npm - shroud-privacy - Versions diffs - 2.3.0 → 2.4.0 - Mend

shroud-privacy 2.3.0 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/config-manager.js +4 -2
package/dist/detectors/regex.d.ts +2 -0
package/dist/detectors/regex.js +249 -2
package/dist/generators/codes.d.ts +65 -0
package/dist/generators/codes.js +435 -8
package/dist/types.d.ts +9 -0
package/dist/types.js +12 -0
package/package.json +1 -1

package/dist/config-manager.js CHANGED Viewed

@@ -167,8 +167,10 @@ export class ConfigManager {
         for (let i = 0; i < BUILTIN_PATTERNS.length; i++) {
             const p = BUILTIN_PATTERNS[i];
             const comma = i < BUILTIN_PATTERNS.length - 1 ? "," : "";
-            // Convert RegExp to source string
-            lines.push(`    "${p.name}": { "pattern": ${JSON.stringify(p.pattern.source)}, "category": "${p.category}", "confidence": ${p.confidence} }${comma}`);
+            // Convert RegExp to source string + flags
+            const flags = p.pattern.flags.replace("g", "") || undefined; // "g" is always added; only store extra flags (i, m, etc.)
+            const flagsPart = flags ? `, "flags": "${flags}"` : "";
+            lines.push(`    "${p.name}": { "pattern": ${JSON.stringify(p.pattern.source)}, "category": "${p.category}", "confidence": ${p.confidence}${flagsPart} }${comma}`);
         }
         lines.push("  }");
         lines.push("}");

package/dist/detectors/regex.d.ts CHANGED Viewed

@@ -23,6 +23,8 @@ export type DetectorOverrides = Record<string, {
 export type ConfigRule = {
     enabled?: boolean;
     pattern?: string;
+    /** Extra regex flags beyond "g" (e.g. "i", "m", "im"). Always gets "g" automatically. */
+    flags?: string;
     category?: string;
     confidence?: number;
 };

package/dist/detectors/regex.js CHANGED Viewed

@@ -1179,6 +1179,251 @@ export const BUILTIN_PATTERNS = [
         category: Category.ACL_NAME,
         confidence: 0.85,
     },
+    // ===================================================================
+    // Healthcare — HIPAA-relevant identifiers
+    // ===================================================================
+    // --- Date of birth (context-triggered) ---
+    {
+        // "DOB: 03/15/1987" or "DOB 1987-03-15" or "date of birth: 03/15/1987"
+        name: "dob_keyword",
+        pattern: /(?:DOB|date\s+of\s+birth|birthdate|born\s+on|birth\s+date|geburtsdatum)\s*[:=]?\s*(\d{1,2}[\/\-.]\d{1,2}[\/\-.]\d{2,4})/gi,
+        category: Category.DATE_OF_BIRTH,
+        confidence: 0.9,
+    },
+    {
+        // ISO date after DOB keyword: "DOB: 1987-03-15"
+        name: "dob_iso",
+        pattern: /(?:DOB|date\s+of\s+birth|birthdate|birth\s+date)\s*[:=]?\s*(\d{4}-\d{2}-\d{2})/gi,
+        category: Category.DATE_OF_BIRTH,
+        confidence: 0.9,
+    },
+    {
+        // Written month: "born on March 15, 1987" or "DOB: January 3, 1990"
+        name: "dob_written",
+        pattern: /(?:DOB|date\s+of\s+birth|birthdate|born\s+on|birth\s+date)\s*[:=]?\s*((?:January|February|March|April|May|June|July|August|September|October|November|December)\s+\d{1,2},?\s+\d{4})/gi,
+        category: Category.DATE_OF_BIRTH,
+        confidence: 0.9,
+    },
+    // --- Medical record number (MRN) ---
+    {
+        // "MRN: 12345678" or "medical record number: ABC-123456"
+        name: "mrn_keyword",
+        pattern: /(?:MRN|medical\s*record\s*(?:number|no|#)?|patient\s*(?:id|number|#))\s*[:=#]?\s*([A-Z0-9][\w\-]{3,19})/gi,
+        category: Category.MEDICAL_RECORD_NUMBER,
+        confidence: 0.9,
+    },
+    {
+        // US NPI (National Provider Identifier): 10-digit number with "NPI" context
+        name: "npi_number",
+        pattern: /(?:NPI|national\s*provider)\s*[:=#]?\s*(\d{10})\b/gi,
+        category: Category.MEDICAL_RECORD_NUMBER,
+        confidence: 0.95,
+    },
+    {
+        // US DEA number: 2 letters + 7 digits (e.g., "AB1234567")
+        name: "dea_number",
+        pattern: /(?:DEA|drug\s*enforcement)\s*[:=#]?\s*([A-Z][A-Z9]\d{7})\b/gi,
+        category: Category.MEDICAL_RECORD_NUMBER,
+        confidence: 0.95,
+    },
+    {
+        // Health insurance policy/member/subscriber ID
+        name: "health_insurance_id",
+        pattern: /(?:(?:health\s*)?(?:insurance|policy|member|subscriber|group)\s*(?:id|number|no|#))\s*[:=#]?\s*([A-Z0-9][\w\-]{3,19})/gi,
+        category: Category.MEDICAL_RECORD_NUMBER,
+        confidence: 0.85,
+    },
+    // ===================================================================
+    // Finance — bank accounts, routing numbers, tax IDs
+    // ===================================================================
+    // --- Bank account numbers (context-triggered) ---
+    {
+        // US routing number (ABA/transit): 9 digits with context
+        name: "us_routing_number",
+        pattern: /(?:routing|ABA|transit)\s*(?:number|no|#)?\s*[:=#]?\s*(\d{9})\b/gi,
+        category: Category.BANK_ACCOUNT_NUMBER,
+        confidence: 0.9,
+    },
+    {
+        // Bank account number with context keyword
+        name: "bank_account_keyword",
+        pattern: /(?:(?:bank\s*)?account|acct)\s*(?:number|no|#)\s*[:=#]?\s*(\d{4,17})\b/gi,
+        category: Category.BANK_ACCOUNT_NUMBER,
+        confidence: 0.85,
+    },
+    {
+        // UK sort code: XX-XX-XX with context
+        name: "uk_sort_code",
+        pattern: /(?:sort\s*code)\s*[:=#]?\s*(\d{2}-\d{2}-\d{2})\b/gi,
+        category: Category.BANK_ACCOUNT_NUMBER,
+        confidence: 0.9,
+    },
+    {
+        // SWIFT/BIC code: 8 or 11 alphanumeric characters (e.g., DEUTDEFF, BOFAUS3NXXX)
+        name: "swift_bic",
+        pattern: /(?:SWIFT|BIC|SWIFT\/BIC)\s*[:=#]?\s*([A-Z]{4}[A-Z]{2}[A-Z0-9]{2}(?:[A-Z0-9]{3})?)\b/gi,
+        category: Category.BANK_ACCOUNT_NUMBER,
+        confidence: 0.9,
+    },
+    {
+        // Standalone SWIFT/BIC pattern (distinctive 8/11-char format)
+        name: "swift_bic_standalone",
+        pattern: /\b([A-Z]{4}(?:AT|DE|CH|GB|US|FR|IT|ES|NL|BE|AU|CA|JP|CN|IN|BR|MX|ZA|SE|NO|DK|FI|IE|PT|CZ|PL|HU|RO|BG|HR|SK|SI|LT|LV|EE|MT|CY|LU|GR)[A-Z0-9]{2}(?:[A-Z0-9]{3})?)\b/g,
+        category: Category.BANK_ACCOUNT_NUMBER,
+        confidence: 0.85,
+    },
+    // --- Tax IDs ---
+    {
+        // US EIN (Employer Identification Number): XX-XXXXXXX with context
+        name: "us_ein",
+        pattern: /(?:EIN|employer\s*(?:identification|id)\s*(?:number|no|#)?|tax\s*(?:id|identification)\s*(?:number|no|#)?)\s*[:=#]?\s*(\d{2}-\d{7})\b/gi,
+        category: Category.TAX_ID,
+        confidence: 0.9,
+    },
+    {
+        // TIN/tax number generic context-triggered
+        name: "tax_id_generic",
+        pattern: /(?:TIN|tax\s*(?:id|number|identification)|taxpayer\s*(?:id|number))\s*[:=#]?\s*(\d[\d\-]{5,12})\b/gi,
+        category: Category.TAX_ID,
+        confidence: 0.85,
+    },
+    {
+        // UK UTR (Unique Taxpayer Reference): 10 digits with context
+        name: "uk_utr",
+        pattern: /(?:UTR|unique\s*taxpayer\s*(?:reference|ref))\s*[:=#]?\s*(\d{10})\b/gi,
+        category: Category.TAX_ID,
+        confidence: 0.9,
+    },
+    // ===================================================================
+    // Legal / Identity Documents
+    // ===================================================================
+    // --- Passport numbers (context-triggered) ---
+    {
+        // Generic context: "passport no: P12345678" or "passport number: 123456789"
+        name: "passport_keyword",
+        pattern: /(?:passport)\s*(?:number|no|#)?\s*[:=#]?\s*([A-Z0-9]{6,12})\b/gi,
+        category: Category.PASSPORT_NUMBER,
+        confidence: 0.9,
+    },
+    {
+        // German Reisepass: "Reisepass: C01X00T47"
+        name: "passport_de",
+        pattern: /(?:Reisepass|Personalausweis)\s*(?:Nr|number|no|#)?\.?\s*[:=#]?\s*([CFGHJKLMNPRTVWXYZ0-9]{9})\b/gi,
