jaredj/glotawk - Change QNGWKBROYBNQFPIS4AD4GSIWVGPVEMWISKVHTBGPJ3EF2X4HBKWAC

add, test, and document encrypted and secret strings

Created by jaredj on November 4, 2025

QNGWKBROYBNQFPIS4AD4GSIWVGPVEMWISKVHTBGPJ3EF2X4HBKWAC

Dependencies

In channels

main

Change contents

Insertion in data.awk at line 19 [4.16500]

[4.16643]

[5.39275]

    max_n += 1
    return N
}
function _encrypted_string(s) {
    _ENCRYPTED_STRING[++N] = s
    _TYPE[N] = "e"
    max_n += 1
    return N
}
function _secret_string(s) {
    _SECRET_STRING[++N] = s
    _TYPE[N] = "S"

Insertion in data.awk at line 106 [4.16500]

[6.638]

        else if(t == "S") return 1
        else if(t == "e") return 1

Replacement in data.awk at line 328 [4.16500]

B:BD[7.24027] → [7.24027:24092]

function _list_to_flat_awk_array_of_any(lis, a,      ia, c, t) {

[7.24027]

[7.24092]

function _list_to_flat_awk_array_of_any(lis, a, redactp, secretp,      ia, c, t) {

Replacement in data.awk at line 346 [4.16500]

B:BD[7.24715] → [7.24715:24775]

B:BD[7.24775] → [8.334:406]

            else if(t == "'")  a[ia[1]++] = _SYM_NUMBERS[c]
            else if(t == "(")  _list_to_flat_awk_array_of_any(c, a, ia)

[7.24715]

[7.24836]

            else if(t == "S") {
                if(redactp) {
                    a[ia[1]++] = S_REDACTED
                } else {
                    secretp[1] = 1
                    a[ia[1]++] = _SECRET_STRING[c]
                }
            } else if(t == "e") {
                if(redactp) {
                    a[ia[1]++] = S_ENCRYPTED
                } else {
                    secretp[1] = 1
                    a[ia[1]++] = _SECRET_STRING[_decrypt(_ENCRYPTED_STRING[c])]
                }
            } else if(t == "'")  a[ia[1]++] = _SYM_NUMBERS[c]
            else if(t == "(")  _list_to_flat_awk_array_of_any(c, a, redactp, secretp, ia)

Insertion in doc/releases.org at line 1 [9.37]

[9.37]

[3.157]

* v0.9: secrets
** Special forms added
encrypt decrypt with-secret-output-to unsafe-reveal reveal-encrypted
rsprintf rprintf
** Secrets
glotawk will keep your secrets. Somewhat. Here's how it works: secrets
are encrypted symmetrically with AES-256-CTR, using the
~openssl-enc(1)~ utility. The key used lives in a file which glotawk
can read. By default this is ~/usr/local/etc/lacrum/keyfile~. You can
set it to a different filename using a ~-v~ switch to ~awk~: ~awk -v
KEY_FILE=/other/dir/myfile -f glotawk~.
The reason for this feature is to hide the value of secrets that need
to be written in code that configures the system, so that the code can
be more safely version-controlled. For example, CARP passphrases need
to be set. But it wouldn't do to write the actual passphrases in a
publicly shared repository, would it?
But in this example, the world can still tell how often the CARP
passphrases are changed; and anyone can conduct offline brute-force
attacks. There's no authentication of the ciphertext, so changes to
it, inadvertent or intentional, can change the plaintext or cause
decryption errors. Assume this will happen, and change both the
secrets, and the encryption key, periodically. As presently
implemented, glotawk will not help you do this in the slightest.
Speaking of implementation, here's what exactly is implemented. There
are now three string types: strings (as before), secret strings, and
encrypted strings. Syntactically, strings are, as before, stuff
between double-quotes. Secret strings have a capital S just before the
beginning quote: ~S"shh, don't tell"~ . Encrypted strings have an e
just before the beginning quote: ~e"rfyNlBsckgA"~ . They contain
base64-encoded bytes, so they won't make much sense. So this is how
you write the two new kinds of string, in glotawk programs.
A bit of effort is expended to avoid showing secret strings.
- When you ~print~ a secret string, or take its ~repr~, it shows as
  ~S"(redacted)"~. This includes REPL results and stack traces printed
  when crashing.
- When you expect to send secrets to an output file, use
  ~with-secret-output-to~ rather than ~with-output-to~; if you send a
  secret string using ~printf~ to a non-secret output, it will throw
  an error.
- When you use ~rprintf~ instead, any secret-string arguments will be
  replaced with "(redacted)," and no error will be thrown regarding a
  non-secret output.
- When you interpolate a secret string into another string using
  ~sprintf~, the resulting string will be a secret string.
- Same as with ~rprintf~ above, you can use ~rsprintf~ to redact, and
  the result will be a plain string.
- When you ~dump~ to an image file, all secret strings are
  first transmogrified into encrypted strings.
Because of this latter automatic conversion, when you evaluate an
encrypted string, it will be transmogrified into a secret string, so
that code using the value will work the same before and after the
dump. If for some reason you need to manually convert between
encrypted and secret strings, the ~encrypt~ and ~decrypt~ functions do
the job.
When you are going to write an encrypted string literal in your
source, you'll need to know what it is, in its encrypted form. That's
what ~reveal-encrypted~ is for.
And finally, if you need an escape valve, ~unsafe-reveal~ turns a
secret or encrypted string into a plain string containing the
plaintext.
Because this functionality is implemented by writing ciphertext
linewise to temp files, and reading plaintext out of pipes linewise,
newlines are not well preserved by secret and encrypted strings. Try
to keep things to one line.

Insertion in dump.awk at line 65 [5.37838]

[5.38848]

        } else if(t == "S") {
            i = _encrypt_secret_string(i)
            v = _ENCRYPTED_STRING[i]
            v = awkescape(v)
            line = line "_ENCRYPTED_STRING[" i "] = \"" v "\"; "
        } else if(t == "e") {
            v = _ENCRYPTED_STRING[i]
            v = awkescape(v)
            line = line "_ENCRYPTED_STRING[" i "] = \"" v "\"; "

Insertion in dump.awk at line 177 [5.37838]

[10.7340]

            } else if(t == "S") {
                node = node "\\\"" S_REDACTED "\\\"|"
            } else if(t == "e") {
                node = node "\\\"" S_ENCRYPTED "\\\"|"

Insertion in dump.awk at line 197 [5.37838]

[10.8001]

        } else if(t == "S") {
            print "    n" i " [shape=record,label=\"{<n> " i "|" S_REDACTED "}\"];" >>filename
        } else if(t == "e") {
            print "    n" i " [shape=record,label=\"{<n> " i "|" S_ENCRYPTED "}\"];" >>filename

Replacement in eval.awk at line 151 [4.11057]

B:BD[3.3328] → [3.3328:3399]

            bkwal = _bind_kw_args_alist(args, env, d, hdlrs, st, errp)

[3.3328]

[3.3399]

            bkwal = _bind_kw_args_alist(args, env, outer_env, d, hdlrs, st, errp)

Replacement in eval.awk at line 454 [4.11057]
B:BD[11.16759] → [3.4273:4279]
```
    }
```
[11.16759]
[11.16760]
```
#    }
```

Insertion in eval.awk at line 569 [4.11057]

[4.16356]

        } else if(t == "S") {
            return form
        } else if(t == "e") {
            # this will transmogrify form into a secret string
            return _decrypt_encrypted_string(form)

Insertion in first-symbols.awk at line 68 [7.17737]
[12.20437]
[12.20437]
```
    _symbol("rsprintf")
```

Insertion in first-symbols.awk at line 72 [7.17737]

[12.20514]

    _symbol("encrypt")
    _symbol("decrypt")
    _symbol("unsafe-reveal")
    _symbol("reveal-encrypted")

Insertion in first-symbols.awk at line 103 [7.17737]
[12.20562]
[13.2892]
```
    _symbol("rprintf")
```
Insertion in first-symbols.awk at line 110 [7.17737]
[14.5502]
[15.3953]
```
    _symbol("with-secret-output-to")
```

Insertion in gc.awk at line 53 [5.23803]

[5.24611]

[10.2825]

                if(dot_filename)
                    print "    n" i " [fillcolor=lightpink]" >>dot_filename
            } else if(t == "S") {
                _obscure_string_in_array(_SECRET_STRING, i)
                delete _SECRET_STRING[i]

Insertion in gc.awk at line 60 [5.23803]

[10.2934]

[5.24611]

            } else if(t == "e") {
                _obscure_string_in_array(_ENCRYPTED_STRING, i)
                delete _ENCRYPTED_STRING[i]
                if(dot_filename)
                    print "    n" i " [fillcolor=lightpink]" >>dot_filename

Insertion in glotawk-common.awk at line 6 [16.1044]
[16.1084]
[16.1084]
```
@include secrets.awk
```

Insertion in io.awk at line 10 [12.9773]

[12.9995]

[11.8760]

        return _printf(_eval3(_cadr(form), env, env, d+1, hdlrs, st, errp),
                       _cddr(form), 0, env, d+1, hdlrs, st, errp)
    else if(car == _symbol("rprintf"))

Replacement in io.awk at line 14 [12.9773]

B:BD[11.8836] → [11.8836:8899]

                       _cddr(form), env, d+1, hdlrs, st, errp)

[11.8836]

[12.10100]

                       _cddr(form), 1, env, d+1, hdlrs, st, errp)

Replacement in io.awk at line 31 [12.9773]

B:BD[11.9674] → [11.9674:9764]

                               _cdddr(form), env, d+1, hdlrs, st, errp) # to be evprogged

[11.9674]

[12.11064]

                               0, _cdddr(form), env, d+1, hdlrs, st, errp) # to be evprogged
    else if(car == _symbol("with-secret-output-to"))
        return _with_output_to(_eval3(_cadr(form), env, env, d+1, hdlrs, st, errp),
                               _eval3(_caddr(form), env, env, d+1, hdlrs, st, errp),
                               1, _cdddr(form), env, d+1, hdlrs, st, errp) # to be evprogged

Replacement in io.awk at line 55 [12.9773]

B:BD[12.11794] → [11.10410:10498]

function _printf(fmt, unevald, env, d, hdlrs, st, errp,     dlave, evald, s, a, i, p) {

[12.11794]

[12.11866]

function _printf(fmt, unevald, redactp, env, d, hdlrs, st, errp,     dlave, evald, s, a, i, p, secretp) {

Replacement in io.awk at line 63 [12.9773]

B:BD[12.12085] → [12.12085:12130]

    _list_to_flat_awk_array_of_any(evald, a)

[12.12085]

[12.12130]

    _list_to_flat_awk_array_of_any(evald, a, redactp, secretp)
    if(secretp[1]) # the thing to be output is secret
        if(!_OUTPUT_SECRET)
            return _error(_cons(_string("printf: secret sent to non-secret output"),
                                _nil()),
                          env, d+1, hdlrs, st, errp)

Replacement in io.awk at line 229 [12.9773]

B:BD[12.17464] → [11.11001:11114]

function _with_output_to(redir_kind, name, forms, env, d, hdlrs, st, errp,       old_redir_kind, old_name, rv) {

[12.17464]

[12.17560]

function _with_output_to(redir_kind, name, secretp, forms, env, d, hdlrs, st, errp,       old_redir_kind, old_name, rv) {

Insertion in io.awk at line 232 [12.9773]
[12.17634]
[12.17634]
```
    old_secret     = _OUTPUT_SECRET
```
Insertion in io.awk at line 237 [12.9773]
[12.17802]
[11.11115]
```
            _OUTPUT_SECRET     = secretp
```
Insertion in io.awk at line 241 [12.9773]
[12.17937]
[12.17937]
```
            _OUTPUT_SECRET     = old_secret
```

Insertion in lib.glotawk at line 130 [18.36]

[17.991]

(defintrinsic encrypt (s))
(defintrinsic decrypt (s))
(defintrinsic unsafe-reveal (s))
(defintrinsic reveal-encrypted (s))

Insertion in lib.glotawk at line 173 [18.36]
[18.5822]
[18.5822]
```
(setq rsprintf nil)
```
Insertion in lib.glotawk at line 175 [18.36]
[18.5840]
[17.1695]
```
(setq rprintf nil)
```
Insertion in lib.glotawk at line 180 [18.36]
[18.5961]
[18.5961]
```
(setq with-secret-output-to nil)
```

Replacement in osf.awk at line 107 [7.954]

B:BD[11.4822] → [11.4822:4885]

                 _cdr(form), env, d+1, _nil(), st, abort_errp)

[11.4822]

[2.0]

                 _cdr(form), 1, env, d+1, _nil(), st, abort_errp)

Insertion in printer.awk at line 41 [4.7981]

[4.8625]

        else if(t == "e") return _repr_encrypted_string(cell)
        else if(t == "S") return _repr_secret_string(cell)

Insertion in printer.awk at line 46 [4.7981]

[4.8735]

}
function _repr_secret_string(n) {
    return "S\"" S_REDACTED "\""

Insertion in printer.awk at line 52 [4.7981]

[4.8738]

[19.2637]

function _nerf_encrypted_string(s) {
    # encrypted strings should only contain base64 that openssl can
    # grok. just in case it doesn't (encrypted string from the outside
    # with maliciously incorrect content), let's nerf it.
    gsub(/[^a-zA-Z0-9\/+=]/, "_", s)
    return s
}
    
function _repr_encrypted_string(n,     es) {
    es = _nerf_encrypted_string(_ENCRYPTED_STRING[n])
    return "e\"" es "\""
}

Replacement in reader.awk at line 82 [4.4015]

∅:D[20.1821] → [21.134:217]

B:BD[22.3490] → [21.134:217]

            else if(match(input, /^"(\\[^\n]|[^\\"])*"/)) { # double-quoted string

[20.1821]

[22.3569]

            else if(match(input, /^([Se])?"(\\[^\n]|[^\\"])*"/)) { # double-quoted string

Replacement in reader.awk at line 85 [4.4015]

∅:D[20.1892] → [22.3677:3761]

B:BD[22.3677] → [22.3677:3761]

            } else if(match(input, /^"(\\([^"]|$)|[^\\"])*/)) {  # dq string no end

[20.1892]

[22.3761]

            } else if(match(input, /^([Se]?)"(\\([^"]|$)|[^\\"])*/)) {  # dq string no end

Replacement in reader.awk at line 272 [4.4015]

B:BD[4.6785] → [20.3895:3966]

function read_atom(a, tokens, quote,    this, ans, self_quoting, ch) {

[4.6785]

[4.6825]

function read_atom(a, tokens, quote,    this, ans, self_quoting, ch, st) {

Replacement in reader.awk at line 295 [4.4015]

B:BD[4.7397] → [22.10317:10358]

        if(substr(this, 1, 1) == "\"") {

[4.7397]

[22.10358]

        if(substr(this, 1, 2) == "e\"") { # encrypted string
            # no backslash-escapes; in fact, nerf any weird characters
            ans = _nerf_encrypted_string(substr(this, 3, length(this)-3))
            ans = _encrypted_string(ans)
        } else if(substr(this, 1, 2) == "S\"") { # secret string
            ans = _secret_string(substr(this, 3, length(this)-3))
        } else if(substr(this, 1, 1) == "\"") {

Replacement in sane_lisp at line 51 [4.900]

B:BD[23.113] → [23.113:178]

  ${TEST_AWK:-awk} -v PROMPT= -v LOG_LEVEL=$LOG_LEVEL -f glotawk

[23.113]

[23.179]

  ${TEST_AWK:-awk} -v PROMPT= -v LOG_LEVEL=$LOG_LEVEL $EXTRA_AWK_ARGS -f glotawk

Replacement in sane_lisp at line 65 [4.900]
∅:D[11.2378] → [19.58:100]
B:BD[19.58] → [19.58:100]
```
        tap_fail "$3 - nonzero exit code"
```
[11.2378]
[19.100]
```
        tap_fail "$3 - unexpected exit code"
```

Insertion in sane_lisp at line 263 [4.900]

[3.4838]

[23.1583]

echo passphrase > keyfile
EXTRA_AWK_ARGS="-v KEY_FILE=keyfile" lisp_eval_should_be '(unsafe-reveal "foo")' '"foo"' 'unsafe-reveal a mere string'
EXTRA_AWK_ARGS="-v KEY_FILE=keyfile" lisp_eval_should_be 'S"foo"' 'S"(redacted)"' 'secret strings not shown'
EXTRA_AWK_ARGS="-v KEY_FILE=keyfile" lisp_eval_should_be '(sprintf "normal %s normal" S"foo")' 'S"(redacted)"' 'secretness propagates through sprintf'
EXTRA_AWK_ARGS="-v KEY_FILE=keyfile" lisp_eval_should_be '(rsprintf "normal %s normal" S"foo")' '"normal (redacted) normal"' 'secretness stops at rsprintf'

