security: sanitize error messages to prevent path disclosure #416

@bug-ops

Description

Related to #391

Summary

Error messages include absolute file paths and internal details, aiding attackers in reconnaissance by revealing directory structure and usernames.

Severity

Low — Information leakage only (no direct exploitation).

Locations

// vault.rs:105
AgeVaultError::KeyRead(e) => format!("failed to read key file: {e}")
// → may leak key_path if e includes it

// shell.rs:221
ToolError::SandboxViolation { path }
// → returns canonical path to user

// config/mod.rs:26
.context("failed to read config file")
// → path appears in error chain

Risk

Path disclosure can help attackers:

  • Map internal directory structure
  • Identify usernames (e.g., /home/victim/.zeph/key.txt)
  • Find writable directories

Recommendation

Sanitize errors before returning to channels:

// In channel error handler. `Error` is the crate's error type and PATH_REGEX a
// precompiled regex matching absolute paths (both assumed to exist in the crate).
fn sanitize_error(e: &Error) -> String {
    let msg = e.to_string();
    // Strip absolute paths from the rendered message before it reaches a channel
    PATH_REGEX.replace_all(&msg, "[PATH]").to_string()
}

// Or use error context without details
.context("failed to read config file") // good: no path in the message
.with_context(|| format!("failed to read {path}")) // bad: interpolates the path

Add test:

use std::path::Path;

#[test]
fn error_messages_no_paths() {
    // Load from a path that must not show up in the rendered error
    let err = Config::load(Path::new("/secret/config.toml")).unwrap_err();
    let msg = err.to_string();
    assert!(!msg.contains("/secret"));
}
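As an added example (not code from the issue or the project): a dependency-free sanitizer in std Rust that redacts path-like tokens and walks the `source()` chain, since the path from `.context(..)` or `KeyRead` often sits below the top-level message. The `KeyRead` stand-in, the sample paths and the path heuristic are assumptions constructed for this example.

```rust
use std::error::Error;
use std::fmt;
/// Heuristic (an assumption of this example): absolute Unix, `~/` or Windows drive path.
fn looks_like_path(t: &str) -> bool {
    let b = t.as_bytes();
    t.starts_with('/') || t.starts_with("~/")
        || (b.len() >= 3 && b[0].is_ascii_alphabetic() && b[1] == b':' && b"\\/".contains(&b[2]))
}
/// Replace each path-looking token in `msg` with `[PATH]`, keeping quotes/punctuation around it.
pub fn sanitize_message(msg: &str) -> String {
    msg.split(' ')
        .map(|tok| {
            let start = tok.len() - tok.trim_start_matches(|c: char| "('\"`".contains(c)).len();
            let end = tok.trim_end_matches(|c: char| ",.;:)'\"`".contains(c)).len();
            if end > start && looks_like_path(&tok[start..end]) {
                format!("{}[PATH]{}", &tok[..start], &tok[end..])
            } else {
                tok.to_string()
            }
        })
        .collect::<Vec<_>>()
        .join(" ")
}
/// Walk the `source()` chain (what `anyhow::Error::chain()` exposes) and sanitize every layer.
pub fn sanitize_chain(e: &dyn Error) -> String {
    let mut parts = vec![sanitize_message(&e.to_string())];
    let mut cur = e.source();
    while let Some(s) = cur {
        parts.push(sanitize_message(&s.to_string()));
        cur = s.source();
    }
    parts.join(": ")
}
/// Constructed stand-in for the issue's `KeyRead` variant (not the project's real type).
#[derive(Debug)]
pub struct KeyRead { pub path: String, pub source: std::io::Error }
impl fmt::Display for KeyRead {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "failed to read key file: {}", self.path)
    }
}
impl Error for KeyRead {
    fn source(&self) -> Option<&(dyn Error + 'static)> { Some(&self.source) }
}
/// Builds the leaky chain from the issue and returns the sanitized rendering.
pub fn demo() -> String {
    let source = std::io::Error::new(std::io::ErrorKind::PermissionDenied, "permission denied");
    sanitize_chain(&KeyRead { path: "/home/victim/.zeph/key.txt".into(), source })
}
fn main() { println!("{}", demo()); }
```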

References

  • CWE-209 (Generation of Error Message Containing Sensitive Information)
  • Security audit: .local/audit/security-audit.md (SEC-7)

Labels: security (Security hardening)