@runtime-digital-twin/sdk 1.0.0

package/dist/redaction.js

@@ -0,0 +1,487 @@
+"use strict";
+/**
+ * Redaction Module
+ *
+ * Provides privacy guardrails for trace capture by:
+ * - Masking sensitive headers (auth, tokens, cookies)
+ * - Redacting passwords and secrets from request/response bodies
+ * - Supporting custom redaction rules via config file
+ * - Using deterministic hashing for redacted values (stable across runs)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SENSITIVE_BODY_FIELDS = exports.SENSITIVE_QUERY_PARAMS = exports.SENSITIVE_HEADERS = void 0;
+exports.computeRedactionHash = computeRedactionHash;
+exports.createRedactedValue = createRedactedValue;
+exports.loadRedactionConfig = loadRedactionConfig;
+exports.setRedactionConfig = setRedactionConfig;
+exports.getRedactionConfig = getRedactionConfig;
+exports.resetRedactionConfig = resetRedactionConfig;
+exports.shouldRedactHeader = shouldRedactHeader;
+exports.shouldRedactQueryParam = shouldRedactQueryParam;
+exports.redactHeaders = redactHeaders;
+exports.redactQueryParams = redactQueryParams;
+exports.redactBodyObject = redactBodyObject;
+exports.redactBodyPatterns = redactBodyPatterns;
+exports.redactBody = redactBody;
+exports.redactUrl = redactUrl;
+exports.containsSensitivePatterns = containsSensitivePatterns;
+const crypto_1 = require("crypto");
+const fs_1 = require("fs");
+const path_1 = require("path");
+/**
+ * Default sensitive header names (case-insensitive)
+ */
+const DEFAULT_SENSITIVE_HEADERS = [
+    "authorization",
+    "x-api-key",
+    "x-auth-token",
+    "x-access-token",
+    "x-refresh-token",
+    "cookie",
+    "set-cookie",
+    "x-csrf-token",
+    "x-xsrf-token",
+    "proxy-authorization",
+    "www-authenticate",
+    "x-amz-security-token",
+    "x-api-secret",
+    "x-client-secret",
+];
+/**
+ * Default sensitive query parameter names (case-insensitive)
+ */
+const DEFAULT_SENSITIVE_QUERY_PARAMS = [
+    "token",
+    "access_token",
+    "refresh_token",
+    "api_key",
+    "apikey",
+    "secret",
+    "password",
+    "pwd",
+    "auth",
+    "key",
+    "session",
+    "sid",
+];
+/**
+ * Default sensitive body field names (case-insensitive)
+ */
+const DEFAULT_SENSITIVE_BODY_FIELDS = [
+    "password",
+    "passwd",
+    "pwd",
+    "secret",
+    "token",
+    "access_token",
+    "refresh_token",
+    "api_key",
+    "apiKey",
+    "apikey",
+    "private_key",
+    "privateKey",
+    "secret_key",
+    "secretKey",
+    "client_secret",
+    "clientSecret",
+    "ssn",
+    "social_security",
+    "credit_card",
+    "creditCard",
+    "card_number",
+    "cardNumber",
+    "cvv",
+    "cvc",
+    "pin",
+];
+/**
+ * Default body patterns to redact (regex)
+ */
+const DEFAULT_SENSITIVE_BODY_PATTERNS = [
+    // Bearer tokens
+    /Bearer\s+[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]*/g,
+    // JWT tokens
+    /eyJ[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]*/g,
+    // API keys (common formats)
+    /(?:api[_-]?key|apikey)[=:]["']?[A-Za-z0-9\-_]{20,}["']?/gi,
+    // AWS access keys
+    /AKIA[0-9A-Z]{16}/g,
+    // Credit card numbers (basic pattern)
+    /\b(?:\d{4}[- ]?){3}\d{4}\b/g,
+];
+/**
+ * Build default redaction rules
+ */
+function buildDefaultRules() {
+    const rules = [];
+    // Header rules
+    for (const header of DEFAULT_SENSITIVE_HEADERS) {
+        rules.push({
+            type: "header",
+            name: header,
+            hash: true,
+        });
+    }
+    // Query param rules
+    for (const param of DEFAULT_SENSITIVE_QUERY_PARAMS) {
+        rules.push({
+            type: "query_param",
+            name: param,
+            hash: true,
+        });
+    }
+    // Body field rules
+    for (const field of DEFAULT_SENSITIVE_BODY_FIELDS) {
+        rules.push({
+            type: "body_field",
+            name: field,
+            hash: true,
+        });
+    }
+    // Body pattern rules
+    for (const pattern of DEFAULT_SENSITIVE_BODY_PATTERNS) {
+        rules.push({
+            type: "body_pattern",
+            pattern: pattern.source,
+            hash: true,
+        });
+    }
+    return rules;
+}
+/**
+ * Default redaction configuration
+ */
+const DEFAULT_CONFIG = {
+    enabled: true,
+    rules: buildDefaultRules(),
+    hashSalt: "rdt-redaction-salt-v1",
+};
+/**
+ * Global redaction config (can be overridden)
+ */
+let globalConfig = { ...DEFAULT_CONFIG };
+/**
+ * Compute a deterministic hash for a redacted value
+ * The hash is stable across runs given the same input and salt
+ */
+function computeRedactionHash(value, salt = globalConfig.hashSalt || "") {
+    const hash = (0, crypto_1.createHash)("sha256")
+        .update(salt + value)
+        .digest("hex")
+        .substring(0, 8);
+    return hash;
+}
+/**
+ * Create a redacted placeholder
+ */
+function createRedactedValue(originalValue, includeHash = true, salt) {
+    if (!includeHash) {
