n8n-nodes-redactor 3.0.1

package/dist/nodes/PiiRedactor/__tests__/semantic.test.js

@@ -0,0 +1,319 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vault_1 = require("../vault");
+const engine_1 = require("../engine");
+function createContext(overrides = {}) {
+    return {
+        enabledPatterns: ['email', 'phone', 'personName', 'ssn'],
+        customPatterns: [],
+        mode: 'token',
+        dedup: true,
+        fieldRules: [],
+        fieldMode: 'all',
+        ...overrides,
+    };
+}
+// ═══════════════════════════════════════════════════════
+// SEMANTIC FIELD-NAME DETECTION
+// ═══════════════════════════════════════════════════════
+describe('Semantic detection: Person names', () => {
+    let vault;
+    beforeEach(() => { vault = new vault_1.MemoryVault(); });
+    test('redacts "name" field without title prefix', () => {
+        vault.getOrCreateSession('s1', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ name: 'Amelia Ramirez' }, createContext(), vault, 's1', hits, 0);
+        expect(result.name).toContain('[PERSON_NAME_');
+        expect(result.name).not.toBe('Amelia Ramirez');
+    });
+    test('redacts "firstName" and "lastName" fields', () => {
+        vault.getOrCreateSession('s2', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ firstName: 'Sarah', lastName: 'Johnson' }, createContext(), vault, 's2', hits, 0);
+        expect(result.firstName).toContain('[PERSON_NAME_');
+        expect(result.lastName).toContain('[PERSON_NAME_');
+    });
+    test('redacts German field names: Vorname, Nachname', () => {
+        vault.getOrCreateSession('s3', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ Vorname: 'Hans', Nachname: 'Mueller' }, createContext(), vault, 's3', hits, 0);
+        expect(result.Vorname).toContain('[PERSON_NAME_');
+        expect(result.Nachname).toContain('[PERSON_NAME_');
+    });
+    test('redacts nested name fields', () => {
+        vault.getOrCreateSession('s4', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ customer: { name: 'Liam Clark' } }, createContext(), vault, 's4', hits, 0);
+        expect(result.customer.name).toContain('[PERSON_NAME_');
+    });
+    test('redacts displayName, contactName, customerName', () => {
+        vault.getOrCreateSession('s5', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ displayName: 'Grace Taylor', contactName: 'Mia Lewis', customerName: 'Ryan Torres' }, createContext(), vault, 's5', hits, 0);
+        expect(result.displayName).toContain('[PERSON_NAME_');
+        expect(result.contactName).toContain('[PERSON_NAME_');
+        expect(result.customerName).toContain('[PERSON_NAME_');
+    });
+    test('redacts French/Spanish field names', () => {
+        vault.getOrCreateSession('s6', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ nom: 'Dupont', prenom: 'Jean', nombre: 'Carlos', apellido: 'Garcia' }, createContext(), vault, 's6', hits, 0);
+        expect(result.nom).toContain('[PERSON_NAME_');
+        expect(result.prenom).toContain('[PERSON_NAME_');
+        expect(result.nombre).toContain('[PERSON_NAME_');
+        expect(result.apellido).toContain('[PERSON_NAME_');
+    });
+});
+describe('Semantic detection: Employee / HR data', () => {
+    let vault;
+    beforeEach(() => { vault = new vault_1.MemoryVault(); });
+    test('redacts employeeId field', () => {
+        vault.getOrCreateSession('hr1', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ employeeId: 'D41BRX4M' }, createContext(), vault, 'hr1', hits, 0);
+        expect(result.employeeId).toContain('[EMPLOYEE_ID_');
+    });
+    test('redacts department field', () => {
+        vault.getOrCreateSession('hr2', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ department: 'Finance' }, createContext(), vault, 'hr2', hits, 0);
+        expect(result.department).toContain('[DEPARTMENT_');