+        category: Category.PASSPORT_NUMBER,
+        confidence: 0.9,
+    },
+    {
+        // Travel document context: "travel document: XX1234567"
+        name: "travel_document",
+        pattern: /(?:travel\s*document)\s*(?:number|no|#)?\s*[:=#]?\s*([A-Z0-9]{6,12})\b/gi,
+        category: Category.PASSPORT_NUMBER,
+        confidence: 0.85,
+    },
+    // --- Driver's license (context-triggered) ---
+    {
+        // Generic: "driver's license: A1234567" or "DL: 12345678"
+        name: "drivers_license_keyword",
+        pattern: /(?:driver'?s?\s*licen[sc]e|DL|driving\s*licen[sc]e|F[üu]hrerschein)\s*(?:number|no|#|Nr)?\.?\s*[:=#]?\s*([A-Z0-9][\w\-]{3,19})\b/gi,
+        category: Category.DRIVERS_LICENSE,
+        confidence: 0.9,
+    },
+    {
+        // US California format: letter + 7 digits with context
+        name: "dl_california",
+        pattern: /(?:driver'?s?\s*licen[sc]e|DL)\s*(?:number|no|#)?\s*[:=#]?\s*([A-Z]\d{7})\b/gi,
+        category: Category.DRIVERS_LICENSE,
+        confidence: 0.9,
+    },
+    {
+        // License plate / vehicle registration (context-triggered, requires : or = separator)
+        name: "license_plate",
+        pattern: /(?:licen[sc]e\s*plate|registration\s*(?:number|no|#|plate)|vehicle\s*(?:plate|reg|registration)|Kennzeichen|plaque)\s*[:=#]\s*([A-Z][A-Z0-9\-]{1,11}[A-Z0-9])\b/gi,
+        category: Category.DRIVERS_LICENSE,
+        confidence: 0.85,
+    },
+    // --- Court case / docket numbers ---
+    {
+        // US federal court: "1:23-cv-01234" or "2:24-cr-00567"
+        name: "us_federal_case",
+        pattern: /\b(\d{1,2}:\d{2}-[a-z]{2}-\d{3,6})\b/g,
+        category: Category.CASE_NUMBER,
+        confidence: 0.95,
+    },
+    {
+        // Generic case/docket number with context keyword
+        name: "case_number_keyword",
+        pattern: /(?:case|docket|cause|filing)\s*(?:number|no|#)?\s*[:=#]?\s*([A-Z0-9][\w\-\/]{3,24})\b/gi,
+        category: Category.CASE_NUMBER,
+        confidence: 0.85,
+    },
+    {
+        // Patent number: "US12345678" or "EP1234567" or "WO2024123456"
+        name: "patent_number",
+        pattern: /\b((?:US|EP|WO|JP|CN|KR|AU|CA)\s?\d{4,12}(?:\s?[AB]\d?)?)\b/g,
+        category: Category.CASE_NUMBER,
+        confidence: 0.85,
+    },
+    {
+        // Aktenzeichen (German file reference): "Az.: 1 BvR 123/45" or "Az. 12 O 456/23"
+        name: "aktenzeichen",
+        pattern: /(?:Az\.?|Aktenzeichen)\s*[:=]?\s*(\d{1,3}\s+[A-Z][a-z]*\s+\d{1,5}\/\d{2,4})\b/gi,
+        category: Category.CASE_NUMBER,
+        confidence: 0.9,
+    },
+    // ===================================================================
+    // Cloud / Crypto
+    // ===================================================================
+    // --- Cryptocurrency addresses (standalone — distinctive formats) ---
+    {
+        // Ethereum address: 0x + 40 hex chars
+        name: "crypto_ethereum",
+        pattern: /\b(0x[0-9a-fA-F]{40})\b/g,
+        category: Category.CRYPTOCURRENCY_ADDRESS,
+        confidence: 0.95,
+    },
+    {
+        // Bitcoin P2PKH: starts with 1, 25-34 base58 chars
+        name: "crypto_bitcoin_p2pkh",
+        pattern: /\b(1[a-km-zA-HJ-NP-Z1-9]{25,34})\b/g,
+        category: Category.CRYPTOCURRENCY_ADDRESS,
+        confidence: 0.9,
+    },
+    {
+        // Bitcoin P2SH: starts with 3, 25-34 base58 chars
+        name: "crypto_bitcoin_p2sh",
+        pattern: /\b(3[a-km-zA-HJ-NP-Z1-9]{25,34})\b/g,
+        category: Category.CRYPTOCURRENCY_ADDRESS,
+        confidence: 0.9,
+    },
+    {
+        // Bitcoin Bech32: bc1 + 39-59 lowercase alphanum
+        name: "crypto_bitcoin_bech32",
+        pattern: /\b(bc1[a-z0-9]{39,59})\b/g,
+        category: Category.CRYPTOCURRENCY_ADDRESS,
+        confidence: 0.95,
+    },
+    {
+        // Crypto wallet/address with context keyword
+        name: "crypto_wallet_keyword",
+        pattern: /(?:wallet|crypto|bitcoin|ethereum|eth|btc)\s*(?:address|addr|id)?\s*[:=#]?\s*([a-zA-Z0-9]{26,64})\b/gi,
+        category: Category.CRYPTOCURRENCY_ADDRESS,
+        confidence: 0.85,
+    },
+    // --- AWS ARN (standalone — distinctive format) ---
+    {
+        // Full ARN: arn:aws:service:region:account-id:resource (account may be empty for S3)
+        name: "aws_arn",
+        pattern: /\b(arn:aws[a-z\-]*:[a-z0-9\-]+:[a-z0-9\-]*:\d{0,12}:[^\s"']{1,128})\b/g,
+        category: Category.AWS_ARN,
+        confidence: 0.95,
+    },
+    {
+        // AWS account ID with context: 12-digit number after "account" keyword
+        name: "aws_account_id",
+        pattern: /(?:(?:aws|amazon)\s*)?account\s*(?:id|#|number)?\s*[:=#]?\s*(\d{12})\b/gi,
+        category: Category.AWS_ARN,
+        confidence: 0.85,
+    },
 ];
 /**
  * Tracks occupied text spans and answers overlap queries in O(log n)
@@ -1273,8 +1518,9 @@ export class RegexDetector {
                     return p;
                 const updated = { ...p };
                 if (rule.pattern) {
+                    const flags = "g" + (rule.flags || "").replace(/g/g, "");
                     try {
-                        updated.pattern = new RegExp(rule.pattern, "g");
+                        updated.pattern = new RegExp(rule.pattern, flags);
                     }
                     catch { /* invalid regex — keep built-in */ }
                 }
@@ -1298,9 +1544,10 @@ export class RegexDetector {
                 if (!rule.pattern)
                     continue; // new rules must have a pattern
                 try {
+                    const flags = "g" + (rule.flags || "").replace(/g/g, "");
                     patterns.push({
                         name,
-                        pattern: new RegExp(rule.pattern, "g"),
+                        pattern: new RegExp(rule.pattern, flags),
                         category: rule.category ? resolveCategory(rule.category) : Category.CUSTOM,
                         confidence: rule.confidence ?? 0.9,
                     });

package/dist/generators/codes.d.ts CHANGED Viewed

@@ -14,7 +14,72 @@ export declare class CodeGenerator implements BaseGenerator {
     _fakeSsn(seed: number): string;
     _fakePhone(seed: number, original: string): string;
     _fakeIban(seed: number, original: string): string;
+    /**
+     * Format-aware national ID generator.
+     * Preserves structure per detected sub-type rather than generic zero-padding.
+     */
     _fakeNationalId(seed: number, original: string): string;
     _fakeJwt(seed: number): string;
+    /**
+     * GPS coordinate generator — distributes across plausible world locations
+     * instead of clustering near null island (0,0).
+     */
     _fakeGps(seed: number): string;
+    /**
+     * ICS/SCADA identifier — format-aware per sub-type.
+     * Preserves structure for OPC UA endpoints, Modbus addresses, BACnet IDs, etc.
+     */
+    _fakeIcsId(seed: number, original: string): string;
+    /**
+     * Certificate generator — produces structurally valid PEM-like blocks
+     * instead of [REDACTED-CERT-XXXX] placeholders.
+     */
+    _fakeCertificate(seed: number, original: string): string;
+    /**
+     * Format-preserving fake date of birth.
+     * Shifts the date by a deterministic offset (30-300 days) derived from seed,
+     * preserving the original format (MM/DD/YYYY, YYYY-MM-DD, DD.MM.YYYY, written month).
+     */
+    _fakeDob(seed: number, original: string): string;
+    /**
+     * Fake medical record / provider ID.
+     * Preserves format structure (letter+digits, pure digits, with dashes).
+     */
+    _fakeMedicalId(seed: number, original: string): string;
+    /**
+     * Fake bank account / routing number.
+     * Preserves format (digit count, dashes, sort code format).
+     */
+    _fakeBankAccount(seed: number, original: string): string;
+    /**
+     * Fake tax ID / EIN.
+     * Preserves format (XX-XXXXXXX for EIN, pure digits for others).
+     */
+    _fakeTaxId(seed: number, original: string): string;
+    /**
+     * Fake passport number.
+     * Preserves format: letter prefix + digit count, or pure alphanumeric.
+     */
+    _fakePassport(seed: number, original: string): string;
+    /**
+     * Fake driver's license / license plate.
+     * Preserves format structure (letter/digit positions, dashes, spaces).
+     */
+    _fakeDriversLicense(seed: number, original: string): string;
+    /**
+     * Fake case / docket / patent number.
+     * Preserves format: digit:digit-letters-digits, or prefix + digits.
+     */
+    _fakeCaseNumber(seed: number, original: string): string;
+    /**
+     * Fake cryptocurrency address.
+     * Preserves format: Ethereum (0x + 40 hex), Bitcoin P2PKH/P2SH (base58),
+     * Bitcoin Bech32 (bc1 + lowercase alphanum).
+     */
+    _fakeCryptoAddress(seed: number, original: string): string;
+    /**
+     * Fake AWS ARN.
+     * Preserves service and resource type, replaces account ID and resource name.
+     */
+    _fakeAwsArn(seed: number, original: string): string;
 }

package/dist/generators/codes.js CHANGED Viewed

@@ -42,6 +42,15 @@ export class CodeGenerator {
         Category.GPS_COORDINATE,
         Category.ICS_IDENTIFIER,
         Category.CERTIFICATE,
+        Category.DATE_OF_BIRTH,
+        Category.MEDICAL_RECORD_NUMBER,
+        Category.BANK_ACCOUNT_NUMBER,
+        Category.TAX_ID,
+        Category.PASSPORT_NUMBER,
+        Category.DRIVERS_LICENSE,
+        Category.CASE_NUMBER,
+        Category.CRYPTOCURRENCY_ADDRESS,
+        Category.AWS_ARN,
     ];
     generate(category, seed, original = "") {
         if (category === Category.API_KEY) {
@@ -72,10 +81,37 @@ export class CodeGenerator {
             return this._fakeGps(seed);
         }
         else if (category === Category.ICS_IDENTIFIER) {
-            return `ICS-${String(seed % 100000).padStart(5, "0")}`;
+            return this._fakeIcsId(seed, original);
         }
         else if (category === Category.CERTIFICATE) {
-            return `[REDACTED-CERT-${String(seed % 10000).padStart(4, "0")}]`;
+            return this._fakeCertificate(seed, original);
+        }
+        else if (category === Category.DATE_OF_BIRTH) {
+            return this._fakeDob(seed, original);
+        }
+        else if (category === Category.MEDICAL_RECORD_NUMBER) {
+            return this._fakeMedicalId(seed, original);
+        }
+        else if (category === Category.BANK_ACCOUNT_NUMBER) {
+            return this._fakeBankAccount(seed, original);
+        }
+        else if (category === Category.TAX_ID) {
+            return this._fakeTaxId(seed, original);
+        }
+        else if (category === Category.PASSPORT_NUMBER) {
+            return this._fakePassport(seed, original);
+        }
+        else if (category === Category.DRIVERS_LICENSE) {
+            return this._fakeDriversLicense(seed, original);
+        }
+        else if (category === Category.CASE_NUMBER) {
+            return this._fakeCaseNumber(seed, original);
+        }
+        else if (category === Category.CRYPTOCURRENCY_ADDRESS) {
+            return this._fakeCryptoAddress(seed, original);
+        }
+        else if (category === Category.AWS_ARN) {
+            return this._fakeAwsArn(seed, original);
         }
         return `code-${String(seed % 10000).padStart(4, "0")}`;
     }
@@ -212,20 +248,411 @@ export class CodeGenerator {
         const body = String(seed).padStart(18, "0").slice(0, 18);
         return `${cc}${check}${body}`;
     }
+    /**
+     * Format-aware national ID generator.
+     * Preserves structure per detected sub-type rather than generic zero-padding.
+     */
     _fakeNationalId(seed, original) {
-        // Preserve length and format (digits/letters)
+        const h = createHash("sha256").update(`natid:${seed}`).digest("hex");
         const len = original.length || 10;
-        const digits = String(seed).padStart(len, "0").slice(0, len);
-        return digits;
+        // Austrian SVNR: 4 digits + DDMMYY (e.g., "1234 010190")
+        if (/^\d{4}\s?\d{6}$/.test(original)) {
+            const d = h.replace(/[a-f]/g, c => String(parseInt(c, 16) % 10));
+            const hasSpace = original.includes(" ");
+            return hasSpace
+                ? `${d.slice(0, 4)} ${d.slice(4, 10)}`
+                : d.slice(0, 10);
+        }
+        // German Personalausweis: alphanumeric 9-10 chars with specific char set
+        if (/^[CFGHJKLMNPRTVWXYZ0-9]{9,10}$/.test(original)) {
+            const charset = "CFGHJKLMNPRTVWXYZ0123456789";
+            let result = "";
+            for (let i = 0; i < len; i++) {
+                result += charset[parseInt(h[i * 2] + h[i * 2 + 1], 16) % charset.length];
+            }
+            return result;
+        }
+        // Generic: preserve format character-by-character (letters stay letters, digits stay digits)
+        let result = "";
+        for (let i = 0; i < len; i++) {
+            const c = original[i];
+            if (!c || /[0-9]/.test(c)) {
+                result += String(parseInt(h[i] || "0", 16) % 10);
+            }
+            else if (/[A-Z]/.test(c)) {
+                result += "ABCDEFGHJKLMNPRSTUVWXYZ"[parseInt(h[i * 2] || "0", 16) % 23];
+            }
+            else if (/[a-z]/.test(c)) {
+                result += "abcdefghjklmnprstuvwxyz"[parseInt(h[i * 2] || "0", 16) % 23];
+            }
+            else {
+                result += c; // preserve dashes, spaces, etc.
+            }
+        }
+        return result;
     }
     _fakeJwt(seed) {
         const h = createHash("sha256").update(String(seed)).digest("base64url");
         return `eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.${h}`;
     }
+    /**
+     * GPS coordinate generator — distributes across plausible world locations
+     * instead of clustering near null island (0,0).
+     */
     _fakeGps(seed) {
-        // Generate coordinates near null island (0,0) — clearly fake
-        const lat = ((seed % 18000) / 100 - 90).toFixed(6);
-        const lon = (((seed >>> 8) % 36000) / 100 - 180).toFixed(6);
+        // Anchor points across continents for realistic-looking coordinates
+        const anchors = [
+            [48.2, 16.4], // Vienna area
+            [40.7, -74.0], // New York area
+            [51.5, -0.1], // London area
+            [35.7, 139.7], // Tokyo area
+            [-33.9, 151.2], // Sydney area
+            [55.8, 37.6], // Moscow area
+            [-23.5, -46.6], // São Paulo area
+            [37.8, -122.4], // San Francisco area
+            [52.5, 13.4], // Berlin area
+            [1.3, 103.8], // Singapore area
+        ];
+        const anchor = anchors[seed % anchors.length];
+        // Add deterministic offset ±2 degrees (stays in the general area)
+        const latOffset = ((seed >>> 4) % 400 - 200) / 100;
+        const lonOffset = ((seed >>> 12) % 400 - 200) / 100;
+        const lat = (anchor[0] + latOffset).toFixed(6);
+        const lon = (anchor[1] + lonOffset).toFixed(6);
         return `${lat}, ${lon}`;
     }
+    /**
+     * ICS/SCADA identifier — format-aware per sub-type.
+     * Preserves structure for OPC UA endpoints, Modbus addresses, BACnet IDs, etc.
+     */
+    _fakeIcsId(seed, original) {
+        const h = createHash("sha256").update(`ics:${seed}`).digest("hex");
+        const d = h.replace(/[a-f]/g, c => String(parseInt(c, 16) % 10));
+        // OPC UA endpoint: "opc.tcp://host:port/path"
+        if (/^opc\.tcp:\/\//i.test(original)) {
+            return `opc.tcp://plc-${d.slice(0, 4)}.local:${4840 + (seed % 100)}/${h.slice(0, 8)}`;
+        }
+        // Modbus/slave/unit address: small number
+        if (/^\d{1,3}$/.test(original)) {
+            return String((seed % 247) + 1); // Modbus range 1-247
+        }
+        // BACnet device instance: up to 7 digits
+        if (/^\d{1,7}$/.test(original) && original.length > 3) {
+            return d.slice(0, original.length);
+        }
+        // DNP3 outstation address: up to 5 digits
+        if (/^\d{1,5}$/.test(original)) {
+            return d.slice(0, original.length);
+        }
+        // IEC 61850 IED name: alphanumeric device name
+        if (/^[A-Z][A-Za-z0-9_\-]{2,}$/.test(original)) {
+            const prefixes = ["PLC", "RTU", "IED", "HMI", "DCS"];
