@logtape/redaction 0.11.0 → 0.12.0-dev.181

package/dist/pattern.d.cts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pattern.d.cts","names":[],"sources":["../pattern.ts"],"sourcesContent":[],"mappings":";;;;;;AAWA;AAsBA;AAUA;AASa,UAzCI,gBAAA,CAyCY;EAUhB;AASb;AASA;AAoCA;EAA+B,SAAA,OAAA,EApGX,MAoGW;EAAA;;;AAGf;AAmChB;EAA+B,SAAA,WAAA,EAAA,MAAA,GAAA,CAAA,CAAA,KAAA,EAAA,MAAA,EAAA,GAAA,IAAA,EAAA,SAAA,GAAA,EAAA,EAAA,GAAA,MAAA,CAAA;;;;AAGZ;;cA5HN,uBAAuB;;;;;cAUvB,4BAA4B;;;;;cAS5B,gBAAgB;;;;;;cAUhB,gBAAgB;;;;;cAShB,aAAa;;;;;KASd,iBAAA,YAA6B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAoCzB,eAAA,YACH,yBACD,oBACT;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAmCa,eAAA,YACH,4BACD,oBACT"}

package/{types → dist}/pattern.d.ts

@@ -1,53 +1,56 @@
-import type { ConsoleFormatter, TextFormatter } from "@logtape/logtape";
+import { ConsoleFormatter, TextFormatter } from "@logtape/logtape";
+
+//#region pattern.d.ts
+
 /**
  * A redaction pattern, which is a pair of regular expression and replacement
  * string or function.
  * @since 0.10.0
  */
-export interface RedactionPattern {
-    /**
-     * The regular expression to match against.  Note that it must have the
-     * `g` (global) flag set, otherwise it will throw a `TypeError`.
-     */
-    readonly pattern: RegExp;
-    /**
-     * The replacement string or function.  If the replacement is a function,
-     * it will be called with the matched string and any capture groups (the same
-     * signature as `String.prototype.replaceAll()`).
-     */
-    readonly replacement: string | ((match: string, ...rest: readonly any[]) => string);
+interface RedactionPattern {
+  /**
+   * The regular expression to match against.  Note that it must have the
+   * `g` (global) flag set, otherwise it will throw a `TypeError`.
+   */
+  readonly pattern: RegExp;
+  /**
+   * The replacement string or function.  If the replacement is a function,
+   * it will be called with the matched string and any capture groups (the same
+   * signature as `String.prototype.replaceAll()`).
+   */
+  readonly replacement: string | ((match: string, ...rest: readonly any[]) => string);
 }
 /**
  * A redaction pattern for email addresses.
  * @since 0.10.0
  */
-export declare const EMAIL_ADDRESS_PATTERN: RedactionPattern;
+declare const EMAIL_ADDRESS_PATTERN: RedactionPattern;
 /**
  * A redaction pattern for credit card numbers (including American Express).
  * @since 0.10.0
  */
-export declare const CREDIT_CARD_NUMBER_PATTERN: RedactionPattern;
+declare const CREDIT_CARD_NUMBER_PATTERN: RedactionPattern;
 /**
  * A redaction pattern for U.S. Social Security numbers.
  * @since 0.10.0
  */
-export declare const US_SSN_PATTERN: RedactionPattern;
+declare const US_SSN_PATTERN: RedactionPattern;
 /**
  * A redaction pattern for South Korean resident registration numbers
  * (住民登錄番號).
  * @since 0.10.0
  */
-export declare const KR_RRN_PATTERN: RedactionPattern;
+declare const KR_RRN_PATTERN: RedactionPattern;
 /**
  * A redaction pattern for JSON Web Tokens (JWT).
  * @since 0.10.0
  */
-export declare const JWT_PATTERN: RedactionPattern;
+declare const JWT_PATTERN: RedactionPattern;
 /**
  * A list of {@link RedactionPattern}s.
  * @since 0.10.0
  */
-export type RedactionPatterns = readonly RedactionPattern[];
+type RedactionPatterns = readonly RedactionPattern[];
 /**
  * Applies data redaction to a {@link TextFormatter}.
  *
@@ -82,7 +85,7 @@ export type RedactionPatterns = readonly RedactionPattern[];
  * @returns The redacted text formatter.
