Thanks for your interest in contributing to scrub.txt! This project is built to help people safely use AI services without leaking sensitive data, and every contribution makes it better for everyone.
git clone https://github.com/springdom/scrub-txt.git
cd scrub-txt
npm install
npm run devThe app runs at http://localhost:5173. Changes hot-reload instantly.
This is the single best way to contribute. If you know the format of an API key, token, or secret that we don't currently detect, you can add it in minutes.
Where: src/lib/patterns.js
Every pattern is an object with this structure:
{
id: 'service_key', // unique snake_case id
label: 'Service Name Keys', // what shows in the Rules panel
enabled: true, // on by default? (use false for high false-positive patterns)
regex: /pattern-here/g, // must have the global flag
tag: 'API_KEY', // which generator to use (see below)
group: 'Keys & Secrets', // UI grouping
}Available tags (each produces different fake data):
API_KEY— generic key replacementPRIVATE_KEY— PEM private key blockPUBLIC_KEY— PEM public key blockCERTIFICATE— PEM certificate blockSSH_PUB— SSH public keyWG_KEY— WireGuard keyJWT— JSON Web TokenWEBHOOK— webhook URLBEARER— Bearer tokenPASSWORD— password assignmentENV_VAR— environment variableCONN_STRING— database connection string
If none of these fit, you can add a new tag — just also add a matching generator in src/lib/generators.js and a color in src/lib/colors.js.
Testing your pattern:
- Add the pattern to
patterns.js - Run
npm run dev - Paste a sample of the key/token format into the input
- Verify it gets detected and replaced with sensible fake data
- Test edge cases — make sure it doesn't false-positive on normal text
Open an issue with:
- What you expected to happen
- What actually happened
- A sample input that reproduces the issue (scrub any real sensitive data first!)
- Browser and OS
If you know a key format that should be detected but you're not comfortable writing regex, open an issue with:
- The service name
- A description or example of the key format (use fake/expired keys only)
- Any documentation links about the format
The entire UI is in src/App.jsx. If you're making visual changes, include a screenshot in your PR.
The core logic is in src/lib/engine.js. The scrub() and rehydrate() functions are pure — they take data in and return data out with no side effects. Please keep it that way.
src/
├── App.jsx # All UI code (single component)
├── main.jsx # React entry point
├── index.css # Global styles
└── lib/
├── patterns.js # Detection patterns (regex + metadata)
├── generators.js # Fake data factories per tag type
├── engine.js # scrub() and rehydrate() core functions
└── colors.js # Color assignments for UI highlighting
- Keep PRs focused — one pattern, one bug fix, or one feature per PR
- Run
npm run buildbefore submitting to make sure nothing breaks - If adding a pattern, include a test case in the PR description showing what it catches
- Don't introduce external dependencies without discussion first — the project is intentionally dependency-light
- No linter configured yet — just match the existing style
- 2-space indentation
- Single quotes for strings
- Trailing commas in arrays and objects
- Everything stays client-side. No network calls, no analytics, no tracking. This is non-negotiable.
- No external dependencies in the engine.
patterns.js,generators.js, andengine.jsmust remain framework-agnostic with zero imports beyond each other. - False positives are worse than false negatives. A pattern that flags normal text is more harmful than missing an obscure key format. When in doubt, set
enabled: falseas the default. - Realistic fake data over placeholder tags. We use
user1@example.comnot[EMAIL_1]. This keeps AI responses useful.
Open a Discussion on GitHub or file an issue. We're happy to help you get started.