fix(dream-cli): close jq-less Git Bash leak for N8N_USER / LANGFUSE_INIT_USER_EMAIL

Maintainer audit on PR #994 (Lightheartdevs, 2026-04-28) flagged that
schema-driven secret detection in `_cmd_config_load_secret_schema`
ONLY fires when `jq` is on PATH. In Git Bash on Windows, `jq` is not
installed by default, so the helper silently leaves
`_cmd_config_schema_loaded=0` and `dream config show` falls through
to the keyword regex `*secret*|*password*|*pass*|*token*|*key*|*salt*|*bearer*`
— which doesn't cover the user/email-suffixed names recently flagged
as secret in `.env.schema.json`. `N8N_USER` and `LANGFUSE_INIT_USER_EMAIL`
print in clear.

Two-layer fix:

1. Add a Python3 fallback to `_cmd_config_load_secret_schema`. If `jq`
   is absent, parse `.env.schema.json` via a heredoc'd `python3` and
   extract `secret == True` keys. The installer guarantees Python 3,
   and Git Bash on Windows usually has it via `winget install Python`.
   Schema-driven masking now works without jq.

2. Extend the keyword fallback regex to include `*user*|*email*` so
   the truly-no-jq-no-python case still masks the new schema secrets.
   Light over-mask risk on operational keys like USER_HOME but
   `cat .env` remains the unmasked escape hatch — `dream config show`
   defaults to over-mask on purpose.

New regression `tests/test-dream-config-secret-mask.sh` (7 cases,
wired into `make test`) exercises all three PATH conditions:

- jq+python3 both present → schema-driven jq path
- jq absent, python3 present → python fallback
- neither present → keyword regex fallback

Each case asserts `N8N_USER=***` and `LANGFUSE_INIT_USER_EMAIL=***`
appear in stdout AND that the actual sensitive values do NOT leak.
A sanity case verifies non-secret `DREAM_VERSION` is shown in clear.

The PATH conditions are simulated by symlinking selected binaries into
a tempdir, then running dream-cli with `PATH="$tempdir"`. shellcheck
clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: yasinBursali

dream-server/Makefile

@@ -33,6 +33,9 @@ test: ## Run unit and contract tests
 	@echo "=== Overlay/plist contracts ==="
 	@bash tests/contracts/test-overlay-map-coherence.sh
 	@bash tests/contracts/test-plist-log-paths.sh
+	@echo ""
+	@echo "=== dream config show secret-mask matrix ==="
+	@bash tests/test-dream-config-secret-mask.sh
 
 bats: ## Run BATS unit tests for shell libraries
 	@echo "=== BATS unit tests ==="

dream-server/dream-cli

@@ -1188,10 +1188,39 @@ _cmd_config_load_secret_schema() {
     local _schema_path="$INSTALL_DIR/.env.schema.json"
     _cmd_config_secret_keys=()
     _cmd_config_schema_loaded=0
-    if [[ -f "$_schema_path" ]] && command -v jq >/dev/null 2>&1; then
+    [[ -f "$_schema_path" ]] || return 0
+
+    # Prefer jq when available — fast, single-process, schema-typed.
+    if command -v jq >/dev/null 2>&1; then
         mapfile -t _cmd_config_secret_keys < <(jq -r '.properties | to_entries[] | select(.value.secret == true) | .key' "$_schema_path" 2>/dev/null)
         _cmd_config_schema_loaded=1
+        return 0
     fi
+
+    # python3 fallback for environments without jq (Git Bash on Windows
+    # is the common one). The installer guarantees python3, so this
+    # path closes the gap where N8N_USER / LANGFUSE_INIT_USER_EMAIL etc.
+    # would otherwise leak through the keyword fallback.
+    if command -v python3 >/dev/null 2>&1; then
+        mapfile -t _cmd_config_secret_keys < <(python3 - "$_schema_path" <<'PYEOF' 2>/dev/null
+import json, sys
+try:
+    with open(sys.argv[1]) as f:
+        data = json.load(f)
+except (OSError, json.JSONDecodeError):
+    sys.exit(0)
+for key, spec in (data.get("properties") or {}).items():
+    if isinstance(spec, dict) and spec.get("secret") is True:
+        print(key)
+PYEOF
+)
+        _cmd_config_schema_loaded=1
+        return 0
+    fi
+
+    # Neither jq nor python3 — leave _cmd_config_schema_loaded=0 so
+    # _cmd_config_is_secret falls through to the keyword regex (which
+    # covers user/email keys explicitly to avoid leaks in this case).
 }
 
