idZddlZddlZddlZejeZejdddvZ gdZ dZ ej de d Z d Zej d ed ejZej d ejZej dZej dZej dejZej dZej dZej dZej dde zdzZdedefdZdedefdZGddejZdS)a2Regex-based secret redaction for logs and tool output. Applies pattern matching to mask API keys, tokens, and credentials before they reach log files, verbose output, or gateway logs. Short tokens (< 18 chars) are fully masked. Longer tokens preserve the first 6 and last 4 characters for debuggability. NHERMES_REDACT_SECRETS)0falsenooff)#zsk-[A-Za-z0-9_-]{10,}zghp_[A-Za-z0-9]{10,}zgithub_pat_[A-Za-z0-9_]{10,}zgho_[A-Za-z0-9]{10,}zghu_[A-Za-z0-9]{10,}zghs_[A-Za-z0-9]{10,}zghr_[A-Za-z0-9]{10,}zxox[baprs]-[A-Za-z0-9-]{10,}zAIza[A-Za-z0-9_-]{30,}zpplx-[A-Za-z0-9]{10,}zfal_[A-Za-z0-9_-]{10,}zfc-[A-Za-z0-9]{10,}zbb_live_[A-Za-z0-9_-]{10,}zgAAAA[A-Za-z0-9_=-]{20,}zAKIA[A-Z0-9]{16}zsk_live_[A-Za-z0-9]{10,}zsk_test_[A-Za-z0-9]{10,}zrk_live_[A-Za-z0-9]{10,}zSG\.[A-Za-z0-9_-]{10,}zhf_[A-Za-z0-9]{10,}zr8_[A-Za-z0-9]{10,}znpm_[A-Za-z0-9]{10,}zpypi-[A-Za-z0-9_-]{10,}zdop_v1_[A-Za-z0-9]{10,}zdoo_v1_[A-Za-z0-9]{10,}zam_[A-Za-z0-9_-]{10,}zsk_[A-Za-z0-9_]{10,}ztvly-[A-Za-z0-9]{10,}zexa_[A-Za-z0-9]{10,}zgsk_[A-Za-z0-9]{10,}zsyt_[A-Za-z0-9]{10,}zretaindb_[A-Za-z0-9]{10,}zhsk-[A-Za-z0-9]{10,}zmem0_[A-Za-z0-9]{10,}zbrv_[A-Za-z0-9]{10,}z9(?:API_?KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL|AUTH)z([A-Z0-9_]{0,50}z&[A-Z0-9_]{0,50})\s*=\s*(['\"]?)(\S+)\2z(?:api_?[Kk]ey|token|secret|password|access_token|refresh_token|auth_token|bearer|secret_value|raw_secret|secret_input|key_material)z("z")\s*:\s*"([^"]+)"z!(Authorization:\s*Bearer\s+)(\S+)z#(bot)?(\d{8,}):([-A-Za-z0-9_]{30,})zH-----BEGIN[A-Z ]*PRIVATE KEY-----[\s\S]*?-----END[A-Z ]*PRIVATE KEY-----zK((?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|amqp)://[^:]+:)([^@]+)(@)z2eyJ[A-Za-z0-9_-]{10,}(?:\.[A-Za-z0-9_=-]{4,}){0,2}z<@!?(\d{17,20})>z (\+[1-9]\d{6,14})(?![A-Za-z0-9])z(?z'redact_sensitive_text..sK $;$;rc|d|d|d}}}|d|t||S)Nr=rr)rnamequotevalues r _redact_envz*redact_sensitive_text.._redact_envsSWWQZZQWWQZZUe;;; E 2 2;E;;;rc|d|d}}|dt|dS)Nrrz: ""r")rkeyr%s r _redact_jsonz+redact_sensitive_text.._redact_jsons>WWQZZU//+e,,////rcr|dt|dzS)Nrrr"rs rrz'redact_sensitive_text..s'!''!**{1771::666rch|dpd}|d}||dS)Nrrrz:***r)rprefixdigitss r_redact_telegramz/redact_sensitive_text.._redact_telegrams9!r&&&&&&rz[REDACTED PRIVATE KEY]c\|dd|dS)Nrrr r-rs rrz'redact_sensitive_text..s(1771::(F(F!''!**(F(FrcFt|dS)Nrrrs rrz'redact_sensitive_text..sQWWQZZ!8!8rc@dd|dvrdnddS)Nz<@!rrz***>r-rs rrz'redact_sensitive_text..s+-X 9J9J##PR-X-X-Xrc|d}t|dkr|dddz|ddzS|dddz|ddzS)Nrrz****r)rr)rphones r _redact_phonez,redact_sensitive_text.._redact_phones`  u::??!9v%bcc 2 2RaRy6!E"##J..r) isinstancestr_REDACT_ENABLED _PREFIX_REsub_ENV_ASSIGN_RE_JSON_FIELD_RE_AUTH_HEADER_RE _TELEGRAM_RE_PRIVATE_KEY_RE_DB_CONNSTR_RE_JWT_RE_DISCORD_MENTION_RE_SIGNAL_PHONE_RE)rr&r*r0r:s rredact_sensitive_textrI|s  |t dC 4yy    >>;;T B BD<<<   k4 0 0D000   lD 1 1D   66   D '''   ,d 3 3D   7 > >D   FF M MD ;;88$ ? ?D  " "#X#XZ^ _ _D///    t 4 4D KrcBeZdZdZdfd Zdejdeffd ZxZ S) RedactingFormatterz9Log formatter that redacts secrets from all log messages.N%c @tj|||fi|dSN)super__init__)selffmtdatefmtstylekwargs __class__s rrPzRedactingFormatter.__init__s,gu7777777rrecordr cdt|}t|SrN)rOformatrI)rQrWoriginalrVs rrYzRedactingFormatter.formats&77>>&))$X...r)NNrL) __name__ __module__ __qualname____doc__rPlogging LogRecordr<rY __classcell__)rVs@rrKrKsrCC888888/W./3//////////rrK)r^r_osre getLoggerr[loggergetenvlowerr=_PREFIX_PATTERNS_SECRET_ENV_NAMEScompiler@_JSON_KEY_NAMES IGNORECASErArBrCrDrErFrGrHjoinr>r<rrI FormatterrKrrrps,  8 $ $")3R88>>@@Hcc$$$NQU+UUU Z-/---M "*(Mrz* "*O RM "*%  !bj!4552:ABBRZSXX&6777:OO )s)s))))??????D/////*/////r