[Phase 1.3.3] Add credential masking in all log output #22
Description
Phase
Phase 1 — Critical Security | Track 1.3 — Authentication & Access | Priority: P1 HIGH
Vulnerability Details
CWE: CWE-532 — Insertion of Sensitive Information into Log File
API keys and tokens can appear in log output during initialization, error messages, and debug logging. No masking is applied.
Fix
Create a logging filter that masks known credential patterns:
- `sk-` (OpenAI), `gsk_` (Groq), `AIza` (Google), `nvapi-` (NVIDIA)
- `sk-or-v1-` (OpenRouter), `Bearer ` tokens
- Generic patterns: any string matching `[a-zA-Z0-9_-]{32,}` in key-value contexts
Apply as a Python logging filter attached to root logger.
Acceptance Criteria
- Logging filter created in `operator_use/utils/log_filter.py`
- Filter attached to root logger at startup
- All known provider key patterns masked
- Tests verify masking works for each pattern
- No real keys appear in any log level output
References
- CWE-532
- Design Doc:
docs/plans/2026-03-29-security-ai-guardrails-performance-design.md