nomyo-router/security.py

"""Secret-masking helpers used when logging or surfacing backend errors."""
import re


def _mask_secrets(text: str) -> str:
    """
    Mask common API key patterns to avoid leaking secrets in logs or error payloads.
    """
    if not text:
        return text
    # OpenAI-style keys (sk-...) and generic "api key" mentions
    text = re.sub(r"sk-[A-Za-z0-9]{4}[A-Za-z0-9_-]*", "sk-***redacted***", text)
    text = re.sub(r"(?i)(api[-_ ]key\s*[:=]\s*)([^\s]+)", r"\1***redacted***", text)
    return text