Apply client-side header redaction to CLI event output commands#84
Merged
Conversation
Issue #79: events show, latest, and tail --headers now apply redactHeadersForDisplay before human and --json output, matching events stream behavior. Adds unit and integration tests with raw sensitive headers to verify defense-in-depth redaction. Co-authored-by: Kazuno Fukuda <codemountains@gmail.com>
Co-authored-by: Kazuno Fukuda <codemountains@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #79
Context
Security review finding P6:
events streamalready redacts sensitive headers client-side viaredactHeadersForDisplay, butevents show,events latest, andevents tail --headersprinted headers directly from API responses. This created a defense-in-depth gap and inconsistent operator experience.Changes
redactEventDetailForDisplay()inapps/cli/src/presentation/output/events.tsand apply it inprintEventDetail,printEventHeaders, and--jsonoutput paths forevents showandevents latest.rawSensitiveEventDetailtest fixture with unredacted sensitive headers (includingx-barestash-secret).apps/cli/src/presentation/output/events.test.tsand integration tests inapps/cli/src/presentation/commands/events.test.tscovering human and JSON output for show, latest, and tail.Documentation and contracts
Check anything affected by this PR:
requirements/barestash.spec.mdrequirements/barestash-cli-design.spec.mddocs/Behavior now matches the existing CLI design spec and
apps/cli/AGENTS.mdsecurity rules; no spec updates required.Security and data handling
Verification
Skipped checks or residual risk:
just checkwas not run becausejustis unavailable without the Nix dev shell daemon in this environment; monorepopnpm testand CLI typecheck were run instead.Review notes
redactHeadersForDisplayhelper, same asevents stream(transformStreamPayload).x-barestash-secretandx-barestash-bootstrap-tokenare filtered out entirely (not shown as[REDACTED]).eventobject before printing; body content is unchanged.