data_redactor 0.7.2 → 0.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 24e5a8c5434fa45e6465033d7a2792a94c0b8f0d9f3ff3ca49a3a6c3c6e4065b
-  data.tar.gz: dbe07535163dd1926ce11495aee8b8e2476eb0750a7b028c7af6a7428c6f39c5
+  metadata.gz: aae84ce43ab8d2ad6751ade655397480057d687bdff7a6b857ee2821dffeb91b
+  data.tar.gz: 6e01ebe9d76e64ac3a93c31f14f7089ddaff4645e0819dec675d7585e37c4078
 SHA512:
-  metadata.gz: af2e9c869e54e7694eec166586f4baa3b16121c02f10f160db1a422ef9f6c87237ebab3c210bd950a4ab60551e3a6b32e8ccb0d2cfd695b90343cbbd5f8bd6a0
-  data.tar.gz: 9ac096890d738968525e50d3b0d5517f92886899176991ee3ee49a218398b5b47e470ff46b4c41fa458bc3a265f0069aaef2b4010e1296708e2470b7d8638b83
+  metadata.gz: a80b34b6e35fdf97cca2d9fecf1cb136b0e0c676ca1e3080c3680aaeb41b442cb2400c371e38417703910fc023ad01a3cf61f2f4a8f8dc5d4bd681174420d2b4
+  data.tar.gz: 4dbf049d027385c21a721044ac6651f4b24b33500af98a0c4c88d7860c06eb2721ea5aab4b8793f6fcd5614cac0cc645c1f67e73b5ebf8d7ff04ead58b67a244

data/CHANGELOG.md

@@ -7,6 +7,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+- `DataRedactor.redact_deep(data, only:, except:, placeholder:)` — recursively redacts every String value in a nested Hash/Array structure. Non-string scalars (Integer, Float, nil, Boolean) and Hash keys are passed through unchanged. Returns a deep copy; never mutates the input. Raises `ArgumentError` on circular references.
+- `DataRedactor.redact_json(json_string, only:, except:, placeholder:)` — parses JSON, redacts via `redact_deep`, and returns valid JSON. Raises `JSON::ParserError` on invalid input.
+- HashiCorp Vault service tokens (`hvs.` prefix, 90–120 chars) — pattern `hashicorp_vault_service_token`
+- HashiCorp Vault batch tokens (`hvb.` prefix, 138–300 chars) — pattern `hashicorp_vault_batch_token`
+- HashiCorp Terraform Cloud API tokens (`<14-char-id>.atlasv1.<token>`) — pattern `hashicorp_terraform_api_token`
+
+All three HashiCorp patterns are tagged `:credentials` and do not require word-boundary wrapping (distinctive prefixes eliminate false positives).
+
 ## [0.7.2] - 2026-05-09
 
