npm - no-pii - Versions diffs - 1.0.1 → 1.2.0 - Mend

no-pii 1.0.1 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -1,22 +1,15 @@
 # no-pii
-> **No PII** — PII detection and redaction with secure vault storage
-[![npm version](https://img.shields.io/npm/v/no-pii.svg)](https://www.npmjs.com/package/no-pii)
-[![license](https://img.shields.io/npm/l/no-pii.svg)](https://github.com/littlejustnode/no-pii/blob/main/LICENSE)
-[![node](https://img.shields.io/node/v/no-pii.svg)](https://nodejs.org/)
-Zero-dependency PII (Personally Identifiable Information) detection and redaction library with pluggable strategies, secure vault storage, and state persistence.
+PII (Personally Identifiable Information) redaction library for Node.js with built-in CLI support.
 ## Features
-- 🔒 **PII Redaction** — Automatically detect and replace sensitive data with safe placeholders
-- 🗄️ **Secure Vault** — Store redacted values in an encrypted vault for later restoration
-- 🔧 **Pluggable Strategies** — Define custom regex patterns or word-based masking rules
-- 💾 **Persistent Storage** — Save/load configurations to OS keychain, encrypted JSON, or memory
-- 🚀 **Zero Dependencies** — Uses only Node.js built-in modules (except optional `cross-keychain` for OS storage)
-- 📦 **ESM Native** — Modern ES module syntax with named exports
-- 🔄 **Bidirectional** — Redact and restore text without data loss
+- 🔒 **Secure Redaction** — Replace sensitive data with placeholders
+- 🔄 **Reversible** — Restore original data from vault when needed
+- 🏷️ **Named Groups** — Each redacted item gets a labeled placeholder
+- 📦 **Presets** — Built-in patterns for common PII (email, credit card, Hong Kong ID, etc.)
+- 🔐 **Encrypted Storage** — Persist rules to OS keychain or AES-256-GCM encrypted JSON
+- 🖥️ **CLI Ready** — Pipe data through stdin or manage rules from command line
 ## Installation
@@ -24,185 +17,221 @@ Zero-dependency PII (Personally Identifiable Information) detection and redactio
 npm install no-pii
 ```
+For global CLI access:
+```bash
+npm install -g no-pii
+```
 ## Quick Start
+### Library Usage
 ```javascript
 import { nopii } from 'no-pii';
-// Create instance with in-memory storage
-const pii = nopii();
-// Add masking strategies
-await pii.addMasking('email', 'user@example.com', 'admin@company.org');
-await pii.addStrategy('ssn', /\\b\\d{3}-\\d{2}-\\d{4}\\b/g);
+// Basic usage with presets
+const pii = nopii({
+  rules: { COMMON: true, HK: true }
+});
-// Redact sensitive text
 const { safeText, vault } = pii.redact(
-  'Contact user@example.com or admin@company.org. SSN: 123-45-6789'
+  'Contact me at john@example.com or 5123-4567'
 );
 console.log(safeText);
-// 'Contact _P1_ or _P2_. SSN: _P3_'
+// Contact me at [EMAIL_1] or [HK_PHONE_1]
-// Restore original text
+// Restore original data
 const restored = pii.restore(safeText, vault);
 console.log(restored);
-// 'Contact user@example.com or admin@company.org. SSN: 123-45-6789'
+// Contact me at john@example.com or 5123-4567
 ```
-## API Reference
+### CLI Usage
-### `nopii(options)`
-Factory function to create a new no-pii instance.
+```bash
+# Redact from stdin
+cat log.txt | no-pii --common --hk
-**Options:**
+# Add custom rules
+no-pii --add=\"NAMES:Alice,Bob,Charlie\" --db=rules.json --key=secret123
-| Option | Type | Default | Description |
-|--------|------|---------|-------------|
-| `verbose` | `boolean` | `false` | Enable verbose logging |
-| `service` | `string` | `'no-pii'` | Service name for OS keychain storage |
-| `account` | `string` | `'default'` | Account name for OS keychain storage |
-| `memory` | `string\\|object` | `'memory'` | Storage backend: `'os'`, `'memory'`, or custom object |
-| `aesKey` | `string` | — | Required for encrypted JSON file storage |
+# Use OS keychain for storage
+no-pii --add=\"PROJECT:AcmeCorp\" --os --service=myapp
+cat data.txt | no-pii --os --service=myapp
-**Storage Backends:**
+# List current rules
+no-pii --list --db=rules.json --key=secret123
+```
-- `'memory'` (default) — In-memory Map storage
-- `'os'` — OS native keychain (Windows Credential Manager, macOS Keychain, Linux Secret Service) via `cross-keychain`
-- `'./path/to/file.json'` — Encrypted JSON file storage (requires `aesKey`)
-- Custom object — Must implement `{ get(key), set(key, value) }`
+## Configuration
-### `instance.addMasking(label, ...words)`
+### Rules
-Add word-based masking strategy. Escapes special regex characters automatically.
