Background
PR #663 (closes #662) added prompt redaction at the journal-write boundary covering common API-key, OAuth, AWS, PEM, and JWT shapes. Two follow-ups: expand the redaction set, and add a carve-out for the pre-commit secret-scanner that fires on test fixtures.
Task A — Expand redaction patterns
Add the following patterns to the redaction set in the journal-write boundary:
- Stripe live and test keys:
sk_live_[A-Za-z0-9]+, sk_test_[A-Za-z0-9]+, pk_live_[A-Za-z0-9]+, pk_test_[A-Za-z0-9]+
- AWS STS session tokens:
ASIA[A-Z0-9]{16,} (Access Key IDs from STS) and the matching session-token shape (long base64-ish string immediately following)
- Optional: GitHub fine-grained PAT prefix
github_pat_ (newer than the ghp_ already covered)
- Optional: Slack user tokens
xoxp-, xoxa-, xoxr- (only xoxb- bot tokens are currently covered)
Counter-test: each pattern must be tested with a synthetic fixture using the adjacent-string-literal-concat trick ("sk" "_live_ABC...") to avoid the existing git_commit_check.py secret-scanner false positive (see Task B).
Surfaced as a round-4 verify-only review addendum on PR #663.
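The Task A additions as an added worked example (not PR #663's code): the four new shapes, a redaction pass over journal text, synthetic fixtures built with the concat trick, and a counter-test helper that drops one pattern. The exact character classes for the GitHub and Slack tokens, and the one-line key-plus-session-token layout for STS, are assumptions.

```python
import re

# Added example, not the project's code. The four groups below are the Task A
# additions; the existing redaction set from PR #663 is assumed and not shown.
REDACTION_PATTERNS = {
    # Stripe live/test secret (sk_) and publishable (pk_) keys
    "stripe": re.compile(r"\b[sp]k_(?:live|test)_[A-Za-z0-9]+"),
    # AWS STS Access Key ID, optionally followed by the session token on the same line
    "aws_sts": re.compile(r"\bASIA[A-Z0-9]{16,}(?:[ \t]+[A-Za-z0-9+/=]{40,})?"),
    # GitHub fine-grained PAT (character class is an assumption)
    "github_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]+"),
    # Slack user/app/refresh tokens; xoxb- bot tokens are assumed covered already
    "slack": re.compile(r"\bxox[par]-[A-Za-z0-9-]+"),
}

def redact(text: str, patterns=REDACTION_PATTERNS) -> str:
    """Replace every matching token shape with a fixed marker."""
    for pat in patterns.values():
        text = pat.sub("[REDACTED]", text)
    return text

# Constructed fixtures. Adjacent-string-literal concatenation keeps the full
# token shape out of the source text, so the pre-commit scanner stays quiet.
FIXTURES = {
    "stripe": "sk" "_live_" "ABCDEF1234567890",
    "aws_sts": "ASIA" "EXAMPLE1234567890" " " + "Ab12" * 11,
    "github_pat": "github" "_pat_" "11AAAAAAA0_bbbbCCCC",
    "slack": "xoxp" "-1234-5678-abcdef",
}

def unredacted(patterns=REDACTION_PATTERNS) -> list[str]:
    """Fixture names that survive redaction; the parametrized test asserts this is empty."""
    return [name for name, tok in FIXTURES.items()
            if redact(f"prompt with {tok} inside", patterns) != "prompt with [REDACTED] inside"]

def without(name: str) -> dict:
    """Counter-test helper: the redaction set with one pattern removed."""
    return {k: v for k, v in REDACTION_PATTERNS.items() if k != name}
```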
Task B — Pre-commit secret-scanner carve-out
The git_commit_check.py SACROSANCT secret-scanner fires on test fixtures that contain literal token shapes (sk-, ghp_, JWT, etc.) used to test redaction patterns. The current workaround in PR #663 was Python adjacent-string-literal-concat:
# Without concat — caught by scanner
secret = "sk-ABCDEF1234567890"
# With concat — bypasses scanner
secret = "sk" "-ABCDEF1234567890"
This is a workaround, not a fix. The scanner should recognize an explicit carve-out marker that documents why the literal exists. Two options:
Option 1: Magic comment on the line preceding the literal
# pact-secret-fixture: testing sk- redaction pattern
secret = "sk-ABCDEF1234567890"
Option 2: File-level allowlist in the pact-plugin/tests/fixtures/ directory
- Files under tests/fixtures/secrets/ are allowlisted from the scanner
- All test fixtures containing literal secrets must live under that directory
- Counter-test: place a sk- literal outside the allowlist directory and confirm the scanner catches it
Option 2 is cleaner: it moves the policy from per-line magic comments to directory-level structure. Surfaced as a follow-up sketch during PR #663's TEST phase.
Relationship to PR #663
Test plan
For Task A: parametrized tests asserting each new pattern is redacted in journal output. Counter-test by removing one pattern from the redaction set and confirming the corresponding test fails.
For Task B: structural test that walks pact-plugin/tests/fixtures/secrets/ and confirms the scanner's allowlist matches the directory contents. Counter-test by adding an unlisted file outside the allowlist with an sk- literal and confirming the scanner flags it.
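Option 2 from Task B and its counter-test from the test plan, as an added example (not the project's git_commit_check.py): a directory-level allowlist check, a scan that skips it, and a constructed repository with the same literal inside and outside the allowlist. The regex details and file names are assumptions; the allowlist path is the one the issue names.

```python
import re
import tempfile
from pathlib import Path

# Added example, not the project's git_commit_check.py. Shapes and path are the
# ones named in the issue; the regex details are assumptions.
SECRET_SHAPES = re.compile(
    r"\b(?:sk-[A-Za-z0-9]{8,}|ghp_[A-Za-z0-9]{20,}|[sp]k_(?:live|test)_[A-Za-z0-9]+)")
ALLOWLIST_DIR = Path("pact-plugin/tests/fixtures/secrets")

def in_allowlist(rel: Path) -> bool:
    """True if the repo-relative path sits under the allowlisted fixtures directory."""
    return rel.parts[: len(ALLOWLIST_DIR.parts)] == ALLOWLIST_DIR.parts

def scan(repo_root: Path) -> list[str]:
    """Repo-relative paths, outside the allowlist, that contain a literal secret shape."""
    hits = []
    for path in sorted(repo_root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(repo_root)
        if in_allowlist(rel):
            continue
        if SECRET_SHAPES.search(path.read_text(encoding="utf-8", errors="replace")):
            hits.append(rel.as_posix())
    return hits

# Constructed literal, assembled by concatenation so this example itself stays
# clean under a naive line scanner.
LITERAL = "sk" "-ABCDEF1234567890"

def demo() -> list[str]:
    """Constructed repo: the literal inside the allowlist and, as the counter-test, outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in (ALLOWLIST_DIR / "stripe_fixture.py",
                    Path("pact-plugin/tests/test_redaction.py")):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(f'SECRET = "{LITERAL}"\n', encoding="utf-8")
        return scan(root)
```

Only the file outside tests/fixtures/secrets/ is reported, which is exactly the behaviour the counter-test in the test plan asks for.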