from __future__ import annotations
import re
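# Patterns are applied in order by redact(); each match is replaced wholesale.
SECRET_PATTERNS = [
    # Hugging Face style tokens: "hf_" followed by 20+ token characters.
    re.compile(r"hf_[A-Za-z0-9_\-]{20,}"),
    # Bearer credentials. The value class covers the base64 characters
    # ("~", "+", "/") and trailing "=" padding, so a token containing them
    # is removed completely instead of leaving its tail in the output.
    re.compile(r"Bearer\s+[A-Za-z0-9_.~+/\-]+=*", re.IGNORECASE),
    # key[:=]value assignments for well-known secret names. The value is, in
    # order of preference: a double-quoted string, a single-quoted string
    # (both may contain spaces and backslash escapes), or an unquoted run of
    # non-whitespace optionally preceded by an auth scheme word, so that
    # "Authorization: Basic <credentials>" loses the credentials too.
    # An optional quote after the key covers JSON-style '"password": "..."'.
    re.compile(
        r"(HF_TOKEN|OAUTH_TOKEN|ACCESS_TOKEN|AUTHORIZATION|PASSWORD|SECRET)"
        r"[\"']?\s*[:=]\s*"
        r"(?:\"(?:[^\"\\\n]|\\.)*\""
        r"|'(?:[^'\\\n]|\\.)*'"
        r"|(?:(?:Basic|Bearer)\s+)?\S+)",
        re.IGNORECASE,
    ),
]


def redact(text: str | None) -> str:
    """Best-effort redaction for logs/reports shown in the UI.

    Every match of every pattern in SECRET_PATTERNS is replaced with the
    literal marker "[REDACTED]". This is intentionally conservative and is
    not a complete DLP system: it only targets obvious token leaks, so
    secrets in formats the patterns do not describe pass through unchanged.

    Args:
        text: The text to scrub. ``None`` and the empty string are accepted.

    Returns:
        The scrubbed text, or "" when ``text`` is ``None`` or empty.
    """
    if not text:
        return ""
    redacted = text
    for pattern in SECRET_PATTERNS:
        redacted = pattern.sub("[REDACTED]", redacted)
    return redacted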