Redacts secrets from values before they are persisted to audit snapshots.

Two layers run on every value:

• String/value pattern match — strings are matched against the configured :redaction_patterns regexes (e.g. Authorization: Bearer X).

• Map-key name match — when traversing a map, any key whose normalized name contains a sensitive token (api_key, secret, token, password, authorization, bearer) has its value replaced with "[REDACTED]" regardless of the value's shape. This catches {"api_key": "live_..."} that the regex pass would miss because the secret value isn't surrounded by the matching context.