Extract redactSecrets to testable module (#20)

* Initial plan

* Extract redactSecrets function to separate module for testability

Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Co-authored-by: Jiaxiao Zhou <duibao55328@gmail.com>

Author: Copilot

src/cli.test.ts

@@ -1,4 +1,5 @@
 import { Command } from 'commander';
+import { redactSecrets } from './redact-secrets';
 import { parseDomains } from './cli';
 
 describe('cli', () => {
@@ -96,18 +97,6 @@ describe('cli', () => {
   });
 
   describe('secret redaction', () => {
-    const redactSecrets = (command: string): string => {
-      return command
-        // Redact Authorization: Bearer <token>
-        .replace(/(Authorization:\s*Bearer\s+)(\S+)/gi, '$1***REDACTED***')
-        // Redact Authorization: <token> (non-Bearer)
-        .replace(/(Authorization:\s+(?!Bearer\s))(\S+)/gi, '$1***REDACTED***')
-        // Redact tokens in environment variables
-        .replace(/(\w*(?:TOKEN|SECRET|PASSWORD|KEY|AUTH)\w*)=(\S+)/gi, '$1=***REDACTED***')
-        // Redact GitHub tokens (ghp_, gho_, ghu_, ghs_, ghr_)
-        .replace(/\b(gh[pousr]_[a-zA-Z0-9]{36,255})/g, '***REDACTED***');
-    };
-
     it('should redact Bearer tokens', () => {
       const command = 'curl -H "Authorization: Bearer ghp_1234567890abcdef" https://api.github.com';
       const result = redactSecrets(command);

src/cli.ts

@@ -19,6 +19,7 @@ import {
   cleanupHostIptables,
   cleanupFirewallNetwork,
 } from './host-iptables';
+import { redactSecrets } from './redact-secrets';
 
 /**
  * Parses a comma-separated list of domains into an array of trimmed, non-empty domain strings

src/redact-secrets.ts

@@ -0,0 +1,14 @@
+/**
+ * Redacts sensitive information from command strings
+ */
+export function redactSecrets(command: string): string {
+  return command
+    // Redact Authorization: Bearer <token>
+    .replace(/(Authorization:\s*Bearer\s+)(\S+)/gi, '$1***REDACTED***')
+    // Redact Authorization: <token> (non-Bearer)
+    .replace(/(Authorization:\s+(?!Bearer\s))(\S+)/gi, '$1***REDACTED***')
+    // Redact tokens in environment variables (TOKEN, SECRET, PASSWORD, KEY, API_KEY, etc)
+    .replace(/(\w*(?:TOKEN|SECRET|PASSWORD|KEY|AUTH)\w*)=(\S+)/gi, '$1=***REDACTED***')
+    // Redact GitHub tokens (ghp_, gho_, ghu_, ghs_, ghr_)
+    .replace(/\b(gh[pousr]_[a-zA-Z0-9]{36,255})/g, '***REDACTED***');
+}