  * @since 0.10.0
  */
-export declare function redactByPattern(formatter: TextFormatter, patterns: RedactionPatterns): TextFormatter;
+declare function redactByPattern(formatter: TextFormatter, patterns: RedactionPatterns): TextFormatter;
 /**
  * Applies data redaction to a {@link ConsoleFormatter}.
  *
@@ -116,5 +119,8 @@ export declare function redactByPattern(formatter: TextFormatter, patterns: Reda
  * @returns The redacted console formatter.
  * @since 0.10.0
  */
-export declare function redactByPattern(formatter: ConsoleFormatter, patterns: RedactionPatterns): ConsoleFormatter;
+declare function redactByPattern(formatter: ConsoleFormatter, patterns: RedactionPatterns): ConsoleFormatter;
+//# sourceMappingURL=pattern.d.ts.map
+//#endregion
+export { CREDIT_CARD_NUMBER_PATTERN, EMAIL_ADDRESS_PATTERN, JWT_PATTERN, KR_RRN_PATTERN, RedactionPattern, RedactionPatterns, US_SSN_PATTERN, redactByPattern };
 //# sourceMappingURL=pattern.d.ts.map

package/dist/pattern.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pattern.d.ts","names":[],"sources":["../pattern.ts"],"sourcesContent":[],"mappings":";;;;;;AAWA;AAsBA;AAUA;AASa,UAzCI,gBAAA,CAyCY;EAUhB;AASb;AASA;AAoCA;EAA+B,SAAA,OAAA,EApGX,MAoGW;EAAA;;;AAGf;AAmChB;EAA+B,SAAA,WAAA,EAAA,MAAA,GAAA,CAAA,CAAA,KAAA,EAAA,MAAA,EAAA,GAAA,IAAA,EAAA,SAAA,GAAA,EAAA,EAAA,GAAA,MAAA,CAAA;;;;AAGZ;;cA5HN,uBAAuB;;;;;cAUvB,4BAA4B;;;;;cAS5B,gBAAgB;;;;;;cAUhB,gBAAgB;;;;;cAShB,aAAa;;;;;KASd,iBAAA,YAA6B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAoCzB,eAAA,YACH,yBACD,oBACT;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAmCa,eAAA,YACH,4BACD,oBACT"}

package/dist/pattern.js

@@ -0,0 +1,70 @@
+//#region pattern.ts
+/**
+* A redaction pattern for email addresses.
+* @since 0.10.0
+*/
+const EMAIL_ADDRESS_PATTERN = {
+	pattern: /[\p{L}0-9.!#$%&'*+/=?^_`{|}~-]+@[\p{L}0-9](?:[\p{L}0-9-]{0,61}[\p{L}0-9])?(?:\.[\p{L}0-9](?:[\p{L}0-9-]{0,61}[\p{L}0-9])?)+/gu,
+	replacement: "REDACTED@EMAIL.ADDRESS"
+};
+/**
+* A redaction pattern for credit card numbers (including American Express).
+* @since 0.10.0
+*/
+const CREDIT_CARD_NUMBER_PATTERN = {
+	pattern: /(?:\d{4}-){3}\d{4}|(?:\d{4}-){2}\d{6}/g,
+	replacement: "XXXX-XXXX-XXXX-XXXX"
+};
+/**
+* A redaction pattern for U.S. Social Security numbers.
+* @since 0.10.0
+*/
+const US_SSN_PATTERN = {
+	pattern: /\d{3}-\d{2}-\d{4}/g,
+	replacement: "XXX-XX-XXXX"
+};
+/**
+* A redaction pattern for South Korean resident registration numbers
+* (住民登錄番號).
+* @since 0.10.0
+*/
+const KR_RRN_PATTERN = {
+	pattern: /\d{6}-\d{7}/g,
+	replacement: "XXXXXX-XXXXXXX"
+};
+/**
+* A redaction pattern for JSON Web Tokens (JWT).
+* @since 0.10.0
+*/
+const JWT_PATTERN = {
+	pattern: /eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]*/g,
+	replacement: "[JWT REDACTED]"
+};
+function redactByPattern(formatter, patterns) {
+	for (const { pattern } of patterns) if (!pattern.global) throw new TypeError(`Pattern ${pattern} does not have the global flag set.`);
+	function replaceString(str) {
+		for (const p of patterns) str = typeof p.replacement === "string" ? str.replaceAll(p.pattern, p.replacement) : str.replaceAll(p.pattern, p.replacement);
+		return str;
+	}
+	function replaceObject(object) {
+		if (typeof object === "string") return replaceString(object);
+		else if (Array.isArray(object)) return object.map(replaceObject);
+		else if (typeof object === "object" && object !== null) {
+			if (Object.getPrototypeOf(object) === Object.prototype || Object.getPrototypeOf(object) === null) {
+				const redacted = {};
+				for (const key in object) redacted[key] = replaceObject(object[key]);
+				return redacted;
+			}
+		}
+		return object;
+	}
+	return (record) => {
+		const output = formatter(record);
+		if (typeof output === "string") return replaceString(output);
+		return output.map(replaceObject);
+	};
+}
+
+//#endregion
+export { CREDIT_CARD_NUMBER_PATTERN, EMAIL_ADDRESS_PATTERN, JWT_PATTERN, KR_RRN_PATTERN, US_SSN_PATTERN, redactByPattern };
+//# sourceMappingURL=pattern.js.map

package/dist/pattern.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pattern.js","names":["EMAIL_ADDRESS_PATTERN: RedactionPattern","CREDIT_CARD_NUMBER_PATTERN: RedactionPattern","US_SSN_PATTERN: RedactionPattern","KR_RRN_PATTERN: RedactionPattern","JWT_PATTERN: RedactionPattern","formatter: TextFormatter | ConsoleFormatter","patterns: RedactionPatterns","str: string","object: unknown","redacted: Record<string, unknown>","record: LogRecord"],"sources":["../pattern.ts"],"sourcesContent":["import type {\n  ConsoleFormatter,\n  LogRecord,\n  TextFormatter,\n} from \"@logtape/logtape\";\n\n/**\n * A redaction pattern, which is a pair of regular expression and replacement\n * string or function.\n * @since 0.10.0\n */\nexport interface RedactionPattern {\n  /**\n   * The regular expression to match against.  Note that it must have the\n   * `g` (global) flag set, otherwise it will throw a `TypeError`.\n   */\n  readonly pattern: RegExp;\n\n  /**\n   * The replacement string or function.  If the replacement is a function,\n   * it will be called with the matched string and any capture groups (the same\n   * signature as `String.prototype.replaceAll()`).\n   */\n  readonly replacement:\n    | string\n    // deno-lint-ignore no-explicit-any\n    | ((match: string, ...rest: readonly any[]) => string);\n}\n\n/**\n * A redaction pattern for email addresses.\n * @since 0.10.0\n */\nexport const EMAIL_ADDRESS_PATTERN: RedactionPattern = {\n  pattern:\n    /[\\p{L}0-9.!#$%&'*+/=?^_`{|}~-]+@[\\p{L}0-9](?:[\\p{L}0-9-]{0,61}[\\p{L}0-9])?(?:\\.[\\p{L}0-9](?:[\\p{L}0-9-]{0,61}[\\p{L}0-9])?)+/gu,\n  replacement: \"REDACTED@EMAIL.ADDRESS\",\n};\n\n/**\n * A redaction pattern for credit card numbers (including American Express).\n * @since 0.10.0\n */\nexport const CREDIT_CARD_NUMBER_PATTERN: RedactionPattern = {\n  pattern: /(?:\\d{4}-){3}\\d{4}|(?:\\d{4}-){2}\\d{6}/g,\n  replacement: \"XXXX-XXXX-XXXX-XXXX\",\n};\n\n/**\n * A redaction pattern for U.S. Social Security numbers.\n * @since 0.10.0\n */\nexport const US_SSN_PATTERN: RedactionPattern = {\n  pattern: /\\d{3}-\\d{2}-\\d{4}/g,\n  replacement: \"XXX-XX-XXXX\",\n};\n\n/**\n * A redaction pattern for South Korean resident registration numbers\n * (住民登錄番號).\n * @since 0.10.0\n */\nexport const KR_RRN_PATTERN: RedactionPattern = {\n  pattern: /\\d{6}-\\d{7}/g,\n  replacement: \"XXXXXX-XXXXXXX\",\n};\n\n/**\n * A redaction pattern for JSON Web Tokens (JWT).\n * @since 0.10.0\n */\nexport const JWT_PATTERN: RedactionPattern = {\n  pattern: /eyJ[a-zA-Z0-9_-]*\\.[a-zA-Z0-9_-]*\\.[a-zA-Z0-9_-]*/g,\n  replacement: \"[JWT REDACTED]\",\n};\n\n/**\n * A list of {@link RedactionPattern}s.\n * @since 0.10.0\n */\nexport type RedactionPatterns = readonly RedactionPattern[];\n\n/**\n * Applies data redaction to a {@link TextFormatter}.\n *\n * Note that there are some built-in redaction patterns:\n *\n * - {@link CREDIT_CARD_NUMBER_PATTERN}\n * - {@link EMAIL_ADDRESS_PATTERN}\n * - {@link JWT_PATTERN}\n * - {@link KR_RRN_PATTERN}\n * - {@link US_SSN_PATTERN}\n *\n * @example\n * ```ts\n * import { getFileSink } from \"@logtape/file\";\n * import { getAnsiColorFormatter } from \"@logtape/logtape\";\n * import {\n *   CREDIT_CARD_NUMBER_PATTERN,\n *   EMAIL_ADDRESS_PATTERN,\n *   JWT_PATTERN,\n *   redactByPattern,\n * } from \"@logtape/redaction\";\n *\n * const formatter = redactByPattern(getAnsiConsoleFormatter(), [\n *   CREDIT_CARD_NUMBER_PATTERN,\n *   EMAIL_ADDRESS_PATTERN,\n *   JWT_PATTERN,\n * ]);\n * const sink = getFileSink(\"my-app.log\", { formatter });\n * ```\n * @param formatter The text formatter to apply redaction to.\n * @param patterns The redaction patterns to apply.\n * @returns The redacted text formatter.\n * @since 0.10.0\n */\nexport function redactByPattern(\n  formatter: TextFormatter,\n  patterns: RedactionPatterns,\n): TextFormatter;\n\n/**\n * Applies data redaction to a {@link ConsoleFormatter}.\n *\n * Note that there are some built-in redaction patterns:\n *\n * - {@link CREDIT_CARD_NUMBER_PATTERN}\n * - {@link EMAIL_ADDRESS_PATTERN}\n * - {@link JWT_PATTERN}\n * - {@link KR_RRN_PATTERN}\n * - {@link US_SSN_PATTERN}\n *\n * @example\n * ```ts\n * import { defaultConsoleFormatter, getConsoleSink } from \"@logtape/logtape\";\n * import {\n *   CREDIT_CARD_NUMBER_PATTERN,\n *   EMAIL_ADDRESS_PATTERN,\n *   JWT_PATTERN,\n *   redactByPattern,\n * } from \"@logtape/redaction\";\n *\n * const formatter = redactByPattern(defaultConsoleFormatter, [\n *   CREDIT_CARD_NUMBER_PATTERN,\n *   EMAIL_ADDRESS_PATTERN,\n *   JWT_PATTERN,\n * ]);\n * const sink = getConsoleSink({ formatter });\n * ```\n * @param formatter The console formatter to apply redaction to.\n * @param patterns The redaction patterns to apply.\n * @returns The redacted console formatter.\n * @since 0.10.0\n */\nexport function redactByPattern(\n  formatter: ConsoleFormatter,\n  patterns: RedactionPatterns,\n): ConsoleFormatter;\n\nexport function redactByPattern(\n  formatter: TextFormatter | ConsoleFormatter,\n  patterns: RedactionPatterns,\n): (record: LogRecord) => string | readonly unknown[] {\n  for (const { pattern } of patterns) {\n    if (!pattern.global) {\n      throw new TypeError(\n        `Pattern ${pattern} does not have the global flag set.`,\n      );\n    }\n  }\n\n  function replaceString(str: string): string {\n    for (const p of patterns) {\n      // The following ternary operator may seem strange, but it's for\n      // making TypeScript happy:\n      str = typeof p.replacement === \"string\"\n        ? str.replaceAll(p.pattern, p.replacement)\n        : str.replaceAll(p.pattern, p.replacement);\n    }\n    return str;\n  }\n\n  function replaceObject(object: unknown): unknown {\n    if (typeof object === \"string\") return replaceString(object);\n    else if (Array.isArray(object)) return object.map(replaceObject);\n    else if (typeof object === \"object\" && object !