dbveil 0.1.0__tar.gz

dbveil-0.1.0/.github/workflows/publish.yml

@@ -0,0 +1,61 @@
+name: Publish to PyPI
+
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: Build & test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: astral-sh/setup-uv@v5
+
+      - name: Create venv & install (with dev extras)
+        run: |
+          uv venv --python 3.12
+          uv pip install -e '.[dev]'
+
+      - name: Test
+        run: .venv/bin/pytest -q
+
+      - name: Verify version matches release tag
+        run: |
+          TAG="${GITHUB_REF_NAME#v}"
+          PKG=$(grep -m1 '^version = ' pyproject.toml | sed -E 's/^version = "(.*)"/\1/')
+          echo "release tag: $TAG | pyproject version: $PKG"
+          if [ "$TAG" != "$PKG" ]; then
+            echo "::error::Release tag ($TAG) != pyproject version ($PKG). Bump version in pyproject.toml before releasing."
+            exit 1
+          fi
+
+      - name: Build sdist + wheel
+        run: uv build
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+  publish:
+    name: Publish to PyPI
+    needs: build
+    runs-on: ubuntu-latest
+    environment:
+      name: pypi
+      url: https://pypi.org/p/dbveil
+    permissions:
+      id-token: write   # required for trusted publishing (OIDC)
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1

dbveil-0.1.0/.gitignore

@@ -0,0 +1,14 @@
+__pycache__/
+*.py[cod]
+.venv/
+venv/
+*.egg-info/
+dist/
+build/
+.pytest_cache/
+.ruff_cache/
+
+# local config + secrets + audit output
+pgveil.yaml
+*-audit.jsonl
+.env

dbveil-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Mathusan Selvarajah
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

dbveil-0.1.0/PKG-INFO

@@ -0,0 +1,194 @@
+Metadata-Version: 2.4
+Name: dbveil
+Version: 0.1.0
+Summary: A local read-only, PII-redacting proxy that lets AI agents query your database safely.
+Project-URL: Homepage, https://github.com/mathu97/dbveil
+Project-URL: Repository, https://github.com/mathu97/dbveil
+Author: Mathusan Selvarajah
+License-Expression: MIT
+License-File: LICENSE
+Keywords: ai,claude,database,mcp,pii,postgres,proxy,read-only,redaction
+Requires-Python: >=3.10
+Requires-Dist: asyncpg>=0.29
+Requires-Dist: mcp>=1.2
+Requires-Dist: pglast>=6.0
+Requires-Dist: pydantic>=2.6
+Requires-Dist: pyyaml>=6.0
+Requires-Dist: rich>=13.7
+Requires-Dist: typer>=0.12
+Provides-Extra: dev
+Requires-Dist: pytest-asyncio>=0.23; extra == 'dev'
+Requires-Dist: pytest>=8.0; extra == 'dev'
+Provides-Extra: llm
+Requires-Dist: httpx>=0.27; extra == 'llm'
+Provides-Extra: ner
+Requires-Dist: presidio-analyzer>=2.2; extra == 'ner'
+Requires-Dist: presidio-anonymizer>=2.2; extra == 'ner'
+Description-Content-Type: text/markdown
+
+# veil
+
+**A local read-only, PII-redacting proxy that lets AI agents query your database safely.**
+
+Point Claude Code (or any MCP client) at `veil` instead of your database. Every query is
+forced through three deterministic guarantees before a single row reaches the model:
+
+1. **Read-only guard** — the query is parsed with Postgres's real grammar (`libpg_query`).
+   Only `SELECT` / `SHOW` / `EXPLAIN` survive. Writes, DDL, multi-statements, data-modifying
+   CTEs, `SELECT INTO`, and row locks are rejected *before execution* — not by asking the model
+   nicely, by refusing to run them.
+2. **PII redaction** — results are scrubbed before they leave your machine: deterministic
+   column rules + always-on regex for structured PII (emails, phones, cards, SSNs), with an
+   optional NER/LLM backstop for free-text.
+3. **Audit** — every query and verdict is appended to a log you can tail live in a TUI.
+
+A guarded chokepoint in front of the DB, shrunk to a single open-source command with zero
+infrastructure to stand up.
+
+```
+Claude Code ──MCP──▶  veil  ──READ ONLY txn──▶  your database
+                       │
+                       ├─ guard:   parse → allow SELECT only
+                       ├─ redact:  column rules + regex + (optional) NER/LLM
+                       └─ audit:   veil-audit.jsonl
+```
+
+## Why
+
+You want an agent to act as a data analyst over real tables — "compare what we drafted vs what
+was actually sent" — without (a) risking a destructive query or (b) shipping customer PII to a
+model provider. Handing an agent raw DB credentials and hoping it only writes `SELECT` is not a
+control. `veil` makes the unsafe paths impossible at the layer the agent can't talk its way past.
+
+## Install
+
+```bash
+pip install dbveil          # or: uv pip install dbveil
+# optional extras:
+pip install 'dbveil[ner]'   # Presidio NER backstop for names/addresses
+pip install 'dbveil[llm]'   # local-LLM (Ollama) redaction
+```
+
+## Quickstart
+
+```bash
+veil init          # interactive: DB URL + auto-detect PII columns → writes veil.yaml
+veil doctor        # verify guard, connectivity, and that READ ONLY actually blocks writes
+veil test-query "SELECT email, created_at FROM users LIMIT 5"   # try it without an agent
+veil up            # run the MCP proxy on stdio (what Claude Code connects to)
+```
+
+Try a write to see the guard refuse it:
+
+```bash
+veil test-query "DELETE FROM users"
+# BLOCKED — write or DDL operation detected: DELETE
+```
+
+### Connect Claude Code
+
+```bash
+claude mcp add veil -- veil up
+```
+
+or commit a `.mcp.json` so your whole team gets it:
+
+```json
+{
+  "mcpServers": {
+    "veil": { "command": "veil", "args": ["up"], "env": { "VEIL_CONFIG": "veil.yaml" } }
