{"id":50413563,"url":"https://github.com/kalix127/secret-stripper","last_synced_at":"2026-05-31T05:00:58.408Z","repository":{"id":359926438,"uuid":"1248032650","full_name":"kalix127/secret-stripper","owner":"kalix127","description":"A small Rust CLI that strips secrets from your clipboard on demand. Bind a hotkey, highlight text, press the chord - the clipboard holds a redacted version.","archived":false,"fork":false,"pushed_at":"2026-05-24T06:30:53.000Z","size":1203,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-24T07:19:35.913Z","etag":null,"topics":["cli","clipboard","pii","privacy","redaction","rust","secrets","security"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kalix127.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":"kalix127"}},"created_at":"2026-05-24T05:12:05.000Z","updated_at":"2026-05-24T06:30:56.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/kalix127/secret-stripper","commit_stats":null,"previous_names":["kalix127/secret-stripper"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/kalix127/secret-stripper","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kalix127%2Fsecret-stripper","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kalix127%2Fsecret-stripper/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kalix127%2Fsecret-stripper/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kalix127%2Fsecret-stripper/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kalix127","download_url":"https://codeload.github.com/kalix127/secret-stripper/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kalix127%2Fsecret-stripper/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33719601,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-31T02:00:06.040Z","response_time":95,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cli","clipboard","pii","privacy","redaction","rust","secrets","security"],"created_at":"2026-05-31T05:00:57.522Z","updated_at":"2026-05-31T05:00:58.396Z","avatar_url":"https://github.com/kalix127.png","language":"Rust","funding_links":["https://github.com/sponsors/kalix127"],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/kalix127/secret-stripper\"\u003e\u003cimg src=\"https://shieldcn.dev/group/badge/platform-Linux_%7C_macOS_%7C_Windows-blue+crates/secret-stripper+github/license/kalix127/secret-stripper.svg?variant=secondary\" alt=\"status\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cimg src=\"https://raw.githubusercontent.com/kalix127/secret-stripper/main/.github/assets/banner.gif\" width=\"100%\"\u003e\n\n**A small Rust CLI that strips secrets from your clipboard on demand. Bind a hotkey, highlight text, press the chord - the clipboard holds a redacted version. Normal Ctrl+C / Ctrl+V is never intercepted.**\n\n## Contents\n\n- [Quick Start](#quick-start)\n- [Supported OS](#supported-os)\n- [Platform setup](#platform-setup)\n  - [macOS setup](#macos-setup)\n  - [Windows setup](#windows-setup)\n- [What It Detects](#what-it-detects)\n- [Auto-redact paste into AI TUIs](#auto-redact-paste-into-ai-tuis)\n- [Contributing](#contributing)\n- [Star history](#star-history)\n- [License](#license)\n\n---\n\n## Quick Start\n\n**Linux** - one command, no extra setup:\n\n```bash\ncurl -sSf https://secretstripper.download/install.sh | bash\n```\n\nDefault chord: `Ctrl+Alt+X`.\n\n**macOS** - needs a one-time global-hotkey helper (skhd or Hammerspoon). See [macOS setup](#macos-setup) for permissions and troubleshooting.\n\n```bash\nbrew install koekeishiya/formulae/skhd\ncurl -sSf https://secretstripper.download/install.sh | bash\n# Grant skhd Accessibility: System Settings -\u003e Privacy \u0026 Security -\u003e Accessibility\nskhd --restart-service\n```\n\nDefault chord: `Cmd+Shift+C`.\n\n**Windows (PowerShell)** - needs AutoHotkey v2. See [Windows setup](#windows-setup) for the full flow.\n\n```powershell\nwinget install AutoHotkey.AutoHotkey\niwr -useb https://secretstripper.download/install.ps1 | iex\n```\n\nDefault chord: `Ctrl+Alt+C`.\n\n**From [crates.io](https://crates.io/crates/secret-stripper) (Rust)** - same per-OS prerequisites apply (skhd on macOS, AutoHotkey on Windows):\n\n```bash\ncargo install secret-stripper \u0026\u0026 secret-stripper init\n```\n\n**From source (git):**\n\n```bash\ncargo install --git https://github.com/kalix127/secret-stripper.git --locked \u0026\u0026 secret-stripper init\n```\n\nAfter install, highlight text and press your chord. On Linux the PRIMARY selection is read directly, so you can skip the `Ctrl+C`. Paste with `Ctrl+V` (`Cmd+V` on macOS).