You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
fix(security): keep auth credentials out of tracked config.json
'config --set auth.value TOKEN' previously wrote the secret into the
git-tracked config.json. Now:
- core/config.py: load order is defaults -> config.json ->
config.local.json (gitignored overlay) -> env vars
APIPROBER_AUTH_VALUE / APIPROBER_AUTH_TYPE (highest precedence,
never written to disk)
- new set_config_value() routes secret keys (auth.value) to
config.local.json and writes only the raw user file instead of the
fully merged defaults (no more config drift in the tracked file)
- cmd_config masks the secret on the console and recommends the env
var; numeric type conversion now also handles negative integers
- .gitignore: add config.local.json
- README: new 'Credential Handling' section, project structure updated
Adds regression tests (secret routing, overlay, env precedence,
no-drift writes).
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
0 commit comments