+  }
+}
+```
+
+Now the agent has three tools — `query`, `list_tables`, `describe_table` — and physically
+cannot write or see raw PII.
+
+### Watch it live
+
+```bash
+veil monitor       # TUI tailing veil-audit.jsonl: allowed / blocked / redaction counts
+```
+
+## Configuration
+
+`veil init` writes a commented `veil.yaml`. Full reference in
+[`examples/veil.example.yaml`](examples/veil.example.yaml). The essentials:
+
+```yaml
+database:
+  url: ${DATABASE_URL}          # env refs kept out of the file
+
+guard:
+  allow_select_star: false      # block SELECT * on PII tables; force explicit columns
+  max_rows: 1000
+  statement_timeout_ms: 15000
+  pii_tables: [contacts, users]
+
+redact:
+  builtin_patterns: { email: true, phone: true, credit_card: true, ssn: true, ip: false }
+  columns:
+    - { column: email,     strategy: hash }      # sha256, still join-able
+    - { column: full_name, strategy: mask }      # -> [redacted]
+    - { column: ssn,       strategy: partial, keep: 4 }
+  ner: { enabled: false, engine: presidio }      # optional backstop
+```
+
+## How redaction is layered (and its honest limits)
+
+`veil` defends from the **deterministic** side first, because that's the only kind you can trust
+not to leak:
+
+| Layer | What it catches | Deterministic? |
+|---|---|---|
+| **Column rules** | Known PII columns (`email`, `ssn`, …) by name | ✅ yes |
+| **Built-in regex** | Emails, phones, Luhn-valid cards, SSNs, IPs — even aliased or in free-text | ✅ yes |
+| **NER (Presidio)** | Names / addresses in free-text the above miss | ⚠️ probabilistic |
+| **LLM (Ollama)** | Same, via a local model | ⚠️ probabilistic, experimental |
+
+**Use the probabilistic layers only as a backstop.** ML/NER *will* eventually miss a name or an
+oddly-formatted address — that's a leak. For columns you already know are sensitive, the column
+rules are the real control. The LLM redactor fails *closed*: if the model errors, the cell is
+masked, never passed through.
+
+## Security model
+
+- **Two independent read-only layers.** The parser rejects non-reads, *and* every query runs
+  inside a `SET TRANSACTION READ ONLY` transaction — so even a parser gap can't write.
+- **Give veil a least-privilege credential.** Best practice is a `GRANT SELECT`-only database
+  role (ideally on a read replica). Then "read-only" is enforced by the database itself, and the
+  credential `veil` holds is low-blast-radius: a leak exposes already-masked reads and can write
+  nothing. `veil doctor` confirms the READ ONLY transaction rejects writes against your DB.
+- **PII never leaves your machine unmasked.** Redaction happens in-process, before results are
+  serialized to the MCP client.
+
+## Secure connectivity
+
+`veil` connects to whatever DSN you give it, so the network path is yours to choose:
+
+- **Tailscale** — put your DB behind a tailnet and point `database.url` at the tailnet host. No
+  public DB port.
+- **Short-lived credentials** — `${DATABASE_URL}` is expanded at load, so you can inject an
+  ephemeral token (RDS IAM auth, Cloud SQL IAM, a Vault dynamic user) instead of a static
+  password.
+- **Railway / managed PaaS** — use the provided TLS endpoint with a dedicated read-only role.
+
+## Roadmap
+
+- **Postgres wire-protocol frontend** — so `psql`, BI tools, and any client (not just MCP) get
+  the same guard + redaction. The pipeline is already frontend-agnostic.
+- **More engines** — MySQL, SQLite (the guard's parser is the only Postgres-specific piece; it's
+  a pluggable backend).
+- **Schema-aware lineage** — resolve aliased PII columns back to their source table.
+
+## Development
+
+```bash
+uv venv && source .venv/bin/activate
+uv pip install -e '.[dev]'
+pytest
+```
+
+## License
+
+MIT

