Single source of truth for sensitive key definitions.
Every key that must be encrypted in credential storage, redacted from logs, or both is defined as a triple in the canonical registry. The credential and redaction modules derive their match lists from this module rather than maintaining separate, driftable lists.
Triple Fields
Each entry is {canonical_name, category, handling}:
canonical_name-- Erlang atom insnake_case(e.g.,:api_key).category-- Classification::credential,:auth,:session, or:oauth.handling-- Protection level::encrypt_and_redact-- Encrypted at rest AND redacted from logs.:redact_only-- Redacted from logs only (not stored in credentials).
Examples
# Get all 18 sensitive key definitions
BeamAgent.SensitiveKeys.all()
# Check if a key is sensitive (any format)
BeamAgent.SensitiveKeys.is_sensitive(:api_key) # true
BeamAgent.SensitiveKeys.is_sensitive("apiKey") # true
BeamAgent.SensitiveKeys.is_sensitive("username") # falseDelegates to :beam_agent_redaction (Erlang).
Summary
Types
A sensitive key triple as defined in :beam_agent_redaction: {name, category, handling}.
Functions
Return the canonical list of sensitive key triples.
Flat list of all format variants for keys that require encryption.
Check whether a key (atom or binary, any format) is sensitive.
Canonical lowercase binary keys (no separators) for all sensitive keys.
Types
@type key_entry() :: :beam_agent_redaction.key_entry()
A sensitive key triple as defined in :beam_agent_redaction: {name, category, handling}.
Functions
@spec all() :: [key_entry(), ...]
Return the canonical list of sensitive key triples.
Flat list of all format variants for keys that require encryption.
Each multi-word key produces three variants: the atom, a camelCase binary, and a snake_case binary. Single-word keys produce two.
Check whether a key (atom or binary, any format) is sensitive.
@spec redaction_match_keys() :: [binary()]
Canonical lowercase binary keys (no separators) for all sensitive keys.