/** * =============================================================================== * SECURE REDACTION UTILITIES * =============================================================================== * * Provides utilities for redacting sensitive information from logs and outputs. * This module is the first line of defense against information leakage. * * SECURITY PRINCIPLE: Never log raw values that could contain PII, financial * data, credentials, or business-sensitive information. Instead, log metadata * about the value (type, length, hash prefix) for debugging. * * @example * ```typescript * import { redact, redactObject, isSensitiveField } from './redaction.js'; * * // Redact a single value * const safe = redact(customerEmail); * // Returns: { type: 'string', length: 25, preview: 'cust***' } * * // Redact all sensitive fields in an object * const safePayload = redactObject(erpResponse); * ``` * * =============================================================================== */ /** * Redaction placeholder for logs. */ export declare const REDACTED = ""; /** * Patterns that indicate a field name contains sensitive data. * These are matched case-insensitively against field names. */ export declare const SENSITIVE_FIELD_PATTERNS: readonly RegExp[]; /** * Specific field names that should always be redacted regardless of pattern. */ export declare const SENSITIVE_FIELD_NAMES: Set; /** * Result of redacting a value - preserves metadata for debugging. */ export interface RedactedValue { /** Original type of the value */ type: string; /** Length of string representation */ length: number; /** First 4 chars with asterisks (for correlation) */ preview?: string; /** SHA-256 hash prefix (8 chars) for correlation without exposure */ hashPrefix?: string; /** Whether the value was null/undefined */ isNull?: boolean; /** For arrays, the count of elements */ count?: number; } /** * Check if a field name matches sensitive patterns. * * @param fieldName - The field name to check * @returns true if the field name indicates sensitive data */ export declare function isSensitiveField(fieldName: string): boolean; /** * Compute a safe hash prefix for correlation purposes. * Uses a salted hash to prevent rainbow table attacks. * * @param value - Value to hash * @param salt - Optional salt (defaults to empty string) * @returns First 8 characters of SHA-256 hash */ export declare function hashPrefix(value: unknown, salt?: string): string; /** * Create a safe preview of a string value. * Shows first 4 characters followed by asterisks. * * @param value - String to preview * @returns Safe preview string */ export declare function safePreview(value: string): string; /** * Redact a single value, returning metadata for debugging. * * @param value - Any value that might be sensitive * @param includeHash - Whether to include hash prefix for correlation * @returns Redacted metadata object * * @example * ```typescript * redact('john.doe@company.com') * // Returns: { type: 'string', length: 20, preview: 'john***' } * * redact({ nested: 'data' }) * // Returns: { type: 'object', length: 18 } * ``` */ export declare function redact(value: unknown, includeHash?: boolean): RedactedValue; /** * Redact all values in an object, automatically detecting sensitive fields. * * @param obj - Object to redact * @param options - Redaction options * @returns New object with sensitive values redacted * * @example * ```typescript * const payload = { * customerId: '12345', * email: 'john@example.com', * action: 'purchase' * }; * * redactObject(payload) * // Returns: { * // customerId: { type: 'string', length: 5, preview: '1234***' }, * // email: { type: 'string', length: 16, preview: 'john***' }, * // action: 'purchase' // Not sensitive, passed through * // } * ``` */ export declare function redactObject(obj: Record, options?: { /** Redact ALL fields, not just sensitive ones */ redactAll?: boolean; /** Include hash prefixes for correlation */ includeHashes?: boolean; /** Additional field names to treat as sensitive */ additionalSensitive?: string[]; /** Field names to explicitly allow (whitelist) */ allowList?: string[]; }): Record; /** * Redact sensitive patterns from a string (for log messages). * * @param message - Message that might contain sensitive data * @returns Message with sensitive patterns replaced */ export declare function redactString(message: string): string; //# sourceMappingURL=redaction.d.ts.map