auth-sanitizer 0.1.4 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 134e152d645296157cf025d9f20f4b025c2d08c93e73309112d6a7e7a9f785c3
-  data.tar.gz: 379cd508b6292e2c1185a5ac698f6f0d641c5f3bd5a9ea7163021cb07afa4544
+  metadata.gz: ee9c13c8e833242ae444802320b2a44204222f09529c8d7d588bbb7f725e2dff
+  data.tar.gz: 7fc39449d814609f58f5c7b6ce432bbb14fb532e5cf84e0a3f296e7e2e770763
 SHA512:
-  metadata.gz: d2e89fd515ca049f65513c2ebc298734059633723277ae406d00d930323aa4b16ed4107e18e89e794e8baf2068724abc9ca0397b986f1724c700308165d7bea1
-  data.tar.gz: d744e2ee6178191389e5ed202e9013114bd939de28c73323cad589afb6175a4b38045356b911523d54865c262a3c8a3beb05d91fc7e9b96fb44de477a7bc62f1
+  metadata.gz: 1c3fdbb99b0835a7694818b891daebe08bdc6e1cd95348e214970bf02c3ece6caa41fc9ae9d22a118720c9064baf16c066c0a7718121362b7d7141622ec2ccd9
+  data.tar.gz: 9057c5111136395c5418bfbd2acde6206d42a7c4b19d67e7fff8ae5449675019608557d4582ac53bd62f9b1792cdf56a186ffaac10989b5148a180e2cc48efcd

data/CHANGELOG.md

@@ -30,6 +30,48 @@ Please file a bug if you notice a violation of semantic versioning.
 
 ### Security
 
+## [0.2.0] - 2026-06-04
+
+- TAG: [v0.2.0][0.2.0t]
+- COVERAGE: 100.00% -- 145/145 lines in 6 files
+- BRANCH COVERAGE: 100.00% -- 28/28 branches in 6 files
+- 84.62% documented
+
+### Changed
+
+- Changed `FilteredAttributes#inspect` to redact narrow patterns from
+  `super.inspect` instead of rebuilding object inspect output, preserving host
+  inspect behavior.
+
+### Fixed
+
+- Redacted configured attributes inside standard Ruby hash inspect fragments,
+  including nested attribute hashes.
+
+## [0.1.5] - 2026-06-03
+
+- TAG: [v0.1.5][0.1.5t]
+- COVERAGE: 100.00% -- 138/138 lines in 6 files
+- BRANCH COVERAGE: 100.00% -- 28/28 branches in 6 files
+- 84.62% documented
+
+### Added
+
+- Added `VersionGem::Basic` helpers to `Auth::Sanitizer::Version`.
+
+### Changed
+
+- Refreshed generated package metadata, support documentation, CI workflows,
+  and development dependency floors from the current kettle-jem template.
+- Documented that CI workflows and appraisals now target MRI Ruby 2.4+ while
+  runtime compatibility remains MRI Ruby 2.2+.
+
+### Fixed
+
+- Prevented isolated loader namespace leakage on Ruby 2.5 and older TruffleRuby runtimes.
+- Protected the custom gemspec version loader from templating rewrites so
+  version detection does not define top-level `Auth` on older Rubies.
+
 ## [0.1.4] - 2026-05-21
 
 - TAG: [v0.1.4][0.1.4t]
@@ -95,7 +137,11 @@ Please file a bug if you notice a violation of semantic versioning.
 
 - Initial release
 
-[Unreleased]: https://github.com//ruby-oauth/auth-sanitizer/compare/v0.1.4...HEAD
+[Unreleased]: https://github.com/ruby-oauth/auth-sanitizer/compare/v0.2.0...HEAD
+[0.2.0]: https://github.com/ruby-oauth/auth-sanitizer/compare/v0.1.5...v0.2.0
+[0.2.0t]: https://github.com/ruby-oauth/auth-sanitizer/releases/tag/v0.2.0
+[0.1.5]: https://github.com/ruby-oauth/auth-sanitizer/compare/v0.1.4...v0.1.5
+[0.1.5t]: https://github.com/ruby-oauth/auth-sanitizer/releases/tag/v0.1.5
 [0.1.4]: https://github.com//ruby-oauth/auth-sanitizer/compare/v0.1.3...v0.1.4
 [0.1.4t]: https://github.com//ruby-oauth/auth-sanitizer/releases/tag/v0.1.4
 [0.1.3]: https://github.com//ruby-oauth/auth-sanitizer/compare/v0.1.2...v0.1.3

data/CITATION.cff

@@ -7,7 +7,7 @@ type: software
 authors:
   - given-names: "Peter H."
     family-names: "Boling"
-    email: "floss@glatzo.com"
+    email: "floss@galtzo.com"
     affiliation: "galtzo.com"
     orcid: 'https://orcid.org/0009-0008-8519-441X'
 identifiers:

data/CODE_OF_CONDUCT.md

@@ -71,11 +71,6 @@ reporter of any incident.
 Community leaders will follow these Community Impact Guidelines in determining
 the consequences for any action they deem in violation of this Code of Conduct:
 
-* Participants will be tolerant of opposing views.
-* Participants must ensure that their language and actions are free of personal attacks and disparaging personal remarks.
-* When interpreting the words and actions of others, participants should always assume good intentions.
-* Behaviour which can be reasonably considered harassment will not be tolerated.
-
 ### 1. Correction
 
 **Community Impact**: Use of inappropriate language or other behavior deemed

data/CONTRIBUTING.md

@@ -8,19 +8,27 @@ To submit a patch, please fork the project, create a patch with tests, and send
 
 Remember to [![Keep A Changelog][📗keep-changelog-img]][📗keep-changelog] if you make changes.
 
+## Developer Certificate of Origin
+
+In order to protect users of this project, we require all contributors to comply with the
+[Developer Certificate of Origin](https://developercertificate.org/).
+This ensures that all contributions are properly licensed and attributed.
+
 ## Help out!
 
-Take a look at the `reek` list which is the file called `REEK` and find something to improve.
+Take a look at the open issues and pull requests, or use the gem and find something to improve.
 
 Follow these instructions:
 
-1. Fork the repository
-2. Create a feature branch (`git checkout -b my-new-feature`)
-3. Make some fixes.
-4. Commit changes (`git commit -am 'Added some feature'`)
-5. Push to the branch (`git push origin my-new-feature`)
-6. Make sure to add tests for it. This is important, so it doesn't break in a future release.
-7. Create new Pull Request.
+1. Join the Discord: [![Live Chat on Discord][✉️discord-invite-img]][✉️discord-invite]
+2. Fork the repository
+3. Create your feature branch (`git checkout -b my-new-feature`)
+4. Make some fixes.
+5. Commit your changes (`git commit -am 'Added some feature'`)
+6. Push to the branch (`git push origin my-new-feature`)
+7. Make sure to add tests for it. This is important, so it doesn't break in a future release.
+8. Create new Pull Request.
+9. Announce it in the channel for this org in the [Discord][✉️discord-invite]!
 
 ## Executables vs Rake tasks
 
@@ -42,6 +50,22 @@ There are many Rake tasks available as well. You can see them by running:
 bin/rake -T
 ```
 
+## Code quality checks
+
+Run the Reek task when you want a smell check that fails on current findings:
+
+```shell
+bin/rake reek
+```
+
+Refresh the checked-in `REEK` backlog through the rake task, not by redirecting
+the raw `reek` executable output. The rake task uses the project bundle and
+avoids stale generated binstubs shadowing the Reek gem executable:
+
+```shell
+bin/rake reek:update
+```
+
 ## Environment Variables for Local Development
 
 Below are the primary environment variables recognized by stone_checksums (and its integrated tools). Unless otherwise noted, set boolean values to the string "true" to enable.
@@ -78,11 +102,32 @@ Git hooks and commit message helpers (exe/kettle-commit-msg)
 - GIT_HOOK_FOOTER_SENTINEL: Required when footer append is enabled — a unique first-line sentinel to prevent duplicates
 - GIT_HOOK_FOOTER_APPEND_DEBUG: Extra debug output in the footer template (true/false)
 
+Git diff driver setup
+- Local setup writes repository `.gitattributes` entries and local Git `diff.smorg-*` command config so this checkout uses StructuredMerge semantic diffs.
+- Global setup registers `diff.smorg-*` commands once in the user Git config; use it when you work across several StructuredMerge-enabled repositories.
+- Include-file setup writes `.git/smorg/config` and includes it from local Git config, keeping command registrations out of the repository files.
+- Git hosting forges generally ignore external diff drivers, so pull request views may still show raw textual diffs even when local `git diff` uses semantic drivers.
+
+```console
+K_JEM_TEMPLATING=true bundle exec kettle-jem install
+```
+
+Troubleshooting Git diffs
+- Use `git diff --no-ext-diff` to compare against Git's built-in diff output.
+- Use `git diff --no-textconv` when a textconv projection obscures the raw file bytes you need to inspect.
+- If Git reports a missing `smorg-*` executable, rerun `bundle install` and the setup command above, then check `git config --local --get-regexp '^diff\.smorg-'`.
+- To remove managed local entries, run `K_JEM_TEMPLATING=true bundle exec kettle-jem install --undo`; remove global command registrations with `git config --global --unset-all diff.smorg-ruby.command`.
+
 For a quick starting point, this repository’s `mise.toml` defines the shared defaults, and `.env.local` can override them locally. Copy `.env.local.example` to `.env.local`, use `KEY=value` lines, and either activate `mise` in your shell or run commands through `mise exec -C /path/to/project -- ...`.
 
 ## Appraisals
 
 From time to time the [appraisal2][🚎appraisal2] gemfiles in `gemfiles/` will need to be updated.
+Generated appraisal and CI workflow floors are controlled by `ruby.test_minimum`
+in `.structuredmerge/kettle-jem.yml`; this project was templated with `ruby.test_minimum: 2.4`.
+That value describes the lowest Ruby version expected to run the test/development
+toolchain, and it may be higher than the gemspec runtime floor.
+
 They are created and updated with the commands:
 
 ```console
@@ -97,22 +142,20 @@ bin/rake appraisal:reset
 
 When adding an appraisal to CI, check the [runner tool cache][🏃‍♂️runner-tool-cache] to see which runner to use.
 
