From f44e587971a02f18d9ec5332772503a4339be115 Mon Sep 17 00:00:00 2001
From: Dan Richards <dan.richards@runware.ai>
Date: Tue, 23 Jun 2026 13:20:51 +0100
Subject: [PATCH] fix(config): prevent config set from persisting env-only API
 key to disk

config.Get() merges RUNWARE_API_KEY from the environment before saving,
silently writing an ephemeral key to ~/.runware/config.yaml. Switch to
config.FileConfig() (file-only read) to mirror the pattern already used
by config reset. Adds TestSetDoesNotPersistEnvAPIKey regression test.

Fixes RUN-10950

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
---
 internal/cmd/config/config_test.go | 27 +++++++++++++++++++++++++++
 internal/cmd/config/set.go         |  5 ++++-
 2 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/internal/cmd/config/config_test.go b/internal/cmd/config/config_test.go
index 5790f77..ef70c67 100644
--- a/internal/cmd/config/config_test.go
+++ b/internal/cmd/config/config_test.go
@@ -95,6 +95,33 @@ func TestResetDoesNotPersistEnvAPIKey(t *testing.T) {
 	}
 }
 
+// TestSetDoesNotPersistEnvAPIKey verifies that an API key supplied only via
+// RUNWARE_API_KEY is not written into the config file by `config set`.
+func TestSetDoesNotPersistEnvAPIKey(t *testing.T) {
+	t.Setenv("HOME", t.TempDir())
+	t.Setenv("RUNWARE_API_KEY", "env-only-secret")
+	if err := config.Init(); err != nil {
+		t.Fatalf("config.Init() error: %v", err)
+	}
+
+	if err := config.Save(&config.Config{Defaults: config.Defaults{}}); err != nil {
+		t.Fatalf("Save() error: %v", err)
+	}
+
+	cmd := newSetCmd(log.New(io.Discard))
+	if err := cmd.RunE(cmd, []string{"format", "json"}); err != nil {
+		t.Fatalf("set RunE error: %v", err)
+	}
+
+	onDisk, err := config.FileConfig()
+	if err != nil {
+		t.Fatalf("FileConfig() error: %v", err)
+	}
+	if onDisk.APIKey != "" {
+		t.Errorf("api_key written to file = %q, want empty (env key must not be persisted)", onDisk.APIKey)
+	}
+}
+
 func TestApplyConfigValue_KnownKeys(t *testing.T) {
 	tests := []struct {
 		key   string
diff --git a/internal/cmd/config/set.go b/internal/cmd/config/set.go
index b1fae5d..ea15d57 100644
--- a/internal/cmd/config/set.go
+++ b/internal/cmd/config/set.go
@@ -51,7 +51,10 @@ func newSetCmd(logger *log.Logger) *cobra.Command {
 				return err
 			}
 
-			cfg := config.Get()
+			cfg, err := config.FileConfig()
+			if err != nil {
+				return fmt.Errorf("failed to read config: %w", err)
+			}
 			if err := applyConfigValue(cfg, key, value); err != nil {
 				return err
 			}