security: enhance log redaction and implement permanent audit scanners (v1.26.0)

- Implemented TokenRedactingFilter in main.py to mask JWT tokens, RTSP credentials, and API keys in live stdout logs.
- Added apply_security_logging() to lifespan to ensure security filters persist during Uvicorn reloads.
- Synchronized SECURITY.md and AGENTS.md with new log security standards and mandatory rebuild rules.

Author: root

SECURITY.md

@@ -76,10 +76,11 @@ VibeNVR's code includes specific mitigations against common attack vectors:
 4. **Secure Subprocess Execution**:
    - All internal calls to video tools (`ffmpeg`, `ffprobe`) are performed using **list-based arguments** (the secure default in Python's `subprocess.run`), effectively preventing any shell injection vulnerabilities via malicious camera URLs or paths.
 4. **Advanced Log & GUI Masking**:
-   - The logging infrastructure (`backend/routers/logs.py`) and the custom `TokenRedactingFilter` in `main.py` automatically mask stdout logs for:
-     - **RTSP Credentials**: `rtsp://user:***@host`
-     - **Sensitive JSON fields**: `"password": "***"`, `"token": "***"`, etc.
-     - **Headers**: `X-API-Key=REDACTED`, `Bearer REDACTED`.
+    - The logging infrastructure (`backend/routers/logs.py`) and the custom `TokenRedactingFilter` in `main.py` automatically mask stdout logs for:
+      - **RTSP Credentials**: `rtsp://user:***@host`
+      - **Sensitive JSON fields**: `"password": "***"`, `"token": "***"`, etc.
+      - **Headers & Parameters**: `X-API-Key=REDACTED`, `Bearer REDACTED`, `token=REDACTED`.
+    - **Perpetual Security Audit**: Mandatory runtime scans are performed during the CI/CD and security audit workflows to ensure that sensitive strings never leak into the application's stdout.
    - **RTSP URL Redaction (GUI Level)**: Starting from **v1.25.3**, the frontend configuration interface implements dynamic URL masking. RTSP and Sub-Stream URLs are displayed without plain-text passwords (redacted as `********`). If a user pastes a full URL containing a password, it is automatically extracted to the secure separate fields and redacted in real-time.
 5. **Privacy Masking & Motion Zones**: 
     - **Privacy Masks** are applied at the Engine level immediately after frame decoding. They are "burned" into the video frames *before* they reach the recording or motion analysis modules, ensuring that sensitive data is never persisted or processed if masked.

backend/main.py

@@ -34,35 +34,60 @@ def filter(self, record):
         # Redact token from the message itself
         if isinstance(record.msg, str):
             if "token=" in record.msg:
+                # Standard query param
                 record.msg = re.sub(r"token=[^&\s]*", "token=REDACTED", record.msg)
             if "X-API-Key" in record.msg:
                 record.msg = re.sub(r"X-API-Key[^\s]*[:=]\s*['\"]?[^'\"]+['\"]?", "X-API-Key: REDACTED", record.msg)
+            if "Authorization" in record.msg:
+                record.msg = re.sub(r"Authorization[:=]\s*Bearer\s+[\w\-\.]+", "Authorization: Bearer REDACTED", record.msg)
 
         # Redact token from uvicorn access log arguments (client, method, path, etc)
         if hasattr(record, "args") and record.args:
             new_args = list(record.args)
             for i, arg in enumerate(new_args):
                 if isinstance(arg, str):
                     if "token=" in arg:
+                        # Catch both "?token=..." and "token=..."
                         new_args[i] = re.sub(r"token=[^&\s]*", "token=REDACTED", arg)
-                    # Redact sensitive credentials in URLs
+                    # Redact sensitive credentials in URLs (e.g. RTSP)
                     if "://" in arg and "@" in arg:
                         new_args[i] = re.sub(r"://[^@]+@", r"://***@", arg)
             record.args = tuple(new_args)
         return True
 
-# Apply the filter to uvicorn access logs
-# Apply the filter to uvicorn access logs
-uvicorn_access_logger = logging.getLogger("uvicorn.access")
-uvicorn_access_logger.addFilter(TokenRedactingFilter())
+def apply_security_logging():
+    """
+    Forcefully apply TokenRedactingFilter to all relevant loggers and their handlers.
+    This is necessary because Uvicorn can reset logging config during startup or reloads.
+    """
+    redact_filter = TokenRedactingFilter()
+    
+    # Target loggers: root, uvicorn, and its sub-loggers
+    target_loggers = ["", "uvicorn", "uvicorn.access", "uvicorn.error", "websockets", "fastapi"]
+    
+    for name in target_loggers:
+        logger = logging.getLogger(name)
+        # 1. Add to logger (for propagation filtering)
+        if not any(isinstance(f, TokenRedactingFilter) for f in logger.filters):
+            logger.addFilter(redact_filter)
+        
+        # 2. Add to all existing handlers (the most robust way)
+        for handler in logger.handlers:
+            if not any(isinstance(f, TokenRedactingFilter) for f in handler.filters):
+                handler.addFilter(redact_filter)
+
+# Initial application on import
+apply_security_logging()
 
 # Configure timestamp for uvicorn access logs
 # Uvicorn's default formatter doesn't include time
 console_formatter = logging.Formatter("%(asctime)s - %(levelname)s - %(message)s", datefmt="%Y-%m-%d %H:%M:%S")
 
 # Apply formatter to all handlers of uvicorn.access
-if uvicorn_access_logger.hasHandlers():
-    for handler in uvicorn_access_logger.handlers:
+# Apply formatter to all handlers of uvicorn.access (Initial best effort)
+access_logger = logging.getLogger("uvicorn.access")
+if access_logger.hasHandlers():
+    for handler in access_logger.handlers:
         handler.setFormatter(console_formatter)
 else:
     # If no handlers yet (likely), add one or rely on uvicorn's default being added later?
@@ -139,6 +164,9 @@ async def lifespan(app: FastAPI):
     except Exception as e:
         print(f"Log setup warning: {e}")
 
+    # Re-apply security logging inside lifespan to catch process-level resets/reloads
+    apply_security_logging()
+
     retry_count = 0
     while True:
         try: