ake/paperclip
1
0
Fork 0
mirror of https://github.com/alkimake/paperclip.git synced 2026-06-15 02:20:38 +09:00
Code Issues Projects Releases Packages Wiki Activity
paperclip/server/src/__tests__/redaction.test.ts

67 lines
1.8 KiB
TypeScript
Raw Normal View History

Implement secrets service with local encryption, redaction, and runtime resolution Add AES-256-GCM local encrypted secrets provider with auto-generated master key, stub providers for AWS/GCP/Vault, and a secrets service that normalizes adapter configs (converting sensitive inline values to secret refs in strict mode) and resolves secret refs back to plain values at runtime. Extract redaction utilities from agent routes into shared module. Redact sensitive values in activity logs, config revisions, and approval payloads. Block rollback of revisions containing redacted secrets. Filter hidden issues from list queries. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-19 15:43:52 -06:00
import { describe, expect, it } from "vitest";
import { REDACTED_EVENT_VALUE, redactEventPayload, sanitizeRecord } from "../redaction.js";
describe("redaction", () => {
it("redacts sensitive keys and nested secret values", () => {
const input = {
apiKey: "abc123",
nested: {
AUTH_TOKEN: "token-value",
safe: "ok",
},
env: {
OPENAI_API_KEY: "sk-openai",
OPENAI_API_KEY_REF: {
type: "secret_ref",
secretId: "11111111-1111-1111-1111-111111111111",
},
OPENAI_API_KEY_PLAIN: {
type: "plain",
value: "sk-plain",
},
PAPERCLIP_API_URL: "http://localhost:3100",
},
};
const result = sanitizeRecord(input);
expect(result.apiKey).toBe(REDACTED_EVENT_VALUE);
expect(result.nested).toEqual({
AUTH_TOKEN: REDACTED_EVENT_VALUE,
safe: "ok",
});
expect(result.env).toEqual({
OPENAI_API_KEY: REDACTED_EVENT_VALUE,
OPENAI_API_KEY_REF: {
type: "secret_ref",
secretId: "11111111-1111-1111-1111-111111111111",
},
OPENAI_API_KEY_PLAIN: {
type: "plain",
value: REDACTED_EVENT_VALUE,
},
PAPERCLIP_API_URL: "http://localhost:3100",
});
});
it("redacts jwt-looking values even when key name is not sensitive", () => {
const input = {
session: "aaa.bbb.ccc",
normal: "plain",
};
const result = sanitizeRecord(input);
expect(result.session).toBe(REDACTED_EVENT_VALUE);
expect(result.normal).toBe("plain");
});
it("redacts payload objects while preserving null", () => {
expect(redactEventPayload(null)).toBeNull();
expect(redactEventPayload({ password: "hunter2", safe: "value" })).toEqual({
password: REDACTED_EVENT_VALUE,
safe: "value",
});
});
});
Reference in a new issue Copy permalink