 _cmd_config_is_secret() {
@@ -1201,11 +1230,17 @@ _cmd_config_is_secret() {
             [[ "$_k" == "$_s" ]] && return 0
         done
         # Fall through to keyword match — defense in depth against schema gaps
-        # and against malformed schemas where jq returns zero secret keys.
+        # and against malformed schemas where jq/python returns zero secret keys.
     fi
     _kl="${_k,,}"
+    # `*user*` and `*email*` cover N8N_USER, LANGFUSE_INIT_USER_EMAIL, etc.
+    # in environments where neither jq nor python3 was available to read
+    # `.env.schema.json` (Git Bash without jq). Risks light over-masking
+    # on operational keys like USER_HOME, but `cat .env` remains the
+    # escape hatch — `dream config show` defaults to over-mask on
+    # purpose.
     case "$_kl" in
-        *secret*|*password*|*pass*|*token*|*key*|*salt*|*bearer*) return 0 ;;
+        *secret*|*password*|*pass*|*token*|*key*|*salt*|*bearer*|*user*|*email*) return 0 ;;
     esac
     return 1
 }

dream-server/tests/test-dream-config-secret-mask.sh

@@ -0,0 +1,173 @@
+#!/usr/bin/env bash
+# ============================================================================
+# Regression: `dream config show` masks `N8N_USER` and
+# `LANGFUSE_INIT_USER_EMAIL` even in environments without `jq`.
+# ============================================================================
+# Audit follow-up on PR #994 (Lightheartdevs, 2026-04-28):
+#
+#   "Schema-driven secret masking is useful, but the CLI only learns
+#    the schema secret flags through `jq`. In Git Bash without `jq`,
+#    newly marked user/email fields such as `N8N_USER` and
+#    `LANGFUSE_INIT_USER_EMAIL` can still print in clear. Please either
+#    make schema parsing available without `jq` for this command or
+#    extend the fallback mask to cover the new schema secrets."
+#
+# Both fixes are now in place: a Python fallback parser when `jq` is
+# absent, plus `*user*` / `*email*` keyword fallback when neither is
+# present. This test exercises all three PATH configurations.
+# ============================================================================
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+ROOT_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"
+DREAM_CLI="$ROOT_DIR/dream-cli"
+
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+NC='\033[0m'
+
+PASSED=0
+FAILED=0
+
+pass() { echo -e "  ${GREEN}✓ PASS${NC} $1"; PASSED=$((PASSED + 1)); }
+fail() { echo -e "  ${RED}✗ FAIL${NC} $1"; FAILED=$((FAILED + 1)); }
+
+echo ""
+echo "╔═══════════════════════════════════════════════╗"
+echo "║   dream config show — secret masking matrix   ║"
+echo "╚═══════════════════════════════════════════════╝"
+echo ""
+
+if [[ ! -x "$DREAM_CLI" ]]; then
+    fail "dream-cli not found at $DREAM_CLI"
+    echo ""; echo "Result: $PASSED passed, $FAILED failed"; exit 1
+fi
+
+# Scaffold a hermetic install dir. The schema marks N8N_USER and
+# LANGFUSE_INIT_USER_EMAIL as secret:true; .env contains values that
+# must NEVER appear in `dream config show` output.
+TEMP_DIR=$(mktemp -d)
+trap 'rm -rf "$TEMP_DIR"' EXIT
+
+INSTALL_SCAFFOLD="$TEMP_DIR/install"
+mkdir -p "$INSTALL_SCAFFOLD"
+# check_install requires either docker-compose.base.yml or docker-compose.yml
+touch "$INSTALL_SCAFFOLD/docker-compose.base.yml"
+
+cat > "$INSTALL_SCAFFOLD/.env" <<'EOF'
+# Test fixture
+N8N_USER=actual-admin-username
+LANGFUSE_INIT_USER_EMAIL=admin@example.test
+DREAM_VERSION=2.0.0-test
+HOST_RAM_GB=32
+EOF
+
+cat > "$INSTALL_SCAFFOLD/.env.schema.json" <<'EOF'
+{
+  "properties": {
+    "N8N_USER": {"type": "string", "secret": true},
+    "LANGFUSE_INIT_USER_EMAIL": {"type": "string", "secret": true},
+    "DREAM_VERSION": {"type": "string"},
+    "HOST_RAM_GB": {"type": "string"}
+  }
+}
+EOF
+
+# Sentinel values whose appearance in stdout would prove a leak.
+SECRET_USER='actual-admin-username'
+SECRET_EMAIL='admin@example.test'
+
+run_dream_config_show() {
+    # Invokes dream-cli with a controlled PATH to simulate environments
+    # with/without jq + python3. NO_COLOR=1 keeps output ASCII.
+    local _path="$1"
+    local _label="$2"
+    local _output
+    _output=$(NO_COLOR=1 PATH="$_path" DREAM_HOME="$INSTALL_SCAFFOLD" \
+        "$BASH" "$DREAM_CLI" config show 2>&1)
+    echo "$_output"
+}
+
+# Discover real paths to bash, sed, awk, mktemp, etc. so the CLI runs.
+# We strip jq and/or python3 from PATH by listing only their needed
+# siblings. The simplest approach: build a path that excludes a
+# specific binary by symlinking required binaries into a tempdir.
+build_pathdir_excluding() {
+    # build_pathdir_excluding "<exclude1> <exclude2> ..."
+    local _excludes="$1"
+    local _pdir="$TEMP_DIR/pathdir-$RANDOM"
+    mkdir -p "$_pdir"
+    local _bin
+    # Tools dream-cli (the section we exercise) actually uses.
+    for _bin in bash sh ls cat grep sed awk tr cut sort head tail \
+                printf echo mkdir rm tee dirname basename pwd command \
+                python3 jq find env; do
+        local _real
+        _real="$(command -v "$_bin" 2>/dev/null || true)"
+        [[ -z "$_real" ]] && continue
+        # Skip excluded names.
+        case " $_excludes " in *" $_bin "*) continue ;; esac
+        ln -s "$_real" "$_pdir/$_bin"
+    done
+    echo "$_pdir"
+}
+
+# --- Case 1: jq + python3 both present (schema-driven path) ---
+PATH_FULL=$(build_pathdir_excluding "")
+out1=$(run_dream_config_show "$PATH_FULL" "full")
+if grep -q "N8N_USER=\\*\\*\\*" <<<"$out1" && ! grep -qF "$SECRET_USER" <<<"$out1"; then
+    pass "with jq+python3: N8N_USER masked, value not leaked"
+else
+    fail "with jq+python3: N8N_USER not masked correctly"
+    echo "  --- output ---"; awk '{print "  " $0}' <<<"$out1"
+fi
+if grep -q "LANGFUSE_INIT_USER_EMAIL=\\*\\*\\*" <<<"$out1" && ! grep -qF "$SECRET_EMAIL" <<<"$out1"; then
+    pass "with jq+python3: LANGFUSE_INIT_USER_EMAIL masked, value not leaked"
+else
+    fail "with jq+python3: LANGFUSE_INIT_USER_EMAIL not masked correctly"
+    echo "  --- output ---"; awk '{print "  " $0}' <<<"$out1"
+fi
+
+# --- Case 2: no jq, python3 present (Git-Bash-without-jq simulation) ---
+PATH_NO_JQ=$(build_pathdir_excluding "jq")
+out2=$(run_dream_config_show "$PATH_NO_JQ" "no-jq")
+if grep -q "N8N_USER=\\*\\*\\*" <<<"$out2" && ! grep -qF "$SECRET_USER" <<<"$out2"; then
+    pass "without jq: N8N_USER masked via python3 fallback"
+else
+    fail "without jq: N8N_USER LEAKED — Git Bash regression"
+    echo "  --- output ---"; awk '{print "  " $0}' <<<"$out2"
+fi
+if grep -q "LANGFUSE_INIT_USER_EMAIL=\\*\\*\\*" <<<"$out2" && ! grep -qF "$SECRET_EMAIL" <<<"$out2"; then
+    pass "without jq: LANGFUSE_INIT_USER_EMAIL masked via python3 fallback"
+else
+    fail "without jq: LANGFUSE_INIT_USER_EMAIL LEAKED — Git Bash regression"
+    echo "  --- output ---"; awk '{print "  " $0}' <<<"$out2"
+fi
+
+# --- Case 3: neither jq nor python3 (keyword-fallback only) ---
+PATH_NO_TOOLS=$(build_pathdir_excluding "jq python3")
+out3=$(run_dream_config_show "$PATH_NO_TOOLS" "no-tools")
+if grep -q "N8N_USER=\\*\\*\\*" <<<"$out3" && ! grep -qF "$SECRET_USER" <<<"$out3"; then
+    pass "without jq+python3: N8N_USER masked via *user* keyword"
+else
+    fail "without jq+python3: N8N_USER LEAKED — keyword fallback gap"
+    echo "  --- output ---"; awk '{print "  " $0}' <<<"$out3"
+fi
+if grep -q "LANGFUSE_INIT_USER_EMAIL=\\*\\*\\*" <<<"$out3" && ! grep -qF "$SECRET_EMAIL" <<<"$out3"; then
+    pass "without jq+python3: LANGFUSE_INIT_USER_EMAIL masked via *user*/*email* keyword"
+else
+    fail "without jq+python3: LANGFUSE_INIT_USER_EMAIL LEAKED — keyword fallback gap"
+    echo "  --- output ---"; awk '{print "  " $0}' <<<"$out3"
+fi
+
+# --- Sanity: non-secret keys are NOT masked (no over-mask regression) ---
+if grep -q "DREAM_VERSION=2.0.0-test" <<<"$out1"; then
+    pass "non-secret DREAM_VERSION shown in clear (no over-mask)"
+else
+    fail "non-secret DREAM_VERSION incorrectly masked or missing"
+fi
+
+echo ""
+echo "Result: $PASSED passed, $FAILED failed"
+[[ $FAILED -eq 0 ]]