@uniglot/wont-let-you-see 0.2.0 → 0.3.0

package/README.md

@@ -28,11 +28,11 @@ Configure via environment variables or JSON config file. Environment variables t
 
 #### Environment Variables
 
-| Variable                             | Description                                     | Default |
-| ------------------------------------ | ----------------------------------------------- | ------- |
-| `WONT_LET_YOU_SEE_ENABLED`           | Set to `false` or `0` to disable masking        | `true`  |
-| `WONT_LET_YOU_SEE_REVEALED_PATTERNS` | Comma-separated list of pattern types to reveal | (none)  |
-| `WONT_LET_YOU_SEE_CUSTOM_PATTERNS`   | Comma-separated list of custom strings to mask  | (none)  |
+| Variable                             | Description                                                                | Default |
+| ------------------------------------ | -------------------------------------------------------------------------- | ------- |
+| `WONT_LET_YOU_SEE_ENABLED`           | Set to `false` or `0` to disable masking                                   | `true`  |
+| `WONT_LET_YOU_SEE_REVEALED_PATTERNS` | Comma-separated list of pattern types to reveal                            | (none)  |
+| `WONT_LET_YOU_SEE_CUSTOM_PATTERNS`   | Comma-separated list of custom patterns to mask (supports `regex:` prefix) | (none)  |
 
 #### JSON Config File
 
@@ -48,6 +48,18 @@ Create `.wont-let-you-see.json` in your project root, `~/.config/opencode/`, or
 
 > **Tip**: Add your AWS account ID to `customPatterns`. The built-in `account-id` pattern only matches contextual fields like `"OwnerId": "123456789012"`, but may miss bare account IDs in terraform output or other contexts.
 
+Custom patterns support both literal strings and regular expressions. Prefix with `regex:` to use regex:
+
+```json
+{
+  "customPatterns": [
+    "123456789012",
+    "my-secret-value",
+    "regex:secret-[a-z]{3}-\\d{4}"
+  ]
+}
+```
+
 #### Examples
 
 ```bash
@@ -59,6 +71,9 @@ WONT_LET_YOU_SEE_REVEALED_PATTERNS=eks-cluster,ipv4 opencode
 
 # Mask custom values (e.g., AWS account ID)
 WONT_LET_YOU_SEE_CUSTOM_PATTERNS=123456789012,my-secret opencode
+
+# Mask with regex patterns
+WONT_LET_YOU_SEE_CUSTOM_PATTERNS="regex:token-[A-Z]{8},my-literal-secret" opencode
 ```
 
 ## Supported Commands
@@ -147,9 +162,49 @@ What was the actual VPC ID from the last command?
 
 The LLM should only know the token (e.g., `#(vpc-1)`), not the real value.
 
+## Contributing Patterns
+
+Patterns are defined in JSON files under the `patterns/` directory:
+
+- `patterns/aws.json` - AWS resource patterns
+- `patterns/kubernetes.json` - Kubernetes patterns
+- `patterns/common.json` - Common patterns (IPs, keys, etc.)
+
+You can request to add new files for resources of different categories.
+
+### Pattern Format
+
+Each pattern can be defined as:
+
+```json
+{
+  "pattern-name": "^regex-pattern$",
+
+  "contextual-pattern": {
+    "pattern": "\"field\":\\s*\"(captured-value)\"",
+    "contextual": true
+  },
+
+  "literal-match": {
+    "exact": "literal-string-to-match"
+  }
+}
+```
+
+- **Simple regex**: Just a string with the regex pattern
+- **Contextual**: For patterns where only a captured group should be masked (e.g., JSON fields)
+- **Exact match**: For literal strings that should be escaped
+
+### Adding New Patterns
+
+1. Fork the repository
+2. Add your pattern to the appropriate JSON file
+3. Add tests in `src/__tests__/patterns.test.ts`
+4. Submit a pull request
+
 ## Limitations
 
-- **AWS only**: Currently supports AWS. GCP and Azure are not yet supported.
+- **AWS only**: Currently supports AWS. GCP and Azure are not yet supported. Do you need them? Feel free to contribute!
 - **S3 Buckets**: Bucket names are not masked (often public/intentional).
 - **Account IDs**: Only masked in contextual JSON fields. Add to `customPatterns` for full coverage.
 - **UI display**: The UI shows original values (OpenCode limitation).

package/dist/index.js

@@ -1,58 +1,82 @@
 // src/patterns.ts
-var AWS_PATTERNS = {
-  arn: /^arn:(?:aws|aws-cn|aws-us-gov):[a-zA-Z0-9-]+:[a-z0-9-]*:(?:[0-9]{12})?:.+$/,
-  eksCluster: /^arn:(?:aws|aws-cn|aws-us-gov):eks:[a-z0-9-]+:[0-9]{12}:cluster\/.+$/,
-  vpc: /^vpc-[0-9a-f]{8,17}$/,
-  subnet: /^subnet-[0-9a-f]{8,17}$/,
-  securityGroup: /^sg-[0-9a-f]{8,17}$/,
-  internetGateway: /^igw-[0-9a-f]{8,17}$/,
-  routeTable: /^rtb-[0-9a-f]{8,17}$/,
-  natGateway: /^nat-[0-9a-f]{8,17}$/,
-  networkAcl: /^acl-[0-9a-f]{8,17}$/,
-  ec2Instance: /^i-[0-9a-f]{8,17}$/,
-  ami: /^ami-[0-9a-f]{8,17}$/,
-  ebs: /^vol-[0-9a-f]{8,17}$/,
-  snapshot: /^snap-[0-9a-f]{8,17}$/,
-  eni: /^eni-[0-9a-f]{8,17}$/,
-  vpcEndpoint: /^vpce-[0-9a-f]{8,17}$/,
-  transitGateway: /^tgw-[0-9a-f]{8,17}$/,
-  customerGateway: /^cgw-[0-9a-f]{8,17}$/,
-  vpnGateway: /^vgw-[0-9a-f]{8,17}$/,
-  vpnConnection: /^vpn-[0-9a-f]{8,17}$/,
-  accountId: /"(?:OwnerId|AccountId|Owner|account_id)":\s*"(\d{12})"/,
-  ecrRepoUri: /^(?:\d{12}|#\(custom-\d+\))\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com\/[a-z0-9._\/-]+$/,
-  accessKeyId: /(?:^|[^A-Z0-9])(?:AKIA|ABIA|ACCA|ASIA)[A-Z0-9]{16}(?:[^A-Z0-9]|$)/
-};
-var K8S_PATTERNS = {
-  serviceAccountToken: /^eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*$/,
-  nodeNameAws: /^ip-(?:\d{1,3}-){3}\d{1,3}\.[a-z0-9-]+\.compute\.internal$/,
-  clusterEndpoint: /^https:\/\/[A-Z0-9]+\.[a-z0-9-]+\.eks\.amazonaws\.com$/,
-  kubeconfigServer: /^https:\/\/[0-9A-F]{32}\.[a-z]{2}-[a-z]+-\d\.eks\.amazonaws\.com$/i
-};
-var COMMON_PATTERNS = {
-  ipv4: /^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/,
-  privateKey: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----[\s\S]*?-----END (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/,
-  apiKeyField: /"(?:api_key|apiKey|secret_key|secretKey|access_token|auth_token|password|token)":\s*"([^"]+)"/
-};
+import { readdirSync, readFileSync } from "fs";
+import { join, dirname } from "path";
+import { fileURLToPath } from "url";
+var cachedPatterns = null;
+function getPackagePatternsDir() {
+  const currentFile = fileURLToPath(import.meta.url);
+  const srcDir = dirname(currentFile);
+  const packageRoot = dirname(srcDir);
+  return join(packageRoot, "patterns");
+}
+function parsePatternDefinition(name, definition) {
+  if (typeof definition === "string") {
+    return {
+      name,
+      pattern: new RegExp(definition),
+      isContextual: false,
+      isExact: false
+    };
+  }
+  if ("exact" in definition) {
+    const escaped = definition.exact.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+    return {
+      name,
+      pattern: new RegExp(escaped),
+      isContextual: false,
+      isExact: true
+    };
+  }
+  return {
+    name,
+    pattern: new RegExp(definition.pattern),
+    isContextual: definition.contextual ?? false,
+    isExact: false
+  };
+}
+function loadPatternFile(filePath) {
+  const content = readFileSync(filePath, "utf-8");
+  const data = JSON.parse(content);
+  const patterns = [];
+  for (const [name, definition] of Object.entries(data)) {
+    patterns.push(parsePatternDefinition(name, definition));
+  }
+  return patterns;
+}
+function loadPatterns() {
+  if (cachedPatterns) {
+    return cachedPatterns;
+  }
+  const patternsDir = getPackagePatternsDir();
+  const patterns = [];
+  const files = readdirSync(patternsDir).filter((f) => f.endsWith(".json")).sort();
+  for (const file of files) {
+    const filePath = join(patternsDir, file);
+    const filePatterns = loadPatternFile(filePath);
+    patterns.push(...filePatterns);
+  }
+  cachedPatterns = patterns;
+  return patterns;
+}
 
 // src/mapping.ts
 import {
   existsSync,
   mkdirSync,
-  readFileSync,
+  readFileSync as readFileSync2,
   writeFileSync,
   renameSync
 } from "fs";
-import { join } from "path";
+import { join as join2 } from "path";
 import { homedir } from "os";
 var sessionStates = new Map;
 function getSessionPath(sessionId) {
   const projectRoot = process.cwd();
-  const defaultPath = join(projectRoot, ".opencode", "sessions", sessionId, "wont-let-you-see-mapping.json");
-  if (existsSync(join(projectRoot, ".opencode")) || !existsSync(homedir())) {
+  const defaultPath = join2(projectRoot, ".opencode", "sessions", sessionId, "wont-let-you-see-mapping.json");
+  if (existsSync(join2(projectRoot, ".opencode")) || !existsSync(homedir())) {
     return defaultPath;
   }
-  return join(homedir(), ".opencode", "sessions", sessionId, "wont-let-you-see-mapping.json");
+  return join2(homedir(), ".opencode", "sessions", sessionId, "wont-let-you-see-mapping.json");
 }
 function ensureSessionDir(sessionPath) {
   const dir = sessionPath.substring(0, sessionPath.lastIndexOf("/"));
@@ -65,7 +89,7 @@ function getSessionState(sessionId) {
   if (!state) {
     const sessionPath = getSessionPath(sessionId);
     if (existsSync(sessionPath)) {
-      const mapping = JSON.parse(readFileSync(sessionPath, "utf-8"));
+      const mapping = JSON.parse(readFileSync2(sessionPath, "utf-8"));
       const counters = {};
       for (const token of Object.keys(mapping.entries)) {
         const match = token.match(/^#\(([^-]+)-(\d+)\)$/);
@@ -118,7 +142,7 @@ import {
   existsSync as nodeExistsSync,
   readFileSync as nodeReadFileSync
 } from "fs";
-import { join as join2, dirname } from "path";
+import { join as join3, dirname as dirname2 } from "path";
 import { homedir as homedir2 } from "os";
 var fsAdapter = {
   existsSync: nodeExistsSync,
@@ -134,14 +158,14 @@ function findConfigInAncestors(startDir) {
   const home = homedir2();
   let currentDir = startDir;
   while (true) {
-    const configPath = join2(currentDir, CONFIG_FILENAME);
+    const configPath = join3(currentDir, CONFIG_FILENAME);
     if (fsAdapter.existsSync(configPath)) {
       return configPath;
     }
     if (currentDir === home) {
       break;
     }
-    const parentDir = dirname(currentDir);
+    const parentDir = dirname2(currentDir);
     if (parentDir === currentDir) {
       break;
     }
@@ -157,7 +181,7 @@ function loadJsonConfig() {
       return JSON.parse(content);
     } catch {}
   }
-  const homeConfig = join2(homedir2(), CONFIG_FILENAME);
+  const homeConfig = join3(homedir2(), CONFIG_FILENAME);
   if (fsAdapter.existsSync(homeConfig)) {
     try {
       const content = fsAdapter.readFileSync(homeConfig, "utf-8");
@@ -205,37 +229,6 @@ function isPatternEnabled(patternType) {
 }
 
