chore(core): redact sensitive flag values from exec command logs

[nicktrn]

The Exec helper in @trigger.dev/core logs command args at debug level (and in its output/error metadata). For commands that take a credential directly on the command line - --password, --token, --secret, etc. - that value is logged verbatim, so turning on debug logging can surface secrets in log sinks.

This masks the value of known credential-bearing flags (both --flag value and --flag=value forms) before the args are logged. The executed command is untouched - only the logged copy is redacted. Added a small unit test for the redaction helper.

[changeset-bot]

🦋 Changeset detected

Latest commit: 54ad582

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 28 packages

Name	Type
@trigger.dev/core	Patch
@trigger.dev/build	Patch
trigger.dev	Patch
@trigger.dev/plugins	Patch
@trigger.dev/python	Patch
@trigger.dev/redis-worker	Patch
@trigger.dev/schema-to-json	Patch
@trigger.dev/sdk	Patch
@internal/cache	Patch
@internal/clickhouse	Patch
@internal/llm-model-catalog	Patch
@trigger.dev/rbac	Patch
@internal/redis	Patch
@internal/replication	Patch
@internal/run-engine	Patch
@internal/run-store	Patch
@internal/schedule-engine	Patch
@trigger.dev/sso	Patch
@internal/testcontainers	Patch
@internal/tracing	Patch
@internal/tsql	Patch
@internal/zod-worker	Patch
@internal/dashboard-agent	Patch
@internal/sdk-compat-tests	Patch
@trigger.dev/react-hooks	Patch
@trigger.dev/rsc	Patch
@trigger.dev/database	Patch
@trigger.dev/otlp-importer	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 60f247a7-b318-475d-bb0c-f18283327985

📥 Commits

Reviewing files that changed from the base of the PR and between c882ca6 and 7d948f8.

📒 Files selected for processing (1)

• packages/core/src/v3/apps/exec.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/core/src/v3/apps/exec.ts

📜 Recent review details

⏰ Context from checks skipped due to timeout. (33)

• GitHub Check: internal / 🧪 Unit Tests: Internal (2, 12)
• GitHub Check: internal / 🧪 Unit Tests: Internal (3, 12)
• GitHub Check: internal / 🧪 Unit Tests: Internal (5, 12)
• GitHub Check: internal / 🧪 Unit Tests: Internal (8, 12)
• GitHub Check: internal / 🧪 Unit Tests: Internal (7, 12)
• GitHub Check: webapp / 🧪 Unit Tests: Webapp (3, 10)
• GitHub Check: internal / 🧪 Unit Tests: Internal (11, 12)
• GitHub Check: internal / 🧪 Unit Tests: Internal (12, 12)
• GitHub Check: internal / 🧪 Unit Tests: Internal (6, 12)
• GitHub Check: internal / 🧪 Unit Tests: Internal (4, 12)
• GitHub Check: webapp / 🧪 Unit Tests: Webapp (1, 10)
• GitHub Check: webapp / 🧪 Unit Tests: Webapp (2, 10)
• GitHub Check: e2e / 🧪 CLI v3 tests (blacksmith-4vcpu-ubuntu-2404 - pnpm)
• GitHub Check: webapp / 🧪 Unit Tests: Webapp (10, 10)
• GitHub Check: webapp / 🧪 Unit Tests: Webapp (5, 10)
• GitHub Check: webapp / 🧪 Unit Tests: Webapp (8, 10)
• GitHub Check: webapp / 🧪 Unit Tests: Webapp (4, 10)
• GitHub Check: webapp / 🧪 Unit Tests: Webapp (9, 10)
• GitHub Check: sdk-compat / Node.js 22.12 (blacksmith-4vcpu-ubuntu-2404)
• GitHub Check: webapp / 🧪 Unit Tests: Webapp (7, 10)
• GitHub Check: webapp / 🧪 Unit Tests: Webapp (6, 10)
• GitHub Check: e2e / 🧪 CLI v3 tests (blacksmith-4vcpu-ubuntu-2404 - npm)
• GitHub Check: sdk-compat / Cloudflare Workers
• GitHub Check: e2e / 🧪 CLI v3 tests (blacksmith-4vcpu-windows-2025 - pnpm)
• GitHub Check: packages / 🧪 Unit Tests: Packages (3, 3)
• GitHub Check: packages / 🧪 Unit Tests: Packages (2, 3)
• GitHub Check: sdk-compat / Deno Runtime
• GitHub Check: packages / 🧪 Unit Tests: Packages (1, 3)
• GitHub Check: sdk-compat / Bun Runtime
• GitHub Check: e2e-webapp / 🧪 E2E Tests: Webapp
• GitHub Check: typecheck / typecheck
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: Build and publish previews

---

Walkthrough

A new exported function redactArgsForLogging is added to packages/core/src/v3/apps/exec.ts. It redacts values for credential-bearing long flags in both separate-argument and inline --flag=value forms. Exec.x uses the redacted arrays for debug output and later metadata while still executing the command with the original arguments. Vitest tests cover the helper, and a changeset entry is included.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description explains the change, but it omits required template sections like Closes #issue, checklist, Testing, Changelog, and Screenshots.	Add the missing template sections, including Closes #issue, checklist items, testing steps, changelog, and screenshots placeholders.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: redacting sensitive exec command flag values from logs.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/redact-exec-arg-logging

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[pkg-pr-new]

Open in StackBlitz

@trigger.dev/build

npm i https://pkg.pr.new/@trigger.dev/build@54ad582

trigger.dev

npm i https://pkg.pr.new/trigger.dev@54ad582

@trigger.dev/core

npm i https://pkg.pr.new/@trigger.dev/core@54ad582

@trigger.dev/python

npm i https://pkg.pr.new/@trigger.dev/python@54ad582

@trigger.dev/react-hooks

npm i https://pkg.pr.new/@trigger.dev/react-hooks@54ad582

@trigger.dev/redis-worker

npm i https://pkg.pr.new/@trigger.dev/redis-worker@54ad582

@trigger.dev/rsc

npm i https://pkg.pr.new/@trigger.dev/rsc@54ad582

@trigger.dev/schema-to-json

npm i https://pkg.pr.new/@trigger.dev/schema-to-json@54ad582

@trigger.dev/sdk

npm i https://pkg.pr.new/@trigger.dev/sdk@54ad582

commit: 54ad582