refactor(test/e2e): route fixture redaction through canonical entry

[laitingsheng]

Summary

Collapse the two redaction entry points in the E2E fixture stack so per-test explicit secret values and canonical secret-shape matches share a single redactString call. The fixture bridge no longer carries its own redaction pattern source; SecretStore only supplies the explicit values it knows about and delegates.

Related Issue

Closes #4989

Changes

• test/e2e-scenario/scenarios/orchestrators/redaction.ts: redactString now accepts an optional explicitValues iterable and applies them longest first with the [REDACTED] sentinel before the canonical regex passes run with <REDACTED>. The two sentinels stay distinct so explicit-value hits remain visually separable from regex hits in artifacts.
• test/e2e-scenario/framework/secrets.ts: drops the standalone redactText export. SecretStore.redact is now a thin delegate that hands its env-derived plus caller-supplied values to redactString in one call.
• test/e2e-scenario/framework/shell-probe.ts: drops the redactText import and the double-pass through redactText + this.redact; the probe now calls the injected redact(text, redactionValues) once.
• test/e2e-scenario/framework-tests/e2e-redaction-entry.test.ts (new): asserts the single-entry contract — both sentinels coexist, longest-first ordering protects nested values, empty values are ignored, and SecretStore.redact unions env-derived and caller-supplied values through the canonical entry.

Canonical secret-shape regex parity with src/lib/security/secret-patterns.ts (e2e-redaction-parity.test.ts) stays unchanged; no second product secret-pattern mirror is introduced.

Type of Change

• Code change (feature, bug fix, or refactor)
• Code change with doc updates
• Doc only (prose changes, no code sample modifications)
• Doc only (includes code sample changes)

Verification

• npx prek run --all-files passes
• npm test passes
• Tests added or updated for new or changed behavior
• No secrets, API keys, or credentials committed
• Docs updated for user-facing behavior changes
• npm run docs builds without warnings (doc changes only)
• Doc pages follow the style guide (doc changes only)
• New doc pages include SPDX header and frontmatter (new pages only)

---

Signed-off-by: Tinson Lai tinsonl@nvidia.com

Summary by CodeRabbit

• New Features

  • Redaction now covers both explicit secret literals and canonical secret patterns, applying longest-first matching to avoid substring leaks.

• Tests

  • Added end-to-end tests validating unified redaction, handling of empty/whitespace values, and union of env-derived and caller-supplied secrets while preserving non-secret fields.
  • Added fixture tests ensuring probe-level enforcement and correct scrubbing order for overlapping values.

• Chores

  • Consolidated test redaction plumbing; removed a standalone test helper in favor of a shared redaction provider.

[github-actions]

E2E Advisor Recommendation

Required E2E: e2e-scenario-framework, ubuntu-repo-cloud-openclaw
Optional E2E: ubuntu-invalid-nvidia-key-negative, e2e-vitest-scenarios-live

Dispatch hint: ubuntu-repo-cloud-openclaw

Workflow run

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

• e2e-scenario-framework (low): Directly exercises the modified E2E framework code and tests: SecretStore.redact, ShellProbe redactionValues enforcement, redaction parity/entry-point behavior, and PhaseOrchestrator secret-env/redacted-evidence contracts.
• ubuntu-repo-cloud-openclaw (high): Runs the canonical typed scenario through the real scenario orchestrator with NVIDIA_API_KEY-backed onboarding, smoke, inference, and credentials suites. This validates that the changed redaction/child-spawn infrastructure still works in a real assistant flow and does not break secret-bearing scenario execution.

Optional E2E

• ubuntu-invalid-nvidia-key-negative (medium): Useful adjacent negative-path confidence for secret-bearing onboarding failure reporting and scenario artifact hygiene, but not merge-blocking because the direct framework tests cover the redaction mechanics changed in this PR.
• e2e-vitest-scenarios-live (low): Runs the live Vitest repo CLI smoke path, which uses the E2E fixture ShellProbe/artifact stack without provisioning a full sandbox. This is a cheaper additional signal for ShellProbe artifact writing and redaction plumbing.

New E2E recommendations

• E2E scenario framework dispatch coverage (medium): There is no small workflow-dispatchable E2E job dedicated to npx vitest run --project e2e-scenario-framework; today the direct coverage is available through the broader self-hosted full Vitest job or an ad hoc command. A dedicated dispatch job would let redaction/shell-probe/framework-only changes get fast targeted coverage without requiring a full sandbox scenario.
  • Suggested test: Add a workflow-dispatchable E2E scenario framework job that runs npx vitest run --project e2e-scenario-framework --silent=false --reporter=default and uploads fixture artifacts on failure.

