Problem
[Secret] (src/Fallout.Build/ParameterAttribute.cs:76) is a passive marker only — there is no SensitiveValueRegistry or output scrubber anywhere, so resolved secret values are never masked from logs. docs/adr/0002-cross-provider-auth-and-secret-conventions.md rule 6 ("log masking is a framework-level service") flags this as open; the plugin SDK makes it blocking.
Outcome
Values resolved into [Secret]-marked fields never appear in any build output — framework or plugin — so a third-party plugin cannot leak a resolved secret to CI logs.
Acceptance criteria
Notes
Open questions
- How to handle transformed secrets a plugin derives (base64, URL-embedded) — scrub only the literal, or registered variants too?
Problem
[Secret](src/Fallout.Build/ParameterAttribute.cs:76) is a passive marker only — there is noSensitiveValueRegistryor output scrubber anywhere, so resolved secret values are never masked from logs.docs/adr/0002-cross-provider-auth-and-secret-conventions.mdrule 6 ("log masking is a framework-level service") flags this as open; the plugin SDK makes it blocking.Outcome
Values resolved into
[Secret]-marked fields never appear in any build output — framework or plugin — so a third-party plugin cannot leak a resolved secret to CI logs.Acceptance criteria
SensitiveValueRegistry(or equiv) registers every value injected into a[Secret]field, at injection time (value-injection middleware /IOnBuildCreated).Log,Console, or target output does not appear in captured output.Notes
docs/plugin-extraction-github.md(round 5).Open questions