ralph-workflow 0.7.18

PROMPT-driven multi-agent orchestrator for git repos
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53

//! Redaction utilities for cloud-mode I/O boundary.
//!
//! This module provides compiled regex patterns for secret redaction.
//! The patterns are cached using LazyLock for performance.

use std::sync::LazyLock;

static BEARER_TOKEN_RE: LazyLock<regex::Regex> =
    LazyLock::new(|| regex::Regex::new(r"(?i)(bearer\s+)\S+").expect("valid regex"));

static COMMON_QUERY_RE: LazyLock<regex::Regex> = LazyLock::new(|| {
    const KEYS: [&str; 5] = [
        "access_token=",
        "token=",
        "password=",
        "passwd=",
        "oauth_token=",
    ];
    let pattern = format!("(?i)({})([^&\\s]*)", KEYS.join("|"));
    regex::Regex::new(&pattern).expect("valid regex")
});

static TOKEN_LIKE_RE: LazyLock<regex::Regex> = LazyLock::new(|| {
    const PREFIXES: [&str; 6] = ["ghp_", "github_pat_", "glpat-", "xoxb-", "xapp-", "ya29."];
    let pattern = format!(
        "({})[A-Za-z0-9_\\-\\.]+",
        PREFIXES
            .iter()
            .map(|&s| regex::escape(s))
            .collect::<Vec<_>>()
            .join("|")
    );
    regex::Regex::new(&pattern).expect("valid regex")
});

pub fn redact_bearer_tokens(input: &str) -> String {
    BEARER_TOKEN_RE
        .replace_all(input, "$1<redacted>")
        .to_string()
}

pub fn redact_common_query_params(input: &str) -> String {
    COMMON_QUERY_RE
        .replace_all(input, |caps: &regex::Captures| {
            let key = caps.get(1).map_or("", |m| m.as_str());
            format!("{}<redacted>", key)
        })
        .to_string()
}

pub fn redact_token_like_substrings(input: &str) -> String {
    TOKEN_LIKE_RE.replace_all(input, "<redacted>").to_string()
}