dbveil-0.1.0/README.md

@@ -0,0 +1,166 @@
+# veil
+
+**A local read-only, PII-redacting proxy that lets AI agents query your database safely.**
+
+Point Claude Code (or any MCP client) at `veil` instead of your database. Every query is
+forced through three deterministic guarantees before a single row reaches the model:
+
+1. **Read-only guard** — the query is parsed with Postgres's real grammar (`libpg_query`).
+   Only `SELECT` / `SHOW` / `EXPLAIN` survive. Writes, DDL, multi-statements, data-modifying
+   CTEs, `SELECT INTO`, and row locks are rejected *before execution* — not by asking the model
+   nicely, by refusing to run them.
+2. **PII redaction** — results are scrubbed before they leave your machine: deterministic
+   column rules + always-on regex for structured PII (emails, phones, cards, SSNs), with an
+   optional NER/LLM backstop for free-text.
+3. **Audit** — every query and verdict is appended to a log you can tail live in a TUI.
+
+A guarded chokepoint in front of the DB, shrunk to a single open-source command with zero
+infrastructure to stand up.
+
+```
+Claude Code ──MCP──▶  veil  ──READ ONLY txn──▶  your database
+                       │
+                       ├─ guard:   parse → allow SELECT only
+                       ├─ redact:  column rules + regex + (optional) NER/LLM
+                       └─ audit:   veil-audit.jsonl
+```
+
+## Why
+
+You want an agent to act as a data analyst over real tables — "compare what we drafted vs what
+was actually sent" — without (a) risking a destructive query or (b) shipping customer PII to a
+model provider. Handing an agent raw DB credentials and hoping it only writes `SELECT` is not a
+control. `veil` makes the unsafe paths impossible at the layer the agent can't talk its way past.
+
+## Install
+
+```bash
+pip install dbveil          # or: uv pip install dbveil
+# optional extras:
+pip install 'dbveil[ner]'   # Presidio NER backstop for names/addresses
+pip install 'dbveil[llm]'   # local-LLM (Ollama) redaction
+```
+
+## Quickstart
+
+```bash
+veil init          # interactive: DB URL + auto-detect PII columns → writes veil.yaml
+veil doctor        # verify guard, connectivity, and that READ ONLY actually blocks writes
+veil test-query "SELECT email, created_at FROM users LIMIT 5"   # try it without an agent
+veil up            # run the MCP proxy on stdio (what Claude Code connects to)
+```
+
+Try a write to see the guard refuse it:
+
+```bash
+veil test-query "DELETE FROM users"
+# BLOCKED — write or DDL operation detected: DELETE
+```
+
+### Connect Claude Code
+
+```bash
+claude mcp add veil -- veil up
+```
+
+or commit a `.mcp.json` so your whole team gets it:
+
+```json
+{
+  "mcpServers": {
+    "veil": { "command": "veil", "args": ["up"], "env": { "VEIL_CONFIG": "veil.yaml" } }
+  }
+}
+```
+
+Now the agent has three tools — `query`, `list_tables`, `describe_table` — and physically
+cannot write or see raw PII.
+
+### Watch it live
+
+```bash
+veil monitor       # TUI tailing veil-audit.jsonl: allowed / blocked / redaction counts
+```
+
+## Configuration
+
+`veil init` writes a commented `veil.yaml`. Full reference in
+[`examples/veil.example.yaml`](examples/veil.example.yaml). The essentials:
+
+```yaml
+database:
+  url: ${DATABASE_URL}          # env refs kept out of the file
+
+guard:
+  allow_select_star: false      # block SELECT * on PII tables; force explicit columns
+  max_rows: 1000
+  statement_timeout_ms: 15000
+  pii_tables: [contacts, users]
+
+redact:
+  builtin_patterns: { email: true, phone: true, credit_card: true, ssn: true, ip: false }
+  columns:
+    - { column: email,     strategy: hash }      # sha256, still join-able
+    - { column: full_name, strategy: mask }      # -> [redacted]
+    - { column: ssn,       strategy: partial, keep: 4 }
+  ner: { enabled: false, engine: presidio }      # optional backstop
+```
+
+## How redaction is layered (and its honest limits)
+
+`veil` defends from the **deterministic** side first, because that's the only kind you can trust
+not to leak:
+
+| Layer | What it catches | Deterministic? |
+|---|---|---|
+| **Column rules** | Known PII columns (`email`, `ssn`, …) by name | ✅ yes |
+| **Built-in regex** | Emails, phones, Luhn-valid cards, SSNs, IPs — even aliased or in free-text | ✅ yes |
+| **NER (Presidio)** | Names / addresses in free-text the above miss | ⚠️ probabilistic |
+| **LLM (Ollama)** | Same, via a local model | ⚠️ probabilistic, experimental |
+
+**Use the probabilistic layers only as a backstop.** ML/NER *will* eventually miss a name or an
+oddly-formatted address — that's a leak. For columns you already know are sensitive, the column
+rules are the real control. The LLM redactor fails *closed*: if the model errors, the cell is
+masked, never passed through.
+
+## Security model
+
+- **Two independent read-only layers.** The parser rejects non-reads, *and* every query runs
+  inside a `SET TRANSACTION READ ONLY` transaction — so even a parser gap can't write.
+- **Give veil a least-privilege credential.** Best practice is a `GRANT SELECT`-only database
+  role (ideally on a read replica). Then "read-only" is enforced by the database itself, and the
+  credential `veil` holds is low-blast-radius: a leak exposes already-masked reads and can write
+  nothing. `veil doctor` confirms the READ ONLY transaction rejects writes against your DB.
+- **PII never leaves your machine unmasked.** Redaction happens in-process, before results are
+  serialized to the MCP client.
+
+## Secure connectivity
+
+`veil` connects to whatever DSN you give it, so the network path is yours to choose:
+
+- **Tailscale** — put your DB behind a tailnet and point `database.url` at the tailnet host. No
+  public DB port.
+- **Short-lived credentials** — `${DATABASE_URL}` is expanded at load, so you can inject an
+  ephemeral token (RDS IAM auth, Cloud SQL IAM, a Vault dynamic user) instead of a static
+  password.
+- **Railway / managed PaaS** — use the provided TLS endpoint with a dedicated read-only role.
+
+## Roadmap
+
+- **Postgres wire-protocol frontend** — so `psql`, BI tools, and any client (not just MCP) get
+  the same guard + redaction. The pipeline is already frontend-agnostic.
+- **More engines** — MySQL, SQLite (the guard's parser is the only Postgres-specific piece; it's
+  a pluggable backend).
+- **Schema-aware lineage** — resolve aliased PII columns back to their source table.
+
+## Development
+
+```bash
+uv venv && source .venv/bin/activate
+uv pip install -e '.[dev]'
+pytest
+```
+
+## License
+
+MIT

