From a9202037302371c5c3bf420403e07d3e1e006c59 Mon Sep 17 00:00:00 2001
From: claude
Date: Thu, 25 Jun 2026 02:33:34 +0000
Subject: [PATCH] fix(dlp): skip projection passes when exact variant is safe-listed

When a supervisor-approved safe-token exactly matched an env secret (Pass 1), Passes 2 & 3 (alnum projection) still ran and re-blocked on the same value. Track whether any variant was found-and-approved and skip the projection passes for that secret in that case.
---
 bot_bottle/dlp_detectors.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/bot_bottle/dlp_detectors.py b/bot_bottle/dlp_detectors.py
index e46960d..d4a4cb1 100644
--- a/bot_bottle/dlp_detectors.py
+++ b/bot_bottle/dlp_detectors.py
@@ -222,6 +222,7 @@ def scan_known_secrets(
             continue
 
         # Pass 1: exact match across encoded variants (original behaviour).
+        approved_exact = False
         for variant in _encoded_variants(value):
             pos = text.find(variant)
             if pos >= 0:
@@ -229,6 +230,7 @@ def scan_known_secrets(
                 # (PRD 0062); a different encoding of the same secret is a
                 # fresh block.
                 if safe_tokens is not None and variant in safe_tokens:
+                    approved_exact = True
                     continue
                 return ScanResult(
                     severity="block",
@@ -237,6 +239,10 @@ def scan_known_secrets(
                     context=_snippet(text, pos, pos + len(variant)),
                     matched=variant,
                 )
+        if approved_exact:
+            # Exact match was found and approved; projection passes would
+            # fire on the same value, so skip them for this secret.
+            continue
 
         # Pass 2 & 3: fragmentation-resistant projection checks.
         secret_alnum = _alnum_projection(value)
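Review bot: The new `if approved_exact: continue` in the third hunk skips Passes 2 & 3 for the whole secret, so a second occurrence of the same variant, or a fragmented rendering of the secret, elsewhere in `text` is no longer detected once one exact variant has been safe-listed — the comment in the second hunk treats a different rendering as a fresh block, and the fragmentation passes exist for exactly that case. Because `pos = text.find(variant)` only locates the first occurrence, a supervisor approval of one token is effectively widened to every later appearance of that secret in the message. Safer is to keep the projection passes and have them ignore only the approved span, e.g. record `approved_spans.append((pos, pos + len(variant)))` at the approval site and discard a projection hit that falls inside one of those spans, or run the projection on a copy of `text` with the approved variant removed. If suppressing the whole secret is the intended scope, the added comment should say so explicitly, e.g. `# NOTE: approving one exact variant also suppresses fragment detection for this secret in this text`. scan_known_secrets begins and ends outside the hunks and the bodies of Passes 2 & 3 are not visible here, so whether they would re-fire on the same span is inferred from the commit message rather than the code.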