sec(trace): redaction bypass via non-standard secret passing patterns #1166

@chaliy


Summary

The trace event redaction in trace.rs only handles specific well-known patterns for secret passing (e.g., -H Authorization:, --user, KEY=value with known suffixes). Secrets passed via non-standard patterns are not redacted in trace output when TraceMode::Redacted is enabled.

Threat category: TM-LOG (Logging Security) — extends TM-LOG-001
Severity: Low
Component: crates/bashkit/src/trace.rs, redact_argv() function

Root Cause

The redact_argv() function uses a hardcoded list of patterns:

  1. -H/--header flags (standalone or concatenated)
  2. --user/-u flags
  3. Headers matching SECRET_HEADERS list
  4. KEY=value with known SECRET_SUFFIXES (_KEY, _TOKEN, _SECRET, _PASSWORD, _CREDENTIAL)
  5. URLs with user:pass@host pattern

These miss common secret-passing patterns:

  • --token VALUE (many CLI tools)
  • --api-key VALUE
  • --password VALUE
  • -p PASSWORD (mysql, ssh, etc.)
  • --secret VALUE
  • Base64-encoded credentials as positional args
  • Secrets in JSON body arguments (-d '{"password":"..."}')

Steps to Reproduce

# These secrets are NOT redacted in Redacted trace mode:
curl https://api.example.com --token sk-secret-123
http POST https://api.com token==secret123
echo '{"password":"s3cr3t"}' | curl -d @- https://api.com

Impact

  • Secret exposure in logs: When trace mode is Redacted, users expect secrets to be scrubbed. Non-standard patterns leak through.
  • False sense of security: The Redacted mode name implies comprehensive redaction.
  • AI agent context: Tool output containing trace events could expose credentials to LLMs.

Acceptance Criteria

  • Add --token, --api-key, --password, --secret, -p to the redacted flag patterns
  • Consider redacting any argument that looks like a high-entropy secret (e.g., sk-*, ghp_*, base64-like strings)
  • Add test cases for the new patterns
  • Document limitations of trace redaction (cannot catch all patterns) in docstring
  • Consider redacting JSON body content that contains keys matching secret patterns
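The following is an added example, not code from bashkit's trace.rs or from the issue author: a standalone Rust redactor that shows what the Root Cause list and the acceptance criteria above amount to in code, covering the `--token`/`--api-key`/`--password`/`--secret`/`-p` flag forms, the existing `KEY=value` suffix rule (extended so httpie's `token==value` is caught), JSON bodies passed via `-d`, and a crude high-entropy check for `sk-*`, `ghp_*` and base64-like positional arguments. Every name, constant, threshold and the `CONCAT_P_TOOLS` list is an assumption for illustration.

```rust
// Added example, not bashkit's trace.rs: a standalone argv redactor for the flag, KEY=value,
// JSON-body and high-entropy cases this issue lists. Names, constants and thresholds are assumptions.

const REDACTED: &str = "***";
// Flags whose following argument (or attached `=value`) is a secret.
const SECRET_FLAGS: &[&str] = &["--token", "--api-key", "--password", "--secret", "-p"];
const BODY_FLAGS: &[&str] = &["-d", "--data", "--data-raw", "--json"]; // request-body flags
// Env-style suffixes the issue says redact_argv() already handles.
const SECRET_SUFFIXES: &[&str] = &["_KEY", "_TOKEN", "_SECRET", "_PASSWORD", "_CREDENTIAL"];
const SECRET_PREFIXES: &[&str] = &["sk-", "ghp_"]; // credential prefixes named in the issue
// JSON keys whose string values are scrubbed (case-insensitive suffix match).
const SECRET_JSON_KEYS: &[&str] = &["password", "token", "secret", "api_key", "apikey"];
const CONCAT_P_TOOLS: &[&str] = &["mysql", "mysqladmin", "mysqldump"]; // assumed: tools using -pVALUE

/// `AWS_SECRET_KEY`, `api_key`, or a bare `token` (httpie `token==value`) all count.
fn has_secret_suffix(key: &str) -> bool {
    let upper = key.to_ascii_uppercase();
    SECRET_SUFFIXES.iter().any(|s| upper.ends_with(*s) || upper == s[1..])
}

/// Crude entropy heuristic for base64-like positional arguments: 20+ characters from the
/// base64/url-safe alphabet using at least three of {lower, upper, digit, symbol}; paths skip.
fn looks_high_entropy(arg: &str) -> bool {
    let alphabet = |c: char| c.is_ascii_alphanumeric() || "+/=-_".contains(c);
    if arg.len() < 20 || arg.starts_with('/') || arg.starts_with('.') || !arg.chars().all(alphabet) {
        return false;
    }
    let classes = [
        arg.chars().any(|c| c.is_ascii_lowercase()),
        arg.chars().any(|c| c.is_ascii_uppercase()),
        arg.chars().any(|c| c.is_ascii_digit()),
        arg.chars().any(|c| !c.is_ascii_alphanumeric()),
    ];
    classes.iter().filter(|&&b| b).count() >= 3
}

/// Scrub string values of secret-looking keys in JSON-ish text without a parser: find `"key"`,
/// then `: "value"`, and replace the value. Flat scan (nested keys covered); escaped quotes not handled.
fn redact_json_values(body: &str) -> String {
    let mut out = String::with_capacity(body.len());
    let mut rest = body;
    while let Some(start) = rest.find('"') {
        let after = &rest[start + 1..];
        let end = match after.find('"') { Some(e) => e, None => break };
        let key = after[..end].to_ascii_lowercase();
        out.push_str(&rest[..start + end + 2]); // copy through the closing quote of "key"
        rest = &after[end + 1..];
        if !SECRET_JSON_KEYS.iter().any(|k| key.ends_with(*k)) { continue; }
        // A key must be followed by `: "`; otherwise the quoted text was itself a value.
        let v = match rest.trim_start().strip_prefix(':').and_then(|t| t.trim_start().strip_prefix('"')) {
            Some(v) => v,
            None => continue,
        };
        let vend = match v.find('"') { Some(e) => e, None => break };
        out.push_str(&rest[..rest.len() - v.len()]); // the `: "` exactly as written
        out.push_str(REDACTED); out.push('"');
        rest = &v[vend + 1..];
    }
    out.push_str(rest);
    out
}

#[derive(Clone, Copy)]
enum Next { Plain, Secret, Body }

/// Returns argv with secret-bearing arguments replaced by `***`.
pub fn redact_argv(argv: &[&str]) -> Vec<String> {
    let tool = argv.first().copied().and_then(|a| a.rsplit('/').next()).unwrap_or("");
    let concat_p = CONCAT_P_TOOLS.contains(&tool);
    let mut out = Vec::with_capacity(argv.len());
    let mut next = Next::Plain;
    for &arg in argv {
        match next {
            Next::Secret => { out.push(REDACTED.to_string()); next = Next::Plain; continue; }
            Next::Body => { out.push(redact_json_values(arg)); next = Next::Plain; continue; }
            Next::Plain => {}
        }
        if SECRET_FLAGS.contains(&arg) { out.push(arg.to_string()); next = Next::Secret; continue; }
        if BODY_FLAGS.contains(&arg) { out.push(arg.to_string()); next = Next::Body; continue; }
        if let Some((flag, value)) = arg.split_once('=') {
            if SECRET_FLAGS.contains(&flag) || has_secret_suffix(flag) {
                let eq = if value.starts_with('=') { "==" } else { "=" }; // httpie `key==value`
                out.push(format!("{flag}{eq}{REDACTED}"));
                continue;
            }
        }
        // mysql-style `-pHunter2`, then positional JSON such as echo '{"password":"..."}'
        if concat_p && arg.len() > 2 && arg.starts_with("-p") { out.push(format!("-p{REDACTED}")); continue; }
        if arg.trim_start().starts_with('{') { out.push(redact_json_values(arg)); continue; }
        let hit = SECRET_PREFIXES.iter().any(|p| arg.starts_with(*p)) || looks_high_entropy(arg);
        out.push(if hit { REDACTED.to_string() } else { arg.to_string() });
    }
    out
}

fn main() {
    let argv = ["curl", "https://api.example.com", "--token", "sk-secret-123"];
    println!("{}", redact_argv(&argv).join(" "));
}
```

Two design choices are worth noting for the docstring limitation the acceptance criteria ask for. A standalone `-p VALUE` always scrubs the next argument, so `ssh -p 22` traces as `ssh -p ***`; that over-redaction is harmless, whereas the concatenated `-pVALUE` form is restricted to a tool allow-list so that `find . -print` is left alone. The entropy check is deliberately crude (URLs fail it because of `:`; paths are skipped), and the JSON scrub is a flat text scan rather than a parser, so neither can promise to catch every secret; the redaction stays best-effort, as the issue says it should be documented.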
