i:dZddlZddlZddlZejeZehdZehdZ ej dd dvZ gdZ d Zejd ed Zd Zejd edejZejdejZejdZejdZejdejZejdZejdZejdZejdZejdZejdZejdde zdzZddddddd e d!e!d"e!d#e!d$e d%e d&e fd'Z"d(e d&e fd)Z#d*e d&e fd+Z$d,e d&e fd-Z%d,e d&e fd.Z&d,e d&e fd/Z'd0d1d,e d2e(d&e fd3Z)Gd4d5ej*Z+dS)6a2Regex-based secret redaction for logs and tool output. Applies pattern matching to mask API keys, tokens, and credentials before they reach log files, verbose output, or gateway logs. Short tokens (< 18 chars) are fully masked. Longer tokens preserve the first 6 and last 4 characters for debuggability. N>x-amz-signaturejwtkeyauthcodetokenapikeysecretapi_keysessionid_tokenpassword signature access_token client_secret refresh_token>rrrrr r r r r private_keyr authorizationrrHERMES_REDACT_SECRETS)1trueyeson)#zsk-[A-Za-z0-9_-]{10,}zghp_[A-Za-z0-9]{10,}zgithub_pat_[A-Za-z0-9_]{10,}zgho_[A-Za-z0-9]{10,}zghu_[A-Za-z0-9]{10,}zghs_[A-Za-z0-9]{10,}zghr_[A-Za-z0-9]{10,}zxox[baprs]-[A-Za-z0-9-]{10,}zAIza[A-Za-z0-9_-]{30,}zpplx-[A-Za-z0-9]{10,}zfal_[A-Za-z0-9_-]{10,}zfc-[A-Za-z0-9]{10,}zbb_live_[A-Za-z0-9_-]{10,}zgAAAA[A-Za-z0-9_=-]{20,}zAKIA[A-Z0-9]{16}zsk_live_[A-Za-z0-9]{10,}zsk_test_[A-Za-z0-9]{10,}zrk_live_[A-Za-z0-9]{10,}zSG\.[A-Za-z0-9_-]{10,}zhf_[A-Za-z0-9]{10,}zr8_[A-Za-z0-9]{10,}znpm_[A-Za-z0-9]{10,}zpypi-[A-Za-z0-9_-]{10,}zdop_v1_[A-Za-z0-9]{10,}zdoo_v1_[A-Za-z0-9]{10,}zam_[A-Za-z0-9_-]{10,}zsk_[A-Za-z0-9_]{10,}ztvly-[A-Za-z0-9]{10,}zexa_[A-Za-z0-9]{10,}zgsk_[A-Za-z0-9]{10,}zsyt_[A-Za-z0-9]{10,}zretaindb_[A-Za-z0-9]{10,}zhsk-[A-Za-z0-9]{10,}zmem0_[A-Za-z0-9]{10,}zbrv_[A-Za-z0-9]{10,}z9(?:API_?KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL|AUTH)z([A-Z0-9_]{0,50}z&[A-Z0-9_]{0,50})\s*=\s*(['\"]?)(\S+)\2z(?:api_?[Kk]ey|token|secret|password|access_token|refresh_token|auth_token|bearer|secret_value|raw_secret|secret_input|key_material)z("z")\s*:\s*"([^"]+)"z!(Authorization:\s*Bearer\s+)(\S+)z#(bot)?(\d{8,}):([-A-Za-z0-9_]{30,})zH-----BEGIN[A-Z ]*PRIVATE KEY-----[\s\S]*?-----END[A-Z ]*PRIVATE KEY-----zK((?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|amqp)://[^:]+:)([^@]+)(@)z2eyJ[A-Za-z0-9_-]{10,}(?:\.[A-Za-z0-9_=-]{4,}){0,2}z<@!?(\d{17,20})>z (\+[1-9]\d{6,14})(?![A-Za-z0-9])z;(https?|wss?|ftp)://([^\s/?#]+)([^\s?#]*)\?([^\s#]+)(#\S*)?z+(https?|wss?|ftp)://([^/\s:@]+):([^/\s@]+)@zH^[A-Za-z_][A-Za-z0-9_.-]*=[^&\s]*(?:&[A-Za-z_][A-Za-z0-9_.-]*=[^&\s]*)+$z(?>> mask_secret("sk-proj-abcdef1234567890") 'sk-p...7890' >>> mask_secret("short") # fully masked '***' >>> mask_secret("") # empty default '' >>> mask_secret("", empty="(not set)") # empty override '(not set)' >>> mask_secret("long-token", head=6, tail=4, floor=18) '***' Nz...)len)r$rr r!r"r#s 1/home/ubuntu/.hermes/hermes-agent/agent/redact.py mask_secretr)sOP   5zzEETEl . .udUVV} . ..rc0|sdSt|dddS)uOMask a log token — conservative 18-char floor, preserves 6 prefix / 4 suffix.rr)rr r!)r))rs r( _mask_tokenr.s( u u11B 7 7 77r*queryc`|s|Sg}|dD]~}d|vr|||d\}}}|tvr||di||d|S)aRedact sensitive parameter values in a URL query string. Handles `k=v&k=v` format. Sensitive keys (case-insensitive) have values replaced with `***`. Non-sensitive keys pass through unchanged. Empty or malformed pairs are preserved as-is. &=z=***)splitappend partitionlower_SENSITIVE_QUERY_PARAMSjoin)r/partspairr_r$s r(_redact_query_stringr<s  E C   d?? LL    s++ Q 99;;1 1 1 LLC & & & & LL     88E??r*textcfdtjdtfd}t||S)uScan text for URLs with query strings and redact sensitive params. Catches opaque tokens that don't match vendor prefix regexes, e.g. `https://example.com/cb?code=ABC123&state=xyz` → `...?code=***&state=xyz`. mr%c|d}|d}|d}t|d}|dpd}|d||d||S) Nrr://?)groupr<)r?scheme authoritypathr/fragments r(_subz&_redact_url_query_params.._subsGGAJJ wwqzz$QWWQZZ00771::#@@Y@@@u@h@@@r*)reMatchstr_URL_WITH_QUERY_REsub)r=rLs r(_redact_url_query_paramsrRsD AASAAAA  ! !$ - --r*c:td|S)zStrip `user:password@` from HTTP/WS/FTP URLs. DB protocols (postgres, mysql, mongodb, redis, amqp) are handled separately by `_DB_CONNSTR_RE`. c^|dd|ddS)NrArErBz:***@rGr?s r(z&_redact_url_userinfo..s+QWWQZZ55AGGAJJ555r*)_URL_USERINFO_RErQr=s r(_redact_url_userinforZs%   55   r*c|rd|vsd|vr|St|s|St|S)uNRedact sensitive values in a form-urlencoded body. Only applies when the entire input looks like a pure form body (k=v&k=v with no newlines, no other text). Single-line non-form text passes through unchanged. This is a conservative pass — the `_redact_url_query_params` function handles embedded query strings.  r1) _FORM_BODY_REmatchstripr<rYs r(_redact_form_bodyr`$sZ 44<<3d??   tzz|| , ,  - --r*F)forcerac |dSt|tst|}|s|S|s ts|Std|}d}t ||}d}t ||}td|}d}t||}td|}td|}td |}t|}t|}t|}td |}d }t ||}|S) ugApply all redaction patterns to a block of text. Safe to call on any string -- non-matching text passes through unchanged. Disabled by default — enable via security.redact_secrets: true in config.yaml. Set force=True for safety boundaries that must never return raw secrets regardless of the user's global logging redaction preference. NcFt|dS)NrAr.rGrVs r(rWz'redact_sensitive_text..FsK $;$;r*c|d|d|d}}}|d|t||S)NrArBrCr2rGr.)r?namequoter$s r( _redact_envz*redact_sensitive_text.._redact_envIsSWWQZZQWWQZZUe;;; E 2 2;E;;;r*c|d|d}}|dt|dS)NrArBz: ""rf)r?rr$s r( _redact_jsonz+redact_sensitive_text.._redact_jsonOs>WWQZZU//+e,,////r*cr|dt|dzS)NrArBrfrVs r(rWz'redact_sensitive_text..Vs'!''!**{1771::666r*ch|dpd}|d}||dS)NrArrBz:***rU)r?prefixdigitss r(_redact_telegramz/redact_sensitive_text.._redact_telegram[s9!r&&&&&&r*z[REDACTED PRIVATE KEY]c\|dd|dS)NrArrCrUrVs r(rWz'redact_sensitive_text..es(1771::(F(F!''!**(F(Fr*cFt|dS)NrrdrVs r(rWz'redact_sensitive_text..hsQWWQZZ!8!8r*c@dd|dvrdnddS)Nz<@!rrz***>rUrVs r(rWz'redact_sensitive_text..us+-X 9J9J##PR-X-X-Xr*c|d}t|dkr|dddz|ddzS|dddz|ddzS)NrArBz****r)rGr')r?phones r( _redact_phonez,redact_sensitive_text.._redact_phonexs`  u::??!9v%bcc 2 2RaRy6!E"##J..r*) isinstancerO_REDACT_ENABLED _PREFIX_RErQ_ENV_ASSIGN_RE_JSON_FIELD_RE_AUTH_HEADER_RE _TELEGRAM_RE_PRIVATE_KEY_RE_DB_CONNSTR_RE_JWT_RErZrRr`_DISCORD_MENTION_RE_SIGNAL_PHONE_RE)r=rarirlrqr{s r(redact_sensitive_textr4s |t dC 4yy  _  >>;;T B BD<<<   k4 0 0D000   lD 1 1D   66   D '''   ,d 3 3D   7 > >D   FF M MD ;;88$ ? ?D  % %D $D ) )D T " "D  " "#X#XZ^ _ _D///    t 4 4D Kr*cBeZdZdZdfd Zdejdeffd ZxZ S) RedactingFormatterz9Log formatter that redacts secrets from all log messages.N%c @tj|||fi|dSN)super__init__)selffmtdatefmtstylekwargs __class__s r(rzRedactingFormatter.__init__s,gu7777777r*recordr%cdt|}t|Sr)rformatr)rroriginalrs r(rzRedactingFormatter.formats&77>>&))$X...r*)NNr) __name__ __module__ __qualname____doc__rlogging LogRecordrOr __classcell__)rs@r(rrsrCC888888/W./3//////////r*r),rrosrM getLoggerrlogger frozensetr7_SENSITIVE_BODY_KEYSgetenvr6r}_PREFIX_PATTERNS_SECRET_ENV_NAMEScompiler_JSON_KEY_NAMES IGNORECASErrrrrrrrrPrXr]r8r~rOintr)r.r<rRrZr`boolr Formatterrr*r(rs  8 $ $ $)%%%,!y""".")3R88>>@@D^^$$$NQU+UUU Z-/---M "*(Mrz* "*O RM "*%  !bj!4552:ABB  RZ2:2  O RZSXX&6777:OO ,/,/,/ ,/ ,/  ,/  ,/  ,/ ,/ ,/,/,/,/^8s8s8888, .3 .3 . . . . s s     .C .C . . . . 7<KKKKtKKKKK\/////*/////r*