feat(redact): add value-pattern redaction for JWTs and PEM blocks #15
The README documents JWT and PEM block stripping as default record-time behavior, but the implementation only covered key-name patterns. This adds DEFAULT_REDACT_VALUE_PATTERNS (JWT three-segment base64url, PEM BEGIN block) and redactValues(), wires both into the stdio record path, and extends the redact test suite with 11 new cases.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ddc62d0077
| * Covers JWT bearer tokens (header starts with `eyJ`) and PEM blocks. | ||
| */ | ||
| export const DEFAULT_REDACT_VALUE_PATTERNS: RegExp[] = [ | ||
| /^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/, |
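Review bot: the doc comment above the array says the pattern covers JWT bearer tokens, but the regex is anchored with `^eyJ` and `$`, so a value of the form `Bearer eyJ...` (the header-style value the comment names) is left in the transcript; either allow an optional `(?:Bearer\s+)?` prefix inside the anchors or test the pattern unanchored. The third segment is also `[A-Za-z0-9_-]+`, so an unsecured token whose signature segment is empty (`header.payload.`) does not match either; `*` on that segment closes that gap.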
Redact Bearer-prefixed JWT values
The new JWT value pattern only matches strings that are exactly header.payload.signature, so common values like "Bearer <jwt>" are not redacted. This leaves a real secret-leak path whenever a bearer token appears under a non-sensitive key name (so key-based redaction does not trigger), which is exactly the case this value-based pass is meant to cover.
Why

The README documents three categories of default redaction on every record run: key-name patterns (`*_token`, `authorization`, etc.), JWTs, and PEM blocks. The key-name category was implemented; the JWT and PEM categories were not. Any real-world recording that passes a bearer JWT or an inline private key in a JSON-RPC message would land those secrets in the transcript file unredacted.

What

- `DEFAULT_REDACT_VALUE_PATTERNS: RegExp[]` to `src/redact.ts`: a JWT three-segment base64url pattern and a PEM `-----BEGIN` block pattern.
- `redactValues(value, patterns)` to `src/redact.ts`: walks a value tree and replaces any string whose content matches a pattern with `<REDACTED>`, independent of key name.
- `src/record.ts`: each frame is now run through `redactValues(redactDeep(msg, keyPatterns), DEFAULT_REDACT_VALUE_PATTERNS)`.

Tests

- `test/redact.test.ts`.
- `DEFAULT_REDACT_VALUE_PATTERNS` membership checks.

Self-merge gate

- `src/index.ts` not touched; `redactDeep` signature unchanged
- `test/redact.test.ts`

Generated by Claude Code
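As an added example (not the project's `src/redact.ts`), here is a `redactValues` in the shape the description gives, run over a constructed JSON-RPC frame with dummy tokens, with the hunk's anchored JWT pattern next to a constructed variant that also catches `Bearer`-prefixed and unsigned tokens. The hardened pattern, the PEM pattern, the frame and `redactedField` are assumptions, not the PR's code.

```typescript
// Added example, not the project's src/redact.ts: redactValues(value, patterns) as the PR describes it.
type Json = string | number | boolean | null | Json[] | { [k: string]: Json };
const REDACTED = "<REDACTED>";

// JWT pattern exactly as in the PR hunk: whole-string match, signed token only.
const JWT_BARE = /^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;
// Constructed hardened variant (assumption, not in the PR): optional "Bearer " prefix and a
// possibly empty signature segment (RFC 7519 unsecured JWT), still anchored to the whole value.
const JWT_WITH_BEARER = /^(?:Bearer\s+)?eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;
// The PR only says "PEM -----BEGIN block pattern"; this is a constructed, unanchored form of it.
const PEM_BLOCK = /-----BEGIN [A-Z ]+-----/;

// Walk a JSON value tree and replace every string matching any pattern, regardless of key name.
// Patterns must not carry the /g flag: RegExp.test() with /g keeps lastIndex state across calls.
function redactValues(value: Json, patterns: RegExp[]): Json {
  if (typeof value === "string") {
    const s = value;
    return patterns.some((p) => p.test(s)) ? REDACTED : value;
  }
  if (Array.isArray(value)) {
    return value.map((v) => redactValues(v, patterns));
  }
  if (value !== null && typeof value === "object") {
    const out: { [k: string]: Json } = {};
    for (const [k, v] of Object.entries(value)) out[k] = redactValues(v, patterns);
    return out;
  }
  return value; // number, boolean, null pass through untouched
}

// Constructed JSON-RPC frame with dummy tokens (not real secrets). The secrets sit under
// non-sensitive key names, so key-name redaction would not fire; only the value pass can.
const FAKE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2lnbmF0dXJl";
const FRAME: Json = {
  jsonrpc: "2.0",
  method: "tools/call",
  params: {
    raw: FAKE_JWT,
    header: `Bearer ${FAKE_JWT}`,
    unsigned: "eyJhbGciOiJub25lIn0.eyJzdWIiOiJ1c2VyIn0.",
    pem: "-----BEGIN PRIVATE KEY-----\nMIIBfakekey\n-----END PRIVATE KEY-----",
    tool: "search",
  },
};

// Redact the frame with the given pattern set and return one params field for inspection.
function redactedField(patterns: RegExp[], field: string): Json {
  const frame = redactValues(FRAME, patterns) as { [k: string]: Json };
  return (frame.params as { [k: string]: Json })[field];
}
```

With `JWT_BARE` the `header` and `unsigned` fields survive redaction; with `JWT_WITH_BEARER` all three token fields and the PEM block become `<REDACTED>` while `tool` is untouched.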