n8n-nodes-redactor 2.0.0

package/dist/nodes/PiiRedactor/__tests__/phase1.test.js

@@ -0,0 +1,343 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vault_1 = require("../vault");
+const engine_1 = require("../engine");
+const context_1 = require("../context");
+const names_1 = require("../names");
+function ctx(overrides = {}) {
+    return {
+        enabledPatterns: ['email', 'phone', 'ssn', 'creditCard', 'iban'],
+        customPatterns: [],
+        mode: 'token',
+        dedup: true,
+        fieldRules: [],
+        fieldMode: 'all',
+        ...overrides,
+    };
+}
+// ═══════════════════════════════════════════════════════
+// 1.1 ALLOW LIST TESTS
+// ═══════════════════════════════════════════════════════
+describe('Allow List', () => {
+    let vault;
+    beforeEach(() => { vault = new vault_1.MemoryVault(); });
+    test('exact match: bypass specific email', () => {
+        vault.getOrCreateSession('al1', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ text: 'Contact support@mycompany.com or john@gmail.com' }, ctx({ allowList: [{ value: 'support@mycompany.com', type: 'exact' }] }), vault, 'al1', hits, 0);
+        expect(result.text).toContain('support@mycompany.com'); // NOT redacted
+        expect(result.text).not.toContain('john@gmail.com'); // redacted
+    });
+    test('contains match: bypass company domain', () => {
+        vault.getOrCreateSession('al2', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ text: 'Email alice@mycompany.com and bob@mycompany.com and external@gmail.com' }, ctx({ allowList: [{ value: '@mycompany.com', type: 'contains' }] }), vault, 'al2', hits, 0);
+        expect(result.text).toContain('alice@mycompany.com');
+        expect(result.text).toContain('bob@mycompany.com');
+        expect(result.text).not.toContain('external@gmail.com');
+    });
+    test('regex match: bypass pattern', () => {
+        vault.getOrCreateSession('al3', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ text: 'Public: info@acme.com, private: ceo@acme.com, external: john@gmail.com' }, ctx({ allowList: [{ value: 'info@.*\\.com', type: 'regex' }] }), vault, 'al3', hits, 0);
+        expect(result.text).toContain('info@acme.com');
+        expect(result.text).not.toContain('ceo@acme.com');
+        expect(result.text).not.toContain('john@gmail.com');
+    });
+    test('allow list works with semantic detection', () => {
+        vault.getOrCreateSession('al4', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ name: 'Support Team', email: 'support@mycompany.com' }, ctx({ allowList: [
+                { value: 'Support Team', type: 'exact' },
+                { value: '@mycompany.com', type: 'contains' },
+            ] }), vault, 'al4', hits, 0);
+        expect(result.name).toBe('Support Team');
+        expect(result.email).toBe('support@mycompany.com');
+    });
+    test('empty allow list does not affect redaction', () => {
+        vault.getOrCreateSession('al5', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ email: 'test@test.com' }, ctx({ allowList: [] }), vault, 'al5', hits, 0);
+        expect(result.email).not.toBe('test@test.com');
+    });
+    test('allow list with invalid regex does not crash', () => {
+        vault.getOrCreateSession('al6', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ email: 'test@test.com' }, ctx({ allowList: [{ value: '[invalid(', type: 'regex' }] }), vault, 'al6', hits, 0);
+        // Should not crash, email should still be redacted
+        expect(result.email).not.toBe('test@test.com');
+    });
+    test('multiple allow list entries combined', () => {
+        vault.getOrCreateSession('al7', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ text: 'a@safe.com, b@safe.org, c@unsafe.com' }, ctx({ allowList: [
+                { value: '@safe.com', type: 'contains' },
+                { value: '@safe.org', type: 'contains' },
+            ] }), vault, 'al7', hits, 0);
+        expect(result.text).toContain('a@safe.com');
+        expect(result.text).toContain('b@safe.org');
+        expect(result.text).not.toContain('c@unsafe.com');
+    });
+});
+// ═══════════════════════════════════════════════════════
+// 1.2 DENY LIST TESTS
+// ═══════════════════════════════════════════════════════
+describe('Deny List', () => {
+    let vault;
+    beforeEach(() => { vault = new vault_1.MemoryVault(); });
+    test('exact match: always redact specific value', () => {
+        vault.getOrCreateSession('dl1', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ text: 'Project codename: Project Falcon is confidential' }, ctx({ enabledPatterns: [], denyList: [{ value: 'Project Falcon', type: 'exact' }] }), vault, 'dl1', hits, 0);
+        expect(result.text).not.toContain('Project Falcon');
+        expect(hits).toHaveLength(1);
+        expect(hits[0].patternLabel).toBe('DENY_LIST');
+        expect(hits[0].confidence).toBe(1.0);
+    });
+    test('contains match: redact any occurrence', () => {
+        vault.getOrCreateSession('dl2', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ text: 'INTERNAL-SECRET-2024 and INTERNAL-SECRET-2025 are classified' }, ctx({ enabledPatterns: [], denyList: [{ value: 'INTERNAL-SECRET', type: 'contains' }] }), vault, 'dl2', hits, 0);
+        expect(result.text).not.toContain('INTERNAL-SECRET');
+    });
+    test('deny list combined with allow list (deny takes priority)', () => {
+        vault.getOrCreateSession('dl3', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ text: 'Contact ceo@acme.com for Project Falcon details' }, ctx({
+            denyList: [{ value: 'Project Falcon', type: 'exact' }],
+            allowList: [{ value: '@acme.com', type: 'contains' }],
+        }), vault, 'dl3', hits, 0);
+        expect(result.text).toContain('ceo@acme.com'); // allowed
+        expect(result.text).not.toContain('Project Falcon'); // denied
+    });
+    test('empty deny list does not affect redaction', () => {
+        vault.getOrCreateSession('dl4', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ text: 'Normal text' }, ctx({ denyList: [] }), vault, 'dl4', hits, 0);
+        expect(result.text).toBe('Normal text');
+    });
+});
+// ═══════════════════════════════════════════════════════
+// 1.3 CONTEXT WORD BOOSTING TESTS
+// ═══════════════════════════════════════════════════════
+describe('Context Word Boosting', () => {
+    test('hasContextWords finds nearby keywords', () => {
+        const text = 'Please provide your SSN: 123-45-6789 for verification';
+        expect((0, context_1.hasContextWords)(text, 25, 36, ['SSN', 'social security'])).toBe(true);
+    });
+    test('hasContextWords returns false when no keywords nearby', () => {
+        const text = 'The code is 123-45-6789 in the system';
+        expect((0, context_1.hasContextWords)(text, 12, 23, ['SSN', 'social security'])).toBe(false);
+    });
+    test('context words are case-insensitive', () => {
+        const text = 'your ssn is 123-45-6789';
+        expect((0, context_1.hasContextWords)(text, 12, 23, ['SSN'])).toBe(true);
+    });
+    test('CONTEXT_WORDS has entries for key patterns', () => {
+        expect(context_1.CONTEXT_WORDS.email).toBeDefined();
+        expect(context_1.CONTEXT_WORDS.email.length).toBeGreaterThan(0);
+        expect(context_1.CONTEXT_WORDS.ssn).toBeDefined();
+        expect(context_1.CONTEXT_WORDS.creditCard).toBeDefined();
+        expect(context_1.CONTEXT_WORDS.iban).toBeDefined();
+        expect(context_1.CONTEXT_WORDS.phone).toBeDefined();
+    });
+    test('context boost increases confidence score', () => {
+        const textWithContext = 'SSN: 123-45-6789';
+        const textWithout = 'Code: 123-45-6789';
+        const confWith = (0, context_1.calculateConfidence)('ssn', false, true, textWithContext, 5, 16);
+        const confWithout = (0, context_1.calculateConfidence)('ssn', false, true, textWithout, 6, 17);
+        expect(confWith).toBeGreaterThan(confWithout);
+    });
+});
+// ═══════════════════════════════════════════════════════
+// 1.4 CONFIDENCE SCORING TESTS
+// ═══════════════════════════════════════════════════════
+describe('Confidence Scoring', () => {
+    let vault;
+    beforeEach(() => { vault = new vault_1.MemoryVault(); });
+    test('checksum-validated patterns get 0.95 confidence', () => {
+        const conf = (0, context_1.calculateConfidence)('creditCard', true, true, 'Card: 4532015112830366', 6, 22);
+        expect(conf).toBeGreaterThanOrEqual(0.95);
+    });
+    test('email gets high confidence', () => {
+        const conf = (0, context_1.calculateConfidence)('email', false, true, 'test@example.com', 0, 16);
+        expect(conf).toBeGreaterThanOrEqual(0.85);
+    });