 // src/masker.ts
-var PATTERN_ORDER = [
-  { pattern: AWS_PATTERNS.eksCluster, type: "eks-cluster" },
-  { pattern: AWS_PATTERNS.arn, type: "arn" },
-  { pattern: AWS_PATTERNS.accountId, type: "account-id", isContextual: true },
-  { pattern: AWS_PATTERNS.accessKeyId, type: "access-key-id" },
-  { pattern: AWS_PATTERNS.vpc, type: "vpc" },
-  { pattern: AWS_PATTERNS.subnet, type: "subnet" },
-  { pattern: AWS_PATTERNS.securityGroup, type: "security-group" },
-  { pattern: AWS_PATTERNS.internetGateway, type: "internet-gateway" },
-  { pattern: AWS_PATTERNS.routeTable, type: "route-table" },
-  { pattern: AWS_PATTERNS.natGateway, type: "nat-gateway" },
-  { pattern: AWS_PATTERNS.networkAcl, type: "network-acl" },
-  { pattern: AWS_PATTERNS.eni, type: "eni" },
-  { pattern: AWS_PATTERNS.vpcEndpoint, type: "vpc-endpoint" },
-  { pattern: AWS_PATTERNS.transitGateway, type: "transit-gateway" },
-  { pattern: AWS_PATTERNS.customerGateway, type: "customer-gateway" },
-  { pattern: AWS_PATTERNS.vpnGateway, type: "vpn-gateway" },
-  { pattern: AWS_PATTERNS.vpnConnection, type: "vpn-connection" },
-  { pattern: AWS_PATTERNS.ecrRepoUri, type: "ecr-repo" },
-  { pattern: AWS_PATTERNS.ami, type: "ami" },
-  { pattern: AWS_PATTERNS.ec2Instance, type: "ec2-instance" },
-  { pattern: AWS_PATTERNS.ebs, type: "ebs" },
-  { pattern: AWS_PATTERNS.snapshot, type: "snapshot" },
-  { pattern: K8S_PATTERNS.serviceAccountToken, type: "k8s-token" },
-  { pattern: K8S_PATTERNS.clusterEndpoint, type: "k8s-endpoint" },
-  { pattern: K8S_PATTERNS.kubeconfigServer, type: "k8s-endpoint" },
-  { pattern: K8S_PATTERNS.nodeNameAws, type: "k8s-node" },
-  { pattern: COMMON_PATTERNS.privateKey, type: "private-key" },
-  { pattern: COMMON_PATTERNS.apiKeyField, type: "api-key", isContextual: true },
-  { pattern: COMMON_PATTERNS.ipv4, type: "ipv4" }
-];
 function removeAnchors(source) {
   let result = source.replace(/^\^/, "").replace(/\$$/, "");
   if (!result.endsWith("\\b")) {
@@ -243,28 +236,42 @@ function removeAnchors(source) {
   }
   return result;
 }
-function mask(sessionId, text) {
-  if (!text || typeof text !== "string") {
-    return text;
-  }
-  const config = getConfig();
-  if (!config.enabled) {
-    return text;
-  }
+var REGEX_PREFIX = "regex:";
+function applyCustomPatterns(sessionId, text, customPatterns) {
   let result = text;
-  for (const customPattern of config.customPatterns) {
-    if (result.includes(customPattern)) {
-      const token = addEntry(sessionId, "custom", customPattern);
-      result = result.split(customPattern).join(token);
+  for (const customPattern of customPatterns) {
+    if (customPattern.startsWith(REGEX_PREFIX)) {
+      const regexStr = customPattern.slice(REGEX_PREFIX.length);
+      const regex = new RegExp(removeAnchors(regexStr), "g");
+      const matches = new Set;
+      let match;
+      while ((match = regex.exec(result)) !== null) {
+        matches.add(match[0]);
+      }
+      for (const value of matches) {
+        const token = addEntry(sessionId, "custom", value);
+        result = result.split(value).join(token);
+      }
+    } else {
+      const escaped = customPattern.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+      const literalRegex = new RegExp(escaped + "(?![\\w])", "g");
+      if (literalRegex.test(result)) {
+        const token = addEntry(sessionId, "custom", customPattern);
+        result = result.replace(literalRegex, token);
+      }
     }
   }
-  for (const { pattern, type, isContextual } of PATTERN_ORDER) {
-    if (!isPatternEnabled(type)) {
+  return result;
+}
+function applyLoadedPatterns(sessionId, text, patterns) {
+  let result = text;
+  for (const { name, pattern, isContextual } of patterns) {
+    if (!isPatternEnabled(name)) {
       continue;
     }
     if (isContextual) {
       result = result.replace(new RegExp(pattern.source, "g"), (match, capturedValue) => {
-        const token = addEntry(sessionId, type, capturedValue);
+        const token = addEntry(sessionId, name, capturedValue);
         return match.replace(capturedValue, token);
       });
     } else {
@@ -275,13 +282,27 @@ function mask(sessionId, text) {
         matches.add(match[0]);
       }
       for (const value of matches) {
-        const token = addEntry(sessionId, type, value);
+        const token = addEntry(sessionId, name, value);
         result = result.split(value).join(token);
       }
     }
   }
   return result;
 }
+function mask(sessionId, text) {
+  if (!text || typeof text !== "string") {
+    return text;
+  }
+  const config = getConfig();
+  if (!config.enabled) {
+    return text;
+  }
+  let result = text;
+  result = applyCustomPatterns(sessionId, result, config.customPatterns);
+  const patterns = loadPatterns();
+  result = applyLoadedPatterns(sessionId, result, patterns);
+  return result;
+}
 function unmask(sessionId, text) {
   if (!text || typeof text !== "string") {
     return text;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@uniglot/wont-let-you-see",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "description": "OpenCode plugin that masks sensitive cloud infrastructure data (AWS, Kubernetes) from LLMs",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/patterns/aws.json

@@ -0,0 +1,27 @@
+{
+  "eks-cluster": "^arn:(?:aws|aws-cn|aws-us-gov):eks:[a-z0-9-]+:[0-9]{12}:cluster\\/.+$",
+  "arn": "^arn:(?:aws|aws-cn|aws-us-gov):[a-zA-Z0-9-]+:[a-z0-9-]*:(?:[0-9]{12})?:.+$",
+  "account-id": {
+    "pattern": "\"(?:OwnerId|AccountId|Owner|account_id)\":\\s*\"(\\d{12})\"",
+    "contextual": true
+  },
+  "access-key-id": "(?:^|[^A-Z0-9])(?:AKIA|ABIA|ACCA|ASIA)[A-Z0-9]{16}(?:[^A-Z0-9]|$)",
+  "vpc": "^vpc-[0-9a-f]{8,17}$",
+  "subnet": "^subnet-[0-9a-f]{8,17}$",
+  "security-group": "^sg-[0-9a-f]{8,17}$",
+  "internet-gateway": "^igw-[0-9a-f]{8,17}$",
+  "route-table": "^rtb-[0-9a-f]{8,17}$",
+  "nat-gateway": "^nat-[0-9a-f]{8,17}$",
+  "network-acl": "^acl-[0-9a-f]{8,17}$",
+  "eni": "^eni-[0-9a-f]{8,17}$",
+  "vpc-endpoint": "^vpce-[0-9a-f]{8,17}$",
+  "transit-gateway": "^tgw-[0-9a-f]{8,17}$",
+  "customer-gateway": "^cgw-[0-9a-f]{8,17}$",
+  "vpn-gateway": "^vgw-[0-9a-f]{8,17}$",
+  "vpn-connection": "^vpn-[0-9a-f]{8,17}$",
+  "ecr-repo": "^(?:\\d{12}|#\\(custom-\\d+\\))\\.dkr\\.ecr\\.[a-z0-9-]+\\.amazonaws\\.com\\/[a-z0-9._\\/-]+$",
+  "ami": "^ami-[0-9a-f]{8,17}$",
+  "ec2-instance": "^i-[0-9a-f]{8,17}$",
+  "ebs": "^vol-[0-9a-f]{8,17}$",
+  "snapshot": "^snap-[0-9a-f]{8,17}$"
+}

