Timmy_Foundation/hermes-agent
15
0
Fork 0
Code Issues 64 Pull Requests 2 Actions 1 Packages Projects Releases Wiki Activity

test(redact): add regression tests for lowercase variable redaction (#4367) (#5185)

Browse Source 
Add 5 regression tests from PR #4476 (gnanam1990) to prevent re-introducing
the IGNORECASE bug that caused lowercase Python/TypeScript variable assignments
to be incorrectly redacted as secrets. The core fix landed in 6367e1c4.

Tests cover:
- Lowercase Python variable with 'token' in name
- Lowercase Python variable with 'api_key' in name
- TypeScript 'await' not treated as secret value
- TypeScript 'secret' variable assignment
- 'export' prefix preserved for uppercase env vars

Co-authored-by: gnanam1990 <gnanam1990@users.noreply.github.com>
This commit is contained in:
Teknium
2026-04-05 00:10:16 -07:00
committed by GitHub
parent 0fd3de2674
commit 5b003ca4a0
1 changed files with 32 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
tests/agent/test_redact.py
View File

@@ -82,6 +82,38 @@ class TestEnvAssignments:
result = redact_sensitive_text(text)
assert result == text
def test_lowercase_python_variable_token_unchanged(self):
# Regression: #4367 — lowercase 'token' assignment must not be redacted
text = "before_tokens = response.usage.prompt_tokens"
result = redact_sensitive_text(text)
assert result == text
def test_lowercase_python_variable_api_key_unchanged(self):
# Regression: #4367 — lowercase 'api_key' must not be redacted
text = "api_key = config.get('api_key')"
result = redact_sensitive_text(text)
assert result == text
def test_typescript_await_token_unchanged(self):
# Regression: #4367 — 'await' keyword must not be redacted as a secret value
text = "const token = await getToken();"
result = redact_sensitive_text(text)
assert result == text
def test_typescript_await_secret_unchanged(self):
# Regression: #4367 — similar pattern with 'secret' variable
text = "const secret = await fetchSecret();"
result = redact_sensitive_text(text)
assert result == text
def test_export_whitespace_preserved(self):
# Regression: #4367 — whitespace before uppercase env var must be preserved
text = "export SECRET_TOKEN=mypassword"
result = redact_sensitive_text(text)
assert result.startswith("export ")
assert "SECRET_TOKEN=" in result
assert "mypassword" not in result
class TestJsonFields:
def test_json_api_key(self):