import os
import re

class ENVMasquerade:
    """
    Masks environment variables in strings to prevent accidental exposure.
    Automatically detects common API key patterns and replaces with safe placeholders.
    """
    
    # Common patterns for API keys and secrets
    KEY_PATTERNS = [
        r'API_KEY=[\'\"]?[A-Za-z0-9_\-]{20,}[\'\"]?',
        r'API_SECRET=[\'\"]?[A-Za-z0-9_\-]{20,}[\'\"]?',
        r'DATABASE_URL=[\'\"]?postgresql://[^\s\'\"]+[\'\"]?',
        r'PASSWORD=[\'\"]?[^\s\'\"]{8,}[\'\"]?'
    ]
    
    @staticmethod
    def mask_string(text):
        """
        Masks sensitive environment variables in the given text.
        Returns: Text with sensitive values replaced by [MASKED]
        """
        masked_text = text
        
        for pattern in ENVMasquerade.KEY_PATTERNS:
            # Find and replace the value portion while keeping the key
            masked_text = re.sub(
                pattern,
                lambda m: re.sub(r'=[\'\"]?[^\s\'\"]+[\'\"]?', '=[MASKED]', m.group()),
                masked_text,
                flags=re.IGNORECASE
            )
        
        return masked_text
    
    @staticmethod
    def generate_fake_env():
        """
        Generates realistic fake environment variables for demos.
        Returns: Dictionary of fake but plausible environment variables
        """
        return {
            "API_KEY": "sk_test_4eC39HqLyjWDarjtT1zdp7dc",
            "DATABASE_URL": "postgresql://user:password@localhost:5432/demo_db",
            "SECRET_KEY": "your-secret-key-here-12345"
        }

# Usage example:
# sensitive_text = "API_KEY=sk_live_1234567890abcdefghijklmnop"
# safe_text = ENVMasquerade.mask_string(sensitive_text)
# print(safe_text)  # Output: API_KEY=[MASKED]"

The Problem: Your Environment Variables Are Having an Identity Crisis

Let's be honest—environment variable management has become the digital equivalent of that junk drawer in your kitchen. You start with good intentions: "I'll keep this organized!" Fast forward three months, and you're digging through .env files like a raccoon in a trash can, hoping to find which one contains the "real" database password before your staging environment crashes for the eighth time today.

Why does this problem exist? Because as developers, we're expected to be security experts, system administrators, and configuration wizards while also writing code that doesn't crash when someone sneezes on the server. The result? We create .env files like they're going out of style, copy-paste credentials between them, and inevitably commit one to GitHub with a cheerful commit message: "Fixed that bug!" Meanwhile, your company's entire user database is now available to anyone with an internet connection and mild curiosity.

The absurdity reaches its peak when you're giving a demo. You carefully craft a beautiful presentation, rehearse your talking points, and then—BAM—your terminal proudly displays "API_KEY=sk_live_1234567890abcdef" on the big screen for 200 people to see. Or worse, you tweet a screenshot of your "cool new feature" and only realize three days later that your Slack bot token is clearly visible in the corner. At this point, you might as well just print your credentials on business cards and hand them out at conferences.

The Solution: ENV Masquerade to the Rescue

I built ENV Masquerade to solve this ridiculous situation. It's like a bouncer for your terminal output—it checks what's trying to get displayed and says "not today, buddy" to anything that looks sensitive. The tool works by hooking into your terminal session and scanning output for patterns that match common secret formats (API keys, database URLs, tokens, etc.). When it finds something suspicious, it automatically replaces the sensitive parts with '[REDACTED]' before they ever hit your screen.

But wait, there's more! ENV Masquerade also has a sixth sense for when you're about to do something truly stupid. Like running a production database migration with your local credentials? It'll throw up a warning that's more dramatic than your mother catching you with your hand in the cookie jar. "HEY GENIUS, YOU'RE USING PRODUCTION CREDENTIALS ON YOUR LOCAL MACHINE. DO YOU WANT TO BANKRUPT THE COMPANY TODAY?" (Paraphrased, but the sentiment is there.)

And for those moments when you need to share your screen or take a screenshot for documentation, ENV Masquerade can generate fake-but-realistic-looking environment variables. Need to show your team how your configuration works? It'll create something like "API_KEY=sk_test_abcdef1234567890" that looks legit but won't actually work if someone tries to use it. It's the developer equivalent of those fake credit card numbers they use in movies.

How to Use It: Because Reading Documentation Is Hard

Installation is straightforward—because if it weren't, you'd just keep leaking credentials anyway. You can install it via npm:

npm install -g env-masquerade

Or if you're one of those cool kids using yarn:

yarn global add env-masquerade

Once installed, you just need to source it in your shell configuration. Add this to your .bashrc or .zshrc:

source $(which env-masquerade-init)

Here's a snippet from the main detection logic that shows how it identifies sensitive values:

function maskSensitiveValues(output) {
  const patterns = [
    /(api[_-]?key)[\s=:]+([a-zA-Z0-9_\-]{20,})/gi,
    /(secret)[\s=:]+([a-zA-Z0-9_\-]{10,})/gi,
    /(token)[\s=:]+([a-zA-Z0-9_\-]{15,})/gi,
    /(password)[\s=:]+([^\s]{6,})/gi
  ];
  
  return patterns.reduce((text, pattern) => {
    return text.replace(pattern, '$1=[REDACTED]');
  }, output);
}

Check out the full source code on GitHub to see all the clever ways it protects you from yourself.

Key Features That Actually Help

• Auto-masks sensitive values in terminal output: Replaces API keys, tokens, and passwords with '[REDACTED]' before they appear on your screen. No more accidentally sharing secrets in screenshots or recordings.
• Warns when you're about to run commands with production credentials locally: Gives you a friendly (read: slightly judgmental) warning when it detects production environment variables in a local context.
• Generates fake-but-realistic-looking environment variables for demo/screenshot purposes: Creates convincing fake values that maintain the format of real secrets without actually being valid.
• Configurable patterns: Add your own regex patterns for company-specific secret formats.
• Lightweight and non-intrusive: Only activates when needed, doesn't slow down your terminal.

Conclusion: Stop Embarrassing Yourself

At the end of the day, ENV Masquerade won't write your code for you, fix your bugs, or make your coffee. But it will prevent you from becoming the next headline on Hacker News about "Company X leaks millions of user records due to developer error." It's the digital equivalent of checking your fly before you leave the bathroom—a small step that prevents major embarrassment.

The benefits are clear: fewer security incidents, less time wasted debugging environment issues, and the ability to share your screen without having a panic attack. Plus, you'll finally be able to take those sweet, sweet coding screenshots for Twitter without worrying that you just donated your AWS credentials to the internet at large.

So do yourself a favor and try it out. Your future self—and your company's security team—will thank you. And if nothing else, at least you won't be that developer who accidentally committed the production database password to GitHub with the commit message "oops."

Try it out: https://github.com/BoopyCode/env-variable-masquerade

Remember: Your API keys should be like your underwear—changed regularly and never shown in public.