fix(sdk): redact x-api-key in debug-log header dumps#3956

Merged
saddlepaddle merged 1 commit into main from sdk-log-redaction on May 1, 2026

Conversation

@saddlepaddle (Collaborator) commented May 1, 2026

Summary

The Stainless template's request-detail log redactor masks Authorization, Cookie, Set-Cookie, and api_key (underscore — petstore's auth header). When we shipped `@superset_sh/sdk` we changed the auth scheme in `client.ts:authHeaders` to use `x-api-key` (dash) for `sk_live_…` keys, but didn't update the redaction list to match.

Net effect: any caller running with `logLevel: 'debug'` or `SUPERSET_LOG=debug` had their raw API key written into the debug logs alongside every request. Adding `x-api-key` to the redaction list patches it.

Bumps the SDK to `0.0.1-alpha.7`.

Test plan

  • Bun typecheck passes (it does locally)
  • Sherif passes (it does locally)
  • CI green
  • Republish `@superset_sh/sdk@0.0.1-alpha.7` after merge

Caught by greptile + cubic + coderabbit on #3937, follow-up since that PR was already merged.


Summary by cubic

Redacts the x-api-key header in SDK debug request logs to prevent API key leakage when debug logging is enabled. Bumps @superset/sdk to 0.0.1-alpha.7.

Written for commit caa3c0f. Summary will update on new commits.

Summary by CodeRabbit

  • Chores
    • Bumped SDK package version to 0.0.1-alpha.7, with updates reflected across package configuration and internal version constants
  • Bug Fixes
    • Improved request logging security by implementing proper redaction of API key headers, ensuring they are masked consistently with other sensitive authentication headers to prevent credential exposure in request logs

The vendor template redacts Authorization/Cookie/Set-Cookie/api_key,
which was correct for the petstore template (api_key with an
underscore). When we changed the auth scheme to x-api-key in
client.ts:authHeaders, the redaction list wasn't updated to match —
so debug logs (logLevel: 'debug' or SUPERSET_LOG=debug) would emit
the raw sk_live_… key.

Bumps to 0.0.1-alpha.7.
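
The gap the description and commit message explain, shown as an added example rather than the SDK's own `log.ts` or `client.ts`: a small TypeScript header redactor run once with the pre-fix list (Authorization, Cookie, Set-Cookie, api_key) and once with `x-api-key` added. `redactHeaders`, `leaksSecret`, the sample headers and the `sk_live_` value are all constructed for illustration; all the page says about the real `formatRequestDetails` is that matching headers are masked to `***`. The example also matches header names case-insensitively, which the page does not state about the SDK; it is assumed here because HTTP header names are case-insensitive and a `Headers` object or proxy may change the casing.

```typescript
// Added example, not the SDK's log.ts: a debug-log header redactor that
// models the redaction-list gap this PR closes. All names and values are
// constructed for illustration.

// Redaction list before the fix: the petstore template's api_key
// (underscore) plus the usual auth headers, as the PR description quotes.
const REDACT_BEFORE_FIX: ReadonlySet<string> = new Set([
  "authorization",
  "cookie",
  "set-cookie",
  "api_key",
]);

// Redaction list after the fix: the same set plus the header that
// client.ts actually sends (x-api-key, with a dash).
const REDACT_AFTER_FIX: ReadonlySet<string> = new Set(
  Array.from(REDACT_BEFORE_FIX).concat("x-api-key"),
);

// The mask the page says redacted values are replaced with.
const MASK = "***";

// Headers may arrive as a plain object, an array of [name, value] pairs,
// or a fetch Headers instance (which is iterable over pairs).
type HeaderInput = Record<string, string> | Iterable<[string, string]>;

// Normalise any supported header container into [name, value] pairs.
function headerPairs(headers: HeaderInput): Array<[string, string]> {
  if (typeof (headers as any)[Symbol.iterator] === "function") {
    return Array.from(headers as Iterable<[string, string]>);
  }
  return Object.entries(headers as Record<string, string>);
}

// Return a copy of the headers that is safe to write to a debug log: any
// header whose name is on the sensitive list (compared lower-cased, since
// HTTP header names are case-insensitive; an assumption about the SDK) is
// replaced with MASK. The original name casing is kept so the log still
// shows what was sent on the wire.
function redactHeaders(
  headers: HeaderInput,
  sensitive: ReadonlySet<string>,
): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [name, value] of headerPairs(headers)) {
    out[name] = sensitive.has(name.toLowerCase()) ? MASK : value;
  }
  return out;
}

// Regression check: does the rendered log payload still contain the raw
// secret anywhere after redaction with the given list?
function leaksSecret(
  headers: HeaderInput,
  sensitive: ReadonlySet<string>,
  secret: string,
): boolean {
  return JSON.stringify(redactHeaders(headers, sensitive)).includes(secret);
}

// Constructed stand-in for what client.ts:authHeaders would attach,
// with a constructed, non-functional key and mixed-case header names.
const SAMPLE_KEY = "sk_live_EXAMPLE_NOT_A_REAL_KEY";
const SAMPLE_HEADERS: Record<string, string> = {
  "X-Api-Key": SAMPLE_KEY,
  "Content-Type": "application/json",
  Cookie: "session=constructed-value",
};

// With the old list the key is printed verbatim; with the new list it is
// masked while unrelated headers are left readable.
console.log("before fix:", redactHeaders(SAMPLE_HEADERS, REDACT_BEFORE_FIX));
console.log("after fix: ", redactHeaders(SAMPLE_HEADERS, REDACT_AFTER_FIX));
```

`leaksSecret` is the kind of check that would have caught this before release: feed it the header set the client really emits and assert the log payload never contains the key, so that changing the auth header in `client.ts` without updating the redaction list fails a test instead of shipping.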

@coderabbitai Bot (Contributor) commented May 1, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between a0b605e and caa3c0f.

📒 Files selected for processing (3)
  • packages/sdk/package.json
  • packages/sdk/src/internal/utils/log.ts
  • packages/sdk/src/version.ts

Walkthrough

The SDK version is bumped from 0.0.1-alpha.6 to 0.0.1-alpha.7 across package metadata and the version constant. Additionally, the request logging formatter now redacts values of the "x-api-key" header alongside other sensitive headers.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Version Updates: packages/sdk/package.json, packages/sdk/src/version.ts | Version string updated from 0.0.1-alpha.6 to 0.0.1-alpha.7 in both the package manifest and exported version constant. |
| Logging Enhancement: packages/sdk/src/internal/utils/log.ts | Added "x-api-key" to the set of sensitive header names that are redacted to "***" in request logs. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A hop, skip, and alpha we go,
Seven's the number that's starting to show,
With secrets kept safe in the logs that we weave,
The x-api-key now hides up its sleeve!

Pre-merge checks | ✅ 4 | ❌ 1

Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Description check | ❓ Inconclusive | The PR description provides context, explains the security issue, outlines the fix, includes a test plan, and provides version bump info, but does not follow the provided template structure. | Consider restructuring the description to match the template with explicit sections: Description, Related Issues, Type of Change, Testing, and Additional Notes for consistency. |

Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The PR title accurately summarizes the main change: adding x-api-key redaction to debug-log headers, which is the core functional improvement. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@greptile-apps Bot commented May 1, 2026

Greptile Summary

This PR fixes a credential-leak in the SDK's debug logger by adding x-api-key to the header-redaction list in formatRequestDetails. Before this fix, any caller with logLevel: 'debug' would have their raw sk_live_… key written to logs on every request, because client.ts uses the x-api-key header (not the legacy api_key / authorization headers that were already redacted). The version is bumped to 0.0.1-alpha.7 in both package.json and version.ts.

Confidence Score: 5/5

Safe to merge — minimal, targeted fix with no functional regressions.

The change is a single-line addition to the redaction list that directly matches the header name used in client.ts. All three modified files are consistent (log fix + coordinated version bump in both package.json and version.ts). No logic is altered; the only behavioural change is that x-api-key values are now masked to *** in debug output, which is the intended fix.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| packages/sdk/src/internal/utils/log.ts | Adds x-api-key to the header redaction list in formatRequestDetails, closing the security gap where the actual auth header used by client.ts was not masked in debug logs. |
| packages/sdk/package.json | Version bump from 0.0.1-alpha.6 to 0.0.1-alpha.7 to publish the security fix. |
| packages/sdk/src/version.ts | Version constant updated to match package.json bump to 0.0.1-alpha.7. |

Sequence Diagram

```mermaid
sequenceDiagram
    participant Caller
    participant Client as client.ts
    participant Logger as log.ts (formatRequestDetails)
    participant Log as Debug Log

    Caller->>Client: makeRequest(options)
    Client->>Client: authHeaders() → { "x-api-key": "sk_live_..." }
    Client->>Logger: formatRequestDetails({ headers })
    Note over Logger: Redact sensitive headers:<br/>api_key, x-api-key ✅ (new),<br/>authorization, cookie, set-cookie
    Logger-->>Client: headers with "x-api-key": "***"
    Client->>Log: debug("request", { headers: { "x-api-key": "***" } })
```


@cubic-dev-ai Bot (Contributor) left a comment

No issues found across 3 files

@github-actions Bot (Contributor) commented May 1, 2026

🧹 Preview Cleanup Complete

The following preview resources have been cleaned up:

  • ✅ Neon database branch

Thank you for your contribution! 🎉

@saddlepaddle saddlepaddle merged commit 71bf008 into main May 1, 2026
15 checks passed
@Kitenite Kitenite deleted the sdk-log-redaction branch May 6, 2026 04:51
@saddlepaddle saddlepaddle mentioned this pull request May 7, 2026
3 tasks
saddlepaddle added a commit that referenced this pull request May 7, 2026
npm has alpha.6 as the most recent published; alpha.7 was bumped in
71bf008 but never `npm publish`-ed. Skip alpha.7 on the registry
and ship the current repo state as alpha.8.

Changes since alpha.6:

- workspaces.create adopts the canonical host-service shape (#3893)
- automations.list accepts --name filter (#3952)
- automations.prompt split into automations.prompt.get / .set (#3959)
- agents.list (presets demoted to UI-only configuration) (#4097)
- agents.run / workspaces.create gain `superset-chat` agent + `kind`
  discriminator on launch results (terminal vs chat) (#4116)
- type adjustments for v2 workspace render path (#4141)
- redact x-api-key in debug-log header dumps (#3956, was alpha.7)

After merge: `cd packages/sdk && bun run build && cd dist && npm publish --access public`.