fix(mt#1181): harden MCP bridge — debug coercion + sensitive-log redaction

[minsky-ai]

Summary

Two pre-existing hardening findings from minsky-reviewer on PR #732 (mt#1174), filed as mt#1181.

1. Debug flag string-truthy coercion

ctx.debug was populated via Boolean(args?.debug) from raw unvalidated MCP args. Boolean("false") is true, so a client serializing booleans as strings would unexpectedly enable debug mode. ctx.debug controls whether error stack traces are attached to MCP responses (response-formatters.ts:135,157), so the bug leaked internal paths / library versions over the wire.

Fix: explicit check accepting only real boolean true or the literal string "true":

debug: args?.debug === true || args?.debug === "true",

2. Sensitive parameter logging

Six log.debug calls in the bridge logged full args, filteredArgs, parameters, and context on every MCP invocation. Shared commands accept credentials (config_set github.token, ai.providers.*.apiKey, sessiondb.connectionString); at any consumer with debug logging enabled, those values shipped to log sinks verbatim.

Fix: redaction via a new shared util.

• src/utils/redaction.ts — SENSITIVE_KEY_PATTERNS (token, apiKey, password, secret, key, connectionString), isSensitiveKey, redact (recursive, immutable, circular-ref-safe via WeakSet)
• src/adapters/shared/commands/config/helpers.ts — consumes the shared pattern list (single source of truth)
• src/adapters/mcp/shared-command-integration.ts — every log.debug payload wrapped with redact() (six call sites: args, context, filteredArgs, parameters, bare parameters, bare context)

Changes (3 commits)

1. feat(mt#1181): add shared redaction util for sensitive keys — redaction.ts + 14 unit tests covering case-insensitive matching, nested objects, arrays, primitives, circular refs, immutability
2. refactor(mt#1181): consume shared redaction patterns in config helpers — config/helpers.ts imports SENSITIVE_KEY_PATTERNS
3. fix(mt#1181): harden debug flag coercion and redact sensitive logs in MCP bridge — bridge fixes + 5 new tests

Test plan

bun test --preload ./tests/setup.ts --timeout=15000 src/adapters/mcp src/utils
56 pass / 0 fail / 303 expect() calls

New mt#1181 tests cover: debug: "false" → ctx.debug === false; debug: true and debug: "true" → ctx.debug === true; sensitive keys (token, apiKey) redacted across all six log.debug sites; non-sensitive values pass through (regression guard).

Out of scope

• Line 161's args?.json handling — was intentionally deferred per spec; mt#1174 has since landed and hardcoded format: "json", making the original adjacent concern moot
• Broader logging architecture (no new log levels, no filter/sink config)
• Other MCP adapters

Attribution

Spec patched and first two commits dispatched via a Sonnet implementer subagent under Claude Code; subagent hit a usage limit mid-third-commit after landing the redaction util and config consumer. Main agent (Opus, Claude Code, 1M context) finished the remaining four log.debug redactions and authored the five mt#1181 test cases. PR description was authored by Opus to match the actually-shipped code (the subagent's earlier auto-generated description referenced an export name and key-pattern set that were not what landed).

[minsky-reviewer]

Independent adversarial review (Chinese-wall)
Reviewer: minsky-reviewer[bot] via openai:gpt-5
Tier: unknown

---

Findings

[BLOCKING] src/utils/redaction.ts:18-28 — Overbroad “key” pattern causes excessive redaction, contradicting PR description

• Evidence: SENSITIVE_KEY_PATTERNS includes the literal "key" and is used via isSensitiveKey as a case-insensitive substring match.
• Failure mode: Any property name containing “key” anywhere (e.g., monkey, keyboard, turkey, whiskey, surveyKeyPath, keyPath, hotkey, LockKey) will be redacted to “[REDACTED]”, materially degrading observability and making logs far less useful.
• Spec mismatch: The PR description claims patterns like token/secret/password/*_key/*Key/apiKey/authorization. The implementation uses a generic substring "key", which is far broader than *_key or *Key and will redact non-credential fields.
• Impacted call sites: src/adapters/mcp/shared-command-integration.ts: start-of-handler args, context, filteredArgs, parameters, and “Parameters being passed” all pass through redact(), so the overbroad rule will propagate into all MCP debug logs.

[BLOCKING] src/adapters/shared/commands/config/helpers.ts:66-71 — Case sensitivity inconsistency leads to missed masking in config “effective values”

• Evidence: isSensitivePath uses SENSITIVE_KEY_PATTERNS.some((pattern) => path.includes(pattern)) without lowercasing path or pattern. In contrast, isSensitiveKey in redaction.ts does a case-insensitive comparison.
• Failure mode: Paths like "github.Token", "ai.providers.OpenAI.apiKEY", or "SESSIONDB.ConnectionString" will not be masked in effective values output, creating a regression in secrecy handling relative to redaction’s case-insensitive logic.
• System-level incoherence: Two different components now disagree on which keys are sensitive. Debug logs may be redacted while effective-values outputs are not (or vice versa), surprising operators.

[NON-BLOCKING] src/adapters/mcp/shared-command-integration.ts:186 — Debug coercion is too strict; may break existing clients

• Evidence: debug is set via args?.debug === true || args?.debug === "true".
• Failure mode: Clients that previously sent 1, "1", "True"/"TRUE", or other truthy variants will no longer enable debug. The added tests only cover true and "true".
• Recommendation: Consider normalizing string values case-insensitively and/or accepting 1/"1". If you intentionally narrowed semantics, update docs and changelog.

[NON-BLOCKING] src/utils/redaction.ts:40-75 — Shared-reference handling collapses duplicate references to “[Circular]”

• Evidence: A single WeakSet tracks visited objects and arrays. Re-visiting the same object (shared reference in an otherwise acyclic graph) will be treated as “circular” and collapsed to “[Circular]”.
• Failure mode: Logs lose structure and detail for shared objects even when no cycle exists, potentially obscuring useful info.
• Recommendation: Track a path stack or use a Map<object, clone> to preserve shared references while still breaking true cycles.

[NON-BLOCKING] src/adapters/mcp/shared-command-integration.ts:214-219, 235-236 — Inconsistent log meta shapes can hinder downstream log processing

• Evidence: Some debug calls wrap meta fields (e.g., { parameters: redact(parameters) }), others pass the redacted object directly (redact(parameters)). This changes the shape of the structured metadata between lines.
• Failure mode: If log processors or dashboards expect consistent keys, this inconsistency complicates analysis.
• Recommendation: Standardize on a uniform meta envelope across all calls.

[NON-BLOCKING] src/adapters/mcp/shared-command-integration.ts:185-236 — Performance/observability risk: redacting entire context (including DI container)

• Evidence: log.debug includes context: redact(context). The context contains container: config.container, which may be a large, complex, and potentially circular graph.
• Failure mode: Redaction will deep-walk large structures on hot paths, adding log overhead; also, logs will emit many “[Circular]” sentinels, reducing utility.
• Recommendation: Log a minimal, explicit subset of context (e.g., interface, format, debug, and a container identifier), not the entire container.

[NON-BLOCKING] Tests do not cover helpers.ts masking behavior after switching to SENSITIVE_KEY_PATTERNS

• Evidence: New tests cover redaction.ts and MCP bridge logging/coercion only. There are no tests asserting maskCredentialsInEffectiveValues() behavior with mixed-case key paths or that it still masks the intended keys after the refactor.
• Risk: Silent regression in config-related outputs.

Spec verification table

• Debug flag coercion hardened (true/"true"; "false" string) — Met as implemented and tested, but note stricter semantics than prior behavior.
• Sensitive parameter redaction in MCP logs — Met for the added call sites; however, the pattern set is overbroad as implemented and inconsistent across modules (see blocking findings).
• New tests: debug coercion and basic redaction behavior — Met.

Documentation impact

• Update logging/redaction policy to define the canonical sensitive key patterns and their matching rules (case sensitivity, word boundaries vs substrings, *_key conventions).
• Document the new debug flag semantics (only boolean true or the lowercase string "true" enables debug), including any backward-compatibility notes.
• Consider adding an ADR or architecture note on redaction usage guidelines (avoid logging entire containers; prefer whitelisting fields).

Conclusion

REQUEST_CHANGES

Blocking issues:

• Overbroad redaction pattern "key" contradicts the PR description and will excessively mask non-sensitive fields.
• Case-sensitivity mismatch in helpers.ts leads to inconsistent/missed masking in effective-values output.

Please address these before merge. The non-blocking items are recommendations to improve robustness, consistency, and performance.

[minsky-reviewer]

Independent adversarial review (Chinese-wall)
Reviewer: minsky-reviewer[bot] via openai:gpt-5
Tier: unknown

---

Findings

[BLOCKING] src/utils/redaction.ts:19-27 — Over-broad redaction pattern “key”

• Evidence: SENSITIVE_KEY_PATTERNS includes the bare substring "key".
• Failure mode: isSensitiveKey performs case-insensitive substring matching over object keys. This will redact values for any key name that merely contains "key" anywhere (e.g., "hotkey", "monkey", "turkey", "keyboard", "whiskey"), and, more importantly, arbitrary business fields like "marketKey", "hockeyTeamKey", or internal IDs that happen to include "key". In MCP logs this can eliminate high-signal, non-secret diagnostics unexpectedly.
• Impact: Silent observability regression across all log sites now using redact(), and also any future consumer of SENSITIVE_KEY_PATTERNS (e.g., config helpers). This is not just conservative — it’s misleading and can hide values that are not credentials.
• Ask: Narrow the match rules to credential-like keys only. Typical sets: ["token","password","secret","apiKey","authorization","accessToken","clientSecret","privateKey","connectionString"] and match on exact keys or well-known suffix/prefix patterns (e.g., endsWith("Key"), equalsIgnoreCase("api_key")). At minimum, remove the plain "key" substring.

[BLOCKING] src/adapters/mcp/shared-command-integration.ts:186-193 and 235-236 — Serializing/redacting entire execution context (including container) risks huge payloads, performance hits, and leakage

• Evidence: log.debug([MCP] Created execution context: ${command.id}, { context: redact(context) }); and later log.debug([MCP] Context being passed:, { context: redact(context) });
• Failure mode: context.container is a DI container instance. redact(context) recursively walks objects/arrays, cloning properties. For container objects this can be:
  • Extremely large to traverse and serialize
  • Contain circular references (partially handled with "[Circular]" but still costly)
  • Hold non-serializable values or sensitive internal state not meant for logs
• Impact: Performance degradation and excessively noisy logs; potential to leak unexpected metadata before being replaced by "[Circular]" (getters may execute during Object.entries). This doubles up because the same redacted context is logged twice.
• Ask: Do not pass the DI container through redact/log at all. Log a minimal, whitelisted subset of context (e.g., { interface, format, debug }) and omit container entirely.

[NON-BLOCKING] src/adapters/mcp/shared-command-integration.ts:186 — Debug flag parsing is now overly strict/case-sensitive and may cause regressions

• Evidence: debug: args?.debug === true || args?.debug === "true"
• Failure mode: Former behavior accepted any truthy including "1", 1, "TRUE", "True", etc. The change only enables debug for boolean true or the exact lowercase string "true", silently ignoring "TRUE"/"True"/1/"1"/"yes".
• Impact: Behavior change not documented. If upstream MCP client sends "TRUE" or numeric 1 (common from UI switches or env var coercion), debug will no longer engage.
• Ask: Either document the new accepted values, or broaden parsing (e.g., typeof boolean OR string equalsIgnoreCase("true") OR "1"/"yes") and add tests for these cases.

[NON-BLOCKING] src/adapters/shared/commands/config/helpers.ts:66-69 — Case-sensitivity mismatch and drift risk between path redaction and key redaction

• Evidence: isSensitivePath uses SENSITIVE_KEY_PATTERNS.some((pattern) => path.includes(pattern)) which is case-sensitive; isSensitiveKey is case-insensitive.
• Failure mode: Effective values whose path uses different casing (e.g., "Github.Token", "AI.PROVIDERS.OPENAI.APIKEY") won’t be masked by the helpers even though the redaction util would consider them sensitive. Previously, the helper had the same case-sensitive literals, but now that a shared list exists, the inconsistency becomes more surprising.
• Ask: Normalize both sides to lowercase for path matching, or document that effectiveValues paths are always lowercased/kebabed. Consider aligning match semantics across both helpers.

[NON-BLOCKING] src/utils/redaction.ts:41-70 — Redaction walker may invoke getters and traverse non-plain instances

• Evidence: redactUnknown uses Object.entries on arbitrary objects, including class instances.
• Failure mode: Accessors/getters with side effects (or heavy computations) could be invoked during logging; non-plain objects could be expanded unexpectedly.
• Impact: Potential side effects and performance cost during logging. This is partially mitigated by WeakSet circular protection but not by avoiding getters.
• Ask: Consider restricting traversal to plain objects (Object.getPrototypeOf(obj) === Object.prototype) and shallowly represent others, or use a safe-stringify approach without invoking getters (e.g., serializing via a replacer that inspects own enumerable properties safely).

[NON-BLOCKING] Tests vs. runtime logging environment

• Evidence: src/adapters/mcp/shared-command-integration.test.ts spies on log.debug; logger implementation suppresses debug in HUMAN mode unless enableAgentLogs is true.
• Failure mode: The spy wraps log.debug method directly, so calls are still recorded in tests; however, this can mask real-world suppression behavior and could hide future regressions if the call sites change to use different logger methods or wrappers.
• Ask: Add an assertion that the method was called N times (already partially done) and consider a test that verifies redaction on error logs too, since error always routes through programLogger and is not suppressed in HUMAN mode.

