@l.x/privacy 0.0.0

package/.depcheckrc

@@ -0,0 +1,9 @@
+ignores: [
+    # Dependencies that depcheck incorrectly marks as unused
+    "typescript",
+    "@typescript/native-preview",
+    "depcheck",
+
+    # Internal packages / workspaces
+    "privacy",
+  ]

package/.eslintrc.js

@@ -0,0 +1,20 @@
+module.exports = {
+  extends: ['@luxfi/eslint-config/lib'],
+  parserOptions: {
+    tsconfigRootDir: __dirname,
+  },
+  overrides: [
+    {
+      files: ['*.ts', '*.tsx'],
+      rules: {
+        'no-relative-import-paths/no-relative-import-paths': [
+          'error',
+          {
+            allowSameFolder: false,
+            prefix: '@luxexchange/privacy',
+          },
+        ],
+      },
+    },
+  ],
+}

package/LICENSE

@@ -0,0 +1,122 @@
+Lux Ecosystem License
+Version 1.2, December 2025
+
+Copyright (c) 2020-2025 Lux Industries Inc.
+All rights reserved.
+
+TECHNOLOGY PORTFOLIO - PATENT APPLICATIONS PLANNED
+Contact: licensing@lux.network
+
+================================================================================
+                          TERMS AND CONDITIONS
+================================================================================
+
+1. DEFINITIONS
+
+   "Lux Primary Network" means the official Lux blockchain with Network ID=1
+   and EVM Chain ID=96369.
+   
+   "Authorized Network" means the Lux Primary Network, official testnets/devnets,
+   and any L1/L2/L3 chain descending from the Lux Primary Network.
+   
+   "Descending Chain" means an L1/L2/L3 chain built on, anchored to, or deriving
+   security from the Lux Primary Network or its authorized testnets.
+   
+   "Research Use" means non-commercial academic research, education, personal
+   study, or evaluation purposes.
+   
+   "Commercial Use" means any use in connection with a product or service
+   offered for sale or fee, internal use by a for-profit entity, or any use
+   to generate revenue.
+
+2. GRANT OF LICENSE
+
+   Subject to these terms, Lux Industries Inc grants you a non-exclusive,
+   royalty-free license to:
+   
+   (a) Use for Research Use without restriction;
+   
+   (b) Operate on the Lux Primary Network (Network ID=1, EVM Chain ID=96369);
+   
+   (c) Operate on official Lux testnets and devnets;
+   
+   (d) Operate L1/L2/L3 chains descending from the Lux Primary Network;
+   
+   (e) Build applications within the Lux ecosystem;
+   
+   (f) Contribute improvements back to the original repositories.
+
+3. RESTRICTIONS
+
+   Without a commercial license from Lux Industries Inc, you may NOT:
+   
+   (a) Fork the Lux Network or any Lux software;
+   
+   (b) Create competing networks not descending from Lux Primary Network;
+   
+   (c) Use for Commercial Use outside the Lux ecosystem;
+   
+   (d) Sublicense or transfer rights outside the Lux ecosystem;
+   
+   (e) Use to create competing blockchain networks, exchanges, custody
+       services, or cryptographic systems outside the Lux ecosystem.
+
+4. NO FORKS POLICY
+
+   Lux Industries Inc maintains ZERO TOLERANCE for unauthorized forks.
+   Any fork or deployment on an unauthorized network constitutes:
+   
+   (a) Breach of this license;
+   (b) Grounds for immediate legal action.
+
+5. RIGHTS RESERVATION
+
+   All rights not explicitly granted are reserved by Lux Industries Inc.
+   
+   We plan to apply for patent protection for the technology in this
+   repository. Any implementation outside the Lux ecosystem may require
+   a separate commercial license.
+
+6. DISCLAIMER OF WARRANTY
+
+   THIS SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+   EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+   MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+
+7. LIMITATION OF LIABILITY
+
+   IN NO EVENT SHALL LUX INDUSTRIES INC BE LIABLE FOR ANY CLAIM, DAMAGES
+   OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+   ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE.
+
+8. TERMINATION
+
+   This license terminates immediately upon any breach, including but not
+   limited to deployment on unauthorized networks or creation of forks.
+
+9. GOVERNING LAW
+
+   This License shall be governed by the laws of the State of Delaware.
+
+10. COMMERCIAL LICENSING
+
+    For commercial use outside the Lux ecosystem:
+    
+    Lux Industries Inc.
+    Email: licensing@lux.network
+    Subject: Commercial License Request
+
+================================================================================
+                              TL;DR
+================================================================================
+
+- Research/academic use = OK
+- Lux Primary Network (Network ID=1, Chain ID=96369) = OK
+- L1/L2/L3 chains descending from Lux Primary Network = OK
+- Commercial products outside Lux ecosystem = Contact licensing@lux.network
+- Forks = Absolutely not
+
+================================================================================
+
+See LP-0012 for full licensing documentation:
+https://github.com/luxfi/lps/blob/main/LPs/lp-0012-ecosystem-licensing.md

package/README.md

@@ -0,0 +1,3 @@
+# @universe/privacy
+
+// TODO

package/package.json

@@ -0,0 +1,32 @@
+{
+  "name": "@l.x/privacy",
+  "version": "0.0.0",
+  "dependencies": {
+    "fast-redact": "3.5.0"
+  },
+  "devDependencies": {
+    "@types/node": "22.13.1",
+    "@typescript/native-preview": "7.0.0-dev.20260311.1",
+    "depcheck": "1.4.7",
+    "eslint": "8.57.1",
+    "typescript": "5.8.3",
+    "@luxfi/eslint-config": "^1.0.5"
+  },
+  "nx": {
+    "includedScripts": []
+  },
+  "main": "src/index.ts",
+  "private": false,
+  "sideEffects": false,
+  "scripts": {
+    "typecheck": "nx typecheck privacy",
+    "typecheck:tsgo": "nx typecheck:tsgo privacy",
+    "lint": "nx lint privacy",
+    "lint:fix": "nx lint:fix privacy",
+    "lint:biome": "nx lint:biome privacy",
+    "lint:biome:fix": "nx lint:biome:fix privacy",
+    "lint:eslint": "nx lint:eslint privacy",
+    "lint:eslint:fix": "nx lint:eslint:fix privacy",
+    "check:deps:usage": "nx check:deps:usage privacy"
+  }
+}

package/project.json

@@ -0,0 +1,18 @@
+{
+  "name": "@l.x/privacy",
+  "$schema": "../../node_modules/nx/schemas/project-schema.json",
+  "sourceRoot": "pkgs/privacy/src",
+  "projectType": "library",
+  "tags": [],
+  "targets": {
+    "typecheck": {},
+    "typecheck:tsgo": {},
+    "lint:biome": {},
+    "lint:biome:fix": {},
+    "lint:eslint": {},
+    "lint:eslint:fix": {},
+    "lint": {},
+    "lint:fix": {},
+    "check:deps:usage": {}
+  }
+}

package/src/email.ts

@@ -0,0 +1,40 @@
+/**
+ * Email truncation utility for privacy-preserving display.
+ *
+ * Shows first character + asterisks + last character of local part,
+ * keeps full domain for recognition.
+ *
+ * @example
+ * truncateEmail("john.doe@gmail.com") // "j***e@gmail.com"
+ * truncateEmail("ab@company.org")     // "a*@company.org"
+ * truncateEmail("x@test.com")         // "x*@test.com"
+ */
+export function truncateEmail(email: string): string {
+  if (!email || typeof email !== 'string') {
+    return '***@***'
+  }
+
+  const atIndex = email.indexOf('@')
+  if (atIndex === -1) {
+    return '***@***'
+  }
+
+  const localPart = email.slice(0, atIndex)
+  const domain = email.slice(atIndex + 1)
+
+  if (!localPart || !domain) {
+    return '***@***'
+  }
+
+  // Truncate local part: show first char + asterisks + last char (if > 2 chars)
+  let truncatedLocal: string
+  if (localPart.length <= 1) {
+    truncatedLocal = localPart + '*'
+  } else if (localPart.length === 2) {
+    truncatedLocal = localPart[0] + '*'
+  } else {
+    truncatedLocal = localPart[0] + '***' + localPart[localPart.length - 1]
+  }
+
+  return `${truncatedLocal}@${domain}`
+}

package/src/fast-redact.d.ts

@@ -0,0 +1,14 @@
+declare module 'fast-redact' {
+  interface FastRedactOptions {
+    paths: string[]
+    serialize?: false | ((obj: Record<string, unknown>) => string)
+    censor?: string
+    strict?: boolean
+    remove?: boolean
+  }
+  function fastRedact(
+    options: FastRedactOptions & { serialize: false },
+  ): (obj: Record<string, unknown>) => Record<string, unknown>
+  function fastRedact(options: FastRedactOptions): (obj: Record<string, unknown>) => string
+  export default fastRedact
+}

package/src/index.ts

@@ -0,0 +1,6 @@
+// Email privacy
+export { truncateEmail } from './email'
+
+// Scrubbing
+export type { Scrubber, ScrubberOptions, ScrubPattern } from './scrub'
+export { createScrubber, DEFAULT_REDACT_PATHS, DEFAULT_SCRUB_PATTERNS } from './scrub'

package/src/scrub.ts

@@ -0,0 +1,134 @@
+/**
+ * PII Scrubbing Layer
+ *
+ * Two-layer defense: path-based redaction (fast-redact) for known fields,
+ * then regex pattern scanning for PII in arbitrary string values.
+ *
+ * Explicit contract: configurable patterns, injectable into logger pipeline.
+ */
+
+import fastRedact from 'fast-redact'
+
+/** Pattern definition for regex-based string scanning */
+export interface ScrubPattern {
+  /** Human-readable name for this pattern */
+  name: string
+  /** Regex to match sensitive data */
+  pattern: RegExp
+  /** Replacement string */
+  replacement: string
+}
+
+/** Configuration for the scrubber factory */
+export interface ScrubberOptions {
+  /** Paths to redact via fast-redact (e.g., 'headers.cookie') */
+  redactPaths?: string[]
+  /** Regex patterns for string scanning */
+  patterns?: ScrubPattern[]
+}
+
+/** The scrubber function signature */
+export type Scrubber = (obj: Record<string, unknown>) => Record<string, unknown>
+
+export const DEFAULT_REDACT_PATHS: string[] = [
+  'password',
+  'secret',
+  'authorization',
+  'cookie',
+  '["set-cookie"]',
+  '["x-api-key"]',
+  'credentials',
+  'email',
+  'identifier',
+  '*.email',
+  '*.identifier',
+  '*.password',
+  '*.secret',
+  '*.authorization',
+  '*.cookie',
+  'headers.cookie',
+  'headers.authorization',
+]
+
+export const DEFAULT_SCRUB_PATTERNS: ScrubPattern[] = [
+  {
+    name: 'email',
+    pattern: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g,
+    replacement: '[EMAIL_REDACTED]',
+  },
+  {
+    name: 'jwt',
+    pattern: /eyJ[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}/g,
+    replacement: '[JWT_REDACTED]',
+  },
+  {
+    name: 'api_key',
+    pattern: /(?:api[_-]?key|token|secret|authorization)['":\s]*[a-zA-Z0-9_-]{32,}/gi,
+    replacement: '[API_KEY_REDACTED]',
+  },
+  {
+    name: 'ethereum_address',
+    pattern: /0x[a-fA-F0-9]{40}/g,
+    replacement: '[WALLET_REDACTED]',
+  },
+  {
+    name: 'ipv4',
+    pattern: /\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/g,
+    replacement: '[IP_REDACTED]',
+  },
+]
+
+/** Scan a string value and replace all matching patterns */
+function scrubString(value: string, patterns: ScrubPattern[]): string {
+  let result = value
+  for (const { pattern, replacement } of patterns) {
+    // Reset lastIndex for global regexps to ensure clean state
+    pattern.lastIndex = 0
+    result = result.replace(pattern, replacement)
+  }
+  return result
+}
+
+/** Recursively walk an object and scrub all string values */
+function scrubValue(value: unknown, patterns: ScrubPattern[]): unknown {
+  if (typeof value === 'string') {
+    return scrubString(value, patterns)
+  }
+  if (Array.isArray(value)) {
+    return value.map((item) => scrubValue(item, patterns))
+  }
+  if (value !== null && typeof value === 'object') {
+    const result: Record<string, unknown> = {}
+    for (const [key, val] of Object.entries(value)) {
+      result[key] = scrubValue(val, patterns)
+    }
+    return result
+  }
+  // Numbers, booleans, null, undefined pass through untouched
+  return value
+}
+
+/**
+ * Create a scrubber function with the given options.
+ *
+ * Layer 1: fast-redact replaces known sensitive paths with "[REDACTED]"
+ * Layer 2: regex patterns scan all remaining string values for PII
+ */
+export function createScrubber(options?: ScrubberOptions): Scrubber {
+  const redactPaths = options?.redactPaths ?? DEFAULT_REDACT_PATHS
+  const patterns = options?.patterns ?? DEFAULT_SCRUB_PATTERNS
+
+  const redact = fastRedact({
+    paths: redactPaths,
+    serialize: false,
+    censor: '[REDACTED]',
+  }) as (obj: Record<string, unknown>) => Record<string, unknown>
+
+  return (obj: Record<string, unknown>): Record<string, unknown> => {
+    // Layer 1: path-based redaction (mutates in place, returns same ref)
+    const redacted = redact(obj)
+
+    // Layer 2: pattern-based string scanning (returns new object)
+    return scrubValue(redacted, patterns) as Record<string, unknown>
+  }
+}

package/tsconfig.json

@@ -0,0 +1,26 @@
+{
+  "extends": "../../config/tsconfig/app.json",
+  "include": [
+    "src/**/*.ts",
+    "src/**/*.tsx",
+    "src/**/*.json",
+    "src/global.d.ts"
+  ],
+  "exclude": [
+    "src/**/*.spec.ts",
+    "src/**/*.spec.tsx",
+    "src/**/*.test.ts",
+    "src/**/*.test.tsx"
+  ],
+  "compilerOptions": {
+    "noEmit": false,
+    "emitDeclarationOnly": true,
+    "types": ["node"],
+    "paths": {}
+  },
+  "references": [
+    {
+      "path": "../eslint-config"
+    }
+  ]
+}

package/tsconfig.lint.json

@@ -0,0 +1,8 @@
+{
+  "extends": "./tsconfig.json",
+  "compilerOptions": {
+    "preserveSymlinks": true
+  },
+  "include": ["**/*.ts", "**/*.tsx", "**/*.json"],
+  "exclude": ["node_modules"]
+}