data_redactor 0.6.0 → 0.7.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0c2837740c12c4424fe8837a023c6043badc61c94c99a4b53a826e57f60c362f
-  data.tar.gz: fe57411af8c23f54a462a2c71d76e8e3306adb35958001a3918e817e5bceeabc
+  metadata.gz: 24e5a8c5434fa45e6465033d7a2792a94c0b8f0d9f3ff3ca49a3a6c3c6e4065b
+  data.tar.gz: dbe07535163dd1926ce11495aee8b8e2476eb0750a7b028c7af6a7428c6f39c5
 SHA512:
-  metadata.gz: d882f103607569f259bd8bba0cb10a34c1967564bbe81909c6ba877ccecd020b53efc8df350ab08b19169239b4be276a5bb28c54d8559a17914d10044d2aa4d3
-  data.tar.gz: b567563554f6f8549c9207b43596a3aba7ef33bb44a6efab4df02a8e3de851c06caf2afe253a7b0f01ac1d37b4808e4c99a5f4b421d395169b7525eabc26ad3f
+  metadata.gz: af2e9c869e54e7694eec166586f4baa3b16121c02f10f160db1a422ef9f6c87237ebab3c210bd950a4ab60551e3a6b32e8ccb0d2cfd695b90343cbbd5f8bd6a0
+  data.tar.gz: 9ac096890d738968525e50d3b0d5517f92886899176991ee3ee49a218398b5b47e470ff46b4c41fa458bc3a265f0069aaef2b4010e1296708e2470b7d8638b83

data/CHANGELOG.md

@@ -7,6 +7,87 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.7.2] - 2026-05-09
+
+**Supersedes 0.7.1, which has been yanked from RubyGems.**
+
+0.7.1 had a release pipeline bug: the source gem and the precompiled native
+gems were published by two independent workflows, with no gating between
+them. When the native-binary builds failed (`oxidize-rb/actions/cross-gem`
+couldn't pull `rbsys/aarch64-linux:0.9.128` from Docker Hub), the source
+gem still published — leaving users with release notes that promised
+precompiled binaries that didn't exist on RubyGems. 0.7.2 ships the same
+features as 0.7.1 plus the pipeline fix.
+
+### Changed
+- **Atomic release pipeline.** Source-gem publishing moved out of `ci.yml`
+  and into `release-binaries.yml`, alongside the native-gem builds. The
+  publish job now `needs: [build-source, build-native]`; if any native
+  platform fails to build, **nothing publishes**. This guarantees the
+  RubyGems release matches what the GitHub release notes promise.
+- **Direct `rake-compiler-dock` invocation in CI** instead of the
+  `oxidize-rb/actions/cross-gem` action. Same code path as `rake gem:all`
+  locally and the existing PR-time smoke test in `ci.yml`. Uses
+  `ghcr.io/rake-compiler/*` images (no Docker Hub rate limits).
+
+### Fixed
+- All 6 precompiled native gems now actually publish on release — the
+  `aarch64-linux` variant in particular was previously failing.
+
+### Documentation
+- README installation section rewritten around the user's question
+  ("what changes for me?"). Adds explicit Docker / Alpine guidance and a
+  heads-up about `bundle lock --add-platform` for cross-platform deploys.
+
+## [0.7.1] - 2026-05-09 [YANKED]
+
+### Added
+- **Precompiled native gems** for the most common platforms — installing
+  `data_redactor` no longer requires a C toolchain on these targets:
+  - `x86_64-linux`, `aarch64-linux` (glibc)
+  - `x86_64-linux-musl`, `aarch64-linux-musl` (Alpine)
+  - `x86_64-darwin`, `arm64-darwin` (macOS Intel + Apple Silicon)
+  Each native gem ships compiled `.so` files for Ruby 3.1, 3.2, 3.3, and 3.4.
+  Bundler/RubyGems automatically picks the right gem for the host; users on
+  any other platform fall back to the source gem and compile as before.
+- `rake gem:all` task — builds every native gem locally via `rake-compiler-dock`
+  (requires Docker). Single command to regenerate the full release matrix.
+- `.github/workflows/release-binaries.yml` — builds & publishes all native
+  gems on every GitHub release. Also exposes `workflow_dispatch` so a
+  maintainer can rebuild any past release without cutting a new tag.
+
+### Changed
+- CI test matrix now includes Ruby 3.4 in addition to 3.1, 3.2, 3.3.
+- Gemspec: added `rake-compiler-dock` as a development dependency. Source-only
+  gem size is unchanged — native gems strip `ext/` and the `extconf.rb`
+  extension hook so they only carry the prebuilt `.so` files.
+
+## [0.7.0] - 2026-05-08
+
+### Added
+- **Rails / Rack / Logger integrations** under `lib/data_redactor/integrations/`. Soft-required — none are loaded by default; the gem still has zero runtime dependencies in the gemspec.
+  - `DataRedactor::Integrations::Logger` — drop-in `Logger::Formatter` that scrubs every emitted line, wraps an inner formatter (default `Logger::Formatter`), and preserves exception cause chains.
+  - `DataRedactor::Integrations::Rails.filter(...)` — returns a `(key, value)` proc for `Rails.application.config.filter_parameters`. Mutates String values in place via `String#replace`.
+  - `DataRedactor::Integrations::Rack` — middleware with selectable surfaces. `scrub:` accepts any subset of `[:body, :headers]` (default both). `:body` buffers the response and drops `Content-Length`; `:headers` scrubs sensitive response headers (`Set-Cookie`, `Authorization`, `X-Api-Key`, ...) and request headers in the env hash. Unknown surfaces raise `ArgumentError`.
+- All three integrations forward `only:`, `except:`, `placeholder:` to `DataRedactor.redact`.
+
+### Changed
+- Gemspec: added `rack` as a development dependency. No new runtime dependencies.
+
+## [0.6.1] - 2026-05-08
+
+### Added
+- Six new distinctive-prefix API key patterns under the `:credentials` tag, exposed via `DataRedactor.pattern_names`:
+  - `anthropic_api_key` — `sk-ant-apiNN-...`
+  - `openai_project_api_key` — `sk-proj-...`
+  - `gitlab_pat` — `glpat-...`
+  - `digitalocean_pat` — `dop_v1_...`
+  - `databricks_api_token` — `dapi...`
+  - `sentry_dsn` — `https://KEY@oNNN.ingest.sentry.io/PID` (also matches the legacy `KEY:SECRET@` form)
+
+### Changed
+- `NUM_PATTERNS` is now 85 (was 79). Built-in pattern indices in C have shifted accordingly; the public Ruby API and pattern names are stable.
+
 ## [0.6.0] - 2026-05-08
 
 ### Added
@@ -80,7 +161,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - `DataRedactor.redact(text)` module function returning the input with every match replaced by `[REDACTED]`.
 - RSpec suite with one example per pattern.
 
-[Unreleased]: https://github.com/danielefrisanco/data_redactor/compare/v0.6.0...HEAD
+[Unreleased]: https://github.com/danielefrisanco/data_redactor/compare/v0.7.2...HEAD
+[0.7.2]: https://github.com/danielefrisanco/data_redactor/compare/v0.7.1...v0.7.2
+[0.7.1]: https://github.com/danielefrisanco/data_redactor/compare/v0.7.0...v0.7.1
+[0.7.0]: https://github.com/danielefrisanco/data_redactor/compare/v0.6.1...v0.7.0
+[0.6.1]: https://github.com/danielefrisanco/data_redactor/compare/v0.6.0...v0.6.1
 [0.6.0]: https://github.com/danielefrisanco/data_redactor/compare/v0.5.0...v0.6.0
 [0.2.0]: https://github.com/danielefrisanco/data_redactor/compare/v0.1.0...v0.2.0
 [0.1.0]: https://github.com/danielefrisanco/data_redactor/releases/tag/v0.1.0

data/ext/data_redactor/patterns.c

@@ -30,87 +30,93 @@ const int boundary_wrapped[NUM_PATTERNS] = {
     0, /*  1: Microsoft Teams Webhook */
     0, /*  2: Slack Webhook URL */
     0, /*  3: MongoDB Connection String */
-    0, /*  4: URI with Embedded Password */
+    0, /*  4: Sentry DSN */
+    0, /*  5: URI with Embedded Password */
     /* ---- Tier 2: Long prefixed tokens ---- */
-    0, /*  5: GitHub PAT (fine-grained, 93 chars) */
-    0, /*  6: JWT */
-    0, /*  7: Grafana API Token */
-    0, /*  8: SSH Public Key */
-    0, /*  9: Bearer Token */
-    0, /* 10: Google API Key (39 chars) */
-    0, /* 11: AWS Access Key ID (20 chars) */
-    0, /* 12: AWS Secret Access Key (40 base64) */
-    0, /* 13: SendGrid API Key */
-    0, /* 14: Amazon MWS Auth Token */
-    0, /* 15: LaunchDarkly API Key */
-    0, /* 16: GitHub Classic PAT (ghp_) */
-    0, /* 17: GitHub OAuth Token (gho_) */
-    0, /* 18: Stripe Secret Key */
-    0, /* 19: ClickUp API Key */
-    0, /* 20: Scaleway Access Key */
-    0, /* 21: PEM private key header (generic) */
-    0, /* 22: GPG Private Key Block */
+    0, /*  6: GitHub PAT (fine-grained, 93 chars) */
+    0, /*  7: JWT */
+    0, /*  8: Grafana API Token */
+    0, /*  9: SSH Public Key */
+    0, /* 10: Bearer Token */
+    0, /* 11: Anthropic API Key (sk-ant-api...) */
+    0, /* 12: OpenAI Project API Key (sk-proj-...) */
+    0, /* 13: Google API Key (39 chars) */
+    0, /* 14: AWS Access Key ID (20 chars) */
+    0, /* 15: AWS Secret Access Key (40 base64) */
+    0, /* 16: SendGrid API Key */
+    0, /* 17: Amazon MWS Auth Token */
+    0, /* 18: LaunchDarkly API Key */
+    0, /* 19: GitHub Classic PAT (ghp_) */
+    0, /* 20: GitHub OAuth Token (gho_) */
+    0, /* 21: Stripe Secret Key */
+    0, /* 22: ClickUp API Key */
+    0, /* 23: GitLab Personal Access Token (glpat-) */
+    0, /* 24: DigitalOcean PAT (dop_v1_) */
+    0, /* 25: Databricks API Token (dapi) */
+    0, /* 26: Scaleway Access Key */
+    0, /* 27: PEM private key header (generic) */
+    0, /* 28: GPG Private Key Block */
     /* ---- Tier 3: IBANs (longest → shortest) ---- */
-    0, /* 23: Hungary IBAN (28 chars) */
-    0, /* 24: Poland IBAN (28 chars) */
-    0, /* 25: France IBAN (27 chars) */
-    0, /* 26: Italy IBAN (27 chars) */
-    0, /* 27: Portugal IBAN (25 chars) */
-    0, /* 28: Spain IBAN (24 chars) */
-    0, /* 29: Czechia IBAN (24 chars) */
-    0, /* 30: Romania IBAN (24 chars) */
-    0, /* 31: Sweden IBAN (24 chars) */
-    0, /* 32: Germany IBAN (22 chars) */
-    0, /* 33: Ireland IBAN (22 chars) */
-    0, /* 34: Switzerland IBAN (21 chars) */
-    0, /* 35: Austria IBAN (20 chars) */
-    0, /* 36: Netherlands IBAN (18 chars) */
-    0, /* 37: Denmark IBAN (18 chars) */
-    0, /* 38: Finland IBAN (18 chars) */
-    0, /* 39: Belgium IBAN (16 chars) */
-    0, /* 40: Norway IBAN (15 chars) */
+    0, /* 29: Hungary IBAN (28 chars) */
+    0, /* 30: Poland IBAN (28 chars) */
+    0, /* 31: France IBAN (27 chars) */
+    0, /* 32: Italy IBAN (27 chars) */
+    0, /* 33: Portugal IBAN (25 chars) */
+    0, /* 34: Spain IBAN (24 chars) */
+    0, /* 35: Czechia IBAN (24 chars) */
+    0, /* 36: Romania IBAN (24 chars) */
+    0, /* 37: Sweden IBAN (24 chars) */
+    0, /* 38: Germany IBAN (22 chars) */
+    0, /* 39: Ireland IBAN (22 chars) */
+    0, /* 40: Switzerland IBAN (21 chars) */
+    0, /* 41: Austria IBAN (20 chars) */
+    0, /* 42: Netherlands IBAN (18 chars) */
+    0, /* 43: Denmark IBAN (18 chars) */
+    0, /* 44: Finland IBAN (18 chars) */
+    0, /* 45: Belgium IBAN (16 chars) */
+    0, /* 46: Norway IBAN (15 chars) */
     /* ---- Tier 4: Structured formats (dots, dashes, slashes, @) ---- */
-    0, /* 41: Email Address */
-    0, /* 42: International Phone Number */
-    0, /* 43: Brazilian CNPJ (XX.XXX.XXX/XXXX-XX) */
-    0, /* 44: Brazilian CPF (XXX.XXX.XXX-XX) */
-    0, /* 45: UUID v4 */
-    0, /* 46: IPv4 address */
-    0, /* 47: Credit card numbers */
-    0, /* 48: Indian Aadhaar (XXXX XXXX XXXX) */
+    0, /* 47: Email Address */
+    0, /* 48: International Phone Number */
+    0, /* 49: Brazilian CNPJ (XX.XXX.XXX/XXXX-XX) */
+    0, /* 50: Brazilian CPF (XXX.XXX.XXX-XX) */
+    0, /* 51: UUID v4 */
+    0, /* 52: IPv4 address */
+    0, /* 53: Credit card numbers */
+    0, /* 54: Indian Aadhaar (XXXX XXXX XXXX) */
     /* ---- Tier 5: Letter-anchored patterns ---- */
-    0, /* 49: Mexican CURP (18 alphanum, distinctive structure) */
-    0, /* 50: Italian CF with omocodia (16 chars) */
-    0, /* 51: Italian CF basic (16 chars) */
-    0, /* 52: UK National Insurance Number */
-    0, /* 53: Spanish NIE (X/Y/Z prefix) */
-    0, /* 54: Passport letter prefix + digits */
+    0, /* 55: Mexican CURP (18 alphanum, distinctive structure) */
+    0, /* 56: Italian CF with omocodia (16 chars) */
+    0, /* 57: Italian CF basic (16 chars) */
+    0, /* 58: UK National Insurance Number */
+    0, /* 59: Spanish NIE (X/Y/Z prefix) */
+    0, /* 60: Passport letter prefix + digits */
     /* ---- Tier 6: Boundary-wrapped structured (dash/dot/slash separated) ---- */
-    1, /* 55: South Korean RRN (YYMMDD-XXXXXXX, 14 chars) */
-    1, /* 56: Swiss AHV Number (756.XXXX.XXXX.XX) */
-    1, /* 57: Finnish HETU (DDMMYY[+-A]XXXC) */
-    1, /* 58: Swedish Personnummer (YYMMDD[-+]XXXX) */
-    1, /* 59: Danish CPR Number (DDMMYY-XXXX) */
-    1, /* 60: Czech Rodné číslo (YYMMDD/XXXX) */
-    1, /* 61: US Social Security Number (XXX-XX-XXXX) */
-    1, /* 62: US ITIN (9XX-XX-XXXX) */
-    1, /* 63: Canadian SIN (XXX-XXX-XXX) */
-    1, /* 64: Australian TFN (XXX-XXX-XXX) */
-    1, /* 65: Indian PAN (AAAAA0000A) */
-    1, /* 66: Spanish DNI (8 digits + letter) */
-    1, /* 67: Hungarian Tax ID (8XXXXXXXXX, 10 digits) */
+    1, /* 61: South Korean RRN (YYMMDD-XXXXXXX, 14 chars) */
+    1, /* 62: Swiss AHV Number (756.XXXX.XXXX.XX) */
+    1, /* 63: Finnish HETU (DDMMYY[+-A]XXXC) */
+    1, /* 64: Swedish Personnummer (YYMMDD[-+]XXXX) */
+    1, /* 65: Danish CPR Number (DDMMYY-XXXX) */
+    1, /* 66: Czech Rodné číslo (YYMMDD/XXXX) */
+    1, /* 67: US Social Security Number (XXX-XX-XXXX) */
+    1, /* 68: US ITIN (9XX-XX-XXXX) */
+    1, /* 69: Canadian SIN (XXX-XXX-XXX) */
+    1, /* 70: Australian TFN (XXX-XXX-XXX) */
+    1, /* 71: Indian PAN (AAAAA0000A) */
+    1, /* 72: Spanish DNI (8 digits + letter) */
+    1, /* 73: Hungarian Tax ID (8XXXXXXXXX, 10 digits) */
     /* ---- Tier 7: Boundary-wrapped pure digits (longest → shortest) ---- */
-    1, /* 68: French NIR (15 digits) */
-    1, /* 69: South African ID (13 digits) */
-    1, /* 70: Romanian CNP (13 digits) */
-    1, /* 71: Japanese My Number (12 digits) */
-    1, /* 72: Polish PESEL (11 digits) */
-    1, /* 73: Belgian National Number (11 digits) */
-    1, /* 74: Norwegian Fødselsnummer (11 digits) */
-    1, /* 75: Passport 9 digits */
-    1, /* 76: Dutch BSN (8-9 digits) */
-    1, /* 77: Austrian Abgabenkontonummer (9 digits) */
-    1  /* 78: Polish PESEL duplicate */
+    1, /* 74: French NIR (15 digits) */
+    1, /* 75: South African ID (13 digits) */
+    1, /* 76: Romanian CNP (13 digits) */
+    1, /* 77: Japanese My Number (12 digits) */
+    1, /* 78: Polish PESEL (11 digits) */
+    1, /* 79: Belgian National Number (11 digits) */
+    1, /* 80: Norwegian Fødselsnummer (11 digits) */
+    1, /* 81: Passport 9 digits */
+    1, /* 82: Dutch BSN (8-9 digits) */
+    1, /* 83: Austrian Abgabenkontonummer (9 digits) */
+    1  /* 84: Polish PESEL duplicate */
 };
 