package/patterns/common.json

@@ -0,0 +1,8 @@
+{
+  "private-key": "-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----[\\s\\S]*?-----END (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----",
+  "api-key": {
+    "pattern": "\"(?:api_key|apiKey|secret_key|secretKey|access_token|auth_token|password|token)\":\\s*\"([^\"]+)\"",
+    "contextual": true
+  },
+  "ipv4": "^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$"
+}

package/patterns/kubernetes.json

@@ -0,0 +1,9 @@
+{
+  "k8s-token": "^eyJ[A-Za-z0-9_-]*\\.eyJ[A-Za-z0-9_-]*\\.[A-Za-z0-9_-]*$",
+  "k8s-endpoint": "^https:\\/\\/[A-Z0-9]+\\.[a-z0-9-]+\\.eks\\.amazonaws\\.com$",
+  "k8s-endpoint-kubeconfig": {
+    "pattern": "^https:\\/\\/[0-9A-F]{32}\\.[a-z]{2}-[a-z]+-\\d\\.eks\\.amazonaws\\.com$",
+    "contextual": false
+  },
+  "k8s-node": "^ip-(?:\\d{1,3}-){3}\\d{1,3}\\.[a-z0-9-]+\\.compute\\.internal$"
+}

package/src/__tests__/masker.test.ts

@@ -2,6 +2,7 @@ import { describe, it, expect, beforeEach, vi, afterEach } from "vitest";
 import { mask, unmask } from "../masker";
 import { createMapping } from "../mapping";
 import { resetConfig } from "../config";
+import { resetPatternCache } from "../patterns";
 
 describe("masker", () => {
   const sessionId = "test-session-masker";
@@ -10,12 +11,14 @@ describe("masker", () => {
   beforeEach(() => {
     process.env.WONT_LET_YOU_SEE_REVEALED_PATTERNS = "";
     resetConfig();
+    resetPatternCache();
     createMapping(sessionId);
   });
 
   afterEach(() => {
     process.env = { ...originalEnv };
     resetConfig();
+    resetPatternCache();
   });
 
   describe("mask()", () => {
@@ -182,6 +185,67 @@ describe("masker", () => {
     });
   });
 
+  describe("customPatterns with regex support", () => {
+    it("should mask exact string patterns", () => {
+      process.env.WONT_LET_YOU_SEE_CUSTOM_PATTERNS = "my-secret-value";
+      resetConfig();
+
+      const input = "Secret: my-secret-value";
+      const result = mask(sessionId, input);
+
+      expect(result).toMatch(/Secret: #\(custom-\d+\)/);
+      expect(result).not.toContain("my-secret-value");
+    });
+
+    it("should mask regex patterns with regex: prefix", () => {
+      process.env.WONT_LET_YOU_SEE_CUSTOM_PATTERNS =
+        "regex:secret-[a-z]{3}-\\d{4}";
+      resetConfig();
+
+      const input = "Keys: secret-abc-1234, secret-xyz-5678";
+      const result = mask(sessionId, input);
+
+      expect(result).toMatch(/#\(custom-\d+\)/);
+      expect(result).not.toContain("secret-abc-1234");
+      expect(result).not.toContain("secret-xyz-5678");
+    });
+
+    it("should treat patterns without regex: prefix as literal strings", () => {
+      process.env.WONT_LET_YOU_SEE_CUSTOM_PATTERNS = "literal-value";
+      resetConfig();
+
+      const input = "Value: literal-value, Other: literal-values";
+      const result = mask(sessionId, input);
+
+      expect(result).toMatch(/Value: #\(custom-\d+\)/);
+      expect(result).toContain("literal-values");
+    });
+
+    it("should round-trip custom regex patterns", () => {
+      process.env.WONT_LET_YOU_SEE_CUSTOM_PATTERNS = "regex:token-[A-Z]{8}";
+      resetConfig();
+
+      const original = "Auth: token-ABCDEFGH";
+      const masked = mask(sessionId, original);
+      const unmasked = unmask(sessionId, masked);
+
+      expect(unmasked).toBe(original);
+    });
+
+    it("should support multiple custom patterns including regex", () => {
+      process.env.WONT_LET_YOU_SEE_CUSTOM_PATTERNS =
+        "exact-secret,regex:pattern-\\d+";
+      resetConfig();
+
+      const input = "Secrets: exact-secret, pattern-123, pattern-456";
+      const result = mask(sessionId, input);
+
+      expect(result).not.toContain("exact-secret");
+      expect(result).not.toContain("pattern-123");
+      expect(result).not.toContain("pattern-456");
+    });
+  });
+
   describe("round-trip integrity", () => {
     it("should maintain round-trip integrity for VPC", () => {
       const original = "vpc-1234567890abcdef0";

package/src/__tests__/patterns.test.ts

@@ -1,21 +1,31 @@
-import { describe, it, expect } from "vitest";
-import { AWS_PATTERNS, K8S_PATTERNS, COMMON_PATTERNS } from "../patterns";
+import { describe, it, expect, beforeEach } from "vitest";
+import { loadPatterns, resetPatternCache, getPatternByName } from "../patterns";
+
+function getPattern(name: string) {
+  const p = getPatternByName(name);
+  if (!p) throw new Error(`Pattern '${name}' not found`);
+  return p.pattern;
+}
+
+describe("AWS Patterns", () => {
+  beforeEach(() => {
+    resetPatternCache();
+  });
 
-describe("AWS_PATTERNS", () => {
   describe("ARN", () => {
     it("should match aws partition", () => {
       expect(
-        AWS_PATTERNS.arn.test("arn:aws:iam::123456789012:user/admin"),
+        getPattern("arn").test("arn:aws:iam::123456789012:user/admin"),
       ).toBe(true);
     });
 
     it("should match aws-cn partition", () => {
-      expect(AWS_PATTERNS.arn.test("arn:aws-cn:s3:::my-bucket")).toBe(true);
+      expect(getPattern("arn").test("arn:aws-cn:s3:::my-bucket")).toBe(true);
     });
 
     it("should match aws-us-gov partition", () => {
       expect(
-        AWS_PATTERNS.arn.test(
+        getPattern("arn").test(
           "arn:aws-us-gov:ec2:us-gov-west-1:123456789012:instance/i-123",
         ),
       ).toBe(true);
@@ -24,80 +34,86 @@ describe("AWS_PATTERNS", () => {
 
   describe("VPC resources", () => {
     it("should match vpc", () => {
-      expect(AWS_PATTERNS.vpc.test("vpc-0123456789abcdef0")).toBe(true);
+      expect(getPattern("vpc").test("vpc-0123456789abcdef0")).toBe(true);
     });
 
