librechat-data-provider 0.8.302 → 0.8.400

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "librechat-data-provider",
-  "version": "0.8.302",
+  "version": "0.8.400",
   "description": "data services for librechat apps",
   "main": "dist/index.js",
   "module": "dist/index.es.js",

package/specs/mcp.spec.ts

@@ -0,0 +1,147 @@
+import { SSEOptionsSchema, MCPServerUserInputSchema } from '../src/mcp';
+
+describe('MCPServerUserInputSchema', () => {
+  describe('env variable exfiltration prevention', () => {
+    it('should confirm admin schema resolves env vars (attack vector baseline)', () => {
+      process.env.FAKE_SECRET = 'leaked-secret-value';
+      const adminResult = SSEOptionsSchema.safeParse({
+        type: 'sse',
+        url: 'http://attacker.com/?secret=${FAKE_SECRET}',
+      });
+      expect(adminResult.success).toBe(true);
+      if (adminResult.success) {
+        expect(adminResult.data.url).toContain('leaked-secret-value');
+      }
+      delete process.env.FAKE_SECRET;
+    });
+
+    it('should reject the same URL through user input schema', () => {
+      process.env.FAKE_SECRET = 'leaked-secret-value';
+      const userResult = MCPServerUserInputSchema.safeParse({
+        type: 'sse',
+        url: 'http://attacker.com/?secret=${FAKE_SECRET}',
+      });
+      expect(userResult.success).toBe(false);
+      delete process.env.FAKE_SECRET;
+    });
+  });
+
+  describe('env variable rejection', () => {
+    it('should reject SSE URLs containing env variable patterns', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'sse',
+        url: 'http://attacker.com/?secret=${FAKE_SECRET}',
+      });
+      expect(result.success).toBe(false);
+    });
+
+    it('should reject streamable-http URLs containing env variable patterns', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'streamable-http',
+        url: 'http://attacker.com/?jwt=${JWT_SECRET}',
+      });
+      expect(result.success).toBe(false);
+    });
+
+    it('should reject WebSocket URLs containing env variable patterns', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'websocket',
+        url: 'ws://attacker.com/?secret=${FAKE_SECRET}',
+      });
+      expect(result.success).toBe(false);
+    });
+  });
+
+  describe('protocol allowlisting', () => {
+    it('should reject file:// URLs for SSE', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'sse',
+        url: 'file:///etc/passwd',
+      });
+      expect(result.success).toBe(false);
+    });
+
+    it('should reject ftp:// URLs for streamable-http', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'streamable-http',
+        url: 'ftp://internal-server/data',
+      });
+      expect(result.success).toBe(false);
+    });
+
+    it('should reject http:// URLs for WebSocket', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'websocket',
+        url: 'http://example.com/ws',
+      });
+      expect(result.success).toBe(false);
+    });
+
+    it('should reject ws:// URLs for SSE', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'sse',
+        url: 'ws://example.com/sse',
+      });
+      expect(result.success).toBe(false);
+    });
+  });
+
+  describe('valid URL acceptance', () => {
+    it('should accept valid https:// SSE URLs', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'sse',
+        url: 'https://mcp-server.com/sse',
+      });
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(result.data.url).toBe('https://mcp-server.com/sse');
+      }
+    });
+
+    it('should accept valid http:// SSE URLs', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'sse',
+        url: 'http://mcp-server.com/sse',
+      });
+      expect(result.success).toBe(true);
+    });
+
+    it('should accept valid wss:// WebSocket URLs', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'websocket',
+        url: 'wss://mcp-server.com/ws',
+      });
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(result.data.url).toBe('wss://mcp-server.com/ws');
+      }
+    });
+
+    it('should accept valid ws:// WebSocket URLs', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'websocket',
+        url: 'ws://mcp-server.com/ws',
+      });
+      expect(result.success).toBe(true);
+    });
+
+    it('should accept valid https:// streamable-http URLs', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'streamable-http',
+        url: 'https://mcp-server.com/http',
+      });
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(result.data.url).toBe('https://mcp-server.com/http');
+      }
+    });
+
+    it('should accept valid http:// streamable-http URLs with "http" alias', () => {
+      const result = MCPServerUserInputSchema.safeParse({
+        type: 'http',
+        url: 'http://mcp-server.com/mcp',
+      });
+      expect(result.success).toBe(true);
+    });
+  });
+});

package/specs/utils.spec.ts

@@ -1,4 +1,4 @@
-import { extractEnvVariable } from '../src/utils';
+import { extractEnvVariable, isSensitiveEnvVar } from '../src/utils';
 
 describe('Environment Variable Extraction', () => {
   const originalEnv = process.env;
@@ -7,7 +7,7 @@ describe('Environment Variable Extraction', () => {
     process.env = {
       ...originalEnv,
       TEST_API_KEY: 'test-api-key-value',
-      ANOTHER_SECRET: 'another-secret-value',
+      ANOTHER_VALUE: 'another-value',
     };
   });
 
@@ -55,7 +55,7 @@ describe('Environment Variable Extraction', () => {
   describe('extractEnvVariable function', () => {
     it('should extract environment variables from exact matches', () => {
       expect(extractEnvVariable('${TEST_API_KEY}')).toBe('test-api-key-value');
-      expect(extractEnvVariable('${ANOTHER_SECRET}')).toBe('another-secret-value');
+      expect(extractEnvVariable('${ANOTHER_VALUE}')).toBe('another-value');
     });
 
     it('should extract environment variables from strings with prefixes', () => {
@@ -82,7 +82,7 @@ describe('Environment Variable Extraction', () => {
   describe('extractEnvVariable', () => {
     it('should extract environment variable values', () => {
       expect(extractEnvVariable('${TEST_API_KEY}')).toBe('test-api-key-value');
-      expect(extractEnvVariable('${ANOTHER_SECRET}')).toBe('another-secret-value');
+      expect(extractEnvVariable('${ANOTHER_VALUE}')).toBe('another-value');
     });
 
     it('should return the original string if environment variable is not found', () => {
@@ -126,4 +126,71 @@ describe('Environment Variable Extraction', () => {
       );
     });
   });
+
+  describe('isSensitiveEnvVar', () => {
+    it('should flag infrastructure secrets', () => {
+      expect(isSensitiveEnvVar('JWT_SECRET')).toBe(true);
+      expect(isSensitiveEnvVar('JWT_REFRESH_SECRET')).toBe(true);
+      expect(isSensitiveEnvVar('CREDS_KEY')).toBe(true);
+      expect(isSensitiveEnvVar('CREDS_IV')).toBe(true);
+      expect(isSensitiveEnvVar('MEILI_MASTER_KEY')).toBe(true);
+      expect(isSensitiveEnvVar('MONGO_URI')).toBe(true);
+      expect(isSensitiveEnvVar('REDIS_URI')).toBe(true);
+      expect(isSensitiveEnvVar('REDIS_PASSWORD')).toBe(true);
+    });
+
+    it('should allow non-infrastructure vars through (including operator-configured secrets)', () => {
+      expect(isSensitiveEnvVar('OPENAI_API_KEY')).toBe(false);
+      expect(isSensitiveEnvVar('ANTHROPIC_API_KEY')).toBe(false);
+      expect(isSensitiveEnvVar('GOOGLE_KEY')).toBe(false);
+      expect(isSensitiveEnvVar('PROXY')).toBe(false);
+      expect(isSensitiveEnvVar('DEBUG_LOGGING')).toBe(false);
+      expect(isSensitiveEnvVar('DOMAIN_CLIENT')).toBe(false);
+      expect(isSensitiveEnvVar('APP_TITLE')).toBe(false);
+      expect(isSensitiveEnvVar('OPENID_CLIENT_SECRET')).toBe(false);
+      expect(isSensitiveEnvVar('DISCORD_CLIENT_SECRET')).toBe(false);
+      expect(isSensitiveEnvVar('MY_CUSTOM_SECRET')).toBe(false);
+    });
+  });
+
+  describe('extractEnvVariable sensitive var blocklist', () => {
+    beforeEach(() => {
+      process.env.JWT_SECRET = 'super-secret-jwt';
+      process.env.JWT_REFRESH_SECRET = 'super-secret-refresh';
+      process.env.CREDS_KEY = 'encryption-key';
+      process.env.CREDS_IV = 'encryption-iv';
+      process.env.MEILI_MASTER_KEY = 'meili-key';
+      process.env.MONGO_URI = 'mongodb://user:pass@host/db';
+      process.env.REDIS_URI = 'redis://:pass@host:6379';
+      process.env.REDIS_PASSWORD = 'redis-pass';
+      process.env.OPENAI_API_KEY = 'sk-legit-key';
+    });
+
+    it('should refuse to resolve sensitive vars (single-match path)', () => {
+      expect(extractEnvVariable('${JWT_SECRET}')).toBe('${JWT_SECRET}');
+      expect(extractEnvVariable('${JWT_REFRESH_SECRET}')).toBe('${JWT_REFRESH_SECRET}');
+      expect(extractEnvVariable('${CREDS_KEY}')).toBe('${CREDS_KEY}');
+      expect(extractEnvVariable('${CREDS_IV}')).toBe('${CREDS_IV}');
+      expect(extractEnvVariable('${MEILI_MASTER_KEY}')).toBe('${MEILI_MASTER_KEY}');
+      expect(extractEnvVariable('${MONGO_URI}')).toBe('${MONGO_URI}');
+      expect(extractEnvVariable('${REDIS_URI}')).toBe('${REDIS_URI}');
+      expect(extractEnvVariable('${REDIS_PASSWORD}')).toBe('${REDIS_PASSWORD}');
+    });
+
+    it('should refuse to resolve sensitive vars in composite strings (multi-match path)', () => {
+      expect(extractEnvVariable('key=${JWT_SECRET}&more')).toBe('key=${JWT_SECRET}&more');
+      expect(extractEnvVariable('db=${MONGO_URI}/extra')).toBe('db=${MONGO_URI}/extra');
+    });
+
+    it('should still resolve non-sensitive vars normally', () => {
+      expect(extractEnvVariable('${OPENAI_API_KEY}')).toBe('sk-legit-key');
+      expect(extractEnvVariable('Bearer ${OPENAI_API_KEY}')).toBe('Bearer sk-legit-key');
+    });
+
+    it('should resolve non-sensitive vars while blocking sensitive ones in the same string', () => {
+      expect(extractEnvVariable('key=${OPENAI_API_KEY}&secret=${JWT_SECRET}')).toBe(
+        'key=sk-legit-key&secret=${JWT_SECRET}',
+      );
+    });
+  });
 });

package/src/accessPermissions.ts

@@ -200,9 +200,9 @@ export type TUpdateResourcePermissionsResponse = z.infer<
  * Principal search request parameters
  */
 export type TPrincipalSearchParams = {
-  q: string; // search query (required)
-  limit?: number; // max results (1-50, default 10)
-  type?: PrincipalType.USER | PrincipalType.GROUP | PrincipalType.ROLE; // filter by type (optional)
+  q: string;
+  limit?: number;
+  types?: Array<PrincipalType.USER | PrincipalType.GROUP | PrincipalType.ROLE>;
 };
 
 /**
@@ -228,7 +228,7 @@ export type TPrincipalSearchResult = {
 export type TPrincipalSearchResponse = {
   query: string;
   limit: number;
-  type?: PrincipalType.USER | PrincipalType.GROUP | PrincipalType.ROLE;
+  types?: Array<PrincipalType.USER | PrincipalType.GROUP | PrincipalType.ROLE> | null;
   results: TPrincipalSearchResult[];
   count: number;
   sources: {

package/src/config.ts

@@ -1560,6 +1560,10 @@ export enum ErrorTypes {
    * No Base URL Provided.
    */
   NO_BASE_URL = 'no_base_url',
+  /**
+   * Base URL targets a restricted or invalid address (SSRF protection).
+   */
+  INVALID_BASE_URL = 'invalid_base_url',
   /**
    * Moderation error
    */
@@ -1736,7 +1740,7 @@ export enum TTSProviders {
 /** Enum for app-wide constants */
 export enum Constants {
   /** Key for the app's version. */
-  VERSION = 'v0.8.3',
+  VERSION = 'v0.8.4-rc1',
   /** Key for the Custom Config's version (librechat.yaml). */
   CONFIG_VERSION = '1.3.6',
   /** Standard value for the first message's `parentMessageId` value, to indicate no parent exists. */

package/src/data-service.ts

@@ -21,8 +21,8 @@ export function revokeAllUserKeys(): Promise<unknown> {
   return request.delete(endpoints.revokeAllUserKeys());
 }
 
-export function deleteUser(): Promise<s.TPreset> {
-  return request.delete(endpoints.deleteUser());
+export function deleteUser(payload?: t.TDeleteUserRequest): Promise<unknown> {
+  return request.deleteWithOptions(endpoints.deleteUser(), { data: payload });
 }
 
 export type FavoriteItem = {
@@ -970,8 +970,8 @@ export function updateFeedback(
 }
 
 // 2FA
-export function enableTwoFactor(): Promise<t.TEnable2FAResponse> {
-  return request.get(endpoints.enableTwoFactor());
+export function enableTwoFactor(payload?: t.TEnable2FARequest): Promise<t.TEnable2FAResponse> {
+  return request.post(endpoints.enableTwoFactor(), payload);
 }
 
 export function verifyTwoFactor(payload: t.TVerify2FARequest): Promise<t.TVerify2FAResponse> {
@@ -986,8 +986,10 @@ export function disableTwoFactor(payload?: t.TDisable2FARequest): Promise<t.TDis
   return request.post(endpoints.disableTwoFactor(), payload);
 }
 
-export function regenerateBackupCodes(): Promise<t.TRegenerateBackupCodesResponse> {
-  return request.post(endpoints.regenerateBackupCodes());
+export function regenerateBackupCodes(
+  payload?: t.TRegenerateBackupCodesRequest,
+): Promise<t.TRegenerateBackupCodesResponse> {
+  return request.post(endpoints.regenerateBackupCodes(), payload);
 }
 
 export function verifyTwoFactorTemp(

package/src/file-config.spec.ts

@@ -1,15 +1,52 @@
 import type { FileConfig } from './types/files';
 import {
   fileConfig as baseFileConfig,
+  documentParserMimeTypes,
   getEndpointFileConfig,
-  mergeFileConfig,
   applicationMimeTypes,
   defaultOCRMimeTypes,
-  documentParserMimeTypes,
   supportedMimeTypes,
+  mergeFileConfig,
+  inferMimeType,
+  textMimeTypes,
 } from './file-config';
 import { EModelEndpoint } from './schemas';
 
+describe('inferMimeType', () => {
+  it('should normalize text/x-python-script to text/x-python', () => {
+    expect(inferMimeType('test.py', 'text/x-python-script')).toBe('text/x-python');
+  });
+
+  it('should return a type that matches textMimeTypes after normalization', () => {
+    const normalized = inferMimeType('test.py', 'text/x-python-script');
+    expect(textMimeTypes.test(normalized)).toBe(true);
+  });
+
+  it('should pass through standard browser types unchanged', () => {
+    expect(inferMimeType('test.py', 'text/x-python')).toBe('text/x-python');
+    expect(inferMimeType('doc.pdf', 'application/pdf')).toBe('application/pdf');
+  });
+
+  it('should infer from extension when browser type is empty', () => {
+    expect(inferMimeType('test.py', '')).toBe('text/x-python');
+    expect(inferMimeType('code.js', '')).toBe('text/javascript');
+    expect(inferMimeType('photo.heic', '')).toBe('image/heic');
+  });
+
+  it('should return empty string for unknown extension with no browser type', () => {
+    expect(inferMimeType('file.xyz', '')).toBe('');
+  });
+
+  it('should produce a type accepted by checkType after normalizing text/x-python-script', () => {
+    const normalized = inferMimeType('test.py', 'text/x-python-script');
+    expect(baseFileConfig.checkType(normalized)).toBe(true);
+  });
+
+  it('should reject raw text/x-python-script without normalization', () => {
+    expect(baseFileConfig.checkType('text/x-python-script')).toBe(false);
+  });
+});
+
 describe('applicationMimeTypes', () => {
   const odfTypes = [
     'application/vnd.oasis.opendocument.text',

package/src/file-config.ts

@@ -357,15 +357,21 @@ export const imageTypeMapping: { [key: string]: string } = {
   heif: 'image/heif',
 };
 
