Evidence Sanitizer processes text files line-by-line and span-by-span, applying 12 deterministic rule families to detect and replace credentials, tokens, cookies, and secrets with fixed redaction markers. Every rule family targets a specific surface in HTTP-style evidence — Authorization headers, Proxy-Authorization headers, Cookie headers, named API/auth headers, URL query parameters, JSON string fields, and form-urlencoded body fields. Rules never expose matched values: reports contain only rule IDs and per-rule counts.
All 12 Rule Families
| Rule ID | Marker | Targets |
|---|---|---|
| `authorization.bearer` | `<REDACTED:authorization.bearer>` | Authorization: Bearer credentials |
| `authorization.basic` | `<REDACTED:authorization.basic>` | Authorization: Basic credentials |
| `authorization.other` | `<REDACTED:authorization.credentials>` | Other syntactically valid Authorization schemes |
| `proxy_authorization.bearer` | `<REDACTED:proxy_authorization.bearer>` | Proxy-Authorization: Bearer credentials |
| `proxy_authorization.basic` | `<REDACTED:proxy_authorization.basic>` | Proxy-Authorization: Basic credentials |
| `proxy_authorization.other` | `<REDACTED:proxy_authorization.credentials>` | Other syntactically valid Proxy-Authorization schemes |
| `cookie.value` | `<REDACTED:cookie.value>` | Individual Cookie values in safely parsed headers |
| `cookie.header` | `<REDACTED:cookie.header>` | Whole Cookie header fallback when safe parsing fails |
| `header.secret` | `<REDACTED:header.secret>` | Selected sensitive API/auth header values |
| `query.secret` | `<REDACTED:query.secret>` | Selected sensitive URL query parameter values |
| `json.value` | `<REDACTED:json.value>` | String values of approved sensitive JSON field names |
| `form.value` | `<REDACTED:form.value>` | Raw values of approved sensitive form-urlencoded field names |
Rule Evaluation Order
Rules are evaluated in a fixed sequence inside `sanitize_text`. Later-stage rules respect the spans already claimed by earlier ones, preventing double-redaction and overlap conflicts.
1. Authorization — `authorization.bearer`, `authorization.basic`, `authorization.other`
2. Proxy-Authorization — `proxy_authorization.bearer`, `proxy_authorization.basic`, `proxy_authorization.other`
3. Cookie — `cookie.value`, `cookie.header`
4. Sensitive Headers — `header.secret`
5. Form — `form.value` (gated by `Content-Type: application/x-www-form-urlencoded`)
6. Query — `query.secret` (skips spans already covered by steps 1–5)
7. JSON — `json.value` (skips spans already covered by steps 1–6)
Folded proxy-authorization header spans are tracked separately and used as protected regions for the form, query, and JSON scanners — even though folded headers do not produce findings themselves.
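The span-claiming order described above, reduced to three stages in an added sketch that is not Evidence Sanitizer's own code. The function name `sketch_sanitize`, the regular expressions, and the sensitive names (`token`, `access_token`, `password`) are assumptions made for illustration; the markers are the ones from the table.

```python
import re
from collections import Counter

# Ordered stages: (rule_id, marker, pattern). Group 1 is the span to redact.
# Patterns and sensitive names are assumptions for this sketch.
STAGES = [
    ("authorization.bearer", "<REDACTED:authorization.bearer>",
     re.compile(r"(?im)^Authorization:[ \t]*Bearer[ \t]+(\S+)")),
    ("query.secret", "<REDACTED:query.secret>",
     re.compile(r"[?&](?:token|access_token)=([^&\s#]+)")),
    ("json.value", "<REDACTED:json.value>",
     re.compile(r'"(?:password|token)"\s*:\s*"((?:[^"\\]|\\.)*)"')),
]

def sketch_sanitize(text):
    """Return (sanitized_text, report); report maps rule ID -> count."""
    claimed = []  # (start, end, marker) spans, appended in stage order
    report = Counter()
    for rule_id, marker, pattern in STAGES:
        for m in pattern.finditer(text):
            start, end = m.span(1)
            # A later stage skips any span overlapping one already claimed.
            if any(start < c_end and c_start < end
                   for c_start, c_end, _ in claimed):
                continue
            claimed.append((start, end, marker))
            report[rule_id] += 1
    # Replace right-to-left so earlier offsets stay valid.
    for start, end, marker in sorted(claimed, reverse=True):
        text = text[:start] + marker + text[end:]
    return text, dict(report)

# Constructed sample evidence. The bearer value contains "?token=zzz",
# which the query stage would match if the span were not already claimed.
SAMPLE = (
    "POST /cb?access_token=q1w2e3 HTTP/1.1\n"
    "Authorization: Bearer abc.def?token=zzz\n"
    "\n"
    '{"user": "alice", "password": "hunter2"}\n'
)

if __name__ == "__main__":
    out, report = sketch_sanitize(SAMPLE)
    print(out)
    print(report)  # rule IDs and counts only, never matched values
```

The bearer credential is redacted once under `authorization.bearer`; the `token=` fragment inside it never produces a second `query.secret` finding or a nested marker.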
Reports: Rule IDs and Counts Only
After sanitization, the CLI prints the output path and a report listing which rule IDs fired and how many times. Reports never include detected values, source excerpts, header names, cookie names, or parameter names.
Individual Rule Family Pages
- Authorization Headers: Bearer, Basic, and generic scheme redaction for `Authorization` headers — three rule IDs, three markers.
- Proxy-Authorization: Dedicated proxy-specific rule IDs mirroring the Authorization rule family for `Proxy-Authorization` headers.
- Cookie Headers: Per-name classification for `Cookie` header values — sensitive, telemetry, and unknown names are redacted; harmless preference cookies are preserved.
- Sensitive Headers: A fixed list of API key and authentication header names redacted under rule ID `header.secret`.
- Query Parameters: A fixed list of sensitive URL query parameter names redacted under rule ID `query.secret`.
- JSON Fields: Conservative raw JSON-like scanning that redacts string values for approved sensitive field names under rule ID `json.value`.
- Form Bodies: Content-Type-gated form-urlencoded body scanning for approved sensitive field names under rule ID `form.value`.