| """Tests for the secret scrubber used before session upload.""" |
|
|
| from agent.core.redact import scrub, scrub_string |
|
|
|
|
| def test_hf_token(): |
| s = "here is a token hf_" + "A" * 35 + " ok" |
| out = scrub_string(s) |
| assert "hf_" not in out |
| assert "[REDACTED_HF_TOKEN]" in out |
|
|
|
|
| def test_anthropic_key(): |
| s = "key=sk-ant-api03_" + "a" * 40 |
| out = scrub_string(s) |
| |
| assert "sk-ant-api03_" not in out |
|
|
|
|
| def test_github_token(): |
| s = "ghp_" + "a" * 40 |
| out = scrub_string(s) |
| assert out == "[REDACTED_GITHUB_TOKEN]" |
|
|
|
|
| def test_github_fine_grained_pat(): |
| |
| s = "github_pat_" + "A1B2_" * 10 |
| out = scrub_string(s) |
| assert "github_pat_" not in out |
| assert "[REDACTED_GITHUB_TOKEN]" in out |
|
|
|
|
| def test_aws_key_id(): |
| s = "AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP" |
| out = scrub_string(s) |
| assert "AKIAABCDEFGHIJKLMNOP" not in out |
|
|
|
|
| def test_bearer_header(): |
| s = "Authorization: Bearer abcdef0123456789abcdef0123456789" |
| out = scrub_string(s) |
| assert "abcdef0123456789abcdef0123456789" not in out |
| assert "Bearer [REDACTED]" in out |
|
|
|
|
| def test_env_var_style(): |
| s = "HF_TOKEN=hf_" + "x" * 40 + " run" |
| out = scrub_string(s) |
| |
| assert "hf_xxxx" not in out |
|
|
|
|
| def test_scrub_nested_dict_and_list(): |
| payload = { |
| "msg": "token hf_" + "Z" * 35, |
| "tools": [ |
| {"args": {"secret": "ghp_" + "Q" * 40}}, |
| "no secrets here", |
| ], |
| "n": 42, |
| } |
| out = scrub(payload) |
| |
| assert "hf_" in payload["msg"] |
| |
| assert "[REDACTED_HF_TOKEN]" in out["msg"] |
| assert out["tools"][0]["args"]["secret"] == "[REDACTED_GITHUB_TOKEN]" |
| assert out["tools"][1] == "no secrets here" |
| assert out["n"] == 42 |
|
|
|
|
| def test_scrub_preserves_non_strings(): |
| assert scrub(None) is None |
| assert scrub(123) == 123 |
| assert scrub(True) is True |
|
|
