mirror of
https://github.com/tiennm99/ccs.git
synced 2026-07-16 20:17:45 +00:00
Two remaining gaps in the sensitive-value detector flagged by PR-Agent on #1248: 1. The TOML/YAML key regex only matched bare keys, so values written under quoted keys like `"API_KEY" = "secret"` were never masked. Accept basic-string and literal-string quoted keys and normalize the captured key (strip quotes, unescape) before isSensitiveKey. 2. The string-skip helper used indexOf for the next quote character, so a value like `AUTH_TOKEN = ["a \"quoted\" value", "x"]` could terminate scanning early and leak unrelated text or under-mask the secret. Introduce skipString that honors backslash escapes for basic strings and is used by both the TOML array walker and the JSON balanced-brace walker. Adds regression tests for both edge cases.