P0-1: mask secret env vars in deployment detail UI#88
Merged
Conversation
…fence-in-depth)
Defence-in-depth layer 2 for the plaintext credentials exposure. The API
(layer 1) now redacts credential-bearing env var values server-side.
The dashboard provides a second layer: any non-vault env var whose
uppercased key matches the secret heuristic (contains SECRET/PASSWORD/
PASSWD/PWD/TOKEN/_KEY/APIKEY or ends with URL/URI/DSN) is displayed as
bullets (••••••••) by default.
Changes:
- Add isSensitiveEnvKey() helper mirroring the API-side key heuristic
- Add ENV_VAR_MASK_DISPLAY and ENV_VAR_REDACTED_SENTINEL constants
- Replace plaintext {v} + title={v} render with masked display + reveal toggle
- Server-redacted values ("***") show a disabled reveal button with tooltip
explaining the value is only available via API/CLI
- Vault refs (vault://...) are explicitly left unmasked — they carry no
embedded credentials and need to be readable for debugging
- Remove the full-value title={v} tooltip for sensitive rows to prevent
over-the-shoulder leaks even without clicking reveal
Tests:
- 3 new tests: masks-by-default, reveal-on-click, vault-refs-unmasked
- Pre-existing failures: 4 PricingPage tests (unrelated, pre-existing on main)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Masks secret-keyed env vars (
••••••••+ per-row reveal toggle) in the DeployDetailPage Env-vars tab; removes the full-valuetitletooltip for sensitive rows. Defence-in-depth pair to the API-side redaction (api c569500, already live).Part of P0-1 from the 2026-05-16 bug-hunt. 43 tests across api+web; tsc clean.
🤖 Generated with Claude Code