Spaces:

riazmo
/

Design-System-Automation

Sleeping

riazmo Claude Opus 4.6 commited on Mar 7

Commit

412b593

1 Parent(s): 37d8fe2

security: stop exposing HF token in public UI

- Never pre-fill the token textbox with env variable value
- Show 'Token loaded from environment' as placeholder instead
- Internal inference still uses the env token

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Files changed (1) hide show

app.py +3 -3

app.py CHANGED Viewed

@@ -4503,11 +4503,11 @@ def create_ui():
                         elem_classes=["section-desc"])
             with gr.Row():
                 hf_token_input = gr.Textbox(
-                    label="HF Token", placeholder="hf_xxxx", type="password",
-                    scale=4, value=HF_TOKEN_FROM_ENV,
                 )
                 save_token_btn = gr.Button("💾 Save", scale=1)
-            token_status = gr.Markdown("✅ Token loaded" if HF_TOKEN_FROM_ENV else "⏳ Enter token")
             def save_token(token):
                 if token and len(token) > 10:

                         elem_classes=["section-desc"])
             with gr.Row():
                 hf_token_input = gr.Textbox(
+                    label="HF Token", placeholder="hf_xxxx" if not HF_TOKEN_FROM_ENV else "Token loaded from environment",
+                    type="password", scale=4, value="",
                 )
                 save_token_btn = gr.Button("💾 Save", scale=1)
+            token_status = gr.Markdown("✅ Token loaded from environment" if HF_TOKEN_FROM_ENV else "⏳ Enter token")
             def save_token(token):
                 if token and len(token) > 10: