Skip to content

fix(config): mask wandb_api_key in config set output#66

Merged
rgao-coreweave merged 3 commits into
mainfrom
fix/config-set-wandb-api-key-leak
May 29, 2026
Merged

fix(config): mask wandb_api_key in config set output#66
rgao-coreweave merged 3 commits into
mainfrom
fix/config-set-wandb-api-key-leak

Conversation

@rgao-coreweave
Copy link
Copy Markdown
Contributor

@rgao-coreweave rgao-coreweave commented May 29, 2026

Summary

  • weave-claude-code config set wandb_api_key <value> echoed the full secret to stdout, leaking it into terminal scrollback, CI logs, and tool transcripts (including this PR's discovery transcript). config show and status already masked the same value to first-4-chars + …; only set was missed when wandb_api_key was added as a writable key in chore: add SPDX headers to build/release scripts #61 / commit 9250dd2.
  • Extracted a single maskSecret helper and routed config show, config set, and status through it so the mask format lives in one place.
  • config get wandb_api_key is intentionally left un-masked — it's the programmatic retrieval path (the weave-install skill's migration uses KEY=$(weave-claude-code config get wandb_api_key)).
  • cmdInstall's interactive prompt already masks correctly (value.slice(0, 4)…) and is unchanged here — folding it into maskSecret would be a non-essential, currently-untested refactor.

Test plan

  • New tests/config-set-masks-secrets.test.ts exercises four behaviors:
    1. config set wandb_api_key: stdout does NOT contain the full secret
    2. config set wandb_api_key: stdout DOES contain the wand… masked prefix
    3. config set wandb_api_key: full secret IS persisted to settings.json (display-only fix — guards against accidentally masking the on-disk value)
    4. config set weave_project: non-sensitive value is still echoed in full (guards against over-masking)
  • TDD: confirmed the two leak tests failed against pre-fix code with the exact message stdout leaked the full secret: ✓ Set wandb_api_key = <full secret>, then passed after the fix.
  • Full suite: 19/19 passing (npm test).
  • Build clean: tsc no errors.

🤖 Generated with Claude Code

@rgao-coreweave @claude
fix(config): mask wandb_api_key in config set output
5802762 
`config set wandb_api_key <value>` echoed the full secret to stdout,
leaking it into terminal scrollback, CI logs, and tool transcripts
whenever the install/migration flow ran. `config show` and `status`
already masked to first-4-chars + ellipsis; only `set` was missed
when `wandb_api_key` was added as a writable key.

Extracted a single `maskSecret` helper used by all three call sites so
the mask format lives in one place. `config get wandb_api_key` is
intentionally left un-masked — it's the programmatic retrieval path
(eg. the migration in the weave-install skill).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@w-b-hivemind
Copy link
Copy Markdown

w-b-hivemind Bot commented May 29, 2026
edited
Loading

HiveMind Sessions

1 session · 13m · $5.94

Session Agent Duration Tokens Cost Lines
Install and Configure Weave Plugin PR
9f6fa9b8-d7f0-43a0-8ebf-1685300fb256		 claude 13m 47.9K $5.94 +167 -95
Total 13m 47.9K $5.94 +167 -95

View all sessions in HiveMind →

Run claude --resume 9f6fa9b8-d7f0-43a0-8ebf-1685300fb256 to pickup where you left off.

@rgao-coreweave @claude
test: consolidate config-set mask tests, trim comments
23ca623 
Four tests of the same `config set` call (three on wandb_api_key, one on
weave_project) collapse into one walking both branches of the mask-or-not
decision: one CLI spawn for the secret path, one for the plain path.

Also drops the maskSecret docstring (name is self-evident) and the
test file's seven-line header in favor of a two-line "what + why".

9/9 passing (was 12/12 — the four merged into one and the suite wrapper went away).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@rgao-coreweave rgao-coreweave requested a review from a team May 29, 2026 01:59
drtangible
drtangible reviewed May 29, 2026
View reviewed changes
Comment thread src/cli.ts
@rgao-coreweave @claude
refactor(cli): route cmdInstall mask calls through maskSecret
ddd0108 
Addresses review feedback on #66 — two remaining `value.slice(0, 4)}…`
sites in cmdInstall (env-var notice and post-prompt echo) now go through
the same helper as config show/set and status. Audited the rest of the
codebase: no other call sites log secrets.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@rgao-coreweave rgao-coreweave requested review from a team and drtangible May 29, 2026 16:45
drtangible
drtangible approved these changes May 29, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@drtangible drtangible left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 👍 👍

@rgao-coreweave
Copy link
Copy Markdown
Contributor Author

rgao-coreweave commented May 29, 2026

👍 👍 👍

thank you!

Merging in

@rgao-coreweave rgao-coreweave merged commit 7376ca7 into main May 29, 2026
4 checks passed
@github-actions github-actions Bot locked and limited conversation to collaborators May 29, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@drtangible drtangible drtangible approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@rgao-coreweave @drtangible