fix(tess): redact chat persistence and egress #725

Merged
jason.woltje merged 6 commits from fix/tess-redaction into main 2026-07-13 01:14:17 +00:00
Owner

Summary

  • redact classified content before chat persistence and socket egress
  • keep streaming fragments until a safe redaction boundary or bounded overflow
  • keep provider login material out of chat output

Verification

  • pnpm exec turbo run typecheck lint test --force (88 successful, 0 cached)
  • pnpm format:check

Refs #707

## Summary - redact classified content before chat persistence and socket egress - keep streaming fragments until a safe redaction boundary or bounded overflow - keep provider login material out of chat output ## Verification - `pnpm exec turbo run typecheck lint test --force` (88 successful, 0 cached) - `pnpm format:check` Refs #707
jason.woltje added 6 commits 2026-07-13 00:48:20 +00:00
Author
Owner

VERIFIED APPROVE reviewer-of-record [W-jarvis:reviewer] head 726f7ab772

Evidence:

  • Exact PR/branch head verified: 726f7ab7726ff3fe1cb8e6d7f65cdcae9b8d0802.
  • PR CI green on exact head: ci/woodpecker/pr/ci success.
  • Reviewed SEC-005 persistence hooks: user messages and assistant messages are passed through redactSensitiveContent() before brain.conversations.addMessage(), and metadata carries redaction classifications.
  • Reviewed SEC-005 egress hooks: assistant text/thinking deltas are buffered until a safe redaction boundary, then emitted only after redactSensitiveContent(); split secret labels/values and private-key blocks are held until redaction can happen, with bounded overflow redaction.
  • Canary coverage proves the hook path would fail without the change: split sk_... secret is not emitted, split token=... is not emitted, private-key block is not emitted, overflow emits [REDACTED_STREAM_OVERFLOW], and assistant persistence stores [REDACTED_SECRET] plus classification metadata. Redaction unit canaries cover secret + PII formats before persistence/egress use.
  • Provider login hardening removes auth URLs and raw poll tokens from chat output/metadata; only a token digest is stored in Valkey and command output contains provider name only.
  • git diff --check clean; no credential material or secret values in the PR diff beyond test canaries.
VERIFIED APPROVE reviewer-of-record [W-jarvis:reviewer] head 726f7ab7726ff3fe1cb8e6d7f65cdcae9b8d0802 Evidence: - Exact PR/branch head verified: `726f7ab7726ff3fe1cb8e6d7f65cdcae9b8d0802`. - PR CI green on exact head: `ci/woodpecker/pr/ci` success. - Reviewed SEC-005 persistence hooks: user messages and assistant messages are passed through `redactSensitiveContent()` before `brain.conversations.addMessage()`, and metadata carries redaction classifications. - Reviewed SEC-005 egress hooks: assistant text/thinking deltas are buffered until a safe redaction boundary, then emitted only after `redactSensitiveContent()`; split secret labels/values and private-key blocks are held until redaction can happen, with bounded overflow redaction. - Canary coverage proves the hook path would fail without the change: split `sk_...` secret is not emitted, split `token=...` is not emitted, private-key block is not emitted, overflow emits `[REDACTED_STREAM_OVERFLOW]`, and assistant persistence stores `[REDACTED_SECRET]` plus classification metadata. Redaction unit canaries cover secret + PII formats before persistence/egress use. - Provider login hardening removes auth URLs and raw poll tokens from chat output/metadata; only a token digest is stored in Valkey and command output contains provider name only. - `git diff --check` clean; no credential material or secret values in the PR diff beyond test canaries.
jason.woltje merged commit 7b9f40d3b7 into main 2026-07-13 01:14:17 +00:00
jason.woltje deleted branch fix/tess-redaction 2026-07-13 01:14:17 +00:00
Sign in to join this conversation.
No Reviewers
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: mosaicstack/stack#725