SLT.V1.002 – Integrate secrets scrubber

[flyingrobots]

[SLT.V1.002] Integrate secrets scrubber

Overview

Introduce configurable redaction patterns that run before Shiplog stores journal attachments so sensitive tokens or API keys never persist in refs or exported logs.

References & Assets

• Figma / Design: N/A
• Product Spec (Notion / Confluence): N/A
• Related Issues / PRs: SLT.V1.001
• Feature Flags / Experiments: N/A
• Other Assets: N/A

User Story

As a release engineer,
I want Shiplog to scrub secrets from journal attachments automatically,
so that no credentials or tokens are leaked when logs are stored in Git.

Acceptance Criteria

• Redaction patterns and allowlists can be configured per repository/policy
• Shiplog applies redaction before persisting log attachments and notes
• Redacted entries leave audit breadcrumbs indicating replacements
• Dockerized Bats coverage verifies redaction and bypass scenarios

Definition of Done

Git journal attachments respect configured redaction rules, tests cover positive and negative cases, and docs explain configuration and defaults.

Scope

In-Scope

• Configurable scrubber patterns and allowlist
• Integration into attachment pipeline with tests
• Documentation updates for policy/env references

Out-of-Scope

• Retrofitting historical entries
• UI tooling for pattern editing

Deliverables

• Est. Lines of Code: ~200
• Est. Blast Radius: lib/attachments.sh, policy schema, docs

Implementation Details

High-Level Approach

Add pattern configuration to policy, implement scrubbing utility invoked before attachments are persisted, and ensure dry-run/preview workflows surface redaction results.

Affected Areas

• lib/attachments.sh
• policy schema / validator
• docs/features/policy.md
• tests/helpers/common.bash

Implementation Steps

• Extend policy schema with scrubber configuration and defaults
• Implement redaction helper invoked from attachment pipeline
• Add allowlist logic and logging for skipped replacements
• Update docs and examples
• Add Dockerized Bats cases

Test Plan

Happy Path

• Attachment with secret string is redacted before commit
• Allowlisted strings remain intact

Edge Cases

• Multiple overlapping patterns redact correctly
• Large attachments redact without performance issues

Failure Cases

• Misconfigured pattern surfaces descriptive error and fails safe

Monitoring & Success Metrics

• Audit log shows redaction summaries without leaking secret content

QA Sign-off Matrix

Environment	Surface (browser / device / API)	Owner	Status	Notes
Local Docker	CLI	TBD	Pending	Covered via make test

Requirements

Hard Requirements

• Secret scrubber executes on every attachment prior to persistence

Soft Requirements

• Redaction actions are logged for auditing

Runtime Requirements

• Must operate with default POSIX toolchain (no extra deps)

Dependencies & Approvals

• Policy schema update reviewed by maintainers
• Security review of redaction patterns

---

Production Notes

Priority: 4 / 5

High priority to protect credentials (P1 in roadmap).

Complexity: 3 / 5

Moderate implementation effort across policy, CLI, and tests.

Estimate: 16 - 24 hours

Includes schema, implementation, docs, and tests.

Risk & Rollback

• Primary Risks: Over-redaction breaking diagnostics; under-redaction leaking secrets
• Mitigations: Allowlist configuration, thorough test coverage
• Rollback / Kill Switch: Feature flag in policy to disable scrubber

---

Additional Notes

Blocked by SLT.V1.001 for plugin lifecycle coordination.

[flyingrobots]

Estimate: 3 hours.

Rationale:

• Pattern config and allowlist
• Integrate into log path
• Add tests for redaction