Issue Queue: issue-exec-20260106-160325 (#52)

* feat(security): Secure dashboard server by default ## Solution Summary - Solution-ID: SOL-DSC-002-1 - Issue-ID: DSC-002 ## Tasks Completed - [T1] JWT token manager (24h expiry, persisted secret/token) - [T2] API auth middleware + localhost token endpoint - [T3] Default bind 127.0.0.1, add --host with warning - [T4] Localhost-only CORS with credentials + Vary - [T5] SECURITY.md documentation + README link ## Verification - npm run build - npm test -- ccw/tests/token-manager.test.ts ccw/tests/middleware.test.ts ccw/tests/server-auth.integration.test.ts ccw/tests/server.test.ts ccw/tests/cors.test.ts * fix(security): Prevent command injection in Windows spawn() ## Solution Summary - **Solution-ID**: SOL-DSC-001-1 - **Issue-ID**: DSC-001 - **Risk/Impact/Complexity**: high/high/medium ## Tasks Completed - [T1] Create Windows shell escape utility - [T2] Escape cli-executor spawn() args on Windows - [T3] Add command injection regression tests ## Files Modified - ccw/src/utils/shell-escape.ts - ccw/src/tools/cli-executor.ts - ccw/tests/shell-escape.test.ts - ccw/tests/security/command-injection.test.ts ## Verification - npm run build - npm test -- ccw/tests/shell-escape.test.ts ccw/tests/security/command-injection.test.ts * fix(security): Harden path validation (DSC-005) ## Solution Summary - Solution-ID: SOL-DSC-005-1 - Issue-ID: DSC-005 ## Tasks Completed - T1: Refactor path validation to pre-resolution checking - T2: Implement allowlist-based path validation - T3: Add path validation to API routes - T4: Add path security regression tests ## Files Modified - ccw/src/utils/path-resolver.ts - ccw/src/utils/path-validator.ts - ccw/src/core/routes/graph-routes.ts - ccw/src/core/routes/files-routes.ts - ccw/src/core/routes/skills-routes.ts - ccw/tests/path-resolver.test.ts - ccw/tests/graph-routes.test.ts - ccw/tests/files-routes.test.ts - ccw/tests/skills-routes.test.ts - ccw/tests/security/path-traversal.test.ts ## Verification - npm run build - npm test -- path-resolver.test.ts - npm test -- path-validator.test.ts - npm test -- graph-routes.test.ts - npm test -- files-routes.test.ts - npm test -- skills-routes.test.ts - npm test -- ccw/tests/security/path-traversal.test.ts * fix(security): Prevent credential leakage (DSC-004) ## Solution Summary - Solution-ID: SOL-DSC-004-1 - Issue-ID: DSC-004 ## Tasks Completed - T1: Create credential handling security tests - T2: Add log sanitization tests - T3: Add env var leakage prevention tests - T4: Add secure storage tests ## Files Modified - ccw/src/config/litellm-api-config-manager.ts - ccw/src/core/routes/litellm-api-routes.ts - ccw/tests/security/credential-handling.test.ts ## Verification - npm run build - node --experimental-strip-types --test ccw/tests/security/credential-handling.test.ts * test(ranking): expand normalize_weights edge case coverage (ISS-1766920108814-0) ## Solution Summary - Solution-ID: SOL-20251228113607 - Issue-ID: ISS-1766920108814-0 ## Tasks Completed - T1: Fix NaN and invalid total handling in normalize_weights - T2: Add unit tests for NaN edge cases in normalize_weights ## Files Modified - codex-lens/tests/test_rrf_fusion.py ## Verification - python -m pytest codex-lens/tests/test_rrf_fusion.py::TestNormalizeBM25Score -v - python -m pytest codex-lens/tests/test_rrf_fusion.py -v -k normalize - python -m pytest codex-lens/tests/test_rrf_fusion.py::TestReciprocalRankFusion::test_weight_normalization codex-lens/tests/test_cli_hybrid_search.py::TestCLIHybridSearch::test_weights_normalization -v * feat(security): Add CSRF protection and tighten CORS (DSC-006) ## Solution Summary - Solution-ID: SOL-DSC-006-1 - Issue-ID: DSC-006 - Risk/Impact/Complexity: high/high/medium ## Tasks Completed - T1: Create CSRF token generation system - T2: Add CSRF token endpoints - T3: Implement CSRF validation middleware - T4: Restrict CORS to trusted origins - T5: Add CSRF security tests ## Files Modified - ccw/src/core/auth/csrf-manager.ts - ccw/src/core/auth/csrf-middleware.ts - ccw/src/core/routes/auth-routes.ts - ccw/src/core/server.ts - ccw/tests/csrf-manager.test.ts - ccw/tests/auth-routes.test.ts - ccw/tests/csrf-middleware.test.ts - ccw/tests/security/csrf.test.ts ## Verification - npm run build - node --experimental-strip-types --test ccw/tests/csrf-manager.test.ts - node --experimental-strip-types --test ccw/tests/auth-routes.test.ts - node --experimental-strip-types --test ccw/tests/csrf-middleware.test.ts - node --experimental-strip-types --test ccw/tests/cors.test.ts - node --experimental-strip-types --test ccw/tests/security/csrf.test.ts * fix(cli-executor): prevent stale SIGKILL timeouts ## Solution Summary - Solution-ID: SOL-DSC-007-1 - Issue-ID: DSC-007 - Risk/Impact/Complexity: low/low/low ## Tasks Completed - [T1] Store timeout handle in killCurrentCliProcess ## Files Modified - ccw/src/tools/cli-executor.ts - ccw/tests/cli-executor-kill.test.ts ## Verification - node --experimental-strip-types --test ccw/tests/cli-executor-kill.test.ts * fix(cli-executor): enhance merge validation guards ## Solution Summary - Solution-ID: SOL-DSC-008-1 - Issue-ID: DSC-008 - Risk/Impact/Complexity: low/low/low ## Tasks Completed - [T1] Enhance sourceConversations array validation ## Files Modified - ccw/src/tools/cli-executor.ts - ccw/tests/cli-executor-merge-validation.test.ts ## Verification - node --experimental-strip-types --test ccw/tests/cli-executor-merge-validation.test.ts * refactor(core): remove @ts-nocheck from core routes ## Solution Summary - Solution-ID: SOL-DSC-003-1 - Issue-ID: DSC-003 - Queue-ID: QUE-20260106-164500 - Item-ID: S-9 ## Tasks Completed - T1: Create shared RouteContext type definition - T2: Remove @ts-nocheck from small route files - T3: Remove @ts-nocheck from medium route files - T4: Remove @ts-nocheck from large route files - T5: Remove @ts-nocheck from remaining core files ## Files Modified - ccw/src/core/dashboard-generator-patch.ts - ccw/src/core/dashboard-generator.ts - ccw/src/core/routes/ccw-routes.ts - ccw/src/core/routes/claude-routes.ts - ccw/src/core/routes/cli-routes.ts - ccw/src/core/routes/codexlens-routes.ts - ccw/src/core/routes/discovery-routes.ts - ccw/src/core/routes/files-routes.ts - ccw/src/core/routes/graph-routes.ts - ccw/src/core/routes/help-routes.ts - ccw/src/core/routes/hooks-routes.ts - ccw/src/core/routes/issue-routes.ts - ccw/src/core/routes/litellm-api-routes.ts - ccw/src/core/routes/litellm-routes.ts - ccw/src/core/routes/mcp-routes.ts - ccw/src/core/routes/mcp-routes.ts.backup - ccw/src/core/routes/mcp-templates-db.ts - ccw/src/core/routes/nav-status-routes.ts - ccw/src/core/routes/rules-routes.ts - ccw/src/core/routes/session-routes.ts - ccw/src/core/routes/skills-routes.ts - ccw/src/core/routes/status-routes.ts - ccw/src/core/routes/system-routes.ts - ccw/src/core/routes/types.ts - ccw/src/core/server.ts - ccw/src/core/websocket.ts ## Verification - npm run build - npm test * refactor: split cli-executor and codexlens routes into modules ## Solution Summary - Solution-ID: SOL-DSC-012-1 - Issue-ID: DSC-012 - Risk/Impact/Complexity: medium/medium/high ## Tasks Completed - [T1] Extract execution orchestration from cli-executor.ts (Refactor ccw/src/tools) - [T2] Extract route handlers from codexlens-routes.ts (Refactor ccw/src/core/routes) - [T3] Extract prompt concatenation logic from cli-executor (Refactor ccw/src/tools) - [T4] Document refactored module architecture (Docs) ## Files Modified - ccw/src/tools/cli-executor.ts - ccw/src/tools/cli-executor-core.ts - ccw/src/tools/cli-executor-utils.ts - ccw/src/tools/cli-executor-state.ts - ccw/src/tools/cli-prompt-builder.ts - ccw/src/tools/README.md - ccw/src/core/routes/codexlens-routes.ts - ccw/src/core/routes/codexlens/config-handlers.ts - ccw/src/core/routes/codexlens/index-handlers.ts - ccw/src/core/routes/codexlens/semantic-handlers.ts - ccw/src/core/routes/codexlens/watcher-handlers.ts - ccw/src/core/routes/codexlens/utils.ts - ccw/src/core/routes/codexlens/README.md ## Verification - npm run build - npm test * test(issue): Add comprehensive issue command tests ## Solution Summary - **Solution-ID**: SOL-DSC-009-1 - **Issue-ID**: DSC-009 - **Risk/Impact/Complexity**: low/high/medium ## Tasks Completed - [T1] Create issue command test file structure: Create isolated test harness - [T2] Add JSONL read/write operation tests: Verify JSONL correctness and errors - [T3] Add issue lifecycle tests: Verify status transitions and timestamps - [T4] Add solution binding tests: Verify binding flows and error cases - [T5] Add queue formation tests: Verify queue creation, IDs, and DAG behavior - [T6] Add queue execution tests: Verify next/done/retry and status sync ## Files Modified - ccw/src/commands/issue.ts - ccw/tests/issue-command.test.ts ## Verification - node --experimental-strip-types --test ccw/tests/issue-command.test.ts * test(routes): Add integration tests for route modules ## Solution Summary - Solution-ID: SOL-DSC-010-1 - Issue-ID: DSC-010 - Queue-ID: QUE-20260106-164500 ## Tasks Completed - [T1] Add tests for ccw-routes.ts - [T2] Add tests for files-routes.ts - [T3] Add tests for claude-routes.ts (includes Windows path fix for create) - [T4] Add tests for issue-routes.ts - [T5] Add tests for help-routes.ts (avoid hanging watchers) - [T6] Add tests for nav-status-routes.ts - [T7] Add tests for hooks/graph/rules/skills/litellm-api routes ## Files Modified - ccw/src/core/routes/claude-routes.ts - ccw/src/core/routes/help-routes.ts - ccw/tests/integration/ccw-routes.test.ts - ccw/tests/integration/claude-routes.test.ts - ccw/tests/integration/files-routes.test.ts - ccw/tests/integration/issue-routes.test.ts - ccw/tests/integration/help-routes.test.ts - ccw/tests/integration/nav-status-routes.test.ts - ccw/tests/integration/hooks-routes.test.ts - ccw/tests/integration/graph-routes.test.ts - ccw/tests/integration/rules-routes.test.ts - ccw/tests/integration/skills-routes.test.ts - ccw/tests/integration/litellm-api-routes.test.ts ## Verification - node --experimental-strip-types --test ccw/tests/integration/ccw-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/files-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/claude-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/issue-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/help-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/nav-status-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/hooks-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/graph-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/rules-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/skills-routes.test.ts - node --experimental-strip-types --test ccw/tests/integration/litellm-api-routes.test.ts * refactor(core): Switch cache and lite scanning to async fs ## Solution Summary - Solution-ID: SOL-DSC-013-1 - Issue-ID: DSC-013 - Queue-ID: QUE-20260106-164500 ## Tasks Completed - [T1] Convert cache-manager.ts to async file operations - [T2] Convert lite-scanner.ts to async file operations - [T3] Update cache-manager call sites to await async API - [T4] Update lite-scanner call sites to await async API ## Files Modified - ccw/src/core/cache-manager.ts - ccw/src/core/lite-scanner.ts - ccw/src/core/data-aggregator.ts ## Verification - npm run build - npm test * fix(exec): Add timeout protection for execSync ## Solution Summary - Solution-ID: SOL-DSC-014-1 - Issue-ID: DSC-014 - Queue-ID: QUE-20260106-164500 ## Tasks Completed - [T1] Add timeout to execSync calls in python-utils.ts - [T2] Add timeout to execSync calls in detect-changed-modules.ts - [T3] Add timeout to execSync calls in claude-freshness.ts - [T4] Add timeout to execSync calls in issue.ts - [T5] Consolidate execSync timeout constants and audit coverage ## Files Modified - ccw/src/utils/exec-constants.ts - ccw/src/utils/python-utils.ts - ccw/src/tools/detect-changed-modules.ts - ccw/src/core/claude-freshness.ts - ccw/src/commands/issue.ts - ccw/src/tools/smart-search.ts - ccw/src/tools/codex-lens.ts - ccw/src/core/routes/codexlens/config-handlers.ts ## Verification - npm run build - npm test - node --experimental-strip-types --test ccw/tests/issue-command.test.ts * feat(cli): Add progress spinner with elapsed time for long-running operations ## Solution Summary - Solution-ID: SOL-DSC-015-1 - Issue-ID: DSC-015 - Queue-Item: S-15 - Risk/Impact/Complexity: low/medium/low ## Tasks Completed - [T1] Add progress spinner to CLI execution: Update ccw/src/commands/cli.ts ## Files Modified - ccw/src/commands/cli.ts - ccw/tests/cli-command.test.ts ## Verification - node --experimental-strip-types --test ccw/tests/cli-command.test.ts - node --experimental-strip-types --test ccw/tests/cli-executor-kill.test.ts - node --experimental-strip-types --test ccw/tests/cli-executor-merge-validation.test.ts * fix(cli): Move full output hint immediately after truncation notice ## Solution Summary - Solution-ID: SOL-DSC-016-1 - Issue-ID: DSC-016 - Queue-Item: S-16 - Risk/Impact/Complexity: low/high/low ## Tasks Completed - [T1] Relocate output hint after truncation: Update ccw/src/commands/cli.ts ## Files Modified - ccw/src/commands/cli.ts - ccw/tests/cli-command.test.ts ## Verification - npm run build - node --experimental-strip-types --test ccw/tests/cli-command.test.ts * feat(cli): Add confirmation prompts for destructive operations ## Solution Summary - Solution-ID: SOL-DSC-017-1 - Issue-ID: DSC-017 - Queue-Item: S-17 - Risk/Impact/Complexity: low/high/low ## Tasks Completed - [T1] Add confirmation to storage clean operations: Update ccw/src/commands/cli.ts - [T2] Add confirmation to issue queue delete: Update ccw/src/commands/issue.ts ## Files Modified - ccw/src/commands/cli.ts - ccw/src/commands/issue.ts - ccw/tests/cli-command.test.ts - ccw/tests/issue-command.test.ts ## Verification - npm run build - node --experimental-strip-types --test ccw/tests/cli-command.test.ts - node --experimental-strip-types --test ccw/tests/issue-command.test.ts * feat(cli): Improve multi-line prompt guidance ## Solution Summary - Solution-ID: SOL-DSC-018-1 - Issue-ID: DSC-018 - Queue-Item: S-18 - Risk/Impact/Complexity: low/medium/low ## Tasks Completed - [T1] Update CLI help to emphasize --file option: Update ccw/src/commands/cli.ts - [T2] Add inline hint for multi-line detection: Update ccw/src/commands/cli.ts ## Files Modified - ccw/src/commands/cli.ts - ccw/tests/cli-command.test.ts ## Verification - npm run build - node --experimental-strip-types --test ccw/tests/cli-command.test.ts --------- Co-authored-by: catlog22 <catlog22@github.com>
2026-02-12 02:37:45 +08:00 · 2026-01-07 22:35:46 +08:00
parent fae2f7e279
commit 09d99abee6
100 changed files with 14300 additions and 6456 deletions
--- a/ccw/tests/security/credential-handling.test.ts
+++ b/ccw/tests/security/credential-handling.test.ts
@@ -0,0 +1,447 @@
+/**
+ * Security tests for credential handling (DSC-004).
+ *
+ * Notes:
+ * - Targets runtime implementation shipped in `ccw/dist`.
+ * - Uses an isolated CCW data directory (CCW_DATA_DIR) to avoid touching real user config.
