
#23391: Logging: redact runtime secrets from skill env/apiKey in logs and transcripts

by bmendonca3 · open · 2026-02-22 08:44
Labels: agents, size: M, trusted-contributor
## Summary

- add runtime secret registry for redaction literals sourced from config, env, and credential files
- apply runtime literal redaction in `redactSensitiveText` alongside existing regex masking
- redact tool-result text blocks before transcript persistence in `installSessionToolResultGuard`
- add regression coverage for runtime secret collection, literal redaction, and transcript persistence redaction

## Testing

- pnpm test src/logging/redact.test.ts src/logging/secret-registry.test.ts
- pnpm test:e2e src/agents/session-tool-result-guard.e2e.test.ts

### Greptile Summary

Adds a runtime secret registry that collects sensitive values from config (gateway auth, skill `apiKey`/`env`), process environment variables, and credential files on disk, then applies literal string replacement alongside existing regex-based redaction in `redactSensitiveText`. Tool result text blocks are now redacted before transcript persistence via `redactToolResultText` in the session-tool-result guard.

- `collectConfigSecrets` collects **all** skill `env` values without filtering by key name — non-sensitive env vars (e.g. `DATABASE_HOST`, `LOG_LEVEL`) will be registered as secrets and redacted from tool output
- `SENSITIVE_KEY_RE` matches bare `"access"` and `"refresh"` substrings, which is broader than `ENV_SENSITIVE_KEY_RE` and may over-collect from credential JSON files with keys like `accessLevel` or `refreshInterval`
- `redactSensitiveText` now always calls `resolveConfigRedaction()` even when options are provided, changing the API contract for callers passing partial options (they now get config-derived values merged in as fallbacks)

### Confidence Score: 3/5

- Functional but with over-collection risks that could cause unexpected redaction of non-sensitive strings in tool output
- The core redaction and caching logic is sound, and the integration into the session-tool-result-guard is well-structured. However, the skill env value collection is unfiltered (collects all values regardless of key), and the SENSITIVE_KEY_RE regex is broader than its ENV counterpart, both of which could cause false-positive redaction of common strings in tool output. These are not crash bugs but could degrade tool output readability in production.
- Pay close attention to `src/logging/secret-registry.ts` (over-collection of skill env values and broad regex matching) and `src/logging/redact.ts` (always-call config resolution changing API behavior)

Last reviewed commit: 30f15b2
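Added example, not code from this PR or from the project: a minimal runtime secret registry of the kind the summary describes (gateway auth, skill `apiKey`/`env`, process env), with literal replacement layered on top of regex masking and applied to tool-result text blocks before persistence. It also shows the two fixes the review asks for: env values are only registered when their key name looks like a credential, and the key regex anchors its tokens so `accessLevel` and `refreshInterval` are not collected. All names (`AppConfig`, `SENSITIVE_KEY_RE`, `isSensitiveKey`, `collectSecretLiterals`, `redactText`, `redactToolResultBlocks`, `MIN_LITERAL_LEN`) and the sample config are assumptions made for the example and do not describe the project's actual exports or patterns.

```typescript
// Added example, not the PR's or the project's code. Every identifier and
// pattern here is hypothetical; the sample config below is constructed.

interface SkillConfig { apiKey?: string; env?: Record<string, string> }
interface AppConfig {
  gateway?: { authToken?: string };
  skills?: Record<string, SkillConfig>;
}

// Credential-looking key names. Each token is anchored on a `_`/`-` or string
// boundary (after camelCase splitting and lower-casing), so `accessLevel` and
// `refreshInterval` are NOT collected while `AWS_ACCESS_KEY_ID`, `GITHUB_TOKEN`
// and `refreshToken` are. Still a heuristic; tune the list for your config.
const SENSITIVE_KEY_RE =
  /(^|[_-])(api[_-]?key|token|secret|password|passwd|credentials?|access[_-]?key|refresh[_-]?token|private[_-]?key)([_-]|$)/;

function isSensitiveKey(key: string): boolean {
  const normalized = key.replace(/([a-z0-9])([A-Z])/g, "$1_$2").toLowerCase();
  return SENSITIVE_KEY_RE.test(normalized);
}

// Literals shorter than this are never registered: a value like "true" or
// "8080" would shred unrelated output. The threshold itself is an assumption.
const MIN_LITERAL_LEN = 8;

// Collects secret values from config plus an env map (pass process.env in
// real use). Returns them longest-first so a secret that contains another
// secret is replaced whole rather than leaving fragments behind.
function collectSecretLiterals(
  config: AppConfig,
  env: Record<string, string | undefined> = {},
): string[] {
  const found = new Set<string>();
  const add = (v: string | undefined): void => {
    if (v !== undefined && v.length >= MIN_LITERAL_LEN) found.add(v);
  };
  add(config.gateway?.authToken);
  const skills: Record<string, SkillConfig> = config.skills ?? {};
  for (const skill of Object.values(skills)) {
    add(skill.apiKey);
    // Key-name filter: registering every env value unconditionally is the
    // over-collection the review flags (DATABASE_HOST, LOG_LEVEL, ...).
    const skillEnv: Record<string, string> = skill.env ?? {};
    for (const [k, v] of Object.entries(skillEnv)) {
      if (isSensitiveKey(k)) add(v);
    }
  }
  for (const [k, v] of Object.entries(env)) {
    if (isSensitiveKey(k)) add(v);
  }
  return [...found].sort((a, b) => b.length - a.length);
}

// Shape-based rules catch secrets that were never registered (e.g. one a tool
// fetched at runtime). Constructed patterns, not the project's rule set.
const PATTERN_RULES: RegExp[] = [
  /\bsk-[A-Za-z0-9_-]{16,}\b/g,
  /\bBearer\s+[A-Za-z0-9._~+\/=-]{16,}/g,
];

const escapeRe = (s: string): string => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Literal replacement first (exact, longest-first), then regex masking.
function redactText(text: string, literals: string[]): string {
  let out = text;
  for (const lit of literals) {
    out = out.replace(new RegExp(escapeRe(lit), "g"), "[REDACTED]");
  }
  for (const re of PATTERN_RULES) out = out.replace(re, "[REDACTED]");
  return out;
}

// Tool-result content as it would be persisted; only text blocks are touched.
type ContentBlock = { type: "text"; text: string } | { type: "image"; data: string };

function redactToolResultBlocks(blocks: ContentBlock[], literals: string[]): ContentBlock[] {
  return blocks.map((b) => (b.type === "text" ? { ...b, text: redactText(b.text, literals) } : b));
}

// Constructed sample config; none of these values are real credentials.
const SAMPLE_CONFIG: AppConfig = {
  gateway: { authToken: "gw-token-abcdef123456" },
  skills: {
    weather: {
      apiKey: "skill-key-zzzzzzzz",
      env: {
        OPENAI_API_KEY: "sk-live-123456789012",
        DATABASE_HOST: "db.internal.example",
        LOG_LEVEL: "debug",
        accessLevel: "readwrite",
      },
    },
  },
};
const SAMPLE_LITERALS = collectSecretLiterals(SAMPLE_CONFIG, { GITHUB_TOKEN: "ghp_examplefake1234" });

console.log(
  redactToolResultBlocks(
    [{ type: "text", text: "db.internal.example via sk-live-123456789012 (token ghp_examplefake1234)" }],
    SAMPLE_LITERALS,
  ),
);
```

Two design points worth keeping when adapting this: literal replacement must run before regex masking and longest-first, otherwise a pattern rule can rewrite part of a registered value and the literal pass then misses the remainder; and a minimum literal length is as important as the key filter, because a registered four-character value turns every occurrence of that substring in tool output into `[REDACTED]`.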
