@uniglot/wont-let-you-see 0.1.0

package/src/__tests__/patterns.test.ts

@@ -0,0 +1,218 @@
+import { describe, it, expect } from "vitest";
+import {
+  AWS_PATTERNS,
+  K8S_PATTERNS,
+  COMMON_PATTERNS,
+  PATTERNS,
+} from "../patterns";
+
+describe("AWS_PATTERNS", () => {
+  describe("ARN", () => {
+    it("should match aws partition", () => {
+      expect(
+        AWS_PATTERNS.arn.test("arn:aws:iam::123456789012:user/admin"),
+      ).toBe(true);
+    });
+
+    it("should match aws-cn partition", () => {
+      expect(AWS_PATTERNS.arn.test("arn:aws-cn:s3:::my-bucket")).toBe(true);
+    });
+
+    it("should match aws-us-gov partition", () => {
+      expect(
+        AWS_PATTERNS.arn.test(
+          "arn:aws-us-gov:ec2:us-gov-west-1:123456789012:instance/i-123",
+        ),
+      ).toBe(true);
+    });
+  });
+
+  describe("VPC resources", () => {
+    it("should match vpc", () => {
+      expect(AWS_PATTERNS.vpc.test("vpc-0123456789abcdef0")).toBe(true);
+    });
+
+    it("should match subnet", () => {
+      expect(AWS_PATTERNS.subnet.test("subnet-0123456789abcdef0")).toBe(true);
+    });
+
+    it("should match security group", () => {
+      expect(AWS_PATTERNS.securityGroup.test("sg-0123456789abcdef0")).toBe(
+        true,
+      );
+    });
+
+    it("should match nat gateway", () => {
+      expect(AWS_PATTERNS.natGateway.test("nat-0123456789abcdef0")).toBe(true);
+    });
+
+    it("should match network acl", () => {
+      expect(AWS_PATTERNS.networkAcl.test("acl-0123456789abcdef0")).toBe(true);
+    });
+
+    it("should match eni", () => {
+      expect(AWS_PATTERNS.eni.test("eni-0123456789abcdef0")).toBe(true);
+    });
+  });
+
+  describe("EC2 resources", () => {
+    it("should match ebs volume", () => {
+      expect(AWS_PATTERNS.ebs.test("vol-0123456789abcdef0")).toBe(true);
+    });
+
+    it("should match snapshot", () => {
+      expect(AWS_PATTERNS.snapshot.test("snap-0123456789abcdef0")).toBe(true);
+    });
+  });
+
+  describe("Account ID (contextual)", () => {
+    it("should match OwnerId field", () => {
+      expect(AWS_PATTERNS.accountId.test('"OwnerId": "123456789012"')).toBe(
+        true,
+      );
+    });
+
+    it("should match account_id field (terraform style)", () => {
+      expect(AWS_PATTERNS.accountId.test('"account_id": "123456789012"')).toBe(
+        true,
+      );
+    });
+
+    it("should NOT match bare number", () => {
+      expect(AWS_PATTERNS.accountId.test("123456789012")).toBe(false);
+    });
+  });
+
+  describe("Access Key ID", () => {
+    it("should match AKIA prefix", () => {
+      expect(AWS_PATTERNS.accessKeyId.test(" AKIAIOSFODNN7EXAMPLE ")).toBe(
+        true,
+      );
+    });
+
+    it("should match ASIA prefix (temporary)", () => {
+      expect(AWS_PATTERNS.accessKeyId.test(" ASIAISAMPLEKEYID1234 ")).toBe(
+        true,
+      );
+    });
+
+    it("should NOT match random string", () => {
+      expect(AWS_PATTERNS.accessKeyId.test("RANDOMSTRING12345678")).toBe(false);
+    });
+  });
+});
+
+describe("K8S_PATTERNS", () => {
+  describe("Service Account Token", () => {
+    it("should match JWT format", () => {
+      const jwt =
+        "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tYWJjZGUiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjEyMzQ1Njc4LTEyMzQtMTIzNC0xMjM0LTEyMzQ1Njc4OTAxMiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.signature";
+      expect(K8S_PATTERNS.serviceAccountToken.test(jwt)).toBe(true);
+    });
+  });
+
+  describe("Node Names", () => {
+    it("should match AWS node name", () => {
+      expect(
+        K8S_PATTERNS.nodeNameAws.test(
+          "ip-10-0-1-123.us-west-2.compute.internal",
+        ),
+      ).toBe(true);
+    });
+  });
+
+  describe("Cluster Endpoints", () => {
+    it("should match EKS endpoint", () => {
+      expect(
+        K8S_PATTERNS.clusterEndpoint.test(
+          "https://ABCDEF1234567890ABCD.us-west-2.eks.amazonaws.com",
+        ),
+      ).toBe(true);
+    });
+  });
+});
+
+describe("COMMON_PATTERNS", () => {
+  describe("IPv4", () => {
+    it("should match IPv4", () => {
+      expect(COMMON_PATTERNS.ipv4.test("192.168.1.1")).toBe(true);
+    });
+
+    it("should not match CIDR notation", () => {
+      expect(COMMON_PATTERNS.ipv4.test("10.0.0.0/8")).toBe(false);
+    });
+  });
+
+  describe("Private Key", () => {
+    const rsaKey = `-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA0Z3VS5JJcds3xfn/ygWyF8PbnGy0AHB7MxszR0vOo
+-----END RSA PRIVATE KEY-----`;
+
+    const genericKey = `-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC
+-----END PRIVATE KEY-----`;
+
+    it("should match entire RSA private key block", () => {
+      expect(COMMON_PATTERNS.privateKey.test(rsaKey)).toBe(true);
+    });
+
+    it("should match entire generic private key block", () => {
+      expect(COMMON_PATTERNS.privateKey.test(genericKey)).toBe(true);
+    });
+
+    it("should not match header only", () => {
+      expect(
+        COMMON_PATTERNS.privateKey.test("-----BEGIN RSA PRIVATE KEY-----"),
+      ).toBe(false);
+    });
+  });
+
+  describe("API Key Field (contextual)", () => {
+    it("should match api_key field", () => {
+      expect(
+        COMMON_PATTERNS.apiKeyField.test('"api_key": "sk-1234567890abcdef"'),
+      ).toBe(true);
+    });
+
+    it("should match password field", () => {
+      expect(
+        COMMON_PATTERNS.apiKeyField.test('"password": "supersecret123"'),
+      ).toBe(true);
+    });
+
+    it("should match token field", () => {
+      expect(
+        COMMON_PATTERNS.apiKeyField.test('"token": "ghp_xxxxxxxxxxxx"'),
+      ).toBe(true);
+    });
+  });
+});
+
+describe("PATTERNS (combined)", () => {
+  it("should include all AWS patterns", () => {
+    expect(PATTERNS.vpc).toBe(AWS_PATTERNS.vpc);
+    expect(PATTERNS.arn).toBe(AWS_PATTERNS.arn);
+  });
+
+  it("should include all K8S patterns", () => {
+    expect(PATTERNS.serviceAccountToken).toBe(K8S_PATTERNS.serviceAccountToken);
+  });
+
+  it("should include all common patterns", () => {
+    expect(PATTERNS.ipv4).toBe(COMMON_PATTERNS.ipv4);
+    expect(PATTERNS.privateKey).toBe(COMMON_PATTERNS.privateKey);
+  });
+});
+
+describe("ReDoS safety", () => {
+  it("should handle pathological input quickly", () => {
+    const pathological = "a".repeat(1000) + "b";
+    const start = performance.now();
+
+    for (const pattern of Object.values(PATTERNS)) {
+      pattern.test(pathological);
+    }
+
+    expect(performance.now() - start).toBeLessThan(100);
+  });
+});

package/src/config.ts

@@ -0,0 +1,93 @@
+import { existsSync, readFileSync } from "fs";
+import { join } from "path";
+import { homedir } from "os";
+
+export interface Config {
+  enabled: boolean;
+  revealedPatterns: string[];
+  customPatterns: string[];
+}
+
+const DEFAULT_CONFIG: Config = {
+  enabled: true,
+  revealedPatterns: [],
+  customPatterns: [],
+};
+
+const CONFIG_FILENAME = ".wont-let-you-see.json";
+
+function loadJsonConfig(): Partial<Config> {
+  const paths = [
+    join(process.cwd(), CONFIG_FILENAME),
+    join(homedir(), CONFIG_FILENAME),
+  ];
+
+  for (const configPath of paths) {
+    if (existsSync(configPath)) {
+      try {
+        const content = readFileSync(configPath, "utf-8");
+        return JSON.parse(content);
+      } catch {}
+    }
+  }
+
+  return {};
+}
+
+function loadEnvConfig(): Partial<Config> {
+  const config: Partial<Config> = {};
+
+  const enabled = process.env.WONT_LET_YOU_SEE_ENABLED;
+  if (enabled !== undefined) {
+    config.enabled = enabled.toLowerCase() !== "false" && enabled !== "0";
+  }
+
+  const revealedPatterns = process.env.WONT_LET_YOU_SEE_REVEALED_PATTERNS;
+  if (revealedPatterns !== undefined) {
+    config.revealedPatterns = revealedPatterns
+      .split(",")
+      .map((p) => p.trim())
+      .filter(Boolean);
+  }
+
+  const customPatterns = process.env.WONT_LET_YOU_SEE_CUSTOM_PATTERNS;
+  if (customPatterns !== undefined) {
+    config.customPatterns = customPatterns
+      .split(",")
+      .map((p) => p.trim())
+      .filter(Boolean);
+  }
+
+  return config;
+}
+
+let cachedConfig: Config | null = null;
+
+export function getConfig(): Config {
+  if (cachedConfig) {
+    return cachedConfig;
+  }
+
+  const jsonConfig = loadJsonConfig();
+  const envConfig = loadEnvConfig();
+
+  cachedConfig = {
+    ...DEFAULT_CONFIG,
+    ...jsonConfig,
+    ...envConfig,
+  };
+
+  return cachedConfig;
+}
+
+export function resetConfig(): void {
+  cachedConfig = null;
+}
+
+export function isPatternEnabled(patternType: string): boolean {
+  const config = getConfig();
+  if (!config.enabled) {
+    return false;
+  }
+  return !config.revealedPatterns.includes(patternType);
+}

package/src/index.ts

@@ -0,0 +1,44 @@
+import type { Plugin, Hooks, PluginInput } from "@opencode-ai/plugin";
+import { unmask, mask } from "./masker";
+
+const INFRA_COMMAND_PATTERN = /\b(aws|terraform|kubectl|helm)\s/;
+
+export const plugin: Plugin = async (input: PluginInput): Promise<Hooks> => {
+  const infraCommands = new Map<string, boolean>();
+
+  return {
+    "tool.execute.before": async (hookInput, output) => {
+      if (hookInput.tool !== "bash") {
+        return;
+      }
+
+      const command = output.args.command;
+      if (!INFRA_COMMAND_PATTERN.test(command)) {
+        return;
+      }
+
+      infraCommands.set(hookInput.callID, true);
+      output.args.command = unmask(hookInput.sessionID, command);
+    },
+
+    "tool.execute.after": async (hookInput, output) => {
+      if (hookInput.tool !== "bash") {
+        return;
+      }
+
+      if (!infraCommands.get(hookInput.callID)) {
+        return;
+      }
+
+      output.output = mask(hookInput.sessionID, output.output);
+    },
+
+    "chat.message": async (hookInput, output) => {
+      for (const part of output.parts) {
+        if (part.type === "text" && part.text) {
+          part.text = mask(hookInput.sessionID, part.text);
+        }
+      }
+    },
+  };
+};

package/src/mapping.ts

@@ -0,0 +1,161 @@
+import {
+  existsSync,
+  mkdirSync,
+  readFileSync,
+  writeFileSync,
+  renameSync,
+} from "fs";
+import { join } from "path";
+import { homedir } from "os";
+
+export interface MappingTable {
+  version: number;
+  entries: Record<string, string>;
+}
+
+interface SessionState {
+  mapping: MappingTable;
+  counters: Record<string, number>;
+}
+
+const sessionStates = new Map<string, SessionState>();
+
+export function getSessionPath(sessionId: string): string {
+  const projectRoot = process.cwd();
+  const defaultPath = join(
+    projectRoot,
+    ".opencode",
+    "sessions",
+    sessionId,
+    "wont-let-you-see-mapping.json",
+  );
+
+  if (existsSync(join(projectRoot, ".opencode")) || !existsSync(homedir())) {
+    return defaultPath;
+  }
+
+  return join(
+    homedir(),
+    ".opencode",
+    "sessions",
+    sessionId,
+    "wont-let-you-see-mapping.json",
+  );
+}
+
+function ensureSessionDir(sessionPath: string): void {
+  const dir = sessionPath.substring(0, sessionPath.lastIndexOf("/"));
+  if (!existsSync(dir)) {
+    mkdirSync(dir, { recursive: true });
+  }
+}
+
+function getSessionState(sessionId: string): SessionState {
+  let state = sessionStates.get(sessionId);
+
+  if (!state) {
+    const sessionPath = getSessionPath(sessionId);
+
+    if (existsSync(sessionPath)) {
+      const mapping = JSON.parse(
+        readFileSync(sessionPath, "utf-8"),
+      ) as MappingTable;
+      const counters: Record<string, number> = {};
+
+      for (const token of Object.keys(mapping.entries)) {
+        const match = token.match(/^#\(([^-]+)-(\d+)\)$/);
+        if (match && match[1] && match[2]) {
+          const type = match[1];
+          const num = match[2];
+          counters[type] = Math.max(counters[type] || 0, parseInt(num, 10));
+        }
+      }
+
+      state = { mapping, counters };
+    } else {
+      state = {
+        mapping: { version: 1, entries: {} },
+        counters: {},
+      };
+    }
+
+    sessionStates.set(sessionId, state);
+  }
+
+  return state;
+}
+
+export function createMapping(sessionId: string): MappingTable {
+  const state: SessionState = {
+    mapping: { version: 1, entries: {} },
+    counters: {},
+  };
+
+  sessionStates.set(sessionId, state);
+  saveMapping(sessionId);
+
+  return state.mapping;
+}
+
+export function loadMapping(sessionId: string): MappingTable {
+  const state = getSessionState(sessionId);
+  return state.mapping;
+}
+
+export function saveMapping(sessionId: string): void {
+  const state = getSessionState(sessionId);
+  const sessionPath = getSessionPath(sessionId);
+
+  ensureSessionDir(sessionPath);
+
+  const tempPath = `${sessionPath}.tmp`;
+  writeFileSync(tempPath, JSON.stringify(state.mapping, null, 2), "utf-8");
+  renameSync(tempPath, sessionPath);
+}
+
+export function addEntry(
+  sessionId: string,
+  type: string,
+  originalValue: string,
+): string {
+  const state = getSessionState(sessionId);
+
+  for (const [token, value] of Object.entries(state.mapping.entries)) {
+    if (value === originalValue) {
+      return token;
+    }
+  }
+
+  const counter = (state.counters[type] || 0) + 1;
+  state.counters[type] = counter;
+
+  const token = `#(${type}-${counter})`;
+  state.mapping.entries[token] = originalValue;
+
+  saveMapping(sessionId);
+
+  return token;
+}
+
+export function getOriginal(
+  sessionId: string,
+  token: string,
+): string | undefined {
+  const state = getSessionState(sessionId);
+  return state.mapping.entries[token];
+}
+
+export function getToken(
+  sessionId: string,
+  originalValue: string,
+): string | undefined {
+  const state = getSessionState(sessionId);
+
+  for (const [token, value] of Object.entries(state.mapping.entries)) {
+    if (value === originalValue) {
+      return token;
+    }
+  }
+
+  return undefined;
+}

