Apply credential redaction to container logs

Previous fix only covered SDK client. Container-side logging in
git-service.ts still exposed credentials in error messages and logs.

Created shared utility in @repo/shared for consistent redaction.

Author: ghostwriternr

packages/sandbox-container/src/services/git-service.ts

@@ -1,6 +1,7 @@
 // Git Operations Service
 
 import type { Logger } from '@repo/shared';
+import { redactCredentials } from '@repo/shared';
 import type {
   GitErrorContext,
   ValidationFailedContext
@@ -52,7 +53,7 @@ export class GitService {
         return {
           success: false,
           error: {
-            message: `Invalid Git URL '${repoUrl}': ${urlValidation.errors.join(
+            message: `Invalid Git URL '${redactCredentials(repoUrl)}': ${urlValidation.errors.join(
               ', '
             )}`,
             code: ErrorCode.INVALID_GIT_URL,
@@ -115,7 +116,7 @@ export class GitService {
 
       if (result.exitCode !== 0) {
         this.logger.error('Git clone failed', undefined, {
-          repoUrl,
+          repoUrl: redactCredentials(repoUrl),
           targetDirectory,
           exitCode: result.exitCode,
           stderr: result.stderr
@@ -129,12 +130,12 @@ export class GitService {
         return {
           success: false,
           error: {
-            message: `Failed to clone repository '${repoUrl}': ${
+            message: `Failed to clone repository '${redactCredentials(repoUrl)}': ${
               result.stderr || `exit code ${result.exitCode}`
             }`,
             code: errorCode,
             details: {
-              repository: repoUrl,
+              repository: redactCredentials(repoUrl),
               targetDir: targetDirectory,
               exitCode: result.exitCode,
               stderr: result.stderr
@@ -190,16 +191,16 @@ export class GitService {
       this.logger.error(
         'Failed to clone repository',
         error instanceof Error ? error : undefined,
-        { repoUrl, options }
+        { repoUrl: redactCredentials(repoUrl), options }
       );
 
       return {
         success: false,
         error: {
-          message: `Failed to clone repository '${repoUrl}': ${errorMessage}`,
+          message: `Failed to clone repository '${redactCredentials(repoUrl)}': ${errorMessage}`,
           code: ErrorCode.GIT_CLONE_FAILED,
           details: {
-            repository: repoUrl,
+            repository: redactCredentials(repoUrl),
             targetDir: options.targetDir,
             stderr: errorMessage
           } satisfies GitErrorContext

packages/sandbox/src/clients/git-client.ts

@@ -1,4 +1,5 @@
 import type { GitCheckoutResult } from '@repo/shared';
+import { redactCredentials } from '@repo/shared';
 import { BaseHttpClient } from './base-client';
 import type { HttpClientOptions, SessionRequest } from './types';
 
@@ -58,7 +59,7 @@ export class GitClient extends BaseHttpClient {
         data
       );
 
-      const redactedUrl = this.redactCredentials(repoUrl);
+      const redactedUrl = redactCredentials(repoUrl);
       this.logSuccess(
         'Repository cloned',
         `${redactedUrl} (branch: ${response.branch}) -> ${response.targetDir}`
@@ -89,12 +90,4 @@ export class GitClient extends BaseHttpClient {
       return repoName.replace(/\.git$/, '') || 'repo';
     }
   }
-
-  /**
-   * Redact credentials from repository URLs for secure logging
-   */
-  private redactCredentials(repoUrl: string): string {
-    // Replace any credentials (username:password or token) between :// and @ with ******
-    return repoUrl.replace(/\/\/[^@]+@/, '//******@');
-  }
 }

packages/shared/src/index.ts

@@ -98,3 +98,5 @@ export type {
   WriteFileResult
 } from './types.js';
 export { isExecResult, isProcess, isProcessStatus } from './types.js';
+// Export URL functions
+export { redactCredentials } from './url.js';

packages/shared/src/url.ts

@@ -0,0 +1,21 @@
+/**
+ * Redact credentials from URLs for secure logging
+ *
+ * Replaces any credentials (username:password, tokens, etc.) embedded
+ * in URLs with ****** to prevent sensitive data exposure in logs.
+ *
+ * @param url - The URL that may contain credentials
+ * @returns URL with credentials redacted
+ *
+ * @example
+ * redactCredentials('https://token:[email protected]/repo.git')
+ * // Returns: 'https://******@github.com/repo.git'
+ *
+ * redactCredentials('https://github.com/repo.git')
+ * // Returns: 'https://github.com/repo.git' (unchanged)
+ */
+export function redactCredentials(url: string): string {
+  // Replace any credentials between :// and @ with ******
+  // Pattern matches: ://[anything]@ -> ://******@
+  return url.replace(/:\/\/([^@/]+)@/, '://******@');
+}

packages/shared/tests/url.test.ts

@@ -0,0 +1,22 @@
+import { describe, expect, it } from 'vitest';
+import { redactCredentials } from '../src/url';
+
+describe('redactCredentials', () => {
+  it('should redact credentials and preserve public URLs', () => {
+    // Credentials with username:password format
+    expect(redactCredentials('https://user:[email protected]/repo.git'))
+      .toBe('https://******@github.com/repo.git');
+
+    // Token without username (different format)
+    expect(redactCredentials('https://[email protected]/org/project.git'))
+      .toBe('https://******@github.com/org/project.git');
+
+    // Public URLs without credentials
+    expect(redactCredentials('https://github.com/facebook/react.git'))
+      .toBe('https://github.com/facebook/react.git');
+
+    // SSH URLs (different format, @ not after protocol)
+    expect(redactCredentials('[email protected]:user/repo.git'))
+      .toBe('[email protected]:user/repo.git');
+  });
+});