palaryn 0.1.0

package/dist/tests/unit/dlp-scanner.test.js

@@ -0,0 +1,739 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+const crypto_1 = require("crypto");
+const scanner_1 = require("../../src/dlp/scanner");
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+/** Build a DLPConfig with sensible defaults for testing. */
+function buildConfig(overrides = {}) {
+    return {
+        enabled: true,
+        scan_args: true,
+        scan_output: true,
+        secrets_detection: true,
+        pii_detection: true,
+        default_redaction_method: 'mask',
+        ...overrides,
+    };
+}
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+describe('DLPScanner', () => {
+    // -----------------------------------------------------------------------
+    // Secret Detection
+    // -----------------------------------------------------------------------
+    describe('secret detection', () => {
+        it('should detect AWS access keys', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const report = scanner.scan({ key: 'AKIAIOSFODNN7EXAMPLE' });
+            expect(report.detected).toContain('aws_access_key');
+            expect(report.severity).toBe('high');
+            expect(report.redactions.length).toBeGreaterThan(0);
+        });
+        it('should detect AWS secret access keys', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const report = scanner.scan({
+                config: 'aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY01',
+            });
+            expect(report.detected).toContain('aws_secret_key');
+            expect(report.severity).toBe('high');
+        });
+        it('should detect GitHub tokens (ghp_, gho_, ghu_, ghs_, ghr_)', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const ghpToken = 'ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef0123456789';
+            const report = scanner.scan({ token: ghpToken });
+            expect(report.detected).toContain('github_token');
+            expect(report.severity).toBe('high');
+        });
+        it('should detect Bearer tokens', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const report = scanner.scan({
+                headers: { Authorization: 'Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.payload.signature' },
+            });
+            expect(report.detected).toContain('bearer_token');
+            expect(report.severity).toBe('high');
+        });
+        it('should detect JWT tokens', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const jwt = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U';
+            const report = scanner.scan({ token: jwt });
+            expect(report.detected).toContain('jwt_token');
+            expect(report.severity).toBe('high');
+        });
+        it('should detect private keys', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const report = scanner.scan({
+                key: '-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...',
+            });
+            expect(report.detected).toContain('private_key');
+            expect(report.severity).toBe('high');
+        });
+        it('should detect EC private keys', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const report = scanner.scan({
+                key: '-----BEGIN EC PRIVATE KEY-----\nMHQCAQEEIBkg...',
+            });
+            expect(report.detected).toContain('private_key');
+        });
+        it('should detect plain private keys (without algorithm prefix)', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const report = scanner.scan({
+                key: '-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBg...',
+            });
+            expect(report.detected).toContain('private_key');
+        });
+        it('should detect password fields', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const report = scanner.scan({
+                config: 'password=SuperSecret123!',
+            });
+            expect(report.detected).toContain('password_field');
+            expect(report.severity).toBe('high');
+        });
+        it('should detect password fields with various prefixes (passwd, pwd)', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const report1 = scanner.scan({ field: 'passwd=MyS3cur3Pa55!' });
+            expect(report1.detected).toContain('password_field');
+            const report2 = scanner.scan({ field: 'pwd:LongEnoughPassword1' });
+            expect(report2.detected).toContain('password_field');
+        });
+        it('should detect generic API keys', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const report = scanner.scan({
+                config: 'api_key=sk_live_abcdefghij1234567890',
+            });
+            expect(report.detected).toContain('generic_api_key');
+        });
+        it('should detect generic API keys with various formats', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const report1 = scanner.scan({ value: 'apikey: abcdef1234567890abcdef' });
+            expect(report1.detected).toContain('generic_api_key');
+            const report2 = scanner.scan({ value: 'api-key=abcdefghijklmnopqrst' });
