
Enforce secret scanning before memory write or sync #102

@romgenie


Local source: coven-code/issues/11-enforce-secret-scanning-before-memory-write-or-sync.md

Summary

Coven Code has a secret scanner for team memory content, but it must be enforced before any memory is persisted or synchronized in hosted mode.

Current Evidence

  • team_memory_sync.rs defines scan_for_secrets.
  • Searches show scan_for_secrets is used in tests, but not enforced in push, scan_local_files, or SessionMemoryExtractor::persist.
  • TeamMemorySync::scan_local_files reads markdown files and adds them to upload entries without secret scanning.

Problem

Memory can accidentally include API keys, tokens, private keys, or incident details. A hosted reviewer must not persist or sync secrets into shared memory stores.

Proposed Design

Add secret scanning at every memory boundary:

  • Before auto-extracted memory candidate creation.
  • Before durable memory write.
  • Before team memory sync upload.
  • Before settings/user memory sync upload.

If secrets are detected:

  • Block the write/sync by default.
  • Record only labels and reason codes, not secret values.
  • Emit a redaction-required candidate for operator review.

Acceptance Criteria

  • scan_for_secrets is called before team memory upload.
  • scan_for_secrets is called before session memory persistence in hosted mode.
  • Tests verify secret-like content blocks memory writes.
  • Tests verify logs do not include matched secret values.
  • Documentation explains override policy for false positives.

Implementation Notes

The scanner should return structured labels only. Avoid storing or logging the matched text.
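As an added example that is not Coven Code's own code (the type names, the detector set and the `gate_memory_write` function are assumptions), here is a Rust sketch of what the Proposed Design and Implementation Notes above ask for: a scanner that returns only labels, reason codes and line numbers, and a boundary gate that blocks the write with a redaction-required result instead of persisting.

```rust
// Hypothetical example, not the project's scan_for_secrets. Findings carry
// labels, reason codes and a line number for operator review, never the match.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct SecretFinding {
    pub label: &'static str,       // e.g. "aws_access_key_id"
    pub reason_code: &'static str, // e.g. "prefix_and_length"
    pub line: usize,               // 1-based line in the candidate content
}

/// Outcome of gating a memory write or sync. Never carries matched text.
#[derive(Debug, PartialEq, Eq)]
pub enum MemoryGate {
    Allow,
    BlockRedactionRequired(Vec<SecretFinding>),
}

/// Small illustrative detector set keyed on well-known markers (assumed).
fn detect_on_line(line: &str, lineno: usize) -> Vec<SecretFinding> {
    let mut out = Vec::new();
    let mut push = |label, reason_code| out.push(SecretFinding { label, reason_code, line: lineno });
    if line.contains("-----BEGIN") && line.contains("PRIVATE KEY-----") {
        push("private_key_pem", "pem_header");
    }
    // AWS access key ids: "AKIA" followed by 16 uppercase alphanumerics.
    if let Some(i) = line.find("AKIA") {
        let run = line[i + 4..].chars().take_while(|c| c.is_ascii_uppercase() || c.is_ascii_digit()).count();
        if run >= 16 { push("aws_access_key_id", "prefix_and_length"); }
    }
    // GitHub classic personal access tokens: "ghp_" prefix, 40 characters total.
    let is_token = |t: &str| t.starts_with("ghp_") && t.len() >= 40;
    if line.split(|c: char| !c.is_ascii_alphanumeric() && c != '_').any(is_token) {
        push("github_pat", "prefix_and_length");
    }
    out
}

/// Scan whole content; the return value is safe to log as-is.
pub fn scan_labels(content: &str) -> Vec<SecretFinding> {
    content.lines().enumerate().flat_map(|(i, l)| detect_on_line(l, i + 1)).collect()
}

/// Call at every boundary: candidate creation, durable write, sync upload.
pub fn gate_memory_write(content: &str) -> MemoryGate {
    let findings = scan_labels(content);
    if findings.is_empty() { MemoryGate::Allow } else { MemoryGate::BlockRedactionRequired(findings) }
}

fn main() {
    // Constructed sample note containing a fake (documentation) AWS key id.
    let note = "Deploy runbook\nexport AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n";
    println!("{:?}", gate_memory_write(note)); // prints labels only, never the key
}
```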