Dispatch hint

• Workflow: .github/workflows/e2e-scenarios.yaml
• jobs input: ubuntu-repo-cloud-openclaw

[github-actions]

E2E Scenario Advisor Recommendation

Required scenario E2E: e2e-scenarios-all
Optional scenario E2E: None

Dispatch required scenario E2E:

• gh workflow run e2e-scenarios-all.yaml --ref <pr-head-ref>

Workflow run

Full scenario advisor summary

E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required scenario E2E

• e2e-scenarios-all: Changes touch shared scenario framework/orchestrator redaction and shell-probe infrastructure used by scenario execution and evidence handling across the suite, so the full scenario fan-out should run.
  • Dispatch: gh workflow run e2e-scenarios-all.yaml --ref <pr-head-ref>

Optional scenario E2E

• None.

Relevant changed files

• test/e2e-scenario/framework-tests/e2e-fixture-context.test.ts
• test/e2e-scenario/framework-tests/e2e-redaction-entry.test.ts
• test/e2e-scenario/framework/secrets.ts
• test/e2e-scenario/framework/shell-probe.ts
• test/e2e-scenario/scenarios/orchestrators/redaction.ts

[coderabbitai]

📝 Walkthrough

Walkthrough

Unify redaction by extending redactString(text, explicitValues?) to handle explicit literals longest-first, route SecretStore and ShellProbe through it (removing redactText), and add Vitest contract tests verifying explicit vs canonical redaction behavior and edge cases.

Changes

Redaction Entry Point Consolidation

Layer / File(s)	Summary
Extend redaction entry point with explicit values test/e2e-scenario/scenarios/orchestrators/redaction.ts	redactString() gains explicitValues?: Iterable<string>; deduplicates non-empty values, sorts longest-first, replaces explicit literals with [REDACTED] (EXPLICIT_REDACTED), then applies existing regex-based canonical redaction.
Route fixture SecretStore through canonical entry point test/e2e-scenario/framework/secrets.ts	Updated docs and SecretStore.redact() now returns redactString(text, this.redactionValues(extraValues)), removing the standalone redactText() helper.
Route shell probe through canonical entry point test/e2e-scenario/framework/shell-probe.ts	Module docs revised and ShellProbe.run/redactProbeText now enforce explicit redactionValues locally (filter, dedupe, sort longest-first, replace matches with "[REDACTED]") then delegate to the injected this.redact(text, redactionValues).
Add comprehensive redaction contract tests test/e2e-scenario/framework-tests/e2e-redaction-entry.test.ts, test/e2e-scenario/framework-tests/e2e-fixture-context.test.ts	New Vitest suites asserting explicit vs canonical redaction markers, longest-first behavior for overlapping explicit values, ignoring empty/whitespace explicit values, no-op when nothing matches, SecretStore.redact() env+caller integration, and ShellProbe enforcement of options.redactionValues.

Sequence Diagram

sequenceDiagram
  participant TestSuite as Test Suite
  participant SecretStore as SecretStore.redact()
  participant ShellProbe as ShellProbe.redactProbeText()
  participant redactString as redactString()
  participant ExplicitPass as Explicit Value Replacement
  participant CanonicalPass as Canonical Pattern Redaction
  TestSuite->>SecretStore: redact(text, extraValues)
  TestSuite->>ShellProbe: redactProbeText(text)
  SecretStore->>redactString: redactString(text, env + extraValues)
  ShellProbe->>redactString: redactString(text, redactionValues)
  redactString->>ExplicitPass: deduplicate & sort longest-first
  ExplicitPass->>CanonicalPass: continue with regex patterns
  CanonicalPass->>redactString: return redacted text
  redactString->>SecretStore: return redacted text
  redactString->>ShellProbe: return redacted text
  SecretStore->>TestSuite: return redacted text
  ShellProbe->>TestSuite: return redacted text

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• NVIDIA/NemoClaw#4965: Introduced fixture SecretStore and ShellProbe wiring that this PR consolidates into the unified redactString entry point.

