Merge pull request #40 from spectacular-voyage/next/v0.2.13

Next/v0.2.13

Author: djradon

.coderabbit.yaml

@@ -3,5 +3,12 @@ reviews:
     - "!documentation/notes/conv.*"
     - "!documentation/notes/cancelled.*"
     - "!documentation/notes/completed.*"
+  path_instructions:
+    - path: "documentation/notes/**.md"
+      instructions: |
+        This directory is a Dendron vault. YAML frontmatter commonly includes an `updated` field managed automatically by Dendron.
+        Do not flag existing or changed numeric `updated` values as manually edited timestamps, stale metadata, or cleanup opportunities.
+        Only comment on frontmatter if it is malformed YAML, missing required delimiters, or a change breaks Dendron note conventions.
+        For internal note links, prefer Dendron wikilinks like [[dev.general-guidance]] without a `.md` extension.
   auto_review:
-    enabled: true
+    enabled: true

README.md

@@ -84,6 +84,27 @@ You can also trigger recording from the "Sessions" page in the web UI.
 - `::stop`: stop all active recordings
 - `::stop-<alias>`: stop one workspace output
 
+## Secrets Redaction
+
+By default, Kato scans every captured conversation for things that look like
+credentials — vendor API keys (AWS, GitHub, Slack, OpenAI, Anthropic, …), PEM
+private keys, JWTs, and `password=`/`api_key=`-style assignments — and
+replaces them with `[REDACTED:<rule-id>]` placeholders before anything is
+written to twins, recordings, exports, or shown in the web UI. Each redaction
+is recorded in the security audit log (rule and count only, never the secret).
+
+Note: the AI tool's own transcript files still contain the original text;
+Kato only controls what lands in Kato-created files.
+
+Configure via `secretsPolicy` in `~/.kato/shared/kato-shared-config.yaml`:
+
+```yaml
+secretsPolicy:
+  mode: redact            # redact (default) | detect (log only) | off
+  disabledRules: []       # rule ids to skip, e.g. [jwt]
+  allowlist: []           # literal substrings or /regex/ to never redact
+```
+
 ## Local Web
 
 From the web UI, you can start and stop recordings, and manage your Kato data and configuration. 

apps/cli/deno.json

@@ -1,10 +1,10 @@
 {
-  "version": "0.2.12",
+  "version": "0.2.13",
   "imports": {
     "@std/assert": "jsr:@std/assert@1",
     "@std/cli": "jsr:@std/cli@1",
     "@std/path": "jsr:@std/path@1",
-    "@std/yaml": "jsr:@std/yaml@1",
+    "@std/yaml": "jsr:@std/yaml@^1.1.1",
     "@kato/shared": "../../shared/src/mod.ts",
     "@kato/runtime": "../runtime/src/mod.ts"
   },

apps/cli/deno.lock

@@ -2,6 +2,7 @@ import type { DaemonCliCommandContext } from "./context.ts";
 import { isStatusSnapshotStale } from "@kato/runtime";
 import { runStartCommand } from "./start.ts";
 import { runStopCommand } from "./stop.ts";
+import { runWebRestartCommand } from "./web.ts";
 
 const DEFAULT_STOP_WAIT_TIMEOUT_MS = 10_000;
 const DEFAULT_STOP_WAIT_POLL_INTERVAL_MS = 100;
@@ -60,6 +61,7 @@ export async function runRestartCommand(
     });
 
     await runStartCommand(ctx);
+    await restartWebIfConfigured(ctx);
     return;
   }
 
@@ -78,4 +80,14 @@ export async function runRestartCommand(
     previousPid: snapshot.daemonPid,
     restartMode: "stop-then-start",
   });
+  await restartWebIfConfigured(ctx);
+}
+
+async function restartWebIfConfigured(
+  ctx: DaemonCliCommandContext,
+): Promise<void> {
+  if (!ctx.webConfig) {
+    return;
+  }
+  await runWebRestartCommand(ctx);
 }

apps/cli/src/commands/restart.ts

@@ -565,7 +565,8 @@ export async function runDaemonCli(
     }
   }
 
-  const commandShouldTryLoadingWebConfig = intent.command.name === "status" ||
+  const commandShouldTryLoadingWebConfig = intent.command.name === "restart" ||
+    intent.command.name === "status" ||
     intent.command.name === "web-start" ||
     intent.command.name === "web-restart" ||
     intent.command.name === "web-status";

apps/cli/src/router.ts

@@ -19,7 +19,7 @@ const GLOBAL_USAGE_BODY = [
   "Commands:",
   "  init                  Create default global config files if missing",
   "  start                 Start daemon in detached background mode",
-  "  restart               Stop then start daemon (start only if not running)",
+  "  restart               Stop then start daemon and configured web app",
   "  stop                  Queue daemon stop request (or reset stale status)",
   "  status [--json] [--all] [--live]",
   "                        Show daemon status",
@@ -55,6 +55,7 @@ const COMMAND_USAGE_BODY: Record<DaemonCliCommandName, string> = {
     "Usage: kato restart",
     "",
     "Stops daemon and starts it again. If daemon is not running, starts it.",
+    "Also restarts Kato Web when web config exists; unconfigured web is skipped.",
     "Uses global ~/.kato by default; set KATO_RUNTIME_DIR to an absolute path (or ~/...) to use another runtime root.",
   ].join("\n"),
   stop: [

apps/cli/src/usage.ts

@@ -1,10 +1,10 @@
 {
-  "version": "0.2.12",
+  "version": "0.2.13",
   "imports": {
     "@std/assert": "jsr:@std/assert@1",
     "@std/cli": "jsr:@std/cli@1",
     "@std/path": "jsr:@std/path@1",
-    "@std/yaml": "jsr:@std/yaml@1",
+    "@std/yaml": "jsr:@std/yaml@^1.1.1",
     "@kato/shared": "../../shared/src/mod.ts"
   },
   "fmt": {

apps/daemon/deno.json

@@ -6,6 +6,7 @@ export {
   createDefaultRuntimeConfig,
   createDefaultRuntimeLoggingConfig,
   createDefaultRuntimeMarkdownFrontmatterConfig,
+  createDefaultSecretsPolicyConfig,
   createDefaultSharedBehaviorConfig,
   createDefaultUserConfig,
   type EnsureCliConfigResult,