+    test('broad patterns get lower confidence', () => {
+        const conf = (0, context_1.calculateConfidence)('postalCodeDE', false, true, '80331', 0, 5);
+        expect(conf).toBeLessThanOrEqual(0.50);
+    });
+    test('confidence threshold filters out low-confidence matches', () => {
+        vault.getOrCreateSession('ct1', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ text: 'Email: test@example.com' }, ctx({ confidenceThreshold: 0.80 }), vault, 'ct1', hits, 0);
+        // Email has high confidence, should be redacted
+        expect(result.text).not.toContain('test@example.com');
+        expect(hits.length).toBeGreaterThan(0);
+        expect(hits[0].confidence).toBeGreaterThanOrEqual(0.80);
+    });
+    test('high threshold blocks low-confidence patterns', () => {
+        vault.getOrCreateSession('ct2', 0);
+        const hits = [];
+        // With threshold 0.99, only checksum-validated should pass
+        const result = (0, engine_1.redactValue)({ text: 'Random number: 80331' }, ctx({
+            enabledPatterns: ['postalCodeDE'],
+            confidenceThreshold: 0.99,
+        }), vault, 'ct2', hits, 0);
+        // postalCodeDE has low confidence (0.40), should NOT be redacted
+        expect(result.text).toBe('Random number: 80331');
+        expect(hits).toHaveLength(0);
+    });
+    test('threshold 0 redacts everything (default)', () => {
+        vault.getOrCreateSession('ct3', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ text: 'test@test.com' }, ctx({ confidenceThreshold: 0 }), vault, 'ct3', hits, 0);
+        expect(result.text).not.toContain('test@test.com');
+    });
+    test('all hits include confidence field', () => {
+        vault.getOrCreateSession('ct4', 0);
+        const hits = [];
+        (0, engine_1.redactValue)({ text: 'Email: a@b.com, SSN: 123-45-6789' }, ctx(), vault, 'ct4', hits, 0);
+        for (const hit of hits) {
+            expect(hit.confidence).toBeDefined();
+            expect(hit.confidence).toBeGreaterThan(0);
+            expect(hit.confidence).toBeLessThanOrEqual(1.0);
+        }
+    });
+});
+// ═══════════════════════════════════════════════════════
+// 1.5 NAME DICTIONARY TESTS
+// ═══════════════════════════════════════════════════════
+describe('Name Dictionary', () => {
+    test('FIRST_NAMES contains common English names', () => {
+        expect(names_1.FIRST_NAMES.has('James')).toBe(true);
+        expect(names_1.FIRST_NAMES.has('Mary')).toBe(true);
+        expect(names_1.FIRST_NAMES.has('Michael')).toBe(true);
+    });
+    test('FIRST_NAMES contains German names', () => {
+        expect(names_1.FIRST_NAMES.has('Hans')).toBe(true);
+        expect(names_1.FIRST_NAMES.has('Klaus')).toBe(true);
+        expect(names_1.FIRST_NAMES.has('Ursula')).toBe(true);
+    });
+    test('FIRST_NAMES contains French names', () => {
+        expect(names_1.FIRST_NAMES.has('Jean')).toBe(true);
+        expect(names_1.FIRST_NAMES.has('Marie')).toBe(true);
+    });
+    test('FIRST_NAMES contains Spanish names', () => {
+        expect(names_1.FIRST_NAMES.has('Antonio')).toBe(true);
+        expect(names_1.FIRST_NAMES.has('Carmen')).toBe(true);
+    });
+    test('FIRST_NAMES contains Indian names', () => {
+        expect(names_1.FIRST_NAMES.has('Adeel')).toBe(true);
+        expect(names_1.FIRST_NAMES.has('Priya')).toBe(true);
+        expect(names_1.FIRST_NAMES.has('Rahul')).toBe(true);
+    });
+    test('LAST_NAMES contains common surnames', () => {
+        expect(names_1.LAST_NAMES.has('Smith')).toBe(true);
+        expect(names_1.LAST_NAMES.has('Mueller')).toBe(true);
+        expect(names_1.LAST_NAMES.has('Garcia')).toBe(true);
+        expect(names_1.LAST_NAMES.has('Patel')).toBe(true);
+        expect(names_1.LAST_NAMES.has('Solangi')).toBe(true);
+    });
+    test('detectNamesInText finds names in free text', () => {
+        const names = (0, names_1.detectNamesInText)('Spoke with Sarah Johnson about her account');
+        expect(names.length).toBeGreaterThan(0);
+        expect(names[0].name).toBe('Sarah Johnson');
+    });
+    test('detectNamesInText finds German names', () => {
+        const names = (0, names_1.detectNamesInText)('Der Kunde ist Hans Mueller aus Berlin');
+        const hansMatch = names.find((n) => n.name.includes('Hans'));
+        expect(hansMatch).toBeDefined();
+    });
+    test('detectNamesInText does NOT match city names', () => {
+        const names = (0, names_1.detectNamesInText)('We visited New York and Los Angeles');
+        expect(names).toHaveLength(0);
+    });
+    test('detectNamesInText does NOT match months', () => {
+        const names = (0, names_1.detectNamesInText)('Meeting scheduled for January February');
+        expect(names).toHaveLength(0);
+    });
+    test('detectNamesInText does NOT match tech terms', () => {
+        const names = (0, names_1.detectNamesInText)('Data Server Client Table Field');
+        expect(names).toHaveLength(0);
+    });
+    test('name dictionary works in redaction engine', () => {
+        const vault = new vault_1.MemoryVault();
+        vault.getOrCreateSession('nd1', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ notes: 'Spoke with Sarah Johnson about her billing issue' }, ctx(), vault, 'nd1', hits, 0);
+        // Sarah Johnson should be detected by name dictionary
+        expect(result.notes).not.toContain('Sarah Johnson');
+    });
+    test('name dictionary respects allow list', () => {
+        const vault = new vault_1.MemoryVault();
+        vault.getOrCreateSession('nd2', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ notes: 'Spoke with Sarah Johnson at the office' }, ctx({ allowList: [{ value: 'Sarah Johnson', type: 'exact' }] }), vault, 'nd2', hits, 0);
+        expect(result.notes).toContain('Sarah Johnson');
+    });
+});
+// ═══════════════════════════════════════════════════════
+// INTEGRATION: All Phase 1 features combined
+// ═══════════════════════════════════════════════════════
+describe('Phase 1 Integration', () => {
+    let vault;
+    beforeEach(() => { vault = new vault_1.MemoryVault(); });
+    test('allow + deny + confidence + names all working together', () => {
+        vault.getOrCreateSession('int1', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({
+            message: 'Contact Sarah Johnson at support@acme.com about Project Falcon. Her SSN is 123-45-6789.',
+            notes: 'Internal ref: CLASSIFIED-2024',
+        }, ctx({
+            allowList: [{ value: '@acme.com', type: 'contains' }],
+            denyList: [
+                { value: 'Project Falcon', type: 'exact' },
+                { value: 'CLASSIFIED', type: 'contains' },
+            ],
+            confidenceThreshold: 0,
+        }), vault, 'int1', hits, 0);
+        // Allow list: support@acme.com should NOT be redacted
+        expect(result.message).toContain('support@acme.com');
+        // Deny list: Project Falcon should be redacted
+        expect(result.message).not.toContain('Project Falcon');
+        // SSN: should be redacted (regex pattern)
+        expect(result.message).not.toContain('123-45-6789');
+        // Name: Sarah Johnson should be detected by dictionary
+        expect(result.message).not.toContain('Sarah Johnson');
+        // Deny list: CLASSIFIED should be redacted in notes
+        expect(result.notes).not.toContain('CLASSIFIED-2024');
+    });
+    test('full round-trip with allow/deny lists', () => {
+        vault.getOrCreateSession('int2', 0);
+        const hits = [];
+        const original = {
+            text: 'Email support@safe.com or private@gmail.com. Secret: CODENAME-X.',
+        };
+        const redacted = (0, engine_1.redactValue)(original, ctx({
+            allowList: [{ value: '@safe.com', type: 'contains' }],
+            denyList: [{ value: 'CODENAME-X', type: 'exact' }],
+        }), vault, 'int2', hits, 0);
+        // Verify redaction
+        expect(redacted.text).toContain('support@safe.com');
+        expect(redacted.text).not.toContain('private@gmail.com');
+        expect(redacted.text).not.toContain('CODENAME-X');
+        // Restore
+        const restored = (0, engine_1.restoreValue)(redacted, vault, 'int2');
+        expect(restored.text).toContain('private@gmail.com');
+        expect(restored.text).toContain('CODENAME-X');
+        expect(restored.text).toContain('support@safe.com');
+    });
+    test('confidence scores in report output', () => {
+        vault.getOrCreateSession('int3', 0);
+        const hits = [];
+        (0, engine_1.redactValue)({ text: 'SSN: 123-45-6789, email: test@test.com' }, ctx(), vault, 'int3', hits, 0);
+        // Every hit should have a confidence score
+        expect(hits.length).toBeGreaterThan(0);
+        for (const hit of hits) {
+            expect(typeof hit.confidence).toBe('number');
+            expect(hit.confidence).toBeGreaterThan(0);
+            expect(hit.confidence).toBeLessThanOrEqual(1.0);
+        }
+    });
+});

package/dist/nodes/PiiRedactor/__tests__/security.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/nodes/PiiRedactor/__tests__/security.test.js

@@ -0,0 +1,178 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vault_1 = require("../vault");
+const engine_1 = require("../engine");
+function createContext(overrides = {}) {
+    return {
+        enabledPatterns: ['email', 'phone', 'personName', 'ssn', 'creditCard', 'iban', 'ipv4'],
+        customPatterns: [],
+        mode: 'token',
+        dedup: true,
+        fieldRules: [],
+        fieldMode: 'all',
+        ...overrides,
+    };
+}
+// ═══════════════════════════════════════════════════════
+// SECURITY: ReDoS Prevention
+// ═══════════════════════════════════════════════════════
+describe('ReDoS prevention', () => {
+    let vault;
+    beforeEach(() => { vault = new vault_1.MemoryVault(); });
+    test('custom regex with nested quantifiers is rejected', () => {
+        vault.getOrCreateSession('redos-1', 0);
+        const hits = [];
+        // (a+)+ is a classic ReDoS pattern
+        const result = (0, engine_1.redactValue)({ text: 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!' }, createContext({
+            enabledPatterns: [],
+            customPatterns: [{ label: 'EVIL', regex: '(a+)+$' }],
+        }), vault, 'redos-1', hits, 0);
+        // Should NOT hang, and should NOT redact (pattern rejected)
+        expect(result.text).toBe('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!');
+        expect(hits).toHaveLength(0);
+    });
+    test('custom regex over 500 chars is rejected', () => {
+        vault.getOrCreateSession('redos-2', 0);
+        const hits = [];
+        const longRegex = 'a'.repeat(600);
+        const result = (0, engine_1.redactValue)({ text: 'test' }, createContext({
+            enabledPatterns: [],
+            customPatterns: [{ label: 'LONG', regex: longRegex }],
+        }), vault, 'redos-2', hits, 0);
+        expect(hits).toHaveLength(0);
+    });
+    test('connStringKV does not hang on adversarial input', () => {
+        vault.getOrCreateSession('redos-3', 0);
+        const hits = [];
+        const adversarial = 'Server=x;' + 'a'.repeat(10000);
+        const start = Date.now();
+        (0, engine_1.redactValue)({ text: adversarial }, createContext({ enabledPatterns: ['connStringKV'] }), vault, 'redos-3', hits, 0);
+        const elapsed = Date.now() - start;
+        // Should complete in under 5 seconds, not hang
+        expect(elapsed).toBeLessThan(5000);
+    });
+});
+// ═══════════════════════════════════════════════════════
+// SECURITY: Information Leakage Prevention
+// ═══════════════════════════════════════════════════════
+describe('Information leakage prevention', () => {
+    let vault;
+    beforeEach(() => { vault = new vault_1.MemoryVault(); });
+    test('audit report NEVER contains original PII values', () => {
+        vault.getOrCreateSession('leak-1', 0);
+        const hits = [];
+        (0, engine_1.redactValue)({ email: 'secret@company.com', ssn: '123-45-6789' }, createContext({ mode: 'token' }), vault, 'leak-1', hits, 0);
+        const report = (0, engine_1.buildReport)('leak-1', hits);
+        const reportJson = JSON.stringify(report);
+        // Original values must NOT appear in the report
+        expect(reportJson).not.toContain('secret@company.com');
+        expect(reportJson).not.toContain('123-45-6789');
+        // All originals should be '***'
+        for (const hit of report.hits) {
+            expect(hit.original).toBe('***');
+        }
+    });
+    test('audit report in mask mode also hides originals', () => {
+        vault.getOrCreateSession('leak-2', 0);
+        const hits = [];
+        (0, engine_1.redactValue)({ email: 'secret@company.com' }, createContext({ mode: 'mask' }), vault, 'leak-2', hits, 0);
+        for (const hit of hits) {
+            expect(hit.original).toBe('***');
+        }
+    });
+});
+// ═══════════════════════════════════════════════════════
+// SECURITY: Restore Infinite Loop Prevention
