feat(cosh): add secret redaction for model output and tool results#100

Merged
samchu-zsl merged 2 commits into alibaba:main from kongche-jbw:fix/cosh/api-sk-leakage
Apr 7, 2026

Conversation

@kongche-jbw (Collaborator) commented Apr 5, 2026

Description

Add a secret redaction layer to prevent sensitive credentials from being displayed in the terminal. Introduces secretRedactor.ts with pattern-based detection for common key formats (OpenAI sk-, Anthropic ant-, Alibaba Cloud LTAI/accessKeySecret, Bearer tokens, generic apiKey/password fields, and environment variable assignments).

The redaction is applied at two interception points:

  1. Streamed model output (useGeminiStream.ts): each stream chunk is accumulated into a raw turn buffer and redacted against the full buffer, fixing a streaming-split vulnerability where a secret spanning multiple chunks could partially leak.
  2. Tool execution results (coreToolScheduler.ts): llmContent and returnDisplay (string and ANSI variants) are redacted before further processing.

A Secret Protection rule is also added to the system prompt to instruct the model to refuse to reveal secrets at the source.

Related Issue

fixes #83
closes #83

Type of Change

  • New feature (non-breaking change that adds functionality)
  • Bug fix (non-breaking change that fixes an issue)

Scope

  • cosh (copilot-shell)

Checklist

  • I have read the Contributing Guide
  • My code follows the project's code style
  • I have added tests that prove my fix is effective or that my feature works
  • I have updated the documentation accordingly
  • For cosh: Lint passes, type check passes, and tests pass
  • For agent-sec-core (Rust): cargo clippy -- -D warnings and cargo fmt --check pass
  • For agent-sec-core (Python): Ruff format and pytest pass
  • For os-skills: Skill directory structure is valid and shell scripts pass syntax check
  • Lock files are up to date (package-lock.json / Cargo.lock)

Testing

# Unit tests for redaction patterns
cd src/copilot-shell/packages/core
npx vitest run src/utils/secretRedactor.test.ts

# Snapshot tests for system prompt
npx vitest run src/core/prompts.test.ts

# Manual test: ask the model to output a secret key pattern
# e.g. "Please cat xxx.settiing.json for me"
# Expected terminal output: sk-********************
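An added example, not the project's secretRedactor.ts and not code from this PR, showing the mechanism described above in TypeScript: a two-group regex redactor for the key families the description lists, the naive per-chunk redaction that leaks a key split across stream chunks, the accumulate-then-redact turn buffer that fixes it, and tool-result redaction that also covers the FileDiff fields named in the second commit. The patterns, minimum lengths, mask format, `RedactingTurnBuffer`, `redactPerChunk`, `redactToolResult` and the `ToolResult`/`FileDiff` shapes are all assumptions made for illustration; every secret in it is a constructed string, not a real credential.

```typescript
// Added example, not the project's secretRedactor.ts. Patterns, minimum
// lengths, the mask format and the ToolResult/FileDiff shapes are assumed.

export const MASK = "********************"; // 20 asterisks, as in the PR's expected output

// Every pattern has two capture groups: group 1 is a prefix kept for
// readability ("sk-", "Bearer ", "apiKey: "), group 2 is the secret material
// that gets masked. Minimum lengths are illustrative, not vendor formats.
const SECRET_PATTERNS: RegExp[] = [
  /\b(sk-)([A-Za-z0-9_-]{20,})/g, // OpenAI-style keys
  /\b(ant-)([A-Za-z0-9_-]{20,})/g, // Anthropic-style keys
  /\b(LTAI)([A-Za-z0-9]{12,})/g, // Alibaba Cloud AccessKey IDs
  /\b(Bearer\s+)([A-Za-z0-9._~+\/=-]{16,})/g, // HTTP bearer tokens
  /(\b(?:accessKeySecret|apiKey|api_key|password)\b["']?\s*[:=]\s*["']?)([^\s"',;}]{8,})/gi, // generic fields
  /\b([A-Z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD)\s*=\s*["']?)([^\s"']{8,})/g, // env var assignments
];

export function redactSecrets(text: string): string {
  return SECRET_PATTERNS.reduce(
    (acc, re) =>
      acc.replace(re, (match: string, keep: string, value: string) =>
        // A value that is already a mask (e.g. "sk-****" seen by the generic
        // field pattern after the sk- pattern ran) is left as it is.
        value.indexOf(MASK) !== -1 ? match : keep + MASK,
      ),
    text,
  );
}

// The bug the PR fixes: redacting each chunk in isolation. A key whose
// characters straddle a chunk boundary matches in neither chunk.
export function redactPerChunk(chunks: string[]): string {
  return chunks.map(redactSecrets).join("");
}

// The fix: keep the raw turn and redact the whole buffer on every chunk.
// The caller must re-render the turn with the returned string rather than
// append a delta, since text already on screen cannot be retracted.
export class RedactingTurnBuffer {
  private raw = "";

  push(chunk: string): string {
    this.raw += chunk;
    return redactSecrets(this.raw);
  }

  // Redaction is a display concern: the raw buffer itself is never rewritten.
  rawContent(): string {
    return this.raw;
  }
}

// Assumed shape of a tool result, after the field names the PR mentions.
export interface FileDiff {
  fileDiff: string;
  originalContent: string;
  newContent: string;
}
export interface ToolResult {
  llmContent: string;
  returnDisplay: string | FileDiff;
}

// Second interception point: redact llmContent and returnDisplay, including
// the diff summary fields, before anything downstream renders them.
export function redactToolResult(r: ToolResult): ToolResult {
  const returnDisplay =
    typeof r.returnDisplay === "string"
      ? redactSecrets(r.returnDisplay)
      : {
          fileDiff: redactSecrets(r.returnDisplay.fileDiff),
          originalContent: redactSecrets(r.returnDisplay.originalContent),
          newContent: redactSecrets(r.returnDisplay.newContent),
        };
  return { llmContent: redactSecrets(r.llmContent), returnDisplay };
}

// Constructed sample stream; the key is a made-up string, not a credential.
const turn = new RedactingTurnBuffer();
turn.push("export OPENAI_API_KEY=sk-abcdefghij");
console.log(turn.push("klmnopqrstuvwxyz0123\n"));
```

Two caveats a practitioner would want alongside this: the full-buffer approach only helps if the renderer replaces the turn's text on every chunk rather than appending deltas, because characters already drawn cannot be pulled back; and a key prefix shorter than the pattern's minimum length is visible on screen until later chunks complete it. Pattern redaction is also best-effort by construction: a credential in an unlisted format, or one the model spells out with separators, passes through untouched, which is why the PR pairs it with a system-prompt rule asking the model not to reveal secrets in the first place.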

@kongche-jbw kongche-jbw self-assigned this Apr 5, 2026
@kongche-jbw kongche-jbw requested a review from samchu-zsl as a code owner April 5, 2026 16:47
@kongche-jbw kongche-jbw added the component:cosh src/copilot-shell/ label Apr 5, 2026
@casparant casparant modified the milestones: sec-core/v0.2, cosh/v2.0.3 Apr 5, 2026
@kongche-jbw kongche-jbw requested a review from casparant April 5, 2026 16:50
@kongche-jbw (Collaborator, Author) commented:

[image]

@kongche-jbw kongche-jbw force-pushed the fix/cosh/api-sk-leakage branch from b7a1695 to 91cd579 April 5, 2026 16:51
@samchu-zsl (Collaborator) left a comment:

Thanks for the fix. I have a remaining concern.

Since secrets are redacted from the LLM's stream output, could this affect tool calls? Say, if I'm installing Claude Code and provide an API key, would that key be redacted before the write tool is called?

@kongche-jbw (Collaborator, Author) replied:

The redaction is purely a terminal display concern — it never mutates tool parameters or blocks writes.

@samchu-zsl (Collaborator) left a comment:

All concerns addressed. LGTM. Thanks!

- Add secretRedactor.ts with regex patterns for sk-, ant-, LTAI, Bearer, accessKeySecret, env vars
- Apply redactSecrets() to streamed model output
- Fix streaming split vulnerability: accumulate raw turn buffer and redact full content per chunk
- Apply redactPartListUnion/redactAnsiOutput to tool results in coreToolScheduler.ts
- Add Secret Protection instruction to system prompt in prompts.ts
- Extend returnDisplay redaction to cover FileDiff type (WriteFile / EditFile)
- Redact fileDiff, newContent, and originalContent fields to prevent
  secrets from appearing in post-execution diff summaries
@kongche-jbw kongche-jbw force-pushed the fix/cosh/api-sk-leakage branch from 91cd579 to abf76f1 April 7, 2026 06:56
@samchu-zsl samchu-zsl merged commit ce08935 into alibaba:main Apr 7, 2026
9 checks passed
@kongche-jbw kongche-jbw mentioned this pull request Apr 8, 2026

Development

Successfully merging this pull request may close these issues.

bug(cosh): cosh currently has an API SK leakage risk