@osovv/vv-opencode 0.2.5 → 0.3.3

package/dist/plugins/secrets-redaction/engine.js

@@ -0,0 +1,113 @@
+// FILE: src/plugins/secrets-redaction/engine.ts
+// VERSION: 1.0.0
+// START_MODULE_CONTRACT
+//   PURPOSE: Core redaction engine — performs find/replace of secrets with placeholders in text.
+//   SCOPE: text scanning, match sorting, interval arithmetic, replacement
+//   DEPENDS: session, patterns
+//   LINKS: knowledge-graph://plugins/secrets-redaction
+//   ROLE: RUNTIME
+//   MAP_MODE: EXPORTS
+// END_MODULE_CONTRACT
+//
+// START_MODULE_MAP
+//   redactText - replaces secrets in text with placeholders, returns changed text + match list
+// END_MODULE_MAP
+function subtractCovered(intervals) {
+    if (intervals.length === 0)
+        return [];
+    intervals.sort((a, b) => a[0] - b[0]);
+    const result = [];
+    let currentEnd = intervals[0][0];
+    for (const [start, end] of intervals) {
+        if (start > currentEnd) {
+            result.push([currentEnd, start]);
+        }
+        if (end > currentEnd) {
+            currentEnd = end;
+        }
+    }
+    return result;
+}
+function insertCovered(intervals, newInterval) {
+    const merged = [...intervals, newInterval];
+    merged.sort((a, b) => a[0] - b[0]);
+    const result = [];
+    for (const interval of merged) {
+        if (result.length > 0 && interval[0] <= result[result.length - 1][1]) {
+            result[result.length - 1][1] = Math.max(result[result.length - 1][1], interval[1]);
+        }
+        else {
+            result.push([...interval]);
+        }
+    }
+    return result;
+}
+function sortByPositionDesc(rules, text) {
+    const allMatches = [];
+    for (const rule of rules) {
+        const re = new RegExp(rule.pattern.source, rule.pattern.flags.includes("g") ? rule.pattern.flags : `${rule.pattern.flags}g`);
+        let match;
+        while ((match = re.exec(text)) !== null) {
+            allMatches.push({ rule, match: match });
+        }
+    }
+    allMatches.sort((a, b) => {
+        const aStart = a.match.index;
+        const bStart = b.match.index;
+        if (aStart !== bStart)
+            return bStart - aStart;
+        return (b.match[0].length - a.match[0].length);
+    });
+    return allMatches.map((x) => ({ rule: x.rule, matches: x.match }));
+}
+export function redactText(input, patternSet, session) {
+    if (!input || patternSet.rules.length === 0) {
+        return { text: input, matches: [] };
+    }
+    const sorted = sortByPositionDesc(patternSet.rules, input);
+    const covered = [];
+    const matches = [];
+    for (const { rule, matches: match } of sorted) {
+        const start = match.index;
+        const end = start + match[0].length;
+        const value = match[0];
+        if (patternSet.exclude.has(value.toLowerCase())) {
+            continue;
+        }
+        const gaps = subtractCovered(covered);
+        const isInside = gaps.every(([gStart, gEnd]) => start >= gStart && end <= gEnd);
+        if (isInside)
+            continue;
+        const placeholder = session.getOrCreatePlaceholder(value, rule.category);
+        matches.push({ start, end, original: value, placeholder, category: rule.category });
+        const remainingGaps = [];
+        for (const [gStart, gEnd] of gaps) {
+            if (start >= gEnd || end <= gStart) {
+                remainingGaps.push([gStart, gEnd]);
+            }
+            else {
+                if (start > gStart) {
+                    remainingGaps.push([gStart, start]);
+                }
+                if (end < gEnd) {
+                    remainingGaps.push([end, gEnd]);
+                }
+            }
+        }
+        covered.length = 0;
+        for (const g of remainingGaps) {
+            insertCovered(covered, g);
+        }
+    }
+    const sortedMatches = [...matches].sort((a, b) => a.start - b.start);
+    let result = "";
+    let lastIndex = 0;
+    for (const m of sortedMatches) {
+        result += input.slice(lastIndex, m.start);
+        result += m.placeholder;
+        lastIndex = m.end;
+    }
+    result += input.slice(lastIndex);
+    return { text: result, matches: sortedMatches };
+}
+//# sourceMappingURL=engine.js.map

