hub/tasks/architecture/storage/document-payload-redaction.md
glm-5.1 2b63cda1c7 Setup repo: migrate architecture specs, code stubs, and tasks from alkhub_ts
Copy architecture docs, ADRs, storage domain specs, research, reviews,
and 56 storage architecture tasks from the alkhub_ts monorepo. Adapt for
standalone @alkdev/hub repo structure (src/ not packages/hub/).

Sanitize all sensitive information:
- Replace private IPs (10.0.0.1) with localhost defaults
- Remove internal server hostnames (dev1, ns528096)
- Replace /workspace/ private paths with npm package references
- Remove hardcoded credentials from examples
- Rewrite infrastructure.md without private network details

Add Deno project scaffolding: deno.json (pinned deps), .gitignore,
AGENTS.md, entry point. Migrate existing code stubs (crypto, config
types, logger) with updated import paths.
2026-05-25 10:56:32 +00:00


id: document-payload-redaction
name: Document Call Graph Payload Redaction Strategy
status: completed
depends_on:
scope: narrow
risk: medium
impact: component
level: implementation

Description

W08: The input and output JSONB columns on call_graph_nodes store full call payloads. Operations like hub.register (which receives auth tokens) would store API keys and secrets in cleartext. The truncation strategy (10KB) addresses size, not sensitive data. No redaction is mentioned.

Add a section to call-graph.md on sensitive data handling. Options: operation handlers mark fields as redacted; call graph writer applies field-level redaction by convention (fields named password, token, secret, key); truncation strategy extended with redaction pass.

Acceptance Criteria

  • call-graph.md has a "Sensitive Data Handling" section
  • Redaction strategy is specified (field-level by convention, handler-driven, or both)
  • Default redacted field names defined (e.g., password, token, secret, key, apiKey, authorization)
  • Redaction applies before DB write (not on read)
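
A sketch of the combined strategy (convention-based field names plus handler-supplied names, applied before the write and before truncation). This is an added example, not code from the repository; all function and constant names are hypothetical, and the suffix-matching rule and the shape of the truncated record are assumptions.

```typescript
// Added example; every name here is hypothetical, not taken from @alkdev/hub.
type Json = null | boolean | number | string | Json[] | { [k: string]: Json };

// Default names from the acceptance criteria above.
const DEFAULT_REDACTED = ["password", "token", "secret", "key", "apiKey", "authorization"];
const REDACTED = "[REDACTED]";
const MAX_BYTES = 10 * 1024; // the existing 10KB truncation limit

// Assumption: compare case-insensitively, ignore "-" and "_", match on suffix,
// so accessToken, api_key and X-Auth-Token are caught. Over-matching (e.g.
// "monkey") costs some debugging detail but never leaks a secret.
const norm = (s: string): string => s.toLowerCase().replace(/[-_]/g, "");

function isSensitiveKey(name: string, handlerFields: string[] = []): boolean {
  const n = norm(name);
  return [...DEFAULT_REDACTED, ...handlerFields].some((s) => n.endsWith(norm(s)));
}

// Walk the payload and replace the value of every sensitive field,
// including fields nested inside objects and arrays.
function redact(value: Json, handlerFields: string[] = []): Json {
  if (Array.isArray(value)) return value.map((v) => redact(v, handlerFields));
  if (value !== null && typeof value === "object") {
    const out: { [k: string]: Json } = {};
    for (const k of Object.keys(value)) {
      out[k] = isSensitiveKey(k, handlerFields) ? REDACTED : redact(value[k], handlerFields);
    }
    return out;
  }
  return value;
}

// Redact first, then enforce the size limit. Truncating first would turn the
// payload into an opaque string in which field names can no longer be matched.
// Assumed truncation shape: a marker object with a short preview string.
function prepareForWrite(payload: Json, handlerFields: string[] = []): Json {
  const clean = redact(payload, handlerFields);
  const text = JSON.stringify(clean);
  if (new TextEncoder().encode(text).length <= MAX_BYTES) return clean;
  return { truncated: true, preview: text.slice(0, 1024) };
}
```

Name-based matching does not catch secrets embedded in free-text values (for example a token pasted into a `message` field); handler-supplied field names are the place to cover those.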

References

  • docs/reviews/storage-architecture-review-2026-04-21.md#W08
  • docs/architecture/storage/call-graph.md:22-23

Notes

To be filled by implementation agent

Summary

To be filled on completion