data_redactor 0.7.0 → 0.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 136d8a6bfac2c1caf2f7628a23d5afb17a7afa8a5edb2346f836d007c3f65625
-  data.tar.gz: 3df79f171c3e36c0c69192a69d20d020fbb5d84b3a214a5cd7de15f5302e2141
+  metadata.gz: aae84ce43ab8d2ad6751ade655397480057d687bdff7a6b857ee2821dffeb91b
+  data.tar.gz: 6e01ebe9d76e64ac3a93c31f14f7089ddaff4645e0819dec675d7585e37c4078
 SHA512:
-  metadata.gz: a281c6884c6e748ade3fe9b5c4528fe342105e67963335f02dcda94f5692d39a5d759b6e3a0cc08b88eebae1af00bd19f830accd248329e675a39f7d7c16f4c5
-  data.tar.gz: 2f474edbc67f02a0558ceb3bd8c76a250c9e0d86be29c6dd5ebe542388a7c01f593450df77f9f0714c92c52becafb6002fbc27c8c379a2db1fb56d55fcedd3ff
+  metadata.gz: a80b34b6e35fdf97cca2d9fecf1cb136b0e0c676ca1e3080c3680aaeb41b442cb2400c371e38417703910fc023ad01a3cf61f2f4a8f8dc5d4bd681174420d2b4
+  data.tar.gz: 4dbf049d027385c21a721044ac6651f4b24b33500af98a0c4c88d7860c06eb2721ea5aab4b8793f6fcd5614cac0cc645c1f67e73b5ebf8d7ff04ead58b67a244

data/CHANGELOG.md

@@ -7,6 +7,70 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+- `DataRedactor.redact_deep(data, only:, except:, placeholder:)` — recursively redacts every String value in a nested Hash/Array structure. Non-string scalars (Integer, Float, nil, Boolean) and Hash keys are passed through unchanged. Returns a deep copy; never mutates the input. Raises `ArgumentError` on circular references.
+- `DataRedactor.redact_json(json_string, only:, except:, placeholder:)` — parses JSON, redacts via `redact_deep`, and returns valid JSON. Raises `JSON::ParserError` on invalid input.
+- HashiCorp Vault service tokens (`hvs.` prefix, 90–120 chars) — pattern `hashicorp_vault_service_token`
+- HashiCorp Vault batch tokens (`hvb.` prefix, 138–300 chars) — pattern `hashicorp_vault_batch_token`
+- HashiCorp Terraform Cloud API tokens (`<14-char-id>.atlasv1.<token>`) — pattern `hashicorp_terraform_api_token`
+
+All three HashiCorp patterns are tagged `:credentials` and do not require word-boundary wrapping (distinctive prefixes eliminate false positives).
+
+## [0.7.2] - 2026-05-09
+
+**Supersedes 0.7.1, which has been yanked from RubyGems.**
+
+0.7.1 had a release pipeline bug: the source gem and the precompiled native
+gems were published by two independent workflows, with no gating between
+them. When the native-binary builds failed (`oxidize-rb/actions/cross-gem`
+couldn't pull `rbsys/aarch64-linux:0.9.128` from Docker Hub), the source
+gem still published — leaving users with release notes that promised
+precompiled binaries that didn't exist on RubyGems. 0.7.2 ships the same
+features as 0.7.1 plus the pipeline fix.
+
+### Changed
+- **Atomic release pipeline.** Source-gem publishing moved out of `ci.yml`
+  and into `release-binaries.yml`, alongside the native-gem builds. The
+  publish job now `needs: [build-source, build-native]`; if any native
+  platform fails to build, **nothing publishes**. This guarantees the
+  RubyGems release matches what the GitHub release notes promise.
+- **Direct `rake-compiler-dock` invocation in CI** instead of the
+  `oxidize-rb/actions/cross-gem` action. Same code path as `rake gem:all`
+  locally and the existing PR-time smoke test in `ci.yml`. Uses
+  `ghcr.io/rake-compiler/*` images (no Docker Hub rate limits).
+
+### Fixed
+- All 6 precompiled native gems now actually publish on release — the
+  `aarch64-linux` variant in particular was previously failing.
+
+### Documentation
+- README installation section rewritten around the user's question
+  ("what changes for me?"). Adds explicit Docker / Alpine guidance and a
+  heads-up about `bundle lock --add-platform` for cross-platform deploys.
+
+## [0.7.1] - 2026-05-09 [YANKED]
+
+### Added
+- **Precompiled native gems** for the most common platforms — installing
+  `data_redactor` no longer requires a C toolchain on these targets:
+  - `x86_64-linux`, `aarch64-linux` (glibc)
+  - `x86_64-linux-musl`, `aarch64-linux-musl` (Alpine)
+  - `x86_64-darwin`, `arm64-darwin` (macOS Intel + Apple Silicon)
+  Each native gem ships compiled `.so` files for Ruby 3.1, 3.2, 3.3, and 3.4.
+  Bundler/RubyGems automatically picks the right gem for the host; users on
+  any other platform fall back to the source gem and compile as before.
+- `rake gem:all` task — builds every native gem locally via `rake-compiler-dock`
+  (requires Docker). Single command to regenerate the full release matrix.
+- `.github/workflows/release-binaries.yml` — builds & publishes all native
+  gems on every GitHub release. Also exposes `workflow_dispatch` so a
+  maintainer can rebuild any past release without cutting a new tag.
+
+### Changed
+- CI test matrix now includes Ruby 3.4 in addition to 3.1, 3.2, 3.3.
+- Gemspec: added `rake-compiler-dock` as a development dependency. Source-only
+  gem size is unchanged — native gems strip `ext/` and the `extconf.rb`
+  extension hook so they only carry the prebuilt `.so` files.
+
 ## [0.7.0] - 2026-05-08
 
 ### Added
@@ -106,7 +170,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - `DataRedactor.redact(text)` module function returning the input with every match replaced by `[REDACTED]`.
 - RSpec suite with one example per pattern.
 
-[Unreleased]: https://github.com/danielefrisanco/data_redactor/compare/v0.7.0...HEAD
+[Unreleased]: https://github.com/danielefrisanco/data_redactor/compare/v0.7.2...HEAD
+[0.7.2]: https://github.com/danielefrisanco/data_redactor/compare/v0.7.1...v0.7.2
+[0.7.1]: https://github.com/danielefrisanco/data_redactor/compare/v0.7.0...v0.7.1
 [0.7.0]: https://github.com/danielefrisanco/data_redactor/compare/v0.6.1...v0.7.0
 [0.6.1]: https://github.com/danielefrisanco/data_redactor/compare/v0.6.0...v0.6.1
 [0.6.0]: https://github.com/danielefrisanco/data_redactor/compare/v0.5.0...v0.6.0

data/ext/data_redactor/patterns.c

@@ -56,67 +56,70 @@ const int boundary_wrapped[NUM_PATTERNS] = {
     0, /* 26: Scaleway Access Key */
     0, /* 27: PEM private key header (generic) */
     0, /* 28: GPG Private Key Block */
+    0, /* 29: HashiCorp Vault Service Token (hvs.) */
+    0, /* 30: HashiCorp Vault Batch Token (hvb.) */
+    0, /* 31: HashiCorp Terraform Cloud API Token (atlasv1) */
     /* ---- Tier 3: IBANs (longest → shortest) ---- */
-    0, /* 29: Hungary IBAN (28 chars) */
-    0, /* 30: Poland IBAN (28 chars) */
-    0, /* 31: France IBAN (27 chars) */
-    0, /* 32: Italy IBAN (27 chars) */
-    0, /* 33: Portugal IBAN (25 chars) */
-    0, /* 34: Spain IBAN (24 chars) */
-    0, /* 35: Czechia IBAN (24 chars) */
-    0, /* 36: Romania IBAN (24 chars) */
-    0, /* 37: Sweden IBAN (24 chars) */
-    0, /* 38: Germany IBAN (22 chars) */
-    0, /* 39: Ireland IBAN (22 chars) */
-    0, /* 40: Switzerland IBAN (21 chars) */
-    0, /* 41: Austria IBAN (20 chars) */
-    0, /* 42: Netherlands IBAN (18 chars) */
-    0, /* 43: Denmark IBAN (18 chars) */
-    0, /* 44: Finland IBAN (18 chars) */
-    0, /* 45: Belgium IBAN (16 chars) */
-    0, /* 46: Norway IBAN (15 chars) */
+    0, /* 32: Hungary IBAN (28 chars) */
+    0, /* 33: Poland IBAN (28 chars) */
+    0, /* 34: France IBAN (27 chars) */
+    0, /* 35: Italy IBAN (27 chars) */
+    0, /* 36: Portugal IBAN (25 chars) */
+    0, /* 37: Spain IBAN (24 chars) */
+    0, /* 38: Czechia IBAN (24 chars) */
+    0, /* 39: Romania IBAN (24 chars) */
+    0, /* 40: Sweden IBAN (24 chars) */
+    0, /* 41: Germany IBAN (22 chars) */
+    0, /* 42: Ireland IBAN (22 chars) */
+    0, /* 43: Switzerland IBAN (21 chars) */
+    0, /* 44: Austria IBAN (20 chars) */
+    0, /* 45: Netherlands IBAN (18 chars) */
+    0, /* 46: Denmark IBAN (18 chars) */
+    0, /* 47: Finland IBAN (18 chars) */
+    0, /* 48: Belgium IBAN (16 chars) */
+    0, /* 49: Norway IBAN (15 chars) */
     /* ---- Tier 4: Structured formats (dots, dashes, slashes, @) ---- */
-    0, /* 47: Email Address */
-    0, /* 48: International Phone Number */
-    0, /* 49: Brazilian CNPJ (XX.XXX.XXX/XXXX-XX) */
-    0, /* 50: Brazilian CPF (XXX.XXX.XXX-XX) */
-    0, /* 51: UUID v4 */
-    0, /* 52: IPv4 address */
-    0, /* 53: Credit card numbers */
-    0, /* 54: Indian Aadhaar (XXXX XXXX XXXX) */
+    0, /* 50: Email Address */
+    0, /* 51: International Phone Number */
+    0, /* 52: Brazilian CNPJ (XX.XXX.XXX/XXXX-XX) */
+    0, /* 53: Brazilian CPF (XXX.XXX.XXX-XX) */
+    0, /* 54: UUID v4 */
+    0, /* 55: IPv4 address */
+    0, /* 56: Credit card numbers */
+    0, /* 57: Indian Aadhaar (XXXX XXXX XXXX) */
     /* ---- Tier 5: Letter-anchored patterns ---- */
-    0, /* 55: Mexican CURP (18 alphanum, distinctive structure) */
-    0, /* 56: Italian CF with omocodia (16 chars) */
-    0, /* 57: Italian CF basic (16 chars) */
-    0, /* 58: UK National Insurance Number */
-    0, /* 59: Spanish NIE (X/Y/Z prefix) */
-    0, /* 60: Passport letter prefix + digits */
+    0, /* 58: Mexican CURP (18 alphanum, distinctive structure) */
+    0, /* 59: Italian CF with omocodia (16 chars) */
+    0, /* 60: Italian CF basic (16 chars) */
+    0, /* 61: UK National Insurance Number */
+    0, /* 62: Spanish NIE (X/Y/Z prefix) */
+    0, /* 63: Passport letter prefix + digits */
     /* ---- Tier 6: Boundary-wrapped structured (dash/dot/slash separated) ---- */
-    1, /* 61: South Korean RRN (YYMMDD-XXXXXXX, 14 chars) */
-    1, /* 62: Swiss AHV Number (756.XXXX.XXXX.XX) */
-    1, /* 63: Finnish HETU (DDMMYY[+-A]XXXC) */
-    1, /* 64: Swedish Personnummer (YYMMDD[-+]XXXX) */
-    1, /* 65: Danish CPR Number (DDMMYY-XXXX) */
-    1, /* 66: Czech Rodné číslo (YYMMDD/XXXX) */
-    1, /* 67: US Social Security Number (XXX-XX-XXXX) */
-    1, /* 68: US ITIN (9XX-XX-XXXX) */
-    1, /* 69: Canadian SIN (XXX-XXX-XXX) */
-    1, /* 70: Australian TFN (XXX-XXX-XXX) */
-    1, /* 71: Indian PAN (AAAAA0000A) */
-    1, /* 72: Spanish DNI (8 digits + letter) */
-    1, /* 73: Hungarian Tax ID (8XXXXXXXXX, 10 digits) */
+    1, /* 64: South Korean RRN (YYMMDD-XXXXXXX, 14 chars) */
+    1, /* 65: Swiss AHV Number (756.XXXX.XXXX.XX) */
+    1, /* 66: Finnish HETU (DDMMYY[+-A]XXXC) */
+    1, /* 67: Swedish Personnummer (YYMMDD[-+]XXXX) */
+    1, /* 68: Danish CPR Number (DDMMYY-XXXX) */
+    1, /* 69: Czech Rodné číslo (YYMMDD/XXXX) */
+    1, /* 70: US Social Security Number (XXX-XX-XXXX) */
+    1, /* 71: US ITIN (9XX-XX-XXXX) */
+    1, /* 72: Canadian SIN (XXX-XXX-XXX) */
+    1, /* 73: Australian TFN (XXX-XXX-XXX) */
+    1, /* 74: Indian PAN (AAAAA0000A) */
+    1, /* 75: Spanish DNI (8 digits + letter) */
+    1, /* 76: Hungarian Tax ID (8XXXXXXXXX, 10 digits) */
     /* ---- Tier 7: Boundary-wrapped pure digits (longest → shortest) ---- */
-    1, /* 74: French NIR (15 digits) */
-    1, /* 75: South African ID (13 digits) */
-    1, /* 76: Romanian CNP (13 digits) */
-    1, /* 77: Japanese My Number (12 digits) */
-    1, /* 78: Polish PESEL (11 digits) */
-    1, /* 79: Belgian National Number (11 digits) */
-    1, /* 80: Norwegian Fødselsnummer (11 digits) */
-    1, /* 81: Passport 9 digits */
-    1, /* 82: Dutch BSN (8-9 digits) */
-    1, /* 83: Austrian Abgabenkontonummer (9 digits) */
-    1  /* 84: Polish PESEL duplicate */
+    1, /* 77: French NIR (15 digits) */
+    1, /* 78: South African ID (13 digits) */
+    1, /* 79: Romanian CNP (13 digits) */
+    1, /* 80: Japanese My Number (12 digits) */
+    1, /* 81: Polish PESEL (11 digits) */
+    1, /* 82: Belgian National Number (11 digits) */
+    1, /* 83: Norwegian Fødselsnummer (11 digits) */
+    1, /* 84: Passport 9 digits */
+    1, /* 85: Dutch BSN (8-9 digits) */
+    1, /* 86: Austrian Abgabenkontonummer (9 digits) */
+    1  /* 87: Polish PESEL duplicate */
 };
 