+    });
+    test('redacts position/jobTitle field', () => {
+        vault.getOrCreateSession('hr3', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ position: 'Senior Developer', jobTitle: 'CTO' }, createContext(), vault, 'hr3', hits, 0);
+        expect(result.position).toContain('[JOB_TITLE_');
+        expect(result.jobTitle).toContain('[JOB_TITLE_');
+    });
+    test('redacts numeric salary field', () => {
+        vault.getOrCreateSession('hr4', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ salary: 110905 }, createContext(), vault, 'hr4', hits, 0);
+        expect(result.salary).toContain('[SALARY_');
+    });
+    test('redacts hireDate field', () => {
+        vault.getOrCreateSession('hr5', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ hireDate: '2024-01-15' }, createContext(), vault, 'hr5', hits, 0);
+        expect(result.hireDate).toContain('[EMPLOYMENT_DATE_');
+        // Should NOT be broken into postal code + card expiry
+        expect(result.hireDate).not.toContain('POSTCODE');
+        expect(result.hireDate).not.toContain('CARD_EXPIRY');
+    });
+    test('redacts German HR field names', () => {
+        vault.getOrCreateSession('hr6', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ Personalnummer: 'EMP-4821', Abteilung: 'Vertrieb', Stelle: 'Teamleiter' }, createContext(), vault, 'hr6', hits, 0);
+        expect(result.Personalnummer).toContain('[EMPLOYEE_ID_');
+        expect(result.Abteilung).toContain('[DEPARTMENT_');
+        expect(result.Stelle).toContain('[JOB_TITLE_');
+    });
+});
+describe('Semantic detection: Address fields', () => {
+    let vault;
+    beforeEach(() => { vault = new vault_1.MemoryVault(); });
+    test('redacts address field', () => {
+        vault.getOrCreateSession('addr1', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ address: '123 Main Street, Apt 4B' }, createContext(), vault, 'addr1', hits, 0);
+        expect(result.address).toContain('[ADDRESS_');
+    });
+    test('redacts city, state, zipCode fields', () => {
+        vault.getOrCreateSession('addr2', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ city: 'Munich', state: 'Bavaria', zipCode: '80331' }, createContext(), vault, 'addr2', hits, 0);
+        expect(result.city).toContain('[ADDRESS_');
+        expect(result.state).toContain('[ADDRESS_');
+        expect(result.zipCode).toContain('[ADDRESS_');
+    });
+    test('redacts German address fields', () => {
+        vault.getOrCreateSession('addr3', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ Anschrift: 'Musterstr. 12', PLZ: '80331', Adresse: 'Berlin' }, createContext(), vault, 'addr3', hits, 0);
+        expect(result.Anschrift).toContain('[ADDRESS_');
+        expect(result.PLZ).toContain('[ADDRESS_');
+        expect(result.Adresse).toContain('[ADDRESS_');
+    });
+});
+describe('Semantic detection: Financial fields', () => {
+    let vault;
+    beforeEach(() => { vault = new vault_1.MemoryVault(); });
+    test('redacts account_number field', () => {
+        vault.getOrCreateSession('fin1', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ accountNumber: 'DE89370400440532013000' }, createContext(), vault, 'fin1', hits, 0);
+        expect(result.accountNumber).toContain('[ACCOUNT_NUMBER_');
+    });
+    test('redacts insurance policy field', () => {
+        vault.getOrCreateSession('fin2', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ insurancePolicy: 'POL-2024-XYZ' }, createContext(), vault, 'fin2', hits, 0);
+        expect(result.insurancePolicy).toContain('[INSURANCE_');
+    });
+});
+describe('Semantic detection: Company/Organization', () => {
+    let vault;
+    beforeEach(() => { vault = new vault_1.MemoryVault(); });
+    test('redacts company field', () => {
+        vault.getOrCreateSession('comp1', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ company: 'Acme Corporation' }, createContext(), vault, 'comp1', hits, 0);
+        expect(result.company).toContain('[COMPANY_');
+    });
+    test('redacts employer, organization fields', () => {
+        vault.getOrCreateSession('comp2', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ employer: 'BigCorp GmbH', organization: 'Red Cross' }, createContext(), vault, 'comp2', hits, 0);
+        expect(result.employer).toContain('[COMPANY_');
+        expect(result.organization).toContain('[COMPANY_');
+    });
+    test('redacts German: Firma, Unternehmen, Arbeitgeber', () => {
+        vault.getOrCreateSession('comp3', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ Firma: 'Siemens AG', Arbeitgeber: 'BMW Group' }, createContext(), vault, 'comp3', hits, 0);
+        expect(result.Firma).toContain('[COMPANY_');
+        expect(result.Arbeitgeber).toContain('[COMPANY_');
+    });
+});
+describe('Semantic detection: Full round-trip with real-world data', () => {
+    let vault;
+    beforeEach(() => { vault = new vault_1.MemoryVault(); });
+    test('complete employee record redaction and restoration', () => {
+        vault.getOrCreateSession('rt1', 0);
+        const hits = [];
+        const original = {
+            employeeId: 'D41BRX4M',
+            name: 'Amelia Ramirez',
+            email: 'amelia.ramirez@company.com',
+            department: 'Finance',
+            position: 'Senior Analyst',
+            hireDate: '2024-01-15',
+            salary: 85000,
+            company: 'Exacta GmbH',
+            address: 'Berliner Str. 45, 10115 Berlin',
+        };
+        const redacted = (0, engine_1.redactValue)(original, createContext(), vault, 'rt1', hits, 0);
+        // Every field should be redacted
+        expect(redacted.employeeId).toContain('[');
+        expect(redacted.name).toContain('[PERSON_NAME_');
+        expect(redacted.email).toContain('['); // caught by regex or semantic
+        expect(redacted.department).toContain('[DEPARTMENT_');
+        expect(redacted.position).toContain('[JOB_TITLE_');
+        expect(redacted.hireDate).toContain('[EMPLOYMENT_DATE_');
+        expect(redacted.salary).toContain('[SALARY_');
+        expect(redacted.company).toContain('[COMPANY_');
+        expect(redacted.address).toContain('[ADDRESS_');
+        // None of the original values should be visible
+        const json = JSON.stringify(redacted);
+        expect(json).not.toContain('Amelia Ramirez');
+        expect(json).not.toContain('Finance');
+        expect(json).not.toContain('Senior Analyst');
+        expect(json).not.toContain('85000');
+        expect(json).not.toContain('Exacta GmbH');
+        // Restore should bring everything back
+        const restored = (0, engine_1.restoreValue)(redacted, vault, 'rt1');
+        expect(restored.name).toBe('Amelia Ramirez');
+        expect(restored.department).toBe('Finance');
+        expect(restored.position).toBe('Senior Analyst');
+        expect(restored.salary).toBe('85000'); // restored as string (currency-safe)
+        expect(restored.company).toBe('Exacta GmbH');
+    });
+});
+describe('Semantic detection: Language/cultural fields', () => {
+    let vault;
+    beforeEach(() => { vault = new vault_1.MemoryVault(); });
+    test('redacts "language" field as GDPR Art.9 sensitive', () => {
+        vault.getOrCreateSession('lang1', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ name: 'Adeel', language: 'Sindhi' }, createContext(), vault, 'lang1', hits, 0);
+        expect(result.language).toContain('[LANGUAGE_');
+        expect(result.language).not.toBe('Sindhi');
+    });
+    test('redacts mother tongue fields', () => {
+        vault.getOrCreateSession('lang2', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ motherTongue: 'Urdu', Muttersprache: 'Deutsch' }, createContext(), vault, 'lang2', hits, 0);
