@uniglot/wont-let-you-see 0.1.0 → 0.2.0

package/.github/CODEOWNERS

@@ -0,0 +1 @@
+* @uniglot

package/.github/workflows/ci.yml

@@ -0,0 +1,14 @@
+name: CI
+on:
+  pull_request:
+    branches: [main]
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: oven-sh/setup-bun@v2
+      - run: bun install --frozen-lockfile
+      - run: bun run typecheck
+      - run: bunx prettier --check "src/**/*.ts"

package/.github/workflows/publish.yml

@@ -0,0 +1,20 @@
+name: Publish
+on:
+  release:
+    types: [published]
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: oven-sh/setup-bun@v2
+      - uses: actions/setup-node@v4
+        with:
+          registry-url: https://registry.npmjs.org
+      - run: bun install --frozen-lockfile
+      - run: bun run build
+      - run: bunx tsc --emitDeclarationOnly --declaration --outDir dist
+      - run: npm publish
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

package/.github/workflows/release.yml

@@ -0,0 +1,20 @@
+name: Draft Release
+on:
+  push:
+    branches: [main]
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+      - id: pkg
+        run: echo "version=$(jq -r .version package.json)" >> $GITHUB_OUTPUT
+      - uses: softprops/action-gh-release@v2
+        with:
+          tag_name: v${{ steps.pkg.outputs.version }}
+          name: v${{ steps.pkg.outputs.version }}
+          draft: true
+          generate_release_notes: true

package/.github/workflows/test.yml

@@ -0,0 +1,13 @@
+name: Test
+on:
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: oven-sh/setup-bun@v2
+      - run: bun install --frozen-lockfile
+      - run: bun test

package/README.md

@@ -92,6 +92,12 @@ The plugin automatically masks output from:
 | `ebs`              | EBS Volume IDs               | `vol-0123456789abcdef0`                                 |
 | `snapshot`         | EBS Snapshot IDs             | `snap-0123456789abcdef0`                                |
 | `eni`              | Network Interface IDs        | `eni-0123456789abcdef0`                                 |
+| `vpc-endpoint`     | VPC Endpoint IDs             | `vpce-0123456789abcdef0`                                |
+| `transit-gateway`  | Transit Gateway IDs          | `tgw-0123456789abcdef0`                                 |
+| `customer-gateway` | Customer Gateway IDs         | `cgw-0123456789abcdef0`                                 |
+| `vpn-gateway`      | VPN Gateway IDs              | `vgw-0123456789abcdef0`                                 |
+| `vpn-connection`   | VPN Connection IDs           | `vpn-0123456789abcdef0`                                 |
+| `ecr-repo`         | ECR Repository URIs          | `123456789012.dkr.ecr.us-west-2.amazonaws.com/my-repo`  |
 
 ### Kubernetes Resources (EKS)
 

package/dist/index.js

@@ -14,7 +14,13 @@ var AWS_PATTERNS = {
   ebs: /^vol-[0-9a-f]{8,17}$/,
   snapshot: /^snap-[0-9a-f]{8,17}$/,
   eni: /^eni-[0-9a-f]{8,17}$/,
+  vpcEndpoint: /^vpce-[0-9a-f]{8,17}$/,
+  transitGateway: /^tgw-[0-9a-f]{8,17}$/,
+  customerGateway: /^cgw-[0-9a-f]{8,17}$/,
+  vpnGateway: /^vgw-[0-9a-f]{8,17}$/,
+  vpnConnection: /^vpn-[0-9a-f]{8,17}$/,
   accountId: /"(?:OwnerId|AccountId|Owner|account_id)":\s*"(\d{12})"/,
+  ecrRepoUri: /^(?:\d{12}|#\(custom-\d+\))\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com\/[a-z0-9._\/-]+$/,
   accessKeyId: /(?:^|[^A-Z0-9])(?:AKIA|ABIA|ACCA|ASIA)[A-Z0-9]{16}(?:[^A-Z0-9]|$)/
 };
 var K8S_PATTERNS = {
@@ -28,11 +34,6 @@ var COMMON_PATTERNS = {
   privateKey: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----[\s\S]*?-----END (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/,
   apiKeyField: /"(?:api_key|apiKey|secret_key|secretKey|access_token|auth_token|password|token)":\s*"([^"]+)"/
 };
-var PATTERNS = {
-  ...AWS_PATTERNS,
-  ...K8S_PATTERNS,
-  ...COMMON_PATTERNS
-};
 
 // src/mapping.ts
 import {
@@ -113,27 +114,55 @@ function getOriginal(sessionId, token) {
 }
 
