n8n-nodes-redactor 3.0.1

package/dist/nodes/PiiRedactor/__tests__/phase4.test.js

@@ -0,0 +1,184 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+const fs = __importStar(require("fs"));
+const os = __importStar(require("os"));
+const path = __importStar(require("path"));
+const profiles_1 = require("../profiles");
+const ropa_1 = require("../ropa");
+const classification_1 = require("../classification");
+// ═══════════════════════════════════════════════════════
+// 4.1 PER-TENANT PROFILES
+// ═══════════════════════════════════════════════════════
+describe('Per-Tenant Profiles', () => {
+    let testDir;
+    beforeEach(() => {
+        testDir = fs.mkdtempSync(path.join(os.tmpdir(), 'pii-profiles-test-'));
+    });
+    afterEach(() => {
+        try {
+            fs.rmSync(testDir, { recursive: true, force: true });
+        }
+        catch { /* ignore */ }
+    });
+    test('save and load profile', () => {
+        const profile = {
+            profileId: 'acme-corp',
+            displayName: 'Acme Corporation',
+            enabledPatterns: ['email', 'phone', 'ssn'],
+            redactionMode: 'token',
+            confidenceThreshold: 0.7,
+            allowList: [{ value: '@acme.com', type: 'contains' }],
+            denyList: [{ value: 'Project Falcon', type: 'exact' }],
+            region: 'EU',
+            auditLog: true,
+            createdAt: new Date().toISOString(),
+            updatedAt: new Date().toISOString(),
+        };
+        expect((0, profiles_1.saveProfile)(profile, testDir)).toBe(true);
+        const loaded = (0, profiles_1.loadProfile)('acme-corp', testDir);
+        expect(loaded).not.toBeNull();
+        expect(loaded.displayName).toBe('Acme Corporation');
+        expect(loaded.enabledPatterns).toEqual(['email', 'phone', 'ssn']);
+        expect(loaded.confidenceThreshold).toBe(0.7);
+        expect(loaded.allowList[0].value).toBe('@acme.com');
+    });
+    test('load nonexistent profile returns null', () => {
+        expect((0, profiles_1.loadProfile)('nonexistent', testDir)).toBeNull();
+    });
+    test('load empty profileId returns null', () => {
+        expect((0, profiles_1.loadProfile)('', testDir)).toBeNull();
+    });
+    test('list profiles', () => {
+        (0, profiles_1.saveProfile)({ profileId: 'tenant-a', displayName: 'Tenant A', createdAt: '', updatedAt: '' }, testDir);
+        (0, profiles_1.saveProfile)({ profileId: 'tenant-b', displayName: 'Tenant B', createdAt: '', updatedAt: '' }, testDir);
+        const profiles = (0, profiles_1.listProfiles)(testDir);
+        expect(profiles).toHaveLength(2);
+        expect(profiles.map((p) => p.profileId).sort()).toEqual(['tenant-a', 'tenant-b']);
+    });
+    test('delete profile', () => {
+        (0, profiles_1.saveProfile)({ profileId: 'delete-me', displayName: 'Delete Me', createdAt: '', updatedAt: '' }, testDir);
+        expect((0, profiles_1.loadProfile)('delete-me', testDir)).not.toBeNull();
+        expect((0, profiles_1.deleteProfile)('delete-me', testDir)).toBe(true);
+        expect((0, profiles_1.loadProfile)('delete-me', testDir)).toBeNull();
+    });
+    test('delete nonexistent profile returns false', () => {
+        expect((0, profiles_1.deleteProfile)('nonexistent', testDir)).toBe(false);
+    });
+    test('profileId is sanitized against path traversal', () => {
+        const result = (0, profiles_1.saveProfile)({
+            profileId: '../../../etc/passwd',
+            displayName: 'Evil',
+            createdAt: '',
+            updatedAt: '',
+        }, testDir);
+        // Should save with sanitized name, not escape the directory
+        const files = fs.readdirSync(testDir);
+        expect(files.every((f) => !f.includes('..'))).toBe(true);
+    });
+    test('list profiles from empty directory', () => {
+        expect((0, profiles_1.listProfiles)(testDir)).toEqual([]);
+    });
+    test('list profiles from nonexistent directory', () => {
+        expect((0, profiles_1.listProfiles)('/tmp/nonexistent-' + Date.now())).toEqual([]);
+    });
+});
+// ═══════════════════════════════════════════════════════
+// 4.4 GDPR ART.30 ROPA REPORT
+// ═══════════════════════════════════════════════════════
+describe('GDPR Art.30 ROPA Report', () => {
+    test('generates complete ROPA record', () => {
+        const hits = [
+            { token: '[E_0]', original: '***', patternName: 'email', patternLabel: 'EMAIL', category: 'contact', field: 'email', itemIndex: 0, confidence: 0.90 },
+            { token: '[S_1]', original: '***', patternName: 'ssn', patternLabel: 'SSN', category: 'identity', field: 'ssn', itemIndex: 0, confidence: 0.85 },
+            { token: '[C_2]', original: '***', patternName: 'creditCard', patternLabel: 'CREDIT_CARD', category: 'financial', field: 'card', itemIndex: 0, confidence: 0.95 },
+        ];
+        const classification = (0, classification_1.classifyData)(hits);
+        const ropa = (0, ropa_1.generateRopaRecord)(hits, classification, 100, 90, 'token', 60, true, true, { name: 'Acme Corp', contactEmail: 'dpo@acme.com', dpo: 'John DPO' }, ['PII redaction before LLM processing'], 'Art.6(1)(f) Legitimate interest', ['customers', 'employees'], ['LLM provider (OpenAI)'], [{ country: 'US', organization: 'OpenAI', safeguards: 'Standard Contractual Clauses' }]);
+        // Art.30(1)(a) - Controller
+        expect(ropa.controller.name).toBe('Acme Corp');
+        expect(ropa.controller.dpo).toBe('John DPO');
+        // Art.30(1)(b) - Purposes
+        expect(ropa.processingPurposes).toContain('PII redaction before LLM processing');
+        expect(ropa.legalBasis).toBe('Art.6(1)(f) Legitimate interest');
+        // Art.30(1)(c) - Data subjects
+        expect(ropa.dataSubjectCategories).toContain('customers');
+        // Art.30(1)(d) - Personal data categories
+        expect(ropa.personalDataCategories.length).toBeGreaterThanOrEqual(3);
+        const contactCat = ropa.personalDataCategories.find((c) => c.category === 'contact');
+        expect(contactCat).toBeDefined();
+        expect(contactCat.patternLabels).toContain('EMAIL');
+        // Art.30(1)(e) - Recipients
+        expect(ropa.recipientCategories).toContain('LLM provider (OpenAI)');
+        // Art.30(1)(f) - Transfers
+        expect(ropa.thirdCountryTransfers).toHaveLength(1);
+        expect(ropa.thirdCountryTransfers[0].country).toBe('US');
+        // Art.30(1)(g) - Retention
+        expect(ropa.retentionPolicy.vaultTtlMinutes).toBe(60);
+        // Art.30(1)(h) - Security measures
+        expect(ropa.securityMeasures.encryptionAtRest).toBe(true);
+        expect(ropa.securityMeasures.encryptionAlgorithm).toBe('AES-256-GCM');
+        expect(ropa.securityMeasures.auditLogging).toBe(true);
+        // Processing summary
+        expect(ropa.processingSummary.totalItemsProcessed).toBe(100);
+        expect(ropa.processingSummary.totalPiiDetected).toBe(3);
+        expect(ropa.processingSummary.classificationLevel).toBe('RESTRICTED');
+        // Meta
+        expect(ropa.version).toBe('1.0');
+        expect(ropa.generatedBy).toBe('n8n-nodes-redactor');
+        expect(ropa.recordId).toBeDefined();
+        expect(ropa.generatedAt).toBeDefined();
+    });
+    test('ROPA with no PII detected', () => {
+        const classification = (0, classification_1.classifyData)([]);
+        const ropa = (0, ropa_1.generateRopaRecord)([], classification, 50, 90, 'token', 60, false, false, { name: 'Test Corp', contactEmail: 'test@test.com' }, ['Data analysis'], 'Art.6(1)(f)', ['users'], [], []);
+        expect(ropa.personalDataCategories).toHaveLength(0);
+        expect(ropa.processingSummary.totalPiiDetected).toBe(0);
+        expect(ropa.processingSummary.classificationLevel).toBe('PUBLIC');
+        expect(ropa.securityMeasures.encryptionAtRest).toBe(false);
+    });
+    test('ROPA report does not contain original PII values', () => {
+        const hits = [
+            { token: '[E_0]', original: '***', patternName: 'email', patternLabel: 'EMAIL', category: 'contact', field: 'email', itemIndex: 0, confidence: 0.90 },
+        ];
+        const classification = (0, classification_1.classifyData)(hits);
+        const ropa = (0, ropa_1.generateRopaRecord)(hits, classification, 1, 90, 'token', 60, false, false, { name: 'Test', contactEmail: 'test@test.com' }, ['test'], 'Art.6(1)(f)', [], [], []);
+        const json = JSON.stringify(ropa);
+        // Original values should never appear (they're already '***' in hits)
