mask-privacy 3.5.1 → 4.0.0

package/dist/index.d.mts

@@ -69,6 +69,8 @@ interface Span {
     confidence: number;
     method: string;
     language?: string;
+    ruleId?: string;
+    complianceScope?: ReadonlySet<string>;
     maskedValue?: string;
 }
 
@@ -371,6 +373,8 @@ interface PatternDescriptor {
     validatorTag: string | null;
     isHighEntropy: boolean;
     supportedLocales: string[];
+    ruleId: string;
+    complianceScope: ReadonlySet<string>;
 }
 /**
  * Immutable catalogue of sensitive-data regex signatures.

package/dist/index.d.ts

@@ -69,6 +69,8 @@ interface Span {
     confidence: number;
     method: string;
     language?: string;
+    ruleId?: string;
+    complianceScope?: ReadonlySet<string>;
     maskedValue?: string;
 }
 
@@ -371,6 +373,8 @@ interface PatternDescriptor {
     validatorTag: string | null;
     isHighEntropy: boolean;
     supportedLocales: string[];
+    ruleId: string;
+    complianceScope: ReadonlySet<string>;
 }
 /**
  * Immutable catalogue of sensitive-data regex signatures.

package/dist/index.js

@@ -3,7 +3,7 @@
 var process2 = require('process');
 var path = require('path');
 var os = require('os');
-var cryptoNode = require('crypto');
+var crypto2 = require('crypto');
 var buffer = require('buffer');
 var stream = require('stream');
 var https = require('https');
@@ -38,7 +38,7 @@ function _interopNamespace(e) {
 var process2__namespace = /*#__PURE__*/_interopNamespace(process2);
 var path__namespace = /*#__PURE__*/_interopNamespace(path);
 var os__namespace = /*#__PURE__*/_interopNamespace(os);
-var cryptoNode__namespace = /*#__PURE__*/_interopNamespace(cryptoNode);
+var crypto2__namespace = /*#__PURE__*/_interopNamespace(crypto2);
 var http2__default = /*#__PURE__*/_interopDefault(http2);
 var fs__default = /*#__PURE__*/_interopDefault(fs$1);
 
@@ -114,6 +114,16 @@ var init_config = __esm({
       get MASK_LOG_LEVEL() {
         return (process2__namespace.env.MASK_LOG_LEVEL || "info").toLowerCase();
       },
+      // --- COMPLIANCE & PRIVACY (Bijective) ---
+      get MASK_TENANT_ID() {
+        return process2__namespace.env.MASK_TENANT_ID || "global-default-tenant";
+      },
+      get MASK_SALT_ROTATION() {
+        return (process2__namespace.env.MASK_SALT_ROTATION || "NONE").toUpperCase();
+      },
+      get MASK_BIJECTIVE_MODE() {
+        return getEnvBool("MASK_BIJECTIVE_MODE", true);
+      },
       // --- SECURITY & CRYPTOGRAPHY ---
       get MASK_ENCRYPTION_KEY() {
         return process2__namespace.env.MASK_ENCRYPTION_KEY || null;
@@ -252,6 +262,216 @@ var init_exceptions = __esm({
   }
 });
 
+// src/core/synthesisLibrary.ts
+var FIRST_NAMES, CONNECTORS, SURNAME_ROOTS, SURNAME_SUFFIXES, SYLLABLES;
+var init_synthesisLibrary = __esm({
+  "src/core/synthesisLibrary.ts"() {
+    FIRST_NAMES = [
+      "James",
+      "Mary",
+      "Robert",
+      "Patricia",
+      "John",
+      "Jennifer",
+      "Michael",
+      "Linda",
+      "David",
+      "Elizabeth",
+      "William",
+      "Barbara",
+      "Richard",
+      "Susan",
+      "Joseph",
+      "Jessica"
+    ];
+    while (FIRST_NAMES.length < 2048) {
+      FIRST_NAMES.push(`NameEx_${FIRST_NAMES.length}`);
+    }
+    CONNECTORS = [
+      "of",
+      "from",
+      "van",
+      "del",
+      "di",
+      "von",
+      "le",
+      "la",
+      "de",
+      "el",
+      "the",
+      "near",
+      "at",
+      "by",
+      "under",
+      "over",
+      "across",
+      "beyond",
+      "within",
+      "without",
+      "and",
+      "with",
+      "aka",
+      "alias",
+      "formally",
+      "lately",
+      "born",
+      "styled",
+      "known",
+      "called",
+      "st",
+      "al",
+      "bin",
+      "ibn",
+      "abu",
+      "ben",
+      "bar",
+      "fitz",
+      "mac",
+      "mc",
+      "o",
+      "da",
+      "dos",
+      "das",
+      "do",
+      "du",
+      "della",
+      "degli",
+      "dei",
+      "delle",
+      "sur",
+      "ter",
+      "ten",
+      "zu",
+      "zum",
+      "zur",
+      "auf",
+      "an",
+      "der",
+      "die",
+      "das",
+      "pro",
+      "anti",
+      "ex",
+      "quasi"
+    ];
+    SURNAME_ROOTS = [
+      "Silver",
+      "Gold",
+      "Iron",
+      "Stone",
+      "Rock",
+      "Wood",
+      "Leaf",
+      "Rain",
+      "Snow",
+      "Wind",
+      "Storm",
+      "Cloud",
+      "Sun",
+      "Moon",
+      "Star",
+      "Sky",
+      "Sea",
+      "Lake",
+      "River",
+      "Brook",
+      "Hill",
+      "Mount",
+      "Vale",
+      "Glen",
+      "Dale",
+      "Field",
+      "Meadow",
+      "Forest",
+      "Grove",
+      "Wild"
+    ];
+    while (SURNAME_ROOTS.length < 4096) {
+      SURNAME_ROOTS.push(`RootEx_${SURNAME_ROOTS.length}`);
+    }
+    SURNAME_SUFFIXES = [
+      "son",
+      "man",
+      "field",
+      "wood",
+      "berg",
+      "stein",
+      "ov",
+      "ova",
+      "ski",
+      "ska",
+      "ez",
+      "ez",
+      "ia",
+      "ic",
+      "os",
+      "as",
+      "is",
+      "us",
+      "er",
+      "en",
+      "ard",
+      "ier",
+      "eau",
+      "oux",
+      "ly",
+      "ley",
+      "ton",
+      "don",
+      "ham",
+      "ford",
+      "wick",
+      "shire",
+      "land",
+      "way",
+      "side",
+      "gate",
+      "bridge",
+      "well",
+      "pool",
+      "cliff",
+      "bank",
+      "shore",
+      "hart",
+      "foot",
+      "head",
+      "more",
+      "less",
+      "ness",
+      "ship",
+      "ward"
+    ];
+    while (SURNAME_SUFFIXES.length < 512) {
+      SURNAME_SUFFIXES.push(`SuffixEx_${SURNAME_SUFFIXES.length}`);
+    }
+    SYLLABLES = [
+      "San",
+      "Ver",
+      "Dina",
+      "Lon",
+      "Don",
+      "Chi",
+      "Ca",
+      "Go",
+      "New",
+      "York",
+      "Los",
+      "An",
+      "Ge",
+      "Les",
+      "Pa",
+      "Ris",
+      "Ber",
+      "Lin",
+      "Mad",
+      "Rid"
+    ];
+    while (SYLLABLES.length < 1e3) {
+      SYLLABLES.push(`Syl_${SYLLABLES.length}`);
+    }
+  }
+});
+
 // src/core/fpe_utils.ts
 function looksLikeToken(value) {
   if (typeof value !== "string") return false;
@@ -286,13 +506,20 @@ function looksLikeToken(value) {
   if (v7.startsWith("[TKN-") && v7.endsWith("]")) {
     return true;
   }
+  if (v7.includes("-") && v7.length >= 6) {
+    const parts = v7.split("-");
+    const tag = parts[parts.length - 1];
+    if (tag.length === 4 && /^\d+$/.test(tag)) {
+      return true;
+    }
+  }
   return false;
 }
 var TOKEN_PATTERN;
 var init_fpe_utils = __esm({
   "src/core/fpe_utils.ts"() {
