@uniglot/wont-let-you-see 0.1.1 → 0.3.0

package/.github/workflows/ci.yml

@@ -0,0 +1,14 @@
+name: CI
+on:
+  pull_request:
+    branches: [main]
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: oven-sh/setup-bun@v2
+      - run: bun install --frozen-lockfile
+      - run: bun run typecheck
+      - run: bunx prettier --check "src/**/*.ts"

package/.github/workflows/publish.yml

@@ -0,0 +1,20 @@
+name: Publish
+on:
+  release:
+    types: [published]
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: oven-sh/setup-bun@v2
+      - uses: actions/setup-node@v4
+        with:
+          registry-url: https://registry.npmjs.org
+      - run: bun install --frozen-lockfile
+      - run: bun run build
+      - run: bunx tsc --emitDeclarationOnly --declaration --outDir dist
+      - run: npm publish
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

package/.github/workflows/release.yml

@@ -0,0 +1,20 @@
+name: Draft Release
+on:
+  push:
+    branches: [main]
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+      - id: pkg
+        run: echo "version=$(jq -r .version package.json)" >> $GITHUB_OUTPUT
+      - uses: softprops/action-gh-release@v2
+        with:
+          tag_name: v${{ steps.pkg.outputs.version }}
+          name: v${{ steps.pkg.outputs.version }}
+          draft: true
+          generate_release_notes: true

package/.github/workflows/test.yml

@@ -0,0 +1,13 @@
+name: Test
+on:
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: oven-sh/setup-bun@v2
+      - run: bun install --frozen-lockfile
+      - run: bun test

package/README.md

@@ -28,11 +28,11 @@ Configure via environment variables or JSON config file. Environment variables t
 
 #### Environment Variables
 
-| Variable                             | Description                                     | Default |
-| ------------------------------------ | ----------------------------------------------- | ------- |
-| `WONT_LET_YOU_SEE_ENABLED`           | Set to `false` or `0` to disable masking        | `true`  |
-| `WONT_LET_YOU_SEE_REVEALED_PATTERNS` | Comma-separated list of pattern types to reveal | (none)  |
-| `WONT_LET_YOU_SEE_CUSTOM_PATTERNS`   | Comma-separated list of custom strings to mask  | (none)  |
+| Variable                             | Description                                                                | Default |
+| ------------------------------------ | -------------------------------------------------------------------------- | ------- |
+| `WONT_LET_YOU_SEE_ENABLED`           | Set to `false` or `0` to disable masking                                   | `true`  |
+| `WONT_LET_YOU_SEE_REVEALED_PATTERNS` | Comma-separated list of pattern types to reveal                            | (none)  |
+| `WONT_LET_YOU_SEE_CUSTOM_PATTERNS`   | Comma-separated list of custom patterns to mask (supports `regex:` prefix) | (none)  |
 
 #### JSON Config File
 
@@ -48,6 +48,18 @@ Create `.wont-let-you-see.json` in your project root, `~/.config/opencode/`, or
 
 > **Tip**: Add your AWS account ID to `customPatterns`. The built-in `account-id` pattern only matches contextual fields like `"OwnerId": "123456789012"`, but may miss bare account IDs in terraform output or other contexts.
 
+Custom patterns support both literal strings and regular expressions. Prefix with `regex:` to use regex:
+
+```json
+{
+  "customPatterns": [
+    "123456789012",
+    "my-secret-value",
+    "regex:secret-[a-z]{3}-\\d{4}"
+  ]
+}
+```
+
 #### Examples
 
 ```bash
@@ -59,6 +71,9 @@ WONT_LET_YOU_SEE_REVEALED_PATTERNS=eks-cluster,ipv4 opencode
 
 # Mask custom values (e.g., AWS account ID)
 WONT_LET_YOU_SEE_CUSTOM_PATTERNS=123456789012,my-secret opencode
+
+# Mask with regex patterns
+WONT_LET_YOU_SEE_CUSTOM_PATTERNS="regex:token-[A-Z]{8},my-literal-secret" opencode
 ```
 
 ## Supported Commands
@@ -92,6 +107,12 @@ The plugin automatically masks output from:
 | `ebs`              | EBS Volume IDs               | `vol-0123456789abcdef0`                                 |
 | `snapshot`         | EBS Snapshot IDs             | `snap-0123456789abcdef0`                                |
 | `eni`              | Network Interface IDs        | `eni-0123456789abcdef0`                                 |
+| `vpc-endpoint`     | VPC Endpoint IDs             | `vpce-0123456789abcdef0`                                |
+| `transit-gateway`  | Transit Gateway IDs          | `tgw-0123456789abcdef0`                                 |
+| `customer-gateway` | Customer Gateway IDs         | `cgw-0123456789abcdef0`                                 |
+| `vpn-gateway`      | VPN Gateway IDs              | `vgw-0123456789abcdef0`                                 |
+| `vpn-connection`   | VPN Connection IDs           | `vpn-0123456789abcdef0`                                 |
+| `ecr-repo`         | ECR Repository URIs          | `123456789012.dkr.ecr.us-west-2.amazonaws.com/my-repo`  |
 
 ### Kubernetes Resources (EKS)
 
@@ -141,9 +162,49 @@ What was the actual VPC ID from the last command?
 
 The LLM should only know the token (e.g., `#(vpc-1)`), not the real value.
 
+## Contributing Patterns
+
+Patterns are defined in JSON files under the `patterns/` directory:
+
+- `patterns/aws.json` - AWS resource patterns
+- `patterns/kubernetes.json` - Kubernetes patterns
+- `patterns/common.json` - Common patterns (IPs, keys, etc.)
+
+You can request to add new files for resources of different categories.
+
+### Pattern Format
+
+Each pattern can be defined as:
+
+```json
+{
+  "pattern-name": "^regex-pattern$",
+
+  "contextual-pattern": {
+    "pattern": "\"field\":\\s*\"(captured-value)\"",
+    "contextual": true
+  },
+
+  "literal-match": {
+    "exact": "literal-string-to-match"
+  }
+}
+```
+
+- **Simple regex**: Just a string with the regex pattern
+- **Contextual**: For patterns where only a captured group should be masked (e.g., JSON fields)
+- **Exact match**: For literal strings that should be escaped
+
+### Adding New Patterns
+
+1. Fork the repository
+2. Add your pattern to the appropriate JSON file
+3. Add tests in `src/__tests__/patterns.test.ts`
+4. Submit a pull request
+
 ## Limitations
 
-- **AWS only**: Currently supports AWS. GCP and Azure are not yet supported.
+- **AWS only**: Currently supports AWS. GCP and Azure are not yet supported. Do you need them? Feel free to contribute!
 - **S3 Buckets**: Bucket names are not masked (often public/intentional).
 - **Account IDs**: Only masked in contextual JSON fields. Add to `customPatterns` for full coverage.
 - **UI display**: The UI shows original values (OpenCode limitation).

