@osovv/vv-opencode 0.2.4 → 0.3.0

package/dist/plugins/secrets-redaction/config.js

@@ -0,0 +1,158 @@
+// FILE: src/plugins/secrets-redaction/config.ts
+// VERSION: 1.0.0
+// START_MODULE_CONTRACT
+//   PURPOSE: Loads and validates secrets-redaction config from file system with environment variable substitution.
+//   SCOPE: config file lookup, env substitution, default values
+//   DEPENDS: node:fs/promises, node:path
+//   LINKS: knowledge-graph://plugins/secrets-redaction
+//   ROLE: RUNTIME
+//   MAP_MODE: EXPORTS
+// END_MODULE_CONTRACT
+//
+// START_MODULE_MAP
+//   loadConfig - loads and returns normalized config
+//   getConfigCandidates - returns ordered candidate paths
+// END_MODULE_MAP
+import { readFile } from "node:fs/promises";
+import { join } from "node:path";
+import { generateFallbackSecret } from "./session.js";
+export const DEFAULT_CONFIG = {
+    enabled: true,
+    secret: "",
+    ttlMs: 3_600_000,
+    maxMappings: 10_000,
+    patterns: {
+        keywords: [],
+        regex: [],
+        builtin: ["email", "china_phone", "china_id", "uuid", "ipv4", "mac"],
+        exclude: [],
+    },
+    debug: false,
+};
+const CONFIG_FILE_NAMES = ["secrets-redaction.config.json", "secrets-redaction.config.jsonc"];
+function substituteEnvVars(value) {
+    return value.replace(/\$\{([^}]+)\}/g, (_, varName) => {
+        return process.env[varName] ?? "";
+    });
+}
+function deepClone(obj) {
+    if (obj === null || typeof obj !== "object")
+        return obj;
+    if (Array.isArray(obj))
+        return obj.map(deepClone);
+    const result = {};
+    for (const [k, v] of Object.entries(obj)) {
+        result[k] = deepClone(v);
+    }
+    return result;
+}
+function mergeConfig(base, override) {
+    const result = deepClone(base);
+    if (override.enabled !== undefined)
+        result.enabled = override.enabled;
+    if (override.secret !== undefined)
+        result.secret = override.secret;
+    if (override.ttlMs !== undefined)
+        result.ttlMs = override.ttlMs;
+    if (override.maxMappings !== undefined)
+        result.maxMappings = override.maxMappings;
+    if (override.debug !== undefined)
+        result.debug = override.debug;
+    if (override.patterns) {
+        if (override.patterns.keywords)
+            result.patterns.keywords = override.patterns.keywords;
+        if (override.patterns.regex)
+            result.patterns.regex = override.patterns.regex;
+        if (override.patterns.builtin)
+            result.patterns.builtin = override.patterns.builtin;
+        if (override.patterns.exclude)
+            result.patterns.exclude = override.patterns.exclude;
+    }
+    return result;
+}
+function parseJsonc(content) {
+    content = content.replace(/\/\/.*$/gm, "");
+    content = content.replace(/\/\*[\s\S]*?\*\//g, "");
+    return JSON.parse(content);
+}
+function configFromJson(json) {
+    const result = {};
+    if (json.enabled !== undefined)
+        result.enabled = Boolean(json.enabled);
+    if (json.secret !== undefined && typeof json.secret === "string")
+        result.secret = json.secret;
+    if (json.ttlMs !== undefined)
+        result.ttlMs = Number(json.ttlMs);
+    if (json.maxMappings !== undefined)
+        result.maxMappings = Number(json.maxMappings);
+    if (json.debug !== undefined)
+        result.debug = Boolean(json.debug);
+    if (json.patterns && typeof json.patterns === "object") {
+        const p = json.patterns;
+        result.patterns = {
+            keywords: [],
+            regex: [],
+            builtin: [],
+            exclude: [],
+        };
+        if (Array.isArray(p.keywords))
+            result.patterns.keywords = p.keywords;
+        if (Array.isArray(p.regex))
+            result.patterns.regex = p.regex;
+        if (Array.isArray(p.builtin))
+            result.patterns.builtin = p.builtin;
+        if (Array.isArray(p.exclude))
+            result.patterns.exclude = p.exclude;
+    }
+    return result;
+}
+export function getConfigCandidates(directory) {
+    const candidates = [];
+    const envPath = process.env.OPENCODE_SECRETS_REDACTION_CONFIG;
+    if (envPath)
+        candidates.push(envPath);
+    for (const name of CONFIG_FILE_NAMES) {
+        candidates.push(join(directory, name));
+        candidates.push(join(directory, ".opencode", name));
+        candidates.push(join(directory, ".vvoc", name));
+    }
+    const xdgConfig = process.env.XDG_CONFIG_HOME ?? join(process.env.HOME ?? "", ".config");
+    for (const name of CONFIG_FILE_NAMES) {
+        candidates.push(join(xdgConfig, "opencode", name));
+        candidates.push(join(xdgConfig, "vvoc", name));
+    }
+    return candidates;
+}
+export async function loadConfig(directory) {
+    const candidates = getConfigCandidates(directory);
+    const warnings = [];
+    for (const candidate of candidates) {
+        try {
+            const content = await readFile(candidate, "utf-8");
+            const json = parseJsonc(content);
+            const partial = configFromJson(json);
+            let finalSecret = partial.secret ?? DEFAULT_CONFIG.secret;
+            if (finalSecret) {
+                finalSecret = substituteEnvVars(finalSecret);
+            }
+            if (!finalSecret) {
+                finalSecret = generateFallbackSecret();
+                warnings.push(`No VVOC_SECRET env var set — using random fallback secret. Secrets won't be reversible across restarts.`);
+            }
+            const merged = mergeConfig(DEFAULT_CONFIG, { ...partial, secret: finalSecret });
+            return { config: merged, path: candidate, warnings };
+        }
+        catch {
+            // file not found or parse error — continue
+        }
+    }
+    const fallbackSecret = generateFallbackSecret();
+    warnings.push(`No secrets-redaction config found — using defaults with random secret.`);
+    warnings.push(`Set VVOC_SECRET env var and create $XDG_CONFIG_HOME/vvoc/secrets-redaction.config.json for persistent redaction.`);
+    return {
+        config: { ...DEFAULT_CONFIG, secret: fallbackSecret },
+        path: null,
+        warnings,
+    };
+}
+//# sourceMappingURL=config.js.map

package/dist/plugins/secrets-redaction/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../../src/plugins/secrets-redaction/config.ts"],"names":[],"mappings":"AAAA,gDAAgD;AAChD,iBAAiB;AACjB,wBAAwB;AACxB,mHAAmH;AACnH,gEAAgE;AAChE,yCAAyC;AACzC,uDAAuD;AACvD,kBAAkB;AAClB,sBAAsB;AACtB,sBAAsB;AACtB,EAAE;AACF,mBAAmB;AACnB,qDAAqD;AACrD,0DAA0D;AAC1D,iBAAiB;AAEjB,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAC;AAgBtD,MAAM,CAAC,MAAM,cAAc,GAA2B;IACpD,OAAO,EAAE,IAAI;IACb,MAAM,EAAE,EAAE;IACV,KAAK,EAAE,SAAS;IAChB,WAAW,EAAE,MAAM;IACnB,QAAQ,EAAE;QACR,QAAQ,EAAE,EAAE;QACZ,KAAK,EAAE,EAAE;QACT,OAAO,EAAE,CAAC,OAAO,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC;QACpE,OAAO,EAAE,EAAE;KACZ;IACD,KAAK,EAAE,KAAK;CACb,CAAC;AAEF,MAAM,iBAAiB,GAAG,CAAC,+BAA+B,EAAE,gCAAgC,CAAC,CAAC;AAE9F,SAAS,iBAAiB,CAAC,KAAa;IACtC,OAAO,KAAK,CAAC,OAAO,CAAC,gBAAgB,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,EAAE;QACpD,OAAO,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;IACpC,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,SAAS,CAAI,GAAM;IAC1B,IAAI,GAAG,KAAK,IAAI,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,GAAG,CAAC;IACxD,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC,GAAG,CAAC,SAAS,CAAiB,CAAC;IAClE,MAAM,MAAM,GAA4B,EAAE,CAAC;IAC3C,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACzC,MAAM,CAAC,CAAC,CAAC,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;IAC3B,CAAC;IACD,OAAO,MAAW,CAAC;AACrB,CAAC;AAED,SAAS,WAAW,CAAC,IAA4B,EAAE,QAAyC;IAC1F,MAAM,MAAM,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;IAE/B,IAAI,QAAQ,CAAC,OAAO,KAAK,SAAS;QAAE,MAAM,CAAC,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC;IACtE,IAAI,QAAQ,CAAC,MAAM,KAAK,SAAS;QAAE,MAAM,CAAC,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC;IACnE,IAAI,QAAQ,CAAC,KAAK,KAAK,SAAS;QAAE,MAAM,CAAC,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC;IAChE,IAAI,QAAQ,CAAC,WAAW,KAAK,SAAS;QAAE,MAAM,CAAC,WAAW,GAAG,QAAQ,CAAC,WAAW,CAAC;IAClF,IAAI,QAAQ,CAAC,KAAK,KAAK,SAAS;QAAE,MAAM,CAAC,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC;IAEhE,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;QACtB,IAAI,QAAQ,CAAC,QAAQ,CAAC,QAAQ;YAAE,MAAM,CAAC,QAAS,CAAC,QAAQ,GAAG,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACvF,IAAI,QAAQ,CAAC,QAAQ,CAAC,KAAK;YAAE,MAAM,CAAC,QAAS,CAAC,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC;QAC9E,IAAI,QAAQ,CAAC,QAAQ,CAAC,OAAO;YAAE,MAAM,CAAC,QAAS,CAAC,OAAO,GAAG,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC;QACpF,IAAI,QAAQ,CAAC,QAAQ,CAAC,OAAO;YAAE,MAAM,CAAC,QAAS,CAAC,OAAO,GAAG,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC;IACtF,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,UAAU,CAAC,OAAe;IACjC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;IAC3C,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,mBAAmB,EAAE,EAAE,CAAC,CAAC;IACnD,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAA4B,CAAC;AACxD,CAAC;AAED,SAAS,cAAc,CAAC,IAA6B;IACnD,MAAM,MAAM,GAAoC,EAAE,CAAC;IAEnD,IAAI,IAAI,CAAC,OAAO,KAAK,SAAS;QAAE,MAAM,CAAC,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACvE,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS,IAAI,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ;QAAE,MAAM,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;IAC9F,IAAI,IAAI,CAAC,KAAK,KAAK,SAAS;QAAE,MAAM,CAAC,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAChE,IAAI,IAAI,CAAC,WAAW,KAAK,SAAS;QAAE,MAAM,CAAC,WAAW,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAClF,IAAI,IAAI,CAAC,KAAK,KAAK,SAAS;QAAE,MAAM,CAAC,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAEjE,IAAI,IAAI,CAAC,QAAQ,IAAI,OAAO,IAAI,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACvD,MAAM,CAAC,GAAG,IAAI,CAAC,QAAmC,CAAC;QACnD,MAAM,CAAC,QAAQ,GAAG;YAChB,QAAQ,EAAE,EAAE;YACZ,KAAK,EAAE,EAAE;YACT,OAAO,EAAE,EAAE;YACX,OAAO,EAAE,EAAE;SACZ,CAAC;QAEF,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC;YAAE,MAAM,CAAC,QAAQ,CAAC,QAAQ,GAAG,CAAC,CAAC,QAA0D,CAAC;QACvH,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC;YAAE,MAAM,CAAC,QAAQ,CAAC,KAAK,GAAG,CAAC,CAAC,KAAoD,CAAC;QAC3G,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC;YAAE,MAAM,CAAC,QAAQ,CAAC,OAAO,GAAG,CAAC,CAAC,OAAmB,CAAC;QAC9E,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC;YAAE,MAAM,CAAC,QAAQ,CAAC,OAAO,GAAG,CAAC,CAAC,OAAmB,CAAC;IAChF,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,SAAiB;IACnD,MAAM,UAAU,GAAa,EAAE,CAAC;IAEhC,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,iCAAiC,CAAC;IAC9D,IAAI,OAAO;QAAE,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAEtC,KAAK,MAAM,IAAI,IAAI,iBAAiB,EAAE,CAAC;QACrC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC,CAAC;QACvC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,EAAE,IAAI,CAAC,CAAC,CAAC;QACpD,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC,CAAC;IAClD,CAAC;IAED,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,EAAE,SAAS,CAAC,CAAC;IACzF,KAAK,MAAM,IAAI,IAAI,iBAAiB,EAAE,CAAC;QACrC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,UAAU,EAAE,IAAI,CAAC,CAAC,CAAC;QACnD,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC;IACjD,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,SAAiB;IAKhD,MAAM,UAAU,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAC;IAClD,MAAM,QAAQ,GAAa,EAAE,CAAC;IAE9B,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;YACnD,MAAM,IAAI,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;YACjC,MAAM,OAAO,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;YAErC,IAAI,WAAW,GAAG,OAAO,CAAC,MAAM,IAAI,cAAc,CAAC,MAAM,CAAC;YAC1D,IAAI,WAAW,EAAE,CAAC;gBAChB,WAAW,GAAG,iBAAiB,CAAC,WAAW,CAAC,CAAC;YAC/C,CAAC;YAED,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,WAAW,GAAG,sBAAsB,EAAE,CAAC;gBACvC,QAAQ,CAAC,IAAI,CAAC,yGAAyG,CAAC,CAAC;YAC3H,CAAC;YAED,MAAM,MAAM,GAAG,WAAW,CAAC,cAAc,EAAE,EAAE,GAAG,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC,CAAC;YAEhF,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC;QACvD,CAAC;QAAC,MAAM,CAAC;YACP,2CAA2C;QAC7C,CAAC;IACH,CAAC;IAED,MAAM,cAAc,GAAG,sBAAsB,EAAE,CAAC;IAChD,QAAQ,CAAC,IAAI,CAAC,wEAAwE,CAAC,CAAC;IACxF,QAAQ,CAAC,IAAI,CAAC,kHAAkH,CAAC,CAAC;IAElI,OAAO;QACL,MAAM,EAAE,EAAE,GAAG,cAAc,EAAE,MAAM,EAAE,cAAc,EAAE;QACrD,IAAI,EAAE,IAAI;QACV,QAAQ;KACT,CAAC;AACJ,CAAC"}