Suggested labels

v0.0.62

Suggested reviewers

• jyaunches
• cv

Poem

🐇 I hop through tests with a nose so bright,
Longest-first nibbling keeps the secrets tight,
Canonical tokens blink out of sight,
One redaction path in the moonlight,
All artifacts tidy by morning light.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: consolidating fixture redaction to route through a canonical entry point rather than multiple paths.
Linked Issues check	✅ Passed	The PR successfully addresses all four acceptance criteria from #4989: consolidates redaction into a single entry point, maintains canonical secret patterns, preserves explicit-value redaction, and avoids duplicate pattern mirrors.
Out of Scope Changes check	✅ Passed	All changes align directly with the PR objective to consolidate redaction entry points; no unrelated modifications detected across all modified test files and framework code.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch refactor/e2e-redaction-consolidation

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

PR Review Advisor

Findings: 0 needs attention, 0 worth checking, 0 nice ideas
Since last review: 2 prior items resolved, 0 still apply, 0 new items found

Workflow run details

This is an automated advisory review. A human maintainer must make the final merge decision.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/e2e-scenario/framework/shell-probe.ts`:
- Around line 140-151: enforcedValues should be applied locally before
delegating to this.redact and in canonical explicit-value order to avoid
partial-overlap leaks; change enforceLocalRedaction/redactProbeText so
enforcedValues = redactionValues.filter(...).sort((a,b)=>b.length-a.length) and
redactProbeText first runs enforceLocalRedaction(text) (replacing exact matches
with "[REDACTED]") then passes that result into this.redact(...,
redactionValues), falling back to this.redact(text, redactionValues) when no
enforcedValues.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: d08f3654-84c2-4c2a-b8c2-481677e992d1

📥 Commits

Reviewing files that changed from the base of the PR and between a8b4196 and 496f23a.

📒 Files selected for processing (2)

• test/e2e-scenario/framework-tests/e2e-fixture-context.test.ts
• test/e2e-scenario/framework/shell-probe.ts

[coderabbitai]

🧹 Nitpick comments (1)

test/e2e-scenario/framework-tests/e2e-fixture-context.test.ts (1)

165-205: ⚡ Quick win

Consider adding positive assertions for [REDACTED] to confirm redaction occurred.

The test correctly verifies that neither the full longer secret nor the -beta-gamma-delta suffix appear in the output, confirming longest-first ordering. However, the test uses only negative assertions (.not.toContain). If the subprocess produced no output at all, the test would still pass.

Adding positive assertions that [REDACTED] appears in result.stdout and result.stderr would increase confidence that:

1. The subprocess successfully output the secret.
2. Redaction actually occurred (vs. empty/missing output).

The previous test at lines 152-153 includes these positive checks, so adding them here would maintain consistency.

✨ Suggested enhancement

   expect(result.exitCode).toBe(0);
+  expect(result.stdout).toContain("[REDACTED]");
+  expect(result.stderr).toContain("[REDACTED]");
   expect(result.stdout).not.toContain(longer);
   expect(result.stdout).not.toContain("-beta-gamma-delta");

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e-scenario/framework-tests/e2e-fixture-context.test.ts` around lines
165 - 205, Add positive assertions to confirm redaction occurred: after
obtaining result from ShellProbe.run in the "shell probe scrubs overlapping..."
test, assert that result.stdout and result.stderr contain the literal
"[REDACTED]"; likewise assert the serialized result file content (variable
written) and the artifact files read via
artifacts.pathFor("shell/overlap-shorter-first.stdout.txt") and "...stderr.txt"
contain "[REDACTED]". Keep these checks alongside the existing negative
assertions to ensure the subprocess emitted the secret and it was actually
redacted.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/e2e-scenario/framework-tests/e2e-fixture-context.test.ts`:
- Around line 165-205: Add positive assertions to confirm redaction occurred:
after obtaining result from ShellProbe.run in the "shell probe scrubs
overlapping..." test, assert that result.stdout and result.stderr contain the
literal "[REDACTED]"; likewise assert the serialized result file content
(variable written) and the artifact files read via
artifacts.pathFor("shell/overlap-shorter-first.stdout.txt") and "...stderr.txt"
contain "[REDACTED]". Keep these checks alongside the existing negative
assertions to ensure the subprocess emitted the secret and it was actually
redacted.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 9f47d269-aded-4516-9537-77430d4c80d1

📥 Commits

Reviewing files that changed from the base of the PR and between 496f23a and 215c153.

📒 Files selected for processing (2)

• test/e2e-scenario/framework-tests/e2e-fixture-context.test.ts
• test/e2e-scenario/framework/shell-probe.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• test/e2e-scenario/framework/shell-probe.ts