Insertion in sane_lisp at line 269 [4.900]

[23.1584]

[4.3557]

EXTRA_AWK_ARGS="-v KEY_FILE=keyfile" lisp_eval_should_be '(unsafe-reveal (sprintf "normal %s normal" S"foo"))' '"normal foo normal"' 'unsafe-reveal a secret string'
EXTRA_AWK_ARGS="-v KEY_FILE=keyfile" lisp_eval_should_be '(decrypt (encrypt "foo"))' 'S"(redacted)"' 'decrypt returns a secret string'
EXTRA_AWK_ARGS="-v KEY_FILE=keyfile" lisp_eval_should_be '(unsafe-reveal (encrypt "foo"))' '"foo"' 'unsafe-reveal an encrypted string'
EXTRA_AWK_ARGS="-v KEY_FILE=keyfile" lisp_eval_should_be '(printf "%s\n" S"foo")' '' 'printf will not print secrets to non-secret output' 87
EXTRA_AWK_ARGS="-v KEY_FILE=keyfile" lisp_eval_should_be '(with-secret-output-to ">>" "/dev/stdout" (printf "%s\n" S"foo"))' 'foo
()' 'printf will print secrets to secret outputs'
EXTRA_AWK_ARGS="-v KEY_FILE=keyfile" lisp_eval_should_be '(rprintf "normal %s normal\n" S"foo")' 'normal (redacted) normal
()' 'rprintf will redact secrets and print to non-secret output'
# this U2FsdGVkX1 seems to reliably come out of openssl enc
# -aes-256-ctr. the rest, of course, will and must be different every
# time, because CTR uses a nonce.
EXTRA_AWK_ARGS="-v KEY_FILE=keyfile" lisp_eval_should_be '(not (null (match (reveal-encrypted "foo") "^U2FsdGVkX1")))' 'true' 'reveal-encrypted, normal string'
EXTRA_AWK_ARGS="-v KEY_FILE=keyfile" lisp_eval_should_be '(not (null (match (reveal-encrypted (encrypt "foo")) "^U2FsdGVkX1")))' 'true' 'reveal-encrypted, encrypted string'
EXTRA_AWK_ARGS="-v KEY_FILE=keyfile" lisp_eval_should_be '(not (null (match (reveal-encrypted (decrypt (encrypt "foo"))) "^U2FsdGVkX1")))' 'true' 'reveal-encrypted, secret string'
EXTRA_AWK_ARGS="-v KEY_FILE=keyfile" lisp_eval_should_be '(setq x S"woyfutnwyu") (dump "test-dump-file-2")' 'S"(redacted)"
true' 'dumping with a secret string'
if grep woyfutnwyu test-dump-file-2; then
    tap_fail "secret string encrypted in dump"
else
    tap_pass "secret string encrypted in dump"
fi
rm -f keyfile
rm -f test-dump-file-2

File addition: secrets.awk (----------)

[24.1]