package/dist/plugins/secrets-redaction/deep.d.ts

@@ -0,0 +1,4 @@
+import { type PlaceholderSession } from "./session.js";
+import { type PatternSet } from "./patterns.js";
+export declare function restoreDeep(value: unknown, session: PlaceholderSession): unknown;
+export declare function redactDeep(value: unknown, patternSet: PatternSet, session: PlaceholderSession): unknown;

package/dist/plugins/secrets-redaction/deep.js

@@ -0,0 +1,78 @@
+// FILE: src/plugins/secrets-redaction/deep.ts
+// VERSION: 1.0.0
+// START_MODULE_CONTRACT
+//   PURPOSE: Deep traversal helpers for restoring/redacting placeholders in nested objects and arrays.
+//   SCOPE: in-place object/array traversal, cycle-safe with WeakSet
+//   DEPENDS: session, restore, engine
+//   LINKS: knowledge-graph://plugins/secrets-redaction
+//   ROLE: RUNTIME
+//   MAP_MODE: EXPORTS
+// END_MODULE_CONTRACT
+//
+// START_MODULE_MAP
+//   restoreDeep - restores placeholders in objects/arrays in-place
+//   redactDeep - redacts secrets in objects/arrays in-place
+// END_MODULE_MAP
+import { redactText } from "./engine.js";
+import { restoreText } from "./restore.js";
+export function restoreDeep(value, session) {
+    if (value === null || value === undefined)
+        return value;
+    if (typeof value === "string")
+        return restoreText(value, session);
+    if (typeof value === "number" || typeof value === "boolean")
+        return value;
+    if (typeof value === "bigint")
+        return value;
+    if (Array.isArray(value)) {
+        for (let i = 0; i < value.length; i++) {
+            value[i] = restoreDeep(value[i], session);
+        }
+        return value;
+    }
+    if (typeof value === "object") {
+        const seen = new WeakSet();
+        return restoreDeepObject(value, session, seen);
+    }
+    return value;
+}
+function restoreDeepObject(obj, session, seen) {
+    if (seen.has(obj))
+        return obj;
+    seen.add(obj);
+    for (const key of Object.keys(obj)) {
+        obj[key] = restoreDeep(obj[key], session);
+    }
+    return obj;
+}
+export function redactDeep(value, patternSet, session) {
+    if (value === null || value === undefined)
+        return value;
+    if (typeof value === "string")
+        return redactText(value, patternSet, session).text;
+    if (typeof value === "number" || typeof value === "boolean")
+        return value;
+    if (typeof value === "bigint")
+        return value;
+    if (Array.isArray(value)) {
+        for (let i = 0; i < value.length; i++) {
+            value[i] = redactDeep(value[i], patternSet, session);
+        }
+        return value;
+    }
+    if (typeof value === "object") {
+        const seen = new WeakSet();
+        return redactDeepObject(value, patternSet, session, seen);
+    }
+    return value;
+}
+function redactDeepObject(obj, patternSet, session, seen) {
+    if (seen.has(obj))
+        return obj;
+    seen.add(obj);
+    for (const key of Object.keys(obj)) {
+        obj[key] = redactDeep(obj[key], patternSet, session);
+    }
+    return obj;
+}
+//# sourceMappingURL=deep.js.map

package/dist/plugins/secrets-redaction/deep.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"deep.js","sourceRoot":"","sources":["../../../src/plugins/secrets-redaction/deep.ts"],"names":[],"mappings":"AAAA,8CAA8C;AAC9C,iBAAiB;AACjB,wBAAwB;AACxB,uGAAuG;AACvG,oEAAoE;AACpE,sCAAsC;AACtC,uDAAuD;AACvD,kBAAkB;AAClB,sBAAsB;AACtB,sBAAsB;AACtB,EAAE;AACF,mBAAmB;AACnB,mEAAmE;AACnE,4DAA4D;AAC5D,iBAAiB;AAIjB,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAE3C,MAAM,UAAU,WAAW,CAAC,KAAc,EAAE,OAA2B;IACrE,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IACxD,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,WAAW,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IAClE,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,OAAO,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IAC1E,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAE5C,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,KAAK,CAAC,CAAC,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,OAAO,CAAU,CAAC;QACrD,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,IAAI,GAAG,IAAI,OAAO,EAAE,CAAC;QAC3B,OAAO,iBAAiB,CAAC,KAAgC,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;IAC5E,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,iBAAiB,CACxB,GAA4B,EAC5B,OAA2B,EAC3B,IAAqB;IAErB,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC;IAC9B,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAEd,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACnC,GAAG,CAAC,GAAG,CAAC,GAAG,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,OAAO,CAAU,CAAC;IACrD,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,UAAU,UAAU,CACxB,KAAc,EACd,UAAsB,EACtB,OAA2B;IAE3B,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IACxD,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,UAAU,CAAC,KAAK,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC;IAClF,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,OAAO,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IAC1E,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC;IAE5C,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,KAAK,CAAC,CAAC,CAAC,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,OAAO,CAAU,CAAC;QAChE,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,IAAI,GAAG,IAAI,OAAO,EAAE,CAAC;QAC3B,OAAO,gBAAgB,CAAC,KAAgC,EAAE,UAAU,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;IACvF,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,gBAAgB,CACvB,GAA4B,EAC5B,UAAsB,EACtB,OAA2B,EAC3B,IAAqB;IAErB,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC;IAC9B,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAEd,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACnC,GAAG,CAAC,GAAG,CAAC,GAAG,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,UAAU,EAAE,OAAO,CAAU,CAAC;IAChE,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/plugins/secrets-redaction/engine.d.ts

@@ -0,0 +1,14 @@
+import { type PatternSet } from "./patterns.js";
+import { type PlaceholderSession } from "./session.js";
+export interface Match {
+    start: number;
+    end: number;
+    original: string;
+    placeholder: string;
+    category: string;
+}
+export interface RedactResult {
+    text: string;
+    matches: Match[];
+}
+export declare function redactText(input: string, patternSet: PatternSet, session: PlaceholderSession): RedactResult;

package/dist/plugins/secrets-redaction/engine.js

@@ -0,0 +1,113 @@
+// FILE: src/plugins/secrets-redaction/engine.ts
+// VERSION: 1.0.0
+// START_MODULE_CONTRACT
+//   PURPOSE: Core redaction engine — performs find/replace of secrets with placeholders in text.
+//   SCOPE: text scanning, match sorting, interval arithmetic, replacement
+//   DEPENDS: session, patterns
+//   LINKS: knowledge-graph://plugins/secrets-redaction
+//   ROLE: RUNTIME
+//   MAP_MODE: EXPORTS
+// END_MODULE_CONTRACT
+//
+// START_MODULE_MAP
+//   redactText - replaces secrets in text with placeholders, returns changed text + match list
+// END_MODULE_MAP
+function subtractCovered(intervals) {
+    if (intervals.length === 0)
+        return [];
+    intervals.sort((a, b) => a[0] - b[0]);
+    const result = [];
+    let currentEnd = intervals[0][0];
+    for (const [start, end] of intervals) {
+        if (start > currentEnd) {
+            result.push([currentEnd, start]);
+        }
+        if (end > currentEnd) {
+            currentEnd = end;
+        }
+    }
+    return result;
+}
+function insertCovered(intervals, newInterval) {
+    const merged = [...intervals, newInterval];
+    merged.sort((a, b) => a[0] - b[0]);
+    const result = [];
+    for (const interval of merged) {
+        if (result.length > 0 && interval[0] <= result[result.length - 1][1]) {
+            result[result.length - 1][1] = Math.max(result[result.length - 1][1], interval[1]);
+        }
+        else {
+            result.push([...interval]);
+        }
+    }
+    return result;
+}
+function sortByPositionDesc(rules, text) {
+    const allMatches = [];
+    for (const rule of rules) {
+        const re = new RegExp(rule.pattern.source, rule.pattern.flags.includes("g") ? rule.pattern.flags : `${rule.pattern.flags}g`);
+        let match;
+        while ((match = re.exec(text)) !== null) {
+            allMatches.push({ rule, match: match });
+        }
+    }
+    allMatches.sort((a, b) => {
+        const aStart = a.match.index;
+        const bStart = b.match.index;
+        if (aStart !== bStart)
+            return bStart - aStart;
+        return (b.match[0].length - a.match[0].length);
+    });
+    return allMatches.map((x) => ({ rule: x.rule, matches: x.match }));
+}
+export function redactText(input, patternSet, session) {
+    if (!input || patternSet.rules.length === 0) {
+        return { text: input, matches: [] };
+    }
+    const sorted = sortByPositionDesc(patternSet.rules, input);
+    const covered = [];
+    const matches = [];
+    for (const { rule, matches: match } of sorted) {
+        const start = match.index;
+        const end = start + match[0].length;
+        const value = match[0];
+        if (patternSet.exclude.has(value.toLowerCase())) {
+            continue;
+        }
+        const gaps = subtractCovered(covered);
+        const isInside = gaps.every(([gStart, gEnd]) => start >= gStart && end <= gEnd);
+        if (isInside)
+            continue;
+        const placeholder = session.getOrCreatePlaceholder(value, rule.category);
+        matches.push({ start, end, original: value, placeholder, category: rule.category });
+        const remainingGaps = [];
+        for (const [gStart, gEnd] of gaps) {
+            if (start >= gEnd || end <= gStart) {
+                remainingGaps.push([gStart, gEnd]);
+            }
+            else {
+                if (start > gStart) {
+                    remainingGaps.push([gStart, start]);
+                }
+                if (end < gEnd) {
+                    remainingGaps.push([end, gEnd]);
+                }
+            }
+        }
+        covered.length = 0;
+        for (const g of remainingGaps) {
+            insertCovered(covered, g);
+        }
+    }
+    const sortedMatches = [...matches].sort((a, b) => a.start - b.start);
+    let result = "";
+    let lastIndex = 0;
+    for (const m of sortedMatches) {
+        result += input.slice(lastIndex, m.start);
+        result += m.placeholder;
+        lastIndex = m.end;
+    }
+    result += input.slice(lastIndex);
+    return { text: result, matches: sortedMatches };
+}
+//# sourceMappingURL=engine.js.map