package/dist/index.js

@@ -1,57 +1,82 @@
 // src/patterns.ts
-var AWS_PATTERNS = {
-  arn: /^arn:(?:aws|aws-cn|aws-us-gov):[a-zA-Z0-9-]+:[a-z0-9-]*:(?:[0-9]{12})?:.+$/,
-  eksCluster: /^arn:(?:aws|aws-cn|aws-us-gov):eks:[a-z0-9-]+:[0-9]{12}:cluster\/.+$/,
-  vpc: /^vpc-[0-9a-f]{8,17}$/,
-  subnet: /^subnet-[0-9a-f]{8,17}$/,
-  securityGroup: /^sg-[0-9a-f]{8,17}$/,
-  internetGateway: /^igw-[0-9a-f]{8,17}$/,
-  routeTable: /^rtb-[0-9a-f]{8,17}$/,
-  natGateway: /^nat-[0-9a-f]{8,17}$/,
-  networkAcl: /^acl-[0-9a-f]{8,17}$/,
-  ec2Instance: /^i-[0-9a-f]{8,17}$/,
-  ami: /^ami-[0-9a-f]{8,17}$/,
-  ebs: /^vol-[0-9a-f]{8,17}$/,
-  snapshot: /^snap-[0-9a-f]{8,17}$/,
-  eni: /^eni-[0-9a-f]{8,17}$/,
-  accountId: /"(?:OwnerId|AccountId|Owner|account_id)":\s*"(\d{12})"/,
-  accessKeyId: /(?:^|[^A-Z0-9])(?:AKIA|ABIA|ACCA|ASIA)[A-Z0-9]{16}(?:[^A-Z0-9]|$)/
-};
-var K8S_PATTERNS = {
-  serviceAccountToken: /^eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*$/,
-  nodeNameAws: /^ip-(?:\d{1,3}-){3}\d{1,3}\.[a-z0-9-]+\.compute\.internal$/,
-  clusterEndpoint: /^https:\/\/[A-Z0-9]+\.[a-z0-9-]+\.eks\.amazonaws\.com$/,
-  kubeconfigServer: /^https:\/\/[0-9A-F]{32}\.[a-z]{2}-[a-z]+-\d\.eks\.amazonaws\.com$/i
-};
-var COMMON_PATTERNS = {
-  ipv4: /^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/,
-  privateKey: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----[\s\S]*?-----END (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/,
-  apiKeyField: /"(?:api_key|apiKey|secret_key|secretKey|access_token|auth_token|password|token)":\s*"([^"]+)"/
-};
-var PATTERNS = {
-  ...AWS_PATTERNS,
-  ...K8S_PATTERNS,
-  ...COMMON_PATTERNS
-};
+import { readdirSync, readFileSync } from "fs";
+import { join, dirname } from "path";
+import { fileURLToPath } from "url";
+var cachedPatterns = null;
+function getPackagePatternsDir() {
+  const currentFile = fileURLToPath(import.meta.url);
+  const srcDir = dirname(currentFile);
+  const packageRoot = dirname(srcDir);
+  return join(packageRoot, "patterns");
+}
+function parsePatternDefinition(name, definition) {
+  if (typeof definition === "string") {
+    return {
+      name,
+      pattern: new RegExp(definition),
+      isContextual: false,
+      isExact: false
+    };
+  }
+  if ("exact" in definition) {
+    const escaped = definition.exact.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+    return {
+      name,
+      pattern: new RegExp(escaped),
+      isContextual: false,
+      isExact: true
+    };
+  }
+  return {
+    name,
+    pattern: new RegExp(definition.pattern),
+    isContextual: definition.contextual ?? false,
+    isExact: false
+  };
+}
+function loadPatternFile(filePath) {
+  const content = readFileSync(filePath, "utf-8");
+  const data = JSON.parse(content);
+  const patterns = [];
+  for (const [name, definition] of Object.entries(data)) {
+    patterns.push(parsePatternDefinition(name, definition));
+  }
+  return patterns;
+}
+function loadPatterns() {
+  if (cachedPatterns) {
+    return cachedPatterns;
+  }
+  const patternsDir = getPackagePatternsDir();
+  const patterns = [];
+  const files = readdirSync(patternsDir).filter((f) => f.endsWith(".json")).sort();
+  for (const file of files) {
+    const filePath = join(patternsDir, file);
+    const filePatterns = loadPatternFile(filePath);
+    patterns.push(...filePatterns);
+  }
+  cachedPatterns = patterns;
+  return patterns;
+}
 
