RubyGems - familia - Versions diffs - 2.0.0.pre4 → 2.0.0.pre5 - Mend

familia 2.0.0.pre4 → 2.0.0.pre5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (134) hide show

checksums.yaml +4 -4
data/.gitignore +3 -0
data/.rubocop_todo.yml +17 -17
data/CLAUDE.md +3 -3
data/Gemfile +5 -1
data/Gemfile.lock +18 -3
data/README.md +36 -157
data/TEST_COVERAGE.md +40 -0
data/docs/overview.md +359 -0
data/docs/wiki/API-Reference.md +270 -0
data/docs/wiki/Encrypted-Fields-Overview.md +64 -0
data/docs/wiki/Home.md +49 -0
data/docs/wiki/Implementation-Guide.md +183 -0
data/docs/wiki/Security-Model.md +143 -0
data/lib/familia/base.rb +18 -27
data/lib/familia/connection.rb +6 -5
data/lib/familia/{datatype → data_type}/commands.rb +2 -5
data/lib/familia/{datatype → data_type}/serialization.rb +8 -10
data/lib/familia/{datatype → data_type}/types/hashkey.rb +2 -2
data/lib/familia/{datatype → data_type}/types/list.rb +17 -18
data/lib/familia/{datatype → data_type}/types/sorted_set.rb +17 -17
data/lib/familia/{datatype → data_type}/types/string.rb +2 -1
data/lib/familia/{datatype → data_type}/types/unsorted_set.rb +17 -18
data/lib/familia/{datatype.rb → data_type.rb} +10 -12
data/lib/familia/encryption/manager.rb +102 -0
data/lib/familia/encryption/provider.rb +49 -0
data/lib/familia/encryption/providers/aes_gcm_provider.rb +103 -0
data/lib/familia/encryption/providers/secure_xchacha20_poly1305_provider.rb +184 -0
data/lib/familia/encryption/providers/xchacha20_poly1305_provider.rb +118 -0
data/lib/familia/encryption/registry.rb +50 -0
data/lib/familia/encryption.rb +178 -0
data/lib/familia/encryption_request_cache.rb +68 -0
data/lib/familia/features/encrypted_fields/encrypted_field_type.rb +153 -0
data/lib/familia/features/encrypted_fields.rb +28 -0
data/lib/familia/features/expiration.rb +107 -77
data/lib/familia/features/quantization.rb +5 -9
data/lib/familia/features/relatable_objects.rb +2 -4
data/lib/familia/features/safe_dump.rb +14 -17
data/lib/familia/features/transient_fields/redacted_string.rb +159 -0
data/lib/familia/features/transient_fields/single_use_redacted_string.rb +62 -0
data/lib/familia/features/transient_fields/transient_field_type.rb +139 -0
data/lib/familia/features/transient_fields.rb +47 -0
data/lib/familia/features.rb +40 -24
data/lib/familia/field_type.rb +270 -0
data/lib/familia/horreum/connection.rb +8 -11
data/lib/familia/horreum/{commands.rb → database_commands.rb} +7 -19
data/lib/familia/horreum/definition_methods.rb +453 -0
data/lib/familia/horreum/{class_methods.rb → management_methods.rb} +19 -243
data/lib/familia/horreum/serialization.rb +46 -18
data/lib/familia/horreum/settings.rb +10 -2
data/lib/familia/horreum/utils.rb +9 -10
data/lib/familia/horreum.rb +18 -10
data/lib/familia/logging.rb +14 -14
data/lib/familia/settings.rb +39 -3
data/lib/familia/utils.rb +45 -0
data/lib/familia/version.rb +1 -1
data/lib/familia.rb +2 -1
data/try/core/base_enhancements_try.rb +115 -0
data/try/core/connection_try.rb +0 -1
data/try/core/errors_try.rb +0 -1
data/try/core/familia_extended_try.rb +3 -4
data/try/core/familia_try.rb +0 -1
data/try/core/pools_try.rb +2 -2
data/try/core/secure_identifier_try.rb +0 -1
data/try/core/settings_try.rb +0 -1
data/try/core/utils_try.rb +0 -1
data/try/{datatypes → data_types}/boolean_try.rb +1 -2
data/try/{datatypes → data_types}/datatype_base_try.rb +2 -3
data/try/{datatypes → data_types}/hash_try.rb +1 -2
data/try/{datatypes → data_types}/list_try.rb +1 -2
data/try/{datatypes → data_types}/set_try.rb +1 -2
data/try/{datatypes → data_types}/sorted_set_try.rb +1 -2
data/try/{datatypes → data_types}/string_try.rb +1 -2
data/try/debugging/README.md +32 -0
data/try/debugging/cache_behavior_tracer.rb +91 -0
data/try/debugging/encryption_method_tracer.rb +138 -0
data/try/debugging/provider_diagnostics.rb +110 -0
data/try/edge_cases/hash_symbolization_try.rb +0 -1
data/try/edge_cases/json_serialization_try.rb +0 -1
data/try/edge_cases/reserved_keywords_try.rb +42 -11
data/try/encryption/config_persistence_try.rb +192 -0
data/try/encryption/encryption_core_try.rb +328 -0
data/try/encryption/instance_variable_scope_try.rb +31 -0
data/try/encryption/module_loading_try.rb +28 -0
data/try/encryption/providers/aes_gcm_provider_try.rb +178 -0
data/try/encryption/providers/xchacha20_poly1305_provider_try.rb +169 -0
data/try/encryption/roundtrip_validation_try.rb +28 -0
data/try/encryption/secure_memory_handling_try.rb +125 -0
data/try/features/encrypted_fields_core_try.rb +117 -0
data/try/features/encrypted_fields_integration_try.rb +220 -0
data/try/features/encrypted_fields_no_cache_security_try.rb +205 -0
data/try/features/encrypted_fields_security_try.rb +370 -0
data/try/features/encryption_fields/aad_protection_try.rb +53 -0
data/try/features/encryption_fields/context_isolation_try.rb +120 -0
data/try/features/encryption_fields/error_conditions_try.rb +116 -0
data/try/features/encryption_fields/fresh_key_derivation_try.rb +122 -0
data/try/features/encryption_fields/fresh_key_try.rb +163 -0
data/try/features/encryption_fields/key_rotation_try.rb +117 -0
data/try/features/encryption_fields/memory_security_try.rb +37 -0
data/try/features/encryption_fields/missing_current_key_version_try.rb +23 -0
data/try/features/encryption_fields/nonce_uniqueness_try.rb +54 -0
data/try/features/encryption_fields/thread_safety_try.rb +199 -0
data/try/features/expiration_try.rb +0 -1
data/try/features/feature_dependencies_try.rb +159 -0
data/try/features/quantization_try.rb +0 -1
data/try/features/real_feature_integration_try.rb +148 -0
data/try/features/relatable_objects_try.rb +0 -1
data/try/features/safe_dump_advanced_try.rb +0 -1
data/try/features/safe_dump_try.rb +0 -1
data/try/features/transient_fields/redacted_string_try.rb +248 -0
data/try/features/transient_fields/refresh_reset_try.rb +164 -0
data/try/features/transient_fields/simple_refresh_test.rb +50 -0
data/try/features/transient_fields/single_use_redacted_string_try.rb +310 -0
data/try/features/transient_fields_core_try.rb +181 -0
data/try/features/transient_fields_integration_try.rb +260 -0
data/try/helpers/test_helpers.rb +42 -0
data/try/horreum/base_try.rb +157 -3
data/try/horreum/enhanced_conflict_handling_try.rb +176 -0
data/try/horreum/field_categories_try.rb +118 -0
data/try/horreum/field_definition_try.rb +96 -0
data/try/horreum/initialization_try.rb +0 -1
data/try/horreum/relations_try.rb +0 -1
data/try/horreum/serialization_persistent_fields_try.rb +165 -0
data/try/horreum/serialization_try.rb +2 -3
data/try/memory/memory_basic_test.rb +73 -0
data/try/memory/memory_detailed_test.rb +121 -0
data/try/memory/memory_docker_ruby_dump.sh +80 -0
data/try/memory/memory_search_for_string.rb +83 -0
data/try/memory/test_actual_redactedstring_protection.rb +38 -0
data/try/models/customer_safe_dump_try.rb +0 -1
data/try/models/customer_try.rb +0 -1
data/try/models/datatype_base_try.rb +1 -2
data/try/models/familia_object_try.rb +0 -1
metadata +85 -18