+            return prefixes[seed % prefixes.length] + "-" + d.slice(0, 4);
+        }
+        // Historian tag: dotted path like "Plant.Area.Tag"
+        if (original.includes(".") && /^[A-Za-z]/.test(original)) {
+            const parts = original.split(".");
+            const fakeParts = parts.map((_, i) => {
+                const labels = i === 0 ? ["Plant", "Site", "Facility"]
+                    : i === parts.length - 1 ? ["Tag", "Point", "Value", "Status"]
+                        : ["Area", "Unit", "Zone", "Line"];
+                return labels[parseInt(h[i * 2] || "0", 16) % labels.length] + d.slice(i, i + 2);
+            });
+            return fakeParts.join(".");
+        }
+        // Fallback: prefix + digits
+        return `ICS-${d.slice(0, 5)}`;
+    }
+    /**
+     * Certificate generator — produces structurally valid PEM-like blocks
+     * instead of [REDACTED-CERT-XXXX] placeholders.
+     */
+    _fakeCertificate(seed, original) {
+        const h = createHash("sha256").update(`cert:${seed}`).digest("hex");
+        // PEM private key
+        if (/BEGIN.*PRIVATE KEY/i.test(original)) {
+            const fakeKey = Buffer.from(h + h + h + h).toString("base64");
+            const lines = [];
+            for (let i = 0; i < fakeKey.length; i += 64) {
+                lines.push(fakeKey.slice(i, i + 64));
+            }
+            return `-----BEGIN PRIVATE KEY-----\n${lines.join("\n")}\n-----END PRIVATE KEY-----`;
+        }
+        // PEM certificate
+        if (/BEGIN CERTIFICATE/i.test(original)) {
+            const fakeCert = Buffer.from(h + h + h + h + h + h).toString("base64");
+            const lines = [];
+            for (let i = 0; i < fakeCert.length; i += 64) {
+                lines.push(fakeCert.slice(i, i + 64));
+            }
+            return `-----BEGIN CERTIFICATE-----\n${lines.join("\n")}\n-----END CERTIFICATE-----`;
+        }
+        // Short cert/key reference
+        return `CERT-${h.slice(0, 12).toUpperCase()}`;
+    }
+    /**
+     * Format-preserving fake date of birth.
+     * Shifts the date by a deterministic offset (30-300 days) derived from seed,
+     * preserving the original format (MM/DD/YYYY, YYYY-MM-DD, DD.MM.YYYY, written month).
+     */
+    _fakeDob(seed, original) {
+        const offset = (seed % 270) + 30; // 30-300 day shift
+        // Try to parse and reformat
+        // ISO: 1987-03-15
+        const isoMatch = original.match(/(\d{4})-(\d{2})-(\d{2})/);
+        if (isoMatch) {
+            const d = new Date(+isoMatch[1], +isoMatch[2] - 1, +isoMatch[3]);
+            d.setDate(d.getDate() + offset);
+            return `${d.getFullYear()}-${String(d.getMonth() + 1).padStart(2, "0")}-${String(d.getDate()).padStart(2, "0")}`;
+        }
+        // US: MM/DD/YYYY or MM-DD-YYYY or MM.DD.YYYY
+        const usMatch = original.match(/(\d{1,2})([\/\-\.])(\d{1,2})\2(\d{2,4})/);
+        if (usMatch) {
+            const year = usMatch[4].length === 2 ? 1900 + +usMatch[4] : +usMatch[4];
+            const d = new Date(year, +usMatch[1] - 1, +usMatch[3]);
+            d.setDate(d.getDate() + offset);
+            const yStr = usMatch[4].length === 2 ? String(d.getFullYear()).slice(2) : String(d.getFullYear());
+            return `${String(d.getMonth() + 1).padStart(usMatch[1].length, "0")}${usMatch[2]}${String(d.getDate()).padStart(usMatch[3].length, "0")}${usMatch[2]}${yStr}`;
+        }
+        // Written month: "March 15, 1987"
+        const months = ["January", "February", "March", "April", "May", "June",
+            "July", "August", "September", "October", "November", "December"];
+        const writtenMatch = original.match(/(January|February|March|April|May|June|July|August|September|October|November|December)\s+(\d{1,2}),?\s+(\d{4})/i);
+        if (writtenMatch) {
+            const mi = months.findIndex(m => m.toLowerCase() === writtenMatch[1].toLowerCase());
+            const d = new Date(+writtenMatch[3], mi, +writtenMatch[2]);
+            d.setDate(d.getDate() + offset);
+            return `${months[d.getMonth()]} ${d.getDate()}, ${d.getFullYear()}`;
+        }
+        // Fallback: shift digits
+        const shifted = String((seed % 28) + 1).padStart(2, "0") + "/" +
+            String((seed % 12) + 1).padStart(2, "0") + "/" +
+            String(1950 + (seed % 60));
+        return shifted;
+    }
+    /**
+     * Fake medical record / provider ID.
+     * Preserves format structure (letter+digits, pure digits, with dashes).
+     */
+    _fakeMedicalId(seed, original) {
+        const h = createHash("sha256").update(`mrn:${seed}`).digest("hex");
+        // DEA format: 2 letters + 7 digits
+        if (/^[A-Z][A-Z9]\d{7}$/.test(original)) {
+            const letters = "ABCDEFGHJKLMNPRSTUVWXYZ";
+            return letters[seed % letters.length] + letters[(seed >>> 4) % letters.length] +
+                h.replace(/[a-f]/g, d => String((parseInt(d, 16) % 10))).slice(0, 7);
+        }
+        // NPI: 10 digits
+        if (/^\d{10}$/.test(original)) {
+            return h.replace(/[a-f]/g, d => String((parseInt(d, 16) % 10))).slice(0, 10);
+        }
+        // Generic: preserve length, replace with alphanumeric
+        const len = original.length || 8;
+        let result = "";
+        for (let i = 0; i < len; i++) {
+            const c = original[i];
+            if (!c || /[A-Z]/.test(c)) {
+                result += "ABCDEFGHJKLMNPRSTUVWXYZ"[parseInt(h[i * 2] || "0", 16) % 23];
+            }
+            else if (/[0-9]/.test(c)) {
+                result += h[i] ? String(parseInt(h[i], 16) % 10) : "0";
+            }
+            else {
+                result += c; // preserve dashes, etc.
+            }
+        }
+        return result;
+    }
+    /**
+     * Fake bank account / routing number.
+     * Preserves format (digit count, dashes, sort code format).
+     */
+    _fakeBankAccount(seed, original) {
+        const h = createHash("sha256").update(`bank:${seed}`).digest("hex");
+        // SWIFT/BIC: 8 or 11 alphanumeric
+        if (/^[A-Z]{6}[A-Z0-9]{2}(?:[A-Z0-9]{3})?$/.test(original)) {
+            const banks = ["SHROUD", "FAKEBK", "TESTBK", "DEMOFI", "SYNBNK"];
+            const bank = banks[seed % banks.length];
+            const country = original.slice(4, 6); // preserve country code
+            const suffix = h.slice(0, 2).toUpperCase();
+            const branch = original.length === 11 ? h.slice(2, 5).toUpperCase() : "";
+            return bank + country + suffix + branch;
+        }
+        // Sort code: XX-XX-XX
+        if (/^\d{2}-\d{2}-\d{2}$/.test(original)) {
+            const d = h.replace(/[a-f]/g, c => String(parseInt(c, 16) % 10));
+            return `${d.slice(0, 2)}-${d.slice(2, 4)}-${d.slice(4, 6)}`;
+        }
+        // Digit-only: preserve length
+        const len = original.replace(/\D/g, "").length || 9;
+        const digits = h.replace(/[a-f]/g, c => String(parseInt(c, 16) % 10)).slice(0, len);
+        return digits.padStart(len, "0");
+    }
+    /**
+     * Fake tax ID / EIN.
+     * Preserves format (XX-XXXXXXX for EIN, pure digits for others).
+     */
+    _fakeTaxId(seed, original) {
+        const h = createHash("sha256").update(`tax:${seed}`).digest("hex");
+        const digits = h.replace(/[a-f]/g, c => String(parseInt(c, 16) % 10));
+        // EIN format: XX-XXXXXXX
+        if (/^\d{2}-\d{7}$/.test(original)) {
+            return `${digits.slice(0, 2)}-${digits.slice(2, 9)}`;
+        }
+        // Pure digits: preserve length
+        const len = original.replace(/\D/g, "").length || 10;
+        return digits.slice(0, len).padStart(len, "0");
+    }
+    /**
+     * Fake passport number.
+     * Preserves format: letter prefix + digit count, or pure alphanumeric.
+     */
+    _fakePassport(seed, original) {
+        const h = createHash("sha256").update(`passport:${seed}`).digest("hex");
+        const len = original.length || 9;
+        let result = "";
+        for (let i = 0; i < len; i++) {
+            const c = original[i];
+            if (!c || /[A-Z]/.test(c)) {
+                result += "ABCDEFGHJKLMNPRSTUVWXYZ"[parseInt(h[i * 2] || "0", 16) % 23];
+            }
+            else if (/[a-z]/.test(c)) {
+                result += "abcdefghjklmnprstuvwxyz"[parseInt(h[i * 2] || "0", 16) % 23];
+            }
+            else if (/[0-9]/.test(c)) {
+                result += String(parseInt(h[i] || "0", 16) % 10);
+            }
+            else {
+                result += c; // preserve spaces, dashes
+            }
+        }
+        return result;
+    }
+    /**
+     * Fake driver's license / license plate.
+     * Preserves format structure (letter/digit positions, dashes, spaces).
+     */
+    _fakeDriversLicense(seed, original) {
+        const h = createHash("sha256").update(`dl:${seed}`).digest("hex");
+        const len = original.length || 8;
+        let result = "";
+        for (let i = 0; i < len; i++) {
+            const c = original[i];
+            if (!c || /[A-Z]/.test(c)) {
+                result += "ABCDEFGHJKLMNPRSTUVWXYZ"[parseInt(h[i * 2] || "0", 16) % 23];
+            }
+            else if (/[0-9]/.test(c)) {
+                result += String(parseInt(h[i] || "0", 16) % 10);
+            }
+            else {
+                result += c; // preserve dashes, spaces
+            }
+        }
+        return result;
+    }
+    /**
+     * Fake case / docket / patent number.
+     * Preserves format: digit:digit-letters-digits, or prefix + digits.
+     */
+    _fakeCaseNumber(seed, original) {
+        const h = createHash("sha256").update(`case:${seed}`).digest("hex");
+        // US federal: X:XX-xx-XXXXX
+        const fedMatch = original.match(/^(\d{1,2}):(\d{2})-([a-z]{2})-(\d{3,6})$/);
+        if (fedMatch) {
+            const d = h.replace(/[a-f]/g, c => String(parseInt(c, 16) % 10));
+            return `${d.slice(0, fedMatch[1].length)}:${d.slice(2, 4)}-${fedMatch[3]}-${d.slice(4, 4 + fedMatch[4].length)}`;
+        }
+        // Patent: preserve country prefix + fake digits
+        const patentMatch = original.match(/^([A-Z]{2})\s?(\d+)(.*)$/);
+        if (patentMatch) {
+            const d = h.replace(/[a-f]/g, c => String(parseInt(c, 16) % 10));
+            return `${patentMatch[1]}${d.slice(0, patentMatch[2].length)}${patentMatch[3]}`;
+        }
+        // German Aktenzeichen: preserve structure
+        const azMatch = original.match(/^(\d{1,3})\s+([A-Z][a-z]*)\s+(\d{1,5})\/(\d{2,4})$/);
+        if (azMatch) {
+            const d = h.replace(/[a-f]/g, c => String(parseInt(c, 16) % 10));
+            return `${d.slice(0, azMatch[1].length)} ${azMatch[2]} ${d.slice(2, 2 + azMatch[3].length)}/${d.slice(5, 5 + azMatch[4].length)}`;
+        }
+        // Generic: preserve format character-by-character
+        const len = original.length || 10;
+        let result = "";
+        for (let i = 0; i < len; i++) {
+            const c = original[i];
+            if (!c || /[A-Z]/.test(c)) {
+                result += "ABCDEFGHJKLMNPRSTUVWXYZ"[parseInt(h[i * 2] || "0", 16) % 23];
+            }
+            else if (/[a-z]/.test(c)) {
+                result += "abcdefghjklmnprstuvwxyz"[parseInt(h[i * 2] || "0", 16) % 23];
+            }
+            else if (/[0-9]/.test(c)) {
+                result += String(parseInt(h[i] || "0", 16) % 10);
+            }
+            else {
+                result += c;
+            }
+        }
+        return result;
+    }
+    /**
+     * Fake cryptocurrency address.
+     * Preserves format: Ethereum (0x + 40 hex), Bitcoin P2PKH/P2SH (base58),
+     * Bitcoin Bech32 (bc1 + lowercase alphanum).
+     */
+    _fakeCryptoAddress(seed, original) {
+        const h = createHash("sha256").update(`crypto:${seed}`).digest("hex");
+        // Ethereum: 0x + 40 hex
+        if (/^0x[0-9a-fA-F]{40}$/.test(original)) {
+            return "0x" + h.slice(0, 40);
+        }
+        // Bitcoin Bech32: bc1 + lowercase alphanum
+        if (/^bc1[a-z0-9]{39,59}$/.test(original)) {
+            const len = original.length - 3; // minus "bc1"
+            const chars = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"; // bech32 charset
+            let result = "bc1";
+            for (let i = 0; i < len; i++) {
+                result += chars[parseInt(h[(i * 2) % 64] + h[(i * 2 + 1) % 64], 16) % chars.length];
+            }
+            return result;
+        }
+        // Bitcoin P2PKH (starts with 1) or P2SH (starts with 3)
+        if (/^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$/.test(original)) {
+            const prefix = original[0];
+            const base58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+            const len = original.length - 1;
+            let result = prefix;
+            for (let i = 0; i < len; i++) {
+                result += base58[parseInt(h[(i * 2) % 64] + h[(i * 2 + 1) % 64], 16) % base58.length];
+            }
+            return result;
+        }
+        // Generic: preserve length with hex-like replacement
+        return h.slice(0, original.length || 42);
+    }
+    /**
+     * Fake AWS ARN.
+     * Preserves service and resource type, replaces account ID and resource name.
+     */
+    _fakeAwsArn(seed, original) {
+        const h = createHash("sha256").update(`arn:${seed}`).digest("hex");
+        // Full ARN: arn:partition:service:region:account-id:resource
+        const arnMatch = original.match(/^(arn:[a-z\-]+:[a-z0-9\-]+:[a-z0-9\-]*:)(\d{0,12}):(.+)$/);
+        if (arnMatch) {
+            const accountLen = arnMatch[2].length;
+            const fakeAccount = accountLen > 0
+                ? h.replace(/[a-f]/g, c => String(parseInt(c, 16) % 10)).slice(0, accountLen)
+                : ""; // S3-style ARN with no account
+            const resourceParts = arnMatch[3].split("/");
+            // Preserve resource type (first part), fake the rest
+            const fakeResource = resourceParts.length > 1
+                ? resourceParts[0] + "/shroud-" + h.slice(12, 20)
+                : "shroud-" + h.slice(12, 20);
+            return arnMatch[1] + fakeAccount + ":" + fakeResource;
+        }
+        // Bare account ID (12 digits)
+        if (/^\d{12}$/.test(original)) {
+            return h.replace(/[a-f]/g, c => String(parseInt(c, 16) % 10)).slice(0, 12);
+        }
+        return `arn:aws:iam::${h.replace(/[a-f]/g, c => String(parseInt(c, 16) % 10)).slice(0, 12)}:shroud-${h.slice(0, 8)}`;
+    }
 }

