From e4897092909f43d453b24046f6dc49489d9327b1 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 27 Apr 2026 17:57:05 +0000
Subject: [PATCH 1/3] Initial plan


From 30bfdb902332e193bc165c966abe1b215e1ff30b Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 27 Apr 2026 17:59:46 +0000
Subject: [PATCH 2/3] Plan: fix CodeQL clear-text storage alert in
 plugin_parser.py

Agent-Logs-Url: https://github.com/microsoft/apm/sessions/e20e0e96-4aa6-4cbf-a9fb-048be0898dbd

Co-authored-by: sergio-sisternes-epam <207026618+sergio-sisternes-epam@users.noreply.github.com>
---
 uv.lock | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/uv.lock b/uv.lock
index f50405677..8116b2828 100644
--- a/uv.lock
+++ b/uv.lock
@@ -179,7 +179,7 @@ wheels = [
 
 [[package]]
 name = "apm-cli"
-version = "0.9.4"
+version = "0.10.0"
 source = { editable = "." }
 dependencies = [
     { name = "click" },

From 976355e07c27bf7dbcc0e714e707ecdc7d40ba22 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 27 Apr 2026 18:00:54 +0000
Subject: [PATCH 3/3] fix: rename `token` to `placeholder` in
 _substitute_plugin_root to resolve CodeQL
 py/clear-text-storage-sensitive-data alert

The variable named `token` stored the template string "${CLAUDE_PLUGIN_ROOT}"
(a placeholder marker, not a secret). CodeQL's heuristic flagged the variable
name as sensitive data. Renaming to `placeholder` eliminates the false positive
with zero behavioral change.

Agent-Logs-Url: https://github.com/microsoft/apm/sessions/e20e0e96-4aa6-4cbf-a9fb-048be0898dbd

Co-authored-by: sergio-sisternes-epam <207026618+sergio-sisternes-epam@users.noreply.github.com>
---
 src/apm_cli/deps/plugin_parser.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/apm_cli/deps/plugin_parser.py b/src/apm_cli/deps/plugin_parser.py
index 8f9c37cac..7814cd1d3 100644
--- a/src/apm_cli/deps/plugin_parser.py
+++ b/src/apm_cli/deps/plugin_parser.py
@@ -276,14 +276,14 @@ def _substitute_plugin_root(
     servers: Dict[str, Any], abs_root: str, logger: logging.Logger
 ) -> Dict[str, Any]:
     """Replace ``${CLAUDE_PLUGIN_ROOT}`` in server config string values."""
-    token = "${CLAUDE_PLUGIN_ROOT}"
+    placeholder = "${CLAUDE_PLUGIN_ROOT}"
     substituted = False
 
     def _walk(obj: Any) -> Any:
         nonlocal substituted
-        if isinstance(obj, str) and token in obj:
+        if isinstance(obj, str) and placeholder in obj:
             substituted = True
-            return obj.replace(token, abs_root)
+            return obj.replace(placeholder, abs_root)
         if isinstance(obj, dict):
             return {k: _walk(v) for k, v in obj.items()}
         if isinstance(obj, list):