
fix(signals): redact plural economic and identity terms#1389

Merged
JSONbored merged 5 commits into
JSONbored:mainfrom
Dexterity104:fix/redact-plural-signal-terms
Jun 26, 2026

Conversation

@Dexterity104

Contributor

Summary

  • PUBLIC_UNSAFE_TERMS in src/signals/redaction.ts is the canonical public/private boundary behind isPublicSafeText, but only reward and score carried a wildcard suffix. The remaining economic and identity nouns were bare, so the trailing word boundary in \b(...)\b landed before a plural "s" and let wallets, hotkeys, coldkeys, mnemonics, payouts, and rankings pass as public-safe.
  • Those plurals can reach public GitHub surfaces (PR and issue comments, check annotations, notifications, badge, extension payloads, slop and advisory reasons), so the gap is a genuine leak on the public boundary.
  • The fix groups every pluralizable noun under one shared \w* suffix, mirroring the existing reward\w*/score\w* and the plural hardening already merged for the sibling comment sanitizer in src/github/commands.ts. farming is a gerund and the trust/reviewability compounds stay bare, since "trust scores" is already covered by score\w*.
  • A new branch-counted regression test pins every plural form to rejected. The change stays narrow and self-explanatory, so a separate tracking issue is not needed.

Scope

  • The PR title follows type(scope): short summary Conventional Commit format, for example fix(api): restore profile access checks.
  • This PR is focused and does not mix unrelated backend, UI, MCP, docs, dependency, and deploy changes.
  • This follows CONTRIBUTING.md and does not reintroduce GitHub Pages, VitePress, site/, or CNAME.
  • Linked an issue, or this is small enough that the summary explains why an issue is not needed.

Validation

  • git diff --check
  • npm run actionlint
  • npm run typecheck
  • npm run test:coverage
  • npm run test:workers
  • npm run build:mcp
  • npm run test:mcp-pack
  • npm run ui:openapi:check
  • npm run ui:lint
  • npm run ui:typecheck
  • npm run ui:build
  • npm audit --audit-level=moderate
  • New or changed behavior has unit/integration tests for new branches, fallback paths, and sanitizer boundaries

If any required check was skipped, explain why:

  • None. The change is backend only and touches no workflows, UI, OpenAPI, MCP, or migrations, so the full gate passes unchanged. Coverage on the changed file is 100% across statements, branches, and functions.

Safety

  • No secrets, wallet details, hotkeys, coldkeys, user PATs, private keys, raw trust scores, private rankings, or private maintainer evidence are exposed.
  • Public GitHub text stays sanitized, low-noise, and does not imply compensation guarantees or optimization tactics.
  • Auth, cookie, CORS, GitHub App, Cloudflare, or session changes include negative-path tests.
  • API/OpenAPI/MCP behavior is updated and tested where needed.
  • UI changes use live API data or real empty/error/loading states, not production mock/demo fallbacks.
  • Visible UI changes include a UI Evidence section below with JPG/JPEG or PNG screenshots arranged as organized, captioned, clickable thumbnails. SVG screenshots are not used as review evidence. Review-only screenshots or recordings are not committed to the repository.
  • Public docs/changelogs are updated where needed; changelogs are only edited for release-prep PRs.

UI Evidence

Not applicable. This is a backend-only change to the redaction primitive with no visible UI, frontend, docs, or extension surface.

Notes

  • Keeps the canonical PUBLIC_UNSAFE_TERMS consistent with the plural hardening already shipped for the comment sanitizer, so the public boundary is uniform across surfaces.
  • The grouped (?:...)\w* form shares a single suffix and is behaviorally identical to writing the suffix per term, verified against the original by an exhaustive comparison with zero regressions.
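The plural gap and the grouped \w* fix described in this PR, as an added example that is not the project's src/signals/redaction.ts. The two term lists below are reconstructed from the summary (wallet, hotkey, coldkey, mnemonic, payout, ranking, reward\w*, score\w*, farming) and are an assumption, as is the isPublicSafeText(text, pattern) signature; the real PUBLIC_UNSAFE_TERMS list is longer. The example shows why a bare noun inside \b(...)\b stops at the plural "s", that the grouped (?:...)\w* form agrees with a per-term \w* spelling, and the regression vectors a branch-counted test would pin:

```typescript
// Added example, not the project's redaction.ts. Term lists and the
// isPublicSafeText signature are ASSUMED from the PR summary.

// Assumed pre-fix shape: only reward/score carry a \w* suffix, so the trailing
// \b sits before the plural "s" of every other noun and "wallets" never matches.
const BEFORE_TERMS: string[] = [
  "wallet", "hotkey", "coldkey", "mnemonic", "payout", "ranking",
  "reward\\w*", "score\\w*", "farming",
];

// Assumed post-fix shape: every pluralizable noun shares one \w* suffix through
// a non-capturing group; "farming" stays bare because it is a gerund.
const AFTER_TERMS: string[] = [
  "(?:wallet|hotkey|coldkey|mnemonic|payout|ranking|reward|score)\\w*",
  "farming",
];

// Per-term spelling of the same suffix, used to show the grouped form is
// behaviourally identical to writing \w* on each noun.
const PER_TERM_TERMS: string[] = [
  "wallet\\w*", "hotkey\\w*", "coldkey\\w*", "mnemonic\\w*", "payout\\w*",
  "ranking\\w*", "reward\\w*", "score\\w*", "farming",
];

function buildPattern(terms: string[]): RegExp {
  // Case-insensitive, bounded on both sides like the pattern the PR describes.
  return new RegExp(`\\b(?:${terms.join("|")})\\b`, "i");
}

const BEFORE_PATTERN = buildPattern(BEFORE_TERMS);
const AFTER_PATTERN = buildPattern(AFTER_TERMS);
const PER_TERM_PATTERN = buildPattern(PER_TERM_TERMS);

// Text is public-safe only when no unsafe term matches.
function isPublicSafeText(text: string, pattern: RegExp = AFTER_PATTERN): boolean {
  return !pattern.test(text);
}

// Every unsafe term found in the text, lower-cased, in order of appearance.
function findUnsafeTerms(text: string, pattern: RegExp = AFTER_PATTERN): string[] {
  const scanner = new RegExp(pattern.source, "gi");
  const hits: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = scanner.exec(text)) !== null) {
    hits.push(m[0].toLowerCase());
  }
  return hits;
}

// Constructed regression vectors: the plurals the PR says leaked, plus benign text
// that must stay public-safe (a plain "farm" is not "farming").
const PLURAL_VECTORS: string[] = [
  "wallets", "hotkeys", "coldkeys", "mnemonics", "payouts", "rankings",
];
const BENIGN_VECTORS: string[] = [
  "The farm is quiet", "a trusted reviewer", "hot keys are fine",
];

// Plurals the pre-fix pattern accepts as public-safe but the fixed pattern rejects.
function pluralGap(): string[] {
  return PLURAL_VECTORS.filter(
    (w) => isPublicSafeText(w, BEFORE_PATTERN) && !isPublicSafeText(w, AFTER_PATTERN),
  );
}

// True when the grouped and per-term patterns agree on every sample.
function groupedEqualsPerTerm(samples: string[]): boolean {
  return samples.every((s) => AFTER_PATTERN.test(s) === PER_TERM_PATTERN.test(s));
}

console.log("leaked plurals under the old pattern:", pluralGap());
console.log("benign text stays safe:", BENIGN_VECTORS.every((s) => isPublicSafeText(s)));
console.log(
  "grouped == per-term:",
  groupedEqualsPerTerm([...PLURAL_VECTORS, ...BENIGN_VECTORS, "rewarded", "farming"]),
);
```

The check that matters for a sanitizer boundary is the negative one: every vector in PLURAL_VECTORS must be rejected by the fixed pattern, while the benign vectors must still pass, so that hoisting \w* does not start matching unrelated words. Keep the singular forms and the benign set in the same test so a later edit to the group cannot silently widen or narrow the boundary.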

@Dexterity104 Dexterity104 requested a review from JSONbored as a code owner June 25, 2026 20:50
@dosubot dosubot Bot added the size:XS This PR changes 0-9 lines, ignoring generated files. label Jun 25, 2026
@superagent-security superagent-security Bot removed the size:XS This PR changes 0-9 lines, ignoring generated files. label Jun 25, 2026
@superagent-security


Superagent didn't find any vulnerabilities or security issues in this PR.

@codecov

codecov Bot commented Jun 25, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 95.37%. Comparing base (880351e) to head (52aea1e).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1389   +/-   ##
=======================================
  Coverage   95.37%   95.37%           
=======================================
  Files         192      192           
  Lines       20857    20857           
  Branches     7542     7542           
=======================================
  Hits        19892    19892           
  Misses        383      383           
  Partials      582      582           
Files with missing lines | Coverage Δ
src/signals/redaction.ts | 100.00% <100.00%> (ø)

@gittensory-orb


Important

Gittensory found maintainer review notes

Scoped related-work signals were found for this PR. They are advisory unless the gate reports a blocker.

Readiness score: 48/100

Signal | Result | Evidence | Action
Linked issue | ⚠️ Missing | No linked issue or no-issue rationale found. | Explain no-issue PR.
Related work | ⚠️ 1 scoped overlap | Top overlaps are listed below; lower-confidence bulk is hidden. | Review top overlaps.
Review load | ❌ 8/20 | Readiness component derived from cached public PR metadata and labels. | Add scope summary.
Validation evidence | ❌ 5/25 | Cached preflight status is hold. | Fix blocker.
Open PR queue | ❌ 3/10 | 39 open PR(s), 12 likely reviewable, 27 unlinked. | Expect slower review.
Contributor context | ✅ Confirmed | Gittensor contributor Dexterity104; Gittensor profile; 84 PR(s), 11 issue(s). | No action.
Gate result | ⚠️ Advisory only | Advisory only. | No action.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Review load = cached public PR metadata such as size labels, changed paths, and preflight status.
  • Open PR queue = repo-wide review pressure; it is not a PR quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.
Review context
  • Author: Dexterity104
  • Role context: outside_contributor
  • Public audience mode: oss maintainer
  • Lane context: Repository registration is not available in the local Gittensory cache.
  • Public profile languages: not available
  • Official Gittensor activity: 84 PR(s), 11 issue(s).
  • Related work: Titles/paths share 6 meaningful terms. (PR #1387)
Maintainer notes
  • Repo lane is not ready for a confident recommendation: Repository registration is not available in the local Gittensory cache.
  • No linked issue detected: The planned PR does not reference a closing issue or explicit linked issue number.
  • Possible duplicate or overlapping work: 1 related open work cluster(s) were detected.
Contributor next steps
  • Explain no-issue PR.
  • Review top overlaps.
  • Add scope summary.
  • Fix blocker.
  • Expect slower review.
  • Refresh registry data or choose a registered active repo.
  • Link the issue being solved, or explicitly explain why this is a no-issue PR.
  • Check active issues and PRs before submitting.
  • Re-run Gittensory review


Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

@dosubot dosubot Bot added the size:XS This PR changes 0-9 lines, ignoring generated files. label Jun 25, 2026
@gittensory-orb gittensory-orb Bot added gittensor Gittensor contributor context gittensor:bug Gittensor-scored bug fix - worth 0.5x multiplier. labels Jun 25, 2026

@JSONbored JSONbored left a comment

Owner


Of the two identical submissions this is the one we keep — its test covers the plural cases the twin omits, pinning more of the new branch. The fix is right: hoisting \w* across the singular nouns closes the gap. Merge this, close #1387.

@dosubot dosubot Bot added the lgtm This PR has been approved by a maintainer label Jun 26, 2026


@JSONbored JSONbored merged commit c3ae8fd into JSONbored:main Jun 26, 2026
15 checks passed