dbveil-0.1.0/examples/veil.example.yaml

@@ -0,0 +1,44 @@
+# veil configuration — https://github.com/mathu97/dbveil
+# Copy to veil.yaml and edit. Secrets should stay in env vars (${VAR} is expanded at load).
+
+database:
+  url: ${DATABASE_URL}   # e.g. postgresql://ai_analyst:***@db.internal:5432/app
+
+guard:
+  allow_select_star: false      # block SELECT * on PII tables; force explicit column lists
+  max_rows: 1000                # cap rows returned to the agent
+  statement_timeout_ms: 15000   # kill slow queries
+  pii_tables:                   # SELECT * is always rejected on these
+    - contacts
+    - users
+
+redact:
+  # Deterministic, always-on regex redaction for structured PII. Catches values
+  # even when aliased (SELECT email AS e) or buried in free-text columns.
+  builtin_patterns:
+    email: true
+    phone: true
+    credit_card: true   # Luhn-checked to cut false positives
+    ssn: true
+    ip: false
+  hash_salt: ""         # set a stable secret to keep hashed values join-able across runs
+
+  # Column-level rules applied by output column name.
+  # strategy: mask (-> [redacted]) | null | hash (sha256, join-able) | partial (keep last N)
+  columns:
+    - { column: email, strategy: hash }
+    - { column: phone, strategy: mask }
+    - { column: full_name, strategy: mask }
+    - { column: ssn, strategy: partial, keep: 4 }
+
+  # Optional probabilistic NER for free-text PII (names, addresses) the rules above miss.
+  # Backstop only, never the sole control. Needs: pip install 'dbveil[ner]'  (or [llm])
+  ner:
+    enabled: false
+    engine: presidio            # presidio | llm
+    entities: [PERSON, LOCATION, EMAIL_ADDRESS, PHONE_NUMBER]
+    score_threshold: 0.5
+    ollama_url: http://localhost:11434
+    ollama_model: llama3.2
+
+audit_log: veil-audit.jsonl

dbveil-0.1.0/pyproject.toml

@@ -0,0 +1,42 @@
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[project]
+name = "dbveil"
+version = "0.1.0"
+description = "A local read-only, PII-redacting proxy that lets AI agents query your database safely."
+readme = "README.md"
+license = "MIT"
+requires-python = ">=3.10"
+authors = [{ name = "Mathusan Selvarajah" }]
+keywords = ["database", "postgres", "mcp", "pii", "redaction", "ai", "read-only", "proxy", "claude"]
+dependencies = [
+    "asyncpg>=0.29",
+    "pglast>=6.0",
+    "pydantic>=2.6",
+    "pyyaml>=6.0",
+    "typer>=0.12",
+    "rich>=13.7",
+    "mcp>=1.2",
+]
+
+[project.optional-dependencies]
+ner = ["presidio-analyzer>=2.2", "presidio-anonymizer>=2.2"]
+llm = ["httpx>=0.27"]
+dev = ["pytest>=8.0", "pytest-asyncio>=0.23"]
+
+[project.scripts]
+veil = "veil.cli:app"
+dbveil = "veil.cli:app"
+
+[project.urls]
+Homepage = "https://github.com/mathu97/dbveil"
+Repository = "https://github.com/mathu97/dbveil"
+
+[tool.hatch.build.targets.wheel]
+packages = ["veil"]
+
+[tool.pytest.ini_options]
+asyncio_mode = "auto"
+testpaths = ["tests"]

