fix(server): redact secret-sourced env vars in run logs by provenance

resolveAdapterConfigForRuntime now returns a secretKeys set tracking which env vars came from secret_ref bindings. The onAdapterMeta callback uses this to redact them regardless of key name. Fixes #234 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-15 18:30:39 +09:00 · 2026-03-07 16:04:09 -08:00 · 2026-03-07 16:04:09 -08:00 · 977f5570be
commit 977f5570be
parent 63a876ca3c
3 changed files with 15 additions and 8 deletions
--- a/server/src/routes/agents.ts
+++ b/server/src/routes/agents.ts
@ -211,7 +211,7 @@ export function agentRoutes(db: Db) {
    adapterConfig: Record<string, unknown>,
  ) {
    if (adapterType !== "opencode_local") return;
-    const runtimeConfig = await secretsSvc.resolveAdapterConfigForRuntime(companyId, adapterConfig);
+    const { config: runtimeConfig } = await secretsSvc.resolveAdapterConfigForRuntime(companyId, adapterConfig);
    const runtimeEnv = asRecord(runtimeConfig.env) ?? {};
    try {
      await ensureOpenCodeModelConfiguredAndAvailable({
@ -386,7 +386,7 @@ export function agentRoutes(db: Db) {
        inputAdapterConfig,
        { strictMode: strictSecretsMode },
      );
-      const runtimeAdapterConfig = await secretsSvc.resolveAdapterConfigForRuntime(
+      const { config: runtimeAdapterConfig } = await secretsSvc.resolveAdapterConfigForRuntime(
        companyId,
        normalizedAdapterConfig,
      );
@ -1226,7 +1226,7 @@ export function agentRoutes(db: Db) {
    }

    const config = asRecord(agent.adapterConfig) ?? {};
-    const runtimeConfig = await secretsSvc.resolveAdapterConfigForRuntime(agent.companyId, config);
+    const { config: runtimeConfig } = await secretsSvc.resolveAdapterConfigForRuntime(agent.companyId, config);
    const result = await runClaudeLogin({
      runId: `claude-login-${randomUUID()}`,
      agent: {