package/dist/plugins/secrets-redaction/engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.js","sourceRoot":"","sources":["../../../src/plugins/secrets-redaction/engine.ts"],"names":[],"mappings":"AAAA,gDAAgD;AAChD,iBAAiB;AACjB,wBAAwB;AACxB,iGAAiG;AACjG,0EAA0E;AAC1E,+BAA+B;AAC/B,uDAAuD;AACvD,kBAAkB;AAClB,sBAAsB;AACtB,sBAAsB;AACtB,EAAE;AACF,mBAAmB;AACnB,+FAA+F;AAC/F,iBAAiB;AAkBjB,SAAS,eAAe,CAAC,SAA6B;IACpD,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAEtC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAEtC,MAAM,MAAM,GAAuB,EAAE,CAAC;IACtC,IAAI,UAAU,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAEjC,KAAK,MAAM,CAAC,KAAK,EAAE,GAAG,CAAC,IAAI,SAAS,EAAE,CAAC;QACrC,IAAI,KAAK,GAAG,UAAU,EAAE,CAAC;YACvB,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC,CAAC;QACnC,CAAC;QACD,IAAI,GAAG,GAAG,UAAU,EAAE,CAAC;YACrB,UAAU,GAAG,GAAG,CAAC;QACnB,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,aAAa,CACpB,SAA6B,EAC7B,WAA6B;IAE7B,MAAM,MAAM,GAAG,CAAC,GAAG,SAAS,EAAE,WAAW,CAAC,CAAC;IAC3C,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAEnC,MAAM,MAAM,GAAuB,EAAE,CAAC;IACtC,KAAK,MAAM,QAAQ,IAAI,MAAM,EAAE,CAAC;QAC9B,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,IAAI,QAAQ,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACrE,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;QACrF,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,kBAAkB,CAAC,KAAoB,EAAE,IAAY;IAC5D,MAAM,UAAU,GAA0D,EAAE,CAAC;IAE7E,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,EAAE,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,GAAG,CAAC,CAAC;QAC7H,IAAI,KAA6B,CAAC;QAClC,OAAO,CAAC,KAAK,GAAG,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACxC,UAAU,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,KAAyB,EAAE,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC;IAED,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACvB,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,KAAM,CAAC;QAC9B,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,KAAM,CAAC;QAC9B,IAAI,MAAM,KAAK,MAAM;YAAE,OAAO,MAAM,GAAG,MAAM,CAAC;QAC9C,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,OAAO,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;AACrE,CAAC;AAED,MAAM,UAAU,UAAU,CACxB,KAAa,EACb,UAAsB,EACtB,OAA2B;IAE3B,IAAI,CAAC,KAAK,IAAI,UAAU,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5C,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IACtC,CAAC;IAED,MAAM,MAAM,GAAG,kBAAkB,CAAC,UAAU,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAE3D,MAAM,OAAO,GAAuB,EAAE,CAAC;IACvC,MAAM,OAAO,GAAY,EAAE,CAAC;IAE5B,KAAK,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,MAAM,EAAE,CAAC;QAC9C,MAAM,KAAK,GAAG,KAAK,CAAC,KAAM,CAAC;QAC3B,MAAM,GAAG,GAAG,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;QACpC,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAEvB,IAAI,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;YAChD,SAAS;QACX,CAAC;QAED,MAAM,IAAI,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;QACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,KAAK,IAAI,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,CAAC;QAChF,IAAI,QAAQ;YAAE,SAAS;QAEvB,MAAM,WAAW,GAAG,OAAO,CAAC,sBAAsB,CAAC,KAAK,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;QACzE,OAAO,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,WAAW,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;QAEpF,MAAM,aAAa,GAAuB,EAAE,CAAC;QAC7C,KAAK,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC;YAClC,IAAI,KAAK,IAAI,IAAI,IAAI,GAAG,IAAI,MAAM,EAAE,CAAC;gBACnC,aAAa,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC;YACrC,CAAC;iBAAM,CAAC;gBACN,IAAI,KAAK,GAAG,MAAM,EAAE,CAAC;oBACnB,aAAa,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;gBACtC,CAAC;gBACD,IAAI,GAAG,GAAG,IAAI,EAAE,CAAC;oBACf,aAAa,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC;gBAClC,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC;QACnB,KAAK,MAAM,CAAC,IAAI,aAAa,EAAE,CAAC;YAC9B,aAAa,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC;IAED,MAAM,aAAa,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;IAErE,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,IAAI,SAAS,GAAG,CAAC,CAAC;IAElB,KAAK,MAAM,CAAC,IAAI,aAAa,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;QAC1C,MAAM,IAAI,CAAC,CAAC,WAAW,CAAC;QACxB,SAAS,GAAG,CAAC,CAAC,GAAG,CAAC;IACpB,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IAEjC,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,CAAC;AAClD,CAAC"}

