ez_logs_agent 0.1.0

data/lib/ez_logs_agent/configuration.rb

@@ -0,0 +1,186 @@
+# frozen_string_literal: true
+
+module EzLogsAgent
+  # Configuration for the EzLogsAgent.
+  #
+  # == Noise Filtering Overview
+  #
+  # EzLogsAgent captures events but filters out noise at the agent level.
+  # Each capturer has its own exclusion mechanism:
+  #
+  # === HTTP Requests (middleware/http_request.rb)
+  # - excluded_paths: URL paths to ignore (supports * wildcard for prefix match)
+  # - DEFAULT_EXCLUDED_EXTENSIONS: Static file extensions (.js, .css, .png, etc.)
+  # - excluded_graphql_operations: GraphQL operations to skip (introspection, etc.)
+  #
+  # === Database Callbacks (capturers/database_capturer.rb)
+  # - excluded_tables: Table names to ignore (Rails internals, job queues, etc.)
+  # - IGNORED_ATTRIBUTES: Technical fields (created_at, lock_version, etc.)
+  # - SENSITIVE_PATTERNS: Attributes containing passwords, tokens, secrets
+  #
+  # === Background Jobs (capturers/job_capturer.rb)
+  # - excluded_job_classes: Job class names to ignore (health checks, etc.)
+  #
+  # == Server-Side vs Agent-Side Filtering
+  #
+  # The filtering philosophy:
+  # - Agent filters NOISE (introspection, assets, health checks, Rails internals)
+  # - Server classifies SIGNIFICANCE (reads vs writes) for UI filtering
+  #
+  # This means GraphQL queries and GET requests ARE captured by the agent,
+  # but the server classifies them as "background" so users can toggle visibility.
+  #
+  class Configuration
+    attr_accessor :server_url
+    attr_accessor :project_token
+    attr_accessor :capture_http
+    attr_accessor :capture_jobs
+    attr_accessor :capture_database
+    attr_accessor :excluded_paths
+    attr_accessor :excluded_tables
+    attr_accessor :excluded_job_classes
+    attr_accessor :excluded_graphql_operations
+    attr_accessor :excluded_graphql_variable_keys
+    attr_accessor :buffer_size
+    attr_accessor :retry_attempts
+    attr_accessor :send_interval
+    attr_accessor :log_level
+
+    # Actor extraction hook for HTTP requests (optional)
+    # Must be a callable (lambda/proc) that accepts (request, controller)
+    # and returns { kind:, id:, label:, metadata: } or nil
+    attr_accessor :actor_from_request
+
+    # Display name field mapping for database records (optional)
+    # Maps model class names to attribute names used for human-readable display
+    #
+    # Example:
+    #   config.display_name_for = {
+    #     "User" => :email,
+    #     "Product" => :name,
+    #     "Order" => :number
+    #   }
+    #
+    # IMPORTANT: Only use direct attributes, not associations.
+    # Associations will trigger database queries and should be avoided.
+    #
+    # If not configured for a model, falls back to: name → title → number → "##{id}"
+    attr_accessor :display_name_for
+
+    # Default paths excluded from HTTP capture - common Rails noise
+    DEFAULT_EXCLUDED_PATHS = [
+      "/rails/active_storage*",  # File uploads/downloads
+      "/assets*",                # Asset pipeline
+      "/packs*",                 # Webpacker assets
+      "/vite*",                  # Vite assets
+      "/health*",                # Health checks
+      "/up",                     # Rails 7.1+ health check
+      "/alive",                  # Kubernetes liveness probe
+      "/ready",                  # Kubernetes readiness probe
+      "/metrics",                # Prometheus metrics endpoint
+      "/favicon.ico",            # Browser favicon
+      "/*.hot-update.*",         # Hot module replacement
+      "/.well-known*",           # Well-known URIs (security.txt, etc.)
+      "/robots.txt",             # Search engine crawler config
+      "/sitemap.xml",            # Sitemap for crawlers
+      "/cable*",                 # ActionCable WebSocket connections
+      "/sidekiq",                # Sidekiq Web UI dashboard root (the conventional mount)
+      "/sidekiq/*",              # Sidekiq Web UI sub-paths (auto-poll noise)
+      # Authentication pages - not meaningful business actions
+      # Use */path* patterns to match auth routes anywhere (e.g., /admin/logout)
+      "*/sign_in*",              # Devise and common sign in (matches /users/sign_in, /admin/sign_in)
+      "*/sign_out*",             # Devise and common sign out
+      "*/login*",                # Common auth pattern (matches /login, /admin/login)
+      "*/logout*",               # Common auth pattern (matches /logout, /admin/logout)
+      "/users/password*",        # Devise password reset/edit
+      "/session*"                # Common auth pattern
+    ].freeze
+
+    # Default file extensions excluded from HTTP capture - static assets
+    # These are matched against the path suffix regardless of directory
+    DEFAULT_EXCLUDED_EXTENSIONS = %w[
+      .js .css .map
+      .png .jpg .jpeg .gif .svg .ico .webp
+      .woff .woff2 .ttf .eot .otf
+    ].freeze
+
+    # Default tables excluded from database capture - Rails internal tables
+    DEFAULT_EXCLUDED_TABLES = [
+      "schema_migrations",
+      "ar_internal_metadata",
+      "sessions",                         # ActiveRecord session store (plural)
+      "session",                          # ActiveRecord session store (singular)
+      "active_storage_blobs",             # ActiveStorage internals
+      "active_storage_attachments",
+      "active_storage_variant_records",
+      "solid_queue_jobs",                 # SolidQueue internals
+      "solid_queue_scheduled_executions",
+      "solid_queue_ready_executions",
+      "solid_queue_claimed_executions",
+      "solid_queue_blocked_executions",
+      "solid_queue_failed_executions",
+      "solid_queue_pauses",
+      "solid_queue_processes",
+      "solid_queue_semaphores",
+      "solid_queue_recurring_tasks",
+      "solid_queue_recurring_executions",
+      "solid_cache_entries",              # SolidCache internals
+      "solid_cable_messages"              # SolidCable internals
+    ].freeze
+
+    # Default job classes excluded from background job capture - infrastructure/health check jobs
+    DEFAULT_EXCLUDED_JOB_CLASSES = [
+      "SidekiqAlive::Worker",             # Sidekiq health check
+      "SolidQueue::CleanupJob",           # SolidQueue maintenance
+      "SolidQueue::RecurringJob"          # SolidQueue scheduler internals
+    ].freeze
+
+    # Default GraphQL operations excluded from capture - introspection and IDE queries
+    # Supports exact match and prefix match (patterns ending with *)
+    DEFAULT_EXCLUDED_GRAPHQL_OPERATIONS = [
+      "IntrospectionQuery",               # Standard IDE introspection query
+      "__*"                               # All introspection fields (__schema, __type, etc.)
+    ].freeze
+
+    DEFAULT_SERVER_URL = "https://app.ezlogs.io"
+
+    def initialize
+      @server_url = DEFAULT_SERVER_URL
+      @project_token = nil
+      @capture_http = true
+      @capture_jobs = true
+      @capture_database = true
+      @excluded_paths = []                 # User-defined; combined with DEFAULT_EXCLUDED_PATHS
+      @excluded_tables = []                # User-defined; combined with DEFAULT_EXCLUDED_TABLES
+      @excluded_job_classes = []           # User-defined; combined with DEFAULT_EXCLUDED_JOB_CLASSES
+      @excluded_graphql_operations = []    # User-defined; combined with DEFAULT_EXCLUDED_GRAPHQL_OPERATIONS
+      @excluded_graphql_variable_keys = [] # User-defined; additional sensitive variable key patterns to filter
+      @buffer_size = 10_000                # Increased for high-volume workloads (job-heavy apps)
+      @retry_attempts = 3
+      @send_interval = 3                   # More frequent sends for better throughput
+      @log_level = :warn
+      @actor_from_request = nil  # Not configured by default
+      @display_name_for = {}     # Not configured by default
+    end
+
+    # Returns all excluded paths (defaults + user-configured)
+    def all_excluded_paths
+      DEFAULT_EXCLUDED_PATHS + (@excluded_paths || [])
+    end
+
+    # Returns all excluded tables (defaults + user-configured)
+    def all_excluded_tables
+      DEFAULT_EXCLUDED_TABLES + (@excluded_tables || [])
+    end
+
+    # Returns all excluded job classes (defaults + user-configured)
+    def all_excluded_job_classes
+      DEFAULT_EXCLUDED_JOB_CLASSES + (@excluded_job_classes || [])
+    end
+
+    # Returns all excluded GraphQL operations (defaults + user-configured)
+    def all_excluded_graphql_operations
+      DEFAULT_EXCLUDED_GRAPHQL_OPERATIONS + (@excluded_graphql_operations || [])
+    end
+  end
+end

data/lib/ez_logs_agent/configuration_validator.rb

@@ -0,0 +1,139 @@
+# frozen_string_literal: true
+
+module EzLogsAgent
+  # Validates EzLogsAgent configuration and provides actionable error messages.
+  #
+  # Used at boot-time by Railtie and by the test_connection rake task
+  # to ensure configuration is valid before attempting to capture or send events.
+  #
+  # Validation philosophy:
+  # - Only validate what will cause hard failures
+  # - Provide clear, actionable error messages
+  # - Warnings for optional but recommended config
+  # - Never crash the host application
+  #
+  class ConfigurationValidator
+    # Result of configuration validation
+    #
+    # @attr_reader [Array<String>] errors Critical configuration errors
+    # @attr_reader [Array<String>] warnings Non-critical configuration warnings
+    ValidationResult = Struct.new(:errors, :warnings) do
+      def valid?
+        errors.empty?
+      end
+
+      def has_warnings?
+        warnings.any?
+      end
+    end
+
+    # Validates the given configuration
+    #
+    # @param config [EzLogsAgent::Configuration] Configuration to validate
+    # @return [ValidationResult] Validation result with errors and warnings
+    def self.validate(config)
+      errors = []
+      warnings = []
+
+      # Required: server_url must be set
+      if config.server_url.nil? || config.server_url.to_s.strip.empty?
+        errors << "server_url is required. Set it in config/initializers/ez_logs_agent.rb"
+      elsif !valid_url?(config.server_url)
+        errors << "server_url must be a valid URL (got: #{config.server_url})"
+      end
+
+      # Optional but recommended: project_token
+      if config.project_token.nil? || config.project_token.to_s.strip.empty?
+        warnings << "project_token is not set. Authentication may fail if the server requires it."
+      end
+
+      # Validate numeric fields
+      if config.buffer_size && (!config.buffer_size.is_a?(Integer) || config.buffer_size <= 0)
+        errors << "buffer_size must be a positive integer (got: #{config.buffer_size})"
+      end
+
+      if config.retry_attempts && (!config.retry_attempts.is_a?(Integer) || config.retry_attempts < 0)
+        errors << "retry_attempts must be a non-negative integer (got: #{config.retry_attempts})"
+      end
+
+      if config.send_interval && (!config.send_interval.is_a?(Numeric) || config.send_interval <= 0)
+        errors << "send_interval must be a positive number (got: #{config.send_interval})"
+      end
+
+      # Validate log_level
+      if config.log_level && !valid_log_level?(config.log_level)
+        errors << "log_level must be one of: :debug, :info, :warn, :error (got: #{config.log_level})"
+      end
+
+      # Validate boolean fields
+      unless [true, false].include?(config.capture_http)
+        errors << "capture_http must be true or false (got: #{config.capture_http})"
+      end
+
+      unless [true, false].include?(config.capture_jobs)
+        errors << "capture_jobs must be true or false (got: #{config.capture_jobs})"
+      end
+
+      unless [true, false].include?(config.capture_database)
+        errors << "capture_database must be true or false (got: #{config.capture_database})"
+      end
+
+      # Validate array fields
+      if config.excluded_paths && !config.excluded_paths.is_a?(Array)
+        errors << "excluded_paths must be an array (got: #{config.excluded_paths.class})"
+      end
+
+      if config.excluded_tables && !config.excluded_tables.is_a?(Array)
+        errors << "excluded_tables must be an array (got: #{config.excluded_tables.class})"
+      end
+
+      if config.excluded_job_classes && !config.excluded_job_classes.is_a?(Array)
+        errors << "excluded_job_classes must be an array (got: #{config.excluded_job_classes.class})"
+      end
+
+      if config.excluded_graphql_operations && !config.excluded_graphql_operations.is_a?(Array)
+        errors << "excluded_graphql_operations must be an array (got: #{config.excluded_graphql_operations.class})"
+      end
+
+      # Validate actor_from_request is callable if present
+      if config.actor_from_request && !config.actor_from_request.respond_to?(:call)
+        errors << "actor_from_request must be a callable (lambda/proc) or nil"
+      end
+
+      # Validate display_name_for is a hash if present
+      if config.display_name_for && !config.display_name_for.is_a?(Hash)
+        errors << "display_name_for must be a hash (got: #{config.display_name_for.class})"
+      end
+
+      # Warning if all capture flags are disabled
+      if !config.capture_http && !config.capture_jobs && !config.capture_database
+        warnings << "All capture flags are disabled. No events will be captured."