+/** Normalizes non-standard MIME types that browsers may report to their canonical forms */
+export const mimeTypeAliases: Readonly<Record<string, string>> = {
+  'text/x-python-script': 'text/x-python',
+};
+
 /**
- * Infers the MIME type from a file's extension when the browser doesn't recognize it
- * @param fileName - The name of the file including extension
- * @param currentType - The current MIME type reported by the browser (may be empty)
- * @returns The inferred MIME type if browser didn't provide one, otherwise the original type
+ * Infers the MIME type from a file's extension when the browser doesn't recognize it,
+ * and normalizes known non-standard MIME type aliases to their canonical forms.
+ * @param fileName - The file name including its extension
+ * @param currentType - The MIME type reported by the browser (may be empty string)
+ * @returns The normalized or inferred MIME type; empty string if unresolvable
  */
 export function inferMimeType(fileName: string, currentType: string): string {
   if (currentType) {
-    return currentType;
+    return mimeTypeAliases[currentType] ?? currentType;
   }
 
   const extension = fileName.split('.').pop()?.toLowerCase() ?? '';

package/src/mcp.ts

@@ -223,6 +223,23 @@ const omitServerManagedFields = <T extends z.ZodObject<z.ZodRawShape>>(schema: T
     oauth_headers: true,
   });
 
+const envVarPattern = /\$\{[^}]+\}/;
+const isWsProtocol = (val: string): boolean => /^wss?:/i.test(val);
+const isHttpProtocol = (val: string): boolean => /^https?:/i.test(val);
+
+/**
+ * Builds a URL schema for user input that rejects ${VAR} env variable patterns
+ * and validates protocol constraints without resolving environment variables.
+ */
+const userUrlSchema = (protocolCheck: (val: string) => boolean, message: string) =>
+  z
+    .string()
+    .refine((val) => !envVarPattern.test(val), {
+      message: 'Environment variable references are not allowed in URLs',
+    })
+    .pipe(z.string().url())
+    .refine(protocolCheck, { message });
+
 /**
  * MCP Server configuration that comes from UI/API input only.
  * Omits server-managed fields like startup, timeout, customUserVars, etc.
@@ -232,11 +249,23 @@ const omitServerManagedFields = <T extends z.ZodObject<z.ZodRawShape>>(schema: T
  * Stdio allows arbitrary command execution and should only be configured
  * by administrators via the YAML config file (librechat.yaml).
  * Only remote transports (SSE, HTTP, WebSocket) are allowed via the API.
+ *
+ * SECURITY: URL fields use userUrlSchema instead of the admin schemas'
+ * extractEnvVariable transform to prevent env variable exfiltration
+ * through user-controlled URLs (e.g. http://attacker.com/?k=${JWT_SECRET}).
+ * Protocol checks use positive allowlists (http(s) / ws(s)) to block
+ * file://, ftp://, javascript:, and other non-network schemes.
  */
 export const MCPServerUserInputSchema = z.union([
-  omitServerManagedFields(WebSocketOptionsSchema),
-  omitServerManagedFields(SSEOptionsSchema),
-  omitServerManagedFields(StreamableHTTPOptionsSchema),
+  omitServerManagedFields(WebSocketOptionsSchema).extend({
+    url: userUrlSchema(isWsProtocol, 'WebSocket URL must use ws:// or wss://'),
+  }),
+  omitServerManagedFields(SSEOptionsSchema).extend({
+    url: userUrlSchema(isHttpProtocol, 'SSE URL must use http:// or https://'),
+  }),
+  omitServerManagedFields(StreamableHTTPOptionsSchema).extend({
+    url: userUrlSchema(isHttpProtocol, 'Streamable HTTP URL must use http:// or https://'),
+  }),
 ]);
 
 export type MCPServerUserInput = z.infer<typeof MCPServerUserInputSchema>;

package/src/types.ts

@@ -425,28 +425,29 @@ export type TLoginResponse = {
   tempToken?: string;
 };
 
+/** Shared payload for any operation that requires OTP or backup-code verification. */
+export type TOTPVerificationPayload = {
+  token?: string;
+  backupCode?: string;
+};
+
+export type TEnable2FARequest = TOTPVerificationPayload;
+
 export type TEnable2FAResponse = {
   otpauthUrl: string;
   backupCodes: string[];
   message?: string;
 };
 
