fix(review): port secret-scan mock carve-out and voyage/firecrawl kinds#4628
Conversation
|
Superagent didn't find any vulnerabilities or security issues in this PR. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #4628 +/- ##
=======================================
Coverage 94.11% 94.11%
=======================================
Files 432 432
Lines 38370 38372 +2
Branches 13989 13990 +1
=======================================
+ Hits 36113 36115 +2
Misses 1600 1600
Partials 657 657
🚀 New features to boost your workflow:
|
|
Warning 🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨 ⏸️ Gittensory review result - manual review recommendedReview updated: 2026-07-10 08:47:47 UTC
⏸️ Suggested Action - Manual Review
Review summary Nits — 6 non-blocking
Concerns raised — review before merging
Linked issue satisfactionAddressed Review context
Contributor next steps
Signal definitions
🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed 💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →. Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.
|
…ds (#4604) content-lane/security-scan.ts had drifted from its two siblings (secrets-scan.ts, review-enrichment's secret-scan.ts): it was missing the LOWERCASE_HYPHENATED_MOCK_FIXTURE_PATTERN placeholder carve-out added by #3866, so a fixture value like `token: "mock-response-value"` would auto-close a legitimate content-lane submission with no human queue to catch the false positive. It was also missing the voyage_api_key and firecrawl_api_key patterns added to secrets-scan.ts by #3980, so a real Voyage/Firecrawl key embedded in a content submission produced no finding at all. Ports both fixes verbatim into the content-lane copy and adds both kinds to its HARD_SECRET_KINDS set for auto-close parity with the PR-diff gate. No shared-module extraction here — that is tracked separately in #4608.
161ae0d to
0da7bca
Compare
Summary
src/review/secrets-scan.tsintosrc/review/content-lane/security-scan.ts, which had drifted from its two siblings (the PR-diff scanner and REES'ssecret-scan.ts):LOWERCASE_HYPHENATED_MOCK_FIXTURE_PATTERNplaceholder carve-out (added tosecrets-scan.tsby fix(review): tighten mock placeholder carve-out to avoid secret-scan false negatives #3866) was missing here, so a fixture value liketoken: "mock-response-value"would auto-close a legitimate content-lane (awesome-claude/metagraphed) submission with no human queue to catch the false positive.voyage_api_keyandfirecrawl_api_keypatterns (added tosecrets-scan.tsby fix(review): hard-block Voyage and Firecrawl secrets #3980) were entirely absent from this file'sSECRET_PATTERNSandHARD_SECRET_KINDS, so a real Voyage/Firecrawl key embedded in a content submission produced no finding at all.voyage_api_key/firecrawl_api_keyare added toHARD_SECRET_KINDSfor auto-close parity with the PR-diff gate (safety.ts).Closes #4604
Scope
type(scope): short summaryConventional Commit format, for examplefix(api): restore profile access checks.CONTRIBUTING.mdand does not reintroduce GitHub Pages, VitePress,site/, orCNAME.Closes #123) — a linked open issue is required for every contributor PR.Validation
git diff --checknpm run actionlintnpm run typechecknpm run test:coveragelocally;codecov/patchrequires ≥99% coverage of the lines AND branches you changed (aim for 100% on your diff so CI variance does not fail near the threshold). Global coverage is a non-blocking trend with a loose 90% backstop, not the gate.npm run test:workersnpm run build:mcpnpm run test:mcp-packnpm run ui:openapi:checknpm run ui:lintnpm run ui:typechecknpm run ui:buildnpm audit --audit-level=moderateIf any required check was skipped, explain why:
src/review/content-lane/security-scan.tsand its unit test — no.github/workflows/**, MCP package, orapps/gittensory-ui/**files, soactionlint,test:workers,build:mcp/test:mcp-pack,ui:*, andnpm auditare not exercised by the diff; left to CI's fulltest:cirun rather than duplicated locally.test:coveragewas run scoped to the two touched test files (test/unit/content-lane-security-scan.test.ts,test/unit/secrets-scan.test.ts) with coverage restricted to the changed source file — v8 reports 100% statements/branches/functions/lines onsrc/review/content-lane/security-scan.tsfor that run.Safety
UI Evidencesection below with JPG/JPEG or PNG screenshots arranged as organized, captioned, clickable thumbnails. SVG screenshots are not used as review evidence. Review-only screenshots or recordings are not committed to the repository. (N/A — no visible UI change.)UI Evidence
N/A — no visible UI/frontend/docs change.
Notes
test/unit/secrets-scan.test.ts; a parityit.eachblock at the bottom oftest/unit/content-lane-security-scan.test.tswas extended to assert the content-lane scanner and the PR-diff scanner (secrets-scan.ts) now detect identical kinds forvoyage_api_key,firecrawl_api_key, and the mock-fixture case — guarding against this exact class of drift recurring before the shared-module extraction (Extract shared secret-detection module across secrets-scan.ts and content-lane/security-scan.ts #4608) lands.