fix(integration): secret redaction and instance scope teardown hardening#593
Merged
Merged
Conversation
- Fail closed in redactSecretConfig when a plugin has no configSchema (mask every value instead of returning it verbatim), with a symmetric sentinel-aware restoreSecretConfig so a schemaless round-trip does not persist the mask. Previously runtime-stored secrets of a schemaless plugin leaked on GET /plugins. - Redact integration-instance config through the shared recursive redactSecretConfig so a secret nested in an object/array is masked (not just top-level fields), and restore masked secrets on instance PATCH via restoreSecretConfig instead of storing the '***' sentinel verbatim (which corrupted the stored credential). - Make instance scope teardown actually work for a wildcard/null sessionScope: disabling or deleting such an instance now retires the '*' activation once no other enabled instance still binds a wildcard, and a wildcard-to-concrete scope change tears the old '*' down. applyScopeBinding is now awaited; delete removes the row before teardown so the wildcard check is accurate.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Config-secret hygiene and instance lifecycle fixes in the plugin/integration layer.
Changes
redactSecretConfigreturned config verbatim when a plugin had noconfigSchema, leaking any runtime-stored secret onGET /plugins. It now masks every value;restoreSecretConfiggained a symmetric sentinel-aware path so a schemaless round-trip restores stored values instead of persisting the mask.redactSecretConfig, so a secret nested in an object/array is masked at any depth.update()stored the incoming config verbatim, so a dashboard round-trip persisted the***sentinel and corrupted the stored credential. It now restores masked secrets viarestoreSecretConfig.*/null-scope instance was a no-op, so the plugin kept firing on every session with stale config. Teardown now retires the*activation once no other enabled instance binds a wildcard, and a wildcard→concrete change tears down the old binding.applyScopeBindingis awaited; delete removes the row before teardown so the wildcard check is accurate.Verification
npm run build✓ ·npm test✓ (1857/1857, +5) · lint ✓. New tests: fail-closed no-schema redaction + round-trip, recursive nested masking, PATCH sentinel restore, and wildcard teardown (retires*when last wildcard removed, keeps it when another remains).