Skip to content

P1: env secret detection + extraction plan (dry-run)#4

Merged
pzelenin merged 1 commit into
mainfrom
p1-env-detect
Jul 9, 2026
Merged

P1: env secret detection + extraction plan (dry-run)#4
pzelenin merged 1 commit into
mainfrom
p1-env-detect

Conversation

@pzelenin

@pzelenin pzelenin commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

First slice of the env pipeline (detect → plan → apply, docs/PLAN.md §2.3):

  • Patterns as data: rules/env/secrets.yaml — 14 provider patterns compiled by core::secrets, plus a Shannon-entropy fallback (only fires on secret-suggesting identifiers, marked confidence: medium), placeholder rejection, and a known-non-secret deny-list (Stripe test/publishable keys never fire — FP policy §9.2)
  • core::scan: string-literal assignment collection for JS/TS/TSX/Python with byte spans (rewrite-ready); template strings and f-strings excluded by design
  • core::env: extraction plan — provider env keys or SCREAMING_SNAKE from the identifier, collision handling against an existing .env, findings per SPEC-FINDINGS
  • CLI: getdev env (dry-run only), --json, --fail-on (exit 1 per the exit-code contract), --env-file, --no-color
  • Secret-safety invariant: raw values are crate-private and a dedicated test asserts findings JSON never contains them — masked previews only (sk_live_…1234)
  • Fixtures: 4 positive / 3 negative, gated by integration tests; fake key bodies are sized below GitHub push protection's matchers so contributor pushes never get blocked

--write (the core::mutate atomic rewrite engine) is the next slice.

Live output on the positive fixtures:

CRITICAL   env/hardcoded-secret   stripe_live.js:2
  stripe secret assigned to 'stripeKey' (sk_live_…1234)
  → extract to STRIPE_SECRET_KEY in .env
...
5 finding(s): 4 critical · 1 high · 0 medium · 0 low · 0 info (5 fixable)
dry run — nothing written. 5 secret(s) would move to .env

First P1 slice per docs/PLAN.md §2.3 env pipeline (detect → plan → apply):

- rules/env/secrets.yaml — provider secret patterns as data (14 patterns)
- core::secrets — pattern classification + Shannon-entropy fallback
  (secret-suggesting identifier required, medium confidence), placeholder
  and known-non-secret rejection (test/publishable keys never fire),
  masked previews; raw values never leave the module unmasked
- core::scan — string-literal assignment collection (JS/TS/TSX/Python)
  with byte spans for the future rewrite; template/f-strings excluded
- core::env — plan with env-var naming, collision handling against
  existing .env, findings rendering; raw values crate-private
- getdev env command: terminal/--json output, --fail-on (exit 1), --env-file
- fixtures: 4 positive / 3 negative gated by integration tests, including
  a no-raw-values-in-JSON leak test; fixture key bodies sized to never
  trip GitHub push protection for contributors

--write (core::mutate + rewrite) is the next slice.

Signed-off-by: pzelenin <pzelenin@users.noreply.github.com>
@pzelenin pzelenin merged commit bd415bc into main Jul 9, 2026
13 checks passed
@pzelenin pzelenin deleted the p1-env-detect branch July 9, 2026 15:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant