Servers store the input parameters in disk, even if they are sensitive

[LMacchi]

If I run a task using mco:

$ mco tasks run my_tasks::sleep_with_pwd_ruby -I server123 --duration=5 --password=kitten123

A new dir is created in the target server, server123:

/opt/puppetlabs/mcollective/tasks-spool # ls d2cbca244f7259be9923669793949ca8
choria.json  exitcode  files  stderr  stdout  wrapper_pid  wrapper_stderr  wrapper_stdin  wrapper_stdout

And the password, even tho it is marked as sensitive in the metadata, is stored in 2 files:

/opt/puppetlabs/mcollective/tasks-spool # cat d2cbca244f7259be9923669793949ca8/wrapper_stdin | jq
{
  "executable": "/opt/puppetlabs/mcollective/tasks-spool/d2cbca244f7259be9923669793949ca8/files/my_tasks/tasks/sleep_with_pwd_ruby.rb",
  "arguments": [],
  "input": "{\"duration\":5,\"password\":\"kitten123\"}",
  "stdout": "/opt/puppetlabs/mcollective/tasks-spool/d2cbca244f7259be9923669793949ca8/stdout",
  "stderr": "/opt/puppetlabs/mcollective/tasks-spool/d2cbca244f7259be9923669793949ca8/stderr",
  "exitcode": "/opt/puppetlabs/mcollective/tasks-spool/d2cbca244f7259be9923669793949ca8/exitcode"
}
/opt/puppetlabs/mcollective/tasks-spool # cat d2cbca244f7259be9923669793949ca8/choria.json | jq
{
  "start_time": 1752186428,
  "caller": "choria=me.mcollective",
  "task": "my_tasks::sleep_with_pwd_ruby",
  "request": {
    "executable": "/opt/puppetlabs/mcollective/tasks-spool/d2cbca244f7259be9923669793949ca8/files/my_tasks/tasks/sleep_with_pwd_ruby.rb",
    "arguments": [],
    "input": "{\"duration\":5,\"password\":\"kitten123\"}",
    "stdout": "/opt/puppetlabs/mcollective/tasks-spool/d2cbca244f7259be9923669793949ca8/stdout",
    "stderr": "/opt/puppetlabs/mcollective/tasks-spool/d2cbca244f7259be9923669793949ca8/stderr",
    "exitcode": "/opt/puppetlabs/mcollective/tasks-spool/d2cbca244f7259be9923669793949ca8/exitcode"
  }
}

If I remove choria.json completely, I lose the ability to get the task status with mco tasks status, so my proposed solution is to, after task execution, change ['request']['input'] to {} in choria.json and remove wrapper_stdin.

I'm open to more complex ideas like editing only if the sensitive flag is set to true in the metadata file, but I haven't been able to figure out how to do that or if it's even possible.

[ripienaar]

I believe if you remove this the task wont be able to run at all, this json is passed to the wrapper right?

Sensitive or not isn't really a thing the wrapper support and this is just how Puppet works - PE does the same (the wrapper is the one PE uses)

[LMacchi]

PE never stores inputs, I actually checked. Associated MR: puppetlabs/pxp-agent#742

/opt/puppetlabs/pxp-agent # tree
.
├── modules
│   └── pxp-module-puppet
├── spool
│   └── 4692
│       ├── exitcode
│       ├── metadata
│       ├── pid
│       ├── stderr
│       └── stdout
└── tasks-cache
    └── af88f2f06d3ead9a147bb2264d8f62032656e8ddeb02faf9df77138faba72ba1
        └── sleep_with_pwd.sh

/opt/puppetlabs/pxp-agent # cat spool/4693/metadata | jq
{
  "requester": "pcp://puppet-server:8143/server",
  "module": "task",
  "action": "run",
  "request_params": "{}",
  "transaction_id": "4693",
  "request_id": "b468915c-e9d0-41b9-babf-bb9d057ff1df",
  "notify_outcome": true,
  "start": "2025-07-10T16:58:49.334241Z",
  "status": "success",
  "end": "2025-07-10T16:59:19.343953Z",
  "results_are_valid": true,
  "results": {
    "exitcode": 0,
    "stdout": "sleeping for 30 seconds...\ndone!\n"
  }
}

I am attempting to delete/edit inputs after the task already started executing -- so during the start of the task they're still available.