v1.0.0
First production release. SCRUB is a single-binary forward proxy that masks
secrets / PII / sensitive data on outbound LLM-provider requests and rehydrates
them on responses (including streaming). The 0.x entries below built up to this;
from 1.0 the public CLI, config schema, and chart values follow SemVer.
Highlights
- Engine: reversible sentinel masking (
⟦S:TYPE·id⟧), single-pass detection
(glossary + regex meta-engine + entropy + heuristic NER), provider-aware scan
paths, and streaming/SSE-correct rehydration. - Secret sources:
.env, file, and HashiCorp Vault (KV v2); a curated ruleset. - Sessions: request- or session-scoped pseudonyms; in-memory or Redis backend
with node-disjoint ids and AES-256-GCM at-rest encryption. - Policy: dry-run, per-route overrides, multi-tenant isolation, constant-time auth.
- Transport: TLS termination and interception (SNI-transparent + CONNECT proxy)
with on-the-fly per-host certs; usable as an OS HTTP proxy. - Auditing: tamper-evident hash-chained audit log + full (masked) transaction log.
- Delivery: static multi-arch binaries, a multi-arch container image, and a
Helm chart (single-node + HA StatefulSet/Redis) published as an OCI artifact;
a documentation website.