fix(deploy): redact interpolated secret values in RemoteExecutionFailed summaries (#3205)
env.clear values interpolated from ${SECRET} tokens in .kamal/secrets ride
`docker run ... -e KEY=value`, so a nonzero remote exit surfaced the raw
secret in the Wheels.Deploy.RemoteExecutionFailed message and CI logs
(deferred from #3008).
SshClient.$raiseRemoteFailure (the byte-identical FakeSshPool mirror too) now
scrubs every occurrence of each registered secret value to [REDACTED] BEFORE
the 200-char trim, so a value on the boundary can't leak a partial fragment.
Empty and trivially short (<4 char) values are skipped so unrelated command
text is never mangled. $setSecretValues registers the resolver's values;
DeployAppCli/DeployMainCli wire it from ConfigLoader.secretResolver().all()
after each load, ahead of any dispatch.
Covered via FakeSshPool (redaction, multi-occurrence, no-secret, empty/short,
boundary), a SshClient mirror-parity spec (runs without sshd), and an
end-to-end DeployAppCli integration test (config -> resolver -> failed run).
Fixes #3159
Signed-off-by: Peter Amiri <petera@pai.com>
Co-authored-by: Peter Amiri <petera@pai.com>
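The ordering the commit message describes (scrub every secret occurrence first, trim to 200 characters second), as an added Python example that is not the project's code. The function names, the sample command and the secret value are constructed for illustration, and the longest-first replacement order is an assumption of this example.

```python
# Added illustration in Python; the project's CFML code is not shown on the page.
REDACTED = "[REDACTED]"
MIN_SECRET_LEN = 4    # commit message: values shorter than 4 chars are skipped
SUMMARY_LIMIT = 200   # commit message: summaries are trimmed to 200 chars


def redact(text, secrets):
    """Replace every occurrence of each usable secret value with the marker."""
    usable = {s for s in secrets if s and len(s) >= MIN_SECRET_LEN}
    # Longest first (assumption of this example): a secret that contains
    # another registered secret is replaced whole rather than in pieces.
    for value in sorted(usable, key=len, reverse=True):
        text = text.replace(value, REDACTED)
    return text


def summarize_safe(command, secrets):
    """Redact, then trim: the order the commit describes."""
    return redact(command, secrets)[:SUMMARY_LIMIT]


def summarize_leaky(command, secrets):
    """Trim, then redact: a secret cut by the trim no longer matches."""
    return redact(command[:SUMMARY_LIMIT], secrets)


def build_sample():
    """Constructed command whose first secret straddles the 200-char cut."""
    secret = "s3cr3t-constructed-value"          # constructed, 24 chars
    head = ("docker run --rm " + "--label pad=sample " * 12)[:179]
    command = f"{head}-e API_KEY={secret} -e MIRROR={secret} app:latest"
    return command, ["", "run", secret], secret   # "" and "run" must be skipped


if __name__ == "__main__":
    cmd, secrets, _ = build_sample()
    print("leaky:", summarize_leaky(cmd, secrets)[-30:])
    print("safe: ", summarize_safe(cmd, secrets)[-30:])
```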
-`wheels deploy`: resolved secret values are now redacted (`[REDACTED]`) from `Wheels.Deploy.RemoteExecutionFailed` command summaries before the message is thrown. `env.clear` values interpolated from `${SECRET}` tokens in `.kamal/secrets` ride `docker run ... -e KEY=value`, so a nonzero remote exit previously surfaced the raw secret in the exception message and CI logs. Every occurrence is scrubbed (a value may appear in multiple `-e` flags), redaction happens before the 200-char trim so a value on the boundary can't leak a partial fragment, and empty/trivially short values are skipped so unrelated command text is never mangled (deferred from #3008; [#3159](https://github.com/wheels-dev/wheels/issues/3159))
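Review bot: the phrase "empty/trivially short values are skipped" near the end of this entry gives no cutoff, while the commit message states it as fewer than 4 characters. Put the threshold in the changelog text so operators know that a registered secret of 3 characters or fewer still appears verbatim in `Wheels.Deploy.RemoteExecutionFailed` summaries and in CI logs. The entry also ends at the issue link without a closing period.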