Context
The security best-practices report identified that the current custom secret scanner is a useful fast guardrail, but its pattern set is intentionally narrow and should not be treated as complete DLP before live MailPlus or selected-text-cache work.
Evidence
scripts/check-detect-secrets.sh:47-58 scans for a small fixed set of token prefixes and environment variable names.
docs/privacy-redaction-boundaries.md:17-22, docs/privacy-redaction-boundaries.md:56-61, and docs/privacy-redaction-boundaries.md:151-155 cover broader sensitive material: reset links, magic login links, OAuth URLs, payment links, attachment text, prompt payloads, and response dumps.
Acceptance criteria
- Document the scanner as a fast baseline guardrail, not comprehensive DLP.
- Add targeted patterns or checks for likely MailPlus-specific leaks before live integration work, including .eml, .mbox, OAuth URLs, magic/reset links, payment links, and local SQLite/cache filenames.
- Keep false positives manageable for synthetic fixtures and docs.
- Add script validation covering at least one newly-detected MailPlus-specific leak shape and one allowed synthetic fixture/doc shape.
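
One way the last three criteria could fit together, as an added example rather than the project's own scripts/check-detect-secrets.sh: it flags URLs carrying a long token in a query parameter and .eml/.mbox/SQLite filenames, and filters each match against an allowlist of synthetic shapes. Every pattern, the allowlist rules (reserved example hosts, a fixtures/ directory, a synthetic- filename prefix) and the sample text are assumptions.

```shell
#!/bin/sh
# Added example; patterns, allowlists and samples are assumptions, not project code.

# URL with a long token in a query/fragment parameter (OAuth redirect, magic/reset link shape).
URL_LEAK_RE='https?://[^[:space:]"<>]+[?&#](code|access_token|id_token|token|reset_token)=[A-Za-z0-9._~%-]{16,}'
# Reserved documentation hosts (example.com/.org/.net, .test, .invalid, .example) are allowed.
URL_ALLOW_RE='^https?://([A-Za-z0-9-]+\.)*(example\.(com|org|net)|test|invalid|example)[/:?#]'

# Mail exports and local SQLite files.
FILE_LEAK_RE='[A-Za-z0-9._/-]+\.(eml|mbox|sqlite3?)'
# Assumed convention: synthetic data lives under fixtures/ or is named synthetic-*.
FILE_ALLOW_RE='(^|/)fixtures/|(^|/)synthetic-[^/]*$'

# Reads text on stdin; prints one "kind: match" line per finding.
# The allowlist is applied per match, so an allowed URL cannot hide a
# real leak that happens to sit on the same line.
find_leaks() {
  input=$(cat)
  printf '%s\n' "$input" | grep -oE "$URL_LEAK_RE" \
    | grep -vE "$URL_ALLOW_RE" | sed 's/^/url: /' || true
  printf '%s\n' "$input" | grep -oE "$FILE_LEAK_RE" \
    | grep -vE "$FILE_ALLOW_RE" | sed 's/^/file: /' || true
}

# Reads text on stdin; prints the number of findings.
count_leaks() {
  find_leaks | grep -c . || true
}

# Constructed sample: one reset link with a token, one mailbox export path.
SAMPLE_LEAK='Reset here: https://sso.corp.internal/reset?token=9f2c1a7b4e6d8f0a1b2c3d4e
exported to /home/user/Mail/inbox-2024.mbox'

# Constructed sample: doc/fixture shapes that must stay quiet.
SAMPLE_OK='See https://login.example.com/reset?token=AAAAAAAAAAAAAAAAAAAAAAAA
fixture at tests/fixtures/welcome.eml, placeholder https://sso.corp.internal/reset?token=<TOKEN>'

# Demo run: findings for the leaking sample, then counts for both.
printf '%s\n' "$SAMPLE_LEAK" | find_leaks
echo "leak sample findings: $(printf '%s\n' "$SAMPLE_LEAK" | count_leaks)"
echo "ok sample findings:   $(printf '%s\n' "$SAMPLE_OK" | count_leaks)"
```

Tokens placed in the URL path rather than a query parameter, payment links and generic cache filenames are not covered by these patterns and would need their own checks.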