tighten credential-path proof boundaries #86
Merged
TacoRocket merged 2 commits into main from Apr 10, 2026
What changed
Tightens chains credential-path proof-boundary wording for candidate rows so default table output says more clearly what AzureFox has and has not actually proved.
Why
The family already had a conservative join model, but non-Key Vault rows still relied on softer note text that made the operator infer too much from candidate narrowing. This change makes the proof boundary explicit in table mode and keeps the named-but-not-visible Key Vault case honest.
User impact
Operators now see stronger default wording for narrowed, tenant-wide, service-hint, and visibility-blocked credential-path rows without changing ranking or row admission.
Root cause
credential-path had the underlying evidence, but default rendering did not consistently expose the confidence boundary outside JSON.
Validation
python3 -m pytest tests/test_terminal_ux.py -k "chains_table_mode_surfaces_priority_and_next_review or chains_keyvault_note_prefers_current_identity_access_sentence or chains_named_keyvault_not_visible_prefers_inventory_boundary"
python3 -m pytest tests/test_credential_path_registry.py tests/test_chain_semantics.py tests/test_cli_smoke.py -k "credential_path"
308 passed, 2 deselected