Skip to content

feat(decisioning): credential-leak guidance + write-only field strip on every echo path #463

Closed
#481
Closed
feat(decisioning): credential-leak guidance + write-only field strip on every echo path#463
#481
Labels
claude-triagedenhancementNew feature or request
@bokelley

Description

@bokelley
bokelley
opened on May 3, 2026

Parent: #452

JS source

.changeset/account-store-sync-governance.md, commit ebaa4b3a docs(server): ctx_metadata credential-leak guidance (6.7).

Defense-in-depth

Write-only credentials should be stripped at the wire-emit boundary so adopters can return loosely-typed rows or spread DB records without leaking credentials.

Specifically:

  • governance_agents[i].authentication.credentials — strip on emit.
  • billing_entity.bank — already handled by project_account_for_response.

Need the same projection treatment for governance_agents[i].authentication.

Plus: ctx_metadata credential-leak doc

Add explicit guidance to CLAUDE.md (or equivalent surface) that ctx_metadata MUST NOT contain credentials — it round-trips to the client.

Acceptance criteria

  • governance_agents[i].authentication.credentials stripped on every emit path (resolve / list / sync_governance / upsert echo).
  • Tests verify strip — including a record with credentials present in the input does not appear in the wire output.
  • Doc updated with credential-leak guidance for ctx_metadata.

Note

Some of this overlaps with #456's sync_governance(ctx) work. This issue covers the broader "every echo path" sweep + the documentation deliverable.

Metadata

Metadata

Assignees

No one assigned

    Labels

    claude-triagedenhancementNew feature or request

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions