Fix session-scoped API key redaction handling

[matdev83]

Summary

• treat API key redaction toggles from the set/unset commands as session-scoped state instead of mutating global application settings
• add per-session storage for the redaction flag and ensure the request processor skips redaction only when a session disables it
• cover the updated behavior with unit tests for the set and unset commands

Testing

• python -m pytest --override-ini addopts='' tests/unit/commands/test_unit_set_command.py tests/unit/commands/test_unit_unset_command.py
• python -m pytest --override-ini addopts='' (fails: missing optional test dependencies such as pytest_asyncio, respx, pytest_httpx, pytest_mock, hypothesis)

---

https://chatgpt.com/codex/tasks/task_e_68e7950a4cc0833399dd13d6f271c20d

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting

• @codex fix this CI failure
• @codex address that feedback

[chatgpt-codex-connector]

Wire redaction flag into command path actually used

This change stores the redaction preference on the session by updating SetCommand._handle_redact_api_keys_in_prompts, but the command pipeline executed at runtime uses SetCommandHandler/UnsetCommandHandler (in src/core/commands/handlers) rather than these domain command classes. Because those handlers still never call with_redact_api_keys_in_prompts, the new session field is never set and the RequestProcessor check added in this commit will always see the default value and continue redacting. The set/unset CLI commands therefore cannot disable redaction per session. Hook the handler used by NewCommandService into this state or update it to write the session flag.

Useful? React with 👍 / 👎.

[matdev83]

Review Result: REJECTED

Critical Issues Found

❌ Test Failure: The PR breaks existing functionality with a failing test:

• fails because API key redaction is not working correctly

❌ Implementation Bug: In , the code is looking for the wrong attribute name:

But according to the PR changes, the new field name should be , not .

Root Cause

The PR introduces a new session-level field but fails to update the request processor to check for this new field name correctly. This creates a mismatch where:

1. The session state has the new field
2. The request processor still looks for the old field
3. This causes session-level redaction controls to not work properly

Required Changes

1. Fix the attribute name in line 356:

2. Update any tests that reference the old method name to use the new one

3. Ensure all references to the old field are updated consistently

Recommendation

Please fix the attribute name mismatch and ensure all tests pass before resubmitting. The concept of session-scoped API key redaction is sound, but the implementation has a critical bug that needs to be addressed.

Status: BLOCKED - Changes requested

[matdev83]

Closing due to critical implementation bug identified in review. The attribute name mismatch between session state and request processor needs to be fixed before this can be merged.