fix(security): truncate session IDs in all log calls in session.go #2731

Merged: lpcox merged 2 commits into main from copilot/fix-plaintext-api-key-logging on Mar 28, 2026

Copilot AI commented Mar 28, 2026

session.go was logging full session IDs (which are the raw API keys per spec §7.1) via log.Printf and logSession.Printf, violating the spec's "no plaintext API key logging" requirement. Every other file in the server package already uses auth.TruncateSessionID() for this purpose.

Changes

  • internal/server/session.go: Added internal/auth import and wrapped all sessionID arguments in log calls with auth.TruncateSessionID() — covering both standard log.Printf calls and logSession.Printf debug logger calls.

// Before
log.Printf("Session validated for ID: %s", sessionID)

// After
log.Printf("Session validated for ID: %s", auth.TruncateSessionID(sessionID))

auth.TruncateSessionID returns only the first 8 characters, consistent with the pattern in http_helpers.go and sdk_logging.go.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:


Copilot AI changed the title from "[WIP] Fix logging of API keys in plaintext in session.go" to "fix(security): truncate session IDs in all log calls in session.go" Mar 28, 2026
Copilot AI requested a review from lpcox March 28, 2026 14:39
lpcox marked this pull request as ready for review March 28, 2026 14:47
Copilot AI review requested due to automatic review settings March 28, 2026 14:47
lpcox merged commit 6772b2a into main Mar 28, 2026
26 checks passed
lpcox deleted the copilot/fix-plaintext-api-key-logging branch March 28, 2026 14:47
Copilot AI left a comment

Pull request overview

This PR addresses a security issue in the server session handling by redacting session IDs (raw API keys per spec) in log output, aligning session.go with the rest of the server package’s safe-logging pattern.

Changes:

  • Imported internal/auth in internal/server/session.go.
  • Wrapped sessionID arguments in log.Printf / logSession.Printf calls with auth.TruncateSessionID().

Comment on lines 61 to +62
logUnified.Printf("Created session directory: %s", sessionDir)
log.Printf("Created payload directory for session: %s", sessionID)
log.Printf("Created payload directory for session: %s", auth.TruncateSessionID(sessionID))
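Review bot: On the changed log.Printf line, auth.TruncateSessionID(sessionID) still writes the first 8 characters of the raw API key to the log, because the description says session IDs are the API keys and that the helper returns the leading 8 characters. If the requirement is that no key material reaches the logs, consider logging a value that does not expose the key's prefix, such as a truncated keyed hash (HMAC) of the session ID or a separate non-secret session identifier, and add a test that captures log output and asserts the full session ID never appears in it.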
Copilot AI Mar 28, 2026

sessionDir includes the raw sessionID (API key), so logUnified.Printf("Created session directory: %s", sessionDir) still logs the full secret via the path. Consider logging payloadDir separately and the session via auth.TruncateSessionID(sessionID) (and apply the same redaction to the "Session directory already exists" log in this function) so no log line can reconstruct the full session ID.

Copilot uses AI. Check for mistakes.
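
The path leak described in the review comment above, as an added Go example that is not code from the PR or the project. truncateSessionID stands in for auth.TruncateSessionID (assumed, per the description, to return the first 8 characters); the sessionDir layout, the other function names and the sample values are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"log"
	"path/filepath"
	"strings"
)

// truncateSessionID is a stand-in for auth.TruncateSessionID, assumed from the
// PR description to return only the first 8 characters.
func truncateSessionID(id string) string {
	if len(id) <= 8 {
		return id
	}
	return id[:8]
}

// logUnsafe mirrors the hunk after the fix: the second call is redacted, but the
// directory path (assumed layout: payloadDir/sessionID) still carries the secret.
func logUnsafe(l *log.Logger, payloadDir, sessionID string) {
	sessionDir := filepath.Join(payloadDir, sessionID)
	l.Printf("Created session directory: %s", sessionDir)
	l.Printf("Created payload directory for session: %s", truncateSessionID(sessionID))
}

// logSafe logs the base directory and the truncated ID as separate fields.
func logSafe(l *log.Logger, payloadDir, sessionID string) {
	l.Printf("Created session directory under %s for session: %s", payloadDir, truncateSessionID(sessionID))
}

// capture runs fn against a buffer-backed logger and returns what was written.
func capture(fn func(*log.Logger, string, string), payloadDir, sessionID string) string {
	var buf bytes.Buffer
	fn(log.New(&buf, "", 0), payloadDir, sessionID)
	return buf.String()
}

// leaks reports whether the full secret appears anywhere in the log output.
func leaks(output, secret string) bool {
	return strings.Contains(output, secret)
}

func main() {
	// Constructed sample values, not taken from the project.
	const payloadDir, sessionID = "/tmp/payloads", "constructed-key-0123456789abcdef"
	fmt.Println("unsafe leaks:", leaks(capture(logUnsafe, payloadDir, sessionID), sessionID))
	fmt.Println("safe leaks:  ", leaks(capture(logSafe, payloadDir, sessionID), sessionID))
}
```

The capture-and-search check works as a regression test for any log call that handles session IDs, including values derived from them such as paths.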
Development

Successfully merging this pull request may close these issues.

[compliance] Compliance Gap: session.go Logs Full API Keys (Session IDs) in Plaintext

3 participants