+Rules can be enabled via presets or custom patterns:
 ```javascript
-await pii.addMasking('names', 'John Doe', 'Jane Smith');
+const pii = nopii({
+  rules: {
+    // Enable all common PII patterns
+    COMMON: true,
+    // Enable Hong Kong-specific patterns
+    HK: true,
+    // Custom keyword list (array becomes OR regex)
+    INTERNAL_CODES: ['PROJ-123', 'PROJ-456', 'SECRET'],
+    // Custom regex
+    API_KEY: /sk-[a-zA-Z0-9]{48}/
+  }
+});
 ```
-### `instance.addStrategy(name, regex)`
+### Built-in Presets
+**COMMON:**
+- `EMAIL` — RFC 5322 compliant email addresses
+- `CREDIT_CARD` — Major card networks (Visa, Mastercard, Amex, etc.)
+**HK (Hong Kong):**
+- `HK_PHONE` — Local phone numbers (2/3/5/6/7/8/9 prefixes)
+- `HKID` — Hong Kong Identity Card numbers
+- `HK_OCTOPUS` — Octopus card numbers
-Add custom regex strategy.
+### Storage Options
+**In-Memory (default):**
 ```javascript
-await pii.addStrategy('credit-card', /\\b\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}\\b/g);
+const pii = nopii(); // Rules not persisted
 ```
-### `instance.load(input)`
-Load configuration from file, string, or storage.
+**OS Keychain:**
+```javascript
+const pii = nopii({
+  storage: { method: 'os', service: 'myapp' }
+});
+await pii.load(); // Load saved rules
+```
+**Encrypted JSON File:**
 ```javascript
-// Load from default storage
+const pii = nopii({
+  storage: {
+    method: './rules.db.json',
+    aes: 'your-32-char-secret-key-here!!' // 32 bytes for AES-256
+  }
+});
 await pii.load();
+```
-// Load from JSON file
-await pii.load('./config.json');
+## API Reference
-// Load from object
-await pii.load({
-  masking: { names: ['Alice', 'Bob'] },
-  strategies: { phone: '^\\\\d{3}-\\\\d{3}-\\\\d{4}$' }
-});
-```
+### `nopii(options)`
+Creates a new NoPii instance.
+| Option | Type | Description |
+|--------|------|-------------|
+| `rules` | `Object` | Key-value pairs of rules to register |
+| `storage` | `Object` | Storage configuration for persistence |
+| `verbose` | `boolean` | Enable verbose logging (default: false) |
-### `instance.redact(text)`
+### Instance Methods
-Redact PII from text. Returns `{ safeText, vault }`.
+#### `addRule(key, value)`
+Add a rule dynamically. Returns Promise (resolves to instance).
 ```javascript
-const { safeText, vault } = pii.redact('Sensitive data here');
-// safeText: Redacted text with placeholders
-// vault: Map of placeholder → original value
+await pii.addRule('EMPLOYEE_ID', /EMP-\\d{5}/);
+await pii.addRule('DEPARTMENTS', ['HR', 'Engineering', 'Sales']);
 ```
-### `instance.restore(redactedText, vault)`
+#### `list()`
-Restore original text from redacted version using vault.
+Returns current rules as plain object.
 ```javascript
-const original = pii.restore(safeText, vault);
+const rules = pii.list();
+// { COMMON: true, HK: true, EMAIL: /.../ }
 ```
-## Configuration Persistence
+#### `redact(text)`
-### OS Keychain Storage
+Redacts PII from input text.
-```javascript
-const pii = nopii({ memory: 'os', service: 'myapp', account: 'pii' });
+**Returns:** `{ safeText: string, vault: Map }`
-// Strategies are persisted automatically
-await pii.addMasking('api-keys', 'sk-abc123', 'sk-xyz789');
+- `safeText` — Text with placeholders
+- `vault` — Map of `placeholder → original_value`
-// Load on next run
-await pii.load();
-```
+#### `restore(redactedText, vault)`
-### Encrypted JSON Storage
+Restores original text from vault.
