Security: API key logged in plaintext to cache-trace diagnostic file

[Kaspre]

Summary

When diagnostics.cacheTrace.enabled is true, the cache trace writer logs the full LLM client options object to cache-trace.jsonl. This object includes apiKey in plaintext.

The createCacheTrace function passes payload.options through redactImageDataForDiagnostics(), which strips image data but does not redact credentials. The apiKey, token, password, and secretKey fields are written verbatim to disk on every LLM call.

Impact

• API keys (e.g., sk-ant-*) are written in plaintext to a local JSONL file
• The trace file may be rotated, archived, backed up, or synced to external storage
• Any process or user with read access to the workspace can extract the key

Steps to reproduce

1. Set diagnostics.cacheTrace.enabled: true in config
2. Make any LLM call (send a message, run an agent, etc.)
3. Read cache-trace.jsonl in the workspace logs directory
4. Observe .options.apiKey contains the full API key

Expected behavior

Credentials should be redacted before writing to the trace file. At minimum, apiKey, token, password, and secretKey should be stripped or masked from payload.options.

Suggested fix

In the createCacheTrace function, after calling redactImageDataForDiagnostics(payload.options), delete credential fields from the result before assigning to event.options:

if (payload.options) {
  const redacted = redactImageDataForDiagnostics(payload.options);
  if (redacted && typeof redacted === "object") {
    delete redacted.apiKey;
    delete redacted.token;
    delete redacted.password;
    delete redacted.secretKey;
  }
  event.options = redacted;
}

Location

src/diagnostics/cache-trace.ts — createCacheTrace function, recordStage closure, the line handling payload.options.

[Hollychou924]

Security analysis: credential redaction gap in cache-trace diagnostics

The reporter's analysis is correct. redactImageDataForDiagnostics() strips image blobs but doesn't handle credential fields — apiKey, token, etc. pass through untouched.

Scope of exposure

Beyond apiKey, the options object typically contains everything passed to the underlying LLM client constructor:

• apiKey — LLM provider key (e.g. sk-ant-..., sk-...)
• baseURL — may reveal internal proxy endpoints
• defaultHeaders — can contain Authorization headers with bearer tokens
• token / secretKey / password — alternative credential field names used by different providers

Recommended fix

The reporter's patch is the right approach. I'd expand the field list slightly:

const CREDENTIAL_FIELDS = ['apiKey', 'token', 'password', 'secretKey', 'authorization', 'bearerToken', 'accessToken'] as const;

if (payload.options) {
  const redacted = { ...redactImageDataForDiagnostics(payload.options) };
  for (const field of CREDENTIAL_FIELDS) {
    if (field in redacted) {
      (redacted as Record<string, unknown>)[field] = '[REDACTED]';
    }
  }
  event.options = redacted;
}

Using '[REDACTED]' instead of delete preserves the key presence in the trace (useful for debugging: you can see that an apiKey was present, just not its value).

Additional consideration: defaultHeaders

if (redacted.defaultHeaders && typeof redacted.defaultHeaders === 'object') {
  const headers = { ...redacted.defaultHeaders as Record<string, string> };
  for (const h of Object.keys(headers)) {
    if (/auth|token|key|secret/i.test(h)) {
      headers[h] = '[REDACTED]';
    }
  }
  redacted.defaultHeaders = headers;
}

Risk note

This only affects users who explicitly enable diagnostics.cacheTrace.enabled: true — it's not on by default. But anyone using it for debugging is likely to share the trace file, which is exactly when credential exposure is highest risk.

[martingarramon]

Confirmed by tracing the source on main.

The path is: wrapStreamFn in cache-trace.ts:247 passes the full options object to recordStage("stream:context"). At line 204-205, recordStage runs redactImageDataForDiagnostics() on it — but that function (payload-redaction.ts:19-25) only strips image data (objects matching type === "image" or image MIME types). It does not touch apiKey, token, password, secretKey, or any other credential fields.

So any credential in the LLM client options object gets written verbatim to cache-trace.jsonl on every call.

A fix could extend redactImageDataForDiagnostics (or add a separate pass) to strip known credential fields before writing. Happy to submit a PR if this approach is confirmed.

[hydro13]

Fixed in fb6588c
api keys and credentials are now stripped from cache-trace output before writing to disk. apiKey, token, password and secretKey fields get removed while keeping safe stuff like tokenCount intact. thanks for catching this and the detailed writeup!