feat: unified task.json schema migration and multi-module updates

- Create task-schema.json (JSON Schema draft-07) with 10 field blocks fusing Unified JSONL, 6-field Task JSON, and Solution Schema advantages - Migrate unified-execute-with-file from JSONL to .task/*.json directory scanning - Migrate 3 producers (lite-plan, plan-converter, collaborative-plan) to .task/*.json multi-file output - Add review-cycle Phase 7.5 export-to-tasks (FIX-*.json) and issue-resolve --export-tasks option - Add schema compatibility annotations to action-planning-agent, workflow-plan, and tdd-plan - Add spec-generator skill phases and templates - Add memory v2 pipeline (consolidation, extraction, job scheduler, embedder) - Add secret-redactor utility and core-memory enhancements - Add codex-lens accuracy benchmarks and staged env config overrides
2026-02-28 09:23:08 +08:00 · 2026-02-11 17:40:56 +08:00
parent 7aa1038951
commit 99ee4e7d36
36 changed files with 7823 additions and 315 deletions
--- a/ccw/src/utils/secret-redactor.ts
+++ b/ccw/src/utils/secret-redactor.ts
@@ -0,0 +1,50 @@
+/**
+ * Secret Redactor - Regex-based secret pattern detection and replacement
+ *
+ * Scans text for common secret patterns (API keys, tokens, credentials)
+ * and replaces them with [REDACTED_SECRET] to prevent leakage into
+ * memory extraction outputs.
+ *
+ * Patterns are intentionally specific (prefix-based) to minimize false positives.
+ */
+
+const REDACTED = '[REDACTED_SECRET]';
+
+/**
+ * Secret patterns with named regex for each category.
+ * Each pattern targets a specific, well-known secret format.
+ */
+const SECRET_PATTERNS: ReadonlyArray<{ name: string; regex: RegExp }> = [
+  // OpenAI API keys: sk-<20+ alphanumeric chars>
+  { name: 'openai_key', regex: /sk-[A-Za-z0-9]{20,}/g },
+  // AWS Access Key IDs: AKIA<16 uppercase alphanumeric chars>
+  { name: 'aws_key', regex: /AKIA[0-9A-Z]{16}/g },
+  // Bearer tokens: Bearer <16+ token chars>
+  { name: 'bearer_token', regex: /Bearer\s+[A-Za-z0-9._\-]{16,}/g },
+  // Secret assignments: key=value or key:value patterns for known secret variable names
+  { name: 'secret_assignment', regex: /(?:api_key|token|secret|password)[:=]\S+/gi },
+];
+
+/**
+ * Apply regex-based secret pattern matching and replacement.
+ *
+ * Scans the input text for 4 pattern categories:
+ * 1. OpenAI API keys (sk-...)
+ * 2. AWS Access Key IDs (AKIA...)
+ * 3. Bearer tokens (Bearer ...)
+ * 4. Secret variable assignments (api_key=..., token:..., etc.)
+ *
+ * @param text - Input text to scan for secrets
+ * @returns Text with all matched secrets replaced by [REDACTED_SECRET]
+ */
+export function redactSecrets(text: string): string {
+  if (!text) return text;
+
+  let result = text;
+  for (const { regex } of SECRET_PATTERNS) {
+    // Reset lastIndex for global regexes to ensure fresh match on each call
+    regex.lastIndex = 0;
+    result = result.replace(regex, REDACTED);
+  }
+  return result;
+}