fix(env): apply redactions for env vars with both tools=true and redact=true #8449

Merged: jdx merged 2 commits into main from fix/redact-with-tools on Mar 3, 2026

@jdx commented Mar 3, 2026

Summary

  • When an env var has both tools = true and redact = true, the redact flag was silently ignored — the plaintext value appeared in task output
  • The root cause: env vars with tools = true are resolved in a separate code path (load_post_env), and that path collected redactions but never applied them to the global redactor
  • Added config.add_redactions() call after load_post_env returns in final_env

Fixes #8432

Test plan

  • Added e2e test case for redact = true + tools = true combination
  • Existing redaction e2e tests still pass (test_task_redactions, test_env_redacted_flags)

🤖 Generated with Claude Code


Note

Medium Risk
Touches secret-redaction behavior and output handling, so a mistake could reintroduce leaks or over-redact logs, but the change is small and covered by an added e2e test.

Overview
Fixes an issue where environment variables resolved via the tools-only pass (tools = true) were not having their redact = true values registered with the global redactor, allowing secrets to appear in mise run output.

Adds an e2e regression case covering the tools = true + redact = true combination, and updates the docs to clarify that redactions only work with non-raw task output modes (with CI-friendly MISE_TASK_OUTPUT examples).

Written by Cursor Bugbot for commit ad8919e. This will update automatically on new commits.

…ct=true

When an env var has both `tools = true` and `redact = true`, the
redaction was collected during load_post_env (the tools-only path)
but never applied to the global redactor. This caused the plaintext
value to appear in task output instead of [redacted].

Fixes #8432

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@gemini-code-assist
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical security oversight where sensitive environment variables, intended for redaction and marked with "tools = true", were inadvertently exposed in task output. The changes ensure that all specified redactions are consistently applied across different environment variable loading paths, enhancing the security and privacy of task execution.

Highlights

  • Environment Variable Redaction Fix: Resolved an issue where environment variables with both "tools = true" and "redact = true" were not being properly redacted, leading to plaintext values appearing in task output.
  • Redaction Application Logic: Implemented a fix by ensuring that redactions collected from the "load_post_env" code path (used for "tools = true" env vars) are correctly applied to the global redactor.
  • New End-to-End Test: Added a new end-to-end test case specifically to validate the correct redaction behavior for environment variables configured with both "redact = true" and "tools = true".

Changelog

  • e2e/tasks/test_task_redactions
    • Added a new e2e test case to verify redaction of "tools=true" and "redact=true" environment variables.
  • src/toolset/toolset_env.rs
    • Ensured that redactions collected from "tools=true" environment variables are applied to the global configuration.


greptile-apps Bot commented Mar 3, 2026

Greptile Summary

Fixed a bug where env vars with both tools = true and redact = true were not being redacted in task output. The fix adds a call to config.add_redactions() in the final_env method after load_post_env returns, mirroring the existing pattern used for non-tools env vars in config.rs.

  • Applied redactions for tools-only env vars by calling config.add_redactions() after env resolution
  • Added e2e test case covering the tools=true + redact=true combination

Confidence Score: 5/5

  • Safe to merge - minimal, targeted fix with proper test coverage
  • The fix is a 6-line addition that follows existing patterns in the codebase, has clear test coverage for the specific bug scenario, and addresses the root cause without introducing new complexity or edge cases
  • No files require special attention

Important Files Changed

| Filename | Overview |
| --- | --- |
| src/toolset/toolset_env.rs | Added 6 lines to apply redactions for env vars with tools=true after load_post_env returns - mirrors existing pattern from config.rs |
| e2e/tasks/test_task_redactions | Added e2e test case for tools=true + redact=true combination to verify redactions work correctly |

Last reviewed commit: be7c085

Explain that redactions require non-raw output modes, and recommend
using prefix or interleave output in CI for full logs with redactions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@gemini-code-assist Bot left a comment

Code Review

This pull request correctly addresses a bug where environment variables with both tools=true and redact=true were not being redacted. The fix involves applying the collected redactions from the tools=true code path to the global redactor. The added e2e test case effectively verifies this fix. The changes look good and are well-targeted.

github-actions Bot commented Mar 3, 2026

Hyperfine Performance

mise x -- echo

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
| --- | --- | --- | --- | --- |
| mise-2026.3.1 x -- echo | 25.2 ± 0.7 | 23.0 | 30.8 | 1.00 |
| mise x -- echo | 25.3 ± 0.7 | 23.8 | 34.2 | 1.00 ± 0.04 |

mise env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
| --- | --- | --- | --- | --- |
| mise-2026.3.1 env | 24.5 ± 0.8 | 23.0 | 28.9 | 1.00 |
| mise env | 24.7 ± 0.9 | 22.8 | 35.8 | 1.01 ± 0.05 |

mise hook-env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
| --- | --- | --- | --- | --- |
| mise-2026.3.1 hook-env | 25.1 ± 0.5 | 23.5 | 27.0 | 1.00 |
| mise hook-env | 25.3 ± 0.7 | 23.7 | 34.5 | 1.01 ± 0.04 |

mise ls

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
| --- | --- | --- | --- | --- |
| mise-2026.3.1 ls | 23.0 ± 0.7 | 21.8 | 25.1 | 1.00 |
| mise ls | 23.4 ± 0.9 | 22.1 | 34.8 | 1.01 ± 0.05 |

xtasks/test/perf

| Command | mise-2026.3.1 | mise | Variance |
| --- | --- | --- | --- |
| install (cached) | 152ms | 154ms | -1% |
| ls (cached) | 82ms | 83ms | -1% |
| bin-paths (cached) | 87ms | 86ms | +1% |
| task-ls (cached) | 821ms | 818ms | +0% |

@jdx merged commit af9423f into main Mar 3, 2026
36 checks passed
@jdx deleted the fix/redact-with-tools branch March 3, 2026 16:03
mise-en-dev added a commit that referenced this pull request Mar 4, 2026

### 🚀 Features

- add `--local` flag to `outdated` and `upgrade` commands by @malept in
[#8451](#8451)

### 🐛 Bug Fixes

- **(env)** apply redactions for env vars with both tools=true and
redact=true by @jdx in [#8449](#8449)
- **(prepare)** render tera templates in prepare.env values by @jdx in
[#8450](#8450)
- correct regex syntax in tar/zstd version check by @chadlwilson in
[#8453](#8453)

### 🚜 Refactor

- prevent double-iteration when parsing idiomatic version files by
@risu729 in [#8417](#8417)

### 🧪 Testing

- **(tasks)** stabilize assertions and shell compatibility by @mackwic
in [#8438](#8438)

### 📦 Registry

- add tinygo
([aqua:tinygo-org/tinygo](https://github.com/tinygo-org/tinygo)) by
@artemklevtsov in [#8446](#8446)

## 📦 Aqua Registry Updates

#### New Packages (1)

- [`kunobi-ninja/kunobi`](https://github.com/kunobi-ninja/kunobi)

jdx pushed a commit that referenced this pull request Apr 7, 2026

## Summary
- `mise env --redacted` only checked redactions from the non-tools env
resolution pass (`config.env_results()`), missing any env vars declared
with both `tools = true` and `redact = true`
- The tools-only pass (`final_env` / `load_post_env`) correctly collects
redactions, but `cli/env.rs` never queried them
- Added `ts.final_env()` call to also collect tools-only redactions when
building the `--redacted` filter

Follows up on #8449 which fixed redaction in task output but missed the
`mise env --redacted` display path.

## Test plan
- [x] Added e2e test for `--redacted` with `tools = true, redact = true`
(inline val)
- [x] Added e2e test for `--redacted` with `_.source = { tools = true,
redact = true }`
- [x] Existing `test_env_redacted_flags` tests still pass
- [x] Existing `test_task_redactions` tests still pass

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
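
The failure pattern described in this PR and in the follow-up commit above, as an added example that is not mise's code: a second resolution pass collects redactions that the consumer never registers, so the secret is printed in plaintext. All types, function signatures and sample values here are hypothetical and constructed for illustration; only the names `add_redactions`, `tools` and `redact` echo the page.

```rust
use std::collections::BTreeMap;

// Hypothetical model of the bug class; not mise's real types or signatures.
struct EnvVar { key: &'static str, value: &'static str, tools: bool, redact: bool }
#[derive(Default)]
struct Redactor { secrets: Vec<String> }
impl Redactor {
    fn add_redactions(&mut self, values: Vec<String>) {
        self.secrets.extend(values.into_iter().filter(|v| !v.is_empty()));
    }
    fn redact(&self, line: &str) -> String {
        self.secrets.iter().fold(line.to_string(), |acc, s| acc.replace(s.as_str(), "[redacted]"))
    }
}

// One resolution pass: the env it resolved plus the values flagged redact = true.
fn resolve_pass(vars: &[EnvVar], tools_pass: bool) -> (BTreeMap<String, String>, Vec<String>) {
    let (mut env, mut redactions) = (BTreeMap::new(), Vec::new());
    for v in vars.iter().filter(|v| v.tools == tools_pass) {
        env.insert(v.key.to_string(), v.value.to_string());
        if v.redact { redactions.push(v.value.to_string()); }
    }
    (env, redactions)
}

// register_tools_pass = false models the pre-fix path: collected, never applied.
fn task_output(vars: &[EnvVar], register_tools_pass: bool) -> String {
    let mut redactor = Redactor::default();
    let (mut env, early) = resolve_pass(vars, false);
    redactor.add_redactions(early);
    let (late_env, late) = resolve_pass(vars, true);
    env.extend(late_env);
    if register_tools_pass { redactor.add_redactions(late); }
    let raw: Vec<String> = env.iter().map(|(k, v)| format!("{}={}", k, v)).collect();
    redactor.redact(&raw.join(" "))
}

// Constructed sample values, not real secrets.
fn sample_vars() -> Vec<EnvVar> {
    vec![
        EnvVar { key: "API_TOKEN", value: "constructed-token-123", tools: false, redact: true },
        EnvVar { key: "TOOL_SECRET", value: "constructed-tool-456", tools: true, redact: true },
        EnvVar { key: "PLAIN", value: "hello", tools: false, redact: false },
    ]
}

fn main() {
    for fixed in [false, true] { println!("fixed={}: {}", fixed, task_output(&sample_vars(), fixed)); }
}
```

A regression test for this class of bug should assert on every output path that can print the value, since each consumer has to register or query both passes.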