 /*
@@ -118,55 +124,56 @@ const int boundary_wrapped[NUM_PATTERNS] = {
  * patterns run when the caller passes a mask (only/except).
  */
 const int pattern_tags[NUM_PATTERNS] = {
-    /* 0-22: secrets, API keys, tokens, private keys, webhooks */
+    /* 0-28: secrets, API keys, tokens, private keys, webhooks */
     TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS,
     TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS,
     TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS,
     TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS,
-    TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS,
-    /* 23-40: IBANs */
+    TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS,
+    TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS,
+    /* 29-46: IBANs */
     TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL,
     TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL,
     TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL,
     TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL,
-    TAG_CONTACT,      /* 41: email */
-    TAG_CONTACT,      /* 42: phone */
-    TAG_TAX_ID,       /* 43: Brazilian CNPJ */
-    TAG_TAX_ID,       /* 44: Brazilian CPF */
-    TAG_OTHER,        /* 45: UUID v4 */
-    TAG_NETWORK,      /* 46: IPv4 */
-    TAG_FINANCIAL,    /* 47: credit card */
-    TAG_NATIONAL_ID,  /* 48: Indian Aadhaar */
-    TAG_NATIONAL_ID,  /* 49: Mexican CURP */
-    TAG_TAX_ID,       /* 50: Italian CF (omocodia) */
-    TAG_TAX_ID,       /* 51: Italian CF (basic) */
-    TAG_NATIONAL_ID,  /* 52: UK NIN */
-    TAG_NATIONAL_ID,  /* 53: Spanish NIE */
-    TAG_TRAVEL,       /* 54: passport letter prefix */
-    TAG_NATIONAL_ID,  /* 55: Korean RRN */
-    TAG_NATIONAL_ID,  /* 56: Swiss AHV */
-    TAG_NATIONAL_ID,  /* 57: Finnish HETU */
-    TAG_NATIONAL_ID,  /* 58: Swedish Personnummer */
-    TAG_NATIONAL_ID,  /* 59: Danish CPR */
-    TAG_NATIONAL_ID,  /* 60: Czech Rodné číslo */
-    TAG_NATIONAL_ID,  /* 61: US SSN */
-    TAG_TAX_ID,       /* 62: US ITIN */
-    TAG_NATIONAL_ID,  /* 63: Canadian SIN */
-    TAG_TAX_ID,       /* 64: Australian TFN */
-    TAG_TAX_ID,       /* 65: Indian PAN */
-    TAG_NATIONAL_ID,  /* 66: Spanish DNI */
-    TAG_TAX_ID,       /* 67: Hungarian Tax ID */
-    TAG_NATIONAL_ID,  /* 68: French NIR */
-    TAG_NATIONAL_ID,  /* 69: South African ID */
-    TAG_NATIONAL_ID,  /* 70: Romanian CNP */
-    TAG_TAX_ID,       /* 71: Japanese My Number */
-    TAG_NATIONAL_ID,  /* 72: Polish PESEL */
-    TAG_NATIONAL_ID,  /* 73: Belgian National Number */
-    TAG_NATIONAL_ID,  /* 74: Norwegian Fødselsnummer */
-    TAG_TRAVEL,       /* 75: passport 9 digits */
-    TAG_NATIONAL_ID,  /* 76: Dutch BSN */
-    TAG_TAX_ID,       /* 77: Austrian Abgabenkontonummer */
-    TAG_NATIONAL_ID   /* 78: Polish PESEL duplicate */
+    TAG_CONTACT,      /* 47: email */
+    TAG_CONTACT,      /* 48: phone */
+    TAG_TAX_ID,       /* 49: Brazilian CNPJ */
+    TAG_TAX_ID,       /* 50: Brazilian CPF */
+    TAG_OTHER,        /* 51: UUID v4 */
+    TAG_NETWORK,      /* 52: IPv4 */
+    TAG_FINANCIAL,    /* 53: credit card */
+    TAG_NATIONAL_ID,  /* 54: Indian Aadhaar */
+    TAG_NATIONAL_ID,  /* 55: Mexican CURP */
+    TAG_TAX_ID,       /* 56: Italian CF (omocodia) */
+    TAG_TAX_ID,       /* 57: Italian CF (basic) */
+    TAG_NATIONAL_ID,  /* 58: UK NIN */
+    TAG_NATIONAL_ID,  /* 59: Spanish NIE */
+    TAG_TRAVEL,       /* 60: passport letter prefix */
+    TAG_NATIONAL_ID,  /* 61: Korean RRN */
+    TAG_NATIONAL_ID,  /* 62: Swiss AHV */
+    TAG_NATIONAL_ID,  /* 63: Finnish HETU */
+    TAG_NATIONAL_ID,  /* 64: Swedish Personnummer */
+    TAG_NATIONAL_ID,  /* 65: Danish CPR */
+    TAG_NATIONAL_ID,  /* 66: Czech Rodné číslo */
+    TAG_NATIONAL_ID,  /* 67: US SSN */
+    TAG_TAX_ID,       /* 68: US ITIN */
+    TAG_NATIONAL_ID,  /* 69: Canadian SIN */
+    TAG_TAX_ID,       /* 70: Australian TFN */
+    TAG_TAX_ID,       /* 71: Indian PAN */
+    TAG_NATIONAL_ID,  /* 72: Spanish DNI */
+    TAG_TAX_ID,       /* 73: Hungarian Tax ID */
+    TAG_NATIONAL_ID,  /* 74: French NIR */
+    TAG_NATIONAL_ID,  /* 75: South African ID */
+    TAG_NATIONAL_ID,  /* 76: Romanian CNP */
+    TAG_TAX_ID,       /* 77: Japanese My Number */
+    TAG_NATIONAL_ID,  /* 78: Polish PESEL */
+    TAG_NATIONAL_ID,  /* 79: Belgian National Number */
+    TAG_NATIONAL_ID,  /* 80: Norwegian Fødselsnummer */
+    TAG_TRAVEL,       /* 81: passport 9 digits */
+    TAG_NATIONAL_ID,  /* 82: Dutch BSN */
+    TAG_TAX_ID,       /* 83: Austrian Abgabenkontonummer */
+    TAG_NATIONAL_ID   /* 84: Polish PESEL duplicate */
 };
 