     TOKEN_PATTERN = new RegExp(
-      "tkn-[a-f0-9]{8,64}@[A-Za-z0-9.\\-]+\\.[A-Za-z]{2,}|\\+[1-9]\\d{0,3}-555-\\d{7}|000-00-\\d{4}|4000-0000-0000-\\d{4}|000000\\d{3}|000\\d{5}[A-Z]|[A-Z]{2}00[A-F0-9]{4,16}|<(?:PER|LOC|ORG):[^>]+>|\\[TKN-[a-f0-9]{8,64}\\]",
+      "tkn-[a-f0-9]{8,64}@[A-Za-z0-9.\\-]+\\.[A-Za-z]{2,}|\\+[1-9]\\d{0,3}-555-\\d{7}|000-00-\\d{4}|4000-0000-0000-\\d{4}|000000\\d{3}|000\\d{5}[A-Z]|[A-Z]{2}00[A-F0-9]{4,16}|<(?:PER|LOC|ORG):[^>]+>|\\b[A-Z][a-zA-Z, ]+-[0-9]{3,4}\\b|\\\\[TKN-[a-f0-9]{8,64}\\\\]",
       // Opaque
       "g"
     );
@@ -307,7 +534,7 @@ async function _getMasterKey() {
     }
     if (!raw) {
       if (config.MASK_DEV_MODE) {
-        raw = cryptoNode__namespace.randomBytes(32).toString("hex");
+        raw = crypto2__namespace.randomBytes(32).toString("hex");
         process.env.MASK_MASTER_KEY = raw;
       } else {
         throw new exports.MaskSecurityError(
@@ -324,27 +551,64 @@ function resetMasterKey() {
 }
 async function _hmacHex(plaintext, n6 = 8) {
   const masterKey = await _getMasterKey();
-  const digest = cryptoNode__namespace.createHmac("sha256", masterKey).update(plaintext, "utf-8").digest("hex");
+  const digest = crypto2__namespace.createHmac("sha256", masterKey).update(plaintext, "utf-8").digest("hex");
   return digest.slice(0, n6);
 }
-async function _hmacDigits(plaintext, n6, offset = 0) {
+async function _hmacInt(plaintext) {
   const masterKey = await _getMasterKey();
-  const digest = cryptoNode__namespace.createHmac("sha256", masterKey).update(plaintext, "utf-8").digest("hex");
-  const result = [];
-  for (let i6 = offset; i6 < digest.length; i6++) {
-    const ch = digest[i6];
-    result.push((parseInt(ch, 16) % 10).toString());
-    if (result.length === n6) break;
+  const raw = crypto2__namespace.createHmac("sha256", masterKey).update(plaintext, "utf-8").digest();
+  let result = 0n;
+  for (let i6 = 0; i6 < 16; i6++) {
+    result = result << 8n | BigInt(raw[i6]);
   }
-  while (result.length < n6) {
-    result.push("0");
+  return result;
+}
+async function _hmacDigits(plaintext, n6, offset = 0) {
+  const salted = offset ? `${plaintext}::${offset}` : plaintext;
+  const seed = await _hmacInt(salted);
+  const modulus = 10n ** BigInt(n6);
+  return (seed % modulus).toString().padStart(n6, "0");
+}
+async function _getBijectiveTweak() {
+  const masterKey = await _getMasterKey();
+  let base = config.MASK_TENANT_ID;
+  if (config.MASK_SALT_ROTATION !== "NONE") {
+    const now = /* @__PURE__ */ new Date();
+    if (config.MASK_SALT_ROTATION === "MONTHLY") {
+      base += `-${now.getUTCFullYear()}-${now.getUTCMonth() + 1}`;
+    } else if (config.MASK_SALT_ROTATION === "YEARLY") {
+      base += `-${now.getUTCFullYear()}`;
+    }
   }
-  return result.join("");
+  return crypto2__namespace.createHmac("sha256", masterKey).update(base, "utf-8").digest();
 }
-async function _pickFromArray(plaintext, array) {
-  const digits = await _hmacDigits(plaintext, 8);
-  const num = parseInt(digits, 10);
-  return array[num % array.length];
+function _renderBijectivePerson(bits) {
+  const firstIdx = Number(bits & 0x7FFn);
+  const connIdx = Number(bits >> 11n & 0x3Fn);
+  const rootIdx = Number(bits >> 17n & 0xFFFn);
+  const suffixIdx = Number(bits >> 29n & 0x1FFn);
+  const tag = Number(bits >> 38n & 0x3FFFn);
+  const formatIdx = Number(bits >> 52n & 0xFn);
+  const first = FIRST_NAMES[firstIdx % FIRST_NAMES.length];
+  const conn = CONNECTORS[connIdx % CONNECTORS.length];
+  const root = SURNAME_ROOTS[rootIdx % SURNAME_ROOTS.length];
+  const suffix = SURNAME_SUFFIXES[suffixIdx % SURNAME_SUFFIXES.length];
+  const surname = `${root}${suffix}`;
+  const numeric = tag % 1e4;
+  const paddedNumeric = numeric.toString().padStart(4, "0");
+  if (formatIdx === 0) return `${first} ${conn} ${surname}-${paddedNumeric}`;
+  if (formatIdx === 1) return `${surname}, ${first}-${paddedNumeric}`;
+  if (formatIdx === 2) return `${first[0]}. ${surname}-${paddedNumeric}`;
+  if (formatIdx === 3) return `${first} ${surname}-${paddedNumeric}`;
+  return `${first} ${surname}-${paddedNumeric}`;
+}
+function _renderBijectiveLocation(bits) {
+  const s1 = Number(bits & 0x3FFn);
+  const s22 = Number(bits >> 10n & 0x3FFn);
+  const s32 = Number(bits >> 20n & 0x3FFn);
+  const tag = Number(bits >> 30n & 0xFFFn);
+  const city = `${SYLLABLES[s1 % 1e3]}${SYLLABLES[s22 % 1e3].toLowerCase()}${SYLLABLES[s32 % 1e3].toLowerCase()}`;
+  return `${city}-${tag.toString().padStart(3, "0")}`;
 }
 function _computeLuhnDigit(partialNum) {
   const digits = partialNum.split("").map(Number);
@@ -407,26 +671,41 @@ async function generateFPEToken(rawText, entityType = "UNKNOWN") {
     return digits + _computeEsIdCheck(parseInt(digits, 10));
   }
   if (type === "PERSON" || type === "PERSON_NAME") {
-    const f6 = await _pickFromArray(text, _FIRST_NAMES);
-    const l6 = await _pickFromArray(text + "last", _LAST_NAMES);
-    return `<PER:${f6}_${l6}>`;
+    if (config.MASK_BIJECTIVE_MODE) {
+      const canonical = text.toLowerCase().trim();
+      const hash = crypto2__namespace.createHash("sha256").update(canonical, "utf-8").digest();
+      const inputInt = hash.readBigUInt64BE(0);
+      const masterKey = await _getMasterKey();
+      const engine = new FF1(masterKey.slice(0, 16), await _getBijectiveTweak());
+      const cipher = engine.encrypt(inputInt);
+      return _renderBijectivePerson(cipher);
+    }
+    return `[TKN-PERSON-${await _hmacHex(text)}]`;
   }
   if (type === "LOCATION" || type === "PHYS_ADDRESS") {
-    const c6 = await _pickFromArray(text, _CITIES);
-    return `<LOC:${c6}>`;
+    if (config.MASK_BIJECTIVE_MODE) {
+      const canonical = text.toLowerCase().trim();
+      const hash = crypto2__namespace.createHash("sha256").update(canonical, "utf-8").digest();
+      const inputInt = hash.readBigUInt64BE(0);
+      const masterKey = await _getMasterKey();
+      const engine = new FF1(masterKey.slice(0, 16), await _getBijectiveTweak());
+      const cipher = engine.encrypt(inputInt);
+      return _renderBijectiveLocation(cipher);
+    }
+    return `[TKN-LOC-${await _hmacHex(text)}]`;
   }
   if (type === "ORGANIZATION") {
-    const c6 = await _pickFromArray(text, _LAST_NAMES);
-    return `<ORG:${c6}_Inc>`;
+    return `[TKN-ORG-${await _hmacHex(text)}]`;
   }
   return `[TKN-${await _hmacHex(text)}]`;
 }
-var _masterKey, _EMAIL_RE, _PHONE_RE, _SSN_RE, _CC_RE, _ROUTING_RE, _ES_ID_RE, _IBAN_RE, _FIRST_NAMES, _LAST_NAMES, _CITIES;
+var _masterKey, _EMAIL_RE, _PHONE_RE, _SSN_RE, _CC_RE, _ROUTING_RE, _ES_ID_RE, _IBAN_RE, FF1;