-## The Reek List
-
-Take a look at the `reek` list which is the file called `REEK` and find something to improve.
+## Run Tests
 
-To refresh the `reek` list:
+Run tests via `kettle-test` (provided by `kettle-test`). It runs RSpec, writes the full log to
+`tmp/kettle-test/rspec-TIMESTAMP.log`, and prints a compact highlight block with timing, seed,
+pass/fail count, failing example list, and SimpleCov coverage percentages.
 
 ```console
-bundle exec reek > REEK
+bundle exec kettle-test
 ```
 
-## Run Tests
-
-To run all tests
+For targeted runs, disable the hard coverage threshold to avoid false failures:
 
 ```console
-bundle exec rake test
+K_SOUP_COV_MIN_HARD=false bundle exec kettle-test spec/path/to/spec.rb
 ```
 
 ### Spec organization (required)
@@ -183,33 +226,34 @@ NOTE: To build without signing the gem set `SKIP_GEM_SIGNING` to any value in th
 1. Run `bin/setup && bin/rake` as a "test, coverage, & linting" sanity check
 2. Update the version number in `version.rb`, and ensure `CHANGELOG.md` reflects changes
 3. Run `bin/setup && bin/rake` again as a secondary check, and to update `Gemfile.lock`
-4. Run `git commit -am "🔖 Prepare release v<VERSION>"` to commit the changes
-5. Run `git push` to trigger the final CI pipeline before release, and merge PRs
+4. Run `bin/rake yard` to regenerate the docs site using the canonical docs task
+5. Run `git commit -am "🔖 Prepare release v<VERSION>"` to commit the changes
+6. Run `git push` to trigger the final CI pipeline before release, and merge PRs
     - NOTE: Remember to [check the build][🧪build].
-6. Run `export GIT_TRUNK_BRANCH_NAME="$(git remote show origin | grep 'HEAD branch' | cut -d ' ' -f5)" && echo $GIT_TRUNK_BRANCH_NAME`
-7. Run `git checkout $GIT_TRUNK_BRANCH_NAME`
-8. Run `git pull origin $GIT_TRUNK_BRANCH_NAME` to ensure latest trunk code
-9. Optional for older Bundler (< 2.7.0): Set `SOURCE_DATE_EPOCH` so `rake build` and `rake release` use the same timestamp and generate the same checksums
+7. Run `export GIT_TRUNK_BRANCH_NAME="$(git remote show origin | grep 'HEAD branch' | cut -d ' ' -f5)" && echo $GIT_TRUNK_BRANCH_NAME`
+8. Run `git checkout $GIT_TRUNK_BRANCH_NAME`
+9. Run `git pull origin $GIT_TRUNK_BRANCH_NAME` to ensure latest trunk code
+10. Optional for older Bundler (< 2.7.0): Set `SOURCE_DATE_EPOCH` so `rake build` and `rake release` use the same timestamp and generate the same checksums
     - If your Bundler is >= 2.7.0, you can skip this; builds are reproducible by default.
     - Run `export SOURCE_DATE_EPOCH=$EPOCHSECONDS && echo $SOURCE_DATE_EPOCH`
     - If the echo above has no output, then it didn't work.
     - Note: `zsh/datetime` module is needed, if running `zsh`.
     - In older versions of `bash` you can use `date +%s` instead, i.e. `export SOURCE_DATE_EPOCH=$(date +%s) && echo $SOURCE_DATE_EPOCH`
-10. Run `bundle exec rake build`
-11. Run `bin/gem_checksums` (more context [1][🔒️rubygems-checksums-pr], [2][🔒️rubygems-guides-pr])
+11. Run `bundle exec rake build`
+12. Run `bin/gem_checksums` (more context [1][🔒️rubygems-checksums-pr], [2][🔒️rubygems-guides-pr])
     to create SHA-256 and SHA-512 checksums. This functionality is provided by the `stone_checksums`
     [gem][💎stone_checksums].
     - The script automatically commits but does not push the checksums
-12. Sanity check the SHA256, comparing with the output from the `bin/gem_checksums` command:
+13. Sanity check the SHA256, comparing with the output from the `bin/gem_checksums` command:
     - `sha256sum pkg/<gem name>-<version>.gem`
-13. Run `bundle exec rake release` which will create a git tag for the version,
+14. Run `bundle exec rake release` which will create a git tag for the version,
     push git commits and tags, and push the `.gem` file to the gem host configured in the gemspec.
 
-[📜src-gl]: https://gitlab.com/ruby-oauth/auth-sanitizer/
+[📜src-gl]: https://gitlab.com/ruby-oauth/auth-sanitizer
 [📜src-cb]: https://codeberg.org/ruby-oauth/auth-sanitizer
 [📜src-gh]: https://github.com/ruby-oauth/auth-sanitizer
 [🧪build]: https://github.com/ruby-oauth/auth-sanitizer/actions
-[🤝conduct]: https://gitlab.com/ruby-oauth/auth-sanitizer/-/blob/main/CODE_OF_CONDUCT.md
+[🤝conduct]: https://github.com/ruby-oauth/auth-sanitizer/blob/main/CODE_OF_CONDUCT.md
 [🖐contrib-rocks]: https://contrib.rocks
 [🖐contributors]: https://github.com/ruby-oauth/auth-sanitizer/graphs/contributors
 [🚎contributors-gl]: https://gitlab.com/ruby-oauth/auth-sanitizer/-/graphs/main
@@ -225,3 +269,4 @@ NOTE: To build without signing the gem set `SKIP_GEM_SIGNING` to any value in th
 [📌major-versions-not-sacred]: https://tom.preston-werner.com/2022/05/23/major-version-numbers-are-not-sacred.html
 [🚎appraisal2]: https://github.com/appraisal-rb/appraisal2
 [🏃‍♂️runner-tool-cache]: https://github.com/ruby/ruby-builder/releases/tag/toolcache
+[✉️discord-invite]: https://discord.gg/3qme4XHNKN

data/LICENSE.md

@@ -0,0 +1,10 @@
+# License
+
+This project is made available under the following license.
+Choose the option that best fits your use case:
+
+- [MIT](MIT.md)
+
+## Copyright Notice
+
+Copyright (c) 2026 Peter H. Boling

data/README.md

@@ -1,17 +1,10 @@
-[![Galtzo FLOSS Logo by Aboling0, CC BY-SA 4.0][🖼️galtzo-i]][🖼️galtzo-discord] [![ruby-lang Logo, Yukihiro Matsumoto, Ruby Visual Identity Team, CC BY-SA 2.5][🖼️ruby-lang-i]][🖼️ruby-lang] [![oauth2 Logo by Chris Messina, CC BY-SA 3.0][🖼️oauth2-i]][🖼️oauth2]
+<a href="https://github.com/ruby-oauth"><img alt="ruby-oauth Logo by Aboling0, CC BY-SA 4.0" src="https://logos.galtzo.com/assets/images/ruby-oauth/avatar-128px.svg" width="14%" align="right"/></a>
 
-[🖼️galtzo-i]: https://logos.galtzo.com/assets/images/galtzo-floss/avatar-192px.svg
-[🖼️galtzo-discord]: https://discord.gg/3qme4XHNKN
-[🖼️ruby-lang-i]: https://logos.galtzo.com/assets/images/ruby-lang/avatar-192px.svg
-[🖼️ruby-lang]: https://www.ruby-lang.org/
-[🖼️oauth2-i]: https://logos.galtzo.com/assets/images/oauth/oauth2/avatar-192px.svg
-[🖼️oauth2]: https://github.com/ruby-oauth/oauth2
+# 💎 Auth::Sanitizer
 
-# 🟥 Auth::Sanitizer
+[![Version][👽versioni]][👽version] [![GitHub tag (latest SemVer)][⛳️tag-img]][⛳️tag] [![License: MIT][📄license-img]][📄license] [![Downloads Rank][👽dl-ranki]][👽dl-rank] [![CodeCov Test Coverage][🏀codecovi]][🏀codecov] [![Coveralls Test Coverage][🏀coveralls-img]][🏀coveralls] [![QLTY Test Coverage][🏀qlty-covi]][🏀qlty-cov] [![QLTY Maintainability][🏀qlty-mnti]][🏀qlty-mnt] [![CI Heads][🚎3-hd-wfi]][🚎3-hd-wf] [![CI Runtime Dependencies @ HEAD][🚎12-crh-wfi]][🚎12-crh-wf] [![CI Current][🚎11-c-wfi]][🚎11-c-wf] [![CI Truffle Ruby][🚎9-t-wfi]][🚎9-t-wf] [![CI JRuby][🚎10-j-wfi]][🚎10-j-wf] [![Deps Locked][🚎13-🔒️-wfi]][🚎13-🔒️-wf] [![Deps Unlocked][🚎14-🔓️-wfi]][🚎14-🔓️-wf] [![CI Test Coverage][🚎2-cov-wfi]][🚎2-cov-wf] [![CI Style][🚎5-st-wfi]][🚎5-st-wf] [![Apache SkyWalking Eyes License Compatibility Check][🚎15-🪪-wfi]][🚎15-🪪-wf]
 
-[![Version][👽versioni]][👽version] [![GitHub tag (latest SemVer)][⛳️tag-img]][⛳️tag] [![License: MIT][📄license-img]][📄license-ref] [![Downloads Rank][👽dl-ranki]][👽dl-rank] [![CodeCov Test Coverage][🏀codecovi]][🏀codecov] [![Coveralls Test Coverage][🏀coveralls-img]][🏀coveralls] [![QLTY Test Coverage][🏀qlty-covi]][🏀qlty-cov] [![QLTY Maintainability][🏀qlty-mnti]][🏀qlty-mnt] [![CI Heads][🚎3-hd-wfi]][🚎3-hd-wf] [![CI Runtime Dependencies @ HEAD][🚎12-crh-wfi]][🚎12-crh-wf] [![CI Current][🚎11-c-wfi]][🚎11-c-wf] [![CI Truffle Ruby][🚎9-t-wfi]][🚎9-t-wf] [![CI JRuby][🚎10-j-wfi]][🚎10-j-wf] [![Deps Locked][🚎13-🔒️-wfi]][🚎13-🔒️-wf] [![Deps Unlocked][🚎14-🔓️-wfi]][🚎14-🔓️-wf] [![CI Test Coverage][🚎2-cov-wfi]][🚎2-cov-wf] [![CI Style][🚎5-st-wfi]][🚎5-st-wf] [![CodeQL][🖐codeQL-img]][🖐codeQL] [![Apache SkyWalking Eyes License Compatibility Check][🚎15-🪪-wfi]][🚎15-🪪-wf]
-
-`if ci_badges.map(&:color).detect { it != "green"}` ☝️ [let me know][🖼️galtzo-discord], as I may have missed the [discord notification][🖼️galtzo-discord].
+`if ci_badges.map(&:color).detect { it != "green"}` ☝️ [let me know][✉️discord-invite], as I may have missed the [discord notification][✉️discord-invite].
 
