crackerjack 0.32.0__py3-none-any.whl → 0.33.1__py3-none-any.whl

crackerjack/services/secure_subprocess.py

@@ -1,10 +1,3 @@
-"""
-Secure subprocess execution with environment sanitization and command validation.
-
-This module provides production-ready security for all subprocess operations in Crackerjack,
-implementing comprehensive validation, sanitization, and logging to prevent injection attacks.
-"""
-
 import os
 import re
 import subprocess
@@ -16,26 +9,18 @@ from .security_logger import SecurityEventLevel, SecurityEventType, get_security
 
 
 class SecurityError(Exception):
-    """Raised when a security violation is detected."""
-
     pass
 
 
 class CommandValidationError(SecurityError):
-    """Raised when command validation fails."""
-
     pass
 
 
 class EnvironmentValidationError(SecurityError):
-    """Raised when environment validation fails."""
-
     pass
 
 
 class SubprocessSecurityConfig:
-    """Configuration for secure subprocess execution."""
-
     def __init__(
         self,
         max_command_length: int = 10000,
@@ -44,7 +29,7 @@ class SubprocessSecurityConfig:
         max_env_vars: int = 1000,
         allowed_executables: set[str] | None = None,
         blocked_executables: set[str] | None = None,
-        max_timeout: float = 3600,  # 1 hour max
+        max_timeout: float = 3600,
         enable_path_validation: bool = True,
         enable_command_logging: bool = True,
     ):
@@ -92,24 +77,20 @@ class SubprocessSecurityConfig:
 
 
 class SecureSubprocessExecutor:
-    """Secure subprocess executor with comprehensive validation and logging."""
-
     def __init__(self, config: SubprocessSecurityConfig | None = None):
         self.config = config or SubprocessSecurityConfig()
         self.security_logger = get_security_logger()
 
-        # Dangerous patterns for command injection detection
         self.dangerous_patterns = [
-            r"[;&|`$(){}[\]<>*?~]",  # Shell metacharacters
-            r"\.\./",  # Path traversal
-            r"\$\{.*\}",  # Variable expansion
-            r"`.*`",  # Command substitution
-            r"\$\(.*\)",  # Command substitution
-            r">\s*/",  # Redirect to system paths
-            r"<\s*/",  # Redirect from system paths
+            r"[;&|`$(){}[\]<>*?~]",
+            r"\.\./",
+            r"\$\{.*\}",
+            r"`.*`",
+            r"\$\(.*\)",
+            r">\s*/",
+            r"<\s*/",
         ]
 
-        # Environment variables that should never be passed through
         self.dangerous_env_vars = {
             "LD_PRELOAD",
             "DYLD_INSERT_LIBRARIES",
@@ -125,7 +106,6 @@ class SecureSubprocessExecutor:
             "BASHOPTS",
         }
 
-        # Minimal safe environment variables
         self.safe_env_vars = {
             "HOME",
             "USER",
@@ -152,28 +132,6 @@ class SecureSubprocessExecutor:
         check: bool = False,
         **kwargs: t.Any,
     ) -> subprocess.CompletedProcess[str]:
-        """
-        Execute a subprocess with comprehensive security validation.
-
-        Args:
-            command: Command and arguments as list
-            cwd: Working directory (validated for path traversal)
-            env: Environment variables (will be sanitized)
-            timeout: Maximum execution time
-            input_data: Input to pass to subprocess
-            capture_output: Whether to capture stdout/stderr
-            text: Whether to use text mode
-            check: Whether to raise on non-zero exit
-            **kwargs: Additional subprocess.run arguments
-
-        Returns:
-            CompletedProcess result
-
-        Raises:
-            SecurityError: If security validation fails
-            CommandValidationError: If command validation fails
-            EnvironmentValidationError: If environment validation fails
-        """
         start_time = time.time()
 
         try:
@@ -215,16 +173,12 @@ class SecureSubprocessExecutor:
         kwargs: dict[str, t.Any],
         start_time: float,
     ) -> subprocess.CompletedProcess[str]:
-        """Execute subprocess with validation and logging."""
-        # Validate and sanitize all inputs
         execution_params = self._prepare_execution_params(command, cwd, env, timeout)
 
-        # Log and execute subprocess
         result = self._execute_subprocess(
             execution_params, input_data, capture_output, text, check, kwargs
         )
 
-        # Log success
         self._log_successful_execution(execution_params, result, start_time)
         return result
 
@@ -235,7 +189,6 @@ class SecureSubprocessExecutor:
         env: dict[str, str] | None,
         timeout: float | None,
     ) -> dict[str, t.Any]:
-        """Prepare and validate all execution parameters."""
         return {
             "command": self._validate_command(command),
             "cwd": self._validate_cwd(cwd),
@@ -252,7 +205,6 @@ class SecureSubprocessExecutor:
         check: bool,
         kwargs: dict[str, t.Any],
     ) -> subprocess.CompletedProcess[str]:
-        """Execute subprocess with validated parameters."""
         if self.config.enable_command_logging:
             self.security_logger.log_subprocess_execution(
                 command=params["command"],
@@ -279,13 +231,12 @@ class SecureSubprocessExecutor:
         result: subprocess.CompletedProcess[str],
         start_time: float,
     ) -> None:
-        """Log successful subprocess execution."""
         execution_time = time.time() - start_time
         if self.config.enable_command_logging:
             self.security_logger.log_security_event(
                 SecurityEventType.SUBPROCESS_EXECUTION,
                 SecurityEventLevel.LOW,
-                f"Subprocess completed successfully in {execution_time:.2f}s",
+                f"Subprocess completed successfully in {execution_time: .2f}s",
                 command_preview=params["command"][:3],
                 execution_time=execution_time,
                 exit_code=result.returncode,
@@ -294,7 +245,6 @@ class SecureSubprocessExecutor:
     def _handle_timeout_error(
         self, command: list[str], timeout: float | None, start_time: float
     ) -> None:
-        """Handle subprocess timeout errors."""
         execution_time = time.time() - start_time
         self.security_logger.log_subprocess_timeout(
             command=command,
@@ -305,7 +255,6 @@ class SecureSubprocessExecutor:
     def _handle_process_error(
         self, command: list[str], error: subprocess.CalledProcessError
     ) -> None:
-        """Handle subprocess called process errors."""
         self.security_logger.log_subprocess_failure(
             command=command,
             exit_code=error.returncode,
@@ -313,7 +262,6 @@ class SecureSubprocessExecutor:
         )
 
     def _handle_unexpected_error(self, command: list[str], error: Exception) -> None:
-        """Handle unexpected subprocess errors."""
         self.security_logger.log_security_event(
             SecurityEventType.SUBPROCESS_FAILURE,
             SecurityEventLevel.HIGH,
@@ -324,7 +272,6 @@ class SecureSubprocessExecutor:
         )
 
     def _validate_command(self, command: list[str]) -> list[str]:
-        """Validate command arguments for security issues."""
         self._validate_command_structure(command)
 
         validated_command, issues = self._validate_command_arguments(command)
@@ -334,11 +281,9 @@ class SecureSubprocessExecutor:
         return validated_command
 
     def _validate_command_structure(self, command: list[str]) -> None:
-        """Validate basic command structure."""
         if not command:
             raise CommandValidationError("Command cannot be empty")
 
-        # Check overall command length
         total_length = sum(len(arg) for arg in command)
         if total_length > self.config.max_command_length:
             raise CommandValidationError(
@@ -348,19 +293,16 @@ class SecureSubprocessExecutor:
     def _validate_command_arguments(
         self, command: list[str]
     ) -> tuple[list[str], list[str]]:
-        """Validate individual command arguments."""
         validated_command = []
         issues = []
 
         for i, arg in enumerate(command):
-            # Check argument length
             if len(arg) > self.config.max_arg_length:
                 issues.append(
                     f"Argument {i} too long: {len(arg)} > {self.config.max_arg_length}"
                 )
                 continue
 
-            # Check for injection patterns
             if self._has_dangerous_patterns(arg, i, issues):
                 continue
 
@@ -369,7 +311,6 @@ class SecureSubprocessExecutor:
         return validated_command, issues
 
     def _has_dangerous_patterns(self, arg: str, index: int, issues: list[str]) -> bool:
-        """Check if argument has dangerous patterns."""
         for pattern in self.dangerous_patterns:
             if re.search(pattern, arg):
                 issues.append(
@@ -381,7 +322,6 @@ class SecureSubprocessExecutor:
     def _validate_executable_permissions(
         self, validated_command: list[str], issues: list[str]
     ) -> None:
-        """Validate executable allowlist/blocklist."""
         if not validated_command:
             return
 
