Externalize audit pipeline services

tests/audit-generation-persistence-source.test.ts

@@ -285,6 +285,29 @@ test("sanitizer masks env-backed secret values in persistence", () => {
   );
 });
 
+test("persistence sanitizer handles external service secrets with regex metacharacters", () => {
+  for (const secretKey of ["SCREENSHOTONE_API_KEY", "JINA_API_KEY"]) {
+    assert.equal(
+      hasPattern(auditGenerationSource, new RegExp(`["']${secretKey}["']`)),
+      true,
+      `Persistence sanitizer should redact ${secretKey}.`,
+    );
+  }
+
+  assert.equal(
+    auditGenerationSource.includes(
+      'return value.replace(/[.*+?^${}()|[\\]\\\\]/g, "\\\\$&");',
+    ),
+    true,
+    "escapeRegExp should escape regex metacharacters with the canonical character class.",
+  );
+  assert.equal(
+    auditGenerationSource.includes("/[.*+?^${}()|[\\\\]\\\\]/g"),
+    false,
+    "escapeRegExp should not keep the malformed bracket/backslash character class.",
+  );
+});
+
 test("finishAuditGenerationRun updates run status/counters/currentStep", () => {
   const finishSource = extractExportSource("finishAuditGenerationRun");