Add a commitment-based zk redaction layer: pipe tool data by reference#146
Open
lekt9 wants to merge 2 commits into
Conversation
Adds forge_app::redaction: a salted SHA-256 hash commitment (binding + hiding) and a Handle (commitment + non-revealing label) so a sensitive tool result can be piped by reference through a content-addressed vault without the raw bytes entering the model's context. referenced_commitments recovers handles from a later tool call's arguments so the executor can resolve them before the tool runs (data flows tool -> vault -> tool). In-module unit tests plus an integration test (runs independently of the crate's unit-test build). Orchestrator wiring and predicate (zero-knowledge proof) layers are follow-ups; this is the commit/reveal foundation.

Co-Authored-By: blackfloofie-a codegraff agent <[email protected]>
Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

Adds RedactionVault (seal/open/resolve/resolve_json), an Arc-backed session store: seal a value behind a salted commitment, then resolve its handle back to the real bytes. Wires resolution into ToolRegistry::call_inner AFTER the arguments are logged (so logs keep handles, never secrets) and before dispatch, so a sealed credential/value referenced in a later tool call pipes by reference instead of through the model. Integration tests cover credential reuse and JSON-structure-preserving resolution. The seal source (which values get sealed -- a secrets provider or sensitive tool results) is the deliberate next wire; predicate (zero-knowledge proof) verification is a further layer.

Co-Authored-By: blackfloofie-a codegraff agent <[email protected]>
Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
What

Adds a commitment-based redaction layer so sensitive tool data can be piped by reference through the agent — the model carries a content-addressed handle, never the raw bytes, and the executor swaps the handle back to the real value right before a tool runs (data flows tool → vault → tool). This is "pointer not payload" as a privacy primitive: the address is revealed, the value stays hidden.

How

`forge_app::redaction` (new module):

- `Commitment` — a salted `sha256(nonce ‖ data)`. Binding (no other value matches) and hiding (the nonce defeats guessing a low-entropy secret), so it can be shown to the model without revealing the data.
- `Handle` — `zkref:sha256:<digest>#<label>`; the label is non-sensitive (e.g. `bytes=30`). This is all the model ever sees.
- `RedactionVault` — an `Arc`-backed session store: `seal(data, label) → Handle`, `open(commitment) → bytes` (re-verifies binding), `resolve(text)` / `resolve_json(value)` swap known handles for their plaintext, leaving unknown handles and JSON structure intact.

Wiring: `ToolRegistry::call_inner` resolves handles in a tool call's `arguments` after the args are logged (so logs keep handles, never secrets) and before dispatch — covering every built-in and MCP tool generically.

Tested

Integration tests (run independently of the crate's unit-test build):

- recovered commitment still verifies against the bytes;
- `resolve_json` preserves structure and leaves unknown handles untouched.

Honest scope (follow-ups)

- provider, or sensitive tool results) — is a deliberate policy decision left as the next wire; resolution is the consumer half and is live now.
- revealing it) needs a proof system; this PR ships the commit/reveal foundation underneath it.

Built on codegraff's existing `sha2`/`dashmap` primitives.
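The commit/reveal flow the description outlines (salted commitment, `zkref` handle, vault with seal/open/resolve/resolve_json, resolution after logging and before dispatch), sketched here in Python as an added illustration; this is not the forge_app crate's Rust code, and the names, the handle regex and the sample token are constructed for the example.

```python
import hashlib
import json
import re
import secrets

# Handle grammar from the PR description: zkref:sha256:<digest>#<label>; the label is non-sensitive.
HANDLE_RE = re.compile(r"zkref:sha256:([0-9a-f]{64})#([A-Za-z0-9=_.-]+)")

def commit(nonce: bytes, data: bytes) -> str:
    # sha256(nonce || data): binding (collision resistance), hiding (the fresh 32-byte nonce
    # defeats guessing a low-entropy secret from its digest).
    return hashlib.sha256(nonce + data).hexdigest()

class RedactionVault:  # hypothetical stand-in for the crate's Arc-backed session store
    def __init__(self):
        self._store = {}  # digest -> (nonce, data)
    def seal(self, data: bytes, label: str) -> str:
        nonce = secrets.token_bytes(32)
        digest = commit(nonce, data)
        self._store[digest] = (nonce, data)
        return f"zkref:sha256:{digest}#{label}"  # all the model ever sees
    def open(self, digest: str) -> bytes:
        nonce, data = self._store[digest]
        if commit(nonce, data) != digest:  # re-verify binding before releasing the bytes
            raise ValueError("stored bytes do not match commitment")
        return data
    def resolve(self, text: str) -> str:
        # Swap known handles for their plaintext; unknown handles are left exactly as written.
        def swap(m):
            return self.open(m.group(1)).decode() if m.group(1) in self._store else m.group(0)
        return HANDLE_RE.sub(swap, text)
    def resolve_json(self, value):
        # Walk a JSON value, resolving handles inside strings while preserving structure.
        if isinstance(value, str):
            return self.resolve(value)
        if isinstance(value, list):
            return [self.resolve_json(v) for v in value]
        if isinstance(value, dict):
            return {k: self.resolve_json(v) for k, v in value.items()}
        return value

def pipe_by_reference():
    # Tool -> vault -> tool: seal a credential, log only the handle, resolve right before dispatch.
    vault = RedactionVault()
    token = b"constructed-sample-api-token"  # constructed sample, not a real credential
    handle = vault.seal(token, f"bytes={len(token)}")
    args = {"headers": {"Authorization": f"Bearer {handle}"}, "retries": 2}  # what the model emits
    logged = json.dumps(args)            # logs keep the handle, never the secret
    resolved = vault.resolve_json(args)  # executor swaps the handle in after logging
    return handle, logged, resolved
```

Sealing the same bytes twice yields two different handles, which is the hiding property at work: the digest alone gives a reader of the context nothing to dictionary-test a low-entropy value against.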