feat: scrub home-dir paths from user-facing CLI error messages#6
Merged
Conversation
A Playwright ENOENT, an LLM 5xx that echoes a cached path back, a parse error on a config file — every one of those could leak the user's home directory into a paste-able bug report. Not an exploit, but bad hygiene and fixable cheaply. Added `safeErrorMessage(err)` in cli.ts, exported for library reuse. Pipes every error through `scrubPath` (which replaces the home dir with `~` and normalizes backslashes to forward slashes) before user-facing output. Applied at the two places cli.ts converts errors to text: parse-time (parseArgs throws) and runtime (runAgent or runDoctor throws). Library users calling `runAgent` still get raw errors for debugging — the trust boundary is the CLI, not the library. 5 new test assertions (164 total, up from 159): Windows home dir scrubbed, Unix home dir scrubbed, non-Error values handled, non-path content preserved unchanged, backslashes normalized on Windows.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
A Playwright
ENOENTmessage, an LLM 5xx that echoes a cached path, a parse error on a config file — every one of those could leakC:\Users\alice\...or/home/alice/...into a bug report pasted to an issue. Not an exploit, but bad hygiene and fixable cheaply.Change
Added
safeErrorMessage(err)incli.ts. Pipes every user-facing error throughscrubPath(home dir →~, backslashes → forward slashes) before printing. Applied at the two CLI error paths: parse-time (parseArgsthrows) and runtime (runAgent/runDoctorthrows).Library consumers of
runAgentstill get raw errors — the trust boundary is the CLI, not the library.Test plan
npm run build— clean under strict: truenpm test— 164 pass (up from 159), 0 failtest/cli-errors.test.mjs: Windows home scrubbed, Unix home scrubbed, non-Error throws handled, non-path content preserved unchanged, backslashes normalized on Windows