feat(data-masking): add Data Masking utility

[svozza]

Summary

Changes

This PR is an experiment in delivering a full feature, end to end, using spec-driven development and agentic coding. As such, I have set it as a draft. We may or may not merge this, but if we do, only after a thorough review by the team. The purpose of this PR is as much to provoke discussion as it is to implement a feature. I would appreciate if @dreamorosi and @sdangol could look at the code and give their opinions.

From my perspective, I think this was a very successful experiment: I am happy with the code quality and I also took the opportunity to add property tests, which are a perfect fit for this sort of logic.

Something I would note is that this probably worked so well because of how well-defined the issue was by @walmsles, and also that we could use the Python implementation as a reference.

One place I differed from the proposed implementation was that I don't batch the calls to KMS. This simplifies the API and means we mirror the Python implementation exactly. While ordinarily this would be a performance concern, we use the caching feature in the AWS Cryptography library to ensure that we only ever make one call to KMS when encrypting multiple fields.

What's included

• @aws-lambda-powertools/data-masking package with erase, encrypt, and decrypt operations
• AWSEncryptionSDKProvider using KMS envelope encryption (@aws-crypto/client-node as optional peer dep)
• Field selection via dot notation, [*] array wildcards, and .* object wildcards
• Custom masking rules (regex, dynamic length, custom strings)
• Encryption context (AAD) for integrity and authenticity
• Prototype pollution protection
• Unit tests with property-based testing via fast-check
• E2e test scaffolding (CDK stack + Lambda handlers)
• Documentation mirroring the Python Powertools data masking docs

A note on field path resolution

The Python implementation uses jsonpath_ng for field selection, which natively supports both querying and path extraction for write-back. We considered using a JavaScript JSONPath library (e.g. jsonpath-plus) to match this approach, but decided against it for a few reasons:

- jsonpath-plus (9.8m weekly downloads) is marked as unmaintained by its maintainers
- We already have @aws-lambda-powertools/jmespath in-house

Instead, we use JMESPath to validate expressions and a small ((approx. 20 line)) custom walker to resolve wildcards ([*] and *) into concrete paths for write-back. JMESPath is read-only by design so it can't be used for path extraction directly, but the walker is simple, well-tested, and avoids any new dependencies.

There is however another library, jsonpath, that has 3.8m weekly downloads. I am always hesitant to introduce new dependencies to the project but I think if we want feature parity with Python we will need to take the dependency on. I would like to hear the maintainers thoughts before committing to this course of action though.

Update: The JMESPath dependency has been removed. It was unnecessary since we only used it for reading, and keeping it could mislead users into thinking we support the full JMESPath spec for writes. Instead, we use a small custom walker that supports:

• dot notation (obj.key)
• wildcard for object keys (obj.*.key)
• wildcard for arrays (obj.[*].key)

These three cases are validated with property tests, which are much more thorough than traditional unit tests.

Issue number: closes #4960

---

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[dreamorosi]

Is the optional options?: ErrorOptions missing intentional?

[dreamorosi]

Is the optional options?: ErrorOptions missing intentional?

[dreamorosi]

Let's add a comment to explain what this is

[dreamorosi]

Need to set public on the constructor

[dreamorosi]

Add comments documenting the two props

[dreamorosi]

consider if needs to be as const

[dreamorosi]

This as unknown as T needs looking into it - right now I think it's needed because DEFAULT_MASK_VALUE is a string and we're casting it to T but the bigger question is: does the return type need to stay T or should it be string? Can it ever not be a string?

[dreamorosi]

Ok this is a recursive function that can return objects - so this as unknown as T is basically "the leaf state" of the recursion which is always a string but we're telling it to be T. So because it's a public method we need to keep T but it could've been probably T | string.

[dreamorosi]

Might want to use the "isNullorUndefined" (look up exact name) helper from commons here

[dreamorosi]

Need to document args & options in the comment above.

[dreamorosi]

This looks odd - the way I understand it right now is that we replace the entire value/object with DEFAULT_MASK_VALUE if I don't specify any option - which feels odd. I don't know for sure, but at the moment I'd expect instead to replace ALL values in the object instead?

[dreamorosi]

Is this really unreachable or is the agent lazy?

[dreamorosi]

Ok I got it now, maybe we want to consider changing options.fields in the signature to not optional and make it default to[] so that the below never happens.

[dreamorosi]

Can we consider destructuring options at the top of this method.

[dreamorosi]

This function needs a comment explaining what it does as it's a bit hard to reason about

[dreamorosi]

Should this always be the default mask value or should the customer be able to override it? Current behavior always sets the default

[dreamorosi]

might want to use isString helper from commons

[dreamorosi]

What happens if I set a custom mask (i.e. +) and also want it dynamic at the same time?

[dreamorosi]

These seem to be mutually exclusive in the implementation and meaning - if that's the case the type should reflect it.

[dreamorosi]

Review all the options to make sure that the mutual exclusion is reflecting the implementation

[dreamorosi]

Maybe this could be its own named function in the method

const encrypt = provider.encrypt(JSON.stringify(data), options?.context);

[dreamorosi]

This might need to be allSettled - check what happens if one of them fails

[dreamorosi]

Maybe this is fine because as you said it's an all or nothing op - I'm just curious to see how the error is bubbled up.

[dreamorosi]

Should we consider emitting a warning here? It's good that we prevent the customer from shooting themselves in the foot, but they should know so they can fix the field paths or the data.

[dreamorosi]

Consider splitting these in their own types file under provider

[dreamorosi]

All these need documenting

[dreamorosi]

Can we call this client (singular?) I get that it's an object we compose from functions coming from the encryption sdk but it reads weird and a client class is an object after all

[dreamorosi]

Consider making this a regular import at the top using the same pattern that we use in Idempotency for the persistence layers - which looks something like this:

import { DataMasking } from '@aws-lambda-powertools/data-masking'; // this does not include any provider
import { AWSEncryptionSDKProvider } from '@aws-lambda-powertools/data-masking/aws-provider';

const datamasking = new DataMasking({ provider: new AWSEncryptionSDKProvider() });

This way the provider gets its own sub-path export which functionally makes it opt-in.

[dreamorosi]

This might also allow you to not have #init to be async - which then in turn means you could do it in the constructor.

[dreamorosi]

Check that the defaults are aligned with the Python implementation.

[dreamorosi]

Should we make this a custom package-managed error like all others

[dreamorosi]

Consider extracting all these in separate files

[dreamorosi]

Why is this magic number so special?

[dreamorosi]

Let's make sure that the KMS Key actually gets cleaned up after the test