From 3cf1c6df11b1869390cb0d050522629f85b9b953 Mon Sep 17 00:00:00 2001
From: Scott Schreckengaust
Date: Tue, 12 May 2026 16:59:50 -0700
Subject: [PATCH] fix(security): redact common secret bearing key value patterns

Potential fix for code scanning alert: "Clear-text logging of sensitive information"

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 agent/src/server.py | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/agent/src/server.py b/agent/src/server.py
index 1dbca090..76715eef 100644
--- a/agent/src/server.py
+++ b/agent/src/server.py
@@ -12,6 +12,7 @@
 import contextlib as _ctx_for_debug
 import logging
 import os
+import re
 import threading
 import time as _time_for_debug
 import traceback
@@ -31,12 +32,27 @@
 def _redact_cached_credentials(text: str) -> str:
-    """Remove cached env secrets from debug text before stdout / CloudWatch."""
+    """Remove sensitive material from debug text before stdout / CloudWatch."""
     out = text
+
+    # 1) Redact exact cached secret values when present.
     for env_key in ("GITHUB_TOKEN", "LINEAR_API_TOKEN"):
         secret = os.environ.get(env_key) or ""
         if len(secret) >= 12:
             out = out.replace(secret, f"<{env_key}_REDACTED>")
+
+    # 2) Redact common secret-bearing key/value patterns.
+    secret_patterns = (
+        r"(?i)\b(github_token|linear_api_token|token|secret|api[_-]?key|password)\b\s*[:=]\s*([^\s,;]+)",
+        r"(?i)\b(authorization)\b\s*[:=]\s*(bearer\s+)?([^\s,;]+)",
+    )
+    for pattern in secret_patterns:
+        out = re.sub(
+            pattern,
+            lambda m: f"{m.group(1)}=",
+            out,
+        )
+
     return out
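Review bot: The key/value regexes in `secret_patterns` require the `:` or `=` to follow the key name with only whitespace in between, so a quoted key as in a JSON-style dump (`"token": "abc"`) never matches and its value reaches the log unredacted; allowing an optional quote around key and value, e.g. `r"(?i)\b(github_token|linear_api_token|token|secret|api[_-]?key|password)\b[\"']?\s*[:=]\s*[\"']?([^\s,;\"']+)"`, closes that gap, and the same applies to the `authorization` pattern. The replacement `lambda m: f"{m.group(1)}="` also leaves no marker, so a redacted field reads like a genuinely empty one, and it rewrites the `<{env_key}_REDACTED>` placeholder that step 1 just inserted, because that placeholder is itself matched by `[^\s,;]+`; `lambda m: f"{m.group(1)}=<REDACTED>"` keeps the output self-explaining and consistent with step 1. The tuple of pattern strings is rebuilt on every call; hoisting it to a module-level `re.compile` constant would make the intent clearer, though `re`'s pattern cache makes that a style point rather than a cost.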