Secret Shape Scanner
Paste an .env, a config, or a log. It finds secrets by their shape, the way a leaked key actually looks, rather than trusting the field name, and redacts them in place. Everything runs in your browser. Nothing is uploaded.
Paste, then run. Secrets are matched by shape and redacted in place.
This is a preview of a Tessera pack
The browser demo runs a handful of shape detectors client-side. The full check ships in Tessera, an offline toolkit of 24 job packs that turn a repository into one reviewable HTML report. The config pack inventories every key across your env and code, redacts leaked secrets by name and by value shape, and reports drift.
Every pack follows one contract: normalize, validate, generate artifacts. No services, no API keys, no network calls.
$ pip install tesserakit-config
$ pipx install tesserakit-config # isolated CLI install
$ uv tool install tesserakit-config
$ tessera run --input . --output run
# then open run/index.html