data_redactor 0.7.2 → 0.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 24e5a8c5434fa45e6465033d7a2792a94c0b8f0d9f3ff3ca49a3a6c3c6e4065b
-  data.tar.gz: dbe07535163dd1926ce11495aee8b8e2476eb0750a7b028c7af6a7428c6f39c5
+  metadata.gz: 007d59e430d1675a13b84670f6c34c300f8b72fd7ee4744aa191f846bb89b072
+  data.tar.gz: a23f3b99c3ead341d2c9415a1b4b2eb32a45ee002f052a8e58d928eb1ce03919
 SHA512:
-  metadata.gz: af2e9c869e54e7694eec166586f4baa3b16121c02f10f160db1a422ef9f6c87237ebab3c210bd950a4ab60551e3a6b32e8ccb0d2cfd695b90343cbbd5f8bd6a0
-  data.tar.gz: 9ac096890d738968525e50d3b0d5517f92886899176991ee3ee49a218398b5b47e470ff46b4c41fa458bc3a265f0069aaef2b4010e1296708e2470b7d8638b83
+  metadata.gz: ccd4f6f97a0110585e4f43f9402eac2a1f57b2aef01a3c6870f0e57ea578377291a7367ee924585d9d11e92af98f4178bb0b9488c1a24a2338f6a41936efad30
+  data.tar.gz: 5281171119b4892167a6b1d55e0996db47408c8a6d334656998f8f2ca50794a3a7b5c987132369ca32965da0943f954eab61f34f5a97c683b8a14851e9beca1e

data/CHANGELOG.md

@@ -7,6 +7,22 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.9.0] - 2026-05-22
+
+### Added
+- `DataRedactor.name_pattern(first, last, middle:)` — generates a POSIX ERE that matches a person's name across common written variations (case-insensitivity, First/Last order swaps, `Last, First`, initials, diacritics, and interchangeable space/hyphen separators). Returns a String ready to pass to `add_pattern`. The pattern is boundary-wrapped, so `"Mario"` matches as a word but not inside `"Mariolino"`. When `middle:` is given, both the no-middle and with-middle forms match.
+
+## [0.8.0] - 2026-05-21
+
+### Added
+- `DataRedactor.redact_deep(data, only:, except:, placeholder:)` — recursively redacts every String value in a nested Hash/Array structure. Non-string scalars (Integer, Float, nil, Boolean) and Hash keys are passed through unchanged. Returns a deep copy; never mutates the input. Raises `ArgumentError` on circular references.
+- `DataRedactor.redact_json(json_string, only:, except:, placeholder:)` — parses JSON, redacts via `redact_deep`, and returns valid JSON. Raises `JSON::ParserError` on invalid input.
+- HashiCorp Vault service tokens (`hvs.` prefix, 90–120 chars) — pattern `hashicorp_vault_service_token`
+- HashiCorp Vault batch tokens (`hvb.` prefix, 138–300 chars) — pattern `hashicorp_vault_batch_token`
+- HashiCorp Terraform Cloud API tokens (`<14-char-id>.atlasv1.<token>`) — pattern `hashicorp_terraform_api_token`
+
+All three HashiCorp patterns are tagged `:credentials` and do not require word-boundary wrapping (distinctive prefixes eliminate false positives).
+
 ## [0.7.2] - 2026-05-09
 
 **Supersedes 0.7.1, which has been yanked from RubyGems.**
@@ -161,7 +177,9 @@ features as 0.7.1 plus the pipeline fix.
 - `DataRedactor.redact(text)` module function returning the input with every match replaced by `[REDACTED]`.
 - RSpec suite with one example per pattern.
 
-[Unreleased]: https://github.com/danielefrisanco/data_redactor/compare/v0.7.2...HEAD
+[Unreleased]: https://github.com/danielefrisanco/data_redactor/compare/v0.9.0...HEAD
+[0.9.0]: https://github.com/danielefrisanco/data_redactor/compare/v0.8.0...v0.9.0
+[0.8.0]: https://github.com/danielefrisanco/data_redactor/compare/v0.7.2...v0.8.0
 [0.7.2]: https://github.com/danielefrisanco/data_redactor/compare/v0.7.1...v0.7.2
 [0.7.1]: https://github.com/danielefrisanco/data_redactor/compare/v0.7.0...v0.7.1
 [0.7.0]: https://github.com/danielefrisanco/data_redactor/compare/v0.6.1...v0.7.0

