elven-logs-interceptor-python 0.1.16__tar.gz → 0.1.17__tar.gz

{elven_logs_interceptor_python-0.1.16 → elven_logs_interceptor_python-0.1.17}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: elven-logs-interceptor-python
-Version: 0.1.16
+Version: 0.1.17
 Summary: Production-grade logs interceptor for Python with Loki transport, resilience, batching, and framework integrations.
 Author: Elven Observability
 License: MIT
@@ -123,12 +123,16 @@ logging.getLogger(__name__).info(
 
 Supported aliases: `warning(...)`, `exception(...)` and `critical(...)`.
 
-Sensitive fields such as `cpf`, `cnpj`, `cpfCnpj`, `password`, `token` and `authorization` are
-redacted by default. In messages, the library redacts only the sensitive
-fragment/value and preserves the rest of the log. In structured context,
-sensitive keys redact the full value. Set `LOGS_FILTER_SANITIZE=false`,
-`LOGS_SANITIZE=false`, or `UO_LOGS_SANITIZE=false` only when raw sensitive data
-is explicitly required and approved.
+Sensitive fields such as `cpf`, `cnpj`, `cpfCnpj`, `documento`,
+`numeroDocumento`, `taxId`, `apiKey`, `clientSecret`, `senha`, `password`,
+`token`, `authorization`, `cartao/cartão`, `chavePix` and related credential
+fields are redacted by default. In messages, the library redacts only the
+sensitive fragment/value and preserves the rest of the log. In structured
+context, sensitive keys redact the full value. The key matcher normalizes
+common `snake_case`, `camelCase`, `kebab-case`, dotted variants, and accents.
+Set `LOGS_FILTER_SANITIZE=false`, `LOGS_SANITIZE=false`, or
+`UO_LOGS_SANITIZE=false` only when raw sensitive data is explicitly required
+and approved.
 
 ## Environment Variables
 

{elven_logs_interceptor_python-0.1.16 → elven_logs_interceptor_python-0.1.17}/README.md

@@ -62,12 +62,16 @@ logging.getLogger(__name__).info(
 
 Supported aliases: `warning(...)`, `exception(...)` and `critical(...)`.
 
-Sensitive fields such as `cpf`, `cnpj`, `cpfCnpj`, `password`, `token` and `authorization` are
-redacted by default. In messages, the library redacts only the sensitive
-fragment/value and preserves the rest of the log. In structured context,
-sensitive keys redact the full value. Set `LOGS_FILTER_SANITIZE=false`,
-`LOGS_SANITIZE=false`, or `UO_LOGS_SANITIZE=false` only when raw sensitive data
-is explicitly required and approved.
+Sensitive fields such as `cpf`, `cnpj`, `cpfCnpj`, `documento`,
+`numeroDocumento`, `taxId`, `apiKey`, `clientSecret`, `senha`, `password`,
+`token`, `authorization`, `cartao/cartão`, `chavePix` and related credential
+fields are redacted by default. In messages, the library redacts only the
+sensitive fragment/value and preserves the rest of the log. In structured
+context, sensitive keys redact the full value. The key matcher normalizes
+common `snake_case`, `camelCase`, `kebab-case`, dotted variants, and accents.
+Set `LOGS_FILTER_SANITIZE=false`, `LOGS_SANITIZE=false`, or
+`UO_LOGS_SANITIZE=false` only when raw sensitive data is explicitly required
+and approved.
 
 ## Environment Variables
 

{elven_logs_interceptor_python-0.1.16 → elven_logs_interceptor_python-0.1.17}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "elven-logs-interceptor-python"
-version = "0.1.16"
+version = "0.1.17"
 description = "Production-grade logs interceptor for Python with Loki transport, resilience, batching, and framework integrations."
 readme = "README.md"
 requires-python = ">=3.10"

{elven_logs_interceptor_python-0.1.16 → elven_logs_interceptor_python-0.1.17}/src/logs_interceptor/application/config_service.py

@@ -24,13 +24,25 @@ from ..types import LogLevel
 DEFAULT_LEVELS: list[LogLevel] = ["debug", "info", "warn", "error", "fatal"]
 DEFAULT_SENSITIVE_PATTERNS = [
     r"password",
+    r"senha",
     r"token",
     r"secret",
+    r"segredo",
     r"api[_-]?key",
+    r"chave[_-]?api",
     r"authorization",
+    r"credential",
     r"credit[_-]?card",
+    r"cartao",
     r"ssn",
     r"cpf[_-]?cnpj",
+    r"cnpj[_-]?cpf",
+    r"tax[_-]?id",
+    r"document[_-]?number",
+    r"documento",
+    r"numero[_-]?documento",
+    r"passaporte",
+    r"passport",
     r"cnpj",
     r"cpf",
 ]

{elven_logs_interceptor_python-0.1.16 → elven_logs_interceptor_python-0.1.17}/src/logs_interceptor/utils.py

@@ -8,6 +8,7 @@ import re
 import secrets
 import sys
 import traceback
+import unicodedata
 from collections.abc import Iterable, Mapping
 from dataclasses import asdict, fields, is_dataclass
 from datetime import datetime
@@ -39,6 +40,58 @@ except Exception:  # pragma: no cover - optional dependency
 TRUE_VALUES = {"1", "true", "yes", "on"}
 FALSE_VALUES = {"0", "false", "no", "off"}
 
+_SENSITIVE_KEY_TOKENS = (
+    "password",
+    "passwd",
+    "passphrase",
+    "pwd",
+    "senha",
+    "senhas",
+    "token",
+    "jwt",
+    "secret",
+    "segredo",
+    "clientsecret",
+    "privatekey",
+    "apikey",
+    "chaveapi",
+    "chavesecreta",
+    "chaveacesso",
+    "chavepix",
+    "accesskey",
+    "authorization",
+    "credentials",
+    "credential",
+    "credenciais",
+    "credencial",
+    "cpfcnpj",
+    "cnpjcpf",
+    "cpf",
+    "cnpj",
+    "taxid",
+    "taxidentifier",
+    "documentnumber",
+    "documentid",
+    "documento",
+    "numerodocumento",
+    "documentoidentificacao",
+    "passport",
+    "passaporte",
+    "ssn",
+    "creditcard",
+    "cardnumber",
+    "cartao",
+    "numerocartao",
+    "cvv",
+    "cvc",
+    "pixkey",
+    "bankaccount",
+    "accountnumber",
+    "numeroconta",
+    "iban",
+    "email",
+)
+
 
 def parse_bool(value: str | None, default: bool) -> bool:
     if value is None:
@@ -395,10 +448,7 @@ def detect_sensitive_data(text: str, patterns: Iterable[str]) -> bool:
 def redact_sensitive_text(text: str, sensitive_patterns: Iterable[str]) -> str:
     """Redact sensitive values while preserving the surrounding log message."""
     patterns = list(sensitive_patterns)
-    redacted = text
-
-    for pattern in patterns:
-        redacted = _redact_key_value_pattern(redacted, pattern)
+    redacted = _redact_sensitive_key_values(text, patterns)
 
     common_replacements: tuple[tuple[re.Pattern[str], str], ...] = (
         (
@@ -436,31 +486,70 @@ def redact_sensitive_text(text: str, sensitive_patterns: Iterable[str]) -> str:
     return redacted
 