package/dist/plugins/secrets-redaction/index.d.ts

@@ -0,0 +1,2 @@
+import type { Plugin } from "@opencode-ai/plugin";
+export declare const SecretsRedactionPlugin: Plugin;

package/dist/plugins/secrets-redaction/index.js

@@ -0,0 +1,124 @@
+// FILE: src/plugins/secrets-redaction/index.ts
+// VERSION: 1.0.0
+// START_MODULE_CONTRACT
+//   PURPOSE: OpenCode plugin that redacts secrets from messages before LLM requests and restores them after.
+//   SCOPE: 3 hook handlers — chat.messages.transform, text.complete, tool.execute.before
+//   DEPENDS: session, engine, patterns, restore, deep, config
+//   LINKS: knowledge-graph://plugins/secrets-redaction
+//   ROLE: RUNTIME
+//   MAP_MODE: EXPORTS
+// END_MODULE_CONTRACT
+//
+// START_MODULE_MAP
+//   SecretsRedactionPlugin - main plugin factory function
+// END_MODULE_MAP
+import { loadConfig } from "./config.js";
+import { buildPatternSet } from "./patterns.js";
+import { redactText } from "./engine.js";
+import { restoreText } from "./restore.js";
+import { redactDeep, restoreDeep } from "./deep.js";
+import { PlaceholderSession } from "./session.js";
+const PLACEHOLDER_PREFIX = "__VVOC_SECRET_";
+function isTextPart(part) {
+    return part.type === "text";
+}
+function isReasoningPart(part) {
+    return part.type === "reasoning";
+}
+function redactMessageParts(parts, patternSet, session) {
+    for (const part of parts) {
+        if (isTextPart(part)) {
+            const result = redactText(part.text, patternSet, session);
+            part.text = result.text;
+        }
+        if (isReasoningPart(part)) {
+            const result = redactText(part.text, patternSet, session);
+            part.text = result.text;
+        }
+    }
+}
+function redactAssistantState(msg, patternSet, session) {
+    const state = msg.state;
+    if (state) {
+        if (state.input) {
+            redactDeep(state.input, patternSet, session);
+        }
+        if (state.output) {
+            redactDeep(state.output, patternSet, session);
+        }
+        if (state.error) {
+            redactDeep(state.error, patternSet, session);
+        }
+        if (state.raw) {
+            redactDeep(state.raw, patternSet, session);
+        }
+    }
+}
+export const SecretsRedactionPlugin = async (ctx) => {
+    const { config, path, warnings } = await loadConfig(ctx.directory);
+    if (config.debug) {
+        await ctx.client.app.log({
+            body: {
+                service: "secrets-redaction",
+                level: "debug",
+                message: `config loaded from: ${path ?? "none"}`,
+            },
+        });
+    }
+    for (const warning of warnings) {
+        await ctx.client.app.log({
+            body: {
+                service: "secrets-redaction",
+                level: "warn",
+                message: warning,
+            },
+        });
+    }
+    if (!config.enabled) {
+        return {};
+    }
+    const patternSet = buildPatternSet(config.patterns);
+    const session = new PlaceholderSession({
+        prefix: PLACEHOLDER_PREFIX,
+        ttlMs: config.ttlMs,
+        maxMappings: config.maxMappings,
+        secret: config.secret,
+    });
+    if (config.ttlMs > 0) {
+        setInterval(() => {
+            const evicted = session.cleanup(Date.now());
+            if (config.debug && evicted > 0) {
+                ctx.client.app.log({
+                    body: {
+                        service: "secrets-redaction",
+                        level: "debug",
+                        message: `evicted ${evicted} expired placeholders`,
+                    },
+                });
+            }
+        }, Math.min(config.ttlMs, 60_000));
+    }
+    return {
+        config: async () => { },
+        event: async () => { },
+        "tool.execute.before": async (_input, output) => {
+            if (output.args) {
+                restoreDeep(output.args, session);
+            }
+        },
+        "experimental.chat.messages.transform": async (_input, output) => {
+            for (const msg of output.messages) {
+                if (msg.info.role === "assistant") {
+                    redactAssistantState(msg.info, patternSet, session);
+                }
+                redactMessageParts(msg.parts, patternSet, session);
+            }
+        },
+        "experimental.text.complete": async (_input, output) => {
+            if (output.text) {
+                output.text = restoreText(output.text, session);
+            }
+        },
+    };
+};
+//# sourceMappingURL=index.js.map