data/ext/data_redactor/patterns.c

@@ -56,67 +56,70 @@ const int boundary_wrapped[NUM_PATTERNS] = {
     0, /* 26: Scaleway Access Key */
     0, /* 27: PEM private key header (generic) */
     0, /* 28: GPG Private Key Block */
+    0, /* 29: HashiCorp Vault Service Token (hvs.) */
+    0, /* 30: HashiCorp Vault Batch Token (hvb.) */
+    0, /* 31: HashiCorp Terraform Cloud API Token (atlasv1) */
     /* ---- Tier 3: IBANs (longest → shortest) ---- */
-    0, /* 29: Hungary IBAN (28 chars) */
-    0, /* 30: Poland IBAN (28 chars) */
-    0, /* 31: France IBAN (27 chars) */
-    0, /* 32: Italy IBAN (27 chars) */
-    0, /* 33: Portugal IBAN (25 chars) */
-    0, /* 34: Spain IBAN (24 chars) */
-    0, /* 35: Czechia IBAN (24 chars) */
-    0, /* 36: Romania IBAN (24 chars) */
-    0, /* 37: Sweden IBAN (24 chars) */
-    0, /* 38: Germany IBAN (22 chars) */
-    0, /* 39: Ireland IBAN (22 chars) */
-    0, /* 40: Switzerland IBAN (21 chars) */
-    0, /* 41: Austria IBAN (20 chars) */
-    0, /* 42: Netherlands IBAN (18 chars) */
-    0, /* 43: Denmark IBAN (18 chars) */
-    0, /* 44: Finland IBAN (18 chars) */
-    0, /* 45: Belgium IBAN (16 chars) */
-    0, /* 46: Norway IBAN (15 chars) */
+    0, /* 32: Hungary IBAN (28 chars) */
+    0, /* 33: Poland IBAN (28 chars) */
+    0, /* 34: France IBAN (27 chars) */
+    0, /* 35: Italy IBAN (27 chars) */
+    0, /* 36: Portugal IBAN (25 chars) */
+    0, /* 37: Spain IBAN (24 chars) */
+    0, /* 38: Czechia IBAN (24 chars) */
+    0, /* 39: Romania IBAN (24 chars) */
+    0, /* 40: Sweden IBAN (24 chars) */
+    0, /* 41: Germany IBAN (22 chars) */
+    0, /* 42: Ireland IBAN (22 chars) */
+    0, /* 43: Switzerland IBAN (21 chars) */
+    0, /* 44: Austria IBAN (20 chars) */
+    0, /* 45: Netherlands IBAN (18 chars) */
+    0, /* 46: Denmark IBAN (18 chars) */
+    0, /* 47: Finland IBAN (18 chars) */
+    0, /* 48: Belgium IBAN (16 chars) */
+    0, /* 49: Norway IBAN (15 chars) */
     /* ---- Tier 4: Structured formats (dots, dashes, slashes, @) ---- */
-    0, /* 47: Email Address */
-    0, /* 48: International Phone Number */
-    0, /* 49: Brazilian CNPJ (XX.XXX.XXX/XXXX-XX) */
-    0, /* 50: Brazilian CPF (XXX.XXX.XXX-XX) */
-    0, /* 51: UUID v4 */
-    0, /* 52: IPv4 address */
-    0, /* 53: Credit card numbers */
-    0, /* 54: Indian Aadhaar (XXXX XXXX XXXX) */
+    0, /* 50: Email Address */
+    0, /* 51: International Phone Number */
+    0, /* 52: Brazilian CNPJ (XX.XXX.XXX/XXXX-XX) */
+    0, /* 53: Brazilian CPF (XXX.XXX.XXX-XX) */
+    0, /* 54: UUID v4 */
+    0, /* 55: IPv4 address */
+    0, /* 56: Credit card numbers */
+    0, /* 57: Indian Aadhaar (XXXX XXXX XXXX) */
     /* ---- Tier 5: Letter-anchored patterns ---- */
-    0, /* 55: Mexican CURP (18 alphanum, distinctive structure) */
-    0, /* 56: Italian CF with omocodia (16 chars) */
-    0, /* 57: Italian CF basic (16 chars) */
-    0, /* 58: UK National Insurance Number */
-    0, /* 59: Spanish NIE (X/Y/Z prefix) */
-    0, /* 60: Passport letter prefix + digits */
+    0, /* 58: Mexican CURP (18 alphanum, distinctive structure) */
+    0, /* 59: Italian CF with omocodia (16 chars) */
+    0, /* 60: Italian CF basic (16 chars) */
+    0, /* 61: UK National Insurance Number */
+    0, /* 62: Spanish NIE (X/Y/Z prefix) */
+    0, /* 63: Passport letter prefix + digits */
     /* ---- Tier 6: Boundary-wrapped structured (dash/dot/slash separated) ---- */
-    1, /* 61: South Korean RRN (YYMMDD-XXXXXXX, 14 chars) */
-    1, /* 62: Swiss AHV Number (756.XXXX.XXXX.XX) */
-    1, /* 63: Finnish HETU (DDMMYY[+-A]XXXC) */
-    1, /* 64: Swedish Personnummer (YYMMDD[-+]XXXX) */
-    1, /* 65: Danish CPR Number (DDMMYY-XXXX) */
-    1, /* 66: Czech Rodné číslo (YYMMDD/XXXX) */
-    1, /* 67: US Social Security Number (XXX-XX-XXXX) */
-    1, /* 68: US ITIN (9XX-XX-XXXX) */
-    1, /* 69: Canadian SIN (XXX-XXX-XXX) */
-    1, /* 70: Australian TFN (XXX-XXX-XXX) */
-    1, /* 71: Indian PAN (AAAAA0000A) */
-    1, /* 72: Spanish DNI (8 digits + letter) */
-    1, /* 73: Hungarian Tax ID (8XXXXXXXXX, 10 digits) */
+    1, /* 64: South Korean RRN (YYMMDD-XXXXXXX, 14 chars) */
+    1, /* 65: Swiss AHV Number (756.XXXX.XXXX.XX) */
+    1, /* 66: Finnish HETU (DDMMYY[+-A]XXXC) */
+    1, /* 67: Swedish Personnummer (YYMMDD[-+]XXXX) */
+    1, /* 68: Danish CPR Number (DDMMYY-XXXX) */
+    1, /* 69: Czech Rodné číslo (YYMMDD/XXXX) */
+    1, /* 70: US Social Security Number (XXX-XX-XXXX) */
+    1, /* 71: US ITIN (9XX-XX-XXXX) */
+    1, /* 72: Canadian SIN (XXX-XXX-XXX) */
+    1, /* 73: Australian TFN (XXX-XXX-XXX) */
+    1, /* 74: Indian PAN (AAAAA0000A) */
+    1, /* 75: Spanish DNI (8 digits + letter) */
+    1, /* 76: Hungarian Tax ID (8XXXXXXXXX, 10 digits) */
     /* ---- Tier 7: Boundary-wrapped pure digits (longest → shortest) ---- */
-    1, /* 74: French NIR (15 digits) */
-    1, /* 75: South African ID (13 digits) */
-    1, /* 76: Romanian CNP (13 digits) */
-    1, /* 77: Japanese My Number (12 digits) */
-    1, /* 78: Polish PESEL (11 digits) */
-    1, /* 79: Belgian National Number (11 digits) */
-    1, /* 80: Norwegian Fødselsnummer (11 digits) */
-    1, /* 81: Passport 9 digits */
-    1, /* 82: Dutch BSN (8-9 digits) */
-    1, /* 83: Austrian Abgabenkontonummer (9 digits) */
-    1  /* 84: Polish PESEL duplicate */
+    1, /* 77: French NIR (15 digits) */
+    1, /* 78: South African ID (13 digits) */
+    1, /* 79: Romanian CNP (13 digits) */
+    1, /* 80: Japanese My Number (12 digits) */
+    1, /* 81: Polish PESEL (11 digits) */
+    1, /* 82: Belgian National Number (11 digits) */
+    1, /* 83: Norwegian Fødselsnummer (11 digits) */
+    1, /* 84: Passport 9 digits */
+    1, /* 85: Dutch BSN (8-9 digits) */
+    1, /* 86: Austrian Abgabenkontonummer (9 digits) */
+    1  /* 87: Polish PESEL duplicate */
 };
 