 // src/config.ts
-import { existsSync as existsSync2, readFileSync as readFileSync2 } from "fs";
-import { join as join2 } from "path";
+import {
+  existsSync as nodeExistsSync,
+  readFileSync as nodeReadFileSync
+} from "fs";
+import { join as join2, dirname } from "path";
 import { homedir as homedir2 } from "os";
+var fsAdapter = {
+  existsSync: nodeExistsSync,
+  readFileSync: nodeReadFileSync
+};
 var DEFAULT_CONFIG = {
   enabled: true,
   revealedPatterns: [],
   customPatterns: []
 };
 var CONFIG_FILENAME = ".wont-let-you-see.json";
-function loadJsonConfig() {
-  const paths = [
-    join2(process.cwd(), CONFIG_FILENAME),
-    join2(homedir2(), CONFIG_FILENAME)
-  ];
-  for (const configPath of paths) {
-    if (existsSync2(configPath)) {
-      try {
-        const content = readFileSync2(configPath, "utf-8");
-        return JSON.parse(content);
-      } catch {}
+function findConfigInAncestors(startDir) {
+  const home = homedir2();
+  let currentDir = startDir;
+  while (true) {
+    const configPath = join2(currentDir, CONFIG_FILENAME);
+    if (fsAdapter.existsSync(configPath)) {
+      return configPath;
+    }
+    if (currentDir === home) {
+      break;
     }
+    const parentDir = dirname(currentDir);
+    if (parentDir === currentDir) {
+      break;
+    }
+    currentDir = parentDir;
+  }
+  return null;
+}
+function loadJsonConfig() {
+  const ancestorConfig = findConfigInAncestors(process.cwd());
+  if (ancestorConfig) {
+    try {
+      const content = fsAdapter.readFileSync(ancestorConfig, "utf-8");
+      return JSON.parse(content);
+    } catch {}
+  }
+  const homeConfig = join2(homedir2(), CONFIG_FILENAME);
+  if (fsAdapter.existsSync(homeConfig)) {
+    try {
+      const content = fsAdapter.readFileSync(homeConfig, "utf-8");
+      return JSON.parse(content);
+    } catch {}
   }
   return {};
 }
@@ -189,6 +218,12 @@ var PATTERN_ORDER = [
   { pattern: AWS_PATTERNS.natGateway, type: "nat-gateway" },
   { pattern: AWS_PATTERNS.networkAcl, type: "network-acl" },
   { pattern: AWS_PATTERNS.eni, type: "eni" },
+  { pattern: AWS_PATTERNS.vpcEndpoint, type: "vpc-endpoint" },
+  { pattern: AWS_PATTERNS.transitGateway, type: "transit-gateway" },
+  { pattern: AWS_PATTERNS.customerGateway, type: "customer-gateway" },
+  { pattern: AWS_PATTERNS.vpnGateway, type: "vpn-gateway" },
+  { pattern: AWS_PATTERNS.vpnConnection, type: "vpn-connection" },
+  { pattern: AWS_PATTERNS.ecrRepoUri, type: "ecr-repo" },
   { pattern: AWS_PATTERNS.ami, type: "ami" },
   { pattern: AWS_PATTERNS.ec2Instance, type: "ec2-instance" },
   { pattern: AWS_PATTERNS.ebs, type: "ebs" },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@uniglot/wont-let-you-see",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "OpenCode plugin that masks sensitive cloud infrastructure data (AWS, Kubernetes) from LLMs",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/__tests__/config.test.ts

@@ -1,16 +1,36 @@
-import { describe, it, expect, beforeEach, afterEach } from "vitest";
-import { getConfig, resetConfig, isPatternEnabled } from "../config";
+import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
+import {
+  getConfig,
+  resetConfig,
+  isPatternEnabled,
+  setFsAdapter,
+  resetFsAdapter,
+} from "../config";
+import * as path from "path";
+
+const mockExistsSync = vi.fn();
+const mockReadFileSync = vi.fn();
 
 describe("Config", () => {
   const originalEnv = { ...process.env };
+  const originalCwd = process.cwd;
 
   beforeEach(() => {
     resetConfig();
+    setFsAdapter({
+      existsSync: mockExistsSync,
+      readFileSync: mockReadFileSync,
+    });
+    mockExistsSync.mockReturnValue(false);
+    mockReadFileSync.mockReturnValue("{}");
   });
 
   afterEach(() => {
     process.env = { ...originalEnv };
+    process.cwd = originalCwd;
     resetConfig();
+    resetFsAdapter();
+    vi.clearAllMocks();
   });
 
   describe("getConfig", () => {
@@ -95,4 +115,77 @@ describe("Config", () => {
       expect(isPatternEnabled("vpc")).toBe(true);
     });
   });
+
+  describe("ancestor directory config lookup", () => {
+    it("should find config in parent directory when cwd is subdirectory", () => {
+      process.cwd = () => "/project/packages/app";
+
+      mockExistsSync.mockImplementation((p: string) => {
+        return p === path.join("/project", ".wont-let-you-see.json");
+      });
+      mockReadFileSync.mockReturnValue(
+        JSON.stringify({ enabled: false, customPatterns: ["secret123"] }),
+      );
+
+      const config = getConfig();
+      expect(config.enabled).toBe(false);
+      expect(config.customPatterns).toEqual(["secret123"]);
+    });
+
+    it("should find config in grandparent directory", () => {
+      process.cwd = () => "/project/packages/app/src/components";
+
+      mockExistsSync.mockImplementation((p: string) => {
+        return p === path.join("/project", ".wont-let-you-see.json");
+      });
+      mockReadFileSync.mockReturnValue(
+        JSON.stringify({ revealedPatterns: ["ipv4"] }),
+      );
+
+      const config = getConfig();
+      expect(config.revealedPatterns).toEqual(["ipv4"]);
+    });
+
+    it("should prefer config in closer ancestor over distant ancestor", () => {
+      process.cwd = () => "/project/packages/app";
+
+      mockExistsSync.mockImplementation((p: string) => {
+        return (
+          p === path.join("/project/packages/app", ".wont-let-you-see.json") ||
+          p === path.join("/project", ".wont-let-you-see.json")
+        );
+      });
+      mockReadFileSync.mockImplementation((p: string) => {
+        if (
+          p === path.join("/project/packages/app", ".wont-let-you-see.json")
+        ) {
+          return JSON.stringify({ customPatterns: ["app-secret"] });
+        }
+        return JSON.stringify({ customPatterns: ["root-secret"] });
+      });
+
+      const config = getConfig();
+      expect(config.customPatterns).toEqual(["app-secret"]);
+    });
+
+    it("should prefer cwd config over parent config", () => {
+      process.cwd = () => "/project/subdir";
+
+      mockExistsSync.mockImplementation((p: string) => {
+        return (
+          p === path.join("/project/subdir", ".wont-let-you-see.json") ||
+          p === path.join("/project", ".wont-let-you-see.json")
+        );
+      });
+      mockReadFileSync.mockImplementation((p: string) => {
+        if (p === path.join("/project/subdir", ".wont-let-you-see.json")) {
+          return JSON.stringify({ enabled: false });
+        }
+        return JSON.stringify({ enabled: true });
+      });
+
+      const config = getConfig();
+      expect(config.enabled).toBe(false);
+    });
+  });
 });

package/src/__tests__/patterns.test.ts

@@ -1,10 +1,5 @@
 import { describe, it, expect } from "vitest";
-import {
-  AWS_PATTERNS,
-  K8S_PATTERNS,
-  COMMON_PATTERNS,
-  PATTERNS,
-} from "../patterns";
+import { AWS_PATTERNS, K8S_PATTERNS, COMMON_PATTERNS } from "../patterns";
 
 describe("AWS_PATTERNS", () => {
   describe("ARN", () => {
@@ -65,6 +60,96 @@ describe("AWS_PATTERNS", () => {
     });
   });
 
+  describe("VPC networking resources", () => {
+    it("should match vpc endpoint", () => {
+      expect(AWS_PATTERNS.vpcEndpoint.test("vpce-0123456789abcdef0")).toBe(
+        true,
+      );
+    });
+
+    it("should match transit gateway", () => {
+      expect(AWS_PATTERNS.transitGateway.test("tgw-0123456789abcdef0")).toBe(
+        true,
+      );
+    });
+
+    it("should match customer gateway", () => {
+      expect(AWS_PATTERNS.customerGateway.test("cgw-0123456789abcdef0")).toBe(
+        true,
+      );
+    });
+
+    it("should match vpn gateway", () => {
+      expect(AWS_PATTERNS.vpnGateway.test("vgw-0123456789abcdef0")).toBe(true);
+    });
+
+    it("should match vpn connection", () => {
+      expect(AWS_PATTERNS.vpnConnection.test("vpn-0123456789abcdef0")).toBe(
+        true,
+      );
+    });
+
+    it("should NOT match invalid vpc endpoint", () => {
+      expect(AWS_PATTERNS.vpcEndpoint.test("vpce-invalid")).toBe(false);
+    });
+  });
+
+  describe("ECR resources", () => {
+    it("should match ECR repo URI", () => {
+      expect(
+        AWS_PATTERNS.ecrRepoUri.test(
+          "123456789012.dkr.ecr.us-west-2.amazonaws.com/my-repo",
+        ),
+      ).toBe(true);
+    });
+
+    it("should match ECR repo URI with nested path", () => {
+      expect(
+        AWS_PATTERNS.ecrRepoUri.test(
+          "123456789012.dkr.ecr.eu-central-1.amazonaws.com/org/app/service",
+        ),
+      ).toBe(true);
+    });
+
+    it("should match ECR repo URI with dots and underscores", () => {
+      expect(
+        AWS_PATTERNS.ecrRepoUri.test(
+          "123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/my_repo.name",
+        ),
+      ).toBe(true);
+    });
+
+    it("should NOT match invalid ECR URI (wrong account ID length)", () => {
+      expect(
+        AWS_PATTERNS.ecrRepoUri.test(
+          "12345.dkr.ecr.us-west-2.amazonaws.com/my-repo",
+        ),
+      ).toBe(false);
+    });
+
+    it("should NOT match non-ECR docker registry", () => {
+      expect(AWS_PATTERNS.ecrRepoUri.test("docker.io/library/nginx")).toBe(
+        false,
+      );
+    });
+
+    it("should match ECR repo URI with masked account ID", () => {
+      expect(
+        AWS_PATTERNS.ecrRepoUri.test(
+          "#(custom-1).dkr.ecr.us-west-2.amazonaws.com/my-repo",
+        ),
+      ).toBe(true);
+    });
+
+    it("should match ECR repo URI with masked account ID (higher number)", () => {
+      expect(
+        AWS_PATTERNS.ecrRepoUri.test(
+          "#(custom-123).dkr.ecr.us-east-1.amazonaws.com/app/service",
+        ),
+      ).toBe(true);
+    });
+  });
+
   describe("Account ID (contextual)", () => {
     it("should match OwnerId field", () => {
       expect(AWS_PATTERNS.accountId.test('"OwnerId": "123456789012"')).toBe(
@@ -188,28 +273,18 @@ MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC
   });
 });
 
-describe("PATTERNS (combined)", () => {
-  it("should include all AWS patterns", () => {
-    expect(PATTERNS.vpc).toBe(AWS_PATTERNS.vpc);
-    expect(PATTERNS.arn).toBe(AWS_PATTERNS.arn);
-  });
-
-  it("should include all K8S patterns", () => {
-    expect(PATTERNS.serviceAccountToken).toBe(K8S_PATTERNS.serviceAccountToken);
-  });
-
-  it("should include all common patterns", () => {
-    expect(PATTERNS.ipv4).toBe(COMMON_PATTERNS.ipv4);
-    expect(PATTERNS.privateKey).toBe(COMMON_PATTERNS.privateKey);
-  });
-});
-
 describe("ReDoS safety", () => {
   it("should handle pathological input quickly", () => {
     const pathological = "a".repeat(1000) + "b";
     const start = performance.now();
 
-    for (const pattern of Object.values(PATTERNS)) {
+    const allPatterns = [
+      ...Object.values(AWS_PATTERNS),
+      ...Object.values(K8S_PATTERNS),
+      ...Object.values(COMMON_PATTERNS),
+    ];
+
+    for (const pattern of allPatterns) {
       pattern.test(pathological);
     }
 

package/src/config.ts

@@ -1,5 +1,8 @@
-import { existsSync, readFileSync } from "fs";
-import { join } from "path";
+import {
+  existsSync as nodeExistsSync,
+  readFileSync as nodeReadFileSync,
+} from "fs";
+import { join, dirname } from "path";
 import { homedir } from "os";
 
 export interface Config {
@@ -8,6 +11,24 @@ export interface Config {
   customPatterns: string[];
 }
 
+interface FsAdapter {
+  existsSync: (path: string) => boolean;
+  readFileSync: (path: string, encoding: "utf-8") => string;
+}
+
+let fsAdapter: FsAdapter = {
+  existsSync: nodeExistsSync,
+  readFileSync: nodeReadFileSync,
+};
+
+export function setFsAdapter(adapter: FsAdapter): void {
+  fsAdapter = adapter;
+}
+
+export function resetFsAdapter(): void {
+  fsAdapter = { existsSync: nodeExistsSync, readFileSync: nodeReadFileSync };
+}
+
 const DEFAULT_CONFIG: Config = {
   enabled: true,
   revealedPatterns: [],
@@ -16,19 +37,45 @@ const DEFAULT_CONFIG: Config = {
 
 const CONFIG_FILENAME = ".wont-let-you-see.json";
 
