
fix(security): redact secrets and paths in compression_failure_pairs before storage#1838

Merged
bug-ops merged 2 commits into main from 1801-plaintext-pii-secrets
Mar 15, 2026
Merged

fix(security): redact secrets and paths in compression_failure_pairs before storage#1838
bug-ops merged 2 commits intomainfrom
1801-plaintext-pii-secrets

Conversation

@bug-ops
Owner

@bug-ops bug-ops commented Mar 15, 2026

Fixes #1801.

Summary

  • Added redact_sensitive() function in crates/zeph-memory/src/sqlite/compression_guidelines.rs using two static LazyLock<Regex> patterns:
    • SECRET_RE: matches known secret prefixes (sk-, sk_live_, sk_test_, AKIA, ghp_, gho_, -----BEGIN, xoxb-, xoxp-, AIza, ya29., glpat-, hf_, npm_, dckr_pat_) and replaces with [REDACTED]
    • PATH_RE: matches filesystem paths (/home/, /Users/, /root/, /tmp/, /var/) and replaces with [PATH]
  • Applied to both compressed_context and failure_reason in log_compression_failure() before truncate_field() calls
  • regex moved from optional to unconditional dep in zeph-memory (storage-layer sanitization must run regardless of feature flags; regex was already a transitive dep)
  • 7 new unit tests added

Design notes

zeph-core::redact::scrub_content() was considered but rejected: zeph-core already depends on zeph-memory, making the reverse dep a circular dependency. The ~30-line inline implementation matches the existing pattern in community.rs.

Returns Cow::Borrowed when nothing matches (zero-alloc fast path).

Limitations (follow-up)

  • No retroactive scrubbing of existing rows
  • JWT tokens, email addresses, DB connection strings not covered
  • 12 of 14 SECRET_RE prefixes lack explicit tests (low priority)
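
The redaction described in this PR, as an added example written for this page rather than zeph's own code (the PR says the real function uses two LazyLock<Regex> patterns in compression_guidelines.rs). This version walks the string by hand so it runs on std alone, keeps the Cow::Borrowed zero-allocation fast path, and makes assumptions the PR does not state, each marked in a comment: a secret prefix must start a token, a secret token runs over [A-Za-z0-9_-], a PEM -----BEGIN header is redacted to end of line, and a hypothetical sanitize_for_storage() stands in for the redact-then-truncate order in log_compression_failure().

```rust
// Added example, not zeph's code: std-only, prefix-based redaction with a
// Cow::Borrowed fast path, modelled on the redact_sensitive() this PR adds.
use std::borrow::Cow;

/// How far a match extends past the recognised prefix (assumption: the PR
/// does not say what its regexes consume after the prefix).
#[derive(Clone, Copy)]
enum Span {
    /// Consume the rest of the token ([A-Za-z0-9_-]), e.g. `sk-abc123`.
    Token,
    /// Consume to end of line, e.g. a PEM `-----BEGIN ... KEY-----` header.
    Line,
}

/// Secret prefixes listed in the PR summary. Longer prefixes sharing a stem
/// come first so `sk_live_` is not shadowed by a shorter entry.
const SECRET_PREFIXES: &[(&str, Span)] = &[
    ("sk_live_", Span::Token), ("sk_test_", Span::Token), ("sk-", Span::Token),
    ("AKIA", Span::Token), ("ghp_", Span::Token), ("gho_", Span::Token),
    ("-----BEGIN", Span::Line), ("xoxb-", Span::Token), ("xoxp-", Span::Token),
    ("AIza", Span::Token), ("ya29.", Span::Token), ("glpat-", Span::Token),
    ("hf_", Span::Token), ("npm_", Span::Token), ("dckr_pat_", Span::Token),
];

/// Filesystem path prefixes listed in the PR summary.
const PATH_PREFIXES: &[&str] = &["/home/", "/Users/", "/root/", "/tmp/", "/var/"];

fn is_token_char(c: char) -> bool {
    c.is_ascii_alphanumeric() || matches!(c, '-' | '_')
}

fn is_path_char(c: char) -> bool {
    c.is_ascii_alphanumeric() || matches!(c, '/' | '.' | '-' | '_' | '~' | '+' | '@' | '%')
}

/// Byte length of the leading run of `s` for which `pred` holds.
fn run_len(s: &str, pred: fn(char) -> bool) -> usize {
    s.chars().take_while(|&c| pred(c)).map(char::len_utf8).sum()
}

/// Replace known secret prefixes with `[REDACTED]` and filesystem paths with
/// `[PATH]`. Returns `Cow::Borrowed` when nothing matched, so the common clean
/// case does not allocate.
pub fn redact_sensitive(input: &str) -> Cow<'_, str> {
    let mut out: Option<String> = None;
    let mut last = 0; // byte offset up to which `input` has been copied into `out`
    let mut i = 0;
    while i < input.len() {
        let rest = &input[i..];
        let c = rest.chars().next().unwrap();
        // Assumption: a secret prefix must start a token, so `task-123` does
        // not trip `sk-`. The PR does not say whether its regexes are anchored.
        let at_boundary = input[..i].chars().next_back().map_or(true, |p| !is_token_char(p));
        let mut hit: Option<(usize, &str)> = None;
        if at_boundary {
            hit = SECRET_PREFIXES.iter().find(|(p, _)| rest.starts_with(*p)).map(|&(p, span)| {
                let tail = &rest[p.len()..];
                let extra = match span {
                    Span::Token => run_len(tail, is_token_char),
                    Span::Line => tail.find('\n').unwrap_or(tail.len()),
                };
                (p.len() + extra, "[REDACTED]")
            });
        }
        if hit.is_none() {
            // Paths are matched anywhere, with no boundary requirement.
            hit = PATH_PREFIXES.iter().find(|p| rest.starts_with(**p))
                .map(|p| (p.len() + run_len(&rest[p.len()..], is_path_char), "[PATH]"));
        }
        match hit {
            Some((len, label)) => {
                let buf = out.get_or_insert_with(|| String::with_capacity(input.len()));
                buf.push_str(&input[last..i]);
                buf.push_str(label);
                i += len;
                last = i;
            }
            None => i += c.len_utf8(),
        }
    }
    match out {
        None => Cow::Borrowed(input),
        Some(mut buf) => {
            buf.push_str(&input[last..]);
            Cow::Owned(buf)
        }
    }
}

/// Truncate to at most `max_chars` characters, always on a char boundary.
fn truncate_field(s: &str, max_chars: usize) -> String {
    s.chars().take(max_chars).collect()
}

/// Hypothetical stand-in for the call order in log_compression_failure():
/// redact first, then truncate, so the stored length budget is spent on
/// redacted text rather than on secret bytes.
pub fn sanitize_for_storage(field: &str, max_chars: usize) -> String {
    truncate_field(&redact_sensitive(field), max_chars)
}

fn main() {
    // Constructed sample input; the AWS key is the well-known documentation example.
    let raw = "AKIAIOSFODNN7EXAMPLE leaked from /home/alice/.aws/credentials";
    println!("{}", sanitize_for_storage(raw, 200));
}
```

The token-boundary check is a choice this example makes; a regex without `\b` would also hit `sk-` inside `task-123`, so whichever behaviour the real patterns have is worth a unit test. Redacting a PEM header to end of line still leaves the base64 body on the following lines untouched, which is in the same spirit as the PR's own list of uncovered formats (JWTs, emails, connection strings).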

…before storage (#1801)

Apply redact_sensitive() to compressed_context and failure_reason
in log_compression_failure() before truncation and SQLite insert.
The function uses two static LazyLock<Regex> patterns: one for
known secret prefixes (sk-, AKIA, ghp_, Bearer, etc.) and one
for filesystem paths (/home/, /Users/, /tmp/, etc.).

regex moved from optional to unconditional dep in zeph-memory since
storage-layer sanitization must run regardless of feature flags.
@github-actions github-actions bot added labels: documentation (Improvements or additions to documentation), memory (zeph-memory crate (SQLite)), rust (Rust code changes), dependencies (Dependency updates), bug (Something isn't working), size/M (Medium PR (51-200 lines)) on Mar 15, 2026
@bug-ops bug-ops enabled auto-merge (squash) March 15, 2026 16:11
@bug-ops bug-ops merged commit b448127 into main Mar 15, 2026
15 checks passed
@bug-ops bug-ops deleted the 1801-plaintext-pii-secrets branch March 15, 2026 16:18

Labels

  • bug: Something isn't working
  • dependencies: Dependency updates
  • documentation: Improvements or additions to documentation
  • memory: zeph-memory crate (SQLite)
  • rust: Rust code changes
  • size/M: Medium PR (51-200 lines)

Development

Successfully merging this pull request may close these issues.

security: plaintext PII/secrets risk in compression_failure_pairs table

1 participant