"""
Redaction and data-boundary policy helpers for layered memory.
"""
import re
from .memory_policy import MemoryPolicy
# Key names whose following value is masked when a caller supplies no rules of
# its own. Entries are plain substrings, not regular expressions.
DEFAULT_REDACTION_RULES = [
    "api_key",
    "token",
    "password",
    "secret",
    "private_key",
]

# One capture group holding a bare value: everything up to the next whitespace,
# comma or semicolon. A quoted value that contains spaces is therefore only
# matched up to its first space.
_VALUE_PATTERN = r"([^\s,;]+)"
def should_allow_layer_write(layer: str, policy: MemoryPolicy) -> bool:
    """Decide whether a write to the memory layer named *layer* is permitted.

    Only layers whose name starts with ``"user_"`` are gated, and only by
    ``policy.allow_user_global_write``. Every other layer name is allowed
    without consulting the policy.

    Args:
        layer: Name of the target layer.
        policy: Policy object; only ``allow_user_global_write`` is read.

    Returns:
        ``False`` for a ``user_`` layer when the policy flag is falsy,
        ``True`` otherwise.
    """
    # NOTE(review): the prefix test is case-sensitive and does no trimming, so
    # a name such as "User_x" is treated as a non-user layer. Presumably layer
    # names are normalised before they reach this check - confirm at call sites.
    if not layer.startswith("user_"):
        return True
    return bool(policy.allow_user_global_write)
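def apply_redaction_rules(text: str, rules: list[str]) -> str:
    """Mask the value that follows each sensitive key name in *text*.

    For every rule, two shapes are rewritten to ``<key><separator>[REDACTED]``:
    an assignment (``key: value`` / ``key=value``, optionally with a closing
    quote after the key as in ``"key": "value"``) and a whitespace-separated
    pair (``key value``). Matching is case-insensitive and the key is not
    anchored on a word boundary, so a rule also matches as the tail of a
    longer name (``access_token=...`` for the rule ``token``).

    A value wrapped in single or double quotes on one line is masked as a
    whole; an unquoted value ends at the first whitespace, comma or semicolon.

    Args:
        text: Text to scrub.
        rules: Key names to look for. An empty list falls back to
            ``DEFAULT_REDACTION_RULES``, so redaction cannot be switched off
            by passing ``[]``.

    Returns:
        The text with every matched value replaced by ``[REDACTED]``.

    Note:
        This is a key-name heuristic, not a secret scanner: a secret with no
        listed key in front of it is left as is, and for a multi-line value
        (for example a PEM block) only the first token is masked.
    """
    effective_rules = rules or DEFAULT_REDACTION_RULES

    # Quoted values are consumed up to the closing quote (backslash escapes
    # honoured, never across a newline) so the words after the first space are
    # not left behind in clear text. The bare form is the same token that the
    # module-level _VALUE_PATTERN describes.
    double_quoted = r'"(?:[^"\\\n]|\\.)*"'
    single_quoted = r"'(?:[^'\\\n]|\\.)*'"
    bare_token = r"[^\s,;]+"
    value = rf"(?:{double_quoted}|{single_quoted}|{bare_token})"
    # Optional quote that closes a quoted key, e.g. the JSON form "api_key": "...".
    key_close = "[\"']?"

    redacted = text
    for rule in effective_rules:
        escaped = re.escape(rule)
        patterns = [
            rf"({escaped}{key_close}\s*[:=]\s*){value}",
            # The lookahead stops this form from taking the ':' or '=' of an
            # assignment (already handled above) as the value, which used to
            # turn "key = v" into "key [REDACTED] [REDACTED]".
            rf"({escaped}\s+)(?![:=]){value}",
        ]
        for pattern in patterns:
            redacted = re.sub(pattern, r"\1[REDACTED]", redacted, flags=re.IGNORECASE)
    return redacted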
def is_record_visible_to_project(record_project_id: str, active_project_id: str) -> bool:
    """Report whether a record belongs to the currently active project.

    The check is plain ``==`` on the two identifiers: no case folding,
    trimming or other normalisation is applied.

    Args:
        record_project_id: Project id stored on the record.
        active_project_id: Project id of the active context.

    Returns:
        ``True`` only when the two ids compare equal.
    """
    # NOTE(review): two empty ids compare equal, so a record with an empty
    # project id is visible when the active id is also empty - confirm that
    # callers never pass an unset id on either side.
    same_project = record_project_id == active_project_id
    return same_project