fix(triggers): mark shared block-level API keys user-only to protect trigger secrets

waleedlatif1 · waleedlatif1 · commit f5af963dd419 · 2026-06-26T18:42:09.000-07:00
The trigger credential fields (RevenueCat/Rootly apiKey, Twilio authToken) are
user-only, but the same-id tool-level block fields were not, so the stored
secret stayed reachable as an LLM-visible block parameter. Mark those block
credential fields paramVisibility 'user-only' too (matching instantly.ts) so the
secret is user-only on every path. accountSid is an identifier, not a secret, so
it is left as-is.
diff --git a/apps/sim/blocks/blocks/revenuecat.ts b/apps/sim/blocks/blocks/revenuecat.ts
@@ -41,6 +41,7 @@ export const RevenueCatBlock: BlockConfig<RevenueCatResponse> = {
       title: 'API Key',
       type: 'short-input',
       password: true,
+      paramVisibility: 'user-only',
       placeholder: 'Enter your RevenueCat API key',
       required: true,
     },
diff --git a/apps/sim/blocks/blocks/rootly.ts b/apps/sim/blocks/blocks/rootly.ts
@@ -1650,6 +1650,7 @@ export const RootlyBlock: BlockConfig<RootlyResponse> = {
       type: 'short-input',
       placeholder: 'Enter your Rootly API key',
       password: true,
+      paramVisibility: 'user-only',
       required: true,
     },
 
diff --git a/apps/sim/blocks/blocks/twilio.ts b/apps/sim/blocks/blocks/twilio.ts
@@ -44,6 +44,7 @@ export const TwilioSMSBlock: BlockConfig<TwilioSMSBlockOutput> = {
       type: 'short-input',
       placeholder: 'Your Twilio Auth Token',
       password: true,
+      paramVisibility: 'user-only',
       required: true,
     },
     {

Original file line number	Diff line number	Diff line change
`@@ -44,6 +44,7 @@ export const TwilioSMSBlock: BlockConfig<TwilioSMSBlockOutput> = {`
`44`	`44`	`type: 'short-input',`
`45`	`45`	`placeholder: 'Your Twilio Auth Token',`
`46`	`46`	`password: true,`
	`47`	`+ paramVisibility: 'user-only',`
`47`	`48`	`required: true,`
`48`	`49`	`},`
`49`	`50`	`{`