@xbg.solutions/utils-hashing 1.0.0

package/lib/hashed-fields-lookup.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Encrypted Fields Registry
+ *
+ * Central registry of all PII fields that must be encrypted at rest.
+ * All fields use AES-256-GCM for authenticated encryption.
+ */
+export declare const HASHED_FIELDS: {
+    readonly 'user.email': true;
+    readonly 'user.phoneNumber': true;
+};
+export type HashedFieldPath = keyof typeof HASHED_FIELDS;
+/**
+ * Check if a field path should be hashed
+ */
+export declare function isHashedField(fieldPath: string): boolean;
+//# sourceMappingURL=hashed-fields-lookup.d.ts.map

package/lib/hashed-fields-lookup.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hashed-fields-lookup.d.ts","sourceRoot":"","sources":["../src/hashed-fields-lookup.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,eAAO,MAAM,aAAa;;;CAQhB,CAAC;AAEX,MAAM,MAAM,eAAe,GAAG,MAAM,OAAO,aAAa,CAAC;AAEzD;;GAEG;AACH,wBAAgB,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAExD"}

package/lib/hashed-fields-lookup.js

@@ -0,0 +1,25 @@
+"use strict";
+/**
+ * Encrypted Fields Registry
+ *
+ * Central registry of all PII fields that must be encrypted at rest.
+ * All fields use AES-256-GCM for authenticated encryption.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HASHED_FIELDS = void 0;
+exports.isHashedField = isHashedField;
+exports.HASHED_FIELDS = {
+    // User PII
+    'user.email': true,
+    'user.phoneNumber': true,
+    // Add project-specific PII fields here, e.g.:
+    // 'customer.email': true,
+    // 'address.addressLine1': true,
+};
+/**
+ * Check if a field path should be hashed
+ */
+function isHashedField(fieldPath) {
+    return fieldPath in exports.HASHED_FIELDS;
+}
+//# sourceMappingURL=hashed-fields-lookup.js.map

package/lib/hashed-fields-lookup.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hashed-fields-lookup.js","sourceRoot":"","sources":["../src/hashed-fields-lookup.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAiBH,sCAEC;AAjBY,QAAA,aAAa,GAAG;IAC3B,WAAW;IACX,YAAY,EAAE,IAAI;IAClB,kBAAkB,EAAE,IAAI;IAExB,8CAA8C;IAC9C,0BAA0B;IAC1B,gCAAgC;CACxB,CAAC;AAIX;;GAEG;AACH,SAAgB,aAAa,CAAC,SAAiB;IAC7C,OAAO,SAAS,IAAI,qBAAa,CAAC;AACpC,CAAC"}

package/lib/hasher.d.ts

@@ -0,0 +1,28 @@
+/**
+ * PII Encryption Utilities
+ *
+ * Encrypt PII fields before storage using AES-256-GCM.
+ * AES-256-GCM provides authenticated encryption with reversible decryption.
+ *
+ * Encrypted format: `${iv}:${encrypted}:${authTag}` (all base64 encoded)
+ */
+/**
+ * Encrypt a single value using AES-256-GCM
+ *
+ * @param value - Plaintext value to encrypt
+ * @returns Encrypted value in format: `${iv}:${encrypted}:${authTag}` (base64)
+ */
+export declare function hashValue(value: string): string;
+/**
+ * Hash all PII fields in an object based on entity type
+ *
+ * @param data - Object containing fields to hash
+ * @param entityType - Type of entity ('user', 'contact', 'address')
+ * @returns New object with hashed fields
+ *
+ * @example
+ * hashFields({ email: 'test@example.com' }, 'user')
+ * // Returns { email: '$2b$10$...' }
+ */
+export declare function hashFields<T extends Record<string, unknown>>(data: T, entityType: 'user' | 'contact' | 'address'): T;
+//# sourceMappingURL=hasher.d.ts.map

package/lib/hasher.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hasher.d.ts","sourceRoot":"","sources":["../src/hasher.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAmCH;;;;;GAKG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAkB/C;AAGD;;;;;;;;;;GAUG;AACH,wBAAgB,UAAU,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC1D,IAAI,EAAE,CAAC,EACP,UAAU,EAAE,MAAM,GAAG,SAAS,GAAG,SAAS,GACzC,CAAC,CAkBH"}

