Fix secrets detection redaction gating

Signed-off-by: lucarlig <luca.carlig@ibm.com>

Author: lucarlig

plugins/rust/python-package/secrets_detection/cpex_secrets_detection/secrets_detection_rust/__init__.pyi

@@ -4,7 +4,6 @@
 import builtins
 import typing
 __all__ = [
-    "SecretsDetectionPluginCore",
     "SecretsDetectionPluginCore",
     "py_scan_container",
 ]

plugins/rust/python-package/secrets_detection/src/bin/stub_gen.rs

@@ -10,16 +10,8 @@ use secrets_detection_rust::stub_info;
 
 fn curate_extension_stub() {
     let stub_path = Path::new("cpex_secrets_detection/secrets_detection_rust/__init__.pyi");
-    let mut content = fs::read_to_string(stub_path).expect("Failed to read generated stub file");
-    content = content.replace(
-        "\"py_scan_container\",\n]",
-        "\"SecretsDetectionPluginCore\",\n    \"py_scan_container\",\n]",
-    );
-    if !content.contains("class SecretsDetectionPluginCore:") {
-        content.push_str(
-            "\n\n@typing.final\nclass SecretsDetectionPluginCore:\n    def __new__(cls, config: dict) -> SecretsDetectionPluginCore: ...\n    def prompt_pre_fetch(self, payload: typing.Any, context: typing.Any) -> typing.Any: ...\n    def tool_post_invoke(self, payload: typing.Any, context: typing.Any) -> typing.Any: ...\n    def resource_post_fetch(self, payload: typing.Any, context: typing.Any) -> typing.Any: ...\n",
-        );
-    }
+    let content = fs::read_to_string(stub_path).expect("Failed to read generated stub file");
+    let content = content.trim_end().to_string() + "\n";
     fs::write(stub_path, content).expect("Failed to write curated stub file");
 }
 

plugins/rust/python-package/secrets_detection/src/plugin.rs

@@ -48,7 +48,7 @@ impl SecretsDetectionPluginCore {
             );
         }
 
-        if self.config.redact && !redacted.is(&source) {
+        if self.config.redact && count > 0 {
             payload.setattr("args", &redacted)?;
             return build_framework_object(
                 py,
@@ -97,7 +97,7 @@ impl SecretsDetectionPluginCore {
             );
         }
 
-        if self.config.redact && !redacted.is(&value) {
+        if self.config.redact && count > 0 {
             payload.setattr("result", &redacted)?;
             return build_framework_object(
                 py,
@@ -149,7 +149,7 @@ impl SecretsDetectionPluginCore {
             );
         }
 
-        if self.config.redact && !redacted.is(&text) {
+        if self.config.redact && count > 0 {
             content.setattr("text", &redacted)?;
             return build_framework_object(
                 py,

plugins/rust/python-package/secrets_detection/tests/test_plugin.py

@@ -92,6 +92,19 @@ async def test_prompt_pre_fetch_redacts_without_blocking(self, plugin):
         assert result.modified_payload.args["input"] == "AWS_ACCESS_KEY_ID=[REDACTED]"
         assert result.metadata == {"secrets_redacted": True, "count": 1}
 
+    async def test_prompt_pre_fetch_leaves_clean_payload_unmodified(self, plugin):
+        payload = PromptPrehookPayload(
+            prompt_id="prompt-1",
+            args={"input": "hello world"},
+        )
+
+        result = await plugin.prompt_pre_fetch(payload, _make_context())
+
+        assert result.continue_processing is True
+        assert result.violation is None
+        assert result.modified_payload is None
+        assert result.metadata == {}
+
     async def test_prompt_pre_fetch_blocks_without_redaction(self):
         plugin = SecretsDetectionPlugin(_make_config(block_on_detection=True, redact=False))
         payload = PromptPrehookPayload(
@@ -131,6 +144,22 @@ async def test_tool_post_invoke_redacts_mcp_content_payload(self, plugin):
         assert result.modified_payload.result["isError"] is False
         assert result.metadata == {"secrets_redacted": True, "count": 1}
 
+    async def test_tool_post_invoke_leaves_clean_payload_unmodified(self, plugin):
+        payload = ToolPostInvokePayload(
+            name="writer",
+            result={
+                "content": [{"type": "text", "text": "plain text"}],
+                "isError": False,
+            },
+        )
+
+        result = await plugin.tool_post_invoke(payload, _make_context())
+
+        assert result.continue_processing is True
+        assert result.violation is None
+        assert result.modified_payload is None
+        assert result.metadata == {}
+
     async def test_resource_post_fetch_redacts_text_content(self, plugin):
         payload = ResourcePostFetchPayload(
             uri="file:///tmp/secret.txt",
@@ -144,6 +173,19 @@ async def test_resource_post_fetch_redacts_text_content(self, plugin):
         assert result.modified_payload.content.text == "SLACK_TOKEN=[REDACTED]"
         assert result.metadata == {"secrets_redacted": True, "count": 1}
 
+    async def test_resource_post_fetch_leaves_clean_payload_unmodified(self, plugin):
+        payload = ResourcePostFetchPayload(
+            uri="file:///tmp/secret.txt",
+            content=ResourceContent(text="plain text"),
+        )
+
+        result = await plugin.resource_post_fetch(payload, _make_context())
+
+        assert result.continue_processing is True
+        assert result.violation is None
+        assert result.modified_payload is None
+        assert result.metadata == {}
+
     async def test_resource_post_fetch_blocks_when_threshold_met(self):
         plugin = SecretsDetectionPlugin(
             _make_config(block_on_detection=True, redact=False, min_findings_to_block=1)