From 964fabe3b379d4e0f4d015e8bb10fdc00095191f Mon Sep 17 00:00:00 2001
From: Gustavo Madeira Santana <gumadeiras@gmail.com>
Date: Sun, 15 Feb 2026 10:22:15 -0500
Subject: [PATCH] refactor(config): split sensitive path matching helpers

---
 src/config/schema.hints.test.ts | 20 ++++++++++++++++----
 src/config/schema.hints.ts      | 15 ++++++++++-----
 2 files changed, 26 insertions(+), 9 deletions(-)

diff --git a/src/config/schema.hints.test.ts b/src/config/schema.hints.test.ts
index b44bcfeb227..42476a566e6 100644
--- a/src/config/schema.hints.test.ts
+++ b/src/config/schema.hints.test.ts
@@ -8,10 +8,22 @@ const { mapSensitivePaths } = __test__;
 
 describe("isSensitiveConfigPath", () => {
   it("matches whitelist suffixes case-insensitively", () => {
-    expect(isSensitiveConfigPath("maxTokens")).toBe(false);
-    expect(isSensitiveConfigPath("MAXTOKENS")).toBe(false);
-    expect(isSensitiveConfigPath("channels.irc.nickserv.passwordFile")).toBe(false);
-    expect(isSensitiveConfigPath("channels.irc.nickserv.PASSWORDFILE")).toBe(false);
+    const whitelistedPaths = [
+      "maxTokens",
+      "maxOutputTokens",
+      "maxInputTokens",
+      "maxCompletionTokens",
+      "contextTokens",
+      "totalTokens",
+      "tokenCount",
+      "tokenLimit",
+      "tokenBudget",
+      "channels.irc.nickserv.passwordFile",
+    ];
+    for (const path of whitelistedPaths) {
+      expect(isSensitiveConfigPath(path)).toBe(false);
+      expect(isSensitiveConfigPath(path.toUpperCase())).toBe(false);
+    }
   });
 
   it("keeps true sensitive keys redacted", () => {
diff --git a/src/config/schema.hints.ts b/src/config/schema.hints.ts
index 214678821be..14c917bd986 100644
--- a/src/config/schema.hints.ts
+++ b/src/config/schema.hints.ts
@@ -109,12 +109,17 @@ const NORMALIZED_SENSITIVE_KEY_WHITELIST_SUFFIXES = SENSITIVE_KEY_WHITELIST_SUFF
 
 const SENSITIVE_PATTERNS = [/token$/i, /password/i, /secret/i, /api.?key/i];
 
-export function isSensitiveConfigPath(path: string): boolean {
+function isWhitelistedSensitivePath(path: string): boolean {
   const lowerPath = path.toLowerCase();
-  const whitelisted = NORMALIZED_SENSITIVE_KEY_WHITELIST_SUFFIXES.some((suffix) =>
-    lowerPath.endsWith(suffix),
-  );
-  return !whitelisted && SENSITIVE_PATTERNS.some((pattern) => pattern.test(path));
+  return NORMALIZED_SENSITIVE_KEY_WHITELIST_SUFFIXES.some((suffix) => lowerPath.endsWith(suffix));
+}
+
+function matchesSensitivePattern(path: string): boolean {
+  return SENSITIVE_PATTERNS.some((pattern) => pattern.test(path));
+}
+
+export function isSensitiveConfigPath(path: string): boolean {
+  return !isWhitelistedSensitivePath(path) && matchesSensitivePattern(path);
 }
 
 export function buildBaseHints(): ConfigUiHints {