You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
fix: Stop embedding Portkey API key in committed config and tighten file perms
The setup/mcp wizards offered "share with the team" destinations they
labeled commit-safe (.mcp.json "ok to commit", .claude/settings.json
"committed to git") but wrote the live workspace API key into them in
plaintext. Every fs.writeFileSync also omitted a mode, so secret-bearing
home-dir files (~/.claude/settings.json, shell rc, ~/.codex/config.toml)
landed world-readable at 0644.
For git-committed scopes the config now references ${PORTKEY_API_KEY}
(expanded from the environment at read time, matching how the Codex
paths already worked) instead of the literal key; the real secret is
persisted to the user's shell rc. All secret-bearing writes now use a
writeFileSecure helper that creates files at 0600 and chmods existing
ones. UI hints and post-write banners updated to reflect that committed
files no longer contain a secret, and the README documents the
PORTKEY_API_KEY env-var workflow.
Adds regression tests for the env-var reference and 0600 permissions.
Copy file name to clipboardExpand all lines: README.md
+8Lines changed: 8 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -39,6 +39,14 @@ npx portkey mcp add
39
39
40
40
Config goes mainly into your shell profile and/or `.claude/` (the wizard explains each choice). Open a **new terminal** (or `source` your profile) after setup, then run `claude` as usual.
41
41
42
+
> **Shared / committed config (`PORTKEY_API_KEY`).** When you choose a git-tracked destination — `mcp add` → **Repo file (.mcp.json)** or `setup` → **Project (shared)** (`.claude/settings.json`) — the CLI **never** writes your key into the committed file. It writes the reference `"${PORTKEY_API_KEY}"` (Claude Code expands it from the environment at read time) and stores the real key in your shell profile (owner-only, `0600`). Each teammate just exports their own `PORTKEY_API_KEY`:
43
+
>
44
+
> ```bash
45
+
>export PORTKEY_API_KEY="pk-..."# add to ~/.zshrc, ~/.bashrc, or CI secrets
46
+
>```
47
+
>
48
+
> All files the CLI writes that hold a secret (shell profile, `~/.claude/settings.json`, `~/.codex/config.toml`) are created with `0600` permissions.
0 commit comments