@uniglot/wont-let-you-see 0.1.0

package/dist/index.js

@@ -0,0 +1,308 @@
+// src/patterns.ts
+var AWS_PATTERNS = {
+  arn: /^arn:(?:aws|aws-cn|aws-us-gov):[a-zA-Z0-9-]+:[a-z0-9-]*:(?:[0-9]{12})?:.+$/,
+  eksCluster: /^arn:(?:aws|aws-cn|aws-us-gov):eks:[a-z0-9-]+:[0-9]{12}:cluster\/.+$/,
+  vpc: /^vpc-[0-9a-f]{8,17}$/,
+  subnet: /^subnet-[0-9a-f]{8,17}$/,
+  securityGroup: /^sg-[0-9a-f]{8,17}$/,
+  internetGateway: /^igw-[0-9a-f]{8,17}$/,
+  routeTable: /^rtb-[0-9a-f]{8,17}$/,
+  natGateway: /^nat-[0-9a-f]{8,17}$/,
+  networkAcl: /^acl-[0-9a-f]{8,17}$/,
+  ec2Instance: /^i-[0-9a-f]{8,17}$/,
+  ami: /^ami-[0-9a-f]{8,17}$/,
+  ebs: /^vol-[0-9a-f]{8,17}$/,
+  snapshot: /^snap-[0-9a-f]{8,17}$/,
+  eni: /^eni-[0-9a-f]{8,17}$/,
+  accountId: /"(?:OwnerId|AccountId|Owner|account_id)":\s*"(\d{12})"/,
+  accessKeyId: /(?:^|[^A-Z0-9])(?:AKIA|ABIA|ACCA|ASIA)[A-Z0-9]{16}(?:[^A-Z0-9]|$)/
+};
+var K8S_PATTERNS = {
+  serviceAccountToken: /^eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*$/,
+  nodeNameAws: /^ip-(?:\d{1,3}-){3}\d{1,3}\.[a-z0-9-]+\.compute\.internal$/,
+  clusterEndpoint: /^https:\/\/[A-Z0-9]+\.[a-z0-9-]+\.eks\.amazonaws\.com$/,
+  kubeconfigServer: /^https:\/\/[0-9A-F]{32}\.[a-z]{2}-[a-z]+-\d\.eks\.amazonaws\.com$/i
+};
+var COMMON_PATTERNS = {
+  ipv4: /^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/,
+  privateKey: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----[\s\S]*?-----END (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/,
+  apiKeyField: /"(?:api_key|apiKey|secret_key|secretKey|access_token|auth_token|password|token)":\s*"([^"]+)"/
+};
+var PATTERNS = {
+  ...AWS_PATTERNS,
+  ...K8S_PATTERNS,
+  ...COMMON_PATTERNS
+};
+
+// src/mapping.ts
+import {
+  existsSync,
+  mkdirSync,
+  readFileSync,
+  writeFileSync,
+  renameSync
+} from "fs";
+import { join } from "path";
+import { homedir } from "os";
+var sessionStates = new Map;
+function getSessionPath(sessionId) {
+  const projectRoot = process.cwd();
+  const defaultPath = join(projectRoot, ".opencode", "sessions", sessionId, "wont-let-you-see-mapping.json");
+  if (existsSync(join(projectRoot, ".opencode")) || !existsSync(homedir())) {
+    return defaultPath;
+  }
+  return join(homedir(), ".opencode", "sessions", sessionId, "wont-let-you-see-mapping.json");
+}
+function ensureSessionDir(sessionPath) {
+  const dir = sessionPath.substring(0, sessionPath.lastIndexOf("/"));
+  if (!existsSync(dir)) {
+    mkdirSync(dir, { recursive: true });
+  }
+}
+function getSessionState(sessionId) {
+  let state = sessionStates.get(sessionId);
+  if (!state) {
+    const sessionPath = getSessionPath(sessionId);
+    if (existsSync(sessionPath)) {
+      const mapping = JSON.parse(readFileSync(sessionPath, "utf-8"));
+      const counters = {};
+      for (const token of Object.keys(mapping.entries)) {
+        const match = token.match(/^#\(([^-]+)-(\d+)\)$/);
+        if (match && match[1] && match[2]) {
+          const type = match[1];
+          const num = match[2];
+          counters[type] = Math.max(counters[type] || 0, parseInt(num, 10));
+        }
+      }
+      state = { mapping, counters };
+    } else {
+      state = {
+        mapping: { version: 1, entries: {} },
+        counters: {}
+      };
+    }
+    sessionStates.set(sessionId, state);
+  }
+  return state;
+}
+function saveMapping(sessionId) {
+  const state = getSessionState(sessionId);
+  const sessionPath = getSessionPath(sessionId);
+  ensureSessionDir(sessionPath);
+  const tempPath = `${sessionPath}.tmp`;
+  writeFileSync(tempPath, JSON.stringify(state.mapping, null, 2), "utf-8");
+  renameSync(tempPath, sessionPath);
+}
+function addEntry(sessionId, type, originalValue) {
+  const state = getSessionState(sessionId);
+  for (const [token2, value] of Object.entries(state.mapping.entries)) {
+    if (value === originalValue) {
+      return token2;
+    }
+  }
+  const counter = (state.counters[type] || 0) + 1;
+  state.counters[type] = counter;
+  const token = `#(${type}-${counter})`;
+  state.mapping.entries[token] = originalValue;
+  saveMapping(sessionId);
+  return token;
+}
+function getOriginal(sessionId, token) {
+  const state = getSessionState(sessionId);
+  return state.mapping.entries[token];
+}
+
+// src/config.ts
+import { existsSync as existsSync2, readFileSync as readFileSync2 } from "fs";
+import { join as join2 } from "path";
+import { homedir as homedir2 } from "os";
+var DEFAULT_CONFIG = {
+  enabled: true,
+  revealedPatterns: [],
+  customPatterns: []
+};
+var CONFIG_FILENAME = ".wont-let-you-see.json";
+function loadJsonConfig() {
+  const paths = [
+    join2(process.cwd(), CONFIG_FILENAME),
+    join2(homedir2(), CONFIG_FILENAME)
+  ];
+  for (const configPath of paths) {
+    if (existsSync2(configPath)) {
+      try {
+        const content = readFileSync2(configPath, "utf-8");
+        return JSON.parse(content);
+      } catch {}
+    }
+  }
+  return {};
+}
+function loadEnvConfig() {
+  const config = {};
+  const enabled = process.env.WONT_LET_YOU_SEE_ENABLED;
+  if (enabled !== undefined) {
+    config.enabled = enabled.toLowerCase() !== "false" && enabled !== "0";
+  }
+  const revealedPatterns = process.env.WONT_LET_YOU_SEE_REVEALED_PATTERNS;
+  if (revealedPatterns !== undefined) {
+    config.revealedPatterns = revealedPatterns.split(",").map((p) => p.trim()).filter(Boolean);
+  }
+  const customPatterns = process.env.WONT_LET_YOU_SEE_CUSTOM_PATTERNS;
+  if (customPatterns !== undefined) {
+    config.customPatterns = customPatterns.split(",").map((p) => p.trim()).filter(Boolean);
+  }
+  return config;
+}
+var cachedConfig = null;
+function getConfig() {
+  if (cachedConfig) {
+    return cachedConfig;
+  }
+  const jsonConfig = loadJsonConfig();
+  const envConfig = loadEnvConfig();
+  cachedConfig = {
+    ...DEFAULT_CONFIG,
+    ...jsonConfig,
+    ...envConfig
+  };
+  return cachedConfig;
+}
+function isPatternEnabled(patternType) {
+  const config = getConfig();
+  if (!config.enabled) {
+    return false;
+  }
+  return !config.revealedPatterns.includes(patternType);
+}
+
+// src/masker.ts
+var PATTERN_ORDER = [
+  { pattern: AWS_PATTERNS.eksCluster, type: "eks-cluster" },
+  { pattern: AWS_PATTERNS.arn, type: "arn" },
+  { pattern: AWS_PATTERNS.accountId, type: "account-id", isContextual: true },
+  { pattern: AWS_PATTERNS.accessKeyId, type: "access-key-id" },
+  { pattern: AWS_PATTERNS.vpc, type: "vpc" },
+  { pattern: AWS_PATTERNS.subnet, type: "subnet" },
+  { pattern: AWS_PATTERNS.securityGroup, type: "security-group" },
+  { pattern: AWS_PATTERNS.internetGateway, type: "internet-gateway" },
+  { pattern: AWS_PATTERNS.routeTable, type: "route-table" },
+  { pattern: AWS_PATTERNS.natGateway, type: "nat-gateway" },
+  { pattern: AWS_PATTERNS.networkAcl, type: "network-acl" },
+  { pattern: AWS_PATTERNS.eni, type: "eni" },
+  { pattern: AWS_PATTERNS.ami, type: "ami" },
+  { pattern: AWS_PATTERNS.ec2Instance, type: "ec2-instance" },
+  { pattern: AWS_PATTERNS.ebs, type: "ebs" },
+  { pattern: AWS_PATTERNS.snapshot, type: "snapshot" },