package/dist/plugins/secrets-redaction/engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.js","sourceRoot":"","sources":["../../../src/plugins/secrets-redaction/engine.ts"],"names":[],"mappings":"AAAA,gDAAgD;AAChD,iBAAiB;AACjB,wBAAwB;AACxB,iGAAiG;AACjG,0EAA0E;AAC1E,+BAA+B;AAC/B,uDAAuD;AACvD,kBAAkB;AAClB,sBAAsB;AACtB,sBAAsB;AACtB,EAAE;AACF,mBAAmB;AACnB,+FAA+F;AAC/F,iBAAiB;AAkBjB,SAAS,eAAe,CAAC,SAA6B;IACpD,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAEtC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAEtC,MAAM,MAAM,GAAuB,EAAE,CAAC;IACtC,IAAI,UAAU,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAEjC,KAAK,MAAM,CAAC,KAAK,EAAE,GAAG,CAAC,IAAI,SAAS,EAAE,CAAC;QACrC,IAAI,KAAK,GAAG,UAAU,EAAE,CAAC;YACvB,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC,CAAC;QACnC,CAAC;QACD,IAAI,GAAG,GAAG,UAAU,EAAE,CAAC;YACrB,UAAU,GAAG,GAAG,CAAC;QACnB,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,aAAa,CACpB,SAA6B,EAC7B,WAA6B;IAE7B,MAAM,MAAM,GAAG,CAAC,GAAG,SAAS,EAAE,WAAW,CAAC,CAAC;IAC3C,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAEnC,MAAM,MAAM,GAAuB,EAAE,CAAC;IACtC,KAAK,MAAM,QAAQ,IAAI,MAAM,EAAE,CAAC;QAC9B,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,IAAI,QAAQ,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACrE,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;QACrF,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,kBAAkB,CAAC,KAAoB,EAAE,IAAY;IAC5D,MAAM,UAAU,GAA0D,EAAE,CAAC;IAE7E,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,EAAE,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,GAAG,CAAC,CAAC;QAC7H,IAAI,KAA6B,CAAC;QAClC,OAAO,CAAC,KAAK,GAAG,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACxC,UAAU,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,KAAyB,EAAE,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC;IAED,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACvB,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,KAAM,CAAC;QAC9B,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,KAAM,CAAC;QAC9B,IAAI,MAAM,KAAK,MAAM;YAAE,OAAO,MAAM,GAAG,MAAM,CAAC;QAC9C,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,OAAO,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;AACrE,CAAC;AAED,MAAM,UAAU,UAAU,CACxB,KAAa,EACb,UAAsB,EACtB,OAA2B;IAE3B,IAAI,CAAC,KAAK,IAAI,UAAU,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5C,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IACtC,CAAC;IAED,MAAM,MAAM,GAAG,kBAAkB,CAAC,UAAU,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAE3D,MAAM,OAAO,GAAuB,EAAE,CAAC;IACvC,MAAM,OAAO,GAAY,EAAE,CAAC;IAE5B,KAAK,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,MAAM,EAAE,CAAC;QAC9C,MAAM,KAAK,GAAG,KAAK,CAAC,KAAM,CAAC;QAC3B,MAAM,GAAG,GAAG,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;QACpC,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAEvB,IAAI,UAAU,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;YAChD,SAAS;QACX,CAAC;QAED,MAAM,IAAI,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;QACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,KAAK,IAAI,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,CAAC;QAChF,IAAI,QAAQ;YAAE,SAAS;QAEvB,MAAM,WAAW,GAAG,OAAO,CAAC,sBAAsB,CAAC,KAAK,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;QACzE,OAAO,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,WAAW,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;QAEpF,MAAM,aAAa,GAAuB,EAAE,CAAC;QAC7C,KAAK,MAAM,CAAC,MAAM,EAAE,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC;YAClC,IAAI,KAAK,IAAI,IAAI,IAAI,GAAG,IAAI,MAAM,EAAE,CAAC;gBACnC,aAAa,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC;YACrC,CAAC;iBAAM,CAAC;gBACN,IAAI,KAAK,GAAG,MAAM,EAAE,CAAC;oBACnB,aAAa,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;gBACtC,CAAC;gBACD,IAAI,GAAG,GAAG,IAAI,EAAE,CAAC;oBACf,aAAa,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC;gBAClC,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC;QACnB,KAAK,MAAM,CAAC,IAAI,aAAa,EAAE,CAAC;YAC9B,aAAa,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC;IAED,MAAM,aAAa,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;IAErE,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,IAAI,SAAS,GAAG,CAAC,CAAC;IAElB,KAAK,MAAM,CAAC,IAAI,aAAa,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;QAC1C,MAAM,IAAI,CAAC,CAAC,WAAW,CAAC;QACxB,SAAS,GAAG,CAAC,CAAC,GAAG,CAAC;IACpB,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IAEjC,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,CAAC;AAClD,CAAC"}

package/dist/plugins/secrets-redaction/index.d.ts

@@ -0,0 +1,2 @@
+import type { Plugin } from "@opencode-ai/plugin";
+export declare const SecretsRedactionPlugin: Plugin;

package/dist/plugins/secrets-redaction/index.js

@@ -0,0 +1,124 @@
+// FILE: src/plugins/secrets-redaction/index.ts
+// VERSION: 1.0.0
+// START_MODULE_CONTRACT
+//   PURPOSE: OpenCode plugin that redacts secrets from messages before LLM requests and restores them after.
+//   SCOPE: 3 hook handlers — chat.messages.transform, text.complete, tool.execute.before
+//   DEPENDS: session, engine, patterns, restore, deep, config
+//   LINKS: knowledge-graph://plugins/secrets-redaction
+//   ROLE: RUNTIME
+//   MAP_MODE: EXPORTS
+// END_MODULE_CONTRACT
+//
+// START_MODULE_MAP
+//   SecretsRedactionPlugin - main plugin factory function
+// END_MODULE_MAP
+import { loadConfig } from "./config.js";
+import { buildPatternSet } from "./patterns.js";
+import { redactText } from "./engine.js";
+import { restoreText } from "./restore.js";
+import { redactDeep, restoreDeep } from "./deep.js";
+import { PlaceholderSession } from "./session.js";
+const PLACEHOLDER_PREFIX = "__VVOC_SECRET_";
+function isTextPart(part) {
+    return part.type === "text";
+}
+function isReasoningPart(part) {
+    return part.type === "reasoning";
+}
+function redactMessageParts(parts, patternSet, session) {
+    for (const part of parts) {
+        if (isTextPart(part)) {
+            const result = redactText(part.text, patternSet, session);
+            part.text = result.text;
+        }
+        if (isReasoningPart(part)) {
+            const result = redactText(part.text, patternSet, session);
+            part.text = result.text;
+        }
+    }
+}
+function redactAssistantState(msg, patternSet, session) {
+    const state = msg.state;
+    if (state) {
+        if (state.input) {
+            redactDeep(state.input, patternSet, session);
+        }
+        if (state.output) {
+            redactDeep(state.output, patternSet, session);
+        }
+        if (state.error) {
+            redactDeep(state.error, patternSet, session);
+        }
+        if (state.raw) {
+            redactDeep(state.raw, patternSet, session);
+        }
+    }
+}
+export const SecretsRedactionPlugin = async (ctx) => {
+    const { config, path, warnings } = await loadConfig(ctx.directory);
+    if (config.debug) {
+        await ctx.client.app.log({
+            body: {
+                service: "secrets-redaction",
+                level: "debug",
+                message: `config loaded from: ${path ?? "none"}`,
+            },
+        });
+    }
+    for (const warning of warnings) {
+        await ctx.client.app.log({
+            body: {
+                service: "secrets-redaction",
+                level: "warn",
+                message: warning,
+            },
+        });
+    }
+    if (!config.enabled) {
+        return {};
+    }
+    const patternSet = buildPatternSet(config.patterns);
+    const session = new PlaceholderSession({
+        prefix: PLACEHOLDER_PREFIX,
+        ttlMs: config.ttlMs,
+        maxMappings: config.maxMappings,
+        secret: config.secret,
+    });
+    if (config.ttlMs > 0) {
+        setInterval(() => {
+            const evicted = session.cleanup(Date.now());
+            if (config.debug && evicted > 0) {
+                ctx.client.app.log({
+                    body: {
+                        service: "secrets-redaction",
+                        level: "debug",
+                        message: `evicted ${evicted} expired placeholders`,
+                    },
+                });
+            }
+        }, Math.min(config.ttlMs, 60_000));
+    }
+    return {
+        config: async () => { },
+        event: async () => { },
+        "tool.execute.before": async (_input, output) => {
+            if (output.args) {
+                restoreDeep(output.args, session);
+            }
+        },
+        "experimental.chat.messages.transform": async (_input, output) => {
+            for (const msg of output.messages) {
+                if (msg.info.role === "assistant") {
+                    redactAssistantState(msg.info, patternSet, session);
+                }
+                redactMessageParts(msg.parts, patternSet, session);
+            }
+        },
+        "experimental.text.complete": async (_input, output) => {
+            if (output.text) {
+                output.text = restoreText(output.text, session);
+            }
+        },
+    };
+};
+//# sourceMappingURL=index.js.map

package/dist/plugins/secrets-redaction/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/plugins/secrets-redaction/index.ts"],"names":[],"mappings":"AAAA,+CAA+C;AAC/C,iBAAiB;AACjB,wBAAwB;AACxB,6GAA6G;AAC7G,yFAAyF;AACzF,8DAA8D;AAC9D,uDAAuD;AACvD,kBAAkB;AAClB,sBAAsB;AACtB,sBAAsB;AACtB,EAAE;AACF,mBAAmB;AACnB,0DAA0D;AAC1D,iBAAiB;AAEjB,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AACpD,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAIlD,MAAM,kBAAkB,GAAG,gBAAgB,CAAC;AAE5C,SAAS,UAAU,CAAC,IAAU;IAC5B,OAAO,IAAI,CAAC,IAAI,KAAK,MAAM,CAAC;AAC9B,CAAC;AAED,SAAS,eAAe,CAAC,IAAU;IACjC,OAAO,IAAI,CAAC,IAAI,KAAK,WAAW,CAAC;AACnC,CAAC;AAED,SAAS,kBAAkB,CAAC,KAAa,EAAE,UAA8C,EAAE,OAA2B;IACpH,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACrB,MAAM,MAAM,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;YAC1D,IAAI,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;QAC1B,CAAC;QACD,IAAI,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1B,MAAM,MAAM,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;YAC1D,IAAI,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;QAC1B,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAAC,GAAY,EAAE,UAA8C,EAAE,OAA2B;IACrH,MAAM,KAAK,GAAI,GAA2C,CAAC,KAAK,CAAC;IACjE,IAAI,KAAK,EAAE,CAAC;QACV,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;YAChB,UAAU,CAAC,KAAK,CAAC,KAAK,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;QAC/C,CAAC;QACD,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;YACjB,UAAU,CAAC,KAAK,CAAC,MAAM,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;QAChD,CAAC;QACD,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;YAChB,UAAU,CAAC,KAAK,CAAC,KAAK,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;QAC/C,CAAC;QACD,IAAI,KAAK,CAAC,GAAG,EAAE,CAAC;YACd,UAAU,CAAC,KAAK,CAAC,GAAG,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;QAC7C,CAAC;IACH,CAAC;AACH,CAAC;AAED,MAAM,CAAC,MAAM,sBAAsB,GAAW,KAAK,EAAE,GAAG,EAAE,EAAE;IAC1D,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,MAAM,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAEnE,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,MAAM,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC;YACvB,IAAI,EAAE;gBACJ,OAAO,EAAE,mBAAmB;gBAC5B,KAAK,EAAE,OAAgB;gBACvB,OAAO,EAAE,uBAAuB,IAAI,IAAI,MAAM,EAAE;aACjD;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC;YACvB,IAAI,EAAE;gBACJ,OAAO,EAAE,mBAAmB;gBAC5B,KAAK,EAAE,MAAe;gBACtB,OAAO,EAAE,OAAO;aACjB;SACF,CAAC,CAAC;IACL,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,UAAU,GAAG,eAAe,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACpD,MAAM,OAAO,GAAG,IAAI,kBAAkB,CAAC;QACrC,MAAM,EAAE,kBAAkB;QAC1B,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,MAAM,EAAE,MAAM,CAAC,MAAM;KACtB,CAAC,CAAC;IAEH,IAAI,MAAM,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC;QACrB,WAAW,CAAC,GAAG,EAAE;YACf,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;YAC5C,IAAI,MAAM,CAAC,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,CAAC;gBAChC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC;oBACjB,IAAI,EAAE;wBACJ,OAAO,EAAE,mBAAmB;wBAC5B,KAAK,EAAE,OAAgB;wBACvB,OAAO,EAAE,WAAW,OAAO,uBAAuB;qBACnD;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC;IACrC,CAAC;IAED,OAAO;QACL,MAAM,EAAE,KAAK,IAAI,EAAE,GAAE,CAAC;QACtB,KAAK,EAAE,KAAK,IAAI,EAAE,GAAE,CAAC;QACrB,qBAAqB,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE;YAC9C,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;gBAChB,WAAW,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YACpC,CAAC;QACH,CAAC;QACD,sCAAsC,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE;YAC/D,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBAClC,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;oBAClC,oBAAoB,CAAC,GAAG,CAAC,IAAI,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;gBACtD,CAAC;gBACD,kBAAkB,CAAC,GAAG,CAAC,KAAK,EAAE,UAAU,EAAE,OAAO,CAAC,CAAC;YACrD,CAAC;QACH,CAAC;QACD,4BAA4B,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE;YACrD,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;gBAChB,MAAM,CAAC,IAAI,GAAG,WAAW,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAClD,CAAC;QACH,CAAC;KACF,CAAC;AACJ,CAAC,CAAC"}

package/dist/plugins/secrets-redaction/patterns.d.ts

@@ -0,0 +1,26 @@
+export interface PatternRule {
+    pattern: RegExp;
+    category: string;
+}
+export interface PatternSet {
+    rules: PatternRule[];
+    exclude: Set<string>;
+}
+export interface PatternsConfig {
+    keywords?: Array<{
+        value: string;
+        category?: string;
+    }>;
+    regex?: Array<{
+        pattern: string;
+        category: string;
+    }>;
+    builtin?: string[];
+    exclude?: string[];
+}
+declare const BUILTIN_PATTERNS: Map<string, {
+    pattern: string;
+    category: string;
+}>;
+export declare function buildPatternSet(config: PatternsConfig): PatternSet;
+export { BUILTIN_PATTERNS };

package/dist/plugins/secrets-redaction/patterns.js

@@ -0,0 +1,85 @@
+// FILE: src/plugins/secrets-redaction/patterns.ts
+// VERSION: 1.0.0
+// START_MODULE_CONTRACT
+//   PURPOSE: Builds the internal pattern set from config — keywords, regex rules, and builtin patterns.
+//   SCOPE: pattern parsing, normalization, deduplication
+//   DEPENDS: node:crypto (for hashing)
+//   LINKS: knowledge-graph://plugins/secrets-redaction
+//   ROLE: RUNTIME
+//   MAP_MODE: EXPORTS
+// END_MODULE_CONTRACT
+//
+// START_MODULE_MAP
+//   buildPatternSet - builds pattern set from config object
+//   BUILTIN_PATTERNS - Map of 6 builtin pattern definitions
+// END_MODULE_MAP
+const BUILTIN_PATTERNS = new Map([
+    ["email", { pattern: "[a-z0-9._%+-]+@[a-z0-9.-]+\\.[a-z]{2,}", category: "EMAIL" }],
+    [
+        "china_phone",
+        { pattern: "(?<!\\d)1[3-9]\\d{9}(?!\\d)", category: "CHINA_PHONE" },
+    ],
+    [
+        "china_id",
+        { pattern: "(?<!\\d)\\d{17}[\\dXx](?!\\d)", category: "CHINA_ID" },
+    ],
+    [
+        "uuid",
+        {
+            pattern: "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}",
+            category: "UUID",
+        },
+    ],
+    [
+        "ipv4",
+        { pattern: "(?:\\d{1,3}\\.){3}\\d{1,3}", category: "IPV4" },
+    ],
+    ["mac", { pattern: "(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", category: "MAC" }],
+]);
+function peelFlags(pattern) {
+    const inlineFlags = [];
+    let p = pattern;
+    const iMatch = p.match(/^\(\?([a-z]+)\)/);
+    if (iMatch) {
+        const captured = iMatch[1];
+        if (captured.includes("i"))
+            inlineFlags.push("i");
+        if (captured.includes("m"))
+            inlineFlags.push("m");
+        if (captured.includes("s"))
+            inlineFlags.push("s");
+        p = p.slice(iMatch[0].length);
+    }
+    return { pattern: p, flags: inlineFlags.join("") };
+}
+function buildRegex(pattern, defaultFlags = "gi") {
+    const { pattern: raw, flags: peeled } = peelFlags(pattern);
+    const flags = peeled ? `${defaultFlags}${peeled}` : defaultFlags;
+    return new RegExp(raw, flags);
+}
+export function buildPatternSet(config) {
+    const rules = [];
+    if (config.builtin) {
+        for (const name of config.builtin) {
+            const builtin = BUILTIN_PATTERNS.get(name);
+            if (builtin) {
+                rules.push({ pattern: buildRegex(builtin.pattern), category: builtin.category });
+            }
+        }
+    }
+    if (config.regex) {
+        for (const { pattern, category } of config.regex) {
+            rules.push({ pattern: buildRegex(pattern), category });
+        }
+    }
+    if (config.keywords) {
+        for (const { value, category = "KEYWORD" } of config.keywords) {
+            const escaped = value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+            rules.push({ pattern: new RegExp(escaped, "gi"), category });
+        }
+    }
+    const exclude = new Set(config.exclude ?? []);
+    return { rules, exclude };
+}
+export { BUILTIN_PATTERNS };
+//# sourceMappingURL=patterns.js.map

package/dist/plugins/secrets-redaction/patterns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../../src/plugins/secrets-redaction/patterns.ts"],"names":[],"mappings":"AAAA,kDAAkD;AAClD,iBAAiB;AACjB,wBAAwB;AACxB,wGAAwG;AACxG,yDAAyD;AACzD,uCAAuC;AACvC,uDAAuD;AACvD,kBAAkB;AAClB,sBAAsB;AACtB,sBAAsB;AACtB,EAAE;AACF,mBAAmB;AACnB,4DAA4D;AAC5D,4DAA4D;AAC5D,iBAAiB;AAmBjB,MAAM,gBAAgB,GAAuD,IAAI,GAAG,CAAC;IACnF,CAAC,OAAO,EAAE,EAAE,OAAO,EAAE,wCAAwC,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;IACnF;QACE,aAAa;QACb,EAAE,OAAO,EAAE,6BAA6B,EAAE,QAAQ,EAAE,aAAa,EAAE;KACpE;IACD;QACE,UAAU;QACV,EAAE,OAAO,EAAE,+BAA+B,EAAE,QAAQ,EAAE,UAAU,EAAE;KACnE;IACD;QACE,MAAM;QACN;YACE,OAAO,EAAE,0FAA0F;YACnG,QAAQ,EAAE,MAAM;SACjB;KACF;IACD;QACE,MAAM;QACN,EAAE,OAAO,EAAE,4BAA4B,EAAE,QAAQ,EAAE,MAAM,EAAE;KAC5D;IACD,CAAC,KAAK,EAAE,EAAE,OAAO,EAAE,gCAAgC,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;CACxE,CAAC,CAAC;AAEH,SAAS,SAAS,CAAC,OAAe;IAChC,MAAM,WAAW,GAAa,EAAE,CAAC;IACjC,IAAI,CAAC,GAAG,OAAO,CAAC;IAEhB,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;IAC1C,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,QAAQ,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;QAC3B,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC;YAAE,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAClD,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC;YAAE,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAClD,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC;YAAE,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAClD,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;IAChC,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,KAAK,EAAE,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;AACrD,CAAC;AAED,SAAS,UAAU,CAAC,OAAe,EAAE,YAAY,GAAG,IAAI;IACtD,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,SAAS,CAAC,OAAO,CAAC,CAAC;IAC3D,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,GAAG,YAAY,GAAG,MAAM,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC;IACjE,OAAO,IAAI,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;AAChC,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,MAAsB;IACpD,MAAM,KAAK,GAAkB,EAAE,CAAC;IAEhC,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACnB,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YAClC,MAAM,OAAO,GAAG,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAC3C,IAAI,OAAO,EAAE,CAAC;gBACZ,KAAK,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,QAAQ,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;YACnF,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,KAAK,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;YACjD,KAAK,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACpB,KAAK,MAAM,EAAE,KAAK,EAAE,QAAQ,GAAG,SAAS,EAAE,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YAC9D,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;YAC7D,KAAK,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC/D,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,GAAG,CAAS,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC;IAEtD,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;AAC5B,CAAC;AAED,OAAO,EAAE,gBAAgB,EAAE,CAAC"}

package/dist/plugins/secrets-redaction/restore.d.ts

@@ -0,0 +1,2 @@
+import { type PlaceholderSession } from "./session.js";
+export declare function restoreText(input: string, session: PlaceholderSession): string;

package/dist/plugins/secrets-redaction/restore.js

@@ -0,0 +1,25 @@
+// FILE: src/plugins/secrets-redaction/restore.ts
+// VERSION: 1.0.0
+// START_MODULE_CONTRACT
+//   PURPOSE: Restores placeholders in a single string back to original secret values.
+//   SCOPE: single-string placeholder → original lookup
+//   DEPENDS: session
+//   LINKS: knowledge-graph://plugins/secrets-redaction
+//   ROLE: RUNTIME
+//   MAP_MODE: EXPORTS
+// END_MODULE_CONTRACT
+//
+// START_MODULE_MAP
+//   restoreText - restores all placeholders in a string to original values
+// END_MODULE_MAP
+import { getPlaceholderRegex } from "./session.js";
+export function restoreText(input, session) {
+    if (!input)
+        return input;
+    const regex = getPlaceholderRegex(session["prefix"]);
+    return input.replace(regex, (placeholder) => {
+        const original = session.lookup(placeholder);
+        return original ?? placeholder;
+    });
+}
+//# sourceMappingURL=restore.js.map

package/dist/plugins/secrets-redaction/restore.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"restore.js","sourceRoot":"","sources":["../../../src/plugins/secrets-redaction/restore.ts"],"names":[],"mappings":"AAAA,iDAAiD;AACjD,iBAAiB;AACjB,wBAAwB;AACxB,sFAAsF;AACtF,uDAAuD;AACvD,qBAAqB;AACrB,uDAAuD;AACvD,kBAAkB;AAClB,sBAAsB;AACtB,sBAAsB;AACtB,EAAE;AACF,mBAAmB;AACnB,2EAA2E;AAC3E,iBAAiB;AAGjB,OAAO,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AAEnD,MAAM,UAAU,WAAW,CAAC,KAAa,EAAE,OAA2B;IACpE,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IAEzB,MAAM,KAAK,GAAG,mBAAmB,CAAC,OAAO,CAAC,QAAQ,CAAsB,CAAC,CAAC;IAC1E,OAAO,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC,WAAW,EAAE,EAAE;QAC1C,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAC7C,OAAO,QAAQ,IAAI,WAAW,CAAC;IACjC,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/plugins/secrets-redaction/session.d.ts

@@ -0,0 +1,30 @@
+export interface PlaceholderSessionOptions {
+    prefix: string;
+    ttlMs: number;
+    maxMappings: number;
+    secret: string;
+}
+export interface PlaceholderEntry {
+    original: string;
+    placeholder: string;
+    category: string;
+    createdAt: number;
+}
+export declare class PlaceholderSession {
+    private readonly prefix;
+    private readonly ttlMs;
+    private readonly maxMappings;
+    private readonly secret;
+    private readonly forward;
+    private readonly reverse;
+    private readonly created;
+    constructor(options: PlaceholderSessionOptions);
+    private computeHash;
+    getOrCreatePlaceholder(original: string, category: string): string;
+    lookup(placeholder: string): string | undefined;
+    cleanup(now: number): number;
+    private evictIfNeeded;
+    get size(): number;
+}
+export declare function getPlaceholderRegex(prefix: string): RegExp;
+export declare function generateFallbackSecret(): string;

