In this article, we review the sanitizeCredentials function in the Archon codebase. You will learn:
What is Archon?
sanitizeCredentials function
sanitizeError function
What is Archon?
Archon is a workflow engine for AI coding agents. Define multi-step development workflows in YAML — code review, bug fixes, feature implementation, testing — and run them with a single command.
It is an open-source harness builder for AI coding. Make AI coding deterministic and repeatable.
Learn more about Archon.
What does it look like?
Here’s an example of an Archon workflow that plans, implements in a loop until tests pass, gets your approval, then creates the PR:
# .archon/workflows/build-feature.yaml
nodes:
  - id: plan
    prompt: "Explore the codebase and create an implementation plan"
  - id: implement
    depends_on: [plan]
    loop: # AI loop - iterate until done
      prompt: "Read the plan. Implement the next task. Run validation."
      until: ALL_TASKS_COMPLETE
      fresh_context: true # Fresh session each iteration
  - id: run-tests
    depends_on: [implement]
    bash: "bun run validate" # Deterministic - no AI
  - id: review
    depends_on: [run-tests]
    prompt: "Review all changes against the plan. Fix any issues."
  - id: approve
    depends_on: [review]
    loop: # Human approval gate
      prompt: "Present the changes for review. Address any feedback."
      until: APPROVED
      interactive: true # Pauses and waits for human input
  - id: create-pr
    depends_on: [approve]
    prompt: "Push changes and create a pull request"
Tell your coding agent what you want, and Archon handles the rest:
You: Use archon to add dark mode to the settings page
Agent: I'll run the archon-idea-to-pr workflow for this.
→ Creating isolated worktree on branch archon/task-dark-mode...
→ Planning...
→ Implementing (task 1/4)...
→ Implementing (task 2/4)...
→ Tests failing - iterating...
→ Tests passing after 2 iterations
→ Code review complete - 0 issues
→ PR ready: https://github.com/you/project/pull/47
I picked this information from Archon's GitHub README.md.
sanitizeCredentials function
I found this function, sanitizeCredentials, in Archon/packages/core/src/utils/credential-sanitizer.ts, where it is defined as below:
/**
 * Credential Sanitizer
 * Removes sensitive values from strings to prevent credential leaks
 */
const SENSITIVE_ENV_VARS = ['GH_TOKEN', 'GITHUB_TOKEN'];

function escapeRegExp(str: string): string {
  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

export function sanitizeCredentials(input: string): string {
  let result = input;
  for (const envVar of SENSITIVE_ENV_VARS) {
    const value = process.env[envVar];
    if (value && value.length > 0) {
      result = result.replace(new RegExp(escapeRegExp(value), 'g'), '[REDACTED]');
    }
  }
  // Catch any URL-embedded credentials we might have missed
  result = result.replace(/https:\/\/[^@\s]+@github\.com/g, 'https://[REDACTED]@github.com');
  return result;
}
SENSITIVE_ENV_VARS lists the environment variables whose values must never appear in output; note that it is the values, not the variable names, that get replaced. The value is run through escapeRegExp first so that characters such as `.` or `+` inside a token are matched literally rather than as regex operators.
sanitizeCredentials removes those values from a string to prevent credential leaks, and then, as a fallback, redacts the userinfo part of any https://...@github.com URL in case a token reached the string by another route (for example, a clone URL built from a token the list does not name). Two limits are worth knowing: a value is only matched if it appears literally, so an encoded or partial copy slips through, and the URL fallback only covers github.com. The function is straightforward, but where is it used and why?
If you look just below this function in the same file, you will find sanitizeError.
sanitizeError function
sanitizeError is defined as shown below:
export function sanitizeError(error: Error): Error {
  const sanitized = new Error(sanitizeCredentials(error.message));
  if (error.stack) {
    sanitized.stack = sanitizeCredentials(error.stack);
  }
  return sanitized;
}
This returns a new Error whose message and stack have both been run through sanitizeCredentials; the stack matters because Node prints the message on its first line, so scrubbing only the message would still leak the token. Note that it constructs a fresh Error rather than mutating the original, so the original's class and any extra properties are dropped. Interesting. Where is this used? I always use the symbol references that pop up when you click on a variable or function name.
One such usage is found in packages/core/handlers/clone.ts:
try {
  await execFileAsync('git', ['clone', cloneUrl, targetPath]);
} catch (error) {
  const safeErr = sanitizeError(error as Error);
  throw new Error(`Failed to clone repository: ${safeErr.message}`);
}
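To see both functions do their job on the kind of message git actually produces, here is an added example that is not part of Archon's code. It re-implements the same sanitizer and sanitizeError logic shown above, but takes the environment as an explicit `env` map (Archon reads process.env directly) so it can be exercised with a constructed token. The token value, the clone URL and the failure message are all constructed for the example; `cloneFailureDemo`, `whyEscape` and `knownGaps` are helper names I chose, not Archon's.

```typescript
// Added example, not Archon's code: the sanitizer pattern from the page with
// the environment passed in explicitly. All sample values are constructed.

const SENSITIVE_ENV_VARS = ['GH_TOKEN', 'GITHUB_TOKEN'] as const;

function escapeRegExp(str: string): string {
  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Same logic as Archon's sanitizeCredentials, with `env` as a parameter.
export function sanitizeCredentials(
  input: string,
  env: Record<string, string | undefined>,
): string {
  let result = input;
  for (const envVar of SENSITIVE_ENV_VARS) {
    const value = env[envVar];
    if (value && value.length > 0) {
      result = result.replace(new RegExp(escapeRegExp(value), 'g'), '[REDACTED]');
    }
  }
  // Fallback: strip the userinfo of any https://<userinfo>@github.com URL,
  // even if the secret inside it was not one of the listed variables.
  result = result.replace(/https:\/\/[^@\s]+@github\.com/g, 'https://[REDACTED]@github.com');
  return result;
}

// Same logic as Archon's sanitizeError: a fresh Error with scrubbed message and stack.
export function sanitizeError(error: Error, env: Record<string, string | undefined>): Error {
  const sanitized = new Error(sanitizeCredentials(error.message, env));
  if (error.stack) {
    sanitized.stack = sanitizeCredentials(error.stack, env);
  }
  return sanitized;
}

// Constructed token: contains "." and "+", both regex metacharacters.
export const SAMPLE_ENV = { GH_TOKEN: 'ghp_EXAMPLE.token+1' };

// Simulates the clone handler above receiving git's 403 message, which
// embeds the token in the remote URL, and scrubbing it before rethrowing.
export function cloneFailureDemo(): { message: string; stack: string } {
  const token = SAMPLE_ENV.GH_TOKEN;
  const err = new Error(
    `fatal: unable to access 'https://x-access-token:${token}@github.com/acme/app.git/': 403`,
  );
  const safe = sanitizeError(err, SAMPLE_ENV);
  return { message: safe.message, stack: safe.stack ?? '' };
}

// Why escapeRegExp exists: used unescaped, "ghp_EXAMPLE.token+1" is a pattern
// in which "n+" needs one or more "n" directly followed by "1". The literal "+"
// breaks that, so the naive replace finds nothing and the secret survives.
export function whyEscape(): string {
  const raw = 'naive: ' + SAMPLE_ENV.GH_TOKEN;
  return raw.replace(new RegExp(SAMPLE_ENV.GH_TOKEN, 'g'), '[REDACTED]');
}

// Two inputs the page's regexes do not cover, which callers should be aware of.
export function knownGaps(): { encoded: string; otherHost: string } {
  return {
    // URL-encoded copy ("+" becomes "%2B") no longer equals the literal value.
    encoded: sanitizeCredentials('token=' + encodeURIComponent(SAMPLE_ENV.GH_TOKEN), SAMPLE_ENV),
    // Userinfo on a host other than github.com is not touched by the fallback.
    otherHost: sanitizeCredentials('https://user:secret@gitlab.example/repo.git', SAMPLE_ENV),
  };
}
```

Running `cloneFailureDemo()` yields a message of `fatal: unable to access 'https://[REDACTED]@github.com/acme/app.git/': 403`: the env-var pass replaces the token, then the URL pass collapses the remaining `x-access-token:` userinfo. The `knownGaps` results are the reason to keep the sanitizer as the last line of defence rather than the only one; the real fix is still to avoid putting tokens in clone URLs that end up in error text.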
About me:
Hey, my name is Ramu Narasinga. Email: ramu.narasinga@gmail.com
Tired of AI slop?
I spent 3+ years studying OSS codebases and wrote 350+ articles on what makes them production-grade. I built an open source tool that reviews your PR against your existing codebase patterns.
Your codebase. Your patterns. Enforced.