+            expect(report2.detected).toContain('generic_api_key');
+        });
+        it('should detect Slack tokens', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const report = scanner.scan({
+                token: 'xoxb-123456789012-1234567890123-AbCdEfGhIjKl',
+            });
+            expect(report.detected).toContain('slack_token');
+            expect(report.severity).toBe('high');
+        });
+        it('should detect generic secrets', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const report = scanner.scan({
+                env: 'secret=abcdefghijklmnop1234',
+            });
+            expect(report.detected).toContain('generic_secret');
+        });
+    });
+    // -----------------------------------------------------------------------
+    // PII Detection
+    // -----------------------------------------------------------------------
+    describe('PII detection', () => {
+        it('should detect email addresses', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const report = scanner.scan({ contact: 'user@example.com' });
+            expect(report.detected).toContain('email');
+            expect(report.severity).toBe('medium');
+        });
+        it('should detect various email formats', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const report = scanner.scan({
+                emails: 'john.doe+test@sub.domain.co.uk, admin@company.io',
+            });
+            expect(report.detected).toContain('email');
+        });
+        it('should detect US phone numbers', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const report = scanner.scan({ phone: '(555) 123-4567' });
+            expect(report.detected).toContain('phone_us');
+            expect(report.severity).toBe('medium');
+        });
+        it('should detect phone numbers with +1 prefix', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const report = scanner.scan({ phone: '+1-555-123-4567' });
+            expect(report.detected).toContain('phone_us');
+        });
+        it('should detect SSNs', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const report = scanner.scan({ ssn: '123-45-6789' });
+            expect(report.detected).toContain('ssn');
+            expect(report.severity).toBe('high');
+        });
+        it('should detect credit card numbers', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const report = scanner.scan({ card: '4111 1111 1111 1111' });
+            expect(report.detected).toContain('credit_card');
+            expect(report.severity).toBe('high');
+        });
+        it('should detect credit card numbers with dashes', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const report = scanner.scan({ card: '4111-1111-1111-1111' });
+            expect(report.detected).toContain('credit_card');
+        });
+        it('should detect IP addresses', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const report = scanner.scan({ ip: '192.168.1.100' });
+            expect(report.detected).toContain('ip_address');
+            expect(report.severity).toBe('low');
+        });
+    });
+    // -----------------------------------------------------------------------
+    // Recursive Scanning
+    // -----------------------------------------------------------------------
+    describe('recursive scanning', () => {
+        it('should scan nested objects recursively', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const data = {
+                level1: {
+                    level2: {
+                        level3: {
+                            secret: 'password=VerySecretPass1',
+                        },
+                    },
+                },
+            };
+            const report = scanner.scan(data);
+            expect(report.detected).toContain('password_field');
+            expect(report.redactions.length).toBeGreaterThan(0);
+            // Check that the path is correctly computed
+            const redaction = report.redactions.find((r) => r.original_type === 'password_field');
+            expect(redaction).toBeDefined();
+            expect(redaction.path).toBe('level1.level2.level3.secret');
+        });
+        it('should scan arrays', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const data = {
+                items: [
+                    'safe text',
+                    'AKIAIOSFODNN7EXAMPLE',
+                    { nested: 'user@example.com' },
+                ],
+            };
+            const report = scanner.scan(data);
+            expect(report.detected).toContain('aws_access_key');
+            expect(report.detected).toContain('email');
+            const awsRedaction = report.redactions.find((r) => r.original_type === 'aws_access_key');
+            expect(awsRedaction).toBeDefined();
+            expect(awsRedaction.path).toBe('items[1]');
+            const emailRedaction = report.redactions.find((r) => r.original_type === 'email');
+            expect(emailRedaction).toBeDefined();
+            expect(emailRedaction.path).toBe('items[2].nested');
+        });
+        it('should handle null values gracefully', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const report = scanner.scan({ value: null });
+            expect(report.detected).toHaveLength(0);
+            expect(report.redactions).toHaveLength(0);
+        });
+        it('should handle undefined values gracefully', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const report = scanner.scan(undefined);
+            expect(report.detected).toHaveLength(0);
+            expect(report.redactions).toHaveLength(0);
+        });
+        it('should handle top-level null', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const report = scanner.scan(null);
+            expect(report.detected).toHaveLength(0);
+        });
+        it('should ignore non-string primitives (numbers, booleans)', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const report = scanner.scan({ count: 42, active: true, ratio: 3.14 });
+            expect(report.detected).toHaveLength(0);
+        });
+        it('should use basePath when provided', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const report = scanner.scan({ token: 'AKIAIOSFODNN7EXAMPLE' }, 'args');
+            const redaction = report.redactions.find((r) => r.original_type === 'aws_access_key');
+            expect(redaction).toBeDefined();
+            expect(redaction.path).toBe('args.token');
+        });
+        it('should scan top-level arrays', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const report = scanner.scan(['AKIAIOSFODNN7EXAMPLE', 'safe']);
+            expect(report.detected).toContain('aws_access_key');
+            const redaction = report.redactions.find((r) => r.original_type === 'aws_access_key');
+            expect(redaction).toBeDefined();
+            expect(redaction.path).toBe('[0]');
+        });
+        it('should scan a plain string value', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const report = scanner.scan('password=MySuperSecret1');
+            expect(report.detected).toContain('password_field');
+        });
+    });
+    // -----------------------------------------------------------------------
+    // Severity Calculation
+    // -----------------------------------------------------------------------
+    describe('severity calculation', () => {
+        it('should return "low" when no detections are found', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const report = scanner.scan({ safe: 'nothing here' });
+            expect(report.severity).toBe('low');
+        });
+        it('should return "medium" when only medium-severity items are detected', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            // generic_api_key has medium severity, email has medium severity
+            const report = scanner.scan({ contact: 'user@example.com' });
+            expect(report.severity).toBe('medium');
+        });
+        it('should return "high" when any high-severity item is detected', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            // Mix of medium (email) and high (AWS key)
+            const report = scanner.scan({
+                contact: 'user@example.com',
+                key: 'AKIAIOSFODNN7EXAMPLE',
+            });
+            expect(report.severity).toBe('high');
+        });
+        it('should return "high" overriding "medium" and "low" detections', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const report = scanner.scan({
+                ip: '192.168.1.1', // ip_address -> low
+                email: 'user@example.com', // email -> medium
+                ssn: '123-45-6789', // ssn -> high
+            });
+            expect(report.severity).toBe('high');
+        });
+        it('should return "low" for IP-only detection', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const report = scanner.scan({ ip: '10.0.0.1' });
+            expect(report.severity).toBe('low');
+        });
+    });
+    // -----------------------------------------------------------------------
+    // Redaction Methods (static)
+    // -----------------------------------------------------------------------
+    describe('redact (static)', () => {
+        const testValue = 'AKIAIOSFODNN7EXAMPLE';
+        it('should mask values (keep first 4 chars, replace rest with x)', () => {
+            const result = scanner_1.DLPScanner.redact(testValue, 'mask');
+            expect(result).toBe('AKIA' + 'x'.repeat(Math.min(testValue.length - 4, 20)));
+            expect(result.startsWith('AKIA')).toBe(true);
+            // The rest should be x's
+            expect(result.slice(4)).toMatch(/^x+$/);
+        });
+        it('should mask short values (length <= 4) as "xxxx"', () => {
+            expect(scanner_1.DLPScanner.redact('abc', 'mask')).toBe('xxxx');
+            expect(scanner_1.DLPScanner.redact('abcd', 'mask')).toBe('xxxx');
+        });
+        it('should cap mask replacement at 20 x characters', () => {
+            const longValue = 'abcd' + 'z'.repeat(50);
+            const result = scanner_1.DLPScanner.redact(longValue, 'mask');
+            expect(result).toBe('abcd' + 'x'.repeat(20));
+        });
+        it('should hash values with SHA-256 prefix', () => {
+            const result = scanner_1.DLPScanner.redact(testValue, 'hash');
+            expect(result).toMatch(/^HASH:[0-9a-f]{16}$/);
+            // Verify it matches the expected hash
+            const expectedHash = (0, crypto_1.createHash)('sha256').update(testValue).digest('hex').slice(0, 16);
+            expect(result).toBe(`HASH:${expectedHash}`);
+        });
+        it('should drop values entirely', () => {
+            expect(scanner_1.DLPScanner.redact(testValue, 'drop')).toBe('[REDACTED]');
+        });
+        it('should tokenize values with SHA-256 prefix', () => {
+            const result = scanner_1.DLPScanner.redact(testValue, 'tokenize');
+            expect(result).toMatch(/^\{\{REDACTED_[0-9a-f]{16}\}\}$/);
+            // Verify determinism
+            const expectedToken = (0, crypto_1.createHash)('sha256').update(testValue).digest('hex').slice(0, 16);
+            expect(result).toBe(`{{REDACTED_${expectedToken}}}`);
+        });
+        it('should default to [REDACTED] for unknown method', () => {
+            const result = scanner_1.DLPScanner.redact(testValue, 'unknown');
+            expect(result).toBe('[REDACTED]');
+        });
+        it('should produce deterministic results for hash and tokenize', () => {
+            const v = 'consistent_value_for_testing_123';
+            expect(scanner_1.DLPScanner.redact(v, 'hash')).toBe(scanner_1.DLPScanner.redact(v, 'hash'));
+            expect(scanner_1.DLPScanner.redact(v, 'tokenize')).toBe(scanner_1.DLPScanner.redact(v, 'tokenize'));
+        });
+    });
+    // -----------------------------------------------------------------------
+    // Entropy Calculation
+    // -----------------------------------------------------------------------
+    describe('calculateEntropy (static)', () => {
+        it('should return 0 for an empty string', () => {
+            expect(scanner_1.DLPScanner.calculateEntropy('')).toBe(0);
+        });
+        it('should return 0 for a single-character repeated string', () => {
+            expect(scanner_1.DLPScanner.calculateEntropy('aaaaaaa')).toBe(0);
+        });
+        it('should return 1 for a two-character string with equal distribution', () => {
+            // "ab" -> each char appears once out of 2 -> -2 * (0.5 * log2(0.5)) = 1
+            expect(scanner_1.DLPScanner.calculateEntropy('ab')).toBeCloseTo(1.0, 5);
+        });
+        it('should return higher entropy for random-looking strings', () => {
+            const lowEntropy = 'aaaaaaaabbbbbbbb';
+            const highEntropy = 'aB3$xZ9!qW7&mK2@';
+            expect(scanner_1.DLPScanner.calculateEntropy(highEntropy)).toBeGreaterThan(scanner_1.DLPScanner.calculateEntropy(lowEntropy));
+        });
+        it('should compute correct entropy for a known distribution', () => {
+            // "aabb" -> a:2, b:2 -> -2*(2/4 * log2(2/4)) = -2*(0.5*-1) = 1.0
+            expect(scanner_1.DLPScanner.calculateEntropy('aabb')).toBeCloseTo(1.0, 5);
+        });
+        it('should return higher entropy for more varied character sets', () => {
+            // 'aaabbbcccddd' has 3 unique chars each appearing 4 times -> low entropy
+            const lowVariety = 'aaabbbcccdddeeee';
+            // 'aB3$xZ9!qW7&mK2@' has 16 unique chars each appearing once -> high entropy
+            const highVariety = 'aB3$xZ9!qW7&mK2@';
+            expect(scanner_1.DLPScanner.calculateEntropy(highVariety)).toBeGreaterThan(scanner_1.DLPScanner.calculateEntropy(lowVariety));
+        });
+    });
+    // -----------------------------------------------------------------------
+    // High Entropy Detection
+    // -----------------------------------------------------------------------
+    describe('isHighEntropy (static)', () => {
+        it('should return false for short strings (< 16 chars)', () => {
+            expect(scanner_1.DLPScanner.isHighEntropy('aB3$xZ9!')).toBe(false);
+            expect(scanner_1.DLPScanner.isHighEntropy('123456789012345')).toBe(false); // 15 chars
+        });
+        it('should return false for low-entropy long strings', () => {
+            const lowEntropy = 'aaaaaaaaaaaaaaaa'; // 16 chars, entropy = 0
+            expect(scanner_1.DLPScanner.isHighEntropy(lowEntropy)).toBe(false);
+        });
+        it('should return true for high-entropy strings of sufficient length', () => {
+            // A base64-encoded random-looking string with many unique chars
+            const highEntropyStr = 'aB3$xZ9!qW7&mK2@pL5^tY8#';
+            const entropy = scanner_1.DLPScanner.calculateEntropy(highEntropyStr);
+            // Verify the string actually has high entropy first
+            expect(entropy).toBeGreaterThanOrEqual(4.0);
+            expect(scanner_1.DLPScanner.isHighEntropy(highEntropyStr)).toBe(true);
+        });
+        it('should respect custom threshold parameter', () => {
+            // A string with moderate entropy
+            const str = 'abcdefghijklmnop'; // 16 unique chars, entropy = 4.0
