/** * Match-value redaction utility. * * The engine's `ATRMatch.matchedPatterns` field can contain the raw text that * triggered a rule. Downstream integrations that include matched values in * log lines, error messages, or telemetry payloads risk re-exposing the very * secrets that the rule fired on (e.g., AWS access keys, OAuth tokens, * cookies, prompt-injection payloads containing user PII). * * Pass each entry of `match.matchedPatterns` through `redactMatchedValue()` * before logging or surfacing it externally. The function preserves enough * context for triage (rule shape, length, leading marker bytes) without * keeping the secret bytes themselves. * * @example * import { redactMatchedValue } from "agent-threat-rules/redact"; * for (const match of engine.evaluate(event)) { * logger.warn({ * rule: match.rule.id, * redacted_patterns: match.matchedPatterns.map(redactMatchedValue), * }); * } */ /** * Options for `redactMatchedValue`. */ export interface RedactOptions { /** * Number of leading bytes to keep visible as a triage hint. Defaults to 4. * Set to 0 to keep no prefix at all. */ headBytes?: number; /** * Maximum length of the returned redacted string. Defaults to 80. */ maxLength?: number; } /** * Replace a raw matched value with a triage-safe summary. * * The output never contains more than `headBytes` (default 4) of the original * value. The remainder is replaced with a structured placeholder that records * the recognised secret class (when known), the original length, and an * elision marker. Whitespace and surrounding punctuation are preserved so the * summary still reads as a token in log lines. * * Returns a string of at most `maxLength` characters (default 80). */ export declare function redactMatchedValue(value: string, options?: RedactOptions): string; /** * Convenience helper: apply `redactMatchedValue` to every entry of an array. */ export declare function redactMatchedValues(values: ReadonlyArray, options?: RedactOptions): string[]; //# sourceMappingURL=redact.d.ts.map