B,EAAE,CAAC;QAC/C,MAAM,eAAe,GAAuB,EAAE,CAAC;QAE/C,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,OAAO,EAAE,CAAC;YACjC,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAC1B,EAAE,CAAC,GAAG,CAAC,EAAE,GAAG,EAAE,EACd,EAAE,EAAE,EAAE,GAAG,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,SAAS,EAAE,CACzC,CAAC;YACF,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACpB,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAgC,CAAC;gBACzD,eAAe,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC;gBAC1D,SAAS,GAAG,IAAI,CAAC;gBACjB,OAAO,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC;YAClC,CAAC;iBAAM,CAAC;gBACN,eAAe,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;QAED,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;QAC7C,CAAC;QAED,4DAA4D;QAC5D,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAC,CAAC;QACvD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,eAAe,EAAE,CAAC;YACrC,WAAW,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QACxC,CAAC;QACD,gBAAgB;QAChB,WAAW,CAAC,IAAI,GAAG,GAAG,CAAC,IAAI,CAAC;QAE5B,OAAO;YACL,KAAK,EAAE,WAAW,CAAC,QAAQ,EAAE;YAC7B,QAAQ,EAAE,IAAI;YACd,OAAO;SACR,CAAC;IACJ,CAAC;CACF,CAAC;AAEF,gFAAgF;AAEhF;;GAEG;AACH,SAAS,iBAAiB,CAAC,GAAW;IACpC,MAAM,MAAM,GAA2B,EAAE,CAAC;IAC1C,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;QAClC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO;YAAE,SAAS;QACvB,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAChC,IAAI,EAAE,KAAK,CAAC,CAAC;YAAE,SAAS;QACxB,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IACrE,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAAC,GAA4B;IACzD,OAAO,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC;SACvB,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;SACpC,IAAI,CAAC,IAAI,CAAC,CAAC;AAChB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,cAAc,GAAqB;IAC9C,IAAI,EAAE,SAAS;IACf,OAAO,CAAC,KAAK,EAAE,GAAG,EAAE,MAAM;QACxB,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAChE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACjD,CAAC;QAED,MAAM,KAAK,GAAG,KAAgC,CAAC;QAC/C,MAAM,MAAM,GAA4B,EAAE,CAAC;QAC3C,IAAI,SAAS,GAAG,KAAK,CAAC;QACtB,MAAM,OAAO,GAA+B,EAAE,CAAC;QAE/C,KAAK,MAAM,CAAC,UAAU,EAAE,WAAW,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAC9D,MAAM,KAAK,GAAG,UAAU,CAAC,WAAW,EAAE,CAAC;YAEvC,4CAA4C;YAC5C,IAAI,KAAK,KAAK,QAAQ,IAAI,OAAO,WAAW,KAAK,QAAQ,EAAE,CAAC;gBAC1D,MAAM,MAAM,GAAG,iBAAiB,CAAC,WAAW,CAAC,CAAC;gBAC9C,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE;oBACnC,EAAE,EAAE,GAAG,CAAC,OAAO;oBACf,IAAI,EAAE,GAAG,CAAC,SAAS;iBACpB,CAAC,CAAC;gBACH,MAAM,CAAC,UAAU,CAAC,GAAG,qBAAqB,CACxC,MAAM,CAAC,KAAgC,CACxC,CAAC;gBACF,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;oBACpB,SAAS,GAAG,IAAI,CAAC;oBACjB,OAAO,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC;gBAClC,CAAC;gBACD,SAAS;YACX,CAAC;YAED,mEAAmE;YACnE,0EAA0E;YAC1E,IAAI,KAAK,KAAK,YAAY,EAAE,CAAC;gBAC3B,IAAI,OAAO,WAAW,KAAK,QAAQ,EAAE,CAAC;oBACpC,MAAM,QAAQ,GAAG,eAAe,CAAC,WAAW,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC;oBAC3D,MAAM,CAAC,UAAU,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC;oBACpC,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;wBACtB,SAAS,GAAG,IAAI,CAAC;wBACjB,OAAO,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC;oBACpC,CAAC;oBACD,SAAS;gBACX,CAAC;gBACD,IAAI,KAAK,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;oBAC/B,MAAM,eAAe,GAAa,EAAE,CAAC;oBACrC,KAAK,MAAM,MAAM,IAAI,WAAW,EAAE,CAAC;wBACjC,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;4BAC/B,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;4BAC7B,SAAS;wBACX,CAAC;wBACD,MAAM,QAAQ,GAAG,eAAe,CAAC,MAAM,EAAE,GAAG,EAAE,MAAM,CAAC,CAAC;wBACtD,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAe,CAAC,CAAC;wBAC/C,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;4BACtB,SAAS,GAAG,IAAI,CAAC;4BACjB,OAAO,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC;wBACpC,CAAC;oBACH,CAAC;oBACD,MAAM,CAAC,UAAU,CAAC,GAAG,eAAe,CAAC;oBACrC,SAAS;gBACX,CAAC;YACH,CAAC;YAED,iDAAiD;YACjD,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAC1B,EAAE,CAAC,UAAU,CAAC,EAAE,WAAW,EAAE,EAC7B,EAAE,EAAE,EAAE,GAAG,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,SAAS,EAAE,CACzC,CAAC;YACF,MAAM,CAAC,UAAU,CAAC,GAAI,MAAM,CAAC,KAAiC,CAC5D,UAAU,CACX,CAAC;YACF,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACpB,SAAS,GAAG,IAAI,CAAC;gBACjB,OAAO,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC;YAClC,CAAC;QACH,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC;IAC7E,CAAC;CACF,CAAC;AAEF;;;GAGG;AACH,SAAS,eAAe,CACtB,GAAW,EACX,GAAmB,EACnB,MAAgC;IAEhC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;IAClD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IACtD,CAAC;IAED,2BAA2B;IAC3B,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IACvB,MAAM,EAAE,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC9B,IAAI,EAAE,KAAK,CAAC,CAAC,EAAE,CAAC;QACd,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IACtD,CAAC;IAED,MAAM,UAAU,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IAC7C,MAAM,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAE/C,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAC1B,EAAE,CAAC,UAAU,CAAC,EAAE,WAAW,EAAE,EAC7B,EAAE,EAAE,EAAE,GAAG,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,SAAS,EAAE,CACzC,CAAC;IAEF,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;QACrB,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IACtD,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAgC,CAAC;IACzD,MAAM,aAAa,GAAG,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,WAAW,CAAC,CAAC;IAElE,yDAAyD;IACzD,MAAM,UAAU,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAClC,MAAM,aAAa,GACjB,UAAU,CAAC,MAAM,GAAG,CAAC;QACnB,CAAC,CAAC,GAAG,UAAU,IAAI,aAAa,KAAK,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;QAC5D,CAAC,CAAC,GAAG,UAAU,IAAI,aAAa,EAAE,CAAC;IAEvC,OAAO,EAAE,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,CAAC;AAC3E,CAAC;AAED,gFAAgF;AAEhF,6CAA6C;AAC7C,MAAM,CAAC,MAAM,gBAAgB,GAAqC;IAChE,IAAI,EAAE,WAAW;IACjB,YAAY,EAAE,gBAAgB;IAC9B,WAAW,EAAE,eAAe;IAC5B,OAAO,EAAE,cAAc;CACxB,CAAC"}

package/dist/index.d.ts

@@ -1,29 +1,36 @@
 /**
  * @glubean/redaction — Plugin-based secrets/PII detection and masking.
  *
- * Pure TypeScript, no runtime-specific dependencies.
+ * v2: scope-based redaction with per-scope rules and handler dispatch.
  *
  * @example
  * import {
- *   RedactionEngine,
- *   createBuiltinPlugins,
- *   DEFAULT_CONFIG,
+ *   compileScopes,
  *   redactEvent,
+ *   BUILTIN_SCOPES,
+ *   DEFAULT_GLOBAL_RULES,
  * } from "@glubean/redaction";
  *
- * const engine = new RedactionEngine({
- *   config: DEFAULT_CONFIG,
- *   plugins: createBuiltinPlugins(DEFAULT_CONFIG),
+ * const compiled = compileScopes({
+ *   builtinScopes: BUILTIN_SCOPES,
+ *   globalRules: DEFAULT_GLOBAL_RULES,
+ *   replacementFormat: "partial",
  * });
  *
- * const result = engine.redact({ authorization: "Bearer secret123" });
- * // result.value === { authorization: "[REDACTED]" }
+ * const redacted = redactEvent(
+ *   { type: "trace", data: { requestHeaders: { authorization: "Bearer secret" } } },
+ *   compiled,
+ *   "partial",
+ * );
  */
-export type { CustomPattern, PatternsConfig, RedactionConfig, RedactionContext, RedactionPlugin, RedactionResult, RedactionScopes, SensitiveKeysConfig, } from "./types.js";
+export type { CompiledScope, CustomPattern, GlobalRules, HandlerContext, RedactionConfig, RedactionContext, RedactionHandler, RedactionPlugin, RedactionResult, RedactionScope, RedactionScopeDeclaration, ScopeContext, ScopeRules, } from "./types.js";
 export { genericPartialMask, RedactionEngine } from "./engine.js";
 export type { RedactionEngineOptions } from "./engine.js";
-export { BUILT_IN_SENSITIVE_KEYS, DEFAULT_CONFIG, PATTERN_SOURCES } from "./defaults.js";
-export { awsKeysPlugin, bearerPlugin, createBuiltinPlugins, creditCardPlugin, emailPlugin, githubTokensPlugin, hexKeysPlugin, ipAddressPlugin, jwtPlugin, sensitiveKeysPlugin, } from "./plugins/mod.js";
+export { BUILTIN_HANDLERS, headersHandler, jsonHandler, rawStringHandler, urlQueryHandler, } from "./handlers.js";
+export { compileScopes, createScopeEngine } from "./compiler.js";
+export type { CompilerOptions, ScopeOverride } from "./compiler.js";
 export { redactEvent } from "./adapter.js";
 export type { RedactableEvent } from "./adapter.js";
+export { BUILTIN_SCOPES, DEFAULT_CONFIG, DEFAULT_GLOBAL_RULES, PATTERN_SOURCES, } from "./defaults.js";
+export { awsKeysPlugin, bearerPlugin, createPatternPlugins, creditCardPlugin, emailPlugin, githubTokensPlugin, hexKeysPlugin, ipAddressPlugin, jwtPlugin, sensitiveKeysPlugin, } from "./plugins/mod.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAGH,YAAY,EACV,aAAa,EACb,cAAc,EACd,eAAe,EACf,gBAAgB,EAChB,eAAe,EACf,eAAe,EACf,eAAe,EACf,mBAAmB,GACpB,MAAM,YAAY,CAAC;AAGpB,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAClE,YAAY,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AAG1D,OAAO,EAAE,uBAAuB,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAGzF,OAAO,EACL,aAAa,EACb,YAAY,EACZ,oBAAoB,EACpB,gBAAgB,EAChB,WAAW,EACX,kBAAkB,EAClB,aAAa,EACb,eAAe,EACf,SAAS,EACT,mBAAmB,GACpB,MAAM,kBAAkB,CAAC;AAG1B,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAC3C,YAAY,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAGH,YAAY,EACV,aAAa,EACb,aAAa,EACb,WAAW,EACX,cAAc,EACd,eAAe,EACf,gBAAgB,EAChB,gBAAgB,EAChB,eAAe,EACf,eAAe,EACf,cAAc,EACd,yBAAyB,EACzB,YAAY,EACZ,UAAU,GACX,MAAM,YAAY,CAAC;AAGpB,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAClE,YAAY,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AAG1D,OAAO,EACL,gBAAgB,EAChB,cAAc,EACd,WAAW,EACX,gBAAgB,EAChB,eAAe,GAChB,MAAM,eAAe,CAAC;AAGvB,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AACjE,YAAY,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAGpE,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAC3C,YAAY,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAGpD,OAAO,EACL,cAAc,EACd,cAAc,EACd,oBAAoB,EACpB,eAAe,GAChB,MAAM,eAAe,CAAC;AAGvB,OAAO,EACL,aAAa,EACb,YAAY,EACZ,oBAAoB,EACpB,gBAAgB,EAChB,WAAW,EACX,kBAAkB,EAClB,aAAa,EACb,eAAe,EACf,SAAS,EACT,mBAAmB,GACpB,MAAM,kBAAkB,CAAC"}

