forked from molecule-ai/molecule-core
c4c2bcba83
Adds `redactSecrets()` to the MemoriesHandler, scrubbing known credential patterns before every INSERT into agent_memories, regardless of scope. Closes #838. Satisfies SAFE-T1201 gate. Patterns redacted (with `[REDACTED:<CLASS>]` replacement): - Env-var assignments: `*_API_KEY=`, `*_TOKEN=`, `*_SECRET=` - HTTP Bearer tokens - sk-... prefixed keys (OpenAI / Anthropic format) - ctx7_... tokens (context7) - Base64 blobs ≥ 33 chars The audit log SHA-256 hash now reflects the sanitised content (not the raw input) so the forensic trail remains consistent with what was stored. Tests added: - TestRedactSecrets_CleanContent_PassesThrough - TestRedactSecrets_APIKeyPattern_IsRedacted (API_KEY / TOKEN / SECRET) - TestRedactSecrets_BearerToken_IsRedacted - TestRedactSecrets_SKToken_IsRedacted - TestRedactSecrets_Ctx7Token_IsRedacted - TestRedactSecrets_Base64Blob_IsRedacted - TestCommitMemory_SecretInContent_IsRedactedBeforeInsert Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| cmd/server | ||
| docs/adr | ||
| internal | ||
| migrations | ||
| pkg/provisionhook | ||
| Dockerfile | ||
| Dockerfile.tenant | ||
| entrypoint-tenant.sh | ||
| go.mod | ||
| go.sum | ||