n8n-nodes-redactor 3.0.1

package/dist/nodes/PiiRedactor/encryption.d.ts

@@ -0,0 +1,45 @@
+/**
+ * Vault Encryption Engine (AES-256-GCM)
+ *
+ * Encrypts vault files at rest so that even if someone accesses the
+ * filesystem, they cannot read the PII mapping data without the passphrase.
+ *
+ * Security properties:
+ *   - AES-256-GCM: Authenticated encryption (confidentiality + integrity)
+ *   - scrypt key derivation: Memory-hard, resists GPU/ASIC brute-force
+ *   - Unique salt per file: Same passphrase produces different keys per file
+ *   - Unique IV per encryption: Same data produces different ciphertext
+ *   - Auth tag: Detects tampering or wrong passphrase
+ *
+ * File format:
+ *   [1 byte: version 0x01]
+ *   [16 bytes: salt]
+ *   [12 bytes: IV]
+ *   [16 bytes: GCM auth tag]
+ *   [N bytes: ciphertext]
+ *
+ * Backward compatible:
+ *   - Files starting with '{' (0x7B) are read as plaintext JSON
+ *   - Files starting with 0x01 are decrypted
+ *   - Unencrypted files are auto-migrated to encrypted on next save
+ */
+/**
+ * Encrypt a JSON string using AES-256-GCM.
+ * Returns a Buffer in the encrypted file format.
+ */
+export declare function encryptVaultData(jsonData: string, passphrase: string): Buffer;
+/**
+ * Decrypt vault data from the encrypted file format.
+ * Returns the decrypted JSON string.
+ * Throws on wrong passphrase, corrupted data, or tampered file.
+ */
+export declare function decryptVaultData(data: Buffer, passphrase: string): string;
+/**
+ * Check if a buffer contains encrypted vault data (starts with version byte).
+ * If it starts with '{' (0x7B), it's plaintext JSON.
+ */
+export declare function isEncryptedVault(data: Buffer): boolean;
+/**
+ * Check if a buffer contains plaintext JSON vault data.
+ */
+export declare function isPlaintextVault(data: Buffer): boolean;

