fix(cr-mbx-feishu-encryptkey-config-redaction-bypass): apply security fix (#53414)

Generated by staged fix workflow.

src/plugin-sdk/secret-input-schema.ts

@@ -1,5 +1,6 @@
 import { z } from "zod";
 import { ENV_SECRET_REF_ID_RE } from "../config/types.secrets.js";
+import { sensitive } from "../config/zod-schema.sensitive.js";
 import {
   formatExecSecretRefIdValidationMessage,
   isValidExecSecretRefId,
@@ -7,16 +8,17 @@ import {
   SECRET_PROVIDER_ALIAS_PATTERN,
 } from "../secrets/ref-contract.js";
 
-/** Build the shared zod schema for secret inputs accepted by plugin auth/config surfaces. */
-export function buildSecretInputSchema() {
-  const providerSchema = z
-    .string()
-    .regex(
-      SECRET_PROVIDER_ALIAS_PATTERN,
-      'Secret reference provider must match /^[a-z][a-z0-9_-]{0,63}$/ (example: "default").',
-    );
+const providerSchema = z
+  .string()
+  .regex(
+    SECRET_PROVIDER_ALIAS_PATTERN,
+    'Secret reference provider must match /^[a-z][a-z0-9_-]{0,63}$/ (example: "default").',
+  );
 
-  return z.union([
+// Singleton registered with the sensitive registry so that mapSensitivePaths
+// marks every config field using this schema as sensitive (redacted).
+const secretInputSchema = z
+  .union([
     z.string(),
     z.discriminatedUnion("source", [
       z.object({
@@ -45,5 +47,10 @@ export function buildSecretInputSchema() {
         id: z.string().refine(isValidExecSecretRefId, formatExecSecretRefIdValidationMessage()),
       }),
     ]),
-  ]);
+  ])
+  .register(sensitive);
+
+/** Build the shared zod schema for secret inputs accepted by plugin auth/config surfaces. */
+export function buildSecretInputSchema() {
+  return secretInputSchema;
 }