+            const entropy = scanner_1.DLPScanner.calculateEntropy(str);
+            // With a threshold below its entropy -> true
+            expect(scanner_1.DLPScanner.isHighEntropy(str, entropy - 0.1)).toBe(true);
+            // With a threshold above its entropy -> false
+            expect(scanner_1.DLPScanner.isHighEntropy(str, entropy + 0.1)).toBe(false);
+        });
+        it('should use default threshold of 4.5', () => {
+            // Entropy of 'abcdefghijklmnop' = log2(16) = 4.0, below 4.5
+            expect(scanner_1.DLPScanner.isHighEntropy('abcdefghijklmnop')).toBe(false);
+        });
+    });
+    // -----------------------------------------------------------------------
+    // Disabled DLP
+    // -----------------------------------------------------------------------
+    describe('disabled DLP', () => {
+        it('should return empty report when DLP is disabled', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig({ enabled: false }));
+            const report = scanner.scan({
+                key: 'AKIAIOSFODNN7EXAMPLE',
+                email: 'user@example.com',
+                password: 'password=SuperSecretPassword1',
+            });
+            expect(report.detected).toHaveLength(0);
+            expect(report.redactions).toHaveLength(0);
+            expect(report.severity).toBe('low');
+        });
+    });
+    // -----------------------------------------------------------------------
+    // Selective Scanning (secrets only, PII only)
+    // -----------------------------------------------------------------------
+    describe('selective scanning', () => {
+        it('should detect only secrets when PII detection is disabled', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig({ pii_detection: false }));
+            const report = scanner.scan({
+                key: 'AKIAIOSFODNN7EXAMPLE',
+                email: 'user@example.com',
+                ssn: '123-45-6789',
+            });
+            expect(report.detected).toContain('aws_access_key');
+            expect(report.detected).not.toContain('email');
+            expect(report.detected).not.toContain('ssn');
+        });
+        it('should detect only PII when secrets detection is disabled', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig({ secrets_detection: false }));
+            const report = scanner.scan({
+                key: 'AKIAIOSFODNN7EXAMPLE',
+                email: 'user@example.com',
+                ssn: '123-45-6789',
+            });
+            expect(report.detected).not.toContain('aws_access_key');
+            expect(report.detected).toContain('email');
+            expect(report.detected).toContain('ssn');
+        });
+        it('should detect nothing when both secrets and PII detection are disabled', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig({ secrets_detection: false, pii_detection: false }));
+            const report = scanner.scan({
+                key: 'AKIAIOSFODNN7EXAMPLE',
+                email: 'user@example.com',
+            });
+            expect(report.detected).toHaveLength(0);
+            expect(report.redactions).toHaveLength(0);
+        });
+    });
+    // -----------------------------------------------------------------------
+    // Redaction application (applyRedactions)
+    // -----------------------------------------------------------------------
+    describe('applyRedactions', () => {
+        it('should apply mask redaction to a nested path', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const data = {
+                headers: {
+                    Authorization: 'Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig',
+                },
+            };
+            const redactions = [
+                { path: 'headers.Authorization', method: 'mask', original_type: 'bearer_token' },
+            ];
+            const result = scanner.applyRedactions(data, redactions);
+            // The original should not be mutated
+            expect(data.headers.Authorization).toBe('Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig');
+            // The redacted result should not contain the original bearer token
+            expect(result.headers.Authorization).not.toBe(data.headers.Authorization);
+        });
+        it('should apply drop redaction', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const data = { secret: 'AKIAIOSFODNN7EXAMPLE' };
+            const redactions = [
+                { path: 'secret', method: 'drop', original_type: 'aws_access_key' },
+            ];
+            const result = scanner.applyRedactions(data, redactions);
+            // The entire matched portion is replaced with [REDACTED]
+            expect(result.secret).toContain('[REDACTED]');
+        });
+        it('should return data unchanged when no redactions are provided', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const data = { key: 'value' };
+            const result = scanner.applyRedactions(data, []);
+            expect(result).toEqual(data);
+        });
+        it('should handle array paths in redactions', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const data = {