package/dist/plugins/secrets-redaction/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/plugins/secrets-redaction/index.ts"],"names":[],"mappings":"AAAA,+CAA+C;AAC/C,iBAAiB;AACjB,wBAAwB;AACxB,6GAA6G;AAC7G,yFAAyF;AACzF,8DAA8D;AAC9D,uDAAuD;AACvD,kBAAkB;AAClB,sBAAsB;AACtB,sBAAsB;AACtB,EAAE;AACF,mBAAmB;AACnB,0DAA0D;AAC1D,iBAAiB;AAEjB,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AACpD,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAIlD,MAAM,kBAAkB,GAAG,gBAAgB,CAAC;AAE5C,SAAS,UAAU,CAAC,IAAU;IAC5B,OAAO,IAAI,CAAC,IAAI,KAAK,MAAM,CAAC;AAC9B,CAAC;AAED,SAAS,eAAe,CAAC,IAAU;IACjC,OAAO,IAAI,CAAC,IAAI,KAAK,WAAW,CAAC;AACnC,CAAC;AAED,SAAS,kBAAkB,CAAC,KAAa,EAAE,UAA8C,EAAE,OAA2B;IACpH,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACrB,MAAM,MAAM,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;YAC1D,IAAI,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;QAC1B,CAAC;QACD,IAAI,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1B,MAAM,MAAM,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;YAC1D,IAAI,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;QAC1B,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAAC,GAAY,EAAE,UAA8C,EAAE,OAA2B;IACrH,MAAM,KAAK,GAAI,GAA2C,CAAC,KAAK,CAAC;IACjE,IAAI,KAAK,EAAE,CAAC;QACV,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;YAChB,UAAU,CAAC,KAAK,CAAC,KAAK,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;QAC/C,CAAC;QACD,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;YACjB,UAAU,CAAC,KAAK,CAAC,MAAM,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;QAChD,CAAC;QACD,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;YAChB,UAAU,CAAC,KAAK,CAAC,KAAK,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;QAC/C,CAAC;QACD,IAAI,KAAK,CAAC,GAAG,EAAE,CAAC;YACd,UAAU,CAAC,KAAK,CAAC,GAAG,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;QAC7C,CAAC;IACH,CAAC;AACH,CAAC;AAED,MAAM,CAAC,MAAM,sBAAsB,GAAW,KAAK,EAAE,GAAG,EAAE,EAAE;IAC1D,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,MAAM,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAEnE,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,MAAM,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC;YACvB,IAAI,EAAE;gBACJ,OAAO,EAAE,mBAAmB;gBAC5B,KAAK,EAAE,OAAgB;gBACvB,OAAO,EAAE,uBAAuB,IAAI,IAAI,MAAM,EAAE;aACjD;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC;YACvB,IAAI,EAAE;gBACJ,OAAO,EAAE,mBAAmB;gBAC5B,KAAK,EAAE,MAAe;gBACtB,OAAO,EAAE,OAAO;aACjB;SACF,CAAC,CAAC;IACL,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,UAAU,GAAG,eAAe,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACpD,MAAM,OAAO,GAAG,IAAI,kBAAkB,CAAC;QACrC,MAAM,EAAE,kBAAkB;QAC1B,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,MAAM,EAAE,MAAM,CAAC,MAAM;KACtB,CAAC,CAAC;IAEH,IAAI,MAAM,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC;QACrB,WAAW,CAAC,GAAG,EAAE;YACf,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;YAC5C,IAAI,MAAM,CAAC,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,CAAC;gBAChC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC;oBACjB,IAAI,EAAE;wBACJ,OAAO,EAAE,mBAAmB;wBAC5B,KAAK,EAAE,OAAgB;wBACvB,OAAO,EAAE,WAAW,OAAO,uBAAuB;qBACnD;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC;IACrC,CAAC;IAED,OAAO;QACL,MAAM,EAAE,KAAK,IAAI,EAAE,GAAE,CAAC;QACtB,KAAK,EAAE,KAAK,IAAI,EAAE,GAAE,CAAC;QACrB,qBAAqB,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE;YAC9C,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;gBAChB,WAAW,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YACpC,CAAC;QACH,CAAC;QACD,sCAAsC,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE;YAC/D,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBAClC,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;oBAClC,oBAAoB,CAAC,GAAG,CAAC,IAAI,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;gBACtD,CAAC;gBACD,kBAAkB,CAAC,GAAG,CAAC,KAAK,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;YACrD,CAAC;QACH,CAAC;QACD,4BAA4B,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE;YACrD,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;gBAChB,MAAM,CAAC,IAAI,GAAG,WAAW,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAClD,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC,CAAC"}

package/dist/plugins/secrets-redaction/patterns.d.ts

@@ -0,0 +1,26 @@
+export interface PatternRule {
+    pattern: RegExp;
+    category: string;
+}
+export interface PatternSet {
+    rules: PatternRule[];
+    exclude: Set<string>;
+}
+export interface PatternsConfig {
+    keywords?: Array<{
+        value: string;
+        category?: string;
+    }>;
+    regex?: Array<{
+        pattern: string;
+        category: string;
+    }>;
+    builtin?: string[];
+    exclude?: string[];
+}
+declare const BUILTIN_PATTERNS: Map<string, {
+    pattern: string;
+    category: string;
+}>;
+export declare function buildPatternSet(config: PatternsConfig): PatternSet;
+export { BUILTIN_PATTERNS };

