Potential fix for code scanning alert no. 3: Clear-text logging of sensitive information#43

Merged
Michel Edkrantz (MichelEdkrantz) merged 1 commit into master from alert-autofix-3 on Feb 4, 2026

Conversation

@nissessenap
Contributor

Potential fix for https://github.com/annotell/kognic-auth-python/security/code-scanning/3

In general, to fix clear-text logging of sensitive data, you should avoid logging secrets at all, or log only non-sensitive metadata (for example, that credentials were successfully loaded, or the presence/absence of a client ID, but never the secret itself). When output is needed for debugging, you can either omit the sensitive fields or replace them with redacted placeholders.

In this file, the only problematic behavior is in the __main__ block:

if __name__ == "__main__":
    credentials = get_credentials_from_env()
    print(credentials)

The single best way to fix this without altering existing functional behavior elsewhere is to stop printing the credentials tuple directly. Instead, we can:

  • Keep the call to get_credentials_from_env() so that any side effects or validation still occur.
  • Print a safe, non-sensitive message indicating whether credentials were found, and optionally only show non-secret parts (e.g., a client ID) or even just a success message.
  • Ensure that the secret (client_secret) is never included in the output.

A minimal, backward-compatible pattern is:

if __name__ == "__main__":
    client_id, client_secret = get_credentials_from_env()
    print(f"Loaded credentials for client_id={client_id!r}")

This preserves the ability to verify that environment variables are wired correctly (client ID visible) while not exposing the secret. No new imports or helper functions are needed, and all changes are localized to the __main__ block in src/kognic/auth/credentials_parser.py.


Suggested fixes powered by Copilot Autofix. Review carefully before merging.
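The pattern the description recommends (keep the call, report only non-secret metadata, never emit the secret) can also be made the default rather than something each print site has to remember. The following is an added example written for this page; it is not code from the PR or from the kognic-auth-python project. It assumes hypothetical environment variable names (EXAMPLE_CLIENT_ID, EXAMPLE_CLIENT_SECRET), a constructed sample environment instead of real credentials, and adds a logging filter as a second layer that the PR itself does not include: a Credentials type whose repr()/str() exclude the secret, the same safe status message the PR prints, and a filter that scrubs any known secret value from log records that still interpolate it by mistake.

```python
import logging
import os
from dataclasses import dataclass, field
from typing import Iterable, Mapping, Optional

# Hypothetical environment variable names; the page does not state the
# project's real ones, so these are placeholders for the example.
ENV_CLIENT_ID = "EXAMPLE_CLIENT_ID"
ENV_CLIENT_SECRET = "EXAMPLE_CLIENT_SECRET"

REDACTED = "<redacted>"


@dataclass(frozen=True)
class Credentials:
    """Credential pair whose secret never appears in repr()/str() output.

    A plain (client_id, client_secret) tuple prints both values, which is the
    clear-text logging problem the PR fixes; excluding the secret from the
    generated repr makes an accidental print(credentials) safe by default.
    """

    client_id: str
    client_secret: str = field(repr=False)

    def __str__(self) -> str:
        return f"Credentials(client_id={self.client_id!r}, client_secret={REDACTED})"


def get_credentials_from_env(env: Optional[Mapping[str, str]] = None) -> Optional[Credentials]:
    """Read the credential pair from `env` (defaults to os.environ).

    Returns None when either value is missing, so callers can report
    presence/absence without ever touching the secret itself.
    """
    source = os.environ if env is None else env
    client_id = source.get(ENV_CLIENT_ID)
    client_secret = source.get(ENV_CLIENT_SECRET)
    if not client_id or not client_secret:
        return None
    return Credentials(client_id=client_id, client_secret=client_secret)


def describe_credentials(credentials: Optional[Credentials]) -> str:
    """Non-sensitive status line, the same shape as the message in the PR."""
    if credentials is None:
        return "No credentials found in environment"
    return f"Loaded credentials for client_id={credentials.client_id!r}"


def redact_secrets(text: str, secrets: Iterable[str]) -> str:
    """Replace every occurrence of each known secret value in `text`."""
    for secret in secrets:
        if secret:
            text = text.replace(secret, REDACTED)
    return text


class SecretRedactingFilter(logging.Filter):
    """Defence in depth for log output: scrub known secret values from every
    record before a handler formats it, covering code paths that still
    interpolate the secret into a message by mistake."""

    def __init__(self, secrets: Iterable[str]) -> None:
        super().__init__()
        self._secrets = [s for s in secrets if s]

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message with its args first so interpolated secrets are
        # caught, then store the scrubbed string as the final message.
        record.msg = redact_secrets(record.getMessage(), self._secrets)
        record.args = ()
        return True


def format_with_redaction(message: str, secrets: Iterable[str]) -> str:
    """Run one message through a logger fitted with the filter and return the
    formatted line, so the effect can be checked without a real handler."""
    logger = logging.getLogger("example.redaction")
    logger.filters.clear()
    logger.addFilter(SecretRedactingFilter(secrets))
    record = logger.makeRecord(logger.name, logging.INFO, __file__, 0, message, (), None)
    if not logger.filter(record):
        return ""
    return logging.Formatter("%(levelname)s %(message)s").format(record)


if __name__ == "__main__":
    # Constructed sample environment; these are not real credentials.
    sample_env = {ENV_CLIENT_ID: "client-123", ENV_CLIENT_SECRET: "s3cr3t-value"}
    creds = get_credentials_from_env(sample_env)
    print(describe_credentials(creds))  # safe: client ID only
    print(creds)  # safe: the secret is excluded from repr() and str()
```

The filter is deliberately keyed on the exact secret values loaded at startup rather than on a pattern, so it cannot miss a secret because of an unexpected format; the trade-off is that it only protects values the process already knows about, which is why the repr-level exclusion remains the primary control.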

…nsitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@MichelEdkrantz Michel Edkrantz (MichelEdkrantz) marked this pull request as ready for review February 4, 2026 13:55
@MichelEdkrantz Michel Edkrantz (MichelEdkrantz) merged commit 2634f40 into master Feb 4, 2026
11 checks passed
@MichelEdkrantz Michel Edkrantz (MichelEdkrantz) deleted the alert-autofix-3 branch February 4, 2026 13:56