Description
The worker logs full request URLs including query parameters.
In index.ts:117:

```ts
console.log(`[REQ] ${c.req.method} ${url.pathname}${url.search}`);
```
CDP_SECRET is passed as a query parameter (not a header, as the docs state) and is getting logged in plain text.
(Related: Issue #84. README line 303 says "All endpoints require the CDP_SECRET header", but the code uses a query parameter (cdp.ts line 11); SKILL.md line 18 also says ?secret= in the URL.)
Would like to use this w/ external log aggregation services without CDP_SECRET getting collected.
Potential solution:
Redacting query parameters containing "secret" before logging:
```ts
const redactedUrl = url.pathname + (url.search ? '?[REDACTED]' : '');
console.log(`[REQ] ${c.req.method} ${redactedUrl}`);
```
Or maybe using a query param whitelist approach?
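
A sketch of the per-parameter variants mentioned above, added here as an example and not taken from the project's code: it parses the query string and redacts values either by a name denylist or by an allowlist, keeping parameter names visible for debugging. The function name `redactUrlForLog`, the name pattern, the allowlisted names and the sample URLs are all assumptions.

```typescript
// Added example, not project code. Names and patterns below are assumptions.
const SENSITIVE_NAME = /secret|token|password|key/i; // denylist: match on the parameter name
const ALLOWED_NAMES = new Set(["page", "limit"]);    // allowlist: hypothetical safe parameters

type RedactMode = "denylist" | "allowlist";

// Returns pathname plus a query string that is safe to log.
// Parsing with URL/URLSearchParams (rather than a regex over the raw string)
// means percent-encoded names such as "s%65cret" are decoded before matching.
function redactUrlForLog(rawUrl: string, mode: RedactMode = "denylist"): string {
  const url = new URL(rawUrl);
  const parts: string[] = [];
  url.searchParams.forEach((value, name) => {
    const hide =
      mode === "allowlist" ? !ALLOWED_NAMES.has(name) : SENSITIVE_NAME.test(name);
    const shown = hide ? "[REDACTED]" : encodeURIComponent(value);
    parts.push(`${encodeURIComponent(name)}=${shown}`);
  });
  return url.pathname + (parts.length > 0 ? "?" + parts.join("&") : "");
}

// Constructed sample request URL (host and path are placeholders).
const sample = "https://worker.example/cdp?secret=abc123&page=2";
console.log(`[REQ] GET ${redactUrlForLog(sample)}`);
```

The allowlist mode fails closed: a newly introduced parameter is redacted until someone adds its name to the set, whereas the denylist only covers names the pattern anticipates.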