Skip to content

fix(review): port secret-scan mock carve-out and voyage/firecrawl kinds#4628

Merged
JSONbored merged 1 commit into
mainfrom
fix/content-lane-secret-scan-parity
Jul 10, 2026
Merged

fix(review): port secret-scan mock carve-out and voyage/firecrawl kinds#4628
JSONbored merged 1 commit into
mainfrom
fix/content-lane-secret-scan-parity

Conversation

@JSONbored

Copy link
Copy Markdown
Owner

Summary

  • Ports two already-proven fixes from src/review/secrets-scan.ts into src/review/content-lane/security-scan.ts, which had drifted from its two siblings (the PR-diff scanner and REES's secret-scan.ts):
    1. The LOWERCASE_HYPHENATED_MOCK_FIXTURE_PATTERN placeholder carve-out (added to secrets-scan.ts by fix(review): tighten mock placeholder carve-out to avoid secret-scan false negatives #3866) was missing here, so a fixture value like token: "mock-response-value" would auto-close a legitimate content-lane (awesome-claude/metagraphed) submission with no human queue to catch the false positive.
    2. The voyage_api_key and firecrawl_api_key patterns (added to secrets-scan.ts by fix(review): hard-block Voyage and Firecrawl secrets #3980) were entirely absent from this file's SECRET_PATTERNS and HARD_SECRET_KINDS, so a real Voyage/Firecrawl key embedded in a content submission produced no finding at all.
  • Both are ported verbatim (same regexes, same ordering relative to their neighbors) and voyage_api_key/firecrawl_api_key are added to HARD_SECRET_KINDS for auto-close parity with the PR-diff gate (safety.ts).
  • Deliberately does not do the "extract shared secret-detection module" refactor — that is a separate follow-up (Extract shared secret-detection module across secrets-scan.ts and content-lane/security-scan.ts #4608).

Closes #4604

Scope

  • The PR title follows type(scope): short summary Conventional Commit format, for example fix(api): restore profile access checks.
  • This PR is focused and does not mix unrelated backend, UI, MCP, docs, dependency, and deploy changes.
  • This follows CONTRIBUTING.md and does not reintroduce GitHub Pages, VitePress, site/, or CNAME.
  • I linked a currently open issue this PR resolves (e.g. Closes #123) — a linked open issue is required for every contributor PR.

Validation

  • git diff --check
  • npm run actionlint
  • npm run typecheck
  • npm run test:coverage locally; codecov/patch requires ≥99% coverage of the lines AND branches you changed (aim for 100% on your diff so CI variance does not fail near the threshold). Global coverage is a non-blocking trend with a loose 90% backstop, not the gate.
  • npm run test:workers
  • npm run build:mcp
  • npm run test:mcp-pack
  • npm run ui:openapi:check
  • npm run ui:lint
  • npm run ui:typecheck
  • npm run ui:build
  • npm audit --audit-level=moderate
  • New or changed behavior has unit/integration tests for new branches, fallback paths, and sanitizer boundaries

If any required check was skipped, explain why:

  • This change touches only src/review/content-lane/security-scan.ts and its unit test — no .github/workflows/**, MCP package, or apps/gittensory-ui/** files, so actionlint, test:workers, build:mcp/test:mcp-pack, ui:*, and npm audit are not exercised by the diff; left to CI's full test:ci run rather than duplicated locally. test:coverage was run scoped to the two touched test files (test/unit/content-lane-security-scan.test.ts, test/unit/secrets-scan.test.ts) with coverage restricted to the changed source file — v8 reports 100% statements/branches/functions/lines on src/review/content-lane/security-scan.ts for that run.

Safety

  • No secrets, wallet details, hotkeys, coldkeys, user PATs, private keys, raw trust scores, private rankings, or private maintainer evidence are exposed.
  • Public GitHub text stays sanitized, low-noise, and does not imply compensation guarantees or optimization tactics.
  • Auth, cookie, CORS, GitHub App, Cloudflare, or session changes include negative-path tests. (N/A — no auth/session surface touched.)
  • API/OpenAPI/MCP behavior is updated and tested where needed. (N/A — no API/OpenAPI/MCP surface touched.)
  • UI changes use live API data or real empty/error/loading states, not production mock/demo fallbacks. (N/A — no UI changed.)
  • Visible UI changes include a UI Evidence section below with JPG/JPEG or PNG screenshots arranged as organized, captioned, clickable thumbnails. SVG screenshots are not used as review evidence. Review-only screenshots or recordings are not committed to the repository. (N/A — no visible UI change.)
  • Public docs/changelogs are updated where needed; changelogs are only edited for release-prep PRs.

UI Evidence

N/A — no visible UI/frontend/docs change.

Notes

  • Test fixtures for the two new patterns and the mock-fixture carve-out mirror the equivalent cases already in test/unit/secrets-scan.test.ts; a parity it.each block at the bottom of test/unit/content-lane-security-scan.test.ts was extended to assert the content-lane scanner and the PR-diff scanner (secrets-scan.ts) now detect identical kinds for voyage_api_key, firecrawl_api_key, and the mock-fixture case — guarding against this exact class of drift recurring before the shared-module extraction (Extract shared secret-detection module across secrets-scan.ts and content-lane/security-scan.ts #4608) lands.

@superagent-security

Copy link
Copy Markdown
Contributor

Superagent didn't find any vulnerabilities or security issues in this PR.

@codecov

codecov Bot commented Jul 10, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.11%. Comparing base (2234cb7) to head (0da7bca).
⚠️ Report is 8 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #4628   +/-   ##
=======================================
  Coverage   94.11%   94.11%           
=======================================
  Files         432      432           
  Lines       38370    38372    +2     
  Branches    13989    13990    +1     
=======================================
+ Hits        36113    36115    +2     
  Misses       1600     1600           
  Partials      657      657           
Files with missing lines Coverage Δ
src/review/content-lane/security-scan.ts 100.00% <100.00%> (ø)
🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@gittensory-orb gittensory-orb Bot added the gittensor:bug Gittensor-scored bug fix — scores a 0.5x multiplier. label Jul 10, 2026
@gittensory-orb

gittensory-orb Bot commented Jul 10, 2026

Copy link
Copy Markdown

Warning

🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨

⏸️ Gittensory review result - manual review recommended

Review updated: 2026-07-10 08:47:47 UTC

2 files · 1 AI reviewer · 1 blocker · readiness 82/100 · CI green · unstable

⏸️ Suggested Action - Manual Review

  • Possible leaked secret in the diff (generic_secret_assignment) — Remove the secret from the diff, rotate the exposed credential, then re-run the gate.

Review summary
This ports two previously-fixed detections from secrets-scan.ts into the content-lane scanner verbatim: the voyage_api_key/firecrawl_api_key patterns (plus their HARD_SECRET_KINDS entries) and the LOWERCASE_HYPHENATED_MOCK_FIXTURE_PATTERN carve-out. Both additions are byte-identical to the already-proven code in secrets-scan.ts, the new tests exercise both positive/negative cases plus a parity check against the PR-diff gate, and the PR correctly defers the 'extract shared module' refactor to a separate follow-up (#4608) instead of scope-creeping it in here.

Nits — 6 non-blocking
  • src/review/content-lane/security-scan.ts:72 — the ported LOWERCASE_HYPHENATED_MOCK_FIXTURE_PATTERN (`^(?:[a-z]+-)*mock(?:-[a-z]+)*$`) was auto-flagged as ReDoS-prone; tracing it shows hyphens are literal delimiters `[a-z]+` can't cross, so there's no ambiguous partitioning like the classic `(a+)+` shape — worth a quick fuzz test for your own peace of mind, but it's byte-identical to what's already live in secrets-scan.ts, so this diff changes nothing about that exposure.
  • Now that voyage_api_key/firecrawl_api_key and the mock-fixture carve-out live in three near-identical copies (safety.ts's PR-diff scanner, secrets-scan.ts, content-lane/security-scan.ts), consider linking this PR from Extract shared secret-detection module across secrets-scan.ts and content-lane/security-scan.ts #4608 as concrete evidence for why that extraction is worth prioritizing.
  • test/unit/content-lane-security-scan.test.ts:109-118,283 — the split-literal secret fixtures (GENERIC_VALUE, etc.) are intentional test data, not real leaked credentials; flagging only so it's on record they aren't a leak.
  • Once Extract shared secret-detection module across secrets-scan.ts and content-lane/security-scan.ts #4608 lands, these three pattern arrays are the concrete drift risk to eliminate — this PR is a good example to cite for why.
  • No functional changes needed here; this is ready to merge on its own correctness merits (validate/validate-code CI status is outside this review's scope).
  • PR author also opened the linked issue — Link an issue that was opened by a different contributor, or provide a rationale for why this self-authored issue represents genuine discovery work.

