P1: env secret detection + extraction plan (dry-run)#4
Merged
Conversation
First P1 slice per docs/PLAN.md §2.3 env pipeline (detect → plan → apply): - rules/env/secrets.yaml — provider secret patterns as data (14 patterns) - core::secrets — pattern classification + Shannon-entropy fallback (secret-suggesting identifier required, medium confidence), placeholder and known-non-secret rejection (test/publishable keys never fire), masked previews; raw values never leave the module unmasked - core::scan — string-literal assignment collection (JS/TS/TSX/Python) with byte spans for the future rewrite; template/f-strings excluded - core::env — plan with env-var naming, collision handling against existing .env, findings rendering; raw values crate-private - getdev env command: terminal/--json output, --fail-on (exit 1), --env-file - fixtures: 4 positive / 3 negative gated by integration tests, including a no-raw-values-in-JSON leak test; fixture key bodies sized to never trip GitHub push protection for contributors --write (core::mutate + rewrite) is the next slice. Signed-off-by: pzelenin <pzelenin@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
First slice of the env pipeline (detect → plan → apply, docs/PLAN.md §2.3):
rules/env/secrets.yaml— 14 provider patterns compiled bycore::secrets, plus a Shannon-entropy fallback (only fires on secret-suggesting identifiers, markedconfidence: medium), placeholder rejection, and a known-non-secret deny-list (Stripe test/publishable keys never fire — FP policy §9.2)core::scan: string-literal assignment collection for JS/TS/TSX/Python with byte spans (rewrite-ready); template strings and f-strings excluded by designcore::env: extraction plan — provider env keys or SCREAMING_SNAKE from the identifier, collision handling against an existing.env, findings per SPEC-FINDINGSgetdev env(dry-run only),--json,--fail-on(exit 1 per the exit-code contract),--env-file,--no-colorsk_live_…1234)--write(thecore::mutateatomic rewrite engine) is the next slice.Live output on the positive fixtures: