Evidence Sanitizer processes text files line-by-line and span-by-span, applying 12 deterministic rule families to detect and replace credentials, tokens, cookies, and secrets with fixed redaction markers. Every rule family targets a specific surface in HTTP-style evidence — Authorization headers, Proxy-Authorization headers, Cookie headers, named API/auth headers, URL query parameters, JSON string fields, and form-urlencoded body fields. Rules never expose matched values: reports contain only rule IDs and per-rule counts.

All 12 Rule Families

| Rule ID | Marker | Targets |
| --- | --- | --- |
| authorization.bearer | <REDACTED:authorization.bearer> | Authorization: Bearer credentials |
| authorization.basic | <REDACTED:authorization.basic> | Authorization: Basic credentials |
| authorization.other | <REDACTED:authorization.credentials> | Other syntactically valid Authorization schemes |
| proxy_authorization.bearer | <REDACTED:proxy_authorization.bearer> | Proxy-Authorization: Bearer credentials |
| proxy_authorization.basic | <REDACTED:proxy_authorization.basic> | Proxy-Authorization: Basic credentials |
| proxy_authorization.other | <REDACTED:proxy_authorization.credentials> | Other syntactically valid Proxy-Authorization schemes |
| cookie.value | <REDACTED:cookie.value> | Individual Cookie values in safely parsed headers |
| cookie.header | <REDACTED:cookie.header> | Whole Cookie header fallback when safe parsing fails |
| header.secret | <REDACTED:header.secret> | Selected sensitive API/auth header values |
| query.secret | <REDACTED:query.secret> | Selected sensitive URL query parameter values |
| json.value | <REDACTED:json.value> | String values of approved sensitive JSON field names |
| form.value | <REDACTED:form.value> | Raw values of approved sensitive form-urlencoded field names |

Rule Evaluation Order

Rules are evaluated in a fixed sequence inside sanitize_text. Later-stage rules respect the spans already claimed by earlier ones, preventing double-redaction and overlap conflicts.
  1. Authorization: authorization.bearer, authorization.basic, authorization.other
  2. Proxy-Authorization: proxy_authorization.bearer, proxy_authorization.basic, proxy_authorization.other
  3. Cookie: cookie.value, cookie.header
  4. Sensitive headers: header.secret
  5. Form: form.value (gated by Content-Type: application/x-www-form-urlencoded)
  6. Query: query.secret (skips spans already covered by steps 1–5)
  7. JSON: json.value (skips spans already covered by steps 1–6)
Folded proxy-authorization header spans are tracked separately and used as protected regions for the form, query, and JSON scanners — even though folded headers do not produce findings themselves.

Reports: Rule IDs and Counts Only

After sanitization, the CLI prints the output path and a report listing which rule IDs fired and how many times. Reports never include detected values, source excerpts, header names, cookie names, or parameter names.
```text
Sanitized: evidence.txt -> evidence.sanitized.txt
Rules triggered:
authorization.bearer: 1
cookie.value: 3
header.secret: 1
query.secret: 3
```

When no rules trigger, the report reads:

```text
Rules triggered: none
```
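The evaluation order, the span-claiming rule and the counts-only report described above, as an added worked example written for this page. It is not Evidence Sanitizer's own sanitize_text and does not reproduce its regexes or name lists: the rule IDs and markers are taken from the table, while the regexes, the sensitive-name lists, the function names and the sample evidence are assumptions made here for illustration. Header folding (obs-fold) is not modelled.

```python
import re
from collections import Counter

# Rule IDs and markers as listed in the table above. The regexes, the
# name lists and the sample evidence below are this example's own
# assumptions, not Evidence Sanitizer's.
MARKER = {rid: f"<REDACTED:{rid}>" for rid in (
    "authorization.bearer", "authorization.basic",
    "proxy_authorization.bearer", "proxy_authorization.basic",
    "cookie.value", "cookie.header", "header.secret",
    "form.value", "query.secret", "json.value")}
MARKER["authorization.other"] = "<REDACTED:authorization.credentials>"
MARKER["proxy_authorization.other"] = "<REDACTED:proxy_authorization.credentials>"

SCHEME = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"                     # RFC 9110 token
SECRET_HEADERS = ("X-Api-Key", "X-Auth-Token", "Api-Key")   # assumed list
HARMLESS_COOKIES = {"theme", "lang", "locale"}              # assumed allowlist
FORM_SECRETS = ("password", "token", "client_secret")       # assumed list
QUERY_SECRETS = ("access_token", "token", "api_key", "password")
JSON_SECRETS = ("password", "token", "access_token", "client_secret")
FORM_TYPE = "application/x-www-form-urlencoded"

def _auth_rules(text, header, prefix):
    """Steps 1-2: Bearer, Basic or other-scheme credentials of one header."""
    pat = re.compile(rf"^{header}:[ \t]*({SCHEME})[ \t]+(\S.*?)[ \t]*$", re.I | re.M)
    for m in pat.finditer(text):
        scheme = m.group(1).lower()
        kind = scheme if scheme in ("bearer", "basic") else "other"
        yield m.start(2), m.end(2), f"{prefix}.{kind}"

def _cookie_rules(text):
    """Step 3: redact non-harmless cookie values; whole value if a pair has no '='."""
    for m in re.finditer(r"^Cookie:[ \t]*(\S.*?)[ \t]*$", text, re.I | re.M):
        pieces = m.group(1).split(";")
        if not all("=" in p for p in pieces):
            yield m.start(1), m.end(1), "cookie.header"   # unsafe to parse: fallback
            continue
        pos = m.start(1)
        for piece in pieces:
            if piece.partition("=")[0].strip().lower() not in HARMLESS_COOKIES:
                yield pos + piece.index("=") + 1, pos + len(piece), "cookie.value"
            pos += len(piece) + 1                           # step over the ';'

def _named_values(text, names, pattern, rule_id, offset=0):
    """Steps 4-7 share one shape: a fixed name list plus a value group 'v'."""
    regex = pattern.format(names="|".join(map(re.escape, names)))
    for m in re.finditer(regex, text, re.I | re.M):
        yield offset + m.start("v"), offset + m.end("v"), rule_id

def sanitize_evidence(text):
    """Run the seven steps in order; a later match overlapping a span an earlier
    step already claimed is dropped, so nothing is redacted twice."""
    head, sep, body = text.partition("\n\n")                # headers / blank / body
    form_gated = re.search(rf"^Content-Type:[ \t]*{re.escape(FORM_TYPE)}", head, re.I | re.M)
    steps = [
        _auth_rules(text, "Authorization", "authorization"),
        _auth_rules(text, "Proxy-Authorization", "proxy_authorization"),
        _cookie_rules(text),
        _named_values(text, SECRET_HEADERS, r"^(?:{names}):[ \t]*(?P<v>\S.*?)[ \t]*$", "header.secret"),
        _named_values(body, FORM_SECRETS, r"(?:^|&)(?:{names})=(?P<v>[^&\r\n]*)", "form.value",
                      len(head) + len(sep)) if form_gated else (),
        _named_values(text, QUERY_SECRETS, r'[?&](?:{names})=(?P<v>[^&\s"#]*)', "query.secret"),
        _named_values(text, JSON_SECRETS, r'"(?:{names})"\s*:\s*"(?P<v>(?:[^"\\]|\\.)*)"', "json.value"),
    ]
    claimed, counts = [], Counter()
    for step in steps:
        for start, end, rule_id in step:
            if any(start < e and s < end for s, e, _ in claimed):
                continue                                    # yields to an earlier claim
            claimed.append((start, end, rule_id))
            counts[rule_id] += 1
    out = text
    for start, end, rule_id in sorted(claimed, reverse=True):  # right to left, so
        out = out[:start] + MARKER[rule_id] + out[end:]        # earlier offsets stay valid
    return out, counts

def format_report(counts):
    """Rule IDs and counts only; matched values never reach the report."""
    if not counts:
        return "Rules triggered: none"
    return "Rules triggered:\n" + "\n".join(f"{k}: {n}" for k, n in sorted(counts.items()))

# Constructed sample evidence (not captured traffic): a form-encoded request whose
# body also looks like a query string, and a JSON response embedding a URL.
REQUEST = ("POST /api/v1/login?access_token=abc123&page=2 HTTP/1.1\nHost: example.test\n"
           "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig\n"
           "Proxy-Authorization: Basic dXNlcjpwYXNz\nCookie: session=s3cr3t; theme=dark\n"
           "X-Api-Key: key-0123456789\nContent-Type: application/x-www-form-urlencoded\n\n"
           "password=hunter2&token=tok-9&remember=1\n")
RESPONSE = ("HTTP/1.1 200 OK\nContent-Type: application/json\n\n"
            '{"access_token": "tok-abc", "token_type": "Bearer", '
            '"profile_url": "https://example.test/u?token=xyz"}\n')

if __name__ == "__main__":
    for sample in (REQUEST, RESPONSE):
        out, counts = sanitize_evidence(sample)
        print(out + format_report(counts) + "\n")
```

The request body is the case the ordering exists for: `&token=tok-9` satisfies the query rule's pattern as well as the form rule's, but the form step runs first and claims the span, so the query step skips it and the value is counted once, under form.value. Had the body not been gated by the form Content-Type, the same bytes would have been left to the query rule instead.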

Individual Rule Family Pages

Authorization Headers

Bearer, Basic, and generic scheme redaction for Authorization headers — three rule IDs, three markers.

Proxy-Authorization

Dedicated proxy-specific rule IDs mirroring the Authorization rule family for Proxy-Authorization headers.

Cookie Headers

Per-name classification for Cookie header values — sensitive, telemetry, and unknown names are redacted; harmless preference cookies are preserved.

Sensitive Headers

A fixed list of API key and authentication header names redacted under rule ID header.secret.

Query Parameters

A fixed list of sensitive URL query parameter names redacted under rule ID query.secret.

JSON Fields

Conservative raw JSON-like scanning that redacts string values for approved sensitive field names under rule ID json.value.

Form Bodies

Content-Type-gated form-urlencoded body scanning for approved sensitive field names under rule ID form.value.
