
debug: add redacted Droid debug artifacts #87

Open
EffortlessSteven wants to merge 2 commits into Factory-AI:dev from EffortlessSteven:sz/02-redacted-debug-artifacts

@EffortlessSteven

Problem

The preceding raw-artifact removal PR removes default runtime debug artifacts. That closes the unsafe default, but it also removes a useful debugging path.

The replacement should not upload broad runtime directories with a blocklist of exclusions. It should build a new allowlisted bundle and redact selected files before upload.

Change

  • Add debug_artifacts with supported modes:
    • none
    • redacted
  • Default remains debug_artifacts: none.
  • Add debug_artifact_retention_days, default 1.
  • Add redacted debug artifact preparation.
  • Upload only ${{ runner.temp }}/droid-debug-artifacts/**.
  • Keep actions/upload-artifact SHA-pinned.

Review map

| Area | Files | What to check |
| --- | --- | --- |
| Public API | action.yml | Defaults and mode validation. |
| Upload boundary | action.yml | Upload path is only the sanitized bundle. |
| Collection | src/debug-artifacts/collect.ts | Allowlist collection, cleanup, recursion bounds, symlink skipping, manifest paths. |
| Redaction | src/debug-artifacts/redact.ts | JSON, JSONL, text, token-like, and high-entropy redaction. |
| Entrypoint | src/entrypoints/prepare-debug-artifacts.ts | Env handling and bundle preparation. |
| Tests | test/debug-artifacts/*, test/action-yml.test.ts | Redaction, collection, and no-raw-upload invariants. |
| Docs | README.md | Default-off behavior and redacted mode. |

Behavior

Default:

debug_artifacts: none

No debug bundle is prepared or uploaded.

Opt-in:

debug_artifacts: redacted

The action creates and uploads only:

${{ runner.temp }}/droid-debug-artifacts/**

Raw runtime state is not uploaded.

Artifact model

The redacted bundle is built as a new directory. It does not copy $HOME/.factory wholesale.

Included files are allowlisted and written with .redacted suffixes. Unknown runtime files are skipped.

Dependency

This PR is stacked on #86.

Until #86 lands, GitHub may show the raw-artifact removal diff in this PR as well. The intended review surface for this PR is the redacted debug artifact mode added after that removal.

This PR assumes the raw .factory/** and droid-prompts/** upload path has already been removed.

Related issue

Related: Factory-AI/droid-action#20, because this PR adds a nested actions/upload-artifact usage and keeps it SHA-pinned.

This does not resolve Factory-AI/droid-action#20 unless all nested action references are audited.

Validation

bun test test/action-yml.test.ts test/debug-artifacts/redact.test.ts test/debug-artifacts/prepare-debug-artifacts.test.ts
bun run typecheck
bun run format:check

cd base-action
bun test
bun run typecheck
bun run format:check

Non-goals

  • No raw artifact mode.
  • No model changes.
  • No settings path changes.
  • No comment/status behavior changes.
  • No claim that redaction is a perfect secret scanner.

Contribution license

This repository does not currently include a FOSS license or contributor license agreement.

For this pull request, I expressly grant Factory AI and its affiliates a perpetual, worldwide, royalty-free, irrevocable license to use, copy, modify, publish, distribute, sublicense, and relicense these contributions, including as part of this repository or any related Factory AI product or service.
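
The allowlist-and-redact model from "Artifact model" and the redaction row of the review map, as an added example that is not code from this PR or from Factory AI. The file names, key and token patterns, the 4.0 bits/char entropy threshold and all function names are assumptions, and files are passed in memory rather than read from disk.

```typescript
// Added example; every name and pattern here is an assumption, not the PR's code.
const ALLOWLIST = ["settings.json", "logs/session.jsonl"]; // assumed file names
const SENSITIVE_KEY = /token|secret|password|api[_-]?key|authorization/i;
const TOKEN_LIKE = /\b(?:gh[pousr]_[A-Za-z0-9]{36,}|Bearer\s+[A-Za-z0-9._~+\/-]{16,}=*)/g;
const CANDIDATE = /[A-Za-z0-9+\/_=-]{24,}/g; // runs long enough to be a credential

// Shannon entropy in bits per character.
function entropy(s: string): number {
  const counts: Record<string, number> = {};
  for (let i = 0; i < s.length; i++) counts[s[i]] = (counts[s[i]] || 0) + 1;
  let h = 0;
  for (const c of Object.keys(counts)) h -= (counts[c] / s.length) * (Math.log(counts[c] / s.length) / Math.LN2);
  return h;
}

function redactText(text: string): string {
  const masked = text.replace(TOKEN_LIKE, "[REDACTED]");
  return masked.replace(CANDIDATE, (m) => (entropy(m) >= 4.0 ? "[REDACTED]" : m));
}

// Walk parsed JSON: blank values under sensitive keys, scan every other string.
function redactValue(value: unknown, key = ""): unknown {
  if (SENSITIVE_KEY.test(key)) return "[REDACTED]";
  if (typeof value === "string") return redactText(value);
  if (Array.isArray(value)) return value.map((v) => redactValue(v));
  if (value !== null && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const k of Object.keys(value)) out[k] = redactValue((value as Record<string, unknown>)[k], k);
    return out;
  }
  return value;
}

function redactJson(text: string): string {
  try { return JSON.stringify(redactValue(JSON.parse(text))); }
  catch (e) { return redactText(text); } // unparseable: fall back to the text rules
}

// Allowlist, not blocklist: a path that is not listed never reaches the bundle.
function buildBundle(files: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const path of Object.keys(files)) {
    if (ALLOWLIST.indexOf(path) === -1) continue;
    const fn = /\.jsonl?$/.test(path) ? redactJson : redactText;
    out[path + ".redacted"] = /\.jsonl$/.test(path)
      ? files[path].split("\n").map((l) => fn(l)).join("\n") : fn(files[path]);
  }
  return out;
}
```

A fixed pattern list and an entropy threshold miss secrets that are short or low-entropy, which matches the PR's stated non-goal that redaction is not a perfect secret scanner.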
