Skip to content

Scrub [Secret] values from all log output (plugin-SDK prerequisite) #443

Description

@ChrisonSimtian

Problem

[Secret] (src/Fallout.Build/ParameterAttribute.cs:76) is a passive marker only — there is no SensitiveValueRegistry or output scrubber anywhere, so resolved secret values are never masked from logs. docs/adr/0002-cross-provider-auth-and-secret-conventions.md rule 6 ("log masking is a framework-level service") flags this as open; the plugin SDK makes it blocking.

Outcome

Values resolved into [Secret]-marked fields never appear in any build output — framework or plugin — so a third-party plugin cannot leak a resolved secret to CI logs.

Acceptance criteria

  • A central SensitiveValueRegistry (or equiv) registers every value injected into a [Secret] field, at injection time (value-injection middleware / IOnBuildCreated).
  • Logging middleware scrubs registered values from stdout, stderr, target logs, and the build summary before write.
  • Scrubbing covers plugin-emitted output, not only framework output.
  • Test: a secret written via Log, Console, or target output does not appear in captured output.

Notes

Open questions

  • How to handle transformed secrets a plugin derives (base64, URL-embedded) — scrub only the literal, or registered variants too?

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requesttarget/2026Targets the 2026 calendar-version line (current). See ADR-0004.

    Fields

    No fields configured for Feature.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions