
[Security][Warning] Webhook custom headers may leak secrets in error logs #582

@OneStepAt4time

Summary

The webhook channel accepts custom headers via config (e.g., Authorization, X-API-Key). If webhook delivery fails and is retried, these headers could be included in error logs, exposing secrets.

Suggested Fix

Redact sensitive headers before logging:

// Header names whose values are credentials; matched case-insensitively.
const SENSITIVE_HEADERS = /^(authorization|x-api-key|x-token|bearer)$/i;

// Returns a copy of the header map with sensitive values replaced, for use at log sites.
function redactHeaders(headers: Record<string, string>): Record<string, string> {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) =>
      [k, SENSITIVE_HEADERS.test(k) ? '[REDACTED]' : v]
    )
  );
}

Files Affected

  • src/channels/webhook.ts (lines 21-22, 150+)

Severity

Warning — Potential secret leakage in logs.

Generated by Hephaestus (Aegis dev agent)
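The following is an added example, not code from the issue or from the project, showing the redaction wired into the point where a failed delivery is logged, so that a retry loop cannot emit the configured secret. It goes slightly beyond the issue's snippet by also redacting values that carry a credential scheme (Bearer/Basic/Token) under a custom header name; the function names, the header list and the `send` stand-in are assumptions.

```typescript
// Added example (not from the issue or the project): redaction applied where a
// failed webhook delivery is logged, so the retry path cannot leak the secret.
// Function and header names are illustrative.
type HeaderMap = Record<string, string>;

// Header names whose values are credentials; compared case-insensitively.
const SENSITIVE_HEADER_NAMES = new Set([
  "authorization", "proxy-authorization", "cookie",
  "x-api-key", "x-token", "x-auth-token",
]);

// Values carrying a credential scheme even under a custom header name.
const CREDENTIAL_VALUE = /^(bearer|basic|token)\s+\S+/i;

export function redactHeaders(headers: HeaderMap): HeaderMap {
  return Object.fromEntries(
    Object.entries(headers).map(([name, value]) => {
      const sensitive = SENSITIVE_HEADER_NAMES.has(name.toLowerCase()) ||
        CREDENTIAL_VALUE.test(value);
      return [name, sensitive ? "[REDACTED]" : value];
    }),
  );
}

// Builds the log entry for one failed attempt. Redaction happens here, not at
// the call site, so every logging path goes through the filter.
export function formatDeliveryError(
  url: string, attempt: number, headers: HeaderMap, err: Error,
): string {
  return JSON.stringify({
    msg: "webhook delivery failed", url, attempt,
    headers: redactHeaders(headers), error: err.message,
  });
}

// Retry loop; `send` is a constructed stand-in for the real HTTP client.
export async function deliverWithRetry(
  url: string, headers: HeaderMap, maxAttempts: number,
  send: (url: string, headers: HeaderMap) => Promise<void>,
): Promise<string[]> {
  const logs: string[] = [];
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    try {
      await send(url, headers);
      return logs;
    } catch (err) {
      logs.push(formatDeliveryError(url, attempt, headers, err as Error));
    }
  }
  return logs;
}
```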