data/try/horreum/field_categories_try.rb ADDED Viewed

@@ -0,0 +1,118 @@
+# try/horreum/field_categories_try.rb
+require_relative '../helpers/test_helpers'
+Familia.debug = false
+# Define test class with various field categories
+class FieldCategoryTest < Familia::Horreum
+  identifier_field :id
+  field :id
+  field :name                           # default category (:field)
+  field :email, category: :encrypted    # encrypted category
+  field :tryouts_cache_data, category: :transient # transient category
+  field :description, category: :persistent # explicit persistent category
+  field :settings, category: nil        # nil category (defaults to :field)
+end
+# Test class with multiple transient fields
+class MultiTransientTest < Familia::Horreum
+  identifier_field :id
+  field :id
+  field :permanent_data
+  field :temp1, category: :transient
+  field :temp2, category: :transient
+  field :temp3, category: :transient
+end
+# Field categories work with field aliasing
+class AliasedCategoryTest < Familia::Horreum
+  identifier_field :id
+  field :id
+  field :internal_temp, as: :temp, category: :transient
+  field :internal_perm, as: :perm, category: :persistent
+end
+# Test edge case with all transient fields
+class AllTransientTest < Familia::Horreum
+  identifier_field :id
+  field :id
+  field :temp1, category: :transient
+  field :temp2, category: :transient
+end
+## Field types are stored correctly
+@test_obj = FieldCategoryTest.new(id: 'test123')
+FieldCategoryTest.field_types.size
+#=> 6
+## Default category field has correct category
+FieldCategoryTest.field_types[:name].category
+#=> :field
+## Encrypted category field has correct category
+FieldCategoryTest.field_types[:email].category
+#=> :encrypted
+## Transient category field has correct category
+FieldCategoryTest.field_types[:tryouts_cache_data].category
+#=> :transient
+## Explicit persistent category field has correct category
+FieldCategoryTest.field_types[:description].category
+#=> :persistent
+## Nil category field defaults to :field
+FieldCategoryTest.field_types[:settings].category
+#=> :field
+## persistent_fields excludes transient fields
+FieldCategoryTest.persistent_fields
+#=> [:id, :name, :email, :description, :settings]
+## persistent_fields includes encrypted and persistent fields
+FieldCategoryTest.persistent_fields.include?(:email)
+#=> true
+## persistent_fields includes default category fields
+FieldCategoryTest.persistent_fields.include?(:name)
+#=> true
+## persistent_fields excludes transient fields
+FieldCategoryTest.persistent_fields.include?(:tryouts_cache_data)
+#=> false
+## Field definitions map provides backward compatibility
+FieldCategoryTest.field_method_map[:name]
+#=> :name
+## Field definitions map works for all fields
+FieldCategoryTest.field_method_map[:email]
+#=> :email
+## Multiple transient fields are handled correctly
+MultiTransientTest.persistent_fields
+#=> [:id, :permanent_data]
+## Aliased transient field is excluded from persistent_fields
+AliasedCategoryTest.persistent_fields.include?(:internal_temp)
+#=> false
+## Aliased persistent field is included in persistent_fields
+AliasedCategoryTest.persistent_fields.include?(:internal_perm)
+#=> true
+## Field type stores original field name, not alias
+AliasedCategoryTest.field_types[:internal_temp].name
+#=> :internal_temp
+## Field type stores alias as method name
+AliasedCategoryTest.field_types[:internal_temp].method_name
+#=> :temp
+## persistent_fields with mostly transient fields
+AllTransientTest.persistent_fields
+#=> [:id]
+@test_obj.destroy! rescue nil
+@test_obj = nil

data/try/horreum/field_definition_try.rb ADDED Viewed

@@ -0,0 +1,96 @@
+# try/horreum/field_definition_try.rb
+require_relative '../helpers/test_helpers'
+Familia.debug = false
+# Create a custom field type for testing with category support
+class TestFieldType < Familia::FieldType
+  def initialize(name, category: :field, **kwargs)
+    super(name, **kwargs)
+    @category = category
+  end
+  def category
+    @category || :field
+  end
+  def persistent?
+    category != :transient
+  end
+  def transient?
+    !persistent?
+  end
+end
+# Setup a test field type (replacing the old FieldDefinition)
+@field_type = TestFieldType.new(
+  :email,
+  as: :email,
+  fast_method: :email!,
+  on_conflict: :raise,
+  category: :encrypted
+)
+## FieldType holds field name correctly
+@field_type.name
+#=> :email
+## FieldType holds method name correctly
+@field_type.method_name
+#=> :email
+## FieldType holds fast method name correctly
+@field_type.fast_method_name
+#=> :email!
+## FieldType holds conflict strategy correctly
+@field_type.on_conflict
+#=> :raise
+## FieldType holds category correctly
+@field_type.category
+#=> :encrypted
+## FieldType returns generated methods list
+@field_type.generated_methods
+#=> [:email, :email!]
+## FieldType with nil category defaults to :field
+@basic_field = TestFieldType.new(
+  :name,
+  as: :name,
+  fast_method: :name!,
+  on_conflict: :skip,
+  category: nil
+)
+@basic_field.category
+#=> :field
+## FieldType persistent? returns true for non-transient fields
+@field_type.persistent?
+#=> true
+## FieldType persistent? returns false for transient fields
+@transient_field = TestFieldType.new(
+  :temp_data,
+  as: :temp_data,
+  fast_method: :temp_data!,
+  on_conflict: :raise,
+  category: :transient
+)
+@transient_field.persistent?
+#=> false
+## FieldType to_s includes all attributes
+@field_type.to_s
+#=~>/#<.*TestFieldType name=email method_name=email fast_method_name=email! on_conflict=raise category=encrypted>/
+## FieldType inspect is same as to_s
+@field_type.inspect
+#=~>/#<.*TestFieldType name=email method_name=email fast_method_name=email! on_conflict=raise category=encrypted>/
+@field_type = nil
+@basic_field = nil
+@transient_field = nil

data/try/horreum/initialization_try.rb CHANGED Viewed

@@ -1,6 +1,5 @@
 # try/horreum/initialization_try.rb
-require_relative '../../lib/familia'
 require_relative '../helpers/test_helpers'
 Familia.debug = false

data/try/horreum/relations_try.rb CHANGED Viewed

@@ -1,7 +1,6 @@
 # try/horreum/relations_try.rb
 # Test Horreum Database type relations functionality
-require_relative '../../lib/familia'
 require_relative '../helpers/test_helpers'
 Familia.debug = false