package/dist/index.js

@@ -1,30 +1,38 @@
 /**
  * @glubean/redaction — Plugin-based secrets/PII detection and masking.
  *
- * Pure TypeScript, no runtime-specific dependencies.
+ * v2: scope-based redaction with per-scope rules and handler dispatch.
  *
  * @example
  * import {
- *   RedactionEngine,
- *   createBuiltinPlugins,
- *   DEFAULT_CONFIG,
+ *   compileScopes,
  *   redactEvent,
+ *   BUILTIN_SCOPES,
+ *   DEFAULT_GLOBAL_RULES,
  * } from "@glubean/redaction";
  *
- * const engine = new RedactionEngine({
- *   config: DEFAULT_CONFIG,
- *   plugins: createBuiltinPlugins(DEFAULT_CONFIG),
+ * const compiled = compileScopes({
+ *   builtinScopes: BUILTIN_SCOPES,
+ *   globalRules: DEFAULT_GLOBAL_RULES,
+ *   replacementFormat: "partial",
  * });
  *
- * const result = engine.redact({ authorization: "Bearer secret123" });
- * // result.value === { authorization: "[REDACTED]" }
+ * const redacted = redactEvent(
+ *   { type: "trace", data: { requestHeaders: { authorization: "Bearer secret" } } },
+ *   compiled,
+ *   "partial",
+ * );
  */
 // Engine
 export { genericPartialMask, RedactionEngine } from "./engine.js";
-// Defaults
-export { BUILT_IN_SENSITIVE_KEYS, DEFAULT_CONFIG, PATTERN_SOURCES } from "./defaults.js";
-// Plugins
-export { awsKeysPlugin, bearerPlugin, createBuiltinPlugins, creditCardPlugin, emailPlugin, githubTokensPlugin, hexKeysPlugin, ipAddressPlugin, jwtPlugin, sensitiveKeysPlugin, } from "./plugins/mod.js";
+// Handlers
+export { BUILTIN_HANDLERS, headersHandler, jsonHandler, rawStringHandler, urlQueryHandler, } from "./handlers.js";
+// Compiler
+export { compileScopes, createScopeEngine } from "./compiler.js";
 // Adapter
 export { redactEvent } from "./adapter.js";
+// Defaults
+export { BUILTIN_SCOPES, DEFAULT_CONFIG, DEFAULT_GLOBAL_RULES, PATTERN_SOURCES, } from "./defaults.js";
+// Plugins
+export { awsKeysPlugin, bearerPlugin, createPatternPlugins, creditCardPlugin, emailPlugin, githubTokensPlugin, hexKeysPlugin, ipAddressPlugin, jwtPlugin, sensitiveKeysPlugin, } from "./plugins/mod.js";
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAcH,SAAS;AACT,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAGlE,WAAW;AACX,OAAO,EAAE,uBAAuB,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAEzF,UAAU;AACV,OAAO,EACL,aAAa,EACb,YAAY,EACZ,oBAAoB,EACpB,gBAAgB,EAChB,WAAW,EACX,kBAAkB,EAClB,aAAa,EACb,eAAe,EACf,SAAS,EACT,mBAAmB,GACpB,MAAM,kBAAkB,CAAC;AAE1B,UAAU;AACV,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAmBH,SAAS;AACT,OAAO,EAAE,kBAAkB,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAGlE,WAAW;AACX,OAAO,EACL,gBAAgB,EAChB,cAAc,EACd,WAAW,EACX,gBAAgB,EAChB,eAAe,GAChB,MAAM,eAAe,CAAC;AAEvB,WAAW;AACX,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAGjE,UAAU;AACV,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAG3C,WAAW;AACX,OAAO,EACL,cAAc,EACd,cAAc,EACd,oBAAoB,EACpB,eAAe,GAChB,MAAM,eAAe,CAAC;AAEvB,UAAU;AACV,OAAO,EACL,aAAa,EACb,YAAY,EACZ,oBAAoB,EACpB,gBAAgB,EAChB,WAAW,EACX,kBAAkB,EAClB,aAAa,EACb,eAAe,EACf,SAAS,EACT,mBAAmB,GACpB,MAAM,kBAAkB,CAAC"}