package/lib/hasher.js

@@ -0,0 +1,115 @@
+"use strict";
+/**
+ * PII Encryption Utilities
+ *
+ * Encrypt PII fields before storage using AES-256-GCM.
+ * AES-256-GCM provides authenticated encryption with reversible decryption.
+ *
+ * Encrypted format: `${iv}:${encrypted}:${authTag}` (all base64 encoded)
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.hashValue = hashValue;
+exports.hashFields = hashFields;
+const crypto = __importStar(require("crypto"));
+const hashed_fields_lookup_1 = require("./hashed-fields-lookup");
+// AES-256-GCM configuration
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 12; // 96 bits for GCM
+const KEY_LENGTH = 32; // 256 bits
+/**
+ * Get encryption key from environment
+ * Key must be 32 bytes (64 hex characters) for AES-256
+ */
+function getEncryptionKey() {
+    const keyHex = process.env.PII_ENCRYPTION_KEY;
+    if (!keyHex) {
+        throw new Error('PII_ENCRYPTION_KEY not found in environment. ' +
+            'Generate with: openssl rand -hex 32');
+    }
+    // Validate key length
+    if (keyHex.length !== KEY_LENGTH * 2) {
+        throw new Error(`PII_ENCRYPTION_KEY must be ${KEY_LENGTH * 2} hex characters (${KEY_LENGTH} bytes). ` +
+            `Current length: ${keyHex.length}`);
+    }
+    return Buffer.from(keyHex, 'hex');
+}
+/**
+ * Encrypt a single value using AES-256-GCM
+ *
+ * @param value - Plaintext value to encrypt
+ * @returns Encrypted value in format: `${iv}:${encrypted}:${authTag}` (base64)
+ */
+function hashValue(value) {
+    const key = getEncryptionKey();
+    // Generate random IV (initialization vector)
+    const iv = crypto.randomBytes(IV_LENGTH);
+    // Create cipher
+    const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
+    // Encrypt the value
+    let encrypted = cipher.update(value, 'utf8', 'base64');
+    encrypted += cipher.final('base64');
+    // Get authentication tag
+    const authTag = cipher.getAuthTag();
+    // Return in format: iv:encrypted:authTag (all base64)
+    return `${iv.toString('base64')}:${encrypted}:${authTag.toString('base64')}`;
+}
+/**
+ * Hash all PII fields in an object based on entity type
+ *
+ * @param data - Object containing fields to hash
+ * @param entityType - Type of entity ('user', 'contact', 'address')
+ * @returns New object with hashed fields
+ *
+ * @example
+ * hashFields({ email: 'test@example.com' }, 'user')
+ * // Returns { email: '$2b$10$...' }
+ */
+function hashFields(data, entityType) {
+    const result = Object.assign({}, data);
+    // Iterate through top-level fields and check if they should be hashed
+    for (const fieldName of Object.keys(result)) {
+        const fieldPath = `${entityType}.${fieldName}`;
+        if ((0, hashed_fields_lookup_1.isHashedField)(fieldPath)) {
+            const value = result[fieldName];
+            // Only hash non-null, non-empty strings
+            if (value && typeof value === 'string' && value.length > 0) {
+                result[fieldName] = hashValue(value);
+            }
+        }
+    }
+    return result;
+}
+//# sourceMappingURL=hasher.js.map

