endojs / endo

Endo is a distributed secure JavaScript sandbox, based on SES
Apache License 2.0

feat(transforms): add SES censorship evasion function #1812

Closed boneskull closed 11 months ago

boneskull commented 11 months ago

Description

Extracts the rewriteComment function from @endo/bundle-source/src/transform.js and exposes it as transformComment in the evade-censor export. This should be considered an experimental API.

Motivation

We could use this functionality in LavaMoat itself, so extracting it into a module lighter than @endo/bundle-source seems appropriate.

The function is not exported from the main entry point, nor documented publicly, so as to avoid committing to an API we may not be ready to commit to. I can change this, if desired!

Notes

Questions

kriskowal commented 11 months ago

I defer to @michaelfig or @erights regarding the comment end marker escape and why we replace // with /* style comments. We should capture the reasoning in the code!

I have no strong feelings about how to escape homoglyphs.

Also worth noting that there are other evasive transforms we hope to add one day to provide better compatibility with the ecosystem, particularly transforms that break strings that have censored terms.
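The comment-rewriting evasion discussed above, as an added, self-contained example that is not code from this PR, from @endo/bundle-source or from ses. It pairs an emulation of the kind of raw-text censorship SES applies with a transform that re-emits every comment as a defanged block comment, so the two can be checked against each other offline. Everything in it is this example's own: the two regexes in CENSOR_PATTERNS only approximate what SES rejects; the hand-written comment scanner stands in for the Babel parser the real transform uses and assumes valid input with no template or regex literals; the specific replacements (`< !--`, `-- >`, `IMPORT(`, `*\/`) are illustrative choices rather than the project's; the function names (findCensored, findComments, rewriteCommentBody, evadeCensor, stripComments) are invented here, and evadeCensor takes no source map, unlike the signature proposed later in this thread. SAMPLE is constructed input.

```javascript
// Added example, not endo/ses code: emulate SES-style source-text censorship
// and a comment-rewriting evasion, then check one against the other.

// Assumption: these approximate SES's censorship tests. SES matches the raw
// source text, so a hit inside a comment rejects the whole module.
const CENSOR_PATTERNS = [
  { name: 'html-comment', re: /<!--|-->/ },
  { name: 'import-expression', re: /\bimport\s*\(/ },
];

// Report the first match of each censored pattern in `source`.
function findCensored(source) {
  const hits = [];
  for (const { name, re } of CENSOR_PATTERNS) {
    const m = re.exec(source);
    if (m) hits.push({ name, index: m.index, match: m[0] });
  }
  return hits;
}

// Locate comment spans, skipping quoted strings so the '//' inside
// 'http://...' is not mistaken for a comment. Deliberately simplified:
// assumes valid JS with no template or regex literals (the PR itself
// takes comments from a real parser instead).
function findComments(source) {
  const spans = [];
  const n = source.length;
  let i = 0;
  while (i < n) {
    const c = source[i];
    const next = source[i + 1];
    if (c === '"' || c === "'") {
      let j = i + 1;
      while (j < n && source[j] !== c) {
        if (source[j] === '\\') j += 1; // skip the escaped character
        j += 1;
      }
      i = j + 1;
    } else if (c === '/' && next === '/') {
      let j = source.indexOf('\n', i);
      if (j === -1) j = n;
      spans.push({ kind: 'line', start: i, end: j });
      i = j;
    } else if (c === '/' && next === '*') {
      let j = source.indexOf('*/', i + 2);
      j = j === -1 ? n : j + 2;
      spans.push({ kind: 'block', start: i, end: j });
      i = j;
    } else {
      i += 1;
    }
  }
  return spans;
}

// Defang censored tokens inside a comment body. The replacements are this
// example's own choice; they only need to stop the regexes above from
// matching while keeping the comment readable. The last one matters because
// every comment is re-emitted as a block comment: a literal '*/' in what was
// a line comment would otherwise close the block early and turn the rest of
// the comment into code.
function rewriteCommentBody(body) {
  return body
    .replace(/<!--/g, '< !--')
    .replace(/-->/g, '-- >')
    .replace(/\bimport(\s*\()/g, 'IMPORT$1')
    .replace(/\*\//g, '*\\/');
}

// Rewrite every comment as a defanged block comment; code is left untouched.
function evadeCensor(source) {
  let out = '';
  let last = 0;
  for (const { kind, start, end } of findComments(source)) {
    out += source.slice(last, start);
    const body =
      kind === 'line' ? source.slice(start + 2, end) : source.slice(start + 2, end - 2);
    out += `/*${rewriteCommentBody(body)}*/`;
    last = end;
  }
  return out + source.slice(last);
}

// Source with comments removed, to confirm the transform changed nothing else.
function stripComments(source) {
  let out = '';
  let last = 0;
  for (const { start, end } of findComments(source)) {
    out += source.slice(last, start);
    last = end;
  }
  return out + source.slice(last);
}

// Constructed sample: harmless code whose comments carry every token the
// patterns above reject, plus a '*/' inside a line comment.
const SAMPLE = `// See <!-- legacy notes --> and the import(...) loader */ footnote
const url = 'http://example.com/'; // the '//' inside the string is not a comment
/* historic note: this used to call import ('./plugin.js') */
const answer = 42;
`;

const transformed = evadeCensor(SAMPLE);
console.log(findCensored(SAMPLE).map(h => h.name)); // ['html-comment', 'import-expression']
console.log(findCensored(transformed)); // []
console.log(stripComments(SAMPLE) === stripComments(transformed)); // true
```

Note what the check at the end does not cover: a censored token inside a string literal would still be reported after the transform, which is exactly why the string-breaking transforms mentioned above would be a separate step.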

boneskull commented 11 months ago

@kriskowal Which unit test do you mean?

erights commented 11 months ago

why we replace // with /* style comments. We should capture the reasoning in the code!

I do not remember being aware that we changed comments this way, so I also do not remember why. If I was aware at the time, my apologies for not capturing or at least leaving more clues.

kriskowal commented 11 months ago

@kriskowal Which unit test do you mean?

There is none as such and we are relying on integration tests inside bundle-source for the effect. I’m willing to continue in that vein.

boneskull commented 11 months ago

There is none as such and we are relying on integration tests inside bundle-source for the effect. I’m willing to continue in that vein.

For posterity: this PR does include some unit tests.

boneskull commented 11 months ago

What do you think of exporting evadeCensor(source, sourceMap) => {source, sourceMap} for less public coupling?

@kriskowal

This sounds like I'd need to copy makeLocationUnmapper() and other functions from bundle-source/src/transform.js here as well.

Was the intention to rehome the entirety of bundle-source/src/transform.js into the transform pkg? Apologies if that wasn't clear. And if so, you want it all in this PR (with multiple, logical commits)?

kriskowal commented 11 months ago

What do you think of exporting evadeCensor(source, sourceMap) => {source, sourceMap} for less public coupling?

@kriskowal

This sounds like I'd need to copy makeLocationUnmapper() and other functions from bundle-source/src/transform.js here as well.

Was the intention to rehome the entirety of bundle-source/src/transform.js into the transform pkg? Apologies if that wasn't clear. And if so, you want it all in this PR (with multiple, logical commits)?

I had not thought that many steps ahead, but that would seem to be necessary in order to decouple the public interface from the encapsulated dependencies, so I’m in favor.

boneskull commented 11 months ago

this is getting closer, but I need to add some more tests. I'm not sure how unit-y I can make them, though...

boneskull commented 11 months ago

@kriskowal Please let me know if my test fixtures in @endo/transforms are overkill

boneskull commented 11 months ago

I suppose I should update README.md with API docs too

boneskull commented 11 months ago

@kriskowal OK, I've

  1. Renamed the package (I did not change the version number, however)
  2. Updated the README
  3. Narrowed the API so that only a single function is exported. Renamed it
  4. Created a couple additional adapter functions so that, ideally, swapping out the underlying AST implementation won't be so painful
  5. Accidentally discovered how to implement function overloading via JSDoc

boneskull commented 11 months ago

linefeeds. lol

boneskull commented 11 months ago

OK. Don't touch anything. @kriskowal can I be done please

boneskull commented 11 months ago

8d9d2b7 was committed from Windows, where I am evidently not set up properly with gpg.

kriskowal commented 11 months ago

Thanks, @boneskull. You’re green. Would you like to squash some or all of the commits or shall I command Github to do so on your behalf?

boneskull commented 11 months ago

@kriskowal Squashed