Audit: missing user warnings for anomalous conditions #19

Closed
opened 2026-02-20 09:01:46 +01:00 by clawbot · 0 comments
Collaborator

Following the addition of secret.Warn() in PR #17, this audit identifies all places where anomalous conditions are silently swallowed or only logged via Debug() when the user should be warned.

Findings

1. internal/secret/helpers.go:DetermineStateDir() — silent config dir fallback

When os.UserConfigDir() fails, the code silently falls back to ~/.config. The user has no idea their config dir resolution failed.

2. internal/cli/info_helper.go:gatherVaultStats() — silent skips on read errors

Lines 30, 45: errors reading secrets dir and versions dir are silently continued. If vault data is corrupt or unreadable, the user gets incomplete stats with no indication.

3. internal/cli/unlockers.go:UnlockersList() — silent skips with FIXME comments

Lines 273, 280, 295, 301: Multiple continue statements skip unlockers when vault dir, file listing, metadata read, or metadata parse fails. Two are marked // FIXME this error needs to be handled. User sees incomplete unlocker list with no warning.

4. internal/cli/unlockers.go:checkUnlockerExists() — silent skips

Lines 607, 621, 626: errors reading/parsing unlocker metadata are silently continued during duplicate checking.

5. internal/cli/completions.go:getUnlockerIDsCompletionFunc() — silent skips

Lines 73, 87, 92: errors reading unlocker dirs and metadata silently continued during tab completion.

6. internal/cli/version.go:ListVersions() — Debug instead of Warn on metadata load failure

Line 167: When version metadata fails to load, only Debug() is called. The user sees an "error" status in the table but no explanation of what went wrong.

7. internal/cli/secrets.go — Debug instead of Warn on file close error

Line 510: Failed to close file only logged via Debug(). File close errors can indicate data loss.

8. internal/secret/version.go:GenerateVersionName() — silent skip on malformed version dir

Line 104: When a version directory name cannot be parsed (malformed serial), it is silently skipped. This could mask filesystem corruption.

9. internal/cli/unlockers.go:UnlockersList() — fallback ID generation without warning

Line 325: When an unlocker instance cannot be created, a fallback ID is generated silently. User sees a potentially wrong ID.

All of these should use secret.Warn() to inform the user something unexpected happened.
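
An added example of the warn-and-skip pattern that findings 3 to 5 ask for; it is not code from the sneak/secret repository. The `fs.FS` parameter, the `<id>/metadata.json` layout, the `warn` callback standing in for `secret.Warn()` (whose signature the issue does not show) and the sample vault are all assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io/fs"
	"os"
	"path"
	"testing/fstest"
)

// listUnlockers reads <id>/metadata.json (assumed layout) for every entry and
// reports each skipped entry through warn instead of dropping it silently.
func listUnlockers(fsys fs.FS, warn func(string, ...any)) (types []string, skipped int, err error) {
	entries, err := fs.ReadDir(fsys, ".")
	if err != nil {
		return nil, 0, fmt.Errorf("listing unlockers: %w", err)
	}
	for _, e := range entries {
		var meta struct{ Type string `json:"type"` }
		raw, err := fs.ReadFile(fsys, path.Join(e.Name(), "metadata.json"))
		if err == nil {
			err = json.Unmarshal(raw, &meta)
		}
		if err != nil { // the audited pattern is a bare `continue` at this point
			warn("skipping unlocker %q: %v", e.Name(), err)
			skipped++
			continue
		}
		types = append(types, meta.Type)
	}
	if skipped > 0 {
		warn("unlocker list is incomplete: %d skipped", skipped)
	}
	return types, skipped, nil
}

// sample is a constructed vault: one valid, one corrupt and one missing metadata file.
var sample = fstest.MapFS{
	"a-good/metadata.json":    {Data: []byte(`{"type":"passphrase"}`)},
	"b-corrupt/metadata.json": {Data: []byte(`{"type":`)},
	"c-nometa/other.txt":      {Data: []byte("x")},
}

func main() {
	// Hypothetical stand-in for secret.Warn(): write to stderr so stdout stays parseable.
	warn := func(f string, a ...any) { fmt.Fprintf(os.Stderr, "WARNING: "+f+"\n", a...) }
	fmt.Println(listUnlockers(sample, warn))
}
```

Returning the skip count alongside the list lets a caller such as tab completion choose to stay quiet while an interactive listing warns.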

sneak closed this issue 2026-02-20 09:22:30 +01:00
clawbot self-assigned this 2026-02-20 09:23:58 +01:00
clawbot added the needs-checks label 2026-02-20 09:23:58 +01:00
Reference: sneak/secret#19