Feature: Shared PII redactor for logs + crashes

- New `redact` module: one composed regex with named groups dispatches per pattern (Unix/Windows home, /Volumes, /media, SMB UNC + smb://, *.local, IPv4/IPv6, email, URL userinfo, /tmp + /var + /private + /opt).
- Path-shape preservation: keeps file extension and allowlisted parent dir name (`Documents`, `Library`, `Application Support`, ...); collapses unknown dirs to `<dir>` so project codenames don't leak.
- 19 redact tests + 21 crash reporter tests pass: per-pattern, idempotency, golden corpus snapshot (~140 synthesized lines, regenerate via `REGENERATE_REDACT_CORPUS=1`), histogram coverage check, and negatives (`cmdr_lib::network::smb_client`, `0.1.2-alpha`, etc. unchanged).
- `crash_reporter::sanitize_panic_message` now delegates to `redact::redact_panic_message` (kept as a thin wrapper for one cycle).

Author: vdavid

apps/desktop/src-tauri/src/crash_reporter/CLAUDE.md

@@ -27,8 +27,11 @@ Both paths write to `crash-report.json` in the app data dir (same dir as `settin
 ## Key design decisions
 
 - **Opt-in only** (`updates.crashReports` defaults to `false`). Consistent with the "no telemetry" stance.
-- **No PII, ever.** Panic messages are sanitized to strip file paths before writing. No file names, usernames, device
-  IDs, or license keys are included.
+- **No PII, ever.** Panic messages are sanitized via the shared
+  [`crate::redact`](../redact/CLAUDE.md) module to strip file paths, hostnames, IPs, emails,
+  and URL userinfo before writing. The `sanitize_panic_message` function in `mod.rs` is a
+  thin wrapper around `redact::redact_panic_message`. No file names, usernames, device IDs,
+  or license keys are included.
 - **Dev mode: capture only, never send.** Crash files are written (useful for testing), but the send path is skipped to
   avoid polluting production data.
 - **Crash loop protection**: If the crash file's timestamp is less than five seconds before the current launch, skip

apps/desktop/src-tauri/src/crash_reporter/mod.rs

@@ -10,8 +10,8 @@ mod symbolicate;
 mod tests;
 
 use crate::config;
+use crate::redact;
 use crate::settings;
-use regex::Regex;
 use serde::{Deserialize, Serialize};
 use std::path::{Path, PathBuf};
 use std::sync::OnceLock;
@@ -154,23 +154,11 @@ fn extract_panic_message(info: &std::panic::PanicHookInfo<'_>) -> Option<String>
     Some(info.to_string())
 }
 
-/// Strip file paths from panic messages to prevent PII leaks.
-/// Matches Unix paths (/Users/..., /home/..., /tmp/...) and Windows paths (C:\...).
+/// Strip PII from panic messages. Thin wrapper around the shared redactor; kept here so
+/// callers don't need to know about `crate::redact` and so existing tests have a stable
+/// entry point during the migration.
 fn sanitize_panic_message(message: &str) -> String {
-    static RE: OnceLock<Regex> = OnceLock::new();
-    let re = RE.get_or_init(|| {
-        // Match Unix absolute paths and Windows drive paths.
-        // Captures paths like /Users/foo/bar.rs:42:5 or C:\Users\foo\bar.rs
-        Regex::new(
-            r#"(?x)
-            (?:
-                /(?:Users|home|tmp|var|private|opt|usr|nix)[/][^\s"':;,)}\]]+
-              | [A-Z]:\\[^\s"':;,)}\]]+
-            )"#,
-        )
-        .expect("valid regex")
-    });
-    re.replace_all(message, "<path>").into_owned()
+    redact::redact_panic_message(message)
 }
 
 fn parse_backtrace_frames(backtrace_str: &str) -> Vec<String> {

apps/desktop/src-tauri/src/crash_reporter/tests.rs

@@ -111,13 +111,17 @@ fn nonexistent_crash_file_returns_none() {
     assert!(result.is_none());
 }
 
+// Sanitization is delegated to `crate::redact` (see `redact/tests.rs` for full pattern
+// coverage). These tests verify the wrapper still strips the same PII the old sanitizer
+// did, just with the new path-shape-preserving output.
+
 #[test]
 fn sanitize_unix_home_path() {
     let msg = r#"No such file or directory (os error 2): /Users/john/Documents/secret-project/file.txt"#;
     let sanitized = sanitize_panic_message(msg);
     assert!(!sanitized.contains("/Users/john"));
     assert!(!sanitized.contains("secret-project"));
-    assert!(sanitized.contains("<path>"));
+    assert!(sanitized.contains("$HOME"));
 }
 
 #[test]
@@ -126,23 +130,25 @@ fn sanitize_linux_home_path() {
     let sanitized = sanitize_panic_message(msg);
     assert!(!sanitized.contains("/home/alice"));
     assert!(!sanitized.contains("id_rsa"));
-    assert!(sanitized.contains("<path>"));
+    assert!(sanitized.contains("$HOME"));
 }
 
 #[test]
 fn sanitize_windows_path() {
     let msg = r"couldn't read C:\Users\Bob\Desktop\passwords.txt";
     let sanitized = sanitize_panic_message(msg);
     assert!(!sanitized.contains(r"C:\Users\Bob"));
-    assert!(sanitized.contains("<path>"));
+    assert!(sanitized.contains("$HOME"));
 }
 
 #[test]
 fn sanitize_tmp_path() {
     let msg = "error at /tmp/build-abc123/src/main.rs:42:5";
     let sanitized = sanitize_panic_message(msg);
-    assert!(!sanitized.contains("/tmp/build"));
-    assert!(sanitized.contains("<path>"));
+    assert!(!sanitized.contains("/tmp/build-abc123"));
+    // Path-shape preservation keeps the `/tmp/` prefix and the file extension.
+    assert!(sanitized.contains("/tmp/"));
+    assert!(sanitized.contains("<file>.rs"));
 }
 
 #[test]
@@ -158,8 +164,8 @@ fn sanitize_multiple_paths() {
     let sanitized = sanitize_panic_message(msg);
     assert!(!sanitized.contains("/Users/a"));
     assert!(!sanitized.contains("/Users/b"));
-    // Should have two <path> replacements
-    assert_eq!(sanitized.matches("<path>").count(), 2);
+    // Two paths → two $HOME replacements.
+    assert_eq!(sanitized.matches("$HOME").count(), 2);
 }
 
 #[test]

apps/desktop/src-tauri/src/lib.rs

@@ -98,6 +98,7 @@ mod network;
 mod permissions;
 #[cfg(target_os = "linux")]
 mod permissions_linux;
+mod redact;
 pub mod search;
 mod secrets;
 mod settings;

