@uniglot/wont-let-you-see 0.1.0

package/src/__tests__/mapping.test.ts

@@ -0,0 +1,279 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { existsSync, rmSync, mkdirSync, readFileSync } from "fs";
+import { join } from "path";
+import {
+  createMapping,
+  addEntry,
+  getOriginal,
+  getToken,
+  loadMapping,
+  saveMapping,
+  getSessionPath,
+} from "../mapping";
+
+describe("Session Mapping Table", () => {
+  const testSessionId = "test-session-mapping";
+  const testSessionId2 = "test-session-mapping-2";
+
+  beforeEach(() => {
+    // Clean up test session directories before each test
+    const sessionPath = getSessionPath(testSessionId);
+    const sessionPath2 = getSessionPath(testSessionId2);
+    const sessionDir = sessionPath.substring(0, sessionPath.lastIndexOf("/"));
+    const sessionDir2 = sessionPath2.substring(
+      0,
+      sessionPath2.lastIndexOf("/"),
+    );
+
+    if (existsSync(sessionDir)) {
+      rmSync(sessionDir, { recursive: true, force: true });
+    }
+    if (existsSync(sessionDir2)) {
+      rmSync(sessionDir2, { recursive: true, force: true });
+    }
+  });
+
+  afterEach(() => {
+    // Clean up test session directories after each test
+    const sessionPath = getSessionPath(testSessionId);
+    const sessionPath2 = getSessionPath(testSessionId2);
+    const sessionDir = sessionPath.substring(0, sessionPath.lastIndexOf("/"));
+    const sessionDir2 = sessionPath2.substring(
+      0,
+      sessionPath2.lastIndexOf("/"),
+    );
+
+    if (existsSync(sessionDir)) {
+      rmSync(sessionDir, { recursive: true, force: true });
+    }
+    if (existsSync(sessionDir2)) {
+      rmSync(sessionDir2, { recursive: true, force: true });
+    }
+  });
+
+  describe("Test 1: createMapping initializes empty mapping", () => {
+    it("should create an empty mapping for a new session", () => {
+      const mapping = createMapping(testSessionId);
+
+      expect(mapping).toBeDefined();
+      expect(mapping.version).toBe(1);
+      expect(mapping.entries).toEqual({});
+    });
+
+    it("should persist empty mapping to disk", () => {
+      createMapping(testSessionId);
+
+      const sessionPath = getSessionPath(testSessionId);
+      expect(existsSync(sessionPath)).toBe(true);
+
+      const fileContent = readFileSync(sessionPath, "utf-8");
+      const parsed = JSON.parse(fileContent);
+
+      expect(parsed.version).toBe(1);
+      expect(parsed.entries).toEqual({});
+    });
+  });
+
+  describe("Test 2: addEntry returns token #(type-N)", () => {
+    it("should return token in format #(type-N) for first entry", () => {
+      createMapping(testSessionId);
+      const token = addEntry(testSessionId, "file", "/path/to/secret.txt");
+
+      expect(token).toBe("#(file-1)");
+    });
+
+    it("should increment counter for same type", () => {
+      createMapping(testSessionId);
+      const token1 = addEntry(testSessionId, "file", "/path/to/secret1.txt");
+      const token2 = addEntry(testSessionId, "file", "/path/to/secret2.txt");
+
+      expect(token1).toBe("#(file-1)");
+      expect(token2).toBe("#(file-2)");
+    });
+
+    it("should maintain separate counters for different types", () => {
+      createMapping(testSessionId);
+      const fileToken = addEntry(testSessionId, "file", "/path/to/secret.txt");
+      const urlToken = addEntry(testSessionId, "url", "https://example.com");
+      const fileToken2 = addEntry(testSessionId, "file", "/another/file.txt");
+
+      expect(fileToken).toBe("#(file-1)");
+      expect(urlToken).toBe("#(url-1)");
+      expect(fileToken2).toBe("#(file-2)");
+    });
+  });
+
+  describe("Test 3: getOriginal returns original value or undefined", () => {
+    it("should return original value for valid token", () => {
+      createMapping(testSessionId);
+      const token = addEntry(testSessionId, "file", "/path/to/secret.txt");
+
+      const original = getOriginal(testSessionId, token);
+      expect(original).toBe("/path/to/secret.txt");
+    });
+
+    it("should return undefined for non-existent token", () => {
+      createMapping(testSessionId);
+
+      const original = getOriginal(testSessionId, "#(file-999)");
+      expect(original).toBeUndefined();
+    });
+
+    it("should return undefined for invalid token format", () => {
+      createMapping(testSessionId);
+
+      const original = getOriginal(testSessionId, "invalid-token");
+      expect(original).toBeUndefined();
+    });
+  });
+
+  describe("Test 4: getToken returns existing token or undefined", () => {
+    it("should return token for existing original value", () => {
+      createMapping(testSessionId);
+      const originalValue = "/path/to/secret.txt";
+      const addedToken = addEntry(testSessionId, "file", originalValue);
+
+      const foundToken = getToken(testSessionId, originalValue);
+      expect(foundToken).toBe(addedToken);
+      expect(foundToken).toBe("#(file-1)");
+    });
+
+    it("should return undefined for non-existent original value", () => {
+      createMapping(testSessionId);
+      addEntry(testSessionId, "file", "/path/to/secret.txt");
+
+      const token = getToken(testSessionId, "/non/existent/path.txt");
+      expect(token).toBeUndefined();
+    });
+  });
+
+  describe("Test 5: Persistence - mapping survives reload", () => {
+    it("should persist entries to disk and reload them", () => {
+      createMapping(testSessionId);
+      const token1 = addEntry(testSessionId, "file", "/path/to/secret.txt");
+      const token2 = addEntry(testSessionId, "url", "https://example.com");
+
+      // Load mapping from disk (simulating reload)
+      const reloadedMapping = loadMapping(testSessionId);
+
+      expect(reloadedMapping).toBeDefined();
+      expect(reloadedMapping.entries[token1]).toBe("/path/to/secret.txt");
+      expect(reloadedMapping.entries[token2]).toBe("https://example.com");
+    });
+
+    it("should maintain counter state after reload", () => {
+      createMapping(testSessionId);
+      addEntry(testSessionId, "file", "/path/to/secret1.txt");
+      addEntry(testSessionId, "file", "/path/to/secret2.txt");
+
+      // Add another entry after reload
+      const token3 = addEntry(testSessionId, "file", "/path/to/secret3.txt");
+
+      expect(token3).toBe("#(file-3)");
+    });
+
+    it("should verify JSON file structure on disk", () => {
+      createMapping(testSessionId);
+      addEntry(testSessionId, "file", "/path/to/secret.txt");
+
+      const sessionPath = getSessionPath(testSessionId);
+      const fileContent = readFileSync(sessionPath, "utf-8");
+      const parsed = JSON.parse(fileContent);
+
+      expect(parsed.version).toBe(1);
+      expect(parsed.entries).toBeDefined();
+      expect(typeof parsed.entries).toBe("object");
+      expect(parsed.entries["#(file-1)"]).toBe("/path/to/secret.txt");
+    });
+  });
+
+  describe("Test 6: Isolation - session A mappings don't affect session B", () => {
+    it("should maintain separate mappings for different sessions", () => {
+      createMapping(testSessionId);
+      createMapping(testSessionId2);
+
+      const tokenA = addEntry(testSessionId, "file", "/session-a/secret.txt");
+      const tokenB = addEntry(testSessionId2, "file", "/session-b/secret.txt");
+
+      expect(tokenA).toBe("#(file-1)");
+      expect(tokenB).toBe("#(file-1)");
+
+      const originalA = getOriginal(testSessionId, tokenA);
+      const originalB = getOriginal(testSessionId2, tokenB);
+
+      expect(originalA).toBe("/session-a/secret.txt");
+      expect(originalB).toBe("/session-b/secret.txt");
+    });
+
+    it("should not find tokens from other sessions", () => {
