Severity: High (enterprise secret leak)
DEFAULT_REDACTION_RULES in src/perseus/redaction.py:27–62 covers Anthropic, OpenAI, GitHub, AWS, Slack, Bearer, JWT, PEM, HuggingFace, Google API, GitLab, Stripe, PyPI, Sentry, Discord, but not Atlassian API tokens, which start with ATATT3xFfGF0 and are commonly used in Perseus workflows (twg skill, JIRA/Confluence MCP).
Suggested fix
Add to defaults:
```python
{"name": "atlassian_api_token",
 "pattern": r"\bATATT3xFfGF0[A-Za-z0-9_\-=]{20,}\b"},
{"name": "atlassian_confluence_token",
 "pattern": r"\bATCTT3xFfGF0[A-Za-z0-9_\-=]{20,}\b"},
```
Also consider:
- Atlassian OAuth client secrets
- Bitbucket app passwords (no fixed prefix; context-based detection)
Acceptance criteria
- Test: ATATT3xFfGF0 + 30 random chars is redacted by defaults.
- Document the new rules in docs/redaction.md.
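
As an added example (not Perseus code), the two proposed patterns are run here over constructed inputs: the acceptance-test case, a too-short string, and a token followed by `=` characters. The `redact` helper, the `[REDACTED:...]` placeholder format and all sample tokens are assumptions made for this illustration.

```python
import re

# The two rules proposed in the issue, in the same {"name", "pattern"} shape.
ATLASSIAN_RULES = [
    {"name": "atlassian_api_token",
     "pattern": r"\bATATT3xFfGF0[A-Za-z0-9_\-=]{20,}\b"},
    {"name": "atlassian_confluence_token",
     "pattern": r"\bATCTT3xFfGF0[A-Za-z0-9_\-=]{20,}\b"},
]


def redact(text, rules=ATLASSIAN_RULES):
    """Hypothetical stand-in for the redaction pass: replace each match
    with [REDACTED:<rule name>] and return (clean_text, names_that_fired)."""
    fired = []
    for rule in rules:
        text, n = re.subn(rule["pattern"], f"[REDACTED:{rule['name']}]", text)
        if n:
            fired.append(rule["name"])
    return text, fired


# Constructed 30-character body; not a real credential.
BODY = "aB3dE5gH7jK9mN1pQ3sT5vW7yZ9bC1"
API_TOKEN = "ATATT3xFfGF0" + BODY
CONFLUENCE_TOKEN = "ATCTT3xFfGF0" + BODY

# Constructed inputs covering the places a token tends to show up.
SAMPLES = {
    "env": f"JIRA_API_TOKEN={API_TOKEN}",
    "json": f'{{"token": "{CONFLUENCE_TOKEN}"}}',
    "short": "ATATT3xFfGF0" + BODY[:10],     # under 20 chars: must not match
    "padded": f"token {API_TOKEN}== end",    # trailing '=' after the body
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(label, "->", redact(sample))
```

In the `padded` sample the trailing `\b` ends the match at the last alphanumeric character, so the two `=` signs stay in the output while the token body is removed.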