Consider disabling ArchiveConfigPlugin to prevent credential leakage in archives #773

@oboehmer

Description

Context

Raised in PR #697 review (item #10).

PR #697 disables `EnvironmentDebugPlugin` to prevent environment variable credentials from leaking into archive artifacts. However, `ArchiveConfigPlugin` (also in PyATS `debug.py`) remains enabled and writes `pyats.configuration.yaml` and `easypy.configuration.yaml` to archives.

Risk

  • nac-test's own credentials are always injected as environment variables (including in auto-generated `testbed.yaml` files), so the current risk is low.
  • User-provided testbed files with hardcoded device credentials could potentially be reflected into archive artifacts through this plugin.

Proposed fix

Add `ArchiveConfigPlugin: enabled: False` to the plugin config in `SubprocessRunner._create_config_files()` as a defense-in-depth measure.
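As an added example (not nac-test's or pyATS's own code), the plugin section with both debug plugins disabled, rendered as the YAML text a config-writing step such as `_create_config_files()` could emit, together with a check that re-reads the written file and reports any leak-prone plugin still enabled. The function names, the minimal YAML layout and the rule that a plugin without an `enabled` key counts as enabled are assumptions, not taken from the page.

```python
from pathlib import Path
import tempfile

# Plugins from pyATS debug.py that can copy environment variables or the
# pyats/easypy configuration files into archive artifacts (see the issue).
LEAK_PRONE_PLUGINS = ("EnvironmentDebugPlugin", "ArchiveConfigPlugin")


def render_plugin_config(disabled=LEAK_PRONE_PLUGINS):
    """Return YAML text for a 'plugins:' section with each plugin disabled."""
    lines = ["plugins:"]
    for name in disabled:
        lines.append(f"  {name}:")
        lines.append("    enabled: False")
    return "\n".join(lines) + "\n"


def parse_plugin_config(text):
    """Parse the two-level layout above into {plugin: enabled}.
    A plugin with no 'enabled' key counts as enabled (assumed pyATS default)."""
    state, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        if indent == 2 and not value.strip():
            current = key                      # plugin name line
            state.setdefault(current, True)
        elif indent == 4 and key == "enabled" and current:
            state[current] = value.strip().lower() in ("true", "yes", "1")
    return state


def still_enabled_plugins(text):
    """Return leak-prone plugins the config text leaves enabled (or omits)."""
    state = parse_plugin_config(text)
    return [p for p in LEAK_PRONE_PLUGINS if state.get(p, True)]


def write_and_check():
    """Write the hardened config to a temp file, re-read it, report leftovers."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "easypy.configuration.yaml"   # constructed path
        target.write_text(render_plugin_config())
        return still_enabled_plugins(target.read_text())
```

Running `still_enabled_plugins` over a config that only disables `EnvironmentDebugPlugin` (the state after PR #697 alone) reports `ArchiveConfigPlugin` as still enabled, which is the gap this issue describes.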
