fix: redact sensitive tokens in tool summaries

src/logging/redact.test.ts

@@ -0,0 +1,99 @@
+import { describe, expect, it } from "vitest";
+
+import { getDefaultRedactPatterns, redactSensitiveText } from "./redact.js";
+
+const defaults = getDefaultRedactPatterns();
+
+describe("redactSensitiveText", () => {
+  it("masks env assignments while keeping the key", () => {
+    const input = "OPENAI_API_KEY=sk-1234567890abcdef";
+    const output = redactSensitiveText(input, {
+      mode: "tools",
+      patterns: defaults,
+    });
+    expect(output).toBe("OPENAI_API_KEY=sk-123…cdef");
+  });
+
+  it("masks CLI flags", () => {
+    const input = "curl --token abcdef1234567890ghij https://api.test";
+    const output = redactSensitiveText(input, {
+      mode: "tools",
+      patterns: defaults,
+    });
+    expect(output).toBe("curl --token abcdef…ghij https://api.test");
+  });
+
+  it("masks JSON fields", () => {
+    const input = '{"token":"abcdef1234567890ghij"}';
+    const output = redactSensitiveText(input, {
+      mode: "tools",
+      patterns: defaults,
+    });
+    expect(output).toBe('{"token":"abcdef…ghij"}');
+  });
+
+  it("masks bearer tokens", () => {
+    const input = "Authorization: Bearer abcdef1234567890ghij";
+    const output = redactSensitiveText(input, {
+      mode: "tools",
+      patterns: defaults,
+    });
+    expect(output).toBe("Authorization: Bearer abcdef…ghij");
+  });
+
+  it("masks Telegram-style tokens", () => {
+    const input = "123456:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef";
+    const output = redactSensitiveText(input, {
+      mode: "tools",
+      patterns: defaults,
+    });
+    expect(output).toBe("123456…cdef");
+  });
+
+  it("redacts short tokens fully", () => {
+    const input = "TOKEN=shortvalue";
+    const output = redactSensitiveText(input, {
+      mode: "tools",
+      patterns: defaults,
+    });
+    expect(output).toBe("TOKEN=***");
+  });
+
+  it("redacts private key blocks", () => {
+    const input = [
+      "-----BEGIN PRIVATE KEY-----",
+      "ABCDEF1234567890",
+      "ZYXWVUT987654321",
+      "-----END PRIVATE KEY-----",
+    ].join("\n");
+    const output = redactSensitiveText(input, {
+      mode: "tools",
+      patterns: defaults,
+    });
+    expect(output).toBe(
+      [
+        "-----BEGIN PRIVATE KEY-----",
+        "…redacted…",
+        "-----END PRIVATE KEY-----",
+      ].join("\n"),
+    );
+  });
+
+  it("honors custom patterns with flags", () => {
+    const input = "token=abcdef1234567890ghij";
+    const output = redactSensitiveText(input, {
+      mode: "tools",
+      patterns: ["/token=([A-Za-z0-9]+)/i"],
+    });
+    expect(output).toBe("token=abcdef…ghij");
+  });
+
+  it("skips redaction when mode is off", () => {
+    const input = "OPENAI_API_KEY=sk-1234567890abcdef";
+    const output = redactSensitiveText(input, {
+      mode: "off",
+      patterns: defaults,
+    });
+    expect(output).toBe(input);
+  });
+});