package/dist/plugins/secrets-redaction/session.js

@@ -0,0 +1,113 @@
+// FILE: src/plugins/secrets-redaction/session.ts
+// VERSION: 1.0.0
+// START_MODULE_CONTRACT
+//   PURPOSE: Manages placeholder lifecycle for secret redaction — generates stable HMAC-based placeholders,
+//            maintains forward/reverse mappings, handles TTL eviction and max-mappings limits.
+//   SCOPE: placeholder creation, lookup, cleanup
+//   DEPENDS: node:crypto
+//   LINKS: knowledge-graph://plugins/secrets-redaction
+//   ROLE: RUNTIME
+//   MAP_MODE: EXPORTS
+// END_MODULE_CONTRACT
+//
+// START_MODULE_MAP
+//   PlaceholderSession - manages secret → placeholder mappings with HMAC hashing
+//   getPlaceholderRegex - returns RegExp to find all placeholders in text
+// END_MODULE_MAP
+import { createHmac, randomBytes } from "node:crypto";
+export class PlaceholderSession {
+    prefix;
+    ttlMs;
+    maxMappings;
+    secret;
+    forward = new Map();
+    reverse = new Map();
+    created = new Map();
+    constructor(options) {
+        this.prefix = options.prefix;
+        this.ttlMs = options.ttlMs;
+        this.maxMappings = options.maxMappings;
+        this.secret = Buffer.from(options.secret, "utf-8");
+    }
+    computeHash(original) {
+        return createHmac("sha256", this.secret).update(original, "utf-8").digest("hex");
+    }
+    getOrCreatePlaceholder(original, category) {
+        if (this.reverse.has(original)) {
+            return this.reverse.get(original);
+        }
+        this.evictIfNeeded();
+        const hash = this.computeHash(original);
+        const hash12 = hash.substring(0, 12);
+        let placeholder = `${this.prefix}${category}_${hash12}__`;
+        if (this.forward.has(placeholder)) {
+            let counter = 1;
+            while (this.forward.has(placeholder)) {
+                placeholder = `${this.prefix}${category}_${hash12}_${counter}__`;
+                counter++;
+            }
+        }
+        const entry = {
+            original,
+            placeholder,
+            category,
+            createdAt: Date.now(),
+        };
+        this.forward.set(placeholder, entry);
+        this.reverse.set(original, placeholder);
+        this.created.set(placeholder, Date.now());
+        return placeholder;
+    }
+    lookup(placeholder) {
+        return this.forward.get(placeholder)?.original;
+    }
+    cleanup(now) {
+        let evicted = 0;
+        const expired = [];
+        for (const [placeholder, createdAt] of this.created) {
+            if (now - createdAt > this.ttlMs) {
+                expired.push(placeholder);
+            }
+        }
+        for (const placeholder of expired) {
+            const entry = this.forward.get(placeholder);
+            if (entry) {
+                this.reverse.delete(entry.original);
+                this.forward.delete(placeholder);
+                this.created.delete(placeholder);
+                evicted++;
+            }
+        }
+        return evicted;
+    }
+    evictIfNeeded() {
+        if (this.forward.size < this.maxMappings)
+            return;
+        let oldestPlaceholder = null;
+        let oldestCreated = Infinity;
+        for (const [placeholder, createdAt] of this.created) {
+            if (createdAt < oldestCreated) {
+                oldestCreated = createdAt;
+                oldestPlaceholder = placeholder;
+            }
+        }
+        if (oldestPlaceholder) {
+            const entry = this.forward.get(oldestPlaceholder);
+            if (entry) {
+                this.reverse.delete(entry.original);
+                this.forward.delete(oldestPlaceholder);
+                this.created.delete(oldestPlaceholder);
+            }
+        }
+    }
+    get size() {
+        return this.forward.size;
+    }
+}
+export function getPlaceholderRegex(prefix) {
+    return new RegExp(`${prefix}[A-Z_]+_[0-9a-f]{12}(?:_\\d+)?__`, "g");
+}
+export function generateFallbackSecret() {
+    return randomBytes(32).toString("hex");
+}
+//# sourceMappingURL=session.js.map

