Skip to content

Apply client-side header redaction to CLI event output commands#84

Merged
codemountains merged 2 commits into
mainfrom
cursor/header-redaction-cli-events-1d1e
Jul 11, 2026
Merged

Apply client-side header redaction to CLI event output commands#84
codemountains merged 2 commits into
mainfrom
cursor/header-redaction-cli-events-1d1e

Conversation

@codemountains

Copy link
Copy Markdown
Owner

Closes #79

Context

Security review finding P6: events stream already redacts sensitive headers client-side via redactHeadersForDisplay, but events show, events latest, and events tail --headers printed headers directly from API responses. This created a defense-in-depth gap and inconsistent operator experience.

Changes

  • Add redactEventDetailForDisplay() in apps/cli/src/presentation/output/events.ts and apply it in printEventDetail, printEventHeaders, and --json output paths for events show and events latest.
  • Add rawSensitiveEventDetail test fixture with unredacted sensitive headers (including x-barestash-secret).
  • Add unit tests in apps/cli/src/presentation/output/events.test.ts and integration tests in apps/cli/src/presentation/commands/events.test.ts covering human and JSON output for show, latest, and tail.

Documentation and contracts

Check anything affected by this PR:

  • Product scope, MVP, or positioning in requirements/barestash.spec.md
  • CLI commands, flags, output, auth, tokens, endpoints, or events in requirements/barestash-cli-design.spec.md
  • Technical design, operations, topology, or runbooks in docs/
  • README or onboarding guidance
  • Public API, event schema, JSON/JSONL output, or streaming behavior
  • No documentation or public contract changes

Behavior now matches the existing CLI design spec and apps/cli/AGENTS.md security rules; no spec updates required.

Security and data handling

  • This PR does not include tokens, credentials, private endpoint URLs, captured raw payloads, or user data.
  • Raw payloads, headers, logs, errors, and fixtures are redacted or intentionally safe.
  • Token secrets are not exposed outside creation-time flows.
  • Destructive or remote side effects are documented and require explicit user intent.
  • Not applicable.

Verification

pnpm --filter @barestash/cli test   # 78 passed
pnpm --filter @barestash/cli typecheck
pnpm test                           # 219 passed (monorepo)

Skipped checks or residual risk:

  • just check was not run because just is unavailable without the Nix dev shell daemon in this environment; monorepo pnpm test and CLI typecheck were run instead.

Review notes

  • Redaction uses the shared redactHeadersForDisplay helper, same as events stream (transformStreamPayload).
  • x-barestash-secret and x-barestash-bootstrap-token are filtered out entirely (not shown as [REDACTED]).
  • JSON output for show/latest now redacts the event object before printing; body content is unchanged.
Open in Web Open in Cursor 

cursoragent and others added 2 commits July 11, 2026 08:56
Issue #79: events show, latest, and tail --headers now apply
redactHeadersForDisplay before human and --json output, matching
events stream behavior. Adds unit and integration tests with raw
sensitive headers to verify defense-in-depth redaction.

Co-authored-by: Kazuno Fukuda <codemountains@gmail.com>
Co-authored-by: Kazuno Fukuda <codemountains@gmail.com>
@codemountains codemountains marked this pull request as ready for review July 11, 2026 09:06
@codemountains codemountains merged commit 015499b into main Jul 11, 2026
3 checks passed
@codemountains codemountains deleted the cursor/header-redaction-cli-events-1d1e branch July 11, 2026 09:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Security P6] Apply header redaction consistently across all CLI event output commands

2 participants