Skip to content

fix: prevent publish abort on auto-generated logger-credential named values#220

Merged
EMaher merged 3 commits into
mainfrom
fix/redaction-guard-auto-generated-named-values
Jul 2, 2026
Merged

fix: prevent publish abort on auto-generated logger-credential named values#220
EMaher merged 3 commits into
mainfrom
fix/redaction-guard-auto-generated-named-values

Conversation

@EMaher

@EMaher EMaher commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Summary

apiops publish aborts with a false-positive secret-redaction error when the source APIM has loggers (Application Insights / Event Hub).

APIM auto-generates secret named values named Logger-Credentials--<hex> (24-char hex IDs) to hold logger credentials. These are redacted to *** REDACTED *** on extract. The publish pre-flight redaction guard scanned them and aborted before issuing a single PUT:

Publish aborted: 2 artifact(s) still contain the redaction marker '*** REDACTED ***'.
  - namedValues/6a46928afa1f751d044d805e (properties.value)
  - namedValues/6a46928afa1f751d044d8063 (properties.value)

However, the publisher already skips these auto-generated named values in splitNamedValues() — APIM recreates them when the referencing logger is published — unless the user supplies an explicit override. The guard did not apply the same filter, so it flagged redaction markers in artifacts that are never sent to APIM.

Fix

  • Make the redaction guard mirror the publisher: in scanNamedValue(), skip auto-generated named values that have no explicit override. This guarantees the invariant the guard skips a named value iff publish skips it — no path exists where a placeholder secret is skipped by the guard but still PUT to APIM.
  • Extract hasNamedValueOverride() into override-merger.ts as the single source of truth shared by both call sites (also avoids a publish-servicesecret-redaction-guard circular import).

Testing

  • Added 2 unit tests to secret-redaction-guard.test.ts:
    • auto-generated named value without an override is skipped (asserts the resource is never read)
    • auto-generated named value with an override is still scanned (marker still caught)
  • Existing secret / non-secret / KeyVault-backed / policy cases remain green.
  • Full unit suite passes; ESLint clean.
  • Validated end-to-end against a live APIM roundtrip (all-resource-types integration test): publish now clears the pre-flight guard on the Logger-Credentials--* named values.

Notes

  • Cherry-picked from the copilot/delete-unmatched-parameter-fix branch (originally commit f0894aa) so this important fix can land independently and be approved ASAP.
  • Reviewed against the constitution (§VI Testability, §VIII Secret Safety) — no blockers.

Related Issue(s)

None.

EMaher added 2 commits July 2, 2026 17:38
…values

The publish pre-flight redaction guard scanned every named value, including
APIM auto-generated logger credentials (24-char hex IDs, e.g.
Logger-Credentials--<hex>) whose secret values are redacted on extract. Because
splitNamedValues() already skips these during publish (APIM recreates them when
the referencing logger is published), the guard flagged markers in artifacts
that are never sent to APIM and aborted the publish with a false positive.

Make the guard mirror the publisher: skip auto-generated named values that have
no explicit override. Extract hasNamedValueOverride() into override-merger.ts as
the single source of truth shared by both call sites.
@EMaher
EMaher requested a review from petehauge July 2, 2026 17:44
@EMaher EMaher self-assigned this Jul 2, 2026
Comment thread CHANGELOG.md Outdated
@EMaher

EMaher commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

@copilot - Revert the change to CHANGELOG.md

Copilot AI commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

@copilot - Revert the change to CHANGELOG.md

Done in c29bcb4CHANGELOG.md has been reverted.

Copilot finished work on behalf of EMaher July 2, 2026 18:38
@EMaher
EMaher merged commit b27b85c into main Jul 2, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants