@uniglot/wont-let-you-see 0.2.0 → 0.3.1

package/README.md

@@ -28,11 +28,11 @@ Configure via environment variables or JSON config file. Environment variables t
 
 #### Environment Variables
 
-| Variable                             | Description                                     | Default |
-| ------------------------------------ | ----------------------------------------------- | ------- |
-| `WONT_LET_YOU_SEE_ENABLED`           | Set to `false` or `0` to disable masking        | `true`  |
-| `WONT_LET_YOU_SEE_REVEALED_PATTERNS` | Comma-separated list of pattern types to reveal | (none)  |
-| `WONT_LET_YOU_SEE_CUSTOM_PATTERNS`   | Comma-separated list of custom strings to mask  | (none)  |
+| Variable                             | Description                                                                | Default |
+| ------------------------------------ | -------------------------------------------------------------------------- | ------- |
+| `WONT_LET_YOU_SEE_ENABLED`           | Set to `false` or `0` to disable masking                                   | `true`  |
+| `WONT_LET_YOU_SEE_REVEALED_PATTERNS` | Comma-separated list of pattern types to reveal                            | (none)  |
+| `WONT_LET_YOU_SEE_CUSTOM_PATTERNS`   | Comma-separated list of custom patterns to mask (supports `regex:` prefix) | (none)  |
 
 #### JSON Config File
 
@@ -48,6 +48,18 @@ Create `.wont-let-you-see.json` in your project root, `~/.config/opencode/`, or
 
 > **Tip**: Add your AWS account ID to `customPatterns`. The built-in `account-id` pattern only matches contextual fields like `"OwnerId": "123456789012"`, but may miss bare account IDs in terraform output or other contexts.
 
+Custom patterns support both literal strings and regular expressions. Prefix with `regex:` to use regex:
+
+```json
+{
+  "customPatterns": [
+    "123456789012",
+    "my-secret-value",
+    "regex:secret-[a-z]{3}-\\d{4}"
+  ]
+}
+```
+
 #### Examples
 
 ```bash
@@ -59,6 +71,9 @@ WONT_LET_YOU_SEE_REVEALED_PATTERNS=eks-cluster,ipv4 opencode
 
 # Mask custom values (e.g., AWS account ID)
 WONT_LET_YOU_SEE_CUSTOM_PATTERNS=123456789012,my-secret opencode
+
+# Mask with regex patterns
+WONT_LET_YOU_SEE_CUSTOM_PATTERNS="regex:token-[A-Z]{8},my-literal-secret" opencode
 ```
 
