fix(cli): hide secret env values in --help output

clap prints the current value of an arg's `env` var in --help by default,
which leaks secrets (e.g. `[env: WEBCLAW_API_KEY=wc_...]`) for anyone who
has them set. Add `hide_env_values = true` to every arg backed by a
credential-bearing env var so --help shows the variable name only.

Covers the CLI (WEBCLAW_API_KEY, SERPER_API_KEY, WEBCLAW_PROXY,
WEBCLAW_PROXY_FILE, WEBCLAW_WEBHOOK_URL, WEBCLAW_LLM_BASE_URL) and the
server (WEBCLAW_API_KEY).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Valerio 2026-07-02 12:31:59 +02:00
parent a869b0af69
commit fa54dae7ad
2 changed files with 7 additions and 7 deletions

View file

@ -57,7 +57,7 @@ struct Args {
/// `/v1/*` request must present `Authorization: Bearer <key>`.
/// When unset, the server runs in open mode (no auth) — only
/// safe on a local-bound interface or behind another auth layer.
#[arg(long, env = "WEBCLAW_API_KEY")]
#[arg(long, env = "WEBCLAW_API_KEY", hide_env_values = true)]
api_key: Option<String>,
/// Tracing filter. Env: RUST_LOG.