security(tracker): sanitize provider probe error bodies before surfacing in DoctorReport #122

Closed
Copilot wants to merge 2 commits into main from copilot/sanitize-provider-error-bodies

Copilot AI commented Apr 20, 2026

DoctorReport provider probe failures were exposing raw provider error text (trimmed but unsanitized) in CheckDetail.Message. Some provider errors can echo sensitive request context (tokens, key fragments, request identifiers), creating downstream leak risk for logs/webhooks.

  • What changed

    • Added sanitizeProviderError(msg string) in tracker_doctor.go.
    • Applied sanitization in probeProvider for non-auth failures before trimErrMsg(..., 80) is used to build the public message.
    • Kept existing auth-failure behavior unchanged ("invalid or expired API key").
  • Sanitization coverage

    • Redacts bearer tokens (`******
    • Redacts API-key-like shapes (sk-ant-*, sk-*, AIza*).
    • Redacts common request ID patterns (request-id=..., req_...).
  • Targeted test additions

    • Added unit test for direct sanitization redaction coverage.
    • Added probe-path test ensuring non-auth provider errors are sanitized before being returned.
if err != nil {
    msg := err.Error()
    if isAuthError(msg) {
        return false, "invalid or expired API key"
    }
    return false, trimErrMsg(sanitizeProviderError(msg), 80)
}

Copilot AI changed the title [WIP] Sanitize provider error bodies in CheckDetail.Message security(tracker): sanitize provider probe error bodies before surfacing in DoctorReport Apr 20, 2026
Copilot AI requested a review from clintecker April 20, 2026 15:50
@clintecker clintecker requested a review from Copilot April 20, 2026 16:25
@clintecker clintecker marked this pull request as ready for review April 20, 2026 16:25
Copilot AI left a comment

Pull request overview

This PR reduces the risk of leaking sensitive credential material by sanitizing LLM provider probe error strings before they’re surfaced in DoctorReport check details/messages.

Changes:

  • Sanitize non-auth provider probe error messages via sanitizeProviderError(...) before trimming and returning them.
  • Add regex-based redaction rules for Bearer tokens, API-key-like strings, and request-id patterns.
  • Add unit tests covering direct sanitization and the probe-path behavior.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| tracker_doctor.go | Applies sanitization to provider probe errors and introduces regex-based redaction rules. |
| tracker_doctor_test.go | Adds tests validating redaction and that probeProvider returns sanitized messages. |

Comment thread tracker_doctor.go
re *regexp.Regexp
repl string
}{
{regexp.MustCompile(`(?i)\bBearer\s+[A-Za-z0-9._~+/=-]+\b`), "Bearer [REDACTED]"},
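
Review bot: the trailing `\b` on the Bearer rule in this line is the weak point: the class `[A-Za-z0-9._~+/=-]+` contains non-word characters, so for a token that ends in `=` or `-` the match backtracks to the last word character and those trailing characters stay in the output after `Bearer [REDACTED]`. Drop the trailing `\b` (the greedy class already stops at the first character outside it) and add a test with a padded token.
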
Copilot AI Apr 20, 2026

The Bearer-token sanitizer regex ends with a word-boundary (\b). If the token ends with '=' (common for base64/JWT padding), '\b' will not match and the token will remain unredacted. Consider replacing the trailing '\b' with a lookahead like (?=\s|$) (or otherwise anchoring on whitespace/end) so tokens ending in non-word characters are still sanitized, and add a unit test covering a Bearer token that ends with '='.

Suggested change
{regexp.MustCompile(`(?i)\bBearer\s+[A-Za-z0-9._~+/=-]+\b`), "Bearer [REDACTED]"},
{regexp.MustCompile(`(?i)\bBearer\s+[A-Za-z0-9._~+/=-]+(?=\s|$)`), "Bearer [REDACTED]"},
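
Review bot: the `(?=\s|$)` lookahead in the suggested line will not compile. Go's `regexp` package implements RE2 syntax, which has no lookahead, and `regexp.MustCompile` panics on an invalid pattern, so the sanitizer would fail as soon as this rule is compiled. Removing the trailing `\b` without adding a lookahead gives the intended effect.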

Comment thread tracker_doctor_test.go
}, "test-key")

if ok {
t.Fatal("expected auth probe to fail")
Copilot AI Apr 20, 2026

This test failure message says "expected auth probe to fail", but the test is specifically asserting the non-auth error path is sanitized. Updating the message to reflect the actual expectation will make failures easier to interpret.

Suggested change
t.Fatal("expected auth probe to fail")
t.Fatal("expected non-auth probe to fail")

Comment thread tracker_doctor.go
Comment on lines +349 to +350
{regexp.MustCompile(`(?i)\bBearer\s+[A-Za-z0-9._~+/=-]+\b`), "Bearer [REDACTED]"},
{regexp.MustCompile(`\bsk-ant-[A-Za-z0-9_-]+\b`), "[REDACTED_API_KEY]"},
Copilot AI Apr 20, 2026

PR description says Bearer tokens are redacted to "******", but the implementation replaces them with "Bearer [REDACTED]". Either align the description with the actual redaction format or adjust the replacement string so downstream users know what to expect.

@clintecker

Superseded by merged #113, which added sanitizeProviderError in tracker_doctor.go (redacts sk-ant-, sk-, AIza*, bearer tokens) and applies it in probeProvider before any error text lands in CheckDetail.Message. Round-4 review also fixed sanitize-before-trim ordering to prevent partial-key leaks. Closes issue #106 via #113.

@clintecker clintecker closed this Apr 20, 2026
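
The Bearer rule and the sanitize-before-trim ordering discussed in this thread, as an added example that is not the project's code. `redact`, `trim`, `re2Bearer`, the length-bounded `boundedKey` rule and both sample error strings are assumptions made for illustration; only `prBearer` and `suggestedBearer` are quoted from the page.

```go
package main

import (
	"fmt"
	"regexp"
)

// Patterns quoted on the page: the PR's rule and the review's suggested rule.
const (
	prBearer        = `(?i)\bBearer\s+[A-Za-z0-9._~+/=-]+\b`
	suggestedBearer = `(?i)\bBearer\s+[A-Za-z0-9._~+/=-]+(?=\s|$)`
	// Added alternative (assumption): no trailing \b; the greedy class ends the match.
	re2Bearer = `(?i)\bBearer\s+[A-Za-z0-9._~+/=-]+`
	// Assumed length-bounded key rule, to show why trimming must come last.
	boundedKey = `\bsk-[A-Za-z0-9_-]{20,}`
)

// redact compiles pattern with regexp.Compile (no panic) and applies it.
func redact(pattern, repl, msg string) (string, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return "", err
	}
	return re.ReplaceAllString(msg, repl), nil
}

// trim is a hypothetical byte-length truncation, standing in for the project's helper.
func trim(msg string, n int) string {
	if len(msg) > n {
		return msg[:n]
	}
	return msg
}

// Constructed sample errors; the token and key values are made up.
const (
	bearerErr = "upstream 500: Authorization: Bearer dG9rZW4tdmFsdWU= rejected"
	keyErr    = "upstream 500: key sk-EXAMPLEexampleEXAMPLEexample rejected"
)

func main() {
	for _, p := range []string{prBearer, suggestedBearer, re2Bearer} {
		out, err := redact(p, "Bearer [REDACTED]", bearerErr)
		fmt.Printf("%q err=%v\n", out, err)
	}
	early, _ := redact(boundedKey, "[REDACTED_API_KEY]", trim(keyErr, 30)) // trim first
	full, _ := redact(boundedKey, "[REDACTED_API_KEY]", keyErr)            // sanitize first
	fmt.Printf("%q\n%q\n", early, trim(full, 30))
}
```

Trimming first leaves a key fragment too short for the length-bounded rule to match, while sanitizing first replaces the whole key before truncation.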