@@ -397,7 +337,6 @@ class SecureSubprocessExecutor:
             issues.append(f"Executable '{executable}' is blocked")
 
     def _handle_validation_results(self, command: list[str], issues: list[str]) -> None:
-        """Handle validation results and logging."""
         validation_passed = len(issues) == 0
         if self.config.enable_command_logging:
             self.security_logger.log_subprocess_command_validation(
@@ -407,7 +346,6 @@ class SecureSubprocessExecutor:
             )
 
         if issues:
-            # Block dangerous commands
             self.security_logger.log_dangerous_command_blocked(
                 command=command,
                 reason="Command validation failed",
@@ -418,7 +356,6 @@ class SecureSubprocessExecutor:
             )
 
     def _validate_cwd(self, cwd: Path | str | None) -> Path | None:
-        """Validate working directory for path traversal."""
         if cwd is None:
             return None
 
@@ -428,10 +365,8 @@ class SecureSubprocessExecutor:
         cwd_path = Path(cwd) if isinstance(cwd, str) else cwd
 
         try:
-            # Resolve to absolute path and check for traversal
             resolved_path = cwd_path.resolve()
 
-            # Check for dangerous path components
             path_str = str(resolved_path)
             if ".." in path_str or path_str.startswith(
                 ("/etc", "/usr/bin", "/bin", "/sbin")
@@ -448,13 +383,12 @@ class SecureSubprocessExecutor:
             raise CommandValidationError(f"Invalid working directory '{cwd}': {e}")
 
     def _sanitize_environment(self, env: dict[str, str] | None) -> dict[str, str]:
-        """Sanitize environment variables."""
         if env is None:
             env = os.environ.copy()
 
         self._validate_environment_size(env)
 
-        filtered_vars = []
+        filtered_vars: list[str] = []
         sanitized_env = self._filter_environment_variables(env, filtered_vars)
 
         self._add_safe_environment_variables(sanitized_env)
@@ -463,7 +397,6 @@ class SecureSubprocessExecutor:
         return sanitized_env
 
     def _validate_environment_size(self, env: dict[str, str]) -> None:
-        """Validate environment variable count limits."""
         if len(env) > self.config.max_env_vars:
             self.security_logger.log_security_event(
                 SecurityEventType.INPUT_SIZE_EXCEEDED,
@@ -479,7 +412,6 @@ class SecureSubprocessExecutor:
     def _filter_environment_variables(
         self, env: dict[str, str], filtered_vars: list[str]
     ) -> dict[str, str]:
-        """Filter environment variables for security."""
         sanitized_env = {}
 
         for key, value in env.items():
@@ -499,7 +431,6 @@ class SecureSubprocessExecutor:
     def _is_dangerous_environment_key(
         self, key: str, value: str, filtered_vars: list[str]
     ) -> bool:
-        """Check if environment key is dangerous."""
         if key in self.dangerous_env_vars:
             filtered_vars.append(key)
             self.security_logger.log_environment_variable_filtered(
@@ -513,7 +444,6 @@ class SecureSubprocessExecutor:
     def _is_environment_value_too_long(
         self, key: str, value: str, filtered_vars: list[str]
     ) -> bool:
-        """Check if environment value exceeds length limits."""
         if len(value) > self.config.max_env_var_length:
             filtered_vars.append(key)
             self.security_logger.log_environment_variable_filtered(
@@ -527,8 +457,7 @@ class SecureSubprocessExecutor:
     def _has_environment_injection(
         self, key: str, value: str, filtered_vars: list[str]
     ) -> bool:
-        """Check if environment value has injection patterns."""
-        for pattern in self.dangerous_patterns[:3]:  # Check first 3 most dangerous
+        for pattern in self.dangerous_patterns[:3]:
             if re.search(pattern, value):
                 filtered_vars.append(key)
                 self.security_logger.log_environment_variable_filtered(
@@ -540,7 +469,6 @@ class SecureSubprocessExecutor:
         return False
 
     def _add_safe_environment_variables(self, sanitized_env: dict[str, str]) -> None:
-        """Add essential safe environment variables."""
         for safe_var in self.safe_env_vars:
             if safe_var not in sanitized_env and safe_var in os.environ:
                 sanitized_env[safe_var] = os.environ[safe_var]
@@ -548,7 +476,6 @@ class SecureSubprocessExecutor:
     def _log_environment_sanitization(
         self, original_count: int, sanitized_count: int, filtered_vars: list[str]
     ) -> None:
-        """Log environment sanitization results."""
         if self.config.enable_command_logging:
             self.security_logger.log_subprocess_environment_sanitized(
                 original_count=original_count,
@@ -557,7 +484,6 @@ class SecureSubprocessExecutor:
             )
 
     def _validate_timeout(self, timeout: float | None) -> float | None:
-        """Validate timeout value."""
         if timeout is None:
             return None
 
@@ -579,14 +505,12 @@ class SecureSubprocessExecutor:
         return timeout
 
 
-# Global secure executor instance
 _global_executor: SecureSubprocessExecutor | None = None
 
 
 def get_secure_executor(
     config: SubprocessSecurityConfig | None = None,
 ) -> SecureSubprocessExecutor:
-    """Get the global secure subprocess executor."""
     global _global_executor
     if _global_executor is None:
         _global_executor = SecureSubprocessExecutor(config)
@@ -597,9 +521,4 @@ def execute_secure_subprocess(
     command: list[str],
     **kwargs: t.Any,
 ) -> subprocess.CompletedProcess[str]:
-    """
-    Convenience function for secure subprocess execution.
-
-    This is the recommended way to execute subprocesses in Crackerjack.
-    """
     return get_secure_executor().execute_secure(command, **kwargs)

crackerjack/services/security.py

@@ -1,5 +1,6 @@
 import os
 import tempfile
+import typing as t
 from contextlib import suppress
 from pathlib import Path
 
@@ -8,7 +9,6 @@ from crackerjack.services.regex_patterns import SAFE_PATTERNS
 
 
 class SecurityService:
-    # Security token masking patterns - now using validated patterns from regex_patterns.py
     TOKEN_PATTERN_NAMES = [
         "mask_pypi_token",
         "mask_github_token",
@@ -28,31 +28,16 @@ class SecurityService:
     }
 
     def mask_tokens(self, text: str) -> str:
-        """
-        Mask sensitive tokens in text using validated regex patterns.
-
-        This method applies security token masking patterns to hide:
-        - PyPI authentication tokens (pypi-*)
-        - GitHub personal access tokens (ghp_*)
-        - Generic long tokens (32+ characters)
-        - Token assignments (token="value")
-        - Password assignments (password="value")
-        - Environment variable values
-
-        Returns masked text with sensitive data replaced by "**** or similar.
-        """
         if not text:
             return text
 
         masked_text = text
 
-        # Apply validated token masking patterns
         for pattern_name in self.TOKEN_PATTERN_NAMES:
             if pattern_name in SAFE_PATTERNS:
                 pattern = SAFE_PATTERNS[pattern_name]
                 masked_text = pattern.apply(masked_text)
 
-        # Also mask sensitive environment variable values
         for env_var in self.SENSITIVE_ENV_VARS:
             value = os.getenv(env_var)
             if value and len(value) > 8:
@@ -96,7 +81,7 @@ class SecurityService:
                 with suppress(OSError):
                     temp_file.unlink()
                 raise FileError(
-                    message="Failed to set secure file permissions",
+                    message="Failed to set[t.Any] secure file permissions",
                     details=str(e),
                     recovery="Check file system permissions and try again",
                 ) from e
@@ -147,30 +132,17 @@ class SecurityService:
         return env_summary
 
     def validate_token_format(self, token: str, token_type: str | None = None) -> bool:
-        """
-        Validate token format for known token types.
-
-        Args:
-            token: The token string to validate
-            token_type: Optional token type ("pypi", "github", or None)
-
-        Returns:
-            True if the token appears to be valid for the specified type
-        """
         if not token:
             return False
         if len(token) < 8:
             return False
 
         if token_type and token_type.lower() == "pypi":
-            # PyPI tokens start with "pypi-" (not "pypi -" which was a typo)
             return token.startswith("pypi-") and len(token) >= 16
 
         if token_type and token_type.lower() == "github":
-            # GitHub personal access tokens: ghp_ + 36 chars = 40 total
             return token.startswith("ghp_") and len(token) == 40
 