 ## Supported Commands
@@ -74,46 +89,53 @@ The plugin automatically masks output from:
 
 ### AWS Resources
 
-| Pattern Type       | Description                  | Example                                                 |
-| ------------------ | ---------------------------- | ------------------------------------------------------- |
-| `arn`              | Generic AWS ARNs             | `arn:aws:iam::123456789012:user/admin`                  |
-| `eks-cluster`      | EKS Cluster ARNs             | `arn:aws:eks:us-west-2:123456789012:cluster/my-cluster` |
-| `account-id`       | AWS Account IDs (contextual) | `"OwnerId": "123456789012"`                             |
-| `access-key-id`    | AWS Access Key IDs           | `AKIAIOSFODNN7EXAMPLE`                                  |
-| `vpc`              | VPC IDs                      | `vpc-0123456789abcdef0`                                 |
-| `subnet`           | Subnet IDs                   | `subnet-0123456789abcdef0`                              |
-| `security-group`   | Security Group IDs           | `sg-0123456789abcdef0`                                  |
-| `internet-gateway` | Internet Gateway IDs         | `igw-0123456789abcdef0`                                 |
-| `route-table`      | Route Table IDs              | `rtb-0123456789abcdef0`                                 |
-| `nat-gateway`      | NAT Gateway IDs              | `nat-0123456789abcdef0`                                 |
-| `network-acl`      | Network ACL IDs              | `acl-0123456789abcdef0`                                 |
-| `ec2-instance`     | EC2 Instance IDs             | `i-0123456789abcdef0`                                   |
-| `ami`              | AMI IDs                      | `ami-0123456789abcdef0`                                 |
-| `ebs`              | EBS Volume IDs               | `vol-0123456789abcdef0`                                 |
-| `snapshot`         | EBS Snapshot IDs             | `snap-0123456789abcdef0`                                |
-| `eni`              | Network Interface IDs        | `eni-0123456789abcdef0`                                 |
-| `vpc-endpoint`     | VPC Endpoint IDs             | `vpce-0123456789abcdef0`                                |
-| `transit-gateway`  | Transit Gateway IDs          | `tgw-0123456789abcdef0`                                 |
-| `customer-gateway` | Customer Gateway IDs         | `cgw-0123456789abcdef0`                                 |
-| `vpn-gateway`      | VPN Gateway IDs              | `vgw-0123456789abcdef0`                                 |
-| `vpn-connection`   | VPN Connection IDs           | `vpn-0123456789abcdef0`                                 |
-| `ecr-repo`         | ECR Repository URIs          | `123456789012.dkr.ecr.us-west-2.amazonaws.com/my-repo`  |
+| Pattern Type        | Description                  | Example                                                 |
+| ------------------- | ---------------------------- | ------------------------------------------------------- |
+| `arn`               | Generic AWS ARNs             | `arn:aws:iam::123456789012:user/admin`                  |
+| `eks-cluster`       | EKS Cluster ARNs             | `arn:aws:eks:us-west-2:123456789012:cluster/my-cluster` |
+| `account-id`        | AWS Account IDs (contextual) | `"OwnerId": "123456789012"`                             |
+| `access-key-id`     | AWS Access Key IDs           | `AKIAIOSFODNN7EXAMPLE`                                  |
+| `secret-access-key` | AWS Secret Access Keys       | `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`              |
+| `vpc`               | VPC IDs                      | `vpc-0123456789abcdef0`                                 |
+| `subnet`            | Subnet IDs                   | `subnet-0123456789abcdef0`                              |
+| `security-group`    | Security Group IDs           | `sg-0123456789abcdef0`                                  |
+| `internet-gateway`  | Internet Gateway IDs         | `igw-0123456789abcdef0`                                 |
+| `route-table`       | Route Table IDs              | `rtb-0123456789abcdef0`                                 |
+| `nat-gateway`       | NAT Gateway IDs              | `nat-0123456789abcdef0`                                 |
+| `network-acl`       | Network ACL IDs              | `acl-0123456789abcdef0`                                 |
+| `ec2-instance`      | EC2 Instance IDs             | `i-0123456789abcdef0`                                   |
+| `ami`               | AMI IDs                      | `ami-0123456789abcdef0`                                 |
+| `ebs`               | EBS Volume IDs               | `vol-0123456789abcdef0`                                 |
+| `snapshot`          | EBS Snapshot IDs             | `snap-0123456789abcdef0`                                |
+| `eni`               | Network Interface IDs        | `eni-0123456789abcdef0`                                 |
+| `vpc-endpoint`      | VPC Endpoint IDs             | `vpce-0123456789abcdef0`                                |
+| `transit-gateway`   | Transit Gateway IDs          | `tgw-0123456789abcdef0`                                 |
+| `customer-gateway`  | Customer Gateway IDs         | `cgw-0123456789abcdef0`                                 |
+| `vpn-gateway`       | VPN Gateway IDs              | `vgw-0123456789abcdef0`                                 |
+| `vpn-connection`    | VPN Connection IDs           | `vpn-0123456789abcdef0`                                 |
+| `ecr-repo`          | ECR Repository URIs          | `123456789012.dkr.ecr.us-west-2.amazonaws.com/my-repo`  |
 
 ### Kubernetes Resources (EKS)
 
-| Pattern Type   | Description                  | Example                            |
-| -------------- | ---------------------------- | ---------------------------------- |
-| `k8s-token`    | Service Account Tokens (JWT) | `eyJhbGciOiJSUzI1NiIs...`          |
-| `k8s-endpoint` | EKS Cluster API Endpoints    | `https://ABC123.eks.amazonaws.com` |
-| `k8s-node`     | EKS Node Names               | `ip-10-0-1-123.compute.internal`   |
+| Pattern Type   | Description               | Example                            |
+| -------------- | ------------------------- | ---------------------------------- |
+| `k8s-endpoint` | EKS Cluster API Endpoints | `https://ABC123.eks.amazonaws.com` |
+| `k8s-node`     | EKS Node Names            | `ip-10-0-1-123.compute.internal`   |
 
 ### Common Patterns
 
-| Pattern Type  | Description                                   | Example                                                           |
-| ------------- | --------------------------------------------- | ----------------------------------------------------------------- |
-| `ipv4`        | IPv4 Addresses (including IP portion of CIDR) | `192.168.1.1`, `10.0.0.0/16` → `#(ipv4-1)/16`                     |
-| `private-key` | Private Key Blocks (entire key)               | `-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----` |
-| `api-key`     | API Keys (contextual)                         | `"api_key": "sk-..."`                                             |
+| Pattern Type          | Description                                   | Example                                                           |
+| --------------------- | --------------------------------------------- | ----------------------------------------------------------------- |
+| `ipv4`                | IPv4 Addresses (including IP portion of CIDR) | `192.168.1.1`, `10.0.0.0/16` → `#(ipv4-1)/16`                     |
+| `private-key`         | Private Key Blocks (entire key)               | `-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----` |
+| `api-key`             | API Keys (contextual)                         | `"api_key": "sk-..."`                                             |
+| `phone-us`            | US Phone Numbers                              | `+1-555-123-4567`, `(555) 123-4567`                               |
+| `phone-kr`            | South Korean Phone Numbers                    | `010-1234-5678`, `+82-10-1234-5678`                               |
+| `phone-international` | International Phone Numbers                   | `+44 20 7946 0958`                                                |
+| `email`               | Email Addresses                               | `user@example.com`                                                |
+| `uuid`                | UUID/GUID                                     | `550e8400-e29b-41d4-a716-446655440000`                            |
+| `jwt`                 | JWT Tokens                                    | `eyJhbGciOiJIUzI1NiIs...`                                         |
+| `base64-secret`       | Base64-encoded Secrets (contextual)           | `"secret": "SGVsbG8gV29ybGQ="`                                    |
 
 ## Token Format
 
@@ -125,6 +147,10 @@ Examples:
 - `10.0.0.1` → `#(ipv4-1)`
 - `10.0.0.0/16` → `#(ipv4-1)/16` (subnet mask preserved)
 - `AKIAIOSFODNN7EXAMPLE` → `#(access-key-id-1)`
+- `wJalrXUtnFEMI/K7MDENG...` → `#(secret-access-key-1)`
+- `user@example.com` → `#(email-1)`
+- `+1-555-123-4567` → `#(phone-us-1)`
+- `eyJhbGciOiJIUzI1NiIs...` → `#(jwt-1)`
 - Entire private key block → `#(private-key-1)`
 
 ## How It Works
@@ -147,9 +173,49 @@ What was the actual VPC ID from the last command?
 
 The LLM should only know the token (e.g., `#(vpc-1)`), not the real value.
 
+## Contributing Patterns
+
+Patterns are defined in JSON files under the `patterns/` directory:
+
+- `patterns/aws.json` - AWS resource patterns
+- `patterns/kubernetes.json` - Kubernetes patterns
+- `patterns/common.json` - Common patterns (IPs, keys, etc.)
+
+You can request to add new files for resources of different categories.
+
+### Pattern Format
+
+Each pattern can be defined as:
+
+```json
+{
+  "pattern-name": "^regex-pattern$",
+
+  "contextual-pattern": {
+    "pattern": "\"field\":\\s*\"(captured-value)\"",
+    "contextual": true
+  },
+
+  "literal-match": {
+    "exact": "literal-string-to-match"
+  }
+}
+```
+
+- **Simple regex**: Just a string with the regex pattern
+- **Contextual**: For patterns where only a captured group should be masked (e.g., JSON fields)
+- **Exact match**: For literal strings that should be escaped
+
+### Adding New Patterns
+
+1. Fork the repository
+2. Add your pattern to the appropriate JSON file
+3. Add tests in `src/__tests__/patterns.test.ts`
+4. Submit a pull request
+
 ## Limitations
 
-- **AWS only**: Currently supports AWS. GCP and Azure are not yet supported.
+- **AWS only**: Currently supports AWS. GCP and Azure are not yet supported. Do you need them? Feel free to contribute!
 - **S3 Buckets**: Bucket names are not masked (often public/intentional).
 - **Account IDs**: Only masked in contextual JSON fields. Add to `customPatterns` for full coverage.
 - **UI display**: The UI shows original values (OpenCode limitation).

