[Phase 1.3.3] Add credential masking in all log output

## Phase
`Phase 1 — Critical Security` | Track 1.3 — Authentication & Access | Priority: **P1 HIGH**

## Vulnerability Details
**CWE:** [CWE-532 — Insertion of Sensitive Information into Log File](https://cwe.mitre.org/data/definitions/532.html)

API keys and tokens can appear in log output during initialization, error messages, and debug logging. No masking is applied.

## Fix
Create a logging filter that masks known credential patterns:
- \`sk-\` (OpenAI), \`gsk_\` (Groq), \`AIza\` (Google), \`nvapi-\` (NVIDIA)
- \`sk-or-v1-\` (OpenRouter), \`Bearer \` tokens
- Generic patterns: any string matching \`[a-zA-Z0-9_-]{32,}\` in key-value contexts

Apply as a Python logging filter attached to root logger.

## Acceptance Criteria
- [ ] Logging filter created in \`operator_use/utils/log_filter.py\`
- [ ] Filter attached to root logger at startup
- [ ] All known provider key patterns masked
- [ ] Tests verify masking works for each pattern
- [ ] No real keys appear in any log level output

## References
- [CWE-532](https://cwe.mitre.org/data/definitions/532.html)
- Design Doc: `docs/plans/2026-03-29-security-ai-guardrails-performance-design.md`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Phase 1.3.3] Add credential masking in all log output #22

Phase

Vulnerability Details

Fix

Acceptance Criteria

References

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

[Phase 1.3.3] Add credential masking in all log output #22

Description

Phase

Vulnerability Details

Fix

Acceptance Criteria

References

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions