using System.Text.RegularExpressions;
namespace MCPForUnity.Editor.Security
{
///
/// Scrubs secrets out of text before it is logged or returned. Use on every error/log
/// path that might contain an auth header or a key value.
///
public static class SecretRedactor
{
private const string Mask = "***REDACTED***";
// Authorization-scheme tokens: "Bearer xxx", "Key xxx", "Token xxx".
private static readonly Regex SchemeToken = new Regex(
@"\b(Bearer|Key|Token)\s+\S{6,}",
RegexOptions.IgnoreCase | RegexOptions.Compiled);
/// Redact auth-scheme tokens from arbitrary text (cheap; no store reads).
public static string Scrub(string text)
{
if (string.IsNullOrEmpty(text)) return text;
return SchemeToken.Replace(text, m => m.Groups[1].Value + " " + Mask);
}
/// Redact a specific known secret value as well as auth-scheme tokens.
public static string Scrub(string text, string secret)
{
if (string.IsNullOrEmpty(text)) return text;
if (!string.IsNullOrEmpty(secret) && secret.Length >= 4)
{
text = text.Replace(secret, Mask);
}
return Scrub(text);
}
}
}