Summary
Runner error messages and verbose CLI output can leak API keys and other secrets when commands fail. Add auto-redaction of known secret patterns (nvapi-*, bearer tokens, etc.) from all CLI output.
Identified during review of #390.
Scope
- Add a `redact()` helper to `bin/lib/runner.js` that masks known secret patterns
- Apply to all `run()` and `runCapture()` error output
- Apply to any verbose/debug logging that includes command strings
- Tests: verify known patterns are masked, verify non-secret strings are untouched