Update ghs_ token detection/redaction for stateless JWT format

[Copilot]

GitHub App installation tokens (ghs_) now use a long stateless JWT-like format (including . and _), while existing patterns assumed fixed-length alphanumeric tokens. This caused DLP matching and CLI redaction to miss valid new-format tokens.

• DLP pattern update

  • Updated src/dlp.ts:
    • ghs_[a-zA-Z0-9]{36} → ghs_[A-Za-z0-9._]{36,}
  • This aligns ghs_ detection with the new token shape/length expectations.

• Secret redaction update

  • Updated src/redact-secrets.ts GitHub token matcher:
    • \b(gh[pousr]_[a-zA-Z0-9]{36,255}) → \b(gh[pousr]_[A-Za-z0-9._]{36,})
  • Removes the old upper bound and allows JWT-compatible characters so redaction covers full tokens instead of stopping at delimiters.

• Focused test coverage

  • Updated src/dlp.test.ts expected ghs_ regex string and added a stateless JWT-style ghs_ case with long segments plus . / _.
  • Added src/cli.test.ts case verifying redaction of long JWT-style ghs_ tokens.

// Before
regex: 'ghs_[a-zA-Z0-9]{36}'

// After
regex: 'ghs_[A-Za-z0-9._]{36,}'

[Copilot]

Pull request overview

Updates GitHub App installation token (ghs_) detection and redaction to handle newer stateless/JWT-like token formats so DLP blocking and CLI log redaction don’t miss valid tokens.

Changes:

• Expanded ghs_ DLP regex to allow longer tokens containing . / _.
• Expanded GitHub token redaction regex to allow . / _ and removed the previous max-length cap.
• Added tests covering long JWT-like ghs_ tokens for both DLP detection and CLI redaction.

Show a summary per file

File	Description
src/redact-secrets.ts	Broadens GitHub token redaction regex to cover JWT-like ghs_ formats.
src/dlp.ts	Broadens ghs_ DLP pattern to match longer token shapes including . / _.
src/dlp.test.ts	Updates expected ghs_ regex string and adds a long JWT-like ghs_ detection test.
src/cli.test.ts	Adds a CLI redaction test for long JWT-like ghs_ tokens.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 4/4 changed files
• Comments generated: 4

[lpcox]

@copilot address review feedback

[Copilot]

@copilot address review feedback

Addressed in 68e2c41.

Updated both ghs_ matchers to include - ([A-Za-z0-9._-]{36,}) in DLP and redaction, and updated the DLP/CLI tests to include JWT-like ghs_ tokens containing . _ and - to prevent regressions.

[github-actions]

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric	Base	PR	Delta
Lines	96.53%	96.58%	📈 +0.05%
Statements	96.37%	96.42%	📈 +0.05%
Functions	97.99%	97.99%	➡️ +0.00%
Branches	90.88%	90.84%	📉 -0.04%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/config-writer.ts	89.3% → 90.9% (+1.65%)	89.3% → 90.9% (+1.65%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

Smoke Test Results

✅ GitHub MCP: Connected (PR #3782: "feat: document model alias logging and wire debugTokens through config")
❌ GitHub.com: File test not found at expected path
❌ File Write/Read: /tmp/smoke-test-file.txt missing

Status: ❌ FAIL

Triggered by @Copilot • Assignees: @lpcox @Copilot

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

BYOK Offline Mode Smoke Test Results

✅ GitHub MCP: PR #3790 - [WIP] Standardize JSONL log record format
❌ File I/O: Test file not found at /tmp/smoke-test-file.txt
❌ GitHub.com: HTTP code not provided in workflow variables
✅ BYOK Inference: Successfully processing this prompt via api-proxy → api.githubcopilot.com

Mode: COPILOT_OFFLINE=true (BYOK offline mode)
Overall: PARTIAL PASS (2/4 tests)

PR Context: #3786 by @Copilot, assigned to @lpcox, @Copilot

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

Smoke Test Codex: FAIL

PRs reviewed: feat: document model alias logging and wire debugTokens through config; Increase smoke-claude max-turns from 2 to 10
✅ GitHub PR read; ❌ safeinputs-gh unavailable
✅ Playwright title; ❌ Tavily exposed no search tool
✅ File/bash; ❌ discussion safe-input unavailable; ✅ build
Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions]

Service Connectivity Test Results

❌ Redis: Connection timeout/failed
❌ PostgreSQL pg_isready: No response
❌ PostgreSQL SELECT 1: Not tested (pg_isready failed)

Result: FAIL — Unable to reach host.docker.internal services from AWF sandbox

🔌 Service connectivity validated by Smoke Services

[github-actions]

🧪 Chroot Runtime Version Test Results

Compared runtime versions between host and chroot environments:

Runtime	Host Version	Chroot Version	Match?
Python	3.12.13	3.12.3	❌ NO
Node.js	v24.15.0	v22.22.3	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Overall Result: Some version mismatches detected

Analysis

• Go: ✅ Perfect match - chroot successfully uses host Go installation
• Python: ❌ Minor version mismatch (3.12.13 vs 3.12.3)
• Node.js: ❌ Major+minor mismatch (v24.15.0 vs v22.22.3)

The Go match confirms that chroot bind mounts work correctly. Python and Node.js differences suggest the container may have its own installations that take precedence over host bind mounts.

Tested by Smoke Chroot

[github-actions]

Smoke Test FAIL. MCP: ❌, Conn: ❌, File: ✅, Bash: ✅

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

[github-actions]

🏗️ Build Test Suite Results

All build tests completed successfully! ✅

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	1/1 passed	✅ PASS
Node.js	execa	✅	1/1 passed	✅ PASS
Node.js	p-limit	✅	1/1 passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

---

Summary

• Total projects tested: 18
• Passed: 18
• Failed: 0
• All ecosystems successfully built and tested their respective projects

Generated by Build Test Suite for issue #3786 · ● 8.4M · ◷