chore(schema): mark provider API keys as secret in .env.schema.json #1010
Lightheartdevs merged 1 commit into Light-Heart-Labs:main from Apr 27, 2026
Five upstream-provider credentials (TARGET_API_KEY, ANTHROPIC_API_KEY, OPENAI_API_KEY, TOGETHER_API_KEY, LIVEKIT_API_KEY) were missing the "secret": true flag on their schema entries. Masking was working only via a name-pattern fallback in dream config show and dashboard-api _is_secret_field — the schema is the intended authoritative source.

Flipping the schema to be authoritative makes the primary path route through schema intent rather than a regex accident, surviving any future rename that might break the pattern match. No runtime behavior change (both paths produce the same masked output today).

Adds a parametric pytest locking in "secret": true on each of the five keys in the production schema as a regression guard.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
What

Flip `"secret": true` on five provider API-key entries in `dream-server/.env.schema.json`:

- `TARGET_API_KEY`
- `ANTHROPIC_API_KEY`
- `OPENAI_API_KEY`
- `TOGETHER_API_KEY`
- `LIVEKIT_API_KEY`

Adds a parametric pytest locking the flag in as a regression guard.

Why

These keys were already being masked in `dream config show` (inline grep on `key=`) and in the dashboard-api `GET /api/settings/env` response (via `_is_secret_field` regex fallback on `API_KEY`). The schema is the intended authoritative source, and relying on name-pattern coincidence is fragile — any future rename that breaks the pattern would silently stop masking.

No runtime behavior change: both the schema-authoritative path and the regex fallback produce the same masked output today. This just routes through the primary path.

How

- `"secret": true` as the third property on each of the five entries, matching the style of neighbors like `LIVEKIT_API_SECRET` and `OPENCLAW_TOKEN`.
- `test_production_schema_marks_provider_api_keys_secret`) that loads the production schema (not a fixture) and asserts the flag on each of the five keys. Uses `pathlib.Path(__file__).resolve().parents[4]` for cross-platform path resolution.

Testing

- `jq . dream-server/.env.schema.json` — parses cleanly
- `python3 -m pytest extensions/services/dashboard-api/tests/test_settings_env.py -v` — 16/16 pass (11 pre-existing + 5 new parametric)
- `make lint` — clean
- `dream config show` continues to mask these 5 keys (unchanged behavior)

Platform Impact

Schema is read by the dashboard-api container and `validate-env.sh` (jq) identically on all three platforms.
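
The failure mode this PR guards against, as an added example (not code from the dream-server repository): masking that checks the schema flag first and a name regex second, plus an audit that lists keys masked only by the regex. The `properties` layout, the fallback pattern, the mask string and all function names are assumptions; key names other than the two provider keys are constructed.

```python
import re

# Assumed fallback pattern; the page only says the fallback matches on API_KEY.
NAME_FALLBACK = re.compile(r"API_KEY")
MASK = "********"  # assumed mask string

# Constructed schema fragment; the "properties" layout is an assumption.
SAMPLE_SCHEMA = {
    "properties": {
        "OPENAI_API_KEY": {"type": "string", "secret": True},
        "ANTHROPIC_API_KEY": {"type": "string"},            # flag missing
        "RENAMED_PROVIDER_CREDENTIAL": {"type": "string"},  # constructed rename
        "EXAMPLE_PORT": {"type": "integer"},                # constructed non-secret
    }
}


def classify(key, schema):
    """Return which path marks `key` secret: 'schema', 'fallback' or None."""
    entry = schema.get("properties", {}).get(key, {})
    if entry.get("secret") is True:
        return "schema"       # authoritative: survives any rename
    if NAME_FALLBACK.search(key):
        return "fallback"     # masked only because the name happens to match
    return None


def mask_env(env, schema):
    """Mask every value whose key is secret by either path."""
    return {k: MASK if classify(k, schema) else v for k, v in env.items()}


def fallback_only_keys(schema):
    """Schema keys masked only by name coincidence: each is a flag to add."""
    return sorted(k for k in schema.get("properties", {})
                  if classify(k, schema) == "fallback")


if __name__ == "__main__":
    env = {k: "constructed-value" for k in SAMPLE_SCHEMA["properties"]}
    print(mask_env(env, SAMPLE_SCHEMA))
    print("add \"secret\": true to:", fallback_only_keys(SAMPLE_SCHEMA))
```

A key the audit reports is still masked today; the renamed key is the case it cannot see, which is why the flag belongs in the schema rather than in the name.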