package/dist/plugins/mod.d.ts

@@ -1,10 +1,10 @@
 /**
  * @module plugins
  *
- * Re-exports all built-in plugins and provides `createBuiltinPlugins()`
- * factory that assembles the plugin list from a RedactionConfig.
+ * Re-exports all built-in plugins and provides factories
+ * for assembling plugin pipelines.
  */
-import type { RedactionConfig, RedactionPlugin } from "../types.js";
+import type { RedactionPlugin } from "../types.js";
 import { sensitiveKeysPlugin } from "./sensitive-keys.js";
 import { jwtPlugin } from "./jwt.js";
 import { bearerPlugin } from "./bearer.js";
@@ -16,14 +16,7 @@ import { creditCardPlugin } from "./credit-card.js";
 import { hexKeysPlugin } from "./hex-keys.js";
 export { awsKeysPlugin, bearerPlugin, creditCardPlugin, emailPlugin, githubTokensPlugin, hexKeysPlugin, ipAddressPlugin, jwtPlugin, sensitiveKeysPlugin, };
 /**
- * Create the full plugin list from a RedactionConfig.
- *
- * Order: sensitive-keys plugin first (key-level), then enabled pattern
- * plugins (value-level), then user custom patterns.
- *
- * @example
- * const plugins = createBuiltinPlugins(DEFAULT_CONFIG);
- * const engine = new RedactionEngine({ config: DEFAULT_CONFIG, plugins });
+ * Create pattern plugins for a set of enabled pattern names.
  */
-export declare function createBuiltinPlugins(config: RedactionConfig): RedactionPlugin[];
+export declare function createPatternPlugins(enabledPatterns: Set<string>): RedactionPlugin[];
 //# sourceMappingURL=mod.d.ts.map

package/dist/plugins/mod.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mod.d.ts","sourceRoot":"","sources":["../../src/plugins/mod.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AACpE,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AACrC,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAE9C,OAAO,EACL,aAAa,EACb,YAAY,EACZ,gBAAgB,EAChB,WAAW,EACX,kBAAkB,EAClB,aAAa,EACb,eAAe,EACf,SAAS,EACT,mBAAmB,GACpB,CAAC;AAcF;;;;;;;;;GASG;AACH,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,eAAe,GACtB,eAAe,EAAE,CA6BnB"}
+{"version":3,"file":"mod.d.ts","sourceRoot":"","sources":["../../src/plugins/mod.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AACrC,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAE9C,OAAO,EACL,aAAa,EACb,YAAY,EACZ,gBAAgB,EAChB,WAAW,EACX,kBAAkB,EAClB,aAAa,EACb,eAAe,EACf,SAAS,EACT,mBAAmB,GACpB,CAAC;AAcF;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,eAAe,EAAE,GAAG,CAAC,MAAM,CAAC,GAC3B,eAAe,EAAE,CAQnB"}