 /*
@@ -124,56 +127,57 @@ const int boundary_wrapped[NUM_PATTERNS] = {
  * patterns run when the caller passes a mask (only/except).
  */
 const int pattern_tags[NUM_PATTERNS] = {
-    /* 0-28: secrets, API keys, tokens, private keys, webhooks */
+    /* 0-31: secrets, API keys, tokens, private keys, webhooks */
     TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS,
     TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS,
     TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS,
     TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS,
     TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS,
     TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS,
-    /* 29-46: IBANs */
+    TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS,
+    /* 32-49: IBANs */
     TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL,
     TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL,
     TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL,
     TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL,
-    TAG_CONTACT,      /* 47: email */
-    TAG_CONTACT,      /* 48: phone */
-    TAG_TAX_ID,       /* 49: Brazilian CNPJ */
-    TAG_TAX_ID,       /* 50: Brazilian CPF */
-    TAG_OTHER,        /* 51: UUID v4 */
-    TAG_NETWORK,      /* 52: IPv4 */
-    TAG_FINANCIAL,    /* 53: credit card */
-    TAG_NATIONAL_ID,  /* 54: Indian Aadhaar */
-    TAG_NATIONAL_ID,  /* 55: Mexican CURP */
-    TAG_TAX_ID,       /* 56: Italian CF (omocodia) */
-    TAG_TAX_ID,       /* 57: Italian CF (basic) */
-    TAG_NATIONAL_ID,  /* 58: UK NIN */
-    TAG_NATIONAL_ID,  /* 59: Spanish NIE */
-    TAG_TRAVEL,       /* 60: passport letter prefix */
-    TAG_NATIONAL_ID,  /* 61: Korean RRN */
-    TAG_NATIONAL_ID,  /* 62: Swiss AHV */
-    TAG_NATIONAL_ID,  /* 63: Finnish HETU */
-    TAG_NATIONAL_ID,  /* 64: Swedish Personnummer */
-    TAG_NATIONAL_ID,  /* 65: Danish CPR */
-    TAG_NATIONAL_ID,  /* 66: Czech Rodné číslo */
-    TAG_NATIONAL_ID,  /* 67: US SSN */
-    TAG_TAX_ID,       /* 68: US ITIN */
-    TAG_NATIONAL_ID,  /* 69: Canadian SIN */
-    TAG_TAX_ID,       /* 70: Australian TFN */
-    TAG_TAX_ID,       /* 71: Indian PAN */
-    TAG_NATIONAL_ID,  /* 72: Spanish DNI */
-    TAG_TAX_ID,       /* 73: Hungarian Tax ID */
-    TAG_NATIONAL_ID,  /* 74: French NIR */
-    TAG_NATIONAL_ID,  /* 75: South African ID */
-    TAG_NATIONAL_ID,  /* 76: Romanian CNP */
-    TAG_TAX_ID,       /* 77: Japanese My Number */
-    TAG_NATIONAL_ID,  /* 78: Polish PESEL */
-    TAG_NATIONAL_ID,  /* 79: Belgian National Number */
-    TAG_NATIONAL_ID,  /* 80: Norwegian Fødselsnummer */
-    TAG_TRAVEL,       /* 81: passport 9 digits */
-    TAG_NATIONAL_ID,  /* 82: Dutch BSN */
-    TAG_TAX_ID,       /* 83: Austrian Abgabenkontonummer */
-    TAG_NATIONAL_ID   /* 84: Polish PESEL duplicate */
+    TAG_CONTACT,      /* 50: email */
+    TAG_CONTACT,      /* 51: phone */
+    TAG_TAX_ID,       /* 52: Brazilian CNPJ */
+    TAG_TAX_ID,       /* 53: Brazilian CPF */
+    TAG_OTHER,        /* 54: UUID v4 */
+    TAG_NETWORK,      /* 55: IPv4 */
+    TAG_FINANCIAL,    /* 56: credit card */
+    TAG_NATIONAL_ID,  /* 57: Indian Aadhaar */
+    TAG_NATIONAL_ID,  /* 58: Mexican CURP */
+    TAG_TAX_ID,       /* 59: Italian CF (omocodia) */
+    TAG_TAX_ID,       /* 60: Italian CF (basic) */
+    TAG_NATIONAL_ID,  /* 61: UK NIN */
+    TAG_NATIONAL_ID,  /* 62: Spanish NIE */
+    TAG_TRAVEL,       /* 63: passport letter prefix */
+    TAG_NATIONAL_ID,  /* 64: Korean RRN */
+    TAG_NATIONAL_ID,  /* 65: Swiss AHV */
+    TAG_NATIONAL_ID,  /* 66: Finnish HETU */
+    TAG_NATIONAL_ID,  /* 67: Swedish Personnummer */
+    TAG_NATIONAL_ID,  /* 68: Danish CPR */
+    TAG_NATIONAL_ID,  /* 69: Czech Rodné číslo */
+    TAG_NATIONAL_ID,  /* 70: US SSN */
+    TAG_TAX_ID,       /* 71: US ITIN */
+    TAG_NATIONAL_ID,  /* 72: Canadian SIN */
+    TAG_TAX_ID,       /* 73: Australian TFN */
+    TAG_TAX_ID,       /* 74: Indian PAN */
+    TAG_NATIONAL_ID,  /* 75: Spanish DNI */
+    TAG_TAX_ID,       /* 76: Hungarian Tax ID */
+    TAG_NATIONAL_ID,  /* 77: French NIR */
+    TAG_NATIONAL_ID,  /* 78: South African ID */
+    TAG_NATIONAL_ID,  /* 79: Romanian CNP */
+    TAG_TAX_ID,       /* 80: Japanese My Number */
+    TAG_NATIONAL_ID,  /* 81: Polish PESEL */
+    TAG_NATIONAL_ID,  /* 82: Belgian National Number */
+    TAG_NATIONAL_ID,  /* 83: Norwegian Fødselsnummer */
+    TAG_TRAVEL,       /* 84: passport 9 digits */
+    TAG_NATIONAL_ID,  /* 85: Dutch BSN */
+    TAG_TAX_ID,       /* 86: Austrian Abgabenkontonummer */
+    TAG_NATIONAL_ID   /* 87: Polish PESEL duplicate */
 };
 