     it("should match subnet", () => {
-      expect(AWS_PATTERNS.subnet.test("subnet-0123456789abcdef0")).toBe(true);
+      expect(getPattern("subnet").test("subnet-0123456789abcdef0")).toBe(true);
     });
 
     it("should match security group", () => {
-      expect(AWS_PATTERNS.securityGroup.test("sg-0123456789abcdef0")).toBe(
+      expect(getPattern("security-group").test("sg-0123456789abcdef0")).toBe(
         true,
       );
     });
 
     it("should match nat gateway", () => {
-      expect(AWS_PATTERNS.natGateway.test("nat-0123456789abcdef0")).toBe(true);
+      expect(getPattern("nat-gateway").test("nat-0123456789abcdef0")).toBe(
+        true,
+      );
     });
 
     it("should match network acl", () => {
-      expect(AWS_PATTERNS.networkAcl.test("acl-0123456789abcdef0")).toBe(true);
+      expect(getPattern("network-acl").test("acl-0123456789abcdef0")).toBe(
+        true,
+      );
     });
 
     it("should match eni", () => {
-      expect(AWS_PATTERNS.eni.test("eni-0123456789abcdef0")).toBe(true);
+      expect(getPattern("eni").test("eni-0123456789abcdef0")).toBe(true);
     });
   });
 
   describe("EC2 resources", () => {
     it("should match ebs volume", () => {
-      expect(AWS_PATTERNS.ebs.test("vol-0123456789abcdef0")).toBe(true);
+      expect(getPattern("ebs").test("vol-0123456789abcdef0")).toBe(true);
     });
 
     it("should match snapshot", () => {
-      expect(AWS_PATTERNS.snapshot.test("snap-0123456789abcdef0")).toBe(true);
+      expect(getPattern("snapshot").test("snap-0123456789abcdef0")).toBe(true);
     });
   });
 
   describe("VPC networking resources", () => {
     it("should match vpc endpoint", () => {
-      expect(AWS_PATTERNS.vpcEndpoint.test("vpce-0123456789abcdef0")).toBe(
+      expect(getPattern("vpc-endpoint").test("vpce-0123456789abcdef0")).toBe(
         true,
       );
     });
 
     it("should match transit gateway", () => {
-      expect(AWS_PATTERNS.transitGateway.test("tgw-0123456789abcdef0")).toBe(
+      expect(getPattern("transit-gateway").test("tgw-0123456789abcdef0")).toBe(
         true,
       );
     });
 
     it("should match customer gateway", () => {
-      expect(AWS_PATTERNS.customerGateway.test("cgw-0123456789abcdef0")).toBe(
+      expect(getPattern("customer-gateway").test("cgw-0123456789abcdef0")).toBe(
         true,
       );
     });
 
     it("should match vpn gateway", () => {
-      expect(AWS_PATTERNS.vpnGateway.test("vgw-0123456789abcdef0")).toBe(true);
+      expect(getPattern("vpn-gateway").test("vgw-0123456789abcdef0")).toBe(
+        true,
+      );
     });
 
     it("should match vpn connection", () => {
-      expect(AWS_PATTERNS.vpnConnection.test("vpn-0123456789abcdef0")).toBe(
+      expect(getPattern("vpn-connection").test("vpn-0123456789abcdef0")).toBe(
         true,
       );
     });
 
     it("should NOT match invalid vpc endpoint", () => {
-      expect(AWS_PATTERNS.vpcEndpoint.test("vpce-invalid")).toBe(false);
+      expect(getPattern("vpc-endpoint").test("vpce-invalid")).toBe(false);
     });
   });
 
   describe("ECR resources", () => {
     it("should match ECR repo URI", () => {
       expect(
-        AWS_PATTERNS.ecrRepoUri.test(
+        getPattern("ecr-repo").test(
           "123456789012.dkr.ecr.us-west-2.amazonaws.com/my-repo",
         ),
       ).toBe(true);
@@ -105,7 +121,7 @@ describe("AWS_PATTERNS", () => {
 
     it("should match ECR repo URI with nested path", () => {
       expect(
-        AWS_PATTERNS.ecrRepoUri.test(
+        getPattern("ecr-repo").test(
           "123456789012.dkr.ecr.eu-central-1.amazonaws.com/org/app/service",
         ),
       ).toBe(true);
@@ -113,7 +129,7 @@ describe("AWS_PATTERNS", () => {
 
     it("should match ECR repo URI with dots and underscores", () => {
       expect(
-        AWS_PATTERNS.ecrRepoUri.test(
+        getPattern("ecr-repo").test(
           "123456789012.dkr.ecr.ap-northeast-1.amazonaws.com/my_repo.name",
         ),
       ).toBe(true);
@@ -121,21 +137,21 @@ describe("AWS_PATTERNS", () => {
 
     it("should NOT match invalid ECR URI (wrong account ID length)", () => {
       expect(
-        AWS_PATTERNS.ecrRepoUri.test(
+        getPattern("ecr-repo").test(
           "12345.dkr.ecr.us-west-2.amazonaws.com/my-repo",
         ),
       ).toBe(false);
     });
 
     it("should NOT match non-ECR docker registry", () => {
-      expect(AWS_PATTERNS.ecrRepoUri.test("docker.io/library/nginx")).toBe(
+      expect(getPattern("ecr-repo").test("docker.io/library/nginx")).toBe(
         false,
       );
     });
 
     it("should match ECR repo URI with masked account ID", () => {
       expect(
-        AWS_PATTERNS.ecrRepoUri.test(
+        getPattern("ecr-repo").test(
           "#(custom-1).dkr.ecr.us-west-2.amazonaws.com/my-repo",
         ),
       ).toBe(true);
@@ -143,7 +159,7 @@ describe("AWS_PATTERNS", () => {
 
     it("should match ECR repo URI with masked account ID (higher number)", () => {
       expect(
-        AWS_PATTERNS.ecrRepoUri.test(
+        getPattern("ecr-repo").test(
           "#(custom-123).dkr.ecr.us-east-1.amazonaws.com/app/service",
         ),
       ).toBe(true);
@@ -152,56 +168,60 @@ describe("AWS_PATTERNS", () => {
 
   describe("Account ID (contextual)", () => {
     it("should match OwnerId field", () => {
-      expect(AWS_PATTERNS.accountId.test('"OwnerId": "123456789012"')).toBe(
+      expect(getPattern("account-id").test('"OwnerId": "123456789012"')).toBe(
         true,
       );
     });
 
     it("should match account_id field (terraform style)", () => {
-      expect(AWS_PATTERNS.accountId.test('"account_id": "123456789012"')).toBe(
-        true,
-      );
+      expect(
+        getPattern("account-id").test('"account_id": "123456789012"'),
+      ).toBe(true);
     });
 
     it("should NOT match bare number", () => {
-      expect(AWS_PATTERNS.accountId.test("123456789012")).toBe(false);
+      expect(getPattern("account-id").test("123456789012")).toBe(false);
     });
   });
 
