diff options
| author | Adam Malczewski <[email protected]> | 2026-06-05 17:23:13 +0900 |
|---|---|---|
| committer | Adam Malczewski <[email protected]> | 2026-06-05 17:23:13 +0900 |
| commit | 5ae88d4e98b3b585526ab0534be8e4c12f1ac071 (patch) | |
| tree | 86d6b83ac02f978979dc76fefa2308234e17d06a /packages/kernel/src | |
| parent | 64a66d5e41c5ab54a1d0a7712866be722b742d4b (diff) | |
| download | dispatch-5ae88d4e98b3b585526ab0534be8e4c12f1ac071.tar.gz dispatch-5ae88d4e98b3b585526ab0534be8e4c12f1ac071.zip | |
fix(observability): record-mode redaction leaked capitalized Authorization header — case-insensitive mask (+3 regression tests)
A live capture exposed that provider record mode saved the request Authorization header with the API key in CLEARTEXT: onExchange redaction matched lowercase 'authorization', but streamChat sends 'Authorization' (capital A) and recordFetch captures headers verbatim, so the real header slipped through. The provider.request SPAN redaction was unaffected (it masks from config.apiKey directly — journal + trace-DB showed zero leaks); the leak was record-mode-only and caught PRE-COMMIT (fixture was /tmp-only, scrubbed). Fix: redact auth case-insensitively across all captured header keys (strip Bearer, maskSecret the token, re-prepend, preserve key casing).
New tests: reproduce the exact capital-Authorization leak (would have caught it), a lowercase case, and a guard that no authorization header of ANY casing survives carrying a raw sk- token. 334 tests (331 -> +3), typecheck + biome 0/0. This is the live-capture step (D5) earning its keep — real data exposed what the synthetic redaction test assumed away.
Diffstat (limited to 'packages/kernel/src')
0 files changed, 0 insertions, 0 deletions