+      createMapping(testSessionId);
+      createMapping(testSessionId2);
+
+      const tokenA = addEntry(testSessionId, "file", "/session-a/secret.txt");
+
+      // Try to get token from session A using session B
+      const originalInB = getOriginal(testSessionId2, tokenA);
+      expect(originalInB).toBeUndefined();
+    });
+
+    it("should create separate files for different sessions", () => {
+      createMapping(testSessionId);
+      createMapping(testSessionId2);
+
+      addEntry(testSessionId, "file", "/session-a/secret.txt");
+      addEntry(testSessionId2, "file", "/session-b/secret.txt");
+
+      const pathA = getSessionPath(testSessionId);
+      const pathB = getSessionPath(testSessionId2);
+
+      expect(existsSync(pathA)).toBe(true);
+      expect(existsSync(pathB)).toBe(true);
+      expect(pathA).not.toBe(pathB);
+
+      const contentA = JSON.parse(readFileSync(pathA, "utf-8"));
+      const contentB = JSON.parse(readFileSync(pathB, "utf-8"));
+
+      expect(contentA.entries["#(file-1)"]).toBe("/session-a/secret.txt");
+      expect(contentB.entries["#(file-1)"]).toBe("/session-b/secret.txt");
+    });
+  });
+
+  describe("Test 7: Idempotency - adding same value twice returns same token", () => {
+    it("should return same token when adding identical value", () => {
+      createMapping(testSessionId);
+      const originalValue = "/path/to/secret.txt";
+
+      const token1 = addEntry(testSessionId, "file", originalValue);
+      const token2 = addEntry(testSessionId, "file", originalValue);
+
+      expect(token1).toBe(token2);
+      expect(token1).toBe("#(file-1)");
+    });
+
+    it("should not increment counter for duplicate values", () => {
+      createMapping(testSessionId);
+      const originalValue = "/path/to/secret.txt";
+
+      addEntry(testSessionId, "file", originalValue);
+      addEntry(testSessionId, "file", originalValue);
+      const token3 = addEntry(testSessionId, "file", "/different/path.txt");
+
+      expect(token3).toBe("#(file-2)");
+    });
+
+    it("should maintain single entry in mapping for duplicate values", () => {
+      createMapping(testSessionId);
+      const originalValue = "/path/to/secret.txt";
+
+      addEntry(testSessionId, "file", originalValue);
+      addEntry(testSessionId, "file", originalValue);
+
+      const mapping = loadMapping(testSessionId);
+      const entries = Object.entries(mapping.entries);
+
+      expect(entries.length).toBe(1);
+      expect(entries[0]?.[0]).toBe("#(file-1)");
+      expect(entries[0]?.[1]).toBe(originalValue);
+    });
+  });
+});

package/src/__tests__/masker.test.ts

@@ -0,0 +1,248 @@
+import { describe, it, expect, beforeEach, vi, afterEach } from "vitest";
+import { mask, unmask } from "../masker";
+import { createMapping } from "../mapping";
+import { resetConfig } from "../config";
+
+describe("masker", () => {
+  const sessionId = "test-session-masker";
+  const originalEnv = { ...process.env };
+
+  beforeEach(() => {
+    process.env.WONT_LET_YOU_SEE_REVEALED_PATTERNS = "";
+    resetConfig();
+    createMapping(sessionId);
+  });
+
+  afterEach(() => {
+    process.env = { ...originalEnv };
+    resetConfig();
+  });
+
+  describe("mask()", () => {
+    it("should replace sensitive values with tokens", () => {
+      const input = "VPC: vpc-1234567890abcdef0";
+      const result = mask(sessionId, input);
+
+      expect(result).toMatch(/VPC: #\(vpc-\d+\)/);
+      expect(result).not.toContain("vpc-1234567890abcdef0");
+    });
+
+    it("should handle multiple different values with different tokens", () => {
+      const input =
+        "VPC1: vpc-1111111111111111, VPC2: vpc-2222222222222222, VPC3: vpc-3333333333333333, VPC4: vpc-4444444444444444, VPC5: vpc-5555555555555555";
+      const result = mask(sessionId, input);
+
+      // Extract all tokens
+      const tokens = result.match(/#\(vpc-\d+\)/g) || [];
+      expect(tokens).toHaveLength(5);
+
+      // Verify all tokens are unique
+      const uniqueTokens = new Set(tokens);
+      expect(uniqueTokens.size).toBe(5);
+    });
+
+    it("should be idempotent (masking twice returns same result)", () => {
+      const input = "VPC: vpc-1234567890abcdef0";
+      const masked1 = mask(sessionId, input);
+      const masked2 = mask(sessionId, masked1);
+
+      expect(masked1).toBe(masked2);
+    });
+
+    it("should apply patterns in priority order (ARN before Account ID)", () => {
+      const input =
+        '{"OwnerId": "123456789012", "ClusterArn": "arn:aws:eks:us-east-1:123456789012:cluster/my-cluster"}';
+      const result = mask(sessionId, input);
+
+      // ARN should be masked as eks-cluster (not as arn containing account-id)
+      expect(result).toMatch(/#\(eks-cluster-\d+\)/);
+      // Account ID in JSON field should be masked separately
+      expect(result).toMatch(/"OwnerId":\s*"#\(account-id-\d+\)"/);
+
+      // Verify no double-masking (no tokens inside tokens)
+      expect(result).not.toMatch(/#\([^)]*#\(/);
+    });
+
+    it("should preserve JSON validity after masking", () => {
+      const input =
+        '{"VpcId": "vpc-1234567890abcdef0", "SubnetId": "subnet-abcdef1234567890", "CidrBlock": "10.0.0.0/16"}';
+      const result = mask(sessionId, input);
+
+      // Should be valid JSON
+      expect(() => JSON.parse(result)).not.toThrow();
+
+      const parsed = JSON.parse(result);
+      expect(parsed.VpcId).toMatch(/#\(vpc-\d+\)/);
+      expect(parsed.SubnetId).toMatch(/#\(subnet-\d+\)/);
+      expect(parsed.CidrBlock).toMatch(/#\(ipv4-\d+\)\/16/);
+    });
+
+    it("should handle mixed content with multiple pattern types", () => {
+      const input =
+        "Instance i-1234567890abcdef0 in VPC vpc-abcdef1234567890 with IP 10.0.1.5 and CIDR 10.0.0.0/16";
+      const result = mask(sessionId, input);
+
+      expect(result).toMatch(/Instance #\(ec2-instance-\d+\)/);
+      expect(result).toMatch(/VPC #\(vpc-\d+\)/);
+      expect(result).toMatch(/IP #\(ipv4-\d+\)/);
+      expect(result).toMatch(/CIDR #\(ipv4-\d+\)\/16/);
+    });
+
+    it("should mask IP portion of CIDR while preserving subnet mask", () => {
+      const input = "CIDR: 10.0.0.0/16, IP: 10.0.1.5";
+      const result = mask(sessionId, input);
+
+      expect(result).toMatch(/CIDR: #\(ipv4-\d+\)\/16/);
+      expect(result).toMatch(/IP: #\(ipv4-\d+\)/);
+    });
+  });
+
+  describe("unmask()", () => {
+    it("should replace tokens with original values", () => {
+      const original = "VPC: vpc-1234567890abcdef0";
+      const masked = mask(sessionId, original);
+      const unmasked = unmask(sessionId, masked);
+
+      expect(unmasked).toBe(original);
+    });
+
+    it("should handle unknown tokens with console.warn", () => {
+      const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
+
+      const input = "Unknown token: #(vpc-999)";
+      const result = unmask(sessionId, input);
+
+      // Should return literal token when unknown
+      expect(result).toBe("Unknown token: #(vpc-999)");
+
+      // Should log warning
+      expect(warnSpy).toHaveBeenCalledWith("Unknown token: #(vpc-999)");
+
+      warnSpy.mockRestore();
+    });
+
+    it("should not warn for valid tokens", () => {
+      const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
+
+      const original = "VPC: vpc-1234567890abcdef0";
+      const masked = mask(sessionId, original);
+      unmask(sessionId, masked);
+
+      expect(warnSpy).not.toHaveBeenCalled();
+
+      warnSpy.mockRestore();
+    });
+  });
+
+  describe("config integration", () => {
+    it("should not mask when plugin is disabled", () => {
+      process.env.WONT_LET_YOU_SEE_ENABLED = "false";
+      resetConfig();
+
+      const input = "VPC: vpc-1234567890abcdef0";
+      const result = mask(sessionId, input);
+
+      expect(result).toBe(input);
+    });
+
+    it("should skip revealed patterns", () => {
+      process.env.WONT_LET_YOU_SEE_REVEALED_PATTERNS = "vpc,subnet";
+      resetConfig();
+
+      const input = "VPC: vpc-1234567890abcdef0, SG: sg-abcdef1234567890";
+      const result = mask(sessionId, input);
+
+      expect(result).toContain("vpc-1234567890abcdef0");
+      expect(result).toMatch(/SG: #\(security-group-\d+\)/);
+    });
+
+    it("should skip eks-cluster but fall back to generic ARN pattern", () => {
+      process.env.WONT_LET_YOU_SEE_REVEALED_PATTERNS = "eks-cluster";
+      resetConfig();
+
+      const input =
+        "EKS: arn:aws:eks:us-east-1:123456789012:cluster/my-cluster";
+      const result = mask(sessionId, input);
+
+      expect(result).toMatch(/EKS: #\(arn-\d+\)/);
+      expect(result).not.toMatch(/#\(eks-cluster-/);
+    });
+
+    it("should not mask ARN when both eks-cluster and arn are revealed", () => {
+      process.env.WONT_LET_YOU_SEE_REVEALED_PATTERNS = "eks-cluster,arn";
+      resetConfig();
+
+      const input =
+        "EKS: arn:aws:eks:us-east-1:123456789012:cluster/my-cluster";
+      const result = mask(sessionId, input);
+
+      expect(result).toContain(
+        "arn:aws:eks:us-east-1:123456789012:cluster/my-cluster",
+      );
+    });
+  });
+
+  describe("round-trip integrity", () => {
+    it("should maintain round-trip integrity for VPC", () => {
+      const original = "vpc-1234567890abcdef0";
+      const masked = mask(sessionId, original);
+      const unmasked = unmask(sessionId, masked);
+
+      expect(unmasked).toBe(original);
+    });
+
+    it("should maintain round-trip integrity for ARN", () => {
+      const original = "arn:aws:eks:us-east-1:123456789012:cluster/my-cluster";
+      const masked = mask(sessionId, original);
+      const unmasked = unmask(sessionId, masked);
+
+      expect(unmasked).toBe(original);
+    });
+
+    it("should maintain round-trip integrity for Account ID in JSON", () => {
+      const original = '{"OwnerId": "123456789012"}';
+      const masked = mask(sessionId, original);
+      const unmasked = unmask(sessionId, masked);
+
+      expect(unmasked).toBe(original);
+    });
+
+    it("should maintain round-trip integrity for CIDR (IP portion masked)", () => {
+      const original = "10.0.0.0/16";
+      const masked = mask(sessionId, original);
+      const unmasked = unmask(sessionId, masked);
+
+      expect(unmasked).toBe(original);
+    });
+
+    it("should maintain round-trip integrity for IPv4", () => {
+      const original = "10.0.1.5";
+      const masked = mask(sessionId, original);
+      const unmasked = unmask(sessionId, masked);
+
+      expect(unmasked).toBe(original);
+    });
+
+    it("should maintain round-trip integrity for complex JSON", () => {
+      const original =
+        '{"VpcId": "vpc-1234567890abcdef0", "SubnetId": "subnet-abcdef1234567890", "CidrBlock": "10.0.0.0/16", "OwnerId": "123456789012"}';
+      const masked = mask(sessionId, original);
+      const unmasked = unmask(sessionId, masked);
+
+      expect(unmasked).toBe(original);
+
+      // Verify JSON validity is preserved
+      expect(() => JSON.parse(unmasked)).not.toThrow();
+      expect(JSON.parse(unmasked)).toEqual(JSON.parse(original));
+    });
+
+    it("should maintain round-trip integrity for mixed content", () => {
+      const original =
+        "Instance i-1234567890abcdef0 in VPC vpc-abcdef1234567890 with IP 10.0.1.5 and CIDR 10.0.0.0/16";
+      const masked = mask(sessionId, original);
+      const unmasked = unmask(sessionId, masked);
+
+      expect(unmasked).toBe(original);
+    });
+  });
+});