@uniglot/wont-let-you-see 0.1.1 → 0.3.0

package/src/__tests__/masker.test.ts

@@ -2,6 +2,7 @@ import { describe, it, expect, beforeEach, vi, afterEach } from "vitest";
 import { mask, unmask } from "../masker";
 import { createMapping } from "../mapping";
 import { resetConfig } from "../config";
+import { resetPatternCache } from "../patterns";
 
 describe("masker", () => {
   const sessionId = "test-session-masker";
@@ -10,12 +11,14 @@ describe("masker", () => {
   beforeEach(() => {
     process.env.WONT_LET_YOU_SEE_REVEALED_PATTERNS = "";
     resetConfig();
+    resetPatternCache();
     createMapping(sessionId);
   });
 
   afterEach(() => {
     process.env = { ...originalEnv };
     resetConfig();
+    resetPatternCache();
   });
 
   describe("mask()", () => {
@@ -182,6 +185,67 @@ describe("masker", () => {
     });
   });
 
+  describe("customPatterns with regex support", () => {
+    it("should mask exact string patterns", () => {
+      process.env.WONT_LET_YOU_SEE_CUSTOM_PATTERNS = "my-secret-value";
+      resetConfig();
+
+      const input = "Secret: my-secret-value";
+      const result = mask(sessionId, input);
+
+      expect(result).toMatch(/Secret: #\(custom-\d+\)/);
+      expect(result).not.toContain("my-secret-value");
+    });
+
+    it("should mask regex patterns with regex: prefix", () => {
+      process.env.WONT_LET_YOU_SEE_CUSTOM_PATTERNS =
+        "regex:secret-[a-z]{3}-\\d{4}";
+      resetConfig();
+
+      const input = "Keys: secret-abc-1234, secret-xyz-5678";
+      const result = mask(sessionId, input);
+
+      expect(result).toMatch(/#\(custom-\d+\)/);
+      expect(result).not.toContain("secret-abc-1234");
+      expect(result).not.toContain("secret-xyz-5678");
+    });
+
+    it("should treat patterns without regex: prefix as literal strings", () => {
+      process.env.WONT_LET_YOU_SEE_CUSTOM_PATTERNS = "literal-value";
+      resetConfig();
+
+      const input = "Value: literal-value, Other: literal-values";
+      const result = mask(sessionId, input);
+
+      expect(result).toMatch(/Value: #\(custom-\d+\)/);
+      expect(result).toContain("literal-values");
+    });
+
+    it("should round-trip custom regex patterns", () => {
+      process.env.WONT_LET_YOU_SEE_CUSTOM_PATTERNS = "regex:token-[A-Z]{8}";
+      resetConfig();
+
+      const original = "Auth: token-ABCDEFGH";
+      const masked = mask(sessionId, original);
+      const unmasked = unmask(sessionId, masked);
+
+      expect(unmasked).toBe(original);
+    });
+
+    it("should support multiple custom patterns including regex", () => {
+      process.env.WONT_LET_YOU_SEE_CUSTOM_PATTERNS =
+        "exact-secret,regex:pattern-\\d+";
+      resetConfig();
+
+      const input = "Secrets: exact-secret, pattern-123, pattern-456";
+      const result = mask(sessionId, input);
+
+      expect(result).not.toContain("exact-secret");
+      expect(result).not.toContain("pattern-123");
+      expect(result).not.toContain("pattern-456");
+    });
+  });
+
   describe("round-trip integrity", () => {
     it("should maintain round-trip integrity for VPC", () => {
       const original = "vpc-1234567890abcdef0";

package/src/__tests__/patterns.test.ts

@@ -1,26 +1,31 @@
-import { describe, it, expect } from "vitest";
-import {
-  AWS_PATTERNS,
-  K8S_PATTERNS,
-  COMMON_PATTERNS,
-  PATTERNS,
-} from "../patterns";
-
-describe("AWS_PATTERNS", () => {
+import { describe, it, expect, beforeEach } from "vitest";
+import { loadPatterns, resetPatternCache, getPatternByName } from "../patterns";
+
+function getPattern(name: string) {
+  const p = getPatternByName(name);
+  if (!p) throw new Error(`Pattern '${name}' not found`);
+  return p.pattern;
+}
+
+describe("AWS Patterns", () => {
+  beforeEach(() => {
+    resetPatternCache();
+  });
+
   describe("ARN", () => {
     it("should match aws partition", () => {
       expect(
-        AWS_PATTERNS.arn.test("arn:aws:iam::123456789012:user/admin"),
+        getPattern("arn").test("arn:aws:iam::123456789012:user/admin"),
       ).toBe(true);
     });
 
