redact

package

v0.57.0 Latest Latest Go to latest Published: May 26, 2026 License: MIT Imports: 2 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/BackendStack21/odek

Links

Open Source Insights

Documentation ¶

Overview ¶

Package redact provides secret detection and redaction for odek output.

RedactSecrets scans text for API keys, tokens, credentials, private keys, and other secrets, replacing matched content with [REDACTED]. This prevents secrets from leaking into session files, memory episodes, and Telegram messages.

Design:

No external dependencies — pure Go regex
Compiled once at init time — zero allocation on hot path
Ordered by specificity — specific patterns (OpenAI, GitHub, AWS) before generic patterns to avoid false positives
False-positive resistant — minimum length thresholds, entropy checks

The patterns are deliberately conservative. Generic patterns require contextual prefixes (key=, token=, secret=, password=) to reduce false positives on code snippets like UUIDs or base64-encoded data.

Index ¶

func CountSecrets(text string) int
func HasSecrets(text string) bool
func IsSafe(text string) bool
func RedactChunk(chunk string) (string, bool)
func RedactSecrets(text string) string
func RedactWithCount(text string) (string, int)
func SanitizeForLog(text string) string

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func CountSecrets ¶

func CountSecrets(text string) int

CountSecrets returns the number of secret patterns found in the text. Useful for logging and metrics.

func HasSecrets ¶

func HasSecrets(text string) bool

HasSecrets returns true if the text contains any recognized secret pattern. Useful for quick pre-checks without allocating the full redacted string.

func IsSafe ¶

func IsSafe(text string) bool

IsSafe returns true if the text contains no recognized secrets. Convenience inverse of HasSecrets.

func RedactChunk ¶

func RedactChunk(chunk string) (string, bool)

RedactChunk redacts a single chunk of text and returns it along with a boolean indicating whether any secrets were found. Designed for streaming/chunked output where callers want to know per-chunk whether redaction occurred.

func RedactSecrets ¶

func RedactSecrets(text string) string

RedactSecrets scans text for known secret patterns and replaces matched content with "[REDACTED]". Returns the sanitized text.

The function is safe to call on empty strings and strings without secrets (returns the original string unchanged in the common case).

func RedactWithCount ¶

func RedactWithCount(text string) (string, int)

RedactWithCount returns both the redacted text and a count of redacted secrets, so callers can log how many were caught without a second pass.

func SanitizeForLog ¶

func SanitizeForLog(text string) string

SanitizeForLog returns a version of the text safe for logging. Unlike RedactSecrets which replaces matched substrings, this returns a descriptive summary when secrets are found. Useful for log messages where you want to know secrets WERE present without any risk of partial leakage.

Types ¶

This section is empty.

Source Files ¶

View all Source files

redact.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL