import { type RedactOptions } from './redact-options.js'; /** * Utility class for redacting sensitive data from command-line arguments. * * Uses regex-based pattern matching to dynamically detect sensitive keys * rather than relying on a static list of keywords. */ export declare class SensitiveDataRedactor { /** The mask string used to replace sensitive values. */ private static readonly REDACT_MASK; /** * Regex pattern that matches common sensitive key names. * Covers passwords, secrets, tokens, keys, credentials, auth values, * API keys, passphrases, certificates, private keys, and private data. */ private static readonly SENSITIVE_KEY_PATTERN; /** * Determines whether a key name represents sensitive data. * @param key - The key name to check * @returns true if the key matches a known sensitive pattern */ static isSensitiveKey(key: string): boolean; /** * Redacts sensitive values from a command-line arguments array. * * Supports three redaction modes based on the provided options: * 1. **Flag-based**: Flags listed in `flagsToRedactNextArgument` cause the next argument to be fully masked. * 2. **Set-style**: Flags listed in `setStyleFlags` cause the next `key=value` argument to have its value * masked if the key matches the sensitive pattern. * 3. **Inline key=value**: Any argument containing `=` where the key matches the sensitive pattern * has its value masked. * * @param arguments_ - The arguments array to redact * @param options - Configuration for redaction behavior * @returns A new array with sensitive values replaced by the redact mask */ static redactArguments(arguments_: string[], options?: RedactOptions): string[]; /** * Redacts the value portion of a `key=value` string if the key matches the sensitive pattern. * If there is no `=` or the key is not sensitive, the original string is returned unchanged. * * @param keyValue - A string potentially in `key=value` format * @returns The original string or the redacted version */ private static redactKeyValueIfSensitive; }