== null) {\n      // Check if object is a vanilla object:\n      if (\n        Object.getPrototypeOf(object) === Object.prototype ||\n        Object.getPrototypeOf(object) === null\n      ) {\n        const redacted: Record<string, unknown> = {};\n        for (const key in object) {\n          redacted[key] =\n            // @ts-ignore: object always has key\n            replaceObject(object[key]);\n        }\n        return redacted;\n      }\n    }\n    return object;\n  }\n\n  return (record: LogRecord) => {\n    const output = formatter(record);\n    if (typeof output === \"string\") return replaceString(output);\n    return output.map(replaceObject);\n  };\n}\n"],"mappings":";;;;;AAiCA,MAAaA,wBAA0C;CACrD,SACE;CACF,aAAa;AACd;;;;;AAMD,MAAaC,6BAA+C;CAC1D,SAAS;CACT,aAAa;AACd;;;;;AAMD,MAAaC,iBAAmC;CAC9C,SAAS;CACT,aAAa;AACd;;;;;;AAOD,MAAaC,iBAAmC;CAC9C,SAAS;CACT,aAAa;AACd;;;;;AAMD,MAAaC,cAAgC;CAC3C,SAAS;CACT,aAAa;AACd;AAqFD,SAAgB,gBACdC,WACAC,UACoD;AACpD,MAAK,MAAM,EAAE,SAAS,IAAI,SACxB,MAAK,QAAQ,OACX,OAAM,IAAI,WACP,UAAU,QAAQ;CAKzB,SAAS,cAAcC,KAAqB;AAC1C,OAAK,MAAM,KAAK,SAGd,cAAa,EAAE,gBAAgB,WAC3B,IAAI,WAAW,EAAE,SAAS,EAAE,YAAY,GACxC,IAAI,WAAW,EAAE,SAAS,EAAE,YAAY;AAE9C,SAAO;CACR;CAED,SAAS,cAAcC,QAA0B;AAC/C,aAAW,WAAW,SAAU,QAAO,cAAc,OAAO;WACnD,MAAM,QAAQ,OAAO,CAAE,QAAO,OAAO,IAAI,cAAc;kBAChD,WAAW,YAAY,WAAW,MAEhD;OACE,OAAO,eAAe,OAAO,KAAK,OAAO,aACzC,OAAO,eAAe,OAAO,KAAK,MAClC;IACA,MAAMC,WAAoC,CAAE;AAC5C,SAAK,MAAM,OAAO,OAChB,UAAS,OAEP,cAAc,OAAO,KAAK;AAE9B,WAAO;GACR;;AAEH,SAAO;CACR;AAED,QAAO,CAACC,WAAsB;EAC5B,MAAM,SAAS,UAAU,OAAO;AAChC,aAAW,WAAW,SAAU,QAAO,cAAc,OAAO;AAC5D,SAAO,OAAO,IAAI,cAAc;CACjC;AACF"}

package/field.test.ts

@@ -0,0 +1,217 @@
+import { suite } from "@hongminhee/suite";
+import type { LogRecord, Sink } from "@logtape/logtape";
+import { assert } from "@std/assert/assert";
+import { assertEquals } from "@std/assert/equals";
+import { assertExists } from "@std/assert/exists";
+import { assertFalse } from "@std/assert/false";
+import {
+  type FieldPatterns,
+  redactByField,
+  redactProperties,
+  shouldFieldRedacted,
+} from "./field.ts";
+
+const test = suite(import.meta);
+
+test("shouldFieldRedacted()", () => {
+  { // matches string pattern
+    const fieldPatterns: FieldPatterns = ["password", "secret"];
+    assertEquals(shouldFieldRedacted("password", fieldPatterns), true);
+    assertEquals(shouldFieldRedacted("secret", fieldPatterns), true);
+    assertEquals(shouldFieldRedacted("username", fieldPatterns), false);
+  }
+
+  { // matches regex pattern
+    const fieldPatterns: FieldPatterns = [/pass/i, /secret/i];
+    assertEquals(shouldFieldRedacted("password", fieldPatterns), true);
+    assertEquals(shouldFieldRedacted("secretKey", fieldPatterns), true);
+    assertEquals(shouldFieldRedacted("myPassword", fieldPatterns), true);
+    assertEquals(shouldFieldRedacted("username", fieldPatterns), false);
+  }
+
+  { // case sensitivity in regex
+    const caseSensitivePatterns: FieldPatterns = [/pass/, /secret/];
+    const caseInsensitivePatterns: FieldPatterns = [/pass/i, /secret/i];
+
+    assertEquals(shouldFieldRedacted("Password", caseSensitivePatterns), false);
+    assertEquals(
+      shouldFieldRedacted("Password", caseInsensitivePatterns),
+      true,
+    );
+  }
+});
+
+test("redactProperties()", () => {
+  { // delete action (default)
+    const properties = {
+      username: "user123",
+      password: "secret123",
+      email: "user@example.com",
+      message: "Hello world",
+    };
+
+    const result = redactProperties(properties, {
+      fieldPatterns: ["password", "email"],
+    });
+
+    assert("username" in result);
+    assertFalse("password" in result);
+    assertFalse("email" in result);
+    assert("message" in result);
+
+    const nestedObject = {
+      ...properties,
+      nested: {
+        foo: "bar",
+        baz: "qux",
+        passphrase: "asdf",
+      },
+    };
+    const result2 = redactProperties(nestedObject, {
+      fieldPatterns: ["password", "email", "passphrase"],
+    });
+
+    assert("username" in result2);
+    assertFalse("password" in result2);
+    assertFalse("email" in result2);
+    assert("message" in result2);
+    assert("nested" in result2);
+    assert(typeof result2.nested === "object");
+    assertExists(result2.nested);
+    assert("foo" in result2.nested);
+    assert("baz" in result2.nested);
