The audit sweep wrongly FAILED ~9 converted ci-script repos on two heuristics:
- token-contract now accepts the secure indirection pass "$PASS_ENTRY" /
pass "$VAR", not only a hard-coded pass <literal-path>.
- leak scan flattens \-continuations + folds the pipe target onto the echo
line, then exempts the echo "$TOKEN" | <cmd> ... --password-stdin/--pass-stdin
stdin-feed idiom; bare echo to stdout/file and set -x still FAIL.
Adds --self-test with six inline fixtures locking in both fixes and the
three must-still-catch leaks.
Oleks
d265a79ddb