feat(enrichment): detect Axiom API and personal access tokens#3337

Merged
gittensory-orb[bot] merged 1 commit into
JSONbored:mainfrom
bohdansolovie:feat/secret-scan-axiom-tokens-v4
Jul 5, 2026
Conversation

@bohdansolovie

Contributor

Summary

  • Add axiom_api_token rule for Axiom xaat- UUID-shaped API tokens (edge ingest/query)
  • Add axiom_personal_token rule for Axiom xapt- personal access tokens
  • Use (?![A-Za-z0-9_-]) tail guards per secret-scan convention (fixes prior Orb blocker)
  • Negative tests: truncated UUID, -suffix, _suffix, and non-hex alpha (z) continuations

Test plan

  • cd review-enrichment && npm run build && node --test test/secret-scan.test.ts (94 passing)

Made with Cursor

Add high-confidence secret-scan rules for Axiom xaat- API tokens and
xapt- personal access tokens with UUID-shaped bodies, broad tail guards,
and truncation plus identifier-continuation negative tests.

Co-authored-by: Cursor <cursoragent@cursor.com>
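To make the rule shape in the summary concrete, here is an added example that is not the review-enrichment project's own code: two Axiom rules built from a shared UUID-shaped body with the `(?![A-Za-z0-9_-])` tail guard, applied to the added lines of a unified diff so that the truncated, `-suffix`, `_suffix` and `z` negatives from the test plan can be checked. The exact regex, the leading `(?<![A-Za-z0-9_-])` guard, lowercase hex, the rule/finding shapes and the `scanPatch` and `detectInLine` names are assumptions of this example; the sample patch is constructed.

```typescript
// Added example (not the project's code): Axiom token rules with tail guards, run over a diff.

// Shared UUID-shaped body; lowercase hex is an assumption (the PR only says "UUID-shaped").
const UUID_BODY = "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}";
// Tail guard from the PR summary: the token must not continue into an identifier character.
// Because every group has a fixed width, the engine cannot back off to a shorter match,
// so "<uuid>z", "<uuid>-suffix" and "<uuid>_suffix" are all rejected outright.
const TAIL_GUARD = "(?![A-Za-z0-9_-])";
// Leading guard is an assumption of this example: do not match inside a longer identifier.
const HEAD_GUARD = "(?<![A-Za-z0-9_-])";

interface SecretRule { kind: string; pattern: RegExp; }
interface Finding { kind: string; line: number; redacted: string; }

// Assumed rule table shape; the project's real structure is not shown on the PR page.
const AXIOM_RULES: SecretRule[] = [
  { kind: "axiom_api_token", pattern: new RegExp(`${HEAD_GUARD}xaat-${UUID_BODY}${TAIL_GUARD}`, "g") },
  { kind: "axiom_personal_token", pattern: new RegExp(`${HEAD_GUARD}xapt-${UUID_BODY}${TAIL_GUARD}`, "g") },
];

// Findings keep only the prefix and last four characters so the report cannot leak the secret.
function redact(token: string): string {
  return `${token.slice(0, 5)}…${token.slice(-4)}`;
}

// Which rule kinds fire on a single line of text (useful for table-driven positive/negative tests).
function detectInLine(text: string, rules: SecretRule[] = AXIOM_RULES): string[] {
  return rules.filter((r) => { r.pattern.lastIndex = 0; return r.pattern.test(text); }).map((r) => r.kind);
}

// Scan a unified diff and report secrets on added lines only ("+" lines, not the "+++" header),
// tracking new-file line numbers from each "@@" hunk header.
function scanPatch(patch: string, rules: SecretRule[] = AXIOM_RULES): Finding[] {
  const findings: Finding[] = [];
  let newLine = 0;
  for (const raw of patch.split("\n")) {
    const hunk = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/.exec(raw);
    if (hunk) { newLine = Number(hunk[1]); continue; }
    if (raw.startsWith("+++") || raw.startsWith("---")) continue; // file headers
    if (raw.startsWith("-")) continue; // removed line: does not advance new-file numbering
    if (raw.startsWith("+")) {
      const text = raw.slice(1);
      for (const rule of rules) {
        rule.pattern.lastIndex = 0;
        let m: RegExpExecArray | null;
        while ((m = rule.pattern.exec(text)) !== null) {
          findings.push({ kind: rule.kind, line: newLine, redacted: redact(m[0]) });
        }
      }
    }
    newLine += 1; // context and added lines both occupy a new-file line
  }
  return findings;
}

// Constructed sample patch: two real-shaped tokens plus the three negative cases from the PR.
const SAMPLE_PATCH = [
  "--- a/config.env",
  "+++ b/config.env",
  "@@ -1,2 +1,6 @@",
  " LOG_LEVEL=info",
  "+AXIOM_TOKEN=xaat-0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b",
  "+AXIOM_PAT=xapt-0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b",
  "+TRUNCATED=xaat-0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a",
  "+CONTINUED=xaat-0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5bz",
  "-OLD=xapt-0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b_suffix",
  "+NEW=xapt-0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b_suffix",
].join("\n");

for (const f of scanPatch(SAMPLE_PATCH)) {
  console.log(`${f.kind} at +${f.line}: ${f.redacted}`);
}
```

Only the two well-formed tokens on lines 2 and 3 are reported; the truncated body, the `z` continuation and the `_suffix` form on the added lines produce nothing, and the removed `-OLD` line is never scanned.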
@bohdansolovie bohdansolovie requested a review from JSONbored as a code owner July 5, 2026 04:02
@superagent-security superagent-security Bot added the contributor:flagged Contributor flagged for review by trust analysis. label Jul 5, 2026
@superagent-security


🚨 Contributor flagged. Click here for more info: Superagent Dashboard

@superagent-security


Superagent didn't find any vulnerabilities or security issues in this PR.

@gittensory-orb gittensory-orb Bot added the gittensor:bug Gittensor-scored bug fix — scores a 0.5x multiplier. label Jul 5, 2026
@gittensory-orb

gittensory-orb Bot commented Jul 5, 2026


Warning

🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨

⏸️ Gittensory review result - manual review recommended

Review updated: 2026-07-05 04:10:17 UTC

2 files · 1 AI reviewer · no blockers · readiness 73/100 · CI green · clean

⏸️ Suggested Action - Manual Review

Review summary
The change adds two narrowly scoped secret-scan rules for Axiom `xaat-` and `xapt-` UUID-shaped tokens and covers the positive path plus the important tail-guard negatives. The regexes follow the existing high-confidence rule style, including the `(?![A-Za-z0-9_-])` continuation guard, and the tests exercise the real `scanPatch` path rather than fabricated internals. I do not see a reachable correctness issue in the visible diff.

Nits — 5 non-blocking
  • nit: review-enrichment/test/secret-scan.test.ts:1036 duplicates the same UUID body and assertion shape for API and personal tokens; a small table would make future token-family additions less error-prone.
  • nit: review-enrichment/src/analyzers/secret-scan.ts:373 duplicates the full UUID-shaped regex body again at line 379; if this file already has a local convention for shared token fragments, use it here too.
  • review-enrichment/test/secret-scan.test.ts:1036 could use a table like `[{ kind: "axiom_api_token", prefix: "xaat-" }, { kind: "axiom_personal_token", prefix: "xapt-" }]` to keep the positive and negative cases aligned.
  • review-enrichment/src/analyzers/secret-scan.ts:373 should stay as a full UUID-shaped match with the existing tail guard; do not loosen it to a generic `[A-Za-z0-9_-]+` token body.
  • Readiness score is below the configured threshold — Use the readiness panel as advisory maintainer context; the score does not block this PR.
| Signal | Result | Evidence |
|---|---|---|
| Code review | ✅ No blockers | 1 reviewer |
| Linked issue | ⚠️ Missing | No linked issue or no-issue rationale found. |
| Related work | ✅ No active overlap found | No same-issue or scoped active PR overlap found. |
| Change scope | ✅ 20/20 | Low review scope from cached public metadata (no linked issue context). |
| Validation posture | ❌ 5/25 | Preflight is holding this PR: the review lane is unavailable, so it is not ready for automated review. |
| Contributor workload | ✅ 10/10 | Author activity: 246 registered-repo PR(s), 152 merged, 9 issue(s). |
| Contributor context | ✅ Confirmed | Gittensor contributor bohdansolovie; Gittensor profile; 246 PR(s), 9 issue(s). |
| Gate result | ✅ Passing | No configured blocker found. |
Review context
  • Author: bohdansolovie
  • Role context: outside_contributor
  • Public audience mode: oss maintainer
  • Lane context: Repository registration is not available in the local Gittensory cache.
  • Public profile languages: Python, C++, JavaScript
  • Official Gittensor activity: 246 PR(s), 9 issue(s).
  • PR-specific overlap: none found.
Contributor next steps
  • Explain no-issue PR.
  • Await review-lane availability.
  • Refresh registry data or choose a registered active repo.
  • Link the issue being solved, or explicitly explain why this is a no-issue PR.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

@gittensory-orb gittensory-orb Bot left a comment

Gittensory approves — the gate is satisfied and CI is green.

@gittensory-orb gittensory-orb Bot merged commit e681a0d into JSONbored:main Jul 5, 2026
6 checks passed