 var init_fpe = __esm({
   "src/core/fpe.ts"() {
     init_config();
     init_key_provider();
     init_exceptions();
+    init_synthesisLibrary();
     init_fpe_utils();
     _masterKey = null;
     _EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;
@@ -436,9 +715,49 @@ var init_fpe = __esm({
     _ROUTING_RE = /^\d{9}$/;
     _ES_ID_RE = /^(?:\d{8}[A-Z]|[XYZ]\d{7}[A-Z])$/;
     _IBAN_RE = /^[A-Z]{2}\d{2}[A-Z0-9]{4,30}$/;
-    _FIRST_NAMES = ["Taylor", "Jordan", "Casey", "Morgan", "Riley", "Avery", "Rowan", "Quinn", "Charlie", "Peyton", "Blake", "Dakota", "Reese", "Skyler", "Finley", "Eden", "Harley", "Rory", "Emerson", "Remi"];
-    _LAST_NAMES = ["Smith", "Johnson", "Williams", "Brown", "Jones", "Garcia", "Miller", "Davis", "Rodriguez", "Martinez", "Hernandez", "Lopez", "Gonzalez", "Wilson", "Anderson", "Thomas", "Taylor", "Moore", "Jackson", "Martin"];
-    _CITIES = ["London", "Paris", "Berlin", "Tokyo", "Rome", "Madrid", "Vienna", "Sydney", "Toronto", "Chicago", "Seattle", "Austin", "Boston", "Denver", "Dallas", "Miami", "Seoul", "Dubai", "Mumbai", "Cairo"];
+    FF1 = class {
+      /** NIST SP 800-38G FF1 implementation (simplified for 64-bit domains). */
+      constructor(key, tweak) {
+        this.key = key;
+        this.tweak = tweak;
+      }
+      encrypt(n6) {
+        let A3 = n6 >> 32n;
+        let B3 = n6 & 0xFFFFFFFFn;
+        const radix = 2n ** 32n;
+        for (let i6 = 0; i6 < 10; i6++) {
+          const tweakInfoBuffer = Buffer.alloc(8);
+          tweakInfoBuffer.writeUInt32BE(i6, 0);
+          tweakInfoBuffer.writeUInt32BE(Number(B3), 4);
+          const tweakInfoCombined = Buffer.concat([this.tweak, tweakInfoBuffer]);
+          const h6 = crypto2__namespace.createHmac("sha256", this.key).update(tweakInfoCombined).digest();
+          const roundVal = BigInt(h6.readUInt32BE(0));
+          const Anext = B3;
+          const Bnext = (A3 + roundVal) % radix;
+          A3 = Anext;
+          B3 = Bnext;
+        }
+        return A3 << 32n | B3;
+      }
+      decrypt(n6) {
+        let A3 = n6 >> 32n;
+        let B3 = n6 & 0xFFFFFFFFn;
+        const radix = 2n ** 32n;
+        for (let i6 = 9; i6 >= 0; i6--) {
+          const tweakInfoBuffer = Buffer.alloc(8);
+          tweakInfoBuffer.writeUInt32BE(i6, 0);
+          tweakInfoBuffer.writeUInt32BE(Number(A3), 4);
+          const tweakInfoCombined = Buffer.concat([this.tweak, tweakInfoBuffer]);
+          const h6 = crypto2__namespace.createHmac("sha256", this.key).update(tweakInfoCombined).digest();
+          const roundVal = BigInt(h6.readUInt32BE(0));
+          const Bprev = A3;
+          const Aprev = (B3 - roundVal + radix) % radix;
+          A3 = Aprev;
+          B3 = Bprev;
+        }
+        return A3 << 32n | B3;
+      }
+    };
   }
 });
 
@@ -2906,7 +3225,7 @@ var init_crypto = __esm({
         let key;
         if (!keyFromProvider) {
           if (config.MASK_DEV_MODE) {
-            key = cryptoNode__namespace.randomBytes(32).toString("base64");
+            key = crypto2__namespace.randomBytes(32).toString("base64");
             process.env.MASK_ENCRYPTION_KEY = key;
             console.warn(
               "MASK_DEV_MODE is enabled. Using a generated throwaway key. DO NOT USE THIS IN PRODUCTION \u2014 tokens will be lost on restart."
@@ -2919,10 +3238,10 @@ var init_crypto = __esm({
         } else {
           key = keyFromProvider;
         }
-        this._aesKey = cryptoNode__namespace.createHash("sha256").update(key).digest();
+        this._aesKey = crypto2__namespace.createHash("sha256").update(key).digest();
         const masterKey = await provider.getMasterKey() || key;
         const salt = config.MASK_BLIND_INDEX_SALT;
-        this._indexSecret = cryptoNode__namespace.createHmac("sha256", masterKey).update(salt).digest();
+        this._indexSecret = crypto2__namespace.createHmac("sha256", masterKey).update(salt).digest();
       }
       /** Return the secret used for HMAC-based blind indexing. */
       async getIndexSecret() {
@@ -2935,8 +3254,8 @@ var init_crypto = __esm({
         if (!this._aesKey) {
           throw new Error("CryptoEngine not initialised. AES key missing.");
         }
-        const iv = cryptoNode__namespace.randomBytes(GCM_IV_BYTES);
-        const cipher = cryptoNode__namespace.createCipheriv(GCM_ALGORITHM, this._aesKey, iv);
+        const iv = crypto2__namespace.randomBytes(GCM_IV_BYTES);
+        const cipher = crypto2__namespace.createCipheriv(GCM_ALGORITHM, this._aesKey, iv);
         const encrypted = Buffer.concat([
           cipher.update(plaintext, "utf8"),
           cipher.final()
@@ -2968,7 +3287,7 @@ var init_crypto = __esm({
         const iv = combined.subarray(0, GCM_IV_BYTES);
         const authTag = combined.subarray(GCM_IV_BYTES, GCM_IV_BYTES + GCM_AUTH_TAG_BYTES);
         const encrypted = combined.subarray(GCM_IV_BYTES + GCM_AUTH_TAG_BYTES);
-        const decipher = cryptoNode__namespace.createDecipheriv(GCM_ALGORITHM, this._aesKey, iv);
+        const decipher = crypto2__namespace.createDecipheriv(GCM_ALGORITHM, this._aesKey, iv);
         decipher.setAuthTag(authTag);
         const decrypted = Buffer.concat([
           decipher.update(encrypted),
@@ -3152,7 +3471,8 @@ var init_audit_logger = __esm({
           this._buffer = [];
           this._bufferFullWarned = false;
           for (const evt of events) {
-            console.info(JSON.stringify(evt));
+            const json = JSON.stringify(evt, (_, v7) => typeof v7 === "bigint" ? v7.toString() : v7);
+            console.info(json);
           }
         } finally {
           this._isFlushing = false;
@@ -3216,7 +3536,7 @@ var init_search = __esm({
       static async getBucketIndex(bucketVal) {
         const engine = await getCryptoEngine();
         const secret = await engine.getIndexSecret();
-        return cryptoNode__namespace.createHmac("sha256", secret).update(bucketVal).digest("hex");
+        return crypto2__namespace.createHmac("sha256", secret).update(bucketVal).digest("hex");
       }
     };
   }
@@ -17760,7 +18080,7 @@ var init_date_utils = __esm({
 var randomUUID;
 var init_randomUUID = __esm({
   "node_modules/@smithy/uuid/dist-es/randomUUID.js"() {
-    randomUUID = cryptoNode__namespace.default.randomUUID.bind(cryptoNode__namespace.default);
+    randomUUID = crypto2__namespace.default.randomUUID.bind(crypto2__namespace.default);
   }
 });
 
@@ -27480,7 +27800,7 @@ var init_getSSOTokenFilepath = __esm({
   "node_modules/@smithy/shared-ini-file-loader/dist-es/getSSOTokenFilepath.js"() {
     init_getHomeDir();
     getSSOTokenFilepath = (id) => {
-      const hasher = cryptoNode.createHash("sha1");
+      const hasher = crypto2.createHash("sha1");
       const cacheName = hasher.update(id).digest("hex");
       return path.join(getHomeDir(), ".aws", "sso", "cache", `${cacheName}.json`);
     };
@@ -34145,7 +34465,7 @@ var init_dist_es46 = __esm({
         return Promise.resolve(this.hash.digest());
       }
       reset() {
-        this.hash = this.secret ? cryptoNode.createHmac(this.algorithmIdentifier, castSourceData(this.secret)) : cryptoNode.createHash(this.algorithmIdentifier);
+        this.hash = this.secret ? crypto2.createHmac(this.algorithmIdentifier, castSourceData(this.secret)) : crypto2.createHash(this.algorithmIdentifier);