package/dist/index.js

@@ -1,58 +1,82 @@
 // src/patterns.ts
-var AWS_PATTERNS = {
-  arn: /^arn:(?:aws|aws-cn|aws-us-gov):[a-zA-Z0-9-]+:[a-z0-9-]*:(?:[0-9]{12})?:.+$/,
-  eksCluster: /^arn:(?:aws|aws-cn|aws-us-gov):eks:[a-z0-9-]+:[0-9]{12}:cluster\/.+$/,
-  vpc: /^vpc-[0-9a-f]{8,17}$/,
-  subnet: /^subnet-[0-9a-f]{8,17}$/,
-  securityGroup: /^sg-[0-9a-f]{8,17}$/,
-  internetGateway: /^igw-[0-9a-f]{8,17}$/,
-  routeTable: /^rtb-[0-9a-f]{8,17}$/,
-  natGateway: /^nat-[0-9a-f]{8,17}$/,
-  networkAcl: /^acl-[0-9a-f]{8,17}$/,
-  ec2Instance: /^i-[0-9a-f]{8,17}$/,
-  ami: /^ami-[0-9a-f]{8,17}$/,
-  ebs: /^vol-[0-9a-f]{8,17}$/,
-  snapshot: /^snap-[0-9a-f]{8,17}$/,
-  eni: /^eni-[0-9a-f]{8,17}$/,
-  vpcEndpoint: /^vpce-[0-9a-f]{8,17}$/,
-  transitGateway: /^tgw-[0-9a-f]{8,17}$/,
-  customerGateway: /^cgw-[0-9a-f]{8,17}$/,
-  vpnGateway: /^vgw-[0-9a-f]{8,17}$/,
-  vpnConnection: /^vpn-[0-9a-f]{8,17}$/,
-  accountId: /"(?:OwnerId|AccountId|Owner|account_id)":\s*"(\d{12})"/,
-  ecrRepoUri: /^(?:\d{12}|#\(custom-\d+\))\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com\/[a-z0-9._\/-]+$/,
-  accessKeyId: /(?:^|[^A-Z0-9])(?:AKIA|ABIA|ACCA|ASIA)[A-Z0-9]{16}(?:[^A-Z0-9]|$)/
-};
-var K8S_PATTERNS = {
-  serviceAccountToken: /^eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*$/,
-  nodeNameAws: /^ip-(?:\d{1,3}-){3}\d{1,3}\.[a-z0-9-]+\.compute\.internal$/,
-  clusterEndpoint: /^https:\/\/[A-Z0-9]+\.[a-z0-9-]+\.eks\.amazonaws\.com$/,
-  kubeconfigServer: /^https:\/\/[0-9A-F]{32}\.[a-z]{2}-[a-z]+-\d\.eks\.amazonaws\.com$/i
-};
-var COMMON_PATTERNS = {
-  ipv4: /^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/,
-  privateKey: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----[\s\S]*?-----END (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/,
-  apiKeyField: /"(?:api_key|apiKey|secret_key|secretKey|access_token|auth_token|password|token)":\s*"([^"]+)"/
-};
+import { readdirSync, readFileSync } from "fs";
+import { join, dirname } from "path";
+import { fileURLToPath } from "url";
+var cachedPatterns = null;
+function getPackagePatternsDir() {
+  const currentFile = fileURLToPath(import.meta.url);
+  const srcDir = dirname(currentFile);
+  const packageRoot = dirname(srcDir);
+  return join(packageRoot, "patterns");
+}
+function parsePatternDefinition(name, definition) {
+  if (typeof definition === "string") {
+    return {
+      name,
+      pattern: new RegExp(definition),
+      isContextual: false,
+      isExact: false
+    };
+  }
+  if ("exact" in definition) {
+    const escaped = definition.exact.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+    return {
+      name,
+      pattern: new RegExp(escaped),
+      isContextual: false,
+      isExact: true
+    };
+  }
+  return {
+    name,
+    pattern: new RegExp(definition.pattern),
+    isContextual: definition.contextual ?? false,
+    isExact: false
+  };
+}
+function loadPatternFile(filePath) {
+  const content = readFileSync(filePath, "utf-8");
+  const data = JSON.parse(content);
+  const patterns = [];
+  for (const [name, definition] of Object.entries(data)) {
+    patterns.push(parsePatternDefinition(name, definition));
+  }
+  return patterns;
+}
+function loadPatterns() {
+  if (cachedPatterns) {
+    return cachedPatterns;
+  }
+  const patternsDir = getPackagePatternsDir();
+  const patterns = [];
+  const files = readdirSync(patternsDir).filter((f) => f.endsWith(".json")).sort();
+  for (const file of files) {
+    const filePath = join(patternsDir, file);
+    const filePatterns = loadPatternFile(filePath);
+    patterns.push(...filePatterns);
+  }
+  cachedPatterns = patterns;
+  return patterns;
+}
 
 // src/mapping.ts
 import {
   existsSync,
   mkdirSync,
-  readFileSync,
+  readFileSync as readFileSync2,
   writeFileSync,
   renameSync
 } from "fs";
-import { join } from "path";
+import { join as join2 } from "path";
 import { homedir } from "os";
 var sessionStates = new Map;
 function getSessionPath(sessionId) {
   const projectRoot = process.cwd();
-  const defaultPath = join(projectRoot, ".opencode", "sessions", sessionId, "wont-let-you-see-mapping.json");
-  if (existsSync(join(projectRoot, ".opencode")) || !existsSync(homedir())) {
+  const defaultPath = join2(projectRoot, ".opencode", "sessions", sessionId, "wont-let-you-see-mapping.json");
+  if (existsSync(join2(projectRoot, ".opencode")) || !existsSync(homedir())) {
     return defaultPath;
   }
-  return join(homedir(), ".opencode", "sessions", sessionId, "wont-let-you-see-mapping.json");
+  return join2(homedir(), ".opencode", "sessions", sessionId, "wont-let-you-see-mapping.json");
 }
 function ensureSessionDir(sessionPath) {
   const dir = sessionPath.substring(0, sessionPath.lastIndexOf("/"));
@@ -65,7 +89,7 @@ function getSessionState(sessionId) {
   if (!state) {
     const sessionPath = getSessionPath(sessionId);
     if (existsSync(sessionPath)) {
-      const mapping = JSON.parse(readFileSync(sessionPath, "utf-8"));
+      const mapping = JSON.parse(readFileSync2(sessionPath, "utf-8"));
       const counters = {};
       for (const token of Object.keys(mapping.entries)) {
         const match = token.match(/^#\(([^-]+)-(\d+)\)$/);
@@ -118,7 +142,7 @@ import {
   existsSync as nodeExistsSync,
   readFileSync as nodeReadFileSync
 } from "fs";
-import { join as join2, dirname } from "path";
+import { join as join3, dirname as dirname2 } from "path";
 import { homedir as homedir2 } from "os";
 var fsAdapter = {
   existsSync: nodeExistsSync,
@@ -134,14 +158,14 @@ function findConfigInAncestors(startDir) {
   const home = homedir2();
   let currentDir = startDir;
   while (true) {
-    const configPath = join2(currentDir, CONFIG_FILENAME);
+    const configPath = join3(currentDir, CONFIG_FILENAME);
     if (fsAdapter.existsSync(configPath)) {
       return configPath;
     }
     if (currentDir === home) {
       break;
     }
-    const parentDir = dirname(currentDir);
+    const parentDir = dirname2(currentDir);
     if (parentDir === currentDir) {
       break;
     }
@@ -157,7 +181,7 @@ function loadJsonConfig() {
       return JSON.parse(content);
     } catch {}
   }
-  const homeConfig = join2(homedir2(), CONFIG_FILENAME);
+  const homeConfig = join3(homedir2(), CONFIG_FILENAME);
   if (fsAdapter.existsSync(homeConfig)) {
     try {
       const content = fsAdapter.readFileSync(homeConfig, "utf-8");
@@ -205,37 +229,6 @@ function isPatternEnabled(patternType) {
 }
 
 // src/masker.ts
-var PATTERN_ORDER = [
-  { pattern: AWS_PATTERNS.eksCluster, type: "eks-cluster" },
-  { pattern: AWS_PATTERNS.arn, type: "arn" },
-  { pattern: AWS_PATTERNS.accountId, type: "account-id", isContextual: true },
-  { pattern: AWS_PATTERNS.accessKeyId, type: "access-key-id" },
-  { pattern: AWS_PATTERNS.vpc, type: "vpc" },
-  { pattern: AWS_PATTERNS.subnet, type: "subnet" },
-  { pattern: AWS_PATTERNS.securityGroup, type: "security-group" },
-  { pattern: AWS_PATTERNS.internetGateway, type: "internet-gateway" },
-  { pattern: AWS_PATTERNS.routeTable, type: "route-table" },
-  { pattern: AWS_PATTERNS.natGateway, type: "nat-gateway" },
-  { pattern: AWS_PATTERNS.networkAcl, type: "network-acl" },
-  { pattern: AWS_PATTERNS.eni, type: "eni" },
-  { pattern: AWS_PATTERNS.vpcEndpoint, type: "vpc-endpoint" },
-  { pattern: AWS_PATTERNS.transitGateway, type: "transit-gateway" },
-  { pattern: AWS_PATTERNS.customerGateway, type: "customer-gateway" },
-  { pattern: AWS_PATTERNS.vpnGateway, type: "vpn-gateway" },
-  { pattern: AWS_PATTERNS.vpnConnection, type: "vpn-connection" },
-  { pattern: AWS_PATTERNS.ecrRepoUri, type: "ecr-repo" },
-  { pattern: AWS_PATTERNS.ami, type: "ami" },
-  { pattern: AWS_PATTERNS.ec2Instance, type: "ec2-instance" },
-  { pattern: AWS_PATTERNS.ebs, type: "ebs" },
-  { pattern: AWS_PATTERNS.snapshot, type: "snapshot" },
-  { pattern: K8S_PATTERNS.serviceAccountToken, type: "k8s-token" },
-  { pattern: K8S_PATTERNS.clusterEndpoint, type: "k8s-endpoint" },
-  { pattern: K8S_PATTERNS.kubeconfigServer, type: "k8s-endpoint" },
-  { pattern: K8S_PATTERNS.nodeNameAws, type: "k8s-node" },
-  { pattern: COMMON_PATTERNS.privateKey, type: "private-key" },
-  { pattern: COMMON_PATTERNS.apiKeyField, type: "api-key", isContextual: true },
-  { pattern: COMMON_PATTERNS.ipv4, type: "ipv4" }
-];
 function removeAnchors(source) {
   let result = source.replace(/^\^/, "").replace(/\$$/, "");
   if (!result.endsWith("\\b")) {
@@ -243,28 +236,42 @@ function removeAnchors(source) {
   }
   return result;
 }
-function mask(sessionId, text) {
-  if (!text || typeof text !== "string") {
-    return text;
-  }
-  const config = getConfig();
-  if (!config.enabled) {
-    return text;
-  }
+var REGEX_PREFIX = "regex:";
+function applyCustomPatterns(sessionId, text, customPatterns) {
   let result = text;
-  for (const customPattern of config.customPatterns) {
-    if (result.includes(customPattern)) {
-      const token = addEntry(sessionId, "custom", customPattern);
-      result = result.split(customPattern).join(token);
+  for (const customPattern of customPatterns) {
+    if (customPattern.startsWith(REGEX_PREFIX)) {
+      const regexStr = customPattern.slice(REGEX_PREFIX.length);
+      const regex = new RegExp(removeAnchors(regexStr), "g");
+      const matches = new Set;
+      let match;
+      while ((match = regex.exec(result)) !== null) {
+        matches.add(match[0]);
+      }
+      for (const value of matches) {
+        const token = addEntry(sessionId, "custom", value);
+        result = result.split(value).join(token);
+      }
+    } else {
+      const escaped = customPattern.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+      const literalRegex = new RegExp(escaped + "(?![\\w])", "g");
+      if (literalRegex.test(result)) {
+        const token = addEntry(sessionId, "custom", customPattern);
+        result = result.replace(literalRegex, token);
+      }
     }
   }
-  for (const { pattern, type, isContextual } of PATTERN_ORDER) {
-    if (!isPatternEnabled(type)) {
+  return result;
+}
+function applyLoadedPatterns(sessionId, text, patterns) {
+  let result = text;
+  for (const { name, pattern, isContextual } of patterns) {
+    if (!isPatternEnabled(name)) {
       continue;
     }
     if (isContextual) {
       result = result.replace(new RegExp(pattern.source, "g"), (match, capturedValue) => {
-        const token = addEntry(sessionId, type, capturedValue);
+        const token = addEntry(sessionId, name, capturedValue);
         return match.replace(capturedValue, token);
       });
     } else {
@@ -275,13 +282,27 @@ function mask(sessionId, text) {
         matches.add(match[0]);
       }
       for (const value of matches) {
-        const token = addEntry(sessionId, type, value);
+        const token = addEntry(sessionId, name, value);
         result = result.split(value).join(token);
       }
     }
   }
   return result;
 }
+function mask(sessionId, text) {
+  if (!text || typeof text !== "string") {
+    return text;
+  }
+  const config = getConfig();
+  if (!config.enabled) {
+    return text;
+  }
+  let result = text;
+  result = applyCustomPatterns(sessionId, result, config.customPatterns);
+  const patterns = loadPatterns();
+  result = applyLoadedPatterns(sessionId, result, patterns);
+  return result;
+}
 function unmask(sessionId, text) {
   if (!text || typeof text !== "string") {
     return text;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@uniglot/wont-let-you-see",
-  "version": "0.2.0",
+  "version": "0.3.1",
   "description": "OpenCode plugin that masks sensitive cloud infrastructure data (AWS, Kubernetes) from LLMs",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/patterns/aws.json

