hzhang 4125a4c102 fix(security): keep credentials off argv and plaintext transports ...

- M7: ResolveToken accepts the token via the HF_TOKEN env var (so it need
  not appear in argv, where it's visible in ps/shell history); the HTTP
  client refuses to send a token / API key over plaintext http:// to a
  non-loopback host (use https://). Loopback http is still allowed for
  local dev.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-05-31 20:16:36 +01:00

1.4 KiB

Raw Blame History

View Raw