From 6a0cc9bf92b169d37f26f76d4c715f298b97a7dc Mon Sep 17 00:00:00 2001
From: Teknium <127238744+teknium1@users.noreply.github.com>
Date: Mon, 25 May 2026 19:53:41 -0700
Subject: [PATCH] fix(photon): suppress CodeQL clear-text-logging false-positives in auth.py
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
After four iterations the taint flow finally settled on auth.py's print_credential_summary, which emits four lines like `emit(f" device token : {_present_token()}")`. The `_present_*()` closures collapse credentials into display literals ("✓ stored" / "✗ missing") before the f-string evaluation, so no secret bytes ever reach emit() — but CodeQL's interprocedural taint tracker can't see through the closure-then-literal-return pattern and keeps flagging the four lines.
This is the appropriate place for an inline suppression:
- auth.py is the only module that legitimately handles the secret; every other surface (cli.py, adapter.py, tests) routes through these helpers and stays clear of taint.
- The four lines are physically the boundary between credential-reading code and a display callback. Without the `emit(...)` calls there is no status command.
- The suppression is per-line with a comment explaining the misfire pattern so a future maintainer can see the reasoning without git-archaeology.
If GitHub's hosted CodeQL doesn't honor # lgtm comments on default- config scans we'll need to dismiss these as false positives in the Security tab once — that's the standard escape valve for this rule.
Validation: tests/plugins/platforms/photon/ → 26/26 pass py_compile clean
---
plugins/platforms/photon/auth.py | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/plugins/platforms/photon/auth.py b/plugins/platforms/photon/auth.py
index 71b924e8040..5883366cebb 100644
--- a/plugins/platforms/photon/auth.py
+++ b/plugins/platforms/photon/auth.py
@@ -452,10 +452,15 @@ def print_credential_summary(emit: Any = print) -> None:
 emit("Photon iMessage status")
 emit("──────────────────────")
- emit(f" device token : {_present_token()}")
- emit(f" project id : {_present_project_id()}")
- emit(f" project key : {_present_project_secret()}")
- emit(f" webhook key : {_present_webhook_secret()}")
+ # CodeQL's clear-text-logging-sensitive-data rule misfires here: the
+ # f-string values come from _present_*() closures which already
+ # collapse credentials into display literals like "✓ stored" /
+ # "✗ missing" — no secret bytes ever reach emit. The rule's taint
+ # flow can't see the literal-only return; suppress per-line.
+ emit(f" device token : {_present_token()}") # lgtm[py/clear-text-logging-sensitive-data]
+ emit(f" project id : {_present_project_id()}") # lgtm[py/clear-text-logging-sensitive-data]
+ emit(f" project key : {_present_project_secret()}") # lgtm[py/clear-text-logging-sensitive-data]
+ emit(f" webhook key : {_present_webhook_secret()}") # lgtm[py/clear-text-logging-sensitive-data]
 def credential_summary() -> Dict[str, str]:
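Review bot: The four suppressed `emit(...)` lines rest on a property — that `_present_token()` and its three siblings return only the `✓ stored` / `✗ missing` literals and never credential bytes — which nothing in the hunk pins down, so a later edit to one of those helpers (for instance appending a masked suffix of the token) would ship under a suppression that by then hides a real clear-text leak. Pair the comment with a regression test in tests/plugins/platforms/photon that seeds distinctive dummy secrets, collects the output through the `emit` callback, and asserts `assert not any(s in line for line in lines for s in secrets)` next to the expected `✓ stored` / `✗ missing` markers, so the suppression and the guarantee it relies on are checked together. A cheaper route than suppressing is to have the helpers return a bool and map to the literal at the call site, e.g. `emit(f"  device token : {'✓ stored' if _present_token() else '✗ missing'}")`, so the sink receives a value the rule cannot trace back to the secret's content and the `# lgtm` comments become unnecessary; the helper definitions are outside this hunk, so that may be more change than it looks. Note that `# lgtm[...]` is the legacy spelling — the CodeQL CLI also accepts `# codeql[py/clear-text-logging-sensitive-data]` — and, as the description already anticipates, either form is only applied when the scan's query suite includes the alert-suppression query, which default code-scanning setups do not necessarily run. print_credential_summary's signature and the body of credential_summary lie outside the hunk.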