Skip to content

feat: Add --redact to mask execs that stdout/err secrets #159

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Lingnik wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: Add --redact to mask execs that stdout/err secrets #159

Lingnik wants to merge 1 commit into from

Conversation

@Lingnik
Copy link

@Lingnik Lingnik commented Oct 22, 2025

Like how op run -- foo redacts secrets it's aware of.

Because sometimes you want Claude Code to have access to your AWS account, but not the keys.

@Lingnik Lingnik requested a review from mbevc1 as a code owner October 22, 2025 22:40
@github-actions github-actions bot added the documentation Improvements or additions to documentation label Oct 22, 2025
mbevc1
mbevc1 reviewed Oct 23, 2025
View reviewed changes
vault/config.go
SSORegistrationScopes string `ini:"sso_registration_scopes,omitempty"`
}

// AwsVaultSection is an [aws-vault] section of the config file
Copy link

@mbevc1 mbevc1 Oct 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest we minimise introducing changes to AWS config file, and if you could please align it with existing approach used for other options - combo of CLI argument and ENV variable? I think this would avoid adding cutom things, which might affect other parsers.

mbevc1
mbevc1 reviewed Oct 23, 2025
View reviewed changes
cli/exec.go
BoolVar(&input.UseStdout)

cmd.Flag("redact", "Redact AWS credentials from subprocess output").
BoolVar(&input.RedactSecrets)
Copy link

@mbevc1 mbevc1 Oct 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should default to false

mbevc1
mbevc1 reviewed Oct 23, 2025
View reviewed changes
cli/exec.go
Comment on lines +253 to +254
// When redaction is disabled, try doExecSyscall first for better performance
err = doExecSyscall(input.Command, input.Args, cmdEnv) // will not return if exec syscall succeeds
Copy link

@mbevc1 mbevc1 Oct 23, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we perhaps leave the existing handling path here for backwards compatibility?

@mbevc1 mbevc1 added enhancement New feature or request feat labels Oct 23, 2025
@mbevc1
Copy link

mbevc1 commented Oct 23, 2025

Thanks for your contribution, I've left few suggestions and questions.

@mbevc1 mbevc1 changed the title Add --redact to mask execs that stdout/err secrets feat: Add --redact to mask execs that stdout/err secrets Oct 31, 2025
@mbevc1
Copy link

mbevc1 commented Nov 8, 2025

@Lingnik does the feedback make sense?

@mbevc1
Copy link

mbevc1 commented Dec 15, 2025

Hi @Lingnik , are you still working on this?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mbevc1 mbevc1 mbevc1 left review comments

Assignees

No one assigned

Labels

documentation Improvements or additions to documentation enhancement New feature or request feat

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Lingnik @mbevc1