From 2032fac227e1c53a508630f7f5b5796772c300e7 Mon Sep 17 00:00:00 2001
From: adlee-was-taken
Date: Sun, 5 Apr 2026 11:44:14 -0400
Subject: [PATCH] fix(cli): redact security.recovery_passphrase_hash in show_cmd

Adjacent secret leak in show_cmd noticed during Task 3 code review. SecurityConfig has two sensitive fields and the redaction block only covered pin_hash. vigilar config show would print the recovery passphrase hash verbatim whenever one was configured. One-line fix; same redaction pattern as the surrounding secrets. Part of issue #2.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 vigilar/cli/cmd_config.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/vigilar/cli/cmd_config.py b/vigilar/cli/cmd_config.py
index 907f8da..b78bfba 100644
--- a/vigilar/cli/cmd_config.py
+++ b/vigilar/cli/cmd_config.py
@@ -49,6 +49,8 @@ def show_cmd(config_path: str | None) -> None:
 data["web"]["password_hash"] = "***"
 if data.get("security", {}).get("pin_hash"):
 data["security"]["pin_hash"] = "***"
+ if data.get("security", {}).get("recovery_passphrase_hash"):
+ data["security"]["recovery_passphrase_hash"] = "***"
 if data.get("alerts", {}).get("webhook", {}).get("secret"):
 data["alerts"]["webhook"]["secret"] = "***"
 click.echo(json.dumps(data, indent=2))
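Review bot: The two added `+` lines extend a hand-maintained list of key paths, which is the very pattern that let `recovery_passphrase_hash` slip through — any secret-bearing field added to `SecurityConfig` (or under `web`/`alerts`) later will again be printed verbatim by `vigilar config show` until someone notices. Redacting recursively by key name, applied once at the `click.echo(json.dumps(data, indent=2))` line, makes the default safe instead of relying on each field being remembered; the helper below is one way to do it and makes the per-field `if ...:` guards in the hunk unnecessary. Whether further secret-bearing keys exist outside `security` cannot be told from this hunk, so the suffix list should be checked against the config model before relying on it. A regression test that loads a config with every secret populated and asserts none of the raw values appear in the command's output would pin this permanently. `show_cmd` begins before the hunk, and whether `click.echo` is its last statement is not visible here.
```python
_SECRET_KEY_SUFFIXES = ("_hash", "password", "secret", "token", "api_key")


def _redact(node):
    """Return a copy of *node* with every truthy value under a secret-looking key replaced by '***'."""
    if isinstance(node, dict):
        return {
            k: "***" if isinstance(k, str) and k.lower().endswith(_SECRET_KEY_SUFFIXES) and v else _redact(v)
            for k, v in node.items()
        }
    if isinstance(node, list):
        return [_redact(v) for v in node]
    return node

# … unchanged: config loading at the top of show_cmd …
    click.echo(json.dumps(_redact(data), indent=2))
```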