hermes - 💡(How to fix) Fix Hardening: extend secret redaction to state.db persistence + add Google OAuth (ya29./1//) prefixes [3 pull requests]

<!-- Suggested title: Hardening: extend secret redaction to state.db persistence + add Google OAuth (ya29./1//) prefixes -->

Filed as a §3.2 hardening idea, not a vulnerability report — SECURITY.md is explicit that output redaction is a display heuristic, not a boundary, and that "redaction can always get smarter" as a regular issue/PR. This is a smarter-redaction proposal in that spirit; OS-level isolation (§2.2) remains the boundary.

Observation

security.redact_secrets is display/logging-scoped (RedactingFormatter); it doesn't run on the state.db persistence layer. append_message() in hermes_state.py writes content/tool_calls/reasoning straight through, and the FTS triggers index that content for substring search. So the persisted store is the least-redacted sink — which can surprise operators who read redact_secrets: true as broad coverage.

Two concrete, independently-useful gaps:

  1. Only tool output is masked (at the tool boundary) — user & assistant turns persist verbatim. A secret a user pastes, or that the model echoes back, is stored raw.
  2. Opaque Google OAuth tokens have no prefix pattern. agent/redact.py _PREFIX_PATTERNS covers AIza… (Google API keys), xai-, sk-, GitHub, Slack, etc. — but not ya29. (access) or 1// (refresh). They're only caught via _JSON_KEY_NAMES adjacency, so a bare token in tool output slips into both logs and the store.

Suggested improvements (smallest first)

  • Add ya29. and 1// to _PREFIX_PATTERNS — one-liner; improves log + tool-output masking immediately. Happy to send this as a PR if it's a welcome starting point.
  • Optionally run the redactor over message content on persist (at least over user/assistant turns), so redact_secrets coverage matches operator expectation.
  • Optionally note in docs that redact_secrets is display-scoped, and that state.db is bounded only with sessions.auto_prune on (defaults off).

Acknowledged

Per §2.4 this is a heuristic, not containment — the ask is to make the heuristic cover more sinks, not to treat it as a boundary. The real boundary stays OS-level isolation.
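As an added illustration of the proposal above (example code, not hermes's own agent/redact.py or hermes_state.py): a constructed prefix list that includes the ya29. and 1// Google OAuth prefixes, a stand-in append_message() that runs the redactor over every turn before the row hits the store, and an audit query that counts persisted rows still carrying a raw prefix match. Pattern names, the table layout and the token values are all hypothetical.

```python
import re
import sqlite3

# Constructed prefix patterns for this example (not the real agent/redact.py
# _PREFIX_PATTERNS). The two Google OAuth prefixes from the proposal are
# included: "ya29." (access token) and "1//" (refresh token).
PREFIX_PATTERNS = [
    re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),   # Google API key
    re.compile(r"\bsk-[0-9A-Za-z_\-]{20,}"),      # sk- style API key
    re.compile(r"\bya29\.[0-9A-Za-z_\-]{20,}"),   # Google OAuth access token
    re.compile(r"\b1//[0-9A-Za-z_\-]{20,}"),      # Google OAuth refresh token
]

def redact(text: str) -> str:
    """Replace any prefix-matched secret with a fixed marker."""
    for pattern in PREFIX_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text

def open_store() -> sqlite3.Connection:
    """In-memory stand-in for state.db with a minimal messages table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (role TEXT, content TEXT)")
    return conn

def append_message(conn: sqlite3.Connection, role: str, content: str,
                   redact_on_persist: bool = True) -> str:
    """Hypothetical stand-in for append_message(): with redact_on_persist the
    redactor runs on every turn (user, assistant, tool) before the row is
    written, so the store (and any FTS index built over it) only ever sees
    the masked text."""
    stored = redact(content) if redact_on_persist else content
    conn.execute("INSERT INTO messages VALUES (?, ?)", (role, stored))
    conn.commit()
    return stored

def count_raw_secrets(conn: sqlite3.Connection) -> int:
    """Audit check: number of persisted rows still containing a prefix match."""
    rows = conn.execute("SELECT content FROM messages").fetchall()
    return sum(1 for (content,) in rows
               if any(p.search(content) for p in PREFIX_PATTERNS))

# Constructed sample tokens; the values are made up for this example.
ACCESS = "ya29.A0ARrdaM-constructedExampleAccessToken0123456789"
REFRESH = "1//0gConstructedExampleRefreshToken-abcdefghij0123456789"
```

Running count_raw_secrets() against a copy of an existing store gives an operator a quick measure of how much raw material the display-scoped redactor has let through to persistence.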
