fix(config): redact resolved field in config snapshots

The newly added 'resolved' field contains secrets after ${ENV} substitution. This commit ensures redactConfigSnapshot also redacts the resolved field to prevent credential leaks in config.get responses.
2026-05-09 16:24:30 +00:00 · 2026-02-08 13:03:54 -03:00
parent 3189e2f11b
commit 2a9745c9a1
2 changed files with 15 additions and 0 deletions
--- a/src/config/redact-snapshot.ts
+++ b/src/config/redact-snapshot.ts
@@ -137,12 +137,15 @@ export function redactConfigSnapshot(snapshot: ConfigFileSnapshot): ConfigFileSn
  const redactedConfig = redactConfigObject(snapshot.config);
  const redactedRaw = snapshot.raw ? redactRawText(snapshot.raw, snapshot.config) : null;
  const redactedParsed = snapshot.parsed ? redactConfigObject(snapshot.parsed) : snapshot.parsed;
+  // Also redact the resolved config (contains values after ${ENV} substitution)
+  const redactedResolved = redactConfigObject(snapshot.resolved);

  return {
    ...snapshot,
    config: redactedConfig,
    raw: redactedRaw,
    parsed: redactedParsed,
+    resolved: redactedResolved,
  };
 }