 const char *pattern_names[NUM_PATTERNS] = {
@@ -206,62 +210,65 @@ const char *pattern_names[NUM_PATTERNS] = {
     "scaleway_access_key",           /* 26 */
     "pem_private_key",               /* 27 */
     "gpg_private_key",               /* 28 */
-    "iban_hu",                       /* 29 */
-    "iban_pl",                       /* 30 */
-    "iban_fr",                       /* 31 */
-    "iban_it",                       /* 32 */
-    "iban_pt",                       /* 33 */
-    "iban_es",                       /* 34 */
-    "iban_cz",                       /* 35 */
-    "iban_ro",                       /* 36 */
-    "iban_se",                       /* 37 */
-    "iban_de",                       /* 38 */
-    "iban_ie",                       /* 39 */
-    "iban_ch",                       /* 40 */
-    "iban_at",                       /* 41 */
-    "iban_nl",                       /* 42 */
-    "iban_dk",                       /* 43 */
-    "iban_fi",                       /* 44 */
-    "iban_be",                       /* 45 */
-    "iban_no",                       /* 46 */
-    "email",                         /* 47 */
-    "phone_e164",                    /* 48 */
-    "brazilian_cnpj",                /* 49 */
-    "brazilian_cpf",                 /* 50 */
-    "uuid_v4",                       /* 51 */
-    "ipv4",                          /* 52 */
-    "credit_card",                   /* 53 */
-    "indian_aadhaar",                /* 54 */
-    "mexican_curp",                  /* 55 */
-    "italian_cf_omocodia",           /* 56 */
-    "italian_cf",                    /* 57 */
-    "uk_nin",                        /* 58 */
-    "spanish_nie",                   /* 59 */
-    "passport_letter_prefix",        /* 60 */
-    "korean_rrn",                    /* 61 */
-    "swiss_ahv",                     /* 62 */
-    "finnish_hetu",                  /* 63 */
-    "swedish_personnummer",          /* 64 */
-    "danish_cpr",                    /* 65 */
-    "czech_rodne_cislo",             /* 66 */
-    "us_ssn",                        /* 67 */
-    "us_itin",                       /* 68 */
-    "canadian_sin",                  /* 69 */
-    "australian_tfn",                /* 70 */
-    "indian_pan",                    /* 71 */
-    "spanish_dni",                   /* 72 */
-    "hungarian_tax_id",              /* 73 */
-    "french_nir",                    /* 74 */
-    "south_african_id",              /* 75 */
-    "romanian_cnp",                  /* 76 */
-    "japanese_my_number",            /* 77 */
-    "polish_pesel",                  /* 78 */
-    "belgian_national_number",       /* 79 */
-    "norwegian_fodselsnummer",       /* 80 */
-    "passport_9digits",              /* 81 */
-    "dutch_bsn",                     /* 82 */
-    "austrian_abgabenkontonummer",   /* 83 */
-    "polish_pesel_2"                 /* 84 */
+    "hashicorp_vault_service_token", /* 29 */
+    "hashicorp_vault_batch_token",   /* 30 */
+    "hashicorp_terraform_api_token", /* 31 */
+    "iban_hu",                       /* 32 */
+    "iban_pl",                       /* 33 */
+    "iban_fr",                       /* 34 */
+    "iban_it",                       /* 35 */
+    "iban_pt",                       /* 36 */
+    "iban_es",                       /* 37 */
+    "iban_cz",                       /* 38 */
+    "iban_ro",                       /* 39 */
+    "iban_se",                       /* 40 */
+    "iban_de",                       /* 41 */
+    "iban_ie",                       /* 42 */
+    "iban_ch",                       /* 43 */
+    "iban_at",                       /* 44 */
+    "iban_nl",                       /* 45 */
+    "iban_dk",                       /* 46 */
+    "iban_fi",                       /* 47 */
+    "iban_be",                       /* 48 */
+    "iban_no",                       /* 49 */
+    "email",                         /* 50 */
+    "phone_e164",                    /* 51 */
+    "brazilian_cnpj",                /* 52 */
+    "brazilian_cpf",                 /* 53 */
+    "uuid_v4",                       /* 54 */
+    "ipv4",                          /* 55 */
+    "credit_card",                   /* 56 */
+    "indian_aadhaar",                /* 57 */
+    "mexican_curp",                  /* 58 */
+    "italian_cf_omocodia",           /* 59 */
+    "italian_cf",                    /* 60 */
+    "uk_nin",                        /* 61 */
+    "spanish_nie",                   /* 62 */
+    "passport_letter_prefix",        /* 63 */
+    "korean_rrn",                    /* 64 */
+    "swiss_ahv",                     /* 65 */
+    "finnish_hetu",                  /* 66 */
+    "swedish_personnummer",          /* 67 */
+    "danish_cpr",                    /* 68 */
+    "czech_rodne_cislo",             /* 69 */
+    "us_ssn",                        /* 70 */
+    "us_itin",                       /* 71 */
+    "canadian_sin",                  /* 72 */
+    "australian_tfn",                /* 73 */
+    "indian_pan",                    /* 74 */
+    "spanish_dni",                   /* 75 */
+    "hungarian_tax_id",              /* 76 */
+    "french_nir",                    /* 77 */
+    "south_african_id",              /* 78 */
+    "romanian_cnp",                  /* 79 */
+    "japanese_my_number",            /* 80 */
+    "polish_pesel",                  /* 81 */
+    "belgian_national_number",       /* 82 */
+    "norwegian_fodselsnummer",       /* 83 */
+    "passport_9digits",              /* 84 */
+    "dutch_bsn",                     /* 85 */
+    "austrian_abgabenkontonummer",   /* 86 */
+    "polish_pesel_2"                 /* 87 */
 };
 
