Merge pull request #1010 from yasinBursali/chore/schema-secret-flip

Lightheartdevs · web-flow · commit b3473d6cf745 · 2026-04-27T19:59:41.000-04:00
chore(schema): mark provider API keys as secret in .env.schema.json
diff --git a/dream-server/.env.schema.json b/dream-server/.env.schema.json
@@ -54,19 +54,23 @@
     },
     "TARGET_API_KEY": {
       "type": "string",
-      "description": "API key for Privacy Shield upstream target (set to LITELLM_KEY in lemonade mode)"
+      "description": "API key for Privacy Shield upstream target (set to LITELLM_KEY in lemonade mode)",
+      "secret": true
     },
     "ANTHROPIC_API_KEY": {
       "type": "string",
-      "description": "Anthropic API key (cloud/hybrid modes)"
+      "description": "Anthropic API key (cloud/hybrid modes)",
+      "secret": true
     },
     "OPENAI_API_KEY": {
       "type": "string",
-      "description": "OpenAI API key (cloud/hybrid modes)"
+      "description": "OpenAI API key (cloud/hybrid modes)",
+      "secret": true
     },
     "TOGETHER_API_KEY": {
       "type": "string",
-      "description": "Together AI API key (optional)"
+      "description": "Together AI API key (optional)",
+      "secret": true
     },
     "WEBUI_SECRET": {
       "type": "string",
@@ -407,7 +411,8 @@
     },
     "LIVEKIT_API_KEY": {
       "type": "string",
-      "description": "LiveKit API key"
+      "description": "LiveKit API key",
+      "secret": true
     },
     "LIVEKIT_API_SECRET": {
       "type": "string",
diff --git a/dream-server/extensions/services/dashboard-api/tests/test_settings_env.py b/dream-server/extensions/services/dashboard-api/tests/test_settings_env.py
@@ -309,3 +309,32 @@ def test_render_env_preserves_extras_with_empty_values():
     rendered = _render_env_from_values(values)
     assert "TENSOR_SPLIT=" in rendered
     assert "GPU_UUID=GPU-abc123" in rendered
+
+
+# --- Production schema secret-flag coverage ---
+
+
+@pytest.mark.parametrize(
+    "key",
+    [
+        "TARGET_API_KEY",
+        "ANTHROPIC_API_KEY",
+        "OPENAI_API_KEY",
+        "TOGETHER_API_KEY",
+        "LIVEKIT_API_KEY",
+    ],
+)
+def test_production_schema_marks_provider_api_keys_secret(key):
+    """Credential API keys in the production schema must carry ``secret: true``.
+
+    Regression guard: without the explicit flag, masking in both
+    ``dream config show`` and ``GET /api/settings/env`` falls back to a
+    name-pattern match. The schema should be the authoritative source.
+    """
+    import pathlib
+
+    schema_path = pathlib.Path(__file__).resolve().parents[4] / ".env.schema.json"
+    schema = json.loads(schema_path.read_text(encoding="utf-8"))
+    entry = schema["properties"].get(key)
+    assert entry is not None, f"schema missing entry for {key}"
+    assert entry.get("secret") is True, f"{key} must have 'secret': true in .env.schema.json"
