# feat: per-item leak-detection opt-out via @sensitive={preventLeaks=false} #783
…lse} Secrets that legitimately leave the system (e.g. an API endpoint that returns a secret to another service) can opt out of runtime leak detection while still being redacted in logs, via the @sensitive options form. Adds standalone object ({key=value}) and array ([a, b, c]) literals to the env-spec grammar, usable as decorator values and function-call arguments (including nested). () remains reserved for function calls. Standalone literals as item values and multi-line literals are intentionally not enabled yet.
Lets the object options form toggle sensitivity itself (defaulting to true), including dynamically via a function — e.g. @sensitive={enabled=forEnv(production), preventLeaks=false}. Restores dynamic sensitivity control that was otherwise unavailable once using the {...} form.
…dvisories All vulnerable instances are transitive, so overrides are the only deterministic fix. vite bounded <8 to stay on the 7.x line used by astro/cloudflare. esbuild override already present.
## What
Lets a user opt a single secret out of runtime leak detection while keeping it sensitive everywhere else. Motivating case: an API endpoint that legitimately returns a secret to another system — today that trips varlock's response leak scanner.
```
# @sensitive={preventLeaks=false}
TOKEN_FORWARDED_TO_PARTNER=
```

The opt-out is leak-detection only — the value is still redacted in logs. Leak detection and log redaction previously shared one secrets map; this decouples them per-secret (the scanner skips opted-out entries, redaction still masks them).
The `@sensitive={...}` options form:

- `enabled` (default `true`): toggles sensitivity, including dynamically (e.g. `enabled=forEnv(production)`); `{enabled=false}` ≡ `@sensitive=false`.
- `preventLeaks` (default `true`): when `false`, excluded from the response leak scanner (still redacted in logs).

## How it flows

- `@sensitive={…}` parses to an object literal.
- `config-item.ts`: reads `enabled` (→ sensitivity) and `preventLeaks` onto the item; rejects invalid uses (`@public={…}`, unknown option, non-boolean, array literal, bare `@sensitive(…)`).
- `env-graph.ts`: emits `preventLeaks: false` only when opted out.
- `runtime/env.ts`: `scanForLeaks` skips opted-out secrets; `redactSensitiveConfig` still masks them.

## New syntax: `{}`/`[]` literals

Carrying options on `@sensitive` required a value syntax. We chose distinct brackets — `{key=value}` objects and `[a, b, c]` arrays — keeping `()` reserved for function calls. Rationale: mainstream langs keep objects in `{}` not `()`; Lisp's all-`()` was walked back by Clojure; ML-family records already use `{k=v}`. Usable as decorator values and function-call args, including nested (`fn(retry={count=3})`). Guidance on when to use literals vs. not (don't wrap a function's own named args) is documented in the env-spec reference and a grammar DESIGN NOTE.

## Deliberately deferred (documented)

- Standalone literals as item values (`FOO={…}`) — gated on object/array value handling (coercion/validation/redaction-of-objects), not a blocker but its own change.

## Tests

- Dynamic (`forEnv`) `enabled`; rejection cases.

All green: varlock + `@env-spec/parser` suites, typecheck, lint. Changeset included (`minor` for both packages).
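The decoupling described in "How it flows", as an added illustration that is not varlock's own code: `resolveSensitiveOptions`, `resolveItem`, the plain-record shape of the parsed `{...}` literal and the sample values are assumptions; `scanForLeaks` and `redactSensitiveConfig` reuse the names from the PR but are reimplemented here in miniature.

```typescript
// Added illustration (not varlock's code): how @sensitive={enabled, preventLeaks} resolves
// per item, and how the leak scanner and log redaction then use different subsets.

type SensitiveOptions = { enabled: boolean; preventLeaks: boolean };

// Resolve the {...} options form. Both default to true; unknown keys and non-boolean
// values are rejected. The parsed-literal shape (a plain record) is assumed here.
function resolveSensitiveOptions(opts: Record<string, unknown>): SensitiveOptions {
  const out: SensitiveOptions = { enabled: true, preventLeaks: true };
  for (const key of Object.keys(opts)) {
    if (key !== 'enabled' && key !== 'preventLeaks') throw new Error(`unknown @sensitive option: ${key}`);
    const v = opts[key];
    if (typeof v !== 'boolean') throw new Error(`@sensitive option ${key} must be a boolean`);
    out[key as keyof SensitiveOptions] = v;
  }
  return out;
}

// A resolved item: `sensitive` comes from `enabled`, `preventLeaks` from the option of that name.
type ResolvedItem = { key: string; value: string; sensitive: boolean; preventLeaks: boolean };

// Plain @sensitive / @sensitive=false behaves like {enabled=<bool>} with preventLeaks left on.
function resolveItem(key: string, value: string, opts: Record<string, unknown> | boolean): ResolvedItem {
  const o = typeof opts === 'boolean' ? { enabled: opts, preventLeaks: true } : resolveSensitiveOptions(opts);
  return { key, value, sensitive: o.enabled, preventLeaks: o.preventLeaks };
}

// Response leak scanner: only sensitive items that did NOT opt out are searched for.
function scanForLeaks(items: ResolvedItem[], responseBody: string): string[] {
  return items
    .filter((it) => it.sensitive && it.preventLeaks && it.value.length > 0)
    .filter((it) => responseBody.indexOf(it.value) !== -1)
    .map((it) => it.key);
}

// Log redaction: every sensitive value is masked, opted-out ones included.
function redactSensitiveConfig(items: ResolvedItem[], text: string): string {
  let out = text;
  for (const it of items) {
    if (it.sensitive && it.value.length > 0) out = out.split(it.value).join('[REDACTED]');
  }
  return out;
}

// Constructed sample config mirroring the PR's example item.
const sampleItems: ResolvedItem[] = [
  resolveItem('DB_PASSWORD', 'hunter2-secret', true),
  resolveItem('TOKEN_FORWARDED_TO_PARTNER', 'tok_partner_abc', { preventLeaks: false }),
  resolveItem('PUBLIC_URL', 'https://example.invalid', false),
];
```

With the sample above, a response body containing both secrets is flagged only for `DB_PASSWORD`, while a log line containing both has both masked.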