+        expect(result.motherTongue).toContain('[LANGUAGE_');
+        expect(result.Muttersprache).toContain('[LANGUAGE_');
+    });
+});
+describe('Semantic detection: Context-aware ambiguous fields', () => {
+    let vault;
+    beforeEach(() => { vault = new vault_1.MemoryVault(); });
+    test('redacts bare "id" when sibling has "name" (PII context)', () => {
+        vault.getOrCreateSession('ctx1', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ id: 'D41BRX4M', name: 'Amelia Ramirez', department: 'Finance' }, createContext(), vault, 'ctx1', hits, 0);
+        expect(result.id).toContain('[IDENTIFIER_');
+        expect(result.id).not.toBe('D41BRX4M');
+    });
+    test('does NOT redact bare "id" when no PII sibling fields', () => {
+        vault.getOrCreateSession('ctx2', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ id: '12345', status: 'active', type: 'widget' }, createContext(), vault, 'ctx2', hits, 0);
+        // No PII indicator siblings, so id should NOT be redacted
+        expect(result.id).toBe('12345');
+    });
+    test('redacts "code" and "ref" when email sibling exists', () => {
+        vault.getOrCreateSession('ctx3', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ code: 'EMP-4821', ref: 'REF-999', email: 'john@test.com' }, createContext(), vault, 'ctx3', hits, 0);
+        expect(result.code).toContain('[IDENTIFIER_');
+        expect(result.ref).toContain('[IDENTIFIER_');
+    });
+    test('redacts "number" when salary sibling exists', () => {
+        vault.getOrCreateSession('ctx4', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ number: 'ACC-12345', salary: 85000, name: 'Jane Doe' }, createContext(), vault, 'ctx4', hits, 0);
+        expect(result.number).toContain('[IDENTIFIER_');
+    });
+    test('does NOT redact "status" in non-PII record', () => {
+        vault.getOrCreateSession('ctx5', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ status: 'completed', category: 'urgent', label: 'bug' }, createContext(), vault, 'ctx5', hits, 0);
+        expect(result.status).toBe('completed');
+        expect(result.category).toBe('urgent');
+        expect(result.label).toBe('bug');
+    });
+    test('context-aware detection in nested objects', () => {
+        vault.getOrCreateSession('ctx6', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ user: { id: 'USR-999', name: 'John Smith', code: 'ABC123' } }, createContext(), vault, 'ctx6', hits, 0);
+        expect(result.user.id).toContain('[IDENTIFIER_');
+        expect(result.user.code).toContain('[IDENTIFIER_');
+    });
+    test('full employee record with ambiguous fields all redacted', () => {
+        vault.getOrCreateSession('ctx7', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({
+            id: 'V59OF92YF62',
+            name: 'Adeel Solangi',
+            language: 'Sindhi',
+            code: 'EMP001',
+            ref: 'HR-2024-001',
+            email: 'adeel@company.com',
+        }, createContext(), vault, 'ctx7', hits, 0);
+        const json = JSON.stringify(result);
+        expect(json).not.toContain('V59OF92YF62');
+        expect(json).not.toContain('Adeel Solangi');
+        expect(json).not.toContain('Sindhi');
+        expect(json).not.toContain('EMP001');
+        expect(json).not.toContain('HR-2024-001');
+        expect(json).not.toContain('adeel@company.com');
+    });
+});
+describe('Semantic detection: Notes/text fields fall through to regex', () => {
+    let vault;
+    beforeEach(() => { vault = new vault_1.MemoryVault(); });
+    test('notes field is NOT fully redacted but regex runs on it', () => {
+        vault.getOrCreateSession('notes1', 0);
+        const hits = [];
+        const result = (0, engine_1.redactValue)({ notes: 'Customer john@test.com called about order' }, createContext(), vault, 'notes1', hits, 0);
