[codex] Add runtime lifecycle recovery and live issue visibility (#4419)

2026-06-16 10:50:38 +09:00 · 2026-04-24 15:50:32 -05:00 · 2026-04-24 15:50:32 -05:00 · 5a0c1979cf
commit 5a0c1979cf
parent 9a8d219949
121 changed files with 9625 additions and 2044 deletions
--- a/server/src/redaction.ts
+++ b/server/src/redaction.ts
@ -1,6 +1,16 @@
 const SECRET_PAYLOAD_KEY_RE =
  /(api[-_]?key|access[-_]?token|auth(?:_?token)?|authorization|bearer|secret|passwd|password|credential|jwt|private[-_]?key|cookie|connectionstring)/i;
 const JWT_VALUE_RE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)?$/;
+const JWT_TEXT_RE = /\b[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}(?:\.[A-Za-z0-9_-]{8,})?\b/g;
+const OPENAI_KEY_TEXT_RE = /\bsk-[A-Za-z0-9_-]{12,}\b/g;
+const GITHUB_TOKEN_TEXT_RE = /\bgh[pousr]_[A-Za-z0-9_]{20,}\b/g;
+const AUTHORIZATION_BEARER_TEXT_RE = /(\bAuthorization\s*:\s*Bearer\s+)[^\s"'`]+/gi;
+const ENV_SECRET_ASSIGNMENT_TEXT_RE =
+  /(\b[A-Za-z0-9_]*(?:TOKEN|KEY|SECRET|PASSWORD|PASSWD|AUTHORIZATION|JWT)[A-Za-z0-9_]*\s*=\s*)[^\s"'`]+/gi;
+const JSON_SECRET_FIELD_TEXT_RE =
+  /((?:"|')?(?:api[-_]?key|access[-_]?token|auth(?:_?token)?|authorization|bearer|secret|passwd|password|credential|jwt|private[-_]?key|cookie|connectionstring)(?:"|')?\s*:\s*(?:"|'))[^"'`\r\n]+((?:"|'))/gi;
+const ESCAPED_JSON_SECRET_FIELD_TEXT_RE =
+  /((?:\\")?(?:api[-_]?key|access[-_]?token|auth(?:_?token)?|authorization|bearer|secret|passwd|password|credential|jwt|private[-_]?key|cookie|connectionstring)(?:\\")?\s*:\s*(?:\\"))[^\\\r\n]+((?:\\"))/gi;
 export const REDACTED_EVENT_VALUE = "***REDACTED***";

 function isPlainObject(value: unknown): value is Record<string, unknown> {
@ -57,3 +67,14 @@ export function redactEventPayload(payload: Record<string, unknown> | null): Rec
  if (!isPlainObject(payload)) return payload;
  return sanitizeRecord(payload);
 }
+
+export function redactSensitiveText(input: string): string {
+  return input
+    .replace(AUTHORIZATION_BEARER_TEXT_RE, `$1${REDACTED_EVENT_VALUE}`)
+    .replace(JSON_SECRET_FIELD_TEXT_RE, `$1${REDACTED_EVENT_VALUE}$2`)
+    .replace(ESCAPED_JSON_SECRET_FIELD_TEXT_RE, `$1${REDACTED_EVENT_VALUE}$2`)
+    .replace(ENV_SECRET_ASSIGNMENT_TEXT_RE, `$1${REDACTED_EVENT_VALUE}`)
+    .replace(OPENAI_KEY_TEXT_RE, REDACTED_EVENT_VALUE)
+    .replace(GITHUB_TOKEN_TEXT_RE, REDACTED_EVENT_VALUE)
+    .replace(JWT_TEXT_RE, REDACTED_EVENT_VALUE);
+}