Skip to content

fix(gastown): stop logging town config secrets#3649

Open
evanjacobson wants to merge 3 commits into
mainfrom
improvement/gastown-town-config-shape
Open

fix(gastown): stop logging town config secrets#3649
evanjacobson wants to merge 3 commits into
mainfrom
improvement/gastown-town-config-shape

Conversation

@evanjacobson
Copy link
Copy Markdown
Contributor

@evanjacobson evanjacobson commented Jun 1, 2026
edited
Loading

Summary

Cloudflare request logs could expose credential-bearing town config because the container control plane sent full config through X-Town-Config headers. This keeps startup/config-sync behavior intact while moving secrets and custom env vars onto non-header paths.

Details
  • Sanitizes X-Town-Config to carry only non-secret town context.
  • Sends config-derived env vars through request bodies or persisted container env vars instead.
  • Centralizes reserved env-key filtering so user custom env vars cannot override Gastown control-plane credentials across start, merge, sync, and restart paths.
  • Follows the existing TownDO/container split: TownDO builds container payloads, while the container control server applies runtime env updates.

Verification

No manual verification; this is a backend-only container config propagation change with no UI or visual behavior.

Visual Changes

N/A

Reviewer Notes

Focus areas: secret-bearing fields should stay out of headers, and model hot-swap/start/merge paths should continue receiving credentials through body/env-var paths.

kilo-code-bot[bot]
kilo-code-bot Bot reviewed Jun 1, 2026
View reviewed changes
Comment thread services/gastown/container/src/control-server.ts
Comment thread services/gastown/container/src/control-server.ts
@kilo-code-bot
Copy link
Copy Markdown
Contributor

kilo-code-bot Bot commented Jun 1, 2026
edited
Loading

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Executive Summary

All three new commits cleanly resolve both pre-existing warnings: GASTOWN_API_URL is now preserved on absent sync payloads via CONFIG_SYNC_ENV_KEYS_PRESERVE_WHEN_ABSENT, and the dual reserved-key set divergence is eliminated by centralizing key definitions in env-keys.ts.

Resolved Issues (previously open)
File Issue Status
services/gastown/container/src/control-server.ts GASTOWN_API_URL could be deleted if absent from /sync-config body FixedCONFIG_SYNC_ENV_KEYS_PRESERVE_WHEN_ABSENT guard added at line 82
services/gastown/container/src/control-server.ts Dual reserved-key sets (RESERVED_ENV_KEYS vs RESERVED_CONTAINER_ENV_KEYS) diverging silently Fixed — both now re-export the same RESERVED_ENV_KEYS from env-keys.ts
Incremental Review (commits since bf16ab1)

Commits reviewed: 8925f76, d0f3719, 7383558

  • services/gastown/container/src/env-keys.ts — new, no issues. Centralizes RESERVED_ENV_KEYS and CONFIG_SYNC_ENV_KEYS as single source of truth.
  • services/gastown/container/src/control-server.ts — both pre-existing warnings resolved. syncTownConfigToProcessEnv logic is correct: reserved-but-not-sync-keyed values are skipped; custom keys are tracked and cleaned up; GASTOWN_API_URL is preserved on absent payload.
  • services/gastown/container/src/control-server.test.ts — new, no issues. Correctly validates GASTOWN_API_URL preservation behavior.
  • services/gastown/src/dos/town/config.ts — no issues. buildContainerConfig correctly strips all secrets/env_vars from the header payload. buildContainerEnvVars correctly assembles the full secret-bearing body payload. getContainerCustomEnvVars correctly filters reserved keys.
  • services/gastown/src/dos/town/config.test.ts — no issues. Three new test cases cover secret exclusion from X-Town-Config, env var availability outside the header path, and reserved key set alignment between sender and receiver.
  • services/gastown/src/dos/Town.do.ts — no issues. Sends secrets in request body, not header.
  • services/gastown/src/dos/town/container-dispatch.ts — no issues. getContainerCustomEnvVars replaces inline spread that previously bypassed reserved-key filtering.
  • services/gastown/container/src/agent-runner.ts — comment update only, no issues.
  • services/gastown/container/src/process-manager.ts — comment update only, no issues.
Files Reviewed (10 files)
  • services/gastown/container/src/env-keys.ts — new, no issues
  • services/gastown/container/src/control-server.ts — 2 pre-existing warnings resolved
  • services/gastown/container/src/control-server.test.ts — new, no issues
  • services/gastown/src/dos/town/config.ts — no issues
  • services/gastown/src/dos/town/config.test.ts — no issues
  • services/gastown/src/dos/Town.do.ts — no issues
  • services/gastown/src/dos/town/container-dispatch.ts — no issues
  • services/gastown/container/src/agent-runner.ts — no issues
  • services/gastown/container/src/process-manager.ts — no issues
  • services/gastown/container/src/startup-error.ts — carried forward, no issues

Reviewed by claude-sonnet-4.6 · 986,157 tokens

Review guidance: REVIEW.md from base branch main

@evanjacobson evanjacobson changed the title fix(gastown): stop logging town config secrets fix(gastown): harden container startup config Jun 1, 2026
@evanjacobson evanjacobson force-pushed the improvement/gastown-town-config-shape branch from bf16ab1 to 8925f76 Compare June 1, 2026 19:09
@evanjacobson evanjacobson changed the title fix(gastown): harden container startup config fix(gastown): stop logging town config secrets Jun 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kilo-code-bot kilo-code-bot[bot] kilo-code-bot[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@evanjacobson