package/src/masker.ts

@@ -0,0 +1,122 @@
+import { AWS_PATTERNS, K8S_PATTERNS, COMMON_PATTERNS } from "./patterns";
+import { addEntry, getOriginal } from "./mapping";
+import { getConfig, isPatternEnabled } from "./config";
+
+interface PatternConfig {
+  pattern: RegExp;
+  type: string;
+  isContextual?: boolean;
+}
+
+const PATTERN_ORDER: PatternConfig[] = [
+  { pattern: AWS_PATTERNS.eksCluster, type: "eks-cluster" },
+  { pattern: AWS_PATTERNS.arn, type: "arn" },
+  { pattern: AWS_PATTERNS.accountId, type: "account-id", isContextual: true },
+  { pattern: AWS_PATTERNS.accessKeyId, type: "access-key-id" },
+  { pattern: AWS_PATTERNS.vpc, type: "vpc" },
+  { pattern: AWS_PATTERNS.subnet, type: "subnet" },
+  { pattern: AWS_PATTERNS.securityGroup, type: "security-group" },
+  { pattern: AWS_PATTERNS.internetGateway, type: "internet-gateway" },
+  { pattern: AWS_PATTERNS.routeTable, type: "route-table" },
+  { pattern: AWS_PATTERNS.natGateway, type: "nat-gateway" },
+  { pattern: AWS_PATTERNS.networkAcl, type: "network-acl" },
+  { pattern: AWS_PATTERNS.eni, type: "eni" },
+  { pattern: AWS_PATTERNS.ami, type: "ami" },
+  { pattern: AWS_PATTERNS.ec2Instance, type: "ec2-instance" },
+  { pattern: AWS_PATTERNS.ebs, type: "ebs" },
+  { pattern: AWS_PATTERNS.snapshot, type: "snapshot" },
+
+  { pattern: K8S_PATTERNS.serviceAccountToken, type: "k8s-token" },
+  { pattern: K8S_PATTERNS.clusterEndpoint, type: "k8s-endpoint" },
+  { pattern: K8S_PATTERNS.kubeconfigServer, type: "k8s-endpoint" },
+  { pattern: K8S_PATTERNS.nodeNameAws, type: "k8s-node" },
+
+  { pattern: COMMON_PATTERNS.privateKey, type: "private-key" },
+  { pattern: COMMON_PATTERNS.apiKeyField, type: "api-key", isContextual: true },
+  { pattern: COMMON_PATTERNS.ipv4, type: "ipv4" },
+];
+
+function removeAnchors(source: string): string {
+  let result = source.replace(/^\^/, "").replace(/\$$/, "");
+  if (!result.endsWith("\\b")) {
+    result += "\\b";
+  }
+  return result;
+}
+
+export function mask(sessionId: string, text: string): string {
+  if (!text || typeof text !== "string") {
+    return text;
+  }
+
+  const config = getConfig();
+  if (!config.enabled) {
+    return text;
+  }
+
+  let result = text;
+
+  for (const customPattern of config.customPatterns) {
+    if (result.includes(customPattern)) {
+      const token = addEntry(sessionId, "custom", customPattern);
+      result = result.split(customPattern).join(token);
+    }
+  }
+
+  for (const { pattern, type, isContextual } of PATTERN_ORDER) {
+    if (!isPatternEnabled(type)) {
+      continue;
+    }
+    if (isContextual) {
+      result = result.replace(
+        new RegExp(pattern.source, "g"),
+        (match, capturedValue) => {
+          const token = addEntry(sessionId, type, capturedValue);
+          return match.replace(capturedValue, token);
+        },
+      );
+    } else {
+      const matches = new Set<string>();
+      const globalPattern = new RegExp(removeAnchors(pattern.source), "g");
+
+      let match;
+      while ((match = globalPattern.exec(result)) !== null) {
+        matches.add(match[0]);
+      }
+
+      for (const value of matches) {
+        const token = addEntry(sessionId, type, value);
+        result = result.split(value).join(token);
+      }
+    }
+  }
+
+  return result;
+}
+
+export function unmask(sessionId: string, text: string): string {
+  if (!text || typeof text !== "string") {
+    return text;
+  }
+
+  let result = text;
+  const tokenPattern = /#\([^)]+\)/g;
+  const tokens = new Set<string>();
+
+  let match;
+  while ((match = tokenPattern.exec(text)) !== null) {
+    tokens.add(match[0]);
+  }
+
+  for (const token of tokens) {
+    const original = getOriginal(sessionId, token);
+
+    if (original === undefined) {
+      console.warn(`Unknown token: ${token}`);
+    } else {
+      result = result.split(token).join(original);
+    }
+  }
+
+  return result;
+}

package/src/patterns.ts

@@ -0,0 +1,45 @@
+export const AWS_PATTERNS = {
+  arn: /^arn:(?:aws|aws-cn|aws-us-gov):[a-zA-Z0-9-]+:[a-z0-9-]*:(?:[0-9]{12})?:.+$/,
+  eksCluster:
+    /^arn:(?:aws|aws-cn|aws-us-gov):eks:[a-z0-9-]+:[0-9]{12}:cluster\/.+$/,
+  vpc: /^vpc-[0-9a-f]{8,17}$/,
+  subnet: /^subnet-[0-9a-f]{8,17}$/,
+  securityGroup: /^sg-[0-9a-f]{8,17}$/,
+  internetGateway: /^igw-[0-9a-f]{8,17}$/,
+  routeTable: /^rtb-[0-9a-f]{8,17}$/,
+  natGateway: /^nat-[0-9a-f]{8,17}$/,
+  networkAcl: /^acl-[0-9a-f]{8,17}$/,
+  ec2Instance: /^i-[0-9a-f]{8,17}$/,
+  ami: /^ami-[0-9a-f]{8,17}$/,
+  ebs: /^vol-[0-9a-f]{8,17}$/,
+  snapshot: /^snap-[0-9a-f]{8,17}$/,
+  eni: /^eni-[0-9a-f]{8,17}$/,
+  accountId: /"(?:OwnerId|AccountId|Owner|account_id)":\s*"(\d{12})"/,
+  accessKeyId:
+    /(?:^|[^A-Z0-9])(?:AKIA|ABIA|ACCA|ASIA)[A-Z0-9]{16}(?:[^A-Z0-9]|$)/,
+} as const;
+
+export const K8S_PATTERNS = {
+  serviceAccountToken: /^eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*$/,
+  nodeNameAws: /^ip-(?:\d{1,3}-){3}\d{1,3}\.[a-z0-9-]+\.compute\.internal$/,
+  clusterEndpoint: /^https:\/\/[A-Z0-9]+\.[a-z0-9-]+\.eks\.amazonaws\.com$/,
+  kubeconfigServer:
+    /^https:\/\/[0-9A-F]{32}\.[a-z]{2}-[a-z]+-\d\.eks\.amazonaws\.com$/i,
+} as const;
+
+export const COMMON_PATTERNS = {
+  ipv4: /^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/,
+  // Private key blocks (entire key including body and footer)
+  privateKey:
+    /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----[\s\S]*?-----END (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/,
+  // Generic API keys/tokens (contextual - in JSON/YAML fields)
+  apiKeyField:
+    /"(?:api_key|apiKey|secret_key|secretKey|access_token|auth_token|password|token)":\s*"([^"]+)"/,
+} as const;
+
+// Combined for backward compatibility
+export const PATTERNS = {
+  ...AWS_PATTERNS,
+  ...K8S_PATTERNS,
+  ...COMMON_PATTERNS,
+} as const;