fix: redact sensitive tokens in tool summaries

2026-01-06 00:41:12 +01:00
parent 2ec9d75ac2
commit 8be168b180
10 changed files with 277 additions and 4 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,7 @@
 - Onboarding: resolve CLI entrypoint when running via `npx` so gateway daemon install works without a build step.
 - Linux: auto-attempt lingering during onboarding (try without sudo, fallback to sudo) and prompt on install/restart to keep the gateway alive after logout/idle. Thanks @tobiasbischoff for PR #237.
 - TUI: migrate key handling to the updated pi-tui Key matcher API.
+- Logging: redact sensitive tokens in verbose tool summaries by default (configurable patterns).
 - macOS: prefer gateway config reads/writes in local mode (fall back to disk if the gateway is unavailable).
 - macOS: local gateway now connects via tailnet IP when bind mode is `tailnet`/`auto`.
 - macOS: Connections settings now use a custom sidebar to avoid toolbar toggle issues, with rounded styling and full-width row hit targets.
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -141,6 +141,9 @@ Metadata written by CLI wizards (`onboard`, `configure`, `doctor`, `update`).
 - Console output can be tuned separately via:
  - `logging.consoleLevel` (defaults to `info`, bumps to `debug` when `--verbose`)
  - `logging.consoleStyle` (`pretty` | `compact` | `json`)
+- Tool summaries can be redacted to avoid leaking secrets:
+  - `logging.redactSensitive` (`off` | `tools`, default: `tools`)
+  - `logging.redactPatterns` (array of regex strings; overrides defaults)

 ```json5
 {
@@ -148,7 +151,13 @@ Metadata written by CLI wizards (`onboard`, `configure`, `doctor`, `update`).
    level: "info",
    file: "/tmp/clawdbot/clawdbot.log",
    consoleLevel: "info",
-    consoleStyle: "pretty"
+    consoleStyle: "pretty",
+    redactSensitive: "tools",
+    redactPatterns: [
+      // Example: override defaults with your own rules.
+      "\\bTOKEN\\b\\s*[=:]\\s*([\"']?)([^\\s\"']+)\\1",
+      "/\\bsk-[A-Za-z0-9_-]{8,}\\b/gi"
+    ]
  }
 }
 ```
--- a/docs/logging.md
+++ b/docs/logging.md
@@ -42,6 +42,17 @@ You can tune console verbosity independently via:
 - `logging.consoleLevel` (default `info`)
 - `logging.consoleStyle` (`pretty` | `compact` | `json`)

+## Tool summary redaction
+
+Verbose tool summaries (e.g. `🛠️ bash: ...`) can mask sensitive tokens before they hit the
+console stream. This is **tools-only** and does not alter file logs.
+
+- `logging.redactSensitive`: `off` | `tools` (default: `tools`)
+- `logging.redactPatterns`: array of regex strings (overrides defaults)
+  - Use raw regex strings (auto `gi`), or `/pattern/flags` if you need custom flags.
+  - Matches are masked by keeping the first 6 + last 4 chars (length >= 18), otherwise `***`.
+  - Defaults cover common key assignments, CLI flags, JSON fields, bearer headers, PEM blocks, and popular token prefixes.
+
 ## Gateway WebSocket logs

 The gateway prints WebSocket protocol logs in two modes:
--- a/src/agents/tool-display.ts
+++ b/src/agents/tool-display.ts
@@ -1,4 +1,5 @@
 import fs from "node:fs";
+import { redactToolDetail } from "../logging/redact.js";
 import { shortenHomeInString } from "../utils.js";

 type ToolDisplayActionSpec = {
@@ -193,7 +194,7 @@ export function resolveToolDisplay(params: {
 export function formatToolDetail(display: ToolDisplay): string | undefined {
  const parts: string[] = [];
  if (display.verb) parts.push(display.verb);
-  if (display.detail) parts.push(display.detail);
+  if (display.detail) parts.push(redactToolDetail(display.detail));
  if (parts.length === 0) return undefined;
  return parts.join(" · ");
 }
--- a/src/config/defaults.ts
+++ b/src/config/defaults.ts
@@ -142,6 +142,19 @@ export function applyModelAliasDefaults(cfg: ClawdbotConfig): ClawdbotConfig {
  };
 }

