fix(security): remove args from setConfigValue log to prevent secrets leakage

sorlen008 · sorlen008 · commit 96a9412ede91 · 2026-04-05T08:29:58.000Z
Logging JSON.stringify(args) could expose config values (API keys, paths, secrets) in server-side logs that may be exfiltrated or accessed by unauthorized parties. Only the callerOrigin is now logged. Addresses coderabbitai review comment on PR #399. https://claude.ai/code/session_01UesrAy2NYmCpw7rqX71V5X
diff --git a/src/tools/config.ts b/src/tools/config.ts
@@ -164,7 +164,7 @@ export async function getConfig() {
  *   reach security-critical keys regardless of what it sends in the arguments.
  */
 export async function setConfigValue(args: unknown, callerOrigin: 'mcp' | 'ui' = 'mcp') {
-  console.error(`setConfigValue called with args: ${JSON.stringify(args)}, callerOrigin: ${callerOrigin}`);
+  console.error(`setConfigValue called with callerOrigin: ${callerOrigin}`);
   try {
     const parsed = SetConfigValueArgsSchema.safeParse(args);
     if (!parsed.success) {