package/dist/nodes/PiiRedactor/encryption.js

@@ -0,0 +1,158 @@
+"use strict";
+/**
+ * Vault Encryption Engine (AES-256-GCM)
+ *
+ * Encrypts vault files at rest so that even if someone accesses the
+ * filesystem, they cannot read the PII mapping data without the passphrase.
+ *
+ * Security properties:
+ *   - AES-256-GCM: Authenticated encryption (confidentiality + integrity)
+ *   - scrypt key derivation: Memory-hard, resists GPU/ASIC brute-force
+ *   - Unique salt per file: Same passphrase produces different keys per file
+ *   - Unique IV per encryption: Same data produces different ciphertext
+ *   - Auth tag: Detects tampering or wrong passphrase
+ *
+ * File format:
+ *   [1 byte: version 0x01]
+ *   [16 bytes: salt]
+ *   [12 bytes: IV]
+ *   [16 bytes: GCM auth tag]
+ *   [N bytes: ciphertext]
+ *
+ * Backward compatible:
+ *   - Files starting with '{' (0x7B) are read as plaintext JSON
+ *   - Files starting with 0x01 are decrypted
+ *   - Unencrypted files are auto-migrated to encrypted on next save
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.encryptVaultData = encryptVaultData;
+exports.decryptVaultData = decryptVaultData;
+exports.isEncryptedVault = isEncryptedVault;
+exports.isPlaintextVault = isPlaintextVault;
+const crypto = __importStar(require("crypto"));
+const VERSION_BYTE = 0x01;
+const SALT_LENGTH = 16;
+const IV_LENGTH = 12;
+const AUTH_TAG_LENGTH = 16;
+const KEY_LENGTH = 32; // AES-256
+const SCRYPT_N = 2 ** 14; // 16384 — fast and secure for file encryption
+const SCRYPT_R = 8;
+const SCRYPT_P = 1;
+/**
+ * Derive a 256-bit encryption key from a passphrase using scrypt.
+ */
+function deriveKey(passphrase, salt) {
+    return crypto.scryptSync(passphrase, salt, KEY_LENGTH, {
+        N: SCRYPT_N,
+        r: SCRYPT_R,
+        p: SCRYPT_P,
+    });
+}
+/**
+ * Encrypt a JSON string using AES-256-GCM.
+ * Returns a Buffer in the encrypted file format.
+ */
+function encryptVaultData(jsonData, passphrase) {
+    const salt = crypto.randomBytes(SALT_LENGTH);
+    const iv = crypto.randomBytes(IV_LENGTH);
+    const key = deriveKey(passphrase, salt);
+    const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
+    const encrypted = Buffer.concat([
+        cipher.update(jsonData, 'utf-8'),
+        cipher.final(),
+    ]);
+    const authTag = cipher.getAuthTag();
+    // Assemble: [version][salt][iv][authTag][ciphertext]
+    return Buffer.concat([
+        Buffer.from([VERSION_BYTE]),
+        salt,
+        iv,
+        authTag,
+        encrypted,
+    ]);
+}
+/**
+ * Decrypt vault data from the encrypted file format.
+ * Returns the decrypted JSON string.
+ * Throws on wrong passphrase, corrupted data, or tampered file.
+ */
+function decryptVaultData(data, passphrase) {
+    if (data.length < 1 + SALT_LENGTH + IV_LENGTH + AUTH_TAG_LENGTH + 1) {
+        throw new Error('Encrypted vault file is too short or corrupted.');
+    }
+    const version = data[0];
+    if (version !== VERSION_BYTE) {
+        throw new Error(`Unsupported vault encryption version: ${version}`);
+    }
+    let offset = 1;
+    const salt = data.subarray(offset, offset + SALT_LENGTH);
+    offset += SALT_LENGTH;
+    const iv = data.subarray(offset, offset + IV_LENGTH);
+    offset += IV_LENGTH;
+    const authTag = data.subarray(offset, offset + AUTH_TAG_LENGTH);
+    offset += AUTH_TAG_LENGTH;
+    const ciphertext = data.subarray(offset);
+    const key = deriveKey(passphrase, salt);
+    try {
+        const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
+        decipher.setAuthTag(authTag);
+        const decrypted = Buffer.concat([
+            decipher.update(ciphertext),
+            decipher.final(),
+        ]);
+        return decrypted.toString('utf-8');
+    }
+    catch {
+        throw new Error('Vault decryption failed: wrong passphrase or corrupted file.');
+    }
+}
+/**
+ * Check if a buffer contains encrypted vault data (starts with version byte).
+ * If it starts with '{' (0x7B), it's plaintext JSON.
+ */
+function isEncryptedVault(data) {
+    if (data.length === 0)
+        return false;
+    return data[0] === VERSION_BYTE;
+}
+/**
+ * Check if a buffer contains plaintext JSON vault data.
+ */
+function isPlaintextVault(data) {
+    if (data.length === 0)
+        return false;
+    return data[0] === 0x7B; // '{'
+}

package/dist/nodes/PiiRedactor/engine.d.ts

@@ -0,0 +1,23 @@
+import { IVault } from './vault';
+import { RedactionContext, RedactionHit, RedactionReport } from './types';
+/**
+ * Main redaction engine - recursively walks JSON and applies redaction.
+ * Uses BOTH semantic field-name detection AND regex pattern matching.
+ */
+export declare function redactValue(value: unknown, ctx: RedactionContext, vault: IVault, sessionId: string, hits: RedactionHit[], itemIndex: number, currentPath?: string, siblingKeys?: string[]): unknown;
+/**
+ * Restore redacted tokens back to original values.
+ * Uses single-pass replacement to avoid infinite loops.
+ */
+export declare function restoreValue(value: unknown, vault: IVault, sessionId: string): unknown;
+/**
+ * Run Presidio NLP analysis on all string values in an item,
+ * then redact the detected entities. Called AFTER regex-based redaction.
+ * This catches entities that regex missed (especially PERSON names in free text).
+ */
+export declare function enhanceWithPresidio(data: Record<string, unknown>, ctx: RedactionContext, vault: IVault, sessionId: string, hits: RedactionHit[], itemIndex: number): Promise<Record<string, unknown>>;
+/**
+ * Build a redaction audit report from collected hits.
+ * SECURITY: Original PII values are NEVER included in the report.
+ */
+export declare function buildReport(sessionId: string, hits: RedactionHit[]): RedactionReport;