+        expect(json).not.toContain('original');
+        // Pattern labels are fine (they describe TYPES not VALUES)
+        expect(json).toContain('EMAIL');
+    });
+});

package/dist/nodes/PiiRedactor/__tests__/presidio.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/nodes/PiiRedactor/__tests__/presidio.test.js

@@ -0,0 +1,170 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const presidio_1 = require("../presidio");
+const vault_1 = require("../vault");
+const engine_1 = require("../engine");
+// ═══════════════════════════════════════════════════════
+// PRESIDIO CLIENT TESTS
+// ═══════════════════════════════════════════════════════
+describe('Presidio Client', () => {
+    test('checkPresidioHealth returns false when unreachable', async () => {
+        const result = await (0, presidio_1.checkPresidioHealth)('http://localhost:99999');
+        expect(result).toBe(false);
+    });
+    test('analyzeWithPresidio returns empty array when unreachable', async () => {
+        const result = await (0, presidio_1.analyzeWithPresidio)('http://localhost:99999', 'John Smith called', 'en', 0.4, 2000);
+        expect(result).toEqual([]);
+    });
+    test('analyzeWithPresidio returns empty for empty text', async () => {
+        const result = await (0, presidio_1.analyzeWithPresidio)('http://localhost:5002', '', 'en');
+        expect(result).toEqual([]);
+    });
+    test('analyzeWithPresidio returns empty for whitespace text', async () => {
+        const result = await (0, presidio_1.analyzeWithPresidio)('http://localhost:5002', '   ', 'en');
+        expect(result).toEqual([]);
+    });
+    test('getPresidioEntities returns empty when unreachable', async () => {
+        const result = await (0, presidio_1.getPresidioEntities)('http://localhost:99999');
+        expect(result).toEqual([]);
+    });
+});
+// ═══════════════════════════════════════════════════════
+// ENTITY TYPE MAPPING TESTS
+// ═══════════════════════════════════════════════════════
+describe('Presidio Entity Mapping', () => {
+    test('maps PERSON to PERSON_NAME', () => {
+        expect((0, presidio_1.getRedactorLabel)('PERSON')).toBe('PERSON_NAME');
+    });
+    test('maps EMAIL_ADDRESS to EMAIL', () => {
+        expect((0, presidio_1.getRedactorLabel)('EMAIL_ADDRESS')).toBe('EMAIL');
+    });
+    test('maps PHONE_NUMBER to PHONE', () => {
+        expect((0, presidio_1.getRedactorLabel)('PHONE_NUMBER')).toBe('PHONE');
+    });
+    test('maps CREDIT_CARD to CREDIT_CARD', () => {
+        expect((0, presidio_1.getRedactorLabel)('CREDIT_CARD')).toBe('CREDIT_CARD');
+    });
+    test('maps LOCATION to ADDRESS', () => {
+        expect((0, presidio_1.getRedactorLabel)('LOCATION')).toBe('ADDRESS');
+    });
+    test('maps ORGANIZATION to COMPANY', () => {
+        expect((0, presidio_1.getRedactorLabel)('ORGANIZATION')).toBe('COMPANY');
+    });
+    test('maps US_SSN to SSN', () => {
+        expect((0, presidio_1.getRedactorLabel)('US_SSN')).toBe('SSN');
+    });
+    test('maps IBAN_CODE to IBAN', () => {
+        expect((0, presidio_1.getRedactorLabel)('IBAN_CODE')).toBe('IBAN');
+    });
+    test('unknown entity type passes through as-is', () => {
+        expect((0, presidio_1.getRedactorLabel)('UNKNOWN_TYPE')).toBe('UNKNOWN_TYPE');
+    });
+    test('category mapping works for PERSON', () => {
+        expect((0, presidio_1.getRedactorCategory)('PERSON')).toBe('identity');
+    });
+    test('category mapping works for CREDIT_CARD', () => {
+        expect((0, presidio_1.getRedactorCategory)('CREDIT_CARD')).toBe('financial');
+    });
+    test('category mapping works for IP_ADDRESS', () => {
+        expect((0, presidio_1.getRedactorCategory)('IP_ADDRESS')).toBe('network');
+    });
+    test('unknown category defaults to identity', () => {
+        expect((0, presidio_1.getRedactorCategory)('UNKNOWN')).toBe('identity');
+    });
+});
+// ═══════════════════════════════════════════════════════
+// ENHANCE WITH PRESIDIO TESTS (graceful fallback)
+// ═══════════════════════════════════════════════════════
+describe('enhanceWithPresidio', () => {
+    let vault;
+    beforeEach(() => {
+        vault = new vault_1.MemoryVault();
+    });
+    test('returns data unchanged when presidioUrl is not set', async () => {
+        vault.getOrCreateSession('p1', 0);
+        const hits = [];
+        const data = { name: 'John Smith', email: 'john@test.com' };
+        const result = await (0, engine_1.enhanceWithPresidio)(data, { enabledPatterns: [], customPatterns: [], mode: 'token', dedup: true, fieldRules: [], fieldMode: 'all' }, vault, 'p1', hits, 0);
+        expect(result).toEqual(data);
+        expect(hits).toHaveLength(0);
+    });
+    test('returns data unchanged when Presidio is unreachable', async () => {
+        vault.getOrCreateSession('p2', 0);
+        const hits = [];
+        const data = { notes: 'Spoke with Sarah Johnson about billing' };
+        const result = await (0, engine_1.enhanceWithPresidio)(data, {
+            enabledPatterns: [], customPatterns: [], mode: 'token', dedup: true,
+            fieldRules: [], fieldMode: 'all',
+            presidioUrl: 'http://localhost:99999',
+            presidioLanguage: 'en',
+        }, vault, 'p2', hits, 0);
+        // Should not crash, returns original data
+        expect(result.notes).toBe('Spoke with Sarah Johnson about billing');
+        expect(hits).toHaveLength(0);
+    });
+    test('skips already-redacted tokens', async () => {
+        vault.getOrCreateSession('p3', 0);
+        const hits = [];
+        const data = { name: '[PERSON_NAME_0]', email: '[EMAIL_1]' };
+        const result = await (0, engine_1.enhanceWithPresidio)(data, {
+            enabledPatterns: [], customPatterns: [], mode: 'token', dedup: true,
+            fieldRules: [], fieldMode: 'all',
+            presidioUrl: 'http://localhost:99999',
+        }, vault, 'p3', hits, 0);
+        // Tokens should not be modified
+        expect(result.name).toBe('[PERSON_NAME_0]');
+        expect(result.email).toBe('[EMAIL_1]');
+    });
+    test('skips empty and whitespace strings', async () => {
+        vault.getOrCreateSession('p4', 0);
+        const hits = [];
+        const data = { empty: '', whitespace: '   ', valid: 'some text' };
+        const result = await (0, engine_1.enhanceWithPresidio)(data, {
+            enabledPatterns: [], customPatterns: [], mode: 'token', dedup: true,
+            fieldRules: [], fieldMode: 'all',
+            presidioUrl: 'http://localhost:99999',
+        }, vault, 'p4', hits, 0);
+        expect(result.empty).toBe('');
+        expect(result.whitespace).toBe('   ');
+    });
+    test('respects allow list', async () => {
+        vault.getOrCreateSession('p5', 0);
+        const hits = [];
+        const data = { text: 'Contact Support Team at support@acme.com' };
+        const result = await (0, engine_1.enhanceWithPresidio)(data, {
+            enabledPatterns: [], customPatterns: [], mode: 'token', dedup: true,
+            fieldRules: [], fieldMode: 'all',
+            presidioUrl: 'http://localhost:99999',
+            allowList: [{ value: 'Support Team', type: 'exact' }],
+        }, vault, 'p5', hits, 0);
+        // Even if Presidio found "Support Team", allow list would skip it
+        expect(result.text).toContain('Support Team');
+    });
+    test('handles non-string values gracefully', async () => {
+        vault.getOrCreateSession('p6', 0);
+        const hits = [];
+        const data = { count: 42, active: true };
+        const result = await (0, engine_1.enhanceWithPresidio)(data, {
+            enabledPatterns: [], customPatterns: [], mode: 'token', dedup: true,
+            fieldRules: [], fieldMode: 'all',
+            presidioUrl: 'http://localhost:99999',
+        }, vault, 'p6', hits, 0);
+        // Non-strings should pass through unchanged
+        expect(result.count).toBe(42);
+        expect(result.active).toBe(true);
+    });
+});
+// ═══════════════════════════════════════════════════════
+// DOCKER SETUP DOCUMENTATION TEST
+// ═══════════════════════════════════════════════════════
+describe('Presidio Docker Setup', () => {
+    test('docker command is documented correctly', () => {
+        // Verify the Docker image reference is correct
+        const dockerImage = 'mcr.microsoft.com/presidio-analyzer';
+        const defaultPort = 5002;
+        const internalPort = 3000;
+        expect(dockerImage).toContain('presidio-analyzer');
+        expect(defaultPort).toBe(5002);
