paperclip/server/src/redaction.ts

const SECRET_PAYLOAD_KEY_RE =
  /(api[-_]?key|access[-_]?token|auth(?:_?token)?|authorization|bearer|secret|passwd|password|credential|jwt|private[-_]?key|cookie|connectionstring)/i;
const JWT_VALUE_RE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)?$/;
export const REDACTED_EVENT_VALUE = "***REDACTED***";

function isPlainObject(value: unknown): value is Record<string, unknown> {
  if (typeof value !== "object" || value === null || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

function sanitizeValue(value: unknown): unknown {
  if (value === null || value === undefined) return value;
  if (Array.isArray(value)) return value.map(sanitizeValue);
  if (isSecretRefBinding(value)) return value;
  if (isPlainBinding(value)) return { type: "plain", value: sanitizeValue(value.value) };
  if (!isPlainObject(value)) return value;
  return sanitizeRecord(value);
}

function isSecretRefBinding(value: unknown): value is { type: "secret_ref"; secretId: string; version?: unknown } {
  if (!isPlainObject(value)) return false;
  return value.type === "secret_ref" && typeof value.secretId === "string";
}

function isPlainBinding(value: unknown): value is { type: "plain"; value: unknown } {
  if (!isPlainObject(value)) return false;
  return value.type === "plain" && "value" in value;
}

export function sanitizeRecord(record: Record<string, unknown>): Record<string, unknown> {
  const redacted: Record<string, unknown> = {};
  for (const [key, value] of Object.entries(record)) {
    if (SECRET_PAYLOAD_KEY_RE.test(key)) {
      if (isSecretRefBinding(value)) {
        redacted[key] = sanitizeValue(value);
        continue;
      }
      if (isPlainBinding(value)) {
        redacted[key] = { type: "plain", value: REDACTED_EVENT_VALUE };
        continue;
      }
      redacted[key] = REDACTED_EVENT_VALUE;
      continue;
    }
    if (typeof value === "string" && JWT_VALUE_RE.test(value)) {
      redacted[key] = REDACTED_EVENT_VALUE;
      continue;
    }
    redacted[key] = sanitizeValue(value);
  }
  return redacted;
}

export function redactEventPayload(payload: Record<string, unknown> | null): Record<string, unknown> | null {
  if (!payload) return null;
  if (!isPlainObject(payload)) return payload;
  return sanitizeRecord(payload);
}
Implement secrets service with local encryption, redaction, and runtime resolution Add AES-256-GCM local encrypted secrets provider with auto-generated master key, stub providers for AWS/GCP/Vault, and a secrets service that normalizes adapter configs (converting sensitive inline values to secret refs in strict mode) and resolves secret refs back to plain values at runtime. Extract redaction utilities from agent routes into shared module. Redact sensitive values in activity logs, config revisions, and approval payloads. Block rollback of revisions containing redacted secrets. Filter hidden issues from list queries. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-19 15:43:52 -06:00			`const SECRET_PAYLOAD_KEY_RE =`
			`/(api[-_]?key\|access[-_]?token\|auth(?:_?token)?\|authorization\|bearer\|secret\|passwd\|password\|credential\|jwt\|private[-_]?key\|cookie\|connectionstring)/i;`
			`const JWT_VALUE_RE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)?$/;`
			`export const REDACTED_EVENT_VALUE = "*REDACTED*";`

			`function isPlainObject(value: unknown): value is Record<string, unknown> {`
			`if (typeof value !== "object" \|\| value === null \|\| Array.isArray(value)) return false;`
			`const proto = Object.getPrototypeOf(value);`
			`return proto === Object.prototype \|\| proto === null;`
			`}`

			`function sanitizeValue(value: unknown): unknown {`
			`if (value === null \|\| value === undefined) return value;`
			`if (Array.isArray(value)) return value.map(sanitizeValue);`
			`if (isSecretRefBinding(value)) return value;`
			`if (isPlainBinding(value)) return { type: "plain", value: sanitizeValue(value.value) };`
			`if (!isPlainObject(value)) return value;`
			`return sanitizeRecord(value);`
			`}`

			`function isSecretRefBinding(value: unknown): value is { type: "secret_ref"; secretId: string; version?: unknown } {`
			`if (!isPlainObject(value)) return false;`
			`return value.type === "secret_ref" && typeof value.secretId === "string";`
			`}`

			`function isPlainBinding(value: unknown): value is { type: "plain"; value: unknown } {`
			`if (!isPlainObject(value)) return false;`
			`return value.type === "plain" && "value" in value;`
			`}`

			`export function sanitizeRecord(record: Record<string, unknown>): Record<string, unknown> {`
			`const redacted: Record<string, unknown> = {};`
			`for (const [key, value] of Object.entries(record)) {`
			`if (SECRET_PAYLOAD_KEY_RE.test(key)) {`
			`if (isSecretRefBinding(value)) {`
			`redacted[key] = sanitizeValue(value);`
			`continue;`
			`}`
			`if (isPlainBinding(value)) {`
			`redacted[key] = { type: "plain", value: REDACTED_EVENT_VALUE };`
			`continue;`
			`}`
			`redacted[key] = REDACTED_EVENT_VALUE;`
			`continue;`
			`}`
			`if (typeof value === "string" && JWT_VALUE_RE.test(value)) {`
			`redacted[key] = REDACTED_EVENT_VALUE;`
			`continue;`
			`}`
			`redacted[key] = sanitizeValue(value);`
			`}`
			`return redacted;`
			`}`

			`export function redactEventPayload(payload: Record<string, unknown> \| null): Record<string, unknown> \| null {`
			`if (!payload) return null;`
			`if (!isPlainObject(payload)) return payload;`
			`return sanitizeRecord(payload);`
			`}`