Feat/memory encryption at rest #11
Conversation
- Introduced `field-encryption.mjs` for AES-256-GCM encryption and decryption of sensitive memory data.
- Added `postgres-statements.mjs` to manage memory statements with encryption support, including functions for splitting and merging memory statements.
- Created `memory_statements.sql` for defining the database schema for storing encrypted memory statements.
- Implemented tests for encryption and decryption processes, ensuring sensitive data is not exposed in plaintext.
- Updated `package.json` to include new modules for field encryption and memory statements.
SSoC26 Labeling: This Pull Request has been automatically linked to the corresponding issue labels:

SSoC26 Warning: We noticed that you haven't created a corresponding dummy PR in the main Context repository yet.

Hi, this contribution is being made in the Memact/Memory repository. Could you please clarify whether a separate dummy PR is still required in the main Context repository for SSoC26 tracking? If so, I'll create it and link it here.

@Ingole712521 Definitely. Without a dummy PR, SSoC won't take this PR under account.

ok

SSoC26 Review Update: We have verified that your implementation for Memory Encryption at Rest looks excellent and passes all 34 unit tests successfully! However, because this contribution is located in a sub-repository (
Once the dummy PR is open, the automation will automatically link, label, and proceed with the merge. Thank you!

Give me some time, I will create a dummy PR.

@keepsloading done with the Dummy PR

Dummy PR detected in Memact/Context (#73).
feat #5
Add transparent AES-256-GCM encryption for sensitive memory statements at rest in PostgreSQL
Summary
- `field-encryption.mjs` with AES-256-GCM encrypt/decrypt using keys from `MEMACT_MEMORY_ENCRYPTION_KEY` and optional `MEMACT_MEMORY_ENCRYPTION_KEY_ID`.
- `postgres-statements.mjs` and `sql/memory_statements.sql` to store public metadata in plain columns while encrypting sensitive statement fields (`summary`, `value`, `attributes`, `provenance`, `sources`, etc.) into `sensitive_payload` + IV + auth tag.
- `createPostgresStatementStore()` for transparent encrypt-on-write / decrypt-on-read, plus optional `createPgQueryExecutor()` for real PostgreSQL via the `pg` package.
- "peanuts" are not readable as plaintext in stored table payloads.
Why
Sensitive memory statement content must not sit in PostgreSQL as readable plaintext. This change encrypts statement columns at rest while keeping queryable metadata (type, field path, sensitivity, label) available for indexing and access control.