+        expect(internalPort).toBe(3000);
+    });
+});

package/dist/nodes/PiiRedactor/__tests__/security.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/nodes/PiiRedactor/__tests__/security.test.js

@@ -0,0 +1,178 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vault_1 = require("../vault");
+const engine_1 = require("../engine");
+function createContext(overrides = {}) {
+    return {
+        enabledPatterns: ['email', 'phone', 'personName', 'ssn', 'creditCard', 'iban', 'ipv4'],
+        customPatterns: [],
+        mode: 'token',
+        dedup: true,
+        fieldRules: [],
+        fieldMode: 'all',
+        ...overrides,
+    };
+}
+// ═══════════════════════════════════════════════════════
+// SECURITY: ReDoS Prevention
+// ═══════════════════════════════════════════════════════
+describe('ReDoS prevention', () => {
+    let vault;
+    beforeEach(() => { vault = new vault_1.MemoryVault(); });
+    test('custom regex with nested quantifiers is rejected', () => {
+        vault.getOrCreateSession('redos-1', 0);
+        const hits = [];
+        // (a+)+ is a classic ReDoS pattern
+        const result = (0, engine_1.redactValue)({ text: 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!' }, createContext({
+            enabledPatterns: [],
+            customPatterns: [{ label: 'EVIL', regex: '(a+)+$' }],
+        }), vault, 'redos-1', hits, 0);
+        // Should NOT hang, and should NOT redact (pattern rejected)
+        expect(result.text).toBe('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!');
+        expect(hits).toHaveLength(0);
+    });
+    test('custom regex over 500 chars is rejected', () => {
+        vault.getOrCreateSession('redos-2', 0);
+        const hits = [];
+        const longRegex = 'a'.repeat(600);
+        const result = (0, engine_1.redactValue)({ text: 'test' }, createContext({
+            enabledPatterns: [],
+            customPatterns: [{ label: 'LONG', regex: longRegex }],
+        }), vault, 'redos-2', hits, 0);
+        expect(hits).toHaveLength(0);
+    });
+    test('connStringKV does not hang on adversarial input', () => {
+        vault.getOrCreateSession('redos-3', 0);
+        const hits = [];
+        const adversarial = 'Server=x;' + 'a'.repeat(10000);
+        const start = Date.now();
+        (0, engine_1.redactValue)({ text: adversarial }, createContext({ enabledPatterns: ['connStringKV'] }), vault, 'redos-3', hits, 0);
+        const elapsed = Date.now() - start;
+        // Should complete in under 5 seconds, not hang
+        expect(elapsed).toBeLessThan(5000);
+    });
+});
+// ═══════════════════════════════════════════════════════
+// SECURITY: Information Leakage Prevention
+// ═══════════════════════════════════════════════════════
+describe('Information leakage prevention', () => {
+    let vault;
+    beforeEach(() => { vault = new vault_1.MemoryVault(); });
+    test('audit report NEVER contains original PII values', () => {
+        vault.getOrCreateSession('leak-1', 0);
+        const hits = [];
+        (0, engine_1.redactValue)({ email: 'secret@company.com', ssn: '123-45-6789' }, createContext({ mode: 'token' }), vault, 'leak-1', hits, 0);
+        const report = (0, engine_1.buildReport)('leak-1', hits);
+        const reportJson = JSON.stringify(report);
+        // Original values must NOT appear in the report
+        expect(reportJson).not.toContain('secret@company.com');
+        expect(reportJson).not.toContain('123-45-6789');
+        // All originals should be '***'
+        for (const hit of report.hits) {
+            expect(hit.original).toBe('***');
+        }
+    });
+    test('audit report in mask mode also hides originals', () => {
+        vault.getOrCreateSession('leak-2', 0);
+        const hits = [];
+        (0, engine_1.redactValue)({ email: 'secret@company.com' }, createContext({ mode: 'mask' }), vault, 'leak-2', hits, 0);
+        for (const hit of hits) {
+            expect(hit.original).toBe('***');
+        }
+    });
+});
+// ═══════════════════════════════════════════════════════
+// SECURITY: Restore Infinite Loop Prevention
+// ═══════════════════════════════════════════════════════
+describe('Restore safety', () => {
+    let vault;
