Documentation
¶
Overview ¶
Package security holds the guardrails that keep mnemos local-first and secret-free: the SecretScanner that screens captured content before it is written, and the path/exclude rules that bound what the agent can touch.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ResolveWithin ¶
ResolveWithin validates a caller-supplied path against a write root and returns the cleaned absolute path and the slash-normalized, root-relative URI used as documents.uri. p may be relative to root or absolute; either way the resolved location must stay strictly under root.
It is the single guard for every write/delete the agent can trigger (mnemos.remember custom path, forget, move). It rejects, in order:
- traversal that escapes root (a "../" prefix after cleaning),
- a path that resolves to root itself (not a file),
- the internal ".mnemos/" directory (db, capture sandbox),
- any URI matching an exclude glob (the security.exclude set),
- symlink escape: the deepest existing ancestor is resolved with EvalSymlinks and re-checked for containment, so a symlink pointing outside root cannot be used as a write target.
Types ¶
type Finding ¶
type Finding struct {
// Rule is the identifier of the pattern that matched.
Rule string
// contains filtered or unexported fields
}
Finding is one secret match in scanned content. Rule names the pattern that fired (e.g. "aws-access-key-id"). The matched substring is held on an unexported field so it cannot leak through serialization or an external caller: the remember tool reports only Rule names and never echoes the value back to the agent. In-package code (and tests) can still read it.
type RegexScanner ¶
type RegexScanner struct{}
RegexScanner detects secrets with a fixed set of compiled patterns. It is the default SecretScanner: cgo-free, dependency-free, and tuned for the bare strings captured via mnemos.remember (where gitleaks' file-context heuristics do not fire). Construct with NewRegexScanner.
func NewRegexScanner ¶
func NewRegexScanner() RegexScanner
NewRegexScanner returns the default regex-based secret scanner.
func (RegexScanner) Scan ¶
func (RegexScanner) Scan(content string) ([]Finding, error)
Scan reports every high-signal credential pattern found in content. Two distinct secrets on one line yield two findings; the same substring matched by multiple patterns is reported once, under the first (most specific) rule. The result is nil for clean content.
type SecretScanner ¶
type SecretScanner interface {
// Scan returns one Finding per detected secret. A clean input yields a nil
// slice and a nil error. err is non-nil only on an operational failure, not
// on the presence of a secret.
Scan(content string) ([]Finding, error)
}
SecretScanner screens free-form content for credentials before it is persisted. It is the single swappable seam for secret detection: the regex implementation below can be replaced by a gitleaks-backed one without touching callers.