dbveil-0.1.0/tests/test_guard.py

@@ -0,0 +1,73 @@
+from veil.guard import check_query
+
+
+def test_plain_select_allowed():
+    assert check_query("SELECT id, name FROM users").allowed
+
+
+def test_join_and_aggregate_allowed():
+    sql = "SELECT u.id, count(*) FROM users u JOIN orders o ON o.user_id = u.id GROUP BY u.id"
+    assert check_query(sql).allowed
+
+
+def test_cte_select_allowed():
+    sql = "WITH recent AS (SELECT * FROM logs WHERE ts > now() - interval '1 day') SELECT count(*) FROM recent"
+    assert check_query(sql).allowed
+
+
+def test_show_allowed():
+    assert check_query("SHOW server_version").allowed
+
+
+def test_explain_allowed_but_analyze_blocked():
+    assert check_query("EXPLAIN SELECT 1").allowed
+    assert not check_query("EXPLAIN ANALYZE SELECT 1").allowed
+
+
+def test_writes_blocked():
+    for sql in [
+        "INSERT INTO t (x) VALUES (1)",
+        "UPDATE t SET x = 1",
+        "DELETE FROM t",
+        "DROP TABLE t",
+        "TRUNCATE t",
+        "ALTER TABLE t ADD COLUMN y int",
+        "CREATE TABLE t (x int)",
+        "GRANT SELECT ON t TO public",
+    ]:
+        assert not check_query(sql).allowed, sql
+
+
+def test_data_modifying_cte_blocked():
+    sql = "WITH w AS (DELETE FROM t RETURNING *) SELECT * FROM w"
+    assert not check_query(sql).allowed
+
+
+def test_multi_statement_blocked():
+    assert not check_query("SELECT 1; DROP TABLE t").allowed
+
+
+def test_select_into_blocked():
+    assert not check_query("SELECT * INTO backup FROM users").allowed
+
+
+def test_locking_clause_blocked():
+    assert not check_query("SELECT * FROM users FOR UPDATE").allowed
+
+
+def test_select_star_on_pii_table_blocked():
+    r = check_query("SELECT * FROM contacts", pii_tables=["contacts"])
+    assert not r.allowed
+
+
+def test_select_star_on_non_pii_table_allowed():
+    assert check_query("SELECT * FROM metrics", pii_tables=["contacts"]).allowed
+
+
+def test_select_star_allowed_when_configured():
+    assert check_query("SELECT * FROM contacts", allow_select_star=True, pii_tables=["contacts"]).allowed
+
+
+def test_garbage_blocked():
+    assert not check_query("this is not sql").allowed
+    assert not check_query("").allowed

dbveil-0.1.0/tests/test_redact.py

@@ -0,0 +1,67 @@
+from veil.config import BuiltinPatterns, ColumnRule, RedactConfig, RedactStrategy
+from veil.redact import Redactor
+from veil.redact.column_rules import apply_column_rules
+from veil.redact.patterns import redact_text
+from veil.result import ResultSet
+
+
+def test_column_mask():
+    rows = [[1, "alice@example.com"]]
+    n = apply_column_rules(["id", "email"], rows, [ColumnRule(column="email")])
+    assert rows[0][1] == "[redacted]"
+    assert n == 1
+
+
+def test_column_null():
+    rows = [["secret"]]
+    apply_column_rules(["x"], rows, [ColumnRule(column="x", strategy=RedactStrategy.NULL)])
+    assert rows[0][0] is None
+
+
+def test_column_hash_is_deterministic():
+    rows1 = [["a@b.com"]]
+    rows2 = [["a@b.com"]]
+    rule = [ColumnRule(column="e", strategy=RedactStrategy.HASH)]
+    apply_column_rules(["e"], rows1, rule)
+    apply_column_rules(["e"], rows2, rule)
+    assert rows1[0][0] == rows2[0][0]
+    assert rows1[0][0].startswith("sha256:")
+
+
+def test_column_partial():
+    rows = [["123456789"]]
+    apply_column_rules(["ssn"], rows, [ColumnRule(column="ssn", strategy=RedactStrategy.PARTIAL, keep=4)])
+    assert rows[0][0].endswith("6789")
+    assert rows[0][0].startswith("*")
+
+
+def test_pattern_email_phone_ssn():
+    text, n = redact_text("reach alice@example.com or 415-555-2671, ssn 123-45-6789", BuiltinPatterns())
+    assert "[email]" in text and "[phone]" in text and "[ssn]" in text
+    assert n == 3
+
+
+def test_pattern_credit_card_luhn():
+    text, n = redact_text("card 4111111111111111 here", BuiltinPatterns())
+    assert "[card]" in text and n == 1
+    text2, n2 = redact_text("not a card 1234567890123456", BuiltinPatterns())
+    assert n2 == 0
+
+
+def test_pattern_ip_opt_in():
+    off, n_off = redact_text("host 10.0.0.1", BuiltinPatterns(ip=False))
+    on, n_on = redact_text("host 10.0.0.1", BuiltinPatterns(ip=True))
+    assert n_off == 0 and "[ip]" in on
+
+
+def test_redactor_end_to_end():
+    cfg = RedactConfig(columns=[ColumnRule(column="email", strategy=RedactStrategy.HASH)])
+    rs = ResultSet(
+        columns=["id", "email", "note"],
+        rows=[[1, "a@b.com", "call me at 415-555-2671"]],
+        row_count=1,
+    )
+    n = Redactor(cfg).apply(rs)
+    assert rs.rows[0][1].startswith("sha256:")
+    assert "[phone]" in rs.rows[0][2]
+    assert n >= 2