 /*
@@ -124,56 +127,57 @@ const int boundary_wrapped[NUM_PATTERNS] = {
  * patterns run when the caller passes a mask (only/except).
  */
 const int pattern_tags[NUM_PATTERNS] = {
-    /* 0-28: secrets, API keys, tokens, private keys, webhooks */
+    /* 0-31: secrets, API keys, tokens, private keys, webhooks */
     TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS,
     TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS,
     TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS,
     TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS,
     TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS,
     TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS,
-    /* 29-46: IBANs */
+    TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS,
+    /* 32-49: IBANs */
     TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL,
     TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL,
     TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL,
     TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL,
-    TAG_CONTACT,      /* 47: email */
-    TAG_CONTACT,      /* 48: phone */
-    TAG_TAX_ID,       /* 49: Brazilian CNPJ */
-    TAG_TAX_ID,       /* 50: Brazilian CPF */
-    TAG_OTHER,        /* 51: UUID v4 */
-    TAG_NETWORK,      /* 52: IPv4 */
-    TAG_FINANCIAL,    /* 53: credit card */
-    TAG_NATIONAL_ID,  /* 54: Indian Aadhaar */
-    TAG_NATIONAL_ID,  /* 55: Mexican CURP */
-    TAG_TAX_ID,       /* 56: Italian CF (omocodia) */
-    TAG_TAX_ID,       /* 57: Italian CF (basic) */
-    TAG_NATIONAL_ID,  /* 58: UK NIN */
-    TAG_NATIONAL_ID,  /* 59: Spanish NIE */
-    TAG_TRAVEL,       /* 60: passport letter prefix */
-    TAG_NATIONAL_ID,  /* 61: Korean RRN */
-    TAG_NATIONAL_ID,  /* 62: Swiss AHV */
-    TAG_NATIONAL_ID,  /* 63: Finnish HETU */
-    TAG_NATIONAL_ID,  /* 64: Swedish Personnummer */
-    TAG_NATIONAL_ID,  /* 65: Danish CPR */
-    TAG_NATIONAL_ID,  /* 66: Czech Rodné číslo */
-    TAG_NATIONAL_ID,  /* 67: US SSN */
-    TAG_TAX_ID,       /* 68: US ITIN */
-    TAG_NATIONAL_ID,  /* 69: Canadian SIN */
-    TAG_TAX_ID,       /* 70: Australian TFN */
-    TAG_TAX_ID,       /* 71: Indian PAN */
-    TAG_NATIONAL_ID,  /* 72: Spanish DNI */
-    TAG_TAX_ID,       /* 73: Hungarian Tax ID */
-    TAG_NATIONAL_ID,  /* 74: French NIR */
-    TAG_NATIONAL_ID,  /* 75: South African ID */
-    TAG_NATIONAL_ID,  /* 76: Romanian CNP */
-    TAG_TAX_ID,       /* 77: Japanese My Number */
-    TAG_NATIONAL_ID,  /* 78: Polish PESEL */
-    TAG_NATIONAL_ID,  /* 79: Belgian National Number */
-    TAG_NATIONAL_ID,  /* 80: Norwegian Fødselsnummer */
-    TAG_TRAVEL,       /* 81: passport 9 digits */
-    TAG_NATIONAL_ID,  /* 82: Dutch BSN */
-    TAG_TAX_ID,       /* 83: Austrian Abgabenkontonummer */
-    TAG_NATIONAL_ID   /* 84: Polish PESEL duplicate */
+    TAG_CONTACT,      /* 50: email */
+    TAG_CONTACT,      /* 51: phone */
+    TAG_TAX_ID,       /* 52: Brazilian CNPJ */
+    TAG_TAX_ID,       /* 53: Brazilian CPF */
+    TAG_OTHER,        /* 54: UUID v4 */
+    TAG_NETWORK,      /* 55: IPv4 */
+    TAG_FINANCIAL,    /* 56: credit card */
+    TAG_NATIONAL_ID,  /* 57: Indian Aadhaar */
+    TAG_NATIONAL_ID,  /* 58: Mexican CURP */
+    TAG_TAX_ID,       /* 59: Italian CF (omocodia) */
+    TAG_TAX_ID,       /* 60: Italian CF (basic) */
+    TAG_NATIONAL_ID,  /* 61: UK NIN */
+    TAG_NATIONAL_ID,  /* 62: Spanish NIE */
+    TAG_TRAVEL,       /* 63: passport letter prefix */
+    TAG_NATIONAL_ID,  /* 64: Korean RRN */
+    TAG_NATIONAL_ID,  /* 65: Swiss AHV */
+    TAG_NATIONAL_ID,  /* 66: Finnish HETU */
+    TAG_NATIONAL_ID,  /* 67: Swedish Personnummer */
+    TAG_NATIONAL_ID,  /* 68: Danish CPR */
+    TAG_NATIONAL_ID,  /* 69: Czech Rodné číslo */
+    TAG_NATIONAL_ID,  /* 70: US SSN */
+    TAG_TAX_ID,       /* 71: US ITIN */
+    TAG_NATIONAL_ID,  /* 72: Canadian SIN */
+    TAG_TAX_ID,       /* 73: Australian TFN */
+    TAG_TAX_ID,       /* 74: Indian PAN */
+    TAG_NATIONAL_ID,  /* 75: Spanish DNI */
+    TAG_TAX_ID,       /* 76: Hungarian Tax ID */
+    TAG_NATIONAL_ID,  /* 77: French NIR */
+    TAG_NATIONAL_ID,  /* 78: South African ID */
+    TAG_NATIONAL_ID,  /* 79: Romanian CNP */
+    TAG_TAX_ID,       /* 80: Japanese My Number */
+    TAG_NATIONAL_ID,  /* 81: Polish PESEL */
+    TAG_NATIONAL_ID,  /* 82: Belgian National Number */
+    TAG_NATIONAL_ID,  /* 83: Norwegian Fødselsnummer */
+    TAG_TRAVEL,       /* 84: passport 9 digits */
+    TAG_NATIONAL_ID,  /* 85: Dutch BSN */
+    TAG_TAX_ID,       /* 86: Austrian Abgabenkontonummer */
+    TAG_NATIONAL_ID   /* 87: Polish PESEL duplicate */
 };
 
 const char *pattern_names[NUM_PATTERNS] = {
@@ -206,62 +210,65 @@ const char *pattern_names[NUM_PATTERNS] = {
     "scaleway_access_key",           /* 26 */
     "pem_private_key",               /* 27 */
     "gpg_private_key",               /* 28 */
-    "iban_hu",                       /* 29 */
-    "iban_pl",                       /* 30 */
-    "iban_fr",                       /* 31 */
-    "iban_it",                       /* 32 */
-    "iban_pt",                       /* 33 */
-    "iban_es",                       /* 34 */
-    "iban_cz",                       /* 35 */
-    "iban_ro",                       /* 36 */
-    "iban_se",                       /* 37 */
-    "iban_de",                       /* 38 */
-    "iban_ie",                       /* 39 */
-    "iban_ch",                       /* 40 */
-    "iban_at",                       /* 41 */
-    "iban_nl",                       /* 42 */
-    "iban_dk",                       /* 43 */
-    "iban_fi",                       /* 44 */
-    "iban_be",                       /* 45 */
-    "iban_no",                       /* 46 */
-    "email",                         /* 47 */
-    "phone_e164",                    /* 48 */
-    "brazilian_cnpj",                /* 49 */
-    "brazilian_cpf",                 /* 50 */
-    "uuid_v4",                       /* 51 */
-    "ipv4",                          /* 52 */
-    "credit_card",                   /* 53 */
-    "indian_aadhaar",                /* 54 */
-    "mexican_curp",                  /* 55 */
-    "italian_cf_omocodia",           /* 56 */
-    "italian_cf",                    /* 57 */
-    "uk_nin",                        /* 58 */
-    "spanish_nie",                   /* 59 */
-    "passport_letter_prefix",        /* 60 */
-    "korean_rrn",                    /* 61 */
-    "swiss_ahv",                     /* 62 */
-    "finnish_hetu",                  /* 63 */
-    "swedish_personnummer",          /* 64 */
-    "danish_cpr",                    /* 65 */
-    "czech_rodne_cislo",             /* 66 */
-    "us_ssn",                        /* 67 */
-    "us_itin",                       /* 68 */
-    "canadian_sin",                  /* 69 */
-    "australian_tfn",                /* 70 */
-    "indian_pan",                    /* 71 */
-    "spanish_dni",                   /* 72 */
-    "hungarian_tax_id",              /* 73 */
-    "french_nir",                    /* 74 */
-    "south_african_id",              /* 75 */
-    "romanian_cnp",                  /* 76 */
-    "japanese_my_number",            /* 77 */
-    "polish_pesel",                  /* 78 */
-    "belgian_national_number",       /* 79 */
-    "norwegian_fodselsnummer",       /* 80 */
-    "passport_9digits",              /* 81 */
-    "dutch_bsn",                     /* 82 */
-    "austrian_abgabenkontonummer",   /* 83 */
-    "polish_pesel_2"                 /* 84 */
+    "hashicorp_vault_service_token", /* 29 */
+    "hashicorp_vault_batch_token",   /* 30 */
+    "hashicorp_terraform_api_token", /* 31 */
+    "iban_hu",                       /* 32 */
+    "iban_pl",                       /* 33 */
+    "iban_fr",                       /* 34 */
+    "iban_it",                       /* 35 */
+    "iban_pt",                       /* 36 */
+    "iban_es",                       /* 37 */
+    "iban_cz",                       /* 38 */
+    "iban_ro",                       /* 39 */
+    "iban_se",                       /* 40 */
+    "iban_de",                       /* 41 */
+    "iban_ie",                       /* 42 */
+    "iban_ch",                       /* 43 */
+    "iban_at",                       /* 44 */
+    "iban_nl",                       /* 45 */
+    "iban_dk",                       /* 46 */
+    "iban_fi",                       /* 47 */
+    "iban_be",                       /* 48 */
+    "iban_no",                       /* 49 */
+    "email",                         /* 50 */
+    "phone_e164",                    /* 51 */
+    "brazilian_cnpj",                /* 52 */
+    "brazilian_cpf",                 /* 53 */
+    "uuid_v4",                       /* 54 */
+    "ipv4",                          /* 55 */
+    "credit_card",                   /* 56 */
+    "indian_aadhaar",                /* 57 */
+    "mexican_curp",                  /* 58 */
+    "italian_cf_omocodia",           /* 59 */
+    "italian_cf",                    /* 60 */
+    "uk_nin",                        /* 61 */
+    "spanish_nie",                   /* 62 */
+    "passport_letter_prefix",        /* 63 */
+    "korean_rrn",                    /* 64 */
+    "swiss_ahv",                     /* 65 */
+    "finnish_hetu",                  /* 66 */
+    "swedish_personnummer",          /* 67 */
+    "danish_cpr",                    /* 68 */
+    "czech_rodne_cislo",             /* 69 */
+    "us_ssn",                        /* 70 */
+    "us_itin",                       /* 71 */
+    "canadian_sin",                  /* 72 */
+    "australian_tfn",                /* 73 */
+    "indian_pan",                    /* 74 */
+    "spanish_dni",                   /* 75 */
+    "hungarian_tax_id",              /* 76 */
+    "french_nir",                    /* 77 */
+    "south_african_id",              /* 78 */
+    "romanian_cnp",                  /* 79 */
+    "japanese_my_number",            /* 80 */
+    "polish_pesel",                  /* 81 */
+    "belgian_national_number",       /* 82 */
+    "norwegian_fodselsnummer",       /* 83 */
+    "passport_9digits",              /* 84 */
+    "dutch_bsn",                     /* 85 */
+    "austrian_abgabenkontonummer",   /* 86 */
+    "polish_pesel_2"                 /* 87 */
 };
 
 /*
@@ -330,126 +337,132 @@ const char *pattern_strings[NUM_PATTERNS] = {
     "-----BEGIN [A-Z ]*PRIVATE KEY-----",
     /* 28: GPG Private Key Block */
     "-----BEGIN PGP PRIVATE KEY BLOCK-----",
+    /* 29: HashiCorp Vault Service Token (hvs. + 90-120 base64url chars) */
+    "hvs\\.[A-Za-z0-9_-]{90,120}",
+    /* 30: HashiCorp Vault Batch Token (hvb. + 138-300 base64url chars) */
+    "hvb\\.[A-Za-z0-9_-]{138,300}",
+    /* 31: HashiCorp Terraform Cloud API Token (14 alphanum + .atlasv1. + 60-70 base64url chars) */
+    "[A-Za-z0-9]{14}\\.atlasv1\\.[A-Za-z0-9_=-]{60,70}",
 
     /* ---- Tier 3: IBANs (longest → shortest) ---- */
-    /* 29: Hungary IBAN (HU, 28 chars) */
+    /* 32: Hungary IBAN (HU, 28 chars) */
     "HU[0-9]{2}[0-9]{24}",
-    /* 30: Poland IBAN (PL, 28 chars) */
+    /* 33: Poland IBAN (PL, 28 chars) */
     "PL[0-9]{2}[0-9]{24}",
-    /* 31: France IBAN (FR, 27 chars) */
+    /* 34: France IBAN (FR, 27 chars) */
     "FR[0-9]{2}[0-9]{10}[A-Z0-9]{11}[0-9]{2}",
-    /* 32: Italy IBAN (IT, 27 chars) */
+    /* 35: Italy IBAN (IT, 27 chars) */
     "IT[0-9]{2}[A-Z][0-9]{10}[A-Z0-9]{12}",
-    /* 33: Portugal IBAN (PT, 25 chars) */
+    /* 36: Portugal IBAN (PT, 25 chars) */
     "PT[0-9]{2}[0-9]{21}",
-    /* 34: Spain IBAN (ES, 24 chars) */
+    /* 37: Spain IBAN (ES, 24 chars) */
     "ES[0-9]{2}[0-9]{20}",
-    /* 35: Czechia IBAN (CZ, 24 chars) */
+    /* 38: Czechia IBAN (CZ, 24 chars) */
     "CZ[0-9]{2}[0-9]{20}",
-    /* 36: Romania IBAN (RO, 24 chars) */
+    /* 39: Romania IBAN (RO, 24 chars) */
     "RO[0-9]{2}[A-Z]{4}[A-Z0-9]{16}",
-    /* 37: Sweden IBAN (SE, 24 chars) */
+    /* 40: Sweden IBAN (SE, 24 chars) */
     "SE[0-9]{2}[0-9]{20}",
-    /* 38: Germany IBAN (DE, 22 chars) */
+    /* 41: Germany IBAN (DE, 22 chars) */
     "DE[0-9]{2}[0-9]{18}",
-    /* 39: Ireland IBAN (IE, 22 chars) */
+    /* 42: Ireland IBAN (IE, 22 chars) */
     "IE[0-9]{2}[A-Z]{4}[0-9]{14}",
-    /* 40: Switzerland IBAN (CH, 21 chars) */
+    /* 43: Switzerland IBAN (CH, 21 chars) */
     "CH[0-9]{2}[0-9]{5}[A-Z0-9]{12}",
-    /* 41: Austria IBAN (AT, 20 chars) */
+    /* 44: Austria IBAN (AT, 20 chars) */
     "AT[0-9]{2}[0-9]{16}",
-    /* 42: Netherlands IBAN (NL, 18 chars) */
+    /* 45: Netherlands IBAN (NL, 18 chars) */
     "NL[0-9]{2}[A-Z]{4}[0-9]{10}",
-    /* 43: Denmark IBAN (DK, 18 chars) */
+    /* 46: Denmark IBAN (DK, 18 chars) */
     "DK[0-9]{2}[0-9]{14}",
-    /* 44: Finland IBAN (FI, 18 chars) */
+    /* 47: Finland IBAN (FI, 18 chars) */
     "FI[0-9]{2}[0-9]{14}",
-    /* 45: Belgium IBAN (BE, 16 chars) */
+    /* 48: Belgium IBAN (BE, 16 chars) */
     "BE[0-9]{2}[0-9]{12}",
-    /* 46: Norway IBAN (NO, 15 chars) */
+    /* 49: Norway IBAN (NO, 15 chars) */
     "NO[0-9]{2}[0-9]{11}",
 
     /* ---- Tier 4: Structured formats (dots, dashes, slashes, @) ---- */
-    /* 47: Email Address */
+    /* 50: Email Address */
     "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}",
-    /* 48: International Phone Number (E.164) */
+    /* 51: International Phone Number (E.164) */
     "\\+[0-9]{1,3}[- ]?[0-9][0-9 -]{6,13}[0-9]",
-    /* 49: Brazilian CNPJ (XX.XXX.XXX/XXXX-XX) */
+    /* 52: Brazilian CNPJ (XX.XXX.XXX/XXXX-XX) */
     "[0-9]{2}\\.[0-9]{3}\\.[0-9]{3}/[0-9]{4}-[0-9]{2}",
-    /* 50: Brazilian CPF (XXX.XXX.XXX-XX) */
+    /* 53: Brazilian CPF (XXX.XXX.XXX-XX) */
     "[0-9]{3}\\.[0-9]{3}\\.[0-9]{3}-[0-9]{2}",
-    /* 51: UUID v4 / Scaleway Secret Key */
+    /* 54: UUID v4 / Scaleway Secret Key */
     "[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}",
-    /* 52: IPv4 address */
+    /* 55: IPv4 address */
     "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)",
-    /* 53: Credit card numbers (Visa, Mastercard, Amex, Discover, JCB) */
+    /* 56: Credit card numbers (Visa, Mastercard, Amex, Discover, JCB) */
     "(4[0-9]{15}|4[0-9]{12}|5[1-5][0-9]{14}|6011[0-9]{12}|65[0-9]{14}|3[47][0-9]{13}|3[068][0-9]{11}|35[0-9]{14})",
-    /* 54: Indian Aadhaar (XXXX XXXX XXXX or XXXX-XXXX-XXXX) */
+    /* 57: Indian Aadhaar (XXXX XXXX XXXX or XXXX-XXXX-XXXX) */
     "[0-9]{4}[- ][0-9]{4}[- ][0-9]{4}",
 
     /* ---- Tier 5: Letter-anchored patterns ---- */
-    /* 55: Mexican CURP (18 alphanum, distinctive structure) */
+    /* 58: Mexican CURP (18 alphanum, distinctive structure) */
     "[A-Z]{4}[0-9]{6}[HM][A-Z]{5}[A-Z0-9][0-9]",
-    /* 56: Italian CF with omocodia (16 chars) */
+    /* 59: Italian CF with omocodia (16 chars) */
     "[A-Z]{6}[0-9LMNPQRSTUV]{2}[ABCDEHLMPRST][0-9LMNPQRSTUV]{2}[A-Z][0-9LMNPQRSTUV]{3}[A-Z]",
-    /* 57: Italian CF basic (16 chars) */
+    /* 60: Italian CF basic (16 chars) */
     "[A-Z]{6}[0-9]{2}[A-Z][0-9]{2}[A-Z][0-9]{3}[A-Z]",
-    /* 58: UK National Insurance Number (AA 99 99 99 A-D) */
+    /* 61: UK National Insurance Number (AA 99 99 99 A-D) */
     "[A-Z]{2} ?[0-9]{2} ?[0-9]{2} ?[0-9]{2} ?[A-D]",
-    /* 59: Spanish NIE (X/Y/Z + 7 digits + letter) */
+    /* 62: Spanish NIE (X/Y/Z + 7 digits + letter) */
     "[XYZ][0-9]{7}[A-Z]",
-    /* 60: Passport - letter prefix + digits (e.g. AB1234567) */
+    /* 63: Passport - letter prefix + digits (e.g. AB1234567) */
     "[A-Z]{1,2}[0-9]{6,7}",
 
     /* ---- Tier 6: Boundary-wrapped structured (dash/dot/slash separated) ---- */
-    /* 61: South Korean RRN (YYMMDD-XXXXXXX, 14 chars with dash) */
+    /* 64: South Korean RRN (YYMMDD-XXXXXXX, 14 chars with dash) */
     "[0-9]{6}-[0-9]{7}",
-    /* 62: Swiss AHV Number (756.XXXX.XXXX.XX) */
+    /* 65: Swiss AHV Number (756.XXXX.XXXX.XX) */
     "756\\.[0-9]{4}\\.[0-9]{4}\\.[0-9]{2}",
-    /* 63: Finnish HETU (DDMMYY[+-A]XXXC) */
+    /* 66: Finnish HETU (DDMMYY[+-A]XXXC) */
     "[0-9]{6}[-+A][0-9]{3}[0-9A-Y]",
-    /* 64: Swedish Personnummer (YYMMDD[-+]XXXX) */
+    /* 67: Swedish Personnummer (YYMMDD[-+]XXXX) */
     "[0-9]{6}[-+][0-9]{4}",
-    /* 65: Danish CPR Number (DDMMYY-XXXX) */
+    /* 68: Danish CPR Number (DDMMYY-XXXX) */
     "[0-9]{6}-[0-9]{4}",
-    /* 66: Czech Rodné číslo (YYMMDD/XXXX or YYMMDDXXXX) */
+    /* 69: Czech Rodné číslo (YYMMDD/XXXX or YYMMDDXXXX) */
     "[0-9]{6}/?[0-9]{3,4}",
-    /* 67: US Social Security Number (XXX-XX-XXXX) */
+    /* 70: US Social Security Number (XXX-XX-XXXX) */
     "[0-9]{3}-[0-9]{2}-[0-9]{4}",
-    /* 68: US ITIN (9XX-XX-XXXX) */
+    /* 71: US ITIN (9XX-XX-XXXX) */
     "9[0-9]{2}-[0-9]{2}-[0-9]{4}",
-    /* 69: Canadian SIN (XXX-XXX-XXX) */
+    /* 72: Canadian SIN (XXX-XXX-XXX) */
     "[0-9]{3}-[0-9]{3}-[0-9]{3}",
-    /* 70: Australian TFN (XXX-XXX-XXX or XXX XXX XXX) */
+    /* 73: Australian TFN (XXX-XXX-XXX or XXX XXX XXX) */
     "[0-9]{3}[- ][0-9]{3}[- ][0-9]{3}",
-    /* 71: Indian PAN (5 letters + 4 digits + 1 letter) */
+    /* 74: Indian PAN (5 letters + 4 digits + 1 letter) */
     "[A-Z]{5}[0-9]{4}[A-Z]",
-    /* 72: Spanish DNI (8 digits + 1 letter) */
+    /* 75: Spanish DNI (8 digits + 1 letter) */
     "[0-9]{8}[A-Z]",
-    /* 73: Hungarian Tax ID (starts with 8, 10 digits) */
+    /* 76: Hungarian Tax ID (starts with 8, 10 digits) */
     "8[0-9]{9}",
 
     /* ---- Tier 7: Boundary-wrapped pure digits (longest → shortest) ---- */
-    /* 74: French NIR / Social Security (15 digits) */
+    /* 77: French NIR / Social Security (15 digits) */
     "[12][0-9]{2}[01][0-9][0-9]{2}[0-9]{3}[0-9]{3}[0-9]{2}",
-    /* 75: South African ID (13 digits) */
+    /* 78: South African ID (13 digits) */
     "[0-9]{13}",
-    /* 76: Romanian CNP (13 digits, first digit 1-8) */
+    /* 79: Romanian CNP (13 digits, first digit 1-8) */
     "[1-8][0-9]{12}",
-    /* 77: Japanese My Number (12 digits) */
+    /* 80: Japanese My Number (12 digits) */
     "[0-9]{12}",
-    /* 78: Polish PESEL (11 digits) */
+    /* 81: Polish PESEL (11 digits) */
     "[0-9]{11}",
-    /* 79: Belgian National Number (11 digits) */
+    /* 82: Belgian National Number (11 digits) */
     "[0-9]{11}",
-    /* 80: Norwegian Fødselsnummer (11 digits) */
+    /* 83: Norwegian Fødselsnummer (11 digits) */
     "[0-9]{11}",
-    /* 81: Passport - 9 consecutive digits */
+    /* 84: Passport - 9 consecutive digits */
     "[0-9]{9}",
-    /* 82: Dutch BSN (8-9 digits) */
+    /* 85: Dutch BSN (8-9 digits) */
     "[0-9]{8,9}",
-    /* 83: Austrian Abgabenkontonummer (9 digits) */
+    /* 86: Austrian Abgabenkontonummer (9 digits) */
     "[0-9]{9}",
-    /* 84: Polish PESEL duplicate */
+    /* 87: Polish PESEL duplicate */
     "[0-9]{11}"
 };

data/ext/data_redactor/patterns.h

@@ -3,7 +3,7 @@
 
 #include <regex.h>
 
-#define NUM_PATTERNS 85
+#define NUM_PATTERNS 88
 
 extern const char *pattern_strings[NUM_PATTERNS];
 extern const int   boundary_wrapped[NUM_PATTERNS];

data/lib/data_redactor/integrations/rack.rb

@@ -1,6 +1,12 @@
 require "data_redactor"
 
 module DataRedactor
+  # Namespace for the optional framework adapters under
+  # +lib/data_redactor/integrations/+ ({Logger}, +Rails+, {Rack}).
+  #
+  # Each adapter is soft-required — none load with +require "data_redactor"+;
+  # +require+ only the one you need. They add no runtime gem dependencies and
+  # all redaction is delegated to {DataRedactor.redact}.
   module Integrations
     # Rack middleware that scrubs sensitive data from selectable surfaces of
     # the response (and request headers, for downstream loggers to see scrubbed
@@ -23,8 +29,13 @@ module DataRedactor
     #   the env hash so any downstream middleware that logs them sees scrubbed
     #   values.
     class Rack
+      # Surfaces scrubbed when +scrub:+ is not given to {#initialize}.
+      # @return [Array<Symbol>]
       DEFAULT_SCRUB = [:body, :headers].freeze
 
+      # Request-header env keys redacted in place when +:headers+ is scrubbed,
+      # so downstream middleware that logs the env sees scrubbed values.
+      # @return [Array<String>] Rack env keys (HTTP_-prefixed, upper-case).
       SENSITIVE_REQUEST_HEADERS = %w[
         HTTP_AUTHORIZATION
         HTTP_PROXY_AUTHORIZATION
@@ -34,6 +45,9 @@ module DataRedactor
         HTTP_X_ACCESS_TOKEN
       ].freeze
 
+      # Response headers whose values are redacted when +:headers+ is scrubbed.
+      # Matched case-insensitively (Rack 2 capitalises, Rack 3 lower-cases).
+      # @return [Array<String>]
       SENSITIVE_RESPONSE_HEADERS = %w[
         Set-Cookie
         Authorization
@@ -60,6 +74,13 @@ module DataRedactor
         @placeholder = placeholder
       end
 
+      # Rack entry point. Scrubs the configured surfaces of the request and
+      # response and returns the standard Rack response triple.
+      #
+      # @param env [Hash] the Rack environment.
+      # @return [Array(Integer, Hash, #each)] the +[status, headers, body]+
+      #   triple, with sensitive data redacted from the surfaces named in
+      #   +scrub:+. When +:body+ is scrubbed, +Content-Length+ is dropped.
       def call(env)
         scrub_request_headers(env) if @scrub.include?(:headers)
         status, headers, body = @app.call(env)

data/lib/data_redactor/name_pattern.rb

@@ -0,0 +1,170 @@
+# frozen_string_literal: true
+
+module DataRedactor
+  # Maps a base ASCII letter to the set of accented characters that should
+  # also match it. Used to make generated name patterns diacritic-tolerant:
+  # an input "Jose" still matches "José", and "Munoz" matches "Muñoz".
+  #
+  # @api private
+  DIACRITIC_FOLD = {
+    "a" => "àáâãäåāăą",
+    "c" => "çćĉċč",
+    "e" => "èéêëēĕėęě",
+    "i" => "ìíîïĩīĭįı",
+    "n" => "ñńņňʼn",
+    "o" => "òóôõöøōŏő",
+    "u" => "ùúûüũūŭůűų",
+    "y" => "ýÿŷ",
+    "s" => "śŝşš",
+    "z" => "źżž",
+    "g" => "ĝğġģ",
+    "l" => "ĺļľŀł",
+    "r" => "ŕŗř",
+    "t" => "ţťŧ"
+  }.freeze
+
+  module_function
+
+  # Build a POSIX ERE that matches a person's name across common written
+  # variations, ready to hand to {add_pattern}.
+  #
+  # The returned pattern is **boundary-wrapped** — it embeds
+  # +(^|[^A-Za-z])+ ... +([^A-Za-z]|$)+ so that +"Mario"+ matches as a whole
+  # word but not inside +"Mariolino"+. Because the wrapper uses capture
+  # groups, register the pattern with the default +boundary: false+ (do
+  # **not** pass +boundary: true+ — that would double-wrap and reject the
+  # groups).
+  #
+  # Variations covered:
+  # - **Case** — every letter becomes a case-insensitive character class
+  #   (+[Mm][Aa]...+), since POSIX ERE has no +/i+ flag.
+  # - **Order** — +"First Last"+, +"Last First"+, +"Last, First"+,
+  #   +"Last,First"+.
+  # - **Initials** — +"M. Last"+, +"M Last"+, +"First R."+, +"First R"+,
+  #   +"M.R."+, +"M R"+, +"MR"+.
+  # - **Diacritics** — an ASCII letter with a {DIACRITIC_FOLD} entry also
+  #   matches its accented forms (+"Jose"+ matches +"José"+). An accented
+  #   input letter also matches its bare ASCII form.
+  # - **Separators** — spaces and hyphens are interchangeable between and
+  #   within name parts. A hyphenated part like +"Anne-Marie"+ also matches
+  #   +"Anne Marie"+, +"AnneMarie"+, and each half on its own (+"Anne"+,
+  #   +"Marie"+). Multi-word parts like +"Van der Berg"+ tolerate any
+  #   space/hyphen separator between words.
+  #
+  # @param first [String] the given name. May contain hyphens or spaces.
+  # @param last [String] the family name. May contain hyphens or spaces.
+  # @param middle [String, nil] optional middle name. When given, the pattern
+  #   matches **both** the no-middle forms and the with-middle forms.
+  # @return [String] a POSIX ERE source string.
+  # @raise [ArgumentError] if +first+ or +last+ is not a non-empty String,
+  #   or +middle+ is given but is not a non-empty String.
+  #
+  # @example Register a name pattern
+  #   DataRedactor.add_pattern(
+  #     name:  "person_mario_rossi",
+  #     regex: DataRedactor.name_pattern("Mario", "Rossi"),
+  #     tag:   :contact
+  #   )
+  #
+  # @example With a middle name
+  #   DataRedactor.name_pattern("Mario", "Rossi", middle: "Luigi")
+  def name_pattern(first, last, middle: nil)
+    _validate_name_arg!(first, "first")
+    _validate_name_arg!(last, "last")
+    _validate_name_arg!(middle, "middle") unless middle.nil?
+
+    first_tok  = _part_token(first)
+    last_tok   = _part_token(last)
+    middle_tok = middle && _part_token(middle)
+
+    # Separator between name parts. Optional so initial-only forms collapse
+    # ("MR", "M.R.") and so "First,Last" with no space still matches.
+    sep = "[ ,-]*"
+
+    bodies = []
+    bodies << "#{first_tok}#{sep}#{last_tok}"            # First Last
+    bodies << "#{last_tok}#{sep}#{first_tok}"            # Last First / Last, First
+
+    if middle_tok
+      bodies << "#{first_tok}#{sep}#{middle_tok}#{sep}#{last_tok}" # First Middle Last
+      bodies << "#{last_tok}#{sep}#{first_tok}#{sep}#{middle_tok}" # Last First Middle
+    end
+
+    "(^|[^A-Za-z])(#{bodies.join('|')})([^A-Za-z]|$)"
+  end
+
+  # @api private
+  # Build the alternation for one name part: the full case-insensitive name,
+  # or its initial (with optional dot). Hyphenated/multi-word parts also
+  # match each sub-word alone and tolerant separators between sub-words.
+  #
+  # @param part [String] a single name part, e.g. "Mario" or "Anne-Marie".
+  # @return [String] a parenthesised POSIX ERE alternation.
+  def _part_token(part)
+    words = part.split(/[ -]+/).reject(&:empty?)
+
+    word_alts = words.map { |w| _word_alternatives(w) }
+
+    forms = []
+    # whole part with tolerant separators between its words
+    forms << word_alts.map { |alts| "(#{alts.join('|')})" }.join("[ -]?")
+    # each word on its own (covers "Anne" / "Marie" from "Anne-Marie")
+    if words.length > 1
+      word_alts.each { |alts| forms << "(#{alts.join('|')})" }
+    end
+
+    "(#{forms.uniq.join('|')})"
+  end
+
+  # @api private
+  # Alternatives for a single whitespace-free word: the full name (each
+  # letter as a case-insensitive, diacritic-folded class) and its initial.
+  #
+  # @param word [String] a single word with no spaces or hyphens.
+  # @return [Array<String>] alternation members for this word.
+  def _word_alternatives(word)
+    full    = word.chars.map { |ch| _letter_class(ch) }.join
+    initial = "#{_letter_class(word[0])}\\.?"
+    [full, initial]
+  end
+
+  # @api private
+  # Build a POSIX bracket expression matching one letter case-insensitively
+  # and, where applicable, its accented variants.
+  #
+  # @param char [String] a single character.
+  # @return [String] a bracket expression, e.g. "[Mm]" or "[EeÈÉÊËèéêë]".
+  def _letter_class(char)
+    down = char.downcase
+    up   = char.upcase
+    members = [down]
+    members << up unless up == down
+
+    base = DIACRITIC_FOLD.key?(down) ? down : _ascii_base(down)
+    if base && DIACRITIC_FOLD.key?(base)
+      accented = DIACRITIC_FOLD[base]
+      members << accented << accented.upcase
+      members << base << base.upcase # accented input still matches bare ASCII
+    end
+
+    "[#{members.join}]"
+  end
+
+  # @api private
+  # If +char+ is an accented letter, return the bare ASCII letter it folds
+  # to; otherwise nil.
+  #
+  # @param char [String] a single lowercase character.
+  # @return [String, nil]
+  def _ascii_base(char)
+    DIACRITIC_FOLD.each { |ascii, accents| return ascii if accents.include?(char) }
+    nil
+  end
+
+  # @api private
+  def _validate_name_arg!(value, label)
+    return if value.is_a?(String) && !value.strip.empty?
+
+    raise ArgumentError, "#{label} must be a non-empty String, got #{value.inspect}"
+  end
+end

