diff --git a/src/commands/local-vault/__tests__/parseArgs.test.ts b/src/commands/local-vault/__tests__/parseArgs.test.ts index 1075bbd3a..5830ed572 100644 --- a/src/commands/local-vault/__tests__/parseArgs.test.ts +++ b/src/commands/local-vault/__tests__/parseArgs.test.ts @@ -52,6 +52,14 @@ describe('parseLocalVaultArgs', () => { }) }) + test('get with --reveal before key → reveal=true, key correctly resolved', () => { + expect(parseLocalVaultArgs('get --reveal MY_KEY')).toEqual({ + action: 'get', + key: 'MY_KEY', + reveal: true, + }) + }) + test('get without key → invalid', () => { const result = parseLocalVaultArgs('get') expect(result.action).toBe('invalid') diff --git a/src/commands/local-vault/parseArgs.ts b/src/commands/local-vault/parseArgs.ts index e76066ece..4cdd360f1 100644 --- a/src/commands/local-vault/parseArgs.ts +++ b/src/commands/local-vault/parseArgs.ts @@ -89,7 +89,11 @@ export function parseLocalVaultArgs(args: string): LocalVaultArgs { // ── get ─────────────────────────────────────────────────────────────────── if (subCmd === 'get') { - const key = tokens[1] + // Strip flags before extracting the key so that `get --reveal MY_KEY` + // correctly resolves MY_KEY as the key rather than --reveal. + const flags = ['--reveal'] + const argsWithoutFlags = tokens.filter(t => !flags.includes(t)) + const key = argsWithoutFlags[1] // argsWithoutFlags[0] is 'get' if (!key) { return { action: 'invalid', reason: `get requires a key name. ${USAGE}` } } diff --git a/src/commands/share/index.ts b/src/commands/share/index.ts index 7a263560f..2e634b965 100644 --- a/src/commands/share/index.ts +++ b/src/commands/share/index.ts @@ -57,7 +57,7 @@ const SECRET_PATTERNS: Array<{ pattern: RegExp; replacement: string }> = [ replacement: '[REDACTED_ANTHROPIC_KEY]', }, { - pattern: /\b(sk-[A-Za-z0-9]{20,})/g, + pattern: /\b(sk-[A-Za-z0-9_-]{20,})/g, replacement: '[REDACTED_API_KEY]', }, // Bearer / Authorization tokens diff --git a/src/utils/settings/permissionValidation.ts b/src/utils/settings/permissionValidation.ts index 76d6c1a36..2c00025b3 100644 --- a/src/utils/settings/permissionValidation.ts +++ b/src/utils/settings/permissionValidation.ts @@ -315,7 +315,7 @@ export function validatePermissionRule( parsed.toolName === 'VaultHttpFetch' && behavior === 'deny' && parsed.ruleContent !== undefined && - !/^[A-Za-z0-9._-]{1,128}@(?:\*|(?:\[[A-Fa-f0-9:]+\]|[A-Za-z0-9.-]{1,253})(?::\d{1,5})?)$/.test( + !/^[A-Za-z0-9._-]{1,128}@(?:\*|(?:\[[A-Fa-f0-9:]+\]|[A-Za-z0-9.-]{1,253})(?::(?:[1-9]\d{0,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5]))?)$/.test( parsed.ruleContent, ) ) { @@ -367,7 +367,7 @@ export function validatePermissionRule( if ( parsed.toolName === 'VaultHttpFetch' && parsed.ruleContent !== undefined && - !/^[A-Za-z0-9._-]{1,128}@(?:\*|(?:\[[A-Fa-f0-9:]+\]|[A-Za-z0-9.-]{1,253})(?::\d{1,5})?)$/.test( + !/^[A-Za-z0-9._-]{1,128}@(?:\*|(?:\[[A-Fa-f0-9:]+\]|[A-Za-z0-9.-]{1,253})(?::(?:[1-9]\d{0,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5]))?)$/.test( parsed.ruleContent, ) ) {