fix(sandbox): redact sensitive structured log values #621

Closed
cluster2600 wants to merge 1 commit into NVIDIA:main from
cluster2600:codex/issue-595-log-redaction

@cluster2600 cluster2600 commented Mar 26, 2026

Summary

Follow-up to #595. Redact obvious secret-bearing structured log values in the sandbox log push path before they are sent to the gateway.

  • redact fields with secret-like names such as authorization, api_key, *_token, *_secret, and *_password
  • redact values that look like credentials, including Bearer ..., sk-..., and openshell:resolve:...
  • preserve ordinary operational fields such as l7_target and token_count
  • add unit coverage for field-name matching, value-prefix matching, quoted debug strings, and benign values

Rationale

The current sandbox log push layer forwards structured tracing fields verbatim. That is usually fine for the existing events, but it means a future instrumentation change could accidentally forward credential material to the gateway. This change keeps the behaviour conservative and localised: only obvious secret-shaped structured fields are redacted, while the primary log message remains untouched.

flowchart LR
    A["Sandbox tracing event"] --> B{"Structured field?"}
    B -->|"no"| C["Keep message unchanged"]
    B -->|"yes"| D{"Sensitive name or value?"}
    D -->|"yes"| E["Replace with [REDACTED]"]
    D -->|"no"| F["Keep original value"]
    C --> G["PushSandboxLogs RPC"]
    E --> G
    F --> G

Changes

| File | Change |
| --- | --- |
| crates/openshell-sandbox/src/log_push.rs | Add a small sanitiser for structured field values; apply it in both record_str and record_debug; add 5 unit tests |

Test Plan

  • cargo test -p openshell-sandbox log_push::tests

@cluster2600 cluster2600 requested a review from a team as a code owner March 26, 2026 07:47
@cluster2600 cluster2600 force-pushed the codex/issue-595-log-redaction branch from 0051b28 to f8d8087 Compare March 26, 2026 07:51
@johntmyers johntmyers closed this Mar 26, 2026
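
The redaction rules listed in the PR summary, as an added Rust example. This is not the code from log_push.rs; the function names (`is_sensitive_name`, `looks_like_credential`, `sanitize_field`) and the exact matching rules are assumptions drawn from the description, and the sample fields are constructed.

```rust
// Added illustration; not the code from crates/openshell-sandbox/src/log_push.rs.
// Names and exact matching rules are assumptions based on the PR summary.

const REDACTED: &str = "[REDACTED]";
const SENSITIVE_NAMES: [&str; 2] = ["authorization", "api_key"];
const SENSITIVE_SUFFIXES: [&str; 3] = ["_token", "_secret", "_password"];
const CREDENTIAL_PREFIXES: [&str; 3] = ["Bearer ", "sk-", "openshell:resolve:"];

/// True when the field name itself signals secret content.
/// Suffix matching keeps `token_count` out: it ends in `_count`, not `_token`.
fn is_sensitive_name(name: &str) -> bool {
    let lower = name.to_ascii_lowercase();
    SENSITIVE_NAMES.iter().any(|n| lower == *n)
        || SENSITIVE_SUFFIXES.iter().any(|s| lower.ends_with(*s))
}

/// True when the value starts with a credential-shaped prefix. Debug
/// formatting wraps strings in quotes, so a leading quote is skipped first.
fn looks_like_credential(value: &str) -> bool {
    let unquoted = value.trim_start().trim_start_matches('"');
    CREDENTIAL_PREFIXES.iter().any(|p| unquoted.starts_with(*p))
}

/// Returns the value to forward for one structured field.
fn sanitize_field(name: &str, value: &str) -> String {
    if is_sensitive_name(name) || looks_like_credential(value) {
        REDACTED.to_string()
    } else {
        value.to_string()
    }
}

fn main() {
    // Constructed sample fields as (name, value) pairs.
    let fields = [
        ("authorization", "Basic dXNlcjpwYXNz"),
        ("upstream_token", "abc123"),
        ("header", "\"Bearer constructed-value\""),
        ("l7_target", "api.example.com:443"),
        ("token_count", "512"),
    ];
    for (name, value) in fields {
        println!("{name}={}", sanitize_field(name, value));
    }
}
```

Prefix and name matching of this kind only catches secrets that arrive in an expected shape; a credential logged under a neutral field name with no recognisable prefix passes through unchanged.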