
#18182: fix(security): redact sensitive data in OTEL log exports (CWE-532)

by brandonwise · open · 2026-02-16 15:44

Labels: extensions: diagnostics-otel · size: S · trusted-contributor
## Summary

The diagnostics-otel plugin exports application logs to external OTLP collectors without any PII filtering or secret redaction. API keys, tokens, session IDs, and potentially sensitive conversation content are all exported unredacted.

**CVSS 7.5** | **CWE-532: Insertion of Sensitive Information into Log File**

Fixes #12542

## Changes

- Export `redactSensitiveText` from `plugin-sdk` for extension use
- Apply redaction to log messages before OTEL export
- Apply redaction to string attribute values
- Add 2 tests verifying API key and token redaction

## How it works

The existing `redactSensitiveText` function (from `src/logging/redact.ts`) handles common sensitive patterns:

- API keys (`sk-*`, `ghp_*`, `gsk_*`, `AIza*`, `pplx-*`, etc.)
- Bearer tokens
- PEM private keys
- ENV-style assignments (`API_KEY=value`)
- JSON credential fields

Sensitive values are masked to show a partial prefix/suffix with `…` in the middle, preserving debuggability while protecting secrets.

## Testing

```
pnpm test extensions/diagnostics-otel/src/service.test.ts
# 3/3 passing
```

### Greptile Summary

Addresses CWE-532 by redacting sensitive data (API keys, tokens, credentials) before exporting logs and trace spans to external OTEL collectors. The implementation applies the existing `redactSensitiveText` function (now exported from plugin-sdk) to log messages, log attributes, and error/reason fields in trace spans. Test coverage includes verification of API key and GitHub token redaction in both log messages and attributes.

### Confidence Score: 4/5

- This PR is safe to merge with one minor fix needed for complete coverage.
- The security fix is well-implemented with comprehensive redaction patterns and good test coverage. The redaction function handles common sensitive patterns (API keys, tokens, PEM keys, etc.) and is applied consistently to log messages, attributes, and most trace span fields. However, there's one gap where the `session.state` reason field is not redacted (line 541), while similar fields in other events are properly redacted. Once this is fixed, the PR will provide complete protection against CWE-532.
- extensions/diagnostics-otel/src/service.ts:541 needs the `session.state` reason field redacted for consistency.

Last reviewed commit: 7dfd722
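As an added example (not code from the PR, `plugin-sdk`, or the diagnostics-otel plugin), a stand-alone redactor in the spirit of the `redactSensitiveText` behaviour described above, applied to a log record's body and string attributes before export. The regex list, the prefix/suffix masking width, and the `LogRecord` shape are assumptions modelled on the PR description, not the project's own definitions.

```typescript
// Assumed minimal shape of a log record on its way to an OTLP exporter.
type LogRecord = { body: string; attributes: Record<string, unknown> };

// Keep a short prefix/suffix so a secret stays recognisable in a trace
// while the bulk of it is hidden. Already-masked values pass through
// unchanged so repeated rules never double-mask.
export function maskSecret(value: string, keep = 4): string {
  if (value.includes("…")) return value;
  if (value.length <= keep * 2 + 1) return "…";
  return `${value.slice(0, keep)}…${value.slice(-keep)}`;
}

// Vendor key shapes (assumed prefixes modelled on the PR's list).
const KEY_PATTERNS: RegExp[] = [
  /\b(?:sk|pplx)-[A-Za-z0-9_-]{12,}\b/g, // sk-* / pplx-* style keys
  /\bghp_[A-Za-z0-9]{20,}\b/g,           // GitHub personal access tokens
  /\bgsk_[A-Za-z0-9]{20,}\b/g,           // gsk_* style keys
  /\bAIza[0-9A-Za-z_-]{30,}\b/g,         // AIza* style keys
];

export function redactSensitiveText(text: string): string {
  let out = text;
  // PEM private keys: collapse the whole block, nothing in it is useful to keep.
  out = out.replace(
    /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g,
    "[PRIVATE KEY REDACTED]");
  // ENV-style assignments such as API_KEY=value or AUTH_TOKEN: "value".
  out = out.replace(
    /\b([A-Z][A-Z0-9_]*(?:KEY|TOKEN|SECRET|PASSWORD)\s*[=:]\s*"?)([^\s"',;]{6,})/g,
    (_m: string, k: string, v: string) => `${k}${maskSecret(v)}`);
  // JSON credential fields such as "apiKey": "value".
  out = out.replace(
    /("(?:api[_-]?key|token|secret|password)"\s*:\s*")([^"]{6,})/gi,
    (_m: string, a: string, v: string) => `${a}${maskSecret(v)}`);
  // Bearer tokens: keep the scheme, mask the credential.
  out = out.replace(/\bBearer\s+([A-Za-z0-9._~+/=-]{8,})/g,
    (_m: string, t: string) => `Bearer ${maskSecret(t)}`);
  for (const re of KEY_PATTERNS) out = out.replace(re, (m: string) => maskSecret(m));
  return out;
}

// Redact the body and every string attribute before the record leaves the process;
// non-string attributes (counters, booleans) are passed through untouched.
export function redactLogRecord(rec: LogRecord): LogRecord {
  const attributes: Record<string, unknown> = {};
  for (const [k, v] of Object.entries(rec.attributes)) {
    attributes[k] = typeof v === "string" ? redactSensitiveText(v) : v;
  }
  return { body: redactSensitiveText(rec.body), attributes };
}
```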
