pub fn redact_secrets(text: &str) -> String
Conservative pre-persist secret redaction for locally-drafted rule text.
This is the Rust analogue of the cloud’s redactSecrets in
difflore-cloud/src/lib/redact-secrets.ts; it mirrors the SAME secret
classes so a rule drafted locally is scrubbed before it is written to the
SQLite skills store (and lazily embedded), exactly as the cloud scrubs
before persisting/embedding a candidate. The classes, in priority order:
- Provider-prefixed credentials + JWTs — redacted on shape alone
  (gh[opsu]_…, github_pat_…, sk-…, xox[baprs]-…, AKIA…, JWT eyJ….….…).
- Bearer <token> (HTTP Authorization style) — unless the token is a plain code reference.
- <keyword> [:=] <value> assignments for api_key / access_token / refresh_token /
  id_token / auth_token / bearer_token / client_secret / webhook_secret / secret /
  password / passwd / pwd — redacted ONLY when the value both carries secret-like
  entropy AND is not a code reference.
Conservative by design: it runs over real review prose and quoted code
snippets, so a false positive silently corrupts a legitimate rule. The
keyword-assignment class therefore never fires on config.apiKey,
process.env.API_KEY, getToken(), or a plain identifier; the prefix/JWT
classes fire only on their distinctive high-entropy shape. Plain prose, git
SHAs, and UUIDs are left untouched (see the unit tests).
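The keyword-assignment class and its two guards, as an added illustration that is not the crate's own code: the keyword list follows the description above, while the entropy thresholds, the `[REDACTED]` marker and the "code reference" heuristic are this example's assumptions, chosen to err toward leaving text alone.

```rust
// Added illustration of the keyword-assignment class only; not the crate's
// own code. Thresholds, marker and the code-reference heuristic are assumed.
const KEYWORDS: [&str; 12] = [
    "api_key", "access_token", "refresh_token", "id_token", "auth_token",
    "bearer_token", "client_secret", "webhook_secret", "secret", "password",
    "passwd", "pwd",
];

fn is_ident(b: u8) -> bool { b.is_ascii_alphanumeric() || b == b'_' }

/// Shannon entropy in bits per byte; 16 distinct characters score 4.0.
fn shannon_bits(v: &str) -> f64 {
    let mut counts = [0usize; 256];
    v.bytes().for_each(|b| counts[b as usize] += 1);
    let n = v.len() as f64;
    counts.iter().filter(|&&c| c > 0)
        .map(|&c| { let p = c as f64 / n; -p * p.log2() }).sum()
}

/// Secret-like entropy: long and diverse enough not to be a word or placeholder.
fn looks_secret(v: &str) -> bool { v.len() >= 16 && shannon_bits(v) >= 3.5 }

/// Member access, call, env/template lookup or bare identifier: code, not a literal.
fn is_code_reference(v: &str) -> bool {
    v.contains('.') || v.contains('(') || v.starts_with('$')
        || v.chars().all(|c| c.is_ascii_alphabetic() || c == '_')
}

/// Replace the value of each `<keyword> [:=] <value>` that passes BOTH guards.
pub fn redact_keyword_assignments(text: &str) -> String {
    let (lower, bytes) = (text.to_ascii_lowercase(), text.as_bytes());
    let (mut out, mut i) = (String::new(), 0);
    while i < bytes.len() {
        let hit = KEYWORDS.iter()
            .find(|k| lower[i..].starts_with(**k) && (i == 0 || !is_ident(bytes[i - 1])));
        if let Some(k) = hit {
            // skip blanks and quotes around the key, the separator and the value
            let skip = |mut j: usize| { while j < bytes.len() && b" \t\"'".contains(&bytes[j]) { j += 1; } j };
            let j = skip(i + k.len());
            if j < bytes.len() && (bytes[j] == b':' || bytes[j] == b'=') {
                let start = skip(j + 1);
                let mut end = start;
                while end < bytes.len() && !b" \t\r\n\"',;)".contains(&bytes[end]) { end += 1; }
                let value = &text[start..end];
                out.push_str(&text[i..start]);
                out.push_str(if looks_secret(value) && !is_code_reference(value) { "[REDACTED]" } else { value });
                i = end;
                continue;
            }
        }
        let ch = text[i..].chars().next().unwrap();
        out.push(ch);
        i += ch.len_utf8();
    }
    out
}
```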