 const char *pattern_names[NUM_PATTERNS] = {
@@ -174,81 +181,87 @@ const char *pattern_names[NUM_PATTERNS] = {
     "microsoft_teams_webhook",       /*  1 */
     "slack_webhook_url",             /*  2 */
     "mongodb_connection_string",     /*  3 */
-    "uri_with_password",             /*  4 */
-    "github_pat_fine_grained",       /*  5 */
-    "jwt",                           /*  6 */
-    "grafana_api_token",             /*  7 */
-    "ssh_public_key",                /*  8 */
-    "bearer_token",                  /*  9 */
-    "google_api_key",                /* 10 */
-    "aws_access_key_id",             /* 11 */
-    "aws_secret_access_key",         /* 12 */
-    "sendgrid_api_key",              /* 13 */
-    "amazon_mws_auth_token",         /* 14 */
-    "launchdarkly_api_key",          /* 15 */
-    "github_classic_pat",            /* 16 */
-    "github_oauth_token",            /* 17 */
-    "stripe_secret_key",             /* 18 */
-    "clickup_api_key",               /* 19 */
-    "scaleway_access_key",           /* 20 */
-    "pem_private_key",               /* 21 */
-    "gpg_private_key",               /* 22 */
-    "iban_hu",                       /* 23 */
-    "iban_pl",                       /* 24 */
-    "iban_fr",                       /* 25 */
-    "iban_it",                       /* 26 */
-    "iban_pt",                       /* 27 */
-    "iban_es",                       /* 28 */
-    "iban_cz",                       /* 29 */
-    "iban_ro",                       /* 30 */
-    "iban_se",                       /* 31 */
-    "iban_de",                       /* 32 */
-    "iban_ie",                       /* 33 */
-    "iban_ch",                       /* 34 */
-    "iban_at",                       /* 35 */
-    "iban_nl",                       /* 36 */
-    "iban_dk",                       /* 37 */
-    "iban_fi",                       /* 38 */
-    "iban_be",                       /* 39 */
-    "iban_no",                       /* 40 */
-    "email",                         /* 41 */
-    "phone_e164",                    /* 42 */
-    "brazilian_cnpj",                /* 43 */
-    "brazilian_cpf",                 /* 44 */
-    "uuid_v4",                       /* 45 */
-    "ipv4",                          /* 46 */
-    "credit_card",                   /* 47 */
-    "indian_aadhaar",                /* 48 */
-    "mexican_curp",                  /* 49 */
-    "italian_cf_omocodia",           /* 50 */
-    "italian_cf",                    /* 51 */
-    "uk_nin",                        /* 52 */
-    "spanish_nie",                   /* 53 */
-    "passport_letter_prefix",        /* 54 */
-    "korean_rrn",                    /* 55 */
-    "swiss_ahv",                     /* 56 */
-    "finnish_hetu",                  /* 57 */
-    "swedish_personnummer",          /* 58 */
-    "danish_cpr",                    /* 59 */
-    "czech_rodne_cislo",             /* 60 */
-    "us_ssn",                        /* 61 */
-    "us_itin",                       /* 62 */
-    "canadian_sin",                  /* 63 */
-    "australian_tfn",                /* 64 */
-    "indian_pan",                    /* 65 */
-    "spanish_dni",                   /* 66 */
-    "hungarian_tax_id",              /* 67 */
-    "french_nir",                    /* 68 */
-    "south_african_id",              /* 69 */
-    "romanian_cnp",                  /* 70 */
-    "japanese_my_number",            /* 71 */
-    "polish_pesel",                  /* 72 */
-    "belgian_national_number",       /* 73 */
-    "norwegian_fodselsnummer",       /* 74 */
-    "passport_9digits",              /* 75 */
-    "dutch_bsn",                     /* 76 */
-    "austrian_abgabenkontonummer",   /* 77 */
-    "polish_pesel_2"                 /* 78 */
+    "sentry_dsn",                    /*  4 */
+    "uri_with_password",             /*  5 */
+    "github_pat_fine_grained",       /*  6 */
+    "jwt",                           /*  7 */
+    "grafana_api_token",             /*  8 */
+    "ssh_public_key",                /*  9 */
+    "bearer_token",                  /* 10 */
+    "anthropic_api_key",             /* 11 */
+    "openai_project_api_key",        /* 12 */
+    "google_api_key",                /* 13 */
+    "aws_access_key_id",             /* 14 */
+    "aws_secret_access_key",         /* 15 */
+    "sendgrid_api_key",              /* 16 */
+    "amazon_mws_auth_token",         /* 17 */
+    "launchdarkly_api_key",          /* 18 */
+    "github_classic_pat",            /* 19 */
+    "github_oauth_token",            /* 20 */
+    "stripe_secret_key",             /* 21 */
+    "clickup_api_key",               /* 22 */
+    "gitlab_pat",                    /* 23 */
+    "digitalocean_pat",              /* 24 */
+    "databricks_api_token",          /* 25 */
+    "scaleway_access_key",           /* 26 */
+    "pem_private_key",               /* 27 */
+    "gpg_private_key",               /* 28 */
+    "iban_hu",                       /* 29 */
+    "iban_pl",                       /* 30 */
+    "iban_fr",                       /* 31 */
+    "iban_it",                       /* 32 */
+    "iban_pt",                       /* 33 */
+    "iban_es",                       /* 34 */
+    "iban_cz",                       /* 35 */
+    "iban_ro",                       /* 36 */
+    "iban_se",                       /* 37 */
+    "iban_de",                       /* 38 */
+    "iban_ie",                       /* 39 */
+    "iban_ch",                       /* 40 */
+    "iban_at",                       /* 41 */
+    "iban_nl",                       /* 42 */
+    "iban_dk",                       /* 43 */
+    "iban_fi",                       /* 44 */
+    "iban_be",                       /* 45 */
+    "iban_no",                       /* 46 */
+    "email",                         /* 47 */
+    "phone_e164",                    /* 48 */
+    "brazilian_cnpj",                /* 49 */
+    "brazilian_cpf",                 /* 50 */
+    "uuid_v4",                       /* 51 */
+    "ipv4",                          /* 52 */
+    "credit_card",                   /* 53 */
+    "indian_aadhaar",                /* 54 */
+    "mexican_curp",                  /* 55 */
+    "italian_cf_omocodia",           /* 56 */
+    "italian_cf",                    /* 57 */
+    "uk_nin",                        /* 58 */
+    "spanish_nie",                   /* 59 */
+    "passport_letter_prefix",        /* 60 */
+    "korean_rrn",                    /* 61 */
+    "swiss_ahv",                     /* 62 */
+    "finnish_hetu",                  /* 63 */
+    "swedish_personnummer",          /* 64 */
+    "danish_cpr",                    /* 65 */
+    "czech_rodne_cislo",             /* 66 */
+    "us_ssn",                        /* 67 */
+    "us_itin",                       /* 68 */
+    "canadian_sin",                  /* 69 */
+    "australian_tfn",                /* 70 */
+    "indian_pan",                    /* 71 */
+    "spanish_dni",                   /* 72 */
+    "hungarian_tax_id",              /* 73 */
+    "french_nir",                    /* 74 */
+    "south_african_id",              /* 75 */
+    "romanian_cnp",                  /* 76 */
+    "japanese_my_number",            /* 77 */
+    "polish_pesel",                  /* 78 */
+    "belgian_national_number",       /* 79 */
+    "norwegian_fodselsnummer",       /* 80 */
+    "passport_9digits",              /* 81 */
+    "dutch_bsn",                     /* 82 */
+    "austrian_abgabenkontonummer",   /* 83 */
+    "polish_pesel_2"                 /* 84 */
 };
 
 /*
@@ -265,166 +278,178 @@ const char *pattern_strings[NUM_PATTERNS] = {
     "https://hooks\\.slack\\.com/services/T[A-Z0-9]{8}/B[A-Z0-9]{8}/[A-Za-z0-9]{24}",
     /*  3: MongoDB Connection String (with credentials) */
     "mongodb(\\+srv)?://[^[:space:]'\"<>/:@]+:[^[:space:]'\"<>/@]+@[^[:space:]?'\"]+",
-    /*  4: URI with Embedded Password (scheme://user:pass@host) */
+    /*  4: Sentry DSN (https://KEY@host.ingest.sentry.io/PROJECT_ID) */
+    "https://[a-f0-9]{32}(:[a-f0-9]{32})?@[a-zA-Z0-9.-]+\\.ingest\\.sentry\\.io/[0-9]+",
+    /*  5: URI with Embedded Password (scheme://user:pass@host) */
     "[A-Za-z][A-Za-z0-9+_-]*://[^[:space:]/?#:@]+:[^[:space:]/?#@]+@[A-Za-z0-9.-]+",
 
