fix: broaden telemetry kwarg redaction and _ctx filter atomically (BE-992)#459

Merged
mattmillerai merged 1 commit into
mainfrom
cursor/fix-tracking-redaction-be992-7702
Jun 12, 2026
Conversation

@mattmillerai

Collaborator

Summary

Fixes a latent CWE-200 vulnerability (BE-992) where two interacting allowlist gaps in track_command() could leak credentials to Mixpanel if either gap were fixed independently.

The Problem

Gap 1 — Credential redaction: SENSITIVE_TRACKING_KEYS only matched "api_key" by exact name, missing kwargs like set_civitai_api_token and set_hf_api_token.

Gap 2 — Context-object filter: The kwarg filter dropped "ctx" and "context" but not "_ctx" (underscore-prefixed Click Context used by the download command).

These gaps accidentally cancelled each other out: the non-JSON-serializable _ctx object caused mp.track() to raise a TypeError before any credential reached Mixpanel. Fixing Gap 2 alone would silently activate the credential leak.

The Fix

Both gaps are fixed atomically in a single commit:

  1. Suffix-based sensitive key detection — replaces the exact-match SENSITIVE_TRACKING_KEYS with _is_sensitive() that matches suffixes (_token, _api_key, _secret, _password) and exact names (api_key, token, password, secret).

  2. Broadened kwarg filter: _is_trackable() now:

    • Drops ctx and context (as before)
    • Drops all underscore-prefixed params (catches _ctx and any future private params)
    • Defensively drops any value that isn't JSON-serializable
  3. Historical context comment explaining the interaction so future maintainers don't undo this in pieces.

Tests Added (6 new)

Test                                     What it verifies
test_set_civitai_api_token_is_redacted   CivitAI token value replaced with <redacted>
test_set_hf_api_token_is_redacted        HuggingFace token value replaced with <redacted>
test_bare_token_kwarg_is_redacted        Generic token kwarg is redacted
test_underscore_ctx_is_excluded          _ctx (Click Context) never reaches tracked properties
test_non_serializable_value_is_excluded  Non-JSON-serializable values are dropped instead of swallowing the event
All existing tests                       Continue to pass (28 total)

Risk Assessment

  • Zero user exposure — Mixpanel Lexicon confirms no credentials were ever ingested.
  • Backward compatible — the only observable change is that events which previously silently failed (due to _ctx serialization) will now succeed with properly redacted properties.

Linear Issue: BE-992

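The interaction the PR summary describes is easier to reason about when the two rule sets can be run side by side. The block below is an added example, not comfy_cli's own tracking.py: it reconstructs the fixed rules from the summary (suffix and exact-name redaction, dropping ctx/context and underscore-prefixed kwargs, dropping non-JSON-serializable values) and the legacy rules they replaced (exact-match allowlist, ctx/context filter only), so the "fixing Gap 2 alone activates the leak" case is reproducible. `sanitize_kwargs`, `legacy_would_send` and `unredacted_credential_params` are hypothetical names; the URL query-string stripping follows the commit message rather than the summary, and the drift gate is an assumed design modelled on the commit message's description. Sample kwargs are constructed, with `object()` standing in for the Click Context.

```python
"""Added example: reconstruction of the telemetry kwarg redaction rules described in
the PR summary, next to the legacy rules, so the masked-leak interaction can be run.
Not the project's code; names and the drift gate are assumptions."""
import json
from urllib.parse import urlsplit, urlunsplit

REDACTED = "<redacted>"
# Fixed rules as the summary states them: credential suffixes plus a few exact names.
SENSITIVE_SUFFIXES = ("_token", "_api_key", "_secret", "_password")
SENSITIVE_EXACT = {"api_key", "token", "password", "secret"}
CONTEXT_NAMES = {"ctx", "context"}


def _is_sensitive(name: str) -> bool:
    """Case-insensitive match on exact credential names or credential-like suffixes."""
    lowered = name.lower()
    return lowered in SENSITIVE_EXACT or lowered.endswith(SENSITIVE_SUFFIXES)


def _is_private_or_context(name: str) -> bool:
    """Drop ctx/context and every underscore-prefixed param (covers _ctx and future ones)."""
    return name in CONTEXT_NAMES or name.startswith("_")


def _is_json_serializable(value) -> bool:
    """Defensive check so one bad value drops itself instead of failing the whole event."""
    try:
        json.dumps(value)
    except (TypeError, ValueError):
        return False
    return True


def _strip_query(value):
    """Remove query string and fragment from URL-looking strings (assumed rule, taken
    from the commit message; the PR body does not spell it out)."""
    if isinstance(value, str) and "://" in value:
        parts = urlsplit(value)
        return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    return value


def sanitize_kwargs(kwargs: dict) -> dict:
    """Hypothetical equivalent of the fixed property builder in track_command()."""
    props = {}
    for name, value in kwargs.items():
        if _is_private_or_context(name):
            continue
        if _is_sensitive(name):
            # Redact on the name alone; the raw value is never serialized or inspected.
            props[name] = REDACTED
        elif _is_json_serializable(value):
            props[name] = _strip_query(value)
    return props


# Legacy behaviour reconstructed from the summary: exact-match allowlist ("api_key" only)
# and a filter that drops only ctx/context, so _ctx reaches json.dumps().
LEGACY_SENSITIVE_KEYS = {"api_key"}


def legacy_props(kwargs: dict) -> dict:
    return {
        name: (REDACTED if name in LEGACY_SENSITIVE_KEYS else value)
        for name, value in kwargs.items()
        if name not in CONTEXT_NAMES
    }


def legacy_would_send(kwargs: dict) -> tuple:
    """Return (sent, props). Legacy events only left the process when json.dumps()
    succeeded; with _ctx present it raised TypeError, which is what masked Gap 1."""
    props = legacy_props(kwargs)
    try:
        json.dumps(props)
    except TypeError:
        return False, props
    return True, props


# Drift gate (assumed design): flag credential-looking parameter names that the suffix
# and exact-name rules would still pass through unredacted, e.g. "apikey" without "_".
CREDENTIAL_HINTS = ("token", "key", "secret", "password", "passwd")


def unredacted_credential_params(param_names) -> list:
    return sorted(
        name for name in param_names
        if any(hint in name.lower() for hint in CREDENTIAL_HINTS) and not _is_sensitive(name)
    )


if __name__ == "__main__":
    # Constructed sample kwargs; object() stands in for the non-serializable Click Context.
    sample = {
        "set_hf_api_token": "hf_example",
        "_ctx": object(),
        "url": "https://example.invalid/models?download_token=abc",
        "workspace": "default",
    }
    print(sanitize_kwargs(sample))
    print(legacy_would_send(sample)[0])  # False: TypeError on _ctx masked the leak
    without_ctx = {k: v for k, v in sample.items() if k != "_ctx"}
    print(legacy_would_send(without_ctx)[0])  # True: Gap 2 fixed alone, token goes out raw
    print(unredacted_credential_params(["set_hf_api_token", "set_civitai_apikey"]))
```

The ordering in `sanitize_kwargs` matters: the name-based checks run before any value is touched, so a credential never reaches `json.dumps()` even as a probe, and an underscore-prefixed credential is dropped rather than redacted. The drift gate is intentionally broader than `_is_sensitive()`, because a rule that only has to say "this looks like a credential and would not be redacted" can afford false positives that the redaction rule itself cannot.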

@coderabbitai

coderabbitai Bot commented May 19, 2026


Warning

Review limit reached

@mattmillerai, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 1 hour, 53 minutes, and 7 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.


📥 Commits

Reviewing files that changed from the base of the PR and between 575d1da and e29536c.

📒 Files selected for processing (3)
  • comfy_cli/tracking.py
  • tests/comfy_cli/test_tracking.py
  • tests/comfy_cli/test_tracking_providers.py

@codecov

codecov Bot commented May 19, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.

@@            Coverage Diff             @@
##             main     #459      +/-   ##
==========================================
+ Coverage   83.32%   83.36%   +0.04%     
==========================================
  Files          45       45              
  Lines        6831     6848      +17     
==========================================
+ Hits         5692     5709      +17     
  Misses       1139     1139              
Files with missing lines Coverage Δ
comfy_cli/tracking.py 94.67% <100.00%> (+0.59%) ⬆️

…elemetry

Match sensitive kwargs by suffix (_token/_api_key/_secret/_password) and exact
name instead of a fixed allowlist, drop ctx/underscore-prefixed and
non-serializable values, and strip query strings from URL values. Add a
drift-gate test so a new credential flag cannot ship unredacted.

Original telemetry-redaction fix by Matt Miller; ported onto the dual-provider
tracking path and extended.

Signed-off-by: Alexander Piskun <bigcat88@icloud.com>
@bigcat88 bigcat88 force-pushed the cursor/fix-tracking-redaction-be992-7702 branch from fa5b17c to e29536c Compare June 12, 2026 15:13
@dosubot dosubot Bot added the lgtm This PR has been approved by a maintainer label Jun 12, 2026
@mattmillerai mattmillerai marked this pull request as ready for review June 12, 2026 21:58
@mattmillerai mattmillerai merged commit 74a8241 into main Jun 12, 2026
15 checks passed
@mattmillerai mattmillerai deleted the cursor/fix-tracking-redaction-be992-7702 branch June 12, 2026 21:58