fix(security): keep credentials off argv and plaintext transports

- M7: ResolveToken accepts the token via the HF_TOKEN env var (so it need not appear in argv, where it's visible in ps/shell history); the HTTP client refuses to send a token / API key over plaintext http:// to a non-loopback host (use https://). Loopback http is still allowed for local dev. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-31 20:16:36 +01:00
parent c0ab087436
commit 4125a4c102
2 changed files with 45 additions and 4 deletions
--- a/internal/commands/auth.go
+++ b/internal/commands/auth.go
@@ -1,6 +1,9 @@
 package commands

 import (
+	"os"
+	"strings"
+
 	"git.hangman-lab.top/zhi/HarborForge.Cli/internal/mode"
 	"git.hangman-lab.top/zhi/HarborForge.Cli/internal/output"
 	"git.hangman-lab.top/zhi/HarborForge.Cli/internal/passmgr"
@@ -20,11 +23,16 @@ func ResolveToken(tokenFlag string) string {
 		}
 		return tok
 	}
-	// manual mode
-	if tokenFlag == "" {
-		output.Error("--token <token> required or execute this with pcexec")
+	// manual mode — prefer the explicit flag, else fall back to the HF_TOKEN
+	// env var so the token need not appear in argv (visible via `ps`/history).
+	if tokenFlag != "" {
+		return tokenFlag
 	}
-	return tokenFlag
+	if env := strings.TrimSpace(os.Getenv("HF_TOKEN")); env != "" {
+		return env
+	}
+	output.Error("--token <token> or HF_TOKEN env required, or execute this with pcexec")
+	return ""
 }

 // RejectTokenInPaddedCell checks if --token was passed in padded-cell mode