Secret Redaction for Config & Logs

utils/redaction only blurs PIL screenshots, and secrets_scan only detects and reports findings — neither returns a masked copy of a config dict or string safe for logs, reports, or config_bundle export. This reuses the secrets_scan detector to produce a redacted copy.

Pure standard library (re + reuse of secrets_scan); imports no PySide6. Every function is pure (data in, redacted copy out), so it is fully deterministic in CI.

Headless API

from je_auto_control import redact_config, redact_secret_text

safe = redact_config({"db": {"password": secret}, "name": "alice"})
# {"db": {"password": "***"}, "name": "alice"}

line = redact_secret_text(f"auth failed for token {token}")
# "auth failed for token ***"

redact_config returns a deep copy of a nested structure with secret-looking values masked, reusing secrets_scan (key-name patterns such as password / api_key, known value formats like AWS keys and bearer tokens, and high-entropy strings); values already referencing the vault (${secrets.*}) are left intact. redact_secret_text masks secret-looking tokens within a free-text string (a log line) while preserving the surrounding words and whitespace. Both accept a custom mask (default "***"). The function is named redact_secret_text to stay distinct from the prompt-injection guardrail.redact_text.

Executor commands

AC_redact_config returns {redacted} for an obj (JSON accepted); AC_redact_secret_text returns {text}. Both accept an optional mask and are exposed as MCP tools (ac_redact_config / ac_redact_secret_text) and as Script Builder commands under Security.