 /*
@@ -330,126 +337,132 @@ const char *pattern_strings[NUM_PATTERNS] = {
     "-----BEGIN [A-Z ]*PRIVATE KEY-----",
     /* 28: GPG Private Key Block */
     "-----BEGIN PGP PRIVATE KEY BLOCK-----",
+    /* 29: HashiCorp Vault Service Token (hvs. + 90-120 base64url chars) */
+    "hvs\\.[A-Za-z0-9_-]{90,120}",
+    /* 30: HashiCorp Vault Batch Token (hvb. + 138-300 base64url chars) */
+    "hvb\\.[A-Za-z0-9_-]{138,300}",
+    /* 31: HashiCorp Terraform Cloud API Token (14 alphanum + .atlasv1. + 60-70 base64url chars) */
+    "[A-Za-z0-9]{14}\\.atlasv1\\.[A-Za-z0-9_=-]{60,70}",
 
     /* ---- Tier 3: IBANs (longest → shortest) ---- */
-    /* 29: Hungary IBAN (HU, 28 chars) */
+    /* 32: Hungary IBAN (HU, 28 chars) */
     "HU[0-9]{2}[0-9]{24}",
-    /* 30: Poland IBAN (PL, 28 chars) */
+    /* 33: Poland IBAN (PL, 28 chars) */
     "PL[0-9]{2}[0-9]{24}",
-    /* 31: France IBAN (FR, 27 chars) */
+    /* 34: France IBAN (FR, 27 chars) */
     "FR[0-9]{2}[0-9]{10}[A-Z0-9]{11}[0-9]{2}",
-    /* 32: Italy IBAN (IT, 27 chars) */
+    /* 35: Italy IBAN (IT, 27 chars) */
     "IT[0-9]{2}[A-Z][0-9]{10}[A-Z0-9]{12}",
-    /* 33: Portugal IBAN (PT, 25 chars) */
+    /* 36: Portugal IBAN (PT, 25 chars) */
     "PT[0-9]{2}[0-9]{21}",
-    /* 34: Spain IBAN (ES, 24 chars) */
+    /* 37: Spain IBAN (ES, 24 chars) */
     "ES[0-9]{2}[0-9]{20}",
-    /* 35: Czechia IBAN (CZ, 24 chars) */
+    /* 38: Czechia IBAN (CZ, 24 chars) */
     "CZ[0-9]{2}[0-9]{20}",
-    /* 36: Romania IBAN (RO, 24 chars) */
+    /* 39: Romania IBAN (RO, 24 chars) */
     "RO[0-9]{2}[A-Z]{4}[A-Z0-9]{16}",
-    /* 37: Sweden IBAN (SE, 24 chars) */
+    /* 40: Sweden IBAN (SE, 24 chars) */
     "SE[0-9]{2}[0-9]{20}",
-    /* 38: Germany IBAN (DE, 22 chars) */
+    /* 41: Germany IBAN (DE, 22 chars) */
     "DE[0-9]{2}[0-9]{18}",
-    /* 39: Ireland IBAN (IE, 22 chars) */
+    /* 42: Ireland IBAN (IE, 22 chars) */
     "IE[0-9]{2}[A-Z]{4}[0-9]{14}",
-    /* 40: Switzerland IBAN (CH, 21 chars) */
+    /* 43: Switzerland IBAN (CH, 21 chars) */
     "CH[0-9]{2}[0-9]{5}[A-Z0-9]{12}",
-    /* 41: Austria IBAN (AT, 20 chars) */
+    /* 44: Austria IBAN (AT, 20 chars) */
     "AT[0-9]{2}[0-9]{16}",
-    /* 42: Netherlands IBAN (NL, 18 chars) */
+    /* 45: Netherlands IBAN (NL, 18 chars) */
     "NL[0-9]{2}[A-Z]{4}[0-9]{10}",
-    /* 43: Denmark IBAN (DK, 18 chars) */
+    /* 46: Denmark IBAN (DK, 18 chars) */
     "DK[0-9]{2}[0-9]{14}",
-    /* 44: Finland IBAN (FI, 18 chars) */
+    /* 47: Finland IBAN (FI, 18 chars) */
     "FI[0-9]{2}[0-9]{14}",
-    /* 45: Belgium IBAN (BE, 16 chars) */
+    /* 48: Belgium IBAN (BE, 16 chars) */
     "BE[0-9]{2}[0-9]{12}",
-    /* 46: Norway IBAN (NO, 15 chars) */
+    /* 49: Norway IBAN (NO, 15 chars) */
     "NO[0-9]{2}[0-9]{11}",
 
     /* ---- Tier 4: Structured formats (dots, dashes, slashes, @) ---- */
-    /* 47: Email Address */
+    /* 50: Email Address */
     "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}",
-    /* 48: International Phone Number (E.164) */
+    /* 51: International Phone Number (E.164) */
     "\\+[0-9]{1,3}[- ]?[0-9][0-9 -]{6,13}[0-9]",
-    /* 49: Brazilian CNPJ (XX.XXX.XXX/XXXX-XX) */
+    /* 52: Brazilian CNPJ (XX.XXX.XXX/XXXX-XX) */
     "[0-9]{2}\\.[0-9]{3}\\.[0-9]{3}/[0-9]{4}-[0-9]{2}",
-    /* 50: Brazilian CPF (XXX.XXX.XXX-XX) */
+    /* 53: Brazilian CPF (XXX.XXX.XXX-XX) */
     "[0-9]{3}\\.[0-9]{3}\\.[0-9]{3}-[0-9]{2}",
-    /* 51: UUID v4 / Scaleway Secret Key */
+    /* 54: UUID v4 / Scaleway Secret Key */
     "[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}",
-    /* 52: IPv4 address */
+    /* 55: IPv4 address */
     "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)",
-    /* 53: Credit card numbers (Visa, Mastercard, Amex, Discover, JCB) */
+    /* 56: Credit card numbers (Visa, Mastercard, Amex, Discover, JCB) */
     "(4[0-9]{15}|4[0-9]{12}|5[1-5][0-9]{14}|6011[0-9]{12}|65[0-9]{14}|3[47][0-9]{13}|3[068][0-9]{11}|35[0-9]{14})",
-    /* 54: Indian Aadhaar (XXXX XXXX XXXX or XXXX-XXXX-XXXX) */
+    /* 57: Indian Aadhaar (XXXX XXXX XXXX or XXXX-XXXX-XXXX) */
     "[0-9]{4}[- ][0-9]{4}[- ][0-9]{4}",
 
     /* ---- Tier 5: Letter-anchored patterns ---- */
-    /* 55: Mexican CURP (18 alphanum, distinctive structure) */
+    /* 58: Mexican CURP (18 alphanum, distinctive structure) */
     "[A-Z]{4}[0-9]{6}[HM][A-Z]{5}[A-Z0-9][0-9]",
-    /* 56: Italian CF with omocodia (16 chars) */
+    /* 59: Italian CF with omocodia (16 chars) */
     "[A-Z]{6}[0-9LMNPQRSTUV]{2}[ABCDEHLMPRST][0-9LMNPQRSTUV]{2}[A-Z][0-9LMNPQRSTUV]{3}[A-Z]",
-    /* 57: Italian CF basic (16 chars) */
+    /* 60: Italian CF basic (16 chars) */
     "[A-Z]{6}[0-9]{2}[A-Z][0-9]{2}[A-Z][0-9]{3}[A-Z]",
-    /* 58: UK National Insurance Number (AA 99 99 99 A-D) */
+    /* 61: UK National Insurance Number (AA 99 99 99 A-D) */
     "[A-Z]{2} ?[0-9]{2} ?[0-9]{2} ?[0-9]{2} ?[A-D]",
-    /* 59: Spanish NIE (X/Y/Z + 7 digits + letter) */
+    /* 62: Spanish NIE (X/Y/Z + 7 digits + letter) */
     "[XYZ][0-9]{7}[A-Z]",
-    /* 60: Passport - letter prefix + digits (e.g. AB1234567) */
+    /* 63: Passport - letter prefix + digits (e.g. AB1234567) */
     "[A-Z]{1,2}[0-9]{6,7}",
 
     /* ---- Tier 6: Boundary-wrapped structured (dash/dot/slash separated) ---- */
-    /* 61: South Korean RRN (YYMMDD-XXXXXXX, 14 chars with dash) */
+    /* 64: South Korean RRN (YYMMDD-XXXXXXX, 14 chars with dash) */
     "[0-9]{6}-[0-9]{7}",
-    /* 62: Swiss AHV Number (756.XXXX.XXXX.XX) */
+    /* 65: Swiss AHV Number (756.XXXX.XXXX.XX) */
     "756\\.[0-9]{4}\\.[0-9]{4}\\.[0-9]{2}",
-    /* 63: Finnish HETU (DDMMYY[+-A]XXXC) */
+    /* 66: Finnish HETU (DDMMYY[+-A]XXXC) */
     "[0-9]{6}[-+A][0-9]{3}[0-9A-Y]",
-    /* 64: Swedish Personnummer (YYMMDD[-+]XXXX) */
+    /* 67: Swedish Personnummer (YYMMDD[-+]XXXX) */
     "[0-9]{6}[-+][0-9]{4}",
-    /* 65: Danish CPR Number (DDMMYY-XXXX) */
+    /* 68: Danish CPR Number (DDMMYY-XXXX) */
     "[0-9]{6}-[0-9]{4}",
-    /* 66: Czech Rodné číslo (YYMMDD/XXXX or YYMMDDXXXX) */
+    /* 69: Czech Rodné číslo (YYMMDD/XXXX or YYMMDDXXXX) */
     "[0-9]{6}/?[0-9]{3,4}",
-    /* 67: US Social Security Number (XXX-XX-XXXX) */
+    /* 70: US Social Security Number (XXX-XX-XXXX) */
     "[0-9]{3}-[0-9]{2}-[0-9]{4}",
-    /* 68: US ITIN (9XX-XX-XXXX) */
+    /* 71: US ITIN (9XX-XX-XXXX) */
     "9[0-9]{2}-[0-9]{2}-[0-9]{4}",
-    /* 69: Canadian SIN (XXX-XXX-XXX) */
+    /* 72: Canadian SIN (XXX-XXX-XXX) */
     "[0-9]{3}-[0-9]{3}-[0-9]{3}",
-    /* 70: Australian TFN (XXX-XXX-XXX or XXX XXX XXX) */
+    /* 73: Australian TFN (XXX-XXX-XXX or XXX XXX XXX) */
     "[0-9]{3}[- ][0-9]{3}[- ][0-9]{3}",
-    /* 71: Indian PAN (5 letters + 4 digits + 1 letter) */
+    /* 74: Indian PAN (5 letters + 4 digits + 1 letter) */
     "[A-Z]{5}[0-9]{4}[A-Z]",
-    /* 72: Spanish DNI (8 digits + 1 letter) */
+    /* 75: Spanish DNI (8 digits + 1 letter) */
     "[0-9]{8}[A-Z]",
-    /* 73: Hungarian Tax ID (starts with 8, 10 digits) */
+    /* 76: Hungarian Tax ID (starts with 8, 10 digits) */
     "8[0-9]{9}",
 
     /* ---- Tier 7: Boundary-wrapped pure digits (longest → shortest) ---- */
-    /* 74: French NIR / Social Security (15 digits) */
+    /* 77: French NIR / Social Security (15 digits) */
     "[12][0-9]{2}[01][0-9][0-9]{2}[0-9]{3}[0-9]{3}[0-9]{2}",
-    /* 75: South African ID (13 digits) */
+    /* 78: South African ID (13 digits) */
     "[0-9]{13}",
-    /* 76: Romanian CNP (13 digits, first digit 1-8) */
+    /* 79: Romanian CNP (13 digits, first digit 1-8) */
     "[1-8][0-9]{12}",
-    /* 77: Japanese My Number (12 digits) */
+    /* 80: Japanese My Number (12 digits) */
     "[0-9]{12}",
-    /* 78: Polish PESEL (11 digits) */
+    /* 81: Polish PESEL (11 digits) */
     "[0-9]{11}",
-    /* 79: Belgian National Number (11 digits) */
+    /* 82: Belgian National Number (11 digits) */
     "[0-9]{11}",
-    /* 80: Norwegian Fødselsnummer (11 digits) */
+    /* 83: Norwegian Fødselsnummer (11 digits) */
     "[0-9]{11}",
-    /* 81: Passport - 9 consecutive digits */
+    /* 84: Passport - 9 consecutive digits */
     "[0-9]{9}",
-    /* 82: Dutch BSN (8-9 digits) */
+    /* 85: Dutch BSN (8-9 digits) */
     "[0-9]{8,9}",
-    /* 83: Austrian Abgabenkontonummer (9 digits) */
+    /* 86: Austrian Abgabenkontonummer (9 digits) */
     "[0-9]{9}",
-    /* 84: Polish PESEL duplicate */
+    /* 87: Polish PESEL duplicate */
     "[0-9]{11}"
 };

data/ext/data_redactor/patterns.h

@@ -3,7 +3,7 @@
 
 #include <regex.h>
 
-#define NUM_PATTERNS 85
+#define NUM_PATTERNS 88
 
 extern const char *pattern_strings[NUM_PATTERNS];
 extern const int   boundary_wrapped[NUM_PATTERNS];

data/lib/data_redactor/version.rb

@@ -1,4 +1,4 @@
 module DataRedactor
   # Current gem version. Follows {https://semver.org Semantic Versioning 2.0.0}.
-  VERSION = "0.7.0"
+  VERSION = "0.8.0"
 end

data/lib/data_redactor.rb

@@ -1,4 +1,5 @@
 require "set"
+require "json"
 require_relative "data_redactor/version"
 require_relative "data_redactor/data_redactor" # loads the compiled .so
 
@@ -161,6 +162,54 @@ module DataRedactor
     result
   end
 
+  # Recursively redact every String value in a nested Hash/Array structure.
+  #
+  # Walks the structure depth-first. Only String leaves are passed through
+  # {redact}; all other leaf types (Integer, Float, nil, Symbol, Boolean)
+  # are copied unchanged. Hash keys are never modified.
+  #
+  # Returns a deep copy — the original structure is never mutated.
+  #
+  # @param data [Hash, Array, String, Object] the structure to walk.
+  #   Any type is accepted; non-String scalars are returned as-is.
+  # @param only [Symbol, String, Array, nil] forwarded to {redact}.
+  # @param except [Symbol, String, Array, nil] forwarded to {redact}.
+  # @param placeholder [String, :tagged, :hash] forwarded to {redact}.
+  # @return [Hash, Array, String, Object] a new structure of the same shape
+  #   with all String leaves redacted.
+  # @raise [ArgumentError] if the structure contains a circular reference.
+  #
+  # @example Rails params
+  #   safe = DataRedactor.redact_deep(params.to_h)
+  #
+  # @example Mixed filter
+  #   DataRedactor.redact_deep(payload, only: :credentials, placeholder: :tagged)
+  def redact_deep(data, only: nil, except: nil, placeholder: PLACEHOLDER_DEFAULT)
+    _walk(data, only: only, except: except, placeholder: placeholder, seen: Set.new)
+  end
+
+  # Parse +json_string+, redact every String value in the resulting structure,
+  # and return valid JSON.
+  #
+  # Delegates traversal to {redact_deep}. All keyword arguments are forwarded
+  # to {redact}.
+  #
+  # @param json_string [String] valid JSON input.
+  # @param only [Symbol, String, Array, nil] forwarded to {redact}.
+  # @param except [Symbol, String, Array, nil] forwarded to {redact}.
+  # @param placeholder [String, :tagged, :hash] forwarded to {redact}.
+  # @return [String] a JSON string with all String values redacted.
+  # @raise [JSON::ParserError] if +json_string+ is not valid JSON.
+  #
+  # @example
+  #   DataRedactor.redact_json('{"email":"alice@example.com","count":3}')
+  #   # => '{"email":"[REDACTED]","count":3}'
+  def redact_json(json_string, only: nil, except: nil, placeholder: PLACEHOLDER_DEFAULT)
+    parsed = JSON.parse(json_string)
+    redacted = redact_deep(parsed, only: only, except: except, placeholder: placeholder)
+    JSON.generate(redacted)
+  end
+
   # Register a custom redaction pattern.
   #
   # Patterns must be valid POSIX ERE. Ruby-only syntax (+\d+, +\s+, +\w+,
@@ -317,6 +366,31 @@ module DataRedactor
     bits
   end
 
+  # @api private
+  # Depth-first recursive walker for {redact_deep}.
+  # +seen+ is a Set of object_ids already on the current traversal stack,
+  # used to detect circular references.
+  def _walk(node, only:, except:, placeholder:, seen:)
+    case node
+    when String
+      redact(node, only: only, except: except, placeholder: placeholder)
+    when Hash
+      raise ArgumentError, "redact_deep: circular reference detected" if seen.include?(node.object_id)
+      seen.add(node.object_id)
+      result = node.transform_values { |v| _walk(v, only: only, except: except, placeholder: placeholder, seen: seen) }
+      seen.delete(node.object_id)
+      result
+    when Array
+      raise ArgumentError, "redact_deep: circular reference detected" if seen.include?(node.object_id)
+      seen.add(node.object_id)
+      result = node.map { |v| _walk(v, only: only, except: except, placeholder: placeholder, seen: seen) }
+      seen.delete(node.object_id)
+      result
+    else
+      node
+    end
+  end
+
   # @api private
   def pattern_enabled?(name, tag_bit, only_present, only_bits, only_names,
                        except_bits, except_names)

data/readme.md

@@ -103,6 +103,36 @@ DataRedactor.scan(text, except: :network)
 DataRedactor.scan(text, only: :contact, except: ["email"])
 ```
 
+### Hash / JSON traversal
+
+Redact every string value inside a nested Hash or Array — useful for params hashes, Sidekiq job payloads, webhook bodies, and anything that isn't a flat string:
+
+```ruby
+# Hash — returns a deep copy, never mutates the input
+result = DataRedactor.redact_deep({
+  "user"  => { "email" => "alice@example.com" },
+  "count" => 3,
+  "tags"  => ["admin", "alice@example.com"]
+})
+# => { "user" => { "email" => "[REDACTED]" }, "count" => 3, "tags" => ["admin", "[REDACTED]"] }
+
+# Hash keys are never touched — only values are redacted
+# Non-string scalars (Integer, Float, nil, Boolean) pass through unchanged
+
+# Accepts the same filters as redact
+DataRedactor.redact_deep(params, only: :credentials)
+DataRedactor.redact_deep(payload, except: :network, placeholder: :tagged)
+```
+
+```ruby
+# JSON string — parse → redact_deep → re-serialise
+safe_json = DataRedactor.redact_json('{"email":"alice@example.com","count":3}')
+# => '{"email":"[REDACTED]","count":3}'
+
+# Raises JSON::ParserError on invalid input
+DataRedactor.redact_json("not json")  # => JSON::ParserError
+```
+
 ### Custom patterns
 
 Teams often have internal IDs that the gem can't ship. Register them at boot:
@@ -179,7 +209,7 @@ Pass an empty subset (e.g. `scrub: [:headers]`) to opt out of body wrapping. For
 
 > **Body wrapping is buffering.** The middleware reads the entire response body into memory before scanning. For streaming endpoints (SSE, large file downloads, Rack::Hijack) use `scrub: [:headers]` and rely on the Logger formatter for application logs instead.
 
-## Detected patterns (85 total)
+## Detected patterns (88 total)
 
 The table below is a representative sample. Use `DataRedactor.pattern_names` for the canonical, machine-readable list — it stays in sync with the C extension automatically.
 
@@ -294,16 +324,46 @@ redactor/
 ## Requirements
 
 - Ruby >= 2.7
-- A C compiler (`gcc` or `clang`)
-- POSIX `regex.h` (standard on Linux and macOS)
+- A C compiler (`gcc` or `clang`) — only required when installing the source gem
+- POSIX `regex.h` — only required when installing the source gem (standard on Linux and macOS)
+
+## Installation
 
-## Setup
+```ruby
+# Gemfile
+gem "data_redactor"
+```
 
 ```bash
 bundle install
 ```
 
-## Compile the C extension
+That's it — there is nothing extra to configure for precompiled binaries. Bundler/RubyGems looks at your platform and Ruby version and picks the right gem automatically.
+
+### What you'll see
+
+- **On a supported platform** (Linux glibc/musl, macOS Intel/ARM): bundler downloads a precompiled gem with the C extension already built. Install is near-instant — **no compiler, no `make`, no `regex.h` headers needed**. Especially valuable in slim Docker images (`ruby:3.x-alpine`, `ruby:3.x-slim`) that don't ship `gcc`.
+- **On any other platform** (FreeBSD, OpenBSD, etc.): bundler downloads the source gem and compiles the C extension on install — the same behavior as before 0.7.1. You'll need a C compiler and POSIX `regex.h` available.
+
+### Supported precompiled targets
+
+Each precompiled gem ships compiled binaries for Ruby 3.1, 3.2, 3.3, and 3.4.
+
+| Platform | Targets |
+|---|---|
+| Linux (glibc) | `x86_64-linux`, `aarch64-linux` |
+| Linux (musl / Alpine) | `x86_64-linux-musl`, `aarch64-linux-musl` |
+| macOS | `x86_64-darwin` (Intel), `arm64-darwin` (Apple Silicon) |
+
+### Bundler-locked deploys
+
+If your `Gemfile.lock` was generated on one platform but you deploy to another, run `bundle lock --add-platform <target>` so bundler resolves the right native gem at deploy time. Example for Alpine deploys built from a glibc dev box:
+
+```bash
+bundle lock --add-platform x86_64-linux-musl aarch64-linux-musl
+```
+
+## Compile the C extension (source / development install only)
 
 ```bash
 bundle exec rake compile
@@ -311,6 +371,16 @@ bundle exec rake compile
 
 This runs `extconf.rb` via `rake-compiler`, which generates a `Makefile` and compiles `data_redactor.c` into a `.so` shared library placed under `lib/data_redactor/`.
 
+## Building precompiled gems locally
+
+Maintainers can rebuild the full set of native gems with one command (requires Docker):
+
+```bash
+bundle exec rake gem:all
+```
+
+This invokes `rake-compiler-dock` to cross-compile every supported (platform × Ruby ABI) combination. Output lands in `pkg/`.
+
 ## Run the tests
 
 ```bash

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: data_redactor
 version: !ruby/object:Gem::Version
-  version: 0.7.0
+  version: 0.8.0
 platform: ruby
 authors:
 - Daniele Frisanco
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-05-09 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake-compiler
@@ -24,6 +23,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: rake-compiler-dock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -108,7 +121,6 @@ metadata:
   changelog_uri: https://github.com/danielefrisanco/data_redactor/blob/main/CHANGELOG.md
   bug_tracker_uri: https://github.com/danielefrisanco/data_redactor/issues
   rubygems_mfa_required: 'true'
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -123,8 +135,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.22
-signing_key:
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Redact PII and secrets from strings before sending to AI or external services
 test_files: []