Class: RosettAi::Retrofit::SecretDetector

Inherits:
Object
Defined in:
lib/rosett_ai/retrofit/secret_detector.rb

Overview

Detects sensitive values in parsed configuration data and replaces them with $secret:env:NAME references.

Recognises API keys, tokens, passwords, and other secrets by key name patterns and value heuristics (length, entropy, prefixes).

Author:

  • hugo

  • claude

Constant Summary

SENSITIVE_KEY_PATTERNS =
[
  /api[_-]?key/i,
  /secret/i,
  /token/i,
  /password/i,
  /credential/i,
  /auth/i,
  /private[_-]?key/i
].freeze
SECRET_VALUE_PREFIXES =
['sk-', 'pk-', 'ghp_', 'gho_', 'ghs_', 'github_pat_', 'xoxb-', 'xoxp-'].freeze
MIN_SECRET_LENGTH =
20

Instance Method Summary

Constructor Details

#initialize(warnings: []) ⇒ SecretDetector

Returns a new instance of SecretDetector.

Parameters:

  • warnings (Array<String>) (defaults to: [])

    mutable array for warning messages


# File 'lib/rosett_ai/retrofit/secret_detector.rb', line 32

def initialize(warnings: [])
  @warnings = warnings
end

Instance Method Details

#redact(data, prefix: '') ⇒ Hash

Scans a hash and replaces sensitive values with secret references.

Parameters:

  • data (Hash)

    parsed configuration data

  • prefix (String) (defaults to: '')

    key path prefix for env var naming

Returns:

  • (Hash)

    data with secrets replaced


# File 'lib/rosett_ai/retrofit/secret_detector.rb', line 41

def redact(data, prefix: '')
  data.each_with_object({}) do |(key, value), result|
    # Key path used for the env var name, e.g. prefix "db" + key "password" -> "db_password".
    full_key = prefix.empty? ? key.to_s : "#{prefix}_#{key}"
    # redact_value is a private helper of this class and is not shown on this page.
    result[key] = redact_value(key.to_s, value, full_key)
  end
end
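The detector described in the Overview and the #redact method above, as an added example that is not the gem's own code (the private redact_value helper is not shown on this page). The three constants are copied from the page; the env-var naming (upcased key path), the ENTROPY_THRESHOLD value, and the recursion into nested hashes are assumptions.

```ruby
# Added example (not the gem's code): key-name patterns plus value heuristics
# (prefix, length, entropy) over a nested config, rewriting hits as $secret:env:NAME.
# Assumed: NAME is the upcased key path; ENTROPY_THRESHOLD is not from the gem.
SENSITIVE_KEY_PATTERNS = [/api[_-]?key/i, /secret/i, /token/i, /password/i,
                          /credential/i, /auth/i, /private[_-]?key/i].freeze
SECRET_VALUE_PREFIXES = ['sk-', 'pk-', 'ghp_', 'gho_', 'ghs_', 'github_pat_', 'xoxb-', 'xoxp-'].freeze
MIN_SECRET_LENGTH = 20
ENTROPY_THRESHOLD = 3.5 # bits per character; assumed tuning value

# Shannon entropy in bits per character of a string.
def shannon_entropy(str)
  return 0.0 if str.empty?
  str.each_char.tally.values.sum { |c| p = c.to_f / str.length; -p * Math.log2(p) }
end

def sensitive_key?(key)
  SENSITIVE_KEY_PATTERNS.any? { |re| key.match?(re) }
end

# Value-only heuristic: known vendor prefix, or long and high-entropy.
def secret_value?(value)
  return false unless value.is_a?(String)
  return true if SECRET_VALUE_PREFIXES.any? { |p| value.start_with?(p) }
  value.length >= MIN_SECRET_LENGTH && shannon_entropy(value) >= ENTROPY_THRESHOLD
end

def env_name(full_key)
  full_key.upcase.gsub(/[^A-Z0-9]/, '_')
end

# Recursive form of #redact; warnings collects one message per replacement.
def redact(data, prefix: '', warnings: [])
  data.each_with_object({}) do |(key, value), result|
    full_key = prefix.empty? ? key.to_s : "#{prefix}_#{key}"
    result[key] =
      if value.is_a?(Hash)
        redact(value, prefix: full_key, warnings: warnings)
      elsif (sensitive_key?(key.to_s) && value.is_a?(String)) || secret_value?(value)
        warnings << "#{full_key}: replaced with $secret:env:#{env_name(full_key)}"
        "$secret:env:#{env_name(full_key)}"
      else
        value
      end
  end
end

# Constructed sample config; every value is fake.
SAMPLE_CONFIG = {
  'service' => 'payments',
  'openai' => { 'api_key' => 'sk-constructed-example-value' },
  'db' => { 'host' => 'localhost', 'password' => 'hunter2' },
  'opaque' => 'Zq7!pL2#vX9@mK4$rT8&nB3^' # no sensitive key; caught by length + entropy
}.freeze
```

Running `redact(SAMPLE_CONFIG, warnings: w)` leaves `service` and `db.host` untouched and rewrites the other three values, appending one line per replacement to `w`.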