package/lib/hasher.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hasher.js","sourceRoot":"","sources":["../src/hasher.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAyCH,8BAkBC;AAcD,gCAqBC;AA5FD,+CAAiC;AACjC,iEAAuD;AAEvD,4BAA4B;AAC5B,MAAM,SAAS,GAAG,aAAa,CAAC;AAChC,MAAM,SAAS,GAAG,EAAE,CAAC,CAAC,kBAAkB;AACxC,MAAM,UAAU,GAAG,EAAE,CAAC,CAAC,WAAW;AAElC;;;GAGG;AACH,SAAS,gBAAgB;IACvB,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;IAE9C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CACb,+CAA+C;YAC/C,qCAAqC,CACtC,CAAC;IACJ,CAAC;IAED,sBAAsB;IACtB,IAAI,MAAM,CAAC,MAAM,KAAK,UAAU,GAAG,CAAC,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CACb,8BAA8B,UAAU,GAAG,CAAC,oBAAoB,UAAU,WAAW;YACrF,mBAAmB,MAAM,CAAC,MAAM,EAAE,CACnC,CAAC;IACJ,CAAC;IAED,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;AACpC,CAAC;AAED;;;;;GAKG;AACH,SAAgB,SAAS,CAAC,KAAa;IACrC,MAAM,GAAG,GAAG,gBAAgB,EAAE,CAAC;IAE/B,6CAA6C;IAC7C,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;IAEzC,gBAAgB;IAChB,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAEzD,oBAAoB;IACpB,IAAI,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IACvD,SAAS,IAAI,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IAEpC,yBAAyB;IACzB,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAEpC,sDAAsD;IACtD,OAAO,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;AAC/E,CAAC;AAGD;;;;;;;;;;GAUG;AACH,SAAgB,UAAU,CACxB,IAAO,EACP,UAA0C;IAE1C,MAAM,MAAM,qBAAQ,IAAI,CAAE,CAAC;IAE3B,sEAAsE;IACtE,KAAK,MAAM,SAAS,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QAC5C,MAAM,SAAS,GAAG,GAAG,UAAU,IAAI,SAAS,EAAE,CAAC;QAE/C,IAAI,IAAA,oCAAa,EAAC,SAAS,CAAC,EAAE,CAAC;YAC7B,MAAM,KAAK,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC;YAEhC,wCAAwC;YACxC,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC1D,MAAkC,CAAC,SAAS,CAAC,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;YACpE,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/lib/index.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Hashing utilities barrel export
+ */
+export { HASHED_FIELDS, isHashedField } from './hashed-fields-lookup';
+export type { HashedFieldPath } from './hashed-fields-lookup';
+export { hashValue, hashFields } from './hasher';
+export { unhashValue, unhashFields } from './unhashing';
+//# sourceMappingURL=index.d.ts.map

package/lib/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACtE,YAAY,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAC9D,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC"}

package/lib/index.js

@@ -0,0 +1,16 @@
+"use strict";
+/**
+ * Hashing utilities barrel export
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.unhashFields = exports.unhashValue = exports.hashFields = exports.hashValue = exports.isHashedField = exports.HASHED_FIELDS = void 0;
+var hashed_fields_lookup_1 = require("./hashed-fields-lookup");
+Object.defineProperty(exports, "HASHED_FIELDS", { enumerable: true, get: function () { return hashed_fields_lookup_1.HASHED_FIELDS; } });
+Object.defineProperty(exports, "isHashedField", { enumerable: true, get: function () { return hashed_fields_lookup_1.isHashedField; } });
+var hasher_1 = require("./hasher");
+Object.defineProperty(exports, "hashValue", { enumerable: true, get: function () { return hasher_1.hashValue; } });
+Object.defineProperty(exports, "hashFields", { enumerable: true, get: function () { return hasher_1.hashFields; } });
+var unhashing_1 = require("./unhashing");
+Object.defineProperty(exports, "unhashValue", { enumerable: true, get: function () { return unhashing_1.unhashValue; } });
+Object.defineProperty(exports, "unhashFields", { enumerable: true, get: function () { return unhashing_1.unhashFields; } });
+//# sourceMappingURL=index.js.map

package/lib/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAAA;;GAEG;;;AAEH,+DAAsE;AAA7D,qHAAA,aAAa,OAAA;AAAE,qHAAA,aAAa,OAAA;AAErC,mCAAiD;AAAxC,mGAAA,SAAS,OAAA;AAAE,oGAAA,UAAU,OAAA;AAC9B,yCAAwD;AAA/C,wGAAA,WAAW,OAAA;AAAE,yGAAA,YAAY,OAAA"}

package/lib/unhashing.d.ts

@@ -0,0 +1,31 @@
+/**
+ * PII Decryption Utilities (Lazy Pattern)
+ *
+ * Decrypt PII fields on-demand when explicitly requested.
+ * Uses AES-256-GCM for authenticated decryption.
+ *
+ * Encrypted format: `${iv}:${encrypted}:${authTag}` (all base64 encoded)
+ */
+/**
+ * Decrypt a single value using AES-256-GCM
+ *
+ * @param encryptedValue - Encrypted value in format: `${iv}:${encrypted}:${authTag}` (base64)
+ * @returns Decrypted plaintext value
+ * @throws Error if decryption fails or format is invalid
+ */
+export declare function unhashValue(value: string): string;
+/**
+ * Unhash specific fields in an object (lazy pattern)
+ *
+ * Services explicitly request which fields to unhash.
+ * No automatic unhashing on every GET request.
+ *
+ * @param data - Object containing hashed fields
+ * @param fieldsToUnhash - Array of field paths to unhash (e.g., ['contact.email'])
+ * @returns New object with unhashed fields
+ *
+ * @example
+ * unhashFields(contactData, ['contact.email', 'contact.phoneNumber'])
+ */
+export declare function unhashFields<T extends Record<string, unknown>>(data: T, fieldsToUnhash: string[]): T;
+//# sourceMappingURL=unhashing.d.ts.map

