v0.1.2

Boundary-Aware Serialization for Go. Declare Once, Enforce Everywhere.

Transform data differently as it crosses system boundaries — encrypt for storage, mask for APIs, hash on receive. Security requirements live in struct tags.

Get Started
import "github.com/zoobz-io/cereal"

type User struct {
    ID       string `json:"id"`
    Email    string `json:"email"    store.encrypt:"aes" load.decrypt:"aes" send.mask:"email"`
    Password string `json:"password" receive.hash:"argon2"`
    SSN      string `json:"ssn"      send.mask:"ssn"`
    Token    string `json:"token"    send.redact:"[REDACTED]"`
}

func (u User) Clone() User { return u }

proc, _ := cereal.NewProcessor[User]()
enc, _ := cereal.AES([]byte("32-byte-key-for-aes-256-encrypt!"))
proc.SetEncryptor(cereal.EncryptAES, enc)

received, _ := proc.Receive(ctx, user)   // Password hashed
stored, _ := proc.Store(ctx, received)    // Email encrypted
loaded, _ := proc.Load(ctx, stored)       // Email decrypted
sent, _ := proc.Send(ctx, loaded)         // Email masked, SSN masked, Token redacted
// sent.Email = "a***@example.com"
// sent.SSN   = "***-**-6789"
// sent.Token = "[REDACTED]"
86%Test Coverage
A+Go Report

Why Cereal?

Different boundaries demand different transforms. Cereal handles all four.

Four Boundaries

Receive, Load, Store, Send — each edge applies its own transforms. Hash on ingest, encrypt at rest, mask on output.

Declarative Struct Tags

Security requirements live next to the fields they protect. One place to audit, one place to change.

Built-in Cryptography

AES-GCM, RSA-OAEP, envelope encryption, Argon2, bcrypt, SHA-256, SHA-512 — all wired through struct tags.

Format-Preserving Masking

Eight content-aware maskers: email, SSN, phone, card, IP, UUID, IBAN, name. Masked data stays debuggable.

Non-Destructive

Original values never mutated. Every operation clones before transforming, guaranteeing immutability.

Provider-Agnostic Codecs

Same types and tags work with JSON, YAML, XML, MessagePack, or BSON. Swap wire formats without touching transforms.

Capabilities

Encryption, hashing, masking, and redaction — applied automatically at the right system boundary.

FeatureDescriptionLink
EncryptionAES-GCM symmetric, RSA-OAEP asymmetric, and envelope encryption for data at rest.Encryption
HashingOne-way hashing with Argon2, bcrypt, SHA-256, and SHA-512 on the receive boundary.Encryption
MaskingEight format-preserving maskers for PII in API responses. Content-aware partial masking.Masking
RedactionFull value replacement for secrets on the send boundary. Custom replacement strings.Masking
Key RotationFour production-ready patterns for zero-downtime key updates: versioned, envelope, KMS, and Decryptable.Key Rotation
Escape HatchesOverride interfaces bypass reflection on hot paths. Code generation keeps implementations in sync with tags.Escape Hatches

Articles

Browse the full cereal documentation.

OverviewBoundary-aware serialization for Go

Learn

QuickstartGet started with codec in minutes
ConceptsCore concepts and design principles
ArchitectureSystem design and internal structure of cereal

Guides

EncryptionEncrypt, decrypt, and hash sensitive fields
MaskingContent-aware partial masking for sensitive data
ProvidersAvailable codec providers and their characteristics

Cookbook

Override InterfacesBypass reflection for performance-critical paths
Key RotationPatterns for rotating encryption keys
Code GenerationGenerate override interfaces to bypass reflection

Reference

API ReferenceComplete API reference for the codec package
Tag ReferenceComplete reference for boundary struct tags
ErrorsError handling reference
© 2026 Alexander Thorwaldson