merge: reconcile GitHub and Gitea main branches#2
Merged
Conversation
added 2 commits
June 13, 2026 17:50
…redaction tests Refs #2344 Refactored process_hook_input_with_type() to delegate to a new process_hook_with_streams() helper that accepts generic AsyncRead + AsyncWrite parameters. This enables unit testing without subprocess spawning. Added 3 new tokio tests that exercise the full I/O pipeline: - test_process_hook_with_streams_strips_secrets_from_output: confirms AWS keys present in hook input do not appear in stdout (AC#3) - test_process_hook_with_streams_clean_input_unchanged: verifies clean input passes through without spurious redaction - test_process_hook_with_streams_pre_tool_use_also_redacts: verifies pre-tool-use hook type also strips secrets The redaction logic (contains_secrets fast-check + redact_secrets) was already correct; this change adds the missing end-to-end test coverage.
…ough Remove the contains_secrets() pre-check gate at hook.rs:130-135, replacing it with an unconditional call to redact_secrets(). The gate covered only AWS keys, sk- tokens, password=, secret=, and api_key= patterns; GitHub PATs (ghp_*), Slack tokens (xox*), and connection strings (postgresql://…) all bypassed it and were written to stdout in clear text. - Remove the conditional gate and the contains_secrets import from hook.rs - Remove the now-dead contains_secrets() function and its unit test from redaction.rs (per project rule: remove dead code, do not suppress) - Add three async regression tests in hook.rs that each exercise a bypass-pattern secret type: test_process_hook_github_pat_is_redacted test_process_hook_slack_token_is_redacted test_process_hook_connection_string_is_redacted Refs #2344
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Reconciles diverged
mainbranches after terraphim_agent 1.20.4 landed on GitHubwhile Gitea advanced with hook stdout redaction work (#2344).
Cherry-picked Gitea-only commits onto GitHub main. Sanitized Slack test token
(constructed at runtime) to satisfy GitHub push protection.
Refs terraphim/terraphim-clients#20 (Gitea)