Added
- `allow_values` entries may now be longer than the matched span: a finding is also cleared when an allow value contains the matched text and the whole value is present on the matching line. This lets one known-public literal (for example a full public path) clear a broad-prefix match on that line only, instead of forcing an allowlist entry for the bare prefix that would exempt it everywhere.
- `content-guard allow add` / `allow list` subcommands for managing `allow_values` in the private policy from the command line, with optional provenance notes.
- `jwt-token` rule catching bare JSON Web Tokens anywhere in text.
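The two clearing paths described for `allow_values` (an exact allow value clears everywhere; a longer allow value clears a shorter match only on a line that contains the whole value) are shown below in an added, self-contained example. This is not content-guard's own code: the `Finding` type, the `is_allowed`/`scan` names, the `private-path` rule and the sample lines are all constructed here for illustration.

```python
"""Allow-value clearing: exact match vs. superstring-on-the-same-line.

Added example; not content-guard's implementation. Rule, sample text and
allow values are constructed for illustration only.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    line_no: int
    line: str
    match: str


def is_allowed(finding: Finding, allow_values: list[str]) -> bool:
    """Return True if the allowlist clears this finding.

    Path 1: the matched text equals an allow value (clears on every line).
    Path 2: an allow value contains the matched text AND the whole allow
            value is present on the matching line (clears on that line only,
            so a broad-prefix match is not exempted everywhere).
    """
    for value in allow_values:
        if finding.match == value:
            return True
        if finding.match in value and value in finding.line:
            return True
    return False


# Constructed broad-prefix rule: anything under /srv/keys/ is suspicious.
RULES = {"private-path": re.compile(r"/srv/keys/[a-z]+")}


def scan(text: str, rules: dict[str, re.Pattern], allow_values: list[str]) -> list[Finding]:
    """Run every rule over every line and drop findings the allowlist clears."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule_name, pattern in rules.items():
            for m in pattern.finditer(line):
                finding = Finding(rule_name, line_no, line, m.group(0))
                if not is_allowed(finding, allow_values):
                    findings.append(finding)
    return findings


# Constructed sample: line 1 references a known-public file, line 2 does not.
SAMPLE = """\
cat /srv/keys/public/README.md
cp /srv/keys/public/id_rsa ./backup/
"""

# Full public path as the allow value: longer than the /srv/keys/public match.
ALLOW = ["/srv/keys/public/README.md"]


if __name__ == "__main__":
    # Only line 2 survives: the allow value is present on line 1, not line 2.
    for f in scan(SAMPLE, RULES, ALLOW):
        print(f"{f.rule}: line {f.line_no}: {f.match}")
```

The bare-prefix alternative the changelog warns about is visible in the same code: passing `["/srv/keys/public"]` as the allow value hits the exact-match path and clears both lines, which is the blanket exemption the longer entry avoids.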
Changed
- README now leads with a recorded terminal demo (`docs/assets/content-guard-redact.svg`, reproducible from `content-guard-redact.cast`) of the scan -> redact -> re-scan-clean flow, and adds `CONTRIBUTING.md`, `SECURITY.md`, `CODE_OF_CONDUCT.md`, and issue / pull-request templates.
- README reworked for adoption: the opening states what / why / how it differs, and the file adds CI and PyPI version badges, a Website link, a verified real-output proof block, and “Why not gitleaks, trufflehog, or detect-secrets?” plus “What Content Guard is not” sections.
Fixed
- `api-key-assignment` no longer flags unquoted identifier RHS values such as `apiKey = apiKeys.anthropicApiKey` or `token: daemonConfigPrimaryToken`; unquoted values must now contain a digit and not be a dotted identifier chain. Identifier chain segments may contain digits (`apiKeys.v2.anthropicApiKey`, `ctx.env.S3_SECRET_ACCESS_KEY`), with JWT recall preserved by the new `jwt-token` rule. Quoted literals match as before.