Ji?TdZddlZddlZddlZejeZejdddvZ gdZ dZ ej de d ej Zd Zej d ed ej Zej d ej Zej dZej dZej dej Zej dZej dde zdzZdedefdZdedefdZGddejZdS)a2Regex-based secret redaction for logs and tool output. Applies pattern matching to mask API keys, tokens, and credentials before they reach log files, verbose output, or gateway logs. Short tokens (< 18 chars) are fully masked. Longer tokens preserve the first 6 and last 4 characters for debuggability. NHERMES_REDACT_SECRETS)0falsenooff)zsk-[A-Za-z0-9_-]{10,}zghp_[A-Za-z0-9]{10,}zgithub_pat_[A-Za-z0-9_]{10,}zgho_[A-Za-z0-9]{10,}zghu_[A-Za-z0-9]{10,}zghs_[A-Za-z0-9]{10,}zghr_[A-Za-z0-9]{10,}zxox[baprs]-[A-Za-z0-9-]{10,}zAIza[A-Za-z0-9_-]{30,}zpplx-[A-Za-z0-9]{10,}zfal_[A-Za-z0-9_-]{10,}zfc-[A-Za-z0-9]{10,}zbb_live_[A-Za-z0-9_-]{10,}zgAAAA[A-Za-z0-9_=-]{20,}zAKIA[A-Z0-9]{16}zsk_live_[A-Za-z0-9]{10,}zsk_test_[A-Za-z0-9]{10,}zrk_live_[A-Za-z0-9]{10,}zSG\.[A-Za-z0-9_-]{10,}zhf_[A-Za-z0-9]{10,}zr8_[A-Za-z0-9]{10,}znpm_[A-Za-z0-9]{10,}zpypi-[A-Za-z0-9_-]{10,}zdop_v1_[A-Za-z0-9]{10,}zdoo_v1_[A-Za-z0-9]{10,}zam_[A-Za-z0-9_-]{10,}zsk_[A-Za-z0-9_]{10,}ztvly-[A-Za-z0-9]{10,}zexa_[A-Za-z0-9]{10,}z9(?:API_?KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL|AUTH)z([A-Z_]*z[A-Z_]*)\s*=\s*(['\"]?)(\S+)\2z(?:api_?[Kk]ey|token|secret|password|access_token|refresh_token|auth_token|bearer|secret_value|raw_secret|secret_input|key_material)z("z")\s*:\s*"([^"]+)"z!(Authorization:\s*Bearer\s+)(\S+)z#(bot)?(\d{8,}):([-A-Za-z0-9_]{30,})zH-----BEGIN[A-Z ]*PRIVATE KEY-----[\s\S]*?-----END[A-Z ]*PRIVATE KEY-----zK((?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|amqp)://[^:]+:)([^@]+)(@)z (\+[1-9]\d{6,14})(?![A-Za-z0-9])z(?|dSt|tst|}|s|Sts|Std|}d}t ||}d}t ||}td|}d}t||}td|}td|}d }t||}|S) zApply all redaction patterns to a block of text. Safe to call on any string -- non-matching text passes through unchanged. Disabled when security.redact_secrets is false in config.yaml. NcFt|dS)N)rgroupms rz'redact_sensitive_text..|sK $;$;rc|d|d|d}}}|d|t||S)Nr=rr)rnamequotevalues r _redact_envz*redact_sensitive_text.._redact_envsSWWQZZQWWQZZUe;;; E 2 2;E;;;rc|d|d}}|dt|dS)Nrrz: ""r!)rkeyr$s r _redact_jsonz+redact_sensitive_text.._redact_jsons>WWQZZU//+e,,////rcr|dt|dzS)Nrrr!rs rrz'redact_sensitive_text..s'!''!**{1771::666rch|dpd}|d}||dS)Nrrrz:***r)rprefixdigitss r_redact_telegramz/redact_sensitive_text.._redact_telegrams9!r&&&&&&rz[REDACTED PRIVATE KEY]c\|dd|dS)Nrrrr,rs rrz'redact_sensitive_text..s(1771::(F(F!''!**(F(Frc|d}t|dkr|dddz|ddzS|dddz|ddzS)Nrrz****r)rr)rphones r _redact_phonez,redact_sensitive_text.._redact_phones`  u::??!9v%bcc 2 2RaRy6!E"##J..r) isinstancestr_REDACT_ENABLED _PREFIX_REsub_ENV_ASSIGN_RE_JSON_FIELD_RE_AUTH_HEADER_RE _TELEGRAM_RE_PRIVATE_KEY_RE_DB_CONNSTR_RE_SIGNAL_PHONE_RE)rr%r)r/r6s rredact_sensitive_textrClsO  |t dC 4yy    >>;;T B BD<<<   k4 0 0D000   lD 1 1D   66   D '''   ,d 3 3D   7 > >D   FF M MD///    t 4 4D KrcBeZdZdZdfd Zdejdeffd ZxZ S) RedactingFormatterz9Log formatter that redacts secrets from all log messages.N%c @tj|||fi|dSN)super__init__)selffmtdatefmtstylekwargs __class__s rrJzRedactingFormatter.__init__s,gu7777777rrecordr cdt|}t|SrH)rIformatrC)rKrQoriginalrPs rrSzRedactingFormatter.formats&77>>&))$X...r)NNrF) __name__ __module__ __qualname____doc__rJlogging LogRecordr8rS __classcell__)rPs@rrErEsrCC888888/W./3//////////rrE)rXrYosre getLoggerrUloggergetenvlowerr9_PREFIX_PATTERNS_SECRET_ENV_NAMEScompile IGNORECASEr<_JSON_KEY_NAMESr=r>r?r@rArBjoinr:r8rrC FormatterrErrrjs  8 $ $")3R88>>@@HccBQA!AAAM Z-/---M "*(Mrz* "*O RM2:ABBRZSXX&6777:OO )s)s))))999999x/////*/////r