package/dist/plugins/secrets-redaction/session.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.js","sourceRoot":"","sources":["../../../src/plugins/secrets-redaction/session.ts"],"names":[],"mappings":"AAAA,iDAAiD;AACjD,iBAAiB;AACjB,wBAAwB;AACxB,4GAA4G;AAC5G,+FAA+F;AAC/F,iDAAiD;AACjD,yBAAyB;AACzB,uDAAuD;AACvD,kBAAkB;AAClB,sBAAsB;AACtB,sBAAsB;AACtB,EAAE;AACF,mBAAmB;AACnB,iFAAiF;AACjF,0EAA0E;AAC1E,iBAAiB;AAEjB,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAgBtD,MAAM,OAAO,kBAAkB;IACZ,MAAM,CAAS;IACf,KAAK,CAAS;IACd,WAAW,CAAS;IACpB,MAAM,CAAS;IACf,OAAO,GAAkC,IAAI,GAAG,EAAE,CAAC;IACnD,OAAO,GAAwB,IAAI,GAAG,EAAE,CAAC;IACzC,OAAO,GAAwB,IAAI,GAAG,EAAE,CAAC;IAE1D,YAAY,OAAkC;QAC5C,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAC7B,IAAI,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAC3B,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC;QACvC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrD,CAAC;IAEO,WAAW,CAAC,QAAgB;QAClC,OAAO,UAAU,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACnF,CAAC;IAED,sBAAsB,CAAC,QAAgB,EAAE,QAAgB;QACvD,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC/B,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAE,CAAC;QACrC,CAAC;QAED,IAAI,CAAC,aAAa,EAAE,CAAC;QAErB,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;QACxC,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACrC,IAAI,WAAW,GAAG,GAAG,IAAI,CAAC,MAAM,GAAG,QAAQ,IAAI,MAAM,IAAI,CAAC;QAE1D,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,CAAC;YAClC,IAAI,OAAO,GAAG,CAAC,CAAC;YAChB,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,CAAC;gBACrC,WAAW,GAAG,GAAG,IAAI,CAAC,MAAM,GAAG,QAAQ,IAAI,MAAM,IAAI,OAAO,IAAI,CAAC;gBACjE,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;QAED,MAAM,KAAK,GAAqB;YAC9B,QAAQ;YACR,WAAW;YACX,QAAQ;YACR,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACtB,CAAC;QAEF,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC;QACrC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;QACxC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;QAE1C,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,MAAM,CAAC,WAAmB;QACxB,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,QAAQ,CAAC;IACjD,CAAC;IAED,OAAO,CAAC,GAAW;QACjB,IAAI,OAAO,GAAG,CAAC,CAAC;QAChB,MAAM,OAAO,GAAa,EAAE,CAAC;QAE7B,KAAK,MAAM,CAAC,WAAW,EAAE,SAAS,CAAC,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACpD,IAAI,GAAG,GAAG,SAAS,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;gBACjC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC5B,CAAC;QACH,CAAC;QAED,KAAK,MAAM,WAAW,IAAI,OAAO,EAAE,CAAC;YAClC,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;YAC5C,IAAI,KAAK,EAAE,CAAC;gBACV,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;gBACpC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;gBACjC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;gBACjC,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAEO,aAAa;QACnB,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,WAAW;YAAE,OAAO;QAEjD,IAAI,iBAAiB,GAAkB,IAAI,CAAC;QAC5C,IAAI,aAAa,GAAG,QAAQ,CAAC;QAE7B,KAAK,MAAM,CAAC,WAAW,EAAE,SAAS,CAAC,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACpD,IAAI,SAAS,GAAG,aAAa,EAAE,CAAC;gBAC9B,aAAa,GAAG,SAAS,CAAC;gBAC1B,iBAAiB,GAAG,WAAW,CAAC;YAClC,CAAC;QACH,CAAC;QAED,IAAI,iBAAiB,EAAE,CAAC;YACtB,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;YAClD,IAAI,KAAK,EAAE,CAAC;gBACV,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;gBACpC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;gBACvC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;YACzC,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC;IAC3B,CAAC;CACF;AAED,MAAM,UAAU,mBAAmB,CAAC,MAAc;IAChD,OAAO,IAAI,MAAM,CAAC,GAAG,MAAM,kCAAkC,EAAE,GAAG,CAAC,CAAC;AACtE,CAAC;AAED,MAAM,UAAU,sBAAsB;IACpC,OAAO,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACzC,CAAC"}

package/dist/plugins/secrets-redaction.d.ts

@@ -0,0 +1 @@
+export { SecretsRedactionPlugin } from "./secrets-redaction/index.js";

package/dist/plugins/secrets-redaction.js

@@ -0,0 +1,16 @@
+// FILE: src/plugins/secrets-redaction.ts
+// VERSION: 1.0.0
+// START_MODULE_CONTRACT
+//   PURPOSE: Re-export barrel for SecretsRedactionPlugin
+//   SCOPE: plugin re-exports
+//   DEPENDS: secrets-redaction/index
+//   LINKS: knowledge-graph://plugins/secrets-redaction
+//   ROLE: BARREL
+//   MAP_MODE: SUMMARY
+// END_MODULE_CONTRACT
+//
+// START_MODULE_MAP
+//   SecretsRedactionPlugin - main plugin export
+// END_MODULE_MAP
+export { SecretsRedactionPlugin } from "./secrets-redaction/index.js";
+//# sourceMappingURL=secrets-redaction.js.map

package/dist/plugins/secrets-redaction.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets-redaction.js","sourceRoot":"","sources":["../../src/plugins/secrets-redaction.ts"],"names":[],"mappings":"AAAA,yCAAyC;AACzC,iBAAiB;AACjB,wBAAwB;AACxB,yDAAyD;AACzD,6BAA6B;AAC7B,qCAAqC;AACrC,uDAAuD;AACvD,iBAAiB;AACjB,sBAAsB;AACtB,sBAAsB;AACtB,EAAE;AACF,mBAAmB;AACnB,gDAAgD;AAChD,iBAAiB;AAEjB,OAAO,EAAE,sBAAsB,EAAE,MAAM,8BAA8B,CAAC"}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@osovv/vv-opencode",
-  "version": "0.2.5",
-  "description": "Portable OpenCode workflow plugins and CLI tooling.",
+  "version": "0.3.3",
+  "description": "Portable OpenCode workflow plugins, explicit memory, and CLI tooling.",
   "type": "module",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
@@ -15,6 +15,8 @@
     "workflow",
     "guardian",
     "memory",
+    "xdg",
+    "grace",
     "bun",
     "citty"
   ],
@@ -47,6 +49,7 @@
     "fmt:check": "oxfmt --check src",
     "test": "bun test",
     "check": "bun run typecheck && bun run lint && bun run fmt:check && bun test",
+    "pack:check": "npm pack --dry-run",
     "prepare": "lefthook install --force"
   },
   "dependencies": {