nsauditor-ai 0.1.0

package/utils/oui.mjs

@@ -0,0 +1,107 @@
+// utils/oui.mjs
+
+import fs from "fs/promises";
+import path from "path";
+import { fileURLToPath } from "url";
+
+let OUI_DB = null;
+
+// Try to import oui-data module, fall back to local file if it fails
+async function loadOuiData() {
+  try {
+    const ouiData = await import("oui-data", { with: { type: "json" } }).then(module => module.default);
+    console.log("[oui.mjs] Successfully loaded oui-data module with", Object.keys(ouiData).length, "entries");
+    return ouiData;
+  } catch (e) {
+    console.error("[oui.mjs] Failed to load oui-data module:", e.message);
+    // Fallback to local oui-data.json if available
+    try {
+      const __dirname = path.dirname(fileURLToPath(import.meta.url));
+      const localPath = path.join(__dirname, "oui-data.json");
+      const data = JSON.parse(await fs.readFile(localPath, "utf8"));
+      console.log("[oui.mjs] Loaded fallback oui-data.json from", localPath, "with", Object.keys(data).length, "entries");
+      return data;
+    } catch (fallbackError) {
+      console.error("[oui.mjs] Failed to load fallback oui-data.json:", fallbackError.message);
+      return null;
+    }
+  }
+}
+
+// Initialize the database
+export async function initOui() {
+  OUI_DB = await loadOuiData();
+  return !!OUI_DB;
+}
+
+// Convert a MAC address to its Organizationally Unique Identifier (OUI).
+function macToOUI(mac) {
+  if (!mac) return null;
+  // Strip non-hex characters and take the first 6
+  return String(mac).replace(/[^0-9A-Fa-f]/g, '').toUpperCase().slice(0, 6);
+}
+
+// Extract the vendor's name from an OUI database entry.
+function pickOrgName(entry) {
+  if (!entry) return null;
+  if (typeof entry === 'string') return entry;
+  return entry.company || entry.organizationName || entry.organization || entry.vendor || entry.name || null;
+}
+
+/**
+ * Looks up the vendor name for a given MAC address.
+ *
+ * @param {string} mac The MAC address to look up.
+ * @returns {string|null} The vendor name or null if not found.
+ */
+export function lookupVendor(mac) {
+  // OUI_DB must be initialized via initOui() before calling this function.
+  // Callers (plugin_manager.mjs) call initOui() at startup before any plugin runs.
+  if (!OUI_DB || !mac || typeof mac !== 'string') {
+    return null;
+  }
+  
+  try {
+    const oui = macToOUI(mac);
+    const entry = OUI_DB[oui];
+    const vendor = pickOrgName(entry);
+    console.log(`[oui.mjs] Lookup for MAC ${mac} (OUI: ${oui}) -> Vendor: ${vendor || 'Not found'}`);
+    return vendor;
+  } catch (e) {
+    console.error("[oui.mjs] Lookup error:", e.message);
+    return null;
+  }
+}
+
+/**
+ * Heuristically guesses the probable operating system based on the vendor name.
+ * This is a highly conservative guess and may be unreliable.
+ *
+ * @param {string} vendor The vendor name.
+ * @returns {string} A short label for the probable OS, or 'Unknown'.
+ */
+export function probableOsFromVendor(vendor) {
+  const v = (vendor || '').toLowerCase();
+  if (!v) return 'Unknown';
+
+  if (v.includes('apple')) return 'macOS or iOS';
+  if (v.includes('samsung')) return 'Android';
+  if (v.includes('microsoft')) return 'Windows';
+  if (v.includes('google')) return 'Android or ChromeOS';
+  if (v.includes('sony')) return 'Android';
+  if (v.includes('hewlett') || v.includes('hp ') || v === 'hp') return 'Windows';
+  if (v.includes('dell')) return 'Windows';
+
+  // Common network / IoT vendors -> likely Embedded Linux
+  if (v.includes('ring') || v.includes('ubiquiti') || v.includes('tp-link') ||
+      v.includes('tplink') || v.includes('netgear') || v.includes('mikrotik') ||
+      v.includes('synology') || v.includes('qnap') || v.includes('hikvision') ||
+      v.includes('dahua') || v.includes('arris') || v.includes('avm') ||
+      v.includes('asus') || v.includes('open-mesh') || v.includes('linksys') ||
+      v.includes('tenda') || v.includes('roku') || v.includes('philips') ||
+      v.includes('lg') || v.includes('xiaomi') || v.includes('huawei')) {
+    return 'Embedded Linux';
+  }
+
+  return 'Unknown';
+}

package/utils/plugin_discovery.mjs

@@ -0,0 +1,89 @@
+// utils/plugin_discovery.mjs
+// Multi-path plugin loader: CE built-in, EE package (optional), custom (env var)
+
+import { readdir } from 'node:fs/promises';
+import { existsSync, realpathSync } from 'node:fs';
+import { join, resolve, dirname } from 'node:path';
+import { createRequire } from 'node:module';
+
+const _require = createRequire(import.meta.url);
+
+const SAFE_PREFIXES = Object.freeze(
+  [process.cwd(), process.env.HOME].filter(Boolean).map(p => p.endsWith('/') ? p : `${p}/`)
+);
+
+function isSafePath(absPath) {
+  // Allow exact match (e.g. NSAUDITOR_PLUGIN_PATH=./plugins resolves to cwd itself)
+  // or any subtree under cwd or HOME.
+  // Symlinks are dereferenced via realpathSync before this check is called.
+  return SAFE_PREFIXES.some(prefix => absPath === prefix.slice(0, -1) || absPath.startsWith(prefix));
+}
+
+async function loadPluginsFromDir(dir, source) {
+  let files;
+  try {
+    files = await readdir(dir);
+  } catch {
+    return [];
+  }
+
+  const plugins = [];
+  for (const file of files.filter(f => f.endsWith('.mjs'))) {
+    try {
+      const mod = await import(join(dir, file));
+      const plugin = mod.default;
+      if (plugin?.id && plugin?.name && typeof plugin?.run === 'function') {
+        // Attach conclude from named export or plugin default
+        const conclude = mod.conclude ?? plugin.conclude;
+        plugins.push({ ...plugin, _source: source, ...(conclude ? { conclude } : {}) });
+      }
+    } catch (e) {
+      if (process.env.NSA_VERBOSE) {
+        console.error(`[plugin_discovery] Failed to load ${file}: ${e.message}`);
+      }
+    }
+  }
+  return plugins;
+}
+
+export async function discoverPlugins(baseDir) {
+  const plugins = [];
+
+  // Source 1: CE built-in plugins
+  plugins.push(...await loadPluginsFromDir(join(baseDir, 'plugins'), 'ce'));
+
+  // Source 2: EE package (@nsasoft/nsauditor-ai-ee)
+  try {
+    const eePkgPath = _require.resolve('@nsasoft/nsauditor-ai-ee/package.json');
+    const eePluginsDir = join(dirname(eePkgPath), 'plugins');
+    if (existsSync(eePluginsDir)) {
+      plugins.push(...await loadPluginsFromDir(eePluginsDir, 'ee'));
+    }
+  } catch {
+    // EE not installed — CE operates standalone
+  }
+
+  // Source 3: Custom plugin paths (colon-separated)
+  const customPaths = process.env.NSAUDITOR_PLUGIN_PATH;
+
+  if (customPaths) {
+    for (const dir of customPaths.split(':')) {
+      const abs = resolve(dir);
+      let real;
+      try {
+        real = realpathSync(abs);
+      } catch {
+        // Path doesn't exist or is inaccessible — skip silently unless verbose
+        if (process.env.NSA_VERBOSE) console.warn(`[plugin_discovery] Cannot resolve real path for: ${abs}`);
+        continue;
+      }
+      if (!isSafePath(real)) {
+        if (process.env.NSA_VERBOSE) console.warn(`[plugin_discovery] Skipping unsafe NSAUDITOR_PLUGIN_PATH entry: ${real}`);
+        continue;
+      }
+      plugins.push(...await loadPluginsFromDir(real, 'custom'));
+    }
+  }
+
+  return plugins.sort((a, b) => (a.priority ?? 0) - (b.priority ?? 0));
+}

package/utils/prompts.mjs

@@ -0,0 +1,143 @@
+export const openaiSimplePrompt = 'You are a network security assistant. Summarize findings and suggest next actions.';
+
+export const openaiPrompt = `You are a senior network security analyst with expertise in assessing vulnerabilities in networks, applications, and systems. Your goals are to detect cybersecurity threats, evaluate risks, and recommend mitigations to safeguard organizational networks and data.
