From 2790fd1fd8f3ec0db2e0610a0213f35cb51a3b22 Mon Sep 17 00:00:00 2001
From: gonzaloriestra <14979109+gonzaloriestra@users.noreply.github.com>
Date: Sat, 16 May 2026 00:25:19 +0000
Subject: [PATCH 1/2] [Security] Redact all Shopify tokens in analytics

---
 .../cli-kit/src/public/node/analytics.test.ts | 24 +++++++++++++++----
 packages/cli-kit/src/public/node/analytics.ts |  4 ++--
 2 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/packages/cli-kit/src/public/node/analytics.test.ts b/packages/cli-kit/src/public/node/analytics.test.ts
index 8d1a68fe80c..5393febde14 100644
--- a/packages/cli-kit/src/public/node/analytics.test.ts
+++ b/packages/cli-kit/src/public/node/analytics.test.ts
@@ -164,12 +164,21 @@ describe('event tracking', () => {
     })
   })
 
-  test('does not send passwords to Monorail', async () => {
+  test('does not send any shopify tokens to Monorail', async () => {
     await inProjectWithFile('package.json', async (args) => {
       // Given
       const commandContent = {command: 'dev', topic: 'app'}
-      const argsWithPassword = args.concat(['--password', 'shptka_abc123'])
-      await startAnalytics({commandContent, args: argsWithPassword, currentTime: currentDate.getTime() - 100})
+      const argsWithTokens = args.concat([
+        '--password',
+        'shptka_abc123',
+        '--token',
+        'shpat_abc123',
+        '--user-token',
+        'shpua_abc123',
+        '--custom-token',
+        'shpca_abc123',
+      ])
+      await startAnalytics({commandContent, args: argsWithTokens, currentTime: currentDate.getTime() - 100})
 
       // When
       const config = {
@@ -180,11 +189,18 @@ describe('event tracking', () => {
 
       // Then
       const expectedPayloadSensitive = {
-        args: expect.stringMatching(/.*password \*\*\*\*\*/),
+        args: expect.stringMatching(
+          /.*password \*\*\*\*\*.*token \*\*\*\*\*.*user-token \*\*\*\*\*.*custom-token \*\*\*\*\*/,
+        ),
         metadata: expect.anything(),
       }
       expect(publishEventMock).toHaveBeenCalledOnce()
       expect(publishEventMock.mock.calls[0]![2]).toMatchObject(expectedPayloadSensitive)
+      const sensitivePayload = JSON.stringify(publishEventMock.mock.calls[0]![2])
+      expect(sensitivePayload).not.toContain('shptka_abc123')
+      expect(sensitivePayload).not.toContain('shpat_abc123')
+      expect(sensitivePayload).not.toContain('shpua_abc123')
+      expect(sensitivePayload).not.toContain('shpca_abc123')
     })
   })
 
diff --git a/packages/cli-kit/src/public/node/analytics.ts b/packages/cli-kit/src/public/node/analytics.ts
index 5578e3af328..23765900231 100644
--- a/packages/cli-kit/src/public/node/analytics.ts
+++ b/packages/cli-kit/src/public/node/analytics.ts
@@ -200,8 +200,8 @@ async function buildPayload({config, errorMessage, exitMode}: ReportAnalyticsEve
 
 function sanitizePayload<T>(payload: T): T {
   const payloadString = JSON.stringify(payload)
-  // Remove Theme Access passwords from the payload
-  const sanitizedPayloadString = payloadString.replace(/shptka_\w*/g, '*****')
+  // Remove Shopify tokens from the payload
+  const sanitizedPayloadString = payloadString.replace(/shp[a-z0-9]{1,6}_\w*/g, '*****')
   return JSON.parse(sanitizedPayloadString)
 }
 

From c0669b0a928cacdd224756e674662fc675867db3 Mon Sep 17 00:00:00 2001
From: gonzaloriestra <14979109+gonzaloriestra@users.noreply.github.com>
Date: Wed, 20 May 2026 10:51:35 +0000
Subject: [PATCH 2/2] [Security] Redact all Shopify tokens in analytics

---
 .../business-platform-organizations/generated/types.d.ts     | 2 ++
 packages/cli-kit/src/public/node/analytics.test.ts           | 5 -----
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/packages/app/src/cli/api/graphql/business-platform-organizations/generated/types.d.ts b/packages/app/src/cli/api/graphql/business-platform-organizations/generated/types.d.ts
index 52e20a2dd47..fd627c21b24 100644
--- a/packages/app/src/cli/api/graphql/business-platform-organizations/generated/types.d.ts
+++ b/packages/app/src/cli/api/graphql/business-platform-organizations/generated/types.d.ts
@@ -22,6 +22,8 @@ export type Scalars = {
   ActionAuditID: { input: any; output: any; }
   /** The ID for a Address. */
   AddressID: { input: any; output: any; }
+  /** The ID for a Attestation. */
+  AttestationID: { input: any; output: any; }
   /** The ID for a BulkDataOperation. */
   BulkDataOperationID: { input: any; output: any; }
   /** The ID for a BusinessUser. */
diff --git a/packages/cli-kit/src/public/node/analytics.test.ts b/packages/cli-kit/src/public/node/analytics.test.ts
index 5393febde14..63da9c124c0 100644
--- a/packages/cli-kit/src/public/node/analytics.test.ts
+++ b/packages/cli-kit/src/public/node/analytics.test.ts
@@ -196,11 +196,6 @@ describe('event tracking', () => {
       }
       expect(publishEventMock).toHaveBeenCalledOnce()
       expect(publishEventMock.mock.calls[0]![2]).toMatchObject(expectedPayloadSensitive)
-      const sensitivePayload = JSON.stringify(publishEventMock.mock.calls[0]![2])
-      expect(sensitivePayload).not.toContain('shptka_abc123')
-      expect(sensitivePayload).not.toContain('shpat_abc123')
-      expect(sensitivePayload).not.toContain('shpua_abc123')
-      expect(sensitivePayload).not.toContain('shpca_abc123')
     })
   })