     it("should match aws-cn partition", () => {
-      expect(AWS_PATTERNS.arn.test("arn:aws-cn:s3:::my-bucket")).toBe(true);
+      expect(getPattern("arn").test("arn:aws-cn:s3:::my-bucket")).toBe(true);
     });
 
     it("should match aws-us-gov partition", () => {
       expect(
-        AWS_PATTERNS.arn.test(
+        getPattern("arn").test(
           "arn:aws-us-gov:ec2:us-gov-west-1:123456789012:instance/i-123",
         ),
       ).toBe(true);
@@ -29,94 +34,194 @@ describe("AWS_PATTERNS", () => {
 
   describe("VPC resources", () => {
     it("should match vpc", () => {
-      expect(AWS_PATTERNS.vpc.test("vpc-0123456789abcdef0")).toBe(true);
+      expect(getPattern("vpc").test("vpc-0123456789abcdef0")).toBe(true);
     });
 
     it("should match subnet", () => {
-      expect(AWS_PATTERNS.subnet.test("subnet-0123456789abcdef0")).toBe(true);
+      expect(getPattern("subnet").test("subnet-0123456789abcdef0")).toBe(true);
     });
 
     it("should match security group", () => {
-      expect(AWS_PATTERNS.securityGroup.test("sg-0123456789abcdef0")).toBe(
+      expect(getPattern("security-group").test("sg-0123456789abcdef0")).toBe(
         true,
       );
     });
 
     it("should match nat gateway", () => {
-      expect(AWS_PATTERNS.natGateway.test("nat-0123456789abcdef0")).toBe(true);
+      expect(getPattern("nat-gateway").test("nat-0123456789abcdef0")).toBe(
+        true,
+      );
     });
 
     it("should match network acl", () => {
-      expect(AWS_PATTERNS.networkAcl.test("acl-0123456789abcdef0")).toBe(true);
+      expect(getPattern("network-acl").test("acl-0123456789abcdef0")).toBe(
+        true,
+      );
     });
 
     it("should match eni", () => {
-      expect(AWS_PATTERNS.eni.test("eni-0123456789abcdef0")).toBe(true);
+      expect(getPattern("eni").test("eni-0123456789abcdef0")).toBe(true);
     });
   });
 
   describe("EC2 resources", () => {
     it("should match ebs volume", () => {
-      expect(AWS_PATTERNS.ebs.test("vol-0123456789abcdef0")).toBe(true);
+      expect(getPattern("ebs").test("vol-0123456789abcdef0")).toBe(true);
     });
 
     it("should match snapshot", () => {
-      expect(AWS_PATTERNS.snapshot.test("snap-0123456789abcdef0")).toBe(true);
+      expect(getPattern("snapshot").test("snap-0123456789abcdef0")).toBe(true);
+    });
+  });
+
+  describe("VPC networking resources", () => {
+    it("should match vpc endpoint", () => {
+      expect(getPattern("vpc-endpoint").test("vpce-0123456789abcdef0")).toBe(
+        true,
+      );
+    });
+
+    it("should match transit gateway", () => {
+      expect(getPattern("transit-gateway").test("tgw-0123456789abcdef0")).toBe(
+        true,
+      );
+    });
+
+    it("should match customer gateway", () => {
+      expect(getPattern("customer-gateway").test("cgw-0123456789abcdef0")).toBe(
+        true,
+      );
+    });
+
+    it("should match vpn gateway", () => {
+      expect(getPattern("vpn-gateway").test("vgw-0123456789abcdef0")).toBe(
+        true,
+      );
+    });
+
+    it("should match vpn connection", () => {
+      expect(getPattern("vpn-connection").test("vpn-0123456789abcdef0")).toBe(
+        true,
+      );
+    });
+
+    it("should NOT match invalid vpc endpoint", () => {
+      expect(getPattern("vpc-endpoint").test("vpce-invalid")).toBe(false);
+    });
+  });
+
+  describe("ECR resources", () => {
+    it("should match ECR repo URI", () => {
+      expect(
+        getPattern("ecr-repo").test(
+          "123456789012.dkr.ecr.us-west-2.amazonaws.com/my-repo",
+        ),
+      ).toBe(true);
+    });
+
+    it("should match ECR repo URI with nested path", () => {
+      expect(
+        getPattern("ecr-repo").test(
+          "123456789012.dkr.ecr.eu-central-1.amazonaws.com/org/app/service",
+        ),
+      ).toBe(true);
+    });
+
+    it("should match ECR repo URI with dots and underscores", () => {
+      expect(
+        getPattern("ecr-repo").test(
+          "123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/my_repo.name",
+        ),
+      ).toBe(true);
+    });
+
+    it("should NOT match invalid ECR URI (wrong account ID length)", () => {
+      expect(
+        getPattern("ecr-repo").test(
+          "12345.dkr.ecr.us-west-2.amazonaws.com/my-repo",
+        ),
+      ).toBe(false);
+    });
+
+    it("should NOT match non-ECR docker registry", () => {
+      expect(getPattern("ecr-repo").test("docker.io/library/nginx")).toBe(
+        false,
+      );
+    });
+
+    it("should match ECR repo URI with masked account ID", () => {
+      expect(
+        getPattern("ecr-repo").test(
+          "#(custom-1).dkr.ecr.us-west-2.amazonaws.com/my-repo",
+        ),
+      ).toBe(true);
+    });
+
+    it("should match ECR repo URI with masked account ID (higher number)", () => {
+      expect(
+        getPattern("ecr-repo").test(
+          "#(custom-123).dkr.ecr.us-east-1.amazonaws.com/app/service",
+        ),
+      ).toBe(true);
     });
   });
 
   describe("Account ID (contextual)", () => {
     it("should match OwnerId field", () => {
-      expect(AWS_PATTERNS.accountId.test('"OwnerId": "123456789012"')).toBe(
+      expect(getPattern("account-id").test('"OwnerId": "123456789012"')).toBe(
         true,
       );
     });
 
     it("should match account_id field (terraform style)", () => {
-      expect(AWS_PATTERNS.accountId.test('"account_id": "123456789012"')).toBe(
-        true,
-      );
+      expect(
+        getPattern("account-id").test('"account_id": "123456789012"'),
+      ).toBe(true);
     });
 
     it("should NOT match bare number", () => {
-      expect(AWS_PATTERNS.accountId.test("123456789012")).toBe(false);
+      expect(getPattern("account-id").test("123456789012")).toBe(false);
     });
   });
 
   describe("Access Key ID", () => {
     it("should match AKIA prefix", () => {
-      expect(AWS_PATTERNS.accessKeyId.test(" AKIAIOSFODNN7EXAMPLE ")).toBe(
+      expect(getPattern("access-key-id").test(" AKIAIOSFODNN7EXAMPLE ")).toBe(
         true,
       );
     });
 
     it("should match ASIA prefix (temporary)", () => {
-      expect(AWS_PATTERNS.accessKeyId.test(" ASIAISAMPLEKEYID1234 ")).toBe(
+      expect(getPattern("access-key-id").test(" ASIAISAMPLEKEYID1234 ")).toBe(
         true,
       );
     });
 
     it("should NOT match random string", () => {
-      expect(AWS_PATTERNS.accessKeyId.test("RANDOMSTRING12345678")).toBe(false);
+      expect(getPattern("access-key-id").test("RANDOMSTRING12345678")).toBe(
+        false,
+      );
     });
   });
 });
 
-describe("K8S_PATTERNS", () => {
+describe("Kubernetes Patterns", () => {
+  beforeEach(() => {
+    resetPatternCache();
+  });
+
   describe("Service Account Token", () => {
     it("should match JWT format", () => {
       const jwt =
         "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tYWJjZGUiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjEyMzQ1Njc4LTEyMzQtMTIzNC0xMjM0LTEyMzQ1Njc4OTAxMiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.signature";
-      expect(K8S_PATTERNS.serviceAccountToken.test(jwt)).toBe(true);
+      expect(getPattern("k8s-token").test(jwt)).toBe(true);
     });
   });
 
   describe("Node Names", () => {
     it("should match AWS node name", () => {
       expect(
-        K8S_PATTERNS.nodeNameAws.test(
-          "ip-10-0-1-123.us-west-2.compute.internal",
-        ),
+        getPattern("k8s-node").test("ip-10-0-1-123.us-west-2.compute.internal"),
       ).toBe(true);
     });
   });
@@ -124,7 +229,7 @@ describe("K8S_PATTERNS", () => {
   describe("Cluster Endpoints", () => {
     it("should match EKS endpoint", () => {
       expect(
-        K8S_PATTERNS.clusterEndpoint.test(
+        getPattern("k8s-endpoint").test(
           "https://ABCDEF1234567890ABCD.us-west-2.eks.amazonaws.com",
         ),
       ).toBe(true);
@@ -132,14 +237,18 @@ describe("K8S_PATTERNS", () => {
   });
 });
 
-describe("COMMON_PATTERNS", () => {
+describe("Common Patterns", () => {
+  beforeEach(() => {
+    resetPatternCache();
+  });
+
   describe("IPv4", () => {
     it("should match IPv4", () => {
-      expect(COMMON_PATTERNS.ipv4.test("192.168.1.1")).toBe(true);
+      expect(getPattern("ipv4").test("192.168.1.1")).toBe(true);
     });
 
     it("should not match CIDR notation", () => {
-      expect(COMMON_PATTERNS.ipv4.test("10.0.0.0/8")).toBe(false);
+      expect(getPattern("ipv4").test("10.0.0.0/8")).toBe(false);
     });
   });
 
@@ -153,16 +262,16 @@ MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC
 -----END PRIVATE KEY-----`;
 
     it("should match entire RSA private key block", () => {
-      expect(COMMON_PATTERNS.privateKey.test(rsaKey)).toBe(true);
+      expect(getPattern("private-key").test(rsaKey)).toBe(true);
     });
 
     it("should match entire generic private key block", () => {
-      expect(COMMON_PATTERNS.privateKey.test(genericKey)).toBe(true);
+      expect(getPattern("private-key").test(genericKey)).toBe(true);
     });
 
     it("should not match header only", () => {
       expect(
-        COMMON_PATTERNS.privateKey.test("-----BEGIN RSA PRIVATE KEY-----"),
+        getPattern("private-key").test("-----BEGIN RSA PRIVATE KEY-----"),
       ).toBe(false);
     });
   });
@@ -170,49 +279,89 @@ MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC
   describe("API Key Field (contextual)", () => {
     it("should match api_key field", () => {
       expect(
-        COMMON_PATTERNS.apiKeyField.test('"api_key": "sk-1234567890abcdef"'),
+        getPattern("api-key").test('"api_key": "sk-1234567890abcdef"'),
       ).toBe(true);
     });
 
     it("should match password field", () => {
-      expect(
-        COMMON_PATTERNS.apiKeyField.test('"password": "supersecret123"'),
-      ).toBe(true);
+      expect(getPattern("api-key").test('"password": "supersecret123"')).toBe(
+        true,
+      );
     });
 
     it("should match token field", () => {
-      expect(
-        COMMON_PATTERNS.apiKeyField.test('"token": "ghp_xxxxxxxxxxxx"'),
-      ).toBe(true);
+      expect(getPattern("api-key").test('"token": "ghp_xxxxxxxxxxxx"')).toBe(
+        true,
+      );
     });
   });
 });
 
-describe("PATTERNS (combined)", () => {
-  it("should include all AWS patterns", () => {
-    expect(PATTERNS.vpc).toBe(AWS_PATTERNS.vpc);
-    expect(PATTERNS.arn).toBe(AWS_PATTERNS.arn);
-  });
-
-  it("should include all K8S patterns", () => {
-    expect(PATTERNS.serviceAccountToken).toBe(K8S_PATTERNS.serviceAccountToken);
+describe("ReDoS safety", () => {
+  beforeEach(() => {
+    resetPatternCache();
   });
 
-  it("should include all common patterns", () => {
-    expect(PATTERNS.ipv4).toBe(COMMON_PATTERNS.ipv4);
-    expect(PATTERNS.privateKey).toBe(COMMON_PATTERNS.privateKey);
-  });
-});
-
-describe("ReDoS safety", () => {
   it("should handle pathological input quickly", () => {
     const pathological = "a".repeat(1000) + "b";
     const start = performance.now();
 
-    for (const pattern of Object.values(PATTERNS)) {
+    const allPatterns = loadPatterns();
+    for (const { pattern } of allPatterns) {
       pattern.test(pathological);
     }
 
     expect(performance.now() - start).toBeLessThan(100);
   });
 });
+
+describe("loadPatterns", () => {
+  beforeEach(() => {
+    resetPatternCache();
+  });
+
+  it("should load patterns from JSON files", () => {
+    const patterns = loadPatterns();
+    expect(patterns.length).toBeGreaterThan(0);
+  });
+
+  it("should load AWS patterns", () => {
+    const patterns = loadPatterns();
+    const vpcPattern = patterns.find((p) => p.name === "vpc");
+    expect(vpcPattern).toBeDefined();
+    expect(vpcPattern!.pattern.test("vpc-1234567890abcdef0")).toBe(true);
+  });
+
+  it("should load Kubernetes patterns", () => {
+    const patterns = loadPatterns();
+    const k8sTokenPattern = patterns.find((p) => p.name === "k8s-token");
+    expect(k8sTokenPattern).toBeDefined();
+  });
+
+  it("should load common patterns", () => {
+    const patterns = loadPatterns();
+    const ipv4Pattern = patterns.find((p) => p.name === "ipv4");
+    expect(ipv4Pattern).toBeDefined();
+    expect(ipv4Pattern!.pattern.test("192.168.1.1")).toBe(true);
+  });
+
+  it("should mark contextual patterns correctly", () => {
+    const patterns = loadPatterns();
+    const accountIdPattern = patterns.find((p) => p.name === "account-id");
+    expect(accountIdPattern).toBeDefined();
+    expect(accountIdPattern!.isContextual).toBe(true);
+  });
+
+  it("should cache patterns after first load", () => {
+    const patterns1 = loadPatterns();
+    const patterns2 = loadPatterns();
+    expect(patterns1).toBe(patterns2);
+  });
+
+  it("should reset cache on resetPatternCache()", () => {
+    const patterns1 = loadPatterns();
+    resetPatternCache();
+    const patterns2 = loadPatterns();
+    expect(patterns1).not.toBe(patterns2);
+  });
+});

package/src/config.ts

@@ -1,5 +1,8 @@
-import { existsSync, readFileSync } from "fs";
-import { join, dirname, parse } from "path";
+import {
+  existsSync as nodeExistsSync,
+  readFileSync as nodeReadFileSync,
+} from "fs";
+import { join, dirname } from "path";
 import { homedir } from "os";
 
 export interface Config {
@@ -8,6 +11,24 @@ export interface Config {
   customPatterns: string[];
 }
 
+interface FsAdapter {
+  existsSync: (path: string) => boolean;
+  readFileSync: (path: string, encoding: "utf-8") => string;
+}
+
+let fsAdapter: FsAdapter = {
+  existsSync: nodeExistsSync,
+  readFileSync: nodeReadFileSync,
+};
+
+export function setFsAdapter(adapter: FsAdapter): void {
+  fsAdapter = adapter;
+}
+
+export function resetFsAdapter(): void {
+  fsAdapter = { existsSync: nodeExistsSync, readFileSync: nodeReadFileSync };
+}
+
 const DEFAULT_CONFIG: Config = {
   enabled: true,
   revealedPatterns: [],
@@ -22,7 +43,7 @@ function findConfigInAncestors(startDir: string): string | null {
 
   while (true) {
     const configPath = join(currentDir, CONFIG_FILENAME);
-    if (existsSync(configPath)) {
+    if (fsAdapter.existsSync(configPath)) {
       return configPath;
     }
 
@@ -41,20 +62,18 @@ function findConfigInAncestors(startDir: string): string | null {
 }
 
 function loadJsonConfig(): Partial<Config> {
-  // First, search up from cwd to find nearest config
   const ancestorConfig = findConfigInAncestors(process.cwd());
   if (ancestorConfig) {
     try {
-      const content = readFileSync(ancestorConfig, "utf-8");
+      const content = fsAdapter.readFileSync(ancestorConfig, "utf-8");
       return JSON.parse(content);
     } catch {}
   }
 
-  // Fall back to home directory
   const homeConfig = join(homedir(), CONFIG_FILENAME);
-  if (existsSync(homeConfig)) {
+  if (fsAdapter.existsSync(homeConfig)) {
     try {
-      const content = readFileSync(homeConfig, "utf-8");
+      const content = fsAdapter.readFileSync(homeConfig, "utf-8");
       return JSON.parse(content);
     } catch {}
   }