+ */
+
+import { after, afterEach, before, beforeEach, describe, it, mock } from 'node:test';
+import assert from 'node:assert/strict';
+import http from 'node:http';
+import { mkdtempSync, mkdirSync, readFileSync, readdirSync, rmSync, statSync, writeFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import path from 'node:path';
+
+const CCW_HOME = mkdtempSync(path.join(tmpdir(), 'ccw-credential-tests-home-'));
+const PROJECT_ROOT = mkdtempSync(path.join(tmpdir(), 'ccw-credential-tests-project-'));
+const CONFIG_DIR = path.join(CCW_HOME, 'config');
+const CONFIG_PATH = path.join(CONFIG_DIR, 'litellm-api-config.json');
+
+const originalEnv = {
+  CCW_DATA_DIR: process.env.CCW_DATA_DIR,
+  TEST_API_KEY: process.env.TEST_API_KEY,
+};
+
+process.env.CCW_DATA_DIR = CCW_HOME;
+
+const configManagerUrl = new URL('../../dist/config/litellm-api-config-manager.js', import.meta.url);
+configManagerUrl.searchParams.set('t', String(Date.now()));
+
+const litellmRoutesUrl = new URL('../../dist/core/routes/litellm-api-routes.js', import.meta.url);
+litellmRoutesUrl.searchParams.set('t', String(Date.now()));
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+let mod: any;
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+let routes: any;
+
+type JsonResponse = { status: number; json: any; text: string };
+
+async function requestJson(baseUrl: string, method: string, reqPath: string, body?: unknown): Promise<JsonResponse> {
+  const url = new URL(reqPath, baseUrl);
+  const payload = body === undefined ? null : Buffer.from(JSON.stringify(body), 'utf8');
+
+  return new Promise((resolve, reject) => {
+    const req = http.request(
+      url,
+      {
+        method,
+        headers: {
+          Accept: 'application/json',
+          ...(payload ? { 'Content-Type': 'application/json', 'Content-Length': String(payload.length) } : {}),
+        },
+      },
+      (res) => {
+        let responseBody = '';
+        res.on('data', (chunk) => {
+          responseBody += chunk.toString();
+        });
+        res.on('end', () => {
+          let json: any = null;
+          try {
+            json = responseBody ? JSON.parse(responseBody) : null;
+          } catch {
+            json = null;
+          }
+          resolve({ status: res.statusCode || 0, json, text: responseBody });
+        });
+      },
+    );
+    req.on('error', reject);
+    if (payload) req.write(payload);
+    req.end();
+  });
+}
+
+function handlePostRequest(
+  req: http.IncomingMessage,
+  res: http.ServerResponse,
+  handler: (body: unknown) => Promise<any>,
+): void {
+  let body = '';
+  req.on('data', (chunk) => {
+    body += chunk.toString();
+  });
+  req.on('end', async () => {
+    try {
+      const parsed = body ? JSON.parse(body) : {};
+      const result = await handler(parsed);
+
+      if (result?.error) {
+        res.writeHead(result.status || 500, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: result.error }));
+      } else {
+        res.writeHead(200, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify(result));
+      }
+    } catch (err: any) {
+      res.writeHead(500, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ error: err?.message || String(err) }));
+    }
+  });
+}
+
+async function createServer(initialPath: string): Promise<{ server: http.Server; baseUrl: string }> {
+  const server = http.createServer(async (req, res) => {
+    const url = new URL(req.url || '/', 'http://localhost');
+    const pathname = url.pathname;
+
+    const ctx = {
+      pathname,
+      url,
+      req,
+      res,
+      initialPath,
+      handlePostRequest,
+      broadcastToClients() {},
+    };
+
+    try {
+      const handled = await routes.handleLiteLLMApiRoutes(ctx);
+      if (!handled) {
+        res.writeHead(404, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Not Found' }));
+      }
+    } catch (err: any) {
+      res.writeHead(500, { 'Content-Type': 'application/json' });
+      res.end(JSON.stringify({ error: err?.message || String(err) }));
+    }
+  });
+
+  await new Promise<void>((resolve) => server.listen(0, () => resolve()));
+  const addr = server.address();
+  const port = typeof addr === 'object' && addr ? addr.port : 0;
+  return { server, baseUrl: `http://127.0.0.1:${port}` };
+}
+
+function loadMaskApiKey(): (apiKey: string) => string {
+  const filePath = new URL('../../src/templates/dashboard-js/views/api-settings.js', import.meta.url);
+  const source = readFileSync(filePath, 'utf8');
+
+  const match = source.match(/function\s+maskApiKey\(apiKey\)\s*\{[\s\S]*?\r?\n\}/);
+  if (!match) {
+    throw new Error('maskApiKey function not found in api-settings.js');
+  }
+
+  // eslint-disable-next-line no-new-func
+  const fn = new Function(`${match[0]}; return maskApiKey;`) as () => (apiKey: string) => string;
+  return fn();
+}
+
+describe('security: credential handling', async () => {
+  const maskApiKey = loadMaskApiKey();
+
+  function listFilesRecursive(dirPath: string): string[] {
+    const results: string[] = [];
+    const entries = readdirSync(dirPath, { withFileTypes: true });
+    for (const entry of entries) {
+      const fullPath = path.join(dirPath, entry.name);
+      if (entry.isDirectory()) results.push(...listFilesRecursive(fullPath));
+      else if (entry.isFile()) results.push(fullPath);
+    }
+    return results;
+  }
+
+  before(async () => {
+    mod = await import(configManagerUrl.href);
+    routes = await import(litellmRoutesUrl.href);
+  });
+
+  beforeEach(() => {
+    process.env.TEST_API_KEY = originalEnv.TEST_API_KEY;
+    rmSync(CONFIG_PATH, { force: true });
+  });
+
+  afterEach(() => {
+    mock.restoreAll();
+  });
+
+  after(() => {
+    process.env.CCW_DATA_DIR = originalEnv.CCW_DATA_DIR;
+    process.env.TEST_API_KEY = originalEnv.TEST_API_KEY;
+    rmSync(CCW_HOME, { recursive: true, force: true });
+    rmSync(PROJECT_ROOT, { recursive: true, force: true });
+  });
+
+  it('resolveEnvVar returns input unchanged when not ${ENV_VAR}', () => {
+    assert.equal(mod.resolveEnvVar('sk-test-1234'), 'sk-test-1234');
+    assert.equal(mod.resolveEnvVar(''), '');
+  });
+
+  it('resolveEnvVar resolves ${ENV_VAR} syntax', () => {
+    process.env.TEST_API_KEY = 'sk-test-resolved';
+    assert.equal(mod.resolveEnvVar('${TEST_API_KEY}'), 'sk-test-resolved');
+  });
+
+  it('resolveEnvVar returns empty string when env var is missing', () => {
+    delete process.env.TEST_API_KEY;
+    assert.equal(mod.resolveEnvVar('${TEST_API_KEY}'), '');
+  });
+
+  it('getProviderWithResolvedEnvVars returns provider with resolvedApiKey', () => {
+    process.env.TEST_API_KEY = 'sk-test-resolved';
+
+    const provider = mod.addProvider(PROJECT_ROOT, {
+      name: 'Test Provider',
+      type: 'openai',
+      apiKey: '${TEST_API_KEY}',
+      apiBase: undefined,
+      enabled: true,
+    });
+
+    const resolved = mod.getProviderWithResolvedEnvVars(PROJECT_ROOT, provider.id);
+    assert.ok(resolved);
+    assert.equal(resolved.id, provider.id);
+    assert.equal(resolved.resolvedApiKey, 'sk-test-resolved');
+  });
+
+  it('resolveEnvVar does not log resolved credential values', () => {
+    const secret = 'sk-test-secret-1234567890';
+    process.env.TEST_API_KEY = secret;
+
+    const calls: string[] = [];
+    mock.method(console, 'log', (...args: unknown[]) => calls.push(args.map(String).join(' ')));
+    mock.method(console, 'error', (...args: unknown[]) => calls.push(args.map(String).join(' ')));
+
+    assert.equal(mod.resolveEnvVar('${TEST_API_KEY}'), secret);
+    assert.equal(calls.some((line) => line.includes(secret)), false);
+  });
+
+  it('getProviderWithResolvedEnvVars does not log resolved credential values', () => {
+    const secret = 'sk-test-secret-abcdef123456';
+    process.env.TEST_API_KEY = secret;
+
+    const calls: string[] = [];
+    mock.method(console, 'log', (...args: unknown[]) => calls.push(args.map(String).join(' ')));
+    mock.method(console, 'error', (...args: unknown[]) => calls.push(args.map(String).join(' ')));
+
+    const provider = mod.addProvider(PROJECT_ROOT, {
