From 96619d74702a811f09e2d6e230674bea5ea6d986 Mon Sep 17 00:00:00 2001
From: Garry Tan
Date: Sun, 22 Mar 2026 12:23:32 -0700
Subject: [PATCH] =?UTF-8?q?fix(browse):=20improve=20storage=20redaction=20?=
 =?UTF-8?q?=E2=80=94=20word-boundary=20keys=20+=20more=20value=20prefixes?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Key regex: use underscore/dot/hyphen boundaries instead of \b (which treats _ as word char). Now correctly redacts auth_token, session_token while skipping keyboardShortcuts, monkeyPatch, primaryKey.

Value regex: add AWS (AKIA), Stripe (sk_live_, pk_live_), Anthropic (sk-ant-), Google (AIza), Sendgrid (SG.), Supabase (sbp_) prefixes.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 browse/src/read-commands.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/browse/src/read-commands.ts b/browse/src/read-commands.ts
index 7559b1f6..5d93156c 100644
--- a/browse/src/read-commands.ts
+++ b/browse/src/read-commands.ts
@@ -291,8 +291,8 @@ export async function handleReadCommand(
 sessionStorage: { ...sessionStorage },
 }));
 // Redact values that look like secrets (tokens, keys, passwords, JWTs)
- const SENSITIVE_KEY = /token|secret|key|password|credential|auth|jwt|session|csrf|api.?key/i;
- const SENSITIVE_VALUE = /^(eyJ|sk-|pk-|ghp_|gho_|github_pat_|xox[bpsa]-|Bearer\s)/;
+ const SENSITIVE_KEY = /(^|[_.-])(token|secret|key|password|credential|auth|jwt|session|csrf)($|[_.-])|api.?key/i;
+ const SENSITIVE_VALUE = /^(eyJ|sk-|sk_live_|sk_test_|pk_live_|pk_test_|rk_live_|sk-ant-|ghp_|gho_|github_pat_|xox[bpsa]-|AKIA[A-Z0-9]{16}|AIza|SG\.|Bearer\s|sbp_)/;
 const redacted = JSON.parse(JSON.stringify(storage));
 for (const storeType of ['localStorage', 'sessionStorage'] as const) {
 const store = redacted[storeType];
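Review bot: The new SENSITIVE_KEY boundary `(^|[_.-])…($|[_.-])` no longer matches the camelCase keys the old substring regex caught — `accessToken`, `refreshToken`, `sessionId`, `clientSecret`, `csrfToken` fail both the separator alternative and the `api.?key` fallback, so their values are now emitted unredacted, which is the wrong direction for a redaction filter to fail in. A cheap way to keep the separator rule and still see camelCase boundaries is to insert an underscore at each lower-to-upper transition before testing, e.g. `const isSensitiveKey = (k: string) => SENSITIVE_KEY.test(k.replace(/([a-z0-9])([A-Z])/g, '$1_$2'));`, and use that where the regex is applied in the loop below (outside this hunk); keyboardShortcuts and monkeyPatch still pass through, while primaryKey would be redacted again, a benign false positive I would accept over a leaked token. Separately, `sk-ant-` in SENSITIVE_VALUE is unreachable because `sk-` earlier in the alternation already matches any such value, so either drop it or extend the comment above to say the list is prefix-based and overlaps are intentional. handleReadCommand begins and ends outside the hunk.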