data_redactor 0.16.0-arm64-darwin → 0.17.0-arm64-darwin

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 87c178770af1ed45ec30bad82d0492c00ab22ed0edd586e45004d7f957b83633
-  data.tar.gz: faac6457de9c29c260d961552d1dfe9c8630c4337a4de248364415da063d4777
+  metadata.gz: 3385fb2002595de048f01063e071f0412d980a6fb3fc0bb0582825101f8e844e
+  data.tar.gz: 6697ddbdbe27edfa1c42be5139b8b7839df461474c20ff7db116873a77d5afdc
 SHA512:
-  metadata.gz: 8d47cb0649e47b261f55322492fa0aeb46c760bf7df3c0633718f9df01f9e442345f4959b27226ecf6a8337c86ceef9333e6965e68c94cb2ef7ac917abb5820f
-  data.tar.gz: ed87211137a545daa54fc0b36dd6520e192f86edfb31f69fb138782e6270948f52a2a77f24fb042e75e3b8f7957efef4adec300bb65a84e36cd36312c3269fa4
+  metadata.gz: 69c893d101b200460bba95371a14296d1e1146d4b3a646bbc10011809bbebdefb91a762ed7724079011b4f45c39e01007474f41c47e7c6b5d6fba878cb9166fc
+  data.tar.gz: 31b8f13784c02607e90e6ec7b2d5e2e7897aaa214e78a91c0de75225676759056ec0aa220e28140a9a8c105d31d373c2837689083abcb227a347ba99e3465201

data/CHANGELOG.md

@@ -7,6 +7,24 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.17.0] - 2026-06-21
+
+### Added
+- **Transparent `ruby_llm` integration (opt-in monkeypatch).**
+  `require "data_redactor/integrations/ruby_llm"` then
+  `DataRedactor::Integrations::RubyLLM.install!` prepends a small patch onto
+  `RubyLLM::Protocol#render`, so **every** outbound request is deep-redacted
+  before it is posted — no per-call `.redact`. One hook covers all providers
+  (Anthropic, OpenAI, Gemini, Bedrock, Responses) and scrubs the user prompt,
+  system prompt, tool definitions, and any file/command-output that an agent fed
+  back as a tool result (all inlined as strings in the payload). Forwards
+  `only:`/`except:`/`placeholder:`; idempotent; fails fast at `install!` if an
+  unsupported `ruby_llm` version is loaded or `Protocol#render` is missing.
+  **Limitation:** base64 attachments (PDFs/images/audio) and URL-referenced
+  files are not redacted — the secret bytes are encoded or remote, so patterns
+  cannot see them. This is a monkeypatch on internal API and is version-pinned;
+  the clean alternative remains per-call `DataRedactor.redact` before `chat.ask`.
+
 ## [0.16.0] - 2026-06-21
 
 ### Added
@@ -336,7 +354,8 @@ features as 0.7.1 plus the pipeline fix.
 - `DataRedactor.redact(text)` module function returning the input with every match replaced by `[REDACTED]`.
 - RSpec suite with one example per pattern.
 
-[Unreleased]: https://github.com/danielefrisanco/data_redactor/compare/v0.16.0...HEAD
+[Unreleased]: https://github.com/danielefrisanco/data_redactor/compare/v0.17.0...HEAD
+[0.17.0]: https://github.com/danielefrisanco/data_redactor/compare/v0.16.0...v0.17.0
 [0.16.0]: https://github.com/danielefrisanco/data_redactor/compare/v0.15.0...v0.16.0
 [0.15.0]: https://github.com/danielefrisanco/data_redactor/compare/v0.14.1...v0.15.0
 [0.14.1]: https://github.com/danielefrisanco/data_redactor/compare/v0.14.0...v0.14.1

data/README.md

@@ -358,7 +358,28 @@ chat.ask(DataRedactor.redact(user_input))
 # the model receives: "My card is [REDACTED] and my email is [REDACTED]"
 ```
 
-Wrap each prompt (and any `with_instructions` system prompt) in `DataRedactor.redact` before passing it to `ask`. This is a per-call step you opt into — RubyLLM does not yet expose a request hook for automatic, transparent redaction of every outbound call ([crmne/ruby_llm#765](https://github.com/crmne/ruby_llm/issues/765) tracks the connection-middleware hook that would enable it).
+Wrap each prompt (and any `with_instructions` system prompt) in `DataRedactor.redact` before passing it to `ask`. This is a per-call step you opt into, and it's the recommended approach.
+
+#### Transparent mode (every request, no per-call wrapping)
+
+If you'd rather redact **every** outbound request automatically — including the system prompt, tool definitions, and any file contents or shell-command output an agent feeds back as a tool result — opt into the monkeypatch:
+
+```ruby
+require "ruby_llm"
+require "data_redactor/integrations/ruby_llm"
+
+DataRedactor::Integrations::RubyLLM.install!   # once, at boot
+
+chat = RubyLLM.chat(model: "claude-opus-4-8")
+chat.ask("my card is 4111111111111111")        # sent as "my card is [REDACTED]"
+```
+
+`install!` prepends a patch onto `RubyLLM::Protocol#render` — the one point where every provider (Anthropic, OpenAI, Gemini, Bedrock, Responses) has assembled its final request — and deep-redacts the payload before it's posted. It forwards `only:`/`except:`/`placeholder:`, is idempotent, and **fails fast** at `install!` if an unsupported `ruby_llm` version is loaded or the internal API has moved (so it never silently leaks).
+
+Two caveats, by design:
+
+- **It's a monkeypatch on RubyLLM internals**, pinned to a supported version range. Prefer per-call `DataRedactor.redact` (above) unless you specifically need transparency. RubyLLM does not yet expose a public request hook ([crmne/ruby_llm#765](https://github.com/crmne/ruby_llm/issues/765) tracks the connection-middleware hook that would let us drop the patch).
+- **Base64 attachments** (PDFs, images, audio sent inline) and **URL-referenced files** are not redacted — the sensitive bytes are encoded or remote, so patterns cannot see them.
 
 ## Detected patterns (89 total)
 

data/lib/data_redactor/integrations/ruby_llm.rb

@@ -0,0 +1,120 @@
+require "data_redactor"
+
+module DataRedactor
+  module Integrations
+    # Transparent outbound redaction for the `ruby_llm` gem (crmne/ruby_llm).
+    #
+    # Calling {install!} prepends a small module onto `RubyLLM::Protocol` that
+    # deep-redacts the **rendered request payload** before it is posted to any
+    # provider. `Protocol#render` is the single point where every provider
+    # (Anthropic, OpenAI/chat_completions, Gemini, Bedrock/Converse, Responses)
+    # has assembled its final request Hash, so one hook covers them all without
+    # knowing any provider-specific shape.
+    #
+    # Because the payload is walked with {DataRedactor.redact_deep}, this scrubs
+    # **every String leaf** in the request: the user prompt, the system prompt,
+    # tool definitions, and — crucially — any file contents or shell-command
+    # output that an agent fed back in as a tool result, since those are already
+    # inlined as strings in `messages` by the time `render` runs.
+    #
+    # This is a monkeypatch (a `prepend` onto a private internal class). It is
+    # opt-in and pinned: {install!} raises unless a supported `ruby_llm` version
+    # is loaded and `RubyLLM::Protocol#render` still exists, so an upstream
+    # refactor fails loudly at install time rather than silently leaking data.
+    # Prefer this only when you need redaction to be *transparent*; otherwise
+    # redact per call with {DataRedactor.redact} before `chat.ask`.
+    #
+    # ## What is NOT redacted
+    # - **Base64 attachments** (PDFs, images, audio sent inline as base64) — the
+    #   sensitive bytes are encoded, so patterns cannot see into them.
+    # - **URL-referenced files/images** — the content lives on a remote server
+    #   and never enters the payload.
+    #
+    # @example Make every ruby_llm request redacted, app-wide
+    #   require "data_redactor/integrations/ruby_llm"
+    #   DataRedactor::Integrations::RubyLLM.install!
+    #
+    #   chat = RubyLLM.chat(model: "claude-opus-4-8")
+    #   chat.ask("my card is 4111111111111111")  # sent as "my card is [REDACTED]"
+    #
+    # @example Scope the redaction with the usual filters
+    #   DataRedactor::Integrations::RubyLLM.install!(only: [:financial, :contact])
+    module RubyLLM
+      module_function
+
+      # ruby_llm versions whose `Protocol#render` chokepoint this integration
+      # has been verified against. Bump (and re-verify) on each ruby_llm release.
+      SUPPORTED_VERSION = "~> 1.16"
+
+      # Prepend the redaction patch onto `RubyLLM::Protocol`. Idempotent: a
+      # second call with the patch already installed is a no-op (the filter
+      # options from the first successful install are kept).
+      #
+      # The `only:`/`except:`/`placeholder:` filters are captured here and
+      # applied to every subsequent request.
+      #
+      # @param only [Symbol, String, Array, nil] forwarded to {DataRedactor.redact_deep}.
+      # @param except [Symbol, String, Array, nil] forwarded to {DataRedactor.redact_deep}.
+      # @param placeholder [String, Symbol] forwarded to {DataRedactor.redact_deep}.
+      # @return [void]
+      # @raise [RuntimeError] if `ruby_llm` is not loaded, the loaded version is
+      #   outside {SUPPORTED_VERSION}, or `RubyLLM::Protocol#render` is missing
+      #   (i.e. an upstream refactor moved the chokepoint).
+      def install!(only: nil, except: nil, placeholder: DataRedactor::PLACEHOLDER_DEFAULT)
+        ensure_compatible!
+
+        @options = { only: only, except: except, placeholder: placeholder }
+        return if installed?
+
+        ::RubyLLM::Protocol.prepend(PayloadPatch)
+      end
+
+      # @return [Boolean] whether the redaction patch is currently on
+      #   `RubyLLM::Protocol`.
+      def installed?
+        defined?(::RubyLLM::Protocol) &&
+          ::RubyLLM::Protocol.ancestors.include?(PayloadPatch)
+      end
+
+      # @!visibility private
+      # @return [Hash] the filter options captured at {install!}.
+      def options
+        @options ||= { only: nil, except: nil, placeholder: DataRedactor::PLACEHOLDER_DEFAULT }
+      end
+
+      # @!visibility private
+      def ensure_compatible!
+        unless defined?(::RubyLLM::VERSION)
+          raise "data_redactor ruby_llm integration: require \"ruby_llm\" before calling install!"
+        end
+
+        unless Gem::Requirement.new(SUPPORTED_VERSION).satisfied_by?(Gem::Version.new(::RubyLLM::VERSION))
+          raise "data_redactor ruby_llm integration supports ruby_llm #{SUPPORTED_VERSION}, " \
+                "got #{::RubyLLM::VERSION}. Check for a newer data_redactor or pin ruby_llm."
+        end
+
+        unless ::RubyLLM::Protocol.method_defined?(:render) || ::RubyLLM::Protocol.private_method_defined?(:render)
+          raise "data_redactor ruby_llm integration: RubyLLM::Protocol#render not found — " \
+                "the upstream request-rendering API changed. This integration needs an update."
+        end
+      end
+
+      # Prepended onto `RubyLLM::Protocol`. `Protocol#complete` calls
+      # `payload = render(...)` and then posts that payload, so redacting the
+      # return value of `render` redacts the request without touching anything
+      # else in the send path.
+      module PayloadPatch
+        def render(*args, **kwargs)
+          payload = super
+          opts = DataRedactor::Integrations::RubyLLM.options
+          DataRedactor.redact_deep(
+            payload,
+            only: opts[:only],
+            except: opts[:except],
+            placeholder: opts[:placeholder]
+          )
+        end
+      end
+    end
+  end
+end

data/lib/data_redactor/version.rb

@@ -1,4 +1,4 @@
 module DataRedactor
   # Current gem version. Follows {https://semver.org Semantic Versioning 2.0.0}.
-  VERSION = "0.16.0"
+  VERSION = "0.17.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: data_redactor
 version: !ruby/object:Gem::Version
-  version: 0.16.0
+  version: 0.17.0
 platform: arm64-darwin
 authors:
 - Daniele Frisanco
@@ -120,6 +120,7 @@ files:
 - lib/data_redactor/integrations/openai.rb
 - lib/data_redactor/integrations/rack.rb
 - lib/data_redactor/integrations/rails.rb
+- lib/data_redactor/integrations/ruby_llm.rb
 - lib/data_redactor/name_pattern.rb
 - lib/data_redactor/refinements.rb
 - lib/data_redactor/version.rb