+// ═══════════════════════════════════════════════════════
+describe('Restore safety', () => {
+    let vault;
+    beforeEach(() => { vault = new vault_1.MemoryVault(); });
+    test('restore does not infinite loop when original contains a token', () => {
+        vault.getOrCreateSession('loop-1', 0);
+        // Manually create a vault entry where the original contains another token
+        vault.addEntry('loop-1', {
+            token: '[EMAIL_0]',
+            original: 'Contact [PHONE_1] for info',
+            patternLabel: 'EMAIL',
+            category: 'contact',
+            createdAt: new Date().toISOString(),
+        });
+        vault.addEntry('loop-1', {
+            token: '[PHONE_1]',
+            original: '555-1234',
+            patternLabel: 'PHONE',
+            category: 'contact',
+            createdAt: new Date().toISOString(),
+        });
+        const start = Date.now();
+        const result = (0, engine_1.restoreValue)({ text: 'Message: [EMAIL_0]' }, vault, 'loop-1');
+        const elapsed = Date.now() - start;
+        // Must complete quickly (no infinite loop)
+        expect(elapsed).toBeLessThan(1000);
+        // The split/join approach replaces in order, so [EMAIL_0] becomes
+        // "Contact [PHONE_1] for info", then [PHONE_1] becomes "555-1234"
+        expect(result.text).toBe('Message: Contact 555-1234 for info');
+    });
+});
+// ═══════════════════════════════════════════════════════
+// SECURITY: Memory Leak Prevention
+// ═══════════════════════════════════════════════════════
+describe('Memory leak prevention', () => {
+    test('MemoryVault enforces max session limit', () => {
+        const vault = new vault_1.MemoryVault();
+        // Create many sessions
+        for (let i = 0; i < 1010; i++) {
+            vault.getOrCreateSession(`session-${i}`, 60000);
+        }
+        const sessions = vault.listSessions();
+        // Should not exceed max (1000) + some buffer
+        expect(sessions.length).toBeLessThanOrEqual(1010);
+    });
+    test('MemoryVault auto-cleans expired sessions on create', () => {
+        const vault = new vault_1.MemoryVault();
+        // Create session with 1ms TTL
+        vault.getOrCreateSession('expire-me', 1);
+        // Wait for expiry
+        const start = Date.now();
+        while (Date.now() - start < 10) { /* busy wait */ }
+        // Creating a new session triggers cleanup
+        vault.getOrCreateSession('new-session', 0);
+        // Expired session should be gone
+        expect(vault.getSession('expire-me')).toBeNull();
+    });
+});
+// ═══════════════════════════════════════════════════════
+// SECURITY: Field Path Injection Prevention
+// ═══════════════════════════════════════════════════════
+describe('Field path injection prevention', () => {
+    let vault;
+    beforeEach(() => { vault = new vault_1.MemoryVault(); });
+    test('malicious field path pattern does not crash', () => {
+        vault.getOrCreateSession('field-inj', 0);
+        const hits = [];
+        // Attempt to inject regex via field rule
+        const result = (0, engine_1.redactValue)({ email: 'test@test.com' }, createContext({
+            fieldMode: 'allowlist',
+            fieldRules: [{ field: '(a+)+', mode: 'include' }],
+        }), vault, 'field-inj', hits, 0);
+        // Should not crash or hang
+        expect(result.email).toBeDefined();
+    });
+});
+// ═══════════════════════════════════════════════════════
+// SECURITY: Token Collision Prevention
+// ═══════════════════════════════════════════════════════
+describe('Token collision prevention', () => {
+    let vault;
+    beforeEach(() => { vault = new vault_1.MemoryVault(); });
+    test('generated tokens are not re-redacted by subsequent patterns', () => {
+        vault.getOrCreateSession('collision-1', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ text: 'Email: test@example.com and SSN: 123-45-6789' }, createContext(), vault, 'collision-1', hits, 0);
+        // Tokens should be clean [LABEL_N] format, not double-redacted
+        expect(result.text).toMatch(/\[EMAIL_\d+\]/);
+        expect(result.text).toMatch(/\[SSN_\d+\]/);
+        // Should NOT contain nested tokens like [[EMAIL_0]]
+        expect(result.text).not.toContain('[[');
+    });
+});

package/dist/nodes/PiiRedactor/__tests__/semantic.test.d.ts

@@ -0,0 +1 @@
+export {};