     /* ---- Tier 2: Long prefixed tokens ---- */
-    /*  5: GitHub PAT fine-grained (github_pat_ + 82 chars) */
+    /*  6: GitHub PAT fine-grained (github_pat_ + 82 chars) */
     "github_pat_[0-9a-zA-Z_]{82}",
-    /*  6: JWT (three base64url segments) */
+    /*  7: JWT (three base64url segments) */
     "eyJ[A-Za-z0-9_-]{10,}\\.eyJ[A-Za-z0-9_-]{10,}\\.[A-Za-z0-9_-]+",
-    /*  7: Grafana API Token (base64 of {\"k\":\") */
+    /*  8: Grafana API Token (base64 of {\"k\":\") */
     "eyJrIjoi[A-Za-z0-9_=-]{42,}",
-    /*  8: SSH Public Key */
+    /*  9: SSH Public Key */
     "ssh-(rsa|ed25519|ecdsa) [a-zA-Z0-9/+=]{20,}",
-    /*  9: Bearer Token */
+    /* 10: Bearer Token */
     "[Bb]earer [a-zA-Z0-9_.=/+:-]{12,}",
-    /* 10: Google API Key (AIza + 35 chars) */
+    /* 11: Anthropic API Key (sk-ant-apiNN-... ~ 95+ chars) */
+    "sk-ant-api[0-9]{2}-[A-Za-z0-9_-]{90,}",
+    /* 12: OpenAI Project API Key (sk-proj-...) */
+    "sk-proj-[A-Za-z0-9_-]{20,}",
+    /* 13: Google API Key (AIza + 35 chars) */
     "AIza[0-9A-Za-z_-]{35}",
-    /* 11: AWS Access Key ID (all prefixes + 16 chars) */
+    /* 14: AWS Access Key ID (all prefixes + 16 chars) */
     "(A3T[A-Z0-9]|AKIA|ABIA|ACCA|AGPA|AIDA|ANPA|ANVA|APKA|AROA|ASCA|ASIA)[A-Z2-7]{16}",
-    /* 12: AWS Secret Access Key (40 base64 chars) */
+    /* 15: AWS Secret Access Key (40 base64 chars) */
     "[A-Za-z0-9/+=]{40}",
-    /* 13: SendGrid API Key */
+    /* 16: SendGrid API Key */
     "SG\\.[a-zA-Z0-9_-]{5,}\\.[a-zA-Z0-9_-]{5,}",
-    /* 14: Amazon MWS Auth Token */
+    /* 17: Amazon MWS Auth Token */
     "amzn\\.mws\\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}",
-    /* 15: LaunchDarkly API Key (api-UUID or sdk-UUID) */
+    /* 18: LaunchDarkly API Key (api-UUID or sdk-UUID) */
     "(api|sdk)-[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}",
-    /* 16: GitHub Classic PAT (ghp_ + 36 chars) */
+    /* 19: GitHub Classic PAT (ghp_ + 36 chars) */
     "ghp_[0-9a-zA-Z]{36}",
-    /* 17: GitHub OAuth Token (gho_ + 36 chars) */
+    /* 20: GitHub OAuth Token (gho_ + 36 chars) */
     "gho_[0-9a-zA-Z]{36}",
-    /* 18: Stripe Secret Key (sk_live_ + 24 chars) */
+    /* 21: Stripe Secret Key (sk_live_ + 24 chars) */
     "sk_live_[0-9a-zA-Z]{24}",
-    /* 19: ClickUp API Key */
+    /* 22: ClickUp API Key */
     "pk_[0-9]{6,8}_[A-Z0-9]{32}",
-    /* 20: Scaleway Access Key (SCW + 17 chars) */
+    /* 23: GitLab Personal Access Token (glpat- + 20 chars) */
+    "glpat-[0-9a-zA-Z_-]{20}",
+    /* 24: DigitalOcean PAT (dop_v1_ + 64 hex chars) */
+    "dop_v1_[a-f0-9]{64}",
+    /* 25: Databricks API Token (dapi + 32 hex chars) */
+    "dapi[a-f0-9]{32}",
+    /* 26: Scaleway Access Key (SCW + 17 chars) */
     "SCW[A-Z0-9]{17}",
-    /* 21: PEM private key header (generic) */
+    /* 27: PEM private key header (generic) */
     "-----BEGIN [A-Z ]*PRIVATE KEY-----",
-    /* 22: GPG Private Key Block */
+    /* 28: GPG Private Key Block */
     "-----BEGIN PGP PRIVATE KEY BLOCK-----",
 
     /* ---- Tier 3: IBANs (longest → shortest) ---- */
-    /* 23: Hungary IBAN (HU, 28 chars) */
+    /* 29: Hungary IBAN (HU, 28 chars) */
     "HU[0-9]{2}[0-9]{24}",
-    /* 24: Poland IBAN (PL, 28 chars) */
+    /* 30: Poland IBAN (PL, 28 chars) */
     "PL[0-9]{2}[0-9]{24}",
-    /* 25: France IBAN (FR, 27 chars) */
+    /* 31: France IBAN (FR, 27 chars) */
     "FR[0-9]{2}[0-9]{10}[A-Z0-9]{11}[0-9]{2}",
-    /* 26: Italy IBAN (IT, 27 chars) */
+    /* 32: Italy IBAN (IT, 27 chars) */
     "IT[0-9]{2}[A-Z][0-9]{10}[A-Z0-9]{12}",
-    /* 27: Portugal IBAN (PT, 25 chars) */
+    /* 33: Portugal IBAN (PT, 25 chars) */
     "PT[0-9]{2}[0-9]{21}",
-    /* 28: Spain IBAN (ES, 24 chars) */
+    /* 34: Spain IBAN (ES, 24 chars) */
     "ES[0-9]{2}[0-9]{20}",
-    /* 29: Czechia IBAN (CZ, 24 chars) */
+    /* 35: Czechia IBAN (CZ, 24 chars) */
     "CZ[0-9]{2}[0-9]{20}",
-    /* 30: Romania IBAN (RO, 24 chars) */
+    /* 36: Romania IBAN (RO, 24 chars) */
     "RO[0-9]{2}[A-Z]{4}[A-Z0-9]{16}",
-    /* 31: Sweden IBAN (SE, 24 chars) */
+    /* 37: Sweden IBAN (SE, 24 chars) */
     "SE[0-9]{2}[0-9]{20}",
-    /* 32: Germany IBAN (DE, 22 chars) */
+    /* 38: Germany IBAN (DE, 22 chars) */
     "DE[0-9]{2}[0-9]{18}",
-    /* 33: Ireland IBAN (IE, 22 chars) */
+    /* 39: Ireland IBAN (IE, 22 chars) */
     "IE[0-9]{2}[A-Z]{4}[0-9]{14}",
-    /* 34: Switzerland IBAN (CH, 21 chars) */
+    /* 40: Switzerland IBAN (CH, 21 chars) */
     "CH[0-9]{2}[0-9]{5}[A-Z0-9]{12}",
-    /* 35: Austria IBAN (AT, 20 chars) */
+    /* 41: Austria IBAN (AT, 20 chars) */
     "AT[0-9]{2}[0-9]{16}",
-    /* 36: Netherlands IBAN (NL, 18 chars) */
+    /* 42: Netherlands IBAN (NL, 18 chars) */
     "NL[0-9]{2}[A-Z]{4}[0-9]{10}",
-    /* 37: Denmark IBAN (DK, 18 chars) */
+    /* 43: Denmark IBAN (DK, 18 chars) */
     "DK[0-9]{2}[0-9]{14}",
-    /* 38: Finland IBAN (FI, 18 chars) */
+    /* 44: Finland IBAN (FI, 18 chars) */
     "FI[0-9]{2}[0-9]{14}",
-    /* 39: Belgium IBAN (BE, 16 chars) */
+    /* 45: Belgium IBAN (BE, 16 chars) */
     "BE[0-9]{2}[0-9]{12}",
-    /* 40: Norway IBAN (NO, 15 chars) */
+    /* 46: Norway IBAN (NO, 15 chars) */
     "NO[0-9]{2}[0-9]{11}",
 
     /* ---- Tier 4: Structured formats (dots, dashes, slashes, @) ---- */
-    /* 41: Email Address */
+    /* 47: Email Address */
     "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}",
-    /* 42: International Phone Number (E.164) */
+    /* 48: International Phone Number (E.164) */
     "\\+[0-9]{1,3}[- ]?[0-9][0-9 -]{6,13}[0-9]",
-    /* 43: Brazilian CNPJ (XX.XXX.XXX/XXXX-XX) */
+    /* 49: Brazilian CNPJ (XX.XXX.XXX/XXXX-XX) */
     "[0-9]{2}\\.[0-9]{3}\\.[0-9]{3}/[0-9]{4}-[0-9]{2}",
-    /* 44: Brazilian CPF (XXX.XXX.XXX-XX) */
+    /* 50: Brazilian CPF (XXX.XXX.XXX-XX) */
     "[0-9]{3}\\.[0-9]{3}\\.[0-9]{3}-[0-9]{2}",
-    /* 45: UUID v4 / Scaleway Secret Key */
+    /* 51: UUID v4 / Scaleway Secret Key */
     "[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}",
-    /* 46: IPv4 address */
+    /* 52: IPv4 address */
     "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)",
-    /* 47: Credit card numbers (Visa, Mastercard, Amex, Discover, JCB) */
+    /* 53: Credit card numbers (Visa, Mastercard, Amex, Discover, JCB) */
     "(4[0-9]{15}|4[0-9]{12}|5[1-5][0-9]{14}|6011[0-9]{12}|65[0-9]{14}|3[47][0-9]{13}|3[068][0-9]{11}|35[0-9]{14})",
-    /* 48: Indian Aadhaar (XXXX XXXX XXXX or XXXX-XXXX-XXXX) */
+    /* 54: Indian Aadhaar (XXXX XXXX XXXX or XXXX-XXXX-XXXX) */
     "[0-9]{4}[- ][0-9]{4}[- ][0-9]{4}",
 
     /* ---- Tier 5: Letter-anchored patterns ---- */
-    /* 49: Mexican CURP (18 alphanum, distinctive structure) */
+    /* 55: Mexican CURP (18 alphanum, distinctive structure) */
     "[A-Z]{4}[0-9]{6}[HM][A-Z]{5}[A-Z0-9][0-9]",
-    /* 50: Italian CF with omocodia (16 chars) */
+    /* 56: Italian CF with omocodia (16 chars) */
     "[A-Z]{6}[0-9LMNPQRSTUV]{2}[ABCDEHLMPRST][0-9LMNPQRSTUV]{2}[A-Z][0-9LMNPQRSTUV]{3}[A-Z]",
-    /* 51: Italian CF basic (16 chars) */
+    /* 57: Italian CF basic (16 chars) */
     "[A-Z]{6}[0-9]{2}[A-Z][0-9]{2}[A-Z][0-9]{3}[A-Z]",
-    /* 52: UK National Insurance Number (AA 99 99 99 A-D) */
+    /* 58: UK National Insurance Number (AA 99 99 99 A-D) */
     "[A-Z]{2} ?[0-9]{2} ?[0-9]{2} ?[0-9]{2} ?[A-D]",
-    /* 53: Spanish NIE (X/Y/Z + 7 digits + letter) */
+    /* 59: Spanish NIE (X/Y/Z + 7 digits + letter) */
     "[XYZ][0-9]{7}[A-Z]",
-    /* 54: Passport - letter prefix + digits (e.g. AB1234567) */
+    /* 60: Passport - letter prefix + digits (e.g. AB1234567) */
     "[A-Z]{1,2}[0-9]{6,7}",
 
     /* ---- Tier 6: Boundary-wrapped structured (dash/dot/slash separated) ---- */
-    /* 55: South Korean RRN (YYMMDD-XXXXXXX, 14 chars with dash) */
+    /* 61: South Korean RRN (YYMMDD-XXXXXXX, 14 chars with dash) */
     "[0-9]{6}-[0-9]{7}",
-    /* 56: Swiss AHV Number (756.XXXX.XXXX.XX) */
+    /* 62: Swiss AHV Number (756.XXXX.XXXX.XX) */
     "756\\.[0-9]{4}\\.[0-9]{4}\\.[0-9]{2}",
-    /* 57: Finnish HETU (DDMMYY[+-A]XXXC) */
+    /* 63: Finnish HETU (DDMMYY[+-A]XXXC) */
     "[0-9]{6}[-+A][0-9]{3}[0-9A-Y]",
-    /* 58: Swedish Personnummer (YYMMDD[-+]XXXX) */
+    /* 64: Swedish Personnummer (YYMMDD[-+]XXXX) */
     "[0-9]{6}[-+][0-9]{4}",
-    /* 59: Danish CPR Number (DDMMYY-XXXX) */
+    /* 65: Danish CPR Number (DDMMYY-XXXX) */
     "[0-9]{6}-[0-9]{4}",
-    /* 60: Czech Rodné číslo (YYMMDD/XXXX or YYMMDDXXXX) */
+    /* 66: Czech Rodné číslo (YYMMDD/XXXX or YYMMDDXXXX) */
     "[0-9]{6}/?[0-9]{3,4}",
-    /* 61: US Social Security Number (XXX-XX-XXXX) */
+    /* 67: US Social Security Number (XXX-XX-XXXX) */
     "[0-9]{3}-[0-9]{2}-[0-9]{4}",
-    /* 62: US ITIN (9XX-XX-XXXX) */
+    /* 68: US ITIN (9XX-XX-XXXX) */
     "9[0-9]{2}-[0-9]{2}-[0-9]{4}",
-    /* 63: Canadian SIN (XXX-XXX-XXX) */
+    /* 69: Canadian SIN (XXX-XXX-XXX) */
     "[0-9]{3}-[0-9]{3}-[0-9]{3}",
-    /* 64: Australian TFN (XXX-XXX-XXX or XXX XXX XXX) */
+    /* 70: Australian TFN (XXX-XXX-XXX or XXX XXX XXX) */
     "[0-9]{3}[- ][0-9]{3}[- ][0-9]{3}",
-    /* 65: Indian PAN (5 letters + 4 digits + 1 letter) */
+    /* 71: Indian PAN (5 letters + 4 digits + 1 letter) */
     "[A-Z]{5}[0-9]{4}[A-Z]",
-    /* 66: Spanish DNI (8 digits + 1 letter) */
+    /* 72: Spanish DNI (8 digits + 1 letter) */
     "[0-9]{8}[A-Z]",
-    /* 67: Hungarian Tax ID (starts with 8, 10 digits) */
+    /* 73: Hungarian Tax ID (starts with 8, 10 digits) */
     "8[0-9]{9}",
 
     /* ---- Tier 7: Boundary-wrapped pure digits (longest → shortest) ---- */
-    /* 68: French NIR / Social Security (15 digits) */
+    /* 74: French NIR / Social Security (15 digits) */
     "[12][0-9]{2}[01][0-9][0-9]{2}[0-9]{3}[0-9]{3}[0-9]{2}",
-    /* 69: South African ID (13 digits) */
+    /* 75: South African ID (13 digits) */
     "[0-9]{13}",
-    /* 70: Romanian CNP (13 digits, first digit 1-8) */
+    /* 76: Romanian CNP (13 digits, first digit 1-8) */
     "[1-8][0-9]{12}",
-    /* 71: Japanese My Number (12 digits) */
+    /* 77: Japanese My Number (12 digits) */
     "[0-9]{12}",
-    /* 72: Polish PESEL (11 digits) */
+    /* 78: Polish PESEL (11 digits) */
     "[0-9]{11}",
-    /* 73: Belgian National Number (11 digits) */
+    /* 79: Belgian National Number (11 digits) */
     "[0-9]{11}",
-    /* 74: Norwegian Fødselsnummer (11 digits) */
+    /* 80: Norwegian Fødselsnummer (11 digits) */
     "[0-9]{11}",
-    /* 75: Passport - 9 consecutive digits */
+    /* 81: Passport - 9 consecutive digits */
     "[0-9]{9}",
-    /* 76: Dutch BSN (8-9 digits) */
+    /* 82: Dutch BSN (8-9 digits) */
     "[0-9]{8,9}",
-    /* 77: Austrian Abgabenkontonummer (9 digits) */
+    /* 83: Austrian Abgabenkontonummer (9 digits) */
     "[0-9]{9}",
-    /* 78: Polish PESEL duplicate */
+    /* 84: Polish PESEL duplicate */
     "[0-9]{11}"
 };

data/ext/data_redactor/patterns.h

@@ -3,7 +3,7 @@
 
 #include <regex.h>
 
-#define NUM_PATTERNS 79
+#define NUM_PATTERNS 85
 
 extern const char *pattern_strings[NUM_PATTERNS];
 extern const int   boundary_wrapped[NUM_PATTERNS];

data/lib/data_redactor/integrations/logger.rb

@@ -0,0 +1,42 @@
+require "logger"
+require "data_redactor"
+
+module DataRedactor
+  module Integrations
+    # Logger formatter that runs every log message through {DataRedactor.redact}
+    # before delegating to an inner formatter.
+    #
+    # @example Drop-in replacement for Ruby's default formatter
+    #   logger = Logger.new($stdout)
+    #   logger.formatter = DataRedactor::Integrations::Logger.new
+    #   logger.info("Auth failed for user alice@example.com")
+    #   # => "I, [...] -- : Auth failed for user [REDACTED]"
+    #
+    # @example Wrapping an existing formatter (e.g. Rails JSON logger)
+    #   logger.formatter = DataRedactor::Integrations::Logger.new(
+    #     inner: Rails.logger.formatter,
+    #     only:  [:credentials, :contact]
+    #   )
+    class Logger
+      # @param inner [#call, nil] formatter to wrap. Defaults to {::Logger::Formatter}.
+      # @param only [Symbol, String, Array, nil] forwarded to {DataRedactor.redact}.
+      # @param except [Symbol, String, Array, nil] forwarded to {DataRedactor.redact}.
+      # @param placeholder forwarded to {DataRedactor.redact}.
+      def initialize(inner: ::Logger::Formatter.new, only: nil, except: nil, placeholder: DataRedactor::PLACEHOLDER_DEFAULT)
+        @inner = inner
+        @only = only
+        @except = except
+        @placeholder = placeholder
+      end
+
+      # Formatter contract — called by Logger for every emitted line.
+      # Lets the inner formatter render whatever it likes (string, exception,
+      # arbitrary object) and scrubs the resulting line in one pass. Keeps the
+      # exception cause chain intact so downstream formatters still see it.
+      def call(severity, time, progname, msg)
+        line = @inner.call(severity, time, progname, msg)
+        DataRedactor.redact(line.to_s, only: @only, except: @except, placeholder: @placeholder)
+      end
+    end
+  end
+end

data/lib/data_redactor/integrations/rack.rb

@@ -0,0 +1,121 @@
+require "data_redactor"
+
+module DataRedactor
+  module Integrations
+    # Rack middleware that scrubs sensitive data from selectable surfaces of
+    # the response (and request headers, for downstream loggers to see scrubbed
+    # values).
+    #
+    # @example Both surfaces (default)
+    #   use DataRedactor::Integrations::Rack, scrub: [:body, :headers]
+    #
+    # @example Headers only — leave the response body untouched
+    #   use DataRedactor::Integrations::Rack, scrub: [:headers]
+    #
+    # ### Surfaces
+    #
+    # - `:body` — wraps the response body so emitted bytes pass through
+    #   {DataRedactor.redact} before reaching the client. Drops the
+    #   `Content-Length` header (the redacted body may have a different
+    #   byte length, and recomputing requires buffering).
+    # - `:headers` — scrubs response headers in place. Sensitive request
+    #   headers (`Authorization`, `Cookie`, `X-Api-Key`, etc.) are redacted in
+    #   the env hash so any downstream middleware that logs them sees scrubbed
+    #   values.
+    class Rack
+      DEFAULT_SCRUB = [:body, :headers].freeze
+
+      SENSITIVE_REQUEST_HEADERS = %w[
+        HTTP_AUTHORIZATION
+        HTTP_PROXY_AUTHORIZATION
+        HTTP_COOKIE
+        HTTP_X_API_KEY
+        HTTP_X_AUTH_TOKEN
+        HTTP_X_ACCESS_TOKEN
+      ].freeze
+
+      SENSITIVE_RESPONSE_HEADERS = %w[
+        Set-Cookie
+        Authorization
+        X-Api-Key
+        X-Auth-Token
+        X-Access-Token
+      ].freeze
+
+      # @param app [#call] the Rack app
+      # @param scrub [Array<Symbol>] which surfaces to redact. Subset of
+      #   `[:body, :headers]`. Defaults to `[:body, :headers]`.
+      # @param only forwarded to {DataRedactor.redact}
+      # @param except forwarded to {DataRedactor.redact}
+      # @param placeholder forwarded to {DataRedactor.redact}
+      def initialize(app, scrub: DEFAULT_SCRUB, only: nil, except: nil, placeholder: DataRedactor::PLACEHOLDER_DEFAULT)
+        @app = app
+        @scrub = Array(scrub).map(&:to_sym)
+        unknown = @scrub - [:body, :headers]
+        unless unknown.empty?
+          raise ArgumentError, "unknown scrub surface(s) #{unknown.inspect}; valid: [:body, :headers]"
+        end
+        @only = only
+        @except = except
+        @placeholder = placeholder
+      end
+
+      def call(env)
+        scrub_request_headers(env) if @scrub.include?(:headers)
+        status, headers, body = @app.call(env)
+        headers = scrub_response_headers(headers) if @scrub.include?(:headers)
+        if @scrub.include?(:body)
+          body, headers = wrap_body(body, headers)
+        end
+        [status, headers, body]
+      end
+
+      private
+
+      def redact(s)
+        DataRedactor.redact(s, only: @only, except: @except, placeholder: @placeholder)
+      end
+
+      def scrub_request_headers(env)
+        SENSITIVE_REQUEST_HEADERS.each do |key|
+          value = env[key]
+          env[key] = redact(value) if value.is_a?(String) && !value.empty?
+        end
+      end
+
+      def scrub_response_headers(headers)
+        # Rack 3 uses lower-case header names; Rack 2 uses Capitalized.
+        # Match case-insensitively against our known list.
+        sensitive_lc = SENSITIVE_RESPONSE_HEADERS.map(&:downcase)
+        headers.each_with_object({}) do |(key, value), out|
+          if sensitive_lc.include?(key.to_s.downcase)
+            out[key] = scrub_header_value(value)
+          else
+            out[key] = value
+          end
+        end
+      end
+
+      def scrub_header_value(value)
+        case value
+        when String then redact(value)
+        when Array  then value.map { |v| v.is_a?(String) ? redact(v) : v }
+        else value
+        end
+      end
+
+      def wrap_body(body, headers)
+        # Buffer the body, redact, return as a single-element array.
+        # Stripping Content-Length because the redacted body may differ in
+        # byte length; downstream servers will recompute or chunk-encode.
+        buffered = +""
+        body.each { |chunk| buffered << chunk.to_s }
+        body.close if body.respond_to?(:close)
+
+        scrubbed = redact(buffered)
+        new_headers = headers.reject { |k, _| k.to_s.downcase == "content-length" }
+        [[scrubbed], new_headers]
+      end
+    end
+  end
+end

data/lib/data_redactor/integrations/rails.rb

@@ -0,0 +1,38 @@
+require "data_redactor"
+
+module DataRedactor
+  module Integrations
+    # Rails `config.filter_parameters` adapter. Returns a `Proc` that Rails
+    # invokes with `(key, value)` for every leaf in the params tree; we redact
+    # the value in place when it is a String.
+    #
+    # @example
+    #   # config/initializers/filter_parameter_logging.rb
+    #   require "data_redactor/integrations/rails"
+    #   Rails.application.config.filter_parameters += [
+    #     DataRedactor::Integrations::Rails.filter
+    #   ]
+    #
+    # @example Restricting to specific tags
+    #   Rails.application.config.filter_parameters += [
+    #     DataRedactor::Integrations::Rails.filter(only: [:credentials, :financial])
+    #   ]
+    module Rails
+      module_function
+
+      # @param only forwarded to {DataRedactor.redact}
+      # @param except forwarded to {DataRedactor.redact}
+      # @param placeholder forwarded to {DataRedactor.redact}
+      # @return [Proc] a `(key, value)` proc compatible with `config.filter_parameters`
+      def filter(only: nil, except: nil, placeholder: DataRedactor::PLACEHOLDER_DEFAULT)
+        lambda do |_key, value|
+          next unless value.is_a?(String)
+          # Rails' Parameter Filter mutates the value in place. We can't
+          # reassign `value` here, so use String#replace.
+          redacted = DataRedactor.redact(value, only: only, except: except, placeholder: placeholder)
+          value.replace(redacted) if redacted != value
+        end
+      end
+    end
+  end
+end

data/lib/data_redactor/version.rb

@@ -1,4 +1,4 @@
 module DataRedactor
   # Current gem version. Follows {https://semver.org Semantic Versioning 2.0.0}.
-  VERSION = "0.6.0"
+  VERSION = "0.7.2"
 end

data/readme.md

@@ -128,7 +128,58 @@ DataRedactor.clear_custom_patterns!               # mostly for test suites
 
 **`boundary: true`** — wraps the pattern with `(^|[^0-9A-Za-z])(PATTERN)([^0-9A-Za-z]|$)` so it only fires when the token is not embedded in a longer alphanumeric string. Incompatible with patterns that contain capture groups.
 
-## Detected patterns (79 total)
+## Integrations
+
+Optional adapters for Logger, Rails, and Rack. None are loaded automatically — `require` only what you use, and the gem adds zero runtime dependencies in the gemspec.
+
+### Logger formatter
+
+Drop-in `Logger::Formatter` replacement that scrubs every emitted line:
+
+```ruby
+require "data_redactor/integrations/logger"
+
+logger = Logger.new($stdout)
+logger.formatter = DataRedactor::Integrations::Logger.new
+logger.info("Auth failed for alice@example.com")
+# => I, [...] -- : Auth failed for [REDACTED]
+```
+
+Wraps an inner formatter (defaults to `Logger::Formatter`), so it composes with structured loggers. Forwards `only:`, `except:`, `placeholder:` to `DataRedactor.redact`. Exception messages and arbitrary objects are scrubbed too — the wrapped object is passed unchanged to the inner formatter so the exception cause chain is preserved; only the rendered string is redacted.
+
+### Rails `filter_parameters` adapter
+
+```ruby
+# config/initializers/filter_parameter_logging.rb
+require "data_redactor/integrations/rails"
+
+Rails.application.config.filter_parameters += [
+  DataRedactor::Integrations::Rails.filter
+]
+```
+
+Returns a `(key, value)` proc compatible with Rails' parameter filter. String values are mutated in place via `String#replace` so Rails sees the redacted value. Non-strings are left alone. Accepts the same `only:`/`except:`/`placeholder:` kwargs.
+
+### Rack middleware
+
+```ruby
+# config.ru
+require "data_redactor/integrations/rack"
+
+use DataRedactor::Integrations::Rack, scrub: [:body, :headers]
+run MyApp
+```
+
+`scrub:` selects which surfaces to redact (default `[:body, :headers]`):
+
+- **`:body`** — buffers the response body, runs `DataRedactor.redact` over it, returns it as a single chunk. Drops the `Content-Length` header so the server recomputes (the redacted body may differ in byte length).
+- **`:headers`** — scrubs sensitive **response** headers (`Set-Cookie`, `Authorization`, `X-Api-Key`, `X-Auth-Token`, `X-Access-Token`) in place, and sensitive **request** headers (`HTTP_AUTHORIZATION`, `HTTP_PROXY_AUTHORIZATION`, `HTTP_COOKIE`, `HTTP_X_API_KEY`, `HTTP_X_AUTH_TOKEN`, `HTTP_X_ACCESS_TOKEN`) in the env hash so any downstream middleware that logs them sees redacted values.
+
+Pass an empty subset (e.g. `scrub: [:headers]`) to opt out of body wrapping. Forwards `only:`/`except:`/`placeholder:` to `DataRedactor.redact`. Unknown surfaces raise `ArgumentError` at boot.
+
+> **Body wrapping is buffering.** The middleware reads the entire response body into memory before scanning. For streaming endpoints (SSE, large file downloads, Rack::Hijack) use `scrub: [:headers]` and rely on the Logger formatter for application logs instead.
+
+## Detected patterns (85 total)
 
 The table below is a representative sample. Use `DataRedactor.pattern_names` for the canonical, machine-readable list — it stays in sync with the C extension automatically.
 
@@ -136,15 +187,22 @@ The table below is a representative sample. Use `DataRedactor.pattern_names` for
 
 | # | Pattern | Example |
 |---|---|---|
-| 0 | AWS Access Key ID | `AKIAIOSFODNN7EXAMPLE` |
-| 1 | AWS Secret Access Key | 40-character base64 string |
-| 5 | Google API Key | `AIzaSyXXXX...` |
-| 6 | GitHub Personal Access Token | `github_pat_XXXX...` |
-| 7 | Slack Webhook URL | `https://hooks.slack.com/services/T.../B.../...` |
-| 8 | Stripe Secret Key | `sk_live_XXXX...` |
-| 9 | PEM Private Key header | `-----BEGIN RSA PRIVATE KEY-----` |
-| 13 | Scaleway Access Key | `SCW12345ABCDE6789FGHIJ` |
-| 14 | UUID v4 / Scaleway Secret Key | `550e8400-e29b-41d4-a716-446655440000` |
+| — | AWS Access Key ID | `AKIAIOSFODNN7EXAMPLE` |
+| — | AWS Secret Access Key | 40-character base64 string |
+| — | Google API Key | `AIzaSyXXXX...` |
+| — | GitHub Personal Access Token | `github_pat_XXXX...` |
+| — | GitHub Classic PAT / OAuth | `ghp_XXXX...` / `gho_XXXX...` |
+| — | Slack Webhook URL | `https://hooks.slack.com/services/T.../B.../...` |
+| — | Stripe Secret Key | `sk_live_XXXX...` |
+| — | Anthropic API Key | `sk-ant-api03-XXXX...` |
+| — | OpenAI Project API Key | `sk-proj-XXXX...` |
+| — | GitLab Personal Access Token | `glpat-XXXX...` |
+| — | DigitalOcean PAT | `dop_v1_XXXX...` |
+| — | Databricks API Token | `dapiXXXX...` |
+| — | Sentry DSN | `https://KEY@oNNN.ingest.sentry.io/PID` |
+| — | PEM Private Key header | `-----BEGIN RSA PRIVATE KEY-----` |
+| — | Scaleway Access Key | `SCW12345ABCDE6789FGHIJ` |
+| — | UUID v4 / Scaleway Secret Key | `550e8400-e29b-41d4-a716-446655440000` |
 
 ### Travel documents
 
@@ -236,16 +294,46 @@ redactor/
 ## Requirements
 
 - Ruby >= 2.7
-- A C compiler (`gcc` or `clang`)
-- POSIX `regex.h` (standard on Linux and macOS)
+- A C compiler (`gcc` or `clang`) — only required when installing the source gem
+- POSIX `regex.h` — only required when installing the source gem (standard on Linux and macOS)
+
+## Installation
 
-## Setup
+```ruby
+# Gemfile
+gem "data_redactor"
+```
 
 ```bash
 bundle install
 ```
 
-## Compile the C extension
+That's it — there is nothing extra to configure for precompiled binaries. Bundler/RubyGems looks at your platform and Ruby version and picks the right gem automatically.
+
+### What you'll see
+
+- **On a supported platform** (Linux glibc/musl, macOS Intel/ARM): bundler downloads a precompiled gem with the C extension already built. Install is near-instant — **no compiler, no `make`, no `regex.h` headers needed**. Especially valuable in slim Docker images (`ruby:3.x-alpine`, `ruby:3.x-slim`) that don't ship `gcc`.
+- **On any other platform** (FreeBSD, OpenBSD, etc.): bundler downloads the source gem and compiles the C extension on install — the same behavior as before 0.7.1. You'll need a C compiler and POSIX `regex.h` available.
+
+### Supported precompiled targets
+
+Each precompiled gem ships compiled binaries for Ruby 3.1, 3.2, 3.3, and 3.4.
+
+| Platform | Targets |
+|---|---|
+| Linux (glibc) | `x86_64-linux`, `aarch64-linux` |
+| Linux (musl / Alpine) | `x86_64-linux-musl`, `aarch64-linux-musl` |
+| macOS | `x86_64-darwin` (Intel), `arm64-darwin` (Apple Silicon) |
+
+### Bundler-locked deploys
+
+If your `Gemfile.lock` was generated on one platform but you deploy to another, run `bundle lock --add-platform <target>` so bundler resolves the right native gem at deploy time. Example for Alpine deploys built from a glibc dev box:
+
+```bash
+bundle lock --add-platform x86_64-linux-musl aarch64-linux-musl
+```
+
+## Compile the C extension (source / development install only)
 
 ```bash
 bundle exec rake compile
@@ -253,6 +341,16 @@ bundle exec rake compile
 
 This runs `extconf.rb` via `rake-compiler`, which generates a `Makefile` and compiles `data_redactor.c` into a `.so` shared library placed under `lib/data_redactor/`.
 
+## Building precompiled gems locally
+
+Maintainers can rebuild the full set of native gems with one command (requires Docker):
+
+```bash
+bundle exec rake gem:all
+```
+
+This invokes `rake-compiler-dock` to cross-compile every supported (platform × Ruby ABI) combination. Output lands in `pkg/`.
+
 ## Run the tests
 
 ```bash
@@ -267,7 +365,7 @@ bundle exec rake
 
 ## How it works
 
-1. At load time, `Init_data_redactor` compiles all 79 regex patterns once using `regcomp` (POSIX ERE) and stores them as static `regex_t` structs. Patterns marked as boundary-wrapped are expanded with `wrap_boundary()` before compilation.
+1. At load time, `Init_data_redactor` compiles all 85 regex patterns once using `regcomp` (POSIX ERE) and stores them as static `regex_t` structs. Patterns marked as boundary-wrapped are expanded with `wrap_boundary()` before compilation.
 2. `DataRedactor.redact(text)` receives a Ruby `String`, converts it to a C `char*` via `StringValueCStr`, and runs each compiled pattern in sequence on a working buffer.
 3. For each pattern, `replace_all_matches` iterates using `regexec`, copies non-matching segments to a fresh output buffer, and inserts `[REDACTED]` in place of each match. For boundary-wrapped patterns, `regexec` is called with `nmatch=4` and sub-match groups `[1]`/`[3]` identify the boundary characters so they are preserved verbatim.
 4. The output buffer is grown with `realloc` as needed. After all patterns are applied the result is returned as a Ruby `String` via `rb_str_new_cstr`. All intermediate `malloc`/`strdup` allocations are explicitly `free`d.

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: data_redactor
 version: !ruby/object:Gem::Version
-  version: 0.6.0
+  version: 0.7.2
 platform: ruby
 authors:
 - Daniele Frisanco
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-05-08 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake-compiler
@@ -24,6 +23,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: rake-compiler-dock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -52,10 +65,25 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.9'
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.0'
 description: A Ruby gem with a C extension for high-performance scanning and redaction
-  of 79 sensitive patterns — API keys, tokens, credentials, IBANs, national IDs, emails,
-  phone numbers, and PII from 15+ countries. Designed to sanitize text before sending
-  to LLMs, logging systems, or any public/third-party API.
+  of 85 sensitive patterns — API keys, tokens, credentials, IBANs, national IDs, emails,
+  phone numbers, and PII from 15+ countries. Optional Logger formatter, Rails filter_parameters
+  adapter, and Rack middleware. Designed to sanitize text before sending to LLMs,
+  logging systems, or any public/third-party API.
 email:
 - daniele.frisanco@gmail.com
 executables: []
@@ -79,6 +107,9 @@ files:
 - ext/data_redactor/scan.h
 - ext/data_redactor/tags.h
 - lib/data_redactor.rb
+- lib/data_redactor/integrations/logger.rb
+- lib/data_redactor/integrations/rack.rb
+- lib/data_redactor/integrations/rails.rb
 - lib/data_redactor/version.rb
 - readme.md
 homepage: https://github.com/danielefrisanco/data_redactor
@@ -90,7 +121,6 @@ metadata:
   changelog_uri: https://github.com/danielefrisanco/data_redactor/blob/main/CHANGELOG.md
   bug_tracker_uri: https://github.com/danielefrisanco/data_redactor/issues
   rubygems_mfa_required: 'true'
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -105,8 +135,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.22
-signing_key:
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Redact PII and secrets from strings before sending to AI or external services
 test_files: []