rehydra 0.5.2 → 0.6.0

package/dist/recognizers/secrets/connection-string.js

@@ -0,0 +1,40 @@
+/**
+ * Connection String Recognizer
+ * Detects database/service URIs with embedded credentials
+ */
+import { createRegexRecognizer } from "../base.js";
+import { PIIType } from "../../types/index.js";
+const PLACEHOLDER_PASSWORDS = new Set([
+    "password", "pass", "changeme", "secret", "xxx", "yyy",
+    "your-password", "your_password", "example", "<password>",
+]);
+export const connectionStringRecognizer = createRegexRecognizer({
+    type: PIIType.CONNECTION_STRING,
+    name: "Connection String",
+    defaultConfidence: 0.93,
+    patterns: [
+        // postgres://user:password@host/db
+        /\b(?:postgres(?:ql)?|mysql|mariadb):\/\/[^\s:]+:[^\s@]+@[^\s]+/g,
+        // mongodb+srv://user:password@host/db
+        /\bmongodb(?:\+srv)?:\/\/[^\s:]+:[^\s@]+@[^\s]+/g,
+        // redis://user:password@host:port or redis://:password@host:port
+        /\brediss?:\/\/(?:[^\s:]*:)?[^\s@]+@[^\s]+/g,
+        // amqp://user:password@host:port
+        /\bamqps?:\/\/[^\s:]+:[^\s@]+@[^\s]+/g,
+    ],
+    validate(match) {
+        // Extract password portion (between first : after // and @)
+        const credMatch = match.match(/:\/\/[^:]*:([^@]+)@/);
+        if (credMatch === null)
+            return false;
+        const password = credMatch[1];
+        // Reject placeholder passwords
+        if (PLACEHOLDER_PASSWORDS.has(password.toLowerCase()))
+            return false;
+        // Reject very short passwords (likely placeholders)
+        if (password.length < 4)
+            return false;
+        return true;
+    },
+});
+//# sourceMappingURL=connection-string.js.map

package/dist/recognizers/secrets/connection-string.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"connection-string.js","sourceRoot":"","sources":["../../../src/recognizers/secrets/connection-string.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAC;AACnD,OAAO,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AAE/C,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC;IACpC,UAAU,EAAE,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK;IACtD,eAAe,EAAE,eAAe,EAAE,SAAS,EAAE,YAAY;CAC1D,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,0BAA0B,GAAG,qBAAqB,CAAC;IAC9D,IAAI,EAAE,OAAO,CAAC,iBAAiB;IAC/B,IAAI,EAAE,mBAAmB;IACzB,iBAAiB,EAAE,IAAI;IACvB,QAAQ,EAAE;QACR,mCAAmC;QACnC,iEAAiE;QACjE,sCAAsC;QACtC,iDAAiD;QACjD,iEAAiE;QACjE,4CAA4C;QAC5C,iCAAiC;QACjC,sCAAsC;KACvC;IACD,QAAQ,CAAC,KAAa;QACpB,4DAA4D;QAC5D,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;QACrD,IAAI,SAAS,KAAK,IAAI;YAAE,OAAO,KAAK,CAAC;QAErC,MAAM,QAAQ,GAAG,SAAS,CAAC,CAAC,CAAE,CAAC;QAC/B,+BAA+B;QAC/B,IAAI,qBAAqB,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;YAAE,OAAO,KAAK,CAAC;QACpE,oDAAoD;QACpD,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC;QAEtC,OAAO,IAAI,CAAC;IACd,CAAC;CACF,CAAC,CAAC"}

package/dist/recognizers/secrets/env-var.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Environment Variable Secret Recognizer
+ * Detects secrets in .env-style KEY=VALUE lines
+ */
+import type { Recognizer } from "../base.js";
+export declare function createEnvVarSecretRecognizer(minValueLength?: number, extraKeyPatterns?: RegExp[]): Recognizer;
+export declare const envVarSecretRecognizer: Recognizer;
+//# sourceMappingURL=env-var.d.ts.map

package/dist/recognizers/secrets/env-var.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"env-var.d.ts","sourceRoot":"","sources":["../../../src/recognizers/secrets/env-var.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAa7C,wBAAgB,4BAA4B,CAC1C,cAAc,GAAE,MAA2B,EAC3C,gBAAgB,GAAE,MAAM,EAAO,GAC9B,UAAU,CAyCZ;AAED,eAAO,MAAM,sBAAsB,YAAiC,CAAC"}

package/dist/recognizers/secrets/env-var.js

@@ -0,0 +1,54 @@
+/**
+ * Environment Variable Secret Recognizer
+ * Detects secrets in .env-style KEY=VALUE lines
+ */
+import { PIIType, DetectionSource } from "../../types/index.js";
+import { isSecretKeyName } from "./key-patterns.js";
+const ENV_VAR_LINE = /^[ \t]*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)[ \t]*=[ \t]*["']?(.+?)["']?$/gm;
+const PLACEHOLDER_VALUES = new Set([
+    "changeme", "your-api-key-here", "your_api_key_here",
+    "xxx", "yyy", "zzz", "todo", "fixme", "replace_me",
+    "example", "test", "dummy", "placeholder",
+]);
+const DEFAULT_MIN_LENGTH = 4;
+export function createEnvVarSecretRecognizer(minValueLength = DEFAULT_MIN_LENGTH, extraKeyPatterns = []) {
+    return {
+        type: PIIType.ENV_VAR_SECRET,
+        name: "Environment Variable Secret",
+        defaultConfidence: 0.88,
+        find(text) {
+            const matches = [];
+            for (const match of text.matchAll(ENV_VAR_LINE)) {
+                if (match.index === undefined)
+                    continue;
+                const key = match[1];
+                const value = match[2];
+                // Check if key name suggests a secret
+                const keyIsSecret = isSecretKeyName(key)
+                    || extraKeyPatterns.some((p) => p.test(key));
+                if (!keyIsSecret)
+                    continue;
+                // Filter out short or placeholder values
+                if (value.length < minValueLength)
+                    continue;
+                if (PLACEHOLDER_VALUES.has(value.toLowerCase()))
+                    continue;
+                // Span covers the VALUE portion only
+                const fullLine = match[0];
+                const valueStartInLine = fullLine.lastIndexOf(value);
+                const valueStart = match.index + valueStartInLine;
+                matches.push({
+                    type: PIIType.ENV_VAR_SECRET,
+                    start: valueStart,
+                    end: valueStart + value.length,
+                    confidence: 0.88,
+                    source: DetectionSource.REGEX,
+                    text: value,
+                });
+            }
+            return matches;
+        },
+    };
+}
+export const envVarSecretRecognizer = createEnvVarSecretRecognizer();
+//# sourceMappingURL=env-var.js.map

package/dist/recognizers/secrets/env-var.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"env-var.js","sourceRoot":"","sources":["../../../src/recognizers/secrets/env-var.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,OAAO,EAAkB,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAEhF,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAEpD,MAAM,YAAY,GAAG,8EAA8E,CAAC;AAEpG,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC;IACjC,UAAU,EAAE,mBAAmB,EAAE,mBAAmB;IACpD,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,YAAY;IAClD,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa;CAC1C,CAAC,CAAC;AAEH,MAAM,kBAAkB,GAAG,CAAC,CAAC;AAE7B,MAAM,UAAU,4BAA4B,CAC1C,iBAAyB,kBAAkB,EAC3C,mBAA6B,EAAE;IAE/B,OAAO;QACL,IAAI,EAAE,OAAO,CAAC,cAAc;QAC5B,IAAI,EAAE,6BAA6B;QACnC,iBAAiB,EAAE,IAAI;QAEvB,IAAI,CAAC,IAAY;YACf,MAAM,OAAO,GAAgB,EAAE,CAAC;YAEhC,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;gBAChD,IAAI,KAAK,CAAC,KAAK,KAAK,SAAS;oBAAE,SAAS;gBACxC,MAAM,GAAG,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC;gBACtB,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC;gBAExB,sCAAsC;gBACtC,MAAM,WAAW,GAAG,eAAe,CAAC,GAAG,CAAC;uBACnC,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC/C,IAAI,CAAC,WAAW;oBAAE,SAAS;gBAE3B,yCAAyC;gBACzC,IAAI,KAAK,CAAC,MAAM,GAAG,cAAc;oBAAE,SAAS;gBAC5C,IAAI,kBAAkB,CAAC,GAAG,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC;oBAAE,SAAS;gBAE1D,qCAAqC;gBACrC,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBAC1B,MAAM,gBAAgB,GAAG,QAAQ,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;gBACrD,MAAM,UAAU,GAAG,KAAK,CAAC,KAAK,GAAG,gBAAgB,CAAC;gBAElD,OAAO,CAAC,IAAI,CAAC;oBACX,IAAI,EAAE,OAAO,CAAC,cAAc;oBAC5B,KAAK,EAAE,UAAU;oBACjB,GAAG,EAAE,UAAU,GAAG,KAAK,CAAC,MAAM;oBAC9B,UAAU,EAAE,IAAI;oBAChB,MAAM,EAAE,eAAe,CAAC,KAAK;oBAC7B,IAAI,EAAE,KAAK;iBACZ,CAAC,CAAC;YACL,CAAC;YAED,OAAO,OAAO,CAAC;QACjB,CAAC;KACF,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,MAAM,sBAAsB,GAAG,4BAA4B,EAAE,CAAC"}

package/dist/recognizers/secrets/index.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Secret Recognizers Module
+ * Exports all secret/credential recognizers
+ */
+import type { Recognizer } from "../base.js";
+export { apiKeyRecognizer } from "./api-key.js";
+export { privateKeyRecognizer } from "./private-key.js";
+export { jwtRecognizer } from "./jwt.js";
+export { connectionStringRecognizer } from "./connection-string.js";
+export { awsCredentialsRecognizer } from "./aws-credentials.js";
+export { envVarSecretRecognizer, createEnvVarSecretRecognizer } from "./env-var.js";
+export { configSecretRecognizer, createConfigSecretRecognizer } from "./config-secret.js";
+export { createLiteralValueRecognizer } from "./literal-value.js";
+export { isSecretKeyName } from "./key-patterns.js";
+/**
+ * Creates all secret recognizers
+ */
+export declare function createSecretRecognizers(): Recognizer[];
+//# sourceMappingURL=index.d.ts.map

package/dist/recognizers/secrets/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/recognizers/secrets/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAS7C,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,0BAA0B,EAAE,MAAM,wBAAwB,CAAC;AACpE,OAAO,EAAE,wBAAwB,EAAE,MAAM,sBAAsB,CAAC;AAChE,OAAO,EAAE,sBAAsB,EAAE,4BAA4B,EAAE,MAAM,cAAc,CAAC;AACpF,OAAO,EAAE,sBAAsB,EAAE,4BAA4B,EAAE,MAAM,oBAAoB,CAAC;AAC1F,OAAO,EAAE,4BAA4B,EAAE,MAAM,oBAAoB,CAAC;AAClE,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAEpD;;GAEG;AACH,wBAAgB,uBAAuB,IAAI,UAAU,EAAE,CAUtD"}

package/dist/recognizers/secrets/index.js

@@ -0,0 +1,35 @@
+/**
+ * Secret Recognizers Module
+ * Exports all secret/credential recognizers
+ */
+import { apiKeyRecognizer } from "./api-key.js";
+import { privateKeyRecognizer } from "./private-key.js";
+import { jwtRecognizer } from "./jwt.js";
+import { connectionStringRecognizer } from "./connection-string.js";
+import { awsCredentialsRecognizer } from "./aws-credentials.js";
+import { envVarSecretRecognizer } from "./env-var.js";
+import { configSecretRecognizer } from "./config-secret.js";
+export { apiKeyRecognizer } from "./api-key.js";
+export { privateKeyRecognizer } from "./private-key.js";
+export { jwtRecognizer } from "./jwt.js";
+export { connectionStringRecognizer } from "./connection-string.js";
+export { awsCredentialsRecognizer } from "./aws-credentials.js";
+export { envVarSecretRecognizer, createEnvVarSecretRecognizer } from "./env-var.js";
+export { configSecretRecognizer, createConfigSecretRecognizer } from "./config-secret.js";
+export { createLiteralValueRecognizer } from "./literal-value.js";
+export { isSecretKeyName } from "./key-patterns.js";
+/**
+ * Creates all secret recognizers
+ */
+export function createSecretRecognizers() {
+    return [
+        apiKeyRecognizer,
+        privateKeyRecognizer,
+        jwtRecognizer,
+        connectionStringRecognizer,
+        awsCredentialsRecognizer,
+        envVarSecretRecognizer,
+        configSecretRecognizer,
+    ];
+}
+//# sourceMappingURL=index.js.map

package/dist/recognizers/secrets/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/recognizers/secrets/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,0BAA0B,EAAE,MAAM,wBAAwB,CAAC;AACpE,OAAO,EAAE,wBAAwB,EAAE,MAAM,sBAAsB,CAAC;AAChE,OAAO,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAC;AACtD,OAAO,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AAE5D,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,0BAA0B,EAAE,MAAM,wBAAwB,CAAC;AACpE,OAAO,EAAE,wBAAwB,EAAE,MAAM,sBAAsB,CAAC;AAChE,OAAO,EAAE,sBAAsB,EAAE,4BAA4B,EAAE,MAAM,cAAc,CAAC;AACpF,OAAO,EAAE,sBAAsB,EAAE,4BAA4B,EAAE,MAAM,oBAAoB,CAAC;AAC1F,OAAO,EAAE,4BAA4B,EAAE,MAAM,oBAAoB,CAAC;AAClE,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAEpD;;GAEG;AACH,MAAM,UAAU,uBAAuB;IACrC,OAAO;QACL,gBAAgB;QAChB,oBAAoB;QACpB,aAAa;QACb,0BAA0B;QAC1B,wBAAwB;QACxB,sBAAsB;QACtB,sBAAsB;KACvB,CAAC;AACJ,CAAC"}

package/dist/recognizers/secrets/jwt.d.ts

@@ -0,0 +1,6 @@
+/**
+ * JWT Recognizer
+ * Detects JSON Web Tokens (three base64url dot-separated segments)
+ */
+export declare const jwtRecognizer: import("../base.js").Recognizer;
+//# sourceMappingURL=jwt.d.ts.map

package/dist/recognizers/secrets/jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../../src/recognizers/secrets/jwt.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAoBH,eAAO,MAAM,aAAa,iCAuBxB,CAAC"}

package/dist/recognizers/secrets/jwt.js

@@ -0,0 +1,47 @@
+/**
+ * JWT Recognizer
+ * Detects JSON Web Tokens (three base64url dot-separated segments)
+ */
+import { createRegexRecognizer } from "../base.js";
+import { PIIType } from "../../types/index.js";
+/**
+ * Decode base64url to string (no padding required)
+ */
+function base64urlDecode(str) {
+    try {
+        // Replace base64url chars with standard base64
+        const base64 = str.replace(/-/g, "+").replace(/_/g, "/");
+        // Add padding if needed
+        const padded = base64 + "=".repeat((4 - (base64.length % 4)) % 4);
+        return atob(padded);
+    }
+    catch {
+        return null;
+    }
+}
+export const jwtRecognizer = createRegexRecognizer({
+    type: PIIType.JWT,
+    name: "JWT",
+    defaultConfidence: 0.95,
+    patterns: [
+        // JWT: eyJ header prefix, three base64url segments separated by dots
+        /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g,
+    ],
+    validate(match) {
+        const parts = match.split(".");
+        if (parts.length !== 3)
+            return false;
+        // Decode header and verify it has an "alg" field
+        const header = base64urlDecode(parts[0]);
+        if (header === null)
+            return false;
+        try {
+            const parsed = JSON.parse(header);
+            return typeof parsed.alg === "string";
+        }
+        catch {
+            return false;
+        }
+    },
+});
+//# sourceMappingURL=jwt.js.map

package/dist/recognizers/secrets/jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../../../src/recognizers/secrets/jwt.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAC;AACnD,OAAO,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AAE/C;;GAEG;AACH,SAAS,eAAe,CAAC,GAAW;IAClC,IAAI,CAAC;QACH,+CAA+C;QAC/C,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QACzD,wBAAwB;QACxB,MAAM,MAAM,GAAG,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAClE,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC;IACtB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,CAAC,MAAM,aAAa,GAAG,qBAAqB,CAAC;IACjD,IAAI,EAAE,OAAO,CAAC,GAAG;IACjB,IAAI,EAAE,KAAK;IACX,iBAAiB,EAAE,IAAI;IACvB,QAAQ,EAAE;QACR,qEAAqE;QACrE,oEAAoE;KACrE;IACD,QAAQ,CAAC,KAAa;QACpB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QAErC,iDAAiD;QACjD,MAAM,MAAM,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,CAAC;QAC1C,IAAI,MAAM,KAAK,IAAI;YAAE,OAAO,KAAK,CAAC;QAElC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAA4B,CAAC;YAC7D,OAAO,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,CAAC;QACxC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;CACF,CAAC,CAAC"}

package/dist/recognizers/secrets/key-patterns.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Shared secret key name patterns
+ * Used by ENV_VAR_SECRET and CONFIG_SECRET recognizers
+ */
+/**
+ * Checks if a key/variable name suggests it holds a secret value.
+ * Handles snake_case, camelCase, and kebab-case.
+ */
+export declare function isSecretKeyName(key: string): boolean;
+//# sourceMappingURL=key-patterns.d.ts.map

package/dist/recognizers/secrets/key-patterns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-patterns.d.ts","sourceRoot":"","sources":["../../../src/recognizers/secrets/key-patterns.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH;;;GAGG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAIpD"}

package/dist/recognizers/secrets/key-patterns.js

@@ -0,0 +1,15 @@
+/**
+ * Shared secret key name patterns
+ * Used by ENV_VAR_SECRET and CONFIG_SECRET recognizers
+ */
+const SECRET_KEY_PATTERN = /^(?:.*_)?(?:password|passwd|pwd|pass|secret|secret_key|secretkey|token|access_token|refresh_token|auth_token|api_key|apikey|api_secret|private_key|privatekey|credential|credentials|connection_string|connectionstring|database_url|dsn|encryption_key|signing_key|client_secret|app_secret|master_key|auth|bearer|jwt|api_token)(?:_.*)?$/i;
+/**
+ * Checks if a key/variable name suggests it holds a secret value.
+ * Handles snake_case, camelCase, and kebab-case.
+ */
+export function isSecretKeyName(key) {
+    // Normalize camelCase/PascalCase to snake_case for matching
+    const normalized = key.replace(/([a-z])([A-Z])/g, "$1_$2").replace(/-/g, "_");
+    return SECRET_KEY_PATTERN.test(normalized);
+}
+//# sourceMappingURL=key-patterns.js.map

package/dist/recognizers/secrets/key-patterns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-patterns.js","sourceRoot":"","sources":["../../../src/recognizers/secrets/key-patterns.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,kBAAkB,GAAG,8UAA8U,CAAC;AAE1W;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,GAAW;IACzC,4DAA4D;IAC5D,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC9E,OAAO,kBAAkB,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;AAC7C,CAAC"}

package/dist/recognizers/secrets/literal-value.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Literal Value Recognizer
+ * Scans for exact occurrences of known secret values (e.g., from .env files)
+ */
+import type { Recognizer } from "../base.js";
+/**
+ * Creates a recognizer that matches exact known secret values in text.
+ */
+export declare function createLiteralValueRecognizer(values: string[], minLength?: number): Recognizer;
+//# sourceMappingURL=literal-value.d.ts.map

package/dist/recognizers/secrets/literal-value.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"literal-value.d.ts","sourceRoot":"","sources":["../../../src/recognizers/secrets/literal-value.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAU7C;;GAEG;AACH,wBAAgB,4BAA4B,CAC1C,MAAM,EAAE,MAAM,EAAE,EAChB,SAAS,GAAE,MAAU,GACpB,UAAU,CAuCZ"}

package/dist/recognizers/secrets/literal-value.js

@@ -0,0 +1,48 @@
+/**
+ * Literal Value Recognizer
+ * Scans for exact occurrences of known secret values (e.g., from .env files)
+ */
+import { PIIType, DetectionSource } from "../../types/index.js";
+const COMMON_NON_SECRET_VALUES = new Set([
+    "true", "false", "yes", "no", "on", "off",
+    "null", "undefined", "none",
+    "0", "1", "localhost", "127.0.0.1", "0.0.0.0",
+    "development", "production", "staging", "test",
+    "utf-8", "utf8", "ascii",
+]);
+/**
+ * Creates a recognizer that matches exact known secret values in text.
+ */
+export function createLiteralValueRecognizer(values, minLength = 4) {
+    // Filter out short and common values
+    const secretValues = values.filter((v) => v.length >= minLength && !COMMON_NON_SECRET_VALUES.has(v.toLowerCase()));
+    // Sort by length descending so longer matches are found first
+    secretValues.sort((a, b) => b.length - a.length);
+    return {
+        type: PIIType.ENV_VAR_SECRET,
+        name: "Literal Secret Value",
+        defaultConfidence: 1.0,
+        find(text) {
+            const matches = [];
+            for (const value of secretValues) {
+                let start = 0;
+                while (start < text.length) {
+                    const idx = text.indexOf(value, start);
+                    if (idx === -1)
+                        break;
+                    matches.push({
+                        type: PIIType.ENV_VAR_SECRET,
+                        start: idx,
+                        end: idx + value.length,
+                        confidence: 1.0,
+                        source: DetectionSource.REGEX,
+                        text: value,
+                    });
+                    start = idx + value.length;
+                }
+            }
+            return matches;
+        },
+    };
+}
+//# sourceMappingURL=literal-value.js.map

package/dist/recognizers/secrets/literal-value.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"literal-value.js","sourceRoot":"","sources":["../../../src/recognizers/secrets/literal-value.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,OAAO,EAAkB,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAGhF,MAAM,wBAAwB,GAAG,IAAI,GAAG,CAAC;IACvC,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK;IACzC,MAAM,EAAE,WAAW,EAAE,MAAM;IAC3B,GAAG,EAAE,GAAG,EAAE,WAAW,EAAE,WAAW,EAAE,SAAS;IAC7C,aAAa,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM;IAC9C,OAAO,EAAE,MAAM,EAAE,OAAO;CACzB,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,UAAU,4BAA4B,CAC1C,MAAgB,EAChB,YAAoB,CAAC;IAErB,qCAAqC;IACrC,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAChC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,IAAI,SAAS,IAAI,CAAC,wBAAwB,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAC/E,CAAC;IAEF,8DAA8D;IAC9D,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC;IAEjD,OAAO;QACL,IAAI,EAAE,OAAO,CAAC,cAAc;QAC5B,IAAI,EAAE,sBAAsB;QAC5B,iBAAiB,EAAE,GAAG;QAEtB,IAAI,CAAC,IAAY;YACf,MAAM,OAAO,GAAgB,EAAE,CAAC;YAEhC,KAAK,MAAM,KAAK,IAAI,YAAY,EAAE,CAAC;gBACjC,IAAI,KAAK,GAAG,CAAC,CAAC;gBACd,OAAO,KAAK,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;oBAC3B,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;oBACvC,IAAI,GAAG,KAAK,CAAC,CAAC;wBAAE,MAAM;oBAEtB,OAAO,CAAC,IAAI,CAAC;wBACX,IAAI,EAAE,OAAO,CAAC,cAAc;wBAC5B,KAAK,EAAE,GAAG;wBACV,GAAG,EAAE,GAAG,GAAG,KAAK,CAAC,MAAM;wBACvB,UAAU,EAAE,GAAG;wBACf,MAAM,EAAE,eAAe,CAAC,KAAK;wBAC7B,IAAI,EAAE,KAAK;qBACZ,CAAC,CAAC;oBAEH,KAAK,GAAG,GAAG,GAAG,KAAK,CAAC,MAAM,CAAC;gBAC7B,CAAC;YACH,CAAC;YAED,OAAO,OAAO,CAAC;QACjB,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/recognizers/secrets/private-key.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Private Key Recognizer
+ * Detects PEM-encoded private keys
+ */
+export declare const privateKeyRecognizer: import("../base.js").Recognizer;
+//# sourceMappingURL=private-key.d.ts.map