package/dist/plugins/secrets-redaction/patterns.js

@@ -0,0 +1,85 @@
+// FILE: src/plugins/secrets-redaction/patterns.ts
+// VERSION: 1.0.0
+// START_MODULE_CONTRACT
+//   PURPOSE: Builds the internal pattern set from config — keywords, regex rules, and builtin patterns.
+//   SCOPE: pattern parsing, normalization, deduplication
+//   DEPENDS: node:crypto (for hashing)
+//   LINKS: knowledge-graph://plugins/secrets-redaction
+//   ROLE: RUNTIME
+//   MAP_MODE: EXPORTS
+// END_MODULE_CONTRACT
+//
+// START_MODULE_MAP
+//   buildPatternSet - builds pattern set from config object
+//   BUILTIN_PATTERNS - Map of 6 builtin pattern definitions
+// END_MODULE_MAP
+const BUILTIN_PATTERNS = new Map([
+    ["email", { pattern: "[a-z0-9._%+-]+@[a-z0-9.-]+\\.[a-z]{2,}", category: "EMAIL" }],
+    [
+        "china_phone",
+        { pattern: "(?<!\\d)1[3-9]\\d{9}(?!\\d)", category: "CHINA_PHONE" },
+    ],
+    [
+        "china_id",
+        { pattern: "(?<!\\d)\\d{17}[\\dXx](?!\\d)", category: "CHINA_ID" },
+    ],
+    [
+        "uuid",
+        {
+            pattern: "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}",
+            category: "UUID",
+        },
+    ],
+    [
+        "ipv4",
+        { pattern: "(?:\\d{1,3}\\.){3}\\d{1,3}", category: "IPV4" },
+    ],
+    ["mac", { pattern: "(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", category: "MAC" }],
+]);
+function peelFlags(pattern) {
+    const inlineFlags = [];
+    let p = pattern;
+    const iMatch = p.match(/^\(\?([a-z]+)\)/);
+    if (iMatch) {
+        const captured = iMatch[1];
+        if (captured.includes("i"))
+            inlineFlags.push("i");
+        if (captured.includes("m"))
+            inlineFlags.push("m");
+        if (captured.includes("s"))
+            inlineFlags.push("s");
+        p = p.slice(iMatch[0].length);
+    }
+    return { pattern: p, flags: inlineFlags.join("") };
+}
+function buildRegex(pattern, defaultFlags = "gi") {
+    const { pattern: raw, flags: peeled } = peelFlags(pattern);
+    const flags = peeled ? `${defaultFlags}${peeled}` : defaultFlags;
+    return new RegExp(raw, flags);
+}
+export function buildPatternSet(config) {
+    const rules = [];
+    if (config.builtin) {
+        for (const name of config.builtin) {
+            const builtin = BUILTIN_PATTERNS.get(name);
+            if (builtin) {
+                rules.push({ pattern: buildRegex(builtin.pattern), category: builtin.category });
+            }
+        }
+    }
+    if (config.regex) {
+        for (const { pattern, category } of config.regex) {
+            rules.push({ pattern: buildRegex(pattern), category });
+        }
+    }
+    if (config.keywords) {
+        for (const { value, category = "KEYWORD" } of config.keywords) {
+            const escaped = value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+            rules.push({ pattern: new RegExp(escaped, "gi"), category });
+        }
+    }
+    const exclude = new Set(config.exclude ?? []);
+    return { rules, exclude };
+}
+export { BUILTIN_PATTERNS };
+//# sourceMappingURL=patterns.js.map

package/dist/plugins/secrets-redaction/patterns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../../src/plugins/secrets-redaction/patterns.ts"],"names":[],"mappings":"AAAA,kDAAkD;AAClD,iBAAiB;AACjB,wBAAwB;AACxB,wGAAwG;AACxG,yDAAyD;AACzD,uCAAuC;AACvC,uDAAuD;AACvD,kBAAkB;AAClB,sBAAsB;AACtB,sBAAsB;AACtB,EAAE;AACF,mBAAmB;AACnB,4DAA4D;AAC5D,4DAA4D;AAC5D,iBAAiB;AAmBjB,MAAM,gBAAgB,GAAuD,IAAI,GAAG,CAAC;IACnF,CAAC,OAAO,EAAE,EAAE,OAAO,EAAE,wCAAwC,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;IACnF;QACE,aAAa;QACb,EAAE,OAAO,EAAE,6BAA6B,EAAE,QAAQ,EAAE,aAAa,EAAE;KACpE;IACD;QACE,UAAU;QACV,EAAE,OAAO,EAAE,+BAA+B,EAAE,QAAQ,EAAE,UAAU,EAAE;KACnE;IACD;QACE,MAAM;QACN;YACE,OAAO,EAAE,0FAA0F;YACnG,QAAQ,EAAE,MAAM;SACjB;KACF;IACD;QACE,MAAM;QACN,EAAE,OAAO,EAAE,4BAA4B,EAAE,QAAQ,EAAE,MAAM,EAAE;KAC5D;IACD,CAAC,KAAK,EAAE,EAAE,OAAO,EAAE,gCAAgC,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;CACxE,CAAC,CAAC;AAEH,SAAS,SAAS,CAAC,OAAe;IAChC,MAAM,WAAW,GAAa,EAAE,CAAC;IACjC,IAAI,CAAC,GAAG,OAAO,CAAC;IAEhB,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;IAC1C,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,QAAQ,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;QAC3B,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC;YAAE,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAClD,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC;YAAE,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAClD,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC;YAAE,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAClD,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;IAChC,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,KAAK,EAAE,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;AACrD,CAAC;AAED,SAAS,UAAU,CAAC,OAAe,EAAE,YAAY,GAAG,IAAI;IACtD,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,SAAS,CAAC,OAAO,CAAC,CAAC;IAC3D,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,GAAG,YAAY,GAAG,MAAM,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC;IACjE,OAAO,IAAI,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;AAChC,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,MAAsB;IACpD,MAAM,KAAK,GAAkB,EAAE,CAAC;IAEhC,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACnB,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YAClC,MAAM,OAAO,GAAG,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAC3C,IAAI,OAAO,EAAE,CAAC;gBACZ,KAAK,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,QAAQ,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;YACnF,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,KAAK,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YACjD,KAAK,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACpB,KAAK,MAAM,EAAE,KAAK,EAAE,QAAQ,GAAG,SAAS,EAAE,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YAC9D,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;YAC7D,KAAK,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC/D,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,GAAG,CAAS,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC;IAEtD,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;AAC5B,CAAC;AAED,OAAO,EAAE,gBAAgB,EAAE,CAAC"}

package/dist/plugins/secrets-redaction/restore.d.ts

@@ -0,0 +1,2 @@
+import { type PlaceholderSession } from "./session.js";
+export declare function restoreText(input: string, session: PlaceholderSession): string;