 **Supersedes 0.7.1, which has been yanked from RubyGems.**

data/ext/data_redactor/patterns.c

@@ -56,67 +56,70 @@ const int boundary_wrapped[NUM_PATTERNS] = {
     0, /* 26: Scaleway Access Key */
     0, /* 27: PEM private key header (generic) */
     0, /* 28: GPG Private Key Block */
+    0, /* 29: HashiCorp Vault Service Token (hvs.) */
+    0, /* 30: HashiCorp Vault Batch Token (hvb.) */
+    0, /* 31: HashiCorp Terraform Cloud API Token (atlasv1) */
     /* ---- Tier 3: IBANs (longest → shortest) ---- */
-    0, /* 29: Hungary IBAN (28 chars) */
-    0, /* 30: Poland IBAN (28 chars) */
-    0, /* 31: France IBAN (27 chars) */
-    0, /* 32: Italy IBAN (27 chars) */
-    0, /* 33: Portugal IBAN (25 chars) */
-    0, /* 34: Spain IBAN (24 chars) */
-    0, /* 35: Czechia IBAN (24 chars) */
-    0, /* 36: Romania IBAN (24 chars) */
-    0, /* 37: Sweden IBAN (24 chars) */
-    0, /* 38: Germany IBAN (22 chars) */
-    0, /* 39: Ireland IBAN (22 chars) */
-    0, /* 40: Switzerland IBAN (21 chars) */
-    0, /* 41: Austria IBAN (20 chars) */
-    0, /* 42: Netherlands IBAN (18 chars) */
-    0, /* 43: Denmark IBAN (18 chars) */
-    0, /* 44: Finland IBAN (18 chars) */
-    0, /* 45: Belgium IBAN (16 chars) */
-    0, /* 46: Norway IBAN (15 chars) */
+    0, /* 32: Hungary IBAN (28 chars) */
+    0, /* 33: Poland IBAN (28 chars) */
+    0, /* 34: France IBAN (27 chars) */
+    0, /* 35: Italy IBAN (27 chars) */
+    0, /* 36: Portugal IBAN (25 chars) */
+    0, /* 37: Spain IBAN (24 chars) */
+    0, /* 38: Czechia IBAN (24 chars) */
+    0, /* 39: Romania IBAN (24 chars) */
+    0, /* 40: Sweden IBAN (24 chars) */
+    0, /* 41: Germany IBAN (22 chars) */
+    0, /* 42: Ireland IBAN (22 chars) */
+    0, /* 43: Switzerland IBAN (21 chars) */
+    0, /* 44: Austria IBAN (20 chars) */
+    0, /* 45: Netherlands IBAN (18 chars) */
+    0, /* 46: Denmark IBAN (18 chars) */
+    0, /* 47: Finland IBAN (18 chars) */
+    0, /* 48: Belgium IBAN (16 chars) */
+    0, /* 49: Norway IBAN (15 chars) */
     /* ---- Tier 4: Structured formats (dots, dashes, slashes, @) ---- */
-    0, /* 47: Email Address */
-    0, /* 48: International Phone Number */
-    0, /* 49: Brazilian CNPJ (XX.XXX.XXX/XXXX-XX) */
-    0, /* 50: Brazilian CPF (XXX.XXX.XXX-XX) */
-    0, /* 51: UUID v4 */
-    0, /* 52: IPv4 address */
-    0, /* 53: Credit card numbers */
-    0, /* 54: Indian Aadhaar (XXXX XXXX XXXX) */
+    0, /* 50: Email Address */
+    0, /* 51: International Phone Number */
+    0, /* 52: Brazilian CNPJ (XX.XXX.XXX/XXXX-XX) */
+    0, /* 53: Brazilian CPF (XXX.XXX.XXX-XX) */
+    0, /* 54: UUID v4 */
+    0, /* 55: IPv4 address */
+    0, /* 56: Credit card numbers */
+    0, /* 57: Indian Aadhaar (XXXX XXXX XXXX) */
     /* ---- Tier 5: Letter-anchored patterns ---- */
-    0, /* 55: Mexican CURP (18 alphanum, distinctive structure) */
-    0, /* 56: Italian CF with omocodia (16 chars) */
-    0, /* 57: Italian CF basic (16 chars) */
-    0, /* 58: UK National Insurance Number */
-    0, /* 59: Spanish NIE (X/Y/Z prefix) */
-    0, /* 60: Passport letter prefix + digits */
+    0, /* 58: Mexican CURP (18 alphanum, distinctive structure) */
+    0, /* 59: Italian CF with omocodia (16 chars) */
+    0, /* 60: Italian CF basic (16 chars) */
+    0, /* 61: UK National Insurance Number */
+    0, /* 62: Spanish NIE (X/Y/Z prefix) */
+    0, /* 63: Passport letter prefix + digits */
     /* ---- Tier 6: Boundary-wrapped structured (dash/dot/slash separated) ---- */
-    1, /* 61: South Korean RRN (YYMMDD-XXXXXXX, 14 chars) */
-    1, /* 62: Swiss AHV Number (756.XXXX.XXXX.XX) */
-    1, /* 63: Finnish HETU (DDMMYY[+-A]XXXC) */
-    1, /* 64: Swedish Personnummer (YYMMDD[-+]XXXX) */
-    1, /* 65: Danish CPR Number (DDMMYY-XXXX) */
-    1, /* 66: Czech Rodné číslo (YYMMDD/XXXX) */
-    1, /* 67: US Social Security Number (XXX-XX-XXXX) */
-    1, /* 68: US ITIN (9XX-XX-XXXX) */
-    1, /* 69: Canadian SIN (XXX-XXX-XXX) */
-    1, /* 70: Australian TFN (XXX-XXX-XXX) */
-    1, /* 71: Indian PAN (AAAAA0000A) */
-    1, /* 72: Spanish DNI (8 digits + letter) */
-    1, /* 73: Hungarian Tax ID (8XXXXXXXXX, 10 digits) */
+    1, /* 64: South Korean RRN (YYMMDD-XXXXXXX, 14 chars) */
+    1, /* 65: Swiss AHV Number (756.XXXX.XXXX.XX) */
+    1, /* 66: Finnish HETU (DDMMYY[+-A]XXXC) */
+    1, /* 67: Swedish Personnummer (YYMMDD[-+]XXXX) */
+    1, /* 68: Danish CPR Number (DDMMYY-XXXX) */
+    1, /* 69: Czech Rodné číslo (YYMMDD/XXXX) */
+    1, /* 70: US Social Security Number (XXX-XX-XXXX) */
+    1, /* 71: US ITIN (9XX-XX-XXXX) */
+    1, /* 72: Canadian SIN (XXX-XXX-XXX) */
+    1, /* 73: Australian TFN (XXX-XXX-XXX) */
+    1, /* 74: Indian PAN (AAAAA0000A) */
+    1, /* 75: Spanish DNI (8 digits + letter) */
+    1, /* 76: Hungarian Tax ID (8XXXXXXXXX, 10 digits) */
     /* ---- Tier 7: Boundary-wrapped pure digits (longest → shortest) ---- */
-    1, /* 74: French NIR (15 digits) */
-    1, /* 75: South African ID (13 digits) */
-    1, /* 76: Romanian CNP (13 digits) */
-    1, /* 77: Japanese My Number (12 digits) */
-    1, /* 78: Polish PESEL (11 digits) */
-    1, /* 79: Belgian National Number (11 digits) */
-    1, /* 80: Norwegian Fødselsnummer (11 digits) */
-    1, /* 81: Passport 9 digits */
-    1, /* 82: Dutch BSN (8-9 digits) */
-    1, /* 83: Austrian Abgabenkontonummer (9 digits) */
-    1  /* 84: Polish PESEL duplicate */
+    1, /* 77: French NIR (15 digits) */
+    1, /* 78: South African ID (13 digits) */
+    1, /* 79: Romanian CNP (13 digits) */
+    1, /* 80: Japanese My Number (12 digits) */
+    1, /* 81: Polish PESEL (11 digits) */
+    1, /* 82: Belgian National Number (11 digits) */
+    1, /* 83: Norwegian Fødselsnummer (11 digits) */
+    1, /* 84: Passport 9 digits */
+    1, /* 85: Dutch BSN (8-9 digits) */
+    1, /* 86: Austrian Abgabenkontonummer (9 digits) */
+    1  /* 87: Polish PESEL duplicate */
 };
 
