Langfuse.Masking (Langfuse v0.2.0)

View Source

Data masking for sensitive information in Langfuse traces.

This module provides utilities to mask sensitive data (like API keys, passwords, credit card numbers) before sending to Langfuse. Masking helps comply with data privacy requirements while still enabling observability.

Configuration

Configure masking patterns in your application config:

config :langfuse,
  masking: [
    enabled: true,
    patterns: [
      {~r/sk-[a-zA-Z0-9]{32,}/, "[MASKED_API_KEY]"},
      {~r/\b\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}\b/, "[MASKED_CARD]"},
      {~r/password["']?\s*[:=]\s*["']?[^"'\s]+/, "password: [MASKED]"}
    ],
    mask_keys: [:password, :secret, :api_key, :token, :authorization]
  ]

Usage

Masking is automatically applied when configured. You can also apply it manually:

masked = Langfuse.Masking.mask("My API key is sk-abc123...")
# => "My API key is [MASKED_API_KEY]"

masked = Langfuse.Masking.mask_value(%{password: "secret123", name: "test"})
# => %{password: "[MASKED]", name: "test"}

Custom Masking Function

For complex masking logic, provide a custom function:

config :langfuse,
  masking: [
    enabled: true,
    mask_fn: &MyApp.Masking.custom_mask/1
  ]

Summary

Types

config()

Masking configuration options.

Functions

enabled?()

Returns whether masking is enabled.

mask(value)

Masks sensitive data in the given value.

mask_map(map)

Masks sensitive keys in a map.

mask_string(string)

Masks a string using configured patterns.

Types

config()

@type config() :: [
  enabled: boolean(),
  patterns: [{Regex.t(), String.t()}],
  mask_keys: [atom()],
  mask_fn: (term() -> term()) | nil
]

Masking configuration options.

Functions

enabled?()

@spec enabled?() :: boolean()

Returns whether masking is enabled.

Examples

iex> Langfuse.Masking.enabled?()
false

mask(value)

@spec mask(term()) :: term()

Masks sensitive data in the given value.

Applies configured patterns and key-based masking to strings and maps. Returns the original value unchanged if masking is disabled.

Examples

iex> Langfuse.Masking.mask("API key: sk-test1234567890abcdefghij")
"API key: [MASKED_API_KEY]"

iex> Langfuse.Masking.mask(%{user: "alice", password: "secret"})
%{user: "alice", password: "[MASKED]"}

mask_map(map)

@spec mask_map(map()) :: map()

Masks sensitive keys in a map.

Keys matching configured mask_keys have their values replaced with "[MASKED]".

Examples

iex> Langfuse.Masking.mask_map(%{username: "alice", password: "secret123"})
%{username: "alice", password: "[MASKED]"}

mask_string(string)

@spec mask_string(String.t()) :: String.t()

Masks a string using configured patterns.

Examples

iex> Langfuse.Masking.mask_string("Contact: test@example.com")
"Contact: [MASKED_EMAIL]"