Structural redactor for ssh argv vectors.
Preserve the shape of the argv (every flag in its place, every
option preserved, count unchanged) while replacing Tainted slots with
stable hash tokens like <host:#a3f4> / <id:#7c2>.
The redactor is structurally aware: it understands the standard
ssh(1) flag syntax and knows which slots can hold a hostname /
identity / port. But it is intentionally CONSERVATIVE — it ONLY
touches slots whose contents are Tainted. Plain strings pass
through unchanged.
A hostname is whatever the user happens to call their VPS. We don't
want to pattern-match hostnames (false positives, false negatives).
Instead, the credential resolver / plan compiler decides what is
sensitive by wrapping in Tainted. The redactor's job is to take
that signal and present it as a token rather than a <redacted ...>
blob — preserving structural fidelity for debugging.
Single-arg flags (the next argv slot is the value):
-l <user> → identity -i <keyfile> → identity (keyfile path) -p <port> → port -o <key=val> → option (passed through; we don't parse it) -F, -E, -S, -W, -L, -R, -D, -J, -Q, -e, -m, -c, -O, -B (each of the above takes a value in the following slot)
Boolean flags (no following value): -1 -2 -4 -6 -A -a -C -f -G -g -K -k -M -N -n -q -s -T -t -V -v -X -x -Y -y
Anything that doesn't look like a flag and appears after we've consumed flags is treated as the destination (host, or user@host).
Plain strings: pass through verbatim.
Tainted slots: replaced with their <src:#hash> token form. If a
Tainted carries :source :argv-host, you get
<host:#xxxx>; for :argv-id you get <id:#xxxx>;
the source label IS the token prefix.
Repeated Tainted with the same underlying value within a single argv produces the SAME token (because the hash is value-stable within a JVM). Operators can spot "this argv references the same host twice" at a glance.
The function does NOT call untaint and does NOT lengthen or shorten the argv. Output count == input count.
Structural redactor for ssh argv vectors.
## Goal
Preserve the *shape* of the argv (every flag in its place, every
option preserved, count unchanged) while replacing Tainted slots with
stable hash tokens like `<host:#a3f4>` / `<id:#7c2>`.
The redactor is structurally aware: it understands the standard
ssh(1) flag syntax and knows which slots can hold a hostname /
identity / port. But it is intentionally CONSERVATIVE — it ONLY
touches slots whose contents are `Tainted`. Plain strings pass
through unchanged.
## Why conservative
A hostname is whatever the user happens to call their VPS. We don't
want to pattern-match hostnames (false positives, false negatives).
Instead, the credential resolver / plan compiler decides what is
sensitive by wrapping in `Tainted`. The redactor's job is to take
that signal and present it as a token rather than a `<redacted ...>`
blob — preserving structural fidelity for debugging.
## Recognized ssh flag idioms
Single-arg flags (the next argv slot is the value):
-l <user> → identity
-i <keyfile> → identity (keyfile path)
-p <port> → port
-o <key=val> → option (passed through; we don't parse it)
-F, -E, -S, -W, -L, -R, -D, -J, -Q, -e, -m, -c, -O, -B
(each of the above takes a value in the following slot)
Boolean flags (no following value): -1 -2 -4 -6 -A -a -C -f -G -g
-K -k -M -N -n -q -s -T -t -V -v -X -x -Y -y
Anything that doesn't look like a flag and appears after we've
consumed flags is treated as the destination (host, or user@host).
## Behavior
Plain strings: pass through verbatim.
Tainted slots: replaced with their `<src:#hash>` token form. If a
Tainted carries `:source` :argv-host, you get
`<host:#xxxx>`; for :argv-id you get `<id:#xxxx>`;
the source label IS the token prefix.
Repeated Tainted with the same underlying value within a single
argv produces the SAME token (because the hash is value-stable
within a JVM). Operators can spot "this argv references the same
host twice" at a glance.
The function does NOT call untaint and does NOT lengthen or shorten
the argv. Output count == input count.(redact-ssh-argv argv)Redact an SSH argv vector, preserving structure (flag positions and
total count) but replacing any Tainted slots with stable hash tokens
like <host:#a3f4>.
Returns a vector of the same length as argv. Plain strings pass
through untouched. Tainted slots become token strings.
The redactor walks left-to-right:
Redact an SSH argv vector, preserving structure (flag positions and
total count) but replacing any Tainted slots with stable hash tokens
like `<host:#a3f4>`.
Returns a vector of the same length as `argv`. Plain strings pass
through untouched. Tainted slots become token strings.
The redactor walks left-to-right:
- When it sees a value-flag (e.g. "-l"), the NEXT slot is treated
as that flag's value with a flag-appropriate default source
("id" for -l/-i, "port" for -p).
- When it sees a non-flag slot at "host position" (after
flag-and-value pairs are consumed), Tainted slots get the "host"
prefix by default.
- Plain strings are NEVER hashed — the redactor does not guess
which non-Tainted slot might be sensitive.cljdoc builds & hosts documentation for Clojure/Script libraries
| Ctrl+k | Jump to recent docs |
| ← | Move to previous article |
| → | Move to next article |
| Ctrl+/ | Jump to the search field |