feat(shared): add secret detection and redaction #213

Merged
jack merged 5 commits from feat/191-secret-detection into main 2026-01-24 17:40:13 +00:00

Summary

Implements Issue #191 - Automatic detection and redaction of secrets in prompts and observations.

Features

Secret Detection Patterns

  • API Keys: OpenAI (sk-), Anthropic (sk-ant-), GitHub PAT (ghp_), GitLab PAT (glpat-)
  • AWS: Access Keys (AKIA), Secret Access Keys
  • Passwords: Generic password/secret/token patterns
  • Connection Strings: MongoDB, PostgreSQL, MySQL, Redis URIs
  • Private Keys: RSA, EC, DSA, OpenSSH private key headers
  • Tokens: JWT, Bearer tokens, Basic Auth

Configuration

```json
{
  "SECRET_DETECTION_ENABLED": true,
  "SECRET_DETECTION_MODE": "redact"  // "redact" | "skip" | "warn"
}
```

Modes

  • redact: Replace secrets with [REDACTED:type] (default)
  • skip: Don't store observations/prompts containing secrets
  • warn: Log warning but store unchanged

Changes

  • packages/shared/src/secret-detector.ts (NEW)

    • detectSecrets() - Find secrets in text
    • redactSecrets() - Replace secrets with placeholders
    • processSecrets() - Process based on config
    • calculateEntropy() - Shannon entropy for high-entropy detection
  • packages/shared/src/settings.ts

    • Added SECRET_DETECTION_ENABLED setting
    • Added SECRET_DETECTION_MODE setting
  • packages/hooks/src/handlers/post-tool-use.ts

    • Redact secrets in tool input/output before sending to backend
  • packages/hooks/src/handlers/user-prompt-submit.ts

    • Redact secrets in user prompts before storing

Test plan

  • Submit a prompt containing sk-test1234567890123456789012345678901234
  • Verify it's redacted to [REDACTED:openai_key] in database
  • Use a tool that outputs a password pattern
  • Verify tool output is redacted
  • Set SECRET_DETECTION_MODE: "skip" and verify observations are skipped
  • Set SECRET_DETECTION_MODE: "warn" and verify secrets are logged but stored

Closes #191

🤖 Generated with Claude Code
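The detect / redact / process flow the description outlines, as an added TypeScript illustration that is not the project's secret-detector.ts: the pattern set, the Finding shape and the processSecrets(text, mode, log) signature are assumptions, and the high-entropy path is left out. One point it makes concrete: the Anthropic sk-ant- pattern has to be tried before the generic OpenAI sk- prefix, or the redaction label comes out wrong.

```typescript
// Added illustration of the detect / redact / process flow described in the PR.
// Not the project's secret-detector.ts: pattern set, types and names are assumed.
type SecretType = "anthropic_key" | "openai_key" | "aws_access_key" | "private_key" | "jwt";
type Mode = "redact" | "skip" | "warn";
interface Finding { type: SecretType; start: number; end: number }

// Order matters: "sk-ant-" is tested before the generic "sk-" prefix so that an
// Anthropic key is not labelled as an OpenAI key.
const PATTERNS: [SecretType, RegExp][] = [
  ["anthropic_key", /sk-ant-[A-Za-z0-9_-]{20,}/g],
  ["openai_key", /sk-[A-Za-z0-9]{20,}/g],
  ["aws_access_key", /AKIA[0-9A-Z]{16}/g],
  ["private_key", /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g],
  ["jwt", /eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g],
];

export function detectSecrets(text: string): Finding[] {
  const found: Finding[] = [];
  for (const [type, re] of PATTERNS) {
    re.lastIndex = 0; // global regexes keep state between calls
    let m: RegExpExecArray | null;
    while ((m = re.exec(text)) !== null) {
      const start = m.index, end = start + m[0].length;
      // a span already claimed by a more specific pattern is not re-labelled
      if (!found.some(f => start < f.end && end > f.start)) found.push({ type, start, end });
    }
  }
  return found.sort((a, b) => a.start - b.start);
}

export function redactSecrets(text: string): string {
  let out = "", pos = 0;
  for (const f of detectSecrets(text)) {
    out += text.slice(pos, f.start) + `[REDACTED:${f.type}]`;
    pos = f.end;
  }
  return out + text.slice(pos);
}

// Returns null when the text must not be stored (skip mode); the log callback
// stands in for whatever logger the hooks use.
export function processSecrets(text: string, mode: Mode, log: (msg: string) => void = console.warn): string | null {
  const findings = detectSecrets(text);
  if (findings.length === 0) return text;
  const types = findings.map(f => f.type).join(",");
  if (mode === "skip") { log(`secret(s) detected (${types}); observation skipped`); return null; }
  if (mode === "warn") { log(`secret(s) detected (${types}); stored unchanged`); return text; }
  return redactSecrets(text);
}
```

The sample key from the test plan above redacts to `[REDACTED:openai_key]`; a value that trips the skip branch returns null, which the caller treats as "do not store".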

feat(shared): add secret detection and redaction
All checks were successful
CI / build (pull_request) Successful in 52s
a05f787930
Implements Issue #191 - Automatic detection and redaction of secrets.

- Add secret-detector.ts utility with:
  - Pattern-based detection for API keys, passwords, connection strings
  - Support for OpenAI, Anthropic, AWS, GitHub, GitLab tokens
  - JWT, Bearer token, and Basic Auth detection
  - Configurable modes: redact, skip, or warn
  - Shannon entropy calculation for high-entropy strings

- Add settings:
  - SECRET_DETECTION_ENABLED (default: true)
  - SECRET_DETECTION_MODE (default: 'redact')

- Integrate into hooks:
  - post-tool-use.ts: Redact secrets in tool input/output
  - user-prompt-submit.ts: Redact secrets in user prompts

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
jonas.hanisch force-pushed feat/191-secret-detection from a05f787930 (CI / build (pull_request) Successful in 52s) to ba17f4c33c (CI / build (pull_request) Successful in 39s) 2026-01-24 17:26:45 +00:00
Merge branch 'main' into feat/191-secret-detection
All checks were successful
CI / build (pull_request) Successful in 1m5s
e604527ff6
Merge branch 'main' into feat/191-secret-detection
All checks were successful
CI / build (pull_request) Successful in 54s
34b49cce3a
Merge branch 'main' into feat/191-secret-detection
All checks were successful
CI / build (pull_request) Successful in 1m15s
177ad5faa4
Merge branch 'main' into feat/191-secret-detection
All checks were successful
CI / build (pull_request) Successful in 56s
cea6170673
jack merged commit cc821621ac into main 2026-01-24 17:40:13 +00:00