From 02242b2bd742d898515b952b7b13fa99569b875c Mon Sep 17 00:00:00 2001
From: CoderDeltaLAN
Date: Wed, 17 Jun 2026 00:50:27 +0100
Subject: [PATCH] fix: match Anthropic tokens before generic sk pattern

---
 CHANGELOG.md                      |  1 +
 src/agent_rules_kit/redaction.py  |  8 ++++----
 tests/test_diagnostic_fixtures.py |  1 +
 tests/test_redaction.py           | 15 ++++++++++++++-
 4 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0b3bc3b..f68e803 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ This project has a published GitHub Release line, but no stable support or API g
 ### Fixed
+- Fixed secret redaction pattern order so Anthropic-style `sk-ant-` keys match the specific Anthropic pattern before the generic `sk-` pattern.
 - Tightened governance regex coverage for review/CI bypass, unsafe command guidance, and runtime network or LLM dependency findings.
 - Expanded secret-like token redaction coverage.
 - Added context-aware governance finding suppression so nearby negative guidance can avoid false positives.
diff --git a/src/agent_rules_kit/redaction.py b/src/agent_rules_kit/redaction.py
index 921dd1e..b867c7e 100644
--- a/src/agent_rules_kit/redaction.py
+++ b/src/agent_rules_kit/redaction.py
@@ -18,14 +18,14 @@ class RedactionPattern:
 SECRET_LIKE_PATTERNS: tuple[RedactionPattern, ...] = (
-    RedactionPattern(
-        name="openai_api_key",
-        pattern=re.compile(r"sk-[A-Za-z0-9_-]{12,}"),
-    ),
     RedactionPattern(
         name="anthropic_api_key",
         pattern=re.compile(r"sk-ant-[A-Za-z0-9_-]{12,}"),
     ),
+    RedactionPattern(
+        name="openai_api_key",
+        pattern=re.compile(r"sk-[A-Za-z0-9_-]{12,}"),
+    ),
     RedactionPattern(
         name="jwt_token",
         pattern=re.compile(r"eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}"),
diff --git a/tests/test_diagnostic_fixtures.py b/tests/test_diagnostic_fixtures.py
index 2859d49..c863a80 100644
--- a/tests/test_diagnostic_fixtures.py
+++ b/tests/test_diagnostic_fixtures.py
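Review bot: The correctness of `SECRET_LIKE_PATTERNS` now depends on tuple order — the `sk-ant-` entry must precede the generic `sk-` entry — but nothing in the hunk records that, so an alphabetical re-sort or a new `sk-`-prefixed vendor pattern appended later would silently regress it. Add a comment above the first `RedactionPattern(` such as `# Order matters: more specific prefixes (e.g. sk-ant-) must precede the generic sk- pattern, which would otherwise claim the whole token.` Note that on an `sk-ant-…` key both regexes match the same span (the generic class already accepts `-` and letters), so the reorder changes which pattern name is attributed rather than what text gets redacted — worth stating in the comment so readers do not expect different output. The tuple literal continues past the end of the hunk.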
@@ -33,6 +33,7 @@ DISALLOWED_SECRET_MARKERS = (
     "sk-",
+    "sk-ant-",
     "ghp_",
     "AKIA",
     "-----BEGIN",
diff --git a/tests/test_redaction.py b/tests/test_redaction.py
index 2dedfaf..5592379 100644
--- a/tests/test_redaction.py
+++ b/tests/test_redaction.py
@@ -2,7 +2,11 @@
 import unittest
-from agent_rules_kit.redaction import REDACTION_TEXT, redact_secret_like_values
+from agent_rules_kit.redaction import (
+    REDACTION_TEXT,
+    SECRET_LIKE_PATTERNS,
+    redact_secret_like_values,
+)
 class RedactionTests(unittest.TestCase):
@@ -27,6 +31,15 @@ def test_redacts_anthropic_like_key(self) -> None:
         self.assertEqual(redacted, f"anthropic={REDACTION_TEXT}")
         self.assertNotIn(secret, redacted)
+    def test_anthropic_like_key_matches_specific_pattern_before_generic_sk_pattern(self) -> None:
+        secret = "sk-ant-api03-" + ("I" * 36)
+
+        first_matching_pattern = next(
+            item for item in SECRET_LIKE_PATTERNS if item.pattern.search(secret)
+        )
+
+        self.assertEqual(first_matching_pattern.name, "anthropic_api_key")
+
     def test_redacts_jwt_like_token(self) -> None:
         secret = "eyJ" + ("A" * 20) + "." + ("B" * 20) + "." + ("C" * 20)
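Review bot: The new `"sk-ant-"` marker is subsumed by the `"sk-"` marker already in `DISALLOWED_SECRET_MARKERS` if the markers are applied as substring checks — any fixture text containing `sk-ant-` also contains `sk-` — so the added entry likely cannot change the outcome of whatever asserts over this tuple. If it is kept to document the Anthropic prefix that the redaction reorder targets, say so inline: `"sk-ant-",  # already covered by "sk-"; listed to mirror the anthropic_api_key redaction pattern`. If the markers are matched some other way (whole-token or regex), that is not visible here and the redundancy concern may not apply. The tuple starts before and continues past the hunk.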