package/dist/types.d.ts CHANGED Viewed

@@ -29,6 +29,15 @@ export declare enum Category {
     ICS_IDENTIFIER = "ics_identifier",
     GPS_COORDINATE = "gps_coordinate",
     CERTIFICATE = "certificate",
+    DATE_OF_BIRTH = "date_of_birth",
+    MEDICAL_RECORD_NUMBER = "medical_record_number",
+    BANK_ACCOUNT_NUMBER = "bank_account_number",
+    TAX_ID = "tax_id",
+    PASSPORT_NUMBER = "passport_number",
+    DRIVERS_LICENSE = "drivers_license",
+    CASE_NUMBER = "case_number",
+    CRYPTOCURRENCY_ADDRESS = "cryptocurrency_address",
+    AWS_ARN = "aws_arn",
     CUSTOM = "custom"
 }
 /** A detected sensitive entity in text. */

package/dist/types.js CHANGED Viewed

@@ -31,5 +31,17 @@ export var Category;
     Category["ICS_IDENTIFIER"] = "ics_identifier";
     Category["GPS_COORDINATE"] = "gps_coordinate";
     Category["CERTIFICATE"] = "certificate";
+    // Healthcare / finance / identity
+    Category["DATE_OF_BIRTH"] = "date_of_birth";
+    Category["MEDICAL_RECORD_NUMBER"] = "medical_record_number";
+    Category["BANK_ACCOUNT_NUMBER"] = "bank_account_number";
+    Category["TAX_ID"] = "tax_id";
+    // Legal / identity documents
+    Category["PASSPORT_NUMBER"] = "passport_number";
+    Category["DRIVERS_LICENSE"] = "drivers_license";
+    Category["CASE_NUMBER"] = "case_number";
+    // Cloud / crypto
+    Category["CRYPTOCURRENCY_ADDRESS"] = "cryptocurrency_address";
+    Category["AWS_ARN"] = "aws_arn";
     Category["CUSTOM"] = "custom";
 })(Category || (Category = {}));

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "shroud-privacy",
-  "version": "2.3.0",
+  "version": "2.4.0",
   "description": "Privacy and infrastructure protection for AI agents — detects sensitive data (PII, network topology, credentials, OT/SCADA) and replaces with deterministic fakes before anything reaches the LLM.",
   "type": "module",
   "main": "dist/index.js",