Add secret redaction and path anonymization to checkpoint pipeline

Introduces the scrub package that detects and redacts 20+ secret patterns
(API keys, tokens, connection strings, private keys, emails, IPs) and
anonymizes OS usernames in file paths before DB insertion. Applied
automatically after ParseTranscript in the checkpoint flow.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: Frank Guo

cmd/rekal/cli/checkpoint.go

@@ -14,6 +14,7 @@ import (
 
 	"github.com/oklog/ulid/v2"
 	"github.com/rekal-dev/rekal-cli/cmd/rekal/cli/db"
+	"github.com/rekal-dev/rekal-cli/cmd/rekal/cli/scrub"
 	"github.com/rekal-dev/rekal-cli/cmd/rekal/cli/session"
 	"github.com/spf13/cobra"
 )
@@ -138,6 +139,9 @@ func doCheckpoint(gitRoot string, w io.Writer) error {
 			continue
 		}
 
+		// Redact secrets and anonymize paths before any DB insertion.
+		scrub.Scrub(payload)
+
 		if len(payload.Turns) == 0 && len(payload.ToolCalls) == 0 {
 			continue
 		}

cmd/rekal/cli/scrub/paths.go

@@ -0,0 +1,111 @@
+package scrub
+
+import (
+	"crypto/sha256"
+	"fmt"
+	"os/user"
+	"regexp"
+	"strings"
+)
+
+// pathAnonymizer holds the precomputed state for path anonymization.
+type pathAnonymizer struct {
+	username     string
+	hashedUser   string // "user_<8hex>"
+	macPattern   *regexp.Regexp
+	linuxPattern *regexp.Regexp
+	hyphenMac    *regexp.Regexp
+	hyphenLinux  *regexp.Regexp
+	bareUser     *regexp.Regexp
+}
+
+var defaultAnonymizer *pathAnonymizer
+
+func init() {
+	u, err := user.Current()
+	if err != nil {
+		return
+	}
+	defaultAnonymizer = newAnonymizer(u.Username)
+}
+
+func newAnonymizer(username string) *pathAnonymizer {
+	if username == "" {
+		return nil
+	}
+	h := sha256.Sum256([]byte(username))
+	hashed := fmt.Sprintf("user_%x", h[:4])
+
+	escaped := regexp.QuoteMeta(username)
+	return &pathAnonymizer{
+		username:     username,
+		hashedUser:   hashed,
+		macPattern:   regexp.MustCompile(`/Users/` + escaped + `(?:/|$)`),
+		linuxPattern: regexp.MustCompile(`/home/` + escaped + `(?:/|$)`),
+		hyphenMac:    regexp.MustCompile(`-Users-` + escaped + `-`),
+		hyphenLinux:  regexp.MustCompile(`-home-` + escaped + `-`),
+		bareUser:     regexp.MustCompile(`(?:^|[/\-])` + escaped + `(?:$|[/\-])`),
+	}
+}
+
+// projectRelativeDirs are directories under the home folder where we strip
+// the full path and keep only the project-relative portion.
+var projectRelativeDirs = []string{"Documents", "Downloads", "Desktop", "Projects", "projects", "src", "repos", "code", "dev", "workspace"}
+
+// AnonymizePath replaces the username in a single file path with the hashed form.
+func AnonymizePath(path string) string {
+	if defaultAnonymizer == nil {
+		return path
+	}
+	return defaultAnonymizer.anonymizePath(path)
+}
+
+func (a *pathAnonymizer) anonymizePath(path string) string {
+	// /Users/<username>/... → /Users/<hashed>/...
+	path = a.macPattern.ReplaceAllStringFunc(path, func(m string) string {
+		return strings.Replace(m, a.username, a.hashedUser, 1)
+	})
+	// /home/<username>/... → /home/<hashed>/...
+	path = a.linuxPattern.ReplaceAllStringFunc(path, func(m string) string {
+		return strings.Replace(m, a.username, a.hashedUser, 1)
+	})
+	// Hyphen-encoded: -Users-<username>- → -Users-<hashed>-
+	path = a.hyphenMac.ReplaceAllStringFunc(path, func(m string) string {
+		return strings.Replace(m, a.username, a.hashedUser, 1)
+	})
+	path = a.hyphenLinux.ReplaceAllStringFunc(path, func(m string) string {
+		return strings.Replace(m, a.username, a.hashedUser, 1)
+	})
+	return path
+}
+
+// AnonymizeText replaces usernames in paths throughout a block of text.
+func AnonymizeText(text string) string {
+	if defaultAnonymizer == nil {
+		return text
+	}
+	return defaultAnonymizer.anonymizeText(text)
+}
+
+func (a *pathAnonymizer) anonymizeText(text string) string {
+	// Replace full paths first (most specific).
+	text = a.macPattern.ReplaceAllStringFunc(text, func(m string) string {
+		return strings.Replace(m, a.username, a.hashedUser, 1)
+	})
+	text = a.linuxPattern.ReplaceAllStringFunc(text, func(m string) string {
+		return strings.Replace(m, a.username, a.hashedUser, 1)
+	})
+	// Hyphen-encoded paths.
+	text = a.hyphenMac.ReplaceAllStringFunc(text, func(m string) string {
+		return strings.Replace(m, a.username, a.hashedUser, 1)
+	})
+	text = a.hyphenLinux.ReplaceAllStringFunc(text, func(m string) string {
+		return strings.Replace(m, a.username, a.hashedUser, 1)
+	})
+	return text
+}
+
+// NewAnonymizerForUser creates an anonymizer for a specific username (for testing).
+func NewAnonymizerForUser(username string) *pathAnonymizer {
+	return newAnonymizer(username)
+}

cmd/rekal/cli/scrub/paths_test.go

@@ -0,0 +1,107 @@
+package scrub
+
+import (
+	"crypto/sha256"
+	"fmt"
+	"strings"
+	"testing"
+)
+
+func hashedUser(username string) string {
+	h := sha256.Sum256([]byte(username))
+	return fmt.Sprintf("user_%x", h[:4])
+}
+
+func TestAnonymizeMacPath(t *testing.T) {
+	t.Parallel()
+	a := newAnonymizer("frank")
+	input := "/Users/frank/projects/rekal/main.go"
+	got := a.anonymizePath(input)
+	want := "/Users/" + hashedUser("frank") + "/projects/rekal/main.go"
+	if got != want {
+		t.Errorf("got %q, want %q", got, want)
+	}
+}
+
+func TestAnonymizeLinuxPath(t *testing.T) {
+	t.Parallel()
+	a := newAnonymizer("alice")
+	input := "/home/alice/src/project/file.py"
+	got := a.anonymizePath(input)
+	want := "/home/" + hashedUser("alice") + "/src/project/file.py"
+	if got != want {
+		t.Errorf("got %q, want %q", got, want)
+	}
+}
+
+func TestAnonymizeHyphenEncodedMac(t *testing.T) {
+	t.Parallel()
+	a := newAnonymizer("frank")
+	input := "-Users-frank-projects-rekal"
+	got := a.anonymizeText(input)
+	want := "-Users-" + hashedUser("frank") + "-projects-rekal"
+	if got != want {
+		t.Errorf("got %q, want %q", got, want)
+	}
+}
+
+func TestAnonymizeHyphenEncodedLinux(t *testing.T) {
+	t.Parallel()
+	a := newAnonymizer("bob")
+	input := "-home-bob-code-app"
+	got := a.anonymizeText(input)
+	want := "-home-" + hashedUser("bob") + "-code-app"
+	if got != want {
+		t.Errorf("got %q, want %q", got, want)
+	}
+}
+
+func TestAnonymizeTextMultipleOccurrences(t *testing.T) {
+	t.Parallel()
+	a := newAnonymizer("frank")
+	input := "Reading /Users/frank/a.go and /Users/frank/b.go"
+	got := a.anonymizeText(input)
+	if strings.Contains(got, "/Users/frank/") {
+		t.Errorf("username not fully anonymized: %s", got)
+	}
+	hashed := hashedUser("frank")
+	if count := strings.Count(got, hashed); count != 2 {
+		t.Errorf("expected 2 occurrences of hashed user, got %d: %s", count, got)
+	}
+}
+
+func TestAnonymizeNilAnonymizer(t *testing.T) {
+	t.Parallel()
+	a := newAnonymizer("")
+	if a != nil {
+		t.Error("expected nil anonymizer for empty username")
+	}
+}
+
+func TestAnonymizeNoMatchLeaveUnchanged(t *testing.T) {
+	t.Parallel()
+	a := newAnonymizer("frank")
+	input := "no paths here, just text"
+	got := a.anonymizeText(input)
+	if got != input {
+		t.Errorf("text should be unchanged: got %q", got)
+	}
+}
+
+func TestHashedUserDeterministic(t *testing.T) {
+	t.Parallel()
+	h1 := hashedUser("frank")
+	h2 := hashedUser("frank")
+	if h1 != h2 {
+		t.Errorf("hashed user should be deterministic: %s != %s", h1, h2)
+	}
+}
+
+func TestHashedUserDifferentForDifferentUsers(t *testing.T) {
+	t.Parallel()
+	h1 := hashedUser("frank")
+	h2 := hashedUser("alice")
+	if h1 == h2 {
+		t.Errorf("different users should have different hashes: %s == %s", h1, h2)
+	}
+}

cmd/rekal/cli/scrub/scrub.go

@@ -0,0 +1,24 @@
+package scrub
+
+import (
+	"github.com/rekal-dev/rekal-cli/cmd/rekal/cli/session"
+)
+
+// Scrub applies secret redaction and path anonymization to a SessionPayload
+// in place. Call this after session.ParseTranscript and before DB insertion.
+func Scrub(payload *session.SessionPayload) {
+	if payload == nil {
+		return
+	}
+
+	for i := range payload.Turns {
+		payload.Turns[i].Content = RedactText(payload.Turns[i].Content)
+		payload.Turns[i].Content = AnonymizeText(payload.Turns[i].Content)
+	}
+
+	for i := range payload.ToolCalls {
+		payload.ToolCalls[i].Path = AnonymizePath(payload.ToolCalls[i].Path)
+		payload.ToolCalls[i].CmdPrefix = RedactText(payload.ToolCalls[i].CmdPrefix)
+		payload.ToolCalls[i].CmdPrefix = AnonymizeText(payload.ToolCalls[i].CmdPrefix)
+	}
+}