-        # Generic validation for unknown token types
         return len(token) >= 16 and not token.isspace()
 
     def create_secure_command_env(
@@ -198,3 +170,62 @@ class SecurityService:
             secure_env.pop(var, None)
 
         return secure_env
+
+    def validate_file_safety(self, path: str | Path) -> bool:
+        try:
+            file_path = Path(path)
+
+            if not file_path.exists():
+                return False
+
+            if file_path.is_symlink():
+                return False
+            return True
+        except Exception:
+            return False
+
+    def check_hardcoded_secrets(self, content: str) -> list[dict[str, t.Any]]:
+        secrets = []
+
+        patterns = {
+            "api_key": r'api[_-]?key["\s]*[: =]["\s]*([a-zA-Z0-9_-]{20, })',
+            "password": r'password["\s]*[: =]["\s]*([^\s"]{8, })',
+            "token": r'token["\s]*[: =]["\s]*([a-zA-Z0-9_-]{20, })',
+        }
+
+        import re
+
+        for secret_type, pattern in patterns.items():
+            matches = re.finditer(pattern, content, re.IGNORECASE)
+            for match in matches:
+                secrets.append(
+                    {
+                        "type": secret_type,
+                        "value": match.group(1)[:10] + "...",
+                        "line": content[: match.start()].count("\n") + 1,
+                    }
+                )
+        return secrets
+
+    def is_safe_subprocess_call(self, cmd: list[str]) -> bool:
+        if not cmd:
+            return False
+
+        dangerous_commands = {
+            "rm",
+            "rmdir",
+            "del",
+            "format",
+            "fdisk",
+            "sudo",
+            "su",
+            "chmod",
+            "chown",
+            "curl",
+            "wget",
+            "nc",
+            "netcat",
+        }
+
+        command = cmd[0].split("/")[-1]
+        return command not in dangerous_commands

crackerjack/services/security_logger.py

@@ -1,5 +1,6 @@
 import json
 import logging
+import os
 import time
 import typing as t
 from enum import Enum
@@ -36,7 +37,7 @@ class SecurityEventType(str, Enum):
     STATUS_ACCESS_ATTEMPT = "status_access_attempt"
     SENSITIVE_DATA_SANITIZED = "sensitive_data_sanitized"
     STATUS_INFORMATION_DISCLOSURE = "status_information_disclosure"
-    # Authentication and authorization events
+
     ACCESS_DENIED = "access_denied"
     API_KEY_CREATED = "api_key_created"
     API_KEY_REVOKED = "api_key_revoked"
@@ -45,40 +46,40 @@ class SecurityEventType(str, Enum):
     AUTH_SUCCESS = "auth_success"
     LOCAL_ACCESS_GRANTED = "local_access_granted"
     INSUFFICIENT_PRIVILEGES = "insufficient_privileges"
-    # Circuit breaker and resilience events
+
     CIRCUIT_BREAKER_CLOSED = "circuit_breaker_closed"
     CIRCUIT_BREAKER_HALF_OPEN = "circuit_breaker_half_open"
     CIRCUIT_BREAKER_OPEN = "circuit_breaker_open"
     CIRCUIT_BREAKER_RESET = "circuit_breaker_reset"
-    # Collection and data processing events
+
     COLLECTION_END = "collection_end"
     COLLECTION_ERROR = "collection_error"
     COLLECTION_START = "collection_start"
     STATUS_COLLECTED = "status_collected"
     FILE_READ_ERROR = "file_read_error"
-    # Connection and network events
+
     CONNECTION_CLOSED = "connection_closed"
     CONNECTION_ESTABLISHED = "connection_established"
     CONNECTION_IDLE = "connection_idle"
     CONNECTION_TIMEOUT = "connection_timeout"
-    # Request lifecycle events
+
     REQUEST_END = "request_end"
     REQUEST_START = "request_start"
     REQUEST_TIMEOUT = "request_timeout"
-    # Resource and operation management events
+
     RESOURCE_CLEANUP = "resource_cleanup"
     RESOURCE_EXHAUSTED = "resource_exhausted"
     RESOURCE_LIMIT_EXCEEDED = "resource_limit_exceeded"
     SERVICE_CLEANUP = "service_cleanup"
     SERVICE_START = "service_start"
     SERVICE_STOP = "service_stop"
-    # Operation monitoring events
+
     MONITORING_ERROR = "monitoring_error"
     OPERATION_DURATION_EXCEEDED = "operation_duration_exceeded"
     OPERATION_FAILURE = "operation_failure"
     OPERATION_SUCCESS = "operation_success"
     OPERATION_TIMEOUT = "operation_timeout"
-    # Input validation events
+
     INVALID_INPUT = "invalid_input"
 
