Skip to content

Fix stack 03: redact camelCase secrets, bound event sanitizer#27

Merged
ebarti merged 2 commits into
review-fixes/02-cancellationfrom
review-fixes/03-events
Jul 2, 2026
Merged

Fix stack 03: redact camelCase secrets, bound event sanitizer#27
ebarti merged 2 commits into
review-fixes/02-cancellationfrom
review-fixes/03-events

Conversation

@ebarti

@ebarti ebarti commented Jul 1, 2026

Copy link
Copy Markdown
Owner

Stacked review-fix PR 3/N (base: review-fixes/02-cancellation).

REVIEW.md §3.4, §3.5:

  • camelCase secret keys leaked. Redaction only normalized dashes, so accessToken/refreshToken/authToken/apiKey in event metadata were not redacted. Now camelCase boundaries are split before the checks. Count keys (inputTokens, max_tokens) and the deliberate auth_source label stay visible; denylist also gains credential/private_key/passwd.
  • Bad metadata could abort a run. Event builders run before safe_emit's guard, so a cyclic or extremely nested task.metadata raised RecursionError out of the builder. _sanitize now bounds depth and detects cycles, emitting truncation markers instead of raising — honoring the documented "never aborts a runtime" guarantee.

Tests: camelCase redaction, cyclic metadata, deep metadata. Full suite 152 passed / 12 skipped; ruff + mypy strict clean.


Round 2 (re-review follow-up)

  • Separator-less secret keys (accesstoken, ACCESSTOKEN, sessiontoken) are now redacted via a trailing-suffix rule on sensitive segments; plural usage counters (inputtokens, totaltokens) stay visible. Regression test added.

@ebarti ebarti force-pushed the review-fixes/03-events branch from 12424d5 to 1168cb4 Compare July 2, 2026 10:00
ebarti added 2 commits July 2, 2026 16:37
…clic/deep metadata

- Redaction missed camelCase/concatenated secret keys (accessToken,
  refreshToken, authToken, apiKey) because normalization only handled
  dashes. Now camelCase boundaries are split before the substring/segment
  checks, so 'accessToken' reaches the 'token' segment rule. Plural/count
  keys (inputTokens, max_tokens) and the deliberately-emitted auth_source
  label stay visible. Also extends the substring denylist with credential /
  private_key / passwd.
- Event builders run before safe_emit's try/except, so a cyclic or extremely
  nested task.metadata made _sanitize raise RecursionError and abort run(),
  breaking the 'never aborts a runtime' guarantee. _sanitize now bounds
  recursion depth and detects cycles, emitting truncation markers instead of
  raising.

Refs REVIEW.md §3.4, §3.5.
The segment rule only matched a sensitive segment after splitting on '_', so a
key with no separator and no camelCase boundary (e.g. "accesstoken") never
produced a bare "token" segment and leaked. Also match a sensitive segment as a
trailing suffix, which keeps plural usage counters visible ("inputtokens" ends
with "tokens", not "token").
@ebarti ebarti force-pushed the review-fixes/03-events branch 2 times, most recently from cb1c5be to 03048df Compare July 2, 2026 15:14
@ebarti ebarti merged commit 03048df into review-fixes/02-cancellation Jul 2, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant