Research — Secret Redaction Hardening & Snapshot Data Integrity (Spec 120)

This document records the design choices for the reduced Spec 120 scope after removing the pre-go-live legacy-data remediation workflow.

Decisions

Decision: Introduce one shared secret-classification service that evaluates protected fields by exact field name plus canonical path, and reuse it across snapshot protection, audit sanitization, verification sanitization, and ops failure sanitization.
Rationale: The current codebase had multiple substring-based sanitizers. Spec 120 requires one authority so safe configuration fields like passwordMinimumLength remain visible while true secrets stay protected.

Decision: Represent protected locations as source-bucketed RFC 6901 JSON Pointers, stored under secret_fingerprints buckets: snapshot, assignments, and scope_tags.
Rationale: JSON Pointer is deterministic, array-safe, and avoids ambiguity between object keys and numeric list indexes.

Decision: Make VersionService::captureVersion() the sole write-time owner of protected snapshot generation.
Rationale: VersionService is the final PolicyVersion persistence boundary. Removing duplicate masking from PolicyCaptureOrchestrator eliminates double-redaction and ensures dedupe/version creation decisions use the same protected result.

Decision: Persist protected values as [REDACTED], store the ruleset marker in policy_versions.redaction_version, and store path-keyed HMAC digests in policy_versions.secret_fingerprints.
Rationale: The placeholder preserves JSON shape for downstream consumers, while dedicated columns keep the change signal and contract version out of generic metadata.

Decision: Use HMAC-SHA256 with a signing key derived from the app key and the stable workspace_id, then hash the tuple (source_bucket, json_pointer, normalized_secret_value).
Rationale: This satisfies the workspace-isolation requirement while keeping fingerprints deterministic inside one workspace and non-correlatable across workspaces.

Decision: Apply the protected contract consistently to all persisted protected payload buckets: snapshot, assignments, and scope_tags. Version identity must incorporate both the visible protected payload and the fingerprint map so secret-only changes create a new PolicyVersion.
Rationale: If dedupe ignores secret_fingerprints, secret-only changes still collapse into one version and FR-120-007 fails.

Decision: Protected-value messaging remains text-first on existing viewers and export surfaces. The product explains that protected values were intentionally hidden, but it does not ship a dedicated historical-data remediation workflow.
Rationale: Production starts with fresh compliant data, so the feature only needs to explain current protected behavior, not historical repair.

Decision: Replace substring-match regression expectations with a corpus-based test matrix covering safe fields, true secrets, secret-only version changes, audit/verification readability, and notification/export behavior.
Rationale: The existing suite proved the old broken behavior. Phase 1 needs tests that lock in exact/path-based classification and block new broad substring redactors.

PolicySnapshotRedactor previously used broad regex patterns and was invoked both in PolicyCaptureOrchestrator and VersionService.
AuditContextSanitizer, VerificationReportSanitizer, and RunFailureSanitizer all contained substring-based protection logic.
policy_versions already stores immutable snapshot evidence consumed by drift, compare, and restore flows.
Pre-go-live data is disposable for this product rollout, so no supported legacy-data remediation workflow is required in this feature.