Evidence Sanitizer scans evidence text for JSON-like "key": "value" pairs and redacts the string value when the key matches a known sensitive field name. The scanner is intentionally conservative — it uses raw string-level scanning rather than a full JSON parser, which means it handles valid JSON as found in typical evidence but does not validate, reserialize, or normalize JSON structure. Only direct string values are redacted; numbers, booleans, null, arrays, and objects are left unchanged.

Rule ID and Marker

Rule ID      Marker
json.value   <REDACTED:json.value>

Sensitive JSON Field Names

The following field names trigger json.value redaction (matched case-insensitively after ASCII lowercase normalization): token, access_token, accesstoken, refresh_token, refreshtoken, id_token, idtoken, auth_token, authtoken, jwt, session, session_id, sessionid, sid, api_key, apikey, x_api_key, xapikey, password, passwd, pwd, client_secret, clientsecret, shared_secret, sharedsecret, private_key, privatekey, sig, signature, x_amz_signature, xamzsignature, x_goog_signature, xgoogsignature, client_assertion, clientassertion, saml_response, samlresponse

Before/After Example

From the README:

Before:
{"access_token":"synthetic-access-token","refresh_token":"synthetic-refresh-token","token_type":"Bearer","client_secret":"synthetic-client-secret","user_id":"user-123"}

After:
{"access_token":"<REDACTED:json.value>","refresh_token":"<REDACTED:json.value>","token_type":"Bearer","client_secret":"<REDACTED:json.value>","user_id":"user-123"}

From the golden fixture json_api_body_mixed:

Before:
{"access_token":"synthetic-access-token","refresh_token":"synthetic-refresh-token","id_token":"synthetic-id-token","token_type":"Bearer","client_secret":"synthetic-client-secret","password":"synthetic-password","api_key":"synthetic-api-key","user_id":"user-123","theme":"dark"}

After:
{"access_token":"<REDACTED:json.value>","refresh_token":"<REDACTED:json.value>","id_token":"<REDACTED:json.value>","token_type":"Bearer","client_secret":"<REDACTED:json.value>","password":"<REDACTED:json.value>","api_key":"<REDACTED:json.value>","user_id":"user-123","theme":"dark"}

token_type, user_id, and theme are not in the sensitive field name list and are left unchanged.

Only Direct String Values

The json.value rule only redacts when the value is a JSON string literal (enclosed in ""). The following value types are not redacted even if the field name is in the sensitive list:
  • Numbers: {"token": 12345} → unchanged
  • Booleans: {"session": true} → unchanged
  • Null: {"sid": null} → unchanged
  • Arrays: {"access_token": ["a", "b"]} → unchanged
  • Objects: {"client_secret": {"key": "val"}} → unchanged
Nested sensitive string fields inside arrays or objects may still be redacted if they independently form a matched "key": "value" pair in the raw scan.

Case-Insensitive Field Name Matching

Field names are normalized to ASCII lowercase before lookup. "Access_Token", "ACCESS_TOKEN", and "access_token" all match the same entry.

Conservative Raw Scanning

The JSON scanner does not build a parse tree. It finds " characters in the text, attempts to parse a JSON string key, looks for : after the key, then looks for a " opening a string value. A match is only recorded when all three elements — quoted key, colon separator (with optional whitespace), and quoted string value — are found in sequence. Strings containing CR or LF, or invalid escape sequences, cause the scanner to skip forward and continue rather than aborting.

Overlap Protection

The JSON scanner is evaluated last, after Authorization, Proxy-Authorization, Cookie, Sensitive Header, Form, and Query findings. If a candidate JSON value span overlaps any existing finding, the JSON finding is suppressed.
Authorization: Bearer synthetic-bearer-token
{"access_token": "synthetic-bearer-token"}
In the above example, if the "synthetic-bearer-token" string in the JSON body overlaps with an authorization.bearer span, the json.value finding for that specific value is skipped. The Authorization finding is authoritative. Folded Proxy-Authorization header spans are also registered as protected regions and prevent JSON findings from firing inside them.

Idempotence

If the string value payload (the content between the quotes) is already exactly <REDACTED:json.value>, no finding is produced.

Full JSON parsing, validation, and reserialization are out of scope. Malformed JSON that still contains readable "key": "value" pairs may have its string values redacted. JSON with unusual formatting (e.g., multi-line string values with literal newlines) may not be matched.
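The following is an added illustration, not Evidence Sanitizer's own source, of the behaviours described on this page in one small scanner: the raw quote-colon-quote scan, redaction of direct string values only, ASCII-lowercase key matching, the idempotence check, and overlap suppression against spans registered by earlier rules. The function names (parse_json_string, scan_json_values, redact_json_values), the exact resume position after a non-match, and the whitespace set accepted around the colon are assumptions made for the example; the project's real scanner may differ in those details.

```python
# Added illustration (not the Evidence Sanitizer source): a conservative,
# string-level json.value scanner. Function names, resume positions after a
# non-match and the whitespace set around ':' are assumptions of this example.

MARKER = "<REDACTED:json.value>"

# Sensitive field names from the page, compared after ASCII lowercasing.
SENSITIVE_JSON_FIELDS = frozenset("""
token access_token accesstoken refresh_token refreshtoken id_token idtoken
auth_token authtoken jwt session session_id sessionid sid api_key apikey
x_api_key xapikey password passwd pwd client_secret clientsecret
shared_secret sharedsecret private_key privatekey sig signature
x_amz_signature xamzsignature x_goog_signature xgoogsignature
client_assertion clientassertion saml_response samlresponse
""".split())

_JSON_WS = " \t\r\n"            # whitespace tolerated around the colon (assumed)
_SIMPLE_ESCAPES = set('"\\/bfnrt')
_HEX = set("0123456789abcdefABCDEF")


def ascii_lower(s):
    """Lowercase A-Z only; non-ASCII characters are left untouched."""
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in s)


def parse_json_string(text, start):
    """Parse a JSON string literal whose opening quote is at text[start].

    Returns (payload, end) with end just past the closing quote, or None when
    the literal is unusable for this scanner: a raw CR/LF inside it, an
    invalid escape sequence, or no closing quote.
    """
    if start >= len(text) or text[start] != '"':
        return None
    i = start + 1
    while i < len(text):
        c = text[i]
        if c == '"':
            return text[start + 1:i], i + 1
        if c in "\r\n":
            return None
        if c == "\\":
            esc = text[i + 1:i + 2]
            if esc == "u":
                if len(text[i + 2:i + 6]) != 4 or not set(text[i + 2:i + 6]) <= _HEX:
                    return None
                i += 6
            elif esc in _SIMPLE_ESCAPES:
                i += 2
            else:
                return None
            continue
        i += 1
    return None


def scan_json_values(text, protected=()):
    """Return (start, end) spans of value payloads that json.value would redact.

    protected: (start, end) spans recorded by earlier rules (Authorization,
    Cookie, ...). A candidate overlapping any of them is suppressed.
    """
    findings, i, n = [], 0, len(text)
    while i < n:
        if text[i] != '"':
            i += 1
            continue
        key = parse_json_string(text, i)
        if key is None:             # bad string: skip forward, keep scanning
            i += 1
            continue
        key_payload, k = key
        while k < n and text[k] in _JSON_WS:
            k += 1
        if k >= n or text[k] != ":":    # quoted text with no colon: not a key
            i = key[1]
            continue
        k += 1
        while k < n and text[k] in _JSON_WS:
            k += 1
        value = parse_json_string(text, k) if k < n and text[k] == '"' else None
        if value is None:           # number/bool/null/array/object or bad string
            i = key[1]
            continue
        payload, i = value          # resume scanning after the value string
        span = (k + 1, i - 1)       # payload between the value's quotes
        if ascii_lower(key_payload) not in SENSITIVE_JSON_FIELDS:
            continue
        if payload == MARKER:       # idempotence: already redacted
            continue
        if any(s < span[1] and span[0] < e for s, e in protected):
            continue                # overlap protection: the earlier rule wins
        findings.append(span)
    return findings


def redact_json_values(text, protected=()):
    """Replace each finding's payload with MARKER, right to left so that
    earlier spans keep their positions while later ones are rewritten."""
    out = text
    for start, end in reversed(scan_json_values(text, protected)):
        out = out[:start] + MARKER + out[end:]
    return out


if __name__ == "__main__":
    sample = '{"access_token":"synthetic-access-token","token_type":"Bearer"}'
    print(redact_json_values(sample))
```

Because the scan pairs quotes without a parse tree, a string broken by a literal newline or a bad escape can shift quote pairing for the rest of that line; later lines are still scanned normally, which is the "skip forward and continue" behaviour the page describes and one reason a multi-line string value may go unmatched.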
