gabriel / muse public
task/passphrase-env-warn #1 / 1
AI Agent gabriel · 59 days ago · Apr 17, 2026 · Diff

security: warn when MUSE_BIP39_PASSPHRASE env var is used as passphrase source

MUSE_BIP39_PASSPHRASE is visible to the process owner (and root) in /proc/pid/environ — less dangerous than the removed --passphrase flag (world-readable in ps) but still a meaningful exposure.

When the env var is consumed as the passphrase source, logger.warning fires on muse.cli.commands.auth naming the env var and recommending --passphrase-fd as the safer pipe-based alternative.

Warning is suppressed when:
- the env var is not set (nothing to warn about)
- --passphrase-fd is provided (env var is not consumed)

8 tests in test_passphrase_env_warn.py: fires for keygen/recover/rotate, names env var and --passphrase-fd, suppressed correctly in both silent cases, derivation result unchanged.

sha256:032ab53dcd3de86bedc0612e466cdc5e645e79c24e149907d476f4e123a3d410 sha
sha256:f2abf026f1d30d37f5fc5b6ebe8845fb7ccfb9dfe34df3d83b0d1130ae8f66c9 snapshot
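
The source selection described in the commit message, sketched as an added example (not the project's code). The logger name, env var and `--passphrase-fd` come from the message; `resolve_passphrase`, `_Capture` and `demo` are hypothetical names, and the secrets are constructed sample values.

```python
import logging
import os

# Logger name, env var and --passphrase-fd come from the commit message above;
# resolve_passphrase(), _Capture and demo() are hypothetical names.
logger = logging.getLogger("muse.cli.commands.auth")
ENV_VAR = "MUSE_BIP39_PASSPHRASE"

def resolve_passphrase(passphrase_fd=None, environ=None):
    """Return the passphrase, preferring an inherited pipe fd over the env var."""
    environ = os.environ if environ is None else environ
    if passphrase_fd is not None:
        # Pipe source: the secret never lands in /proc/<pid>/environ, no warning.
        with os.fdopen(passphrase_fd, "r", encoding="utf-8") as fh:
            return fh.readline().rstrip("\r\n")
    value = environ.get(ENV_VAR)
    if value is None:
        return None  # env var not set: nothing consumed, nothing to warn about
    logger.warning(
        "%s was used as the passphrase source; the process owner and root can "
        "read it in /proc/<pid>/environ. Prefer --passphrase-fd.", ENV_VAR)
    return value

class _Capture(logging.Handler):
    """Collects warning messages so the demo can return them."""
    def __init__(self):
        super().__init__(level=logging.WARNING)
        self.messages = []
    def emit(self, record):
        self.messages.append(record.getMessage())

def demo():
    """Run the three cases from the commit message; return (results, warnings)."""
    cap = _Capture()
    logger.addHandler(cap)
    try:
        env = {ENV_VAR: "constructed-env-secret"}  # constructed sample value
        r, w = os.pipe()
        os.write(w, b"constructed-pipe-secret\n")  # constructed sample value
        os.close(w)
        results = [
            resolve_passphrase(environ={}),                    # unset: silent
            resolve_passphrase(passphrase_fd=r, environ=env),  # fd given: silent
            resolve_passphrase(environ=env),                   # env used: warns
        ]
    finally:
        logger.removeHandler(cap)
    return results, cap.messages
```
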