Documentation
Overview
Package redact provides secret detection and redaction for odek output.
RedactSecrets scans text for API keys, tokens, credentials, private keys, and other secrets, replacing matched content with [REDACTED]. This prevents secrets from leaking into session files, memory episodes, and Telegram messages.
Design:
- No external dependencies — pure Go regex
- Compiled once at init time — no regex compilation on the hot path
- Ordered by specificity — specific patterns (OpenAI, GitHub, AWS) run before generic patterns to avoid false positives
- False-positive resistant — minimum length thresholds, entropy checks
The patterns are deliberately conservative. Generic patterns require a contextual prefix (key=, token=, secret=, password=) before they match, so random-looking strings that are not secrets, such as UUIDs or base64-encoded data in code snippets, are left alone. The trade-off is that a secret printed without such a prefix and in no recognized format is not caught by the pattern layer; register such values with RegisterSecret so the known-value layer catches them.
Index
- func CountSecrets(text string) int
- func HasSecrets(text string) bool
- func IsSafe(text string) bool
- func RedactChunk(chunk string) (string, bool)
- func RedactSecrets(text string) string
- func RedactWithCount(text string) (string, int)
- func RegisterSecret(value string)
- func RegisterSecretsFromEnv()
- func ResetSecrets()
- func SanitizeForLog(text string) string
Constants
This section is empty.
Variables
This section is empty.
Functions
func CountSecrets
func CountSecrets(text string) int
CountSecrets returns the number of secret matches found in the text. Useful for logging and metrics.
func HasSecrets
func HasSecrets(text string) bool
HasSecrets returns true if the text contains any recognized secret pattern or any registered known secret value. Useful for quick pre-checks without allocating the full redacted string.
func IsSafe
func IsSafe(text string) bool
IsSafe returns true if the text contains no recognized secrets. Convenience inverse of HasSecrets.
func RedactChunk
func RedactChunk(chunk string) (string, bool)
RedactChunk redacts a single chunk of text and returns it along with a boolean indicating whether any secrets were found. Designed for streaming/chunked output where callers want to know, per chunk, whether redaction occurred. Each chunk is scanned on its own, so a secret that straddles a chunk boundary is not matched in either chunk; callers that can buffer should also redact the reassembled output before it is persisted.
func RedactSecrets
func RedactSecrets(text string) string
RedactSecrets scans text for known secret patterns and replaces matched content with "[REDACTED]". Returns the sanitized text.
Two layers run: first the known-value layer (exact secret values registered via RegisterSecret, plus their common encodings), then the format-pattern layer (the regex patterns described in the overview). The known-value layer is the reliable one for odek's own secrets: it catches them even when they are printed in a form the patterns miss (a bare echo of a non-standard token, a base64 or hex encoding, and so on), which is why RegisterSecret or RegisterSecretsFromEnv should run at startup.
The function is safe to call on empty strings and on strings without secrets (in the common case the original string is returned unchanged).
func RedactWithCount
func RedactWithCount(text string) (string, int)
RedactWithCount returns both the redacted text and a count of redacted secrets, so callers can log how many were caught without a second pass.
func RegisterSecret added in v1.1.0
func RegisterSecret(value string)
RegisterSecret records a known secret value so that it, and its common encodings (base64 std/url, hex, percent-encoding, reversed), are redacted from all tool output. Values shorter than minSecretLen are ignored to avoid over-redaction: a short or common value would blank every occurrence of it in unrelated output. Safe to call repeatedly and concurrently. Callers should register before any tool output is produced (i.e. at startup); output emitted before a value is registered is not redacted retroactively.
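The known-value layer that RedactSecrets runs first and that RegisterSecret feeds, as an added worked example (this is the editor's illustration, not odek's code): registration expands a value into the encodings listed above, and redaction replaces the longest registered form first so that an unpadded base64 form, which is a prefix of the padded one, cannot split a hit in two. The 8-character minSecretLen, the unpadded base64 and path-style percent-encoded variants, and the RedactKnown function name are assumptions of this example; the format-pattern layer is left out, and the sample credential is constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"net/url"
	"sort"
	"strings"
	"sync"
)

// minSecretLen is assumed here; the real threshold is unexported and not on this page.
const minSecretLen = 8

var (
	mu    sync.RWMutex
	known = map[string]struct{}{} // every literal form to scrub, deduplicated
)

func reverseString(s string) string {
	r := []rune(s)
	for i, j := 0, len(r)-1; i < j; i, j = i+1, j-1 {
		r[i], r[j] = r[j], r[i]
	}
	return string(r)
}

// encodings lists the forms a secret tends to reappear in: base64 std/url (padded
// and, as an addition here, unpadded), hex in both cases, percent-encoding
// (query and path flavours) and the reversed string.
func encodings(v string) []string {
	b := []byte(v)
	return []string{
		v,
		base64.StdEncoding.EncodeToString(b),
		base64.RawStdEncoding.EncodeToString(b),
		base64.URLEncoding.EncodeToString(b),
		base64.RawURLEncoding.EncodeToString(b),
		hex.EncodeToString(b),
		strings.ToUpper(hex.EncodeToString(b)),
		url.QueryEscape(v),
		url.PathEscape(v),
		reverseString(v),
	}
}

// RegisterSecret adds a value and its encodings to the registry. Short values
// are dropped: registering "abc" would blank every "abc" in every output.
func RegisterSecret(value string) {
	if len(value) < minSecretLen {
		return
	}
	mu.Lock()
	defer mu.Unlock()
	for _, f := range encodings(value) {
		known[f] = struct{}{}
	}
}

// ResetSecrets empties the registry (for tests).
func ResetSecrets() {
	mu.Lock()
	known = map[string]struct{}{}
	mu.Unlock()
}

// RedactKnown replaces every registered form with [REDACTED], longest form first:
// replacing the unpadded base64 before the padded one would leave a stray "="
// behind and count the same hit twice.
func RedactKnown(text string) (string, int) {
	mu.RLock()
	forms := make([]string, 0, len(known))
	for f := range known {
		forms = append(forms, f)
	}
	mu.RUnlock()
	sort.SliceStable(forms, func(i, j int) bool { return len(forms[i]) > len(forms[j]) })
	n := 0
	for _, f := range forms {
		if c := strings.Count(text, f); c > 0 {
			n += c
			text = strings.ReplaceAll(text, f, "[REDACTED]")
		}
	}
	return text, n
}

func main() {
	secret := "tok_9f8e7d6c5b4a3210" // constructed sample credential
	RegisterSecret(secret)
	out, n := RedactKnown("Authorization: Basic " + base64.StdEncoding.EncodeToString([]byte(secret)))
	fmt.Printf("%d redacted: %s\n", n, out)
}
```

The registry snapshot under the read lock keeps RedactKnown safe to call while another goroutine is still registering; with a 20-byte secret the padded std base64 is the unpadded form plus one "=", which is exactly the overlap the longest-first order resolves.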
func RegisterSecretsFromEnv added in v1.1.0
func RegisterSecretsFromEnv()
RegisterSecretsFromEnv scans the process environment for variables whose names look sensitive and registers their values. This automatically covers secrets injected via .env (docker env_file) or ~/.odek/secrets.env without the caller having to enumerate them. Selection is by variable name, so a secret held under an unremarkable name is not picked up; register such values explicitly with RegisterSecret. Values below the RegisterSecret length threshold are ignored as usual.
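How an environment scan like RegisterSecretsFromEnv can decide which variables to register, as an added example (the editor's illustration, not odek's code; the page does not give its name rules). The name pattern, the exclusion of reference-style names such as *_PATH and *_TTL whose values are a filename or a number rather than a secret, the 8-character threshold, and the RegisterSecretsFrom helper with its register callback (standing in for RegisterSecret) are this example's assumptions; the environment is constructed.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strings"
)

// sensitiveName matches names that look like they hold a credential. This
// heuristic is assumed for the example; the page does not give odek's rules.
var sensitiveName = regexp.MustCompile(`(?i)(?:^|_)(?:KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIALS?)(?:_|$)`)

// referenceSuffix catches names that pass the test above but hold a pointer to
// a secret rather than the secret: registering TLS_KEY_PATH would only ever
// redact a filename, and SESSION_TOKEN_TTL only a number.
var referenceSuffix = regexp.MustCompile(`(?i)_(?:PATH|FILE|DIR|URL|NAME|ID|TTL|TIMEOUT)$`)

// minSecretLen is assumed here, mirroring the threshold RegisterSecret applies.
const minSecretLen = 8

// SensitiveEnvVars selects the "NAME=value" entries (the os.Environ format)
// worth registering and returns them as name -> value.
func SensitiveEnvVars(environ []string) map[string]string {
	out := map[string]string{}
	for _, kv := range environ {
		name, value, ok := strings.Cut(kv, "=")
		if !ok || !sensitiveName.MatchString(name) || referenceSuffix.MatchString(name) {
			continue
		}
		if len(value) < minSecretLen {
			continue // RegisterSecret would drop it anyway
		}
		out[name] = value
	}
	return out
}

// RegisterSecretsFrom hands each selected value to register, which stands in
// for the package's RegisterSecret, and reports how many were registered. The
// real RegisterSecretsFromEnv takes no arguments; it would do the equivalent
// of RegisterSecretsFrom(os.Environ(), RegisterSecret).
func RegisterSecretsFrom(environ []string, register func(value string)) int {
	vars := SensitiveEnvVars(environ)
	for _, v := range vars {
		register(v)
	}
	return len(vars)
}

func main() {
	// Constructed environment for the demonstration.
	env := []string{
		"PATH=/usr/bin:/bin",
		"GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij",
		"DB_PASSWORD=hunter2", // sensitive name, but too short to register
		"OPENAI_API_KEY=sk-live-0123456789abcdef0123",
		"TLS_KEY_PATH=/etc/ssl/private/server.key", // a reference, not a secret
		"SESSION_TOKEN_TTL=3600",
	}
	n := RegisterSecretsFrom(env, func(v string) { fmt.Println("registering a", len(v), "byte value") })
	fmt.Printf("registered %d of %d constructed entries (live process has %d)\n", n, len(env), len(os.Environ()))
}
```

Over-selection is cheap (a registered non-secret merely redacts a harmless string), but a registered path or number would blank it everywhere it appears, which is why the reference-style suffixes are filtered before the length check rather than after.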
func ResetSecrets added in v1.1.0
func ResetSecrets()
ResetSecrets clears the known-value registry. Intended for tests.
func SanitizeForLog
func SanitizeForLog(text string) string
SanitizeForLog returns a version of the text safe for logging. Unlike RedactSecrets, which replaces matched substrings, this returns a descriptive summary when secrets are found. Useful for log messages where you want to know secrets WERE present without any risk of partial leakage.
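The format-pattern layer, as an added worked example (the editor's illustration, not odek's code) that covers the design points in the overview together with the RedactSecrets, RedactWithCount, CountSecrets, HasSecrets, IsSafe and SanitizeForLog signatures above: rules are compiled once at package init, run most-specific first, and the generic rule fires only after a contextual name and only for a value of at least 16 characters. The individual patterns, the 16-character threshold and the SanitizeForLog summary wording are this example's assumptions, and the sample input is constructed; the known-value layer is left out.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

const redacted = "[REDACTED]"

// rule pairs a pattern, compiled once at package init, with the index of the
// capture group that holds the secret (0 = the whole match).
type rule struct {
	name  string
	re    *regexp.Regexp
	group int
}

// rules runs most-specific first. The shapes are assumed for this example;
// the page does not list odek's real patterns.
var rules = []rule{
	{"github-pat", regexp.MustCompile(`\bghp_[A-Za-z0-9]{36}\b`), 0},
	{"aws-access-key-id", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`), 0},
	{"pem-private-key", regexp.MustCompile(`(?s)-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----`), 0},
	// Generic rule: needs a contextual name (API_KEY=, GITHUB_TOKEN:, password=)
	// and a value of 16+ characters, so a bare UUID, a base64 blob in a code
	// snippet, or password=abc in a fixture is left alone.
	{"generic-assignment", regexp.MustCompile(`(?i)\b[A-Za-z0-9_-]*(?:key|token|secret|password|passwd)\s*[=:]\s*["']?([A-Za-z0-9_./+=-]{16,})`), 1},
}

// applyRule replaces the secret part of every match of r and reports how many.
func applyRule(r rule, text string) (string, int) {
	locs := r.re.FindAllStringSubmatchIndex(text, -1)
	if locs == nil {
		return text, 0
	}
	var b strings.Builder
	last := 0
	for _, loc := range locs {
		start, end := loc[2*r.group], loc[2*r.group+1]
		b.WriteString(text[last:start])
		b.WriteString(redacted)
		last = end
	}
	b.WriteString(text[last:])
	return b.String(), len(locs)
}

// RedactWithCount runs the rules in order. A GitHub token after "TOKEN=" is
// already [REDACTED] when the generic rule runs, so it is counted once.
func RedactWithCount(text string) (string, int) {
	total := 0
	for _, r := range rules {
		var n int
		text, n = applyRule(r, text)
		total += n
	}
	return text, total
}

func RedactSecrets(text string) string {
	out, _ := RedactWithCount(text)
	return out
}

func CountSecrets(text string) int {
	_, n := RedactWithCount(text)
	return n
}

func HasSecrets(text string) bool { return CountSecrets(text) > 0 }

func IsSafe(text string) bool { return !HasSecrets(text) }

// SanitizeForLog returns no part of a string that held a secret; the summary
// wording is this example's own.
func SanitizeForLog(text string) string {
	_, n := RedactWithCount(text)
	if n == 0 {
		return text
	}
	return fmt.Sprintf("[%d secret(s) detected in %d bytes; content withheld]", n, len(text))
}

// sample is constructed input: three secrets plus two look-alikes that must
// survive (a UUID with no secret-bearing name, and a too-short password).
const sample = `export GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
api_key: "sk-live-0123456789abcdef0123"
request_id=3f2a9c1e-4b7d-4e8a-9f10-2c3d4e5f6a7b
password=abc`

func main() {
	out, n := RedactWithCount(sample)
	fmt.Printf("%d redacted:\n%s\n", n, out)
	fmt.Println(SanitizeForLog(sample))
}
```

Because each specific rule rewrites its match to [REDACTED] before the generic rule runs, and "[" is outside the generic value class, a credential is never counted twice; the generic rule also redacts only its capture group, so the variable name survives for debugging while the value does not.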
Types
This section is empty.