data/try/horreum/serialization_persistent_fields_try.rb ADDED Viewed

@@ -0,0 +1,165 @@
+# try/horreum/serialization_persistent_fields_try.rb
+require_relative '../helpers/test_helpers'
+Familia.debug = false
+# Test class with mixed field categories for serialization
+class SerializationCategoryTest < Familia::Horreum
+  identifier_field :id
+  field :id
+  field :name                           # persistent by default
+  field :email, category: :encrypted    # persistent, encrypted category
+  field :tryouts_cache_data, category: :transient # should be excluded from serialization
+  field :description, category: :persistent # explicitly persistent
+  field :temp_settings, category: :transient # should be excluded
+  field :metadata, category: :persistent # explicitly persistent
+end
+# Class with all transient fields
+class AllTransientSerializationTest < Familia::Horreum
+  identifier_field :id
+  field :id
+  field :temp1, category: :transient
+  field :temp2, category: :transient
+end
+# Mixed categories with aliased fields
+class AliasedSerializationTest < Familia::Horreum
+  identifier_field :id
+  field :id
+  field :internal_name, as: :display_name, category: :persistent
+  field :temp_cache, as: :cache, category: :transient
+  field :user_data, as: :data, category: :encrypted
+end
+# Setup test instance with all field types
+@serialization_test = SerializationCategoryTest.new(
+  id: 'serialize_test_1',
+  name: 'Test User',
+  email: 'test@example.com',
+  tryouts_cache_data: 'temporary_cache_value',
+  description: 'A test user description',
+  temp_settings: { theme: 'dark', cache: true },
+  metadata: { version: 1, last_login: '2025-01-01' }
+)
+@all_transient = AllTransientSerializationTest.new(
+  id: 'transient_test_1',
+  temp1: 'value1',
+  temp2: 'value2'
+)
+@aliased_test = AliasedSerializationTest.new(
+  id: 'aliased_test_1',
+  display_name: 'Display Name',
+  cache: 'cache_value',
+  data: { key: 'value' }
+)
+## to_h excludes transient fields
+@hash_result = @serialization_test.to_h
+@hash_result.keys.sort
+#=> [:description, :email, :id, :metadata, :name]
+## to_h includes all persistent fields
+@hash_result.key?(:name)
+#=> true
+## to_h includes encrypted persistent fields
+@hash_result.key?(:email)
+#=> true
+## to_h includes explicitly persistent fields
+@hash_result.key?(:description)
+#=> true
+## to_h excludes transient fields from serialization
+@hash_result.key?(:tryouts_cache_data)
+#=> false
+## to_h excludes all transient fields
+@hash_result.key?(:temp_settings)
+#=> false
+## to_h serializes complex values correctly
+@hash_result[:metadata]
+#=:> String
+## to_a excludes transient fields
+@array_result = @serialization_test.to_a
+@array_result.size
+#=> 5
+## to_a maintains field order for persistent fields only
+SerializationCategoryTest.persistent_fields
+#=> [:id, :name, :email, :description, :metadata]
+## Save operation only persists persistent fields
+@serialization_test.save
+#=> true
+## Refresh loads only persistent fields
+@serialization_test.refresh!
+@serialization_test.name
+#=> "Test User"
+## Transient field values are not persisted in redis
+@serialization_test.tryouts_cache_data
+#=> nil
+## When refreshed, transient fields do not retain their in-memory values
+@serialization_test.refresh!
+@serialization_test.tryouts_cache_data  # Should still be in memory but not from redis
+#=> nil
+## Field definitions are preserved during serialization
+SerializationCategoryTest.field_types[:tryouts_cache_data].category
+#=> :transient
+## Persistent fields filtering works correctly
+SerializationCategoryTest.persistent_fields.include?(:tryouts_cache_data)
+#=> false
+## All persistent fields are included in persistent_fields
+SerializationCategoryTest.persistent_fields.include?(:email)
+#=> true
+## to_h with only id field when all others are transient
+@all_transient.to_h
+#=> { id: "transient_test_1" }
+## to_a with only id field when all others are transient
+@all_transient.to_a
+#=> ["transient_test_1"]
+## Aliased fields serialization uses original field names
+@aliased_hash = @aliased_test.to_h
+@aliased_hash.keys.sort
+#=> [:id, :internal_name, :user_data]
+## Aliased transient fields are excluded
+@aliased_hash.key?(:temp_cache)
+#=> false
+## Serialization works with accessor methods through aliases
+@aliased_test.display_name = 'Updated Name'
+@aliased_test.to_h[:internal_name]
+#=> "Updated Name"
+## Clear fields respects field method map
+@serialization_test.clear_fields!
+@serialization_test.name
+#=> nil
+## Clear fields affects aliased methods correctly
+@aliased_test.clear_fields!
+@aliased_test.display_name
+#=> nil
+@serialization_test.destroy! rescue nil
+@all_transient.destroy! rescue nil
+@aliased_test.destroy! rescue nil
+@serialization_test = nil
+@all_transient = nil
+@aliased_test = nil

data/try/horreum/serialization_try.rb CHANGED Viewed

@@ -1,11 +1,10 @@
 # try/horreum/serialization_try.rb
-require_relative '../../lib/familia'
 require_relative '../helpers/test_helpers'
 Familia.debug = false
-@identifier = 'tryouts-28@onetimesecret.com'
+@identifier = 'tryouts-28@onetimesecret.dev'
 @customer = Customer.new @identifier
 ## Basic save functionality works
@@ -23,7 +22,7 @@ Familia.debug = false
 ## to_h includes the custid field (using symbol keys)
 @customer.to_h[:custid]
-#=> "tryouts-28@onetimesecret.com"
+#=> "tryouts-28@onetimesecret.dev"
 ## to_a returns field array in definition order
 @customer.to_a.class

