Harden redaction and add FATAL context to error exits

Replace createRedaction with redactField that warns and continues when
fields are missing instead of panicking. Add FATAL prefix with caller
file:line to checkError and command name to exitWithUsage for easier
debugging. Document sensitive field redaction policy in CLAUDE.md and
add test coverage table to README.

Author: norman-abramovitz

CLAUDE.md

@@ -89,6 +89,22 @@ make govulncheck    # dependency vulnerability check
 make verify         # all of the above
 ```
 
+## Sensitive Field Redaction
+
+The `showDiff` function in `cf_targets.go` redacts sensitive fields before
+displaying unified diffs. Currently redacted fields:
+
+- `AccessToken`
+- `RefreshToken`
+- `UAAOAuthClientSecret`
+
+These are replaced with `REDACTED sha256(...)` in the diff output via
+`createRedaction()`. When the CF CLI's `config.json` schema changes
+(e.g., new fields added in `cloudfoundry/cli` `util/configv3/json_config.go`
+or `cf/configuration/coreconfig/config_data.go`), check whether any new
+fields contain tokens, secrets, passwords, or credentials and add them
+to the redaction list in `showDiff`.
+
 ## OS Abstraction
 
 The `OS` interface in `cf_targets.go` wraps filesystem operations for

README.md

@@ -212,3 +212,14 @@ gmake clean
 > functionality is now covered by the Makefile:
 > - Development builds: `make build`
 > - Release builds: `make ci-release VERSION=x.y.z`
+
+## Test Coverage
+
+| Package | Coverage |
+|---------|----------|
+| `cf-targets-plugin` | 72.6% |
+| `internal/diff` | 83.3% |
+| `internal/diff/lcs` | 54.3% |
+| **Total** | **68.1%** |
+
+Last updated: 2026-03-05

cf_targets.go

@@ -8,6 +8,7 @@ import (
 	"flag"
 	"fmt"
 	"path/filepath"
+	"runtime"
 	"strconv"
 	"strings"
 
@@ -252,11 +253,19 @@ func (c *TargetsPlugin) Run(cliConnection plugin.CliConnection, args []string) {
 	}
 }
 
-func createRedaction(jsonMap map[string]interface{}, key string) string {
-	var valueAssertion interface{}
-	valueAssertion = jsonMap[key]
-	currentSum := sha256.Sum256([]byte(valueAssertion.(string)))
-	return fmt.Sprintf("REDACTED sha256(%x)", currentSum)
+func redactField(jsonMap map[string]interface{}, key string) {
+	val, ok := jsonMap[key]
+	if !ok {
+		fmt.Printf("Warning: expected field %q not found in config\n", key)
+		return
+	}
+	str, ok := val.(string)
+	if !ok {
+		fmt.Printf("Warning: field %q is not a string\n", key)
+		return
+	}
+	sum := sha256.Sum256([]byte(str))
+	jsonMap[key] = fmt.Sprintf("REDACTED sha256(%x)", sum)
 }
 
 func (c *TargetsPlugin) showDiff(targetPath string) {
@@ -273,14 +282,10 @@ func (c *TargetsPlugin) showDiff(targetPath string) {
 	err = json.Unmarshal(targetContent, &jsonDataTarget)
 	c.checkError(err)
 
-	jsonDataCurrent["AccessToken"] = createRedaction(jsonDataCurrent, "AccessToken")
-	jsonDataTarget["AccessToken"] = createRedaction(jsonDataTarget, "AccessToken")
-
-	jsonDataCurrent["RefreshToken"] = createRedaction(jsonDataCurrent, "RefreshToken")
-	jsonDataTarget["RefreshToken"] = createRedaction(jsonDataTarget, "RefreshToken")
-
-	jsonDataCurrent["UAAOAuthClientSecret"] = createRedaction(jsonDataCurrent, "UAAOAuthClientSecret")
-	jsonDataTarget["UAAOAuthClientSecret"] = createRedaction(jsonDataTarget, "UAAOAuthClientSecret")
+	for _, key := range []string{"AccessToken", "RefreshToken", "UAAOAuthClientSecret"} {
+		redactField(jsonDataCurrent, key)
+		redactField(jsonDataTarget, key)
+	}
 
 	current, err := json.MarshalIndent(jsonDataCurrent, "", " ")
 	c.checkError(err)
@@ -532,7 +537,8 @@ func (c *TargetsPlugin) targetPath(targetName string) string {
 
 func (c *TargetsPlugin) checkError(err error) {
 	if err != nil {
-		fmt.Println("Error:", err)
+		_, file, line, _ := runtime.Caller(1)
+		fmt.Printf("FATAL: %s:%d: %v\n", filepath.Base(file), line, err)
 		panic(1)
 	}
 }
@@ -542,6 +548,7 @@ func (c *TargetsPlugin) exitWithUsage(command string) {
 	for _, candidate := range metadata.Commands {
 		if candidate.Name == command {
 			fmt.Println("Usage: " + candidate.UsageDetails.Usage)
+			fmt.Printf("FATAL: invalid syntax for command %q\n", command)
 			panic(1)
 		}
 	}

cf_targets_test.go

@@ -232,7 +232,7 @@ var _ = Describe("TargetsPlugin", func() {
 			})
 			Expect(fakeOS.exitCalled).To(Equal(1))
 			Expect(fakeOS.exitCalledWithCode).To(Equal(1))
-			Expect(output).To(ContainSubstrings([]string{"Error:", "permission denied"}))
+			Expect(output).To(ContainSubstrings([]string{"FATAL:", "permission denied"}))
 		})
 	})
 
@@ -601,6 +601,28 @@ var _ = Describe("TargetsPlugin", func() {
 				Expect(line).NotTo(ContainSubstring("different-refresh"))
 			}
 		})
+
+		It("warns and continues when redacted fields are missing", func() {
+			// JSON without AccessToken, RefreshToken, or UAAOAuthClientSecret
+			minimalJSON := []byte(`{"Target": "https://api.example.com", "ColorEnabled": "true"}`)
+			otherJSON := []byte(`{"Target": "https://api.example.com", "ColorEnabled": "false"}`)
+
+			fakeOS.readfileShouldReturnMap = map[string][]byte{
+				targetsPlugin.currentPath:                minimalJSON,
+				targetsPlugin.targetPath("minimal"): otherJSON,
+			}
+
+			output := CaptureOutput(func() {
+				targetsPlugin.showDiff(targetsPlugin.targetPath("minimal"))
+			})
+			// Warnings for missing fields
+			Expect(output).To(ContainSubstrings([]string{"Warning:", "AccessToken"}))
+			Expect(output).To(ContainSubstrings([]string{"Warning:", "RefreshToken"}))
+			Expect(output).To(ContainSubstrings([]string{"Warning:", "UAAOAuthClientSecret"}))
+			// Diff still runs
+			Expect(output).To(ContainSubstrings([]string{"---", "Current"}))
+			Expect(output).To(ContainSubstrings([]string{"+++", "Target"}))
+		})
 	})
 
 	Describe("Configuration File Manipulation", func() {