# SPDX-License-Identifier: BSD-2-Clause
BEGIN {
    if(!KEY_FILE) {
        KEY_FILE = "/usr/local/etc/lacrum/key"
    }
    # ciphertext must be base64-encoded (as well as, you know,
    # encrypted)
    ENCRYPT_COMMAND = ("openssl enc    -aes-256-ctr -pbkdf2 -a -kfile " KEY_FILE)
    DECRYPT_COMMAND = ("openssl enc -d -aes-256-ctr -pbkdf2 -a -kfile " KEY_FILE)
    S_REDACTED = "(redacted)"
    S_ENCRYPTED = "(encrypted)"
}
# eval cases for encrypt, decrypt, unsafe-reveal are in string.awk.
# eval.awk also has a case for when an encrypted string is evaluated.
function _obscure_string_in_array(arr, n) {
    gsub(/./, "x", arr[n])
}
function _decrypt_encrypted_string(n, env, d, hdlrs, st, errp,    line, out, status, dcmd, tfn, oors) {
    # attempts to write via pipe and read via pipe from the same
    # subprocess have failed. so we use a temporary file. note that we
    # put the ciphertext, not the plaintext, in the temporary file.
    if( (status = ("mktemp" | getline tfn)) < 0) {
        return _error(_cons(_string("could not mktemp"),_nil()))
    }
    close("mktemp")
    if(!tfn)
        return _error(_cons(_string("no filename resulted from mktemp"),
                            _nil()), env, d, hdlrs, st, errp)
    # ok now we have a temp file name
    print _ENCRYPTED_STRING[n] > tfn
    close(tfn)
    dcmd = DECRYPT_COMMAND " < " tfn
    while( (status = (dcmd | getline line)) > 0 ) {
        out = out line
    }
    close(dcmd)
    if(status < 0) {
        return _error(_cons(_string("decrypting an encrypted string failed"),
                            _nil()), env, d, hdlrs, st, errp)
    }
    _SECRET_STRING[n] = out
    _TYPE[n] = "S"
    _obscure_string_in_array(_ENCRYPTED_STRING, n)
    delete _ENCRYPTED_STRING[n]
    system("rm -f " tfn)
    return n
}
function _encrypt_string_base(typename, arr, n, env, d, hdlrs, st, errp,      line, out, status, ecmd, tfn, oors) {
    # attempts to write via pipe and read via pipe from the same
    # subprocess have failed. so we use a temporary file. note that we
    # put the ciphertext, not the plaintext, in the temporary file.
    if( (status = ("mktemp" | getline tfn)) < 0) {
        return _error(_cons(_string("could not mktemp"),_nil()))
    }
    close("mktemp")
    if(!tfn)
        return _error(_cons(_string("no filename resulted from mktemp"),
                            _nil()), env, d, hdlrs, st, errp)
    # ok now we have a temp file name
    ecmd = ENCRYPT_COMMAND " > " tfn
    oors = ORS
    ORS = ""
    print arr[n] | ecmd
    ORS = oors
    close(ecmd)
    while( (status = (getline line < tfn)) > 0 ) {
        out = out line
    }
    close(tfn)
    if(!out) {
        return _error(_cons(_string("encrypting a " typename " failed"),
                            _nil()))
    }
    _ENCRYPTED_STRING[n] = out
    _TYPE[n] = "e"
    _obscure_string_in_array(arr, n)
    delete arr[n]
    system("rm -f " tfn)
    return n
}
function _encrypt_secret_string(n, env, d, hdlrs, st, errp) {
    return _encrypt_string_base("secret string", _SECRET_STRING, n,
                                env, d, hdlrs, st, errp)
}
function _encrypt_string(n, env, d, hdlrs, st, errp) {
    return _encrypt_string_base("string", _STRING, n,
                                env, d, hdlrs, st, errp)
}
function _encrypt(n, env, d, hdlrs, st, errp,    t) {
    if(_atom_awk(n)) {
        if(!_is_literal(n)) {
            t = _TYPE[n]
            if(t == "S")
                return _encrypt_secret_string(n)
            else if(t == "s")
                return _encrypt_string(n)
            else if(t == "e")
                return _error(_cons(_string("cannot encrypt an encrypted string"),
                                    _nil()), env, d, hdlrs, st, errp)
        }
    }
    return _error(_cons(_string("cannot encrypt %s: " \
                                "need a string or secret string"),
                        _cons(_string(_repr(n)),
                              _nil())),
                  env, d, hdlrs, st, errp)
}
function _decrypt(n, env, d, hdlrs, st, errp,     t) {
    if(_atom_awk(n)) {
        if(!_is_literal(n)) {
            t = _TYPE[n]
            if(t == "e")
                return _decrypt_encrypted_string(n, env, d, hdlrs, st, errp)
        }
    }
    return _error(_cons(_string("cannot decrypt %s: " \
                                "need an encrypted string"),
                        _cons(_string(_repr(n)),
                              _nil())),
                  env, d, hdlrs, st, errp)
}
function _unsafe_reveal(n, env, d, hdlrs, st, errp,     t) {
    if(_atom_awk(n)) {
        if(!_is_literal(n)) {
            t = _TYPE[n]
            if(t == "S") {
                _STRING[n] = _SECRET_STRING[n]
                _TYPE[n] = "s"
                _obscure_string_in_array(_SECRET_STRING, n)
                delete _SECRET_STRING[n]
                return n
            } else if(t == "s") {
                return n
            } else if(t == "e") {
                return _unsafe_reveal(_decrypt(n), env, d, hdlrs, st, errp)
            }
        }
    }
    return _error(_cons(_string("cannot reveal %s: " \
                                "need a secret string"),
                        _cons(_string(_repr(n)),
                              _nil())),
                  env, d, hdlrs, st, errp)
}
function _reveal_encrypted(n, env, d, hdlrs, st, errp,     t) {
    if(_atom_awk(n)) {
        if(!_is_literal(n)) {
            t = _TYPE[n]
            if(t == "s") {
                n = _encrypt_string(n, env, d, hdlrs, st, errp)
                if(_is_null(n)) return n  # an error happened
                t = _TYPE[n]
            } else if(t == "S") {
                n = _encrypt_secret_string(n, env, d, hdlrs, st, errp)
                if(_is_null(n)) return n  # an error happened
                t = _TYPE[n]
            }
            # not else if. after the above, or because it was already,
            # t should now be "e".
            if(t == "e") {
                return _string(_ENCRYPTED_STRING[n])
            }
        }
    }
    # if we have not returned, n was or is a weird type
    return _error(_cons(_string("cannot reveal-encrypted %s: must be a string or secret string"),
                        _cons(n, _nil())),
                  env, d, hdlrs, st, errp)
}