package/dist/plugins/mod.js

@@ -1,8 +1,8 @@
 /**
  * @module plugins
  *
- * Re-exports all built-in plugins and provides `createBuiltinPlugins()`
- * factory that assembles the plugin list from a RedactionConfig.
+ * Re-exports all built-in plugins and provides factories
+ * for assembling plugin pipelines.
  */
 import { sensitiveKeysPlugin } from "./sensitive-keys.js";
 import { jwtPlugin } from "./jwt.js";
@@ -26,40 +26,15 @@ const PATTERN_PLUGINS = {
     hexKeys: hexKeysPlugin,
 };
 /**
- * Create the full plugin list from a RedactionConfig.
- *
- * Order: sensitive-keys plugin first (key-level), then enabled pattern
- * plugins (value-level), then user custom patterns.
- *
- * @example
- * const plugins = createBuiltinPlugins(DEFAULT_CONFIG);
- * const engine = new RedactionEngine({ config: DEFAULT_CONFIG, plugins });
+ * Create pattern plugins for a set of enabled pattern names.
  */
-export function createBuiltinPlugins(config) {
+export function createPatternPlugins(enabledPatterns) {
     const plugins = [];
-    // Key-level plugin always first
-    plugins.push(sensitiveKeysPlugin(config.sensitiveKeys));
-    // Add enabled pattern plugins
-    const patternFlags = config.patterns;
     for (const [name, plugin] of Object.entries(PATTERN_PLUGINS)) {
-        if (patternFlags[name] === true) {
+        if (enabledPatterns.has(name)) {
             plugins.push(plugin);
         }
     }
-    // Add user custom patterns
-    for (const custom of config.patterns.custom ?? []) {
-        try {
-            // Validate regex compiles
-            new RegExp(custom.regex, "g");
-            plugins.push({
-                name: custom.name,
-                matchValue: () => new RegExp(custom.regex, "g"),
-            });
-        }
-        catch {
-            // Skip invalid regex patterns — per arch doc, CLI warns but doesn't abort
-        }
-    }
     return plugins;
 }
 //# sourceMappingURL=mod.js.map

package/dist/plugins/mod.js.map

@@ -1 +1 @@
-{"version":3,"file":"mod.js","sourceRoot":"","sources":["../../src/plugins/mod.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AACrC,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAE9C,OAAO,EACL,aAAa,EACb,YAAY,EACZ,gBAAgB,EAChB,WAAW,EACX,kBAAkB,EAClB,aAAa,EACb,eAAe,EACf,SAAS,EACT,mBAAmB,GACpB,CAAC;AAEF,0DAA0D;AAC1D,MAAM,eAAe,GAAoC;IACvD,GAAG,EAAE,SAAS;IACd,MAAM,EAAE,YAAY;IACpB,OAAO,EAAE,aAAa;IACtB,YAAY,EAAE,kBAAkB;IAChC,KAAK,EAAE,WAAW;IAClB,SAAS,EAAE,eAAe;IAC1B,UAAU,EAAE,gBAAgB;IAC5B,OAAO,EAAE,aAAa;CACvB,CAAC;AAEF;;;;;;;;;GASG;AACH,MAAM,UAAU,oBAAoB,CAClC,MAAuB;IAEvB,MAAM,OAAO,GAAsB,EAAE,CAAC;IAEtC,gCAAgC;IAChC,OAAO,CAAC,IAAI,CAAC,mBAAmB,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC;IAExD,8BAA8B;IAC9B,MAAM,YAAY,GAAG,MAAM,CAAC,QAA8C,CAAC;IAC3E,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,EAAE,CAAC;QAC7D,IAAI,YAAY,CAAC,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;YAChC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IAED,2BAA2B;IAC3B,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;QAClD,IAAI,CAAC;YACH,0BAA0B;YAC1B,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAC9B,OAAO,CAAC,IAAI,CAAC;gBACX,IAAI,EAAE,MAAM,CAAC,IAAI;gBACjB,UAAU,EAAE,GAAG,EAAE,CAAC,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,GAAG,CAAC;aAChD,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,0EAA0E;QAC5E,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}
+{"version":3,"file":"mod.js","sourceRoot":"","sources":["../../src/plugins/mod.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AACrC,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAE9C,OAAO,EACL,aAAa,EACb,YAAY,EACZ,gBAAgB,EAChB,WAAW,EACX,kBAAkB,EAClB,aAAa,EACb,eAAe,EACf,SAAS,EACT,mBAAmB,GACpB,CAAC;AAEF,0DAA0D;AAC1D,MAAM,eAAe,GAAoC;IACvD,GAAG,EAAE,SAAS;IACd,MAAM,EAAE,YAAY;IACpB,OAAO,EAAE,aAAa;IACtB,YAAY,EAAE,kBAAkB;IAChC,KAAK,EAAE,WAAW;IAClB,SAAS,EAAE,eAAe;IAC1B,UAAU,EAAE,gBAAgB;IAC5B,OAAO,EAAE,aAAa;CACvB,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAClC,eAA4B;IAE5B,MAAM,OAAO,GAAsB,EAAE,CAAC;IACtC,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,EAAE,CAAC;QAC7D,IAAI,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YAC9B,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/plugins/sensitive-keys.d.ts

@@ -3,12 +3,17 @@
  *
  * Checks if a JSON key or header name matches one of the configured
  * sensitive keys (case-insensitive substring match).
- *
- * @example
- * // "x-authorization-token" matches "authorization"
- * // "X-Api-Key" matches "api-key" (after lowercasing)
  */
-import type { RedactionPlugin, SensitiveKeysConfig } from "../types.js";
+import type { RedactionPlugin } from "../types.js";
+/** Config for the sensitive keys plugin. */
+export interface SensitiveKeysConfig {
+    /** Whether to include the built-in sensitive keys list. */
+    useBuiltIn: boolean;
+    /** Additional keys to treat as sensitive. */
+    additional: string[];
+    /** Keys to exclude from the built-in list. */
+    excluded: string[];
+}
 /**
  * Create a sensitive-keys plugin from config.
  *

package/dist/plugins/sensitive-keys.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sensitive-keys.d.ts","sourceRoot":"","sources":["../../src/plugins/sensitive-keys.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AA4BxE;;;;;GAKG;AACH,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,mBAAmB,GAC1B,eAAe,CAgBjB"}
+{"version":3,"file":"sensitive-keys.d.ts","sourceRoot":"","sources":["../../src/plugins/sensitive-keys.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAEnD,4CAA4C;AAC5C,MAAM,WAAW,mBAAmB;IAClC,2DAA2D;IAC3D,UAAU,EAAE,OAAO,CAAC;IACpB,6CAA6C;IAC7C,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,8CAA8C;IAC9C,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAqDD;;;;;GAKG;AACH,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,mBAAmB,GAC1B,eAAe,CAcjB"}

package/dist/plugins/sensitive-keys.js

@@ -3,16 +3,36 @@
  *
  * Checks if a JSON key or header name matches one of the configured
  * sensitive keys (case-insensitive substring match).
- *
- * @example
- * // "x-authorization-token" matches "authorization"
- * // "X-Api-Key" matches "api-key" (after lowercasing)
  */
-import { BUILT_IN_SENSITIVE_KEYS } from "../defaults.js";
+/**
+ * Built-in sensitive keys.
+ * v2: these are only used when `useBuiltIn: true` (for backwards compat).
+ * In the new model, sensitive keys live in scope declarations.
+ */
+const BUILT_IN_SENSITIVE_KEYS = [
+    "password",
+    "passwd",
+    "secret",
+    "token",
+    "api_key",
+    "apikey",
+    "api-key",
+    "access_token",
+    "refresh_token",
+    "authorization",
+    "auth",
+    "credential",
+    "credentials",
+    "private_key",
+    "privatekey",
+    "private-key",
+    "ssh_key",
+    "client_secret",
+    "client-secret",
+    "bearer",
+];
 /**
  * Build the sensitive key set from config.
- * If useBuiltIn is true, starts with BUILT_IN_SENSITIVE_KEYS,
- * adds `additional`, removes `excluded`.
  */
 function buildKeySet(config) {
     const keys = new Set();
@@ -41,10 +61,8 @@ export function sensitiveKeysPlugin(config) {
         name: "sensitive-keys",
         isKeySensitive: (key) => {
             const lower = key.toLowerCase();
-            // Exact match first (fast path)
             if (keys.has(lower))
                 return true;
-            // Substring match
             for (const sensitive of keys) {
                 if (lower.includes(sensitive))
                     return true;

package/dist/plugins/sensitive-keys.js.map

@@ -1 +1 @@
-{"version":3,"file":"sensitive-keys.js","sourceRoot":"","sources":["../../src/plugins/sensitive-keys.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,EAAE,uBAAuB,EAAE,MAAM,gBAAgB,CAAC;AAEzD;;;;GAIG;AACH,SAAS,WAAW,CAAC,MAA2B;IAC9C,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAE/B,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;QACtB,KAAK,MAAM,CAAC,IAAI,uBAAuB,EAAE,CAAC;YACxC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACd,CAAC;IACH,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,UAAU,IAAI,EAAE,EAAE,CAAC;QACxC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IAC5B,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;QACtC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IAC/B,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB,CACjC,MAA2B;IAE3B,MAAM,IAAI,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;IAEjC,OAAO;QACL,IAAI,EAAE,gBAAgB;QACtB,cAAc,EAAE,CAAC,GAAW,EAAuB,EAAE;YACnD,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;YAChC,gCAAgC;YAChC,IAAI,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YACjC,kBAAkB;YAClB,KAAK,MAAM,SAAS,IAAI,IAAI,EAAE,CAAC;gBAC7B,IAAI,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC;oBAAE,OAAO,IAAI,CAAC;YAC7C,CAAC;YACD,OAAO,SAAS,CAAC;QACnB,CAAC;KACF,CAAC;AACJ,CAAC"}
+{"version":3,"file":"sensitive-keys.js","sourceRoot":"","sources":["../../src/plugins/sensitive-keys.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAcH;;;;GAIG;AACH,MAAM,uBAAuB,GAAsB;IACjD,UAAU;IACV,QAAQ;IACR,QAAQ;IACR,OAAO;IACP,SAAS;IACT,QAAQ;IACR,SAAS;IACT,cAAc;IACd,eAAe;IACf,eAAe;IACf,MAAM;IACN,YAAY;IACZ,aAAa;IACb,aAAa;IACb,YAAY;IACZ,aAAa;IACb,SAAS;IACT,eAAe;IACf,eAAe;IACf,QAAQ;CACT,CAAC;AAEF;;GAEG;AACH,SAAS,WAAW,CAAC,MAA2B;IAC9C,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAE/B,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;QACtB,KAAK,MAAM,CAAC,IAAI,uBAAuB,EAAE,CAAC;YACxC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACd,CAAC;IACH,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,UAAU,IAAI,EAAE,EAAE,CAAC;QACxC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IAC5B,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;QACtC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IAC/B,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB,CACjC,MAA2B;IAE3B,MAAM,IAAI,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;IAEjC,OAAO;QACL,IAAI,EAAE,gBAAgB;QACtB,cAAc,EAAE,CAAC,GAAW,EAAuB,EAAE;YACnD,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;YAChC,IAAI,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YACjC,KAAK,MAAM,SAAS,IAAI,IAAI,EAAE,CAAC;gBAC7B,IAAI,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC;oBAAE,OAAO,IAAI,CAAC;YAC7C,CAAC;YACD,OAAO,SAAS,CAAC;QACnB,CAAC;KACF,CAAC;AACJ,CAAC"}