fix(security): add missing provider token patterns to secret redaction

[ColinM-sys]

Summary

• Add 10 new token-prefix patterns to secret-patterns.ts covering OpenAI, Anthropic, Slack, AWS, HuggingFace, GitLab, Groq, and PyPI.
• Mirror all new patterns in scripts/debug.sh per the single-source-of-truth contract.

Why

The redaction system only caught NVIDIA and GitHub tokens. Every other provider's API keys passed through unredacted. Verified locally:

# BEFORE (unredacted — leaked to terminal/logs)
Your key is sk-proj-abc123def456ghi789jkl012mno345pqr678

# AFTER (redacted)
Your key is sk-p****

NemoClaw explicitly supports OpenAI, Anthropic, Slack, and HuggingFace as providers. Their tokens appear in error messages, subprocess output, and nemoclaw debug dumps — all of which flow through redact(). CWE-532 (Insertion of Sensitive Information into Log File).

What changed

• src/lib/secret-patterns.ts — added 10 new prefix patterns to TOKEN_PREFIX_PATTERNS and corresponding entries to EXPECTED_SHELL_PREFIXES
• scripts/debug.sh — added matching sed patterns to redact()

Test plan

• npm run build:cli — compiles cleanly
• Local verification: all 7 tested token formats (OpenAI, Slack, AWS, HuggingFace, GitLab, Groq, Anthropic) now redacted
• test/secret-redaction.test.ts consistency check should pass (verifies shell prefixes match TS prefixes)

Signed-off-by: ColinM-sys cmcdonough@50words.com

Summary by CodeRabbit

• Chores
  • Expanded secret-masking to cover additional API keys and tokens (OpenAI sk-proj/sk, Slack xoxb/xoxp/xoxe.xoxp, AWS AKIA/ASIA, Hugging Face, GitLab, Groq, PyPI, Anthropic), improving protection in debug output and logs.
  • Aligned runtime redaction patterns so masking is consistent across tools while preserving existing env/arg and Bearer token redaction.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: e18d3a01-b28a-473c-9a5e-3785d73b8396

📥 Commits

Reviewing files that changed from the base of the PR and between e19e7ed and 1a35979.

📒 Files selected for processing (1)

• scripts/debug.sh

---

📝 Walkthrough

Walkthrough

Extended secret-detection and redaction rules: added regexes and shell-prefix entries for additional token formats (OpenAI sk-proj/sk, Slack xox*, AWS AKIA/ASIA, Hugging Face hf_, GitLab glpat-, Groq gsk_, PyPI pypi-, Anthropic sk-ant-). Core flow and other patterns unchanged.

Changes

Cohort / File(s)	Summary
Secret redaction script scripts/debug.sh	Added additional sed -E redaction rules to mask new token formats (OpenAI sk-proj/sk, Slack xoxb/xoxp/xoxe.xoxp, AWS AKIA/ASIA, hf_, glpat-, gsk_, pypi-, sk-ant-). Existing rules preserved; only inline comments added.
Secret pattern library src/lib/secret-patterns.ts	Extended TOKEN_PREFIX_PATTERNS with new regex entries and added corresponding strings to EXPECTED_SHELL_PREFIXES (same prefixes as above) to keep detection aligned. CONTEXT_PATTERNS and overall composition unchanged.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped through logs at break of day,

Nosed out keys that tried to hide away,
From AKIA to sk-proj’s gleam,
I tucked them safe, removed the seam,
Now prints are calm — I munch and sway. 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: adding missing provider token patterns to secret redaction logic across both TypeScript and shell script files.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/lib/secret-patterns.ts (1)

60-75: ⚠️ Potential issue | 🟠 Major

Add missing xoxe.xoxp- to EXPECTED_SHELL_PREFIXES.

Line 29 introduces xoxe.xoxp- detection, but Lines 60-75 omit that prefix from the shell consistency list. This leaves a gap where shell redaction drift for this token type won’t be caught by the consistency test.

🔧 Proposed fix

 export const EXPECTED_SHELL_PREFIXES = [
   "nvapi-",
   "nvcf-",
   "ghp_",
   "github_pat_",
   "sk-proj-",
   "sk-",
   "xoxb-",
   "xoxp-",
+  "xoxe.xoxp-",
   "AKIA",
   "hf_",
   "glpat-",
   "gsk_",
   "pypi-",
   "sk-ant-",
 ];

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/lib/secret-patterns.ts` around lines 60 - 75, The EXPECTED_SHELL_PREFIXES
array in src/lib/secret-patterns.ts is missing the "xoxe.xoxp-" prefix
referenced elsewhere; update the EXPECTED_SHELL_PREFIXES constant to include
"xoxe.xoxp-" (e.g., add "xoxe.xoxp-" to the exported array) so the shell
redaction consistency test covering tokens like xoxe.xoxp- will detect drift;
modify the array in the EXPECTED_SHELL_PREFIXES declaration accordingly.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@scripts/debug.sh`:
- Around line 134-144: The redact() rules in scripts/debug.sh are missing Slack
tokens of the form "xoxe.xoxp-…"; update the sed rules inside redact() to add a
regex that matches that pattern (for example a new line analogous to the
existing Slack rules such as: a substitution matching
"xoxe\.xoxp-[A-Za-z0-9_.-]{10,}" and replacing with "<REDACTED>"). Place this
new rule alongside the other Slack token rules (e.g., near the existing
xoxb-/xoxp- rules) so xoxe.xoxp- tokens are also redacted.