data/lib/data_redactor/version.rb

@@ -1,4 +1,4 @@
 module DataRedactor
   # Current gem version. Follows {https://semver.org Semantic Versioning 2.0.0}.
-  VERSION = "0.7.2"
+  VERSION = "0.9.0"
 end

data/lib/data_redactor.rb

@@ -1,6 +1,8 @@
 require "set"
+require "json"
 require_relative "data_redactor/version"
 require_relative "data_redactor/data_redactor" # loads the compiled .so
+require_relative "data_redactor/name_pattern"
 
 # High-performance regex-based redactor for sensitive data.
 #
@@ -161,6 +163,54 @@ module DataRedactor
     result
   end
 
+  # Recursively redact every String value in a nested Hash/Array structure.
+  #
+  # Walks the structure depth-first. Only String leaves are passed through
+  # {redact}; all other leaf types (Integer, Float, nil, Symbol, Boolean)
+  # are copied unchanged. Hash keys are never modified.
+  #
+  # Returns a deep copy — the original structure is never mutated.
+  #
+  # @param data [Hash, Array, String, Object] the structure to walk.
+  #   Any type is accepted; non-String scalars are returned as-is.
+  # @param only [Symbol, String, Array, nil] forwarded to {redact}.
+  # @param except [Symbol, String, Array, nil] forwarded to {redact}.
+  # @param placeholder [String, :tagged, :hash] forwarded to {redact}.
+  # @return [Hash, Array, String, Object] a new structure of the same shape
+  #   with all String leaves redacted.
+  # @raise [ArgumentError] if the structure contains a circular reference.
+  #
+  # @example Rails params
+  #   safe = DataRedactor.redact_deep(params.to_h)
+  #
+  # @example Mixed filter
+  #   DataRedactor.redact_deep(payload, only: :credentials, placeholder: :tagged)
+  def redact_deep(data, only: nil, except: nil, placeholder: PLACEHOLDER_DEFAULT)
+    _walk(data, only: only, except: except, placeholder: placeholder, seen: Set.new)
+  end
+
+  # Parse +json_string+, redact every String value in the resulting structure,
+  # and return valid JSON.
+  #
+  # Delegates traversal to {redact_deep}. All keyword arguments are forwarded
+  # to {redact}.
+  #
+  # @param json_string [String] valid JSON input.
+  # @param only [Symbol, String, Array, nil] forwarded to {redact}.
+  # @param except [Symbol, String, Array, nil] forwarded to {redact}.
+  # @param placeholder [String, :tagged, :hash] forwarded to {redact}.
+  # @return [String] a JSON string with all String values redacted.
+  # @raise [JSON::ParserError] if +json_string+ is not valid JSON.
+  #
+  # @example
+  #   DataRedactor.redact_json('{"email":"alice@example.com","count":3}')
+  #   # => '{"email":"[REDACTED]","count":3}'
+  def redact_json(json_string, only: nil, except: nil, placeholder: PLACEHOLDER_DEFAULT)
+    parsed = JSON.parse(json_string)
+    redacted = redact_deep(parsed, only: only, except: except, placeholder: placeholder)
+    JSON.generate(redacted)
+  end
+
   # Register a custom redaction pattern.
   #
   # Patterns must be valid POSIX ERE. Ruby-only syntax (+\d+, +\s+, +\w+,
@@ -317,6 +367,31 @@ module DataRedactor
     bits
   end
 
+  # @api private
+  # Depth-first recursive walker for {redact_deep}.
+  # +seen+ is a Set of object_ids already on the current traversal stack,
+  # used to detect circular references.
+  def _walk(node, only:, except:, placeholder:, seen:)
+    case node
+    when String
+      redact(node, only: only, except: except, placeholder: placeholder)
+    when Hash
+      raise ArgumentError, "redact_deep: circular reference detected" if seen.include?(node.object_id)
+      seen.add(node.object_id)
+      result = node.transform_values { |v| _walk(v, only: only, except: except, placeholder: placeholder, seen: seen) }
+      seen.delete(node.object_id)
+      result
+    when Array
+      raise ArgumentError, "redact_deep: circular reference detected" if seen.include?(node.object_id)
+      seen.add(node.object_id)
+      result = node.map { |v| _walk(v, only: only, except: except, placeholder: placeholder, seen: seen) }
+      seen.delete(node.object_id)
+      result
+    else
+      node
+    end
+  end
+
   # @api private
   def pattern_enabled?(name, tag_bit, only_present, only_bits, only_names,
                        except_bits, except_names)

data/readme.md

@@ -8,7 +8,32 @@ A Ruby gem with a C extension for high-performance regex-based redaction of sens
 
 ## What it does
 
-DataRedactor scans text for sensitive patterns and replaces matches with `[REDACTED]`. It uses a C extension backed by POSIX `regex.h` so the heavy lifting happens outside the Ruby VM, making it fast enough for large payloads.
+DataRedactor scans text for sensitive data — API keys and cloud secrets, IBANs,
+credit cards, national IDs, emails, phone numbers, IPs, and more — and replaces
+each match with a placeholder. The scanning runs in a C extension backed by POSIX
+`regex.h`, so the heavy lifting happens outside the Ruby VM and stays fast enough
+to run inline on large payloads.
+
+It ships **88 built-in patterns** across 15+ countries, grouped into tags
+(`:credentials`, `:financial`, `:contact`, ...) so you can redact only what you
+care about. Beyond plain strings it can walk nested Hashes, Arrays, and JSON,
+audit a payload without mutating it (`scan`), and plug into Logger, Rails, and
+Rack. You can also register your own patterns at boot.
+
+### Use cases
+
+- **Log scrubbing** — drop the `Logger` formatter in so no secret or PII ever
+  reaches disk or your log aggregator.
+- **Rails parameter filtering** — feed `filter_parameters` a redactor-backed proc
+  to keep request params out of logs and error reports.
+- **HTTP request/response sanitising** — Rack middleware scrubs response bodies
+  and sensitive headers in flight.
+- **Sanitising LLM / API payloads** — run `redact_deep` over a params hash or
+  `redact_json` over a JSON body before it leaves the process.
+- **Compliance & auditing** — `scan` reports every match with byte offsets, tag,
+  and pattern name without changing the text, for false-positive tuning.
+- **Internal identifiers** — register company-specific patterns (`add_pattern`)
+  or generate them from a person's name (`name_pattern`).
 
 ## Usage
 
@@ -103,6 +128,36 @@ DataRedactor.scan(text, except: :network)
 DataRedactor.scan(text, only: :contact, except: ["email"])
 ```
 
+### Hash / JSON traversal
+
+Redact every string value inside a nested Hash or Array — useful for params hashes, Sidekiq job payloads, webhook bodies, and anything that isn't a flat string:
+
+```ruby
+# Hash — returns a deep copy, never mutates the input
+result = DataRedactor.redact_deep({
+  "user"  => { "email" => "alice@example.com" },
+  "count" => 3,
+  "tags"  => ["admin", "alice@example.com"]
+})
+# => { "user" => { "email" => "[REDACTED]" }, "count" => 3, "tags" => ["admin", "[REDACTED]"] }
+
+# Hash keys are never touched — only values are redacted
+# Non-string scalars (Integer, Float, nil, Boolean) pass through unchanged
+
+# Accepts the same filters as redact
+DataRedactor.redact_deep(params, only: :credentials)
+DataRedactor.redact_deep(payload, except: :network, placeholder: :tagged)
+```
+
+```ruby
+# JSON string — parse → redact_deep → re-serialise
+safe_json = DataRedactor.redact_json('{"email":"alice@example.com","count":3}')
+# => '{"email":"[REDACTED]","count":3}'
+
+# Raises JSON::ParserError on invalid input
+DataRedactor.redact_json("not json")  # => JSON::ParserError
+```
+
 ### Custom patterns
 
 Teams often have internal IDs that the gem can't ship. Register them at boot:
@@ -128,6 +183,46 @@ DataRedactor.clear_custom_patterns!               # mostly for test suites
 
 **`boundary: true`** — wraps the pattern with `(^|[^0-9A-Za-z])(PATTERN)([^0-9A-Za-z]|$)` so it only fires when the token is not embedded in a longer alphanumeric string. Incompatible with patterns that contain capture groups.
 
+### Name patterns
+
+Personal names can't ship as built-ins — every team has different ones — but the regex
+boilerplate to match a name across its written variations is the same every time.
+`name_pattern` generates that regex for you, ready to hand to `add_pattern`:
+
+```ruby
+DataRedactor.add_pattern(
+  name:  "person_mario_rossi",
+  regex: DataRedactor.name_pattern("Mario", "Rossi"),
+  tag:   :contact
+)
+
+DataRedactor.redact("ticket from Mario Rossi about ...")
+# => "ticket from [REDACTED] about ..."
+```
+
+A single generated pattern matches all of these:
+
+- **Case** — `Mario Rossi`, `mario rossi`, `MARIO ROSSI`
+- **Order** — `Mario Rossi`, `Rossi Mario`, `Rossi, Mario`, `Rossi,Mario`
+- **Initials** — `M. Rossi`, `M Rossi`, `Mario R.`, `M.R.`, `MR`
+- **Diacritics** — `name_pattern("Jose", "Munoz")` also matches `José Muñoz` (and vice versa)
+- **Separators** — spaces and hyphens are interchangeable. `name_pattern("Anne-Marie", "Berg")`
+  matches `Anne-Marie Berg`, `Anne Marie Berg`, `AnneMarie Berg`, and each half alone
+  (`Anne Berg`, `Marie Berg`). Multi-word parts like `"Van der Berg"` tolerate any
+  space/hyphen separator between words.
+
+It does **not** match a name embedded in a longer word — `Mario` will not fire inside
+`Mariolino` — because the generated pattern is boundary-wrapped. For that reason, register
+it with the default `boundary: false` (the wrapper is already baked into the returned
+string; `boundary: true` would double-wrap and reject its capture groups).
+
+Pass `middle:` to also cover a middle name — both the no-middle and with-middle forms match:
+
+```ruby
+DataRedactor.name_pattern("Mario", "Rossi", middle: "Luigi")
+# matches "Mario Rossi" AND "Mario Luigi Rossi" AND "Rossi Mario Luigi"
+```
+
 ## Integrations
 
 Optional adapters for Logger, Rails, and Rack. None are loaded automatically — `require` only what you use, and the gem adds zero runtime dependencies in the gemspec.
@@ -179,7 +274,7 @@ Pass an empty subset (e.g. `scrub: [:headers]`) to opt out of body wrapping. For
 
 > **Body wrapping is buffering.** The middleware reads the entire response body into memory before scanning. For streaming endpoints (SSE, large file downloads, Rack::Hijack) use `scrub: [:headers]` and rely on the Logger formatter for application logs instead.
 
-## Detected patterns (85 total)
+## Detected patterns (88 total)
 
 The table below is a representative sample. Use `DataRedactor.pattern_names` for the canonical, machine-readable list — it stays in sync with the C extension automatically.
 
@@ -276,7 +371,9 @@ redactor/
 ├── lib/
 │   ├── data_redactor.rb          # Ruby entry point, loads the .so
 │   └── data_redactor/
-│       └── version.rb
+│       ├── version.rb
+│       ├── name_pattern.rb        # name_pattern helper — generates a name regex for add_pattern
+│       └── integrations/          # soft-required Logger / Rails / Rack adapters
 ├── ext/
 │   └── data_redactor/
 │       ├── extconf.rb            # Checks for C headers, generates Makefile (globs *.c)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: data_redactor
 version: !ruby/object:Gem::Version
-  version: 0.7.2
+  version: 0.9.0
 platform: ruby
 authors:
 - Daniele Frisanco
@@ -110,6 +110,7 @@ files:
 - lib/data_redactor/integrations/logger.rb
 - lib/data_redactor/integrations/rack.rb
 - lib/data_redactor/integrations/rails.rb
+- lib/data_redactor/name_pattern.rb
 - lib/data_redactor/version.rb
 - readme.md
 homepage: https://github.com/danielefrisanco/data_redactor