+export function applyLoggingDefaults(cfg: ClawdbotConfig): ClawdbotConfig {
+  const logging = cfg.logging;
+  if (!logging) return cfg;
+  if (logging.redactSensitive) return cfg;
+  return {
+    ...cfg,
+    logging: {
+      ...logging,
+      redactSensitive: "tools",
+    },
+  };
+}
+
 export function resetSessionDefaultsWarningForTests() {
  defaultWarnState = { warned: false };
 }
--- a/src/config/io.ts
+++ b/src/config/io.ts
@@ -10,6 +10,7 @@ import {
 } from "../infra/shell-env.js";
 import {
  applyIdentityDefaults,
+  applyLoggingDefaults,
  applyModelAliasDefaults,
  applySessionDefaults,
  applyTalkApiKey,
@@ -115,7 +116,9 @@ export function createConfigIO(overrides: ConfigIoDeps = {}) {
      }
      const cfg = applyModelAliasDefaults(
        applySessionDefaults(
-          applyIdentityDefaults(validated.data as ClawdbotConfig),
+          applyLoggingDefaults(
+            applyIdentityDefaults(validated.data as ClawdbotConfig),
+          ),
        ),
      );

@@ -201,7 +204,9 @@ export function createConfigIO(overrides: ConfigIoDeps = {}) {
        parsed: parsedRes.parsed,
        valid: true,
        config: applyTalkApiKey(
-          applyModelAliasDefaults(applySessionDefaults(validated.config)),
+          applyModelAliasDefaults(
+            applySessionDefaults(applyLoggingDefaults(validated.config)),
+          ),
        ),
        issues: [],
        legacyIssues,
--- a/src/config/types.ts
+++ b/src/config/types.ts
@@ -44,6 +44,10 @@ export type LoggingConfig = {
    | "debug"
    | "trace";
  consoleStyle?: "pretty" | "compact" | "json";
+  /** Redact sensitive tokens in tool summaries. Default: "tools". */
+  redactSensitive?: "off" | "tools";
+  /** Regex patterns used to redact sensitive tokens (defaults apply when unset). */
+  redactPatterns?: string[];
 };