Spec verification table

• No explicit task spec provided. Using PR description as intent.

Criteria from PR description:

1. Debug flag coercion: only true boolean or "true" string should enable debug

• Met in code: src/adapters/mcp/shared-command-integration.ts:189
• Tests: src/adapters/mcp/shared-command-integration.test.ts:406-430 include "false" string false, boolean true true, "true" string true.

2. Sensitive parameter redaction across relevant logs

• Met in code: redact() applied at all six sites described:
  • args at start (line ~177)
  • context creation log (line ~191)
  • processing args log (line ~199)
  • converted parameters log (line ~218)
  • “Parameters being passed” (line ~235)
  • “Context being passed” (line ~236)
• Tests: src/adapters/mcp/shared-command-integration.test.ts:432-462 and src/utils/redaction.test.ts validate redaction basics.

3. Redaction helper centralization and reuse

• Met: src/utils/redaction.ts added; isSensitiveKey + SENSITIVE_KEY_PATTERNS exported and used by helpers.ts (import at top).

Documentation impact

• Requires updates:
  • Logging and diagnostics: document that MCP bridge now redacts sensitive keys; enumerate the patterns used and any known over-redaction caveats (especially if "key" remains).
  • Debug flag handling: clarify accepted values (boolean true, "true" literal as implemented) and note the behavior change from previous loose truthiness.
  • Config helpers: note shared SENSITIVE_KEY_PATTERNS use and whether matching is case-sensitive for effective value paths.

Event

REQUEST_CHANGES

Rationale: Over-broad redaction via plain "key" substring will unnecessarily redact benign fields system-wide, and logging the entire execution context (including the DI container) is a high-risk performance and information-leak concern. These are material behavior/observability regressions that should be addressed before merge. Non-blocking items are recommendations to improve robustness and consistency.

[minsky-reviewer]

Independent adversarial review (Chinese-wall)
Reviewer: minsky-reviewer[bot] via openai:gpt-5
Tier: unknown

---

Findings

[BLOCKING] src/adapters/shared/commands/config/helpers.ts:11-18, 64-80 — “Single source of truth” not actually applied consistently

• The PR description states that config helpers now “consume the shared pattern list (single source of truth).” While maskCredentialsInEffectiveValues() was updated to use SENSITIVE_KEY_REGEX (lines 64-80), maskCredentials() (lines 18-61) still hard-codes specific fields (ai.providers.*.apiKey, github.token, sessiondb.connectionString) and does not use the shared matcher. This yields inconsistent behavior between two masking utilities in the same file and contradicts the “single source of truth” claim.
• Impact: Secrets covered by SENSITIVE_KEY_REGEX but not explicitly enumerated in maskCredentials() (e.g., fields like authorization, credential, or snake_case *_key fields) will be inconsistently masked depending on which helper a caller uses.
• Request: Either update maskCredentials() to use SENSITIVE_KEY_REGEX (or share the same underlying masking function) or scope the PR description/inline comments to clarify that only maskCredentialsInEffectiveValues() consumes the regex.

[BLOCKING] src/utils/redaction.ts:19-42, 53-68 — Scope expansion and potential false positives not documented or tested

• The introduced SENSITIVE_KEY_PATTERNS includes “authorization” and “credential” (lines 25-26) which were not listed in the PR description’s summary of patterns and broaden the redaction surface area beyond the enumerated set (token, apiKey, password, secret, connectionString). Substring matching in SENSITIVE_KEY_REGEX (lines 53-68) will match any segment containing these substrings.
• Concrete example: A benign configuration value “credentialStatus: 'valid'” or “authorizationMode: 'Bearer'” will now be redacted even though it is not a secret value. This is a silent behavior change and may reduce the utility of logs/config displays for operators.
• Tests do not cover these additions or potential false-positive scenarios. The redaction.test.ts suite explicitly guards against earlier “key” false positives but does not exercise “authorization”/“credential” behavior.
• Request: Document this expansion clearly and add tests demonstrating intended behavior for “authorization”/“credential” keys, including both secret-bearing values (e.g., Authorization headers) and non-secret uses (e.g., enums/flags). If overbroad, constrain matching (e.g., require exact segment names or suffixs) or move these patterns behind a deliberate list with justification.

[BLOCKING] src/adapters/mcp/shared-command-integration.ts:186-197, 228-236 — Excessive object traversal and log bloat from redact(context) including container

• The bridge now logs redact(context) twice: once after creating context (lines 186-191) and again just before execution (lines 231-236). The context contains container: config.container (line 183), which is likely a large DI container graph with complex/circular references.
• The redact() implementation is a deep recursive traversal of the entire object graph with WeakSet-based cycle handling. On large containers this will be:
  • Expensive (CPU/memory) per command invocation
  • Extremely noisy in logs (entire object tree serialized), replacing cycles with “[Circular]”
• Before the PR, the code logged { context } directly; that likely delegated serialization to the logger, which may be shallower. Now we guarantee a deep walk at call time.
• Request: Stop logging the container entirely (e.g., construct a lean log-safe context view), or shallow-copy and omit container before redaction, e.g., const { container, ...safeCtx } = context; log.safeCtx = redact(safeCtx). This reduces cost and noise while achieving redaction goals.

[NON-BLOCKING] src/utils/redaction.ts:66-68 — Regex construction is substring-based without segment anchoring

• SENSITIVE_KEY_REGEX uses a big alternation of lowered substrings plus a trailing _key$ alternative. With substring matches, segments like tokenBucket or secretSauce will match. That may be intentional, but it’s not documented explicitly in code comments or tests.
• Suggestion: Add tests that clarify intended behavior for “tokenBucket”, “secretSauce”, etc., or anchor patterns to full-segment matches if over-redaction is a concern.

[NON-BLOCKING] src/adapters/shared/commands/config/helpers.ts:82-101 — Inconsistent masking sentinel formats

• maskCredentialsInEffectiveValues() returns “[MASKED]” for non-string values (line 99) whereas string secrets use “******************** (configured)” (line 95). Meanwhile maskCredentials() always uses “******************** (configured)”. This inconsistency can complicate downstream consumers that expect consistent redaction markers.
• Suggestion: Align on one sentinel policy across helpers (or document the difference).

[NON-BLOCKING] tests/test plan mismatch — Added test directory not covered in the provided test command

• PR’s test plan cites running “bun test … src/adapters/mcp src/utils”. But a new test lives at src/adapters/shared/commands/config/helpers.test.ts and is not covered by that command. If CI runs all tests, fine; otherwise the stated command omits this suite.
• Suggestion: Update the test plan command to include src/adapters/shared or run the repo root to ensure the new tests are exercised.

[NON-BLOCKING] src/utils/redaction.ts:19-42 — SENSITIVE_KEY_PATTERNS is “readonly” by type only

• The array is not frozen at runtime, so accidental mutation elsewhere could alter behavior.
• Suggestion: Object.freeze([...]) to enforce immutability at runtime.

Spec Verification

• 1. Debug flag string-truthy coercion fixed
  • Met. src/adapters/mcp/shared-command-integration.ts:181-184 sets debug: args?.debug === true || args?.debug === "true". Tests added in src/adapters/mcp/shared-command-integration.test.ts confirm behavior for "false", true, and "true".
• 2. Sensitive parameter logging redaction
  • Partially Met.
    • Met: All six log.debug call sites in the MCP bridge now wrap arguments with redact() (src/adapters/mcp/shared-command-integration.ts:177-179, 189-191, 197-201, 218-222, 231-236). Tests assert token/apiKey redaction.
    • Not Met: The change introduces deep traversal of context including container; this significantly expands logging surface and has performance/observability side effects not addressed in the spec. Also, redaction patterns expanded beyond those enumerated in the PR description without tests or docs.

Documentation Impact

• Yes. Update:
  • Logging and redaction policy docs to include the expanded sensitive keys (“authorization”, “credential”) and the fact that redaction uses substring segment matching plus a generic “_key” suffix.
  • Developer guidance for logging contexts: recommend omitting DI containers or other large graphs from debug logs to avoid performance issues.
  • Config helpers: clarify which helpers consume the shared redaction semantics and align or document differences in mask sentinel formats.

Conclusion

REQUEST_CHANGES

• Align config helpers to actually use the shared redaction matcher consistently (or adjust claims).
• Revisit and document the expanded redaction patterns; add tests covering “authorization/credential” and potential false positives.
• Avoid logging the DI container by excluding it from the redacted context or creating a slim, log-safe context object to reduce traversal cost and log noise.

[minsky-reviewer]

Independent adversarial review (Chinese-wall)
Reviewer: minsky-reviewer[bot] via openai:gpt-5
Tier: unknown

---

Findings

[BLOCKING] src/utils/redaction.ts:20-43 — Over-broad substring matching will redact benign keys

• Evidence: The regex intentionally does “substring match” for entries like "secret" and "token". For example, isSensitiveKey("secretary") will return true because "secret" is a substring (line ~63 builds a pattern with unanchored substrings). This will over-redact non-credential fields such as “secretaryEmail”, “tokenize”, etc.
• Failure mode: Excessive redaction degrades observability and can hide non-sensitive diagnostics. It can also alter UX for config masking where previously only specific paths were masked.
• Requested change: Tighten matching for generic words such as "secret" and "token" to word-boundary-anchored forms or more precise suffix/prefix rules (e.g., exact keys or *_token, token, access_token, etc.), consistent with how you handled “authorization” and “credential” exact matches. Add tests for false positives like "secretary", "tokenize", "monkeyWrench" (with “key” already addressed) to lock in behavior.

[BLOCKING] src/utils/redaction.ts:57-74 and helpers.ts:16-21 — Hyphenated credential keys (e.g., "x-api-key") are not recognized

• Evidence: SENSITIVE_KEY_REGEX is constructed from lowercased substrings and an "_key$" suffix. Keys like "x-api-key" (common header style) will not match:
  • "apiKey" substring won’t match "x-api-key" because of the hyphen (line ~63 pattern uses "apikey" as substring).
  • "_key$" only matches snake_case suffix, not hyphenated.
• Failure mode: Secrets present in hyphenated keys (e.g., HTTP headers map) will leak in logs because redact() doesn’t catch them.
• Requested change: Extend SENSITIVE_KEY_REGEX (and corresponding tests) to cover hyphenated forms like "-key$" and well-known header names (e.g., "x-api-key", "x-amz-access-key", "authorization" already covered, consider “proxy-authorization”, “x-auth-token”). Consider normalizing separators ([-_]) before matching or using a more general key-tokenization approach.

[BLOCKING] src/adapters/shared/commands/config/helpers.ts:43-57 — Behavior change: maskCredentials returns the original object by reference when showSecrets=true

• Evidence: When showSecrets is true, maskCredentials now returns config directly (line ~54), whereas the old implementation always deep-cloned before masking. Callers that were safely mutating the returned object could now inadvertently mutate the original config under showSecrets=true.
• Failure mode: Hidden side effects and state corruption if consumers assume the return is a safe copy in all cases.
• Requested change: Preserve previous immutability semantics by always returning a deep clone (or at least a clone when showSecrets=true), or document and audit all call sites to ensure they do not mutate the return value.

[NON-BLOCKING] src/utils/redaction.ts:82-111 — Shared-reference handling mislabels DAGs as “[Circular]”

• Evidence: The visited WeakSet is used to return "[Circular]" for any already-seen object/array (lines ~88-110) without distinguishing actual cycles from shared references. If the same child object is referenced from two different parents (a DAG but not a cycle), the second occurrence will become "[Circular]" even though it is not a loop.
• Impact: Loss of fidelity in logs/diagnostics for structures with shared object identity, making debugging harder.
• Suggestion: Track active recursion stack separately from a seen-set, or only mark as circular when the recursion re-enters the current stack (true cycle). Add tests with a DAG (no cycle) to verify both references are redacted normally.

[NON-BLOCKING] src/adapters/mcp/shared-command-integration.ts:186 — Debug coercion is now stricter; potential backward-compat break

• Evidence: Debug flag changed from Boolean(args?.debug) to args?.debug === true || args?.debug === "true" (line ~186). Values like 1, "1", "True" will now evaluate to false.
• Impact: Clients that previously relied on truthy coercion (e.g., sending 1) will no longer activate debug mode. This is likely intended, but it’s a behavioral change that should be called out.
• Suggestion: Document the accepted forms and/or consider a minimal normalization (case-insensitive "true", maybe 1) if backwards compatibility is desired. Add a test for "True" to lock a decision either way.

[NON-BLOCKING] src/adapters/shared/commands/config/helpers.ts:63-84 — Path redaction now uses broad substring matching on segments

• Evidence: isSensitivePath splits by dots and uses SENSITIVE_KEY_REGEX on each segment with substring matching (line ~76). This means paths like "github.tokenExpiration" will be redacted because the segment contains "token".
• Impact: Over-redaction in config effective values, potentially hiding non-secret data (e.g., expiration timestamps, status fields).
• Suggestion: Align path-segment rules with refined key matching from SENSITIVE_KEY_REGEX once tightened (see first finding); consider exact-key matches or well-known suffixes (e.g., token, access_token) rather than any occurrence of “token”.

[NON-BLOCKING] src/adapters/mcp/shared-command-integration.ts:238, 241 — Logging meta shape changed at two sites

• Evidence: Previously logged "Parameters being passed:" with raw parameters object as the second argument; now passes redact(parameters) (line ~238). Different sites log with and without a wrapping object { parameters: ... }.
• Impact: If logger expects consistent meta object shapes for structured ingestion, this inconsistency can complicate downstream parsing.
• Suggestion: Standardize meta shape across all log.debug calls (e.g., always { parameters: ..., context: ... }), even after redaction.

[NON-BLOCKING] src/utils/redaction.ts and tests — Missing keys: bearer tokens in unconventional keys

• Evidence: Tests cover "authorization", "authorizationHeader", but not common variants like "auth", "auth-token", "bearer", "x-auth-token".
• Impact: Potential leaks if these variants appear in args/context/parameters.
• Suggestion: Add well-known variants to the pattern list (carefully to avoid over-match), and corresponding tests.

[PRE-EXISTING] src/adapters/mcp/shared-command-integration.ts: top-level logs — Non-redacted logs for categories/overrides

• Evidence: “Registering shared commands with MCP” logs categories and override keys without redaction. While unlikely to include secrets, override specs/descriptions could, in theory, contain sensitive info if misused.
• Note: Non-blocking; consider applying redact consistently to all structured meta as a defense-in-depth measure.

Spec verification table

• Debug flag string-truthy coercion hardened (accept only true or "true"): Met (shared-command-integration.ts:186; tests added).
• Sensitive parameter logging redacted at all six MCP bridge debug sites: Met (six log.debug sites wrap redact() or use safeCtx; tests verify leakage absence and regression).
• Shared redaction util with tests: Met (src/utils/redaction.ts and src/utils/redaction.test.ts).
• Config helpers consume shared sensitive key patterns: Met (helpers.ts imports SENSITIVE_KEY_REGEX; tests added).

Documentation impact

• The behavior of debug flag coercion changed; update adapter/MCP bridge docs and any client protocol docs to specify accepted debug forms.
• Config masking semantics broadened significantly from path-specific rules to pattern-based redaction; update config command docs to note which keys get masked, including case-insensitive and segment-based behavior.
• Add architecture notes for the redaction utility, including limits (hyphenated keys, shared-reference “[Circular]” behavior) and guidance for contributors adding new sensitive key patterns.

Conclusion

REQUEST_CHANGES

The redaction semantics are over-broad in key areas (“secret”/“token” substring redaction) and under-broad in others (hyphenated keys like “x-api-key”), risking both loss of observability and missed redactions. Additionally, maskCredentials now returns the original object when showSecrets=true, introducing a hidden mutability hazard. Please address the blocking items and consider the non-blocking suggestions to tighten correctness and reduce regression risk.

[minsky-reviewer]

Independent adversarial review (Chinese-wall)
Reviewer: minsky-reviewer[bot] via openai:gpt-5
Tier: unknown

---

Findings

[BLOCKING] src/utils/redaction.ts:126-134 — Overbroad catch-all will redact benign keys ending in “-key” or “_key”

• Evidence: The SENSITIVE_KEY_REGEX includes the pattern "[-_]key$" (lines ~126-134), which flags any key segment that ends with “-key” or “_key” as sensitive.
• Failure mode: This will silently redact non-secret fields such as “public-key”, “primary-key”, “ssh-known-hosts-key” or other metadata/header names that end with “-key” but are not credentials. Notably, camelCase “publicKey” is not matched (as intended), but “public_key” and “public-key” will be redacted, creating inconsistent behavior across casing styles and potentially obscuring non-sensitive logs and config displays.
• Impact: Excessive redaction degrades observability and can make debugging harder. It also creates inconsistent treatment between camelCase and kebab/snake-case for the same concept.
• Request: Narrow the catch-all to exclude “public[-]key”, “primary[-]key”, or better: remove the generic suffix and rely on explicit variants (apiKey, accessKey, privateKey, secretKey, etc.). Alternatively, only apply the suffix rule when the full key path segment also matches a whitelisted credential prefix (e.g., “access[-]key”, “secret[-]key”), which you already enumerate.

[BLOCKING] src/adapters/shared/commands/config/helpers.ts:32-41, 54-61 — Behavior change: structuredClone on showSecrets=true can throw on non-cloneable config

• Evidence: maskCredentials now returns structuredClone(config) when showSecrets is true (lines ~32-41), whereas before it returned the original reference (or JSON-cloned structure). structuredClone throws a DataCloneError on functions, symbols, or other non-structured-cloneable values.
• Failure mode: If config contains any non-serializable/cloneable values (e.g., Dates with custom prototypes may be fine; but functions, class instances with methods, BigInt in some runtimes, etc.), this will throw where it previously did not, causing unexpected failures in codepaths that request showSecrets=true.
• Impact: This is a silent behavior change outside the PR’s stated goal (hardening logs/coercion). It could break consumers that rely on maskCredentials(showSecrets=true) to obtain the original object for read-only display or mutation-in-place.
• Request: Either (a) revert to returning the original reference when showSecrets=true (documenting that callers must not mutate it), (b) use a safer deep-copy mechanism with try/catch and a fallback (e.g., JSON clone) or lodash.cloneDeep that tolerates functions by reference, or (c) document the new throwing behavior and add tests covering non-cloneable shapes.

[NON-BLOCKING] src/adapters/shared/commands/config/helpers.ts:69-88 — Asymmetry: effectiveValues returns original reference when showSecrets=true (no deep clone)

• Evidence: maskCredentialsInEffectiveValues returns effectiveValues as-is when showSecrets is true (lines ~69-74), unlike maskCredentials which now deep-clones when showSecrets is true.
• Concern: Mixed behaviors increase footguns for callers expecting a consistent “safe-to-mutate” return. If you keep the new deep-clone in maskCredentials, consider mirroring it for effectiveValues (or explicitly document the asymmetry).

[NON-BLOCKING] src/adapters/mcp/shared-command-integration.ts:197-198 — Strict “true” string handling may surprise integrators

• Evidence: debug is set via args?.debug === true || args?.debug === "true" (line ~197). Previously, Boolean("false") was true; this change fixes that. However, it also rejects common serializations such as "True", "TRUE", 1, or "1".
• Concern: If upstream MCP clients send non-literal representations (e.g., "True"), debug will be silently disabled without any guidance.
• Suggestion: Either accept common truthy string variants case-insensitively ("true" -> lowercased), or log a one-time warning when a non-boolean, non-"true" value is provided.

