npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@uniglot/wont-let-you-see

v1.2.1

Published

OpenCode plugin that masks sensitive cloud infrastructure data (AWS, Kubernetes) from LLMs

Downloads

41

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

uniglotuniglot

Keywords

opencodepluginsecurityawskubernetesk8smaskingprivacy

Readme

Won't Let You See

I won't let those LLMs to see sensitive cloud infrastructure data!

wont-let-you-see is an OpenCode plugin that masks that kinds of data. It automatically intercepts and masks AWS resources, Kubernetes secrets, and other credentials, replacing them with safe tokens. LLMs don't get any bare tokens from the tool outputs, and from you.

Note: Currently supports AWS only. GCP and Azure support may be added in the future.

Installation

npm install @uniglot/wont-let-you-see

Configuration

Add the plugin to your OpenCode configuration:

{
  "plugins": ["@uniglot/wont-let-you-see"]
}

Runtime Configuration

Configure via environment variables or JSON config file. Environment variables take precedence.

Environment Variables

| Variable | Description | Default | | ------------------------------------ | -------------------------------------------------------------------------- | ------- | | WONT_LET_YOU_SEE_ENABLED | Set to false or 0 to disable masking | true | | WONT_LET_YOU_SEE_REVEALED_PATTERNS | Comma-separated list of pattern types to reveal | (none) | | WONT_LET_YOU_SEE_CUSTOM_PATTERNS | Comma-separated list of custom patterns to mask (supports regex: prefix) | (none) |

JSON Config File

Create .wont-let-you-see.json in your project root, ~/.config/opencode/, or home directory:

{
  "enabled": true,
  "revealedPatterns": ["ipv4"],
  "customPatterns": ["123456789012", "my-secret-value"]
}

Tip: Add your AWS account ID to customPatterns. The built-in account-id pattern only matches contextual fields like "OwnerId": "123456789012", but may miss bare account IDs in terraform output or other contexts.

Custom patterns support both literal strings and regular expressions. Prefix with regex: to use regex:

{
  "customPatterns": [
    "123456789012",
    "my-secret-value",
    "regex:secret-[a-z]{3}-\\d{4}"
  ]
}

Examples

# Disable the plugin entirely
WONT_LET_YOU_SEE_ENABLED=false opencode

# Reveal specific patterns (don't mask them)
WONT_LET_YOU_SEE_REVEALED_PATTERNS=eks-cluster,ipv4 opencode

# Mask custom values with regex patterns
WONT_LET_YOU_SEE_CUSTOM_PATTERNS="regex:token-[A-Z]{8},123456789012" opencode

How It Works

The plugin hooks into four points of the OpenCode lifecycle:

  1. System prompt injection: The LLM is informed about masking behavior and how to handle unknown values
  2. Before command execution: Tokens in your command are replaced with original values
  3. After command execution: Sensitive data in output is masked with tokens
  4. User messages: Sensitive data you type is masked before reaching the LLM

Masking is applied to output from aws, terraform, kubectl, helm, pulumi, tofu, terragrunt, vault, and eksctl commands. Other commands are passed through unmodified.

Sensitive data is replaced with tokens in the format #(type-N), for example, vpc-0a1b2c3d4e5f6g7h8 becomes #(vpc-1). The mapping between tokens and real values persists across session restarts.

LLM Awareness

The LLM is automatically informed that:

  • It sees masked tokens like #(vpc-1), #(arn-2), not real values
  • The plugin unmasks tokens in infrastructure commands automatically
  • When the LLM needs to write a value it hasn't seen, it should use the placeholder format #(FILL:description) and ask you to replace it

For example, if you ask the LLM to create a terraform configuration using a VPC you haven't shown it, it will write:

resource "aws_subnet" "example" {
  vpc_id = "#(FILL:your-vpc-id)"
  # ...
}

And instruct you to replace #(FILL:your-vpc-id) with your actual VPC ID.

Supported Patterns

AWS: ARNs, EKS cluster ARNs, account IDs (contextual), access key IDs, secret access keys, VPC/subnet/security group IDs, internet/NAT/VPN/customer/transit gateways, route tables, network ACLs, EC2 instances, AMIs, EBS volumes, snapshots, ENIs, VPC endpoints, ECR repository URIs, RDS instance/cluster resource IDs, RDS proxies, RDS automated snapshots, EFS file systems/mount targets/access points, ElastiCache clusters (contextual), DynamoDB tables (contextual)

Kubernetes: EKS cluster API endpoints, node names

Common: IPv4 addresses (CIDR-aware: 10.0.0.0/16#(ipv4-1)/16), private key blocks, API keys (contextual), phone numbers (contextual: US, KR, international), email addresses, UUIDs, JWTs, base64-encoded secrets (contextual)

See patterns/ for the full pattern definitions.

Verifying the Plugin

After running an AWS command, ask the LLM:

What was the actual VPC ID from the last command?

The LLM should only know the token (e.g., #(vpc-1)), not the real value.

Limitations

  • S3 Buckets: Bucket names are not masked (often public/intentional).
  • Account IDs: Only masked in contextual JSON fields. Add to customPatterns for full coverage.
  • Phone Numbers: Only masked in contextual JSON fields (e.g., "phone", "tel", "mobile"). This prevents false positives with Unix timestamps and other numeric data common in infrastructure output.

Contributing

See CONTRIBUTING.md for how to add new patterns.

License

MIT