n8n-nodes-redactor 3.0.1

package/dist/nodes/PiiRedactor/presidio.d.ts

@@ -0,0 +1,77 @@
+/**
+ * Presidio Analyzer HTTP Client
+ *
+ * Optional integration with Microsoft Presidio for NLP-based entity detection.
+ * Presidio uses spaCy NER models to detect person names, locations, and
+ * organizations in free text — something regex alone cannot do reliably.
+ *
+ * This is OPTIONAL. The node works perfectly without Presidio.
+ * Users who want NLP-level accuracy spin up the Presidio Docker container
+ * and enable "Enhanced NLP Detection" in the node settings.
+ *
+ * Docker setup (one command):
+ *   docker run -d -p 5002:3000 mcr.microsoft.com/presidio-analyzer
+ *
+ * Or with docker-compose alongside n8n:
+ *   services:
+ *     n8n:
+ *       image: n8nio/n8n
+ *       ports: ["5678:5678"]
+ *     presidio:
+ *       image: mcr.microsoft.com/presidio-analyzer
+ *       ports: ["5002:3000"]
+ */
+/** Result from Presidio /analyze endpoint */
+export interface PresidioEntity {
+    entity_type: string;
+    start: number;
+    end: number;
+    score: number;
+    analysis_explanation?: {
+        recognizer: string;
+        pattern_name?: string;
+        pattern?: string;
+        original_score: number;
+        score: number;
+        textual_explanation?: string;
+        score_context_improvement?: number;
+        supportive_context_word?: string;
+        validation_result?: number;
+    };
+    recognition_metadata?: {
+        recognizer_name: string;
+        recognizer_identifier?: string;
+    };
+}
+/** Presidio /analyze request body */
+export interface PresidioAnalyzeRequest {
+    text: string;
+    language: string;
+    entities?: string[];
+    correlation_id?: string;
+    score_threshold?: number;
+    return_decision_process?: boolean;
+}
+/** Reset circuit breaker (call at start of each n8n execution) */
+export declare function resetCircuitBreaker(): void;
+/**
+ * Check if Presidio is reachable at the given URL.
+ */
+export declare function checkPresidioHealth(baseUrl: string): Promise<boolean>;
+/**
+ * Call Presidio /analyze endpoint to detect PII entities in text.
+ * Returns empty array if Presidio is unreachable (graceful fallback).
+ */
+export declare function analyzeWithPresidio(baseUrl: string, text: string, language?: string, scoreThreshold?: number, timeoutMs?: number): Promise<PresidioEntity[]>;
+/**
+ * Get the redactor label for a Presidio entity type.
+ */
+export declare function getRedactorLabel(presidioEntityType: string): string;
+/**
+ * Get the PII category for a Presidio entity type.
+ */
+export declare function getRedactorCategory(presidioEntityType: string): string;
+/**
+ * Get all supported Presidio entity types.
+ */
+export declare function getPresidioEntities(baseUrl: string): Promise<string[]>;

package/dist/nodes/PiiRedactor/presidio.js

@@ -0,0 +1,264 @@
+"use strict";
+/**
+ * Presidio Analyzer HTTP Client
+ *
+ * Optional integration with Microsoft Presidio for NLP-based entity detection.
+ * Presidio uses spaCy NER models to detect person names, locations, and
+ * organizations in free text — something regex alone cannot do reliably.
+ *
+ * This is OPTIONAL. The node works perfectly without Presidio.
+ * Users who want NLP-level accuracy spin up the Presidio Docker container
+ * and enable "Enhanced NLP Detection" in the node settings.
+ *
+ * Docker setup (one command):
+ *   docker run -d -p 5002:3000 mcr.microsoft.com/presidio-analyzer
+ *
+ * Or with docker-compose alongside n8n:
+ *   services:
+ *     n8n:
+ *       image: n8nio/n8n
+ *       ports: ["5678:5678"]
+ *     presidio:
+ *       image: mcr.microsoft.com/presidio-analyzer
+ *       ports: ["5002:3000"]
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resetCircuitBreaker = resetCircuitBreaker;
+exports.checkPresidioHealth = checkPresidioHealth;
+exports.analyzeWithPresidio = analyzeWithPresidio;
+exports.getRedactorLabel = getRedactorLabel;
+exports.getRedactorCategory = getRedactorCategory;
+exports.getPresidioEntities = getPresidioEntities;
+const http = __importStar(require("http"));
+const https = __importStar(require("https"));
+/** Map Presidio entity types to our label format */
+const PRESIDIO_TO_REDACTOR_LABEL = {
+    PERSON: 'PERSON_NAME',
+    EMAIL_ADDRESS: 'EMAIL',
+    PHONE_NUMBER: 'PHONE',
+    CREDIT_CARD: 'CREDIT_CARD',
+    IBAN_CODE: 'IBAN',
+    US_SSN: 'SSN',
+    US_ITIN: 'ITIN_US',
+    US_PASSPORT: 'PASSPORT_US',
+    US_DRIVER_LICENSE: 'DRIVER_LICENSE',
+    US_BANK_NUMBER: 'BANK_ACCOUNT',
+    UK_NHS: 'NHS_NUMBER',
+    LOCATION: 'ADDRESS',
+    DATE_TIME: 'DATE',
+    NRP: 'ETHNICITY',
+    MEDICAL_LICENSE: 'MEDICAL',
+    IP_ADDRESS: 'IP_ADDRESS',
+    URL: 'URL',
+    CRYPTO: 'BTC_ADDRESS',
+    ORGANIZATION: 'COMPANY',
+    AU_ABN: 'ABN_AU',
+    AU_ACN: 'ACN_AU',
+    AU_TFN: 'TFN_AU',
+    AU_MEDICARE: 'MEDICARE_AU',
+    SG_NRIC_FIN: 'NRIC_SG',
+    IN_PAN: 'PAN_IN',
+    IN_AADHAAR: 'AADHAAR_IN',
+    ES_NIF: 'NIF_ES',
+    IT_FISCAL_CODE: 'CODICE_FISCALE_IT',
+    IT_DRIVER_LICENSE: 'DRIVER_LICENSE',
+    IT_IDENTITY_CARD: 'CARTA_ID_IT',
+    IT_PASSPORT: 'PASSPORT_EU',
+    IT_VAT_CODE: 'VAT_EU',
+    PL_PESEL: 'PESEL_PL',
+};
+/** Map Presidio entity types to our PII categories */
+const PRESIDIO_TO_CATEGORY = {
+    PERSON: 'identity',
+    EMAIL_ADDRESS: 'contact',
+    PHONE_NUMBER: 'contact',
+    CREDIT_CARD: 'financial',
+    IBAN_CODE: 'financial',
+    US_SSN: 'identity',
+    US_ITIN: 'identity',
+    US_PASSPORT: 'identity',
+    US_DRIVER_LICENSE: 'identity',
+    US_BANK_NUMBER: 'financial',
+    UK_NHS: 'identity',
+    LOCATION: 'location',
+    DATE_TIME: 'temporal',
+    NRP: 'identity',
+    MEDICAL_LICENSE: 'medical',
+    IP_ADDRESS: 'network',
+    URL: 'network',
+    CRYPTO: 'crypto',
+    ORGANIZATION: 'identity',
+};
+/**
+ * Circuit breaker: after 3 consecutive failures, stop calling Presidio
+ * for the rest of this execution. Per-URL to prevent cross-workflow bleed.
+ * Resets on success or at start of each n8n execution.
+ */
+const failureCountByUrl = new Map();
+const MAX_FAILURES = 3;
+function circuitOpen(url) {
+    if (!url)
+        return false;
+    return (failureCountByUrl.get(url) || 0) >= MAX_FAILURES;
+}
+function recordSuccess(url) {
+    if (url)
+        failureCountByUrl.set(url, 0);
+}
+function recordFailure(url) {
+    if (url)
+        failureCountByUrl.set(url, (failureCountByUrl.get(url) || 0) + 1);
+}
+/** Reset circuit breaker (call at start of each n8n execution) */
+function resetCircuitBreaker() {
+    failureCountByUrl.clear();
+}
+/**
+ * Check if Presidio is reachable at the given URL.
+ */
+async function checkPresidioHealth(baseUrl) {
+    try {
+        const result = await httpGet(`${baseUrl}/health`, 3000);
+        return result.statusCode === 200;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Call Presidio /analyze endpoint to detect PII entities in text.
+ * Returns empty array if Presidio is unreachable (graceful fallback).
+ */
+async function analyzeWithPresidio(baseUrl, text, language = 'en', scoreThreshold = 0.4, timeoutMs = 10000) {
+    if (!text || text.trim().length === 0)
+        return [];
+    // Circuit breaker: skip if too many consecutive failures for this URL
+    if (circuitOpen(baseUrl))
+        return [];
+    const requestBody = {
+        text,
+        language,
+        score_threshold: scoreThreshold,
+        return_decision_process: false,
+    };
+    try {
+        const result = await httpPost(`${baseUrl}/analyze`, JSON.stringify(requestBody), timeoutMs);
+        if (result.statusCode !== 200) {
+            recordFailure(baseUrl);
+            return [];
+        }
+        const entities = JSON.parse(result.body);
+        if (!Array.isArray(entities)) {
+            recordFailure(baseUrl);
+            return [];
+        }
+        recordSuccess(baseUrl);
+        return entities;
+    }
+    catch {
+        recordFailure();
+        return [];
+    }
+}
+/**
+ * Get the redactor label for a Presidio entity type.
+ */
+function getRedactorLabel(presidioEntityType) {
+    return PRESIDIO_TO_REDACTOR_LABEL[presidioEntityType] || presidioEntityType;
+}
+/**
+ * Get the PII category for a Presidio entity type.
+ */
+function getRedactorCategory(presidioEntityType) {
+    return PRESIDIO_TO_CATEGORY[presidioEntityType] || 'identity';
+}
+/**
+ * Get all supported Presidio entity types.
+ */
+async function getPresidioEntities(baseUrl) {
+    try {
+        const result = await httpGet(`${baseUrl}/supportedentities`, 5000);
+        if (result.statusCode !== 200)
+            return [];
+        const entities = JSON.parse(result.body);
+        return Array.isArray(entities) ? entities : [];
+    }
+    catch {
+        return [];
+    }
+}
+function httpGet(url, timeoutMs) {
+    return new Promise((resolve, reject) => {
+        const client = url.startsWith('https') ? https : http;
+        const req = client.get(url, { timeout: timeoutMs }, (res) => {
+            let body = '';
+            res.on('data', (chunk) => { body += chunk; });
+            res.on('end', () => {
+                resolve({ statusCode: res.statusCode || 0, body });
+            });
+        });
+        req.on('error', reject);
+        req.on('timeout', () => { req.destroy(); reject(new Error('timeout')); });
+    });
+}
+function httpPost(url, data, timeoutMs) {
+    return new Promise((resolve, reject) => {
+        const parsedUrl = new URL(url);
+        const client = parsedUrl.protocol === 'https:' ? https : http;
+        const options = {
+            hostname: parsedUrl.hostname,
+            port: parsedUrl.port,
+            path: parsedUrl.pathname,
+            method: 'POST',
+            timeout: timeoutMs,
+            headers: {
+                'Content-Type': 'application/json',
+                'Content-Length': Buffer.byteLength(data),
+            },
+        };
+        const req = client.request(options, (res) => {
+            let body = '';
+            res.on('data', (chunk) => { body += chunk; });
+            res.on('end', () => {
+                resolve({ statusCode: res.statusCode || 0, body });
+            });
+        });
+        req.on('error', reject);
+        req.on('timeout', () => { req.destroy(); reject(new Error('timeout')); });
+        req.write(data);
+        req.end();
+    });
+}

package/dist/nodes/PiiRedactor/profiles.d.ts

@@ -0,0 +1,47 @@
+/**
+ * Per-Tenant Profile Management
+ *
+ * Profiles allow agencies to define different redaction rules per client/tenant.
+ * Each profile is a JSON config containing: enabled patterns, allow/deny lists,
+ * redaction mode, field rules, confidence threshold, and compliance settings.
+ *
+ * Storage: ~/.n8n/pii-profiles/profile_{profileId}.json
+ * Loading: By profileId parameter in node settings
+ * Isolation: Each profile has its own vault passphrase recommendation
+ */
+import { RedactionMode, CustomPattern, AllowDenyEntry, FieldRule } from './types';
+export interface TenantProfile {
+    profileId: string;
+    displayName: string;
+    enabledPatterns?: string[];
+    customPatterns?: CustomPattern[];
+    confidenceThreshold?: number;
+    redactionMode?: RedactionMode;
+    dedup?: boolean;
+    fieldMode?: 'all' | 'allowlist' | 'denylist';
+    fieldRules?: FieldRule[];
+    allowList?: AllowDenyEntry[];
+    denyList?: AllowDenyEntry[];
+    region?: string;
+    retentionMinutes?: number;
+    auditLog?: boolean;
+    createdAt: string;
+    updatedAt: string;
+}
+/**
+ * Load a tenant profile by ID.
+ * Returns null if not found.
+ */
+export declare function loadProfile(profileId: string, profileDir?: string): TenantProfile | null;
+/**
+ * Save a tenant profile.
+ */
+export declare function saveProfile(profile: TenantProfile, profileDir?: string): boolean;
+/**
+ * List all available profiles.
+ */
+export declare function listProfiles(profileDir?: string): TenantProfile[];
+/**
+ * Delete a tenant profile.
+ */
+export declare function deleteProfile(profileId: string, profileDir?: string): boolean;