+    assertFalse("passphrase" in result2.nested);
+  }
+
+  { // custom action function
+    const properties = {
+      username: "user123",
+      password: "secret123",
+      token: "abc123",
+      message: "Hello world",
+    };
+
+    const result = redactProperties(properties, {
+      fieldPatterns: [/password/i, /token/i],
+      action: () => "REDACTED",
+    });
+
+    assertEquals(result.username, "user123");
+    assertEquals(result.password, "REDACTED");
+    assertEquals(result.token, "REDACTED");
+    assertEquals(result.message, "Hello world");
+  }
+
+  { // preserves other properties
+    const properties = {
+      username: "user123",
+      data: { nested: "value" },
+      sensitive: "hidden",
+    };
+
+    const result = redactProperties(properties, {
+      fieldPatterns: ["sensitive"],
+    });
+
+    assertEquals(result.username, "user123");
+    assertEquals(result.data, { nested: "value" });
+    assertFalse("sensitive" in result);
+  }
+});
+
+test("redactByField()", async () => {
+  { // wraps sink and redacts properties
+    const records: LogRecord[] = [];
+    const originalSink: Sink = (record) => records.push(record);
+
+    const wrappedSink = redactByField(originalSink, {
+      fieldPatterns: ["password", "token"],
+    });
+
+    const record: LogRecord = {
+      level: "info",
+      category: ["test"],
+      message: ["Test message"],
+      rawMessage: "Test message",
+      timestamp: Date.now(),
+      properties: {
+        username: "user123",
+        password: "secret123",
+        token: "abc123",
+      },
+    };
+
+    wrappedSink(record);
+
+    assertEquals(records.length, 1);
+    assert("username" in records[0].properties);
+    assertFalse("password" in records[0].properties);
+    assertFalse("token" in records[0].properties);
+  }
+
+  { // uses default field patterns when not specified
+    const records: LogRecord[] = [];
+    const originalSink: Sink = (record) => records.push(record);
+
+    const wrappedSink = redactByField(originalSink);
+
+    const record: LogRecord = {
+      level: "info",
+      category: ["test"],
+      message: ["Test message"],
+      rawMessage: "Test message",
+      timestamp: Date.now(),
+      properties: {
+        username: "user123",
+        password: "secret123",
+        email: "user@example.com",
+        apiKey: "xyz789",
+      },
+    };
+
+    wrappedSink(record);
+
+    assertEquals(records.length, 1);
+    assert("username" in records[0].properties);
+    assertFalse("password" in records[0].properties);
+    assertFalse("email" in records[0].properties);
+    assertFalse("apiKey" in records[0].properties);
+  }
+
+  { // preserves Disposable behavior
+    let disposed = false;
+    const originalSink: Sink & Disposable = Object.assign(
+      (_record: LogRecord) => {},
+      {
+        [Symbol.dispose]: () => {
+          disposed = true;
+        },
+      },
+    );
+
+    const wrappedSink = redactByField(originalSink) as Sink & Disposable;
+
+    assert(Symbol.dispose in wrappedSink);
+    wrappedSink[Symbol.dispose]();
+    assert(disposed);
+  }
+
+  { // preserves AsyncDisposable behavior
+    let disposed = false;
+    const originalSink: Sink & AsyncDisposable = Object.assign(
+      (_record: LogRecord) => {},
+      {
+        [Symbol.asyncDispose]: () => {
+          disposed = true;
+          return Promise.resolve();
+        },
+      },
+    );
+
+    const wrappedSink = redactByField(originalSink) as Sink & AsyncDisposable;
+
+    assert(Symbol.asyncDispose in wrappedSink);
+    await wrappedSink[Symbol.asyncDispose]();
+    assert(disposed);
+  }
+});

package/field.ts

@@ -0,0 +1,164 @@
+import type { LogRecord, Sink } from "@logtape/logtape";
+
+/**
+ * The type for a field pattern used in redaction.  A string or a regular
+ * expression that matches field names.
+ * @since 0.10.0
+ */
+export type FieldPattern = string | RegExp;
+
+/**
+ * An array of field patterns used for redaction.  Each pattern can be
+ * a string or a regular expression that matches field names.
+ * @since 0.10.0
+ */
+export type FieldPatterns = FieldPattern[];
+
+/**
+ * Default field patterns for redaction.  These patterns will match
+ * common sensitive fields such as passwords, tokens, and personal
+ * information.
+ * @since 0.10.0
+ */
+export const DEFAULT_REDACT_FIELDS: FieldPatterns = [
+  /pass(?:code|phrase|word)/i,
+  /secret/i,
+  /token/i,
+  /key/i,
+  /credential/i,
+  /auth/i,
+  /signature/i,
+  /sensitive/i,
+  /private/i,
+  /ssn/i,
+  /email/i,
+  /phone/i,
+  /address/i,
+];
+
+/**
+ * Options for redacting fields in a {@link LogRecord}.  Used by
+ * the {@link redactByField} function.
+ * @since 0.10.0
+ */
+export interface FieldRedactionOptions {
+  /**
+   * The field patterns to match against.  This can be an array of
+   * strings or regular expressions.  If a field matches any of the
+   * patterns, it will be redacted.
+   * @defaultValue {@link DEFAULT_REDACT_FIELDS}
+   */
+  readonly fieldPatterns: FieldPatterns;
+
+  /**
+   * The action to perform on the matched fields.  If not provided,
+   * the default action is to delete the field from the properties.
+   * If a function is provided, it will be called with the
+   * value of the field, and the return value will be used to replace
+   * the field in the properties.
+   * If the action is `"delete"`, the field will be removed from the
+   * properties.
+   * @default `"delete"`
+   */
+  readonly action?: "delete" | ((value: unknown) => unknown);
+}
+
+/**
+ * Redacts properties in a {@link LogRecord} based on the provided field
+ * patterns and action.
+ *
+ * Note that it is a decorator which wraps the sink and redacts properties
+ * before passing them to the sink.
+ *
+ * @example
+ * ```ts
+ * import { getConsoleSink } from "@logtape/logtape";
+ * import { redactByField } from "@logtape/redaction";
+ *
+ * const sink = redactByField(getConsoleSink());
+ * ```
+ *
+ * @param sink The sink to wrap.
+ * @param options The redaction options.
+ * @returns The wrapped sink.
+ * @since 0.10.0
+ */
+export function redactByField(
+  sink: Sink | Sink & Disposable | Sink & AsyncDisposable,
+  options: FieldRedactionOptions | FieldPatterns = DEFAULT_REDACT_FIELDS,
+): Sink | Sink & Disposable | Sink & AsyncDisposable {
+  const opts = Array.isArray(options) ? { fieldPatterns: options } : options;
+  const wrapped = (record: LogRecord) => {
+    sink({ ...record, properties: redactProperties(record.properties, opts) });
+  };
+  if (Symbol.dispose in sink) wrapped[Symbol.dispose] = sink[Symbol.dispose];
+  if (Symbol.asyncDispose in sink) {
+    wrapped[Symbol.asyncDispose] = sink[Symbol.asyncDispose];
+  }
+  return wrapped;
+}
+
+/**
+ * Redacts properties from an object based on specified field patterns.
+ *
+ * This function creates a shallow copy of the input object and applies
+ * redaction rules to its properties. For properties that match the redaction
+ * patterns, the function either removes them or transforms their values based
+ * on the provided action.
+ *
+ * The redaction process is recursive and will be applied to nested objects
+ * as well, allowing for deep redaction of sensitive data in complex object
+ * structures.
+ * @param properties The properties to redact.
+ * @param options The redaction options.
+ * @returns The redacted properties.
