redact

package
v0.1.0 Latest
Warning

This package is not in the latest version of its module.

Published: Mar 1, 2026 License: MIT Imports: 6 Imported by: 0

Documentation

Overview

Package redact sanitizes error messages and strings before they are returned to an LLM. It strips sensitive information such as Bearer tokens, API keys, file paths, IP addresses, stack traces, and long base64 strings.

Constants

const StoreSchema = `` /* 541-byte string literal not displayed */

StoreSchema creates the tables for runtime-manageable redaction rules.

Table redact_patterns: blacklist patterns (things to redact).
Table redact_whitelist: whitelist patterns (things to preserve, skip redaction).

Both tables support is_active for enable/disable without deletion.

Functions

func ContainsSensitive

func ContainsSensitive(s string) bool

ContainsSensitive returns true if any default rule matches in the string. Useful for pre-checks before logging or returning errors.

func SanitizeError

func SanitizeError(msg string) string

SanitizeError is a convenience function that applies Defaults() to an error message.

func StripGoStackTraces

func StripGoStackTraces(s string) string

StripGoStackTraces is a fast-path helper that only removes Go stack traces without applying the full rule set.

Types

type PatternEntry

type PatternEntry struct {
	Name     string
	Pattern  string
	Replace  string
	IsActive bool
}

PatternEntry is a row from redact_patterns.

type Redactor

type Redactor struct {
	// contains filtered or unexported fields
}

Redactor applies a pipeline of rules to sanitize strings.

func New

func New(ruleSets ...[]Rule) *Redactor

New creates a Redactor from the given rule slices (merged in order).

func (*Redactor) RedactMap

func (r *Redactor) RedactMap(m map[string]string) map[string]string

RedactMap applies the redactor to all string values in a map (shallow). Non-string values are left as-is. Returns a new map.

func (*Redactor) Rules

func (r *Redactor) Rules() []Rule

Rules returns the rules currently configured in the Redactor.

func (*Redactor) Sanitize

func (r *Redactor) Sanitize(s string) string

Sanitize applies all rules in order and returns the cleaned string.

func (*Redactor) SanitizeLines

func (r *Redactor) SanitizeLines(s string) string

SanitizeLines applies the redactor to each line of a multi-line string, preserving the line structure. Empty lines are kept.

func (*Redactor) Wrap

func (r *Redactor) Wrap(extra ...[]Rule) *Redactor

Wrap returns a new Redactor that prepends additional rules before the existing ones. Useful for layering project-specific rules on top of defaults.

type Rule

type Rule struct {
	Name    string
	Pattern *regexp.Regexp
	Replace string
}

Rule defines a single redaction pattern.

func Custom

func Custom(name, pattern, replace string) []Rule

Custom creates a single-rule slice for use with New.

func Defaults

func Defaults() []Rule

Defaults returns the standard set of redaction rules covering tokens, paths, addresses, stack traces, and encoded strings.

func Merge

func Merge(ruleSets ...[]Rule) []Rule

Merge combines multiple rule slices into a single slice.

func MustCompileRule

func MustCompileRule(name, pattern, replace string) Rule

MustCompileRule creates a Rule, panicking if the pattern is invalid. Intended for package-level var declarations.

func SQLitePaths

func SQLitePaths() []Rule

SQLitePaths returns rules that redact SQLite database file paths.

func (Rule) String

func (r Rule) String() string

String returns a human-readable summary of a Rule.

type Store

type Store struct {
	// contains filtered or unexported fields
}

Store is a SQLite-backed, runtime-updatable redaction engine. It loads blacklist patterns (what to redact) and whitelist patterns (what to preserve) from the database. Patterns can be added, removed, or toggled at runtime and reloaded without restart.

func NewStore

func NewStore(db *sql.DB, opts ...StoreOption) *Store

NewStore creates a Store backed by the given database. Call Init() to create the tables, then Reload() to load patterns.

func (*Store) AddPattern

func (s *Store) AddPattern(name, pattern, replace string) error

AddPattern inserts or replaces a blacklist pattern in the database. Call Reload() after to pick up changes.

func (*Store) AddWhitelist

func (s *Store) AddWhitelist(name, pattern string) error

AddWhitelist inserts or replaces a whitelist pattern in the database.

func (*Store) Init

func (s *Store) Init() error

Init creates the redact_patterns and redact_whitelist tables.

func (*Store) ListPatterns

func (s *Store) ListPatterns() ([]PatternEntry, error)

ListPatterns returns all blacklist patterns (active and inactive).

func (*Store) ListWhitelist

func (s *Store) ListWhitelist() ([]WhitelistEntry, error)

ListWhitelist returns all whitelist patterns (active and inactive).

func (*Store) Reload

func (s *Store) Reload() error

Reload reads all active patterns from the database and compiles them. Invalid regex patterns are logged and skipped.

func (*Store) RemovePattern

func (s *Store) RemovePattern(name string) error

RemovePattern deactivates a blacklist pattern.

func (*Store) RemoveWhitelist

func (s *Store) RemoveWhitelist(name string) error

RemoveWhitelist deactivates a whitelist pattern.

func (*Store) Sanitize

func (s *Store) Sanitize(input string) string

Sanitize applies the full pipeline: static rules + dynamic blacklist, but preserves substrings matching any whitelist pattern.

Order: whitelisted substrings are temporarily replaced with placeholders, then all rules (static + dynamic) are applied, then placeholders are restored.
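The order described above, as an added standard-library sketch (not this package's source): it shows a narrow whitelist preserving a loopback address and an overly broad one letting a bearer token through unredacted. The names rule, blacklist, token, sanitize and sample, the two patterns and the placeholder format are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// rule mirrors the documented Rule shape; these patterns are constructed for
// the sketch and are not the package's Defaults().
type rule struct {
	pattern *regexp.Regexp
	replace string
}

var blacklist = []rule{
	{regexp.MustCompile(`Bearer\s+[A-Za-z0-9._~+/=-]+`), "Bearer [REDACTED]"},
	{regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`), "[IP]"},
}

// token builds a placeholder with distinct open/close control bytes (assumed format).
func token(i int) string { return fmt.Sprintf("\x00%d\x01", i) }

// sanitize protects whitelist matches with placeholders, applies every
// blacklist rule in order, then restores the protected substrings.
func sanitize(input string, whitelist ...string) string {
	// Strip the delimiter bytes so the input cannot forge a placeholder.
	out := strings.NewReplacer("\x00", "", "\x01", "").Replace(input)
	var kept []string
	for _, w := range whitelist {
		out = regexp.MustCompile(w).ReplaceAllStringFunc(out, func(m string) string {
			kept = append(kept, m)
			return token(len(kept) - 1)
		})
	}
	for _, r := range blacklist {
		out = r.pattern.ReplaceAllString(out, r.replace)
	}
	// Restore newest first so a placeholder nested in a later match resolves.
	for i := len(kept) - 1; i >= 0; i-- {
		out = strings.ReplaceAll(out, token(i), kept[i])
	}
	return out
}

// Constructed sample error message.
const sample = "dial 10.2.3.4:443 via proxy 127.0.0.1:8080: Authorization: Bearer abc.def.ghi"

func main() {
	fmt.Println(sanitize(sample, `\b127\.0\.0\.1\b`))  // narrow: loopback kept
	fmt.Println(sanitize(sample, `Authorization: .*`)) // too broad: token kept
}
```

Because a whitelist match is shielded from every rule, each whitelist pattern should be anchored as tightly as the value it is meant to preserve.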

type StoreOption

type StoreOption func(*Store)

StoreOption configures a Store.

func WithStaticRules

func WithStaticRules(rules ...[]Rule) StoreOption

WithStaticRules sets the static (code-defined) rules that are always applied in addition to the dynamic database rules.

type WhitelistEntry

type WhitelistEntry struct {
	Name     string
	Pattern  string
	IsActive bool
}

WhitelistEntry is a row from redact_whitelist.