+    beforeEach(() => { vault = new vault_1.MemoryVault(); });
+    test('restore does not infinite loop when original contains a token', () => {
+        vault.getOrCreateSession('loop-1', 0);
+        // Manually create a vault entry where the original contains another token
+        vault.addEntry('loop-1', {
+            token: '[EMAIL_0]',
+            original: 'Contact [PHONE_1] for info',
+            patternLabel: 'EMAIL',
+            category: 'contact',
+            createdAt: new Date().toISOString(),
+        });
+        vault.addEntry('loop-1', {
+            token: '[PHONE_1]',
+            original: '555-1234',
+            patternLabel: 'PHONE',
+            category: 'contact',
+            createdAt: new Date().toISOString(),
+        });
+        const start = Date.now();
+        const result = (0, engine_1.restoreValue)({ text: 'Message: [EMAIL_0]' }, vault, 'loop-1');
+        const elapsed = Date.now() - start;
+        // Must complete quickly (no infinite loop)
+        expect(elapsed).toBeLessThan(1000);
+        // The split/join approach replaces in order, so [EMAIL_0] becomes
+        // "Contact [PHONE_1] for info", then [PHONE_1] becomes "555-1234"
+        expect(result.text).toBe('Message: Contact 555-1234 for info');
+    });
+});
+// ═══════════════════════════════════════════════════════
+// SECURITY: Memory Leak Prevention
+// ═══════════════════════════════════════════════════════
+describe('Memory leak prevention', () => {
+    test('MemoryVault enforces max session limit', () => {
+        const vault = new vault_1.MemoryVault();
+        // Create many sessions
+        for (let i = 0; i < 1010; i++) {
+            vault.getOrCreateSession(`session-${i}`, 60000);
+        }
+        const sessions = vault.listSessions();
+        // Should not exceed max (1000) + some buffer
+        expect(sessions.length).toBeLessThanOrEqual(1010);
+    });
+    test('MemoryVault auto-cleans expired sessions on create', () => {
+        const vault = new vault_1.MemoryVault();
+        // Create session with 1ms TTL
+        vault.getOrCreateSession('expire-me', 1);
+        // Wait for expiry
+        const start = Date.now();
+        while (Date.now() - start < 10) { /* busy wait */ }
+        // Creating a new session triggers cleanup
+        vault.getOrCreateSession('new-session', 0);
+        // Expired session should be gone
+        expect(vault.getSession('expire-me')).toBeNull();
+    });
+});
+// ═══════════════════════════════════════════════════════
+// SECURITY: Field Path Injection Prevention
+// ═══════════════════════════════════════════════════════
+describe('Field path injection prevention', () => {
+    let vault;
+    beforeEach(() => { vault = new vault_1.MemoryVault(); });
+    test('malicious field path pattern does not crash', () => {
+        vault.getOrCreateSession('field-inj', 0);
+        const hits = [];
+        // Attempt to inject regex via field rule
+        const result = (0, engine_1.redactValue)({ email: 'test@test.com' }, createContext({
+            fieldMode: 'allowlist',
+            fieldRules: [{ field: '(a+)+', mode: 'include' }],
+        }), vault, 'field-inj', hits, 0);
+        // Should not crash or hang
+        expect(result.email).toBeDefined();
+    });
+});
+// ═══════════════════════════════════════════════════════
+// SECURITY: Token Collision Prevention
+// ═══════════════════════════════════════════════════════
+describe('Token collision prevention', () => {
+    let vault;
+    beforeEach(() => { vault = new vault_1.MemoryVault(); });
+    test('generated tokens are not re-redacted by subsequent patterns', () => {
+        vault.getOrCreateSession('collision-1', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ text: 'Email: test@example.com and SSN: 123-45-6789' }, createContext(), vault, 'collision-1', hits, 0);
+        // Tokens should be clean [LABEL_N] format, not double-redacted
+        expect(result.text).toMatch(/\[EMAIL_\d+\]/);
+        expect(result.text).toMatch(/\[SSN_\d+\]/);
+        // Should NOT contain nested tokens like [[EMAIL_0]]
+        expect(result.text).not.toContain('[[');
+    });
+});

package/dist/nodes/PiiRedactor/__tests__/semantic.test.d.ts

@@ -0,0 +1 @@
+export {};