+                items: ['safe', 'AKIAIOSFODNN7EXAMPLE'],
+            };
+            const redactions = [
+                { path: 'items[1]', method: 'drop', original_type: 'aws_access_key' },
+            ];
+            const result = scanner.applyRedactions(data, redactions);
+            expect(result.items[0]).toBe('safe');
+            expect(result.items[1]).toContain('[REDACTED]');
+        });
+        it('should not mutate the original data', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const original = { secret: 'AKIAIOSFODNN7EXAMPLE' };
+            const redactions = [
+                { path: 'secret', method: 'drop', original_type: 'aws_access_key' },
+            ];
+            scanner.applyRedactions(original, redactions);
+            expect(original.secret).toBe('AKIAIOSFODNN7EXAMPLE');
+        });
+        it('should skip silently when path cannot be resolved', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const data = { key: 'value' };
+            const redactions = [
+                { path: 'nonexistent.deep.path', method: 'drop' },
+            ];
+            const result = scanner.applyRedactions(data, redactions);
+            expect(result).toEqual({ key: 'value' });
+        });
+        it('should skip silently when the leaf is not a string', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const data = { count: 42 };
+            const redactions = [
+                { path: 'count', method: 'mask' },
+            ];
+            const result = scanner.applyRedactions(data, redactions);
+            expect(result.count).toBe(42);
+        });
+    });
+    // -----------------------------------------------------------------------
+    // parsePath (static)
+    // -----------------------------------------------------------------------
+    describe('parsePath (static)', () => {
+        it('should parse dot-notation paths', () => {
+            expect(scanner_1.DLPScanner.parsePath('a.b.c')).toEqual(['a', 'b', 'c']);
+        });
+        it('should parse bracket-notation paths', () => {
+            expect(scanner_1.DLPScanner.parsePath('items[0]')).toEqual(['items', '0']);
+        });
+        it('should parse mixed dot and bracket notation', () => {
+            expect(scanner_1.DLPScanner.parsePath('items[0].value')).toEqual(['items', '0', 'value']);
+        });
+        it('should parse standalone bracket path', () => {
+            expect(scanner_1.DLPScanner.parsePath('[0]')).toEqual(['0']);
+        });
+        it('should return empty array for empty string', () => {
+            expect(scanner_1.DLPScanner.parsePath('')).toEqual([]);
+        });
+        it('should parse single segment', () => {
+            expect(scanner_1.DLPScanner.parsePath('key')).toEqual(['key']);
+        });
+    });
+    // -----------------------------------------------------------------------
+    // deepClone (static)
+    // -----------------------------------------------------------------------
+    describe('deepClone (static)', () => {
+        it('should deep clone objects', () => {
+            const original = { a: { b: { c: 1 } } };
+            const cloned = scanner_1.DLPScanner.deepClone(original);
+            expect(cloned).toEqual(original);
+            cloned.a.b.c = 99;
+            expect(original.a.b.c).toBe(1);
+        });
+        it('should deep clone arrays', () => {
+            const original = [1, [2, 3], { a: 4 }];
+            const cloned = scanner_1.DLPScanner.deepClone(original);
+            expect(cloned).toEqual(original);
+            cloned[2].a = 99;
+            expect(original[2].a).toBe(4);
+        });
+        it('should return null for null', () => {
+            expect(scanner_1.DLPScanner.deepClone(null)).toBe(null);
+        });
+        it('should return undefined for undefined', () => {
+            expect(scanner_1.DLPScanner.deepClone(undefined)).toBe(undefined);
+        });
+        it('should return primitives as-is', () => {
+            expect(scanner_1.DLPScanner.deepClone(42)).toBe(42);
+            expect(scanner_1.DLPScanner.deepClone('hello')).toBe('hello');
+            expect(scanner_1.DLPScanner.deepClone(true)).toBe(true);
+        });
+    });
+    // -----------------------------------------------------------------------
+    // Deduplication
+    // -----------------------------------------------------------------------
+    describe('detection deduplication', () => {
+        it('should deduplicate detection names in the report', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const report = scanner.scan({
+                key1: 'AKIAIOSFODNN7EXAMPLE',
+                key2: 'AKIAIOSFODNN7FOOBAR1',
+            });
+            // Both are aws_access_key but should appear only once in detected
+            const awsCount = report.detected.filter((d) => d === 'aws_access_key').length;
+            expect(awsCount).toBe(1);
+            // But there should be 2 redactions (one per field)
+            const awsRedactions = report.redactions.filter((r) => r.original_type === 'aws_access_key');