   describe("Access Key ID", () => {
     it("should match AKIA prefix", () => {
-      expect(AWS_PATTERNS.accessKeyId.test(" AKIAIOSFODNN7EXAMPLE ")).toBe(
+      expect(getPattern("access-key-id").test(" AKIAIOSFODNN7EXAMPLE ")).toBe(
         true,
       );
     });
 
     it("should match ASIA prefix (temporary)", () => {
-      expect(AWS_PATTERNS.accessKeyId.test(" ASIAISAMPLEKEYID1234 ")).toBe(
+      expect(getPattern("access-key-id").test(" ASIAISAMPLEKEYID1234 ")).toBe(
         true,
       );
     });
 
     it("should NOT match random string", () => {
-      expect(AWS_PATTERNS.accessKeyId.test("RANDOMSTRING12345678")).toBe(false);
+      expect(getPattern("access-key-id").test("RANDOMSTRING12345678")).toBe(
+        false,
+      );
     });
   });
 });
 
-describe("K8S_PATTERNS", () => {
+describe("Kubernetes Patterns", () => {
+  beforeEach(() => {
+    resetPatternCache();
+  });
+
   describe("Service Account Token", () => {
     it("should match JWT format", () => {
       const jwt =
         "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tYWJjZGUiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjEyMzQ1Njc4LTEyMzQtMTIzNC0xMjM0LTEyMzQ1Njc4OTAxMiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.signature";
-      expect(K8S_PATTERNS.serviceAccountToken.test(jwt)).toBe(true);
+      expect(getPattern("k8s-token").test(jwt)).toBe(true);
     });
   });
 
   describe("Node Names", () => {
     it("should match AWS node name", () => {
       expect(
-        K8S_PATTERNS.nodeNameAws.test(
-          "ip-10-0-1-123.us-west-2.compute.internal",
-        ),
+        getPattern("k8s-node").test("ip-10-0-1-123.us-west-2.compute.internal"),
       ).toBe(true);
     });
   });
@@ -209,7 +229,7 @@ describe("K8S_PATTERNS", () => {
   describe("Cluster Endpoints", () => {
     it("should match EKS endpoint", () => {
       expect(
-        K8S_PATTERNS.clusterEndpoint.test(
+        getPattern("k8s-endpoint").test(
           "https://ABCDEF1234567890ABCD.us-west-2.eks.amazonaws.com",
         ),
       ).toBe(true);
@@ -217,14 +237,18 @@ describe("K8S_PATTERNS", () => {
   });
 });
 
-describe("COMMON_PATTERNS", () => {
+describe("Common Patterns", () => {
+  beforeEach(() => {
+    resetPatternCache();
+  });
+
   describe("IPv4", () => {
     it("should match IPv4", () => {
-      expect(COMMON_PATTERNS.ipv4.test("192.168.1.1")).toBe(true);
+      expect(getPattern("ipv4").test("192.168.1.1")).toBe(true);
     });
 
     it("should not match CIDR notation", () => {
-      expect(COMMON_PATTERNS.ipv4.test("10.0.0.0/8")).toBe(false);
+      expect(getPattern("ipv4").test("10.0.0.0/8")).toBe(false);
     });
   });
 
@@ -238,16 +262,16 @@ MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC
 -----END PRIVATE KEY-----`;
 
     it("should match entire RSA private key block", () => {
-      expect(COMMON_PATTERNS.privateKey.test(rsaKey)).toBe(true);
+      expect(getPattern("private-key").test(rsaKey)).toBe(true);
     });
 
     it("should match entire generic private key block", () => {
-      expect(COMMON_PATTERNS.privateKey.test(genericKey)).toBe(true);
+      expect(getPattern("private-key").test(genericKey)).toBe(true);
     });
 
     it("should not match header only", () => {
       expect(
-        COMMON_PATTERNS.privateKey.test("-----BEGIN RSA PRIVATE KEY-----"),
+        getPattern("private-key").test("-----BEGIN RSA PRIVATE KEY-----"),
       ).toBe(false);
     });
   });
@@ -255,39 +279,89 @@ MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC
   describe("API Key Field (contextual)", () => {
     it("should match api_key field", () => {
       expect(
-        COMMON_PATTERNS.apiKeyField.test('"api_key": "sk-1234567890abcdef"'),
+        getPattern("api-key").test('"api_key": "sk-1234567890abcdef"'),
       ).toBe(true);
     });
 
     it("should match password field", () => {
-      expect(
-        COMMON_PATTERNS.apiKeyField.test('"password": "supersecret123"'),
-      ).toBe(true);
+      expect(getPattern("api-key").test('"password": "supersecret123"')).toBe(
+        true,
+      );
     });
 
     it("should match token field", () => {
-      expect(
-        COMMON_PATTERNS.apiKeyField.test('"token": "ghp_xxxxxxxxxxxx"'),
-      ).toBe(true);
+      expect(getPattern("api-key").test('"token": "ghp_xxxxxxxxxxxx"')).toBe(
+        true,
+      );
     });
   });
 });
 
 describe("ReDoS safety", () => {
+  beforeEach(() => {
+    resetPatternCache();
+  });
+
   it("should handle pathological input quickly", () => {
     const pathological = "a".repeat(1000) + "b";
     const start = performance.now();
 
-    const allPatterns = [
-      ...Object.values(AWS_PATTERNS),
-      ...Object.values(K8S_PATTERNS),
-      ...Object.values(COMMON_PATTERNS),
-    ];
-
-    for (const pattern of allPatterns) {
+    const allPatterns = loadPatterns();
+    for (const { pattern } of allPatterns) {
       pattern.test(pathological);
     }
 
     expect(performance.now() - start).toBeLessThan(100);
   });
 });
+
+describe("loadPatterns", () => {
+  beforeEach(() => {
+    resetPatternCache();
+  });
+
+  it("should load patterns from JSON files", () => {
+    const patterns = loadPatterns();
+    expect(patterns.length).toBeGreaterThan(0);
+  });
+
+  it("should load AWS patterns", () => {
+    const patterns = loadPatterns();
+    const vpcPattern = patterns.find((p) => p.name === "vpc");
+    expect(vpcPattern).toBeDefined();
+    expect(vpcPattern!.pattern.test("vpc-1234567890abcdef0")).toBe(true);
+  });
+
+  it("should load Kubernetes patterns", () => {
+    const patterns = loadPatterns();
+    const k8sTokenPattern = patterns.find((p) => p.name === "k8s-token");
+    expect(k8sTokenPattern).toBeDefined();
+  });
+
+  it("should load common patterns", () => {
+    const patterns = loadPatterns();
+    const ipv4Pattern = patterns.find((p) => p.name === "ipv4");
+    expect(ipv4Pattern).toBeDefined();
+    expect(ipv4Pattern!.pattern.test("192.168.1.1")).toBe(true);
+  });
+
+  it("should mark contextual patterns correctly", () => {
+    const patterns = loadPatterns();
+    const accountIdPattern = patterns.find((p) => p.name === "account-id");
+    expect(accountIdPattern).toBeDefined();
+    expect(accountIdPattern!.isContextual).toBe(true);
+  });
+
+  it("should cache patterns after first load", () => {
+    const patterns1 = loadPatterns();
+    const patterns2 = loadPatterns();
+    expect(patterns1).toBe(patterns2);
+  });
+
+  it("should reset cache on resetPatternCache()", () => {
+    const patterns1 = loadPatterns();
+    resetPatternCache();
+    const patterns2 = loadPatterns();
+    expect(patterns1).not.toBe(patterns2);
+  });
+});

package/src/masker.ts

@@ -1,47 +1,7 @@
-import { AWS_PATTERNS, K8S_PATTERNS, COMMON_PATTERNS } from "./patterns";
+import { loadPatterns, type LoadedPattern } from "./patterns";
 import { addEntry, getOriginal } from "./mapping";
 import { getConfig, isPatternEnabled } from "./config";
 
-interface PatternConfig {
-  pattern: RegExp;
-  type: string;
-  isContextual?: boolean;
-}
-
-const PATTERN_ORDER: PatternConfig[] = [
-  { pattern: AWS_PATTERNS.eksCluster, type: "eks-cluster" },
-  { pattern: AWS_PATTERNS.arn, type: "arn" },
-  { pattern: AWS_PATTERNS.accountId, type: "account-id", isContextual: true },
-  { pattern: AWS_PATTERNS.accessKeyId, type: "access-key-id" },
-  { pattern: AWS_PATTERNS.vpc, type: "vpc" },
-  { pattern: AWS_PATTERNS.subnet, type: "subnet" },
-  { pattern: AWS_PATTERNS.securityGroup, type: "security-group" },
-  { pattern: AWS_PATTERNS.internetGateway, type: "internet-gateway" },
-  { pattern: AWS_PATTERNS.routeTable, type: "route-table" },
-  { pattern: AWS_PATTERNS.natGateway, type: "nat-gateway" },
-  { pattern: AWS_PATTERNS.networkAcl, type: "network-acl" },
-  { pattern: AWS_PATTERNS.eni, type: "eni" },
-  { pattern: AWS_PATTERNS.vpcEndpoint, type: "vpc-endpoint" },
-  { pattern: AWS_PATTERNS.transitGateway, type: "transit-gateway" },
-  { pattern: AWS_PATTERNS.customerGateway, type: "customer-gateway" },
-  { pattern: AWS_PATTERNS.vpnGateway, type: "vpn-gateway" },
-  { pattern: AWS_PATTERNS.vpnConnection, type: "vpn-connection" },
-  { pattern: AWS_PATTERNS.ecrRepoUri, type: "ecr-repo" },
-  { pattern: AWS_PATTERNS.ami, type: "ami" },
-  { pattern: AWS_PATTERNS.ec2Instance, type: "ec2-instance" },
-  { pattern: AWS_PATTERNS.ebs, type: "ebs" },
-  { pattern: AWS_PATTERNS.snapshot, type: "snapshot" },
-
-  { pattern: K8S_PATTERNS.serviceAccountToken, type: "k8s-token" },
-  { pattern: K8S_PATTERNS.clusterEndpoint, type: "k8s-endpoint" },
-  { pattern: K8S_PATTERNS.kubeconfigServer, type: "k8s-endpoint" },
-  { pattern: K8S_PATTERNS.nodeNameAws, type: "k8s-node" },
-
-  { pattern: COMMON_PATTERNS.privateKey, type: "private-key" },
-  { pattern: COMMON_PATTERNS.apiKeyField, type: "api-key", isContextual: true },
-  { pattern: COMMON_PATTERNS.ipv4, type: "ipv4" },
-];
-
 function removeAnchors(source: string): string {
   let result = source.replace(/^\^/, "").replace(/\$$/, "");
   if (!result.endsWith("\\b")) {
@@ -50,34 +10,58 @@ function removeAnchors(source: string): string {
   return result;
 }
 
-export function mask(sessionId: string, text: string): string {
-  if (!text || typeof text !== "string") {
-    return text;
-  }
-
-  const config = getConfig();
-  if (!config.enabled) {
-    return text;
-  }
+const REGEX_PREFIX = "regex:";
 
+function applyCustomPatterns(
+  sessionId: string,
+  text: string,
+  customPatterns: string[],
+): string {
   let result = text;
 
-  for (const customPattern of config.customPatterns) {
-    if (result.includes(customPattern)) {
-      const token = addEntry(sessionId, "custom", customPattern);
-      result = result.split(customPattern).join(token);
+  for (const customPattern of customPatterns) {
+    if (customPattern.startsWith(REGEX_PREFIX)) {
+      const regexStr = customPattern.slice(REGEX_PREFIX.length);
+      const regex = new RegExp(removeAnchors(regexStr), "g");
+      const matches = new Set<string>();
+      let match;
+      while ((match = regex.exec(result)) !== null) {
+        matches.add(match[0]);
+      }
+      for (const value of matches) {
+        const token = addEntry(sessionId, "custom", value);
+        result = result.split(value).join(token);
+      }
+    } else {
+      const escaped = customPattern.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+      const literalRegex = new RegExp(escaped + "(?![\\w])", "g");
+      if (literalRegex.test(result)) {
+        const token = addEntry(sessionId, "custom", customPattern);
+        result = result.replace(literalRegex, token);
+      }
     }
   }
 
-  for (const { pattern, type, isContextual } of PATTERN_ORDER) {
-    if (!isPatternEnabled(type)) {
+  return result;
+}
+
+function applyLoadedPatterns(
+  sessionId: string,
+  text: string,
+  patterns: LoadedPattern[],
+): string {
+  let result = text;
+
+  for (const { name, pattern, isContextual } of patterns) {
+    if (!isPatternEnabled(name)) {
       continue;
     }
+
     if (isContextual) {
       result = result.replace(
         new RegExp(pattern.source, "g"),
         (match, capturedValue) => {
-          const token = addEntry(sessionId, type, capturedValue);
+          const token = addEntry(sessionId, name, capturedValue);
           return match.replace(capturedValue, token);
         },
       );
@@ -91,7 +75,7 @@ export function mask(sessionId: string, text: string): string {
       }
 
       for (const value of matches) {
-        const token = addEntry(sessionId, type, value);
+        const token = addEntry(sessionId, name, value);
         result = result.split(value).join(token);
       }
     }
@@ -100,6 +84,26 @@ export function mask(sessionId: string, text: string): string {
   return result;
 }
 
