Gabor Körber
087429d275
Implement Goals 1–3 and 5 from the reveal-layer security brain goal.
fermata now detects, redacts, and scans for secrets in AI agent tool
output, filling the ecosystem gap where no coding agent filters secrets
post-read.
New core/secrets/ module:
- config.rs: .botsecrets TOML format with hierarchical merge and ~40
built-in key patterns
- parser.rs: multi-format secret file parser (.env, TOML, YAML, JSON,
Python assignments, Java properties)
- manifest.rs: file discovery + parsing → known-secrets set
- redactor.rs: Aho-Corasick multi-pattern replacement with 4 styles
- scanner.rs: RegexSet heuristic detection with 35 gitleaks-derived
patterns (MIT) and Shannon entropy filtering
- patterns.rs: curated rules for AWS, GitHub, Stripe, Slack, JWT, etc.
Hook integration:
- fermata hook --event post-tool-use reads tool output, runs redactor +
scanner, returns updatedToolOutput for Claude Code
- Backward compatible: --event pre-tool-use (default) unchanged
- Fail-open: errors produce {} and exit 0
Library API:
- Redactor::new(manifest, style).redact(text) → RedactedText
- Scanner::new(config).scan(text) → Vec<Finding>
- Compiles without CLI feature for embedding in other crates
195 tests (130 new), all passing.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2.9 KiB
2.9 KiB
Package: dirigent_fermata
Harness-agnostic policy gate and secret filtering engine for AI coding agents.
Quick Facts
- Type: Library + binary (
fermata) - Main Entry:
src/lib.rs,src/bin/fermata.rs - Dependencies:
ignore,toml,regex,globset,serde,clap(cli feature),aho-corasick,serde_yaml - Status: v0.2 — policy gate + secret filtering engine
Layering
Three concentric layers; nothing inner imports from anything outer.
core/— harness-unaware, transport-unaware, sync. Types (Op,Decision),.botignorewalker,botignore.tomlparser,Policy::check/check_command, path extraction. Sync, no tokio.core/secrets/— the secret filtering engine:config.rs—.botsecretsTOML parser and hierarchical resolution (user, project, local override).manifest.rs— discovers secret-containing files from.botsecretspatterns and loads their content for redaction.parser.rs— multi-format secret file parser (.env, TOML, YAML, JSON). Extracts key-value pairs where the value is a secret.patterns.rs— built-in key name patterns (~30 universal patterns like*_KEY,*_SECRET,*_PASSWORD) and gitleaks-derived regex patterns for heuristic scanning.redactor.rs—Redactorbuilds an Aho-Corasick automaton from known secret values and replaces them in arbitrary text. Sub-millisecond performance.scanner.rs—Scannerapplies heuristic regex patterns to detect secrets not covered by the known-value manifest (entropy-based and format-based detection).
harness/—HarnessAdaptertrait over a normalizedToolCall(PreToolUse) andPostToolUsePayload(PostToolUse). Each adapter (Claude, future Codex, etc.) lives in its own submodule, feature-gated. PostToolUse enables output redaction viaupdatedToolOutputbefore content enters the LLM context.bin/fermata.rs— only place whereclap, stdio, and exit codes appear.
Release Model
Developed in this monorepo; planned to be exported as a standalone repo in the future for advertising / external distribution. Development stays here. See docs/tools/fermata.md.
Dependency Direction
dirigent_tools depends on dirigent_fermata, never the reverse. Fermata must remain usable as a standalone hook/MCP without dragging in the in-process ACP tool runtime.
Out of scope (v0.2)
Codex / Gemini hook adapters, MCP server mode, readonly_only Bash mode, audit log, filesystem watcher, context taint tracking. Each is a future task with its own plan.
See also
docs/tools/fermata.md— Dirigent integration plandocs/workpad/brainstorm/fermata.md— canonical product specdocs/architecture/fermata-security-philosophy.md— security philosophy and the reveal triangle.botsecretsformat:core/secrets/config.rs— the.gitignoreof AI agent secret protection