From 65d4374118d742db23179caf6cd16a6679468101 Mon Sep 17 00:00:00 2001 From: "Molecule AI Dev Engineer A (Kimi)" Date: Mon, 15 Jun 2026 11:33:30 +0000 Subject: [PATCH] ci(lint): exempt memories.go redaction table from forbidden-env-key scan (#2918) The Layer-3 forbidden-env-key linter matched the quoted label "GITHUB_PAT" in the memory redaction table at workspace-server/internal/handlers/memories.go. That label is a secret- redaction category, not an env-var injection sink. Add memories.go to EXEMPT_PATHS so the lint no longer false-positives on a security control. Fixes #2918. Co-Authored-By: Claude --- .gitea/workflows/lint-forbidden-env-keys.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.gitea/workflows/lint-forbidden-env-keys.yml b/.gitea/workflows/lint-forbidden-env-keys.yml index 712d255cd..0ea7e24f6 100644 --- a/.gitea/workflows/lint-forbidden-env-keys.yml +++ b/.gitea/workflows/lint-forbidden-env-keys.yml @@ -106,6 +106,10 @@ jobs: "workspace-server/internal/handlers/workspace_provision_forbidden_env_test.go" "workspace-server/internal/provisioner/provisioner.go" "workspace-server/internal/provisioner/provisioner_test.go" + # Class 3 — secret redaction table: the quoted forbidden names here + # are category labels for regexps that *strip* secrets from memory + # content, not env-var injection sinks. core#2918. + "workspace-server/internal/handlers/memories.go" # Class 2 — pre-existing persona-fallback / org-helper paths # that set the GITEA_TOKEN fallback lane (stripped downstream # by provisioner.buildContainerEnv per forensic #145). The -- 2.52.0
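Review bot: The new EXEMPT_PATHS entry "workspace-server/internal/handlers/memories.go" exempts the whole file, while the comment above it justifies only the quoted category labels in the redaction table. After this change, any code in memories.go that really does set a forbidden env key would pass the lint unnoticed. If the linter can express it, scope the exemption to the table itself, for example with a per-line allow marker, or by moving the table into its own file and exempting only that file. Otherwise, state in the comment that the exemption is file-wide and has to be re-checked whenever memories.go gains code outside the table. Minor: the "Class 3" block is inserted ahead of the existing "Class 2" block; placing it after that block keeps the classes in order. The comment also cites "core#2918" where the commit message says "#2918"; use one form.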