[NON-BLOCKING] src/utils/redaction.ts and src/adapters/shared/commands/config/helpers.ts — Sentinel inconsistency across redactors

• Evidence: redact() uses "[REDACTED]" (redaction.ts lines ~166-210), while maskCredentials/maskCredentialsInEffectiveValues use "******************** (configured)" for strings and "[MASKED]" for non-strings (helpers.ts lines ~24-41 and ~92-104).
• Concern: Having three sentinel styles can confuse operators skimming logs vs. CLI outputs vs. effective config. This is not wrong, but consider harmonizing or documenting the rationale for different sentinels per surface.

[NON-BLOCKING] src/utils/redaction.ts:71-76, 80-84 — Inconsistent handling of “publicKey”

• Evidence: Explicit patterns include privateKey/accessKey/etc. camelCase (lines ~71-76), but not publicKey. With the generic suffix "[-_]key$" (line ~133), snake/kebab "public_key"/"public-key" will be redacted but camelCase "publicKey" will not.
• Concern: This inconsistency increases surprise. If public keys are considered non-sensitive, the suffix catch-all should not redact “public_key”/“public-key”. If they are considered sensitive in some contexts, then camelCase “publicKey” should also be redacted for consistency.

[NON-BLOCKING] src/utils/redaction.ts:1-211 — SENSITIVE_KEY_PATTERNS is unused in logic

• Evidence: The code only uses SENSITIVE_KEY_REGEX and isSensitiveKey; SENSITIVE_KEY_PATTERNS is exported and referenced in tests but not consumed in matching.
• Concern: Two “sources of truth” (const list and a constructed regex) can drift apart. Consider either generating the regex purely from the export (patterns + explicit exact list) or documenting that SENSITIVE_KEY_PATTERNS is for external consumer alignment only, and updating tests/comments to avoid implying it drives redaction.

Spec verification

No formal task spec was provided; using the PR description as intent:

1. Debug flag string-truthy coercion hardened to only true or "true"

• Met: src/adapters/mcp/shared-command-integration.ts sets debug via strict check; tests cover "false", true, "true".

2. Sensitive parameter logging redacted across all MCP bridge debug logs

• Met: All debug log payload sites for args, filteredArgs, parameters, and context switched to redact() or omit container. Tests spy on logger and assert secrets aren’t present while non-sensitive values pass through.

3. Shared redaction util: recursive, immutable, circular-ref safe; case-insensitive; patterns include token, apiKey, password, secret, key, connectionString

• Partially Met: Implementation is recursive, immutable, and circular-safe. Case-insensitive matching via lowercasing and regex. However:
  • The “key” criteria is implemented as a catch-all suffix "[-_]key$" (and explicit compound words), which can over-redact non-secrets (see Blocking finding). The PR description states patterns include “key”, but the code intentionally omits bare “key” in SENSITIVE_KEY_PATTERNS and handles it via regex suffix. This is a divergence between the prose and implementation details.
  • Inconsistency in treating “public-key” vs “publicKey” as noted.

4. Config helpers consume shared pattern list as single source of truth

• Not Met: helpers.ts imports isSensitiveKey, not SENSITIVE_KEY_PATTERNS. Tests target behavior via isSensitiveKey, which is good, but the PR description claims the pattern list is consumed as the single source of truth. That’s inaccurate; the regex is the real source of truth. Documentation should be corrected or code changed to truly consume a centralized pattern definition.

Documentation impact

• Update the security/logging docs to describe:
  • Exact semantics of debug flag parsing in MCP (only boolean true and the string "true" are accepted).
  • Redaction behavior and the list of sensitive keys, especially clarifying the suffix rule and any exclusions (e.g., public keys).
• Update developer docs for config helpers to note:
  • maskCredentials(showSecrets=true) now deep-clones via structuredClone and may throw on non-cloneable values; contrast with maskCredentialsInEffectiveValues which returns a reference as-is. Either align or document the asymmetry.
• Correct PR description or internal docs that claim helpers consume the “pattern list”; currently they consume isSensitiveKey/regex semantics, not the list constant.

Conclusion

REQUEST_CHANGES

Blocking items:

• Narrow the overbroad "[-_]key$" regex catch-all to avoid redacting benign keys like “public-key”/“public_key” or remove it and rely on explicit credential-key variants. Ensure consistent behavior across casing styles if “publicKey” variants are intentionally non-sensitive.
• Revisit maskCredentials(showSecrets=true) structuredClone behavior to avoid introducing throw paths on non-cloneable configs, or document and test the new behavior. Additionally, consider aligning cloning behavior with maskCredentialsInEffectiveValues for consistency.

Non-blocking items include sentinel consistency, documentation accuracy about pattern consumption, and potential UX improvements for debug flag parsing.

[minsky-reviewer]

Independent adversarial review (Chinese-wall)
Reviewer: minsky-reviewer[bot] via openai:gpt-5
Tier: unknown

---

Findings

[BLOCKING] src/utils/redaction.ts:84-114 — Overbroad matching due to lowercasing destroys camelCase boundaries

• The matching approach lowercases the key then uses patterns like (?:^|[-_a-z])token$ to approximate “word/segment” boundaries. Because you’ve lost camelCase signal by lowercasing, allowing any preceding lowercase letter means any key that simply ends with “token” (e.g., "mytoken", "custompassword", "dbconnectionstring") will match and be redacted, even when it’s not a credential field. This contradicts the stated design intent (“whole words/segments” and preventing substring over-match) and is a silent behavior change that can over-redact benign fields.
• Concrete example: isSensitiveKey("mytoken") will return true because "mytoken".toLowerCase() matches the pattern (the preceding character to "token" is a lowercase letter, which your regex explicitly accepts).
• Impact: false positives in redaction across app logs and config masking; hard-to-diagnose loss of observability.
• Suggested fix direction: do not lowercase before testing when you need camelCase transitions; use a case-insensitive regex with explicit boundaries:
  • For camelCase: use lookbehind for [a-z] followed by Token|Secret|Password|… or use a two-pass approach (evaluate case-sensitive camelCase rules before lowercasing).
  • For segment boundaries: for snake/kebab, allow (?:^|[-_.]) boundaries; for exact keys, use ^…$ anchors.

[BLOCKING] src/utils/redaction.ts:136-171 and 175-199 — WeakSet-based “circular” handling mislabels repeated references as circular

• redactUnknown marks an array/object as visited as soon as it’s encountered, and returns "[Circular]" when the same object/array is seen again. This conflates shared references with true cycles: a non-circular repeated reference will be rendered as "[Circular]". That is semantically incorrect and can degrade diagnostics by collapsing legitimate repeated structures.
• Example scenario:
  const shared = { token: "x" };
  const obj = { a: shared, b: shared };
  redact(obj) will yield { a: { token: "[REDACTED]" }, b: "[Circular]" } even though no cycle exists.
• Impact: lossy, surprising redaction output where repeated references appear as circular; could break consumers that rely on both branches being objects.
• Suggested fix direction: Only mark as circular when you’re about to recurse into an object that’s on the current recursion stack, not merely seen-before. Track the path stack instead of a global visited set; or store a map of seen objects→clones and re-use the same cloned reference to preserve shape.