+
+You are given a JSON payload produced by a network audit tool. It contains a high-level summary, a normalized services list, and raw probe evidence lines. Use ONLY this payload; do not assume anything not present in it.
+
+Rules you must follow:
+- Be factual and avoid speculation. If a product AND version are not both present in the payload evidence (e.g., service banner, header, or explicit "program"+"version"), do NOT map to a CVE. Place such items in the "Leads (Needs Verification)" table instead.
+- When you do map to a CVE, explicitly quote the exact evidence line that proves the product+version (for example, the FTP banner, HTTP Server header, DNS version.bind, etc.).
+- If the payload contains a placeholder like "[REDACTED_HIDDEN]" (e.g., Serial=[REDACTED_HIDDEN]), keep it redacted and never invent values. Do NOT add a secret if none is present.
+- Treat technologies detected by "Webapp Detector" as leads unless a specific version is present in the payload.
+- If OS is unknown or only weakly hinted, do not guess; state it as unknown or inferred with low confidence.
+- At the start of the Executive Summary, include a single line: OS (from scan): <value>. Parse <value> from the payload summary text if it contains "Likely OS: ...". If not present, write "Unknown".
+
+Structure your response in markdown with the following sections:
+
+## Executive Summary
+- First line: **OS (from scan): <value>** (derived strictly from the payload summary "Likely OS: ..." text if present; otherwise "Unknown").
+- Provide a high-level overview for leadership: overall security posture, notable internet-exposed services, and the most critical, confirmed vulnerabilities (if any).
+
+## Detailed Vulnerability Analysis
+Provide two tables:
+
+1) Confirmed Vulnerabilities (only when product+version are proven by evidence)
+Columns: Vulnerability | Affected Asset/Port | Severity (Critical/High/Medium/Low) | CVSS v3.1 (if known) | CVE ID | Evidence (quote the exact line)
+- Only include rows where the product and version are explicitly present in the payload.
+- If CVSS is unknown, use "—".
+- The Evidence cell must include the exact banner/header line that proves the mapping.
+
+2) Leads (Needs Verification)
+Columns: Technology or Product | Where Detected (service/port or detector) | What to Verify | Why it Matters
+- Include technologies or products inferred from headers, banners, or the Webapp Detector where version is missing.
+- Do NOT assign CVEs in this table; list the verification step needed to confirm a vulnerable version.
+
+## Risk Assessment
+- Explain potential business impact if issues remain unaddressed. Tie each risk to an item from the Confirmed table where possible. If there are no confirmed vulnerabilities, focus on exposure risks and misconfigurations indicated by open services.
+
+## Prioritized Remediation Plan
+- Provide a numbered list of actionable steps, prioritized by severity and business impact.
+- For each step: the action (what), rationale (why it matters), and priority (Critical/High/Medium/Low). Include suggested timelines (e.g., immediate, within 7 days, within 30 days).
+- Where items appear in the Leads table, include lightweight verification steps (e.g., retrieve precise version, run safe banner grabs, check admin UI build/version).
+
+## Next Steps and Continuous Monitoring
+- Suggest follow-up actions: re-scan after changes, enable logging/alerts, inventory of exposed services, version tracking, periodic WAF/IDS/IPS checks, and scheduled audits.
+
+Output must be concise, professional, and defensible. Avoid speculative language; prefer “confirmed” vs “needs verification”.`;
+
+export const openaiPromptOptimized = `You are a senior network security analyst specializing in vulnerability assessment across networks, applications, and systems. Your mission is to detect cybersecurity threats, evaluate risks, and recommend actionable mitigation strategies.
+
+## Analysis Approach
+Before starting, outline your analysis strategy in 3-5 bullets covering:
+- Payload validation and structure verification
+- Evidence categorization methodology 
+- Vulnerability confirmation criteria
+- Risk prioritization framework
+
+## Input Requirements
+You will receive a JSON payload from a network audit tool containing:
+- **summary**: High-level scan overview with potential OS detection
+- **services**: Normalized service list with ports, protocols, and banners
+- **evidence**: Raw probe data and detection results
+
+**Critical Rules:**
+1. **Strict Evidence-Based Analysis**: Only map to CVEs when BOTH product AND version are explicitly present in the payload evidence
+2. **No Speculation**: Use only information contained in the payload - never assume or invent data
+3. **Redaction Respect**: Preserve any placeholders like "[REDACTED_HIDDEN]" without substitution
+4. **Webapp Detector Handling**: Treat as confirmed only if version is present; otherwise categorize as leads
+5. **OS Detection**: Extract from summary "Likely OS: ..." pattern only; default to "Unknown" if absent
+
+## Required Output Structure
+
+### Executive Summary
+**First Line**: **OS (from scan): [value]** (extract from summary "Likely OS: ..." or state "Unknown")
+
+Provide executive-level overview covering:
+- Overall security posture assessment
+- Critical internet-exposed services
+- Confirmed high-severity vulnerabilities
+- Business risk summary
+
+### Detailed Vulnerability Analysis
+
+**Table 1: Confirmed Vulnerabilities** (sort by Severity DESC, then Port ASC)
+| Vulnerability | Affected Asset/Port | Severity | CVSS v3.1 | CVE ID | Evidence |
+|---------------|-------------------|----------|-----------|---------|----------|
+
+*Requirements*:
+- Include only when product+version are both explicitly present
+- Quote exact evidence line that confirms the mapping
+- Use "—" for unknown CVSS scores
+- Severity: Critical/High/Medium/Low
+
+**Table 2: Leads (Needs Verification)** (sort alphabetically by Technology)
+| Technology/Product | Detection Source | Verification Needed | Risk Context |
+|-------------------|------------------|-------------------|--------------|
+
+*Requirements*:
+- Include products/technologies without confirmed versions
+- Specify detection method (banner, header, webapp detector, etc.)