\n\nRun `secret-stripper menu` to tune settings, or `secret-stripper --help` for all commands.\n\n---\n\n## Supported OS\n\n| OS | Status | Hotkey backend |\n|----|--------|----------------|\n| Linux | ✅ Supported | gsettings (GNOME / Cinnamon / Unity / Budgie / Pantheon), gsettings (MATE schema), xfconf-query (XFCE), kwriteconfig + qdbus (KDE Plasma 5/6) |\n| macOS | ✅ Supported | skhd (`~/.skhdrc`) or Hammerspoon (`~/.hammerspoon/init.lua`); manual instructions if neither is installed |\n| Windows | ✅ Supported | AutoHotkey v2 (`%APPDATA%\\secret-stripper\\secret-stripper.ahk`) - install via `winget install AutoHotkey.AutoHotkey` |\n\n## Platform setup\n\n### macOS setup\n\nThere is no zero-install way to register a true global hotkey on macOS without a resident process. Secret Stripper itself stays one-shot, so it delegates hotkey capture to one of two well-known helpers: [skhd](https://github.com/koekeishiya/skhd) (lightweight, recommended) or [Hammerspoon](https://www.hammerspoon.org/) (heavier, scriptable). If neither is installed, `init` falls back to printing manual binding instructions.\n\n1. **Install skhd via Homebrew:**\n\n   ```bash\n   brew install koekeishiya/formulae/skhd\n   ```\n\n2. **Run `secret-stripper init`.** It writes `~/.skhdrc`, the launchd LaunchAgent for the daily update check, and the config file. Output includes a \"DE binding\" line: `OK` if skhd / Hammerspoon was detected, `FAILED` with install hints if not.\n\n3. **Grant skhd Accessibility permission.** skhd needs this to intercept global hotkeys, otherwise it silently captures nothing. Open **System Settings -\u003e Privacy \u0026 Security -\u003e Accessibility**, click `+`, add `/usr/local/bin/skhd`, and toggle it on. If skhd was already running, restart it so the new permission takes effect:\n\n   ```bash\n   skhd --restart-service\n   ```\n\n4. **Test the chord:**\n\n   ```bash\n   echo \"test@example.com\" | pbcopy\n   # Press your chord (default: Cmd+Shift+C)\n   pbpaste     # expect: [REDACTED]\n   ```\n\n*Hammerspoon alternative:* `brew install --cask hammerspoon`, open it once to grant Accessibility, then run `secret-stripper init` - it writes the binding into `~/.hammerspoon/init.lua` instead of `~/.skhdrc`.\n\n*Default chord:* `Cmd+Shift+C`. macOS apps often claim Cmd-modifier chords, so if it conflicts with something you use (browser DevTools, Finder \"Copy Path\", etc.), rebind from `secret-stripper menu -\u003e Rebind Hotkey`. Two safer options if you want to plan ahead: `Cmd+Option+X` or `Cmd+Ctrl+X`.\n\n### Windows setup\n\nWindows has no zero-install way to register a true global hotkey. Same constraint as macOS - Secret Stripper delegates hotkey capture to [AutoHotkey](https://www.autohotkey.com/) v2 (the Windows analogue of skhd). AutoHotkey uses the Win32 `RegisterHotKey` API under the hood and is the only mechanism that delivers the chord reliably across focused windows, full-screen apps, and elevated processes. AutoHotkey is required - `init` aborts with an install hint if it cannot find it.\n\n1. **Install AutoHotkey via winget:**\n\n   ```powershell\n   winget install AutoHotkey.AutoHotkey\n   ```\n\n   The package installs AutoHotkey v2 to `C:\\Program Files\\AutoHotkey\\v2\\`.\n\n2. **Run `secret-stripper init`.** It writes `%APPDATA%\\secret-stripper\\secret-stripper.ahk`, drops a startup `.lnk` so AHK re-launches the script at every login, and starts the AHK process immediately so the chord is live without a logout.\n\n3. **Test the chord:**\n\n   ```powershell\n   Set-Clipboard \"test@example.com\"\n   # Press your chord (default: Ctrl+Alt+C)\n   Get-Clipboard    # expect: [REDACTED]\n   ```\n\n- The hotkey is limited to `Ctrl+Alt+\u003ckey\u003e` (optionally with `Shift`); other chords are rejected.\n- No PRIMARY selection: the flow is two steps (`Ctrl+C`, then your chord).\n- The AHK script runs the redaction with a hidden console, so no window flashes on each trigger.\n- The daily update check runs as a `schtasks` daily task at 11:00.\n- *Uninstall* kills the AHK process bound to our script and removes the `.ahk` file and the startup `.lnk`. Other AHK scripts you have running are untouched.\n\n---\n\n## What It Detects\n\n| Category | Examples |\n|----------|---------|\n| **🔴 Cloud Secrets** | AWS keys, Google API keys, Azure credentials, OpenAI tokens, Stripe keys, Heroku API keys |\n| **🔴 Auth Tokens** | GitHub tokens, GitLab tokens, Slack tokens, Discord tokens, JWTs, bearer tokens, NPM tokens |\n| **🔴 Cryptographic Keys** | RSA/EC/OpenSSH private keys, PGP private keys, SSH public keys |\n| **🔴 PII** | Credit card numbers, SSNs, phone numbers, email addresses, passport numbers |\n| **🟠 Connection Strings** | PostgreSQL, MongoDB, Redis, MySQL, JDBC URLs with credentials |\n| **🟡 Heuristic** | Unusual strings, env files with secrets, JSON with password fields, base64-encoded content |\n| **🟢 Safe** | Normal text, emails, documents - no false alerts |\n\nFor the full list of buckets, severity tiers, and patterns, see [DETECTION_COVERAGE.md](DETECTION_COVERAGE.md).\n\n---\n\n## Redaction styles\n\nPick how detected secrets are replaced from `secret-stripper menu` -\u003e **Redaction Style**:\n\n| Style | Output for `aws=AKIAIOSFODNN7EXAMPLE` |\n|-------|----------------------------------------|\n| **Marker** (default) | `aws=[REDACTED]` - uses a configurable marker string (eight presets + custom) |\n| **Drop** | `aws=` - removes the matched bytes entirely |\n| **Typed** | `aws=[AWS_ACCESS_KEY_ID]` - replaces each span with a tag derived from the matched pattern name |\n| **Placeholder** | `aws=AKIAIOSFODNN7EXAMPLE` - swaps in a realistic but fake sample value for the matched pattern (an email becomes `user@example.com`, a Stripe key `sk_test_4eC39HqLyjWDarjtT1zdp7dc`) |\n\nThe same setting applies to the hotkey trigger, the `redact` pipeline subcommand, and the `paste-guard` AI-TUI wrapper.\n\n---\n\n## Auto-redact paste into AI TUIs\n\n`secret-stripper init` looks for installed AI terminal tools (Claude Code, Codex CLI, aider, Gemini CLI, Continue, opencode) and prints a ready-to-copy shell alias block. Each alias routes the tool through `paste-guard`, a PTY wrapper that intercepts clipboard pastes and redacts secrets before they reach the AI's prompt - typing and normal output are untouched. Copy the snippet into your shell config (`~/.zshrc`, `~/.bashrc`, `~/.config/fish/config.fish`, or your PowerShell profile) and open a new shell:\n\n```bash\n# ----------------------------------\nalias claude='secret-stripper paste-guard -- claude'\nalias codex='secret-stripper paste-guard -- codex'\n# ----------------------------------\n```\n\nSecret Stripper never writes to your shell rc on its own. To stop routing through `paste-guard`, delete the block between the dashed comment lines.\n\n**Scope.** `paste-guard` is a per-process wrapper - it only filters pastes into the *one* command you ran it on. Daily use of `ssh`, `psql`, `vim`, `kubectl`, the bare shell prompt, GUI apps, the system clipboard - all completely untouched. You can also add aliases for non-AI tools by hand (live demos against `psql` / `mysql`, screen-recordings) - wrapping leaf commands is fine, wrapping a whole shell usually is not.\n\nYou can also pipe arbitrary text through the same engine:\n\n```bash\ncat secrets.log | secret-stripper redact \u003e clean.log\n```\n\n**Limitations.** Bracketed paste must be supported by your terminal (every modern emulator does, including the VSCode integrated terminal and tmux passthrough); typed secrets are never modified, only pasted ones; paste payloads above 1 MiB fall through unredacted.\n\n---\n\n## Contributing\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for build, test, lint, and commit conventions.\n\n## Star history\n\n\u003ca href=\"https://star-history.com/#kalix127/secret-stripper\u0026Date\"\u003e\n  \u003cimg src=\"https://api.star-history.com/svg?repos=kalix127/secret-stripper\u0026type=Date\" alt=\"Star history chart\" width=\"100%\"\u003e\n\u003c/a\u003e\n\n## License\n\n[MIT](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkalix127%2Fsecret-stripper","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkalix127%2Fsecret-stripper","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkalix127%2Fsecret-stripper/lists"}