 // src/mapping.ts
 import {
   existsSync,
   mkdirSync,
-  readFileSync,
+  readFileSync as readFileSync2,
   writeFileSync,
   renameSync
 } from "fs";
-import { join } from "path";
+import { join as join2 } from "path";
 import { homedir } from "os";
 var sessionStates = new Map;
 function getSessionPath(sessionId) {
   const projectRoot = process.cwd();
-  const defaultPath = join(projectRoot, ".opencode", "sessions", sessionId, "wont-let-you-see-mapping.json");
-  if (existsSync(join(projectRoot, ".opencode")) || !existsSync(homedir())) {
+  const defaultPath = join2(projectRoot, ".opencode", "sessions", sessionId, "wont-let-you-see-mapping.json");
+  if (existsSync(join2(projectRoot, ".opencode")) || !existsSync(homedir())) {
     return defaultPath;
   }
-  return join(homedir(), ".opencode", "sessions", sessionId, "wont-let-you-see-mapping.json");
+  return join2(homedir(), ".opencode", "sessions", sessionId, "wont-let-you-see-mapping.json");
 }
 function ensureSessionDir(sessionPath) {
   const dir = sessionPath.substring(0, sessionPath.lastIndexOf("/"));
@@ -64,7 +89,7 @@ function getSessionState(sessionId) {
   if (!state) {
     const sessionPath = getSessionPath(sessionId);
     if (existsSync(sessionPath)) {
-      const mapping = JSON.parse(readFileSync(sessionPath, "utf-8"));
+      const mapping = JSON.parse(readFileSync2(sessionPath, "utf-8"));
       const counters = {};
       for (const token of Object.keys(mapping.entries)) {
         const match = token.match(/^#\(([^-]+)-(\d+)\)$/);
@@ -113,9 +138,16 @@ function getOriginal(sessionId, token) {
 }
 
 // src/config.ts
-import { existsSync as existsSync2, readFileSync as readFileSync2 } from "fs";
-import { join as join2, dirname } from "path";
+import {
+  existsSync as nodeExistsSync,
+  readFileSync as nodeReadFileSync
+} from "fs";
+import { join as join3, dirname as dirname2 } from "path";
 import { homedir as homedir2 } from "os";
+var fsAdapter = {
+  existsSync: nodeExistsSync,
+  readFileSync: nodeReadFileSync
+};
 var DEFAULT_CONFIG = {
   enabled: true,
   revealedPatterns: [],
@@ -126,14 +158,14 @@ function findConfigInAncestors(startDir) {
   const home = homedir2();
   let currentDir = startDir;
   while (true) {
-    const configPath = join2(currentDir, CONFIG_FILENAME);
-    if (existsSync2(configPath)) {
+    const configPath = join3(currentDir, CONFIG_FILENAME);
+    if (fsAdapter.existsSync(configPath)) {
       return configPath;
     }
     if (currentDir === home) {
       break;
     }
-    const parentDir = dirname(currentDir);
+    const parentDir = dirname2(currentDir);
     if (parentDir === currentDir) {
       break;
     }
@@ -145,14 +177,14 @@ function loadJsonConfig() {
   const ancestorConfig = findConfigInAncestors(process.cwd());
   if (ancestorConfig) {
     try {
-      const content = readFileSync2(ancestorConfig, "utf-8");
+      const content = fsAdapter.readFileSync(ancestorConfig, "utf-8");
       return JSON.parse(content);
     } catch {}
   }
-  const homeConfig = join2(homedir2(), CONFIG_FILENAME);
-  if (existsSync2(homeConfig)) {
+  const homeConfig = join3(homedir2(), CONFIG_FILENAME);
+  if (fsAdapter.existsSync(homeConfig)) {
     try {
-      const content = readFileSync2(homeConfig, "utf-8");
+      const content = fsAdapter.readFileSync(homeConfig, "utf-8");
       return JSON.parse(content);
     } catch {}
   }
@@ -197,31 +229,6 @@ function isPatternEnabled(patternType) {
 }
 