+        return "[REDACTED]";
+    }
+    const hash = computeRedactionHash(originalValue, salt);
+    return `[REDACTED:${hash}]`;
+}
+/**
+ * Load redaction config from file
+ */
+function loadRedactionConfig(configPath) {
+    // Try to find config file
+    const searchPaths = configPath
+        ? [configPath]
+        : [
+            (0, path_1.join)(process.cwd(), ".rdt.json"),
+            (0, path_1.join)(process.cwd(), ".rdt/config.json"),
+            (0, path_1.join)(process.cwd(), "rdt.config.json"),
+        ];
+    for (const path of searchPaths) {
+        if ((0, fs_1.existsSync)(path)) {
+            try {
+                const content = (0, fs_1.readFileSync)(path, "utf8");
+                const config = JSON.parse(content);
+                if (config.redaction) {
+                    const userConfig = config.redaction;
+                    // Merge with defaults
+                    const mergedConfig = {
+                        enabled: userConfig.enabled ?? true,
+                        rules: userConfig.overrideDefaults
+                            ? userConfig.rules || []
+                            : [...buildDefaultRules(), ...(userConfig.rules || [])],
+                        overrideDefaults: userConfig.overrideDefaults,
+                        hashSalt: userConfig.hashSalt || DEFAULT_CONFIG.hashSalt,
+                    };
+                    return mergedConfig;
+                }
+            }
+            catch (error) {
+                console.warn(`[Redaction] Failed to load config from ${path}: ${error}`);
+            }
+        }
+    }
+    return { ...DEFAULT_CONFIG };
+}
+/**
+ * Set global redaction config
+ */
+function setRedactionConfig(config) {
+    globalConfig = {
+        ...DEFAULT_CONFIG,
+        ...config,
+        rules: config.overrideDefaults
+            ? config.rules || []
+            : [...buildDefaultRules(), ...(config.rules || [])],
+    };
+}
+/**
+ * Get current redaction config
+ */
+function getRedactionConfig() {
+    return { ...globalConfig };
+}
+/**
+ * Reset redaction config to defaults
+ */
+function resetRedactionConfig() {
+    globalConfig = { ...DEFAULT_CONFIG, rules: buildDefaultRules() };
+}
+/**
+ * Check if a header name should be redacted
+ */
+function shouldRedactHeader(headerName) {
+    if (!globalConfig.enabled)
+        return false;
+    const lowerName = headerName.toLowerCase();
+    for (const rule of globalConfig.rules) {
+        if (rule.type !== "header")
+            continue;
+        if (rule.regex && rule.name) {
+            const regex = new RegExp(rule.name, "i");
+            if (regex.test(lowerName))
+                return true;
+        }
+        else if (rule.name) {
+            if (rule.name.toLowerCase() === lowerName)
+                return true;
+        }
+    }
+    return false;
+}
+/**
+ * Check if a query param should be redacted
+ */
+function shouldRedactQueryParam(paramName) {
+    if (!globalConfig.enabled)
+        return false;
+    const lowerName = paramName.toLowerCase();
+    for (const rule of globalConfig.rules) {
+        if (rule.type !== "query_param")
+            continue;
+        if (rule.regex && rule.name) {
+            const regex = new RegExp(rule.name, "i");
+            if (regex.test(lowerName))
+                return true;
+        }
+        else if (rule.name) {
+            if (rule.name.toLowerCase() === lowerName)
+                return true;
+        }
+    }
+    return false;
+}
+/**
+ * Redact headers in a headers object
+ */
+function redactHeaders(headers) {
+    if (!globalConfig.enabled)
+        return headers;
+    const redacted = {};
+    for (const [key, value] of Object.entries(headers)) {
+        if (value === undefined) {
+            redacted[key] = value;
+            continue;
+        }
+        if (shouldRedactHeader(key)) {
+            const originalValue = Array.isArray(value) ? value.join(", ") : value;
+            redacted[key] = createRedactedValue(originalValue, true, globalConfig.hashSalt);
+        }
+        else {
+            redacted[key] = value;
+        }
+    }
+    return redacted;
+}
+/**
+ * Redact query parameters
+ */
+function redactQueryParams(query) {
+    if (!globalConfig.enabled)
+        return query;
+    const redacted = {};
+    for (const [key, value] of Object.entries(query)) {
+        if (shouldRedactQueryParam(key)) {
+            const originalValue = typeof value === "string" ? value : JSON.stringify(value);
+            redacted[key] = createRedactedValue(originalValue, true, globalConfig.hashSalt);
+        }
+        else if (typeof value === "object" && value !== null) {
+            redacted[key] = redactQueryParams(value);
+        }
+        else {
+            redacted[key] = value;
+        }
+    }
+    return redacted;
+}
+/**
+ * Check if a body field name should be redacted
+ */
+function shouldRedactBodyField(fieldName) {
+    const lowerName = fieldName.toLowerCase();
+    for (const rule of globalConfig.rules) {
+        if (rule.type !== "body_field")
+            continue;
+        if (rule.regex && rule.name) {
+            const regex = new RegExp(rule.name, "i");
+            if (regex.test(lowerName))
+                return true;
+        }
+        else if (rule.name) {
+            if (rule.name.toLowerCase() === lowerName)
+                return true;
+        }
+    }
+    return false;
+}
+/**
+ * Redact sensitive fields from a body object (recursive)
+ */
+function redactBodyObject(body) {
+    if (!globalConfig.enabled)
+        return body;
+    if (body === null || body === undefined) {
+        return body;
+    }
+    if (typeof body !== "object") {
+        return body;
+    }
+    if (Array.isArray(body)) {
+        return body.map((item) => redactBodyObject(item));
+    }
+    const redacted = {};
+    for (const [key, value] of Object.entries(body)) {
+        if (shouldRedactBodyField(key)) {
+            const originalValue = typeof value === "string" ? value : JSON.stringify(value);
+            redacted[key] = createRedactedValue(originalValue, true, globalConfig.hashSalt);
+        }
+        else if (typeof value === "object" && value !== null) {
+            redacted[key] = redactBodyObject(value);
+        }
+        else {
+            redacted[key] = value;
+        }
+    }
+    return redacted;
+}
+/**
+ * Redact patterns from a body string
+ */
+function redactBodyPatterns(body) {
+    if (!globalConfig.enabled)
+        return body;
+    let result = body;
+    for (const rule of globalConfig.rules) {
+        if (rule.type !== "body_pattern" || !rule.pattern)
+            continue;
+        try {
+            const regex = new RegExp(rule.pattern, "g");
+            result = result.replace(regex, (match) => {
+                return createRedactedValue(match, rule.hash ?? true, globalConfig.hashSalt);
+            });
+        }
+        catch {
+            // Invalid regex, skip
+            console.warn(`[Redaction] Invalid pattern: ${rule.pattern}`);
+        }
+    }
+    return result;
+}
+/**
+ * Redact a body (handles both string and object)
+ */
+function redactBody(body) {
+    if (!globalConfig.enabled)
+        return body;
+    if (body === null || body === undefined) {
+        return body;
+    }
+    if (typeof body === "string") {
+        // Try to parse as JSON
+        try {
+            const parsed = JSON.parse(body);
+            const redacted = redactBodyObject(parsed);
+            let result = JSON.stringify(redacted);
+            // Also apply pattern matching
+            result = redactBodyPatterns(result);
+            return result;
+        }
+        catch {
+            // Not JSON, apply pattern matching only
+            return redactBodyPatterns(body);
+        }
+    }
+    if (typeof body === "object") {
+        const redacted = redactBodyObject(body);
+        // Also check for patterns in string values
+        return JSON.parse(redactBodyPatterns(JSON.stringify(redacted)));
+    }
+    return body;
+}
+/**
+ * Redact a URL (query params)
+ */
+function redactUrl(url) {
+    if (!globalConfig.enabled)
+        return url;
+    try {
+        const urlObj = new URL(url, "http://placeholder");
+        const redactedParams = new URLSearchParams();
+        for (const [key, value] of urlObj.searchParams) {
+            if (shouldRedactQueryParam(key)) {
+                redactedParams.set(key, createRedactedValue(value, true, globalConfig.hashSalt));
+            }
+            else {
+                redactedParams.set(key, value);
+            }
+        }
+        urlObj.search = redactedParams.toString();
+        // Return the full URL if it was absolute, or just path+query if relative
+        if (url.startsWith("http://") || url.startsWith("https://")) {
+            return urlObj.toString();
+        }
+        return urlObj.pathname + (urlObj.search ? urlObj.search : "");
+    }
+    catch {
+        // Invalid URL, return as-is
+        return url;
+    }
+}
+/**
+ * Check if a value looks like it contains sensitive data
+ * (heuristic-based, for additional protection)
+ */
+function containsSensitivePatterns(value) {
+    // Check for common sensitive patterns
+    const sensitivePatterns = [
+        /Bearer\s+[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+/,
+        /eyJ[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+/,
+        /password[=:]/i,
+        /secret[=:]/i,
+        /token[=:]/i,
+        /api[_-]?key[=:]/i,
+    ];
+    return sensitivePatterns.some((pattern) => pattern.test(value));
+}
+/**
+ * Export default sensitive lists for testing
+ */
+exports.SENSITIVE_HEADERS = DEFAULT_SENSITIVE_HEADERS;
+exports.SENSITIVE_QUERY_PARAMS = DEFAULT_SENSITIVE_QUERY_PARAMS;
+exports.SENSITIVE_BODY_FIELDS = DEFAULT_SENSITIVE_BODY_FIELDS;