 
-def _redact_key_value_pattern(text: str, key_pattern: str) -> str:
-    quoted = re.compile(
-        rf"(?P<prefix>(?:[\"']?{key_pattern}[\"']?)\s*[:=]\s*)(?P<quote>[\"'])(?P<value>.*?)(?P=quote)",
+def _redact_sensitive_key_values(text: str, sensitive_patterns: Iterable[str]) -> str:
+    key_value = re.compile(
+        r"(?P<key_quote>[\"']?)(?P<key>[A-Za-z_][\w.\-]*)(?P=key_quote)"
+        r"(?P<separator>\s*[:=]\s*)"
+        r"(?P<value_quote>[\"'])(?P<value>.*?)(?P=value_quote)",
         re.IGNORECASE,
     )
-    redacted = quoted.sub(r"\g<prefix>\g<quote>[REDACTED]\g<quote>", text)
+
+    def _replace_key_value(match: re.Match[str]) -> str:
+        if not _is_sensitive_key(match.group("key"), sensitive_patterns):
+            return match.group(0)
+        return (
+            f"{match.group('key_quote')}{match.group('key')}{match.group('key_quote')}"
+            f"{match.group('separator')}{match.group('value_quote')}[REDACTED]"
+            f"{match.group('value_quote')}"
+        )
+
+    redacted = key_value.sub(_replace_key_value, text)
 
     unquoted = re.compile(
-        rf"(?P<prefix>(?:[\"']?{key_pattern}[\"']?)\s*[:=]\s*)(?P<value>[^\s,;&}}\]\"']+)",
+        r"(?P<key>[A-Za-z_][\w.\-]*)"
+        r"(?P<separator>\s*[:=]\s*)"
+        r"(?P<value>[^\s,;&}}\]\"']+)",
         re.IGNORECASE,
     )
 
     def _replace_unquoted(match: re.Match[str]) -> str:
+        if not _is_sensitive_key(match.group("key"), sensitive_patterns):
+            return match.group(0)
         value = match.group("value")
         if value.lower() in {"bearer", "basic"} or value == "[REDACTED]":
             return match.group(0)
-        return f"{match.group('prefix')}[REDACTED]"
+        return f"{match.group('key')}{match.group('separator')}[REDACTED]"
 
     redacted = unquoted.sub(_replace_unquoted, redacted)
 
     query = re.compile(
-        rf"(?P<prefix>[?&](?:{key_pattern})=)(?P<value>[^&#\s]+)",
+        r"(?P<prefix>[?&](?P<key>[A-Za-z_][\w.\-]*)=)(?P<value>[^&#\s]+)",
         re.IGNORECASE,
     )
-    return query.sub(r"\g<prefix>[REDACTED]", redacted)
+
+    def _replace_query(match: re.Match[str]) -> str:
+        if not _is_sensitive_key(match.group("key"), sensitive_patterns):
+            return match.group(0)
+        return f"{match.group('prefix')}[REDACTED]"
+
+    return query.sub(_replace_query, redacted)
+
+
+def _is_sensitive_key(key: str, sensitive_patterns: Iterable[str]) -> bool:
+    compiled = [re.compile(pattern, re.IGNORECASE) for pattern in sensitive_patterns]
+    if any(pattern.search(key) for pattern in compiled):
+        return True
+    normalized = _normalize_sensitive_key(key)
+    return any(token in normalized for token in _SENSITIVE_KEY_TOKENS)
+
+
+def _normalize_sensitive_key(key: str) -> str:
+    ascii_key = (
+        unicodedata.normalize("NFKD", key)
+        .encode("ascii", "ignore")
+        .decode("ascii")
+    )
+    return re.sub(r"[^a-z0-9]", "", ascii_key.lower())
 
 
 def _looks_like_value_pattern(pattern: str) -> bool:
@@ -490,7 +579,9 @@ def sanitize_data(
     sanitized: dict[str, Any] = {}
 
     for key, value in data.items():
-        key_sensitive = any(pattern.search(key) for pattern in compiled)
+        key_sensitive = any(pattern.search(key) for pattern in compiled) or _is_sensitive_key(
+            key, sensitive_patterns
+        )
         if key_sensitive:
             sanitized[key] = "[REDACTED]"
             continue