-export type TVerify2FARequest = {
-  token?: string;
-  backupCode?: string;
-};
+export type TVerify2FARequest = TOTPVerificationPayload;
 
 export type TVerify2FAResponse = {
   message: string;
 };
 
-/**
- * For verifying 2FA during login with a temporary token.
- */
-export type TVerify2FATempRequest = {
+/** For verifying 2FA during login with a temporary token. */
+export type TVerify2FATempRequest = TOTPVerificationPayload & {
   tempToken: string;
-  token?: string;
-  backupCode?: string;
 };
 
 export type TVerify2FATempResponse = {
@@ -455,30 +456,22 @@ export type TVerify2FATempResponse = {
   message?: string;
 };
 
-/**
- * Request for disabling 2FA.
- */
-export type TDisable2FARequest = {
-  token?: string;
-  backupCode?: string;
-};
+export type TDisable2FARequest = TOTPVerificationPayload;
 
-/**
- * Response from disabling 2FA.
- */
 export type TDisable2FAResponse = {
   message: string;
 };
 
-/**
- * Response from regenerating backup codes.
- */
+export type TRegenerateBackupCodesRequest = TOTPVerificationPayload;
+
 export type TRegenerateBackupCodesResponse = {
-  message: string;
+  message?: string;
   backupCodes: string[];
-  backupCodesHash: string[];
+  backupCodesHash: TBackupCode[];
 };
 
+export type TDeleteUserRequest = TOTPVerificationPayload;
+
 export type TRequestPasswordReset = {
   email: string;
 };

package/src/utils.ts

@@ -1,5 +1,29 @@
 export const envVarRegex = /^\${(.+)}$/;
 
+/**
+ * Infrastructure env vars that must never be resolved via placeholder expansion.
+ * These are internal secrets whose exposure would compromise the system —
+ * they have no legitimate reason to appear in outbound headers, MCP env/args, or OAuth config.
+ *
+ * Intentionally excludes API keys (operators reference them in config) and
+ * OAuth/session secrets (referenced in MCP OAuth config via processMCPEnv).
+ */
+const SENSITIVE_ENV_VARS = new Set([
+  'JWT_SECRET',
+  'JWT_REFRESH_SECRET',
+  'CREDS_KEY',
+  'CREDS_IV',
+  'MEILI_MASTER_KEY',
+  'MONGO_URI',
+  'REDIS_URI',
+  'REDIS_PASSWORD',
+]);
+
+/** Returns true when `varName` refers to an infrastructure secret that must not leak. */
+export function isSensitiveEnvVar(varName: string): boolean {
+  return SENSITIVE_ENV_VARS.has(varName);
+}
+
 /** Extracts the environment variable name from a template literal string */
 export function extractVariableName(value: string): string | null {
   if (!value) {
@@ -16,21 +40,20 @@ export function extractEnvVariable(value: string) {
     return value;
   }
 
-  // Trim the input
   const trimmed = value.trim();
 
-  // Special case: if it's just a single environment variable
   const singleMatch = trimmed.match(envVarRegex);
   if (singleMatch) {
     const varName = singleMatch[1];
+    if (isSensitiveEnvVar(varName)) {
+      return trimmed;
+    }
     return process.env[varName] || trimmed;
   }
 
-  // For multiple variables, process them using a regex loop
   const regex = /\${([^}]+)}/g;
   let result = trimmed;
 
-  // First collect all matches and their positions
   const matches = [];
   let match;
   while ((match = regex.exec(trimmed)) !== null) {
@@ -41,12 +64,12 @@ export function extractEnvVariable(value: string) {
     });
   }
 
-  // Process matches in reverse order to avoid position shifts
   for (let i = matches.length - 1; i >= 0; i--) {
     const { fullMatch, varName, index } = matches[i];
+    if (isSensitiveEnvVar(varName)) {
+      continue;
+    }
     const envValue = process.env[varName] || fullMatch;
-
-    // Replace at exact position
     result = result.substring(0, index) + envValue + result.substring(index + fullMatch.length);
   }