fix: Finish credential redaction that was merged unfinished (#13073)

* Squash * Removed unused files Not mine, someone merged that stuff in earlier. * fix: patch redaction regressions and schema breakages --------- Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-05-06 14:01:35 +00:00 · 2026-02-13 16:19:21 +01:00
parent faec6ccb1d
commit 96318641d8
18 changed files with 1641 additions and 1291 deletions
--- a/src/config/zod-schema.providers-core.ts
+++ b/src/config/zod-schema.providers-core.ts
@@ -20,6 +20,7 @@ import {
  RetryConfigSchema,
  requireOpenAllowFrom,
 } from "./zod-schema.core.js";
+import { sensitive } from "./zod-schema.sensitive.js";

 const ToolPolicyBySenderSchema = z.record(z.string(), ToolPolicySchema).optional();

@@ -97,7 +98,7 @@ export const TelegramAccountSchemaBase = z
    customCommands: z.array(TelegramCustomCommandSchema).optional(),
    configWrites: z.boolean().optional(),
    dmPolicy: DmPolicySchema.optional().default("pairing"),
-    botToken: z.string().optional(),
+    botToken: z.string().optional().register(sensitive),
    tokenFile: z.string().optional(),
    replyToMode: ReplyToModeSchema.optional(),
    groups: z.record(z.string(), TelegramGroupSchema.optional()).optional(),
@@ -124,7 +125,7 @@ export const TelegramAccountSchemaBase = z
      .optional(),
    proxy: z.string().optional(),
    webhookUrl: z.string().optional(),
-    webhookSecret: z.string().optional(),
+    webhookSecret: z.string().optional().register(sensitive),
    webhookPath: z.string().optional(),
    actions: z
      .object({
@@ -263,7 +264,7 @@ export const DiscordAccountSchema = z
    enabled: z.boolean().optional(),
    commands: ProviderCommandsSchema,
    configWrites: z.boolean().optional(),
-    token: z.string().optional(),
+    token: z.string().optional().register(sensitive),
    allowBots: z.boolean().optional(),
    groupPolicy: GroupPolicySchema.optional().default("allowlist"),
    historyLimit: z.number().int().min(0).optional(),
@@ -324,7 +325,7 @@ export const DiscordAccountSchema = z
    pluralkit: z
      .object({
        enabled: z.boolean().optional(),
-        token: z.string().optional(),
+        token: z.string().optional().register(sensitive),
      })
      .strict()
      .optional(),
@@ -463,16 +464,16 @@ export const SlackAccountSchema = z
  .object({
    name: z.string().optional(),
    mode: z.enum(["socket", "http"]).optional(),
-    signingSecret: z.string().optional(),
+    signingSecret: z.string().optional().register(sensitive),
    webhookPath: z.string().optional(),
    capabilities: z.array(z.string()).optional(),
    markdown: MarkdownConfigSchema,
    enabled: z.boolean().optional(),
    commands: ProviderCommandsSchema,
    configWrites: z.boolean().optional(),
-    botToken: z.string().optional(),
-    appToken: z.string().optional(),
-    userToken: z.string().optional(),
+    botToken: z.string().optional().register(sensitive),
+    appToken: z.string().optional().register(sensitive),
+    userToken: z.string().optional().register(sensitive),
    userTokenReadOnly: z.boolean().optional().default(true),
    allowBots: z.boolean().optional(),
    requireMention: z.boolean().optional(),
@@ -521,7 +522,7 @@ export const SlackAccountSchema = z

 export const SlackConfigSchema = SlackAccountSchema.extend({
  mode: z.enum(["socket", "http"]).optional().default("socket"),
-  signingSecret: z.string().optional(),
+  signingSecret: z.string().optional().register(sensitive),
  webhookPath: z.string().optional().default("/slack/events"),
  accounts: z.record(z.string(), SlackAccountSchema.optional()).optional(),
 }).superRefine((value, ctx) => {
@@ -641,7 +642,7 @@ export const IrcNickServSchema = z
  .object({
    enabled: z.boolean().optional(),
    service: z.string().optional(),
-    password: z.string().optional(),
+    password: z.string().optional().register(sensitive),
    passwordFile: z.string().optional(),
    register: z.boolean().optional(),
    registerEmail: z.string().optional(),
@@ -661,7 +662,7 @@ export const IrcAccountSchemaBase = z
    nick: z.string().optional(),
    username: z.string().optional(),
    realname: z.string().optional(),
-    password: z.string().optional(),
+    password: z.string().optional().register(sensitive),
    passwordFile: z.string().optional(),
    nickserv: IrcNickServSchema.optional(),
    channels: z.array(z.string()).optional(),
@@ -822,7 +823,7 @@ export const BlueBubblesAccountSchemaBase = z
    configWrites: z.boolean().optional(),
    enabled: z.boolean().optional(),
    serverUrl: z.string().optional(),
-    password: z.string().optional(),
+    password: z.string().optional().register(sensitive),
    webhookPath: z.string().optional(),
    dmPolicy: DmPolicySchema.optional().default("pairing"),
    allowFrom: z.array(BlueBubblesAllowFromEntry).optional(),
@@ -893,7 +894,7 @@ export const MSTeamsConfigSchema = z
    markdown: MarkdownConfigSchema,
    configWrites: z.boolean().optional(),
    appId: z.string().optional(),
-    appPassword: z.string().optional(),
+    appPassword: z.string().optional().register(sensitive),
    tenantId: z.string().optional(),
    webhook: z
      .object({