npm - mask-privacy - Versions diffs - 3.5.1 → 4.1.0 - Mend

mask-privacy 3.5.1 → 4.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (23) hide show

package/dist/index.d.mts +14 -12
package/dist/index.d.ts +14 -12
package/dist/index.js +749 -162
package/dist/index.js.map +1 -1
package/dist/index.mjs +744 -156
package/dist/index.mjs.map +1 -1
package/package.json +2 -1
package/src/config.ts +6 -0
package/src/core/crypto.ts +50 -15
package/src/core/dlp/registry.ts +7 -1
package/src/core/exceptions.ts +25 -0
package/src/core/ff1.ts +196 -0
package/src/core/fpe.ts +134 -74
package/src/core/fpe_utils.ts +24 -14
package/src/core/scanner.ts +2 -1
package/src/core/span.ts +3 -0
package/src/core/synthesisLibrary.ts +41 -0
package/src/core/vault.ts +66 -17
package/src/telemetry/audit_logger.ts +45 -1
package/tests/bijective_fpe.test.ts +107 -0
package/tests/fpe.test.ts +17 -8
package/tests/security_hardening.test.ts +26 -0
package/tests/vault.test.ts +67 -0

package/dist/index.d.mts CHANGED Viewed

@@ -1,11 +1,13 @@
 /** Interface every vault backend must implement. */
 declare abstract class BaseVault {
-    /** Persist a token → plaintext mapping with a TTL. Optionally save a reverse lookup hash. */
-    abstract store(token: string, plaintext: string, ttlSeconds: number, ptHash?: string | null): Promise<void>;
+    /** Persist a token → encrypted plaintext mapping with a TTL and optional compliance metadata. */
+    abstract store(token: string, plaintext: string, ttlSeconds: number, ptHash?: string | null, metadata?: Record<string, string> | null): Promise<void>;
     /** Return the existing unexpired token for a given plaintext hash, or null. */
     abstract getTokenByPlaintextHash(ptHash: string): Promise<string | null>;
     /** Return the plaintext for token, or null if missing/expired. */
     abstract retrieve(token: string): Promise<string | null>;
+    /** Return the plaintext hash stored for this token (used for collision detection), or null. */
+    abstract getPtHashForToken(token: string): Promise<string | null>;
     /** Delete a token and its reverse mapping. */
     abstract delete(token: string): Promise<void>;
 }
@@ -15,6 +17,7 @@ type EncodeOptions = {
     searchBuckets?: ('year' | 'month' | 'day' | 'numeric')[];
     searchBucketSize?: number;
     entityType?: string;
+    metadata?: Record<string, string> | null;
 };
 /**
  * Tokenise rawText, encrypt it, store in vault, return the FPE token.
@@ -41,18 +44,11 @@ declare const adetokenizeText: typeof detokenizeText;
 declare function looksLikeToken(value: string | any): boolean;
 /**
- * Format-Preserving Encryption (FPE) token generation.
- *
- * Generates structurally valid, **deterministic** tokens that preserve the
- * format of the original data type so downstream tools, schemas, and
- * validators continue to work without modification.
+ * Deterministic Pseudonymization (DP) token generation using NIST SP 800-38G FF1.
  */
-/** Clear the cached master key. Useful in tests. */
 declare function resetMasterKey(): void;
-/**
- * Return a **deterministic**, format-preserving token for rawText using its entityType.
- */
-declare function generateFPEToken(rawText: string, entityType?: string): Promise<string>;
+declare function generateDPToken(rawText: string, entityType?: string): Promise<string>;
+declare const generateFPEToken: typeof generateDPToken;
 /**
  * Span Resolution Engine — Sweep-Line Overlap Resolver (TypeScript).
@@ -69,6 +65,8 @@ interface Span {
     confidence: number;
     method: string;
     language?: string;
+    ruleId?: string;
+    complianceScope?: ReadonlySet<string>;
     maskedValue?: string;
 }
@@ -234,6 +232,8 @@ declare class AuditLogger {
     private _strictMode;
     private _bufferFullWarned;
     private _shutdownRegistered;
+    private _signingKey;
+    private _prevSig;
     private constructor();
     static getInstance(): AuditLogger;
     log(action: string, token: string, dataType?: string, agent?: string, tool?: string, extra?: Record<string, any>): void;
@@ -371,6 +371,8 @@ interface PatternDescriptor {
     validatorTag: string | null;
     isHighEntropy: boolean;
     supportedLocales: string[];
+    ruleId: string;
+    complianceScope: ReadonlySet<string>;
 }
 /**
  * Immutable catalogue of sensitive-data regex signatures.

