summaryrefslogtreecommitdiffhomepage
path: root/packages/kernel/src/runtime
diff options
context:
space:
mode:
authorAdam Malczewski <[email protected]>2026-06-05 17:23:13 +0900
committerAdam Malczewski <[email protected]>2026-06-05 17:23:13 +0900
commit5ae88d4e98b3b585526ab0534be8e4c12f1ac071 (patch)
tree86d6b83ac02f978979dc76fefa2308234e17d06a /packages/kernel/src/runtime
parent64a66d5e41c5ab54a1d0a7712866be722b742d4b (diff)
downloaddispatch-5ae88d4e98b3b585526ab0534be8e4c12f1ac071.tar.gz
dispatch-5ae88d4e98b3b585526ab0534be8e4c12f1ac071.zip
fix(observability): record-mode redaction leaked capitalized Authorization header — case-insensitive mask (+3 regression tests)
A live capture exposed that provider record mode saved the request Authorization header with the API key in CLEARTEXT: onExchange redaction matched lowercase 'authorization', but streamChat sends 'Authorization' (capital A) and recordFetch captures headers verbatim, so the real header slipped through. The provider.request SPAN redaction was unaffected (it masks from config.apiKey directly — journal + trace-DB showed zero leaks); the leak was record-mode-only and caught PRE-COMMIT (fixture was /tmp-only, scrubbed). Fix: redact auth case-insensitively across all captured header keys (strip Bearer, maskSecret the token, re-prepend, preserve key casing). New tests: reproduce the exact capital-Authorization leak (would have caught it), a lowercase case, and a guard that no authorization header of ANY casing survives carrying a raw sk- token. 334 tests (331 -> +3), typecheck + biome 0/0. This is the live-capture step (D5) earning its keep — real data exposed what the synthetic redaction test assumed away.
Diffstat (limited to 'packages/kernel/src/runtime')
0 files changed, 0 insertions, 0 deletions