Files
hermes-skills/skills/document-redaction/SKILL.md
T

2.0 KiB

name, description
name description
document-redaction Workflows for safely redacting sensitive data (IPs, credentials, domains) from IT documents, logs, and plans.

Document Redaction & Data Sanitization

Trigger

When asked to make a document "public-safe", "redact", or "sanitize" logs, configs, or architectural plans.

Workflow

  1. Analyze the Source: Read the document to identify classes of sensitive information (Vendor names, server names, internal IPs, domains, names/emails, passwords/keys).
  2. Scripted Redaction (Python): Write a Python script using the re module for robust multi-pass regex replacements. This is far less error-prone than chained sed commands for complex files.
  3. Target Categories:
    • Entities/People: Map explicit names (e.g., John Doe -> [Lead Developer]).
    • Vendors: Map third parties (e.g., AWS, Hetzner -> [CLOUD-PROVIDER]).
    • Servers: Map hostnames (e.g., app1-bu -> [STANDBY-HOST]).
    • Emails: re.sub(r'\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,7}\b', '[EMAIL-REDACTED]', text)
    • IPs: re.sub(r'\b(?:\d{1,3}\.){3}\d{1,3}\b', '[IP-REDACTED]', text)
  4. Mandatory Verification: You MUST run grep -iE "original_term1|original_term2|ip_regex" on the generated output file to guarantee zero leakage before delivering the final artifact. Repeat the script generation/running until the grep commands return zero hits.

Pitfalls

  • Domain/Subdomain overlap: Redacting example.com might miss or corrupt sub.example.com. Map full known URLs to generic placeholders (e.g., [OPS-PORTAL-DOMAIN]).
  • Blind spots: Regex won't catch specific executive names or custom server hostnames. Explicitly map known internal names first.
  • Over-redaction: Don't redact standard public URLs (like get.docker.com or github.com) that provide technical value and pose no security risk.

Support Files

  • scripts/redact_template.py - Starter script for Python-based document redaction.