Documentation
¶
Index ¶
Constants ¶
const RedactedPlaceholder = "REDACTED"
RedactedPlaceholder is the replacement text used for redacted secrets.
Variables ¶
This section is empty.
Functions ¶
func ConfigurePII ¶ added in v0.5.1
func ConfigurePII(cfg PIIConfig)
ConfigurePII sets the global PII redaction configuration. Pre-compiles patterns so the hot path (String → detectPII) does no compilation. Call once at startup after loading settings. Thread-safe.
func JSONLBytes ¶
JSONLBytes is a convenience wrapper around JSONLContent for []byte content.
func JSONLContent ¶
JSONLContent parses each line as JSON to determine which string values need redaction, then performs targeted replacements on the raw JSON bytes. Lines with no secrets are returned unchanged, preserving original formatting.
For multi-line JSON content (e.g., pretty-printed single JSON objects like OpenCode export), the function first attempts to parse the entire content as a single JSON value. This ensures field-aware redaction (which skips ID fields) is used instead of falling back to entropy-based detection on raw text lines, which would corrupt high-entropy identifiers.
func String ¶
String replaces secrets and PII in s using layered detection: 1. Entropy-based: high-entropy alphanumeric sequences (threshold 4.5) 2. Pattern-based: gitleaks regex rules (180+ known secret formats) 3. PII detection: email, phone, address patterns (only when configured via ConfigurePII) A string is redacted if ANY method flags it.
Types ¶
type PIICategory ¶ added in v0.5.1
type PIICategory string
PIICategory identifies a category of personally identifiable information.
const ( PIIEmail PIICategory = "email" PIIPhone PIICategory = "phone" PIIAddress PIICategory = "address" )
type PIIConfig ¶ added in v0.5.1
type PIIConfig struct {
// Enabled globally enables/disables PII redaction.
// When false, no PII patterns are checked (secrets still redacted).
Enabled bool
// Categories maps each PII category to whether it is enabled.
// Missing keys default to false (disabled).
Categories map[PIICategory]bool
// CustomPatterns allows teams to define additional regex patterns.
// Each key is a label used in the replacement token (uppercased),
// and each value is a regex pattern string.
// Example: {"employee_id": `EMP-\d{6}`} produces [REDACTED_EMPLOYEE_ID].
CustomPatterns map[string]string
// contains filtered or unexported fields
}
PIIConfig controls which PII categories are detected and redacted.
Source Files