rehydra 0.1.0

package/dist/crypto/pii-map-crypto.d.ts

@@ -0,0 +1,114 @@
+/**
+ * PII Map Encryption
+ * AES-256-GCM encryption for the PII mapping
+ * Uses Web Crypto API for browser compatibility
+ */
+import { EncryptedPIIMap } from "../types/index.js";
+import type { RawPIIMap } from "../pipeline/tagger.js";
+/**
+ * Converts a Uint8Array to a Base64 string
+ */
+export declare function uint8ArrayToBase64(bytes: Uint8Array): string;
+/**
+ * Converts a Base64 string to a Uint8Array
+ */
+export declare function base64ToUint8Array(base64: string): Uint8Array;
+/**
+ * Encryption configuration
+ */
+export interface EncryptionConfig {
+    /** IV length in bytes (default: 12 for GCM) */
+    ivLength: number;
+    /** Auth tag length in bits (default: 128) */
+    authTagLength: number;
+}
+/**
+ * Default encryption configuration
+ */
+export declare const DEFAULT_ENCRYPTION_CONFIG: EncryptionConfig;
+/**
+ * Key generation options
+ */
+export interface KeyGenOptions {
+    /** Key length in bytes (default: 32 for AES-256) */
+    length: number;
+}
+/**
+ * Generates a random encryption key
+ * @returns Promise resolving to Uint8Array containing the key
+ */
+export declare function generateKey(options?: Partial<KeyGenOptions>): Uint8Array;
+/**
+ * Generates a random salt for key derivation
+ * @param length - Salt length in bytes (default: 16)
+ * @returns Uint8Array containing the salt
+ */
+export declare function generateSalt(length?: number): Uint8Array;
+/**
+ * Derives a key from a password using PBKDF2
+ * @param password - Password string
+ * @param salt - Salt Uint8Array (should be randomly generated and stored)
+ * @param iterations - Number of iterations (default: 100000)
+ * @returns Promise resolving to Uint8Array containing the derived key
+ */
+export declare function deriveKey(password: string, salt: Uint8Array, iterations?: number): Promise<Uint8Array>;
+/**
+ * Encrypts a PII map using AES-256-GCM
+ * @param piiMap - Raw PII map to encrypt
+ * @param key - 32-byte encryption key as Uint8Array
+ * @param config - Encryption configuration
+ * @returns Promise resolving to encrypted PII map
+ */
+export declare function encryptPIIMap(piiMap: RawPIIMap, key: Uint8Array, config?: Partial<EncryptionConfig>): Promise<EncryptedPIIMap>;
+/**
+ * Decrypts an encrypted PII map
+ * @param encrypted - Encrypted PII map
+ * @param key - 32-byte encryption key as Uint8Array
+ * @param config - Encryption configuration
+ * @returns Promise resolving to decrypted PII map
+ */
+export declare function decryptPIIMap(encrypted: EncryptedPIIMap, key: Uint8Array, config?: Partial<EncryptionConfig>): Promise<RawPIIMap>;
+/**
+ * Key provider interface for external key management
+ */
+export interface KeyProvider {
+    /** Gets the current encryption key */
+    getKey(): Promise<Uint8Array>;
+    /** Rotates to a new key (optional) */
+    rotateKey?(): Promise<Uint8Array>;
+}
+/**
+ * Simple in-memory key provider (for testing/development)
+ * WARNING: Not secure for production use
+ */
+export declare class InMemoryKeyProvider implements KeyProvider {
+    private key;
+    private initialKey?;
+    constructor(key?: Uint8Array);
+    getKey(): Promise<Uint8Array>;
+    rotateKey(): Promise<Uint8Array>;
+}
+/**
+ * Configuration-based key provider
+ * Accepts the key at construction time (platform-agnostic)
+ * Consumer is responsible for reading the key from environment variables or config
+ */
+export declare class ConfigKeyProvider implements KeyProvider {
+    private key;
+    /**
+     * Creates a new ConfigKeyProvider
+     * @param keyBase64 - Base64-encoded 32-byte encryption key
+     */
+    constructor(keyBase64: string);
+    getKey(): Promise<Uint8Array>;
+}
+/**
+ * Validates that a key is suitable for AES-256
+ */
+export declare function validateKey(key: Uint8Array): boolean;
+/**
+ * Securely compares two Uint8Arrays (constant-time)
+ * Prevents timing attacks by always comparing all bytes
+ */
+export declare function secureCompare(a: Uint8Array, b: Uint8Array): boolean;
+//# sourceMappingURL=pii-map-crypto.d.ts.map

package/dist/crypto/pii-map-crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pii-map-crypto.d.ts","sourceRoot":"","sources":["../../src/crypto/pii-map-crypto.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAMvD;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAG5D;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU,CAG7D;AAMD;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,+CAA+C;IAC/C,QAAQ,EAAE,MAAM,CAAC;IACjB,6CAA6C;IAC7C,aAAa,EAAE,MAAM,CAAC;CACvB;AAED;;GAEG;AACH,eAAO,MAAM,yBAAyB,EAAE,gBAGvC,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,oDAAoD;IACpD,MAAM,EAAE,MAAM,CAAC;CAChB;AAMD;;;GAGG;AACH,wBAAgB,WAAW,CAAC,OAAO,GAAE,OAAO,CAAC,aAAa,CAAM,GAAG,UAAU,CAK5E;AAED;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,MAAM,GAAE,MAAW,GAAG,UAAU,CAI5D;AAED;;;;;;GAMG;AACH,wBAAsB,SAAS,CAC7B,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,UAAU,EAChB,UAAU,GAAE,MAAe,GAC1B,OAAO,CAAC,UAAU,CAAC,CA0BrB;AAMD;;;;;;GAMG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,SAAS,EACjB,GAAG,EAAE,UAAU,EACf,MAAM,GAAE,OAAO,CAAC,gBAAgB,CAAM,GACrC,OAAO,CAAC,eAAe,CAAC,CAwD1B;AAED;;;;;;GAMG;AACH,wBAAsB,aAAa,CACjC,SAAS,EAAE,eAAe,EAC1B,GAAG,EAAE,UAAU,EACf,MAAM,GAAE,OAAO,CAAC,gBAAgB,CAAM,GACrC,OAAO,CAAC,SAAS,CAAC,CAiDpB;AAMD;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,sCAAsC;IACtC,MAAM,IAAI,OAAO,CAAC,UAAU,CAAC,CAAC;IAC9B,sCAAsC;IACtC,SAAS,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,CAAC;CACnC;AAED;;;GAGG;AACH,qBAAa,mBAAoB,YAAW,WAAW;IACrD,OAAO,CAAC,GAAG,CAA2B;IACtC,OAAO,CAAC,UAAU,CAAC,CAAa;gBAEpB,GAAG,CAAC,EAAE,UAAU;IAI5B,MAAM,IAAI,OAAO,CAAC,UAAU,CAAC;IAO7B,SAAS,IAAI,OAAO,CAAC,UAAU,CAAC;CAIjC;AAED;;;;GAIG;AACH,qBAAa,iBAAkB,YAAW,WAAW;IACnD,OAAO,CAAC,GAAG,CAAa;IAExB;;;OAGG;gBACS,SAAS,EAAE,MAAM;IAa7B,MAAM,IAAI,OAAO,CAAC,UAAU,CAAC;CAG9B;AAMD;;GAEG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,UAAU,GAAG,OAAO,CAEpD;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,UAAU,GAAG,OAAO,CASnE"}

package/dist/crypto/pii-map-crypto.js

@@ -0,0 +1,228 @@
+/**
+ * PII Map Encryption
+ * AES-256-GCM encryption for the PII mapping
+ * Uses Web Crypto API for browser compatibility
+ */
+// ============================================================================
+// Base64 Utility Functions
+// ============================================================================
+/**
+ * Converts a Uint8Array to a Base64 string
+ */
+export function uint8ArrayToBase64(bytes) {
+    const binString = Array.from(bytes, (b) => String.fromCodePoint(b)).join("");
+    return btoa(binString);
+}
+/**
+ * Converts a Base64 string to a Uint8Array
+ */
+export function base64ToUint8Array(base64) {
+    const binString = atob(base64);
+    return Uint8Array.from(binString, (c) => c.codePointAt(0));
+}
+/**
+ * Default encryption configuration
+ */
+export const DEFAULT_ENCRYPTION_CONFIG = {
+    ivLength: 12,
+    authTagLength: 128, // Web Crypto uses bits, not bytes
+};
+// ============================================================================
+// Core Crypto Functions
+// ============================================================================
+/**
+ * Generates a random encryption key
+ * @returns Promise resolving to Uint8Array containing the key
+ */
+export function generateKey(options = {}) {
+    const length = options.length ?? 32;
+    const key = new Uint8Array(length);
+    globalThis.crypto.getRandomValues(key);
+    return key;
+}
+/**
+ * Generates a random salt for key derivation
+ * @param length - Salt length in bytes (default: 16)
+ * @returns Uint8Array containing the salt
+ */
+export function generateSalt(length = 16) {
+    const salt = new Uint8Array(length);
+    globalThis.crypto.getRandomValues(salt);
+    return salt;
+}
+/**
+ * Derives a key from a password using PBKDF2
+ * @param password - Password string
+ * @param salt - Salt Uint8Array (should be randomly generated and stored)
+ * @param iterations - Number of iterations (default: 100000)
+ * @returns Promise resolving to Uint8Array containing the derived key
+ */
+export async function deriveKey(password, salt, iterations = 100000) {
+    const encoder = new TextEncoder();
+    const passwordBuffer = encoder.encode(password);
+    // Import password as a key
+    const baseKey = await globalThis.crypto.subtle.importKey("raw", passwordBuffer, "PBKDF2", false, ["deriveBits"]);
+    // Derive bits using PBKDF2
+    const derivedBits = await globalThis.crypto.subtle.deriveBits({
+        name: "PBKDF2",
+        salt: salt,
+        iterations: iterations,
+        hash: "SHA-256",
+    }, baseKey, 256 // 32 bytes * 8 bits
+    );
+    return new Uint8Array(derivedBits);
+}
+// ============================================================================
+// Encrypt / Decrypt Functions
+// ============================================================================
+/**
+ * Encrypts a PII map using AES-256-GCM
+ * @param piiMap - Raw PII map to encrypt
+ * @param key - 32-byte encryption key as Uint8Array
+ * @param config - Encryption configuration
+ * @returns Promise resolving to encrypted PII map
+ */
+export async function encryptPIIMap(piiMap, key, config = {}) {
+    const encConfig = { ...DEFAULT_ENCRYPTION_CONFIG, ...config };
+    // Validate key length
+    if (key.length !== 32) {
+        throw new Error(`Invalid key length: expected 32 bytes, got ${key.length}`);
+    }
+    // Convert map to JSON
+    const mapObject = {};
+    for (const [k, v] of piiMap) {
+        mapObject[k] = v;
+    }
+    const plaintext = JSON.stringify(mapObject);
+    // Generate random IV
+    const iv = new Uint8Array(encConfig.ivLength);
+    globalThis.crypto.getRandomValues(iv);
+    // Import key for AES-GCM
+    const cryptoKey = await globalThis.crypto.subtle.importKey("raw", key, { name: "AES-GCM" }, false, ["encrypt"]);
+    // Encrypt using AES-GCM
+    const encoder = new TextEncoder();
+    const plaintextBuffer = encoder.encode(plaintext);
+    const encryptedBuffer = await globalThis.crypto.subtle.encrypt({
+        name: "AES-GCM",
+        iv: iv,
+        tagLength: encConfig.authTagLength,
+    }, cryptoKey, plaintextBuffer);
+    // Web Crypto returns ciphertext + authTag concatenated
+    const encryptedArray = new Uint8Array(encryptedBuffer);
+    const authTagBytes = encConfig.authTagLength / 8;
+    const ciphertext = encryptedArray.slice(0, encryptedArray.length - authTagBytes);
+    const authTag = encryptedArray.slice(encryptedArray.length - authTagBytes);
+    return {
+        ciphertext: uint8ArrayToBase64(ciphertext),
+        iv: uint8ArrayToBase64(iv),
+        authTag: uint8ArrayToBase64(authTag),
+    };
+}
+/**
+ * Decrypts an encrypted PII map
+ * @param encrypted - Encrypted PII map
+ * @param key - 32-byte encryption key as Uint8Array
+ * @param config - Encryption configuration
+ * @returns Promise resolving to decrypted PII map
+ */
+export async function decryptPIIMap(encrypted, key, config = {}) {
+    const encConfig = { ...DEFAULT_ENCRYPTION_CONFIG, ...config };
+    // Validate key length
+    if (key.length !== 32) {
+        throw new Error(`Invalid key length: expected 32 bytes, got ${key.length}`);
+    }
+    // Decode base64
+    const ciphertext = base64ToUint8Array(encrypted.ciphertext);
+    const iv = base64ToUint8Array(encrypted.iv);
+    const authTag = base64ToUint8Array(encrypted.authTag);
+    // Web Crypto expects ciphertext + authTag concatenated
+    const encryptedData = new Uint8Array(ciphertext.length + authTag.length);
+    encryptedData.set(ciphertext, 0);
+    encryptedData.set(authTag, ciphertext.length);
+    // Import key for AES-GCM
+    const cryptoKey = await globalThis.crypto.subtle.importKey("raw", key, { name: "AES-GCM" }, false, ["decrypt"]);
+    // Decrypt using AES-GCM
+    const decryptedBuffer = await globalThis.crypto.subtle.decrypt({
+        name: "AES-GCM",
+        iv: iv,
+        tagLength: encConfig.authTagLength,
+    }, cryptoKey, encryptedData);
+    // Parse JSON back to map
+    const decoder = new TextDecoder();
+    const decryptedText = decoder.decode(decryptedBuffer);
+    const mapObject = JSON.parse(decryptedText);
+    const piiMap = new Map();
+    for (const [k, v] of Object.entries(mapObject)) {
+        piiMap.set(k, v);
+    }
+    return piiMap;
+}
+/**
+ * Simple in-memory key provider (for testing/development)
+ * WARNING: Not secure for production use
+ */
+export class InMemoryKeyProvider {
+    key = null;
+    initialKey;
+    constructor(key) {
+        this.initialKey = key;
+    }
+    getKey() {
+        if (this.key === null) {
+            this.key = this.initialKey ?? generateKey();
+        }
+        return Promise.resolve(this.key);
+    }
+    rotateKey() {
+        this.key = generateKey();
+        return Promise.resolve(this.key);
+    }
+}
+/**
+ * Configuration-based key provider
+ * Accepts the key at construction time (platform-agnostic)
+ * Consumer is responsible for reading the key from environment variables or config
+ */
+export class ConfigKeyProvider {
+    key;
+    /**
+     * Creates a new ConfigKeyProvider
+     * @param keyBase64 - Base64-encoded 32-byte encryption key
+     */
+    constructor(keyBase64) {
+        if (!keyBase64 || keyBase64.length === 0) {
+            throw new Error("Encryption key must be provided");
+        }
+        this.key = base64ToUint8Array(keyBase64);
+        if (this.key.length !== 32) {
+            throw new Error(`Invalid key length: expected 32 bytes, got ${this.key.length}`);
+        }
+    }
+    getKey() {
+        return Promise.resolve(this.key);
+    }
+}
+// ============================================================================
+// Utility Functions
+// ============================================================================
+/**
+ * Validates that a key is suitable for AES-256
+ */
+export function validateKey(key) {
+    return key.length === 32;
+}
+/**
+ * Securely compares two Uint8Arrays (constant-time)
+ * Prevents timing attacks by always comparing all bytes
+ */
+export function secureCompare(a, b) {
+    if (a.length !== b.length) {
+        return false;
+    }
+    let result = 0;
+    for (let i = 0; i < a.length; i++) {
+        result |= a[i] ^ b[i];
+    }
+    return result === 0;
+}
+//# sourceMappingURL=pii-map-crypto.js.map

package/dist/crypto/pii-map-crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pii-map-crypto.js","sourceRoot":"","sources":["../../src/crypto/pii-map-crypto.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAKH,+EAA+E;AAC/E,2BAA2B;AAC3B,+EAA+E;AAE/E;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAiB;IAClD,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC7E,OAAO,IAAI,CAAC,SAAS,CAAC,CAAC;AACzB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,MAAc;IAC/C,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAC/B,OAAO,UAAU,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAE,CAAC,CAAC;AAC9D,CAAC;AAgBD;;GAEG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAqB;IACzD,QAAQ,EAAE,EAAE;IACZ,aAAa,EAAE,GAAG,EAAE,kCAAkC;CACvD,CAAC;AAUF,+EAA+E;AAC/E,wBAAwB;AACxB,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,UAAkC,EAAE;IAC9D,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC;IACpC,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IACnC,UAAU,CAAC,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;IACvC,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,YAAY,CAAC,SAAiB,EAAE;IAC9C,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IACpC,UAAU,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;IACxC,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,QAAgB,EAChB,IAAgB,EAChB,aAAqB,MAAM;IAE3B,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAEhD,2BAA2B;IAC3B,MAAM,OAAO,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,CACtD,KAAK,EACL,cAAc,EACd,QAAQ,EACR,KAAK,EACL,CAAC,YAAY,CAAC,CACf,CAAC;IAEF,2BAA2B;IAC3B,MAAM,WAAW,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,UAAU,CAC3D;QACE,IAAI,EAAE,QAAQ;QACd,IAAI,EAAE,IAAoB;QAC1B,UAAU,EAAE,UAAU;QACtB,IAAI,EAAE,SAAS;KAChB,EACD,OAAO,EACP,GAAG,CAAC,oBAAoB;KACzB,CAAC;IAEF,OAAO,IAAI,UAAU,CAAC,WAAW,CAAC,CAAC;AACrC,CAAC;AAED,+EAA+E;AAC/E,8BAA8B;AAC9B,+EAA+E;AAE/E;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,MAAiB,EACjB,GAAe,EACf,SAAoC,EAAE;IAEtC,MAAM,SAAS,GAAG,EAAE,GAAG,yBAAyB,EAAE,GAAG,MAAM,EAAE,CAAC;IAE9D,sBAAsB;IACtB,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,8CAA8C,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;IAC9E,CAAC;IAED,sBAAsB;IACtB,MAAM,SAAS,GAA2B,EAAE,CAAC;IAC7C,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,EAAE,CAAC;QAC5B,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACnB,CAAC;IACD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;IAE5C,qBAAqB;IACrB,MAAM,EAAE,GAAG,IAAI,UAAU,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;IAC9C,UAAU,CAAC,MAAM,CAAC,eAAe,CAAC,EAAE,CAAC,CAAC;IAEtC,yBAAyB;IACzB,MAAM,SAAS,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,CACxD,KAAK,EACL,GAAmB,EACnB,EAAE,IAAI,EAAE,SAAS,EAAE,EACnB,KAAK,EACL,CAAC,SAAS,CAAC,CACZ,CAAC;IAEF,wBAAwB;IACxB,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,eAAe,GAAG,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAElD,MAAM,eAAe,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CAC5D;QACE,IAAI,EAAE,SAAS;QACf,EAAE,EAAE,EAAE;QACN,SAAS,EAAE,SAAS,CAAC,aAAa;KACnC,EACD,SAAS,EACT,eAAe,CAChB,CAAC;IAEF,uDAAuD;IACvD,MAAM,cAAc,GAAG,IAAI,UAAU,CAAC,eAAe,CAAC,CAAC;IACvD,MAAM,YAAY,GAAG,SAAS,CAAC,aAAa,GAAG,CAAC,CAAC;IACjD,MAAM,UAAU,GAAG,cAAc,CAAC,KAAK,CACrC,CAAC,EACD,cAAc,CAAC,MAAM,GAAG,YAAY,CACrC,CAAC;IACF,MAAM,OAAO,GAAG,cAAc,CAAC,KAAK,CAAC,cAAc,CAAC,MAAM,GAAG,YAAY,CAAC,CAAC;IAE3E,OAAO;QACL,UAAU,EAAE,kBAAkB,CAAC,UAAU,CAAC;QAC1C,EAAE,EAAE,kBAAkB,CAAC,EAAE,CAAC;QAC1B,OAAO,EAAE,kBAAkB,CAAC,OAAO,CAAC;KACrC,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,SAA0B,EAC1B,GAAe,EACf,SAAoC,EAAE;IAEtC,MAAM,SAAS,GAAG,EAAE,GAAG,yBAAyB,EAAE,GAAG,MAAM,EAAE,CAAC;IAE9D,sBAAsB;IACtB,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,8CAA8C,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;IAC9E,CAAC;IAED,gBAAgB;IAChB,MAAM,UAAU,GAAG,kBAAkB,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IAC5D,MAAM,EAAE,GAAG,kBAAkB,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;IAC5C,MAAM,OAAO,GAAG,kBAAkB,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IAEtD,uDAAuD;IACvD,MAAM,aAAa,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACzE,aAAa,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC;IACjC,aAAa,CAAC,GAAG,CAAC,OAAO,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC;IAE9C,yBAAyB;IACzB,MAAM,SAAS,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,CACxD,KAAK,EACL,GAAmB,EACnB,EAAE,IAAI,EAAE,SAAS,EAAE,EACnB,KAAK,EACL,CAAC,SAAS,CAAC,CACZ,CAAC;IAEF,wBAAwB;IACxB,MAAM,eAAe,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CAC5D;QACE,IAAI,EAAE,SAAS;QACf,EAAE,EAAE,EAAkB;QACtB,SAAS,EAAE,SAAS,CAAC,aAAa;KACnC,EACD,SAAS,EACT,aAAa,CACd,CAAC;IAEF,yBAAyB;IACzB,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;IACtD,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,aAAa,CAA2B,CAAC;IACtE,MAAM,MAAM,GAAc,IAAI,GAAG,EAAE,CAAC;IAEpC,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;QAC/C,MAAM,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACnB,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAgBD;;;GAGG;AACH,MAAM,OAAO,mBAAmB;IACtB,GAAG,GAAsB,IAAI,CAAC;IAC9B,UAAU,CAAc;IAEhC,YAAY,GAAgB;QAC1B,IAAI,CAAC,UAAU,GAAG,GAAG,CAAC;IACxB,CAAC;IAED,MAAM;QACJ,IAAI,IAAI,CAAC,GAAG,KAAK,IAAI,EAAE,CAAC;YACtB,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,UAAU,IAAI,WAAW,EAAE,CAAC;QAC9C,CAAC;QACD,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACnC,CAAC;IAED,SAAS;QACP,IAAI,CAAC,GAAG,GAAG,WAAW,EAAE,CAAC;QACzB,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACnC,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,OAAO,iBAAiB;IACpB,GAAG,CAAa;IAExB;;;OAGG;IACH,YAAY,SAAiB;QAC3B,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzC,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACrD,CAAC;QAED,IAAI,CAAC,GAAG,GAAG,kBAAkB,CAAC,SAAS,CAAC,CAAC;QACzC,IAAI,IAAI,CAAC,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CACb,8CAA8C,