data/try/memory/memory_basic_test.rb ADDED Viewed

@@ -0,0 +1,73 @@
+# try/edge_cases/memory_try.rb
+require 'tempfile'
+require 'json'
+require_relative '../helpers/test_helpers'
+class MemorySecurityTester
+  def self.test_redacted_string
+    results = {
+      timestamp: Time.now,
+      tests: []
+    }
+    # Test 1: Basic string search
+    secret = "SENSITIVE_#{rand(999999)}"
+    redacted = RedactedString.new(secret)
+    # Dump all strings to file
+    Tempfile.create('strings') do |f|
+      ObjectSpace.each_object(String) do |str|
+        f.puts str.inspect rescue nil
+      end
+      f.flush
+      # Check if secret appears
+      f.rewind
+      content = f.read
+      results[:tests] << {
+        name: "Basic string search",
+        passed: !content.include?(secret),
+        details: content.include?(secret) ? "Found secret in object space" : "Secret not found"
+      }
+    end
+    # Test 2: Memory after GC
+    redacted.clear!
+    GC.start(full_mark: true, immediate_sweep: true)
+    sleep 0.1
+    found = false
+    ObjectSpace.each_object(String) do |str|
+      found = true if str.include?(secret) rescue false
+    end
+    results[:tests] << {
+      name: "After clear and GC",
+      passed: !found,
+      details: found ? "Secret persists after clear" : "Secret cleared"
+    }
+    # Test 3: Check /proc/self/mem directly
+    begin
+      mem_content = File.read("/proc/self/mem", 1024*1024*10) rescue ""
+      results[:tests] << {
+        name: "Direct memory read",
+        passed: !mem_content.include?(secret),
+        details: mem_content.include?(secret) ? "Found in /proc/self/mem" : "Not in readable memory"
+      }
+    rescue => e
+      results[:tests] << {
+        name: "Direct memory read",
+        passed: nil,
+        details: "Could not read: #{e}"
+      }
+    end
+    puts JSON.pretty_generate(results)
+  end
+end
+# Run the test
+MemorySecurityTester.test_redacted_string

data/try/memory/memory_detailed_test.rb ADDED Viewed

@@ -0,0 +1,121 @@
+# try/edge_cases/memory_detailed_test_try.rb
+require 'objspace'
+require 'json'
+require_relative '../helpers/test_helpers'
+class DetailedMemoryTester
+  def self.test_with_details
+    ObjectSpace.trace_object_allocations_start
+    secret = "SENSITIVE_#{rand(999999)}_DATA"
+    puts "Testing with secret: #{secret}"
+    puts "Secret object_id: #{secret.object_id}"
+    puts "Secret frozen?: #{secret.frozen?}\n\n"
+    # Track all string copies
+    tracker = {}
+    # Before creating RedactedString
+    find_secret_copies(secret, "BEFORE RedactedString creation", tracker)
+    # Create RedactedString
+    redacted = RedactedString.new(secret)
+    find_secret_copies(secret, "AFTER RedactedString creation", tracker)
+    # Use expose block
+    exposed_value = nil
+    redacted.expose do |plain|
+      exposed_value = plain.object_id
+      find_secret_copies(secret, "DURING expose block", tracker)
+    end
+    find_secret_copies(secret, "AFTER expose block", tracker)
+    # Clear and GC
+    redacted.clear!
+    original_secret = secret
+    secret = nil  # Remove our reference
+    GC.start(full_mark: true, immediate_sweep: true)
+    find_secret_copies(original_secret, "AFTER clear! and GC", tracker)
+    # Final report
+    puts "\n" + "="*60
+    puts "FINAL ANALYSIS"
+    puts "="*60
+    remaining_copies = []
+    ObjectSpace.each_object(String) do |str|
+      begin
+        if str.include?(original_secret)
+          remaining_copies << {
+            object_id: str.object_id,
+            size: str.bytesize,
+            encoding: str.encoding.name,
+            frozen: str.frozen?,
+            tainted: (str.tainted? rescue "N/A"),
+            value_preview: str[0..50]
+          }
+        end
+      rescue => e
+        # Skip strings that can't be accessed
+      end
+    end
+    if remaining_copies.empty?
+      puts "✅ SUCCESS: No copies found in memory!"
+    else
+      puts "❌ FAILURE: #{remaining_copies.size} copies still in memory:"
+      remaining_copies.each do |copy|
+        puts "\n  Object ID: #{copy[:object_id]}"
+        puts "  Size: #{copy[:size]} bytes"
+        puts "  Frozen: #{copy[:frozen]}"
+        puts "  Encoding: #{copy[:encoding]}"
+      end
+    end
+    # Show memory stats
+    puts "\n" + "="*60
+    puts "MEMORY STATISTICS"
+    puts "="*60
+    puts "Total strings in ObjectSpace: #{ObjectSpace.each_object(String).count}"
+    puts "GC count: #{GC.count}"
+    puts "GC stat: #{GC.stat[:heap_live_slots]} live slots"
+    tracker
+  end
+  private
+  def self.find_secret_copies(secret, phase, tracker)
+    copies = []
+    ObjectSpace.each_object(String) do |str|
+      begin
+        if str.include?(secret)
+          copies << {
+            object_id: str.object_id,
+            frozen: str.frozen?,
+            source: ObjectSpace.allocation_sourcefile(str),
+            line: ObjectSpace.allocation_sourceline(str)
+          }
+        end
+      rescue => e
+        # Some strings might not be accessible
+      end
+    end
+    tracker[phase] = copies
+    puts "#{phase}: Found #{copies.size} copies"
+    copies.each do |copy|
+      source_info = copy[:source] ? "#{copy[:source]}:#{copy[:line]}" : "unknown source"
+      puts "  - Object #{copy[:object_id]} (frozen: #{copy[:frozen]}) from #{source_info}"
+    end
+    puts ""
+  end
+end
+# Run the detailed test
+DetailedMemoryTester.test_with_details