 /*
@@ -124,56 +127,57 @@ const int boundary_wrapped[NUM_PATTERNS] = {
  * patterns run when the caller passes a mask (only/except).
  */
 const int pattern_tags[NUM_PATTERNS] = {
-    /* 0-28: secrets, API keys, tokens, private keys, webhooks */
+    /* 0-31: secrets, API keys, tokens, private keys, webhooks */
     TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS,
     TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS,
     TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS,
     TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS,
     TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS,
     TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS,
-    /* 29-46: IBANs */
+    TAG_CREDENTIALS, TAG_CREDENTIALS, TAG_CREDENTIALS,
+    /* 32-49: IBANs */
     TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL,
     TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL,
     TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL,
     TAG_FINANCIAL, TAG_FINANCIAL, TAG_FINANCIAL,
-    TAG_CONTACT,      /* 47: email */
-    TAG_CONTACT,      /* 48: phone */
-    TAG_TAX_ID,       /* 49: Brazilian CNPJ */
-    TAG_TAX_ID,       /* 50: Brazilian CPF */
-    TAG_OTHER,        /* 51: UUID v4 */
-    TAG_NETWORK,      /* 52: IPv4 */
-    TAG_FINANCIAL,    /* 53: credit card */
-    TAG_NATIONAL_ID,  /* 54: Indian Aadhaar */
-    TAG_NATIONAL_ID,  /* 55: Mexican CURP */
-    TAG_TAX_ID,       /* 56: Italian CF (omocodia) */
-    TAG_TAX_ID,       /* 57: Italian CF (basic) */
-    TAG_NATIONAL_ID,  /* 58: UK NIN */
-    TAG_NATIONAL_ID,  /* 59: Spanish NIE */
-    TAG_TRAVEL,       /* 60: passport letter prefix */
-    TAG_NATIONAL_ID,  /* 61: Korean RRN */
-    TAG_NATIONAL_ID,  /* 62: Swiss AHV */
-    TAG_NATIONAL_ID,  /* 63: Finnish HETU */
-    TAG_NATIONAL_ID,  /* 64: Swedish Personnummer */
-    TAG_NATIONAL_ID,  /* 65: Danish CPR */
-    TAG_NATIONAL_ID,  /* 66: Czech Rodné číslo */
-    TAG_NATIONAL_ID,  /* 67: US SSN */
-    TAG_TAX_ID,       /* 68: US ITIN */
-    TAG_NATIONAL_ID,  /* 69: Canadian SIN */
-    TAG_TAX_ID,       /* 70: Australian TFN */
-    TAG_TAX_ID,       /* 71: Indian PAN */
-    TAG_NATIONAL_ID,  /* 72: Spanish DNI */
-    TAG_TAX_ID,       /* 73: Hungarian Tax ID */
-    TAG_NATIONAL_ID,  /* 74: French NIR */
-    TAG_NATIONAL_ID,  /* 75: South African ID */
-    TAG_NATIONAL_ID,  /* 76: Romanian CNP */
-    TAG_TAX_ID,       /* 77: Japanese My Number */
-    TAG_NATIONAL_ID,  /* 78: Polish PESEL */
-    TAG_NATIONAL_ID,  /* 79: Belgian National Number */
-    TAG_NATIONAL_ID,  /* 80: Norwegian Fødselsnummer */
-    TAG_TRAVEL,       /* 81: passport 9 digits */
-    TAG_NATIONAL_ID,  /* 82: Dutch BSN */
-    TAG_TAX_ID,       /* 83: Austrian Abgabenkontonummer */
-    TAG_NATIONAL_ID   /* 84: Polish PESEL duplicate */
+    TAG_CONTACT,      /* 50: email */
+    TAG_CONTACT,      /* 51: phone */
+    TAG_TAX_ID,       /* 52: Brazilian CNPJ */
+    TAG_TAX_ID,       /* 53: Brazilian CPF */
+    TAG_OTHER,        /* 54: UUID v4 */
+    TAG_NETWORK,      /* 55: IPv4 */
+    TAG_FINANCIAL,    /* 56: credit card */
+    TAG_NATIONAL_ID,  /* 57: Indian Aadhaar */
+    TAG_NATIONAL_ID,  /* 58: Mexican CURP */
+    TAG_TAX_ID,       /* 59: Italian CF (omocodia) */
+    TAG_TAX_ID,       /* 60: Italian CF (basic) */
+    TAG_NATIONAL_ID,  /* 61: UK NIN */
+    TAG_NATIONAL_ID,  /* 62: Spanish NIE */
+    TAG_TRAVEL,       /* 63: passport letter prefix */
+    TAG_NATIONAL_ID,  /* 64: Korean RRN */
+    TAG_NATIONAL_ID,  /* 65: Swiss AHV */
+    TAG_NATIONAL_ID,  /* 66: Finnish HETU */
+    TAG_NATIONAL_ID,  /* 67: Swedish Personnummer */
+    TAG_NATIONAL_ID,  /* 68: Danish CPR */
+    TAG_NATIONAL_ID,  /* 69: Czech Rodné číslo */
+    TAG_NATIONAL_ID,  /* 70: US SSN */
+    TAG_TAX_ID,       /* 71: US ITIN */
+    TAG_NATIONAL_ID,  /* 72: Canadian SIN */
+    TAG_TAX_ID,       /* 73: Australian TFN */
+    TAG_TAX_ID,       /* 74: Indian PAN */
+    TAG_NATIONAL_ID,  /* 75: Spanish DNI */
+    TAG_TAX_ID,       /* 76: Hungarian Tax ID */
+    TAG_NATIONAL_ID,  /* 77: French NIR */
+    TAG_NATIONAL_ID,  /* 78: South African ID */
+    TAG_NATIONAL_ID,  /* 79: Romanian CNP */
+    TAG_TAX_ID,       /* 80: Japanese My Number */
+    TAG_NATIONAL_ID,  /* 81: Polish PESEL */
+    TAG_NATIONAL_ID,  /* 82: Belgian National Number */
+    TAG_NATIONAL_ID,  /* 83: Norwegian Fødselsnummer */
+    TAG_TRAVEL,       /* 84: passport 9 digits */
+    TAG_NATIONAL_ID,  /* 85: Dutch BSN */
+    TAG_TAX_ID,       /* 86: Austrian Abgabenkontonummer */
+    TAG_NATIONAL_ID   /* 87: Polish PESEL duplicate */
 };
 