---

Outside diff comments:
In `@src/lib/secret-patterns.ts`:
- Around line 60-75: The EXPECTED_SHELL_PREFIXES array in
src/lib/secret-patterns.ts is missing the "xoxe.xoxp-" prefix referenced
elsewhere; update the EXPECTED_SHELL_PREFIXES constant to include "xoxe.xoxp-"
(e.g., add "xoxe.xoxp-" to the exported array) so the shell redaction
consistency test covering tokens like xoxe.xoxp- will detect drift; modify the
array in the EXPECTED_SHELL_PREFIXES declaration accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: c362677f-0159-43e5-b590-28711109d907

📥 Commits

Reviewing files that changed from the base of the PR and between 121148c and 0df852c.

📒 Files selected for processing (2)

• scripts/debug.sh
• src/lib/secret-patterns.ts

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/lib/secret-patterns.ts`:
- Around line 30-31: The regex /AKIA[A-Z0-9]{16}/g in src/lib/secret-patterns.ts
only matches long-term AWS keys and misses temporary keys that start with ASIA;
update the pattern to match both prefixes by replacing /AKIA[A-Z0-9]{16}/g with
/A(?:K|S)IA[A-Z0-9]{16}/g (and apply the same replacement for the other
occurrence in the file), ensuring both AKIA and ASIA access key IDs are
redacted.
- Line 69: The new secret pattern "xoxe.xoxp-" added in
src/lib/secret-patterns.ts must be redacted by the debug script; update
scripts/debug.sh in the redact() sed rules to add a rule that matches the
"xoxe.xoxp-" prefix (e.g., a sed expression like -e
's/xoxe\\.xoxp-[A-Za-z0-9_-]{10,}/<REDACTED>/g' ) alongside the existing xoxb-
and xoxp- rules so tokens with the xoxe.xoxp- prefix are replaced in debug
output.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 6a8cbe1d-7ae2-42cf-bf24-1ee600dea636

📥 Commits

Reviewing files that changed from the base of the PR and between 0df852c and 4d44af9.

📒 Files selected for processing (1)

• src/lib/secret-patterns.ts

[wscurran]

✨ Thanks for submitting this PR that proposes a fix for the secret redaction to add missing provider token patterns, which could help improve the security of the system by properly redacting sensitive information.

[wscurran]

✨ Thanks for submitting this PR that proposes a fix for the secret redaction to add missing provider token patterns, which could help improve the security of the system by properly redacting sensitive information.

[coderabbitai]

🧹 Nitpick comments (1)

scripts/debug.sh (1)

138-140: Use standard comments instead of backticked pseudo-comments for improved maintainability.

Lines 138 and 140 use backticks (`# ...`) to include documentation, which are command substitutions in bash, not comments. While syntactically valid and passing ShellCheck, this non-idiomatic pattern is fragile and harder to maintain in a security-sensitive redaction path. Consider moving these explanations to standard comments on separate lines above the corresponding -e patterns.

🔧 Suggested alternative

+    # xoxe.xoxp- = Slack config token prefix
     -e 's/xoxe\.xoxp-[A-Za-z0-9_-]{10,}/<REDACTED>/g' \
+    # AWS access key IDs: AKIA = long-term, ASIA = temporary/session
     -e 's/AKIA[A-Z0-9]{16}/<REDACTED>/g' \

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@scripts/debug.sh` around lines 138 - 140, The script uses backticked
pseudo-comments (e.g., the sequences starting with `# xoxe.xoxp-` and `# AWS
access key IDs:`) which invoke command substitution instead of real comments;
replace each backticked pseudo-comment with a proper bash comment line (start
with #) placed immediately above the related sed -e pattern (for example above
the -e 's/xoxe\.xoxp-[A-Za-z0-9_-]{10,}/<REDACTED>/g' and above the -e pattern
for AKIA/ASIA keys) so the explanatory text is non-executing, readable, and
maintainable.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@scripts/debug.sh`:
- Around line 138-140: The script uses backticked pseudo-comments (e.g., the
sequences starting with `# xoxe.xoxp-` and `# AWS access key IDs:`) which invoke
command substitution instead of real comments; replace each backticked
pseudo-comment with a proper bash comment line (start with #) placed immediately
above the related sed -e pattern (for example above the -e
's/xoxe\.xoxp-[A-Za-z0-9_-]{10,}/<REDACTED>/g' and above the -e pattern for
AKIA/ASIA keys) so the explanatory text is non-executing, readable, and
maintainable.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 3b045d71-f280-46b6-87ee-15e0eb043488

📥 Commits

Reviewing files that changed from the base of the PR and between 4d44af9 and e19e7ed.

📒 Files selected for processing (2)

• scripts/debug.sh
• src/lib/secret-patterns.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• src/lib/secret-patterns.ts