"""敏感信息过滤模块。"""

import re
from typing import Final

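# Redaction rules for secrets that commonly appear in command or tool output.
#
# This is a best-effort denylist: only the key names and token shapes listed
# below are recognised, so a secret stored under any other name, or printed
# without a key, passes through untouched. Treat the result as defence in
# depth, not as a guarantee that the text is free of credentials.

# Separator between a key name and its value. The optional quote lets the
# rules match quoted keys such as `"password": "..."` in JSON-style output,
# and `:` is accepted for every key (YAML / header style), not only `=`.
_KEY_SEPARATOR: Final[str] = r"""["']?\s*[=:]\s*"""

# Value of a key/value pair. A complete quoted string is consumed as a whole,
# so a quoted secret containing spaces is not cut at the first blank; anything
# glued to the closing quote is consumed too. An unquoted or unterminated
# value falls back to the run of non-whitespace characters.
_VALUE: Final[str] = r"""("[^"\r\n]*"\S*|'[^'\r\n]*'\S*|\S+)"""

# Alternations of key names whose values must never be echoed.
_KEY_NAMES: Final[list[str]] = [
    r"password|passwd|pwd",
    r"api[_-]?key|apikey",
    r"token|access_token|auth_token",
    r"secret|secret_key",
]

# Patterns that keep the key name and only redact the value.
# The rewritten pair always uses `=`, so redacted JSON/YAML is not guaranteed
# to stay parseable.
_KEY_VALUE_PATTERNS: Final[list[tuple[str, str]]] = [
    (f"({names}){_KEY_SEPARATOR}{_VALUE}", r"\1=[REDACTED]")
    for names in _KEY_NAMES
]

# Patterns whose whole match is replaced by the marker.
# `[\s\S]` is used instead of `.` so the patterns span lines without needing
# re.DOTALL from whoever compiles them.
_WHOLE_MATCH_PATTERNS: Final[list[str]] = [
    r"Bearer\s+\S+",
    # Private key: redact the header, the encoded body and the END line.
    # Matching the header alone would leave the key material in the output.
    # If the END line is missing (for example truncated output) everything up
    # to the end of the text is redacted rather than leaking a partial key.
    r"-----BEGIN\s+.*?PRIVATE\s+KEY-----"
    r"(?:[\s\S]*?-----END\s+.*?PRIVATE\s+KEY-----|[\s\S]*)",
    # Certificate: redact through the END line when there is one, otherwise
    # only the header line.
    r"-----BEGIN\s+.*?CERTIFICATE-----"
    r"(?:[\s\S]*?-----END\s+.*?CERTIFICATE-----)?",
]

# Public list of every pattern, derived from the rule tables above so that
# detection and redaction cannot drift apart.
SENSITIVE_PATTERNS: Final[list[str]] = [
    pattern for pattern, _ in _KEY_VALUE_PATTERNS
] + _WHOLE_MATCH_PATTERNS

# (compiled regex, replacement) pairs, applied in this order. Matching is
# case-insensitive, so `PASSWORD=` and `bearer ...` are covered as well.
_COMPILED_SANITIZERS = [
    (re.compile(pattern, re.IGNORECASE), replacement)
    for pattern, replacement in _KEY_VALUE_PATTERNS
] + [
    (re.compile(pattern, re.IGNORECASE), "[REDACTED]")
    for pattern in _WHOLE_MATCH_PATTERNS
]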


def sanitize_output(output: str) -> str:
    """
    Redact sensitive information from an output string.

    Every rule in ``_COMPILED_SANITIZERS`` is applied in list order, each one
    working on the result of the previous substitution. Redaction is purely
    pattern based: text that matches none of the rules is returned unchanged,
    so the result should not be treated as proof that no secret remains.

    Args:
        output: The raw output string.

    Returns:
        The output with every rule match replaced by its redaction text.
    """
    cleaned = output
    for rule in _COMPILED_SANITIZERS:
        regex, substitute = rule
        cleaned = regex.sub(substitute, cleaned)
    return cleaned


def contains_secrets(text: str) -> bool:
    """
    Check whether a text contains sensitive information.

    The text is searched with the same compiled rules that
    ``sanitize_output`` applies; the replacement half of each rule is ignored.
    A ``False`` result only means that no configured pattern matched.

    Args:
        text: The text to inspect.

    Returns:
        True if at least one rule matches somewhere in the text, else False.
    """
    return any(regex.search(text) for regex, _ in _COMPILED_SANITIZERS)