 ---
 
@@ -20,13 +13,13 @@
 [![OpenCollective Backers][🖇osc-backers-i]][🖇osc-backers] [![OpenCollective Sponsors][🖇osc-sponsors-i]][🖇osc-sponsors] [![Sponsor Me on Github][🖇sponsor-img]][🖇sponsor] [![Liberapay Goal Progress][⛳liberapay-img]][⛳liberapay] [![Donate on PayPal][🖇paypal-img]][🖇paypal] [![Buy me a coffee][🖇buyme-small-img]][🖇buyme] [![Donate on Polar][🖇polar-img]][🖇polar] [![Donate at ko-fi.com][🖇kofi-img]][🖇kofi]
 
 <details>
-    <summary>👣 How will this project approach the September 2025 hostile takeover of RubyGems? 🚑️</summary>
+ <summary>👣 How will this project approach the September 2025 hostile takeover of RubyGems? 🚑️</summary>
 
 I've summarized my thoughts in [this blog post](https://dev.to/galtzo/hostile-takeover-of-rubygems-my-thoughts-5hlo).
 
 </details>
 
-## 🌻 Synopsis
+## 🌻 Synopsis <a href="https://discord.gg/3qme4XHNKN"><img alt="Galtzo FLOSS Logo by Aboling0, CC BY-SA 4.0" src="https://logos.galtzo.com/assets/images/galtzo-floss/avatar-128px.svg" width="8%" align="right"/></a> <a href="https://ruby-toolbox.com"><img alt="ruby-lang Logo, Yukihiro Matsumoto, Ruby Visual Identity Team, CC BY-SA 2.5" src="https://logos.galtzo.com/assets/images/ruby-lang/avatar-128px.svg" width="8%" align="right"/></a>
 
 `auth-sanitizer` provides small, dependency-light helpers for keeping OAuth and authentication secrets out of object
 inspection and log output.
@@ -34,7 +27,7 @@ inspection and log output.
 The gem is intentionally narrow in scope. It does not change HTTP requests, token objects, persistence, or application
 configuration for you. Instead, it gives host gems and applications two reusable redaction surfaces:
 
-- `Auth::Sanitizer::FilteredAttributes` redacts selected instance variables from `#inspect`.
+- `Auth::Sanitizer::FilteredAttributes` redacts selected attributes from standard Ruby `#inspect` output.
 - `Auth::Sanitizer::SanitizedLogger` wraps an existing logger and redacts sensitive values from string log messages.
 
 Out of the box, logger sanitization filters the key names most commonly found in OAuth and OpenID Connect debug output:
@@ -79,40 +72,44 @@ This gem is used by the following libraries to ensure clean output:
 
 ## 💡 Info you can shake a stick at
 
-| Tokens to Remember      | [![Gem name][⛳️name-img]][⛳️gem-name] [![Gem namespace][⛳️namespace-img]][⛳️gem-namespace]                                                                                                                                                                                                                                                                          |
+| Tokens to Remember | [![Gem name][⛳️name-img]][⛳️gem-name] [![Gem namespace][⛳️namespace-img]][⛳️gem-namespace] |
 |-------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Works with JRuby        | [![JRuby 9.3 Compat][💎jruby-9.3i]][🚎jruby-9.3-wf] <br/> [![JRuby 9.4 Compat][💎jruby-9.4i]][🚎jruby-9.4-wf] [![JRuby current Compat][💎jruby-c-i]][🚎10-j-wf] [![JRuby HEAD Compat][💎jruby-headi]][🚎3-hd-wf]|
+| Works with JRuby | [![JRuby 9.2 Compat][💎jruby-9.2i]][🚎jruby-9.2-wf] [![JRuby 9.3 Compat][💎jruby-9.3i]][🚎jruby-9.3-wf] <br/> [![JRuby 9.4 Compat][💎jruby-9.4i]][🚎jruby-9.4-wf] [![JRuby current Compat][💎jruby-c-i]][🚎10-j-wf] [![JRuby HEAD Compat][💎jruby-headi]][🚎3-hd-wf]|
 | Works with Truffle Ruby | [![Truffle Ruby 22.3 Compat][💎truby-22.3i]][🚎truby-22.3-wf] [![Truffle Ruby 23.0 Compat][💎truby-23.0i]][🚎truby-23.0-wf] [![Truffle Ruby 23.1 Compat][💎truby-23.1i]][🚎truby-23.1-wf] <br/> [![Truffle Ruby 24.2 Compat][💎truby-24.2i]][🚎truby-24.2-wf] [![Truffle Ruby 25.0 Compat][💎truby-25.0i]][🚎truby-25.0-wf] [![Truffle Ruby current Compat][💎truby-c-i]][🚎9-t-wf]|
-| Works with MRI Ruby 4   | [![Ruby 4.0 Compat][💎ruby-4.0i]][🚎11-c-wf] [![Ruby current Compat][💎ruby-c-i]][🚎11-c-wf] [![Ruby HEAD Compat][💎ruby-headi]][🚎3-hd-wf]|
-| Works with MRI Ruby 3   | [![Ruby 3.0 Compat][💎ruby-3.0i]][🚎ruby-3.0-wf] [![Ruby 3.1 Compat][💎ruby-3.1i]][🚎ruby-3.1-wf] [![Ruby 3.2 Compat][💎ruby-3.2i]][🚎ruby-3.2-wf] [![Ruby 3.3 Compat][💎ruby-3.3i]][🚎ruby-3.3-wf] [![Ruby 3.4 Compat][💎ruby-3.4i]][🚎ruby-3.4-wf]|
-| Works with MRI Ruby 2   | ![Ruby 2.2 Compat][💎ruby-2.2i] <br/> [![Ruby 2.3 Compat][💎ruby-2.3i]][🚎ruby-2.3-wf] [![Ruby 2.4 Compat][💎ruby-2.4i]][🚎ruby-2.4-wf] [![Ruby 2.5 Compat][💎ruby-2.5i]][🚎ruby-2.5-wf] [![Ruby 2.6 Compat][💎ruby-2.6i]][🚎ruby-2.6-wf] [![Ruby 2.7 Compat][💎ruby-2.7i]][🚎ruby-2.7-wf]|
-| Support & Community     | [![Join Me on Daily.dev's RubyFriends][✉️ruby-friends-img]][✉️ruby-friends] [![Live Chat on Discord][✉️discord-invite-img-ftb]][✉️discord-invite] [![Get help from me on Upwork][👨🏼‍🏫expsup-upwork-img]][👨🏼‍🏫expsup-upwork] [![Get help from me on Codementor][👨🏼‍🏫expsup-codementor-img]][👨🏼‍🏫expsup-codementor]                                       |
-| Source                  | [![Source on GitLab.com][📜src-gl-img]][📜src-gl] [![Source on CodeBerg.org][📜src-cb-img]][📜src-cb] [![Source on Github.com][📜src-gh-img]][📜src-gh] [![The best SHA: dQw4w9WgXcQ!][🧮kloc-img]][🧮kloc]                                                                                                                                                         |
-| Documentation           | [![Current release on RubyDoc.info][📜docs-cr-rd-img]][🚎yard-current] [![YARD on Galtzo.com][📜docs-head-rd-img]][🚎yard-head] [![Maintainer Blog][🚂maint-blog-img]][🚂maint-blog] [![GitLab Wiki][📜gl-wiki-img]][📜gl-wiki] [![GitHub Wiki][📜gh-wiki-img]][📜gh-wiki]                                                                                          |
-| Compliance              | [![License: MIT][📄license-img]][📄license-ref] [![Compatible with Apache Software Projects: Verified by SkyWalking Eyes][📄license-compat-img]][📄license-compat] [![📄ilo-declaration-img]][📄ilo-declaration] [![Security Policy][🔐security-img]][🔐security] [![Contributor Covenant 2.1][🪇conduct-img]][🪇conduct] [![SemVer 2.0.0][📌semver-img]][📌semver] |
-| Style                   | [![Enforced Code Style Linter][💎rlts-img]][💎rlts] [![Keep-A-Changelog 1.0.0][📗keep-changelog-img]][📗keep-changelog] [![Gitmoji Commits][📌gitmoji-img]][📌gitmoji] [![Compatibility appraised by: appraisal2][💎appraisal2-img]][💎appraisal2]                                                                                                                  |
-| Maintainer 🎖️          | [![Follow Me on LinkedIn][💖🖇linkedin-img]][💖🖇linkedin] [![Follow Me on Ruby.Social][💖🐘ruby-mast-img]][💖🐘ruby-mast] [![Follow Me on Bluesky][💖🦋bluesky-img]][💖🦋bluesky] [![Contact Maintainer][🚂maint-contact-img]][🚂maint-contact] [![My technical writing][💖💁🏼‍♂️devto-img]][💖💁🏼‍♂️devto]                                                      |
-| `...` 💖                | [![Find Me on WellFound:][💖✌️wellfound-img]][💖✌️wellfound] [![Find Me on CrunchBase][💖💲crunchbase-img]][💖💲crunchbase] [![My LinkTree][💖🌳linktree-img]][💖🌳linktree] [![More About Me][💖💁🏼‍♂️aboutme-img]][💖💁🏼‍♂️aboutme] [🧊][💖🧊berg] [🐙][💖🐙hub]  [🛖][💖🛖hut] [🧪][💖🧪lab]                                                                   |
+| Works with MRI Ruby 4 | [![Ruby 4.0 Compat][💎ruby-4.0i]][🚎11-c-wf] [![Ruby current Compat][💎ruby-c-i]][🚎11-c-wf] [![Ruby HEAD Compat][💎ruby-headi]][🚎3-hd-wf]|
+| Works with MRI Ruby 3 | [![Ruby 3.0 Compat][💎ruby-3.0i]][🚎ruby-3.0-wf] [![Ruby 3.1 Compat][💎ruby-3.1i]][🚎ruby-3.1-wf] [![Ruby 3.2 Compat][💎ruby-3.2i]][🚎ruby-3.2-wf] [![Ruby 3.3 Compat][💎ruby-3.3i]][🚎ruby-3.3-wf] [![Ruby 3.4 Compat][💎ruby-3.4i]][🚎ruby-3.4-wf]|
+| Works with MRI Ruby 2 | ![Ruby 2.2 Compat][💎ruby-2.2i] <br/> [![Ruby 2.4 Compat][💎ruby-2.4i]][🚎ruby-2.4-wf] [![Ruby 2.5 Compat][💎ruby-2.5i]][🚎ruby-2.5-wf] [![Ruby 2.6 Compat][💎ruby-2.6i]][🚎ruby-2.6-wf] [![Ruby 2.7 Compat][💎ruby-2.7i]][🚎ruby-2.7-wf]|
+| Support & Community | [![Join Me on Daily.dev's RubyFriends][✉️ruby-friends-img]][✉️ruby-friends] [![Live Chat on Discord][✉️discord-invite-img-ftb]][✉️discord-invite] [![Get help from me on Upwork][👨🏼‍🏫expsup-upwork-img]][👨🏼‍🏫expsup-upwork] [![Get help from me on Codementor][👨🏼‍🏫expsup-codementor-img]][👨🏼‍🏫expsup-codementor] |
+| Source | [![Source on GitLab.com][📜src-gl-img]][📜src-gl] [![Source on CodeBerg.org][📜src-cb-img]][📜src-cb] [![Source on Github.com][📜src-gh-img]][📜src-gh] [![The best SHA: dQw4w9WgXcQ!][🧮kloc-img]][🧮kloc] |
+| Documentation | [![Current release on RubyDoc.info][📜docs-cr-rd-img]][🚎yard-current] [![YARD on Galtzo.com][📜docs-head-rd-img]][🚎yard-head] [![Maintainer Blog][🚂maint-blog-img]][🚂maint-blog] [![GitLab Wiki][📜gl-wiki-img]][📜gl-wiki] [![GitHub Wiki][📜gh-wiki-img]][📜gh-wiki] |
+| Compliance | [![License: MIT][📄license-img]][📄license] [![Apache license compatibility: Category A][📄license-compat-img]][📄license-compat] [![📄ilo-declaration-img]][📄ilo-declaration] [![Security Policy][🔐security-img]][🔐security] [![Contributor Covenant 2.1][🪇conduct-img]][🪇conduct] [![SemVer 2.0.0][📌semver-img]][📌semver] |
+| Style | [![Enforced Code Style Linter][💎rlts-img]][💎rlts] [![Keep-A-Changelog 1.0.0][📗keep-changelog-img]][📗keep-changelog] [![Gitmoji Commits][📌gitmoji-img]][📌gitmoji] [![Compatibility appraised by: appraisal2][💎appraisal2-img]][💎appraisal2] |
+| Maintainer 🎖️ | [![Follow Me on LinkedIn][💖🖇linkedin-img]][💖🖇linkedin] [![Follow Me on Ruby.Social][💖🐘ruby-mast-img]][💖🐘ruby-mast] [![Follow Me on Bluesky][💖🦋bluesky-img]][💖🦋bluesky] [![Contact Maintainer][🚂maint-contact-img]][🚂maint-contact] [![My technical writing][💖💁🏼‍♂️devto-img]][💖💁🏼‍♂️devto] |
+| `...` 💖 | [![Find Me on WellFound:][💖✌️wellfound-img]][💖✌️wellfound] [![Find Me on CrunchBase][💖💲crunchbase-img]][💖💲crunchbase] [![My LinkTree][💖🌳linktree-img]][💖🌳linktree] [![More About Me][💖💁🏼‍♂️aboutme-img]][💖💁🏼‍♂️aboutme] [🧊][💖🧊berg] [🐙][💖🐙hub] [🛖][💖🛖hut] [🧪][💖🧪lab] |
 
 ### Compatibility
 
 Compatible with MRI Ruby 2.2.0+, and concordant releases of JRuby, and TruffleRuby.
+CI workflows and Appraisals are generated for MRI Ruby 2.4+.
+This test floor is configured by `ruby.test_minimum` in `.kettle-jem.yml` and
+may be higher than the gem's runtime compatibility floor when legacy Rubies are
+not practical for the current toolchain.
 
-| 🚚 _Amazing_ test matrix was brought to you by | 🔎 appraisal2 🔎 and the color 💚 green 💚             |
+| 🚚 _Amazing_ test matrix was brought to you by | 🔎 appraisal2 🔎 and the color 💚 green 💚 |
 |------------------------------------------------|--------------------------------------------------------|
-| 👟 Check it out!                               | ✨ [github.com/appraisal-rb/appraisal2][💎appraisal2] ✨ |
+| 👟 Check it out! | ✨ [github.com/appraisal-rb/appraisal2][💎appraisal2] ✨ |
 
 ### Federated DVCS
 
 <details markdown="1">
-  <summary>Find this repo on federated forges (Coming soon!)</summary>
+ <summary>Find this repo on federated forges (Coming soon!)</summary>
 
-| Federated [DVCS][💎d-in-dvcs] Repository        | Status                                                                | Issues                    | PRs                      | Wiki                      | CI                       | Discussions                  |
+| Federated [DVCS][💎d-in-dvcs] Repository | Status | Issues | PRs | Wiki | CI | Discussions |
 |-------------------------------------------------|-----------------------------------------------------------------------|---------------------------|--------------------------|---------------------------|--------------------------|------------------------------|
-| 🧪 [ruby-oauth/auth-sanitizer on GitLab][📜src-gl]   | The Truth                                                             | [💚][🤝gl-issues]         | [💚][🤝gl-pulls]         | [💚][📜gl-wiki]           | 🐭 Tiny Matrix           | ➖                            |
-| 🧊 [ruby-oauth/auth-sanitizer on CodeBerg][📜src-cb] | An Ethical Mirror ([Donate][🤝cb-donate])                             | [💚][🤝cb-issues]         | [💚][🤝cb-pulls]         | ➖                         | ⭕️ No Matrix             | ➖                            |
-| 🐙 [ruby-oauth/auth-sanitizer on GitHub][📜src-gh]   | Another Mirror                                                        | [💚][🤝gh-issues]         | [💚][🤝gh-pulls]         | [💚][📜gh-wiki]           | 💯 Full Matrix           | [💚][gh-discussions]         |
-| 🎮️ [Discord Server][✉️discord-invite]          | [![Live Chat on Discord][✉️discord-invite-img-ftb]][✉️discord-invite] | [Let's][✉️discord-invite] | [talk][✉️discord-invite] | [about][✉️discord-invite] | [this][✉️discord-invite] | [library!][✉️discord-invite] |
+| 🧪 [ruby-oauth/auth-sanitizer on GitLab][📜src-gl] | The Truth | [💚][🤝gl-issues] | [💚][🤝gl-pulls] | [💚][📜gl-wiki] | 🐭 Tiny Matrix | ➖ |
+| 🧊 [ruby-oauth/auth-sanitizer on CodeBerg][📜src-cb] | An Ethical Mirror ([Donate][🤝cb-donate]) | [💚][🤝cb-issues] | [💚][🤝cb-pulls] | ➖ | ⭕️ No Matrix | ➖ |
+| 🐙 [ruby-oauth/auth-sanitizer on GitHub][📜src-gh] | Another Mirror | [💚][🤝gh-issues] | [💚][🤝gh-pulls] | [💚][📜gh-wiki] | 💯 Full Matrix | [💚][gh-discussions] |
+| 🎮️ [Discord Server][✉️discord-invite] | [![Live Chat on Discord][✉️discord-invite-img-ftb]][✉️discord-invite] | [Let's][✉️discord-invite] | [talk][✉️discord-invite] | [about][✉️discord-invite] | [this][✉️discord-invite] | [library!][✉️discord-invite] |
 
 </details>
 
@@ -123,7 +120,7 @@ Compatible with MRI Ruby 2.2.0+, and concordant releases of JRuby, and TruffleRu
 Available as part of the Tidelift Subscription.
 
 <details markdown="1">
-  <summary>Need enterprise-level guarantees?</summary>
+ <summary>Need enterprise-level guarantees?</summary>
 
 The maintainers of this and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source packages you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact packages you use.
 
@@ -155,41 +152,6 @@ If bundler is not being used to manage dependencies, install the gem by executin
 gem install auth-sanitizer
 ```
 
-### 🔒 Secure Installation
-
-<details markdown="1">
-  <summary>For Medium or High Security Installations</summary>
-
-This gem is cryptographically signed and has verifiable [SHA-256 and SHA-512][💎SHA_checksums] checksums by
-[stone_checksums][💎stone_checksums]. Be sure the gem you install hasn’t been tampered with
-by following the instructions below.
-
-Add my public key (if you haven’t already; key expires 2045-04-29) as a trusted certificate:
-
-```console
-gem cert --add <(curl -Ls https://raw.github.com/galtzo-floss/certs/main/pboling.pem)
-```
-
-You only need to do that once.  Then proceed to install with:
-
-```console
-gem install auth-sanitizer -P HighSecurity
-```
-
-The `HighSecurity` trust profile will verify signed gems, and not allow the installation of unsigned dependencies.
-
-If you want to up your security game full-time:
-
-```console
-bundle config set --global trust-policy MediumSecurity
-```
-
-`MediumSecurity` instead of `HighSecurity` is necessary if not all the gems you use are signed.
-
-NOTE: Be prepared to track down certs for signed gems and add them the same way you added mine.
-
-</details>
-
 ## ⚙️ Configuration
 
 Most applications can use the defaults. Configuration is available when a host gem or application wants to align
@@ -255,7 +217,7 @@ unless auth_sanitizer_spec && auth_sanitizer_requirement.satisfied_by?(auth_sani
 end
 auth_sanitizer_loader_path = File.join(
   auth_sanitizer_spec.full_gem_path,
-  "lib/auth_sanitizer/loader.rb",
+  "lib/auth_sanitizer/loader.rb"
 )
 unless File.file?(auth_sanitizer_loader_path)
   raise LoadError, "auth-sanitizer #{auth_sanitizer_requirement} loader not found at #{auth_sanitizer_loader_path}"
@@ -287,7 +249,7 @@ unless auth_sanitizer_spec && auth_sanitizer_requirement.satisfied_by?(auth_sani
 end
 auth_sanitizer_loader_path = File.join(
   auth_sanitizer_spec.full_gem_path,
-  "lib/auth_sanitizer/loader.rb",
+  "lib/auth_sanitizer/loader.rb"
 )
 unless File.file?(auth_sanitizer_loader_path)
   raise LoadError, "auth-sanitizer #{auth_sanitizer_requirement} loader not found at #{auth_sanitizer_loader_path}"
@@ -297,7 +259,7 @@ auth_sanitizer_loader_namespace = Module.new
 auth_sanitizer_loader_namespace.module_eval(
   File.read(auth_sanitizer_loader_path),
   auth_sanitizer_loader_path,
-  1,
+  1
 )
 
 AUTH_SANITIZER = auth_sanitizer_loader_namespace
@@ -353,7 +315,7 @@ logger = Auth::Sanitizer::SanitizedLogger.new(
     api_key
     private_key
     session_secret
-  ],
+  ]
 )
 ```
 
@@ -363,7 +325,7 @@ You can also replace the list entirely:
 logger = Auth::Sanitizer::SanitizedLogger.new(
   Logger.new($stdout),
   filtered_keys: %w[my_secret],
-  label: "[GONE]",
+  label: "[GONE]"
 )
 ```
 
@@ -395,8 +357,43 @@ class OAuthCredential
 end
 ```
 
-Declared names are matched against instance variable names. For example, `filtered_attributes :access_token` redacts
-`@access_token` in `#inspect`.
+`FilteredAttributes#inspect` delegates to `super.inspect` first, then redacts only narrow, standard Ruby inspect
+fragments for configured names. This preserves host object inspect behavior instead of rebuilding the object's output.
+
+For example, `filtered_attributes :access_token` redacts `@access_token="..."` in normal object inspect output:
+
+```ruby
+OAuthCredential.new("secret", Time.now).inspect
+# => #<OAuthCredential:0x... @access_token=[FILTERED], @expires_at=2026-06-04 08:00:00 -0600>
+```
+
+Configured names are also redacted when they appear as string-valued keys inside standard Ruby hash inspect fragments,
+which is useful for adapter models that store attributes in an internal hash:
+
+```ruby
+class IdentityRecord
+  include Auth::Sanitizer::FilteredAttributes
+
+  filtered_attributes :password_digest
+
+  def initialize(identity_data)
+    @identity_data = identity_data
+  end
+end
+
+IdentityRecord.new({id: 1, password_digest: "$2a$secret"}).inspect
+# => #<IdentityRecord:0x... @identity_data={id: 1, password_digest: [FILTERED]}>
+```
+
+The inspect redactor intentionally leaves unsupported or highly customized inspect formats unchanged. It only replaces
+quoted string values in these standard shapes:
+
+- `@name="value"`
+- `{name: "value"}`
+- `{:name => "value"}`
+- `{"name" => "value"}`
+
+This conservative behavior avoids breaking host models whose `inspect` output has application-specific formatting.
 
 Calling `filtered_attributes` again replaces the class-level list:
 
@@ -461,15 +458,16 @@ end
 response = TokenResponse.new(
   access_token: "access-token-value",
   refresh_token: "refresh-token-value",
-  scope: "profile email",
+  scope: "profile email"
 )
 
 response.inspect
-# => #<TokenResponse:123456 @access_token=[FILTERED], @refresh_token=[FILTERED], @scope="profile email">
+# => #<TokenResponse:0x... @access_token=[FILTERED], @refresh_token=[FILTERED], @scope="profile email">
 ```
 
 Only the configured attributes are redacted. Other instance variables remain visible so inspected objects are still
-useful while debugging.
+useful while debugging. Inspect filtering is conservative: unsupported custom formats are left unchanged rather than
+risking a malformed `inspect` result.
 
 ### Redact Logger Output
 
@@ -524,7 +522,7 @@ Use `filtered_keys:` for application-specific secrets:
 logger = Auth::Sanitizer::SanitizedLogger.new(
   Logger.new($stdout),
   filtered_keys: %w[access_token api_key signing_secret],
-  label: "[SECRET]",
+  label: "[SECRET]"
 )
 
 logger.debug("api_key=12345&access_token=abc123")
@@ -553,8 +551,8 @@ While ruby-oauth tools are free software and will always be, the project would b
 Raising a monthly budget of... "dollars" would make the project more sustainable.
 
 We welcome both individual and corporate sponsors! We also offer a
-wide array of funding channels to account for your preferences
-(although currently [Open Collective][🖇osc] is our preferred funding platform).
+wide array of funding channels to account for your preferences.
+Currently, [Open Collective][🖇osc] is our preferred funding platform.
 
 **If you're working in a company that's making significant use of ruby-oauth tools we'd
 appreciate it if you suggest to your company to become a ruby-oauth sponsor.**
@@ -566,7 +564,7 @@ You can support the development of ruby-oauth tools via
 [Open Collective][🖇osc]
 and [Tidelift][🏙️entsup-tidelift].
 
-| 📍 NOTE                                                                                                                                                                                                              |
+| 📍 NOTE |
 |----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | If doing a sponsorship in the form of donation is problematic for your company <br/> from an accounting standpoint, we'd recommend the use of Tidelift, <br/> where you can get a support-like subscription instead. |
 
@@ -594,7 +592,7 @@ No sponsors yet. Be the first!
 
 ### Another way to support open-source
 
-I’m driven by a passion to foster a thriving open-source community – a space where people can tackle complex problems, no matter how small.  Revitalizing libraries that have fallen into disrepair, and building new libraries focused on solving real-world challenges, are my passions.  I was recently affected by layoffs, and the tech jobs market is unwelcoming. I’m reaching out here because your support would significantly aid my efforts to provide for my family, and my farm (11 🐔 chickens, 2 🐶 dogs, 3 🐰 rabbits, 8 🐈‍ cats).
+I’m driven by a passion to foster a thriving open-source community – a space where people can tackle complex problems, no matter how small. Revitalizing libraries that have fallen into disrepair, and building new libraries focused on solving real-world challenges, are my passions. I was recently affected by layoffs, and the tech jobs market is unwelcoming. I’m reaching out here because your support would significantly aid my efforts to provide for my family, and my farm (11 🐔 chickens, 2 🐶 dogs, 3 🐰 rabbits, 8 🐈‍ cats).
 
 If you work at a company that uses my work, please encourage them to support me as a corporate sponsor. My work on gems you use might show up in `bundle fund`.
 
@@ -611,7 +609,7 @@ See [SECURITY.md][🔐security].
 ## 🤝 Contributing
 
 If you need some ideas of where to help, you could work on adding more code coverage,
-or if it is already 💯 (see [below](#code-coverage)) check [reek](REEK), [issues][🤝gh-issues], or [PRs][🤝gh-pulls],
+or if it is already 💯 (see [below](#code-coverage)) check [issues][🤝gh-issues] or [PRs][🤝gh-pulls],
 or use the gem and think about how it could be better.
 
 We [![Keep A Changelog][📗keep-changelog-img]][📗keep-changelog] so if you make changes, remember to update it.
@@ -624,12 +622,17 @@ See [CONTRIBUTING.md][🤝contributing].
 
 ### Code Coverage
 
+<details markdown="1">
+<summary>Coverage service badges</summary>
+
 [![Coverage Graph][🏀codecov-g]][🏀codecov]
 
 [![Coveralls Test Coverage][🏀coveralls-img]][🏀coveralls]
 
 [![QLTY Test Coverage][🏀qlty-covi]][🏀qlty-cov]
 
+</details>
+
 ### 🪇 Code of Conduct
 
 Everyone interacting with this project's codebases, issue trackers,
@@ -644,13 +647,13 @@ Made with [contributors-img][🖐contrib-rocks].
 Also see GitLab Contributors: [https://gitlab.com/ruby-oauth/auth-sanitizer/-/graphs/main][🚎contributors-gl]
 
 <details>
-    <summary>⭐️ Star History</summary>
+ <summary>⭐️ Star History</summary>
 
-<a href="https://star-history.com/#ruby-oauth/auth-sanitizer&Date">
+<a href="https://star-history.com/ruby-oauth/auth-sanitizer&Date">
  <picture>
-   <source media="(prefers-color-scheme: dark)" srcset="https://api.star-history.com/svg?repos=ruby-oauth/auth-sanitizer&type=Date&theme=dark" />
-   <source media="(prefers-color-scheme: light)" srcset="https://api.star-history.com/svg?repos=ruby-oauth/auth-sanitizer&type=Date" />
-   <img alt="Star History Chart" src="https://api.star-history.com/svg?repos=ruby-oauth/auth-sanitizer&type=Date" />
+ <source media="(prefers-color-scheme: dark)" srcset="https://api.star-history.com/svg?repos=ruby-oauth/auth-sanitizer&type=Date&theme=dark" />
+ <source media="(prefers-color-scheme: light)" srcset="https://api.star-history.com/svg?repos=ruby-oauth/auth-sanitizer&type=Date" />
+ <img alt="Star History Chart" src="https://api.star-history.com/svg?repos=ruby-oauth/auth-sanitizer&type=Date" />
  </picture>
 </a>
 
@@ -658,19 +661,8 @@ Also see GitLab Contributors: [https://gitlab.com/ruby-oauth/auth-sanitizer/-/gr
 
 ## 📌 Versioning
 
-This Library adheres to [![Semantic Versioning 2.0.0][📌semver-img]][📌semver].
-Violations of this scheme should be reported as bugs.
-Specifically, if a minor or patch version is released that breaks backward compatibility,
-a new version should be immediately released that restores compatibility.
-Breaking changes to the public API will only be introduced with new major versions.
-
-> dropping support for a platform is both obviously and objectively a breaking change <br/>
->—Jordan Harband ([@ljharb](https://github.com/ljharb), maintainer of SemVer) [in SemVer issue 716][📌semver-breaking]
-
-I understand that policy doesn't work universally ("exceptions to every rule!"),
-but it is the policy here.
-As such, in many cases it is good to specify a dependency on this library using
-the [Pessimistic Version Constraint][📌pvc] with two digits of precision.
+This library follows [![Semantic Versioning 2.0.0][📌semver-img]][📌semver] for its public API where practical.
+For most applications, prefer the [Pessimistic Version Constraint][📌pvc] with two digits of precision.
 
 For example:
 
@@ -681,8 +673,8 @@ spec.add_dependency("auth-sanitizer", "~> 0.0")
 <details markdown="1">
 <summary>📌 Is "Platform Support" part of the public API? More details inside.</summary>
 
-SemVer should, IMO, but doesn't explicitly, say that dropping support for specific Platforms
-is a *breaking change* to an API, and for that reason the bike shedding is endless.
+Dropping support for a platform can be a breaking change for affected users.
+If a release changes supported platforms, it should be called out clearly in the changelog and versioned with that impact in mind.
 
 To get a better understanding of how SemVer is intended to work over a project's lifetime,
 read this article from the creator of SemVer:
@@ -702,6 +694,13 @@ the [MIT](MIT.md) [![License: MIT][📄license-img]][📄license-ref].
 
 See [LICENSE.md][📄license] for the official copyright notice.
 
+<details markdown="1">
+<summary>Copyright holders</summary>
+
+- Copyright (c) 2026 Peter H. Boling
+
+</details>
+
 ## 🤑 A request for help
 
 Maintainers have teeth and need to pay their dentists.
@@ -721,6 +720,8 @@ To say "thanks!" ☝️ Join the Discord or 👇️ send money.
 
 ### Please give the project a star ⭐ ♥.
 
+Many parts of this project are actively managed by a [kettle-jem](https://github.com/structuredmerge/structuredmerge-ruby/tree/main/gems/kettle-jem) smart template utilizing [StructuredMerge.org](https://structuredmerge.org) merge contracts.
+
 Thanks for RTFM. ☺️
 
 [⛳liberapay-img]: https://img.shields.io/liberapay/goal/pboling.svg?logo=liberapay&color=a51611&style=flat
@@ -765,7 +766,7 @@ Thanks for RTFM. ☺️
 [⛳️gem-name]: https://bestgems.org/gems/auth-sanitizer
 [⛳️name-img]: https://img.shields.io/badge/name-auth--sanitizer-3C2D2D.svg?style=square&logo=rubygems&logoColor=red
 [⛳️tag-img]: https://img.shields.io/github/tag/ruby-oauth/auth-sanitizer.svg
-[⛳️tag]: http://github.com/ruby-oauth/auth-sanitizer/releases
+[⛳️tag]: https://github.com/ruby-oauth/auth-sanitizer/releases
 [🚂maint-blog]: http://www.railsbling.com/tags/auth-sanitizer
 [🚂maint-blog-img]: https://img.shields.io/badge/blog-railsbling-0093D0.svg?style=for-the-badge&logo=rubyonrails&logoColor=orange
 [🚂maint-contact]: http://www.railsbling.com/contact
@@ -800,7 +801,7 @@ Thanks for RTFM. ☺️
 [💁🏼‍♂️peterboling]: http://www.peterboling.com
 [🚂railsbling]: http://www.railsbling.com
 [📜src-gl-img]: https://img.shields.io/badge/GitLab-FBA326?style=for-the-badge&logo=Gitlab&logoColor=orange
-[📜src-gl]: https://gitlab.com/ruby-oauth/auth-sanitizer/
+[📜src-gl]: https://gitlab.com/ruby-oauth/auth-sanitizer
 [📜src-cb-img]: https://img.shields.io/badge/CodeBerg-4893CC?style=for-the-badge&logo=CodeBerg&logoColor=blue