+        // The whole field should NOT be a single token
+        expect(result.notes).toContain('called about order');
+        // But the email inside should be redacted
+        expect(result.notes).toContain('[EMAIL_');
+        expect(result.notes).not.toContain('john@test.com');
+    });
+});

package/dist/nodes/PiiRedactor/__tests__/vault.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/nodes/PiiRedactor/__tests__/vault.test.js

@@ -0,0 +1,247 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+const vault_1 = require("../vault");
+function makeEntry(token, original) {
+    return {
+        token,
+        original,
+        patternLabel: 'EMAIL',
+        category: 'contact',
+        createdAt: new Date().toISOString(),
+    };
+}
+// ═══════════════════════════════════════════════════════
+// MEMORY VAULT
+// ═══════════════════════════════════════════════════════
+describe('MemoryVault', () => {
+    let vault;
+    beforeEach(() => {
+        vault = new vault_1.MemoryVault();
+    });
+    test('creates a new session', () => {
+        const session = vault.getOrCreateSession('test-1', 0);
+        expect(session.sessionId).toBe('test-1');
+        expect(Object.keys(session.entries)).toHaveLength(0);
+    });
+    test('returns existing session on second call', () => {
+        vault.getOrCreateSession('test-2', 0);
+        vault.addEntry('test-2', makeEntry('[EMAIL_0]', 'a@b.com'));
+        const session = vault.getOrCreateSession('test-2', 0);
+        expect(Object.keys(session.entries)).toHaveLength(1);
+    });
+    test('adds and retrieves entries', () => {
+        vault.getOrCreateSession('test-3', 0);
+        vault.addEntry('test-3', makeEntry('[EMAIL_0]', 'alice@example.com'));
+        vault.addEntry('test-3', makeEntry('[PHONE_1]', '+49123456'));
+        const session = vault.getSession('test-3');
+        expect(session).not.toBeNull();
+        expect(Object.keys(session.entries)).toHaveLength(2);
+        expect(session.entries['[EMAIL_0]'].original).toBe('alice@example.com');
+    });
+    test('findByOriginal returns matching entry', () => {
+        vault.getOrCreateSession('test-4', 0);
+        vault.addEntry('test-4', makeEntry('[EMAIL_0]', 'test@test.com'));
+        const found = vault.findByOriginal('test-4', 'test@test.com');
+        expect(found).toBeDefined();
+        expect(found.token).toBe('[EMAIL_0]');
+    });
+    test('findByOriginal returns undefined for non-existent', () => {
+        vault.getOrCreateSession('test-5', 0);
+        expect(vault.findByOriginal('test-5', 'nope')).toBeUndefined();
+    });
+    test('deleteSession removes session', () => {
+        vault.getOrCreateSession('test-6', 0);
+        vault.deleteSession('test-6');
+        expect(vault.getSession('test-6')).toBeNull();
+    });
+    test('listSessions returns all active sessions', () => {
+        vault.getOrCreateSession('s1', 0);
+        vault.getOrCreateSession('s2', 0);
+        vault.addEntry('s1', makeEntry('[EMAIL_0]', 'a@b.com'));
+        const sessions = vault.listSessions();
+        expect(sessions.length).toBeGreaterThanOrEqual(2);
+        const s1 = sessions.find((s) => s.sessionId === 's1');
+        expect(s1?.entryCount).toBe(1);
+    });
+    test('TTL expiry — expired session returns null', () => {
+        // Create session with 1ms TTL
+        vault.getOrCreateSession('ttl-test', 1);
+        vault.addEntry('ttl-test', makeEntry('[EMAIL_0]', 'a@b.com'));
+        // Wait for expiry
+        const start = Date.now();
+        while (Date.now() - start < 10) {
+            // busy wait
+        }
+        expect(vault.getSession('ttl-test')).toBeNull();
+    });
+    test('TTL = 0 means no expiry', () => {
+        vault.getOrCreateSession('no-ttl', 0);
