Summary
detect._is_sensitive → _generic_keyword_hit silently drops any file whose stem ends in token/tokens ("keyword ends the stem → names the contents"). That rule is right for api_token.txt / github-personal-access-token, but it also swallows ordinary docs whose topic is tokens — and there is no escape hatch: .graphifyinclude's docstring says sensitive files "are still excluded later", and no config/env overrides the skip.
Observed (graphifyy 0.8.36)
A prompt-template file in a resume-tooling repo:
references/prompts/derive-locked-tokens.md
It's an LLM prompt about locking proper-noun tokens during a rewrite — pure markdown, no credentials. detect() returned it in skipped_sensitive, so the file was missing from the graph entirely. Silent: the report shows only a count, so a single dropped file in a 200-file corpus is easy to miss until a query comes back empty.
Note the existing long-slug carve-out (token-economics-of-recall.md from #436/#718) doesn't help here, because the keyword is at the END of the stem — derive-locked-tokens is a 3-word descriptive slug that happens to end in the head noun.
Why renaming isn't a great answer
We did rename it (derive-token-locks.md) and that works, but it's the tool reshaping the project: the file was named after the function it feeds (derive_locked_tokens()), and any repo in the NLP/LLM space ("tokens" is core vocabulary) will keep tripping this.
Suggested fixes (any of)
- Tighten the end-of-stem rule: require a credential-store extension (
.txt, .env, .key, .json, extensionless) or a short (≤2-word) stem before treating an end-of-stem token(s) as a secret. A 3+-word kebab slug ending in tokens with a .md extension is a topic, not a credential store — same insight as the existing mid-phrase carve-out.
- Let
.graphifyinclude override the sensitive skip for explicitly allowlisted paths (opt-in, user-stated intent).
- At minimum, list the skipped filenames in GRAPH_REPORT.md (not just a count) so the drop isn't silent.
Summary
detect._is_sensitive→_generic_keyword_hitsilently drops any file whose stem ends intoken/tokens("keyword ends the stem → names the contents"). That rule is right forapi_token.txt/github-personal-access-token, but it also swallows ordinary docs whose topic is tokens — and there is no escape hatch:.graphifyinclude's docstring says sensitive files "are still excluded later", and no config/env overrides the skip.Observed (graphifyy 0.8.36)
A prompt-template file in a resume-tooling repo:
It's an LLM prompt about locking proper-noun tokens during a rewrite — pure markdown, no credentials.
detect()returned it inskipped_sensitive, so the file was missing from the graph entirely. Silent: the report shows only a count, so a single dropped file in a 200-file corpus is easy to miss until a query comes back empty.Note the existing long-slug carve-out (
token-economics-of-recall.mdfrom #436/#718) doesn't help here, because the keyword is at the END of the stem —derive-locked-tokensis a 3-word descriptive slug that happens to end in the head noun.Why renaming isn't a great answer
We did rename it (
derive-token-locks.md) and that works, but it's the tool reshaping the project: the file was named after the function it feeds (derive_locked_tokens()), and any repo in the NLP/LLM space ("tokens" is core vocabulary) will keep tripping this.Suggested fixes (any of)
.txt,.env,.key,.json, extensionless) or a short (≤2-word) stem before treating an end-of-stemtoken(s)as a secret. A 3+-word kebab slug ending intokenswith a.mdextension is a topic, not a credential store — same insight as the existing mid-phrase carve-out..graphifyincludeoverride the sensitive skip for explicitly allowlisted paths (opt-in, user-stated intent).