#!/usr/bin/env python3
import re
import sys

s = sys.stdin.read()

# JSON / compact JSON fields
json_secret_keys = [
    "private_key", "privateKey", "PrivateKey",
    "preshared_key", "presharedKey", "PresharedKey",
]

for key in json_secret_keys:
    s = re.sub(
        rf'("{re.escape(key)}"\s*:\s*")([^"\r\n]+)(")',
        rf'\1***MASKED***\3',
        s,
    )

# WireGuard config lines, including escaped JSON client_config strings.
# Stop before real newline, JSON escaped newline, quote, comma, or closing brace.
s = re.sub(
    r'(?i)((?:PrivateKey|PresharedKey)\s*=\s*)(?!\*\*\*MASKED\*\*\*)[^\\\r\n",}]+',
    r'\1***MASKED***',
    s,
)

# UCI/env/shell assignment forms
assign_keys = [
    "private_key", "privateKey", "PrivateKey",
    "preshared_key", "presharedKey", "PresharedKey",
    "password", "passwd", "token", "secret", "api_key", "api-key",
]

for key in assign_keys:
    s = re.sub(
        rf'\b({re.escape(key)})(\s*=\s*)([\'"]?)[^\'"\s,}}]+(\3)',
        rf'\1\2\3***MASKED***\4',
        s,
        flags=re.IGNORECASE,
    )

# JSON common secrets
for key in ["password", "passwd", "token", "secret", "api_key", "api-key"]:
    s = re.sub(
        rf'("{re.escape(key)}"\s*:\s*")([^"\r\n]+)(")',
        rf'\1***MASKED***\3',
        s,
        flags=re.IGNORECASE,
    )

# Authorization headers
s = re.sub(
    r'(Authorization:\s*Bearer\s+)[A-Za-z0-9._-]+',
    r'\1***MASKED***',
    s,
    flags=re.IGNORECASE,
)

sys.stdout.write(s)