 export type WebReconnectConfig = {
--- a/src/config/zod-schema.ts
+++ b/src/config/zod-schema.ts
@@ -330,6 +330,8 @@ export const ClawdbotSchema = z.object({
      consoleStyle: z
        .union([z.literal("pretty"), z.literal("compact"), z.literal("json")])
        .optional(),
+      redactSensitive: z.union([z.literal("off"), z.literal("tools")]).optional(),
+      redactPatterns: z.array(z.string()).optional(),
    })
    .optional(),
  browser: z
--- a/src/logging/redact.test.ts
+++ b/src/logging/redact.test.ts
@@ -0,0 +1,99 @@
+import { describe, expect, it } from "vitest";
+
+import { getDefaultRedactPatterns, redactSensitiveText } from "./redact.js";
+
+const defaults = getDefaultRedactPatterns();
+
+describe("redactSensitiveText", () => {
+  it("masks env assignments while keeping the key", () => {
+    const input = "OPENAI_API_KEY=sk-1234567890abcdef";
+    const output = redactSensitiveText(input, {
+      mode: "tools",
+      patterns: defaults,
+    });
+    expect(output).toBe("OPENAI_API_KEY=sk-123…cdef");
+  });
+
+  it("masks CLI flags", () => {
+    const input = "curl --token abcdef1234567890ghij https://api.test";
+    const output = redactSensitiveText(input, {
+      mode: "tools",
+      patterns: defaults,
+    });
+    expect(output).toBe("curl --token abcdef…ghij https://api.test");
+  });
+
+  it("masks JSON fields", () => {
+    const input = '{"token":"abcdef1234567890ghij"}';
+    const output = redactSensitiveText(input, {
+      mode: "tools",
+      patterns: defaults,
+    });
+    expect(output).toBe('{"token":"abcdef…ghij"}');
+  });
+
+  it("masks bearer tokens", () => {
+    const input = "Authorization: Bearer abcdef1234567890ghij";
+    const output = redactSensitiveText(input, {
+      mode: "tools",
+      patterns: defaults,
+    });
+    expect(output).toBe("Authorization: Bearer abcdef…ghij");
+  });
+
+  it("masks Telegram-style tokens", () => {
+    const input = "123456:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef";
+    const output = redactSensitiveText(input, {
+      mode: "tools",
+      patterns: defaults,
+    });
+    expect(output).toBe("123456…cdef");
+  });
+
+  it("redacts short tokens fully", () => {
+    const input = "TOKEN=shortvalue";
+    const output = redactSensitiveText(input, {
+      mode: "tools",
+      patterns: defaults,
+    });
+    expect(output).toBe("TOKEN=***");
+  });
+
+  it("redacts private key blocks", () => {
+    const input = [
+      "-----BEGIN PRIVATE KEY-----",
+      "ABCDEF1234567890",
+      "ZYXWVUT987654321",
+      "-----END PRIVATE KEY-----",
+    ].join("\n");
+    const output = redactSensitiveText(input, {
+      mode: "tools",
+      patterns: defaults,
+    });
+    expect(output).toBe(
+      [
+        "-----BEGIN PRIVATE KEY-----",
+        "…redacted…",
+        "-----END PRIVATE KEY-----",
+      ].join("\n"),
+    );
+  });
+
+  it("honors custom patterns with flags", () => {
+    const input = "token=abcdef1234567890ghij";
+    const output = redactSensitiveText(input, {
+      mode: "tools",
+      patterns: ["/token=([A-Za-z0-9]+)/i"],
+    });
+    expect(output).toBe("token=abcdef…ghij");
+  });
+
+  it("skips redaction when mode is off", () => {
+    const input = "OPENAI_API_KEY=sk-1234567890abcdef";
+    const output = redactSensitiveText(input, {
+      mode: "off",
+      patterns: defaults,
+    });
+    expect(output).toBe(input);
+  });
+});
--- a/src/logging/redact.ts
+++ b/src/logging/redact.ts
@@ -0,0 +1,128 @@
+import { loadConfig } from "../config/config.js";
+import type { LoggingConfig } from "../config/types.js";
+
+export type RedactSensitiveMode = "off" | "tools";
+
+const DEFAULT_REDACT_MODE: RedactSensitiveMode = "tools";
+const DEFAULT_REDACT_MIN_LENGTH = 18;
+const DEFAULT_REDACT_KEEP_START = 6;
+const DEFAULT_REDACT_KEEP_END = 4;
+
+const DEFAULT_REDACT_PATTERNS: string[] = [
+  // ENV-style assignments.
+  String.raw`\b[A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD|PASSWD)\b\s*[=:]\s*(["']?)([^\s"'\\]+)\1`,
+  // JSON fields.
+  String.raw`"(?:apiKey|token|secret|password|passwd|accessToken|refreshToken)"\s*:\s*"([^"]+)"`,
+  // CLI flags.
+  String.raw`--(?:api[-_]?key|token|secret|password|passwd)\s+(["']?)([^\s"']+)\1`,
+  // Authorization headers.
+  String.raw`Authorization\s*[:=]\s*Bearer\s+([A-Za-z0-9._\-+=]+)`,
+  String.raw`\bBearer\s+([A-Za-z0-9._\-+=]{18,})\b`,
+  // PEM blocks.
+  String.raw`-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]+?-----END [A-Z ]*PRIVATE KEY-----`,
+  // Common token prefixes.
+  String.raw`\b(sk-[A-Za-z0-9_-]{8,})\b`,
+  String.raw`\b(ghp_[A-Za-z0-9]{20,})\b`,
+  String.raw`\b(github_pat_[A-Za-z0-9_]{20,})\b`,
+  String.raw`\b(xox[baprs]-[A-Za-z0-9-]{10,})\b`,
+  String.raw`\b(xapp-[A-Za-z0-9-]{10,})\b`,
+  String.raw`\b(gsk_[A-Za-z0-9_-]{10,})\b`,
+  String.raw`\b(AIza[0-9A-Za-z\-_]{20,})\b`,
+  String.raw`\b(pplx-[A-Za-z0-9_-]{10,})\b`,
+  String.raw`\b(npm_[A-Za-z0-9]{10,})\b`,
+  String.raw`\b(\d{6,}:[A-Za-z0-9_-]{20,})\b`,
+];
+
+type RedactOptions = {
+  mode?: RedactSensitiveMode;
+  patterns?: string[];
+};
+
+function normalizeMode(value?: string): RedactSensitiveMode {
+  return value === "off" ? "off" : DEFAULT_REDACT_MODE;
+}
+
+function parsePattern(raw: string): RegExp | null {
+  if (!raw.trim()) return null;
+  const match = raw.match(/^\/(.+)\/([gimsuy]*)$/);
+  try {
+    if (match) {
+      const flags = match[2].includes("g") ? match[2] : `${match[2]}g`;
+      return new RegExp(match[1], flags);
+    }
+    return new RegExp(raw, "gi");
+  } catch {
+    return null;
+  }
+}
+
+function resolvePatterns(value?: string[]): RegExp[] {
+  const source = value?.length ? value : DEFAULT_REDACT_PATTERNS;
+  return source.map(parsePattern).filter((re): re is RegExp => Boolean(re));
+}
+
+function maskToken(token: string): string {
+  if (token.length < DEFAULT_REDACT_MIN_LENGTH) return "***";
+  const start = token.slice(0, DEFAULT_REDACT_KEEP_START);
+  const end = token.slice(-DEFAULT_REDACT_KEEP_END);
+  return `${start}…${end}`;
+}
+
+function redactPemBlock(block: string): string {
+  const lines = block.split(/\r?\n/).filter(Boolean);
+  if (lines.length < 2) return "***";
+  return `${lines[0]}\n…redacted…\n${lines[lines.length - 1]}`;
+}
+
+function redactMatch(match: string, groups: string[]): string {
+  if (match.includes("PRIVATE KEY-----")) return redactPemBlock(match);
+  const token =
+    groups
+      .filter((value) => typeof value === "string" && value.length > 0)
+      .at(-1) ?? match;
+  const masked = maskToken(token);
+  if (token === match) return masked;
+  return match.replace(token, masked);
+}
+
+function redactText(text: string, patterns: RegExp[]): string {
+  let next = text;
+  for (const pattern of patterns) {
+    next = next.replace(
+      pattern,
+      (...args: string[]) =>
+        redactMatch(args[0], args.slice(1, args.length - 2)),
+    );
+  }
+  return next;
+}
+
+function resolveConfigRedaction(): RedactOptions {
+  const cfg = loadConfig().logging;
+  return {
+    mode: normalizeMode(cfg?.redactSensitive),
+    patterns: cfg?.redactPatterns,
+  };
+}
+
+export function redactSensitiveText(
+  text: string,
+  options?: RedactOptions,
+): string {
+  if (!text) return text;
+  const resolved = options ?? resolveConfigRedaction();
+  if (normalizeMode(resolved.mode) === "off") return text;
+  const patterns = resolvePatterns(resolved.patterns);
+  if (!patterns.length) return text;
+  return redactText(text, patterns);
+}
+
+export function redactToolDetail(detail: string): string {
+  const resolved = resolveConfigRedaction();
+  if (normalizeMode(resolved.mode) !== "tools") return detail;
+  return redactSensitiveText(detail, resolved);
+}
+
+export function getDefaultRedactPatterns(): string[] {
+  return [...DEFAULT_REDACT_PATTERNS];
+}