 
@@ -125,7 +126,12 @@ class SecurityLogger:
 
         if not self.logger.handlers:
             console_handler = logging.StreamHandler()
-            console_handler.setLevel(logging.WARNING)
+
+            debug_enabled = os.environ.get("CRACKERJACK_DEBUG", "0") == "1"
+            if debug_enabled:
+                console_handler.setLevel(logging.WARNING)
+            else:
+                console_handler.setLevel(logging.CRITICAL + 1)
 
             formatter = logging.Formatter(
                 "%(asctime)s - SECURITY - %(levelname)s-%(message)s"
@@ -296,12 +302,11 @@ class SecurityLogger:
         env_vars_count: int = 0,
         **kwargs: t.Any,
     ) -> None:
-        """Log secure subprocess execution."""
         self.log_security_event(
             SecurityEventType.SUBPROCESS_EXECUTION,
             SecurityEventLevel.LOW,
             f"Subprocess executed: {' '.join(command[:3])}{'...' if len(command) > 3 else ''}",
-            command=command[:10],  # Log first 10 args only
+            command=command[:10],
             cwd=cwd,
             env_vars_count=env_vars_count,
             **kwargs,
@@ -314,14 +319,13 @@ class SecurityLogger:
         filtered_vars: list[str],
         **kwargs: t.Any,
     ) -> None:
-        """Log environment sanitization for subprocess."""
         self.log_security_event(
             SecurityEventType.SUBPROCESS_ENVIRONMENT_SANITIZED,
             SecurityEventLevel.LOW,
             f"Environment sanitized: {original_count} -> {sanitized_count} vars",
             original_count=original_count,
             sanitized_count=sanitized_count,
-            filtered_vars=filtered_vars[:20],  # Log first 20 filtered vars
+            filtered_vars=filtered_vars[:20],
             **kwargs,
         )
 
@@ -332,7 +336,6 @@ class SecurityLogger:
         issues: list[str] | None = None,
         **kwargs: t.Any,
     ) -> None:
-        """Log subprocess command validation results."""
         level = SecurityEventLevel.LOW if validation_result else SecurityEventLevel.HIGH
         status = "passed" if validation_result else "failed"
 
@@ -353,7 +356,6 @@ class SecurityLogger:
         actual_duration: float,
         **kwargs: t.Any,
     ) -> None:
-        """Log subprocess timeout events."""
         self.log_security_event(
             SecurityEventType.SUBPROCESS_TIMEOUT,
             SecurityEventLevel.MEDIUM,
@@ -367,14 +369,13 @@ class SecurityLogger:
     def log_subprocess_failure(
         self, command: list[str], exit_code: int, error_output: str, **kwargs: t.Any
     ) -> None:
-        """Log subprocess execution failures."""
         self.log_security_event(
             SecurityEventType.SUBPROCESS_FAILURE,
             SecurityEventLevel.MEDIUM,
             f"Subprocess failed (exit code {exit_code}): {' '.join(command[:2])}{'...' if len(command) > 2 else ''}",
             command_preview=command[:3],
             exit_code=exit_code,
-            error_preview=error_output[:200],  # Log first 200 chars of error
+            error_preview=error_output[:200],
             **kwargs,
         )
 
@@ -385,7 +386,6 @@ class SecurityLogger:
         dangerous_patterns: list[str],
         **kwargs: t.Any,
     ) -> None:
-        """Log blocking of dangerous commands."""
         self.log_security_event(
             SecurityEventType.DANGEROUS_COMMAND_BLOCKED,
             SecurityEventLevel.CRITICAL,
@@ -403,7 +403,6 @@ class SecurityLogger:
         value_preview: str | None = None,
         **kwargs: t.Any,
     ) -> None:
-        """Log filtering of environment variables."""
         self.log_security_event(
             SecurityEventType.ENVIRONMENT_VARIABLE_FILTERED,
             SecurityEventLevel.LOW,
@@ -422,7 +421,6 @@ class SecurityLogger:
         data_keys: list[str] | None = None,
         **kwargs: t.Any,
     ) -> None:
-        """Log status endpoint access attempts."""
         self.log_security_event(
             SecurityEventType.STATUS_ACCESS_ATTEMPT,
             SecurityEventLevel.LOW,
@@ -442,7 +440,6 @@ class SecurityLogger:
         patterns_matched: list[str] | None = None,
         **kwargs: t.Any,
     ) -> None:
-        """Log sensitive data sanitization events."""
         self.log_security_event(
             SecurityEventType.SENSITIVE_DATA_SANITIZED,
             SecurityEventLevel.LOW,
@@ -462,7 +459,6 @@ class SecurityLogger:
         severity: str = "medium",
         **kwargs: t.Any,
     ) -> None:
-        """Log potential information disclosure in status responses."""
         level_map = {
             "low": SecurityEventLevel.LOW,
             "medium": SecurityEventLevel.MEDIUM,