wifi-densepose

Commit Graph

Author	SHA1	Message	Date
rUv	5287497a4a	security(homecore-migrate): redact secret value from malformed secrets.yaml error (#1089 ) * fix(homecore-migrate): redact secret value from malformed secrets.yaml error (secret-leak) `read_secrets` wrapped serde_yaml's parse error into `MigrateError::YamlParse { source }`. serde_yaml's message for a typed-tag coercion failure embeds the offending scalar verbatim, e.g. `invalid value: string "<the-secret-value>"`. That error propagates out of `read_secrets`, is `?`-returned by the `InspectSecrets` CLI path in main.rs, and printed to stderr by anyhow — leaking a secret value despite the CLI's deliberate `<redacted>` design. Fix: secrets.yaml parse failures now map to a new redacting variant `MigrateError::SecretsParse { path, line, column }` that carries only the file path and a coarse location (from `serde_yaml::Error::location()`), never the scalar content. Other (non-secret) YAML files keep `YamlParse`. Pinned by `secrets::tests::malformed_secrets_error_never_contains_secret_value` (asserts the rendered error AND its full #[source] chain never contain the secret value; fails on the old `YamlParse` path) plus `malformed_secrets_error_reports_location` (still fail-closed + locatable). ADR-165 secret-handling rule: a secret value must never appear in output. Co-Authored-By: claude-flow <ruv@ruv.net> * docs(homecore-migrate): record secret-leak fix in ADR-165 + CHANGELOG Note the secrets.yaml error-redaction fix and the review's clean dimensions (read-only source / no traversal / no panic / fail-closed versioning / no injection) in ADR-165 §2.4, bump the test-evidence count 19→21 in §2.6, and add an [Unreleased] Security entry to CHANGELOG. Co-Authored-By: claude-flow <ruv@ruv.net>	2026-06-14 23:09:55 -04:00
ruv	e3696da8d8	docs(adr): write ADR-165 (HOMECORE-MIGRATE), repoint migrate 134→165 — ADR-164 G3 homecore-migrate cited "ADR-134 (HOMECORE-MIGRATE)", but on-disk ADR-134 is "First-Class CIR Support" — a different decision. The migrate crate was governed by a phantom identity (ADR-164 Gap G3). - New ADR-165-homecore-migrate-from-home-assistant.md (next free number), reverse-documented from the shipped P1 scaffold: HA .storage reader, versioned format gate (unknown minor_version = hard error), per-artifact parsers, inspect CLI, structured errors. Status: Accepted — P1 scaffold (full conversion P2). Trust-boundary rationale for the untrusted .storage import is the centerpiece. - Repointed every ADR-134 governing reference in v2/crates/homecore-migrate/ (Cargo.toml, README.md, src/lib.rs, src/config_entries.rs, src/storage_format/mod.rs) → ADR-165. Left the ADR-132 (recorder-feature) refs intact. Explanatory renumber notes retained. - On-disk ADR-134 (CIR) untouched. ADR-126 series-map registry row owner-gated. Docs/comments only — cargo build -p homecore-migrate --no-default-features still compiles. Co-Authored-By: claude-flow <ruv@ruv.net>	2026-06-12 23:00:33 -04:00

Author

SHA1

Message

Date

rUv

5287497a4a

security(homecore-migrate): redact secret value from malformed secrets.yaml error (#1089 )

* fix(homecore-migrate): redact secret value from malformed secrets.yaml error (secret-leak)

`read_secrets` wrapped serde_yaml's parse error into `MigrateError::YamlParse {
source }`. serde_yaml's message for a typed-tag coercion failure embeds the
offending scalar verbatim, e.g. `invalid value: string "<the-secret-value>"`.
That error propagates out of `read_secrets`, is `?`-returned by the
`InspectSecrets` CLI path in main.rs, and printed to stderr by anyhow — leaking
a secret value despite the CLI's deliberate `<redacted>` design.

Fix: secrets.yaml parse failures now map to a new redacting variant
`MigrateError::SecretsParse { path, line, column }` that carries only the file
path and a coarse location (from `serde_yaml::Error::location()`), never the
scalar content. Other (non-secret) YAML files keep `YamlParse`.

Pinned by `secrets::tests::malformed_secrets_error_never_contains_secret_value`
(asserts the rendered error AND its full #[source] chain never contain the
secret value; fails on the old `YamlParse` path) plus
`malformed_secrets_error_reports_location` (still fail-closed + locatable).

ADR-165 secret-handling rule: a secret value must never appear in output.

Co-Authored-By: claude-flow <ruv@ruv.net>

* docs(homecore-migrate): record secret-leak fix in ADR-165 + CHANGELOG

Note the secrets.yaml error-redaction fix and the review's clean dimensions
(read-only source / no traversal / no panic / fail-closed versioning / no
injection) in ADR-165 §2.4, bump the test-evidence count 19→21 in §2.6, and add
an [Unreleased] Security entry to CHANGELOG.

Co-Authored-By: claude-flow <ruv@ruv.net>

2026-06-14 23:09:55 -04:00

ruv

e3696da8d8

docs(adr): write ADR-165 (HOMECORE-MIGRATE), repoint migrate 134→165 — ADR-164 G3

homecore-migrate cited "ADR-134 (HOMECORE-MIGRATE)", but on-disk ADR-134 is
"First-Class CIR Support" — a different decision. The migrate crate was governed
by a phantom identity (ADR-164 Gap G3).

- New ADR-165-homecore-migrate-from-home-assistant.md (next free number),
  reverse-documented from the shipped P1 scaffold: HA .storage reader, versioned
  format gate (unknown minor_version = hard error), per-artifact parsers, inspect
  CLI, structured errors. Status: Accepted — P1 scaffold (full conversion P2).
  Trust-boundary rationale for the untrusted .storage import is the centerpiece.
- Repointed every ADR-134 governing reference in v2/crates/homecore-migrate/
  (Cargo.toml, README.md, src/lib.rs, src/config_entries.rs,
  src/storage_format/mod.rs) → ADR-165. Left the ADR-132 (recorder-feature)
  refs intact. Explanatory renumber notes retained.
- On-disk ADR-134 (CIR) untouched. ADR-126 series-map registry row owner-gated.

Docs/comments only — cargo build -p homecore-migrate --no-default-features
still compiles.

Co-Authored-By: claude-flow <ruv@ruv.net>

2026-06-12 23:00:33 -04:00

2 Commits