Concerns raised — review before merging

  • Possible leaked secret in the diff (generic_secret_assignment) — Remove the secret from the diff, rotate the exposed credential, then re-run the gate.
Signal Result Evidence
Code review ❌ 1 blocker 1 reviewer
Linked issue ✅ Linked #4604
Related work ⚠️ 1 scoped overlap Top overlaps are listed below; lower-confidence bulk is hidden.
Change scope ❌ 8/20 High review scope from cached public metadata (1 linked issue).
Validation posture ✅ 25/25 PR body includes validation/test evidence.
Contributor workload ✅ 10/10 Author activity: 48 registered-repo PR(s), 40 merged, 334 issue(s).
Contributor context ✅ Confirmed Gittensor contributor JSONbored; Gittensor profile; 48 PR(s), 334 issue(s).
Gate result ❌ Blocking Repo-configured hard blocker found.
Linked issue satisfaction

Addressed
The diff adds the LOWERCASE_HYPHENATED_MOCK_FIXTURE_PATTERN carve-out to isPlaceholderSecretValue and adds voyage_api_key/firecrawl_api_key patterns plus HARD_SECRET_KINDS entries to content-lane/security-scan.ts, matching both fixes requested in the issue, and includes regression tests mirroring secrets-scan.test.ts for mock fixtures, both new key kinds, and cross-file parity. All three acceptanc

Review context
  • Author: JSONbored
  • Role context: owner (maintainer lane)
  • Public audience mode: oss maintainer
  • Lane context: Repository is configured for direct PR review.
  • Public profile languages: not available
  • Official Gittensor activity: 48 PR(s), 334 issue(s).
  • Related work: Titles/paths share 7 meaningful terms. (issue #4604, issue #4608)
Contributor next steps
  • Treat this as maintainer-lane context rather than normal contributor-lane activity.
  • Review top overlaps.
  • Add a concise scope and risk note.
  • Check active issues and PRs before submitting.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

  • Re-run Gittensory review

@gittensory-orb gittensory-orb Bot added the manual-review Gittensor contributor context label Jul 10, 2026
…ds (#4604)

content-lane/security-scan.ts had drifted from its two siblings
(secrets-scan.ts, review-enrichment's secret-scan.ts): it was missing the
LOWERCASE_HYPHENATED_MOCK_FIXTURE_PATTERN placeholder carve-out added by
#3866, so a fixture value like `token: "mock-response-value"` would
auto-close a legitimate content-lane submission with no human queue to
catch the false positive. It was also missing the voyage_api_key and
firecrawl_api_key patterns added to secrets-scan.ts by #3980, so a real
Voyage/Firecrawl key embedded in a content submission produced no
finding at all.

Ports both fixes verbatim into the content-lane copy and adds both kinds
to its HARD_SECRET_KINDS set for auto-close parity with the PR-diff gate.
No shared-module extraction here — that is tracked separately in #4608.
@JSONbored JSONbored force-pushed the fix/content-lane-secret-scan-parity branch from 161ae0d to 0da7bca Compare July 10, 2026 08:36
@JSONbored JSONbored merged commit 4966ef9 into main Jul 10, 2026
11 checks passed
@JSONbored JSONbored deleted the fix/content-lane-secret-scan-parity branch July 10, 2026 08:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gittensor:bug Gittensor-scored bug fix — scores a 0.5x multiplier. manual-review Gittensor contributor context

Development

Successfully merging this pull request may close these issues.

Port missing secret-scan fixes to content-lane/security-scan.ts

1 participant