       }
     };
   }
@@ -38380,7 +38700,7 @@ var init_LoginCredentialsFetcher = __esm({
       getTokenFilePath() {
         const directory = process.env.AWS_LOGIN_CACHE_DIRECTORY ?? path.join(os.homedir(), ".aws", "login", "cache");
         const loginSessionBytes = Buffer.from(this.loginSession, "utf8");
-        const loginSessionSha256 = cryptoNode.createHash("sha256").update(loginSessionBytes).digest("hex");
+        const loginSessionSha256 = crypto2.createHash("sha256").update(loginSessionBytes).digest("hex");
         return path.join(directory, `${loginSessionSha256}.json`);
       }
       derToRawSignature(derSignature) {
@@ -38425,12 +38745,12 @@ var init_LoginCredentialsFetcher = __esm({
       async generateDpop(method = "POST", endpoint) {
         const token = await this.loadToken();
         try {
-          const privateKey = cryptoNode.createPrivateKey({
+          const privateKey = crypto2.createPrivateKey({
             key: token.dpopKey,
             format: "pem",
             type: "sec1"
           });
-          const publicKey = cryptoNode.createPublicKey(privateKey);
+          const publicKey = crypto2.createPublicKey(privateKey);
           const publicDer = publicKey.export({ format: "der", type: "spki" });
           let pointStart = -1;
           for (let i6 = 0; i6 < publicDer.length; i6++) {
@@ -38460,7 +38780,7 @@ var init_LoginCredentialsFetcher = __esm({
           const headerB64 = Buffer.from(JSON.stringify(header)).toString("base64url");
           const payloadB64 = Buffer.from(JSON.stringify(payload)).toString("base64url");
           const message = `${headerB64}.${payloadB64}`;
-          const asn1Signature = cryptoNode.sign("sha256", Buffer.from(message), privateKey);
+          const asn1Signature = crypto2.sign("sha256", Buffer.from(message), privateKey);
           const rawSignature = this.derToRawSignature(asn1Signature);
           const signatureB64 = rawSignature.toString("base64url");
           return `${message}.${signatureB64}`;
@@ -42996,9 +43316,9 @@ function _getFailStrategy() {
 function _hashPlaintext(plaintext, secret) {
   const trimmed = plaintext.trim();
   if (secret) {
-    return cryptoNode__namespace.createHmac("sha256", secret).update(trimmed, "utf-8").digest("hex");
+    return crypto2__namespace.createHmac("sha256", secret).update(trimmed, "utf-8").digest("hex");
   }
-  return cryptoNode__namespace.createHash("sha256").update(trimmed, "utf-8").digest("hex");
+  return crypto2__namespace.createHash("sha256").update(trimmed, "utf-8").digest("hex");
 }
 function getVault() {
   if (_vaultInstance === null) {
@@ -43913,7 +44233,7 @@ var init_registry = __esm({
       }
       buildCatalogue(restrict) {
         for (const entry of RAW_PATTERNS) {
-          const [typeName, regexSource, terms, risk, cat, vtag, isHighEntropy, supportedLocales] = entry;
+          const [typeName, regexSource, terms, risk, cat, vtag, isHighEntropy, supportedLocales, ruleId, complianceScope] = entry;
           if (restrict !== null && !restrict.has(cat)) continue;
           let re;
           if (regexSource instanceof RegExp) {
@@ -43928,7 +44248,9 @@ var init_registry = __esm({
             category: cat,
             validatorTag: vtag,
             isHighEntropy: isHighEntropy ?? vtag !== null,
-            supportedLocales: supportedLocales ?? ["*"]
+            supportedLocales: supportedLocales ?? ["*"],
+            ruleId: ruleId ?? `MASK-${cat.slice(0, 3)}-${typeName}`,
+            complianceScope: new Set(complianceScope ?? [])
           });
         }
       }
@@ -59206,7 +59528,9 @@ var init_scanner = __esm({
                   originalValue: matchedStr,
                   confidence: conf,
                   method: "dlp_heuristic",
-                  language: detectedLanguage
+                  language: detectedLanguage,
+                  ruleId: descriptor.ruleId,
+                  complianceScope: descriptor.complianceScope
                 });
               }
             }