
Module redact


Mask sensitive arguments before they reach the audit log.

The default redaction list mirrors what shows up in agent workflows: passwords, tokens, API keys, secrets. The match is case-insensitive on the flag name (e.g. --token=…) and on the immediate-prior arg (e.g. vs_act 2 fill PASSWORD_VALUE redacts the value because the previous arg is fill of a password-like target). For v1, however, we only redact based on flag names; positional secrets are the agent’s responsibility unless they pass --unsafe-log (M5).

For now: any flag whose name matches the regex (?i)password|token|secret|key|auth has its value replaced with ***.
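The flag-name rule above, worked through as an added example (not this crate's own code): the names `is_sensitive_flag` and `redact_flag_values` are hypothetical, and a lowercase substring test stands in for the unanchored regex. Masking the argument after a bare `--flag` is an assumption; the page only shows the `--token=…` form.

```rust
// Added illustration; not the crate's redact_args. All names are hypothetical.
const SENSITIVE: [&str; 5] = ["password", "token", "secret", "key", "auth"];

/// Unanchored, case-insensitive match, equivalent to
/// (?i)password|token|secret|key|auth applied to the flag name.
fn is_sensitive_flag(name: &str) -> bool {
    let lower = name.to_ascii_lowercase();
    SENSITIVE.iter().any(|needle| lower.contains(needle))
}

/// Join args into one log string, replacing sensitive flag values with ***.
/// Assumption: both `--flag=value` and `--flag value` carry a value.
fn redact_flag_values(args: &[&str]) -> String {
    let mut out: Vec<String> = Vec::with_capacity(args.len());
    let mut mask_next = false; // true right after a bare sensitive flag
    for arg in args {
        if let Some(body) = arg.strip_prefix("--") {
            mask_next = false;
            match body.split_once('=') {
                Some((name, _)) if is_sensitive_flag(name) => {
                    out.push(format!("--{}=***", name));
                }
                Some(_) => out.push(arg.to_string()),
                None => {
                    mask_next = is_sensitive_flag(body);
                    out.push(arg.to_string());
                }
            }
        } else if mask_next {
            mask_next = false;
            out.push("***".to_string());
        } else {
            // Positional args pass through untouched, secrets included.
            out.push(arg.to_string());
        }
    }
    out.join(" ")
}

fn main() {
    // Constructed sample inputs.
    println!("{}", redact_flag_values(&["--url=https://example.test", "--Token=abc123"]));
    println!("{}", redact_flag_values(&["--api-key", "sk_constructed", "--verbose"]));
    // Positional secret: a flag-name-only rule leaves it in the log.
    println!("{}", redact_flag_values(&["2", "fill", "hunter2"]));
    // Substring matching also masks --author and --keyboard-layout.
    println!("{}", redact_flag_values(&["--author=alice", "--keyboard-layout=us"]));
}
```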

Functions

redact_args
Render the request args for the audit log, redacting sensitive flag values. Returns a single string — the wire-form of args minus the primitive name — suitable for args_redacted.
redact_string
Redact a single free-form string (used for vs_inspect eval expressions in args_redacted). Replaces inline bearer ... / token = ... style secrets with ***. Matching is intentionally loose so casually-pasted credentials don’t survive the audit log.