molecule-ai/molecule-core
41
0
Fork 2
Code Issues 43 Pull Requests 17 Actions 54 Packages Projects Releases Wiki Activity
c4c2bcba83
molecule-core/platform
History
Molecule AI Backend Engineer c4c2bcba83 fix(security): SAFE-T1201 — redact secrets in commit_memory before persistence 
Adds `redactSecrets()` to the MemoriesHandler, scrubbing known credential
patterns before every INSERT into agent_memories, regardless of scope.

Closes #838. Satisfies SAFE-T1201 gate.

Patterns redacted (with `[REDACTED:<CLASS>]` replacement):
- Env-var assignments: `*_API_KEY=`, `*_TOKEN=`, `*_SECRET=`
- HTTP Bearer tokens
- sk-... prefixed keys (OpenAI / Anthropic format)
- ctx7_... tokens (context7)
- Base64 blobs ≥ 33 chars

The audit log SHA-256 hash now reflects the sanitised content (not the
raw input) so the forensic trail remains consistent with what was stored.

Tests added:
- TestRedactSecrets_CleanContent_PassesThrough
- TestRedactSecrets_APIKeyPattern_IsRedacted (API_KEY / TOKEN / SECRET)
- TestRedactSecrets_BearerToken_IsRedacted
- TestRedactSecrets_SKToken_IsRedacted
- TestRedactSecrets_Ctx7Token_IsRedacted
- TestRedactSecrets_Base64Blob_IsRedacted
- TestCommitMemory_SecretInContent_IsRedactedBeforeInsert

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-17 23:38:57 +00:00
..
cmd/server feat(registry): workspace hibernation — auto-pause idle workspaces (#711) 2026-04-17 13:27:39 +00:00
docs/adr fix(wsauth): restore ValidateAnyToken removed-workspace JOIN (#682 defense-in-depth), restore ADR-001 blast-radius docs 2026-04-17 12:25:44 +00:00
internal fix(security): SAFE-T1201 — redact secrets in commit_memory before persistence 2026-04-17 23:38:57 +00:00
migrations fix(scheduler): detect phantom-producing crons — consecutive-empty tracking (closes #795) 2026-04-17 19:06:35 +00:00
pkg/provisionhook fix(github): refresh installation token when TTL < 10 min (#547) (#567) 2026-04-17 00:47:03 +00:00
Dockerfile fix: address all code review findings + remove exposed secrets 2026-04-16 05:05:49 -07:00
Dockerfile.tenant fix: address all code review findings + remove exposed secrets 2026-04-16 05:05:49 -07:00
entrypoint-tenant.sh feat(platform): auto-detect SaaS tenant → control plane provisioner 2026-04-16 11:50:52 -07:00
go.mod feat(platform): wire github-app-auth plugin for per-installation tokens 2026-04-16 12:52:20 -07:00
go.sum feat(platform): wire github-app-auth plugin for per-installation tokens 2026-04-16 12:52:20 -07:00