fix(cli): gate test env vars with #[cfg(debug_assertions)] (audit B3)

RELICARIO_TEST_PASSPHRASE and friends were checked in production code, exposing the passphrase via /proc/<pid>/environ and shell history. Now only compiled into debug binaries via cfg(debug_assertions) helper functions. Release builds compile the helpers to return None, so the env var names are absent from the release binary (verified via strings). Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-05-02 01:46:13 -04:00
parent 628e2bd636
commit 2739eb4194
2 changed files with 43 additions and 111 deletions
--- a/crates/relicario-cli/src/session.rs
+++ b/crates/relicario-cli/src/session.rs
@@ -39,7 +39,7 @@ impl UnlockedVault {
            .with_context(|| format!("failed to read reference image {}", image_path.display()))?;
        let image_secret = Zeroizing::new(imgsecret::extract(&image_bytes)?);

-        let passphrase = if let Ok(p) = std::env::var("RELICARIO_TEST_PASSPHRASE") {
+        let passphrase = if let Some(p) = crate::test_passphrase_override() {
            Zeroizing::new(p)
        } else {
            Zeroizing::new(