mirror of
https://github.com/moltbot/moltbot.git
synced 2026-03-07 22:44:16 +00:00
* fix(security): redact sensitive data in OTEL log exports (CWE-532)

The diagnostics-otel plugin exports ALL application logs to external OTLP collectors without filtering. This leaks API keys, tokens, and other sensitive data to third-party observability platforms.

Changes:
- Export redactSensitiveText from plugin-sdk for extension use
- Apply redaction to log messages before OTEL export
- Apply redaction to string attribute values
- Add tests for API key and token redaction

The existing redactSensitiveText function handles common patterns:
- API keys (sk-*, ghp_*, gsk_*, AIza*, etc.)
- Bearer tokens
- PEM private keys
- ENV-style assignments (KEY=value)
- JSON credential fields

Fixes #12542

* fix: also redact error/reason in trace spans

Address Greptile feedback:
- Redact evt.error in webhook.error span attributes and status
- Redact evt.reason in message.processed span attributes
- Redact evt.error in message.processed span status

* fix: handle undefined evt.error in type guard

* fix: redact session.state reason in OTEL metrics

Addresses Greptile feedback - session.state reason field now goes through redactSensitiveText() like message.processed reason.

* test(diagnostics-otel): update service context for stateDir API change

* OTEL diagnostics: redact sensitive values before export

* OTEL diagnostics tests: cover message, attribute, and session reason redaction

* Changelog: note OTEL sensitive-data redaction fix

* Changelog: move OTEL redaction entry to current unreleased

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
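The redaction step the commit describes (scrub the log body and every string attribute before anything reaches the OTLP exporter), as an added example that is not moltbot's own code: the rule list, the `redactSensitiveText` / `redactLogRecord` names and the `body` + `attributes` record shape are assumptions modelled on the pattern classes the message lists.

```typescript
// Added illustration of the redaction step the commit describes. This is not
// moltbot's own redactSensitiveText; the pattern list and the record shape
// (body + attributes) are assumptions modelled on the classes it names.
type Rule = [RegExp, string];

const RULES: Rule[] = [
  // PEM private key blocks (any "BEGIN ... PRIVATE KEY" variant)
  [/-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g, "[REDACTED_PEM]"],
  // Bearer tokens in Authorization headers or free text
  [/\bBearer\s+[A-Za-z0-9._~+\/=-]+/g, "Bearer [REDACTED]"],
  // Well-known API key prefixes (sk-, ghp_, gsk_, AIza)
  [/\b(?:sk-|ghp_|gsk_|AIza)[A-Za-z0-9_-]{8,}/g, "[REDACTED_KEY]"],
  // JSON credential fields, keeping the key name so the record stays debuggable
  [/("(?:api[_-]?key|token|password|secret)"\s*:\s*")[^"]*(")/gi, "$1[REDACTED]$2"],
  // ENV-style assignments such as DB_PASSWORD=hunter2 (runs last so it also
  // catches KEY=<marker> left behind by the rules above)
  [/\b([A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD))=\S+/g, "$1=[REDACTED]"],
];

// Apply every rule in order; replace() with a /g regex rewrites all matches.
function redactSensitiveText(text: string): string {
  return RULES.reduce((acc, [re, repl]) => acc.replace(re, repl), text);
}

// Minimal stand-in for an OTLP log record: a message body plus attributes.
interface LogRecord {
  body: string;
  attributes: Record<string, unknown>;
}

// Redact the body and every string-valued attribute before export; non-string
// attributes (numbers, booleans) are passed through unchanged.
function redactLogRecord(rec: LogRecord): LogRecord {
  const attributes: Record<string, unknown> = {};
  for (const [key, value] of Object.entries(rec.attributes)) {
    attributes[key] = typeof value === "string" ? redactSensitiveText(value) : value;
  }
  return { body: redactSensitiveText(rec.body), attributes };
}
```

The same `redactSensitiveText` call is what the later commits in this squash apply to span attributes and span status messages (evt.error, evt.reason); only the record shape differs.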