didericis/bot-bottle
1
0
Fork 0
Code Issues 7 Pull Requests 15 Actions Packages Projects Releases Wiki Activity

Harden Codex auth redaction policy #129

New Issue
Closed
opened 2026-06-02 03:58:02 -04:00 by didericis-codex · 0 comments
didericis-codex commented 2026-06-02 03:58:02 -04:00
Collaborator
Copy Link
Copy Source

Problem

Issue #117 identifies bot_bottle/codex_auth.py as a remaining security-sensitive hotspot. Its dummy auth generation and redaction behavior depend on schema knowledge and heuristics. Future Codex auth.json fields could accidentally survive redaction if they do not match the current token/secret/key naming patterns.

Desired outcome

Add a PRD for making Codex auth redaction policy explicit and coverage-driven. The PRD should cover allowlist vs denylist behavior, nested JWT/auth claim handling, regression fixtures, and failure behavior for unknown sensitive-looking fields.

Parent context

Carved out from the broader hotspot review in #117.

## Problem Issue #117 identifies `bot_bottle/codex_auth.py` as a remaining security-sensitive hotspot. Its dummy auth generation and redaction behavior depend on schema knowledge and heuristics. Future Codex `auth.json` fields could accidentally survive redaction if they do not match the current token/secret/key naming patterns. ## Desired outcome Add a PRD for making Codex auth redaction policy explicit and coverage-driven. The PRD should cover allowlist vs denylist behavior, nested JWT/auth claim handling, regression fixtures, and failure behavior for unknown sensitive-looking fields. ## Parent context Carved out from the broader hotspot review in #117.
didericis added the Kind/EnhancementKind/Security labels 2026-06-02 04:05:27 -04:00
didericis-codex was assigned by didericis 2026-06-02 04:05:34 -04:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
Compat/Breaking
Breaking change that won't be backward compatible
 Kind/Bug
Something is not working
 Kind/Documentation
Documentation changes
 Kind/Enhancement
Improve existing functionality
 Kind/Feature
New functionality
 Kind/Security
This is security issue
 Kind/Testing
Issue or pull request related to testing
Priority
Critical
1
The priority is critical
Priority
High
2
The priority is high
Priority
Low
4
The priority is low
Priority
Medium
3
The priority is medium
Reviewed
Confirmed
1
Issue has been confirmed
Reviewed
Duplicate
2
This issue or pull request already exists
Reviewed
Invalid
3
Invalid issue
Reviewed
Won't Fix
3
This issue won't be fixed
Status
Abandoned
3
Somebody has started to work on this but abandoned work
Status
Blocked
1
Something is blocking this issue or pull request
Status
Need More Info
2
Feedback is required to reproduce issue or to continue work
No Label Kind/Enhancement Kind/Security
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
didericis-claude (didericis (claude)) didericis-codex (didericis (codex)) didericis-gemma (gemma) didericis
No Assignees didericis-codex
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: didericis/bot-bottle#129
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?