 const char *pattern_names[NUM_PATTERNS] = {
@@ -206,62 +210,65 @@ const char *pattern_names[NUM_PATTERNS] = {
     "scaleway_access_key",           /* 26 */
     "pem_private_key",               /* 27 */
     "gpg_private_key",               /* 28 */
-    "iban_hu",                       /* 29 */
-    "iban_pl",                       /* 30 */
-    "iban_fr",                       /* 31 */
-    "iban_it",                       /* 32 */
-    "iban_pt",                       /* 33 */
-    "iban_es",                       /* 34 */
-    "iban_cz",                       /* 35 */
-    "iban_ro",                       /* 36 */
-    "iban_se",                       /* 37 */
-    "iban_de",                       /* 38 */
-    "iban_ie",                       /* 39 */
-    "iban_ch",                       /* 40 */
-    "iban_at",                       /* 41 */
-    "iban_nl",                       /* 42 */
-    "iban_dk",                       /* 43 */
-    "iban_fi",                       /* 44 */
-    "iban_be",                       /* 45 */
-    "iban_no",                       /* 46 */
-    "email",                         /* 47 */
-    "phone_e164",                    /* 48 */
-    "brazilian_cnpj",                /* 49 */
-    "brazilian_cpf",                 /* 50 */
-    "uuid_v4",                       /* 51 */
-    "ipv4",                          /* 52 */
-    "credit_card",                   /* 53 */
-    "indian_aadhaar",                /* 54 */
-    "mexican_curp",                  /* 55 */
-    "italian_cf_omocodia",           /* 56 */
-    "italian_cf",                    /* 57 */
-    "uk_nin",                        /* 58 */
-    "spanish_nie",                   /* 59 */
-    "passport_letter_prefix",        /* 60 */
-    "korean_rrn",                    /* 61 */
-    "swiss_ahv",                     /* 62 */
-    "finnish_hetu",                  /* 63 */
-    "swedish_personnummer",          /* 64 */
-    "danish_cpr",                    /* 65 */
-    "czech_rodne_cislo",             /* 66 */
-    "us_ssn",                        /* 67 */
-    "us_itin",                       /* 68 */
-    "canadian_sin",                  /* 69 */
-    "australian_tfn",                /* 70 */
-    "indian_pan",                    /* 71 */
-    "spanish_dni",                   /* 72 */
-    "hungarian_tax_id",              /* 73 */
-    "french_nir",                    /* 74 */
-    "south_african_id",              /* 75 */
-    "romanian_cnp",                  /* 76 */
-    "japanese_my_number",            /* 77 */
-    "polish_pesel",                  /* 78 */
-    "belgian_national_number",       /* 79 */
-    "norwegian_fodselsnummer",       /* 80 */
-    "passport_9digits",              /* 81 */
-    "dutch_bsn",                     /* 82 */
-    "austrian_abgabenkontonummer",   /* 83 */
-    "polish_pesel_2"                 /* 84 */
+    "hashicorp_vault_service_token", /* 29 */
+    "hashicorp_vault_batch_token",   /* 30 */
+    "hashicorp_terraform_api_token", /* 31 */
+    "iban_hu",                       /* 32 */
+    "iban_pl",                       /* 33 */
+    "iban_fr",                       /* 34 */
+    "iban_it",                       /* 35 */
+    "iban_pt",                       /* 36 */
+    "iban_es",                       /* 37 */
+    "iban_cz",                       /* 38 */
+    "iban_ro",                       /* 39 */
+    "iban_se",                       /* 40 */
+    "iban_de",                       /* 41 */
+    "iban_ie",                       /* 42 */
+    "iban_ch",                       /* 43 */
+    "iban_at",                       /* 44 */
+    "iban_nl",                       /* 45 */
+    "iban_dk",                       /* 46 */
+    "iban_fi",                       /* 47 */
+    "iban_be",                       /* 48 */
+    "iban_no",                       /* 49 */
+    "email",                         /* 50 */
+    "phone_e164",                    /* 51 */
+    "brazilian_cnpj",                /* 52 */
+    "brazilian_cpf",                 /* 53 */
+    "uuid_v4",                       /* 54 */
+    "ipv4",                          /* 55 */
+    "credit_card",                   /* 56 */
+    "indian_aadhaar",                /* 57 */
+    "mexican_curp",                  /* 58 */
+    "italian_cf_omocodia",           /* 59 */
+    "italian_cf",                    /* 60 */
+    "uk_nin",                        /* 61 */
+    "spanish_nie",                   /* 62 */
+    "passport_letter_prefix",        /* 63 */
+    "korean_rrn",                    /* 64 */
+    "swiss_ahv",                     /* 65 */
+    "finnish_hetu",                  /* 66 */
+    "swedish_personnummer",          /* 67 */
+    "danish_cpr",                    /* 68 */
+    "czech_rodne_cislo",             /* 69 */
+    "us_ssn",                        /* 70 */
+    "us_itin",                       /* 71 */
+    "canadian_sin",                  /* 72 */
+    "australian_tfn",                /* 73 */
+    "indian_pan",                    /* 74 */
+    "spanish_dni",                   /* 75 */
+    "hungarian_tax_id",              /* 76 */
+    "french_nir",                    /* 77 */
+    "south_african_id",              /* 78 */
+    "romanian_cnp",                  /* 79 */
+    "japanese_my_number",            /* 80 */
+    "polish_pesel",                  /* 81 */
+    "belgian_national_number",       /* 82 */
+    "norwegian_fodselsnummer",       /* 83 */
+    "passport_9digits",              /* 84 */
+    "dutch_bsn",                     /* 85 */
+    "austrian_abgabenkontonummer",   /* 86 */
+    "polish_pesel_2"                 /* 87 */
 };
 