+        vault.addEntry('no-ttl', makeEntry('[EMAIL_0]', 'a@b.com'));
+        expect(vault.getSession('no-ttl')).not.toBeNull();
+    });
+    test('cleanup removes expired sessions', () => {
+        vault.getOrCreateSession('expired', 1);
+        vault.getOrCreateSession('alive', 0);
+        const start = Date.now();
+        while (Date.now() - start < 10) {
+            // busy wait
+        }
+        const removed = vault.cleanup();
+        expect(removed).toBeGreaterThanOrEqual(1);
+        expect(vault.getSession('alive')).not.toBeNull();
+    });
+});
+// ═══════════════════════════════════════════════════════
+// FILE VAULT
+// ═══════════════════════════════════════════════════════
+describe('FileVault', () => {
+    let vault;
+    let testDir;
+    beforeEach(() => {
+        testDir = fs.mkdtempSync(path.join(os.tmpdir(), 'pii-vault-test-'));
+        vault = new vault_1.FileVault(testDir);
+    });
+    afterEach(() => {
+        // Cleanup
+        try {
+            fs.rmSync(testDir, { recursive: true, force: true });
+        }
+        catch {
+            // ignore
+        }
+    });
+    test('creates vault directory', () => {
+        expect(fs.existsSync(testDir)).toBe(true);
+    });
+    test('creates and persists session to file', () => {
+        vault.getOrCreateSession('file-test-1', 0);
+        vault.addEntry('file-test-1', makeEntry('[EMAIL_0]', 'test@file.com'));
+        vault.save('file-test-1');
+        // Verify file was created
+        const files = fs.readdirSync(testDir);
+        expect(files.some((f) => f.startsWith('vault_') && f.endsWith('.json'))).toBe(true);
+    });
+    test('loads session from file after re-instantiation', () => {
+        vault.getOrCreateSession('persist-test', 0);
+        vault.addEntry('persist-test', makeEntry('[EMAIL_0]', 'persisted@test.com'));
+        vault.save('persist-test');
+        // Create a new vault instance pointing to same dir
+        const vault2 = new vault_1.FileVault(testDir);
+        const session = vault2.getSession('persist-test');
+        expect(session).not.toBeNull();
+        expect(session.entries['[EMAIL_0]'].original).toBe('persisted@test.com');
+    });
+    test('deleteSession removes file', () => {
+        vault.getOrCreateSession('delete-test', 0);
+        vault.addEntry('delete-test', makeEntry('[EMAIL_0]', 'x@y.com'));
+        vault.save('delete-test');
+        vault.deleteSession('delete-test');
+        const vault2 = new vault_1.FileVault(testDir);
+        expect(vault2.getSession('delete-test')).toBeNull();
+    });
+    test('listSessions reads all vault files', () => {
+        vault.getOrCreateSession('list-1', 0);
+        vault.save('list-1');
+        vault.getOrCreateSession('list-2', 0);
+        vault.addEntry('list-2', makeEntry('[EMAIL_0]', 'a@b.com'));
+        vault.save('list-2');
+        const sessions = vault.listSessions();
+        expect(sessions).toHaveLength(2);
+    });
+    test('TTL expiry on file vault', () => {
+        vault.getOrCreateSession('file-ttl', 1);
+        vault.save('file-ttl');
+        const start = Date.now();
+        while (Date.now() - start < 10) {
+            // busy wait
+        }
+        const vault2 = new vault_1.FileVault(testDir);
+        expect(vault2.getSession('file-ttl')).toBeNull();
+    });
+    test('cleanup removes expired files', () => {
+        vault.getOrCreateSession('expired-file', 1);
+        vault.save('expired-file');
+        vault.getOrCreateSession('alive-file', 0);
+        vault.save('alive-file');
+        const start = Date.now();
+        while (Date.now() - start < 10) {
+            // busy wait
+        }
+        // Auto-cleanup fires on getOrCreateSession and constructor,
+        // so the expired file may already be gone. Verify it's not accessible.
+        const vault2 = new vault_1.FileVault(testDir);
+        expect(vault2.getSession('expired-file')).toBeNull();
+        // The alive session should still exist
+        expect(vault2.getSession('alive-file')).not.toBeNull();
+    });
+    test('findByOriginal works with file vault', () => {
+        vault.getOrCreateSession('find-test', 0);
+        vault.addEntry('find-test', makeEntry('[EMAIL_0]', 'find@me.com'));
+        const found = vault.findByOriginal('find-test', 'find@me.com');
+        expect(found).toBeDefined();
+        expect(found.token).toBe('[EMAIL_0]');
+    });
+    test('handles corrupt JSON files gracefully', () => {
+        // Write a corrupt file
+        const corruptFile = path.join(testDir, 'vault_corrupt1234567.json');
+        fs.writeFileSync(corruptFile, 'not valid json{{{', 'utf-8');
+        const sessions = vault.listSessions();
+        // Should not crash, just skip the corrupt file
+        expect(Array.isArray(sessions)).toBe(true);
+    });
+});
+// ═══════════════════════════════════════════════════════
+// createVault FACTORY
+// ═══════════════════════════════════════════════════════
+describe('createVault factory', () => {
+    test('returns MemoryVault for "memory"', () => {
+        const v = (0, vault_1.createVault)('memory');
+        expect(v).toBeInstanceOf(vault_1.MemoryVault);
+    });
+    test('returns FileVault for "file"', () => {
+        const testDir = fs.mkdtempSync(path.join(os.tmpdir(), 'factory-test-'));
+        const v = (0, vault_1.createVault)('file', testDir);
+        expect(v).toBeInstanceOf(vault_1.FileVault);
+        fs.rmSync(testDir, { recursive: true, force: true });
+    });
+    test('defaults to MemoryVault for unknown type', () => {
+        const v = (0, vault_1.createVault)('unknown');
+        expect(v).toBeInstanceOf(vault_1.MemoryVault);
+    });
+});

package/dist/nodes/PiiRedactor/audit.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Persistent Audit Log
+ *
+ * JSONL (JSON Lines) audit logger for compliance recording.
+ * One JSON object per line, append-only, auto-rotating.
+ *
+ * Compliant with:
+ *   - GDPR Article 30 (Records of Processing Activities)
+ *   - HIPAA (6-year retention)
+ *   - SOX (7-year retention)
+ *   - PCI DSS (1-year minimum)
+ *
+ * Format: JSONL (compatible with Splunk, ELK, Datadog, CloudWatch)
+ * Location: ~/.n8n/pii-audit/pii-audit-YYYY-MM-DD.jsonl
+ * Rotation: Daily + 100MB size limit
+ */
+import { RedactionHit, RedactionMode } from './types';
+import { ClassificationLabel } from './classification';
+export interface AuditLogEntry {
+    version: string;
+    timestamp: string;
+    eventId: string;
+    severity: 'LOW' | 'MEDIUM' | 'HIGH' | 'CRITICAL';
+    action: string;
+    mode: RedactionMode | string;
+    status: 'SUCCESS' | 'PARTIAL' | 'FAILED';
+    totalHits: number;
+    hitsByCategory: Record<string, number>;
+    hitsByPattern: Record<string, number>;
+    classificationLevel?: string;
+    inputItemCount: number;
+    processingTimeMs: number;
+    patternsUsed: number;
+    presidioEnabled: boolean;
+    sessionId?: string;
+}
+/**
+ * Write an audit log entry.
+ * Creates the audit directory if it doesn't exist.
+ * Handles file rotation (daily + size-based).
+ * Graceful: never throws, never blocks the workflow.
+ */
+export declare function writeAuditLog(action: string, mode: RedactionMode | string, hits: RedactionHit[], inputItemCount: number, processingTimeMs: number, patternsUsed: number, presidioEnabled: boolean, classification?: ClassificationLabel, sessionId?: string, auditDir?: string): void;
+/**
+ * Read audit log entries for a given date range.
+ * Returns parsed entries. Used by Stats operation for audit review.
+ */
+export declare function readAuditLog(startDate?: string, endDate?: string, auditDir?: string): AuditLogEntry[];