package/dist/recognizers/secrets/private-key.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"private-key.d.ts","sourceRoot":"","sources":["../../../src/recognizers/secrets/private-key.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH,eAAO,MAAM,oBAAoB,iCAQ/B,CAAC"}

package/dist/recognizers/secrets/private-key.js

@@ -0,0 +1,16 @@
+/**
+ * Private Key Recognizer
+ * Detects PEM-encoded private keys
+ */
+import { createRegexRecognizer } from "../base.js";
+import { PIIType } from "../../types/index.js";
+export const privateKeyRecognizer = createRegexRecognizer({
+    type: PIIType.PRIVATE_KEY,
+    name: "Private Key",
+    defaultConfidence: 0.99,
+    patterns: [
+        // Full PEM block (multiline)
+        /-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP |ENCRYPTED )?PRIVATE KEY-----[\s\S]*?-----END (?:RSA |EC |DSA |OPENSSH |PGP |ENCRYPTED )?PRIVATE KEY-----/g,
+    ],
+});
+//# sourceMappingURL=private-key.js.map

package/dist/recognizers/secrets/private-key.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"private-key.js","sourceRoot":"","sources":["../../../src/recognizers/secrets/private-key.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAC;AACnD,OAAO,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AAE/C,MAAM,CAAC,MAAM,oBAAoB,GAAG,qBAAqB,CAAC;IACxD,IAAI,EAAE,OAAO,CAAC,WAAW;IACzB,IAAI,EAAE,aAAa;IACnB,iBAAiB,EAAE,IAAI;IACvB,QAAQ,EAAE;QACR,6BAA6B;QAC7B,qJAAqJ;KACtJ;CACF,CAAC,CAAC"}

package/dist/types/index.d.ts

@@ -195,6 +195,21 @@ export interface AnonymizationResult {
 /**
  * Creates a default anonymization policy with all types enabled
  */
+/**
+ * Secrets/credentials detection configuration
+ */
+export interface SecretsConfig {
+    /** Enable secrets/credentials detection */
+    enabled: boolean;
+    /** .env file paths to parse for known secret values */
+    envFiles?: string[];
+    /** Explicit values to always redact */
+    redactValues?: string[];
+    /** Additional key name patterns for ENV_VAR_SECRET / CONFIG_SECRET detection */
+    secretKeyPatterns?: RegExp[];
+    /** Minimum value length to consider as a secret (default: 4) */
+    minValueLength?: number;
+}
 export declare function createDefaultPolicy(): AnonymizationPolicy;
 /**
  * Merges a partial policy with defaults

