@f5xc-salesdemos/xcsh 18.19.0 → 18.19.2

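--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -8,6 +8,7 @@
  ### Fixed
 
  - Fixed gutter width propagation in the fallback tool renderer: `#formatToolExecution()` now receives the actual available width at render-time and uses it for line truncation instead of a hardcoded 80-column limit. On narrow terminals (<82 cols) this prevents content wider than the gutter-adjusted viewport; on wide terminals it allows longer output lines. ([#117](https://github.com/f5xc-salesdemos/xcsh/issues/117))
+ - Fixed `resolveConfigValue` returning literal env var names (e.g. `"LITELLM_API_KEY"`) as API keys when the env var is unset, causing 401 errors on first launch. The resolver now rejects unresolved `ALL_CAPS_WITH_UNDERSCORES` patterns, matching the existing guard in `resolveYamlApiKeyConfig`. ([#241](https://github.com/f5xc-salesdemos/xcsh/issues/241))
 
 
  ### Changed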
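--- a/package/package.json
+++ b/package/package.json
@@ -1,7 +1,7 @@
  {
  "type": "module",
  "name": "@f5xc-salesdemos/xcsh",
- "version": "18.19.0",
+ "version": "18.19.2",
  "description": "Coding agent CLI with read, bash, edit, write tools and session management",
  "homepage": "https://github.com/f5xc-salesdemos/xcsh",
  "author": "Can Boluk",
@@ -47,12 +47,12 @@
  "dependencies": {
  "@agentclientprotocol/sdk": "0.16.1",
  "@mozilla/readability": "^0.6",
- "@f5xc-salesdemos/xcsh-stats": "18.19.0",
- "@f5xc-salesdemos/pi-agent-core": "18.19.0",
- "@f5xc-salesdemos/pi-ai": "18.19.0",
- "@f5xc-salesdemos/pi-natives": "18.19.0",
- "@f5xc-salesdemos/pi-tui": "18.19.0",
- "@f5xc-salesdemos/pi-utils": "18.19.0",
+ "@f5xc-salesdemos/xcsh-stats": "18.19.2",
+ "@f5xc-salesdemos/pi-agent-core": "18.19.2",
+ "@f5xc-salesdemos/pi-ai": "18.19.2",
+ "@f5xc-salesdemos/pi-natives": "18.19.2",
+ "@f5xc-salesdemos/pi-tui": "18.19.2",
+ "@f5xc-salesdemos/pi-utils": "18.19.2",
  "@sinclair/typebox": "^0.34",
  "@xterm/headless": "^6.0",
  "ajv": "^8.18",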
@@ -6,6 +6,14 @@
6
6
 
7
7
  import { executeShell } from "@f5xc-salesdemos/pi-natives";
8
8
 
9
+ /**
10
+ * Matches strings that look like environment variable names: ALL_CAPS_WITH_UNDERSCORES.
11
+ * Used to prevent sending literal env var names (e.g. "LITELLM_API_KEY") as Bearer
12
+ * tokens when the env var is unset. Same pattern as resolveYamlApiKeyConfig in
13
+ * model-registry.ts.
14
+ */
15
+ const ENV_VAR_NAME_RE = /^[A-Z][A-Z0-9]*(?:_[A-Z][A-Z0-9]*)+$/;
16
+
9
17
  /** Cache for successful shell command results (persists for process lifetime). */
10
18
  const commandResultCache = new Map<string, string>();
11
19
 
@@ -15,14 +23,22 @@ const commandInFlight = new Map<string, Promise<string | undefined>>();
15
23
  /**
16
24
  * Resolve a config value (API key, header value, etc.) to an actual value.
17
25
  * - If starts with "!", executes the rest as a shell command and uses stdout (cached)
18
- * - Otherwise checks environment variable first, then treats as literal (not cached)
26
+ * - Otherwise checks environment variable first
27
+ * - If the env var is unset and the config string looks like an env var name
28
+ * (ALL_CAPS_WITH_UNDERSCORES), returns undefined to prevent leaking literal
29
+ * names as Bearer tokens (see issue #241)
30
+ * - Otherwise treats the config string as a literal value
19
31
  */
20
32
  export async function resolveConfigValue(config: string): Promise<string | undefined> {
21
33
  if (config.startsWith("!")) {
22
34
  return await executeCommand(config);
23
35
  }
24
36
  const envValue = process.env[config];
25
- return envValue || config;
37
+ if (envValue) return envValue;
38
+ // Reject unresolved env var names to prevent sending literal names as API keys.
39
+ // Actual literal API keys (sk-ant-..., UUIDs, etc.) won't match this pattern.
40
+ if (ENV_VAR_NAME_RE.test(config)) return undefined;
41
+ return config;
26
42
  }
27
43
 
28
44
  async function executeCommand(commandConfig: string): Promise<string | undefined> {
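Review bot: `ENV_VAR_NAME_RE` in the first hunk requires at least one underscore and requires every underscore-separated segment to start with a letter, so an unset name such as `API_KEY_2` or a single-word `TOKEN` does not match and `resolveConfigValue` still returns it as a literal value, which is the case the guard is meant to stop. If digit-leading segments are not excluded on purpose, `const ENV_VAR_NAME_RE = /^[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+$/;` covers them; the comment says the pattern mirrors `resolveYamlApiKeyConfig`, so that copy would presumably need the same change. The docstring describes the function as resolving header values as well as API keys, so a literal header value that happens to be all caps with underscores is now dropped without any diagnostic; the docstring should state that the check is a heuristic and that callers must treat `undefined` as "not configured", for example `// NOTE: heuristic; an ALL_CAPS_WITH_UNDERSCORES literal is indistinguishable from an unset env var name and resolves to undefined`. `executeCommand` begins on the last line of the hunk and its body is outside it.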
@@ -17,17 +17,17 @@ export interface BuildInfo {
17
17
  }
18
18
 
19
19
  export const BUILD_INFO: BuildInfo = {
20
- "version": "18.19.0",
21
- "commit": "fe4ea3cc7fa01646c63e42957272bbf427c1e9e8",
22
- "shortCommit": "fe4ea3c",
20
+ "version": "18.19.2",
21
+ "commit": "aadf3b16536d2269c1e1ff2ee1aefa406c1f4ecc",
22
+ "shortCommit": "aadf3b1",
23
23
  "branch": "main",
24
- "tag": "v18.19.0",
25
- "commitDate": "2026-04-27T07:01:24Z",
26
- "buildDate": "2026-04-27T07:23:45.386Z",
24
+ "tag": "v18.19.2",
25
+ "commitDate": "2026-04-27T21:44:40Z",
26
+ "buildDate": "2026-04-27T22:06:55.819Z",
27
27
  "dirty": false,
28
28
  "prNumber": "",
29
29
  "repoUrl": "https://github.com/f5xc-salesdemos/xcsh",
30
30
  "repoSlug": "f5xc-salesdemos/xcsh",
31
- "commitUrl": "https://github.com/f5xc-salesdemos/xcsh/commit/fe4ea3cc7fa01646c63e42957272bbf427c1e9e8",
32
- "releaseUrl": "https://github.com/f5xc-salesdemos/xcsh/releases/tag/v18.19.0"
31
+ "commitUrl": "https://github.com/f5xc-salesdemos/xcsh/commit/aadf3b16536d2269c1e1ff2ee1aefa406c1f4ecc",
32
+ "releaseUrl": "https://github.com/f5xc-salesdemos/xcsh/releases/tag/v18.19.2"
33
33
  };