[GH-ISSUE #520] Auth output hygiene: redact credential identifiers in auth status and doctor #143

Closed
opened 2026-02-26 21:33:45 +03:00 by kerem · 3 comments

Originally created by @rudrankriyam on GitHub (Feb 14, 2026).
Original GitHub issue: https://github.com/rudrankriyam/App-Store-Connect-CLI/issues/520

Summary

Auth diagnostics currently print credential-identifying environment values directly (not secret key material, but still sensitive metadata), including ASC_KEY_ID and ASC_ISSUER_ID.

Why this matters

These commands are often run in CI/support contexts where stdout/stderr are persisted. Exposing credential identifiers in logs increases leakage risk and operational noise.

Affected locations

  • internal/cli/auth/auth.go
    • auth status prints Environment credentials detected (ASC_KEY_ID: ...)
  • internal/auth/doctor.go
    • inspectEnvironment emits ASC_KEY_ID is set (<value>) and ASC_ISSUER_ID is set (<value>)

Expected behavior

  • Do not print raw key/issuer identifiers.
  • Emit redacted/presence-only messages, e.g.:
    • ASC_KEY_ID is set
    • Environment credentials detected (ASC_KEY_ID present)

Reproduction

export ASC_BYPASS_KEYCHAIN=1
export ASC_KEY_ID=ABC123SECRET
export ASC_ISSUER_ID=issuer-uuid
asc auth status
asc auth doctor

Current output includes raw values.

Detailed implementation plan

  • Replace value-echoing with presence-only or masked output.
  • Keep diagnostics useful (which vars are set, completeness checks) without exposing raw values.
  • Add tests for output redaction behavior in auth command tests and doctor tests.
  • Review nearby auth logs/messages for similar metadata disclosure patterns.

Acceptance criteria

  • auth status and auth doctor no longer print raw ASC_KEY_ID/ASC_ISSUER_ID values.
  • Completeness/validation messaging remains actionable.
  • Regression tests prevent future unredacted output.

cc @cursor please implement this end-to-end.

kerem 2026-02-26 21:33:45 +03:00 closed this issue and added the bug label

@rudrankriyam commented on GitHub (Feb 14, 2026):

@cursor please implement this issue end-to-end using the checklist and acceptance criteria.


@cursor[bot] commented on GitHub (Feb 14, 2026):

Implemented end-to-end on cursor/auth-output-hygiene-adda and pushed as commit 6440c56.

  • I changed auth status to stop echoing ASC_KEY_ID values and now print a presence-only message:
    • Environment credentials detected (ASC_KEY_ID present)...
  • I changed internal/auth/doctor.go environment inspection to use presence-only diagnostics (<VAR> is set) instead of printing raw env values for ASC_KEY_ID / ASC_ISSUER_ID (and other env vars in that section).
  • I added regression coverage to prevent reintroduction:
    • internal/cli/cmdtest/commands_test.go (TestAuthStatusShowsEnvPreference) now asserts no ENVKEY/ENVISS leakage.
    • internal/cli/cmdtest/auth_doctor_test.go adds TestAuthDoctorTextRedactsCredentialIdentifiers.
    • internal/auth/doctor_test.go adds TestDoctorEnvironmentRedactsCredentialIdentifiers.
  • I also scanned nearby auth code paths for similar unredacted patterns and found no remaining ASC_KEY_ID/ASC_ISSUER_ID value-echo diagnostics.

Validation I ran:

  • RED phase (before fix): new tests failed with leaked values (confirmed expected failure mode).
  • GREEN phase (after fix): targeted tests passed:
    • go test ./internal/cli/cmdtest -run 'TestAuthStatusShowsEnvPreference|TestAuthDoctorTextRedactsCredentialIdentifiers'
    • go test ./internal/auth -run TestDoctorEnvironmentRedactsCredentialIdentifiers
  • Repo checks:
    • make format (after installing tools), make lint, make test all pass.
  • Black-box CLI check with built binary:
    • go build -o /tmp/asc .
    • Ran /tmp/asc auth status and /tmp/asc auth doctor with:
      ASC_BYPASS_KEYCHAIN=1 ASC_KEY_ID=ABC123SECRET ASC_ISSUER_ID=issuer-uuid ...
    • Exit code 0, output showed presence-only messages, and leak scan found no secret identifiers.

View PR: https://github.com/rudrankriyam/App-Store-Connect-CLI/pull/527
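The presence-only diagnostic the issue asks for, placed beside the value-echoing form it reports, together with the kind of leak check the bot's regression tests describe, as an added Go example. This is not the asc project's code: the function and type names (legacyEnvDiagnostics, envDiagnostics, findLeaks, fakeEnv, lookupFunc) are assumptions, and the sample values are the issue's own reproduction values, constructed here and not real credentials.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strings"
)

// Added example, not the asc project's code. Function names are assumptions;
// ASC_KEY_ID and ASC_ISSUER_ID are the variable names the issue reports.

// credentialEnvVars are the variables whose values are credential identifiers:
// not key material, but still not something to persist in CI logs.
var credentialEnvVars = []string{"ASC_KEY_ID", "ASC_ISSUER_ID"}

// lookupFunc has the signature of os.LookupEnv, so diagnostics can be tested
// against a fake environment instead of mutating the process environment.
type lookupFunc func(name string) (string, bool)

// legacyEnvDiagnostics reproduces the behaviour the issue reports: the raw
// value is formatted into the diagnostic line. Kept only for contrast.
func legacyEnvDiagnostics(lookup lookupFunc) []string {
	var lines []string
	for _, name := range credentialEnvVars {
		if v, ok := lookup(name); ok {
			lines = append(lines, fmt.Sprintf("%s is set (%s)", name, v))
		} else {
			lines = append(lines, fmt.Sprintf("%s is not set", name))
		}
	}
	return lines
}

// envDiagnostics is the presence-only replacement. It still answers what a
// doctor command is for (which variables are set, whether the set is complete)
// without ever passing a value to a formatting call.
func envDiagnostics(lookup lookupFunc) []string {
	var lines, missing []string
	for _, name := range credentialEnvVars {
		v, ok := lookup(name)
		// Blank or whitespace-only values count as unset: reporting "is set"
		// would send the user chasing a variable that cannot work.
		if !ok || strings.TrimSpace(v) == "" {
			lines = append(lines, fmt.Sprintf("%s is not set", name))
			missing = append(missing, name)
			continue
		}
		lines = append(lines, fmt.Sprintf("%s is set", name))
	}
	if len(missing) == 0 {
		lines = append(lines, "Environment credentials detected (ASC_KEY_ID present)")
	} else {
		lines = append(lines, "Environment credentials incomplete; missing: "+strings.Join(missing, ", "))
	}
	return lines
}

// findLeaks is the check a regression test runs over captured command output:
// it returns the names of every variable whose value appears verbatim.
// Values shorter than minLen are skipped so a tiny value does not match by
// coincidence inside unrelated text.
func findLeaks(output string, lookup lookupFunc, minLen int) []string {
	var leaked []string
	for _, name := range credentialEnvVars {
		v, ok := lookup(name)
		if !ok || len(v) < minLen {
			continue
		}
		if strings.Contains(output, v) {
			leaked = append(leaked, name)
		}
	}
	sort.Strings(leaked)
	return leaked
}

// fakeEnv builds a lookupFunc over a constructed map.
func fakeEnv(m map[string]string) lookupFunc {
	return func(name string) (string, bool) {
		v, ok := m[name]
		return v, ok
	}
}

func main() {
	// Use the real environment when the issue's reproduction has been exported;
	// otherwise fall back to the same values, constructed here (not real credentials).
	var env lookupFunc = os.LookupEnv
	if _, ok := env("ASC_KEY_ID"); !ok {
		env = fakeEnv(map[string]string{"ASC_KEY_ID": "ABC123SECRET", "ASC_ISSUER_ID": "issuer-uuid"})
	}
	before := strings.Join(legacyEnvDiagnostics(env), "\n")
	after := strings.Join(envDiagnostics(env), "\n")
	fmt.Printf("before:\n%s\nleaks: %v\n\n", before, findLeaks(before, env, 4))
	fmt.Printf("after:\n%s\nleaks: %v\n", after, findLeaks(after, env, 4))
}
```

Injecting the lookup keeps the test hermetic and lets the same findLeaks run over any captured output; in a real test it should be run over both stdout and stderr, since doctor-style diagnostics often go to stderr. Presence-only lines still confirm that a variable exists, which is acceptable here because the variable names are public; what must never reach a log is the value.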

@rudrankriyam commented on GitHub (Feb 14, 2026):

Fixed in #527 (merged to main), with follow-up in #533.

Reference
starred/App-Store-Connect-CLI#143