-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathmasking.zod.ts
More file actions
41 lines (34 loc) · 2.03 KB
/
masking.zod.ts
File metadata and controls
41 lines (34 loc) · 2.03 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
// Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
import { z } from 'zod';
/**
* Data masking protocol for PII protection
*/
import { lazySchema } from '../shared/lazy-schema';
export const MaskingStrategySchema = lazySchema(() => z.enum([
'redact', // Complete redaction: ****
'partial', // Partial masking: 138****5678
'hash', // Hash value: sha256(value)
'tokenize', // Tokenization: token-12345
'randomize', // Randomize: generate random value
'nullify', // Null value: null
'substitute', // Substitute with dummy data
]).describe('Data masking strategy for PII protection'));
export type MaskingStrategy = z.infer<typeof MaskingStrategySchema>;
export const MaskingRuleSchema = lazySchema(() => z.object({
field: z.string().describe('Field name to apply masking to'),
strategy: MaskingStrategySchema.describe('Masking strategy to use'),
pattern: z.string().optional().describe('Regex pattern for partial masking'),
preserveFormat: z.boolean().default(true).describe('Keep the original data format after masking'),
preserveLength: z.boolean().default(true).describe('Keep the original data length after masking'),
roles: z.array(z.string()).optional().describe('Roles that see masked data'),
exemptRoles: z.array(z.string()).optional().describe('Roles that see unmasked data'),
}).describe('Masking rule for a single field'));
export type MaskingRule = z.infer<typeof MaskingRuleSchema>;
export type MaskingRuleInput = z.input<typeof MaskingRuleSchema>;
export const MaskingConfigSchema = lazySchema(() => z.object({
enabled: z.boolean().default(false).describe('Enable data masking'),
rules: z.array(MaskingRuleSchema).describe('List of field-level masking rules'),
auditUnmasking: z.boolean().default(true).describe('Log when masked data is accessed unmasked'),
}).describe('Top-level data masking configuration for PII protection'));
export type MaskingConfig = z.infer<typeof MaskingConfigSchema>;
export type MaskingConfigInput = z.input<typeof MaskingConfigSchema>;