+ * @since 0.10.0
+ */
+export function redactProperties(
+  properties: Record<string, unknown>,
+  options: FieldRedactionOptions,
+): Record<string, unknown> {
+  const copy = { ...properties };
+  for (const field in copy) {
+    if (shouldFieldRedacted(field, options.fieldPatterns)) {
+      if (options.action == null || options.action === "delete") {
+        delete copy[field];
+      } else {
+        copy[field] = options.action(copy[field]);
+      }
+      continue;
+    }
+    const value = copy[field];
+    // Check if value is a vanilla object:
+    if (
+      typeof value === "object" && value !== null &&
+      (Object.getPrototypeOf(value) === Object.prototype ||
+        Object.getPrototypeOf(value) === null)
+    ) {
+      // @ts-ignore: value is always Record<string, unknown>
+      copy[field] = redactProperties(value, options);
+    }
+  }
+  return copy;
+}
+
+/**
+ * Checks if a field should be redacted based on the provided field patterns.
+ * @param field The field name to check.
+ * @param fieldPatterns The field patterns to match against.
+ * @returns `true` if the field should be redacted, `false` otherwise.
+ * @since 0.10.0
+ */
+export function shouldFieldRedacted(
+  field: string,
+  fieldPatterns: FieldPatterns,
+): boolean {
+  for (const fieldPattern of fieldPatterns) {
+    if (typeof fieldPattern === "string") {
+      if (fieldPattern === field) return true;
+    } else {
+      if (fieldPattern.test(field)) return true;
+    }
+  }
+  return false;
+}

package/mod.ts

@@ -0,0 +1,8 @@
+export {
+  DEFAULT_REDACT_FIELDS,
+  type FieldPattern,
+  type FieldPatterns,
+  type FieldRedactionOptions,
+  redactByField,
+} from "./field.ts";
+export * from "./pattern.ts";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@logtape/redaction",
-  "version": "0.11.0",
+  "version": "0.12.0-dev.181+e4f33b9d",
   "description": "Redact sensitive data from log messages",
   "keywords": [
     "logging",
@@ -11,6 +11,7 @@
     "masking",
     "sensitive"
   ],
+  "license": "MIT",
   "author": {
     "name": "Hong Minhee",
     "email": "hong@minhee.org",
@@ -20,38 +21,40 @@
   "repository": {
     "type": "git",
     "url": "git+https://github.com/dahlia/logtape.git",
-    "directory": "file/"
+    "directory": "redaction/"
   },
-  "license": "MIT",
   "bugs": {
     "url": "https://github.com/dahlia/logtape/issues"
   },
-  "main": "./script/mod.js",
-  "module": "./esm/mod.js",
-  "types": "./types/mod.d.ts",
+  "funding": [
+    "https://github.com/sponsors/dahlia"
+  ],
+  "type": "module",
+  "module": "./dist/mod.js",
+  "main": "./dist/mod.cjs",
+  "types": "./dist/mod.d.ts",
   "exports": {
     ".": {
-      "import": {
-        "types": "./types/mod.d.ts",
-        "default": "./esm/mod.js"
-      },
-      "require": {
-        "types": "./types/mod.d.ts",
-        "default": "./script/mod.js"
-      }
-    }
+      "import": "./dist/mod.js",
+      "require": "./dist/mod.cjs",
+      "types": "./dist/mod.d.ts"
+    },
+    "./package.json": "./package.json"
   },
-  "scripts": {
-    "test": "node test_runner.js"
+  "peerDependencies": {
+    "@logtape/logtape": "0.12.0-dev.181+e4f33b9d"
   },
-  "funding": [
-    "https://github.com/sponsors/dahlia"
-  ],
   "devDependencies": {
-    "@types/node": "^20.9.0",
-    "picocolors": "^1.0.0",
-    "@deno/shim-deno": "~0.18.0",
-    "@logtape/logtape": "^0.11.0"
+    "@hongminhee/suite": "^0.6.2",
+    "@std/assert": "npm:@jsr/std__assert@^1.0.13",
+    "tsdown": "^0.12.7",
+    "typescript": "^5.8.3"
   },
-  "_generatedBy": "dnt@dev"
+  "scripts": {
+    "build": "tsdown",
+    "test": "tsdown && node --experimental-transform-types --test",
+    "test:bun": "tsdown && bun test",
+    "test:deno": "deno test",
+    "test-all": "tsdown && node --experimental-transform-types --test && bun test && deno test"
+  }
 }