package/dist/nodes/PiiRedactor/profiles.js

@@ -0,0 +1,139 @@
+"use strict";
+/**
+ * Per-Tenant Profile Management
+ *
+ * Profiles allow agencies to define different redaction rules per client/tenant.
+ * Each profile is a JSON config containing: enabled patterns, allow/deny lists,
+ * redaction mode, field rules, confidence threshold, and compliance settings.
+ *
+ * Storage: ~/.n8n/pii-profiles/profile_{profileId}.json
+ * Loading: By profileId parameter in node settings
+ * Isolation: Each profile has its own vault passphrase recommendation
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadProfile = loadProfile;
+exports.saveProfile = saveProfile;
+exports.listProfiles = listProfiles;
+exports.deleteProfile = deleteProfile;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const DEFAULT_PROFILE_DIR = path.join(process.env.HOME || '/tmp', '.n8n', 'pii-profiles');
+/**
+ * Load a tenant profile by ID.
+ * Returns null if not found.
+ */
+function loadProfile(profileId, profileDir) {
+    if (!profileId || profileId.trim().length === 0)
+        return null;
+    try {
+        const dir = profileDir || DEFAULT_PROFILE_DIR;
+        // Sanitize profileId to prevent path traversal
+        const safeId = profileId.replace(/[^a-zA-Z0-9_\-]/g, '_');
+        const fp = path.join(dir, `profile_${safeId}.json`);
+        if (!fs.existsSync(fp))
+            return null;
+        const data = JSON.parse(fs.readFileSync(fp, 'utf-8'));
+        return data;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Save a tenant profile.
+ */
+function saveProfile(profile, profileDir) {
+    try {
+        const dir = profileDir || DEFAULT_PROFILE_DIR;
+        if (!fs.existsSync(dir)) {
+            fs.mkdirSync(dir, { recursive: true });
+        }
+        const safeId = profile.profileId.replace(/[^a-zA-Z0-9_\-]/g, '_');
+        const fp = path.join(dir, `profile_${safeId}.json`);
+        const tmpFp = fp + '.tmp';
+        profile.updatedAt = new Date().toISOString();
+        fs.writeFileSync(tmpFp, JSON.stringify(profile, null, 2), 'utf-8');
+        fs.renameSync(tmpFp, fp);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * List all available profiles.
+ */
+function listProfiles(profileDir) {
+    try {
+        const dir = profileDir || DEFAULT_PROFILE_DIR;
+        if (!fs.existsSync(dir))
+            return [];
+        const files = fs.readdirSync(dir)
+            .filter((f) => f.startsWith('profile_') && f.endsWith('.json'));
+        const profiles = [];
+        for (const file of files) {
+            try {
+                const data = JSON.parse(fs.readFileSync(path.join(dir, file), 'utf-8'));
+                profiles.push(data);
+            }
+            catch {
+                // Skip corrupt profiles
+            }
+        }
+        return profiles;
+    }
+    catch {
+        return [];
+    }
+}
+/**
+ * Delete a tenant profile.
+ */
+function deleteProfile(profileId, profileDir) {
+    try {
+        const dir = profileDir || DEFAULT_PROFILE_DIR;
+        const safeId = profileId.replace(/[^a-zA-Z0-9_\-]/g, '_');
+        const fp = path.join(dir, `profile_${safeId}.json`);
+        if (fs.existsSync(fp)) {
+            fs.unlinkSync(fp);
+            return true;
+        }
+        return false;
+    }
+    catch {
+        return false;
+    }
+}

package/dist/nodes/PiiRedactor/pseudonymize.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Pseudonymization Engine
+ *
+ * Replaces PII with realistic-looking fake data that preserves format.
+ * GDPR Article 4(5): "processing personal data so it can no longer be
+ * attributed to a specific data subject without additional information."
+ *
+ * Key properties:
+ *   - Format-preserving: emails stay email-shaped, phones stay phone-shaped
+ *   - Deterministic: same input + same session = same output (seeded)
+ *   - Reversible: mapping stored in vault for restoration
+ *   - GDPR-compliant: mapping stored separately from pseudonymized data
+ *
+ * No external dependencies (no Faker.js). Uses built-in deterministic generation.
+ */
+/**
+ * Generate a pseudonym for a given PII value based on its type.
+ * Deterministic: same sessionId + original = same pseudonym.
+ */
+export declare function generatePseudonym(sessionId: string, original: string, label: string): string;