-function loadJsonConfig(): Partial<Config> {
-  const paths = [
-    join(process.cwd(), CONFIG_FILENAME),
-    join(homedir(), CONFIG_FILENAME),
-  ];
-
-  for (const configPath of paths) {
-    if (existsSync(configPath)) {
-      try {
-        const content = readFileSync(configPath, "utf-8");
-        return JSON.parse(content);
-      } catch {}
+function findConfigInAncestors(startDir: string): string | null {
+  const home = homedir();
+  let currentDir = startDir;
+
+  while (true) {
+    const configPath = join(currentDir, CONFIG_FILENAME);
+    if (fsAdapter.existsSync(configPath)) {
+      return configPath;
     }
+
+    if (currentDir === home) {
+      break;
+    }
+
+    const parentDir = dirname(currentDir);
+    if (parentDir === currentDir) {
+      break;
+    }
+    currentDir = parentDir;
+  }
+
+  return null;
+}
+
+function loadJsonConfig(): Partial<Config> {
+  const ancestorConfig = findConfigInAncestors(process.cwd());
+  if (ancestorConfig) {
+    try {
+      const content = fsAdapter.readFileSync(ancestorConfig, "utf-8");
+      return JSON.parse(content);
+    } catch {}
+  }
+
+  const homeConfig = join(homedir(), CONFIG_FILENAME);
+  if (fsAdapter.existsSync(homeConfig)) {
+    try {
+      const content = fsAdapter.readFileSync(homeConfig, "utf-8");
+      return JSON.parse(content);
+    } catch {}
   }
 
   return {};

package/src/masker.ts

@@ -21,6 +21,12 @@ const PATTERN_ORDER: PatternConfig[] = [
   { pattern: AWS_PATTERNS.natGateway, type: "nat-gateway" },
   { pattern: AWS_PATTERNS.networkAcl, type: "network-acl" },
   { pattern: AWS_PATTERNS.eni, type: "eni" },
+  { pattern: AWS_PATTERNS.vpcEndpoint, type: "vpc-endpoint" },
+  { pattern: AWS_PATTERNS.transitGateway, type: "transit-gateway" },
+  { pattern: AWS_PATTERNS.customerGateway, type: "customer-gateway" },
+  { pattern: AWS_PATTERNS.vpnGateway, type: "vpn-gateway" },
+  { pattern: AWS_PATTERNS.vpnConnection, type: "vpn-connection" },
+  { pattern: AWS_PATTERNS.ecrRepoUri, type: "ecr-repo" },
   { pattern: AWS_PATTERNS.ami, type: "ami" },
   { pattern: AWS_PATTERNS.ec2Instance, type: "ec2-instance" },
   { pattern: AWS_PATTERNS.ebs, type: "ebs" },

package/src/patterns.ts

@@ -14,7 +14,14 @@ export const AWS_PATTERNS = {
   ebs: /^vol-[0-9a-f]{8,17}$/,
   snapshot: /^snap-[0-9a-f]{8,17}$/,
   eni: /^eni-[0-9a-f]{8,17}$/,
+  vpcEndpoint: /^vpce-[0-9a-f]{8,17}$/,
+  transitGateway: /^tgw-[0-9a-f]{8,17}$/,
+  customerGateway: /^cgw-[0-9a-f]{8,17}$/,
+  vpnGateway: /^vgw-[0-9a-f]{8,17}$/,
+  vpnConnection: /^vpn-[0-9a-f]{8,17}$/,
   accountId: /"(?:OwnerId|AccountId|Owner|account_id)":\s*"(\d{12})"/,
+  ecrRepoUri:
+    /^(?:\d{12}|#\(custom-\d+\))\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com\/[a-z0-9._\/-]+$/,
   accessKeyId:
     /(?:^|[^A-Z0-9])(?:AKIA|ABIA|ACCA|ASIA)[A-Z0-9]{16}(?:[^A-Z0-9]|$)/,
 } as const;
@@ -36,10 +43,3 @@ export const COMMON_PATTERNS = {
   apiKeyField:
     /"(?:api_key|apiKey|secret_key|secretKey|access_token|auth_token|password|token)":\s*"([^"]+)"/,
 } as const;
-
-// Combined for backward compatibility
-export const PATTERNS = {
-  ...AWS_PATTERNS,
-  ...K8S_PATTERNS,
-  ...COMMON_PATTERNS,
-} as const;