 /*
@@ -330,126 +337,132 @@ const char *pattern_strings[NUM_PATTERNS] = {
     "-----BEGIN [A-Z ]*PRIVATE KEY-----",
     /* 28: GPG Private Key Block */
     "-----BEGIN PGP PRIVATE KEY BLOCK-----",
+    /* 29: HashiCorp Vault Service Token (hvs. + 90-120 base64url chars) */
+    "hvs\\.[A-Za-z0-9_-]{90,120}",
+    /* 30: HashiCorp Vault Batch Token (hvb. + 138-300 base64url chars) */
+    "hvb\\.[A-Za-z0-9_-]{138,300}",
+    /* 31: HashiCorp Terraform Cloud API Token (14 alphanum + .atlasv1. + 60-70 base64url chars) */
+    "[A-Za-z0-9]{14}\\.atlasv1\\.[A-Za-z0-9_=-]{60,70}",
 
     /* ---- Tier 3: IBANs (longest → shortest) ---- */
-    /* 29: Hungary IBAN (HU, 28 chars) */
+    /* 32: Hungary IBAN (HU, 28 chars) */
     "HU[0-9]{2}[0-9]{24}",
-    /* 30: Poland IBAN (PL, 28 chars) */
+    /* 33: Poland IBAN (PL, 28 chars) */
     "PL[0-9]{2}[0-9]{24}",
-    /* 31: France IBAN (FR, 27 chars) */
+    /* 34: France IBAN (FR, 27 chars) */
     "FR[0-9]{2}[0-9]{10}[A-Z0-9]{11}[0-9]{2}",
-    /* 32: Italy IBAN (IT, 27 chars) */
+    /* 35: Italy IBAN (IT, 27 chars) */
     "IT[0-9]{2}[A-Z][0-9]{10}[A-Z0-9]{12}",
-    /* 33: Portugal IBAN (PT, 25 chars) */
+    /* 36: Portugal IBAN (PT, 25 chars) */
     "PT[0-9]{2}[0-9]{21}",
-    /* 34: Spain IBAN (ES, 24 chars) */
+    /* 37: Spain IBAN (ES, 24 chars) */
     "ES[0-9]{2}[0-9]{20}",
-    /* 35: Czechia IBAN (CZ, 24 chars) */
+    /* 38: Czechia IBAN (CZ, 24 chars) */
     "CZ[0-9]{2}[0-9]{20}",
-    /* 36: Romania IBAN (RO, 24 chars) */
+    /* 39: Romania IBAN (RO, 24 chars) */
     "RO[0-9]{2}[A-Z]{4}[A-Z0-9]{16}",
-    /* 37: Sweden IBAN (SE, 24 chars) */
+    /* 40: Sweden IBAN (SE, 24 chars) */
     "SE[0-9]{2}[0-9]{20}",
-    /* 38: Germany IBAN (DE, 22 chars) */
+    /* 41: Germany IBAN (DE, 22 chars) */
     "DE[0-9]{2}[0-9]{18}",
-    /* 39: Ireland IBAN (IE, 22 chars) */
+    /* 42: Ireland IBAN (IE, 22 chars) */
     "IE[0-9]{2}[A-Z]{4}[0-9]{14}",
-    /* 40: Switzerland IBAN (CH, 21 chars) */
+    /* 43: Switzerland IBAN (CH, 21 chars) */
     "CH[0-9]{2}[0-9]{5}[A-Z0-9]{12}",
-    /* 41: Austria IBAN (AT, 20 chars) */
+    /* 44: Austria IBAN (AT, 20 chars) */
     "AT[0-9]{2}[0-9]{16}",
-    /* 42: Netherlands IBAN (NL, 18 chars) */
+    /* 45: Netherlands IBAN (NL, 18 chars) */
     "NL[0-9]{2}[A-Z]{4}[0-9]{10}",
-    /* 43: Denmark IBAN (DK, 18 chars) */
+    /* 46: Denmark IBAN (DK, 18 chars) */
     "DK[0-9]{2}[0-9]{14}",
-    /* 44: Finland IBAN (FI, 18 chars) */
+    /* 47: Finland IBAN (FI, 18 chars) */
     "FI[0-9]{2}[0-9]{14}",
-    /* 45: Belgium IBAN (BE, 16 chars) */
+    /* 48: Belgium IBAN (BE, 16 chars) */
     "BE[0-9]{2}[0-9]{12}",
-    /* 46: Norway IBAN (NO, 15 chars) */
+    /* 49: Norway IBAN (NO, 15 chars) */
     "NO[0-9]{2}[0-9]{11}",
 
     /* ---- Tier 4: Structured formats (dots, dashes, slashes, @) ---- */
-    /* 47: Email Address */
+    /* 50: Email Address */
     "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}",
-    /* 48: International Phone Number (E.164) */
+    /* 51: International Phone Number (E.164) */
     "\\+[0-9]{1,3}[- ]?[0-9][0-9 -]{6,13}[0-9]",
-    /* 49: Brazilian CNPJ (XX.XXX.XXX/XXXX-XX) */
+    /* 52: Brazilian CNPJ (XX.XXX.XXX/XXXX-XX) */
     "[0-9]{2}\\.[0-9]{3}\\.[0-9]{3}/[0-9]{4}-[0-9]{2}",
-    /* 50: Brazilian CPF (XXX.XXX.XXX-XX) */
+    /* 53: Brazilian CPF (XXX.XXX.XXX-XX) */
     "[0-9]{3}\\.[0-9]{3}\\.[0-9]{3}-[0-9]{2}",
-    /* 51: UUID v4 / Scaleway Secret Key */
+    /* 54: UUID v4 / Scaleway Secret Key */
     "[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}",
-    /* 52: IPv4 address */
+    /* 55: IPv4 address */
     "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)",
-    /* 53: Credit card numbers (Visa, Mastercard, Amex, Discover, JCB) */
+    /* 56: Credit card numbers (Visa, Mastercard, Amex, Discover, JCB) */
     "(4[0-9]{15}|4[0-9]{12}|5[1-5][0-9]{14}|6011[0-9]{12}|65[0-9]{14}|3[47][0-9]{13}|3[068][0-9]{11}|35[0-9]{14})",
-    /* 54: Indian Aadhaar (XXXX XXXX XXXX or XXXX-XXXX-XXXX) */
+    /* 57: Indian Aadhaar (XXXX XXXX XXXX or XXXX-XXXX-XXXX) */
     "[0-9]{4}[- ][0-9]{4}[- ][0-9]{4}",
 
     /* ---- Tier 5: Letter-anchored patterns ---- */
-    /* 55: Mexican CURP (18 alphanum, distinctive structure) */
+    /* 58: Mexican CURP (18 alphanum, distinctive structure) */
     "[A-Z]{4}[0-9]{6}[HM][A-Z]{5}[A-Z0-9][0-9]",
-    /* 56: Italian CF with omocodia (16 chars) */
+    /* 59: Italian CF with omocodia (16 chars) */
     "[A-Z]{6}[0-9LMNPQRSTUV]{2}[ABCDEHLMPRST][0-9LMNPQRSTUV]{2}[A-Z][0-9LMNPQRSTUV]{3}[A-Z]",
-    /* 57: Italian CF basic (16 chars) */
+    /* 60: Italian CF basic (16 chars) */
     "[A-Z]{6}[0-9]{2}[A-Z][0-9]{2}[A-Z][0-9]{3}[A-Z]",
-    /* 58: UK National Insurance Number (AA 99 99 99 A-D) */
+    /* 61: UK National Insurance Number (AA 99 99 99 A-D) */
     "[A-Z]{2} ?[0-9]{2} ?[0-9]{2} ?[0-9]{2} ?[A-D]",
-    /* 59: Spanish NIE (X/Y/Z + 7 digits + letter) */
+    /* 62: Spanish NIE (X/Y/Z + 7 digits + letter) */
     "[XYZ][0-9]{7}[A-Z]",
-    /* 60: Passport - letter prefix + digits (e.g. AB1234567) */
+    /* 63: Passport - letter prefix + digits (e.g. AB1234567) */
     "[A-Z]{1,2}[0-9]{6,7}",
 
     /* ---- Tier 6: Boundary-wrapped structured (dash/dot/slash separated) ---- */
-    /* 61: South Korean RRN (YYMMDD-XXXXXXX, 14 chars with dash) */
+    /* 64: South Korean RRN (YYMMDD-XXXXXXX, 14 chars with dash) */
     "[0-9]{6}-[0-9]{7}",
-    /* 62: Swiss AHV Number (756.XXXX.XXXX.XX) */
+    /* 65: Swiss AHV Number (756.XXXX.XXXX.XX) */
     "756\\.[0-9]{4}\\.[0-9]{4}\\.[0-9]{2}",
-    /* 63: Finnish HETU (DDMMYY[+-A]XXXC) */
+    /* 66: Finnish HETU (DDMMYY[+-A]XXXC) */
     "[0-9]{6}[-+A][0-9]{3}[0-9A-Y]",
-    /* 64: Swedish Personnummer (YYMMDD[-+]XXXX) */
+    /* 67: Swedish Personnummer (YYMMDD[-+]XXXX) */
     "[0-9]{6}[-+][0-9]{4}",
-    /* 65: Danish CPR Number (DDMMYY-XXXX) */
+    /* 68: Danish CPR Number (DDMMYY-XXXX) */
     "[0-9]{6}-[0-9]{4}",
-    /* 66: Czech Rodné číslo (YYMMDD/XXXX or YYMMDDXXXX) */
+    /* 69: Czech Rodné číslo (YYMMDD/XXXX or YYMMDDXXXX) */
     "[0-9]{6}/?[0-9]{3,4}",
-    /* 67: US Social Security Number (XXX-XX-XXXX) */
+    /* 70: US Social Security Number (XXX-XX-XXXX) */
     "[0-9]{3}-[0-9]{2}-[0-9]{4}",
-    /* 68: US ITIN (9XX-XX-XXXX) */
+    /* 71: US ITIN (9XX-XX-XXXX) */
     "9[0-9]{2}-[0-9]{2}-[0-9]{4}",
-    /* 69: Canadian SIN (XXX-XXX-XXX) */
+    /* 72: Canadian SIN (XXX-XXX-XXX) */
     "[0-9]{3}-[0-9]{3}-[0-9]{3}",
-    /* 70: Australian TFN (XXX-XXX-XXX or XXX XXX XXX) */
+    /* 73: Australian TFN (XXX-XXX-XXX or XXX XXX XXX) */
     "[0-9]{3}[- ][0-9]{3}[- ][0-9]{3}",
-    /* 71: Indian PAN (5 letters + 4 digits + 1 letter) */
+    /* 74: Indian PAN (5 letters + 4 digits + 1 letter) */
     "[A-Z]{5}[0-9]{4}[A-Z]",
-    /* 72: Spanish DNI (8 digits + 1 letter) */
+    /* 75: Spanish DNI (8 digits + 1 letter) */
     "[0-9]{8}[A-Z]",
-    /* 73: Hungarian Tax ID (starts with 8, 10 digits) */
+    /* 76: Hungarian Tax ID (starts with 8, 10 digits) */
     "8[0-9]{9}",
 
     /* ---- Tier 7: Boundary-wrapped pure digits (longest → shortest) ---- */
-    /* 74: French NIR / Social Security (15 digits) */
+    /* 77: French NIR / Social Security (15 digits) */
     "[12][0-9]{2}[01][0-9][0-9]{2}[0-9]{3}[0-9]{3}[0-9]{2}",
-    /* 75: South African ID (13 digits) */
+    /* 78: South African ID (13 digits) */
     "[0-9]{13}",
-    /* 76: Romanian CNP (13 digits, first digit 1-8) */
+    /* 79: Romanian CNP (13 digits, first digit 1-8) */
     "[1-8][0-9]{12}",
-    /* 77: Japanese My Number (12 digits) */
+    /* 80: Japanese My Number (12 digits) */
     "[0-9]{12}",
-    /* 78: Polish PESEL (11 digits) */
+    /* 81: Polish PESEL (11 digits) */
     "[0-9]{11}",
-    /* 79: Belgian National Number (11 digits) */
+    /* 82: Belgian National Number (11 digits) */
     "[0-9]{11}",
-    /* 80: Norwegian Fødselsnummer (11 digits) */
+    /* 83: Norwegian Fødselsnummer (11 digits) */
     "[0-9]{11}",
-    /* 81: Passport - 9 consecutive digits */
+    /* 84: Passport - 9 consecutive digits */
     "[0-9]{9}",
-    /* 82: Dutch BSN (8-9 digits) */
+    /* 85: Dutch BSN (8-9 digits) */
     "[0-9]{8,9}",
-    /* 83: Austrian Abgabenkontonummer (9 digits) */
+    /* 86: Austrian Abgabenkontonummer (9 digits) */
     "[0-9]{9}",
-    /* 84: Polish PESEL duplicate */
+    /* 87: Polish PESEL duplicate */
     "[0-9]{11}"
 };

data/ext/data_redactor/patterns.h

@@ -3,7 +3,7 @@
 
 #include <regex.h>
 
-#define NUM_PATTERNS 85
+#define NUM_PATTERNS 88
 
 extern const char *pattern_strings[NUM_PATTERNS];
 extern const int   boundary_wrapped[NUM_PATTERNS];

data/lib/data_redactor/version.rb

@@ -1,4 +1,4 @@
 module DataRedactor
   # Current gem version. Follows {https://semver.org Semantic Versioning 2.0.0}.
-  VERSION = "0.7.2"
+  VERSION = "0.8.0"
 end

data/lib/data_redactor.rb

@@ -1,4 +1,5 @@
 require "set"
+require "json"
 require_relative "data_redactor/version"
 require_relative "data_redactor/data_redactor" # loads the compiled .so
 
