feat(secrets): env feedback, providesEnv push guard, config perms #28
Merged
… config perms

- executor: warn on stderr when a declared node/service env var resolves to nothing (process.env + nearest .env), instead of dropping it silently and failing opaquely deep inside the container (D1/D2)
- push: refuse to push a workflow whose providesEnv holds a secret-looking value (providesEnv is committed and sent to the remote in clear); --force overrides. Secrets belong in a node's env (names only) (S5)
- remote config: warn when the config file holding the API key cannot be locked down (chmod/icacls), instead of swallowing the failure silently (S6)

build with cc
enixCode added a commit that referenced this pull request Jun 4, 2026
- npm was stuck at 0.6.0: v0.7.0 was never tagged so the 0.7.0 bump never published. This ships the current main (0.7.0 + the secrets hardening from #28) to npm as 0.8.0, so `npm install light-process` gets the real version
- lock-step: package.json + instrumentation.ts SERVICE_VERSION + telemetry.ts TRACER_VERSION all to 0.8.0

build with cc
Lot 1a of the secrets hardening program (non-breaking).
- `executeWorkflow` now warns (stderr) when a declared node/service `env` var resolves to nothing (neither `process.env` nor the nearest `.env`), naming the var and the source consulted. Before, it was dropped silently and the container failed opaquely.
- `light push` refuses to push when a `providesEnv` value looks like a secret (known key prefixes or long high-entropy tokens). `providesEnv` is committed and sent to the remote in clear; secrets belong in `env` (names only). `--force` overrides. Conservative heuristic (static config / model names are not flagged).
- `~/.light/config.json` (holds the API key) cannot be locked down via chmod/icacls, instead of swallowing the failure.

Note: S1 (container stdout can echo secrets) is intentionally left to documentation - it is the node author's responsibility, not something light-* can scrub reliably.
build with cc
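
A sketch of the `providesEnv` push guard described in this PR (known key prefixes or long high-entropy tokens, overridable with `--force`), added here as an example. It is not the light-process code: the patterns, the entropy threshold and the names `looksLikeSecret` and `checkProvidesEnv` are assumptions.

```javascript
// Added illustration; patterns and thresholds are assumptions, not light-process code.
const KNOWN_PREFIXES = [
  { name: "sk- API key", re: /^sk-[A-Za-z0-9_-]{20,}$/ },
  { name: "GitHub token", re: /^ghp_[A-Za-z0-9]{36}$/ },
  { name: "AWS access key id", re: /^AKIA[0-9A-Z]{16}$/ },
  { name: "PEM private key", re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
];
// Long, with no spaces, dots or colons, so URLs and sentences never reach the entropy test.
const TOKEN_SHAPE = /^[A-Za-z0-9+\/=_-]{32,}$/;
const MIN_ENTROPY_BITS = 4.0; // bits per character (assumed threshold)

// Shannon entropy of the string, in bits per character.
function shannonEntropy(s) {
  const chars = Array.from(s);
  const counts = new Map();
  for (const ch of chars) counts.set(ch, (counts.get(ch) || 0) + 1);
  let bits = 0;
  for (const n of counts.values()) bits -= (n / chars.length) * Math.log2(n / chars.length);
  return bits;
}

// Returns a reason string when the value looks like a secret, otherwise null.
function looksLikeSecret(value) {
  if (typeof value !== "string") return null;
  const hit = KNOWN_PREFIXES.find((p) => p.re.test(value));
  if (hit) return `matches ${hit.name} pattern`;
  if (TOKEN_SHAPE.test(value) && shannonEntropy(value) >= MIN_ENTROPY_BITS) {
    return "long high-entropy token";
  }
  return null;
}

// Decides whether a push may proceed. Findings carry names and reasons, never the
// values, so the refusal message cannot leak the secret it is reporting.
function checkProvidesEnv(providesEnv, { force = false } = {}) {
  const findings = [];
  for (const [name, value] of Object.entries(providesEnv || {})) {
    const reason = looksLikeSecret(value);
    if (reason) findings.push({ name, reason });
  }
  return { allowed: force || findings.length === 0, findings };
}

// Constructed sample input: two static config values and two secret-looking ones.
const sample = {
  MODEL: "example-model-large-v2",
  BASE_URL: "https://api.example.com/v1",
  API_KEY: "sk-" + "x".repeat(24),
  SESSION: "q7Zp2LxV9bTn4KdR8mWc3HyJ6sFg1AeU",
};
console.log(checkProvidesEnv(sample));
```

Requiring both the token shape and the entropy floor keeps the check conservative: a 40-character run of one letter or a long URL passes, while a random 32-character token is refused.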