Output redaction engine for secretsh.
Redactor builds an Aho-Corasick multi-pattern automaton from a set of
(key_name, secret_value) pairs and uses it to scan child-process output
in O(n) time, replacing every occurrence of a secret (in raw or encoded
form) with a bracketed label such as [REDACTED_DB_PASS].
§Encoded variants
For each secret value the engine generates up to six patterns:
| Encoding | Replacement label |
|---|---|
| Raw bytes | [REDACTED_KEY] |
| Base64 standard | [REDACTED_KEY_B64] |
| Base64 URL-safe | [REDACTED_KEY_B64URL] |
| URL percent-encoding | [REDACTED_KEY_URL] |
| Hex lowercase | [REDACTED_KEY_HEX] |
| Hex uppercase | [REDACTED_KEY_HEX] |
Encoded variants that are byte-for-byte identical to the raw value are skipped to avoid duplicate automaton patterns. Empty secret values are also skipped entirely.
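
The variant table and skip rules above, as an added std-only sketch (not secretsh's own code): it derives the patterns for one secret and redacts a constructed output line. The helper names, Base64 padding choice, percent-encoding safe set, skipping of any repeated pattern, and the naive longest-match scan standing in for the Aho-Corasick automaton are all assumptions.

```rust
// Added example, not secretsh's code. Padding, the percent-encoding safe set and the scan are assumptions.
const B64: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
fn b64(data: &[u8], url: bool) -> Vec<u8> {
    let mut out = Vec::new();
    for c in data.chunks(3) {
        let n = (c[0] as u32) << 16 | (*c.get(1).unwrap_or(&0) as u32) << 8 | *c.get(2).unwrap_or(&0) as u32;
        for i in 0..4 {
            if i <= c.len() { out.push(B64[(n >> (18 - 6 * i) & 63) as usize]); }
            else if !url { out.push(b'='); } // assumed: URL-safe form is unpadded
        }
    }
    out.into_iter().map(|b| match b { b'+' if url => b'-', b'/' if url => b'_', x => x }).collect()
}

fn pct(data: &[u8]) -> Vec<u8> {
    let safe = |b: u8| b.is_ascii_alphanumeric() || b"-_.~".contains(&b); // assumed unreserved set
    data.iter().flat_map(|&b| if safe(b) { vec![b] } else { format!("%{:02X}", b).into_bytes() }).collect()
}
fn hex(data: &[u8], upper: bool) -> Vec<u8> {
    let s: String = data.iter().map(|b| format!("{:02x}", b)).collect();
    if upper { s.to_uppercase().into_bytes() } else { s.into_bytes() }
}

fn patterns(key: &str, secret: &[u8]) -> Vec<(Vec<u8>, String)> {
    let mut out: Vec<(Vec<u8>, String)> = Vec::new();
    if secret.is_empty() { return out; } // empty secrets are skipped entirely
    for (pat, sfx) in vec![(secret.to_vec(), ""), (b64(secret, false), "_B64"), (b64(secret, true), "_B64URL"),
                           (pct(secret), "_URL"), (hex(secret, false), "_HEX"), (hex(secret, true), "_HEX")] {
        if out.iter().any(|(p, _)| *p == pat) { continue; } // identical to an earlier pattern: skip
        out.push((pat, format!("[REDACTED_{}{}]", key, sfx)));
    }
    out
}

fn redact(input: &[u8], pats: &[(Vec<u8>, String)]) -> Vec<u8> {
    let (mut out, mut i) = (Vec::new(), 0);
    while i < input.len() { // longest pattern starting at offset i wins
        match pats.iter().filter(|(p, _)| input[i..].starts_with(p)).max_by_key(|(p, _)| p.len()) {
            Some((p, label)) => { out.extend_from_slice(label.as_bytes()); i += p.len(); }
            None => { out.push(input[i]); i += 1; }
        }
    }
    out
}

fn main() { // constructed sample: hypothetical key name and secret value
    let out = redact(b"login p@ss/w0rd auth=cEBzcy93MHJk\n", &patterns("DB_PASS", b"p@ss/w0rd"));
    print!("{}", String::from_utf8_lossy(&out));
}
```

For a secret such as `abc123`, only three patterns survive, because the percent-encoded form equals the raw value and both hex cases coincide.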
Structs§
- Redactor: Multi-pattern output redactor.