fix: faithfully round-trip multi-line secret values (CAP-55)#231
Merged
Multi-line secret values (PEM private keys, certs, service-account JSON)
were truncated to their first line across several paths. Reported by
Daniel Zoghalchali (Latchkey) while migrating an RSA private key.
Root causes and fixes:
- Deploy blob: encryptEnvBlob serialized vars as `KEY=value\n` lines and
decryptSecretsBlob re-parsed them by splitting on newlines. A multi-line
PEM both truncated at the first line and minted phantom env vars from
continuation lines containing `=`. Switched to JSON; decryptSecretsBlob
auto-detects JSON vs the legacy line format (leading `{`) so a newer
`capy run` still decrypts blobs minted by an older `capy deploy`.
- `capy edit` TUI: pasted newlines were filtered out, so a multi-line
paste collapsed to one line. Enabled bracketed paste and append pasted
content verbatim; multi-line buffers/values render on one row via a ↵
marker (length-preserving) so the single-row table stays intact.
- `capy decrypt` / dev decrypt wrote `.env.{branch}.decrypted` as bare
`KEY=value`, truncating a decrypted PEM on re-read. Now reuse
exportCommand.dotenvEscape so the output is faithfully re-readable.
- fileManager value snippet collapsed to a single line so the encrypted
.env line is always one physical line for any multi-line value.
Adds regression coverage with a real multi-line RSA PEM fixture: deploy
round-trip + no-phantom-keys + legacy backward-compat, local encrypted
.env round-trip, quoted-.env import, decrypt re-read, and paste
normalization. Full suite green.
Problem
Multi-line secret values — PEM/RSA private keys, certs, service-account JSON — were truncated to their first line across several paths. Reported by Daniel Zoghalchali (Latchkey) while migrating an RSA private key; common in the regulated / on-prem ICP.
Linear: CAP-55
Root causes & fixes
- Deploy blob (`capy deploy` → `capy run`): vars were serialized as `KEY=value\n`; decrypt split on newlines → truncated and minted phantom env vars from continuation lines containing `=`. Switched to JSON; `decryptSecretsBlob` auto-detects JSON vs legacy line format (leading `{`) for backward compat.
- `capy edit` TUI paste: pasted newlines were filtered out. Enabled bracketed paste; multi-line values render on one row via a ↵ marker so the single-row table stays intact.
- `capy decrypt` / dev decrypt wrote `.env.{branch}.decrypted` as bare `KEY=value` → truncated on re-read. Now reuse `exportCommand.dotenvEscape`.
- fileManager `.env` snippet collapsed to a single line so the encrypted `.env` line is always one physical line.
- `.env` import already round-trips quoted multi-line values (dotenv); raw unquoted multi-line in `.env` truncates by dotenv's own design — the ergonomic entry is `capy edit` paste.
Backward compatibility
`decryptSecretsBlob` still decodes the legacy `KEY=value\n` format, so a newer `capy run` decrypts a `SECRETS_BLOB` minted by an older `capy deploy`. Covered by a test.
Tests
Adds a real 2048-bit RSA PEM fixture and 20 regression tests: deploy round-trip + no-phantom-keys + legacy decode, local encrypted-`.env` round-trip (incl. leading-newline / `=` values), quoted-`.env` import, decrypt re-read, and paste/render normalization. Full suite green (414 pass), typecheck clean.
Not covered by automated tests
The bracketed-paste terminal plumbing (`ESC[?2004h`, marker accumulation) needs a real terminal — verified the content-transformation helpers in unit tests; the TTY wiring is a manual check.
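The following TypeScript is an added illustration of the two serialization defects the commit message and the description above describe, and of the shape of the fix; it is not capy's code and not part of this PR. It models only the plaintext layer (how values are joined into a blob or a `.env` line and split back), leaving the encryption out. The function names (`serializeLegacy`, `parseLegacy`, `serializeJson`, `parseSecretsBlob`, `dotenvEscape`, `writeDotenv`, `readDotenv`) and the short PEM-shaped fixture are constructed for this example and are not the project's identifiers.

```typescript
// Added illustration (not capy's code): the plaintext serialization layer the
// PR describes. Encryption is left out; the point is how values are joined
// and split back, which is where multi-line secrets were being lost.

type Vars = { [key: string]: string };

// Constructed stand-in for a PEM: same shape as a real key (header and footer
// lines, base64 body, one body line ending in '=' padding), not a real key.
const SAMPLE_PEM: string = [
  "-----BEGIN PRIVATE KEY-----",
  "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7",
  "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=",
  "-----END PRIVATE KEY-----",
].join("\n");

// Legacy blob format (the bug): one KEY=value per line. A value with embedded
// newlines is indistinguishable from several entries once written this way.
function serializeLegacy(vars: Vars): string {
  return Object.keys(vars).map((k) => k + "=" + vars[k]).join("\n") + "\n";
}

// Legacy reader: split on newline, then on the first '='. Continuation lines
// of a PEM that happen to contain '=' become phantom keys; the rest are dropped.
function parseLegacy(blob: string): Vars {
  const out: Vars = {};
  for (const line of blob.split("\n")) {
    const i = line.indexOf("=");
    if (i > 0) out[line.slice(0, i)] = line.slice(i + 1);
  }
  return out;
}

// Fixed blob format: a JSON object. JSON escapes newlines inside values, so
// the boundary between entries no longer depends on the values' contents.
function serializeJson(vars: Vars): string {
  return JSON.stringify(vars);
}

// Reader with the PR's backward-compat rule: a blob whose first non-blank
// character is '{' is JSON; anything else is treated as the legacy line format.
function parseSecretsBlob(blob: string): Vars {
  const trimmed = blob.replace(/^\s+/, "");
  if (trimmed.charAt(0) === "{") return JSON.parse(trimmed) as Vars;
  return parseLegacy(blob);
}

// dotenv-style escape for writing a value into a .env file on one physical
// line: quote it when it contains anything that would confuse a line parser,
// and escape backslash, double quote, CR and LF inside the quotes.
function dotenvEscape(value: string): string {
  const needsQuote = value === "" || /[\s"'#=\\]/.test(value);
  if (!needsQuote) return value;
  const escaped = value
    .replace(/\\/g, "\\\\")
    .replace(/"/g, '\\"')
    .replace(/\r/g, "\\r")
    .replace(/\n/g, "\\n");
  return '"' + escaped + '"';
}

function writeDotenv(vars: Vars): string {
  return Object.keys(vars).map((k) => k + "=" + dotenvEscape(vars[k])).join("\n") + "\n";
}

// Minimal reader for writeDotenv's output: double-quoted values are unescaped,
// unquoted values are taken verbatim. Real dotenv parsers do more than this.
function readDotenv(text: string): Vars {
  const out: Vars = {};
  for (const line of text.split("\n")) {
    const i = line.indexOf("=");
    if (i <= 0) continue;
    const key = line.slice(0, i);
    let raw = line.slice(i + 1);
    if (raw.length >= 2 && raw.charAt(0) === '"' && raw.charAt(raw.length - 1) === '"') {
      raw = raw.slice(1, -1).replace(/\\(.)/g, (_m: string, c: string) =>
        c === "n" ? "\n" : c === "r" ? "\r" : c);
    }
    out[key] = raw;
  }
  return out;
}
```

Running `parseLegacy(serializeLegacy({ KEY: SAMPLE_PEM }))` returns `KEY` as just the header line plus a phantom key named after the base64 line that ends in `=`, which is the failure the PR reports; `parseSecretsBlob(serializeJson(...))` returns the fixture intact, and the same reader still accepts a legacy `A=1\nB=2\n` blob. `writeDotenv` keeps every value on one physical line (including values with a leading newline or an embedded `=`, the cases the test list calls out), and `readDotenv` recovers them.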