bug: Vault secrets are persisted in plaintext in data files and workflow run logs

[stack72]

Summary

Vault secrets resolved via vault.get() CEL expressions are persisted in plaintext in two locations:

1. Data files — the command field in .swamp/data/ contains the resolved secret value (e.g., echo super-secret-value-12345 instead of the CEL template)
2. Workflow run logs — the resolved secret appears in plaintext in .swamp/workflow-runs/<workflow-id>/workflow-run-<run-id>.log

Reproduction

Data file leakage

1. Create a vault and store a secret:

   swamp vault create local_encryption test-vault
   swamp vault put test-vault SECRET_VALUE=super-secret-value-12345
   

2. Install a model that references the secret via CEL:

   # vault-echo model
   globalArguments:
     run: "echo ${{ vault.get('test-vault', 'SECRET_VALUE') }}"

3. Execute the model:

   swamp model method run vault-echo execute
   

4. Inspect persisted data:

   swamp data get vault-echo result --json
   

5. The content.command field contains echo super-secret-value-12345 — the raw secret.

Workflow log leakage

1. Same vault setup as above
2. Create a workflow that references the vault-echo model
3. Run the workflow:

   swamp workflow run vault-workflow
   

4. The resolved secret appears in plaintext in .swamp/workflow-runs/<id>/workflow-run-<id>.log

Expected behavior

• The command field in persisted data should contain the CEL template (echo ${{ vault.get('test-vault', 'SECRET_VALUE') }}), not the resolved value
• Workflow run logs should redact or mask resolved vault secrets

Impact

Any user or process with read access to the .swamp/ directory can extract vault secrets in plaintext, defeating the purpose of vault encryption.

References

• Related: security: validate version string in HttpSourceDownloader to prevent unexpected URL construction #413, fix: validate version string in HttpSourceDownloader #418

[stack72]

Implementation Plan

Root Cause

The two-phase expression evaluation correctly defers vault.get() resolution to runtime (never persisted as CEL templates). However, after runtime resolution, the resolved secret values flow into two persistence paths unredacted:

1. Data files — the shell model stores command: args.run (the fully-resolved command with secrets) in result attributes via writeResource(), which writes to .swamp/data/
2. Run log files — RunFileSink writes log records (including stdout/stderr from command execution) to .swamp/outputs/ and .swamp/workflow-runs/ without filtering

Proposed Fix: SecretRedactor

Create a SecretRedactor class that collects raw vault secret values during resolution and replaces them with *** at two infrastructure chokepoints:

1. Data writers (createResourceWriter / createFileWriterFactory in data_writer.ts) — all models (built-in and extension) use these to persist data, so redaction is automatic and transparent
2. RunFileSink — all log output flows through this sink, so log redaction is automatic for all models

No individual model (including extension models) needs to know about the redactor.

How it works

1. A SecretRedactor instance is created at the start of each model method run or workflow execution
2. During vault expression resolution (resolveVaultExpressions()), each raw secret value fetched from the vault is registered with the redactor via addSecret()
3. The redactor is passed to RunFileSink.register() — log lines are redacted before writing to disk
4. The redactor is passed through MethodContext to the data writer factories — resource data and file content are redacted before persistence
5. Secrets shorter than 3 characters are ignored to prevent false-positive redaction

Example

Given vault.get('prod', 'API_KEY') → sk-abc123xyz789:

Before (current behavior) — data file:

{ "command": "curl -H 'Authorization: Bearer sk-abc123xyz789' https://api.example.com" }

After (with fix) — data file:

{ "command": "curl -H 'Authorization: Bearer ***' https://api.example.com" }

Same redaction applies to stdout, stderr, and log files.

Extension model coverage

Extension models get automatic redaction without any code changes because redaction is applied inside the writeResource() and createFileWriter().writeText() infrastructure functions that all models use. If an extension model writes data containing a vault-derived value, the writer redacts it before persisting.

Files to change

File	Change
src/domain/secrets/secret_redactor.ts	New — SecretRedactor class
src/domain/secrets/mod.ts	New — barrel export
src/domain/expressions/model_resolver.ts	Accept optional SecretRedactor, register secrets during resolveVaultExpressions()
src/domain/expressions/expression_evaluation_service.ts	Thread SecretRedactor through resolveRuntimeExpressionsInDefinition() and resolveRuntimeExpressionsInData()
src/infrastructure/logging/run_file_sink.ts	Accept optional SecretRedactor per registered file, apply before writing
src/domain/models/model.ts	Add optional secretRedactor to MethodContext
src/domain/models/data_writer.ts	Accept SecretRedactor in createResourceWriter() and createFileWriterFactory(), apply automatically
src/domain/models/method_execution_service.ts	Pass context.secretRedactor to writer factory functions
src/cli/commands/model_method_run.ts	Create SecretRedactor, thread through resolution + execution
src/domain/workflows/execution_service.ts	Create SecretRedactor per workflow run, thread through steps

User-facing changes

None required. This fix is fully transparent:

• No new CLI flags or configuration needed
• No changes to workflow definitions or model definitions
• No changes to extension model code
• Vault secrets are automatically redacted from persisted data and logs
• The vault itself is unaffected — swamp vault get still returns the real secret
• Runtime execution still uses real secret values (only persistence is redacted)
• The --last-evaluated definition cache already stores raw ${{ vault.get() }} templates (unchanged)