feat(cli): add sensitive flag annotation to DocFlag#3457
Conversation
📝 Walkthrough

This PR introduces infrastructure to mark CLI flag values as sensitive secrets across KAS key management commands.

Changes: Sensitive CLI Flags for KAS Key Commands
Summary of Changes

This pull request enhances the CLI security by introducing a mechanism to mark specific flags as sensitive. By adding a 'Sensitive' annotation to the documentation metadata, the system can now automatically propagate these settings to the underlying pflag configuration, ensuring that sensitive information like cryptographic keys is properly handled and protected from being exposed in logs or process listings.
Code Review
This pull request introduces a mechanism to mark sensitive CLI flags (like cryptographic keys) using documentation metadata, ensuring they are annotated for secure handling in logs. Feedback focuses on ensuring MarkSensitiveFlags is called after all flags are registered, correcting an encoding description in the documentation from base64 to hex, and enhancing security by panicking on annotation failures instead of ignoring them.
4ab0dce to 73ed6f4
Actionable comments posted: 1
Inline comments:
In `@otdfctl/docs/man/policy/kas-registry/key/rotate.md`:
- Line 34: The docs show the `wrapping-key` example value in
policy/kas-registry/key/rotate.md still using a base64-like string
(`YWVzIGtleQ==`) while the field description requires hex-encoded AES key;
update the example under the `wrapping-key` entry to a valid hex-encoded AES key
(e.g., 32-byte key = 64 hex chars for AES-256) so the example matches the
description and will work in `mode: local` usage of the rotation command.
📒 Files selected for processing (6)

- otdfctl/cmd/policy/kasKeys.go
- otdfctl/docs/man/policy/kas-registry/key/create.md
- otdfctl/docs/man/policy/kas-registry/key/import.md
- otdfctl/docs/man/policy/kas-registry/key/rotate.md
- otdfctl/pkg/man/docflags.go
- otdfctl/pkg/man/docflags_test.go
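The review comment above hinges on the `wrapping-key` description requiring a hex-encoded AES key while the man-page example was a base64-looking string. The following is an added illustration, not code from otdfctl or this PR, of the check a CLI could apply to the flag value so that a mismatched example fails at parse time rather than at KAS. The function name `ValidateWrappingKey` and the accepted lengths are assumptions for this example; the real command's validation is not shown on this page.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// ValidateWrappingKey checks that a --wrapping-key value is hex-encoded AES key
// material of a valid length and returns the decoded bytes. The hex decoder
// rejects the base64 example "YWVzIGtleQ==" outright: '=' and letters past 'f'
// are not hex digits. (Function name and behaviour are assumptions for this
// example, not otdfctl's own validation.)
func ValidateWrappingKey(s string) ([]byte, error) {
	key, err := hex.DecodeString(strings.TrimSpace(s))
	if err != nil {
		return nil, fmt.Errorf("wrapping-key must be hex-encoded: %w", err)
	}
	switch len(key) {
	case 16, 24, 32: // AES-128, AES-192, AES-256 key sizes in bytes
		return key, nil
	default:
		return nil, fmt.Errorf("wrapping-key decodes to %d bytes; want 16, 24 or 32", len(key))
	}
}

func main() {
	// Constructed sample: 64 hex characters = 32 bytes = AES-256.
	good := strings.Repeat("ab", 32)
	if _, err := ValidateWrappingKey(good); err != nil {
		panic(err)
	}
	// The old man-page example value, which the review flagged.
	if _, err := ValidateWrappingKey("YWVzIGtleQ=="); err != nil {
		fmt.Println("rejected as expected:", err)
	}
}
```

A 62-character value is still valid hex but decodes to 31 bytes, so the length check is what catches a truncated key; an odd-length value fails in the decoder.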
Add a `sensitive` field to DocFlag and a MarkSensitiveFlags method that propagates the annotation to pflag, enabling downstream tools (e.g. MCP servers) to redact sensitive values from logs without hardcoding flag names.

Signed-off-by: Krish Suchak <ksuchak@virtru.com>
Signed-off-by: Krish Suchak <suchak.krish@gmail.com>

Move MarkSensitiveFlags() after injectLabelFlags() so annotations run after all flags are registered. Fix pre-existing "base64" → "hex" typo in rotate.md wrapping-key description.

Signed-off-by: Krish Suchak <ksuchak@virtru.com>
Signed-off-by: Krish Suchak <suchak.krish@gmail.com>
73ed6f4 to 78a77b5
🤖 I have created a release *beep* *boop*

---

## [0.32.0](opentdf/platform@otdfctl/v0.31.0...otdfctl/v0.32.0) (2026-05-19)

### Features

* **cli:** Add better unit testing. ([opentdf#3378](opentdf#3378)) ([3ad33dc](opentdf@3ad33dc))
* **cli:** Add interactive review for prune plans ([opentdf#3421](opentdf#3421)) ([c11680b](opentdf@c11680b))
* **cli:** Add prune confirmation. ([opentdf#3469](opentdf#3469)) ([c6d47ec](opentdf@c6d47ec))
* **cli:** Add prune planner. ([opentdf#3411](opentdf#3411)) ([3e294e6](opentdf@3e294e6))
* **cli:** Add prune summary information ([opentdf#3456](opentdf#3456)) ([c900c53](opentdf@c900c53))
* **cli:** add sensitive flag annotation to DocFlag ([opentdf#3457](opentdf#3457)) ([98f48d2](opentdf@98f48d2))
* **cli:** Confirm and execute pruning of legacy objects ([opentdf#3458](opentdf#3458)) ([24c09dd](opentdf@24c09dd))
* **cli:** Print report on failure ([opentdf#3365](opentdf#3365)) ([05a4473](opentdf@05a4473))
* **cli:** Sort parameters. ([opentdf#3478](opentdf#3478)) ([73ad878](opentdf@73ad878))
* **policy:** Add FQN to RegisteredResourceValues ([opentdf#3446](opentdf#3446)) ([3199583](opentdf@3199583))
* **policy:** Add resource mapping group FQNs ([opentdf#3447](opentdf#3447)) ([6a0b3c6](opentdf@6a0b3c6))

### Bug Fixes

* **cli:** Prune was not classifying multi-namespaced RRs properly. ([opentdf#3488](opentdf#3488)) ([eae8645](opentdf@eae8645))
* **cli:** support json profile output ([opentdf#3448](opentdf#3448)) ([61f194c](opentdf@61f194c))
* **deps:** bump github.com/opentdf/platform/lib/identifier from 0.3.0 to 0.4.0 in /otdfctl ([opentdf#3367](opentdf#3367)) ([aa23179](opentdf@aa23179))
* **deps:** bump github.com/opentdf/platform/protocol/go from 0.27.0 to 0.28.0 in /otdfctl ([opentdf#3419](opentdf#3419)) ([c80374f](opentdf@c80374f))
* **deps:** bump github.com/opentdf/platform/sdk from 0.16.0 to 0.17.0 in /otdfctl ([opentdf#3397](opentdf#3397)) ([bb9fcd6](opentdf@bb9fcd6))
* **deps:** bump go.opentelemetry.io/otel from 1.40.0 to 1.41.0 in /otdfctl ([opentdf#3400](opentdf#3400)) ([5631c37](opentdf@5631c37))
* **deps:** bump module protocol/go to v0.30.0 throughout ([opentdf#3459](opentdf#3459)) ([8eaa502](opentdf@8eaa502))

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
Co-authored-by: Chris Reed <87077975+c-r33d@users.noreply.github.com>
Proposed Changes

- Add `Sensitive` bool field to `DocFlag` struct with YAML support
- Add `MarkSensitiveFlags()` method that propagates sensitive annotations to pflag via `SetAnnotation`
- Mark `wrapping-key` and `private-key-pem` as sensitive in KAS key create/import/rotate man docs
- Call `MarkSensitiveFlags()` in KAS key command setup
Testing Instructions

Run:

```
go test ./otdfctl/pkg/man/... -race -count=1
```

Summary by CodeRabbit

New Features

- `--wrapping-key` and `--private-key-pem` flags as sensitive inputs, ensuring the CLI framework handles secret material appropriately.
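To make the mechanism in the proposed changes concrete, here is an added, self-contained Go example of the doc-driven pattern: a `Sensitive` field on the YAML-backed flag description, a `MarkSensitiveFlags` that pushes it into flag annotations, and a consumer that redacts by annotation rather than by a hardcoded flag-name list. This is illustration written for this page, not otdfctl's `docflags.go`. Assumptions: the annotation key `"sensitive"` and its value `"true"` are invented for the example (the PR's actual key is not shown here); the `Flag`/`FlagSet` types are a minimal stdlib-only stand-in for github.com/spf13/pflag that keeps only `Flag.Annotations` and the fact that `SetAnnotation` errors for an unregistered flag, so the block runs offline; the other `DocFlag` fields and the `Doc` wrapper are placeholders. The error return is deliberate: it turns the ordering bug raised in review (marking before all flags are registered) into a hard failure instead of a silently unredacted secret.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Annotation key/value written by MarkSensitiveFlags. Both are assumptions for
// this example; the real otdfctl constant is not shown on this page.
const (
	SensitiveAnnotation = "sensitive"
	redactedValue       = "[REDACTED]"
)

// DocFlag is the YAML-driven flag description. Field names other than
// Sensitive are placeholders for the example.
type DocFlag struct {
	Name        string `yaml:"name"`
	Description string `yaml:"description"`
	Sensitive   bool   `yaml:"sensitive"`
}

// Doc holds the man-page flags for one command.
type Doc struct {
	Flags []DocFlag `yaml:"flags"`
}

// Flag and FlagSet are a stdlib-only stand-in for github.com/spf13/pflag,
// keeping the two parts that matter here: Flag.Annotations and a SetAnnotation
// that fails for a flag that was never registered.
type Flag struct {
	Name        string
	Value       string
	Annotations map[string][]string
}

type FlagSet struct{ flags map[string]*Flag }

func NewFlagSet() *FlagSet { return &FlagSet{flags: map[string]*Flag{}} }

// AddString registers a string flag with its current value (simplified).
func (f *FlagSet) AddString(name, value string) { f.flags[name] = &Flag{Name: name, Value: value} }

func (f *FlagSet) Lookup(name string) *Flag { return f.flags[name] }

// SetAnnotation mirrors pflag's behaviour: unknown flag is an error.
func (f *FlagSet) SetAnnotation(name, key string, values []string) error {
	fl, ok := f.flags[name]
	if !ok {
		return fmt.Errorf("no such flag -%v", name)
	}
	if fl.Annotations == nil {
		fl.Annotations = map[string][]string{}
	}
	fl.Annotations[key] = values
	return nil
}

// VisitAll calls fn for every flag in name order, like pflag's VisitAll.
func (f *FlagSet) VisitAll(fn func(*Flag)) {
	names := make([]string, 0, len(f.flags))
	for n := range f.flags {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		fn(f.flags[n])
	}
}

// MarkSensitiveFlags propagates DocFlag.Sensitive into flag annotations.
// It returns an error rather than skipping, so calling it before a sensitive
// flag is registered fails loudly instead of leaving the value unredacted.
func (d Doc) MarkSensitiveFlags(fs *FlagSet) error {
	for _, df := range d.Flags {
		if !df.Sensitive {
			continue
		}
		if err := fs.SetAnnotation(df.Name, SensitiveAnnotation, []string{"true"}); err != nil {
			return fmt.Errorf("marking flag %q sensitive: %w", df.Name, err)
		}
	}
	return nil
}

// IsSensitive is the check a downstream consumer (logger, MCP server) makes;
// it needs no list of flag names.
func IsSensitive(fl *Flag) bool {
	for _, v := range fl.Annotations[SensitiveAnnotation] {
		if v == "true" {
			return true
		}
	}
	return false
}

// LoggableFlags renders "name=value" pairs with sensitive values redacted.
func LoggableFlags(fs *FlagSet) string {
	var parts []string
	fs.VisitAll(func(fl *Flag) {
		v := fl.Value
		if IsSensitive(fl) {
			v = redactedValue
		}
		parts = append(parts, fl.Name+"="+v)
	})
	return strings.Join(parts, " ")
}

func main() {
	doc := Doc{Flags: []DocFlag{
		{Name: "key-id", Description: "KAS key identifier"},
		{Name: "wrapping-key", Description: "hex-encoded AES key", Sensitive: true},
	}}
	fs := NewFlagSet()
	fs.AddString("key-id", "kas-key-1")
	fs.AddString("wrapping-key", strings.Repeat("ab", 32)) // constructed sample key
	if err := doc.MarkSensitiveFlags(fs); err != nil { // after ALL flags are registered
		panic(err)
	}
	fmt.Println(LoggableFlags(fs))
}
```

In the real command setup the equivalent of `MarkSensitiveFlags` has to run after every flag-injecting helper, which is exactly the reordering the second commit on this PR describes; with the error return, getting that order wrong fails the command instead of quietly logging the key.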