Enhance security on redaction of sensitive data in response, optimize queued questions #27
Merged
Move secret scrub regexes out of session_runtime.py into a properties-style resource file using name=regex entries and derive replacement placeholders automatically from the pattern name.

Expand output-side redaction coverage for common secret-looking content, including PEM-like blocks, certificate blocks, long hex-like blobs, and long base64-like blobs, without decoding the content.

Add regression tests for the externalized scrub patterns and the new redaction cases while preserving existing token redaction behavior.

Refactor base.py

Externalize secret scrub patterns in a properties file, widen coverage for modern provider keys and common sensitive OS/auth material, and make the scrubber configurable through ENABLE_SECRET_SCRUB_FILTER with a strongly recommended default of true.

Update config and regression tests for the new queue flow, queue decision callbacks, secret scrub patterns, and the secret scrub feature flag.
dcha-agent added a commit that referenced this pull request Mar 28, 2026
… queued questions (#27)

* Refine queued question handling and strengthen output secret scrubbing

* Externalize secret scrub patterns in a properties file, widen coverage for modern provider keys and common sensitive OS/auth material, and make the scrubber configurable through ENABLE_SECRET_SCRUB_FILTER with a strongly recommended default of true.

* Expand output-side redaction coverage for common secret-looking content, including PEM-like blocks, certificate blocks, long hex-like blobs, and long base64-like blobs, without decoding the content.

Add regression tests for the externalized scrub patterns and the new redaction cases while preserving existing token redaction behavior.

Refactor base.py

Update config and regression tests for the new queue flow, queue decision callbacks, secret scrub patterns, and the secret scrub feature flag.

---------

Co-authored-by: Dcha Agent <[email protected]>
Externalize secret scrub patterns and expand output redaction coverage
Move secret scrub regexes out of session_runtime.py into a properties-style resource file using name=regex entries and derive replacement placeholders automatically from the pattern name.
Expand output-side redaction coverage for common secret-looking content, including PEM-like blocks, certificate blocks, long hex-like blobs, and long base64-like blobs, without decoding the content.
Add regression tests for the externalized scrub patterns and the new redaction cases while preserving existing token redaction behavior.
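
The mechanism described above (name=regex entries, placeholders derived from the pattern name, redaction without decoding, and the ENABLE_SECRET_SCRUB_FILTER switch), sketched as an added example that is not the project's code. The pattern names, the regexes, the `[REDACTED_<NAME>]` placeholder format, the accepted flag values and all function names are assumptions made for illustration.

```python
import os
import re

# Constructed stand-in for the properties-style resource (name=regex per line).
# Names and regexes are assumptions for this example, not the project's file.
SAMPLE_PROPERTIES = r"""
# most specific first: a PEM body would otherwise match long_base64
pem_block=-----BEGIN [A-Z0-9 ]+-----[\s\S]+?-----END [A-Z0-9 ]+-----
long_hex=\b[0-9a-fA-F]{40,}\b
long_base64=(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{64,}={0,2}
"""

def load_patterns(text):
    """Parse name=regex lines, keeping file order (dicts preserve insertion order)."""
    patterns = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, regex = line.partition("=")  # first '=' only; regexes contain '='
        name = name.strip()
        if not sep or not re.fullmatch(r"[A-Za-z0-9_]+", name):
            raise ValueError(f"line {lineno}: expected name=regex")
        patterns[name] = re.compile(regex.strip())  # a bad regex fails at load time
    return patterns

def placeholder(name):
    """Derive the replacement from the pattern name (this format is an assumption)."""
    return f"[REDACTED_{name.upper()}]"

def scrub(text, patterns, enabled=None):
    """Replace every match with its placeholder; matched content is never decoded."""
    if enabled is None:  # flag name is from the PR; the accepted values are assumed
        flag = os.environ.get("ENABLE_SECRET_SCRUB_FILTER", "true")
        enabled = flag.strip().lower() not in ("0", "false", "no", "off")
    if not enabled:
        return text
    for name, rx in patterns.items():
        marker = placeholder(name)
        text = rx.sub(lambda _m, marker=marker: marker, text)
    return text

# Constructed sample output; the blobs are repeated filler, not real secrets.
SAMPLE_OUTPUT = (
    "key follows\n-----BEGIN PRIVATE KEY-----\n" + "QUJD" * 16
    + "\n-----END PRIVATE KEY-----\ndigest " + "ab12" * 16
    + "\nblob " + "Zm9v" * 20 + "==\n"
)

if __name__ == "__main__":
    print(scrub(SAMPLE_OUTPUT, load_patterns(SAMPLE_PROPERTIES), enabled=True))
```

Pattern order in the file is significant here: running the block-level pattern before the generic blob patterns keeps a PEM body from being replaced line by line with the less specific placeholder.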