 ```javascript
-const pii = nopii({
-  memory: './secrets/pii-store.json',
-  aesKey: 'your-32-char-secret-key-here!!' // Must be 32+ chars for AES-256-GCM
-});
-await pii.addStrategy('token', /Bearer\\s+[a-zA-Z0-9]+/g);
-// Automatically encrypted and saved to ./secrets/pii-store.json
+const original = pii.restore(safeText, vault);
 ```
-## Advanced Example
+#### `load()`
-```javascript
-import { nopii } from 'no-pii';
-import fs from 'node:fs/promises';
+Loads rules from configured storage. Returns Promise (resolves to instance).
-// Initialize with OS keychain storage
-const pii = nopii({
-  memory: 'os',
-  service: 'my-cli-tool',
-  account: 'redaction-config'
-});
+## CLI Reference
-// Load existing configuration
-await pii.load();
+```
+no-pii [options]
+Options:
+  --add=\"KEY:VAL\"    Add rule. Use commas for multiple keywords.
+  --list             List all currently registered rules
+  --os               Use OS Keychain (with --service)
+  --db=path.json     Use encrypted JSON file (requires --key)
+  --key=str          32-character AES key for --db
+  --service=name     Custom service identity (default: nopii)
+  --hk               Enable Hong Kong PII presets
+  --common           Enable Common PII presets
+  --help, -h         Show help
+```
+### CLI Examples
+**Redact a log file:**
+```bash
+no-pii --common --hk < application.log > redacted.log
+```
-// Add comprehensive PII patterns
-await pii.addStrategy('email', /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}/g);
-await pii.addStrategy('phone', /\\b\\(?\\d{3}\\)?[-.\\s]?\\d{3}[-.\\s]?\\d{4}\\b/g);
-await pii.addStrategy('ip', /\\b(?:\\d{1,3}\\.){3}\\d{1,3}\\b/g);
-await pii.addMasking('internal-codes', 'PROJ-1234', 'SECRET-5678');
+**Build a ruleset incrementally:**
+```bash
+# Initialize with presets
+no-pii --common --db=production.json --key=$(openssl rand -base64 24)
-// Process log file
-const logs = await fs.readFile('./app.log', 'utf8');
-const { safeText, vault } = pii.redact(logs);
+# Add company-specific terms
+no-pii --add=\"PRODUCTS:WidgetPro,MegaTool\" --db=production.json --key=...
+no-pii --add=\"STAFF:jdoe,asmith\" --db=production.json --key=...
-// Save redacted logs (safe for sharing)
-await fs.writeFile('./app-redacted.log', safeText);
+# Use the ruleset
+journalctl -u myapp | no-pii --db=production.json --key=...
+```
-// Save vault separately (keep secure!)
-await fs.writeFile('./vault.json', JSON.stringify([...vault]));
+**Team-shared rules via keychain:**
+```bash
+# One-time setup per machine
+no-pii --common --hk --os --service=team-redactor
-// Later: restore original
-const restored = pii.restore(safeText, new Map(JSON.parse(await fs.readFile('./vault.json', 'utf8'))));
+# Everyone uses same rules
+npm run logs | no-pii --os --service=team-redactor
 ```
-## Security Considerations
+## Security Notes
-- **Vault Security**: The vault contains the actual PII. Store it encrypted or in a secure location.
-- **AES Key Management**: When using JSON storage, protect your `aesKey` — it decrypts the entire store.
-- **OS Keychain**: Relies on system security. On shared machines, ensure proper user isolation.
-- **Memory Storage**: Not persisted; cleared on process exit. Suitable for one-time operations.
+- **AES Key**: When using encrypted JSON storage, the key must be exactly 32 bytes. The library will pad/truncate shorter/longer strings.
+- **Vault Handling**: The `vault` Map contains sensitive data. Do not log or serialize it unintentionally.
+- **OS Keychain**: Relies on `cross-keychain` for cross-platform keychain access (macOS Keychain, Windows Credential Locker, Linux Secret Service).
 ## Requirements
-- Node.js ≥ 18.0.0
-- For OS storage: `cross-keychain` peer dependency (auto-installed)
+- Node.js ≥ 18.0.0 (for native `node:` prefixed modules)
 ## License
-MIT © [littlejustnode](https://github.com/littlejustnode)
----
-**Note**: This package is designed for data processing pipelines, log sanitization, and GDPR/privacy compliance workflows. Always follow your organization's data handling policies when processing PII.
+MIT © littlejustnode

package/nopii-cli.js ADDED Viewed

@@ -0,0 +1,89 @@
+#!/usr/bin/env node
+import { stdin, stdout } from 'node:process';
+import { nopii } from './nopii.js';
+const args = process.argv.slice(2);
+const help = args.includes('--help') || args.includes('-h');
+const listRules = args.includes('--list');
+const addRuleStr = args.find(a => a.startsWith('--add='))?.split('=')[1];
+const useHK = args.includes('--hk');
+const useCommon = args.includes('--common');
+const useOS = args.includes('--os');
+const getVal = (flag) => args.find(a => a.startsWith(flag))?.split('=')[1];
+const aesKey = getVal('--key=');
+const dbPath = getVal('--db=');
+const service = getVal('--service=') || 'nopii';
+if (help || (args.length === 0 && stdin.isTTY && !listRules && !addRuleStr)) {
+  console.log(`
+  nopii CLI - Production-grade PII Redaction
+  Usage:
+    cat log.txt | nopii [options]
+    nopii --add="NAMES:peter,amy,danny" --db=v.json --key=secret
+  Options:
+    --add="KEY:VAL"    Add rule. Use commas for multiple keywords.
+    --list             List all currently registered rules
+    --os               Use OS Keychain
+    --db=path.json     Use encrypted JSON file (requires --key)
+    --key=str          32-character AES key
+    --service=name     Custom service identity (default: nopii)
+    --hk               Enable Hong Kong PII presets
+    --common           Enable Common PII presets
+  `);
+  process.exit(0);
+}
+// Ensure service/key are nested inside storage object for nopii.js
+const storageConfig = useOS
+  ? { method: 'os', service: service }
+  : dbPath ? { method: dbPath, aes: aesKey } : null;
+const pii = nopii({
+  rules: { HK: useHK, COMMON: useCommon },
+  storage: storageConfig
+});
+async function run() {
+  if (storageConfig) {
+    try { await pii.load(); } catch (err) {
+      console.error(`[nopii] Load failed: ${err.message}`);
+      process.exit(1);
+    }
+  }
+  if (addRuleStr) {
+    const [key, ...valParts] = addRuleStr.split(':');
+    let value = valParts.join(':');
+    // Split by comma if multiple values are provided
+    if (value.includes(',')) {
+      value = value.split(',').map(v => v.trim());
+    }
+    try {
+      await pii.addRule(key, value); //
+      console.log(`[nopii] Added ${key}: ${Array.isArray(value) ? value.join(', ') : value}`);
+      if (stdin.isTTY) process.exit(0);
+    } catch (err) {
+      console.error(`[nopii] Add failed: ${err.message}`);
+      process.exit(1);
+    }
+  }
+  if (listRules) {
+    console.log(JSON.stringify(pii.list(), null, 2));
+    process.exit(0);
+  }
+  stdin.on('data', (chunk) => {
+    const { safeText } = pii.redact(chunk.toString()); //
+    stdout.write(safeText);
+  });
+  stdin.on('end', () => process.exit(0));
+}
+run();

package/nopii.js CHANGED Viewed

@@ -8,148 +8,118 @@ export class NoPii {
   #combinedRegex = null;
   #storage = null;
   #config = {};
-  #currentConfig = { masking: {}, strategies: {} };
+  #currentRules = {};
+  static PRESETS = {
+    COMMON: {
+      EMAIL: /[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*/u,
+      CREDIT_CARD: /\b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11})\b/u,
+    },
+    HK: {
+      HK_PHONE: /\b(852)?[2356789]\d{3}[\s-]?\d{4}\b/u,
+      HKID: /\b[A-Z]{1,2}\d{6}\(?[\dA]\)?\b/u,
+      HK_OCTOPUS: /\b\d{8,9}\(?\d\)?\b/u,
+    }
+  };
   constructor(options = {}) {
-    this.#config = {
-      verbose: false,
-      service: 'nopii',
-      account: 'default',
-      ...options
-    };
-    this.#storage = this.#initStorage(this.#config.memory);
+    this.#config = { verbose: false, ...options };
+    this.#storage = this.#initStorage(options.storage);
+    if (options.rules) {
+      for (const [key, val] of Object.entries(options.rules)) {
+        this.#applyRuleLogic(key, val);
+      }
+    }
   }
-  #initStorage(memoryOption) {
-    if (memoryOption && typeof memoryOption === 'object' && typeof memoryOption.get === 'function') {
-      return memoryOption;
-    }
+  list() {
+    return { ...this.#currentRules };
+  }
-    if (memoryOption === 'os') {
-      const { service, account } = this.#config;
-      return {
-        get: async (key) => {
-          // Use underscore instead of colon for Windows compatibility
-          const val = await getPassword(service, `${account}_${key}`);
-          return val ? JSON.parse(val) : null;
-        },
-        set: async (key, val) => {
-          await setPassword(service, `${account}_${key}`, JSON.stringify(val));
-        }
-      };
-    }
+  async addRule(key, value) {
+    this.#applyRuleLogic(key, value);
+    await this.#persist();
+    return this;
+  }
-    if (typeof memoryOption === 'string' && memoryOption.endsWith('.json')) {
-      const aesKey = this.#config.aesKey;
-      if (!aesKey) throw new Error("nopii: aesKey required for JSON storage.");
+  #applyRuleLogic(key, value) {
+    const upperKey = key.toUpperCase();
+    const allPresets = { ...NoPii.PRESETS.COMMON, ...NoPii.PRESETS.HK };
+    this.#currentRules[key] = value;
-      return {
-        path: memoryOption,
-        key: Buffer.alloc(32, aesKey),
-        async get() {
-          try {
-            const raw = await fs.readFile(this.path, 'utf8');
-            return JSON.parse(this.decrypt(raw));
-          } catch (e) {
-            // Rethrow decryption/auth errors, ignore "file not found"
-            if (e.message.includes('Decryption failed')) throw e;
-            return null;
-          }
-        },
-        async set(key, val) {
-          const encrypted = this.encrypt(JSON.stringify(val));
-          await fs.writeFile(this.path, encrypted);
-        },
-        encrypt(text) {
-          const iv = crypto.randomBytes(12);
-          const cipher = crypto.createCipheriv('aes-256-gcm', this.key, iv);
-          const enc = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
-          return Buffer.concat([iv, cipher.getAuthTag(), enc]).toString('base64');
-        },
-        decrypt(data) {
-          try {
-            const buf = Buffer.from(data, 'base64');
-            const iv = buf.subarray(0, 12);
-            const tag = buf.subarray(12, 28);
-            const enc = buf.subarray(28);
-            const decipher = crypto.createDecipheriv('aes-256-gcm', this.key, iv);
-            decipher.setAuthTag(tag);
-            // .final() throws if the tag (GCM auth) is invalid
-            return decipher.update(enc, 'utf8') + decipher.final('utf8');
-          } catch (err) {
-            throw new Error(`Decryption failed: ${err.message}`);
-          }
-        }
-      };
+    if (upperKey === 'HK' && value === true) {
+      Object.entries(NoPii.PRESETS.HK).forEach(([k, v]) => this.#register(k, v));
+    }
+    else if (upperKey === 'COMMON' && value === true) {
+      Object.entries(NoPii.PRESETS.COMMON).forEach(([k, v]) => this.#register(k, v));
+    }
+    else if (allPresets[upperKey] && value === true) {
+      this.#register(upperKey, allPresets[upperKey]);
+    }
+    else if (Array.isArray(value)) {
+      const escaped = value.map(v => v.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')).join('|');
+      this.#register(key, new RegExp(`\\b(${escaped})\\b`, 'gu'));
+    }
+    else {
+      this.#register(key, value);
     }
-    const _mem = new Map();
-    return {
-      get: async (key) => _mem.get(key),
-      set: async (key, val) => _mem.set(key, val)
-    };
   }
-  async load(input) {
-    let configData = null;
-    if (!input && this.#config.memory) {
-      configData = await this.#storage.get('config');
-    } else if (typeof input === 'string') {
-      const raw = input.endsWith('.json') ? await fs.readFile(input, 'utf8') : input;
-      configData = JSON.parse(raw);
+  #register(name, regex) {
+    let pattern;
+    // FIX: Handle string-serialized regex like "/pattern/flags"
+    if (typeof regex === 'string' && regex.startsWith('/') && regex.lastIndexOf('/') > 0) {
+      const lastSlash = regex.lastIndexOf('/');
+      const source = regex.slice(1, lastSlash);
+      const flags = regex.slice(lastSlash + 1);
+      pattern = new RegExp(source, flags || 'u');
+    } else if (typeof regex === 'string') {
+      pattern = new RegExp(regex, 'u');
     } else {
-      configData = input;
+      pattern = regex;
     }
-    if (configData) {
-      await this.#applyConfig(configData, false);
+    const existingIdx = this.#strategies.findIndex(s => s.name === name);
+    if (existingIdx > -1) {
+      this.#strategies[existingIdx].regex = pattern;
+    } else {
+      this.#strategies.push({ name, regex: pattern });
     }
-    return this;
+    this.#compile();
   }
-  async #persist() {
-    if (this.#config.memory) {
-      await this.#storage.set('config', this.#currentConfig);
+  #compile() {
+    if (this.#strategies.length === 0) {
+      this.#combinedRegex = null;
+      return;
     }
+    const source = this.#strategies.map(s => `(?<${s.name}>${s.regex.source})`).join('|');
+    this.#combinedRegex = new RegExp(source, 'gu');
   }
-  async #applyConfig(data, shouldPersist = true) {
-    if (data.masking) {
-      for (const [label, words] of Object.entries(data.masking)) {
-        await this.addMasking(label, ...words);
-      }
-    }
-    if (data.strategies) {
-      for (const [name, pattern] of Object.entries(data.strategies)) {
-        await this.addStrategy(name, new RegExp(pattern, 'u'));
-      }
+  async #persist() {
+    if (!this.#storage) return;
+    // FIX: Serialize RegExp objects to strings so they don't become {} in JSON
+    const serializable = {};
+    for (const [k, v] of Object.entries(this.#currentRules)) {
+      serializable[k] = (v instanceof RegExp) ? `/${v.source}/${v.flags}` : v;
     }
-    if (shouldPersist) await this.#persist();
+    await this.#storage.set('rules', serializable);
   }
-  async addMasking(label, ...words) {
-    const pattern = words.map(w => w.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')).join('|');
-    this.#currentConfig.masking[label] = words;
-    this.#strategies.push({ name: label, regex: new RegExp(`(${pattern})`, 'u') });
-    this.#compile();
-    await this.#persist();
-    return this;
-  }
-  async addStrategy(name, regex) {
-    this.#currentConfig.strategies[name] = regex.source;
-    this.#strategies.push({ name, regex });
-    this.#compile();
-    await this.#persist();
+  async load() {
+    if (!this.#storage) return this;
+    const savedRules = await this.#storage.get('rules');
+    if (savedRules) {
+      for (const [key, val] of Object.entries(savedRules)) {
+        this.#applyRuleLogic(key, val);
+      }
+    }
     return this;
   }
-  #compile() {
-    if (this.#strategies.length === 0) return;
-    const source = this.#strategies.map(s => `(?<${s.name}>${s.regex.source})`).join('|');
-    this.#combinedRegex = new RegExp(source, 'gu');
-  }
   redact(text) {
     if (!this.#combinedRegex || !text) return { safeText: text, vault: new Map() };
     const vault = new Map();
@@ -157,18 +127,89 @@ export class NoPii {
     const safeText = text.replace(this.#combinedRegex, (...args) => {
       const groups = args.at(-1);
       const label = Object.keys(groups).find(key => groups[key] !== undefined);
-      const placeholder = `_P${++count}_`;
-      vault.set(placeholder, groups[label]);
+      const value = groups[label];
+      const placeholder = `[${label}_${++count}]`;
+      vault.set(placeholder, value);
       return placeholder;
     });
     return { safeText, vault };
   }
   restore(redactedText, vault) {
-    if (!redactedText || !vault || vault.size === 0) return redactedText;
-    const keys = Array.from(vault.keys()).sort((a, b) => b.length - a.length);
-    const restoreRegex = new RegExp(keys.map(k => k.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')).join('|'), 'g');
-    return redactedText.replace(restoreRegex, (m) => vault.get(m));
+    if (!redactedText || !vault) return redactedText;
+    const vaultEntries = vault instanceof Map ? Array.from(vault.entries()) : Object.entries(vault);
+    if (vaultEntries.length === 0) return redactedText;
+    const sortedKeys = vaultEntries
+      .map(([k]) => k)
+      .sort((a, b) => b.length - a.length);
+    const restoreRegex = new RegExp(sortedKeys.map(k => k.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')).join('|'), 'g');
+    const lookup = (m) => (vault instanceof Map ? vault.get(m) : vault[m]);
+    return redactedText.replace(restoreRegex, (m) => lookup(m));
+  }
+  #initStorage(storage) {
+    if (!storage) {
+      const _mem = new Map();
+      return { get: async (k) => _mem.get(k), set: async (k, v) => _mem.set(k, v) };
+    }
+    if (storage.method === 'os') {
+      const { service = 'nopii' } = storage;
+	  const account = service;
+      return {
+        get: async (key) => {
+          try {
+            const val = await getPassword(service, `${account}_${key}`);
+            return val ? JSON.parse(val) : null;
+          } catch { return null; }
+        },
+        set: async (key, val) => {
+          await setPassword(service, `${account}_${key}`, JSON.stringify(val));
+        }
+      };
+    }
+    if (typeof storage.method === 'string' && storage.method.endsWith('.json')) {
+      const aesKey = Buffer.alloc(32, storage.aes || 'default-secret-key');
+      const filePath = storage.method;
+      const encrypt = (text) => {
+        const iv = crypto.randomBytes(12);
+        const cipher = crypto.createCipheriv('aes-256-gcm', aesKey, iv);
+        const enc = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
+        return Buffer.concat([iv, cipher.getAuthTag(), enc]).toString('base64');
+      };
+      const decrypt = (data) => {
+        const buf = Buffer.from(data, 'base64');
+        const iv = buf.subarray(0, 12), tag = buf.subarray(12, 28), enc = buf.subarray(28);
+        const decipher = crypto.createDecipheriv('aes-256-gcm', aesKey, iv);
+        decipher.setAuthTag(tag);
+        return decipher.update(enc, 'utf8') + decipher.final('utf8');
+      };
+      return {
+        async get(lookupKey) {
+          try {
+            const raw = await fs.readFile(filePath, 'utf8');
+            const data = JSON.parse(decrypt(raw));
+            return lookupKey ? data[lookupKey] : data;
+          } catch { return null; }
+        },
+        async set(lookupKey, val) {
+          let data = {};
+          try {
+            const raw = await fs.readFile(filePath, 'utf8');
+            data = JSON.parse(decrypt(raw));
+          } catch (e) {}
+          data[lookupKey] = val;
+          await fs.writeFile(filePath, encrypt(JSON.stringify(data)));
+        }
+      };
+    }
   }
 }

package/package.json CHANGED Viewed

@@ -1,46 +1,44 @@
 {
   "name": "no-pii",
-  "version": "1.0.1",
-  "description": "PII redaction utility with encrypted local persistence and OS keychain support.",
-  "type": "module",
+  "version": "1.2.0",
+  "description": "Production-grade PII redaction library with CLI support",
   "main": "nopii.js",
-  "files": [
-    "nopii.js",
-    "LICENSE",
-    "README.md"
-  ],
-  "engines": {
-    "node": ">=18.0.0"
+  "type": "module",
+  "bin": {
+    "nopii": "./nopii-cli.js"
   },
   "scripts": {
-    "test": "node --test test.js",
-    "lint": "eslint .",
-    "example": "node examples/basic-usage.js"
+    "test": "echo \"Error: no test specified\" && exit 1"
   },
   "keywords": [
-    "nopii",
     "pii",
+	"nopii",
+	"no-pii",
     "redaction",
+    "privacy",
+    "gdpr",
     "security",
-    "keychain",
-    "encryption",
-    "node-js",
-    "esm"
+    "cli",
+    "hong-kong",
+    "hkid",
+    "email",
+    "credit-card"
   ],
   "author": "littlejustnode",
   "license": "MIT",
-  "dependencies": {
-    "cross-keychain": "^1.1.0"
-  },
-  "devDependencies": {
-    "eslint": "^9.0.0"
-  },
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/littlejustnode/nopii.git"
+  "engines": {
+    "node": ">=18.0.0"
   },
-  "bugs": {
-    "url": "https://github.com/littlejustnode/nopii/issues"
+  "dependencies": {
+    "cross-keychain": "^1.0.0"
   },
-  "homepage": "https://github.com/littlejustnode/nopii#readme"
-}
+  "files": [
+    "nopii.js",
+    "nopii-cli.js",
+    "README.md"
+  ],
+  "exports": {
+    ".": "./nopii.js",
+    "./cli": "./nopii-cli.js"
+  }
+}