package/dist/types/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAyB,MAAM,gBAAgB,CAAC;AAEhE,cAAc,gBAAgB,CAAC;AAE/B;;GAEG;AACH,oBAAY,eAAe;IACzB,KAAK,UAAU;IACf,GAAG,QAAQ;IACX,MAAM,WAAW;CAClB;AAED;;;;GAIG;AACH,MAAM,MAAM,iBAAiB,GAAG,cAAc,GAAG,WAAW,CAAC;AAM7D;;;GAGG;AACH,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,QAAQ,GAAG,SAAS,GAAG,SAAS,CAAC;AAErE;;;GAGG;AACH,MAAM,MAAM,aAAa,GAAG,MAAM,GAAG,SAAS,GAAG,QAAQ,GAAG,SAAS,CAAC;AAEtE;;;GAGG;AACH,MAAM,WAAW,kBAAkB;IACjC,iCAAiC;IACjC,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,6CAA6C;IAC7C,KAAK,CAAC,EAAE,aAAa,CAAC;IACtB,2EAA2E;IAC3E,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,MAAM,gCAAgC,GAAG,CAAC,QAAQ,EAAE;IACxD,IAAI,EAAE,MAAM,CAAC;IACb,eAAe,EAAE,MAAM,CAAC;IACxB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;CACxB,KAAK,IAAI,CAAC;AAEX;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B;;;OAGG;IACH,OAAO,EAAE,OAAO,CAAC;IAEjB;;;;;OAKG;IACH,YAAY,CAAC,EAAE,OAAO,CAAC;IAEvB;;OAEG;IACH,kBAAkB,CAAC,EAAE,gCAAgC,CAAC;IAEtD;;OAEG;IACH,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,IAAI,CAAC;CACrC;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,mBAAmB;IACnB,IAAI,EAAE,OAAO,CAAC;IACd,gFAAgF;IAChF,EAAE,EAAE,MAAM,CAAC;IACX,mEAAmE;IACnE,KAAK,EAAE,MAAM,CAAC;IACd,iEAAiE;IACjE,GAAG,EAAE,MAAM,CAAC;IACZ,8CAA8C;IAC9C,UAAU,EAAE,MAAM,CAAC;IACnB,mCAAmC;IACnC,MAAM,EAAE,eAAe,CAAC;IACxB,qEAAqE;IACrE,QAAQ,EAAE,MAAM,CAAC;IACjB,qEAAqE;IACrE,QAAQ,CAAC,EAAE,kBAAkB,CAAC;CAC/B;AAED;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,mBAAmB;IACnB,IAAI,EAAE,OAAO,CAAC;IACd,kDAAkD;IAClD,KAAK,EAAE,MAAM,CAAC;IACd,gDAAgD;IAChD,GAAG,EAAE,MAAM,CAAC;IACZ,8CAA8C;IAC9C,UAAU,EAAE,MAAM,CAAC;IACnB,iCAAiC;IACjC,MAAM,EAAE,eAAe,CAAC;IACxB,uBAAuB;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,qEAAqE;IACrE,QAAQ,CAAC,EAAE,kBAAkB,CAAC;CAC/B;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,sCAAsC;IACtC,IAAI,EAAE,MAAM,CAAC;IACb,iCAAiC;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,4DAA4D;IAC5D,IAAI,EAAE,OAAO,CAAC;IACd,mCAAmC;IACnC,QAAQ,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC;CACvC;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,sDAAsD;IACtD,YAAY,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IAC3B,2CAA2C;IAC3C,iBAAiB,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IAChC,yCAAyC;IACzC,eAAe,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IAC9B,yFAAyF;IACzF,YAAY,EAAE,OAAO,EAAE,CAAC;IACxB,4DAA4D;IAC5D,oBAAoB,EAAE,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC3C,yDAAyD;IACzD,gBAAgB,EAAE,eAAe,EAAE,CAAC;IACpC,iEAAiE;IACjE,cAAc,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAC5B,iDAAiD;IACjD,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,8DAA8D;IAC9D,sBAAsB,EAAE,OAAO,CAAC;IAChC,oDAAoD;IACpD,cAAc,EAAE,OAAO,CAAC;IACxB,yFAAyF;IACzF,qBAAqB,EAAE,OAAO,CAAC;CAChC;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,0CAA0C;IAC1C,UAAU,EAAE,MAAM,CAAC;IACnB,qCAAqC;IACrC,EAAE,EAAE,MAAM,CAAC;IACX,kCAAkC;IAClC,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,0CAA0C;IAC1C,YAAY,EAAE,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACtC,wCAAwC;IACxC,aAAa,EAAE,MAAM,CAAC;IACtB,6BAA6B;IAC7B,YAAY,EAAE,MAAM,CAAC;IACrB,gCAAgC;IAChC,aAAa,EAAE,MAAM,CAAC;IACtB,sCAAsC;IACtC,gBAAgB,EAAE,MAAM,CAAC;IACzB,4CAA4C;IAC5C,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,iDAAiD;IACjD,cAAc,EAAE,MAAM,CAAC;IACvB,mEAAmE;IACnE,QAAQ,EAAE,IAAI,CAAC,cAAc,EAAE,UAAU,CAAC,EAAE,CAAC;IAC7C,yFAAyF;IACzF,MAAM,CAAC,EAAE,eAAe,CAAC;IACzB,yCAAyC;IACzC,KAAK,EAAE,kBAAkB,CAAC;CAC3B;AAED;;GAEG;AACH,wBAAgB,mBAAmB,IAAI,mBAAmB,CAyCzD;AAED;;GAEG;AACH,wBAAgB,WAAW,CACzB,OAAO,EAAE,OAAO,CAAC,mBAAmB,CAAC,GACpC,mBAAmB,CA+BrB"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAA2C,MAAM,gBAAgB,CAAC;AAElF,cAAc,gBAAgB,CAAC;AAE/B;;GAEG;AACH,oBAAY,eAAe;IACzB,KAAK,UAAU;IACf,GAAG,QAAQ;IACX,MAAM,WAAW;CAClB;AAED;;;;GAIG;AACH,MAAM,MAAM,iBAAiB,GAAG,cAAc,GAAG,WAAW,CAAC;AAM7D;;;GAGG;AACH,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,QAAQ,GAAG,SAAS,GAAG,SAAS,CAAC;AAErE;;;GAGG;AACH,MAAM,MAAM,aAAa,GAAG,MAAM,GAAG,SAAS,GAAG,QAAQ,GAAG,SAAS,CAAC;AAEtE;;;GAGG;AACH,MAAM,WAAW,kBAAkB;IACjC,iCAAiC;IACjC,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,6CAA6C;IAC7C,KAAK,CAAC,EAAE,aAAa,CAAC;IACtB,2EAA2E;IAC3E,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,MAAM,gCAAgC,GAAG,CAAC,QAAQ,EAAE;IACxD,IAAI,EAAE,MAAM,CAAC;IACb,eAAe,EAAE,MAAM,CAAC;IACxB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;CACxB,KAAK,IAAI,CAAC;AAEX;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B;;;OAGG;IACH,OAAO,EAAE,OAAO,CAAC;IAEjB;;;;;OAKG;IACH,YAAY,CAAC,EAAE,OAAO,CAAC;IAEvB;;OAEG;IACH,kBAAkB,CAAC,EAAE,gCAAgC,CAAC;IAEtD;;OAEG;IACH,QAAQ,CAAC,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,IAAI,CAAC;CACrC;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,mBAAmB;IACnB,IAAI,EAAE,OAAO,CAAC;IACd,gFAAgF;IAChF,EAAE,EAAE,MAAM,CAAC;IACX,mEAAmE;IACnE,KAAK,EAAE,MAAM,CAAC;IACd,iEAAiE;IACjE,GAAG,EAAE,MAAM,CAAC;IACZ,8CAA8C;IAC9C,UAAU,EAAE,MAAM,CAAC;IACnB,mCAAmC;IACnC,MAAM,EAAE,eAAe,CAAC;IACxB,qEAAqE;IACrE,QAAQ,EAAE,MAAM,CAAC;IACjB,qEAAqE;IACrE,QAAQ,CAAC,EAAE,kBAAkB,CAAC;CAC/B;AAED;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,mBAAmB;IACnB,IAAI,EAAE,OAAO,CAAC;IACd,kDAAkD;IAClD,KAAK,EAAE,MAAM,CAAC;IACd,gDAAgD;IAChD,GAAG,EAAE,MAAM,CAAC;IACZ,8CAA8C;IAC9C,UAAU,EAAE,MAAM,CAAC;IACnB,iCAAiC;IACjC,MAAM,EAAE,eAAe,CAAC;IACxB,uBAAuB;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,qEAAqE;IACrE,QAAQ,CAAC,EAAE,kBAAkB,CAAC;CAC/B;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,sCAAsC;IACtC,IAAI,EAAE,MAAM,CAAC;IACb,iCAAiC;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,4DAA4D;IAC5D,IAAI,EAAE,OAAO,CAAC;IACd,mCAAmC;IACnC,QAAQ,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC;CACvC;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,sDAAsD;IACtD,YAAY,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IAC3B,2CAA2C;IAC3C,iBAAiB,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IAChC,yCAAyC;IACzC,eAAe,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IAC9B,yFAAyF;IACzF,YAAY,EAAE,OAAO,EAAE,CAAC;IACxB,4DAA4D;IAC5D,oBAAoB,EAAE,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC3C,yDAAyD;IACzD,gBAAgB,EAAE,eAAe,EAAE,CAAC;IACpC,iEAAiE;IACjE,cAAc,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;IAC5B,iDAAiD;IACjD,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,8DAA8D;IAC9D,sBAAsB,EAAE,OAAO,CAAC;IAChC,oDAAoD;IACpD,cAAc,EAAE,OAAO,CAAC;IACxB,yFAAyF;IACzF,qBAAqB,EAAE,OAAO,CAAC;CAChC;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,0CAA0C;IAC1C,UAAU,EAAE,MAAM,CAAC;IACnB,qCAAqC;IACrC,EAAE,EAAE,MAAM,CAAC;IACX,kCAAkC;IAClC,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,0CAA0C;IAC1C,YAAY,EAAE,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACtC,wCAAwC;IACxC,aAAa,EAAE,MAAM,CAAC;IACtB,6BAA6B;IAC7B,YAAY,EAAE,MAAM,CAAC;IACrB,gCAAgC;IAChC,aAAa,EAAE,MAAM,CAAC;IACtB,sCAAsC;IACtC,gBAAgB,EAAE,MAAM,CAAC;IACzB,4CAA4C;IAC5C,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,iDAAiD;IACjD,cAAc,EAAE,MAAM,CAAC;IACvB,mEAAmE;IACnE,QAAQ,EAAE,IAAI,CAAC,cAAc,EAAE,UAAU,CAAC,EAAE,CAAC;IAC7C,yFAAyF;IACzF,MAAM,CAAC,EAAE,eAAe,CAAC;IACzB,yCAAyC;IACzC,KAAK,EAAE,kBAAkB,CAAC;CAC3B;AAED;;GAEG;AACH;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,2CAA2C;IAC3C,OAAO,EAAE,OAAO,CAAC;IACjB,uDAAuD;IACvD,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,uCAAuC;IACvC,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,gFAAgF;IAChF,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7B,gEAAgE;IAChE,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,wBAAgB,mBAAmB,IAAI,mBAAmB,CA+CzD;AAED;;GAEG;AACH,wBAAgB,WAAW,CACzB,OAAO,EAAE,OAAO,CAAC,mBAAmB,CAAC,GACpC,mBAAmB,CA+BrB"}

package/dist/types/index.js

@@ -1,4 +1,4 @@
-import { PIIType, DEFAULT_TYPE_PRIORITY } from "./pii-types.js";
+import { PIIType, DEFAULT_TYPE_PRIORITY, SECRET_PII_TYPES } from "./pii-types.js";
 export * from "./pii-types.js";
 /**
  * Source of entity detection
@@ -9,11 +9,13 @@ export var DetectionSource;
     DetectionSource["NER"] = "NER";
     DetectionSource["HYBRID"] = "HYBRID";
 })(DetectionSource || (DetectionSource = {}));
-/**
- * Creates a default anonymization policy with all types enabled
- */
 export function createDefaultPolicy() {
     const allTypes = new Set(Object.values(PIIType));
+    // Secret types are opt-in only — exclude from default enabled set
+    const secretTypeSet = new Set(SECRET_PII_TYPES);
+    for (const secretType of secretTypeSet) {
+        allTypes.delete(secretType);
+    }
     const defaultThresholds = new Map();
     for (const type of allTypes) {
         // Higher threshold for NER-detected types (more uncertainty)

