Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

📊 PR Status — #27 PILOT-304

CI Checks (2/2 passing)

Canary

🧪 Running — dispatched run 26692500596, pending completion.

Jira

PILOT-304 — QA/IN-REVIEW (unassigned). Updated: 2026-05-30T22:11 EEST.

Last operator activity

PR created by matthew-pilot at 19:11 UTC. No operator activity yet.

🔍 PR Explanation — #27 PILOT-304

What this does

Extends audit entry redaction from top-level keys only to recursive deep inspection: nested maps, deeply-nested maps, and inline secrets embedded in string values (e.g. JSON blobs or key=value pairs).

The problem

The existing redactKey() check only looked at the top-level attrs slice passed to BuildEntry. If an operator logged a config map like {"host":"x","token":"sk-secret"}, the token appeared unredacted in the audit log. Similarly, a raw JSON string like {"api_key":"sk-emb"} in an env value would leak its secret because the scanner didnt look inside string values.

Walkthrough: 2 files (+158/−8)

audit/audit.go (+105/−8)

1. BuildEntry refactored (line 277): switches from string concatenation to strings.Builder. Calls new formatVal(k, v) instead of inline redaction — delegates all formatting and redaction to the new recursive pipeline.

2. formatVal(k, v) — top-level dispatcher:

   • If key matches redactKey() → <redacted> (unchanged behavior).
   • If value is map[string]interface{} → delegates to formatMap (recursive).
   • If value is string → runs through scanSecrets (new: inline secret scanning).
   • Otherwise → fmt.Sprintf("%v") as before.

3. formatMap(prefix, m) — recursive map walker:

   • Formats as prefix={k1=v1, k2=v2, ...}.
   • For each key: redacts if secret, recurses into nested maps, scans string values.

4. scanSecrets(s) — string value scanner:

   • Scans for secret-key prefixes embedded in string values (JSON "token":"...", key=value pairs, etc.).
   • Replaces the value portion with <redacted>.
   • Uses substring matching (no regex dependency).

5. findValueEnd(s) — value boundary detector:

   • Stops at first whitespace, comma, quote, or newline after a secret key prefix.

6. secretKeyPrefixes — pattern list:

   • admin_token, private_key, api_key, signature, token, password, passwd, secret, bearer, credential
   • Both JSON ("key":") and plain (key=) formats. Longer prefixes first to avoid partial matches.

audit/zz_redaction_test.go (+53/−0) — 5 new test cases:

• Nested map with token → redacted
• Deeply nested map (2 levels) → redacted
• Stringified JSON with embedded token → scanned and redacted
• key=value string with api_key=sk-kv → scanned and redacted
• Clean string (host=ex.com) → untouched

Why this approach

• Zero new dependencies — substring matching, no regex. Keeps the audit package dependency surface small.
• Recursive by construction — any nesting depth works because formatMap calls formatVal which can call formatMap.
• Backward-compatible — top-level redactKey() behavior is unchanged. The new code adds deeper scanning alongside the existing check.