security

package
v0.2.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 29, 2026 License: MIT Imports: 7 Imported by: 0

Documentation

Overview

Package security holds the guardrails that keep mnemos local-first and secret-free: the SecretScanner that screens captured content before it is written, and the path/exclude rules that bound what the agent can touch.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ResolveWithin

func ResolveWithin(root, p string, exclude []string) (abs string, uri string, err error)

ResolveWithin validates a caller-supplied path against a write root and returns the cleaned absolute path and the slash-normalized, root-relative URI used as documents.uri. p may be relative to root or absolute; either way the resolved location must stay strictly under root.

It is the single guard for every write/delete the agent can trigger (mnemos.remember custom path, forget, move). It rejects, in order:

  • traversal that escapes root (a "../" prefix after cleaning),
  • a path that resolves to root itself (not a file),
  • the internal ".mnemos/" directory (db, capture sandbox),
  • any URI matching an exclude glob (the security.exclude set),
  • symlink escape: the deepest existing ancestor is resolved with EvalSymlinks and re-checked for containment, so a symlink pointing outside root cannot be used as a write target.

Types

type Finding

type Finding struct {
	// Rule is the identifier of the pattern that matched.
	Rule string
	// contains filtered or unexported fields
}

Finding is one secret match in scanned content. Rule names the pattern that fired (e.g. "aws-access-key-id"). The matched substring is held on an unexported field so it cannot leak through serialization or an external caller: the remember tool reports only Rule names and never echoes the value back to the agent. In-package code (and tests) can still read it.

type RegexScanner

type RegexScanner struct{}

RegexScanner detects secrets with a fixed set of compiled patterns. It is the default SecretScanner: cgo-free, dependency-free, and tuned for the bare strings captured via mnemos.remember (where gitleaks' file-context heuristics do not fire). Construct with NewRegexScanner.

func NewRegexScanner

func NewRegexScanner() RegexScanner

NewRegexScanner returns the default regex-based secret scanner.

func (RegexScanner) Scan

func (RegexScanner) Scan(content string) ([]Finding, error)

Scan reports every high-signal credential pattern found in content. Two distinct secrets on one line yield two findings; the same substring matched by multiple patterns is reported once, under the first (most specific) rule. The result is nil for clean content.

type SecretScanner

type SecretScanner interface {
	// Scan returns one Finding per detected secret. A clean input yields a nil
	// slice and a nil error. err is non-nil only on an operational failure, not
	// on the presence of a secret.
	Scan(content string) ([]Finding, error)
}

SecretScanner screens free-form content for credentials before it is persisted. It is the single swappable seam for secret detection: the regex implementation below can be replaced by a gitleaks-backed one without touching callers.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL