Problem
--debug can leak credentials or sensitive API data to stderr. It only redacts the Authorization request header, while generated CLIs can use API keys in arbitrary headers and servers may return sensitive headers or bodies.
Evidence
pkg/runtime/debug.go redacts only headers equal to Authorization.pkg/runtime/auth.go supports API key auth with a configurable header, defaulting to X-API-Key.pkg/runtime/debug.go prints all response headers and dumps text response bodies up to 4096 bytes.SECURITY.md explicitly lists token/host secret leakage via logs as in scope.
Expected behavior
Debug logging should have a central redaction policy. At minimum, redact request and response headers such as authorization, cookie, set-cookie, x-api-key, and names containing token/key/secret. Response body dumping should be conservative or clearly gated when content may contain secrets.
Verification
make test currently passes; existing tests cover JSON body logging and binary skipping but do not cover API-key header or response-header redaction.
Problem
--debugcan leak credentials or sensitive API data to stderr. It only redacts theAuthorizationrequest header, while generated CLIs can use API keys in arbitrary headers and servers may return sensitive headers or bodies.Evidence
pkg/runtime/debug.goredacts only headers equal toAuthorization.pkg/runtime/auth.gosupports API key auth with a configurable header, defaulting toX-API-Key.pkg/runtime/debug.goprints all response headers and dumps text response bodies up to 4096 bytes.SECURITY.mdexplicitly lists token/host secret leakage via logs as in scope.Expected behavior
Debug logging should have a central redaction policy. At minimum, redact request and response headers such as
authorization,cookie,set-cookie,x-api-key, and names containing token/key/secret. Response body dumping should be conservative or clearly gated when content may contain secrets.Verification
make testcurrently passes; existing tests cover JSON body logging and binary skipping but do not cover API-key header or response-header redaction.