data/try/memory/memory_docker_ruby_dump.sh ADDED Viewed

@@ -0,0 +1,80 @@
+#!/bin/bash
+# try/edge_cases/docker_dump.sh
+# Usage: bash $0 <container_id>
+#
+# See example output at end.
+# Set CONTAINER_ID to $CONTAINER_ID or the first argument
+CONTAINER_ID=${CONTAINER_ID:-$1}
+if [ -z "$CONTAINER_ID" ]; then
+  echo "Usage: $0 <container_id>"
+  echo "Or set CONTAINER_ID environment variable"
+  exit 1
+fi
+# Create a script to dump all string-like patterns
+docker exec $CONTAINER_ID bash -c '
+  # Install required packages
+  apt-get update -qq && apt-get install -y -qq procps binutils
+  PID=$(pgrep -f ruby)
+  if [ -z "$PID" ]; then
+    echo "No Ruby process found"
+    exit 1
+  fi
+  echo "Dumping memory for Ruby process $PID"
+  # Check if maps file exists
+  if [ ! -f "/proc/$PID/maps" ]; then
+    echo "Cannot access memory maps for process $PID"
+    exit 1
+  fi
+  # Get memory regions
+  grep -E "rw-p|r--p" /proc/$PID/maps | while read line; do
+    start=$(echo $line | cut -d"-" -f1)
+    end=$(echo $line | cut -d" " -f1 | cut -d"-" -f2)
+    # Convert hex to decimal and dump
+    start_dec=$((16#$start))
+    end_dec=$((16#$end))
+    size=$((end_dec - start_dec))
+    # Skip if size is too large (> 10MB) to avoid hanging
+    if [ $size -gt 10485760 ]; then
+      continue
+    fi
+    dd if=/proc/$PID/mem bs=1 skip=$start_dec count=$size 2>/dev/null
+  done | strings | grep -i "secret\|api\|key\|token" | head -20
+'
+# Example Output:
+#
+#   $ SECRET=august7th2025
+#   $
+#   $ docker run --rm -d -p 3000:3000 \
+#     -e SECRET=$SECRET \
+#     -e REDIS_URL=redis://host.docker.internal:6379/0 \
+#     ghcr.io/onetimesecret/devtimesecret-lite:latest
+#
+#     abcd1234
+#
+#   $ bash try/edge_cases/docker_ruby_dump.sh abcd1234
+#   ...
+#   Dumping memory for Ruby process 60
+#   SECRET
+#   SECRET
+#   SECRET=august6th2025
+#     done | strings | grep -i "secret...
+#   SECRET=august6th2025
+#     done | strings | grep -i "secret...
+#   grep -i "secret\|api\|key|token"
+#     done | strings | grep -i "secret...
+#   SECRET=august6th2025
+#
+#   $ docker kill abcd1234