feat: add superstruct.sensitive#577
Open
ccharly wants to merge 10 commits into
Open
Conversation
…e other incompatible one from @metamask/superstruct
ccharly
commented
Jun 25, 2026
Comment on lines
+153
to
+158
| { | ||
| name: '@metamask/superstruct', | ||
| importNames: ['object'], | ||
| message: | ||
| "Import object() from '@metamask/keyring-utils' instead — it supports exactOptional() and sensitive() field redaction.", | ||
| }, |
Contributor
Author
There was a problem hiding this comment.
This forces us to use our own object type that supports our exactOptional AND also allows us to use the new sensitive decorator.
ccharly
commented
Jun 25, 2026
Comment on lines
+159
to
+164
| { | ||
| name: '@metamask/superstruct', | ||
| importNames: ['exactOptional'], | ||
| message: | ||
| "Import exactOptional() from '@metamask/keyring-utils' instead — mixing superstruct's exactOptional with keyring-utils' object() breaks ExactOptionalize and makes optional fields appear required.", | ||
| }, |
Contributor
Author
There was a problem hiding this comment.
Same here, we cannot use the exactOptional from the main repo (that works slightly differently from ours)
ccharly
commented
Jun 25, 2026
| * The private key of the exported account. | ||
| */ | ||
| privateKey: string(), | ||
| privateKey: sensitive(string()), |
Contributor
Author
There was a problem hiding this comment.
Since it's marked as sensitive AND that we use our object struct, this field will never be display in validation/error messages from superstruct.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adding a new
superstruct"decorator" to mark a field as "sensitive" this way, it never gets logged by mistake insuperstructerror messages.Also, redacting the value whenever we try to use it using struct internal/validations.
Lastly, to enable the last point (nested
sensitivefields), we have to use our customobject, so we now have an eslint rule to force us to use this object (at least in thekeyring-apifor now).Note
Medium Risk
Changes validation error shaping for schemas that carry private keys; behavior is security-hardening but touches secret-handling paths and many keyring-api structs.
Overview
Adds
sensitive()in@metamask/keyring-utilsso superstruct validation failures replace secret field values with***in error message,StructError.value, and branch metadata. The packageobject()is extended to scrubsensitive()sibling keys from parent objects in failure branches (including nested siblings), andtype()casting is tightened without changing behavior.@metamask/keyring-apinow importsobject()/exactOptional()from keyring-utils instead of@metamask/superstruct, andPrivateKeyExportedAccountStruct.privateKeyusessensitive(string()). New tests cover export-account redaction; ESLintno-restricted-importsblocks raw superstructobject/exactOptionalunderpackages/keyring-api.Reviewed by Cursor Bugbot for commit 8cc422c. Bugbot is set up for automated code reviews on this repo. Configure here.