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAChE,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM;QACJ,OAAO,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACnC,CAAC;CACF;AAED,+EAA+E;AAC/E,oBAAoB;AACpB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,GAAe;IACzC,OAAO,GAAG,CAAC,MAAM,KAAK,EAAE,CAAC;AAC3B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,CAAa,EAAE,CAAa;IACxD,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC;QAC1B,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAE,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC;IAC1B,CAAC;IACD,OAAO,MAAM,KAAK,CAAC,CAAC;AACtB,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,180 @@
+/**
+ * Rehydra Module
+ * Main entry point for on-device PII anonymization
+ */
+export * from "./types/index.js";
+export { Recognizer, RegexRecognizer, RecognizerRegistry, createDefaultRegistry, createRegistry, getGlobalRegistry, emailRecognizer, phoneRecognizer, ibanRecognizer, bicSwiftRecognizer, creditCardRecognizer, ipAddressRecognizer, urlRecognizer, createCustomIdRecognizer, createCaseIdRecognizer, createCustomerIdRecognizer, } from "./recognizers/index.js";
+export { NERModel, NERModelStub, createNERModel, createNERModelStub, WordPieceTokenizer, loadVocabFromFile, parseVocab, loadRuntime, detectRuntime, getRuntimeType, type INERModel, type NERModelConfig, type NERPrediction, type NERModelMode, type DownloadProgressCallback, MODEL_REGISTRY, getModelCacheDir, isModelDownloaded, downloadModel, ensureModel, clearModelCache, listDownloadedModels, } from "./ner/index.js";
+export { prenormalize, resolveEntities, tagEntities, validateOutput, generateTag, parseTag, rehydrate, enrichSemantics, inferGender, classifyLocation, getDatabaseStats, hasName, hasLocation, isSemanticDataAvailable, isSemanticDataDownloaded, getSemanticDataCacheDir, getDataDirectory, downloadSemanticData, ensureSemanticData, initializeSemanticData, loadSemanticData, clearSemanticData, clearSemanticDataCache, getSemanticDataInfo, SEMANTIC_DATA_FILES, extractTitle, extractTitlesFromSpans, mergeAdjacentTitleSpans, getTitlesForLanguage, getAllTitles, startsWithTitle, isOnlyTitle, type SemanticDataFileInfo, type EnricherConfig, type GenderResult, type LocationResult, type TitleExtractionResult, } from "./pipeline/index.js";
+export { encryptPIIMap, decryptPIIMap, generateKey, deriveKey, generateSalt, KeyProvider, InMemoryKeyProvider, ConfigKeyProvider, validateKey, secureCompare, uint8ArrayToBase64, base64ToUint8Array, } from "./crypto/index.js";
+export { getStorageProvider, isNode, isBrowser, resetStorageProvider, setStorageProvider, type StorageProvider, } from "./utils/storage.js";
+export { join as pathJoin, dirname as pathDirname, basename as pathBasename, normalize as pathNormalize, extname as pathExtname, isAbsolute as pathIsAbsolute, } from "./utils/path.js";
+import { AnonymizationResult, AnonymizationPolicy, SemanticConfig, PIIType } from "./types/index.js";
+import { RecognizerRegistry } from "./recognizers/index.js";
+import { type INERModel } from "./ner/index.js";
+import { type NERModelMode, type DownloadProgressCallback } from "./ner/model-manager.js";
+import { type KeyProvider } from "./crypto/index.js";
+/**
+ * NER configuration options
+ */
+export interface NERConfig {
+    /**
+     * NER model mode:
+     * - 'standard': Full-size multilingual model (~1.1 GB)
+     * - 'quantized': Smaller quantized model (~280 MB)
+     * - 'disabled': No NER, regex-only detection
+     * - 'custom': Use custom model paths
+     */
+    mode: NERModelMode;
+    /**
+     * Custom model path (required when mode is 'custom')
+     */
+    modelPath?: string;
+    /**
+     * Custom vocab path (required when mode is 'custom')
+     */
+    vocabPath?: string;
+    /**
+     * Whether to auto-download model if not present
+     * @default true
+     */
+    autoDownload?: boolean;
+    /**
+     * Callback for download progress
+     */
+    onDownloadProgress?: DownloadProgressCallback;
+    /**
+     * Callback for status messages
+     */
+    onStatus?: (status: string) => void;
+    /**
+     * Confidence thresholds per PII type (0.0 - 1.0)
+     * Overrides default thresholds for specified types
+     * @example { PERSON: 0.8, ORG: 0.7 }
+     */
+    thresholds?: Partial<Record<PIIType, number>>;
+}
+/**
+ * Anonymizer configuration
+ */
+export interface AnonymizerConfig {
+    /** Recognizer registry (uses default if not provided) */
+    registry?: RecognizerRegistry;
+    /**
+     * NER configuration
+     * @default { mode: 'disabled' }
+     */
+    ner?: NERConfig;
+    /**
+     * Semantic enrichment configuration
+     * Enables MT-friendly PII tags with gender/scope attributes
+     * @default { enabled: false }
+     */
+    semantic?: SemanticConfig;
+    /** Key provider for encryption (generates random key if not provided) */
+    keyProvider?: KeyProvider;
+    /** Default policy (uses default if not provided) */
+    defaultPolicy?: AnonymizationPolicy;
+    /** Model version string */
+    modelVersion?: string;
+    /** Policy version string */
+    policyVersion?: string;
+}
+/**
+ * Anonymizer instance
+ * Main class for performing PII anonymization
+ */
+export declare class Anonymizer {
+    private registry;
+    private nerModel;
+    private nerConfig;
+    private semanticConfig;
+    private keyProvider;
+    private defaultPolicy;
+    private modelVersion;
+    private policyVersion;
+    private initialized;
+    private semanticDataReady;
+    constructor(config?: AnonymizerConfig);
+    /**
+     * Initializes the anonymizer
+     * Downloads NER model and semantic data if needed and loads them
+     */
+    initialize(): Promise<void>;
+    /**
+     * Anonymizes text, replacing PII with placeholder tags
+     * @param text - Input text to anonymize
+     * @param locale - Optional locale hint (e.g., 'de-DE', 'en-US')
+     * @param policy - Optional policy override
+     * @returns Anonymization result with anonymized text and encrypted PII map
+     */
+    anonymize(text: string, locale?: string, policy?: Partial<AnonymizationPolicy>): Promise<AnonymizationResult>;
+    /**
+     * Disposes of resources
+     */
+    dispose(): Promise<void>;
+    /**
+     * Gets the recognizer registry
+     */
+    getRegistry(): RecognizerRegistry;
+    /**
+     * Gets the NER model
+     */
+    getNERModel(): INERModel | null;
+    /**
+     * Whether the anonymizer is initialized
+     */
+    get isInitialized(): boolean;
+}
+/**
+ * Creates an anonymizer with the specified configuration
+ *
+ * @example
+ * ```typescript
+ * // Regex-only (no NER)
+ * const anonymizer = createAnonymizer();
+ *
+ * // With NER (auto-downloads model on first use)
+ * const anonymizer = createAnonymizer({
+ *   ner: { mode: 'quantized' }
+ * });
+ *
+ * // With NER and progress callback
+ * const anonymizer = createAnonymizer({
+ *   ner: {
+ *     mode: 'standard',
+ *     onStatus: (status) => console.log(status),
+ *     onDownloadProgress: (p) => console.log(`${p.file}: ${p.percent}%`)
+ *   }
+ * });
+ * ```
+ */
+export declare function createAnonymizer(config?: AnonymizerConfig): Anonymizer;
+/**
+ * Convenience function for one-off anonymization
+ * Creates a temporary anonymizer with default settings (regex-only)
+ */
+export declare function anonymize(text: string, locale?: string, policy?: Partial<AnonymizationPolicy>): Promise<AnonymizationResult>;
+/**
+ * Quick regex-only anonymization (no NER, faster)
+ */
+export declare function anonymizeRegexOnly(text: string, policy?: Partial<AnonymizationPolicy>): Promise<AnonymizationResult>;
+/**
+ * Full anonymization with NER
+ * Auto-downloads the quantized model on first use
+ *
+ * @example
+ * ```typescript
+ * const result = await anonymizeWithNER(
+ *   'Contact John Smith at john@example.com',
+ *   {
+ *     mode: 'quantized',
+ *     onStatus: console.log
+ *   }
+ * );
+ * ```
+ */
+export declare function anonymizeWithNER(text: string, nerConfig: Omit<NERConfig, "mode"> & {
+    mode?: "standard" | "quantized";
+}, policy?: Partial<AnonymizationPolicy>): Promise<AnonymizationResult>;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,cAAc,kBAAkB,CAAC;AAGjC,OAAO,EACL,UAAU,EACV,eAAe,EACf,kBAAkB,EAClB,qBAAqB,EACrB,cAAc,EACd,iBAAiB,EACjB,eAAe,EACf,eAAe,EACf,cAAc,EACd,kBAAkB,EAClB,oBAAoB,EACpB,mBAAmB,EACnB,aAAa,EACb,wBAAwB,EACxB,sBAAsB,EACtB,0BAA0B,GAC3B,MAAM,wBAAwB,CAAC;AAGhC,OAAO,EACL,QAAQ,EACR,YAAY,EACZ,cAAc,EACd,kBAAkB,EAClB,kBAAkB,EAClB,iBAAiB,EACjB,UAAU,EACV,WAAW,EACX,aAAa,EACb,cAAc,EACd,KAAK,SAAS,EACd,KAAK,cAAc,EACnB,KAAK,aAAa,EAClB,KAAK,YAAY,EACjB,KAAK,wBAAwB,EAC7B,cAAc,EACd,gBAAgB,EAChB,iBAAiB,EACjB,aAAa,EACb,WAAW,EACX,eAAe,EACf,oBAAoB,GACrB,MAAM,gBAAgB,CAAC;AAGxB,OAAO,EACL,YAAY,EACZ,eAAe,EACf,WAAW,EACX,cAAc,EACd,WAAW,EACX,QAAQ,EACR,SAAS,EACT,eAAe,EACf,WAAW,EACX,gBAAgB,EAChB,gBAAgB,EAChB,OAAO,EACP,WAAW,EAEX,uBAAuB,EACvB,wBAAwB,EACxB,uBAAuB,EACvB,gBAAgB,EAChB,oBAAoB,EACpB,kBAAkB,EAClB,sBAAsB,EACtB,gBAAgB,EAChB,iBAAiB,EACjB,sBAAsB,EACtB,mBAAmB,EACnB,mBAAmB,EAEnB,YAAY,EACZ,sBAAsB,EACtB,uBAAuB,EACvB,oBAAoB,EACpB,YAAY,EACZ,eAAe,EACf,WAAW,EACX,KAAK,oBAAoB,EACzB,KAAK,cAAc,EACnB,KAAK,YAAY,EACjB,KAAK,cAAc,EACnB,KAAK,qBAAqB,GAC3B,MAAM,qBAAqB,CAAC;AAG7B,OAAO,EACL,aAAa,EACb,aAAa,EACb,WAAW,EACX,SAAS,EACT,YAAY,EACZ,WAAW,EACX,mBAAmB,EACnB,iBAAiB,EACjB,WAAW,EACX,aAAa,EACb,kBAAkB,EAClB,kBAAkB,GACnB,MAAM,mBAAmB,CAAC;AAG3B,OAAO,EACL,kBAAkB,EAClB,MAAM,EACN,SAAS,EACT,oBAAoB,EACpB,kBAAkB,EAClB,KAAK,eAAe,GACrB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EACL,IAAI,IAAI,QAAQ,EAChB,OAAO,IAAI,WAAW,EACtB,QAAQ,IAAI,YAAY,EACxB,SAAS,IAAI,aAAa,EAC1B,OAAO,IAAI,WAAW,EACtB,UAAU,IAAI,cAAc,GAC7B,MAAM,iBAAiB,CAAC;AAGzB,OAAO,EACL,mBAAmB,EACnB,mBAAmB,EAGnB,cAAc,EAEd,OAAO,EAER,MAAM,kBAAkB,CAAC;AAmC1B,OAAO,EAEL,kBAAkB,EACnB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,KAAK,SAAS,EAIf,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,KAAK,YAAY,EAEjB,KAAK,wBAAwB,EAC9B,MAAM,wBAAwB,CAAC;AAehC,OAAO,EAGL,KAAK,WAAW,EACjB,MAAM,mBAAmB,CAAC;AAG3B;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB;;;;;;OAMG;IACH,IAAI,EAAE,YAAY,CAAC;IAEnB;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,YAAY,CAAC,EAAE,OAAO,CAAC;IAEvB;;OAEG;IACH,kBAAkB,CAAC,EAAE,wBAAwB,CAAC;IAE9C;;OAEG;IACH,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,IAAI,CAAC;IAEpC;;;;OAIG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC;CAC/C;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,yDAAyD;IACzD,QAAQ,CAAC,EAAE,kBAAkB,CAAC;IAE9B;;;OAGG;IACH,GAAG,CAAC,EAAE,SAAS,CAAC;IAEhB;;;;OAIG;IACH,QAAQ,CAAC,EAAE,cAAc,CAAC;IAE1B,yEAAyE;IACzE,WAAW,CAAC,EAAE,WAAW,CAAC;IAE1B,oDAAoD;IACpD,aAAa,CAAC,EAAE,mBAAmB,CAAC;IAEpC,2BAA2B;IAC3B,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB,4BAA4B;IAC5B,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;;GAGG;AACH,qBAAa,UAAU;IACrB,OAAO,CAAC,QAAQ,CAAqB;IACrC,OAAO,CAAC,QAAQ,CAA0B;IAC1C,OAAO,CAAC,SAAS,CAAY;IAC7B,OAAO,CAAC,cAAc,CAAiB;IACvC,OAAO,CAAC,WAAW,CAAqB;IACxC,OAAO,CAAC,aAAa,CAAsB;IAC3C,OAAO,CAAC,YAAY,CAAS;IAC7B,OAAO,CAAC,aAAa,CAAS;IAC9B,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,iBAAiB,CAAS;gBAEtB,MAAM,GAAE,gBAAqB;IAsCzC;;;OAGG;IACG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IA6FjC;;;;;;OAMG;IACG,SAAS,CACb,IAAI,EAAE,MAAM,EACZ,MAAM,CAAC,EAAE,MAAM,EACf,MAAM,CAAC,EAAE,OAAO,CAAC,mBAAmB,CAAC,GACpC,OAAO,CAAC,mBAAmB,CAAC;IAkH/B;;OAEG;IACG,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAO9B;;OAEG;IACH,WAAW,IAAI,kBAAkB;IAIjC;;OAEG;IACH,WAAW,IAAI,SAAS,GAAG,IAAI;IAI/B;;OAEG;IACH,IAAI,aAAa,IAAI,OAAO,CAE3B;CACF;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,CAAC,EAAE,gBAAgB,GAAG,UAAU,CAEtE;AAED;;;GAGG;AACH,wBAAsB,SAAS,CAC7B,IAAI,EAAE,MAAM,EACZ,MAAM,CAAC,EAAE,MAAM,EACf,MAAM,CAAC,EAAE,OAAO,CAAC,mBAAmB,CAAC,GACpC,OAAO,CAAC,mBAAmB,CAAC,CAS9B;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,IAAI,EAAE,MAAM,EACZ,MAAM,CAAC,EAAE,OAAO,CAAC,mBAAmB,CAAC,GACpC,OAAO,CAAC,mBAAmB,CAAC,CAQ9B;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,gBAAgB,CACpC,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,GAAG;IAAE,IAAI,CAAC,EAAE,UAAU,GAAG,WAAW,CAAA;CAAE,EACxE,MAAM,CAAC,EAAE,OAAO,CAAC,mBAAmB,CAAC,GACpC,OAAO,CAAC,mBAAmB,CAAC,CAe9B"}