+            expect(awsRedactions.length).toBe(2);
+        });
+    });
+    // -----------------------------------------------------------------------
+    // Redaction method from config
+    // -----------------------------------------------------------------------
+    describe('uses configured default_redaction_method', () => {
+        it('should use "hash" as the redaction method when configured', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig({ default_redaction_method: 'hash' }));
+            const report = scanner.scan({ key: 'AKIAIOSFODNN7EXAMPLE' });
+            for (const redaction of report.redactions) {
+                expect(redaction.method).toBe('hash');
+            }
+        });
+        it('should use "drop" as the redaction method when configured', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig({ default_redaction_method: 'drop' }));
+            const report = scanner.scan({ email: 'user@example.com' });
+            for (const redaction of report.redactions) {
+                expect(redaction.method).toBe('drop');
+            }
+        });
+        it('should use "tokenize" as the redaction method when configured', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig({ default_redaction_method: 'tokenize' }));
+            const report = scanner.scan({ key: 'AKIAIOSFODNN7EXAMPLE' });
+            for (const redaction of report.redactions) {
+                expect(redaction.method).toBe('tokenize');
+            }
+        });
+    });
+    // -----------------------------------------------------------------------
+    // Multiple detections in single string
+    // -----------------------------------------------------------------------
+    describe('multiple detections in a single string', () => {
+        it('should detect multiple secret types in one string', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            const combined = 'key=AKIAIOSFODNN7EXAMPLE token=xoxb-1234567890-1234567890-abcdefghij';
+            const report = scanner.scan({ value: combined });
+            expect(report.detected).toContain('aws_access_key');
+            expect(report.detected).toContain('slack_token');
+        });
+    });
+    // -----------------------------------------------------------------------
+    // DLP Bypass Vector Tests
+    // -----------------------------------------------------------------------
+    describe('DLP bypass vectors', () => {
+        // Use RegexDLPBackend directly for these tests since it has the
+        // normalization logic (zero-width stripping, homoglyph replacement, base64 decode)
+        let backend;
+        beforeAll(async () => {
+            const { RegexDLPBackend } = await Promise.resolve().then(() => __importStar(require('../../src/dlp/regex-backend')));
+            backend = new RegexDLPBackend();
+        });
+        it('should detect base64-encoded AWS key', () => {
+            const awsKey = 'AKIAIOSFODNN7EXAMPLE';
+            const encoded = Buffer.from(awsKey).toString('base64');
+            const detections = backend.scanString(encoded);
+            // Should detect the AWS key either directly or via base64 decoding
+            const hasAwsDetection = detections.some(d => d.pattern_name === 'aws_access_key' || d.pattern_name === 'base64:aws_access_key');
+            expect(hasAwsDetection).toBe(true);
+        });
+        it('should detect AWS key with Unicode homoglyph (Cyrillic A)', () => {
+            // Replace ASCII 'A' with Cyrillic 'A' (U+0410) in the AKIA prefix
+            const homoglyphKey = '\u0410KI\u0410IOSFODNN7EXAMPLE';
+            const detections = backend.scanString(homoglyphKey);
+            const hasAwsDetection = detections.some(d => d.pattern_name === 'aws_access_key');
+            expect(hasAwsDetection).toBe(true);
+        });
+        it('should detect AWS key with zero-width characters inserted', () => {
+            // Insert zero-width space (U+200B) inside the key
+            const zwKey = 'AKI\u200BAIOSFODNN7EXAMPLE';
+            const detections = backend.scanString(zwKey);
+            const hasAwsDetection = detections.some(d => d.pattern_name === 'aws_access_key');
+            expect(hasAwsDetection).toBe(true);
+        });
+        it('should NOT detect secrets nested beyond depth limit (> 32 levels)', () => {
+            const scanner = new scanner_1.DLPScanner(buildConfig());
+            // Build an object nested 33 levels deep with a secret at the bottom
+            let obj = { secret: 'AKIAIOSFODNN7EXAMPLE' };
+            for (let i = 0; i < 33; i++) {
+                obj = { nested: obj };
+            }
+            const report = scanner.scan(obj);
+            // The secret is at depth 34 (33 wrapping levels + 1 for the 'secret' key),
+            // which exceeds MAX_SCAN_DEPTH of 32, so it should NOT be detected
+            expect(report.detected).not.toContain('aws_access_key');
+            expect(report.redactions).toHaveLength(0);
+        });
+    });
+});
+//# sourceMappingURL=dlp-scanner.test.js.map