familia 2.0.0.pre4 → 2.0.0.pre6

data/try/memory/memory_docker_ruby_dump.sh

@@ -0,0 +1,80 @@
+#!/bin/bash
+# try/edge_cases/docker_dump.sh
+
+# Usage: bash $0 <container_id>
+#
+# See example output at end.
+
+# Set CONTAINER_ID to $CONTAINER_ID or the first argument
+CONTAINER_ID=${CONTAINER_ID:-$1}
+
+if [ -z "$CONTAINER_ID" ]; then
+  echo "Usage: $0 <container_id>"
+  echo "Or set CONTAINER_ID environment variable"
+  exit 1
+fi
+
+# Create a script to dump all string-like patterns
+docker exec $CONTAINER_ID bash -c '
+  # Install required packages
+  apt-get update -qq && apt-get install -y -qq procps binutils
+
+  PID=$(pgrep -f ruby)
+
+  if [ -z "$PID" ]; then
+    echo "No Ruby process found"
+    exit 1
+  fi
+
+  echo "Dumping memory for Ruby process $PID"
+
+  # Check if maps file exists
+  if [ ! -f "/proc/$PID/maps" ]; then
+    echo "Cannot access memory maps for process $PID"
+    exit 1
+  fi
+
+  # Get memory regions
+  grep -E "rw-p|r--p" /proc/$PID/maps | while read line; do
+    start=$(echo $line | cut -d"-" -f1)
+    end=$(echo $line | cut -d" " -f1 | cut -d"-" -f2)
+
+    # Convert hex to decimal and dump
+    start_dec=$((16#$start))
+    end_dec=$((16#$end))
+    size=$((end_dec - start_dec))
+
+    # Skip if size is too large (> 10MB) to avoid hanging
+    if [ $size -gt 10485760 ]; then
+      continue
+    fi
+
+    dd if=/proc/$PID/mem bs=1 skip=$start_dec count=$size 2>/dev/null
+  done | strings | grep -i "secret\|api\|key\|token" | head -20
+'
+
+# Example Output:
+#
+#   $ SECRET=august7th2025
+#   $
+#   $ docker run --rm -d -p 3000:3000 \
+#     -e SECRET=$SECRET \
+#     -e REDIS_URL=redis://host.docker.internal:6379/0 \
+#     ghcr.io/onetimesecret/devtimesecret-lite:latest
+#
+#     abcd1234
+#
+#   $ bash try/edge_cases/docker_ruby_dump.sh abcd1234
+#   ...
+#   Dumping memory for Ruby process 60
+#   SECRET
+#   SECRET
+#   SECRET=august6th2025
+#     done | strings | grep -i "secret...
+#   SECRET=august6th2025
+#     done | strings | grep -i "secret...
+#   grep -i "secret\|api\|key|token"
+#     done | strings | grep -i "secret...
+#   SECRET=august6th2025
+#
+#   $ docker kill abcd1234

data/try/memory/memory_search_for_string.rb

@@ -0,0 +1,83 @@
+# try/edge_cases/search_memory_for_string_try.rb
+
+require 'objspace'
+
+require_relative '../helpers/test_helpers'
+
+# Enable object space tracking
+ObjectSpace.trace_object_allocations_start
+
+def search_memory_for_string(target)
+  found_locations = []
+
+  ObjectSpace.each_object(String) do |str|
+    begin
+      if str.include?(target)
+        found_locations << {
+          value: str[0..100], # First 100 chars
+          object_id: str.object_id,
+          source: ObjectSpace.allocation_sourcefile(str),
+          line: ObjectSpace.allocation_sourceline(str),
+          frozen: str.frozen?
+        }
+      end
+    rescue => e
+      # Some strings might not be accessible
+    end
+  end
+
+  found_locations
+end
+
+# Test scenario
+secret = "SUPER_SECRET_API_KEY_12345"
+puts "Testing with secret: #{secret}"
+
+# Create RedactedString
+redacted = RedactedString.new(secret)
+puts "Created RedactedString"
+
+# Force GC to see if copies persist
+GC.start(full_mark: true, immediate_sweep: true)
+
+# Search memory
+puts "\n=== Memory search BEFORE expose ==="
+found = search_memory_for_string("SUPER_SECRET_API_KEY")
+found.each do |location|
+  puts "Found at object_id: #{location[:object_id]}"
+  puts "  Value: #{location[:value]}"
+  puts "  Source: #{location[:source]}:#{location[:line]}"
+  puts "  Frozen: #{location[:frozen]}"
+end
+
+# Use expose
+redacted.expose do |plain|
+  puts "\nInside expose block, plain = [REDACTED for display]"
+
+  # Search during expose
+  puts "\n=== Memory search DURING expose ==="
+  found = search_memory_for_string("SUPER_SECRET_API_KEY")
+  puts "Found #{found.size} instances"
+end
+
+# After expose
+GC.start(full_mark: true, immediate_sweep: true)
+puts "\n=== Memory search AFTER expose ==="
+found = search_memory_for_string("SUPER_SECRET_API_KEY")
+found.each do |location|
+  puts "Found at object_id: #{location[:object_id]}"
+  puts "  Value: #{location[:value]}"
+end
+
+# Also check with marshal dump
+puts "\n=== Checking Marshal dump ==="
+begin
+  marshaled = Marshal.dump(ObjectSpace.each_object.to_a)
+  if marshaled.include?("SUPER_SECRET_API_KEY")
+    puts "❌ Secret found in Marshal dump!"
+  else
+    puts "✅ Secret not found in Marshal dump"
+  end
+rescue => e
+  puts "Marshal failed: #{e}"
+end

data/try/memory/test_actual_redactedstring_protection.rb

@@ -0,0 +1,38 @@
+# try/memory/test_actual_redactedstring_protection.rb
+
+require_relative '../helpers/test_helpers'
+
+# Test 1: Does it prevent logging leaks?
+secret = "API_KEY_12345"
+redacted = RedactedString.new(secret)
+
+puts "Logging test:"
+puts "Normal string logs as: #{secret}"  # Shows: API_KEY_12345
+puts "Redacted string logs as: #{redacted}"  # Shows: [REDACTED]
+puts "✅ Logging protection works!\n\n"
+
+# Test 2: Does it prevent exception leaks?
+begin
+  raise StandardError, "Error with secret: #{redacted}"
+rescue => e
+  puts "Exception message: #{e.message}"
+  puts "✅ Exception protection works!\n\n" if e.message.include?("[REDACTED]")
+end
+
+# Test 3: Does it prevent debug leaks?
+require 'pp'
+data = {
+  user: "john",
+  token: redacted
+}
+puts "Debug output:"
+pp data  # Will show token: [REDACTED]
+puts "✅ Debug protection works!\n\n"
+
+# Test 4: Real-world usage pattern
+redacted.expose do |token|
+  # Simulate API call
+  puts "Making API call with token (simulated)"
+  # HTTParty.get("https://api.example.com", headers: { "Authorization" => token })
+end
+puts "After API call, trying to access: #{redacted}"  # Still shows [REDACTED]

data/try/models/customer_safe_dump_try.rb

@@ -1,6 +1,5 @@
 # try/models/customer_safedump_try.rb
 
-require_relative '../../lib/familia'
 require_relative '../helpers/test_helpers'
 
 # Setup
@@ -46,7 +45,7 @@ require_relative '../helpers/test_helpers'
 @customer.secrets_created.increment
 @safe_dump = @customer.safe_dump
 @safe_dump[:secrets_created]
-#=> "1"
+#=> 1
 
 ## Safe dump includes correct active status when verified and not reset requested
 @safe_dump[:active]

data/try/models/customer_try.rb

@@ -1,7 +1,6 @@
 # try/models/customer_try.rb
 
 # Customer Tryouts
-require_relative '../../lib/familia'
 require_relative '../helpers/test_helpers'
 
 # Setup
@@ -44,7 +43,7 @@ Customer.find_by_id(ident).planid
 @customer.secrets_created.delete!
 @customer.secrets_created.increment
 @customer.secrets_created.value
-#=> '1'
+#=> 1
 
 ## Customer can add custom domain via add method
 @customer.custom_domains.add(@now, 'example.org')

data/try/models/datatype_base_try.rb

@@ -1,8 +1,7 @@
-# try/datatypes/datatype_base_try.rb
+# try/data_types/data_type_base_try.rb
 
 # Test DataType base functionality
 
-require_relative '../../lib/familia'
 require_relative '../helpers/test_helpers'
 
 Familia.debug = false

data/try/models/familia_object_try.rb

@@ -1,6 +1,5 @@
 # try/models/familia_object_try.rb
 
-require_relative '../../lib/familia'
 require_relative '../helpers/test_helpers'
 
 Familia.debug = false

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: familia
 version: !ruby/object:Gem::Version
-  version: 2.0.0.pre4
+  version: 2.0.0.pre6
 platform: ruby
 authors:
 - Delano Mandelbaum
@@ -134,33 +134,68 @@ files:
 - README.md
 - bin/irb
 - docs/connection_pooling.md
+- docs/overview.md
+- docs/wiki/API-Reference.md
+- docs/wiki/Connection-Pooling-Guide.md
+- docs/wiki/Encrypted-Fields-Overview.md
+- docs/wiki/Expiration-Feature-Guide.md
+- docs/wiki/Feature-System-Guide.md
+- docs/wiki/Features-System-Developer-Guide.md
+- docs/wiki/Field-System-Guide.md
+- docs/wiki/Home.md
+- docs/wiki/Implementation-Guide.md
+- docs/wiki/Quantization-Feature-Guide.md
+- docs/wiki/RelatableObjects-Guide.md
+- docs/wiki/Security-Model.md
+- docs/wiki/Transient-Fields-Guide.md
 - familia.gemspec
 - lib/familia.rb
 - lib/familia/base.rb
 - lib/familia/connection.rb
 - lib/familia/core_ext.rb
-- lib/familia/datatype.rb
-- lib/familia/datatype/commands.rb
-- lib/familia/datatype/serialization.rb
-- lib/familia/datatype/types/hashkey.rb
-- lib/familia/datatype/types/list.rb
-- lib/familia/datatype/types/sorted_set.rb
-- lib/familia/datatype/types/string.rb
-- lib/familia/datatype/types/unsorted_set.rb
+- lib/familia/data_type.rb
+- lib/familia/data_type/commands.rb
+- lib/familia/data_type/serialization.rb
+- lib/familia/data_type/types/counter.rb
+- lib/familia/data_type/types/hashkey.rb
+- lib/familia/data_type/types/list.rb
+- lib/familia/data_type/types/lock.rb
+- lib/familia/data_type/types/sorted_set.rb
+- lib/familia/data_type/types/string.rb
+- lib/familia/data_type/types/unsorted_set.rb
+- lib/familia/encryption.rb
+- lib/familia/encryption/encrypted_data.rb
+- lib/familia/encryption/manager.rb
+- lib/familia/encryption/provider.rb
+- lib/familia/encryption/providers/aes_gcm_provider.rb
+- lib/familia/encryption/providers/secure_xchacha20_poly1305_provider.rb
+- lib/familia/encryption/providers/xchacha20_poly1305_provider.rb
+- lib/familia/encryption/registry.rb
+- lib/familia/encryption_request_cache.rb
 - lib/familia/errors.rb
 - lib/familia/features.rb
+- lib/familia/features/encrypted_fields.rb
+- lib/familia/features/encrypted_fields/concealed_string.rb
+- lib/familia/features/encrypted_fields/encrypted_field_type.rb
 - lib/familia/features/expiration.rb
 - lib/familia/features/quantization.rb
 - lib/familia/features/relatable_objects.rb
 - lib/familia/features/safe_dump.rb
+- lib/familia/features/transient_fields.rb
+- lib/familia/features/transient_fields/redacted_string.rb
+- lib/familia/features/transient_fields/single_use_redacted_string.rb
+- lib/familia/features/transient_fields/transient_field_type.rb
+- lib/familia/field_type.rb
 - lib/familia/horreum.rb
-- lib/familia/horreum/class_methods.rb
-- lib/familia/horreum/commands.rb
-- lib/familia/horreum/connection.rb
-- lib/familia/horreum/related_fields_management.rb
-- lib/familia/horreum/serialization.rb
-- lib/familia/horreum/settings.rb
-- lib/familia/horreum/utils.rb
+- lib/familia/horreum/core.rb
+- lib/familia/horreum/core/connection.rb
+- lib/familia/horreum/core/database_commands.rb
+- lib/familia/horreum/core/serialization.rb
+- lib/familia/horreum/core/utils.rb
+- lib/familia/horreum/shared/settings.rb
+- lib/familia/horreum/subclass/definition.rb
+- lib/familia/horreum/subclass/management.rb
+- lib/familia/horreum/subclass/related_fields_management.rb
 - lib/familia/logging.rb
 - lib/familia/multi_result.rb
 - lib/familia/refinements.rb
@@ -170,24 +205,55 @@ files:
 - lib/familia/version.rb
 - lib/middleware/database_middleware.rb
 - try/configuration/scenarios_try.rb
+- try/core/base_enhancements_try.rb
 - try/core/connection_try.rb
+- try/core/create_method_try.rb
+- try/core/database_consistency_try.rb
 - try/core/errors_try.rb
 - try/core/extensions_try.rb
 - try/core/familia_extended_try.rb
 - try/core/familia_try.rb
 - try/core/middleware_try.rb
+- try/core/persistence_operations_try.rb
 - try/core/pools_try.rb
 - try/core/secure_identifier_try.rb
 - try/core/settings_try.rb
 - try/core/tools_try.rb
 - try/core/utils_try.rb
-- try/datatypes/boolean_try.rb
-- try/datatypes/datatype_base_try.rb
-- try/datatypes/hash_try.rb
-- try/datatypes/list_try.rb
-- try/datatypes/set_try.rb
-- try/datatypes/sorted_set_try.rb
-- try/datatypes/string_try.rb
+- try/data_types/boolean_try.rb
+- try/data_types/counter_try.rb
+- try/data_types/datatype_base_try.rb
+- try/data_types/hash_try.rb
+- try/data_types/list_try.rb
+- try/data_types/lock_try.rb
+- try/data_types/set_try.rb
+- try/data_types/sorted_set_try.rb
+- try/data_types/string_try.rb
+- try/debugging/README.md
+- try/debugging/cache_behavior_tracer.rb
+- try/debugging/debug_aad_process.rb
+- try/debugging/debug_concealed_internal.rb
+- try/debugging/debug_concealed_reveal.rb
+- try/debugging/debug_context_aad.rb
+- try/debugging/debug_context_simple.rb
+- try/debugging/debug_cross_context.rb
+- try/debugging/debug_database_load.rb
+- try/debugging/debug_encrypted_json_check.rb
+- try/debugging/debug_encrypted_json_step_by_step.rb
+- try/debugging/debug_exists_lifecycle.rb
+- try/debugging/debug_field_decrypt.rb
+- try/debugging/debug_fresh_cross_context.rb
+- try/debugging/debug_load_path.rb
+- try/debugging/debug_method_definition.rb
+- try/debugging/debug_method_resolution.rb
+- try/debugging/debug_minimal.rb
+- try/debugging/debug_provider.rb
+- try/debugging/debug_secure_behavior.rb
+- try/debugging/debug_string_class.rb
+- try/debugging/debug_test.rb
+- try/debugging/debug_test_design.rb
+- try/debugging/encryption_method_tracer.rb
+- try/debugging/provider_diagnostics.rb
 - try/edge_cases/empty_identifiers_try.rb
 - try/edge_cases/hash_symbolization_try.rb
 - try/edge_cases/json_serialization_try.rb
@@ -195,20 +261,62 @@ files:
 - try/edge_cases/reserved_keywords_try.rb
 - try/edge_cases/string_coercion_try.rb
 - try/edge_cases/ttl_side_effects_try.rb
+- try/encryption/config_persistence_try.rb
+- try/encryption/encryption_core_try.rb
+- try/encryption/instance_variable_scope_try.rb
+- try/encryption/module_loading_try.rb
+- try/encryption/providers/aes_gcm_provider_try.rb
+- try/encryption/providers/xchacha20_poly1305_provider_try.rb
+- try/encryption/roundtrip_validation_try.rb
+- try/encryption/secure_memory_handling_try.rb
+- try/features/encrypted_fields_core_try.rb
+- try/features/encrypted_fields_integration_try.rb
+- try/features/encrypted_fields_no_cache_security_try.rb
+- try/features/encrypted_fields_security_try.rb
+- try/features/encryption_fields/aad_protection_try.rb
+- try/features/encryption_fields/concealed_string_core_try.rb
+- try/features/encryption_fields/context_isolation_try.rb
+- try/features/encryption_fields/error_conditions_try.rb
+- try/features/encryption_fields/fresh_key_derivation_try.rb
+- try/features/encryption_fields/fresh_key_try.rb
+- try/features/encryption_fields/key_rotation_try.rb
+- try/features/encryption_fields/memory_security_try.rb
+- try/features/encryption_fields/missing_current_key_version_try.rb
+- try/features/encryption_fields/nonce_uniqueness_try.rb
+- try/features/encryption_fields/secure_by_default_behavior_try.rb
+- try/features/encryption_fields/thread_safety_try.rb
+- try/features/encryption_fields/universal_serialization_safety_try.rb
 - try/features/expiration_try.rb
+- try/features/feature_dependencies_try.rb
 - try/features/quantization_try.rb
+- try/features/real_feature_integration_try.rb
 - try/features/relatable_objects_try.rb
 - try/features/safe_dump_advanced_try.rb
 - try/features/safe_dump_try.rb
+- try/features/transient_fields/redacted_string_try.rb
+- try/features/transient_fields/refresh_reset_try.rb
+- try/features/transient_fields/simple_refresh_test.rb
+- try/features/transient_fields/single_use_redacted_string_try.rb
+- try/features/transient_fields_core_try.rb
+- try/features/transient_fields_integration_try.rb
 - try/helpers/test_helpers.rb
 - try/horreum/base_try.rb
 - try/horreum/class_methods_try.rb
 - try/horreum/commands_try.rb
+- try/horreum/enhanced_conflict_handling_try.rb
+- try/horreum/field_categories_try.rb
+- try/horreum/field_definition_try.rb
 - try/horreum/initialization_try.rb
 - try/horreum/relations_try.rb
+- try/horreum/serialization_persistent_fields_try.rb
 - try/horreum/serialization_try.rb
 - try/horreum/settings_try.rb
 - try/integration/cross_component_try.rb
+- try/memory/memory_basic_test.rb
+- try/memory/memory_detailed_test.rb
+- try/memory/memory_docker_ruby_dump.sh
+- try/memory/memory_search_for_string.rb
+- try/memory/test_actual_redactedstring_protection.rb
 - try/models/customer_safe_dump_try.rb
 - try/models/customer_try.rb
 - try/models/datatype_base_try.rb