package/dist/index.d.ts CHANGED Viewed

@@ -1,11 +1,13 @@
 /** Interface every vault backend must implement. */
 declare abstract class BaseVault {
-    /** Persist a token → plaintext mapping with a TTL. Optionally save a reverse lookup hash. */
-    abstract store(token: string, plaintext: string, ttlSeconds: number, ptHash?: string | null): Promise<void>;
+    /** Persist a token → encrypted plaintext mapping with a TTL and optional compliance metadata. */
+    abstract store(token: string, plaintext: string, ttlSeconds: number, ptHash?: string | null, metadata?: Record<string, string> | null): Promise<void>;
     /** Return the existing unexpired token for a given plaintext hash, or null. */
     abstract getTokenByPlaintextHash(ptHash: string): Promise<string | null>;
     /** Return the plaintext for token, or null if missing/expired. */
     abstract retrieve(token: string): Promise<string | null>;
+    /** Return the plaintext hash stored for this token (used for collision detection), or null. */
+    abstract getPtHashForToken(token: string): Promise<string | null>;
     /** Delete a token and its reverse mapping. */
     abstract delete(token: string): Promise<void>;
 }
@@ -15,6 +17,7 @@ type EncodeOptions = {
     searchBuckets?: ('year' | 'month' | 'day' | 'numeric')[];
     searchBucketSize?: number;
     entityType?: string;
+    metadata?: Record<string, string> | null;
 };
 /**
  * Tokenise rawText, encrypt it, store in vault, return the FPE token.
@@ -41,18 +44,11 @@ declare const adetokenizeText: typeof detokenizeText;
 declare function looksLikeToken(value: string | any): boolean;
 /**
- * Format-Preserving Encryption (FPE) token generation.
- *
- * Generates structurally valid, **deterministic** tokens that preserve the
- * format of the original data type so downstream tools, schemas, and
- * validators continue to work without modification.
+ * Deterministic Pseudonymization (DP) token generation using NIST SP 800-38G FF1.
  */
-/** Clear the cached master key. Useful in tests. */
 declare function resetMasterKey(): void;
-/**
- * Return a **deterministic**, format-preserving token for rawText using its entityType.
- */
-declare function generateFPEToken(rawText: string, entityType?: string): Promise<string>;
+declare function generateDPToken(rawText: string, entityType?: string): Promise<string>;
+declare const generateFPEToken: typeof generateDPToken;
 /**
  * Span Resolution Engine — Sweep-Line Overlap Resolver (TypeScript).
@@ -69,6 +65,8 @@ interface Span {
     confidence: number;
     method: string;
     language?: string;
+    ruleId?: string;
+    complianceScope?: ReadonlySet<string>;
     maskedValue?: string;
 }
@@ -234,6 +232,8 @@ declare class AuditLogger {
     private _strictMode;
     private _bufferFullWarned;
     private _shutdownRegistered;
+    private _signingKey;
+    private _prevSig;
     private constructor();
     static getInstance(): AuditLogger;
     log(action: string, token: string, dataType?: string, agent?: string, tool?: string, extra?: Record<string, any>): void;
@@ -371,6 +371,8 @@ interface PatternDescriptor {
     validatorTag: string | null;
     isHighEntropy: boolean;
     supportedLocales: string[];
+    ruleId: string;
+    complianceScope: ReadonlySet<string>;
 }
 /**
  * Immutable catalogue of sensitive-data regex signatures.