@@ -0,0 +1,28 @@
+{
+  "eks-cluster": "^arn:(?:aws|aws-cn|aws-us-gov):eks:[a-z0-9-]+:[0-9]{12}:cluster\\/.+$",
+  "arn": "^arn:(?:aws|aws-cn|aws-us-gov):[a-zA-Z0-9-]+:[a-z0-9-]*:(?:[0-9]{12})?:.+$",
+  "account-id": {
+    "pattern": "\"(?:OwnerId|AccountId|Owner|account_id)\":\\s*\"(\\d{12})\"",
+    "contextual": true
+  },
+  "access-key-id": "(?:^|[^A-Z0-9])(?:AKIA|ABIA|ACCA|ASIA)[A-Z0-9]{16}(?:[^A-Z0-9]|$)",
+  "secret-access-key": "(?:^|[^A-Za-z0-9+/])[A-Za-z0-9+/]{40}(?:[^A-Za-z0-9+/]|$)",
+  "vpc": "^vpc-[0-9a-f]{8,17}$",
+  "subnet": "^subnet-[0-9a-f]{8,17}$",
+  "security-group": "^sg-[0-9a-f]{8,17}$",
+  "internet-gateway": "^igw-[0-9a-f]{8,17}$",
+  "route-table": "^rtb-[0-9a-f]{8,17}$",
+  "nat-gateway": "^nat-[0-9a-f]{8,17}$",
+  "network-acl": "^acl-[0-9a-f]{8,17}$",
+  "eni": "^eni-[0-9a-f]{8,17}$",
+  "vpc-endpoint": "^vpce-[0-9a-f]{8,17}$",
+  "transit-gateway": "^tgw-[0-9a-f]{8,17}$",
+  "customer-gateway": "^cgw-[0-9a-f]{8,17}$",
+  "vpn-gateway": "^vgw-[0-9a-f]{8,17}$",
+  "vpn-connection": "^vpn-[0-9a-f]{8,17}$",
+  "ecr-repo": "^(?:\\d{12}|#\\(custom-\\d+\\))\\.dkr\\.ecr\\.[a-z0-9-]+\\.amazonaws\\.com\\/[a-z0-9._\\/-]+$",
+  "ami": "^ami-[0-9a-f]{8,17}$",
+  "ec2-instance": "^i-[0-9a-f]{8,17}$",
+  "ebs": "^vol-[0-9a-f]{8,17}$",
+  "snapshot": "^snap-[0-9a-f]{8,17}$"
+}

package/patterns/common.json

@@ -0,0 +1,18 @@
+{
+  "private-key": "-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----[\\s\\S]*?-----END (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----",
+  "api-key": {
+    "pattern": "\"(?:api_key|apiKey|secret_key|secretKey|access_token|auth_token|password|token)\":\\s*\"([^\"]+)\"",
+    "contextual": true
+  },
+  "ipv4": "^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$",
+  "phone-us": "^(?:\\+1[-\\s.]?)?(?:\\(?[2-9][0-9]{2}\\)?[-\\s.]?)?[2-9][0-9]{2}[-\\s.]?[0-9]{4}$",
+  "phone-kr": "^(?:\\+82[-\\s.]?|0)?(?:1[0-9]|2|3[1-3]|4[1-4]|5[1-5]|6[1-4])[-\\s.]?[0-9]{3,4}[-\\s.]?[0-9]{4}$",
+  "phone-international": "^\\+[1-9][0-9]{0,2}[-\\s.]?(?:[0-9][-\\s.]?){6,14}[0-9]$",
+  "email": "^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}$",
+  "uuid": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$",
+  "jwt": "^eyJ[A-Za-z0-9_-]*\\.eyJ[A-Za-z0-9_-]*\\.[A-Za-z0-9_-]*$",
+  "base64-secret": {
+    "pattern": "\"(?:secret|password|credential|private_key|privateKey|encryption_key|encryptionKey|signing_key|signingKey)\":\\s*\"([A-Za-z0-9+/]{32,}={0,2})\"",
+    "contextual": true
+  }
+}