+      end
+
+      ValidationResult.new(errors, warnings)
+    end
+
+    # Checks if the given string is a valid URL
+    #
+    # @param url [String] URL to validate
+    # @return [Boolean] true if valid URL
+    def self.valid_url?(url)
+      return false unless url.is_a?(String)
+
+      uri = URI.parse(url)
+      uri.is_a?(URI::HTTP) || uri.is_a?(URI::HTTPS)
+    rescue URI::InvalidURIError
+      false
+    end
+
+    # Checks if the given log level is valid
+    #
+    # @param level [Symbol] Log level to validate
+    # @return [Boolean] true if valid log level
+    def self.valid_log_level?(level)
+      %i[debug info warn error].include?(level)
+    end
+
+    private_class_method :valid_url?, :valid_log_level?
+  end
+end

data/lib/ez_logs_agent/correlation.rb

@@ -0,0 +1,40 @@
+require "securerandom"
+require "request_store"
+
+module EzLogsAgent
+  module Correlation
+    STORE_KEY = :ez_logs_correlation_id
+
+    # Generate a new unique correlation ID
+    # Format: ezl_<timestamp_ms>_<random_hex_8>
+    #
+    # @return [String] A new correlation ID
+    def self.generate
+      timestamp_ms = (Time.now.to_f * 1000).to_i
+      random_hex = SecureRandom.hex(4) # 8 chars
+      "ezl_#{timestamp_ms}_#{random_hex}"
+    end
+
+    # Get the current correlation ID (or nil)
+    #
+    # @return [String, nil] The current correlation ID or nil if not set
+    def self.current
+      RequestStore.store[STORE_KEY]
+    end
+
+    # Set the current correlation ID
+    #
+    # @param value [String, nil] The correlation ID to store
+    # @return [String, nil] The stored value
+    def self.current=(value)
+      RequestStore.store[STORE_KEY] = value
+    end
+
+    # Clear the current correlation ID
+    #
+    # @return [void]
+    def self.clear
+      RequestStore.store.delete(STORE_KEY)
+    end
+  end
+end

data/lib/ez_logs_agent/event_builder.rb

@@ -0,0 +1,281 @@
+# frozen_string_literal: true
+
+require "time"
+
+module EzLogsAgent
+  # EventBuilder constructs valid Event hashes according to the Event Structure contract.
+  #
+  # This is a pure, side-effect-free builder that:
+  # - Validates required fields
+  # - Validates enum values
+  # - Enforces conditional rules (outcome ↔ error_message)
+  # - Sanitizes sensitive data
+  # - Returns a valid Event hash
+  #
+  # EventBuilder does NOT:
+  # - Buffer or send Events
+  # - Generate correlation IDs
+  # - Interact with Rails or ActiveRecord
+  # - Mutate global state
+  #
+  # @see docs/agent/event_structure.md for complete specification
+  module EventBuilder
+    # Sensitive keys that should be filtered from source_data and context
+    SENSITIVE_KEYS = %w[password token secret api_key credit_card].freeze
+
+    # Valid source types
+    VALID_SOURCE_TYPES = %w[http_request background_job database_callback].freeze
+
+    # Valid outcome values
+    VALID_OUTCOMES = %w[success failure].freeze
+
+    # Builds a valid Event hash
+    #
+    # @param source_type [String, Symbol] Event source type (http_request, background_job, database_callback)
+    # @param source_data [Hash] Technical details about the event source
+    # @param outcome [String, Symbol] Event outcome (success, failure)
+    # @param correlation_id [String, nil] Optional correlation identifier
+    # @param resource_ids [Array<Hash>] Optional array of resource identifiers
+    # @param context [Hash, nil] Optional human-readable context
+    # @param duration_ms [Integer, nil] Optional operation duration in milliseconds
+    # @param error_message [String, nil] Optional error message (required if outcome is failure)
+    # @param timestamp [String, Time, nil] Optional timestamp (defaults to current time)
+    #
+    # @return [Hash] Valid Event hash
+    # @raise [ArgumentError] If validation fails
+    #
+    # @example Building an HTTP request event
+    #   EventBuilder.build(
+    #     source_type: "http_request",
+    #     source_data: { method: "POST", path: "/api/users", status_code: 201 },
+    #     outcome: "success",
+    #     duration_ms: 124
+    #   )
+    #
+    def self.build(
+      source_type:,
+      source_data:,
+      outcome:,
+      correlation_id: nil,
+      resource_ids: [],
+      context: nil,
+      duration_ms: nil,
+      error_message: nil,
+      timestamp: nil
+    )
+      # Validate and normalize inputs
+      validated_source_type = validate_source_type!(source_type)
+      validated_source_data = validate_source_data!(source_data)
+      validated_outcome = validate_outcome!(outcome)
+      validated_timestamp = validate_timestamp!(timestamp)
+      validated_resource_ids = validate_resource_ids!(resource_ids)
+      validated_context = validate_context!(context)
+      validated_duration_ms = validate_duration_ms!(duration_ms)
+
+      # Validate conditional rules
+      validate_outcome_error_consistency!(validated_outcome, error_message)
+
+      # Sanitize sensitive data
+      sanitized_source_data = sanitize_hash(validated_source_data)
+      sanitized_context = validated_context.nil? ? nil : sanitize_hash(validated_context)
+
+      # Build and return Event hash
+      {
+        timestamp: validated_timestamp,
+        source_type: validated_source_type,
+        source_data: sanitized_source_data,
+        outcome: validated_outcome,
+        correlation_id: correlation_id,
+        resource_ids: validated_resource_ids,
+        context: sanitized_context,
+        duration_ms: validated_duration_ms,
+        error_message: error_message
+      }
+    end
+
+    # Validates source_type field
+    # @param source_type [String, Symbol]
+    # @return [String] Validated source type string
+    # @raise [ArgumentError]
+    def self.validate_source_type!(source_type)
+      raise ArgumentError, "source_type is required" if source_type.nil?
+
+      # Normalize symbol to string
+      normalized = source_type.to_s
+
+      unless VALID_SOURCE_TYPES.include?(normalized)
+        raise ArgumentError,
+              "source_type must be one of #{VALID_SOURCE_TYPES.join(', ')}, got: #{normalized}"
+      end
+
+      normalized
+    end
+    private_class_method :validate_source_type!
+
+    # Validates source_data field
+    # @param source_data [Hash]
+    # @return [Hash] Validated source data
+    # @raise [ArgumentError]
+    def self.validate_source_data!(source_data)
+      raise ArgumentError, "source_data is required" if source_data.nil?
+      raise ArgumentError, "source_data must be a Hash, got: #{source_data.class}" unless source_data.is_a?(Hash)
+
+      source_data
+    end
+    private_class_method :validate_source_data!
+
+    # Validates outcome field
+    # @param outcome [String, Symbol]
+    # @return [String] Validated outcome string
+    # @raise [ArgumentError]
+    def self.validate_outcome!(outcome)
+      raise ArgumentError, "outcome is required" if outcome.nil?
+
+      # Normalize symbol to string
+      normalized = outcome.to_s
+
+      unless VALID_OUTCOMES.include?(normalized)
+        raise ArgumentError,
+              "outcome must be one of #{VALID_OUTCOMES.join(', ')}, got: #{normalized}"
+      end
+
+      normalized
+    end
+    private_class_method :validate_outcome!
+
+    # Validates and normalizes timestamp
+    # @param timestamp [String, Time, nil]
+    # @return [String] ISO 8601 timestamp string
+    # @raise [ArgumentError]
+    def self.validate_timestamp!(timestamp)
+      return Time.now.utc.strftime("%Y-%m-%dT%H:%M:%S.%3NZ") if timestamp.nil?
+
+      case timestamp
+      when String
+        # Validate ISO 8601 format by attempting to parse
+        begin
+          Time.iso8601(timestamp)
+        rescue ArgumentError
+          raise ArgumentError, "timestamp must be valid ISO 8601 format, got: #{timestamp}"
+        end
+        timestamp
+      when Time
+        timestamp.utc.strftime("%Y-%m-%dT%H:%M:%S.%3NZ")
+      else
+        raise ArgumentError, "timestamp must be a String or Time, got: #{timestamp.class}"
+      end
+    end
+    private_class_method :validate_timestamp!
+
+    # Validates resource_ids field
+    # @param resource_ids [Array]
+    # @return [Array] Validated resource_ids array
+    # @raise [ArgumentError]
+    def self.validate_resource_ids!(resource_ids)
+      raise ArgumentError, "resource_ids must be an Array, got: #{resource_ids.class}" unless resource_ids.is_a?(Array)
+
+      resource_ids.each_with_index do |resource, index|
+        unless resource.is_a?(Hash)
+          raise ArgumentError,
+                "resource_ids[#{index}] must be a Hash, got: #{resource.class}"
+        end
+
+        unless resource.key?(:resource_type) && resource.key?(:resource_id)
+          raise ArgumentError,
+                "resource_ids[#{index}] must have :resource_type and :resource_id keys, got: #{resource.keys.inspect}"
+        end
+
+        unless resource[:resource_type].is_a?(String)
+          raise ArgumentError,
+                "resource_ids[#{index}][:resource_type] must be a String, got: #{resource[:resource_type].class}"
+        end
+
+        unless resource[:resource_id].is_a?(String)
+          raise ArgumentError,
+                "resource_ids[#{index}][:resource_id] must be a String, got: #{resource[:resource_id].class}"
+        end
+      end
+
+      resource_ids
+    end
+    private_class_method :validate_resource_ids!
+
+    # Validates context field
+    # @param context [Hash, nil]
+    # @return [Hash, nil] Validated context
+    # @raise [ArgumentError]
+    def self.validate_context!(context)
+      return nil if context.nil?
+
+      unless context.is_a?(Hash)
+        raise ArgumentError, "context must be a Hash or nil, got: #{context.class}"
+      end
+
+      context
+    end
+    private_class_method :validate_context!
+
+    # Validates duration_ms field
+    # @param duration_ms [Integer, nil]
+    # @return [Integer, nil] Validated duration_ms
+    # @raise [ArgumentError]
+    def self.validate_duration_ms!(duration_ms)
+      return nil if duration_ms.nil?
+
+      unless duration_ms.is_a?(Integer)
+        raise ArgumentError, "duration_ms must be an Integer, got: #{duration_ms.class}"
+      end
+
+      if duration_ms.negative?
+        raise ArgumentError, "duration_ms must be >= 0, got: #{duration_ms}"
+      end
+
+      duration_ms
+    end
+    private_class_method :validate_duration_ms!
+
+    # Validates outcome and error_message consistency
+    # @param outcome [String]
+    # @param error_message [String, nil]
+    # @raise [ArgumentError]
+    def self.validate_outcome_error_consistency!(outcome, error_message)
+      if outcome == "failure"
+        if error_message.nil? || error_message.empty?
+          raise ArgumentError, "error_message is required when outcome is 'failure'"
+        end
+      elsif outcome == "success"
+        unless error_message.nil?
+          raise ArgumentError, "error_message must be nil when outcome is 'success'"
+        end
+      end
+    end
+    private_class_method :validate_outcome_error_consistency!
+
+    # Recursively sanitizes a hash by filtering sensitive keys
+    # @param hash [Hash]
+    # @return [Hash] Sanitized hash with sensitive values replaced
+    def self.sanitize_hash(hash)
+      hash.each_with_object({}) do |(key, value), result|
+        if sensitive_key?(key)
+          result[key] = "[FILTERED]"
+        elsif value.is_a?(Hash)
+          result[key] = sanitize_hash(value)
+        elsif value.is_a?(Array)
+          result[key] = value.map { |item| item.is_a?(Hash) ? sanitize_hash(item) : item }
+        else
+          result[key] = value
+        end
+      end
+    end
+    private_class_method :sanitize_hash
+
+    # Checks if a key is sensitive (case-insensitive substring match)
+    # @param key [String, Symbol]
+    # @return [Boolean]
+    def self.sensitive_key?(key)
+      key_str = key.to_s.downcase
+      SENSITIVE_KEYS.any? { |sensitive| key_str.include?(sensitive) }
+    end
+    private_class_method :sensitive_key?
+  end
+end