Summary
Expand the redaction table in redactReason so telemetry that leaves the user's machine keeps up with today's credential formats. The current set (AWS AKIA, JWT, ghp_, generic sk-, Bearer) covers the classics; adding a handful more patterns makes the guarantee broader without a big refactor.
Where
src/relay/queue.ts:73-81
function redactReason(reason: string | null | undefined): string | null {
  if (!reason) return reason ?? null;
  return reason
    .replace(/AKIA[0-9A-Z]{16}/g, "[REDACTED-AWS-KEY]")
    .replace(/eyJ[A-Za-z0-9_=-]+\.[A-Za-z0-9_=-]+\.[A-Za-z0-9_=-]+/g, "[REDACTED-JWT]")
    .replace(/ghp_[A-Za-z0-9]{36,}/g, "[REDACTED-GH-TOKEN]")
    .replace(/sk-[A-Za-z0-9]{20,}/g, "[REDACTED-API-KEY]")
    .replace(/Bearer\s+[A-Za-z0-9_.=+-]+/gi, "Bearer [REDACTED]");
}
Why this helps
The reason field is derived from policy decisions and often includes shell-command text. In the common case it's boring metadata — but when it isn't, we'd rather cover more families than fewer. A quick gap analysis against common providers:
| Provider / Type | Example prefix | Currently caught? |
| --- | --- | --- |
| Anthropic | sk-ant-api.. / sk-ant-admin.. | Partial (dash boundary breaks greedy match) |
| OpenAI project | sk-proj-... | Partial |
| GitHub family | gho_, ghu_, ghs_, ghr_, github_pat_ | No (only ghp_) |
| Slack | xoxb-, xoxp-, xapp- | No |
| Stripe | sk_live_, sk_test_ (underscores) | No |
| GCP service account PEM | PEM blocks | No |
| Google OAuth client secret | GOCSPX- | No |
| npm publish token | npm_ | No |
Expanding coverage is a quick, low-risk win: redaction is easy to unit-test with positive/negative fixtures, and the replacement table is a single file.
Proposed enhancement
const REDACTORS: Array<[RegExp, string]> = [
  // AWS (long-term access key ids and STS temporary key ids)
  [/AKIA[0-9A-Z]{16}/g, "[REDACTED-AWS-KEY]"],
  [/ASIA[0-9A-Z]{16}/g, "[REDACTED-AWS-STS-KEY]"],
  // Anthropic — must run before the generic sk- rule, which stops at the first dash
  [/sk-ant-(api|admin)\d{2}-[A-Za-z0-9_-]{20,}/g, "[REDACTED-ANTHROPIC-KEY]"],
  // OpenAI (legacy and project keys)
  [/sk-(proj-)?[A-Za-z0-9_-]{20,}/g, "[REDACTED-OPENAI-KEY]"],
  // GitHub — full family
  [/gh[pousr]_[A-Za-z0-9]{36,}/g, "[REDACTED-GH-TOKEN]"],
  [/github_pat_[A-Za-z0-9_]{60,}/g, "[REDACTED-GH-PAT]"],
  // Slack (xox* tokens plus the xapp- app-level form listed in the table above)
  [/(xox[baprs]|xapp)-[A-Za-z0-9-]{10,}/g, "[REDACTED-SLACK-TOKEN]"],
  // Stripe
  [/(sk|pk|rk)_(live|test)_[A-Za-z0-9]{20,}/g, "[REDACTED-STRIPE-KEY]"],
  // GCP OAuth client
  [/GOCSPX-[A-Za-z0-9_-]{28}/g, "[REDACTED-GCP-OAUTH-SECRET]"],
  // npm
  [/npm_[A-Za-z0-9]{36,}/g, "[REDACTED-NPM-TOKEN]"],
  // PEM private key blocks (any label); non-greedy so adjacent blocks are not merged
  [/-----BEGIN [A-Z ]*KEY-----[\s\S]+?-----END [A-Z ]*KEY-----/g, "[REDACTED-PEM-KEY]"],
  // JWT (accept 2- or 3-segment)
  [/eyJ[A-Za-z0-9_=-]+\.[A-Za-z0-9_=-]+(?:\.[A-Za-z0-9_=-]+)?/g, "[REDACTED-JWT]"],
  // Bearer runs before the header rule: a header rule using \S+ would consume
  // only the word "Bearer" and leave the token behind.
  [/Bearer\s+[A-Za-z0-9_.=+-]+/gi, "Bearer [REDACTED]"],
  // Header-style: redact the whole value up to end of line
  [/(Authorization|X-Api-Key|X-Auth-Token):\s*[^\r\n]+/gi, "$1: [REDACTED]"],
];

// Same single-call API as today; rules are applied in table order.
function redactReason(reason: string | null | undefined): string | null {
  if (!reason) return reason ?? null;
  return REDACTORS.reduce((text, [re, repl]) => text.replace(re, repl), reason);
}
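Since the issue argues that a redaction table is easy to unit-test with positive/negative fixtures, here is an added example of such a fixture check (not code from the relay project). It uses a subset of the proposed rules under its own names (REDACTORS_EX, redactReasonEx) and constructed dummy secrets, and it exercises the two ordering traps: the vendor-specific sk-ant- rule must precede the generic sk- rule, and the Bearer rule must precede a header rule that redacts the rest of the line, or "Authorization: Bearer <token>" leaks the token.

```typescript
// Added example, not the project's code: fixture-driven check of a redaction table.
const REDACTORS_EX: Array<[RegExp, string]> = [
  // Vendor-specific rule first, so the generic sk- rule does not stop at the dash.
  [/sk-ant-(api|admin)\d{2}-[A-Za-z0-9_-]{20,}/g, "[REDACTED-ANTHROPIC-KEY]"],
  [/sk-(proj-)?[A-Za-z0-9_-]{20,}/g, "[REDACTED-OPENAI-KEY]"],
  [/gh[pousr]_[A-Za-z0-9]{36,}/g, "[REDACTED-GH-TOKEN]"],
  [/-----BEGIN [A-Z ]*KEY-----[\s\S]+?-----END [A-Z ]*KEY-----/g, "[REDACTED-PEM-KEY]"],
  // Bearer before the header rule; the header rule consumes the whole line tail.
  // With \S+ instead, "Authorization: Bearer <tok>" would keep <tok> in the output.
  [/Bearer\s+[A-Za-z0-9_.=+-]+/gi, "Bearer [REDACTED]"],
  [/(Authorization|X-Api-Key|X-Auth-Token):\s*[^\r\n]+/gi, "$1: [REDACTED]"],
];

function redactReasonEx(reason: string | null | undefined): string | null {
  if (!reason) return reason ?? null;
  return REDACTORS_EX.reduce((text, [re, repl]) => text.replace(re, repl), reason);
}

// Constructed dummy secrets (not real credentials), shaped like the formats above.
const ANTHROPIC_KEY = "sk-ant-api03-" + "x".repeat(40);
const GH_TOKEN = "ghp_" + "b".repeat(36);
const BEARER_TOKEN = "t0ken_" + "a".repeat(30);
const PEM_BODY = "MIIEvQIBADANBgkqhkiG9w0BAQEFAASC" + "Q".repeat(16);

// Positive fixtures: [input, substring that must not survive redaction].
const POSITIVE: Array<[string, string]> = [
  [`export ANTHROPIC_API_KEY=${ANTHROPIC_KEY}`, ANTHROPIC_KEY],
  [`git push https://${GH_TOKEN}@github.com/org/repo.git`, GH_TOKEN],
  [`Authorization: Bearer ${BEARER_TOKEN}`, BEARER_TOKEN],
  [`-----BEGIN PRIVATE KEY-----\n${PEM_BODY}\n-----END PRIVATE KEY-----`, PEM_BODY],
];
// Negative fixtures: ordinary command text that must come back unchanged.
const NEGATIVE: string[] = ["rm -rf build/", "sk-ant-api03-tooshort", "git status"];

// Returns the inputs whose secret leaked or whose benign text was altered.
function failingFixtures(): string[] {
  const leaked = POSITIVE.filter(([inp, s]) => (redactReasonEx(inp) ?? "").includes(s));
  const mangled = NEGATIVE.filter((inp) => redactReasonEx(inp) !== inp);
  return [...leaked.map(([inp]) => inp), ...mangled];
}
```

An empty result from failingFixtures() means every positive fixture was scrubbed and every negative one passed through untouched; any entry names the fixture to investigate.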
Acceptance criteria
… github_pat_), GCP OAuth, npm, and PEM key blocks.
redactReason remains a single-call API.