
Reintroduce JWT masking with prefix-based patterns to avoid hostname collisions #3149

Merged
plengauer merged 2 commits into main from claude/reintroduce-jwt-masking-pattern
Mar 19, 2026

Conversation


@Claude Claude AI commented Mar 9, 2026

The generic JWT pattern [A-Za-z0-9_-]{2,}\.[A-Za-z0-9_-]{2,}\.[A-Za-z0-9_-]{2,} was previously disabled in job-level instrumentation because it masked hostnames like api.example.com. This restores JWT masking using prefix-specific patterns that only match tokens in authentication contexts.

Changes

  • Added two JWT masking patterns in actions/instrument/job/inject_and_init.sh:
    • (?i)bearer [A-Za-z0-9_-]{2,}\.[A-Za-z0-9_-]{2,}\.[A-Za-z0-9_-]{2,} - case-insensitive ******
    • jwt=[A-Za-z0-9_-]{2,}\.[A-Za-z0-9_-]{2,}\.[A-Za-z0-9_-]{2,} - jwt= prefix
  • Applied to all OpenTelemetry Collector transform processor contexts:
    • Log attributes and body
    • Metric datapoint attributes
    • Span attributes and names

Behavior

Masks:

  • `Authorization: ******`
  • `Authorization: bearer ******` (any casing)
  • `Cookie: jwt=******`

Does not mask:

  • api.example.com
  • my-service.prod.example.com
  • Bare JWT tokens without prefix context
Original prompt

This section details the original issue you should resolve

<issue_title>reintroduce jwt masking pattern</issue_title>
<issue_description>Reintroduce masking pattern in job-level instrumentation, but without catching hostnames and other patterns accidentally. Do this by expanding the pattern with a prefix that hints that it's indeed a JWT. These prefixes should be either "Bearer " (in any casing) or "jwt="</issue_description>

Comments on the Issue (you are @claude[agent] in this section)

Co-authored-by: plengauer <100447901+plengauer@users.noreply.github.com>
@Claude Claude AI changed the title [WIP] Reintroduce jwt masking pattern in job-level instrumentation Reintroduce JWT masking with prefix-based patterns to avoid hostname collisions Mar 9, 2026
@plengauer plengauer marked this pull request as ready for review March 9, 2026 18:54
@plengauer plengauer requested a review from moflwi as a code owner March 9, 2026 18:54
Copilot AI review requested due to automatic review settings March 9, 2026 18:54
@plengauer plengauer enabled auto-merge (squash) March 9, 2026 18:55

Copilot AI left a comment


Pull request overview

Restores JWT masking in job-level OpenTelemetry transform rules without reintroducing the prior hostname-collision problem by matching only JWTs in explicit auth contexts (Bearer , jwt=).

Changes:

  • Added prefix-scoped JWT regexes ((?i)bearer ... and jwt=...) to log attribute/body masking.
  • Applied the same JWT masking patterns to metric datapoint attributes.
  • Applied the same JWT masking patterns to span attributes and span names.
Comments suppressed due to low confidence (5)

actions/instrument/job/inject_and_init.sh:1

  • The replacement currently rewrites the entire matched substring (including the bearer / jwt= prefix) to ***. That means strings like Authorization: bearer <jwt> will become Authorization: *** (and Cookie: jwt=<jwt> becomes Cookie: ***), which contradicts the PR description/behavior examples that claim the prefix remains (e.g., bearer ******, jwt=******). Consider using capturing groups and a replacement that preserves the prefix (e.g., capture the prefix and replace only the token portion).


actions/instrument/job/inject_and_init.sh:1

  • Same as logs: these patterns replace the full bearer <jwt> / jwt=<jwt> with ***, dropping the prefix. If you want outputs like bearer *** and jwt=*** (as described in the PR), update the regex + replacement to preserve the prefix via a captured group.

actions/instrument/job/inject_and_init.sh:1

  • These trace/span rules also drop the bearer / jwt= prefix entirely by replacing the whole match with ***. If the intended behavior is to keep the prefix visible and only mask the token, adjust to a capture + replacement approach consistently for both span.attributes and span.name.
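To check the behaviour list in the PR description against the prefix-dropping point raised in the Copilot review, here is an added example that is not part of #3149 or the project's own code. It is written in Go because the OpenTelemetry Collector's transform processor evaluates these regexes with Go's RE2 engine, so the standard `regexp` package reproduces what the collector rules do. The fake token, the hostnames and the three mask functions (`maskGeneric`, `maskAsMerged`, `maskKeepPrefix`) are constructed for this example; it is an assumption, to be confirmed against the OTTL docs, that `replace_pattern` in the script's statements expands `$1`-style capture references in its replacement string the way `ReplaceAllString` does.

```go
package main

import (
	"fmt"
	"regexp"
)

// jwtBody is the three-segment base64url shape shared by every pattern in the PR.
// On its own it also matches dotted hostnames, which is why the unprefixed form
// had been disabled in the job-level instrumentation.
const jwtBody = `[A-Za-z0-9_-]{2,}\.[A-Za-z0-9_-]{2,}\.[A-Za-z0-9_-]{2,}`

var (
	// The old generic pattern, kept only to show the hostname collision.
	genericJWT = regexp.MustCompile(jwtBody)

	// The two prefix-scoped patterns as merged in #3149. The whole match,
	// prefix included, is what the collector rule replaces.
	bearerJWT = regexp.MustCompile(`(?i)bearer ` + jwtBody)
	cookieJWT = regexp.MustCompile(`jwt=` + jwtBody)

	// Capture-group variant suggested in review (assumed, not the merged code):
	// the prefix is group 1 and is re-emitted by the replacement, so only the
	// token itself is masked.
	bearerJWTKeep = regexp.MustCompile(`(?i)(bearer )` + jwtBody)
	cookieJWTKeep = regexp.MustCompile(`(jwt=)` + jwtBody)
)

// maskGeneric applies the unprefixed pattern: it masks bare JWTs and hostnames alike.
func maskGeneric(s string) string {
	return genericJWT.ReplaceAllString(s, "***")
}

// maskAsMerged applies the merged patterns with a literal "***" replacement.
// "Authorization: Bearer <jwt>" becomes "Authorization: ***": the prefix is lost.
func maskAsMerged(s string) string {
	s = bearerJWT.ReplaceAllString(s, "***")
	return cookieJWT.ReplaceAllString(s, "***")
}

// maskKeepPrefix masks only the token and keeps the prefix visible, which is the
// behaviour the PR description lists ("bearer ***", "jwt=***").
func maskKeepPrefix(s string) string {
	s = bearerJWTKeep.ReplaceAllString(s, "${1}***")
	return cookieJWTKeep.ReplaceAllString(s, "${1}***")
}

func main() {
	// Constructed sample: a fake header.payload.signature, not a real credential.
	tok := "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.abc123"
	samples := []string{
		"Authorization: Bearer " + tok,
		"Authorization: bearer " + tok,
		"Cookie: jwt=" + tok + "; Path=/",
		"GET https://api.example.com/v1 via my-service.prod.example.com",
		tok, // bare token with no prefix context
	}
	for _, s := range samples {
		fmt.Printf("input:   %s\ngeneric: %s\nmerged:  %s\nkeep:    %s\n\n",
			s, maskGeneric(s), maskAsMerged(s), maskKeepPrefix(s))
	}
}
```

Running it shows the three outcomes side by side: the generic pattern turns `api.example.com` into `***`, the merged patterns leave both hostnames and the bare token alone but collapse `Authorization: Bearer <jwt>` to `Authorization: ***`, and the capture-group variant yields `Authorization: Bearer ***` and `Cookie: jwt=***; Path=/`. Note that `(?i)bearer ` requires exactly one space after the scheme name, so a header serialised with a tab or two spaces would pass through unmasked in every variant.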

@plengauer plengauer merged commit e420b19 into main Mar 19, 2026
572 of 573 checks passed
@plengauer plengauer deleted the claude/reintroduce-jwt-masking-pattern branch March 19, 2026 17:51
plengauer added a commit that referenced this pull request Mar 19, 2026
…collisions (#3149)

Co-authored-by: Claude <242468646+Claude@users.noreply.github.com>

Development

Successfully merging this pull request may close these issues.

reintroduce jwt masking pattern
