
fix: prevent plaintext key leak in vault.json and IPC broadcast #6

Merged: easyvibecoding merged 1 commit into main from fix/pattern-plaintext-leak, Mar 18, 2026

Conversation

@easyvibecoding
Owner

  • Security fix: Pattern field in vault.json stored literal API key values, leaking plaintext via pattern_cache_sync IPC
    broadcast. Now stores structural regex (e.g. AKIA[0-9A-Z]{16}) instead.
  • Auto-capture: Added auto-click copy buttons for AWS Secret Access Key and AI Studio key creation flow.
  • Dedup: Replaced Keychain-based dedup (caused auth prompts) with SHA-256 valueHash in vault.json.
  • Cleanup: Removed seedTestKeysIfNeeded() — Active Key Capture handles key storage.

Changes

File: What changed
capture-patterns.ts: New getPatternRegexSource() helper
masker.ts: Payload carries pattern, remove isAlreadyStoredKey, AWS/AI Studio auto-click
IPCServer.swift: Use extension pattern, fallback deriveStructuralPattern(), Keychain-free dedup
VaultManager.swift: New isDuplicateKey() via valueHash
KeyEntry.swift: Add valueHash field + computeHash()
AppState.swift: Remove seed test keys

Test plan

  • AWS: Access Key ID captured via DOM scan, pattern = AKIA[0-9A-Z]{16}
  • AWS: Secret Access Key auto-captured via copy button click
  • AI Studio: Key auto-captured via copy button click on creation
  • AI Studio: No false "fail to copy" on page load
  • AI Studio: Delete then re-create correctly triggers capture
  • Vault.json contains no plaintext keys
  • Duplicate keys rejected without Keychain auth prompt
  • Chrome Extension + Swift Core build clean

🤖 Generated with Claude Code

Pattern field in vault.json stored the literal API key value (regex-escaped
but identical for alphanumeric keys). This leaked plaintext via
pattern_cache_sync IPC broadcast to all connected extensions.

Changes:
- Extension sends structural regex from CAPTURE_PATTERNS instead of rawValue
- Core uses extension-provided pattern, with fallback derivation from key
  structure (prefix + char class + length)
- Remove isAlreadyStoredKey() which false-positived on structural patterns
- Add Keychain-free dedup via SHA-256 valueHash in vault.json
- Auto-click copy buttons for AWS Secret Key and AI Studio key capture
- Remove seedTestKeysIfNeeded() — Active Key Capture handles storage

Security: vault.json and IPC now contain "AKIA[0-9A-Z]{16}" instead of
the actual key value. Plaintext only flows Keychain → ClipboardEngine.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
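The structural-pattern derivation and valueHash dedup described in the PR summary and again in the commit message above, as an added TypeScript example; this is not code from the repository. CAPTURE_PATTERNS here is a constructed two-entry table (the AWS row is the one the PR quotes; the Google row and the 4-character fallback prefix are assumptions), and the sample credentials are the published AWS documentation example keys. getPatternRegexSource(), deriveStructuralPattern() and isDuplicateKey() reuse the names from the Changes table, but their bodies are this example's own. The example also keeps the vulnerable "before" (regex-escaping the raw value) so the leak the PR fixes can be checked mechanically.

```typescript
// Added example, not code from the repository: the structural-pattern
// derivation and valueHash dedup the PR describes, in stand-alone form.
import { createHash } from "node:crypto";

// Constructed subset of a CAPTURE_PATTERNS table. The AWS entry is the one
// quoted in the PR; the Google entry is an assumed second row.
interface CapturePattern { name: string; regex: RegExp }
const CAPTURE_PATTERNS: CapturePattern[] = [
  { name: "aws-access-key-id", regex: /AKIA[0-9A-Z]{16}/ },
  { name: "google-api-key", regex: /AIza[0-9A-Za-z_-]{35}/ },
];

// The 'before': regex-escaping the raw value. For an alphanumeric key the
// result is byte-for-byte the key, so storing or broadcasting it leaks it.
function escapeRegex(raw: string): string {
  return raw.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Preferred path: the structural regex source of the CAPTURE_PATTERNS entry
// that fully matches the value, or undefined when no entry matches.
function getPatternRegexSource(value: string): string | undefined {
  const hit = CAPTURE_PATTERNS.find((p) => new RegExp(`^${p.regex.source}$`).test(value));
  return hit?.regex.source;
}

// Fallback: prefix + character class + length. Only the first prefixLen
// characters are echoed; the rest is reduced to a class and a count.
// prefixLen = 4 is an assumption of this example, not a value from the PR.
function deriveStructuralPattern(value: string, prefixLen = 4): string {
  if (value.length < prefixLen + 4) throw new Error("value too short to summarise safely");
  const prefix = value.slice(0, prefixLen);
  const body = value.slice(prefixLen);
  let cls = "";
  if (/[0-9]/.test(body)) cls += "0-9";
  if (/[A-Z]/.test(body)) cls += "A-Z";
  if (/[a-z]/.test(body)) cls += "a-z";
  for (const ch of Array.from(new Set(body.replace(/[0-9A-Za-z]/g, "")))) {
    cls += /[\\\]^-]/.test(ch) ? `\\${ch}` : ch; // escape class metacharacters
  }
  return `${escapeRegex(prefix)}[${cls}]{${body.length}}`;
}

function sha256Hex(value: string): string {
  return createHash("sha256").update(value, "utf8").digest("hex");
}

interface VaultEntry { pattern: string; valueHash: string }

// What goes into vault.json (and therefore into a pattern_cache_sync
// broadcast): a structural pattern plus a hash, never the value itself.
function buildVaultEntry(value: string): VaultEntry {
  const pattern = getPatternRegexSource(value) ?? deriveStructuralPattern(value);
  return { pattern, valueHash: sha256Hex(value) };
}

// Keychain-free dedup: compare hashes, so no stored secret has to be read
// back (and no Keychain prompt raised) to decide.
function isDuplicateKey(vault: VaultEntry[], value: string): boolean {
  const h = sha256Hex(value);
  return vault.some((e) => e.valueHash === h);
}

// The check behind "vault.json contains no plaintext keys": serialise the
// entry and look for the raw value. Also confirms the pattern still matches
// the value it summarises, so the masker can keep finding it in the DOM.
function entryIsSafe(entry: VaultEntry, value: string): boolean {
  const leaks = JSON.stringify(entry).includes(value);
  const matches = new RegExp(`^${entry.pattern}$`).test(value);
  return !leaks && matches;
}

// Constructed inputs: the example credentials published in the AWS docs.
const ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE";
const SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";

const demoVault: VaultEntry[] = [buildVaultEntry(ACCESS_KEY_ID), buildVaultEntry(SECRET_KEY)];
console.log(demoVault.map((e) => e.pattern));
console.log("safe:", demoVault.every((e, i) => entryIsSafe(e, [ACCESS_KEY_ID, SECRET_KEY][i])));
console.log("dup:", isDuplicateKey(demoVault, ACCESS_KEY_ID));
```

The point to take from it is the contrast in entryIsSafe(): an entry whose pattern is the regex-escaped value fails, because the serialised JSON contains the key, while a structural pattern passes and still matches the value. One caveat the fallback keeps in view: the echoed prefix is real key material, so prefixLen must stay short and fixed, and the fallback should only run when no table entry matched.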
@easyvibecoding easyvibecoding merged commit 849d8b5 into main Mar 18, 2026
2 checks passed
@easyvibecoding easyvibecoding deleted the fix/pattern-plaintext-leak branch March 18, 2026 11:03