Structured workflow for obfsck feature work — covers ObfuscationLevel logic, config/secrets.yaml group gating, the PII min_level invariant, and the TDD loop for adding patterns or flags. Use when implementing any obfsck feature from the backlog.
Structured guide for implementing features in ~/dev/obfsck. Encodes the mental model so you don't re-read src/lib.rs from scratch each time.
Minimal ← secrets only (API keys, tokens, private keys)
Standard ← + IPs, emails, containers, usernames, PII
Paranoid ← + paths, hostnames, high-entropy strings
Default in CLI: --level minimal
YAML pattern layer (config/secrets.yaml) — regex patterns grouped by category
enabled flag and optional min_level fieldparanoid_only: true/falseredact.rs main()( ) — regex-based structural patterns
src/lib.rsObfuscator::obfuscate()ObfuscationLevelobfuscate_text()PII YAML patterns: min_level: standard → only fire at Standard or Paranoid
Structural emails/IPs: only fire at Standard or Paranoid in obfuscate_text()
At --level minimal: PII is untouched. This is a load-bearing invariant. Tests must assert it.
| Priority | Item |
|---|---|
| P100 | --pii off flag / explicit level-gating for PII; tests for minimal invariant |
| P75 | Fix username regex \w+ → [A-Za-z0-9._-]+ |
| P50 | Integration tests for redact CLI file I/O |
| P50 | Narrow GitHub secret-scanning ignore rules |
| P25 | Combine UUID + hex scans into one pass |
| P25 | Streaming I/O + cached regex |
| P25 | Golden/snapshot tests for demo fixtures |
| P25 | Document new CLI flags in README |
cd ~/dev/obfsck
cargo test 2>&1 | tail -10 # baseline
cat src/lib.rs | grep -A5 "pub enum ObfuscationLevel"
cat src/bin/redact.rs | head -50
For a new flag or behavior, add to the appropriate test file:
#[cfg(test)] in src/lib.rs or near the structtests/ directorytests/golden_tests.rs (see obfsck-test-harness agent)Run the test to confirm it fails:
cargo test <test_name> 2>&1
Common patterns:
Adding a CLI flag (src/bin/redact.rs):
#[arg(long, default_value = "true")]