
fix(one-way-doors): unify credential noun list across revoke/reset/rotate #2025

Open
jbetala7 wants to merge 1 commit into garrytan:main from jbetala7:oss/fix-one-way-doors-credential-noun-parity

Conversation

@jbetala7

Contributor

Problem

scripts/one-way-doors.ts is the secondary keyword safety net for AskUserQuestion calls that fire without a registry id. A false negative here auto-approves a destructive op (the question is treated as two-way / preference-suppressible instead of one-way / always-ask).

Its three credential patterns are meant to be parallel across revoke/reset/rotate (the inline comment says they "allow filler words between verb and noun"; the #1839 test header states the patterns "must be parallel across revoke/reset/rotate"). They were not:

revoke: api key | token |          credential | access key | password   (missing: secret)
reset:  api key | token |          credential |              password   (missing: secret, access key)
rotate: api key | token | secret | credential | access key | password   (complete)

Root cause

secret lived only in the rotate alternation, and access key was absent from reset. So these phrasings slipped through as two-way on main (c7ae632, v1.58.1.0):

two-way   revoke my secret      <- should be one-way
two-way   reset my secret       <- should be one-way
two-way   reset my access key   <- should be one-way
ONE-WAY   rotate my secret

This is the same false-negative class #1839 fixed for rotate ... password; that fix unified one verb's nouns but left revoke/reset short.

Fix

Give all three verbs an identical credential noun alternation (api key | token | secret | credential | access key | password). Pure widening of an over-narrow safety net: no previously-caught phrasing stops matching, and the additions are conservative (a credential verb + credential noun is exactly what this net is for).

Testing

bun test test/one-way-doors.test.ts — 4 pass, 28 assertions. Added a regression test asserting every <verb> my <noun> pair across all three verbs and all six nouns classifies one-way; it fails on main for the three cases above and passes with this change.

Fixes #2024
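The gap the description walks through, as an added TypeScript example that is not the repository's scripts/one-way-doors.ts: the filler-word regex shape, the classify/falseNegatives helpers and the door labels are assumptions made here to illustrate why an unequal noun alternation across the three verbs yields false negatives.

```typescript
// Added example, not the project's own code. The pattern shape (verb, up to
// three filler words, noun) and the helper names are assumptions.

type Door = "one-way" | "two-way";

// The six credential nouns the fix gives every verb.
const NOUNS_ALL = ["api key", "token", "secret", "credential", "access key", "password"];

// Build one regex per verb: the verb, a few optional filler words, then a noun
// from that verb's own alternation (e.g. "revoke my old api key").
function buildPatterns(nounsByVerb: { [verb: string]: string[] }): RegExp[] {
  const patterns: RegExp[] = [];
  for (const verb in nounsByVerb) {
    const alt = nounsByVerb[verb].map((n) => n.replace(/\s+/g, "\\s+")).join("|");
    patterns.push(new RegExp(`\\b${verb}\\b(?:\\s+\\w+){0,3}?\\s+(?:${alt})\\b`, "i"));
  }
  return patterns;
}

// The narrow lists as they stood before the fix (taken from the PR description).
const BEFORE = buildPatterns({
  revoke: ["api key", "token", "credential", "access key", "password"],
  reset: ["api key", "token", "credential", "password"],
  rotate: NOUNS_ALL,
});

// The unified lists after the fix: every verb gets the identical alternation.
const AFTER = buildPatterns({ revoke: NOUNS_ALL, reset: NOUNS_ALL, rotate: NOUNS_ALL });

// Keyword safety net: any match means the question is one-way (always ask).
function classify(question: string, patterns: RegExp[]): Door {
  return patterns.some((p) => p.test(question)) ? "one-way" : "two-way";
}

// Every "<verb> my <noun>" phrasing that the given patterns let through as
// two-way. An empty result means the net is parallel across all three verbs.
function falseNegatives(patterns: RegExp[]): string[] {
  const leaked: string[] = [];
  for (const verb of ["revoke", "reset", "rotate"]) {
    for (const noun of NOUNS_ALL) {
      const q = `${verb} my ${noun}`;
      if (classify(q, patterns) !== "one-way") leaked.push(q);
    }
  }
  return leaked;
}

const beforeGaps = falseNegatives(BEFORE); // the three phrasings from the description
const afterGaps = falseNegatives(AFTER);   // []
```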

…tate

The secondary keyword safety net's three credential patterns are meant to
be parallel, but revoke was missing "secret" and reset was missing
"secret" and "access key". Those nouns only lived in the rotate
alternation, so "revoke my secret", "reset my secret", and
"reset my access key" classified as two-way (auto-decidable) instead of
one-way (always ask) -- a false negative in a destructive-op safety net,
the same class garrytan#1839 fixed for "rotate ... password".

Give all three verbs an identical noun alternation and extend the
regression test to assert every verb x noun pair is one-way.

Fixes garrytan#2024

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@trunk-io

trunk-io Bot commented Jun 16, 2026


Merging to main in this repository is managed by Trunk.

  • To merge this pull request, check the box to the left or comment /trunk merge below.

After your PR is submitted to the merge queue, this comment will be automatically updated with its status. If the PR fails, failure details will also be posted here.


Development

Successfully merging this pull request may close these issues.

one-way-doors: revoke/reset credential patterns miss nouns rotate has — 'reset my secret' leaks through as two-way