[NON-BLOCKING] src/adapters/shared/commands/config/helpers.ts:19-35 — showSecrets=true now deep-clones instead of returning original

• Behavior change: previously maskCredentials returned the original object when showSecrets=true; now it JSON-clones. This can be good for avoiding accidental mutation but may be a breaking change for callers relying on referential identity or non-JSON-safe values (Dates, Maps, undefined, functions) which will be altered or dropped by JSON cloning.
• If intentional, document this in code comments and changelog, and consider structuredClone with guarded fallbacks if you need to preserve more types. Otherwise, revert to passthrough.

[NON-BLOCKING] src/adapters/mcp/shared-command-integration.ts:221-224 — Log shape changed subtly for parameters/context

• The log “Converted parameters” uses { parameters: redact(parameters) } whereas “Parameters being passed:” logs redact(parameters) as the second arg directly, and “Context being passed:” nests { context: redact(safeCtx) }. If any log parsers or tools downstream rely on consistent shapes/keys across these messages, this introduces inconsistency. Consider standardizing on { parameters: … } and { context: … } at all call sites.

[NON-BLOCKING] src/utils/redaction.ts vs tests — Public constant SENSITIVE_KEY_PATTERNS is not actually the matching source of truth

• The PR description asserts a single source of truth via the pattern list; in reality, all matching routes through SENSITIVE_KEY_REGEX, and the list is only checked in tests. This is fine functionally, but the description suggests the list drives behavior. Either:
  • Use SENSITIVE_KEY_PATTERNS to programmatically derive SENSITIVE_KEY_REGEX (documented), or
  • Update PR/docs to clarify that SENSITIVE_KEY_REGEX is the source of truth.

[NON-BLOCKING] Tests lack a guard against the false-positive suffixes discussed above

• No tests cover keys like “mytoken”, “custompassword” or “dbconnectionstring” which would currently be over-redacted due to the lowercasing + suffix match allowance. Add regression tests to make the intended behavior explicit and prevent future regressions.

Spec verification

No explicit task spec file was provided. Based on PR description:

• Debug coercion: Met

  • shared-command-integration.ts:186 sets debug: args?.debug === true || args?.debug === "true"
  • Tests in shared-command-integration.test.ts verify "false" string is not truthy and "true"/true enable debug.

• Sensitive redaction for MCP logs: Partially Met with caveats

  • All debug log payloads for args, filteredArgs, parameters and context are passed through redact(); DI container omitted from logged context.
  • However, redact() has the overbroad matching and repeated-reference mislabeling issues above, which can cause excessive redaction and misleading “[Circular]” in non-circular repeats.

• Shared redaction util + config helpers alignment: Partially Met

  • helpers.ts uses isSensitiveKey from redaction.ts (good alignment).
  • Behavior changes in maskCredentials(showSecrets=true) and path matching rely on the regex semantics noted above; no explicit spec text, but this is a behavior change worth calling out.

Documentation impact

• Logging/redaction behavior has changed materially. Update:
  • Logging and Security/Privacy notes: which keys get redacted, known exclusions (e.g., public-key), and caveats around header-style keys.
  • Config helpers: clarify that maskCredentials(showSecrets=true) now returns a deep clone via JSON serialization (and the implications for non-JSON-safe values).
  • MCP debug flag semantics: now strictly accepts true or "true" only.
• If any ops dashboards or log pipeline parsers assume previous log field shapes, document the shape changes and advise on updates.

Event

REQUEST_CHANGES

The redaction regex approach is currently over-permissive due to lowercasing and accepting any preceding lowercase letter, which will cause false positives (“mytoken”, “custompassword”, etc.). Additionally, the circular detection treats repeated references as circular, collapsing structure and potentially breaking downstream assumptions. Please address these two blocking issues, and consider the non-blocking items above before merging.

[minsky-reviewer]

Independent adversarial review (Chinese-wall)
Reviewer: minsky-reviewer[bot] via openai:gpt-5
Tier: unknown

---

Findings

[BLOCKING] src/utils/redaction.ts: lines ~56–101 — CamelCase secret/password/connectionString keys are no longer redacted

• Evidence: The new SENSITIVE_KEY_REGEX deliberately dropped generic camelCase boundary matching for generic words (“token”, “password”, “secret”, “connectionString”). GENERIC_WORDS only match exact keys or separator-bounded suffixes: (?:^|[-_])password$. COMPOUND_CAMEL whitelists some …Key and …Token variants, but there is no coverage for common camelCase suffixes like clientSecret, dbPassword, or dbConnectionString.
• Failure mode: Keys such as clientSecret, userPassword, dbPassword, dbConnectionString, oauthClientSecret, etc. will not match and will be logged in cleartext. This is a regression relative to the prior substring includes()-based masking and is inconsistent with typical configuration naming conventions.
• Repro scenario:
  • redact({ clientSecret: "s3cr3t" }) will return { clientSecret: "s3cr3t" } (not “[REDACTED]”).
  • maskCredentialsInEffectiveValues({ "ai.providers.vendor.clientSecret": { value: "s3cr3t", ... } }, false) will not mask the value, since isSensitivePath splits on “.” and passes “clientSecret” to isSensitiveKey, which returns false under the current regex.
• Impact: Leaks credentials to logs at multiple sites in src/adapters/mcp/shared-command-integration.ts where redact() is applied to args/parameters/context, as well as config displays via helpers.maskCredentials/maskCredentialsInEffectiveValues.

[BLOCKING] src/adapters/shared/commands/config/helpers.ts:15–41 — maskCredentials(showSecrets=true) now deep-clones via JSON, altering prior behavior and potentially corrupting types

• Evidence: Previously maskCredentials returned config directly when showSecrets was true; now it returns JSON.parse(JSON.stringify(config)).
• Failure mode:
  • Lossy cloning: Date, Map, Set, RegExp, class instances, and other non-JSON-safe values will be stringified/dropped, changing runtime semantics for any downstream code that uses the returned object (even for display).
  • Reference identity change: Callers that relied on object identity (e.g., to detect in-place mutations or to compare references) will now see a different object.
• Context: The comment acknowledges avoiding structuredClone due to DataCloneError but does not document the breaking nature. There is no test validating behavior with non-JSON types, and existing code may rely on the previous identity-preserving path for showSecrets=true.
• Ask: Either revert to returning the original object for showSecrets=true (documenting mutability expectations) or switch to a safe deep clone that preserves types, with explicit documentation of the behavior change.

[BLOCKING] src/utils/redaction.ts and helpers.ts — SENSITIVE_KEY_PATTERNS declared “single source of truth” but not actually used to drive matching

• Evidence: PR description claims “config helpers consume the shared pattern list (single source of truth)”. The code imports isSensitiveKey in helpers.ts and never references SENSITIVE_KEY_PATTERNS. In redaction.ts, SENSITIVE_KEY_PATTERNS is exported but SENSITIVE_KEY_REGEX is built from separate hard-coded lists (GENERIC_WORDS, COMPOUND_CAMEL, COMPOUND_SEP, etc.), not from SENSITIVE_KEY_PATTERNS.
• Failure mode: Documentation/code drift. Adding/removing patterns in SENSITIVE_KEY_PATTERNS will not affect isSensitiveKey or helpers’ masking, defeating the “single source of truth” claim. Reviewers and maintainers could be misled by tests checking SENSITIVE_KEY_PATTERNS content.
• Ask: Either wire SENSITIVE_KEY_PATTERNS into the actual matching logic or correct the docs/tests and remove the unused constant to avoid confusion.

[BLOCKING] Test plan mismatch — helpers.test.ts not included in the stated test invocation

• Evidence: PR description’s test command: bun test --preload ./tests/setup.ts --timeout=15000 src/adapters/mcp src/utils
• helpers.test.ts resides at src/adapters/shared/commands/config/helpers.test.ts, which is not under src/adapters/mcp nor src/utils.
• Failure mode: Those new tests will not be executed if contributors follow the stated test plan, potentially masking regressions in masking behavior.
• Ask: Update the documented test command (and any CI config if applicable) to include src/adapters/shared (or run the full test suite) so helpers.test.ts is exercised.

[NON-BLOCKING] Silent performance regression risk: redact() is executed even when debug logs are disabled

• Evidence: src/adapters/mcp/shared-command-integration.ts:177, 197, 213, 228–231 — redact(args|filteredArgs|parameters|safeCtx) is computed unconditionally and passed to log.debug. If the logger only filters by level inside the log.debug call, redact() still pays a full traversal/allocation cost on every invocation.
• Impact: For large args/parameters or high-throughput environments, this can add measurable overhead with no effect when debug is disabled.
• Suggestion: Guard redaction behind a logger.isLevelEnabled('debug') or equivalent, or lazily evaluate/redact within the logger’s formatting only when emitting.

[NON-BLOCKING] Debug coercion accepts only true and "true"; rejects "True", "1", 1, etc. — potential compatibility break

• Evidence: src/adapters/mcp/shared-command-integration.ts:186 sets debug: args?.debug === true || args?.debug === "true".
• Impact: MCP clients that previously serialized truthy variants differently (e.g., "True", 1) will now fail to enable debug. If the ecosystem expects case-insensitive strings, this is a breaking change.
• Suggestion: Consider normalizing string booleans case-insensitively and/or documenting the accepted forms in the MCP bridge contract.

[NON-BLOCKING] helpers.maskCredentialsInEffectiveValues returns original reference for showSecrets=true, unlike maskCredentials which now deep-clones

• Evidence: helpers.ts:66–72 returns effectiveValues directly when showSecrets is true, while maskCredentials() deep-clones the config in the same branch.
• Impact: Inconsistent semantics across similar APIs increase surprise and mutation hazards.
• Suggestion: Align the behavior (either both clone or both preserve reference) and document it.

[NON-BLOCKING] Overly specific COMPOUND_CAMEL list omits other likely credentials

• Evidence: redaction.ts: COMPOUND_CAMEL includes many …Token and …Key forms but omits plausible combinations like clientSecret, consumerSecret, sharedSecret, apiSecret, webhookSecret, serviceAccountKey (camelCase), etc.
• Impact: Even aside from the generic camelCase issue (BLOCKING above), the current whitelist likely misses many realistic credential names.
• Suggestion: Broaden detection to include camelCase suffix-boundary matches for generic words (e.g., /(?:^|[^a-z])password$/i applied with a transform that preserves camelCase boundaries), or add explicit entries for common variants.

[NON-BLOCKING] Logging context omission: only “container” is stripped; other heavy objects can still bloat logs

• Evidence: shared-command-integration.ts:190–197 removes container from logged context, but other fields (e.g., huge validatedCtx, long parameter payloads) may still be logged.
• Suggestion: Consider limiting size/depth in redact() or adding safe stringification with max depth/length to avoid log explosions.

Spec verification table

• Harden debug flag string-truthy coercion to avoid Boolean("false") pitfall
  • Met: ctx.debug is set to args?.debug === true || args?.debug === "true". Tests cover "false", true, and "true".
• Sensitive parameter logging — redact sensitive values across all bridge log.debug sites
  • Partially met: redact() is applied at all six cited log.debug sites; tests verify token/apiKey masking and container omission. However, due to redaction gaps (camelCase sensitive keys), many realistic secrets will not be redacted. Therefore Not Met for the real-world intent of “sensitive-log redaction.”
• Shared redaction util with unit tests
  • Met: src/utils/redaction.ts added with extensive tests.
• Config helpers consume shared pattern list
  • Not Met: helpers.ts uses isSensitiveKey, but SENSITIVE_KEY_PATTERNS is not the driver of isSensitiveKey. The PR description’s “single source of truth” claim is inaccurate.

Documentation impact

• Yes. The following updates are required:
  • Developer docs for logging/redaction should describe what key patterns are considered sensitive, including limitations (especially current camelCase omissions) or, after fixes, the revised rules.
  • MCP bridge contract docs should define accepted debug coercion inputs. If intentionally restricted to boolean true and string "true", this should be clearly stated.
  • Config command docs should mention the change in maskCredentials behavior for showSecrets=true (returned object identity and potential type loss if JSON clone is retained).

Event: REQUEST_CHANGES

Rationale: The new redaction approach introduces critical blind spots for widely used camelCase credentials (clientSecret, dbPassword, dbConnectionString, etc.), risking leakage of secrets despite the PR’s stated goal. There is also a behavior change in maskCredentials(showSecrets=true) that may corrupt types and break reference identity unexpectedly. Additionally, the “single source of truth” claim in the description doesn’t match the code. Please address these before merging.

Dismissing R1 CHANGES_REQUESTED. Substantive blockers addressed across 4 follow-up commits (35d0865, bb1d7ee, b05c216, d6dbdbb): regex-anchoring (no more key/secret/token substring overbreadth), case-insensitive helpers, hyphenated-key support, redaction patterns expanded with whole-segment anchoring for authorization/credential, container omitted from logged context, maskCredentials deep-clone restored. Reviews R2–R7 (state: COMMENTED) are non-blocking; later rounds (R6→R7) goalpost-shifted on mutually exclusive boundary semantics. 120 unit tests pass.