SLT.V1.002 – Integrate secrets scrubber #86
[SLT.V1.002] Integrate secrets scrubber
Overview
Introduce configurable redaction patterns that run before Shiplog stores journal attachments so sensitive tokens or API keys never persist in refs or exported logs.
References & Assets
- Figma / Design: N/A
- Product Spec (Notion / Confluence): N/A
- Related Issues / PRs: SLT.V1.001
- Feature Flags / Experiments: N/A
- Other Assets: N/A
User Story
As a release engineer,
I want Shiplog to scrub secrets from journal attachments automatically,
so that no credentials or tokens are leaked when logs are stored in Git.
Acceptance Criteria
- Redaction patterns and allowlists can be configured per repository/policy
- Shiplog applies redaction before persisting log attachments and notes
- Redacted entries leave audit breadcrumbs indicating replacements
- Dockerized Bats coverage verifies redaction and bypass scenarios
Definition of Done
Git journal attachments respect configured redaction rules, tests cover positive and negative cases, and docs explain configuration and defaults.
Scope
In-Scope
- Configurable scrubber patterns and allowlist
- Integration into attachment pipeline with tests
- Documentation updates for policy/env references
Out-of-Scope
- Retrofitting historical entries
- UI tooling for pattern editing
Deliverables
- Est. Lines of Code: ~200
- Est. Blast Radius: lib/attachments.sh, policy schema, docs
Implementation Details
High-Level Approach
Add pattern configuration to policy, implement scrubbing utility invoked before attachments are persisted, and ensure dry-run/preview workflows surface redaction results.
Affected Areas
- lib/attachments.sh
- policy schema / validator
- docs/features/policy.md
- tests/helpers/common.bash
Implementation Steps
- Extend policy schema with scrubber configuration and defaults
- Implement redaction helper invoked from attachment pipeline
- Add allowlist logic and logging for skipped replacements
- Update docs and examples
- Add Dockerized Bats cases
Test Plan
Happy Path
- Attachment with secret string is redacted before commit
- Allowlisted strings remain intact
Edge Cases
- Multiple overlapping patterns redact correctly
- Large attachments redact without performance issues
Failure Cases
- Misconfigured pattern surfaces descriptive error and fails safe
Monitoring & Success Metrics
- Audit log shows redaction summaries without leaking secret content
QA Sign-off Matrix
| Environment | Surface (browser / device / API) | Owner | Status | Notes |
|---|---|---|---|---|
| Local Docker | CLI | TBD | Pending | Covered via make test |
Requirements
Hard Requirements
- Secret scrubber executes on every attachment prior to persistence
Soft Requirements
- Redaction actions are logged for auditing
Runtime Requirements
- Must operate with default POSIX toolchain (no extra deps)
Dependencies & Approvals
- Policy schema update reviewed by maintainers
- Security review of redaction patterns
Production Notes
Priority: 4 / 5
High priority to protect credentials (P1 in roadmap).
Complexity: 3 / 5
Moderate implementation effort across policy, CLI, and tests.
Estimate: 16 - 24 hours
Includes schema, implementation, docs, and tests.
Risk & Rollback
- Primary Risks: Over-redaction breaking diagnostics; under-redaction leaking secrets
- Mitigations: Allowlist configuration, thorough test coverage
- Rollback / Kill Switch: Feature flag in policy to disable scrubber
Additional Notes
Blocked by SLT.V1.001 for plugin lifecycle coordination.
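One way the redaction helper from the implementation steps could look with only POSIX tools, as an added sketch that is not Shiplog's own code. The function name `scrub_attachment`, the tab-separated patterns file, the one-literal-per-line allowlist file, and the `[REDACTED:name]` marker are all assumptions made for illustration.

```shell
# Added example: scrub_attachment and both file formats are hypothetical, not Shiplog's.
#   patterns file : one "name<TAB>ERE" per line
#   allowlist file: one literal string per line (exact match on the matched text)
# Usage: scrub_attachment PATTERNS ALLOWLIST AUDIT < attachment > redacted
scrub_attachment() {
  patterns=$1 allowlist=$2 audit=$3
  tab=$(printf '\t')
  # Fail safe: validate every pattern before emitting a single byte. grep must
  # exit 1 on an empty line; 0 means the ERE matches the empty string, >1 means
  # it does not compile.
  while IFS="$tab" read -r name re; do
    [ -n "$name" ] || continue
    rc=0
    printf '\n' | grep -E -e "$re" >/dev/null 2>&1 || rc=$?
    if [ "$rc" -ne 1 ]; then
      echo "scrubber: pattern '$name' is invalid; attachment not persisted" >&2
      return 2
    fi
  done < "$patterns"
  awk -v pfile="$patterns" -v afile="$allowlist" -v audit="$audit" '
    BEGIN {
      while ((getline l < pfile) > 0) {
        i = index(l, "\t")
        if (i > 1) { n++; name[n] = substr(l, 1, i - 1); re[n] = substr(l, i + 1) }
      }
      while ((getline l < afile) > 0) if (l != "") allow[l] = 1
    }
    {
      line = $0
      for (p = 1; p <= n; p++) {          # patterns apply in file order
        out = ""; rest = line
        while (match(rest, re[p]) && RLENGTH > 0) {
          hit = substr(rest, RSTART, RLENGTH)
          if (hit in allow) {             # keep allowlisted text, count the skip
            out = out substr(rest, 1, RSTART + RLENGTH - 1); skipped[name[p]]++
          } else {
            out = out substr(rest, 1, RSTART - 1) "[REDACTED:" name[p] "]"; hits[name[p]]++
          }
          rest = substr(rest, RSTART + RLENGTH)
        }
        line = out rest
      }
      print line
    }
    END {                                 # audit breadcrumb: counts only, no matched text
      for (p = 1; p <= n; p++)
        printf "pattern=%s redacted=%d allowlisted=%d\n", name[p], hits[name[p]], skipped[name[p]] > audit
    }'
}
```

Because patterns run in file order over already-redacted text, overlapping rules resolve in favour of whichever pattern is listed first; the audit file records per-pattern counts so a reviewer can see what was replaced or skipped without the secret itself being written anywhere.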