package/dist/types/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAC;AAEhE,cAAc,gBAAgB,CAAC;AAE/B;;GAEG;AACH,MAAM,CAAN,IAAY,eAIX;AAJD,WAAY,eAAe;IACzB,kCAAe,CAAA;IACf,8BAAW,CAAA;IACX,oCAAiB,CAAA;AACnB,CAAC,EAJW,eAAe,KAAf,eAAe,QAI1B;AA8MD;;GAEG;AACH,MAAM,UAAU,mBAAmB;IACjC,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAc,CAAC,CAAC;IAE9D,MAAM,iBAAiB,GAAG,IAAI,GAAG,EAAmB,CAAC;IACrD,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;QAC5B,6DAA6D;QAC7D,iBAAiB,CAAC,GAAG,CACnB,IAAI,EACJ,IAAI,KAAK,OAAO,CAAC,MAAM,IAAI,IAAI,KAAK,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAC5D,CAAC;IACJ,CAAC;IAED,OAAO;QACL,YAAY,EAAE,QAAQ;QACtB,iBAAiB,EAAE,IAAI,GAAG,CAAC;YACzB,OAAO,CAAC,KAAK;YACb,OAAO,CAAC,KAAK;YACb,OAAO,CAAC,IAAI;YACZ,OAAO,CAAC,SAAS;YACjB,OAAO,CAAC,WAAW;YACnB,OAAO,CAAC,UAAU;YAClB,OAAO,CAAC,GAAG;YACX,OAAO,CAAC,OAAO;YACf,OAAO,CAAC,WAAW;SACpB,CAAC;QACF,eAAe,EAAE,IAAI,GAAG,CAAC;YACvB,OAAO,CAAC,MAAM;YACd,OAAO,CAAC,GAAG;YACX,OAAO,CAAC,QAAQ;YAChB,OAAO,CAAC,OAAO;YACf,OAAO,CAAC,aAAa;SACtB,CAAC;QACF,YAAY,EAAE,CAAC,GAAG,qBAAqB,CAAC;QACxC,oBAAoB,EAAE,iBAAiB;QACvC,gBAAgB,EAAE,EAAE;QACpB,cAAc,EAAE,IAAI,GAAG,EAAE;QACzB,gBAAgB,EAAE,EAAE;QACpB,sBAAsB,EAAE,KAAK;QAC7B,cAAc,EAAE,IAAI;QACpB,qBAAqB,EAAE,KAAK;KAC7B,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CACzB,OAAqC;IAErC,MAAM,aAAa,GAAG,mBAAmB,EAAE,CAAC;IAE5C,sCAAsC;IACtC,IAAI,oBAAoB,GAAG,aAAa,CAAC,oBAAoB,CAAC;IAC9D,IAAI,OAAO,CAAC,oBAAoB,KAAK,SAAS,EAAE,CAAC;QAC/C,oBAAoB,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,oBAAoB,CAAC,CAAC;QACnE,8BAA8B;QAC9B,KAAK,MAAM,CAAC,IAAI,EAAE,SAAS,CAAC,IAAI,OAAO,CAAC,oBAAoB,EAAE,CAAC;YAC7D,oBAAoB,CAAC,GAAG,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;QAC5C,CAAC;IACH,CAAC;IAED,OAAO;QACL,YAAY,EAAE,OAAO,CAAC,YAAY,IAAI,aAAa,CAAC,YAAY;QAChE,iBAAiB,EACf,OAAO,CAAC,iBAAiB,IAAI,aAAa,CAAC,iBAAiB;QAC9D,eAAe,EAAE,OAAO,CAAC,eAAe,IAAI,aAAa,CAAC,eAAe;QACzE,YAAY,EAAE,OAAO,CAAC,YAAY,IAAI,aAAa,CAAC,YAAY;QAChE,oBAAoB;QACpB,gBAAgB,EACd,OAAO,CAAC,gBAAgB,IAAI,aAAa,CAAC,gBAAgB;QAC5D,cAAc,EAAE,OAAO,CAAC,cAAc,IAAI,aAAa,CAAC,cAAc;QACtE,gBAAgB,EACd,OAAO,CAAC,gBAAgB,IAAI,aAAa,CAAC,gBAAgB;QAC5D,sBAAsB,EACpB,OAAO,CAAC,sBAAsB,IAAI,aAAa,CAAC,sBAAsB;QACxE,cAAc,EAAE,OAAO,CAAC,cAAc,IAAI,aAAa,CAAC,cAAc;QACtE,qBAAqB,EACnB,OAAO,CAAC,qBAAqB,IAAI,aAAa,CAAC,qBAAqB;KACvE,CAAC;AACJ,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAElF,cAAc,gBAAgB,CAAC;AAE/B;;GAEG;AACH,MAAM,CAAN,IAAY,eAIX;AAJD,WAAY,eAAe;IACzB,kCAAe,CAAA;IACf,8BAAW,CAAA;IACX,oCAAiB,CAAA;AACnB,CAAC,EAJW,eAAe,KAAf,eAAe,QAI1B;AAiOD,MAAM,UAAU,mBAAmB;IACjC,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAc,CAAC,CAAC;IAE9D,kEAAkE;IAClE,MAAM,aAAa,GAAG,IAAI,GAAG,CAAU,gBAAgB,CAAC,CAAC;IACzD,KAAK,MAAM,UAAU,IAAI,aAAa,EAAE,CAAC;QACvC,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAC9B,CAAC;IAED,MAAM,iBAAiB,GAAG,IAAI,GAAG,EAAmB,CAAC;IACrD,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;QAC5B,6DAA6D;QAC7D,iBAAiB,CAAC,GAAG,CACnB,IAAI,EACJ,IAAI,KAAK,OAAO,CAAC,MAAM,IAAI,IAAI,KAAK,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAC5D,CAAC;IACJ,CAAC;IAED,OAAO;QACL,YAAY,EAAE,QAAQ;QACtB,iBAAiB,EAAE,IAAI,GAAG,CAAC;YACzB,OAAO,CAAC,KAAK;YACb,OAAO,CAAC,KAAK;YACb,OAAO,CAAC,IAAI;YACZ,OAAO,CAAC,SAAS;YACjB,OAAO,CAAC,WAAW;YACnB,OAAO,CAAC,UAAU;YAClB,OAAO,CAAC,GAAG;YACX,OAAO,CAAC,OAAO;YACf,OAAO,CAAC,WAAW;SACpB,CAAC;QACF,eAAe,EAAE,IAAI,GAAG,CAAC;YACvB,OAAO,CAAC,MAAM;YACd,OAAO,CAAC,GAAG;YACX,OAAO,CAAC,QAAQ;YAChB,OAAO,CAAC,OAAO;YACf,OAAO,CAAC,aAAa;SACtB,CAAC;QACF,YAAY,EAAE,CAAC,GAAG,qBAAqB,CAAC;QACxC,oBAAoB,EAAE,iBAAiB;QACvC,gBAAgB,EAAE,EAAE;QACpB,cAAc,EAAE,IAAI,GAAG,EAAE;QACzB,gBAAgB,EAAE,EAAE;QACpB,sBAAsB,EAAE,KAAK;QAC7B,cAAc,EAAE,IAAI;QACpB,qBAAqB,EAAE,KAAK;KAC7B,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CACzB,OAAqC;IAErC,MAAM,aAAa,GAAG,mBAAmB,EAAE,CAAC;IAE5C,sCAAsC;IACtC,IAAI,oBAAoB,GAAG,aAAa,CAAC,oBAAoB,CAAC;IAC9D,IAAI,OAAO,CAAC,oBAAoB,KAAK,SAAS,EAAE,CAAC;QAC/C,oBAAoB,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,oBAAoB,CAAC,CAAC;QACnE,8BAA8B;QAC9B,KAAK,MAAM,CAAC,IAAI,EAAE,SAAS,CAAC,IAAI,OAAO,CAAC,oBAAoB,EAAE,CAAC;YAC7D,oBAAoB,CAAC,GAAG,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;QAC5C,CAAC;IACH,CAAC;IAED,OAAO;QACL,YAAY,EAAE,OAAO,CAAC,YAAY,IAAI,aAAa,CAAC,YAAY;QAChE,iBAAiB,EACf,OAAO,CAAC,iBAAiB,IAAI,aAAa,CAAC,iBAAiB;QAC9D,eAAe,EAAE,OAAO,CAAC,eAAe,IAAI,aAAa,CAAC,eAAe;QACzE,YAAY,EAAE,OAAO,CAAC,YAAY,IAAI,aAAa,CAAC,YAAY;QAChE,oBAAoB;QACpB,gBAAgB,EACd,OAAO,CAAC,gBAAgB,IAAI,aAAa,CAAC,gBAAgB;QAC5D,cAAc,EAAE,OAAO,CAAC,cAAc,IAAI,aAAa,CAAC,cAAc;QACtE,gBAAgB,EACd,OAAO,CAAC,gBAAgB,IAAI,aAAa,CAAC,gBAAgB;QAC5D,sBAAsB,EACpB,OAAO,CAAC,sBAAsB,IAAI,aAAa,CAAC,sBAAsB;QACxE,cAAc,EAAE,OAAO,CAAC,cAAc,IAAI,aAAa,CAAC,cAAc;QACtE,qBAAqB,EACnB,OAAO,CAAC,qBAAqB,IAAI,aAAa,CAAC,qBAAqB;KACvE,CAAC;AACJ,CAAC"}

package/dist/types/pii-types.d.ts

@@ -19,7 +19,14 @@ export declare enum PIIType {
     NATIONAL_ID = "NATIONAL_ID",
     DATE_OF_BIRTH = "DATE_OF_BIRTH",
     CASE_ID = "CASE_ID",
-    CUSTOMER_ID = "CUSTOMER_ID"
+    CUSTOMER_ID = "CUSTOMER_ID",
+    API_KEY = "API_KEY",
+    PRIVATE_KEY = "PRIVATE_KEY",
+    JWT = "JWT",
+    CONNECTION_STRING = "CONNECTION_STRING",
+    AWS_CREDENTIALS = "AWS_CREDENTIALS",
+    ENV_VAR_SECRET = "ENV_VAR_SECRET",
+    CONFIG_SECRET = "CONFIG_SECRET"
 }
 /**
  * All PII types as a readonly array for iteration
@@ -29,6 +36,10 @@ export declare const ALL_PII_TYPES: readonly PIIType[];
  * PII types that are detected via regex (structured PII)
  */
 export declare const REGEX_PII_TYPES: readonly PIIType[];
+/**
+ * PII types that are secrets/credentials (opt-in, regex-based)
+ */
+export declare const SECRET_PII_TYPES: readonly PIIType[];
 /**
  * PII types that are detected via NER model (soft PII)
  */

package/dist/types/pii-types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"pii-types.d.ts","sourceRoot":"","sources":["../../src/types/pii-types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,oBAAY,OAAO;IAEjB,MAAM,WAAW;IACjB,GAAG,QAAQ;IACX,QAAQ,aAAa;IACrB,OAAO,YAAY;IAGnB,KAAK,UAAU;IACf,KAAK,UAAU;IACf,GAAG,QAAQ;IACX,UAAU,eAAe;IAGzB,IAAI,SAAS;IACb,SAAS,cAAc;IACvB,cAAc,mBAAmB;IACjC,WAAW,gBAAgB;IAG3B,MAAM,WAAW;IACjB,WAAW,gBAAgB;IAC3B,aAAa,kBAAkB;IAG/B,OAAO,YAAY;IACnB,WAAW,gBAAgB;CAC5B;AAED;;GAEG;AACH,eAAO,MAAM,aAAa,EAAE,SAAS,OAAO,EAAwC,CAAC;AAErF;;GAEG;AACH,eAAO,MAAM,eAAe,EAAE,SAAS,OAAO,EAa7C,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,aAAa,EAAE,SAAS,OAAO,EAM3C,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,qBAAqB,EAAE,SAAS,OAAO,EAqBnD,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,qBAAqB,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAWzD,CAAC;AAEF;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,GAAG,IAAI,CASpE"}
+{"version":3,"file":"pii-types.d.ts","sourceRoot":"","sources":["../../src/types/pii-types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,oBAAY,OAAO;IAEjB,MAAM,WAAW;IACjB,GAAG,QAAQ;IACX,QAAQ,aAAa;IACrB,OAAO,YAAY;IAGnB,KAAK,UAAU;IACf,KAAK,UAAU;IACf,GAAG,QAAQ;IACX,UAAU,eAAe;IAGzB,IAAI,SAAS;IACb,SAAS,cAAc;IACvB,cAAc,mBAAmB;IACjC,WAAW,gBAAgB;IAG3B,MAAM,WAAW;IACjB,WAAW,gBAAgB;IAC3B,aAAa,kBAAkB;IAG/B,OAAO,YAAY;IACnB,WAAW,gBAAgB;IAG3B,OAAO,YAAY;IACnB,WAAW,gBAAgB;IAC3B,GAAG,QAAQ;IACX,iBAAiB,sBAAsB;IACvC,eAAe,oBAAoB;IACnC,cAAc,mBAAmB;IACjC,aAAa,kBAAkB;CAChC;AAED;;GAEG;AACH,eAAO,MAAM,aAAa,EAAE,SAAS,OAAO,EAAwC,CAAC;AAErF;;GAEG;AACH,eAAO,MAAM,eAAe,EAAE,SAAS,OAAO,EAa7C,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,gBAAgB,EAAE,SAAS,OAAO,EAQ9C,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,aAAa,EAAE,SAAS,OAAO,EAM3C,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,qBAAqB,EAAE,SAAS,OAAO,EA6BnD,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,qBAAqB,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAWzD,CAAC;AAEF;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,GAAG,IAAI,CASpE"}

package/dist/types/pii-types.js

@@ -26,6 +26,14 @@ export var PIIType;
     // Custom/Business identifiers
     PIIType["CASE_ID"] = "CASE_ID";
     PIIType["CUSTOMER_ID"] = "CUSTOMER_ID";
+    // Secrets/Credentials
+    PIIType["API_KEY"] = "API_KEY";
+    PIIType["PRIVATE_KEY"] = "PRIVATE_KEY";
+    PIIType["JWT"] = "JWT";
+    PIIType["CONNECTION_STRING"] = "CONNECTION_STRING";
+    PIIType["AWS_CREDENTIALS"] = "AWS_CREDENTIALS";
+    PIIType["ENV_VAR_SECRET"] = "ENV_VAR_SECRET";
+    PIIType["CONFIG_SECRET"] = "CONFIG_SECRET";
 })(PIIType || (PIIType = {}));
 /**
  * All PII types as a readonly array for iteration
@@ -48,6 +56,18 @@ export const REGEX_PII_TYPES = [
     PIIType.CASE_ID,
     PIIType.CUSTOMER_ID,
 ];
+/**
+ * PII types that are secrets/credentials (opt-in, regex-based)
+ */
+export const SECRET_PII_TYPES = [
+    PIIType.API_KEY,
+    PIIType.PRIVATE_KEY,
+    PIIType.JWT,
+    PIIType.CONNECTION_STRING,
+    PIIType.AWS_CREDENTIALS,
+    PIIType.ENV_VAR_SECRET,
+    PIIType.CONFIG_SECRET,
+];
 /**
  * PII types that are detected via NER model (soft PII)
  */
@@ -83,6 +103,14 @@ export const DEFAULT_TYPE_PRIORITY = [
     PIIType.CREDIT_CARD,
     PIIType.TAX_ID,
     PIIType.NATIONAL_ID,
+    // Highest priority (secrets/credentials)
+    PIIType.ENV_VAR_SECRET,
+    PIIType.CONFIG_SECRET,
+    PIIType.CONNECTION_STRING,
+    PIIType.AWS_CREDENTIALS,
+    PIIType.API_KEY,
+    PIIType.PRIVATE_KEY,
+    PIIType.JWT,
 ];
 /**
  * Maps NER model labels to PIIType

package/dist/types/pii-types.js.map

@@ -1 +1 @@
-{"version":3,"file":"pii-types.js","sourceRoot":"","sources":["../../src/types/pii-types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,MAAM,CAAN,IAAY,OA2BX;AA3BD,WAAY,OAAO;IACjB,uBAAuB;IACvB,4BAAiB,CAAA;IACjB,sBAAW,CAAA;IACX,gCAAqB,CAAA;IACrB,8BAAmB,CAAA;IAEnB,sBAAsB;IACtB,0BAAe,CAAA;IACf,0BAAe,CAAA;IACf,sBAAW,CAAA;IACX,oCAAyB,CAAA;IAEzB,wBAAwB;IACxB,wBAAa,CAAA;IACb,kCAAuB,CAAA;IACvB,4CAAiC,CAAA;IACjC,sCAA2B,CAAA;IAE3B,6BAA6B;IAC7B,4BAAiB,CAAA;IACjB,sCAA2B,CAAA;IAC3B,0CAA+B,CAAA;IAE/B,8BAA8B;IAC9B,8BAAmB,CAAA;IACnB,sCAA2B,CAAA;AAC7B,CAAC,EA3BW,OAAO,KAAP,OAAO,QA2BlB;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,aAAa,GAAuB,MAAM,CAAC,MAAM,CAAC,OAAO,CAAc,CAAC;AAErF;;GAEG;AACH,MAAM,CAAC,MAAM,eAAe,GAAuB;IACjD,OAAO,CAAC,KAAK;IACb,OAAO,CAAC,KAAK;IACb,OAAO,CAAC,IAAI;IACZ,OAAO,CAAC,SAAS;IACjB,OAAO,CAAC,WAAW;IACnB,OAAO,CAAC,UAAU;IAClB,OAAO,CAAC,GAAG;IACX,OAAO,CAAC,cAAc;IACtB,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,WAAW;IACnB,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,WAAW;CACpB,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,aAAa,GAAuB;IAC/C,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,GAAG;IACX,OAAO,CAAC,QAAQ;IAChB,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,aAAa;CACtB,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAuB;IACvD,2BAA2B;IAC3B,OAAO,CAAC,GAAG;IACX,OAAO,CAAC,UAAU;IAClB,OAAO,CAAC,QAAQ;IAChB,OAAO,CAAC,GAAG;IACX,OAAO,CAAC,MAAM;IACd,kBAAkB;IAClB,OAAO,CAAC,aAAa;IACrB,OAAO,CAAC,KAAK;IACb,OAAO,CAAC,KAAK;IACb,OAAO,CAAC,OAAO;IACf,yCAAyC;IACzC,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,WAAW;IACnB,OAAO,CAAC,cAAc;IACtB,OAAO,CAAC,SAAS;IACjB,OAAO,CAAC,IAAI;IACZ,OAAO,CAAC,WAAW;IACnB,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,WAAW;CACpB,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAA4B;IAC5D,GAAG,EAAE,OAAO,CAAC,MAAM;IACnB,MAAM,EAAE,OAAO,CAAC,MAAM;IACtB,GAAG,EAAE,OAAO,CAAC,GAAG;IAChB,YAAY,EAAE,OAAO,CAAC,GAAG;IACzB,GAAG,EAAE,OAAO,CAAC,QAAQ;IACrB,QAAQ,EAAE,OAAO,CAAC,QAAQ;IAC1B,GAAG,EAAE,OAAO,CAAC,QAAQ,EAAE,uBAAuB;IAC9C,IAAI,EAAE,OAAO,CAAC,aAAa;IAC3B,qCAAqC;IACrC,IAAI,EAAE,OAAO,CAAC,OAAO;CACtB,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,sBAAsB,CAAC,KAAa;IAClD,iCAAiC;IACjC,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IAE7D,IAAI,UAAU,KAAK,GAAG,EAAE,CAAC;QACvB,OAAO,IAAI,CAAC,CAAC,qBAAqB;IACpC,CAAC;IAED,OAAO,qBAAqB,CAAC,UAAU,CAAC,IAAI,IAAI,CAAC;AACnD,CAAC"}
+{"version":3,"file":"pii-types.js","sourceRoot":"","sources":["../../src/types/pii-types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,MAAM,CAAN,IAAY,OAoCX;AApCD,WAAY,OAAO;IACjB,uBAAuB;IACvB,4BAAiB,CAAA;IACjB,sBAAW,CAAA;IACX,gCAAqB,CAAA;IACrB,8BAAmB,CAAA;IAEnB,sBAAsB;IACtB,0BAAe,CAAA;IACf,0BAAe,CAAA;IACf,sBAAW,CAAA;IACX,oCAAyB,CAAA;IAEzB,wBAAwB;IACxB,wBAAa,CAAA;IACb,kCAAuB,CAAA;IACvB,4CAAiC,CAAA;IACjC,sCAA2B,CAAA;IAE3B,6BAA6B;IAC7B,4BAAiB,CAAA;IACjB,sCAA2B,CAAA;IAC3B,0CAA+B,CAAA;IAE/B,8BAA8B;IAC9B,8BAAmB,CAAA;IACnB,sCAA2B,CAAA;IAE3B,sBAAsB;IACtB,8BAAmB,CAAA;IACnB,sCAA2B,CAAA;IAC3B,sBAAW,CAAA;IACX,kDAAuC,CAAA;IACvC,8CAAmC,CAAA;IACnC,4CAAiC,CAAA;IACjC,0CAA+B,CAAA;AACjC,CAAC,EApCW,OAAO,KAAP,OAAO,QAoClB;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,aAAa,GAAuB,MAAM,CAAC,MAAM,CAAC,OAAO,CAAc,CAAC;AAErF;;GAEG;AACH,MAAM,CAAC,MAAM,eAAe,GAAuB;IACjD,OAAO,CAAC,KAAK;IACb,OAAO,CAAC,KAAK;IACb,OAAO,CAAC,IAAI;IACZ,OAAO,CAAC,SAAS;IACjB,OAAO,CAAC,WAAW;IACnB,OAAO,CAAC,UAAU;IAClB,OAAO,CAAC,GAAG;IACX,OAAO,CAAC,cAAc;IACtB,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,WAAW;IACnB,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,WAAW;CACpB,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAuB;IAClD,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,WAAW;IACnB,OAAO,CAAC,GAAG;IACX,OAAO,CAAC,iBAAiB;IACzB,OAAO,CAAC,eAAe;IACvB,OAAO,CAAC,cAAc;IACtB,OAAO,CAAC,aAAa;CACtB,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,aAAa,GAAuB;IAC/C,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,GAAG;IACX,OAAO,CAAC,QAAQ;IAChB,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,aAAa;CACtB,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAuB;IACvD,2BAA2B;IAC3B,OAAO,CAAC,GAAG;IACX,OAAO,CAAC,UAAU;IAClB,OAAO,CAAC,QAAQ;IAChB,OAAO,CAAC,GAAG;IACX,OAAO,CAAC,MAAM;IACd,kBAAkB;IAClB,OAAO,CAAC,aAAa;IACrB,OAAO,CAAC,KAAK;IACb,OAAO,CAAC,KAAK;IACb,OAAO,CAAC,OAAO;IACf,yCAAyC;IACzC,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,WAAW;IACnB,OAAO,CAAC,cAAc;IACtB,OAAO,CAAC,SAAS;IACjB,OAAO,CAAC,IAAI;IACZ,OAAO,CAAC,WAAW;IACnB,OAAO,CAAC,MAAM;IACd,OAAO,CAAC,WAAW;IACnB,yCAAyC;IACzC,OAAO,CAAC,cAAc;IACtB,OAAO,CAAC,aAAa;IACrB,OAAO,CAAC,iBAAiB;IACzB,OAAO,CAAC,eAAe;IACvB,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,WAAW;IACnB,OAAO,CAAC,GAAG;CACZ,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAA4B;IAC5D,GAAG,EAAE,OAAO,CAAC,MAAM;IACnB,MAAM,EAAE,OAAO,CAAC,MAAM;IACtB,GAAG,EAAE,OAAO,CAAC,GAAG;IAChB,YAAY,EAAE,OAAO,CAAC,GAAG;IACzB,GAAG,EAAE,OAAO,CAAC,QAAQ;IACrB,QAAQ,EAAE,OAAO,CAAC,QAAQ;IAC1B,GAAG,EAAE,OAAO,CAAC,QAAQ,EAAE,uBAAuB;IAC9C,IAAI,EAAE,OAAO,CAAC,aAAa;IAC3B,qCAAqC;IACrC,IAAI,EAAE,OAAO,CAAC,OAAO;CACtB,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,sBAAsB,CAAC,KAAa;IAClD,iCAAiC;IACjC,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IAE7D,IAAI,UAAU,KAAK,GAAG,EAAE,CAAC;QACvB,OAAO,IAAI,CAAC,CAAC,qBAAqB;IACpC,CAAC;IAED,OAAO,qBAAqB,CAAC,UAAU,CAAC,IAAI,IAAI,CAAC;AACnD,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "rehydra",
-  "version": "0.5.2",
+  "version": "0.6.0",
   "description": "On-device PII anonymization module for high-privacy AI workflows",
   "main": "dist/index.js",
   "module": "dist/index.js",
@@ -65,6 +65,10 @@
         "types": "./dist/cli/main.d.ts",
         "default": "./dist/cli/main.js"
       }
+    },
+    "./opencode-plugin": {
+      "types": "./dist/opencode-plugin/index.d.ts",
+      "default": "./dist/opencode-plugin/index.js"
     }
   },
   "files": [