Context
PR #2605 adds SkillMiner in crates/zeph-skills/src/miner.rs. The github_token: String field stores the GitHub API token as a plain String for the lifetime of the struct. It is never logged or serialized, but defense-in-depth would wrap it in secrecy::Secret<String> with zeroize::Zeroize on drop.
Proposed change
- Add secrecy crate to zeph-skills (already a workspace dep via zeph-core)
- Change github_token: String → github_token: Secret<String>
- Unwrap with .expose_secret() only at the HTTP header construction site
Files
crates/zeph-skills/src/miner.rs
crates/zeph-skills/src/bin/miner.rs
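
The pattern proposed above, as an added example that is not the PR's or the project's code. So that it builds without external crates, `Redacted` is a std-only stand-in for the secrecy wrapper; `wipe`, `new`, `auth_header` and the `Bearer` header format are assumptions.

```rust
use std::fmt;
use std::sync::atomic::{compiler_fence, Ordering};

/// Std-only stand-in for a secret wrapper (hypothetical; not the secrecy crate's code).
pub struct Redacted(String);

impl Redacted {
    pub fn new(s: String) -> Self { Redacted(s) }
    /// The only read path; searching for this name audits every use of the token.
    pub fn expose_secret(&self) -> &str { &self.0 }
}

// Debug never prints the token, so `{:?}` on a containing struct is safe to log.
impl fmt::Debug for Redacted {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { f.write_str("[REDACTED]") }
}

impl Drop for Redacted {
    fn drop(&mut self) { wipe(&mut self.0); }
}

/// Overwrite the string's bytes with zeros using volatile writes the optimizer must keep.
pub fn wipe(s: &mut String) {
    // SAFETY: all-zero bytes are valid UTF-8, so the String invariant still holds.
    for b in unsafe { s.as_bytes_mut() } {
        unsafe { std::ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

#[derive(Debug)]
pub struct SkillMiner {
    github_token: Redacted, // a plain `String` before the proposed change
}

impl SkillMiner {
    pub fn new(token: String) -> Self { SkillMiner { github_token: Redacted::new(token) } }

    /// Single exposure site: the Authorization header value (header format assumed).
    pub fn auth_header(&self) -> String {
        format!("Bearer {}", self.github_token.expose_secret())
    }
}

fn main() {
    let miner = SkillMiner::new(String::from("constructed-token-value")); // constructed value
    println!("{:?}", miner); // SkillMiner { github_token: [REDACTED] }
    assert!(miner.auth_header().starts_with("Bearer "));
}
```

The `String` returned by `auth_header` is an unwiped copy of the token, so it should be handed straight to the HTTP client and dropped rather than stored.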