manual-sync: tudo-para-ia-mais-humana 2026-05-01_153128

src/mais_humana/redaction.py

@@ -63,6 +63,36 @@ class RedactionReport:
         return as_plain_data(self)
 
 
+def mask_secret_sample(pattern_id: str, sample: str) -> str:
+    cleaned = sample.strip()
+    if not cleaned:
+        return "[redacted:0]"
+    if pattern_id == "cloudflare_cfat_token":
+        return f"cfat_[redacted:{len(cleaned)}]"
+    if pattern_id == "bearer_token":
+        return f"Bearer [redacted:{len(cleaned)}]"
+    if "=" in cleaned:
+        key = cleaned.split("=", 1)[0].strip()
+        return f"{key}=[redacted:{len(cleaned)}]"
+    if ":" in cleaned:
+        key = cleaned.split(":", 1)[0].strip()
+        return f"{key}: [redacted:{len(cleaned)}]"
+    if "://" in cleaned:
+        return f"[connection-string-redacted:{len(cleaned)}]"
+    if len(cleaned) <= 8:
+        return "[redacted]"
+    return f"{cleaned[:4]}[redacted:{len(cleaned)}]"
+
+
+def redact_sensitive_text(text: str) -> str:
+    """Return text with known secret-shaped values replaced by redacted markers."""
+
+    redacted = text
+    for pattern_id, pattern in SECRET_PATTERNS:
+        redacted = pattern.sub(lambda match: mask_secret_sample(pattern_id, match.group(0)), redacted)
+    return redacted
+
+
 def is_allowlisted(line: str) -> bool:
     lowered = line.lower()
     if "cfat_" in lowered or "bearer " in lowered:
@@ -84,6 +114,7 @@ def scan_text_for_secrets(path: str, text: str) -> tuple[RedactionFinding, ...]:
             sample = match.group(0)
             if len(sample) > 90:
                 sample = sample[:87] + "..."
+            sample = mask_secret_sample(pattern_id, sample)
             severity = "critical" if pattern_id in {"private_key", "connection_string"} else "warning"
             findings.append(
                 RedactionFinding(