From 5b003ca4a00403f02590e362fd7ba7062adfaa3d Mon Sep 17 00:00:00 2001 From: Teknium <127238744+teknium1@users.noreply.github.com> Date: Sun, 5 Apr 2026 00:10:16 -0700 Subject: [PATCH] test(redact): add regression tests for lowercase variable redaction (#4367) (#5185) Add 5 regression tests from PR #4476 (gnanam1990) to prevent re-introducing the IGNORECASE bug that caused lowercase Python/TypeScript variable assignments to be incorrectly redacted as secrets. The core fix landed in 6367e1c4. Tests cover: - Lowercase Python variable with 'token' in name - Lowercase Python variable with 'api_key' in name - TypeScript 'await' not treated as secret value - TypeScript 'secret' variable assignment - 'export' prefix preserved for uppercase env vars Co-authored-by: gnanam1990 --- tests/agent/test_redact.py | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/tests/agent/test_redact.py b/tests/agent/test_redact.py index 6b7cfa586..83b1b4d1a 100644 --- a/tests/agent/test_redact.py +++ b/tests/agent/test_redact.py @@ -82,6 +82,38 @@ class TestEnvAssignments: result = redact_sensitive_text(text) assert result == text + def test_lowercase_python_variable_token_unchanged(self): + # Regression: #4367 — lowercase 'token' assignment must not be redacted + text = "before_tokens = response.usage.prompt_tokens" + result = redact_sensitive_text(text) + assert result == text + + def test_lowercase_python_variable_api_key_unchanged(self): + # Regression: #4367 — lowercase 'api_key' must not be redacted + text = "api_key = config.get('api_key')" + result = redact_sensitive_text(text) + assert result == text + + def test_typescript_await_token_unchanged(self): + # Regression: #4367 — 'await' keyword must not be redacted as a secret value + text = "const token = await getToken();" + result = redact_sensitive_text(text) + assert result == text + + def test_typescript_await_secret_unchanged(self): + # Regression: #4367 — similar pattern with 'secret' variable + text = "const secret = await fetchSecret();" + result = redact_sensitive_text(text) + assert result == text + + def test_export_whitespace_preserved(self): + # Regression: #4367 — whitespace before uppercase env var must be preserved + text = "export SECRET_TOKEN=mypassword" + result = redact_sensitive_text(text) + assert result.startswith("export ") + assert "SECRET_TOKEN=" in result + assert "mypassword" not in result + class TestJsonFields: def test_json_api_key(self):