+- Define specific verification steps needed
+- No CVE assignments in this table
+
+### Risk Assessment
+Analyze business impact potential for each confirmed vulnerability, linking to:
+- Data exposure risks
+- System compromise scenarios  
+- Service availability threats
+- Compliance implications
+
+### Prioritized Remediation Plan
+Numbered action items prioritized by severity and business impact:
+
+**Format**: 
+1. **Action**: [What to do]
+   - **Rationale**: [Why critical]
+   - **Priority**: [Critical/High/Medium/Low]
+   - **Timeline**: [Immediate/7 days/30 days]
+   - **Verification**: [How to confirm completion]
+
+### Next Steps and Continuous Monitoring
+Recommend ongoing security practices:
+- Post-remediation validation scanning
+- Continuous vulnerability monitoring
+- Asset inventory maintenance
+- Security control implementation
+- Scheduled assessment cadence
+
+## Quality Assurance
+Before finalizing, verify:
+- [ ] All evidence claims are directly quotable from payload
+- [ ] No speculative or assumed information included
+- [ ] Required sections present and properly formatted
+- [ ] CVE mappings have supporting product+version evidence
+- [ ] Tables follow specified sort order
+
+## Error Handling
+If payload is malformed or missing required sections (summary, services, evidence), output:
+
+ERROR: Malformed payload detected
+Missing sections: [list missing sections]
+Cannot proceed with analysis - payload validation failed
+
+Produce a professional, defensible assessment using precise language. Distinguish between "confirmed vulnerabilities" and "leads requiring verification" throughout your analysis.`;

package/utils/raw_report_html.mjs

@@ -0,0 +1,170 @@
+// utils/raw_report_html.mjs
+// Admin RAW HTML report: show open services + full evidence (with status)
+// Emits data-key="tcp-<port>" on open-service rows for tests (e.g., "tcp-80")
+
+export async function buildAdminRawHtmlReport({
+  host,
+  whenIso,
+  summary,
+  os = null,
+  services = [],
+  evidence = [],
+} = {}) {
+  const esc = (s) =>
+    String(s ?? "")
+      .replace(/&/g, "&amp;")
+      .replace(/</g, "&lt;")
+      .replace(/>/g, "&gt;");
+
+  const guessStatus = (text) => {
+    const t = String(text || "");
+    if (/success|open\b/i.test(t)) return "open";
+    if (/refused|closed|reset|rst/i.test(t)) return "closed";
+    if (/timeout|no\s*response|unreachable|filtered/i.test(t)) return "filtered";
+    return "";
+  };
+
+  // Build a quick lookup to enrich Evidence “Status” from services
+  const svcByKey = new Map();
+  for (const s of Array.isArray(services) ? services : []) {
+    const key = `${String(s.protocol || "").toLowerCase()}/${Number(s.port)}`;
+    if (!svcByKey.has(key)) svcByKey.set(key, s);
+  }
+
+  const openServices = services.filter((s) => String(s.status).toLowerCase() === "open");
+
+  const openRows = openServices
+    .map((s) => {
+      const proto = String(s.protocol || "").toLowerCase();
+      const key = `${proto}-${Number(s.port)}`; // <-- this puts tcp-80 in the HTML
+      return `<tr data-key="${esc(key)}">
+        <td>${Number(s.port) || ""}</td>
+        <td>${esc(proto)}</td>
+        <td>${esc(s.service || "")}</td>
+        <td>${esc(s.program || "")}</td>
+        <td>${esc(s.version || "")}</td>
+        <td>${esc(s.status || "")}</td>
+        <td>${esc(s.info || "")}</td>
+        <td>${s.banner ? `<pre>${esc(s.banner)}</pre>` : ""}</td>
+      </tr>`;
+    })
+    .join("");
+
+  const evRows = (Array.isArray(evidence) ? evidence : [])
+    .map((e) => {
+      // normalize evidence (supports both normalized and legacy probe_* fields)
+      const proto = String(e?.protocol ?? e?.probe_protocol ?? "").toLowerCase();
+      const port = Number(e?.port ?? e?.probe_port) || "";
+      const info = e?.info ?? e?.probe_info ?? "";
+      const banner = e?.banner ?? e?.response_banner ?? "";
+      const key = `${proto}/${port}`;
+      const svc = svcByKey.get(key);
+      // Prefer service.status, then explicit evidence status, then inference
+      const status = svc?.status || e?.status || guessStatus(info) || guessStatus(banner) || "";
+      return `<tr data-proto="${esc(proto)}" data-port="${port}" data-status="${esc(
+        String(status).toLowerCase()
+      )}">
+        <td>${esc(e?.from || "")}</td>
+        <td>${esc(proto)}</td>
+        <td>${port}</td>
+        <td class="ev-status">${esc(status)}</td>
+        <td>${esc(info)}</td>
+        <td>${banner ? `<pre>${esc(banner)}</pre>` : ""}</td>
+      </tr>`;
+    })
+    .join("");
+
+  return `<!doctype html>
+<html lang="en">
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width,initial-scale=1"/>
+<title>Admin Raw Report – ${esc(host)}</title>
+<style>
+:root{
+  --bg:#0b0f14; --card:#0f1622; --text:#e7eef7; --muted:#a9b6c6;
+  --border:#1f2937; --link:#60a5fa;
+  --open:#15a34a; --closed:#ef4444; --filtered:#f59e0b;
+}
+*{box-sizing:border-box}
+body{margin:0;background:var(--bg);color:var(--text);font:14px/1.55 system-ui,Segoe UI,Roboto,Ubuntu,sans-serif}
+.main{max-width:1100px;margin:24px auto;padding:24px;background:var(--card);border:1px solid var(--border);border-radius:14px}
+h1,h2{margin:1.2em 0 .6em}
+h1{font-size:26px} h2{font-size:18px}
+.meta{color:var(--muted);font-size:12px;margin-top:2px}
+.header{border-bottom:1px dashed var(--border);padding-bottom:12px;margin-bottom:18px}
+table{width:100%;border-collapse:collapse;margin:14px 0;border:1px solid var(--border)}
+th,td{border:1px solid var(--border);padding:8px 10px;vertical-align:top}
+th{background:#0e1420;color:#cfe0ff;text-align:left}
+tbody tr:nth-child(odd){background:#0f1522}
+pre{margin:0;white-space:pre-wrap;word-break:break-word}
+.badge{display:inline-block;padding:2px 8px;border-radius:999px;font-weight:600;border:1px solid transparent}
+.badge-open{background:rgba(21,163,74,.08);border-color:var(--open);color:#b9f6ca}
+.badge-closed{background:rgba(239,68,68,.08);border-color:var(--closed);color:#fecaca}
+.badge-filtered{background:rgba(245,158,11,.08);border-color:var(--filtered);color:#ffe4b5}
+.controls{display:flex;gap:16px;align-items:center;margin:8px 0 14px;color:var(--muted)}
+</style>
+<body>
+  <div class="main">
+    <div class="header">
+      <h1>Admin Raw Report – ${esc(host)}</h1>
+      <div class="meta">Generated: ${esc(whenIso || new Date().toISOString())}${os ? ` • OS: ${esc(os)}` : ""}</div>
+      ${summary ? `<div class="meta">Summary: ${esc(summary)}</div>` : ""}
+    </div>
+
+    <h2>Open Services</h2>
+    <table>
+      <thead>
+        <tr>
+          <th>Port</th><th>Protocol</th><th>Service</th><th>Program</th><th>Version</th><th>Status</th><th>Info</th><th>Banner</th>
+        </tr>
+      </thead>
+      <tbody>
+        ${openRows || ""}
+      </tbody>
+    </table>
+
+    <div class="controls">
+      <label><input type="checkbox" id="onlyOpen"> Show only OPEN in Evidence</label>
+    </div>
+
+    <h2>Evidence</h2>
+    <table id="ev">
+      <thead>
+        <tr>
+          <th>From</th><th>Protocol</th><th>Port</th><th>Status</th><th>Info</th><th>Banner</th>
+        </tr>
+      </thead>
+      <tbody>
+        ${evRows || ""}
+      </tbody>
+    </table>
+  </div>
+
+<script>
+(function(){
+  const onlyOpen = document.getElementById('onlyOpen');
+  const tbl = document.getElementById('ev');
+  if (!onlyOpen || !tbl) return;
+  function apply(){
+    const want = !!onlyOpen.checked;
+    tbl.querySelectorAll('tbody tr').forEach(tr=>{
+      const st = (tr.getAttribute('data-status')||'').toLowerCase();
+      tr.style.display = (want && st !== 'open') ? 'none' : '';
+      // badge styling in-place:
+      const cell = tr.querySelector('.ev-status');
+      if (!cell) return;
+      const v = (cell.textContent||'').trim().toLowerCase();
+      let cls = '';
+      if (v === 'open') cls = 'badge badge-open';
+      else if (v === 'closed') cls = 'badge badge-closed';
+      else if (v === 'filtered') cls = 'badge badge-filtered';
+      if (cls) cell.innerHTML = '<span class="'+cls+'">'+cell.textContent.trim()+'</span>';
+    });
+  }
+  onlyOpen.addEventListener('change', apply);
+  apply();
+})();
+</script>
+</body>
+</html>`;
+}

package/utils/redact.mjs

@@ -0,0 +1,79 @@
+// utils/redact.mjs
+// Replace values whose KEY contains any of the given keywords.
+// Example: scrubByKey({ serialNumber: 'X8K...' }, ['serial']) -> { serialNumber: '[REDACTED_HIDDEN]' }
+
+export function scrubByKey(val, keywords, placeholder = '[REDACTED_HIDDEN]') {
+  if (val == null) return val;
+
+  if (Array.isArray(val)) {
+    return val.map(v => scrubByKey(v, keywords, placeholder));
+  }
+
+  if (typeof val === 'object') {
+    const out = {};
+    for (const [k, v] of Object.entries(val)) {
+      const lk = k.toLowerCase();
+      const hit = keywords.some(word => lk.includes(word));
+      out[k] = hit ? placeholder : scrubByKey(v, keywords, placeholder);
+    }
+    return out;
+  }
+
+  return val; // primitives pass through
+}
+
+// Pattern-based redaction rules
+const PATTERNS = [
+  // Standard level
+  { regex: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b/g, replacement: '[REDACTED_EMAIL]', level: 'standard' },
+  { regex: /\b[\w-]+\.(internal|local|corp|lan|intra|priv)\b/gi, replacement: '[REDACTED_HOSTNAME]', level: 'standard' },
+  { regex: /https?:\/\/(?:10\.|172\.(?:1[6-9]|2\d|3[01])\.|192\.168\.)\S+/g, replacement: '[REDACTED_URL]', level: 'standard' },
+  { regex: /community=\S+/gi, replacement: 'community=[REDACTED]', level: 'standard' },
+  { regex: /\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b/gi, replacement: '[REDACTED_MAC]', level: 'standard' },
+  // Strict level
+  { regex: /(?:\/[\w.-]+){2,}\.(?:conf|log|ini|cfg|env|key|pem|crt)\b/g, replacement: '[REDACTED_PATH]', level: 'strict' },
+  { regex: /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g, replacement: '[REDACTED_AWS_KEY]', level: 'strict' },
+  { regex: /\bBearer\s+[A-Za-z0-9._~+\/=-]+/gi, replacement: '[REDACTED_BEARER]', level: 'strict' },
+];
+
+/**
+ * Redact sensitive patterns from string values within an object tree.
+ * Applies regex-based redaction to all string values recursively.
+ * @param {*} val - Value to redact
+ * @param {string} level - 'standard' or 'strict'
+ * @returns {*} Redacted value
+ */
+export function redactPatterns(val, level = 'standard') {
+  const activePatterns = PATTERNS.filter(
+    p => p.level === 'standard' || (level === 'strict' && p.level === 'strict')
+  );
+  return _applyPatterns(val, activePatterns);
+}
+
+function _applyPatterns(val, patterns) {
+  if (val == null) return val;
+
+  if (typeof val === 'string') {
+    let result = val;
+    for (const { regex, replacement } of patterns) {
+      // Reset lastIndex for global regexes
+      regex.lastIndex = 0;
+      result = result.replace(regex, replacement);
+    }
+    return result;
+  }
+
+  if (Array.isArray(val)) {
+    return val.map(v => _applyPatterns(v, patterns));
+  }
+
+  if (typeof val === 'object') {
+    const out = {};
+    for (const [k, v] of Object.entries(val)) {
+      out[k] = _applyPatterns(v, patterns);
+    }
+    return out;
+  }
+
+  return val;
+}