fix(network): zeroize bot-auth seed on drop and harden secret handling#1195

Merged
chaliy merged 1 commit into main from 2026-04-09-process-and-ship-issue-1177
Apr 11, 2026

Conversation

@chaliy
Contributor

@chaliy chaliy commented Apr 9, 2026

What

  • Store bot-auth secret material as raw seed bytes and explicitly zeroize them in Drop.
  • Keep Debug output redacted for BotAuthConfig.
  • Add regression test verifying seed bytes are wiped on drop.
  • Keep bot-auth feature wired to zeroize.
  • Update threat-model and request-signing specs to reflect TM-CRY-001 mitigation.

Why

Issue #1177 requires explicit key-material hygiene: prevent long-lived secret exposure in memory and improve security-audit clarity around cryptographic material handling.

How

  • BotAuthConfig now holds seed: [u8; 32] and calls seed.zeroize() in Drop.
  • SigningKey is reconstructed only at use sites (keyid, signing, public-key derivation).
  • Added tests:
    • seed_zeroized_on_drop
    • debug_redacts_key_material
  • Updated docs/specs:
    • Threat category TM-CRY and mitigation TM-CRY-001
    • Request-signing spec language updated to Drop-based zeroization

Validation

  • cargo fmt --check
  • cargo test -p bashkit --features bot-auth network::bot_auth -- --nocapture
  • cargo clippy -p bashkit --features bot-auth -- -D warnings
  • just pre-pr (known environment failure in bash comparison due to missing host tools bc/file, unrelated to this patch)

Closes #1177.
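The Drop-based zeroization, use-site key reconstruction and Debug redaction described under "How", as an added std-only illustration that is not the project's code: `zeroize_bytes` stands in for the zeroize crate, `with_seed` stands in for rebuilding the SigningKey at use sites, and the type layout and names are assumed.

```rust
use std::fmt;
use std::mem::ManuallyDrop;
use std::sync::atomic::{compiler_fence, Ordering};

/// Zero a buffer with volatile writes plus a compiler fence so the optimizer
/// cannot drop the stores; std-only stand-in for the zeroize crate.
pub fn zeroize_bytes(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        unsafe { std::ptr::write_volatile(b, 0) }; // `b` is a valid exclusive byte
    }
    compiler_fence(Ordering::SeqCst);
}
/// Hypothetical config holding only the raw 32-byte seed (assumed layout).
pub struct BotAuthConfig {
    pub key_id: String,
    seed: [u8; 32],
}
impl BotAuthConfig {
    pub fn new(key_id: &str, seed: [u8; 32]) -> Self {
        Self { key_id: key_id.to_string(), seed }
    }
    /// Use-site access: copy the seed into a short-lived buffer (where the real
    /// code would rebuild its SigningKey), run `f`, then wipe the copy.
    pub fn with_seed<R>(&self, f: impl FnOnce(&[u8; 32]) -> R) -> R {
        let mut tmp = self.seed;
        let out = f(&tmp);
        zeroize_bytes(&mut tmp);
        out
    }
}
impl Drop for BotAuthConfig {
    fn drop(&mut self) { zeroize_bytes(&mut self.seed); }
}
/// Redacted Debug: the key id is useful in logs, the seed never is.
impl fmt::Debug for BotAuthConfig {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("BotAuthConfig").field("key_id", &self.key_id)
            .field("seed", &"<redacted>").finish()
    }
}
/// Regression check: run the destructor while ManuallyDrop still owns the
/// storage, then read that storage back through a raw pointer.
pub fn seed_zeroized_on_drop() -> bool {
    let mut cfg = ManuallyDrop::new(BotAuthConfig::new("bot-1", [0xAB; 32]));
    let ptr = cfg.seed.as_ptr();
    unsafe { ManuallyDrop::drop(&mut cfg) };
    // SAFETY: storage is still live and any bit pattern is a valid [u8; 32].
    let after = unsafe { std::slice::from_raw_parts(ptr, 32) };
    after.iter().all(|&b| b == 0)
}
```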

Use explicit Drop-based zeroization for BotAuthConfig seed bytes, keep Debug redaction, and add a regression test verifying seed bytes are wiped after drop. Update threat-model and request-signing specs for TM-CRY-001 and keep bot-auth feature wired to zeroize.
@chaliy chaliy changed the title from "Zeroize BotAuth seed on drop, redact debug output, and update docs/tests" to "fix(network): zeroize bot-auth seed on drop and harden secret handling" Apr 9, 2026
@chaliy chaliy merged commit 8d77304 into main Apr 11, 2026
27 checks passed
@chaliy chaliy deleted the 2026-04-09-process-and-ship-issue-1177 branch April 11, 2026 01:53
chaliy added a commit that referenced this pull request Apr 11, 2026
…ials

Closes #1189 — SshConfig and SshTarget derived Debug, leaking passwords
and private keys into logs, error messages, and LLM context.
BotAuthConfig was already fixed in #1195.
Development

Successfully merging this pull request may close these issues.

sec(bot-auth): Ed25519 private key held in memory without zeroization