package/lib/unhashing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"unhashing.d.ts","sourceRoot":"","sources":["../src/unhashing.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AA2CH;;;;;;GAMG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAgCjD;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,YAAY,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC5D,IAAI,EAAE,CAAC,EACP,cAAc,EAAE,MAAM,EAAE,GACvB,CAAC,CA0BH"}

package/lib/unhashing.js

@@ -0,0 +1,143 @@
+"use strict";
+/**
+ * PII Decryption Utilities (Lazy Pattern)
+ *
+ * Decrypt PII fields on-demand when explicitly requested.
+ * Uses AES-256-GCM for authenticated decryption.
+ *
+ * Encrypted format: `${iv}:${encrypted}:${authTag}` (all base64 encoded)
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.unhashValue = unhashValue;
+exports.unhashFields = unhashFields;
+const crypto = __importStar(require("crypto"));
+const hashed_fields_lookup_1 = require("./hashed-fields-lookup");
+// AES-256-GCM configuration
+const ALGORITHM = 'aes-256-gcm';
+const KEY_LENGTH = 32; // 256 bits
+/**
+ * Get encryption key from environment
+ * Key must be 32 bytes (64 hex characters) for AES-256
+ */
+function getEncryptionKey() {
+    const keyHex = process.env.PII_ENCRYPTION_KEY;
+    if (!keyHex) {
+        throw new Error('PII_ENCRYPTION_KEY not found in environment. ' +
+            'Generate with: openssl rand -hex 32');
+    }
+    // Validate key length
+    if (keyHex.length !== KEY_LENGTH * 2) {
+        throw new Error(`PII_ENCRYPTION_KEY must be ${KEY_LENGTH * 2} hex characters (${KEY_LENGTH} bytes). ` +
+            `Current length: ${keyHex.length}`);
+    }
+    return Buffer.from(keyHex, 'hex');
+}
+/**
+ * Check if a value appears to be AES-256-GCM encrypted
+ * Format: iv:encrypted:authTag (base64 strings separated by colons)
+ */
+function isEncrypted(value) {
+    const parts = value.split(':');
+    return parts.length === 3 && parts.every(part => part.length > 0);
+}
+/**
+ * Decrypt a single value using AES-256-GCM
+ *
+ * @param encryptedValue - Encrypted value in format: `${iv}:${encrypted}:${authTag}` (base64)
+ * @returns Decrypted plaintext value
+ * @throws Error if decryption fails or format is invalid
+ */
+function unhashValue(value) {
+    // Validate format
+    if (!isEncrypted(value)) {
+        throw new Error('Invalid encrypted value format. ' +
+            'Expected: iv:encrypted:authTag (base64)');
+    }
+    const key = getEncryptionKey();
+    // Parse encrypted value components
+    const [ivBase64, encryptedBase64, authTagBase64] = value.split(':');
+    const iv = Buffer.from(ivBase64, 'base64');
+    const authTag = Buffer.from(authTagBase64, 'base64');
+    // Create decipher
+    const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(authTag);
+    try {
+        // Decrypt the value
+        let decrypted = decipher.update(encryptedBase64, 'base64', 'utf8');
+        decrypted += decipher.final('utf8');
+        return decrypted;
+    }
+    catch (error) {
+        throw new Error('Decryption failed. This may indicate data corruption or wrong encryption key. ' +
+            `Original error: ${error instanceof Error ? error.message : String(error)}`);
+    }
+}
+/**
+ * Unhash specific fields in an object (lazy pattern)
+ *
+ * Services explicitly request which fields to unhash.
+ * No automatic unhashing on every GET request.
+ *
+ * @param data - Object containing hashed fields
+ * @param fieldsToUnhash - Array of field paths to unhash (e.g., ['contact.email'])
+ * @returns New object with unhashed fields
+ *
+ * @example
+ * unhashFields(contactData, ['contact.email', 'contact.phoneNumber'])
+ */
+function unhashFields(data, fieldsToUnhash) {
+    const result = Object.assign({}, data);
+    for (const fieldPath of fieldsToUnhash) {
+        // Validate that this field is actually an encrypted field
+        if (!(0, hashed_fields_lookup_1.isHashedField)(fieldPath)) {
+            continue;
+        }
+        // Extract entity type and field name from path
+        // e.g., 'contact.email' -> entityType='contact', fieldName='email'
+        const parts = fieldPath.split('.');
+        if (parts.length !== 2) {
+            continue;
+        }
+        const fieldName = parts[1];
+        const value = result[fieldName];
+        // Only attempt to decrypt string values that appear to be encrypted
+        if (value && typeof value === 'string' && isEncrypted(value)) {
+            result[fieldName] = unhashValue(value);
+        }
+    }
+    return result;
+}
+//# sourceMappingURL=unhashing.js.map

package/lib/unhashing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"unhashing.js","sourceRoot":"","sources":["../src/unhashing.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkDH,kCAgCC;AAeD,oCA6BC;AA5HD,+CAAiC;AACjC,iEAAuD;AAEvD,4BAA4B;AAC5B,MAAM,SAAS,GAAG,aAAa,CAAC;AAChC,MAAM,UAAU,GAAG,EAAE,CAAC,CAAC,WAAW;AAElC;;;GAGG;AACH,SAAS,gBAAgB;IACvB,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;IAE9C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CACb,+CAA+C;YAC/C,qCAAqC,CACtC,CAAC;IACJ,CAAC;IAED,sBAAsB;IACtB,IAAI,MAAM,CAAC,MAAM,KAAK,UAAU,GAAG,CAAC,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CACb,8BAA8B,UAAU,GAAG,CAAC,oBAAoB,UAAU,WAAW;YACrF,mBAAmB,MAAM,CAAC,MAAM,EAAE,CACnC,CAAC;IACJ,CAAC;IAED,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;AACpC,CAAC;AAED;;;GAGG;AACH,SAAS,WAAW,CAAC,KAAa;IAChC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,OAAO,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;AACpE,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,WAAW,CAAC,KAAa;IACvC,kBAAkB;IAClB,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CACb,kCAAkC;YAClC,yCAAyC,CAC1C,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,gBAAgB,EAAE,CAAC;IAE/B,mCAAmC;IACnC,MAAM,CAAC,QAAQ,EAAE,eAAe,EAAE,aAAa,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACpE,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAC3C,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAC;IAErD,kBAAkB;IAClB,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAC7D,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IAE7B,IAAI,CAAC;QACH,oBAAoB;QACpB,IAAI,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,eAAe,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;QACnE,SAAS,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAEpC,OAAO,SAAS,CAAC;IACnB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,gFAAgF;YAChF,mBAAmB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAC5E,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,SAAgB,YAAY,CAC1B,IAAO,EACP,cAAwB;IAExB,MAAM,MAAM,qBAAQ,IAAI,CAAE,CAAC;IAE3B,KAAK,MAAM,SAAS,IAAI,cAAc,EAAE,CAAC;QACvC,0DAA0D;QAC1D,IAAI,CAAC,IAAA,oCAAa,EAAC,SAAS,CAAC,EAAE,CAAC;YAC9B,SAAS;QACX,CAAC;QAED,+CAA+C;QAC/C,mEAAmE;QACnE,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,SAAS;QACX,CAAC;QAED,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAC3B,MAAM,KAAK,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC;QAEhC,oEAAoE;QACpE,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5D,MAAkC,CAAC,SAAS,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;QACtE,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/package.json

@@ -0,0 +1,22 @@
+{
+  "name": "@xbg.solutions/utils-hashing",
+  "version": "1.0.0",
+  "description": "PII encryption with AES-256-GCM and field-level hashing",
+  "main": "lib/index.js",
+  "types": "lib/index.d.ts",
+  "files": ["lib"],
+  "scripts": {
+    "build": "tsc",
+    "build:watch": "tsc --watch",
+    "clean": "rm -rf lib",
+    "prepublishOnly": "npm run build"
+  },
+  "dependencies": {"lodash": "^4.17.21"},
+  "devDependencies": {"@types/lodash": "^4.14.202", "@types/node": "^20.11.0", "typescript": "^5.3.3"},
+  "engines": {
+    "node": "22"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
+}