package/patterns/kubernetes.json

@@ -0,0 +1,8 @@
+{
+  "k8s-endpoint": "^https:\\/\\/[A-Z0-9]+\\.[a-z0-9-]+\\.eks\\.amazonaws\\.com$",
+  "k8s-endpoint-kubeconfig": {
+    "pattern": "^https:\\/\\/[0-9A-F]{32}\\.[a-z]{2}-[a-z]+-\\d\\.eks\\.amazonaws\\.com$",
+    "contextual": false
+  },
+  "k8s-node": "^ip-(?:\\d{1,3}-){3}\\d{1,3}\\.[a-z0-9-]+\\.compute\\.internal$"
+}

package/src/__tests__/masker.test.ts

@@ -2,6 +2,7 @@ import { describe, it, expect, beforeEach, vi, afterEach } from "vitest";
 import { mask, unmask } from "../masker";
 import { createMapping } from "../mapping";
 import { resetConfig } from "../config";
+import { resetPatternCache } from "../patterns";
 
 describe("masker", () => {
   const sessionId = "test-session-masker";
@@ -10,12 +11,14 @@ describe("masker", () => {
   beforeEach(() => {
     process.env.WONT_LET_YOU_SEE_REVEALED_PATTERNS = "";
     resetConfig();
+    resetPatternCache();
     createMapping(sessionId);
   });
 
   afterEach(() => {
     process.env = { ...originalEnv };
     resetConfig();
+    resetPatternCache();
   });
 
   describe("mask()", () => {
@@ -182,6 +185,67 @@ describe("masker", () => {
     });
   });
 
+  describe("customPatterns with regex support", () => {
+    it("should mask exact string patterns", () => {
+      process.env.WONT_LET_YOU_SEE_CUSTOM_PATTERNS = "my-secret-value";
+      resetConfig();
+
+      const input = "Secret: my-secret-value";
+      const result = mask(sessionId, input);
+
+      expect(result).toMatch(/Secret: #\(custom-\d+\)/);
+      expect(result).not.toContain("my-secret-value");
+    });
+
+    it("should mask regex patterns with regex: prefix", () => {
+      process.env.WONT_LET_YOU_SEE_CUSTOM_PATTERNS =
+        "regex:secret-[a-z]{3}-\\d{4}";
+      resetConfig();
+
+      const input = "Keys: secret-abc-1234, secret-xyz-5678";
+      const result = mask(sessionId, input);
+
+      expect(result).toMatch(/#\(custom-\d+\)/);
+      expect(result).not.toContain("secret-abc-1234");
+      expect(result).not.toContain("secret-xyz-5678");
+    });
+
+    it("should treat patterns without regex: prefix as literal strings", () => {
+      process.env.WONT_LET_YOU_SEE_CUSTOM_PATTERNS = "literal-value";
+      resetConfig();
+
+      const input = "Value: literal-value, Other: literal-values";
+      const result = mask(sessionId, input);
+
+      expect(result).toMatch(/Value: #\(custom-\d+\)/);
+      expect(result).toContain("literal-values");
+    });
+
+    it("should round-trip custom regex patterns", () => {
+      process.env.WONT_LET_YOU_SEE_CUSTOM_PATTERNS = "regex:token-[A-Z]{8}";
+      resetConfig();
+
+      const original = "Auth: token-ABCDEFGH";
+      const masked = mask(sessionId, original);
+      const unmasked = unmask(sessionId, masked);
+
+      expect(unmasked).toBe(original);
+    });
+
+    it("should support multiple custom patterns including regex", () => {
+      process.env.WONT_LET_YOU_SEE_CUSTOM_PATTERNS =
+        "exact-secret,regex:pattern-\\d+";
+      resetConfig();
+
+      const input = "Secrets: exact-secret, pattern-123, pattern-456";
+      const result = mask(sessionId, input);
+
+      expect(result).not.toContain("exact-secret");
+      expect(result).not.toContain("pattern-123");
+      expect(result).not.toContain("pattern-456");
+    });
+  });
+
   describe("round-trip integrity", () => {
     it("should maintain round-trip integrity for VPC", () => {
       const original = "vpc-1234567890abcdef0";