@@ -161,6 +162,54 @@ module DataRedactor
     result
   end
 
+  # Recursively redact every String value in a nested Hash/Array structure.
+  #
+  # Walks the structure depth-first. Only String leaves are passed through
+  # {redact}; all other leaf types (Integer, Float, nil, Symbol, Boolean)
+  # are copied unchanged. Hash keys are never modified.
+  #
+  # Returns a deep copy — the original structure is never mutated.
+  #
+  # @param data [Hash, Array, String, Object] the structure to walk.
+  #   Any type is accepted; non-String scalars are returned as-is.
+  # @param only [Symbol, String, Array, nil] forwarded to {redact}.
+  # @param except [Symbol, String, Array, nil] forwarded to {redact}.
+  # @param placeholder [String, :tagged, :hash] forwarded to {redact}.
+  # @return [Hash, Array, String, Object] a new structure of the same shape
+  #   with all String leaves redacted.
+  # @raise [ArgumentError] if the structure contains a circular reference.
+  #
+  # @example Rails params
+  #   safe = DataRedactor.redact_deep(params.to_h)
+  #
+  # @example Mixed filter
+  #   DataRedactor.redact_deep(payload, only: :credentials, placeholder: :tagged)
+  def redact_deep(data, only: nil, except: nil, placeholder: PLACEHOLDER_DEFAULT)
+    _walk(data, only: only, except: except, placeholder: placeholder, seen: Set.new)
+  end
+
+  # Parse +json_string+, redact every String value in the resulting structure,
+  # and return valid JSON.
+  #
+  # Delegates traversal to {redact_deep}. All keyword arguments are forwarded
+  # to {redact}.
+  #
+  # @param json_string [String] valid JSON input.
+  # @param only [Symbol, String, Array, nil] forwarded to {redact}.
+  # @param except [Symbol, String, Array, nil] forwarded to {redact}.
+  # @param placeholder [String, :tagged, :hash] forwarded to {redact}.
+  # @return [String] a JSON string with all String values redacted.
+  # @raise [JSON::ParserError] if +json_string+ is not valid JSON.
+  #
+  # @example
+  #   DataRedactor.redact_json('{"email":"alice@example.com","count":3}')
+  #   # => '{"email":"[REDACTED]","count":3}'
+  def redact_json(json_string, only: nil, except: nil, placeholder: PLACEHOLDER_DEFAULT)
+    parsed = JSON.parse(json_string)
+    redacted = redact_deep(parsed, only: only, except: except, placeholder: placeholder)
+    JSON.generate(redacted)
+  end
+
   # Register a custom redaction pattern.
   #
   # Patterns must be valid POSIX ERE. Ruby-only syntax (+\d+, +\s+, +\w+,
@@ -317,6 +366,31 @@ module DataRedactor
     bits
   end
 
+  # @api private
+  # Depth-first recursive walker for {redact_deep}.
+  # +seen+ is a Set of object_ids already on the current traversal stack,
+  # used to detect circular references.
+  def _walk(node, only:, except:, placeholder:, seen:)
+    case node
+    when String
+      redact(node, only: only, except: except, placeholder: placeholder)
+    when Hash
+      raise ArgumentError, "redact_deep: circular reference detected" if seen.include?(node.object_id)
+      seen.add(node.object_id)
+      result = node.transform_values { |v| _walk(v, only: only, except: except, placeholder: placeholder, seen: seen) }
+      seen.delete(node.object_id)
+      result
+    when Array
+      raise ArgumentError, "redact_deep: circular reference detected" if seen.include?(node.object_id)
+      seen.add(node.object_id)
+      result = node.map { |v| _walk(v, only: only, except: except, placeholder: placeholder, seen: seen) }
+      seen.delete(node.object_id)
+      result
+    else
+      node
+    end
+  end
+
   # @api private
   def pattern_enabled?(name, tag_bit, only_present, only_bits, only_names,
                        except_bits, except_names)

data/readme.md

@@ -103,6 +103,36 @@ DataRedactor.scan(text, except: :network)
 DataRedactor.scan(text, only: :contact, except: ["email"])
 ```
 
+### Hash / JSON traversal
+
+Redact every string value inside a nested Hash or Array — useful for params hashes, Sidekiq job payloads, webhook bodies, and anything that isn't a flat string:
+
+```ruby
+# Hash — returns a deep copy, never mutates the input
+result = DataRedactor.redact_deep({
+  "user"  => { "email" => "alice@example.com" },
+  "count" => 3,
+  "tags"  => ["admin", "alice@example.com"]
+})
+# => { "user" => { "email" => "[REDACTED]" }, "count" => 3, "tags" => ["admin", "[REDACTED]"] }
+
+# Hash keys are never touched — only values are redacted
+# Non-string scalars (Integer, Float, nil, Boolean) pass through unchanged
+
+# Accepts the same filters as redact
+DataRedactor.redact_deep(params, only: :credentials)
+DataRedactor.redact_deep(payload, except: :network, placeholder: :tagged)
+```
+
+```ruby
+# JSON string — parse → redact_deep → re-serialise
+safe_json = DataRedactor.redact_json('{"email":"alice@example.com","count":3}')
+# => '{"email":"[REDACTED]","count":3}'
+
+# Raises JSON::ParserError on invalid input
+DataRedactor.redact_json("not json")  # => JSON::ParserError
+```
+
 ### Custom patterns
 
 Teams often have internal IDs that the gem can't ship. Register them at boot:
@@ -179,7 +209,7 @@ Pass an empty subset (e.g. `scrub: [:headers]`) to opt out of body wrapping. For
 
 > **Body wrapping is buffering.** The middleware reads the entire response body into memory before scanning. For streaming endpoints (SSE, large file downloads, Rack::Hijack) use `scrub: [:headers]` and rely on the Logger formatter for application logs instead.
 
-## Detected patterns (85 total)
+## Detected patterns (88 total)
 
 The table below is a representative sample. Use `DataRedactor.pattern_names` for the canonical, machine-readable list — it stays in sync with the C extension automatically.
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: data_redactor
 version: !ruby/object:Gem::Version
-  version: 0.7.2
+  version: 0.8.0
 platform: ruby
 authors:
 - Daniele Frisanco