# Redaction patterns for log-sink filter (v0.5.3+, CVE-2026-20205 response).
# Format: one regex per line. Blank lines and lines starting with '#' are ignored.
# Each pattern carries a one-line primary-source citation above it.
# Matched spans are replaced with "[REDACTED]" before the log record
# reaches any downstream handler.

# Splunk HEC tokens — https://advisory.splunk.com/advisories/SVD-2026-0419
(?i)splunk[_-]?hec[_-]?token["'\s:=]*[a-f0-9-]{36}

# GitHub personal access tokens — https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-authentication-to-github#githubs-token-formats
ghp_[A-Za-z0-9]{36}

# GitHub fine-grained PAT — https://github.blog/changelog/2022-10-18-introducing-fine-grained-personal-access-tokens/
github_pat_[A-Za-z0-9_]{82}

# AWS access key IDs — https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids
AKIA[0-9A-Z]{16}

# Anthropic API keys — https://docs.anthropic.com/en/api/getting-started
sk-ant-[a-zA-Z0-9_-]{32,}

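# OpenAI API keys (alphanumeric body only; keys with '-' or '_' after the "sk-" prefix, e.g. sk-proj-, are not covered) — https://platform.openai.com/docs/api-reference/authentication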
sk-[A-Za-z0-9]{32,}

# Snowflake session tokens — https://docs.snowflake.com/en/user-guide/oauth-intro
ver:[0-9]+-hint:[A-Za-z0-9+/=]{40,}

# Azure AAD bearer tokens (JWT shape) — https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens
eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+

# Generic RFC 6750 Bearer tokens — https://datatracker.ietf.org/doc/html/rfc6750
(?i)bearer\s+[A-Za-z0-9._~+/-]{16,}=*

# Generic HTTP Basic auth — https://datatracker.ietf.org/doc/html/rfc7617
(?i)basic\s+[A-Za-z0-9+/]{16,}=*

# Slack bot/user tokens — https://api.slack.com/authentication/token-types
xox[baprs]-[A-Za-z0-9-]{10,}

# Stripe secret keys — https://stripe.com/docs/keys
sk_(test|live)_[A-Za-z0-9]{24,}

# Postmark server tokens — https://postmarkapp.com/developer/api/overview#authentication
[Pp]ostmark[_-]?[sS]erver[_-]?[tT]oken["'\s:=]+[a-f0-9-]{36}

# PEM-format private key headers (matches the BEGIN line only; the base64 key body that follows is not covered by this pattern) — https://datatracker.ietf.org/doc/html/rfc7468
-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----
