fix: redact interpolated secrets from telemetry and experience files (plan 003)#71
Open
DavertMik wants to merge 3 commits into
Open
fix: redact interpolated secrets from telemetry and experience files (plan 003)#71DavertMik wants to merge 3 commits into
DavertMik wants to merge 3 commits into
Conversation
Knowledge files interpolate ${env.SECRET} into cleartext at load time; those
resolved values flowed into two persisted/exported sinks — the Langfuse trace
input and on-disk (often git-committed) experience files. Separately,
${config.*} could expand credential leaves like ${config.ai.apiKey} into every
prompt and both sinks.
Add src/utils/secrets.ts (a process-global secret registry + redactSecrets).
The env interpolation branch registers credential-named values (still returning
cleartext, since the model must type the real password) and both sinks now run
redactSecrets on the serialized/content string. Credential-named ${config.*}
paths are blocked from interpolating at all.
Deferred (see plan 003 Maintenance notes): masking in the LLM request itself,
the AI SDK experimental_telemetry inputs, and the Testomat.io reporter.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Explorbot Self-RegressionCommit
Attempt details
Session analysis — basic (native): Session AnalysisThe issue tracking system core flows are operational: creating issues with labels, viewing issue details, keyword search, and filter reset all work correctly. The test suite completed with all scenarios passing. Coverage
What works
Execution Issues
|
Per re-review: iterate registered secrets longest-first in redactSecrets so a secret that is a substring of another no longer leaves a partial-secret fragment (genuine hardening for a security fix). Group SECRET_NAME_TOKENS with the other module consts. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Implements plan 003 (
plans/003-redact-secrets-from-persistence-and-telemetry.md) — a P1 security fix.Problem
Knowledge files interpolate
${env.APP_PASSWORD}(and other${env.*}/${config.*}) into cleartext at load time. Those resolved secrets then flow into two persisted/exported sinks:JSON.stringify(metadata.input)shipped to telemetry).example/experience/*).Separately,
${config.*}walked the entire config object and stringified any leaf, so${config.ai.apiKey}silently expanded the provider API key into every prompt and both sinks.Fix
src/utils/secrets.ts: a process-global secret registry (registerSecret),redactSecrets(text),isSecretName(name)(credential-name denylist), andclearRegisteredSecrets()for test isolation.knowledge-tracker.ts: theenvbranch registers credential-named values (still returns cleartext — the model must type the real password), and theconfigbranch blocks credential-named keys from interpolating at all (SEC-03).observability.ts+experience-tracker.ts: runredactSecretson the serialized telemetry string and on experience content before write. Both are single chokepoints.Verification
bun test tests/unit/secrets.test.ts tests/unit/knowledge-tracker.test.ts→ 15 pass (incl.${config.ai.apiKey}blocked, and${env.APP_PASSWORD}register→redact end-to-end)bun test tests/unit→ 736 pass, 0 fail;bun run lintcleanDeferred (intentional — see plan Maintenance notes)
Masking the credential in (a) the LLM request itself (needs CodeceptJS
secret()+ a prompt change), (b) the AI SDK'sexperimental_telemetryinputs, and (c) the Testomat.io reporter. This PR is not a complete secret-masking solution — it closes the two persisted/exported sinks we control.🤖 Generated with Claude Code