The sanitize command creates a sanitized copy of a single evidence text file, replacing recognized sensitive values with deterministic redaction markers and printing a safe report of which rule families triggered. The original input file is never modified — all output lands in an explicitly provided destination path that must not already exist.
Usage
Arguments and Options
Path to the evidence text file to sanitize. Must be a readable regular file encoded in strict UTF-8 or UTF-8 with BOM. The file must not exceed 10 MiB and must not contain NUL bytes. This file is never modified.
Path where the sanitized copy will be written. The parent directory must already exist. The path must not already exist (the command uses exclusive creation and will error if a file or symlink is present at this location). The resolved path must not refer to the same file as INPUT.
When set, the command performs all validation, reading, decoding, and detection steps but writes no output file and creates no temporary files. The report of triggered rule counts is printed to stdout exactly as it would be for a normal run, prefixed with Dry run: no output written. Use this flag to audit what will be redacted before committing to a sanitized copy.
Behavior and Safety Guarantees
The sanitize command enforces a strict safety model at every stage:
- Input file is never modified. All changes are written exclusively to the --output path.
- Output path must not already exist. The command uses exclusive file creation (open("xb")). If a file or symlink already exists at the output path, the command exits with an error before writing anything.
- Output parent directory must already exist. The command does not create intermediate directories.
- Output path must not resolve to the same file as input. Both paths are resolved before any I/O begins.
- Maximum input size: 10 MiB. Files larger than 10,485,760 bytes are rejected before reading their contents.
- Input must be strict UTF-8 or UTF-8 with BOM. Any other encoding causes an input error. UTF-8 BOM presence, line endings (LF/CRLF/mixed), and final-newline state are preserved in the output.
- NUL bytes are rejected. Input containing \x00 bytes is refused with an input error.
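The checks in the list above map onto standard-library calls. The following is an added example, not the project's own code: the names read_evidence, write_copy and InputError are hypothetical, and the detection step is left out, so the text passes through unchanged as in a run where no rules trigger.

```python
import tempfile
from pathlib import Path

MAX_BYTES = 10 * 1024 * 1024  # 10 MiB = 10,485,760 bytes
BOM = b"\xef\xbb\xbf"


class InputError(Exception):
    """Input failed a pre-read or decode check (hypothetical name)."""


def read_evidence(path: Path) -> tuple[bytes, str]:
    """Return (bom, text) after the size, NUL and strict UTF-8 checks."""
    if not path.is_file():
        raise InputError("input is not a regular file")
    if path.stat().st_size > MAX_BYTES:  # checked before reading contents
        raise InputError("input exceeds 10 MiB")
    raw = path.read_bytes()  # bytes mode: no newline translation
    if b"\x00" in raw:
        raise InputError("input contains NUL bytes")
    bom = BOM if raw.startswith(BOM) else b""
    try:
        return bom, raw[len(bom):].decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise InputError("input is not strict UTF-8") from exc


def write_copy(src: Path, dst: Path, bom: bytes, text: str) -> None:
    """Write bom + text to dst with exclusive creation; src is only read."""
    if not dst.parent.is_dir():
        raise FileNotFoundError("output parent directory must already exist")
    if dst.resolve() == src.resolve():
        raise ValueError("output resolves to the input file")
    # "xb" is O_CREAT|O_EXCL: fails if a file or symlink already exists at dst.
    with open(dst, "xb") as fh:
        fh.write(bom + text.encode("utf-8"))  # LF/CRLF/mixed endings round-trip


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "evidence.txt"
        # Constructed sample: BOM, CRLF and LF endings, no final newline.
        src.write_bytes(BOM + b"GET / HTTP/1.1\r\nHost: example.test\nbody")
        dst = Path(tmp) / "evidence.sanitized.txt"
        write_copy(src, dst, *read_evidence(src))
        print("byte-identical copy:", dst.read_bytes() == src.read_bytes())
```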
Output Format
A successful run prints the input and output paths, followed by a count of every rule ID that triggered, sorted alphabetically:
When No Rules Trigger
If no sensitive values are detected in the input, the command still writes the output file (an identical copy of the input) and reports:
Before and After Example
The following synthetic HTTP request demonstrates several rule families triggering in a single file.
Input (evidence.txt):
Output (evidence.sanitized.txt):
theme=dark is left unchanged — theme is a known harmless cookie name. The Host header and grant_type form field are not in the sensitive name sets and are likewise left untouched.