Production-grade security utilities for Node.js applications. Zero external dependencies — uses only Node.js built-in modules.
- Path traversal prevention — blocks
../, null bytes, Windows drive letters - Prompt injection detection — catches 15+ LLM injection patterns
- Shell command sanitization — strips dangerous characters
- Schema validation — type checking, required fields, pattern matching
- Service/capability/strategy validators — structured config validation
- PBKDF2 key derivation (100K iterations, SHA-512)
- Per-value encryption — each field gets unique IV + auth tag
- TOML vault format — encrypted credentials stored as TOML
- File-level encryption — encrypt/decrypt entire credential files
- Password prompt at boot — interactive master password entry
- Email addresses —
user@example.com→[EMAIL] - Phone numbers — international and US formats
- IP addresses — IPv4 patterns
- File paths — Windows and Unix paths
- API keys — Bearer tokens, API key patterns
- JWTs — JSON Web Token detection and redaction
- Custom patterns — extensible redaction rules
One-time migration tool: reads plaintext TOML credentials, encrypts with AES-256-GCM, writes .enc.toml alongside originals.
const validate = require('./lib/validate.cjs');
const secrets = require('./lib/secrets.cjs');
const redact = require('./lib/redact.cjs');
// Validate input
validate.validateStrategy({ name: "restart", weight: 0.5 });
validate.isPathSafe("../../../etc/passwd"); // false
validate.detectPromptInjection("ignore previous instructions"); // true
validate.sanitizeShell("rm -rf /; echo safe"); // "rm -rf echo safe"
// Encrypt/decrypt
const key = await secrets.deriveKey("master-password");
const encrypted = secrets.encrypt("sensitive-data", key);
const decrypted = secrets.decrypt(encrypted, key);
// Redact PII
redact("Contact john@example.com or call 555-1234");
// → "Contact [EMAIL] or call [PHONE]"npm test75+ tests covering all modules including edge cases, boundary conditions, and security-specific scenarios.
MIT