brandonwise 7fab4d128a fix(security): redact sensitive data in OTEL log exports (CWE-532) (#18182) ... * fix(security): redact sensitive data in OTEL log exports (CWE-532) The diagnostics-otel plugin exports ALL application logs to external OTLP collectors without filtering. This leaks API keys, tokens, and other sensitive data to third-party observability platforms. Changes: - Export redactSensitiveText from plugin-sdk for extension use - Apply redaction to log messages before OTEL export - Apply redaction to string attribute values - Add tests for API key and token redaction The existing redactSensitiveText function handles common patterns: - API keys (sk-*, ghp_*, gsk_*, AIza*, etc.) - Bearer tokens - PEM private keys - ENV-style assignments (KEY=value) - JSON credential fields Fixes #12542 * fix: also redact error/reason in trace spans Address Greptile feedback: - Redact evt.error in webhook.error span attributes and status - Redact evt.reason in message.processed span attributes - Redact evt.error in message.processed span status * fix: handle undefined evt.error in type guard * fix: redact session.state reason in OTEL metrics Addresses Greptile feedback - session.state reason field now goes through redactSensitiveText() like message.processed reason. * test(diagnostics-otel): update service context for stateDir API change * OTEL diagnostics: redact sensitive values before export * OTEL diagnostics tests: cover message, attribute, and session reason redaction * Changelog: note OTEL sensitive-data redaction fix * Changelog: move OTEL redaction entry to current unreleased --------- Co-authored-by: Vincent Koc <vincentkoc@ieee.org>		2026-02-23 01:35:32 -05:00
..
account-id.ts	perf(test): avoid plugin-sdk barrel imports	2026-02-14 12:42:19 +00:00
agent-media-payload.ts	refactor(plugin-sdk): add shared helper utilities	2026-02-15 19:37:40 +00:00
allow-from.test.ts	refactor(security): remove unused empty allowlist mode	2026-02-21 19:57:36 +01:00
allow-from.ts	refactor(security): remove unused empty allowlist mode	2026-02-21 19:57:36 +01:00
command-auth.ts	fix: enforce strict allowlist across pairing stores (#23017)	2026-02-22 00:00:23 +01:00
config-paths.ts	refactor(zalo): share outbound chunker	2026-02-15 01:15:43 +00:00
file-lock.ts	refactor: dedupe process-scoped lock maps	2026-02-17 00:45:02 +00:00
index.test.ts	…
index.ts	fix(security): redact sensitive data in OTEL log exports (CWE-532) (#18182)	2026-02-23 01:35:32 -05:00
json-store.ts	refactor(core): dedupe shared config and runtime helpers	2026-02-16 14:59:30 +00:00
onboarding.ts	style: align formatting with oxfmt 0.33	2026-02-18 01:34:35 +00:00
persistent-dedupe.test.ts	refactor(plugin-sdk): unify channel dedupe primitives	2026-02-22 10:46:34 +01:00
persistent-dedupe.ts	refactor(plugin-sdk): unify channel dedupe primitives	2026-02-22 10:46:34 +01:00
provider-auth-result.ts	refactor(plugin-sdk): add shared helper utilities	2026-02-15 19:37:40 +00:00
slack-message-actions.ts	style: align formatting with oxfmt 0.33	2026-02-18 01:34:35 +00:00
status-helpers.test.ts	test: cover plugin status helper branches	2026-02-19 15:09:19 +00:00
status-helpers.ts	refactor(plugin-sdk): add shared helper utilities	2026-02-15 19:37:40 +00:00
temp-path.test.ts	refactor(security): harden temp-path handling for inbound media	2026-02-19 14:06:37 +01:00
temp-path.ts	refactor(security): harden temp-path handling for inbound media	2026-02-19 14:06:37 +01:00
text-chunking.test.ts	refactor(shared): reuse outbound text chunking core	2026-02-19 07:01:54 +00:00
text-chunking.ts	refactor(shared): reuse outbound text chunking core	2026-02-19 07:01:54 +00:00
tool-send.ts	refactor(core): dedupe shared config and runtime helpers	2026-02-16 14:59:30 +00:00
webhook-path.ts	refactor(plugin-sdk): add shared helper utilities	2026-02-15 19:37:40 +00:00
webhook-targets.test.ts	test: dedupe channel and transport adapters	2026-02-21 21:44:01 +00:00
webhook-targets.ts	refactor(security): unify webhook auth matching paths	2026-02-21 11:52:34 +01:00