diff --git a/extensions/qa-matrix/src/runners/contract/scenario-runtime-e2ee.ts b/extensions/qa-matrix/src/runners/contract/scenario-runtime-e2ee.ts index d36bad1e646..ec05cccecc6 100644 --- a/extensions/qa-matrix/src/runners/contract/scenario-runtime-e2ee.ts +++ b/extensions/qa-matrix/src/runners/contract/scenario-runtime-e2ee.ts @@ -1382,7 +1382,11 @@ export async function runMatrixQaE2eeCliSelfVerificationScenario( session.kill(); } } finally { - await cli.dispose(); + try { + await cli.dispose(); + } finally { + await owner.deleteOwnDevices([cliDevice.deviceId]).catch(() => undefined); + } } }, ); diff --git a/extensions/qa-matrix/src/runners/contract/scenarios.test.ts b/extensions/qa-matrix/src/runners/contract/scenarios.test.ts index f3a8c93b2fa..51ccbacb9dc 100644 --- a/extensions/qa-matrix/src/runners/contract/scenarios.test.ts +++ b/extensions/qa-matrix/src/runners/contract/scenarios.test.ts @@ -3151,7 +3151,7 @@ describe("matrix live qa scenarios", () => { await expect(readdir(String(cliEnv?.OPENCLAW_STATE_DIR))).rejects.toThrow(); expect(acceptVerification).toHaveBeenCalledWith("owner-request"); expect(confirmVerificationSas).toHaveBeenCalledWith("owner-request"); - expect(deleteOwnDevices).not.toHaveBeenCalled(); + expect(deleteOwnDevices).toHaveBeenCalledWith(["CLIDEVICE"]); const [cliRunDir] = await readdir(path.join(outputDir, "cli-self-verification")); const cliArtifactDir = path.join(outputDir, "cli-self-verification", cliRunDir ?? ""); await expect(stat(cliArtifactDir)).resolves.toMatchObject({ mode: expect.any(Number) }); diff --git a/src/logging/redact.test.ts b/src/logging/redact.test.ts index dd24e150d44..df5e74dc3a4 100644 --- a/src/logging/redact.test.ts +++ b/src/logging/redact.test.ts @@ -18,6 +18,21 @@ describe("redactSensitiveText", () => { expect(output).toBe("OPENAI_API_KEY=sk-123…cdef"); }); + it("masks env assignments after punctuation delimiters", () => { + expect( + redactSensitiveText("(OPENAI_API_KEY=sk-1234567890abcdef)", { + mode: "tools", + patterns: defaults, + }), + ).toBe("(OPENAI_API_KEY=sk-123…cdef)"); + expect( + redactSensitiveText("[MATRIX_ACCESS_TOKEN=abcdef1234567890ghij]", { + mode: "tools", + patterns: defaults, + }), + ).toBe("[MATRIX_ACCESS_TOKEN=abcdef…ghij]"); + }); + it("masks CLI flags", () => { const input = "curl --token abcdef1234567890ghij https://api.test"; const output = redactSensitiveText(input, { diff --git a/src/logging/redact.ts b/src/logging/redact.ts index bd27a23beed..08cb799dcea 100644 --- a/src/logging/redact.ts +++ b/src/logging/redact.ts @@ -15,7 +15,7 @@ const DEFAULT_REDACT_KEEP_END = 4; const DEFAULT_REDACT_PATTERNS: string[] = [ // ENV-style assignments. - String.raw`(?:^|\s)\b[A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD|PASSWD)\b\s*[=:]\s*(["']?)([^\s"'\\]+)\1`, + String.raw`(?:^|[\s([{,;])\b[A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD|PASSWD)\b\s*[=:]\s*(["']?)([^\s"'\\)\]\},;]+)\1`, // JSON fields. String.raw`"(?:apiKey|token|secret|password|passwd|accessToken|refreshToken|access_token|refresh_token)"\s*:\s*"([^"]+)"`, // URL query parameters.