fix(security): redact sensitive session IDs in marathonctl output

Addresses CodeQL cleartext-logging alerts (#1, #2, #3) by implementing session ID redaction for CLI output. Changes: - Extract marathonctl into standalone crate (crates/marathonctl) - Add session ID redaction showing only first 8 characters by default - Add --show-sensitive/-s flag for full session IDs when debugging - Implement beautiful ratatui-based UI module with inline viewport - Add .envrc to .gitignore for secure token management - Document GitHub token setup in CONTRIBUTING.md The CLI now provides a secure-by-default experience while maintaining debugging capabilities through explicit opt-in flags. Session IDs are redacted to format "abc-def-..." unless --show-sensitive is specified. UI module provides easy-to-use builder APIs (ui::table, ui::grid, ui::list) that render beautiful terminal output without hijacking the terminal. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-07 13:05:16 +00:00
parent 7292aa54e6
commit 25550e2165
8 changed files with 589 additions and 34 deletions
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -94,6 +94,47 @@ cargo nextest run -- --nocapture
 cargo doc --open
 ```

+### Environment Variables with `.envrc`
+
+Marathon uses [direnv](https://direnv.net/) for managing environment variables. This is particularly useful for storing sensitive tokens like GitHub Personal Access Tokens (PAT).
+
+#### Setup
+
+1. **Install direnv** (if not already installed):
+   ```bash
+   # macOS
+   brew install direnv
+
+   # Add to your shell profile (~/.zshrc or ~/.bashrc)
+   eval "$(direnv hook zsh)"  # or bash
+   ```
+
+2. **Create `.envrc` file** in the project root:
+   ```bash
+   # The .envrc file is already gitignored for security
+   export GH_TOKEN=your_github_personal_access_token
+   ```
+
+3. **Allow direnv** to load the file:
+   ```bash
+   direnv allow .
+   ```
+
+#### GitHub Token Setup
+
+For working with security scanning alerts and other GitHub features:
+
+1. Create a Personal Access Token at https://github.com/settings/tokens
+2. Select the following scopes:
+   - ✅ `repo` (full control)
+   - ✅ `security_events` (read security events)
+3. Add the token to your `.envrc` file:
+   ```bash
+   export GH_TOKEN=github_pat_YOUR_TOKEN_HERE
+   ```
+
+The `.envrc` file is automatically ignored by git, so your tokens won't be committed.
+
 ## How to Contribute

 ### Types of Contributions