 [📜src-cb]: https://codeberg.org/ruby-oauth/auth-sanitizer
 [📜src-gh-img]: https://img.shields.io/badge/GitHub-238636?style=for-the-badge&logo=Github&logoColor=green
@@ -809,8 +810,8 @@ Thanks for RTFM. ☺️
 [📜docs-head-rd-img]: https://img.shields.io/badge/YARD_on_Galtzo.com-HEAD-943CD2?style=for-the-badge&logo=readthedocs&logoColor=white
 [📜gl-wiki]: https://gitlab.com/ruby-oauth/auth-sanitizer/-/wikis/home
 [📜gh-wiki]: https://github.com/ruby-oauth/auth-sanitizer/wiki
-[📜gl-wiki-img]: https://img.shields.io/badge/wiki-examples-943CD2.svg?style=for-the-badge&logo=gitlab&logoColor=white
-[📜gh-wiki-img]: https://img.shields.io/badge/wiki-examples-943CD2.svg?style=for-the-badge&logo=github&logoColor=white
+[📜gl-wiki-img]: https://img.shields.io/badge/wiki-gitlab-943CD2.svg?style=for-the-badge&logo=gitlab&logoColor=white
+[📜gh-wiki-img]: https://img.shields.io/badge/wiki-github-943CD2.svg?style=for-the-badge&logo=github&logoColor=white
 [👽dl-rank]: https://bestgems.org/gems/auth-sanitizer
 [👽dl-ranki]: https://img.shields.io/gem/rd/auth-sanitizer.svg
 [👽version]: https://bestgems.org/gems/auth-sanitizer
@@ -823,9 +824,6 @@ Thanks for RTFM. ☺️
 [🏀codecovi]: https://codecov.io/gh/ruby-oauth/auth-sanitizer/graph/badge.svg
 [🏀coveralls]: https://coveralls.io/github/ruby-oauth/auth-sanitizer?branch=main
 [🏀coveralls-img]: https://coveralls.io/repos/github/ruby-oauth/auth-sanitizer/badge.svg?branch=main
-[🖐codeQL]: https://github.com/ruby-oauth/auth-sanitizer/security/code-scanning
-[🖐codeQL-img]: https://github.com/ruby-oauth/auth-sanitizer/actions/workflows/codeql-analysis.yml/badge.svg
-[🚎ruby-2.3-wf]: https://github.com/ruby-oauth/auth-sanitizer/actions/workflows/ruby-2.3.yml
 [🚎ruby-2.4-wf]: https://github.com/ruby-oauth/auth-sanitizer/actions/workflows/ruby-2.4.yml
 [🚎ruby-2.5-wf]: https://github.com/ruby-oauth/auth-sanitizer/actions/workflows/ruby-2.5.yml
 [🚎ruby-2.6-wf]: https://github.com/ruby-oauth/auth-sanitizer/actions/workflows/ruby-2.6.yml
@@ -835,6 +833,7 @@ Thanks for RTFM. ☺️
 [🚎ruby-3.2-wf]: https://github.com/ruby-oauth/auth-sanitizer/actions/workflows/ruby-3.2.yml
 [🚎ruby-3.3-wf]: https://github.com/ruby-oauth/auth-sanitizer/actions/workflows/ruby-3.3.yml
 [🚎ruby-3.4-wf]: https://github.com/ruby-oauth/auth-sanitizer/actions/workflows/ruby-3.4.yml
+[🚎jruby-9.2-wf]: https://github.com/ruby-oauth/auth-sanitizer/actions/workflows/jruby-9.2.yml
 [🚎jruby-9.3-wf]: https://github.com/ruby-oauth/auth-sanitizer/actions/workflows/jruby-9.3.yml
 [🚎jruby-9.4-wf]: https://github.com/ruby-oauth/auth-sanitizer/actions/workflows/jruby-9.4.yml
 [🚎truby-22.3-wf]: https://github.com/ruby-oauth/auth-sanitizer/actions/workflows/truffleruby-22.3.yml
@@ -863,7 +862,6 @@ Thanks for RTFM. ☺️
 [🚎15-🪪-wf]: https://github.com/ruby-oauth/auth-sanitizer/actions/workflows/license-eye.yml
 [🚎15-🪪-wfi]: https://github.com/ruby-oauth/auth-sanitizer/actions/workflows/license-eye.yml/badge.svg
 [💎ruby-2.2i]: https://img.shields.io/badge/Ruby-2.2_(%F0%9F%9A%ABCI)-AABBCC?style=for-the-badge&logo=ruby&logoColor=white
-[💎ruby-2.3i]: https://img.shields.io/badge/Ruby-2.3-DF00CA?style=for-the-badge&logo=ruby&logoColor=white
 [💎ruby-2.4i]: https://img.shields.io/badge/Ruby-2.4-DF00CA?style=for-the-badge&logo=ruby&logoColor=white
 [💎ruby-2.5i]: https://img.shields.io/badge/Ruby-2.5-DF00CA?style=for-the-badge&logo=ruby&logoColor=white
 [💎ruby-2.6i]: https://img.shields.io/badge/Ruby-2.6-DF00CA?style=for-the-badge&logo=ruby&logoColor=white
@@ -882,6 +880,7 @@ Thanks for RTFM. ☺️
 [💎truby-24.2i]: https://img.shields.io/badge/Truffle_Ruby-24.2-34BCB1?style=for-the-badge&logo=ruby&logoColor=pink
 [💎truby-25.0i]: https://img.shields.io/badge/Truffle_Ruby-25.0-34BCB1?style=for-the-badge&logo=ruby&logoColor=pink
 [💎truby-c-i]: https://img.shields.io/badge/Truffle_Ruby-current-34BCB1?style=for-the-badge&logo=ruby&logoColor=green
+[💎jruby-9.2i]: https://img.shields.io/badge/JRuby-9.2-FBE742?style=for-the-badge&logo=ruby&logoColor=red
 [💎jruby-9.3i]: https://img.shields.io/badge/JRuby-9.3-FBE742?style=for-the-badge&logo=ruby&logoColor=red
 [💎jruby-9.4i]: https://img.shields.io/badge/JRuby-9.4-FBE742?style=for-the-badge&logo=ruby&logoColor=red
 [💎jruby-c-i]: https://img.shields.io/badge/JRuby-current-FBE742?style=for-the-badge&logo=ruby&logoColor=green
@@ -893,34 +892,35 @@ Thanks for RTFM. ☺️
 [🤝cb-issues]: https://codeberg.org/ruby-oauth/auth-sanitizer/issues
 [🤝cb-pulls]: https://codeberg.org/ruby-oauth/auth-sanitizer/pulls
 [🤝cb-donate]: https://donate.codeberg.org/
-[🤝contributing]: CONTRIBUTING.md
-[🏀codecov-g]: https://codecov.io/gh/ruby-oauth/auth-sanitizer/graphs/tree.svg
+[🤝contributing]: https://github.com/ruby-oauth/auth-sanitizer/blob/main/CONTRIBUTING.md
+[🏀codecov-g]: https://codecov.io/gh/ruby-oauth/auth-sanitizer/graph/badge.svg
 [🖐contrib-rocks]: https://contrib.rocks
 [🖐contributors]: https://github.com/ruby-oauth/auth-sanitizer/graphs/contributors
 [🖐contributors-img]: https://contrib.rocks/image?repo=ruby-oauth/auth-sanitizer
 [🚎contributors-gl]: https://gitlab.com/ruby-oauth/auth-sanitizer/-/graphs/main
-[🪇conduct]: CODE_OF_CONDUCT.md
+[🪇conduct]: https://github.com/ruby-oauth/auth-sanitizer/blob/main/CODE_OF_CONDUCT.md
 [🪇conduct-img]: https://img.shields.io/badge/Contributor_Covenant-2.1-259D6C.svg
 [📌pvc]: http://guides.rubygems.org/patterns/#pessimistic-version-constraint
 [📌semver]: https://semver.org/spec/v2.0.0.html
 [📌semver-img]: https://img.shields.io/badge/semver-2.0.0-259D6C.svg?style=flat
 [📌semver-breaking]: https://github.com/semver/semver/issues/716#issuecomment-869336139
 [📌major-versions-not-sacred]: https://tom.preston-werner.com/2022/05/23/major-version-numbers-are-not-sacred.html
-[📌changelog]: CHANGELOG.md
+[📌changelog]: https://github.com/ruby-oauth/auth-sanitizer/blob/main/CHANGELOG.md
 [📗keep-changelog]: https://keepachangelog.com/en/1.0.0/
 [📗keep-changelog-img]: https://img.shields.io/badge/keep--a--changelog-1.0.0-34495e.svg?style=flat
 [📌gitmoji]: https://gitmoji.dev
 [📌gitmoji-img]: https://img.shields.io/badge/gitmoji_commits-%20%F0%9F%98%9C%20%F0%9F%98%8D-34495e.svg?style=flat-square
 [🧮kloc]: https://www.youtube.com/watch?v=dQw4w9WgXcQ
-[🧮kloc-img]: https://img.shields.io/badge/KLOC-0.135-FFDD67.svg?style=for-the-badge&logo=YouTube&logoColor=blue
-[🔐security]: SECURITY.md
+[🧮kloc-img]: https://img.shields.io/badge/KLOC-0.145-FFDD67.svg?style=for-the-badge&logo=YouTube&logoColor=blue
+[🔐security]: https://github.com/ruby-oauth/auth-sanitizer/blob/main/SECURITY.md
 [🔐security-img]: https://img.shields.io/badge/security-policy-259D6C.svg?style=flat
 [📄copyright-notice-explainer]: https://opensource.stackexchange.com/questions/5778/why-do-licenses-such-as-the-mit-license-specify-a-single-year
 [📄license]: LICENSE.md
-[📄license-ref]: https://opensource.org/licenses/MIT
+[📄license-ref]: MIT.md
 [📄license-img]: https://img.shields.io/badge/License-MIT-259D6C.svg
-[📄license-compat]: https://dev.to/galtzo/how-to-check-license-compatibility-41h0
-[📄license-compat-img]: https://img.shields.io/badge/Apache_Compatible:_Category_A-%E2%9C%93-259D6C.svg?style=flat&logo=Apache
+[📄license-compat]: https://www.apache.org/legal/resolved.html#category-a
+[📄license-compat-img]: https://img.shields.io/badge/Apache_Compatible:_Category_A-✓-259D6C.svg?style=flat&logo=Apache
+
 [📄ilo-declaration]: https://www.ilo.org/declaration/lang--en/index.htm
 [📄ilo-declaration-img]: https://img.shields.io/badge/ILO_Fundamental_Principles-✓-259D6C.svg?style=flat
 [🚎yard-current]: http://rubydoc.info/gems/auth-sanitizer

data/SECURITY.md

@@ -4,7 +4,7 @@
 
 | Version  | Supported |
 |----------|-----------|
-| 1.latest | ✅         |
+| 0.latest | ✅         |
 
 ## Security contact information
 
@@ -12,8 +12,6 @@ To report a security vulnerability, please use the
 [Tidelift security contact](https://tidelift.com/security).
 Tidelift will coordinate the fix and disclosure.
 
-More detailed explanation of the process is in [IRP.md][IRP]
-
 ## Additional Support
 
 If you are interested in support for versions older than the latest release,
@@ -21,4 +19,3 @@ please consider sponsoring the project / maintainer @ https://liberapay.com/pbol
 or find other sponsorship links in the [README].
 
 [README]: README.md
-[IRP]: IRP.md

data/certs/pboling.pem

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEgDCCAuigAwIBAgIBATANBgkqhkiG9w0BAQsFADBDMRUwEwYDVQQDDAxwZXRl
+ci5ib2xpbmcxFTATBgoJkiaJk/IsZAEZFgVnbWFpbDETMBEGCgmSJomT8ixkARkW
+A2NvbTAeFw0yNTA1MDQxNTMzMDlaFw00NTA0MjkxNTMzMDlaMEMxFTATBgNVBAMM
+DHBldGVyLmJvbGluZzEVMBMGCgmSJomT8ixkARkWBWdtYWlsMRMwEQYKCZImiZPy
+LGQBGRYDY29tMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAruUoo0WA
+uoNuq6puKWYeRYiZekz/nsDeK5x/0IEirzcCEvaHr3Bmz7rjo1I6On3gGKmiZs61
+LRmQ3oxy77ydmkGTXBjruJB+pQEn7UfLSgQ0xa1/X3kdBZt6RmabFlBxnHkoaGY5
+mZuZ5+Z7walmv6sFD9ajhzj+oIgwWfnEHkXYTR8I6VLN7MRRKGMPoZ/yvOmxb2DN
+coEEHWKO9CvgYpW7asIihl/9GMpKiRkcYPm9dGQzZc6uTwom1COfW0+ZOFrDVBuV
+FMQRPswZcY4Wlq0uEBLPU7hxnCL9nKK6Y9IhdDcz1mY6HZ91WImNslOSI0S8hRpj
+yGOWxQIhBT3fqCBlRIqFQBudrnD9jSNpSGsFvbEijd5ns7Z9ZMehXkXDycpGAUj1
+to/5cuTWWw1JqUWrKJYoifnVhtE1o1DZ+LkPtWxHtz5kjDG/zR3MG0Ula0UOavlD
+qbnbcXPBnwXtTFeZ3C+yrWpE4pGnl3yGkZj9SMTlo9qnTMiPmuWKQDatAgMBAAGj
+fzB9MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQWBBQE8uWvNbPVNRXZ
+HlgPbc2PCzC4bjAhBgNVHREEGjAYgRZwZXRlci5ib2xpbmdAZ21haWwuY29tMCEG
+A1UdEgQaMBiBFnBldGVyLmJvbGluZ0BnbWFpbC5jb20wDQYJKoZIhvcNAQELBQAD
+ggGBAJbnUwfJQFPkBgH9cL7hoBfRtmWiCvdqdjeTmi04u8zVNCUox0A4gT982DE9
+wmuN12LpdajxZONqbXuzZvc+nb0StFwmFYZG6iDwaf4BPywm2e/Vmq0YG45vZXGR
+L8yMDSK1cQXjmA+ZBKOHKWavxP6Vp7lWvjAhz8RFwqF9GuNIdhv9NpnCAWcMZtpm
+GUPyIWw/Cw/2wZp74QzZj6Npx+LdXoLTF1HMSJXZ7/pkxLCsB8m4EFVdb/IrW/0k
+kNSfjtAfBHO8nLGuqQZVH9IBD1i9K6aSs7pT6TW8itXUIlkIUI2tg5YzW6OFfPzq
+QekSkX3lZfY+HTSp/o+YvKkqWLUV7PQ7xh1ZYDtocpaHwgxe/j3bBqHE+CUPH2vA
+0V/FwdTRWcwsjVoOJTrYcff8pBZ8r2MvtAc54xfnnhGFzeRHfcltobgFxkAXdE6p
+DVjBtqT23eugOqQ73umLcYDZkc36vnqGxUBSsXrzY9pzV5gGr2I8YUxMqf6ATrZt
+L9nRqA==
+-----END CERTIFICATE-----

data/lib/auth/sanitizer/filtered_attributes.rb

@@ -34,10 +34,10 @@ module Auth
       # the current {Auth::Sanitizer.filtered_label} value.
       module InitializerMethods
         def initialize(*args, &block)
-          super(*args, &block)
+          super
           @thing_filter = ThingFilter.new(
             self.class.filtered_attribute_names,
-            label: Auth::Sanitizer.filtered_label,
+            label: Auth::Sanitizer.filtered_label
           )
         end
       end
@@ -93,16 +93,34 @@ module Auth
       #
       # @return [String]
       def inspect
-        return super if thing_filter.things.empty?
+        inspected = super
+        return inspected if thing_filter.things.empty?
 
-        inspected_vars = instance_variables.map do |var|
-          if thing_filter.filtered?(var)
-            "#{var}=#{thing_filter.label}"
-          else
-            "#{var}=#{instance_variable_get(var).inspect}"
+        redact_inspected_values(inspected.dup)
+      end
+
+      private
+
+      INSPECTED_STRING_VALUE = /"(?:(?:\\.)|[^"\\])*"/
+      INSPECTED_REDACTABLE_VALUE = /
+        (?:
+          (@([A-Za-z_]\w*[!?=]?)=) |
+          ([,{]\s*([A-Za-z_]\w*[!?=]?):\s*) |
+          ([,{]\s*:([A-Za-z_]\w*[!?=]?)\s*=>\s*) |
+          ([,{]\s*"([A-Za-z_]\w*[!?=]?)"\s*=>\s*)
+        )
+        #{INSPECTED_STRING_VALUE}
+      /x
+      private_constant :INSPECTED_STRING_VALUE, :INSPECTED_REDACTABLE_VALUE
+
+      def redact_inspected_values(inspected)
+        inspected.gsub(INSPECTED_REDACTABLE_VALUE) do |match|
+          captures = Regexp.last_match.captures
+          prefix, = captures.each_slice(2).detect do |(_candidate_prefix, candidate_key)|
+            thing_filter.things.include?(candidate_key)
           end
+          prefix ? "#{prefix}#{thing_filter.label}" : match
         end
-        "#<#{self.class}:#{object_id} #{inspected_vars.join(", ")}>"
       end
     end
   end

data/lib/auth/sanitizer/sanitized_logger.rb

@@ -219,7 +219,7 @@ module Auth
       # @param [String] message Logger message
       # @return [String] Sanitized logger message
       def sanitize_authorization_header(message)
-        message.gsub(/(Authorization:\s*)(?:\"[^\"]*\"|[^\r\n]+)/i, "\\1\"#{thing_filter.label}\"")
+        message.gsub(/(Authorization:\s*)(?:"[^"]*"|[^\r\n]+)/i, "\\1\"#{thing_filter.label}\"")
       end
 
       # Redact JSON-style values for configured sensitive key names.
@@ -227,7 +227,7 @@ module Auth
       # @param [String] message Logger message
       # @return [String] Sanitized logger message
       def sanitize_json_pairs(message)
-        message.gsub(/([\"'])(#{thing_filter.pattern_source})\1(\s*:\s*)([\"'])(.*?)\4/i) do
+        message.gsub(/(["'])(#{thing_filter.pattern_source})\1(\s*:\s*)(["'])(.*?)\4/i) do
           %(#{$1}#{$2}#{$1}#{$3}#{$4}#{thing_filter.label}#{$4})
         end
       end
@@ -237,7 +237,7 @@ module Auth
       # @param [String] message Logger message
       # @return [String] Sanitized logger message
       def sanitize_form_and_query_pairs(message)
-        message.gsub(/(\b(?:#{thing_filter.pattern_source})=)([^&\s\"]+)/i, "\\1#{thing_filter.label}")
+        message.gsub(/(\b(?:#{thing_filter.pattern_source})=)([^&\s"]+)/i, "\\1#{thing_filter.label}")
       end
     end
   end

data/lib/auth/sanitizer/version.rb

@@ -3,7 +3,7 @@
 module Auth
   module Sanitizer
     module Version
-      VERSION = "0.1.4"
+      VERSION = "0.2.0"
     end
     VERSION = Version::VERSION # Traditional Constant Location
   end

data/lib/auth/sanitizer.rb

@@ -1,7 +1,13 @@
 # frozen_string_literal: true
 
+require "version_gem"
+
 require_relative "sanitizer/version"
 require_relative "sanitizer/thing_filter"
 require_relative "sanitizer/core"
 require_relative "sanitizer/filtered_attributes"
 require_relative "sanitizer/sanitized_logger"
+
+Auth::Sanitizer::Version.class_eval do
+  extend VersionGem::Basic
+end

data/lib/auth_sanitizer/loader.rb

@@ -22,12 +22,38 @@ module AuthSanitizer
       # @return [Module] isolated Auth::Sanitizer module
       def load_isolated
         namespace = Module.new
+        auth_namespace = Module.new
+        namespace.const_set(:Auth, auth_namespace)
+
         FILES.each do |relative_path|
           path = File.expand_path("../#{relative_path}", __dir__)
-          namespace.module_eval(File.read(path), path, 1)
+          auth_namespace.module_eval(isolated_source(path), path, 1)
         end
+
         namespace.const_get(:Auth).const_get(:Sanitizer)
       end
+
+      private
+
+      # Remove the public top-level Auth wrapper before evaluating a file inside
+      # the anonymous Auth namespace. This keeps the normal files unchanged while
+      # avoiding Object::Auth leakage on runtimes where Module#module_eval still
+      # resolves nested module declarations through Object.
+      def isolated_source(path)
+        lines = File.readlines(path)
+        wrapper_index = lines.index("module Auth\n")
+        return lines.join.split("Auth::Sanitizer").join("Sanitizer") unless wrapper_index
+
+        lines.delete_at(wrapper_index)
+        closing_index = lines.rindex("end\n")
+        lines.delete_at(closing_index) if closing_index
+
+        wrapper_index.upto(lines.length - 1) do |index|
+          line = lines[index]
+          lines[index] = line.start_with?("  ") ? line[2..-1] : line
+        end
+        lines.join.split("Auth::Sanitizer").join("Sanitizer")
+      end
     end
   end
 end

data/sig/auth/sanitizer/version.rbs

@@ -0,0 +1,8 @@
+module Auth
+  module Sanitizer
+    module Version
+      VERSION: String
+    end
+    VERSION: String
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: auth-sanitizer
 version: !ruby/object:Gem::Version
-  version: 0.1.4
+  version: 0.2.0
 platform: ruby
 authors:
 - Peter H. Boling
@@ -64,6 +64,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.8
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -71,6 +74,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.8
 - !ruby/object:Gem::Dependency
   name: bundler-audit
   requirement: !ruby/object:Gem::Requirement
@@ -145,20 +151,40 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '2.0'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.0.10
+        version: 2.0.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '2.0'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.0.10
+        version: 2.0.3
+- !ruby/object:Gem::Dependency
+  name: turbo_tests2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.1.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.1.1
 - !ruby/object:Gem::Dependency
   name: ruby-progressbar
   requirement: !ruby/object:Gem::Requirement
@@ -199,21 +225,21 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '2.0'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.0.3
+        version: 2.0.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '2.0'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.0.3
-description: "\U0001F7E5 Configurable KV output redaction. Sanitize/filter your secrets."
+        version: 2.0.1
+description: "\U0001F48E Configurable KV output redaction. Sanitize/filter your secrets."
 email:
 - floss@galtzo.com
 executables: []
@@ -224,8 +250,8 @@ extra_rdoc_files:
 - CODE_OF_CONDUCT.md
 - CONTRIBUTING.md
 - FUNDING.md
+- LICENSE.md
 - README.md
-- REEK
 - RUBOCOP.md
 - SECURITY.md
 files:
@@ -234,10 +260,11 @@ files:
 - CODE_OF_CONDUCT.md
 - CONTRIBUTING.md
 - FUNDING.md
+- LICENSE.md
 - README.md
-- REEK
 - RUBOCOP.md
 - SECURITY.md
+- certs/pboling.pem
 - lib/auth/sanitizer.rb
 - lib/auth/sanitizer/core.rb
 - lib/auth/sanitizer/filtered_attributes.rb
@@ -246,15 +273,16 @@ files:
 - lib/auth/sanitizer/version.rb
 - lib/auth_sanitizer/loader.rb
 - sig/auth/sanitizer.rbs
+- sig/auth/sanitizer/version.rbs
 homepage: https://github.com/ruby-oauth/auth-sanitizer
 licenses:
 - MIT
 metadata:
-  homepage_uri: https://auth-sanitizer.galtzo.com/
-  source_code_uri: https://github.com/ruby-oauth/auth-sanitizer/tree/v0.1.4
-  changelog_uri: https://github.com/ruby-oauth/auth-sanitizer/blob/v0.1.4/CHANGELOG.md
+  homepage_uri: https://auth-sanitizer.galtzo.com
+  source_code_uri: https://github.com/ruby-oauth/auth-sanitizer/tree/v0.2.0
+  changelog_uri: https://github.com/ruby-oauth/auth-sanitizer/blob/v0.2.0/CHANGELOG.md
   bug_tracker_uri: https://github.com/ruby-oauth/auth-sanitizer/issues
-  documentation_uri: https://www.rubydoc.info/gems/auth-sanitizer/0.1.4
+  documentation_uri: https://www.rubydoc.info/gems/auth-sanitizer/0.2.0
   funding_uri: https://github.com/sponsors/pboling
   wiki_uri: https://github.com/ruby-oauth/auth-sanitizer/wiki
   news_uri: https://www.railsbling.com/tags/auth-sanitizer
@@ -262,7 +290,7 @@ metadata:
   rubygems_mfa_required: 'true'
 rdoc_options:
 - "--title"
-- "auth-sanitizer - \U0001F7E5 Configurable KV output redaction"
+- "auth-sanitizer - \U0001F48E Configurable KV output redaction"
 - "--main"
 - README.md
 - "--exclude"
@@ -283,7 +311,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 4.0.11
+rubygems_version: 4.0.10
 specification_version: 4
-summary: "\U0001F7E5 Configurable KV output redaction"
+summary: "\U0001F48E Configurable KV output redaction"
 test_files: []