+  { pattern: K8S_PATTERNS.serviceAccountToken, type: "k8s-token" },
+  { pattern: K8S_PATTERNS.clusterEndpoint, type: "k8s-endpoint" },
+  { pattern: K8S_PATTERNS.kubeconfigServer, type: "k8s-endpoint" },
+  { pattern: K8S_PATTERNS.nodeNameAws, type: "k8s-node" },
+  { pattern: COMMON_PATTERNS.privateKey, type: "private-key" },
+  { pattern: COMMON_PATTERNS.apiKeyField, type: "api-key", isContextual: true },
+  { pattern: COMMON_PATTERNS.ipv4, type: "ipv4" }
+];
+function removeAnchors(source) {
+  let result = source.replace(/^\^/, "").replace(/\$$/, "");
+  if (!result.endsWith("\\b")) {
+    result += "\\b";
+  }
+  return result;
+}
+function mask(sessionId, text) {
+  if (!text || typeof text !== "string") {
+    return text;
+  }
+  const config = getConfig();
+  if (!config.enabled) {
+    return text;
+  }
+  let result = text;
+  for (const customPattern of config.customPatterns) {
+    if (result.includes(customPattern)) {
+      const token = addEntry(sessionId, "custom", customPattern);
+      result = result.split(customPattern).join(token);
+    }
+  }
+  for (const { pattern, type, isContextual } of PATTERN_ORDER) {
+    if (!isPatternEnabled(type)) {
+      continue;
+    }
+    if (isContextual) {
+      result = result.replace(new RegExp(pattern.source, "g"), (match, capturedValue) => {
+        const token = addEntry(sessionId, type, capturedValue);
+        return match.replace(capturedValue, token);
+      });
+    } else {
+      const matches = new Set;
+      const globalPattern = new RegExp(removeAnchors(pattern.source), "g");
+      let match;
+      while ((match = globalPattern.exec(result)) !== null) {
+        matches.add(match[0]);
+      }
+      for (const value of matches) {
+        const token = addEntry(sessionId, type, value);
+        result = result.split(value).join(token);
+      }
+    }
+  }
+  return result;
+}
+function unmask(sessionId, text) {
+  if (!text || typeof text !== "string") {
+    return text;
+  }
+  let result = text;
+  const tokenPattern = /#\([^)]+\)/g;
+  const tokens = new Set;
+  let match;
+  while ((match = tokenPattern.exec(text)) !== null) {
+    tokens.add(match[0]);
+  }
+  for (const token of tokens) {
+    const original = getOriginal(sessionId, token);
+    if (original === undefined) {
+      console.warn(`Unknown token: ${token}`);
+    } else {
+      result = result.split(token).join(original);
+    }
+  }
+  return result;
+}
+
+// src/index.ts
+var INFRA_COMMAND_PATTERN = /\b(aws|terraform|kubectl|helm)\s/;
+var plugin = async (input) => {
+  const infraCommands = new Map;
+  return {
+    "tool.execute.before": async (hookInput, output) => {
+      if (hookInput.tool !== "bash") {
+        return;
+      }
+      const command = output.args.command;
+      if (!INFRA_COMMAND_PATTERN.test(command)) {
+        return;
+      }
+      infraCommands.set(hookInput.callID, true);
+      output.args.command = unmask(hookInput.sessionID, command);
+    },
+    "tool.execute.after": async (hookInput, output) => {
+      if (hookInput.tool !== "bash") {
+        return;
+      }
+      if (!infraCommands.get(hookInput.callID)) {
+        return;
+      }
+      output.output = mask(hookInput.sessionID, output.output);
+    },
+    "chat.message": async (hookInput, output) => {
+      for (const part of output.parts) {
+        if (part.type === "text" && part.text) {
+          part.text = mask(hookInput.sessionID, part.text);
+        }
+      }
+    }
+  };
+};
+export {
+  plugin
+};