Deletion in string.awk at line 41 [12.35]
B:BD[12.1922] → [12.1922:1937]
```
        # same
```

Replacement in string.awk at line 42 [12.35]

B:BD[11.1644] → [11.1644:1708]

                        _cddr(form), env, d+1, hdlrs, st, errp)

[11.1644]

[12.2044]

                        _cddr(form), 0, env, d+1, hdlrs, st, errp)
    else if(car == _symbol("rsprintf")) # redacting sprintf
        return _sprintf(_eval3(_cadr(form), env, env, d+1, hdlrs, st, errp),
                        _cddr(form), 1, env, d+1, hdlrs, st, errp)

Insertion in string.awk at line 53 [12.35]

[11.1936]

[12.2358]

    if(car == _symbol("encrypt"))   # see secrets.awk
        return _encrypt(_eval3(_cadr(form), env, env, d+1, hdlrs, st, errp),
                        env, d+1, hdlrs, st, errp)
    else if(car == _symbol("decrypt"))
        return _decrypt(_eval3(_cadr(form), env, env, d+1, hdlrs, st, errp),
                        env, d+1, hdlrs, st, errp)
    else if(car == _symbol("unsafe-reveal"))
        return _unsafe_reveal(_eval3(_cadr(form), env, env, d+1, hdlrs, st, errp),
                              env, d+1, hdlrs, st, errp)
    else if(car == _symbol("reveal-encrypted"))
        return _reveal_encrypted(_eval3(_cadr(form), env, env, d+1, hdlrs, st, errp),
                                 env, d+1, hdlrs, st, errp)

Replacement in string.awk at line 260 [12.35]

B:BD[12.7572] → [11.2078:2167]

function _sprintf(fmt, unevald, env, d, hdlrs, st, errp,     dlave, evald, s, a, i, p) {

[12.7572]

[12.7645]

function _sprintf(fmt, unevald, redactp, env, d, hdlrs, st, errp,     dlave, evald, s, a, i, p, secretp) {

Insertion in string.awk at line 262 [12.35]
[12.7655]
[12.7655]
```
    secretp[1] = 0
```

Replacement in string.awk at line 269 [12.35]

B:BD[12.7901] → [12.7901:7946]

    _list_to_flat_awk_array_of_any(evald, a)

[12.7901]

[12.7946]

    if(redactp)
        _list_to_flat_awk_array_of_any(evald, a, 1, secretp)
    else
        _list_to_flat_awk_array_of_any(evald, a, 0, secretp)

Replacement in string.awk at line 316 [12.35]

B:BD[12.9680] → [12.9680:9702]

    return _string(s)

[12.9680]

[12.9702]

    if(secretp[1]) {
        return _secret_string(s)
    } else {
        return _string(s)
    }