updatedToolOutput. OFF by default — operators opt in via ORK_SECRET_HOOK env var.

| # | Pattern | Class | Action on hit | Audit verdict |
|---|---|---|---|---|
| 1 | github-pat | bounded | in-place [REDACTED:github-pat] | tightened — added github_pat_ FN |
| 2 | anthropic-key | bounded | in-place | ship as-is |
| 3 | openai-project-key | bounded | in-place | NEW — sk-proj-* was silent FN |
| 4 | openai-key | bounded | in-place | tightened — exact 48 chars |
| 5 | aws-access-key-id | bounded | in-place | loosened — AKIA + ASIA + AROA + AIDA + … |
| 6 | slack-token | bounded | in-place | extended — added xoxe/xoxs/xapp |
| 7 | ssh-private-key | critical | GATE entire output | ship as-is |
| 8 | gpg-private-key | critical | GATE | ship as-is |
| 9 | aws-secret-access-key | critical | GATE (with assignment context) | tightened — case-insensitive |

| Mode | Default | Behavior | When to use |
|---|---|---|---|
| OFF | ✓ | Hook returns early; zero overhead | Initial rollout — preserve current behavior |
| AUDIT | | Writes .claude/state/secret-audit.jsonl; output unchanged | Tune regex set against real traffic ~30d before flipping enforcement |
| REDACT | | Bounded → in-place; critical → gate entire output | After AUDIT shows low FP rate |

The AUDIT step matters: regex false positives are the failure mode operators feared most when shipping output mutation. AUDIT lets you observe FPs against real traffic before any model behavior changes.

A growing corpus of negative fixtures (inputs that must NOT match) is the regression guard. Adding a "this matched but shouldn't" case is one line in negative-corpus.ts. Today's negative corpus catches: UUIDs, git SHAs, npm sha512 integrity, JWTs without claims, bcrypt hashes, IPv6, isolated 40-char base64 (no AWS context), npm shrinkwrap, build artifacts.
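As an added illustration (not the project's hook code or its real regex set), here is the OFF / AUDIT / REDACT dispatch, the bounded-vs-critical handling and a negative-corpus check in TypeScript. The regexes, the sample values and the names `scan`, `applyHook` and `negativeCorpusFailures` are constructed assumptions.

```typescript
// Added example, not the project's hook. Regexes are constructed approximations of the named classes.
type PatternClass = "bounded" | "critical";
type Mode = "OFF" | "AUDIT" | "REDACT";
interface SecretPattern { id: string; cls: PatternClass; re: RegExp }
interface Hit { id: string; cls: PatternClass; index: number }
interface HookResult { output: string; gated: boolean; hits: Hit[] }

const PATTERNS: SecretPattern[] = [
  { id: "github-pat", cls: "bounded", re: /\b(?:ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})\b/ },
  { id: "aws-access-key-id", cls: "bounded", re: /\b(?:AKIA|ASIA|AROA|AIDA)[A-Z0-9]{16}\b/ },
  { id: "ssh-private-key", cls: "critical", re: /-----BEGIN (?:OPENSSH |RSA |EC )?PRIVATE KEY-----/ },
  // Critical only with assignment context: an isolated 40-char base64 run must stay silent.
  { id: "aws-secret-access-key", cls: "critical", re: /aws_secret_access_key\s*[=:]\s*[A-Za-z0-9\/+]{40}/i },
];

// Fresh global copy per call so shared lastIndex state can never skip a match.
const fresh = (p: SecretPattern): RegExp => new RegExp(p.re.source, p.re.ignoreCase ? "gi" : "g");

function scan(text: string, patterns: SecretPattern[] = PATTERNS): Hit[] {
  const hits: Hit[] = [];
  for (const p of patterns) {
    const re = fresh(p);
    let m: RegExpExecArray | null;
    while ((m = re.exec(text)) !== null) hits.push({ id: p.id, cls: p.cls, index: m.index });
  }
  return hits;
}

// OFF: return untouched. AUDIT: record hits, output unchanged.
// REDACT: any critical hit gates the whole output; otherwise bounded hits are replaced in place.
function applyHook(text: string, mode: Mode, auditLog: Hit[][] = []): HookResult {
  if (mode === "OFF") return { output: text, gated: false, hits: [] };
  const hits = scan(text);
  if (mode === "AUDIT") { auditLog.push(hits); return { output: text, gated: false, hits }; }
  if (hits.some((h) => h.cls === "critical")) {
    return { output: "[GATED: critical secret in tool output]", gated: true, hits };
  }
  let out = text;
  for (const p of PATTERNS) if (p.cls === "bounded") out = out.replace(fresh(p), `[REDACTED:${p.id}]`);
  return { output: out, gated: false, hits };
}

// Negative corpus (constructed samples that must NOT match); returns ids of any pattern that fires.
const NEGATIVE_CORPUS: string[] = [
  "550e8400-e29b-41d4-a716-446655440000",      // UUID
  "da39a3ee5e6b4b0d3255bfef95601890afd80709",  // git SHA
  "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",  // isolated 40-char base64, no AWS context
];
function negativeCorpusFailures(corpus: string[] = NEGATIVE_CORPUS): string[] {
  const ids: string[] = [];
  for (const s of corpus) for (const h of scan(s)) ids.push(h.id);
  return ids;
}
```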