feat(security): add input validation and sensitive data redaction

- Add centralized input-sanitizer module with zod schemas
- Implement sensitive data redaction in logger (API keys, tokens, passwords)
- Add search command input validation to prevent SQL LIKE injection
- Add comprehensive security test suite (48 tests)

Security improvements:
- Path traversal prevention
- Shell metacharacter validation
- SQL identifier validation
- Table name allowlist

Closes: STA-187

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: jonathanpeterwu

src/cli/commands/search.ts

@@ -7,6 +7,22 @@ import { Command } from 'commander';
 import Database from 'better-sqlite3';
 import { join } from 'path';
 import { existsSync } from 'fs';
+import { z } from 'zod';
+
+// Input validation schemas
+const SearchQuerySchema = z
+  .string()
+  .min(1, 'Search query is required')
+  .max(500, 'Search query too long (max 500 characters)')
+  .transform((val) => {
+    // Escape SQL LIKE special characters to prevent injection
+    return val.replace(/[%_\\]/g, '\\$&');
+  });
+
+const LimitSchema = z
+  .string()
+  .transform((val) => parseInt(val, 10))
+  .pipe(z.number().int().min(1).max(100).default(20));
 
 export function createSearchCommand(): Command {
   const search = new Command('search')
@@ -16,7 +32,7 @@ export function createSearchCommand(): Command {
     .option('-t, --tasks', 'Search only tasks')
     .option('-c, --context', 'Search only context')
     .option('-l, --limit <n>', 'Limit results', '20')
-    .action(async (query, options) => {
+    .action(async (rawQuery, options) => {
       const projectRoot = process.cwd();
       const dbPath = join(projectRoot, '.stackmemory', 'context.db');
 
@@ -27,12 +43,28 @@ export function createSearchCommand(): Command {
         return;
       }
 
+      // Validate inputs
+      let query: string;
+      let limit: number;
+
+      try {
+        query = SearchQuerySchema.parse(rawQuery);
+        limit = LimitSchema.parse(options.limit);
+      } catch (error) {
+        if (error instanceof z.ZodError) {
+          console.error('❌ Invalid input:', error.errors[0].message);
+        } else {
+          console.error('❌ Invalid input');
+        }
+        return;
+      }
+
       const db = new Database(dbPath);
-      const limit = parseInt(options.limit);
       const searchTasks = !options.context || options.tasks;
       const searchContext = !options.tasks || options.context;
 
-      console.log(`\n🔍 Searching for "${query}"...\n`);
+      // Display the original query (not the escaped one) for user
+      console.log(`\n🔍 Searching for "${rawQuery}"...\n`);
 
       let totalResults = 0;
 

src/core/monitoring/logger.ts

@@ -1,21 +1,84 @@
 /**
  * Structured logging utility for StackMemory CLI
+ * Includes automatic sensitive data redaction for security
  */
 
 import * as fs from 'fs';
 import * as path from 'path';
-// Type-safe environment variable access
-function getEnv(key: string, defaultValue?: string): string {
-  const value = process.env[key];
-  if (value === undefined) {
-    if (defaultValue !== undefined) return defaultValue;
-    throw new Error(`Environment variable ${key} is required`);
+
+/**
+ * Sensitive data patterns that should be redacted from logs
+ */
+const SENSITIVE_PATTERNS = [
+  /\b(api[_-]?key|apikey)\s*[:=]\s*['"]?[\w-]+['"]?/gi,
+  /\b(secret|password|token|credential|auth)\s*[:=]\s*['"]?[\w-]+['"]?/gi,
+  /\b(lin_api_[\w]+)/gi,
+  /\b(lin_oauth_[\w]+)/gi,
+  /\b(sk-[\w]+)/gi,
+  /\b(npm_[\w]+)/gi,
+  /\b(ghp_[\w]+)/gi,
+  /\b(ghs_[\w]+)/gi,
+  /Bearer\s+[\w.-]+/gi,
+  /Basic\s+[\w=]+/gi,
+  /postgres(ql)?:\/\/[^@\s]+:[^@\s]+@/gi,
+];
+
+const SENSITIVE_FIELD_NAMES = [
+  'password',
+  'token',
+  'apikey',
+  'api_key',
+  'secret',
+  'credential',
+  'authorization',
+  'auth',
+  'accesstoken',
+  'access_token',
+  'refreshtoken',
+  'refresh_token',
+];
+
+/**
+ * Redact sensitive data from a string
+ */
+function redactString(input: string): string {
+  let result = input;
+  for (const pattern of SENSITIVE_PATTERNS) {
+    pattern.lastIndex = 0;
+    result = result.replace(pattern, '[REDACTED]');
   }
-  return value;
+  return result;
 }
 
-function getOptionalEnv(key: string): string | undefined {
-  return process.env[key];
+/**
+ * Recursively sanitize an object for logging
+ */
+function sanitizeForLogging(obj: unknown): unknown {
+  if (obj === null || obj === undefined) {
+    return obj;
+  }
+
+  if (typeof obj === 'string') {
+    return redactString(obj);
+  }
+
+  if (Array.isArray(obj)) {
+    return obj.map(sanitizeForLogging);
+  }
+
+  if (typeof obj === 'object') {
+    const sanitized: Record<string, unknown> = {};
+    for (const [key, value] of Object.entries(obj)) {
+      if (SENSITIVE_FIELD_NAMES.some((sf) => key.toLowerCase().includes(sf))) {
+        sanitized[key] = '[REDACTED]';
+      } else {
+        sanitized[key] = sanitizeForLogging(value);
+      }
+    }
+    return sanitized;
+  }
+
+  return obj;
 }
 
 export enum LogLevel {
@@ -103,7 +166,15 @@ export class Logger {
   }
 
   private writeLog(entry: LogEntry): void {
-    const logLine = JSON.stringify(entry) + '\n';
+    // Sanitize context and message to prevent logging sensitive data
+    const sanitizedEntry: LogEntry = {
+      ...entry,
+      message: redactString(entry.message),
+      context: entry.context
+        ? (sanitizeForLogging(entry.context) as Record<string, unknown>)
+        : undefined,
+    };
+    const logLine = JSON.stringify(sanitizedEntry) + '\n';
 
     // Always write to file if configured
     if (this.logFile) {