apps/desktop/src-tauri/src/redact/CLAUDE.md

@@ -0,0 +1,91 @@
+# Redact
+
+Path-shape-preserving redactor used by the crash reporter and (Phase 4+) the error reporter.
+
+The hot path is `redact_line`, called once per log line. One composed regex with named capture
+groups drives a single pass; the dispatch closure inspects which group matched and calls the
+matching rewriter. `Cow::Borrowed` is returned for lines with no matches so the no-PII case
+costs zero allocations.
+
+## Pattern table
+
+| Group           | Matches                                              | Rewrites to                                             |
+| --------------- | ---------------------------------------------------- | ------------------------------------------------------- |
+| `unix_home`     | `/Users/<user>/...`, `/home/<user>/...`              | `$HOME/<allowlisted-parent-or-dir>/<file>.<ext>`        |
+| `win_home`      | `C:\Users\<user>\...`                                | `$HOME\<allowlisted-parent-or-dir>\<file>.<ext>`        |
+| `unix_system`   | `/tmp/...`, `/var/...`, `/private/...`, `/opt/...`   | Prefix kept; tail walked with same shape rules          |
+| `volumes`       | `/Volumes/<label>/...` (label may contain spaces)    | `/Volumes/<volume>/<allowlisted-or-dir>/<file>.<ext>`   |
+| `media`         | `/media/<label>/...` (label may contain spaces)      | `/media/<volume>/<allowlisted-or-dir>/<file>.<ext>`     |
+| `smb_uri`       | `smb://host/share/...`                               | `smb://<host>/<share>/<redacted tail>`                  |
+| `unc`           | `\\host\share\...`                                   | `\\<host>\<share>\<redacted tail>`                      |
+| `url_userinfo`  | `scheme://user[:pass]@host/...`                      | `scheme://<userinfo>@host/...` (host preserved)         |
+| `email`         | `local@domain.tld` (loose RFC 5321 ish)              | `<email>`                                               |
+| `mdns`          | `<label>.local` bare hostnames                       | `<host>.local`                                          |
+| `ipv4`          | dotted-quad with valid octet ranges                  | `<ipv4>`                                                |
+| `ipv6`          | full + common compact forms (`::1`, `fe80::1`, ...)  | `<ipv6>`                                                |
+
+### Path-shape preservation
+
+For paths, we keep:
+
+- The **mount/home prefix** as a fixed token (`$HOME`, `/Volumes/<volume>`, `/media/<volume>`,
+  `/tmp/`, etc.).
+- The **immediate parent directory name** if it's in the allowlist
+  (`Documents`, `Downloads`, `Desktop`, `Library`, `src`, `Pictures`, `Movies`, `Music`,
+  `Public`, `AppData`, `Application Support`).
+- The **file extension** if it's <= 8 ASCII alphanumeric chars.
+
+Everything else collapses to `<dir>` or `<file>`. So
+`/Users/john/Documents/budget.pdf` → `$HOME/Documents/<file>.pdf`, but
+`/Users/john/SecretProject/budget.pdf` → `$HOME/<dir>/<file>.pdf`.
+
+### Decision: why path-shape preservation + allowlist
+
+Tradeoff between debuggability ("I can see this is a Documents path") and PII safety
+("but I don't want to leak project codenames"). The allowlist captures the dirs that are
+near-universal across users — anything custom collapses. Net result: triagers can usually
+guess the failure context without seeing the user's secrets.
+
+### Decision: MTP device names not handled in Phase 1
+
+The plan listed "MTP device names (from log target prefix)" but the cross-cutting reminder
+clarifies: redactor operates on the message body, not the target. Bare device names like
+`Pixel 9 Pro` in the message body are too generic to detect without context. If we end up
+needing this, we'll add a per-call `RedactionContext` rather than baking it into the global
+regex.
+
+## How to add a new pattern
+
+Three steps:
+
+1. Add a new alternative inside `redactor_regex()` with a unique `(?P<group_name>...)` and
+   write a corresponding rewriter (or extend `dispatch`) to map matches to redacted output.
+2. Add a dedicated test in `tests.rs` with at least 6 input→expected tuples covering edge
+   cases (start of line, middle of line, embedded in punctuation, multiple per line).
+3. Append two or three lines to `fixtures/log-corpus.txt` exercising the new pattern.
+   Update `fixtures/log-corpus.redacted.txt` to match. The `replacement_count_histogram`
+   test will tell you if the corpus is missing your pattern.
+
+## Files
+
+| File                                | Purpose                                                       |
+| ----------------------------------- | ------------------------------------------------------------- |
+| `mod.rs`                            | Public API + composed regex + path rewriters                  |
+| `tests.rs`                          | Per-pattern tests, idempotency, golden corpus, histogram      |
+| `fixtures/log-corpus.txt`           | Synthesized log lines covering every pattern class            |
+| `fixtures/log-corpus.redacted.txt`  | Expected redaction of the corpus (golden snapshot)            |
+
+## Gotchas
+
+- The dispatch order in `dispatch()` mirrors the alternation order in the regex. SMB URIs
+  with userinfo (`smb://user@host/...`) match `smb_uri` first (it's listed earlier) — they
+  do **not** fall through to `url_userinfo`. The userinfo is dropped along with the host.
+- `redact_text` splits on `\n` and redacts each line independently. This keeps regex `\b`
+  anchors predictable and lets us return `Cow::Borrowed` per line.
+- Verbose regex mode (`(?x)`) ignores whitespace **outside** character classes. Inside
+  `[...]` whitespace is literal, so `[A-Za-z]` is fine but `[ A-Za-z ]` would match a space.
+- Paths with embedded spaces like `/Volumes/My Backup Drive/...` are matched by allowing
+  single spaces between path components. Multi-space gaps stop the match.
+- The `url_userinfo` pattern preserves the host on purpose — the assumption is that the host
+  is part of a well-known service URL the developer needs to see. If we ever store private
+  hosts in URLs, revisit this.