fix(cron): log and redact on secrets-redaction failure

If redact_sensitive_text() raises or fails to import, stdout/stderr
were silently left unredacted and could leak API keys or tokens into
cron job delivery messages and logs.

Replace bare  with a warning log and replace
both outputs with '[REDACTED - redaction failed]' to prevent leaks.

Root cause: silent exception swallow in _run_job_script()
Impact: potential secrets leak in cron job output delivery
This commit is contained in:
sprmn24 2026-05-14 22:28:43 +03:00 committed by Teknium
parent d3d768efb9
commit da4f15cddc

View file

@ -1648,8 +1648,10 @@ def _run_job_script(script_path: str) -> tuple[bool, str]:
from agent.redact import redact_sensitive_text
stdout = redact_sensitive_text(stdout)
stderr = redact_sensitive_text(stderr)
except Exception:
pass
except Exception as e:
logger.warning("Failed to redact sensitive text from output: %s", e)
stdout = "[REDACTED - redaction failed]"
stderr = "[REDACTED - redaction failed]"
if result.returncode != 0:
parts = [f"Script exited with code {result.returncode}"]