+      name: 'Test Provider',
+      type: 'openai',
+      apiKey: '${TEST_API_KEY}',
+      apiBase: undefined,
+      enabled: true,
+    });
+
+    const resolved = mod.getProviderWithResolvedEnvVars(PROJECT_ROOT, provider.id);
+    assert.ok(resolved);
+    assert.equal(resolved.resolvedApiKey, secret);
+    assert.equal(calls.some((line) => line.includes(secret)), false);
+  });
+
+  it('loadLiteLLMApiConfig logs parse errors without leaking credentials', () => {
+    const secret = 'sk-test-secret-in-file-1234';
+    mkdirSync(CONFIG_DIR, { recursive: true });
+    writeFileSync(CONFIG_PATH, `{\"providers\":[{\"apiKey\":\"${secret}\"`, 'utf8');
+
+    const calls: string[] = [];
+    mock.method(console, 'error', (...args: unknown[]) => calls.push(args.map(String).join(' ')));
+
+    const config = mod.loadLiteLLMApiConfig(PROJECT_ROOT);
+    assert.equal(Array.isArray(config.providers), true);
+    assert.equal(config.providers.length, 0);
+    assert.equal(calls.length > 0, true);
+    assert.equal(calls.some((line) => line.includes(secret)), false);
+  });
+
+  it('loadLiteLLMApiConfig stack traces do not include raw credentials', () => {
+    const secret = 'sk-test-secret-stack-9999';
+    mkdirSync(CONFIG_DIR, { recursive: true });
+    writeFileSync(CONFIG_PATH, `{\"providers\":[{\"apiKey\":\"${secret}\"`, 'utf8');
+
+    const errorArgs: unknown[][] = [];
+    mock.method(console, 'error', (...args: unknown[]) => errorArgs.push(args));
+
+    mod.loadLiteLLMApiConfig(PROJECT_ROOT);
+
+    const errorObj = errorArgs.flat().find((arg) => arg instanceof Error) as Error | undefined;
+    assert.ok(errorObj);
+    assert.equal(String(errorObj.stack ?? '').includes(secret), false);
+  });
+
+  it('maskApiKey hides raw keys but keeps env var references readable', () => {
+    assert.equal(maskApiKey(''), '');
+    assert.equal(maskApiKey('${TEST_API_KEY}'), '${TEST_API_KEY}');
+    assert.equal(maskApiKey('short'), '***');
+    assert.equal(maskApiKey('sk-test-1234567890'), 'sk-t...7890');
+  });
+
+  it('getProviderWithResolvedEnvVars is safe to stringify (no env var syntax or resolved secrets)', () => {
+    const secret = 'sk-test-secret-json-0000';
+    process.env.TEST_API_KEY = secret;
+
+    const provider = mod.addProvider(PROJECT_ROOT, {
+      name: 'Test Provider',
+      type: 'openai',
+      apiKey: '${TEST_API_KEY}',
+      apiBase: undefined,
+      enabled: true,
+    });
+
+    const resolved = mod.getProviderWithResolvedEnvVars(PROJECT_ROOT, provider.id);
+    assert.ok(resolved);
+
+    const payload = JSON.stringify(resolved);
+    assert.equal(payload.includes(secret), false);
+    assert.equal(payload.includes('${TEST_API_KEY}'), false);
+    assert.equal(payload.includes('resolvedApiKey'), false);
+  });
+
+  it('API responses do not expose env var syntax for provider apiKey', async () => {
+    process.env.TEST_API_KEY = 'sk-test-secret-api-1111';
+
+    mod.addProvider(PROJECT_ROOT, {
+      name: 'Test Provider',
+      type: 'openai',
+      apiKey: '${TEST_API_KEY}',
+      apiBase: undefined,
+      enabled: true,
+    });
+
+    const { server, baseUrl } = await createServer(PROJECT_ROOT);
+    try {
+      const res = await requestJson(baseUrl, 'GET', '/api/litellm-api/providers');
+      assert.equal(res.status, 200);
+      assert.ok(res.json?.providers);
+
+      assert.equal(res.text.includes('${TEST_API_KEY}'), false);
+      assert.equal(res.text.includes('${'), false);
+    } finally {
+      await new Promise<void>((resolve) => server.close(() => resolve()));
+    }
+  });
+
+  it('API responses do not expose resolved secrets in generated rotation endpoints', async () => {
+    const secret = 'sk-test-secret-rotation-2222';
+    process.env.TEST_API_KEY = secret;
+
+    const provider = mod.addProvider(PROJECT_ROOT, {
+      name: 'Embed Provider',
+      type: 'openai',
+      apiKey: '${TEST_API_KEY}',
+      apiBase: undefined,
+      enabled: true,
+    });
+
+    // Ensure provider has an enabled embedding model.
+    mod.updateProvider(PROJECT_ROOT, provider.id, {
+      embeddingModels: [{
+        id: 'emb-1',
+        name: 'text-embedding-test',
+        type: 'embedding',
+        series: 'Test',
+        enabled: true,
+      }],
+    });
+
+    // Configure legacy rotation directly in the config file (avoid auto-sync side effects).
+    mkdirSync(CONFIG_DIR, { recursive: true });
+    const config = mod.loadLiteLLMApiConfig(PROJECT_ROOT);
+    config.codexlensEmbeddingRotation = {
+      enabled: true,
+      strategy: 'round_robin',
+      defaultCooldown: 60,
+      targetModel: 'text-embedding-test',
+      providers: [{
+        providerId: provider.id,
+        modelId: 'emb-1',
+        useAllKeys: true,
+        weight: 1.0,
+        maxConcurrentPerKey: 4,
+        enabled: true,
+      }],
+    };
+    writeFileSync(CONFIG_PATH, JSON.stringify(config, null, 2), 'utf8');
+
+    const { server, baseUrl } = await createServer(PROJECT_ROOT);
+    try {
+      const res = await requestJson(baseUrl, 'GET', '/api/litellm-api/codexlens/rotation/endpoints');
+      assert.equal(res.status, 200);
+      assert.ok(res.json?.endpoints);
+
+      assert.equal(res.text.includes(secret), false);
+      assert.equal(res.text.includes('${TEST_API_KEY}'), false);
+      assert.equal(res.text.includes('${'), false);
+    } finally {
+      await new Promise<void>((resolve) => server.close(() => resolve()));
+    }
+  });
+
+  it('stores env var references without persisting resolved secrets when available', () => {
+    const secret = 'sk-test-secret-storage-3333';
+    process.env.TEST_API_KEY = secret;
+
+    mod.addProvider(PROJECT_ROOT, {
+      name: 'Stored Provider',
+      type: 'openai',
+      apiKey: '${TEST_API_KEY}',
+      apiBase: undefined,
+      enabled: true,
+    });
+
+    const content = readFileSync(CONFIG_PATH, 'utf8');
+    assert.equal(content.includes('${TEST_API_KEY}'), true);
+    assert.equal(content.includes(secret), false);
+  });
+
+  it('does not write resolved secrets into ancillary files under CCW_DATA_DIR', () => {
+    const secret = 'sk-test-secret-storage-scan-4444';
+    process.env.TEST_API_KEY = secret;
+
+    mod.addProvider(PROJECT_ROOT, {
+      name: 'Stored Provider',
+      type: 'openai',
+      apiKey: '${TEST_API_KEY}',
+      apiBase: undefined,
+      enabled: true,
+    });
+
+    const files = listFilesRecursive(CCW_HOME);
+    assert.ok(files.length > 0);
+
+    for (const filePath of files) {
+      const content = readFileSync(filePath, 'utf8');
+      assert.equal(content.includes(secret), false);
+    }
+  });
+
+  it('writes config file with restrictive permissions where supported', () => {
+    mod.addProvider(PROJECT_ROOT, {
+      name: 'Perms Provider',
+      type: 'openai',
+      apiKey: 'sk-test-raw-key',
+      apiBase: undefined,
+      enabled: true,
+    });
+
+    const stat = statSync(CONFIG_PATH);
+    assert.equal(stat.isFile(), true);
+
+    if (process.platform === 'win32') return;
+
+    // Require no permissions for group/others (0600).
+    const mode = stat.mode & 0o777;
+    assert.equal(mode & 0o077, 0);
+  });
+});