fix(cache): hash env fingerprint values #455

Merged: wan9chi merged 1 commit into main from codex/hash-env-fingerprints on Jun 14, 2026
wan9chi commented Jun 14, 2026

Motivation

Tracked env values currently become part of cache metadata, snapshots, and cache-miss diagnostics. Even when a variable name looks harmless, its value can still contain credentials, hostnames, tokens, or other context we should not persist or echo back. Hashing all tracked values makes the cache safer by default: cache keys still change when env values change, but stored cache data and user-facing miss details no longer reveal the values themselves.

Summary

  • hash every tracked env value in cache fingerprints as a fixed-size SHA-256 digest
  • keep spawned process env values raw while making cache miss details name-only
  • bump the cache schema directory to v14 and refresh the affected plan snapshot
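
The model described above, as an added Python example (not code from this PR or from the vite-task code base, which is Rust): only SHA-256 digests of tracked env values are stored, a lookup compares digests, and miss reasons carry names only. The function names, the sample variables and the `added` / `removed` message wording are assumptions made for the illustration.

```python
import hashlib
import json

def hash_value(value: str) -> str:
    """Fixed-size SHA-256 hex digest of one env value."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def fingerprint_env(env: dict, tracked: list) -> dict:
    """Map each tracked name to a digest. Unset names are left out, so an
    unset variable and an empty one stay distinguishable."""
    return {name: hash_value(env[name]) for name in sorted(tracked) if name in env}

def miss_reasons(stored: dict, current: dict) -> list:
    """Name-only reasons why the stored fingerprint no longer matches."""
    reasons = []
    for name in sorted(stored.keys() | current.keys()):
        if name not in current:
            reasons.append(f"cache miss: env '{name}' removed")
        elif name not in stored:
            reasons.append(f"cache miss: env '{name}' added")
        elif stored[name] != current[name]:
            reasons.append(f"cache miss: env '{name}' changed")
    return reasons

# Constructed sample environments (hypothetical names, not real credentials).
TRACKED = ["API_TOKEN", "NODE_ENV", "VITE_BASE"]
FIRST_RUN = {"API_TOKEN": "tok-constructed-1111", "NODE_ENV": "production", "VITE_BASE": ""}
SECOND_RUN = {"API_TOKEN": "tok-constructed-2222", "NODE_ENV": "production"}

def demo():
    stored = fingerprint_env(FIRST_RUN, TRACKED)    # what would be persisted
    current = fingerprint_env(SECOND_RUN, TRACKED)  # recomputed at cache lookup
    persisted = json.dumps(stored)
    reasons = miss_reasons(stored, current)
    # Check that no raw value appears in the persisted data or the messages.
    raw_values = list(FIRST_RUN.values()) + list(SECOND_RUN.values())
    leaked = [v for v in raw_values
              if v and (v in persisted or any(v in r for r in reasons))]
    return stored, reasons, leaked

if __name__ == "__main__":
    stored, reasons, leaked = demo()
    print(json.dumps(stored, indent=2))
    print("\n".join(reasons))
    print("raw values leaked:", leaked)
```

A plain digest of a low-entropy value such as `production` can still be matched by hashing candidate values, so the cache directory itself still warrants the same access controls as before.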

wan9chi commented Jun 14, 2026

This stack of pull requests is managed by Graphite. Learn more about stacking.

wan9chi force-pushed the codex/hash-env-fingerprints branch from 9a0e929 to c6a8ad4, June 14, 2026 06:16
wan9chi marked this pull request as ready for review, June 14, 2026 06:20
wan9chi merged commit d2acaf1 into main, Jun 14, 2026
20 checks passed
wan9chi deleted the codex/hash-env-fingerprints branch, June 14, 2026 06:21
wan9chi added a commit that referenced this pull request Jun 14, 2026
## Motivation

Runner-served `getEnv` values can influence tool output even when the env is not declared in the task config. If cached tasks do not remember those reads, a later run can replay stale output after the served env value changes.

## Scope

Always record runner-aware `getEnv` reads in IPC reports, store SHA-256 hashes of their served values in the post-run fingerprint, validate those hashes during cache lookup, and render env-specific cache miss messages without exposing values. This follows the env hashing model from #455, bumps the cache schema for the new serialized fingerprint field, and raises a post-run fingerprint error instead of treating non-UTF-8 tracked env values as unset.

This PR intentionally does not add the `tracked` option or `getEnvs`; those are split into later PRs in the stack.

## Verification

- `cargo check -p vite_task`
- `cargo test -p vite_task_server --test integration`
- `cargo test -p vite_task_bin --test e2e_snapshots fetch_env_tracked_invalidates_on_change -- --ignored`
- `cargo test -p vite_task_bin --test e2e_snapshots fetch_env_tracks_with_explicit_inputs -- --ignored`
wan9chi added a commit that referenced this pull request Jun 14, 2026
## Motivation

Bulk env reads are only cache-safe if the cache remembers the entire matched env set. Without match-set fingerprinting, changing a matching env value, adding a new matching name, or removing one could replay stale output.

## Scope

Record every `getEnvs` match set in IPC reports, store SHA-256 hashes for the matched env values in the post-run fingerprint, validate changed/added/removed matches during cache lookup, and render env-specific miss messages without exposing values. This follows the env hashing model from #455 and raises a post-run fingerprint error instead of silently dropping non-UTF-8 matched env names or values.

This PR intentionally does not add the `tracked` option; every `getEnvs` request is fingerprinted here. The opt-out for both `getEnv` and `getEnvs` is split into the next PR. This PR also does not add the real Vite fixture.

## Verification

- `cargo check -p vite_task`
- `cargo test -p vite_task_server --test integration`
- `cargo test -p vite_task_bin --test e2e_snapshots fetch_envs_tracks_glob_match_set -- --ignored`
- `cargo clippy --locked --all-targets --all-features -- -D warnings`
fengmk2 added a commit to voidzero-dev/vite-plus that referenced this pull request Jul 2, 2026
Release vite-plus v0.2.2: the Vite+ Beta release.

**Vite+ is now in Beta**: stable and ready for production adoption,
fully open source under MIT. Read the announcement to see what Vite+ is
about and where it is headed: [Announcing Vite+
Beta](https://voidzero.dev/posts/announcing-vite-plus-beta).

On top of the Beta milestone, this release brings cross-version upgrades
via `vp migrate`, an official Docker toolchain image on GHCR,
zero-config runner-aware `vp build` caching, and PGP-verified managed
Node.js downloads.

### Highlights

- **`vp migrate` upgrades existing Vite+ projects across versions**:
previous release notes told users not to run `vp migrate` for upgrades.
It now runs from the global CLI when the local one is older, re-pins
`vite-plus` and the `vite` -> `@voidzero-dev/vite-plus-core` alias
across dependencies, overrides/resolutions, and catalogs in every
workspace package, aligns `vitest` / `@vitest/*` by actual usage, and
defaults to a version-only upgrade (pass `--full` to also run the
first-time setup bucket: hooks, editor, agent files, lint migration)
([#1891](#1891)), by
@fengmk2
- **Official Vite+ Docker toolchain image**:
`ghcr.io/voidzero-dev/vite-plus` bundles `vp` plus a native build
toolchain on `debian:bookworm-slim` (amd64/arm64, non-root). Since `vp`
provisions the exact Node.js from `.node-version`, one image builds any
project, and a documented multi-stage build copies the resolved Node.js
into a small vp-free runtime stage
([#1944](#1944)), by
@fengmk2
- **Zero-config `vp build` caching via runner-aware Vite**: Vite reports
its inputs, outputs, and tracked env reads to the `vp` runner over the
new `@voidzero-dev/vite-task-client` IPC
([vite#22453](vitejs/vite#22453)), so `vp build`
caches correctly with no hand-written cache config: outputs are tracked
and restored automatically, and a changed `VITE_*` env var invalidates
the cache and is named in the cache-miss message
([#1774](#1774)), by
@wan9chi
- **PGP-verified Node.js downloads**: installing a managed Node.js now
verifies the release's clearsigned `SHASUMS256.txt.asc` against the
vendored Node.js release keyring (pure Rust, no `gpg` required) before
trusting any checksum, so a tampered archive is rejected before install;
unsigned sources (musl builds, custom mirrors) fall back to
checksum-only verification
([#1848](#1848)), by
@fengmk2

### Features

- `vp check`: a `check` block in `vite.config.ts` (`check.fmt` /
`check.lint`) can make plain `vp check` skip formatting or linting by
default, mirroring `--no-fmt` / `--no-lint`; standalone `vp fmt` / `vp
lint` and git hooks are unaffected, and a `note:` line keeps the
config-based skip discoverable
([#1981](#1981)), by
@fengmk2
- `vp env list-remote`: highlight installed versions (color, or a `*`
prefix when piped) and label the project-resolved `current` and global
`default` versions; `--json` gains `installed` / `current` / `default`
fields ([#1907](#1907)),
by @semimikoh
- `vpr` ships as a `vite-plus` package bin, so the `vp run` shorthand
works on clean installs without global PATH shims (Vercel build image,
generic CI runners)
([#1988](#1988)), by
@kvnwolf
- Vite Task: `dependsOn` can select tasks from dependency packages, e.g.
`dependsOn: [{ "task": "build", "from": "dependencies" }]`
([vite-task#479](voidzero-dev/vite-task#479)),
by @wan9chi
- Vite Task: a task's `env` / `untrackedEnv` glob patterns support `!`
negation (e.g. `["VITE_*", "!VITE_SECRET"]`)
([vite-task#425](voidzero-dev/vite-task#425)),
and an env-caused cache miss now names the variable inline, e.g. `cache
miss: env 'NODE_ENV' changed`
([vite-task#438](voidzero-dev/vite-task#438)),
by @wan9chi
- Upgrade upstream dependencies: vite `8.0.16 -> 8.1.2`, rolldown `1.1.1
-> 1.1.4`, oxlint `1.70.0 -> 1.72.0`, oxfmt `0.55.0 -> 0.57.0`,
oxlint-tsgolint `0.23.0 -> 0.24.0`, and the oxc toolchain `0.136.0 ->
0.138.0` ([#1924](#1924),
[#1989](#1989),
[#2000](#2000),
[#2009](#2009)), by
@voidzero-guard[bot]

### Fixes & Enhancements

- Windows: `vp run` no longer hangs CI when a `node_modules/.bin` `.cmd`
shim is routed through PowerShell; the npm/pnpm/yarn `.ps1` wrappers
read stdin and block forever on a non-TTY pipe, so the PowerShell
rewrite is now skipped when stdin is not an interactive terminal
([vite-task#491](voidzero-dev/vite-task#491),
via [#1973](#1973)), by
@fengmk2
- Vite Task: the task cache is stored in a per-schema-version directory
(e.g. `node_modules/.vite/task-cache/v13/`), so switching between
branches that pin different Vite+ versions no longer fails with
`Unrecognized database version`
([vite-task#433](voidzero-dev/vite-task#433)),
by @fengmk2
- Vite Task: env values in cache fingerprints are stored only as SHA-256
digests and env cache-miss details report names without values
([vite-task#455](voidzero-dev/vite-task#455));
prefix env assignments like `PATH=... command` now affect executable
lookup during planning
([vite-task#440](voidzero-dev/vite-task#440));
`package.json` / `pnpm-workspace.yaml` files with a UTF-8 BOM parse
correctly
([vite-task#424](voidzero-dev/vite-task#424)),
by @wan9chi
- `vp upgrade`: run the pinned pnpm with a managed Node.js LTS directly
instead of re-entering `vp install`, so an incompatible
session/project/system runtime can no longer make pnpm skip optional
native binaries and leave the upgraded CLI broken
([#1900](#1900)), by
@liangmiQwQ
- Global package installs: each install writes to an immutable
`packages/<name>#<uuid>` prefix that is activated via metadata after npm
succeeds, so an interrupted reinstall can no longer leave the active
package unavailable
([#1906](#1906)), and
stale interrupted-install directories are swept with file-lock
protection for concurrent installs
([#1945](#1945)), by
@liangmiQwQ
- `lazyPlugins()`: skip plugin factories only while config metadata is
being resolved instead of keying off `VP_COMMAND`, so builds spawned
under `vp run` / `vp exec` keep the user's plugins and `vp format` no
longer loads them
([#1939](#1939)), by
@fengmk2
- `vp migrate` (pnpm): add a direct `vite` devDep aliased to the core
override wherever `vite-plus` is depended on, so vitest's `vite` peer
binds to `@voidzero-dev/vite-plus-core` instead of pulling in a second
upstream vite that broke the `vp test` cache
([#1933](#1933)), by
@fengmk2
- `vp pack`: bundle `@tsdown/exe` and `@tsdown/css` into core so `--exe`
and CSS bundling work without a resolvable top-level `tsdown`; the
native `lightningcss` becomes an optional peer loaded lazily with an
actionable error
([#1919](#1919)), by
@fengmk2
- `vp env`: invalidate stale shim resolve cache entries when the
project's Node.js version source changes
([#1951](#1951)), by
@jong-kyung
- Node shim: when the project declares npm via `packageManager` /
`devEngines.packageManager`, child processes spawned from `node` resolve
the managed npm instead of the Node-bundled one
([#1938](#1938)); `vp env
which` reports bins linked by an intercepted `npm install -g` (e.g.
`tsc`) instead of "not found"
([#1968](#1968)); bins
with uppercase names (e.g. `vitePlus`) dispatch correctly
([#1963](#1963)), by
@liangmiQwQ
- `vp-setup`: pass the configured npm registry to the inner pnpm install
so setup works behind custom registries
([#1795](#1795)), by
@daflyinbed
- Native binding: declare the platform packages' true ABI floor
`engines.node >=20.0.0` so engine-strict package managers (pnpm) no
longer skip the optional native dependency and fail with `Cannot find
native binding` when a consumer's Node floor lands in a product-policy
gap ([#1993](#1993)), by
@fengmk2
- `vp create`: run `git init` without creating an initial commit, so
commitlint-configured templates no longer reject the hardcoded message
and template placeholders are not baked into history
([#2008](#2008)), by
@forehalo
- `vp staged --debug`: inline the bundled lint-staged version so debug
logging no longer crashes reading a `package.json` that does not exist
in the bundle
([#1925](#1925)), by
@rokuosan
- Installer: retry downloads truncated mid-body in
`HttpClient::get_bytes` (the platform-tarball path for `vp upgrade` and
the standalone installer)
([#1940](#1940)), and
clean up the temp dir when a package-manager install fails instead of
leaking `.tmpXXXX` directories
([#1949](#1949)), by
@shulaoda
- Windows/msys: normalize backslashes in the `env.fish` fallback path
([#1954](#1954)), by
@Aalivexy
- `install.ps1`: detect the missing VC++ runtime (`0xC0000135`) and
print VC++ Redistributable guidance instead of a generic failure;
interactive `irm | iex` installs keep the shell open
([#1962](#1962)), by
@cheezone
- `vp migrate`: preserve comments, key order, and trailing commas in
existing `.vscode` / `.zed` JSONC configs by patching the original text
instead of re-serializing it
([#1956](#1956)), by
@fengmk2
- Migration: link the git hook warning to the migration guide
([#1902](#1902)), by
@naokihaba
- `vp info` / `vp view`: use package-manager-native commands (`pnpm
view`, `bun info`, `yarn npm info`) instead of routing every lookup
through `npm view`
([#1895](#1895)), by
@jong-kyung
- Correct overused `ErrorConfig` error types across the codebase
([#1934](#1934)), by
@liangmiQwQ

### Refactor

- `vite_install`: centralize Yarn v1/berry branching with
`is_yarn_berry`
([#1897](#1897)), by
@jong-kyung

### Docs

- Document Vite Task automatic tracking (fs tracking and cache-reporting
tools), reusing the task cache with GitHub Actions cache, and
`dependsOn: [{ task, from: "dependencies" }]`
([#1992](#1992)), by
@wan9chi
- Rewrite the "Upgrading Vite+" guide: preview builds install through
the registry bridge as ordinary `0.0.0-commit.<sha>` npm versions, and
`vp migrate` is the recommended way to upgrade a project or move it onto
a preview build
([#1965](#1965)), by
@fengmk2
- Describe how to switch back to the release version from nightly
([#1887](#1887)), by
@situ2001
- Clarify Git hook tool migration
([#1901](#1901)), by
@naokihaba
- Add a global installation explanation
([#1915](#1915)), update
the `vp env` help output
([#1969](#1969)), and add
liangmiQwQ as a team member
([#1911](#1911)), by
@liangmiQwQ
- Fix package manager command examples
([#1937](#1937)) and the
`dependsOn` guide link
([#1883](#1883)), by
@jong-kyung
- Remove Fathom analytics from the uninstall docs
([#1946](#1946)), by
@mdong1909
- Center the README logo and fix its size
([#1878](#1878)), by @hyf0

### Chore

- Prevent Vite beta upgrades in the upstream-deps script
([#1879](#1879)),
stabilize flaky network-dependent tests
([#1923](#1923)), and bump
the ecosystem-ci bun-vite-template to the oxlint jsx-a11y fix
([#1898](#1898)), by
@fengmk2
- Pin snap-test install fixtures to a published `vite-plus` version so
release-branch CI can pass before the new version is published
([#2017](#2017)), by
@fengmk2
- Update the deprecated `VITE_PLUS_` env var prefixes to `VP_` in the
RFCs ([#1984](#1984)), by
@liangmiQwQ
- CI: skip full CI for docs-only PRs
([#1991](#1991)) and for
the docs deploy config
([#2015](#2015)), by
@wan9chi
- Update GitHub Actions
([#1904](#1904),
[#1977](#1977)),
claude-code-action to v1.0.158
([#1979](#1979)), and pnpm
to v10.34.4
([#1996](#1996)), by
@renovate[bot]
- Update oxc-project/security-action to v1.0.8
([#1918](#1918)), by
@fengmk2
- Refresh trusted stack stats on the docs homepage
([#1913](#1913),
[#1982](#1982)), by
@voidzero-guard[bot]

### Bundled Versions

| Tool | Version | Source |
| --- | --- | --- |
| vite | `8.1.2` | [`ba31193`](vitejs/vite@ba31193) |
| rolldown | `1.1.4` | [`6cbd233`](rolldown/rolldown@6cbd233) |
| tsdown | `0.22.3` | [npm](https://npmx.dev/package/tsdown/v/0.22.3) |
| vitest | `4.1.9` | [npm](https://npmx.dev/package/vitest/v/4.1.9) |
| oxlint | `1.72.0` | [npm](https://npmx.dev/package/oxlint/v/1.72.0) |
| oxlint-tsgolint | `0.24.0` | [npm](https://npmx.dev/package/oxlint-tsgolint/v/0.24.0) |
| oxfmt | `0.57.0` | [npm](https://npmx.dev/package/oxfmt/v/0.57.0) |

### Upgrade

```bash
vp upgrade
```

New to Vite+? Start with the [Beta
announcement](https://voidzero.dev/posts/announcing-vite-plus-beta),
then create a project with `vp create` or bring an existing one over
with `vp migrate`.

### New Contributors

Welcome to our new contributors @rokuosan, @Aalivexy, @cheezone,
@daflyinbed, @forehalo, @kvnwolf! 🎉

**Full Changelog**:
v0.2.1...v0.2.2

---

Merging this PR will trigger the release workflow.

---------

Co-authored-by: voidzero-guard[bot] <278573678+voidzero-guard[bot]@users.noreply.github.com>
Co-authored-by: MK <fengmk2@gmail.com>