 // src/masker.ts
-var PATTERN_ORDER = [
-  { pattern: AWS_PATTERNS.eksCluster, type: "eks-cluster" },
-  { pattern: AWS_PATTERNS.arn, type: "arn" },
-  { pattern: AWS_PATTERNS.accountId, type: "account-id", isContextual: true },
-  { pattern: AWS_PATTERNS.accessKeyId, type: "access-key-id" },
-  { pattern: AWS_PATTERNS.vpc, type: "vpc" },
-  { pattern: AWS_PATTERNS.subnet, type: "subnet" },
-  { pattern: AWS_PATTERNS.securityGroup, type: "security-group" },
-  { pattern: AWS_PATTERNS.internetGateway, type: "internet-gateway" },
-  { pattern: AWS_PATTERNS.routeTable, type: "route-table" },
-  { pattern: AWS_PATTERNS.natGateway, type: "nat-gateway" },
-  { pattern: AWS_PATTERNS.networkAcl, type: "network-acl" },
-  { pattern: AWS_PATTERNS.eni, type: "eni" },
-  { pattern: AWS_PATTERNS.ami, type: "ami" },
-  { pattern: AWS_PATTERNS.ec2Instance, type: "ec2-instance" },
-  { pattern: AWS_PATTERNS.ebs, type: "ebs" },
-  { pattern: AWS_PATTERNS.snapshot, type: "snapshot" },
-  { pattern: K8S_PATTERNS.serviceAccountToken, type: "k8s-token" },
-  { pattern: K8S_PATTERNS.clusterEndpoint, type: "k8s-endpoint" },
-  { pattern: K8S_PATTERNS.kubeconfigServer, type: "k8s-endpoint" },
-  { pattern: K8S_PATTERNS.nodeNameAws, type: "k8s-node" },
-  { pattern: COMMON_PATTERNS.privateKey, type: "private-key" },
-  { pattern: COMMON_PATTERNS.apiKeyField, type: "api-key", isContextual: true },
-  { pattern: COMMON_PATTERNS.ipv4, type: "ipv4" }
-];
 function removeAnchors(source) {
   let result = source.replace(/^\^/, "").replace(/\$$/, "");
   if (!result.endsWith("\\b")) {
@@ -229,28 +236,42 @@ function removeAnchors(source) {
   }
   return result;
 }
-function mask(sessionId, text) {
-  if (!text || typeof text !== "string") {
-    return text;
-  }
-  const config = getConfig();
-  if (!config.enabled) {
-    return text;
-  }
+var REGEX_PREFIX = "regex:";
+function applyCustomPatterns(sessionId, text, customPatterns) {
   let result = text;
-  for (const customPattern of config.customPatterns) {
-    if (result.includes(customPattern)) {
-      const token = addEntry(sessionId, "custom", customPattern);
-      result = result.split(customPattern).join(token);
+  for (const customPattern of customPatterns) {
+    if (customPattern.startsWith(REGEX_PREFIX)) {
+      const regexStr = customPattern.slice(REGEX_PREFIX.length);
+      const regex = new RegExp(removeAnchors(regexStr), "g");
+      const matches = new Set;
+      let match;
+      while ((match = regex.exec(result)) !== null) {
+        matches.add(match[0]);
+      }
+      for (const value of matches) {
+        const token = addEntry(sessionId, "custom", value);
+        result = result.split(value).join(token);
+      }
+    } else {
+      const escaped = customPattern.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+      const literalRegex = new RegExp(escaped + "(?![\\w])", "g");
+      if (literalRegex.test(result)) {
+        const token = addEntry(sessionId, "custom", customPattern);
+        result = result.replace(literalRegex, token);
+      }
     }
   }
-  for (const { pattern, type, isContextual } of PATTERN_ORDER) {
-    if (!isPatternEnabled(type)) {
+  return result;
+}
+function applyLoadedPatterns(sessionId, text, patterns) {
+  let result = text;
+  for (const { name, pattern, isContextual } of patterns) {
+    if (!isPatternEnabled(name)) {
       continue;
     }
     if (isContextual) {
       result = result.replace(new RegExp(pattern.source, "g"), (match, capturedValue) => {
-        const token = addEntry(sessionId, type, capturedValue);
+        const token = addEntry(sessionId, name, capturedValue);
         return match.replace(capturedValue, token);
       });
     } else {
@@ -261,13 +282,27 @@ function mask(sessionId, text) {
         matches.add(match[0]);
       }
       for (const value of matches) {
-        const token = addEntry(sessionId, type, value);
+        const token = addEntry(sessionId, name, value);
         result = result.split(value).join(token);
       }
     }
   }
   return result;
 }
+function mask(sessionId, text) {
+  if (!text || typeof text !== "string") {
+    return text;
+  }
+  const config = getConfig();
+  if (!config.enabled) {
+    return text;
+  }
+  let result = text;
+  result = applyCustomPatterns(sessionId, result, config.customPatterns);
+  const patterns = loadPatterns();
+  result = applyLoadedPatterns(sessionId, result, patterns);
+  return result;
+}
 function unmask(sessionId, text) {
   if (!text || typeof text !== "string") {
     return text;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@uniglot/wont-let-you-see",
-  "version": "0.1.1",
+  "version": "0.3.0",
   "description": "OpenCode plugin that masks sensitive cloud infrastructure data (AWS, Kubernetes) from LLMs",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/patterns/aws.json

