feat: refuse secrets on write/edit and bound read output#14
Merged
Conversation
Add an engine-level restricted-data screen so write/edit refuse high-confidence secrets (API keys, tokens, JWT, PEM private keys, password/secret assignments, OTP codes, SSNs, payment cards) before anything is persisted, with a stable greppable refusal message. Add a 64 KB read-output budget that clamps oversized bodies on a codepoint boundary and appends a marker noting the stored file is complete. Both run in the router so CLI verbs, the local MCP server, and future consumers inherit one behavior. Bumps version to 0.1.3.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes two verified requirement gaps in the engine so every surface (CLI verbs, local MCP, future consumers) inherits one behavior.
Gap 1 - secret refusal was description-only
The write/edit tool descriptions claim secrets are refused, but nothing enforced it. Adds
src/contract/restricted-data.ts, a deliberately NARROW high-confidence screen (mirrors the cloud MCP's detector byte-for-byte): provider key/token prefixes, JWTs, PEM private keys, labeled password/secret assignments (placeholder-allowlisted), OTP/MFA codes, government IDs, and Luhn-valid payment cards. Ordinary notes that merely mention "password" or "auth" pass.router.write/router.editnow scan body + frontmatter (andnew_strfor str_replace) and throwRestrictedContentErrorbefore anything is persisted. Stable, greppable refusal message; the matched value is never echoed back.Gap 2 - read had no size budget
memory__readreturned the body verbatim, unbounded to the model. Addssrc/contract/read-budget.ts: a 64 KB read-output budget.router.readclamps oversized bodies on a UTF-8 codepoint boundary and appends a marker naming the shown/total byte counts and stating the stored file is complete and unchanged. The clamp is on the read path only, so an edit's internal full-body read is untouched.Tests
restricted-data.test.ts- every secret class refused (write + edit), clean bodies pass, exact canonical message, no value echo, frontmatter-hidden secrets.read-budget.test.ts- under / at / over the boundary, marker content, codepoint-safe cut, view shape preserved.router-guards.test.ts- end-to-end through the real git backend: write/edit refuse (incl. str_replace injecting a secret), refused ops persist nothing, oversized read clamps + marks while the on-disk copy stays whole.89 tests pass; type-check, lint, format, build all green. Version 0.1.2 -> 0.1.3.