+export function mask(sessionId: string, text: string): string {
+  if (!text || typeof text !== "string") {
+    return text;
+  }
+
+  const config = getConfig();
+  if (!config.enabled) {
+    return text;
+  }
+
+  let result = text;
+
+  result = applyCustomPatterns(sessionId, result, config.customPatterns);
+
+  const patterns = loadPatterns();
+  result = applyLoadedPatterns(sessionId, result, patterns);
+
+  return result;
+}
+
 export function unmask(sessionId: string, text: string): string {
   if (!text || typeof text !== "string") {
     return text;

package/src/patterns.ts

@@ -1,45 +1,108 @@
-export const AWS_PATTERNS = {
-  arn: /^arn:(?:aws|aws-cn|aws-us-gov):[a-zA-Z0-9-]+:[a-z0-9-]*:(?:[0-9]{12})?:.+$/,
-  eksCluster:
-    /^arn:(?:aws|aws-cn|aws-us-gov):eks:[a-z0-9-]+:[0-9]{12}:cluster\/.+$/,
-  vpc: /^vpc-[0-9a-f]{8,17}$/,
-  subnet: /^subnet-[0-9a-f]{8,17}$/,
-  securityGroup: /^sg-[0-9a-f]{8,17}$/,
-  internetGateway: /^igw-[0-9a-f]{8,17}$/,
-  routeTable: /^rtb-[0-9a-f]{8,17}$/,
-  natGateway: /^nat-[0-9a-f]{8,17}$/,
-  networkAcl: /^acl-[0-9a-f]{8,17}$/,
-  ec2Instance: /^i-[0-9a-f]{8,17}$/,
-  ami: /^ami-[0-9a-f]{8,17}$/,
-  ebs: /^vol-[0-9a-f]{8,17}$/,
-  snapshot: /^snap-[0-9a-f]{8,17}$/,
-  eni: /^eni-[0-9a-f]{8,17}$/,
-  vpcEndpoint: /^vpce-[0-9a-f]{8,17}$/,
-  transitGateway: /^tgw-[0-9a-f]{8,17}$/,
-  customerGateway: /^cgw-[0-9a-f]{8,17}$/,
-  vpnGateway: /^vgw-[0-9a-f]{8,17}$/,
-  vpnConnection: /^vpn-[0-9a-f]{8,17}$/,
-  accountId: /"(?:OwnerId|AccountId|Owner|account_id)":\s*"(\d{12})"/,
-  ecrRepoUri:
-    /^(?:\d{12}|#\(custom-\d+\))\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com\/[a-z0-9._\/-]+$/,
-  accessKeyId:
-    /(?:^|[^A-Z0-9])(?:AKIA|ABIA|ACCA|ASIA)[A-Z0-9]{16}(?:[^A-Z0-9]|$)/,
-} as const;
-
-export const K8S_PATTERNS = {
-  serviceAccountToken: /^eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*$/,
-  nodeNameAws: /^ip-(?:\d{1,3}-){3}\d{1,3}\.[a-z0-9-]+\.compute\.internal$/,
-  clusterEndpoint: /^https:\/\/[A-Z0-9]+\.[a-z0-9-]+\.eks\.amazonaws\.com$/,
-  kubeconfigServer:
-    /^https:\/\/[0-9A-F]{32}\.[a-z]{2}-[a-z]+-\d\.eks\.amazonaws\.com$/i,
-} as const;
-
-export const COMMON_PATTERNS = {
-  ipv4: /^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/,
-  // Private key blocks (entire key including body and footer)
-  privateKey:
-    /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----[\s\S]*?-----END (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/,
-  // Generic API keys/tokens (contextual - in JSON/YAML fields)
-  apiKeyField:
-    /"(?:api_key|apiKey|secret_key|secretKey|access_token|auth_token|password|token)":\s*"([^"]+)"/,
-} as const;
+import { readdirSync, readFileSync } from "fs";
+import { join, dirname } from "path";
+import { fileURLToPath } from "url";
+
+/**
+ * Pattern definition in JSON files.
+ * Can be:
+ * - A regex string: "^vpc-[0-9a-f]{8,17}$"
+ * - An object with pattern and optional contextual flag: { "pattern": "...", "contextual": true }
+ * - An object with exact string match: { "exact": "literal-value" }
+ */
+export type PatternDefinition =
+  | string
+  | { pattern: string; contextual?: boolean }
+  | { exact: string };
+
+export interface PatternFile {
+  [patternName: string]: PatternDefinition;
+}
+
+export interface LoadedPattern {
+  name: string;
+  pattern: RegExp;
+  isContextual: boolean;
+  isExact: boolean;
+}
+
+let cachedPatterns: LoadedPattern[] | null = null;
+
+function getPackagePatternsDir(): string {
+  const currentFile = fileURLToPath(import.meta.url);
+  const srcDir = dirname(currentFile);
+  const packageRoot = dirname(srcDir);
+  return join(packageRoot, "patterns");
+}
+
+function parsePatternDefinition(
+  name: string,
+  definition: PatternDefinition,
+): LoadedPattern {
+  if (typeof definition === "string") {
+    return {
+      name,
+      pattern: new RegExp(definition),
+      isContextual: false,
+      isExact: false,
+    };
+  }
+
+  if ("exact" in definition) {
+    const escaped = definition.exact.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+    return {
+      name,
+      pattern: new RegExp(escaped),
+      isContextual: false,
+      isExact: true,
+    };
+  }
+
+  return {
+    name,
+    pattern: new RegExp(definition.pattern),
+    isContextual: definition.contextual ?? false,
+    isExact: false,
+  };
+}
+
+function loadPatternFile(filePath: string): LoadedPattern[] {
+  const content = readFileSync(filePath, "utf-8");
+  const data: PatternFile = JSON.parse(content);
+  const patterns: LoadedPattern[] = [];
+
+  for (const [name, definition] of Object.entries(data)) {
+    patterns.push(parsePatternDefinition(name, definition));
+  }
+
+  return patterns;
+}
+
+export function loadPatterns(): LoadedPattern[] {
+  if (cachedPatterns) {
+    return cachedPatterns;
+  }
+
+  const patternsDir = getPackagePatternsDir();
+  const patterns: LoadedPattern[] = [];
+
+  const files = readdirSync(patternsDir)
+    .filter((f) => f.endsWith(".json"))
+    .sort();
+
+  for (const file of files) {
+    const filePath = join(patternsDir, file);
+    const filePatterns = loadPatternFile(filePath);
+    patterns.push(...filePatterns);
+  }
+
+  cachedPatterns = patterns;
+  return patterns;
+}
+
+export function resetPatternCache(): void {
+  cachedPatterns = null;
+}
+
+export function getPatternByName(name: string): LoadedPattern | undefined {
+  return loadPatterns().find((p) => p.name === name);
+}