@@ -0,0 +1,27 @@
+{
+  "eks-cluster": "^arn:(?:aws|aws-cn|aws-us-gov):eks:[a-z0-9-]+:[0-9]{12}:cluster\\/.+$",
+  "arn": "^arn:(?:aws|aws-cn|aws-us-gov):[a-zA-Z0-9-]+:[a-z0-9-]*:(?:[0-9]{12})?:.+$",
+  "account-id": {
+    "pattern": "\"(?:OwnerId|AccountId|Owner|account_id)\":\\s*\"(\\d{12})\"",
+    "contextual": true
+  },
+  "access-key-id": "(?:^|[^A-Z0-9])(?:AKIA|ABIA|ACCA|ASIA)[A-Z0-9]{16}(?:[^A-Z0-9]|$)",
+  "vpc": "^vpc-[0-9a-f]{8,17}$",
+  "subnet": "^subnet-[0-9a-f]{8,17}$",
+  "security-group": "^sg-[0-9a-f]{8,17}$",
+  "internet-gateway": "^igw-[0-9a-f]{8,17}$",
+  "route-table": "^rtb-[0-9a-f]{8,17}$",
+  "nat-gateway": "^nat-[0-9a-f]{8,17}$",
+  "network-acl": "^acl-[0-9a-f]{8,17}$",
+  "eni": "^eni-[0-9a-f]{8,17}$",
+  "vpc-endpoint": "^vpce-[0-9a-f]{8,17}$",
+  "transit-gateway": "^tgw-[0-9a-f]{8,17}$",
+  "customer-gateway": "^cgw-[0-9a-f]{8,17}$",
+  "vpn-gateway": "^vgw-[0-9a-f]{8,17}$",
+  "vpn-connection": "^vpn-[0-9a-f]{8,17}$",
+  "ecr-repo": "^(?:\\d{12}|#\\(custom-\\d+\\))\\.dkr\\.ecr\\.[a-z0-9-]+\\.amazonaws\\.com\\/[a-z0-9._\\/-]+$",
+  "ami": "^ami-[0-9a-f]{8,17}$",
+  "ec2-instance": "^i-[0-9a-f]{8,17}$",
+  "ebs": "^vol-[0-9a-f]{8,17}$",
+  "snapshot": "^snap-[0-9a-f]{8,17}$"
+}

package/patterns/common.json

@@ -0,0 +1,8 @@
+{
+  "private-key": "-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----[\\s\\S]*?-----END (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----",
+  "api-key": {
+    "pattern": "\"(?:api_key|apiKey|secret_key|secretKey|access_token|auth_token|password|token)\":\\s*\"([^\"]+)\"",
+    "contextual": true
+  },
+  "ipv4": "^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$"
+}

package/patterns/kubernetes.json

@@ -0,0 +1,9 @@
+{
+  "k8s-token": "^eyJ[A-Za-z0-9_-]*\\.eyJ[A-Za-z0-9_-]*\\.[A-Za-z0-9_-]*$",
+  "k8s-endpoint": "^https:\\/\\/[A-Z0-9]+\\.[a-z0-9-]+\\.eks\\.amazonaws\\.com$",
+  "k8s-endpoint-kubeconfig": {
+    "pattern": "^https:\\/\\/[0-9A-F]{32}\\.[a-z]{2}-[a-z]+-\\d\\.eks\\.amazonaws\\.com$",
+    "contextual": false
+  },
+  "k8s-node": "^ip-(?:\\d{1,3}-){3}\\d{1,3}\\.[a-z0-9-]+\\.compute\\.internal$"
+}

package/src/__tests__/config.test.ts

@@ -1,16 +1,15 @@
 import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
-import { getConfig, resetConfig, isPatternEnabled } from "../config";
-import * as fs from "fs";
+import {
+  getConfig,
+  resetConfig,
+  isPatternEnabled,
+  setFsAdapter,
+  resetFsAdapter,
+} from "../config";
 import * as path from "path";
 
-vi.mock("fs", async () => {
-  const actual = await vi.importActual<typeof fs>("fs");
-  return {
-    ...actual,
-    existsSync: vi.fn(),
-    readFileSync: vi.fn(),
-  };
-});
+const mockExistsSync = vi.fn();
+const mockReadFileSync = vi.fn();
 
 describe("Config", () => {
   const originalEnv = { ...process.env };
@@ -18,14 +17,19 @@ describe("Config", () => {
 
   beforeEach(() => {
     resetConfig();
-    vi.mocked(fs.existsSync).mockReturnValue(false);
-    vi.mocked(fs.readFileSync).mockReturnValue("{}");
+    setFsAdapter({
+      existsSync: mockExistsSync,
+      readFileSync: mockReadFileSync,
+    });
+    mockExistsSync.mockReturnValue(false);
+    mockReadFileSync.mockReturnValue("{}");
   });
 
   afterEach(() => {
     process.env = { ...originalEnv };
     process.cwd = originalCwd;
     resetConfig();
+    resetFsAdapter();
     vi.clearAllMocks();
   });
 
@@ -116,10 +120,10 @@ describe("Config", () => {
     it("should find config in parent directory when cwd is subdirectory", () => {
       process.cwd = () => "/project/packages/app";
 
-      vi.mocked(fs.existsSync).mockImplementation((p) => {
+      mockExistsSync.mockImplementation((p: string) => {
         return p === path.join("/project", ".wont-let-you-see.json");
       });
-      vi.mocked(fs.readFileSync).mockReturnValue(
+      mockReadFileSync.mockReturnValue(
         JSON.stringify({ enabled: false, customPatterns: ["secret123"] }),
       );
 
@@ -131,10 +135,10 @@ describe("Config", () => {
     it("should find config in grandparent directory", () => {
       process.cwd = () => "/project/packages/app/src/components";
 
-      vi.mocked(fs.existsSync).mockImplementation((p) => {
+      mockExistsSync.mockImplementation((p: string) => {
         return p === path.join("/project", ".wont-let-you-see.json");
       });
-      vi.mocked(fs.readFileSync).mockReturnValue(
+      mockReadFileSync.mockReturnValue(
         JSON.stringify({ revealedPatterns: ["ipv4"] }),
       );
 
@@ -145,13 +149,13 @@ describe("Config", () => {
     it("should prefer config in closer ancestor over distant ancestor", () => {
       process.cwd = () => "/project/packages/app";
 
-      vi.mocked(fs.existsSync).mockImplementation((p) => {
+      mockExistsSync.mockImplementation((p: string) => {
         return (
           p === path.join("/project/packages/app", ".wont-let-you-see.json") ||
           p === path.join("/project", ".wont-let-you-see.json")
         );
       });
-      vi.mocked(fs.readFileSync).mockImplementation((p) => {
+      mockReadFileSync.mockImplementation((p: string) => {
         if (
           p === path.join("/project/packages/app", ".wont-let-you-see.json")
         ) {
@@ -167,13 +171,13 @@ describe("Config", () => {
     it("should prefer cwd config over parent config", () => {
       process.cwd = () => "/project/subdir";
 
-      vi.mocked(fs.existsSync).mockImplementation((p) => {
+      mockExistsSync.mockImplementation((p: string) => {
         return (
           p === path.join("/project/subdir", ".wont-let-you-see.json") ||
           p === path.join("/project", ".wont-let-you-see.json")
         );
       });
-      vi.mocked(fs.readFileSync).mockImplementation((p) => {
+      mockReadFileSync.mockImplementation((p: string) => {
         if (p === path.join("/project/subdir", ".wont-let-you-see.json")) {
           return JSON.stringify({ enabled: false });
         }