Phase 1.3.3: Mask credentials in all log output

operator_use/cli/start.py

@@ -58,6 +58,9 @@ def setup_logging(userdata_dir: Path, verbose: bool = False) -> None:
     logging.basicConfig(level=logging.WARNING, format=fmt, datefmt=datefmt, handlers=handlers)
     logging.getLogger("operator_use").setLevel(logging.INFO)
 
+    # Install credential masking so no secrets leak into log files or console
+    from operator_use.utils.log_filter import install_credential_masking
+    install_credential_masking()
 
 import operator_use
 from operator_use.agent import Agent

operator_use/tools/control_center.py

@@ -12,6 +12,7 @@
 import json
 import logging
 import os
+import subprocess
 import sys
 from typing import Optional
 
@@ -125,7 +126,7 @@ async def _do_restart(graceful_fn=None) -> None:
     ``os._exit(75)`` which skips cleanup but guarantees the process terminates.
     """
     global _requested_exit_code
-    os.system("cls" if os.name == "nt" else "clear")
+    subprocess.run(["cls"] if os.name == "nt" else ["clear"], check=False)
     frames = ["↑", "↗", "→", "↘", "↓", "↙", "←", "↖"]
     for i in range(20):
         sys.stdout.write(f"\r {frames[i % len(frames)]}  Restarting Operator...")

operator_use/utils/__init__.py

@@ -1,5 +1,15 @@
 """Utils module."""
 
 from operator_use.utils.helper import ensure_directory
+from operator_use.utils.log_filter import (
+    CredentialMaskingFilter,
+    install_credential_masking,
+    mask_credentials,
+)
 
-__all__ = ["ensure_directory"]
+__all__ = [
+    "CredentialMaskingFilter",
+    "ensure_directory",
+    "install_credential_masking",
+    "mask_credentials",
+]

operator_use/utils/log_filter.py

@@ -0,0 +1,109 @@
+"""Credential masking for log output -- prevents secrets leaking into logs."""
+
+import logging
+import re
+
+
+# Patterns that match common credential formats in log strings.
+# Order matters: more specific patterns should come before general ones.
+_MASK_PATTERNS: list[tuple[re.Pattern[str], str]] = [
+    # URL DSN credentials: scheme://user:password@host or scheme://:password@host
+    (
+        re.compile(r"(://[^:@/\s]*:)[^@\s]+(@)"),
+        r"\1***REDACTED***\2",
+    ),
+    # JWT-like strings (three base64url segments separated by dots)
+    (
+        re.compile(r"eyJ[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+"),
+        "***JWT_REDACTED***",
+    ),
+    # Bearer token header values
+    (
+        re.compile(r"(Bearer\s+)[A-Za-z0-9\-._~+/]+=*", re.IGNORECASE),
+        r"\1***REDACTED***",
+    ),
+    # Provider-specific credential patterns
+    (re.compile(r"gsk_[A-Za-z0-9]{8,}", re.IGNORECASE), "gsk_***REDACTED***"),
+    (re.compile(r"AIza[A-Za-z0-9\-_]{8,}"), "AIza***REDACTED***"),
+    (re.compile(r"nvapi-[A-Za-z0-9\-_]{8,}", re.IGNORECASE), "nvapi-***REDACTED***"),
+    # API keys / tokens with common prefixes (sk-, pk-, api-, token-, key-)
+    # Allows multi-segment keys like sk-proj-abc12345678
+    # \b guards the word start; (?=...\d) requires at least one digit in the suffix
+    # to avoid matching infrastructure words like "api-gateway-endpoint"
+    (
+        re.compile(
+            r"\b(sk|pk|api|token|key)[-_](?=[A-Za-z0-9\-_]*\d)[A-Za-z0-9\-_]{8,}",
+            re.IGNORECASE,
+        ),
+        r"\1-***REDACTED***",
+    ),
+    # Authorization / x-api-key / x-auth-token headers
+    (
+        re.compile(
+            r"(authorization|x-api-key|x-auth-token)\s*[:=]\s*\S+", re.IGNORECASE
+        ),
+        r"\1: ***REDACTED***",
+    ),
+    # password= / secret= / token= / api_key= patterns in query strings or log lines
+    (
+        re.compile(
+            r"(password|secret|passwd|pwd|token|api_key|apikey)\s*[=:]\s*\S+",
+            re.IGNORECASE,
+        ),
+        r"\1=***REDACTED***",
+    ),
+    # Generic high-entropy secrets: key=value or key: value where value is 32+ alphanum chars
+    (
+        re.compile(r"(\b\w+\b\s*[=:]\s*)([A-Za-z0-9_\-]{32,})"),
+        r"\1***REDACTED***",
+    ),
+]
+
+
+def mask_credentials(text: str) -> str:
+    """Apply all credential masking patterns to a string."""
+    for pattern, replacement in _MASK_PATTERNS:
+        text = pattern.sub(replacement, text)
+    return text
+
+
+class CredentialMaskingFilter(logging.Filter):
+    """Logging filter that redacts credential patterns from all log records.
+
+    Uses record.getMessage() to render the final formatted message before masking,
+    then clears record.args so the formatter does not re-apply %-style substitution.
+    This avoids TypeError when log args include numeric placeholders (%d, %.2f).
+    """
+
+    def filter(self, record: logging.LogRecord) -> bool:
+        # Render the message with its args first to preserve type semantics,
+        # then mask the rendered string. Clear args so the handler formatter
+        # does not re-format (which would re-expose the original values).
+        rendered = record.getMessage()
+        record.msg = mask_credentials(rendered)
+        record.args = ()
+        return True
+
+
+def install_credential_masking() -> None:
+    """Install credential masking on the root logger and all current handlers.
+
+    Attaches CredentialMaskingFilter both to the root logger and to every
+    handler on the root logger, ensuring records emitted via named loggers
+    (logging.getLogger(__name__)) are masked regardless of propagation path.
+
+    Must be called *after* all handlers have been added to the root logger
+    (e.g. at the end of setup_logging()). Handlers added after this call
+    will not automatically receive the filter.
+    """
+    root_logger = logging.getLogger()
+    filter_instance = CredentialMaskingFilter()
+
+    # Add to root logger filters (catches records at the logger level)
+    if not any(isinstance(f, CredentialMaskingFilter) for f in root_logger.filters):
+        root_logger.addFilter(filter_instance)
+
+    # Also add to every handler on the root logger for belt-and-suspenders coverage
+    for handler in root_logger.handlers:
+        if not any(isinstance(f, CredentialMaskingFilter) for f in handler.filters):
+            handler.addFilter(CredentialMaskingFilter())

tests/test_agent.py

@@ -186,7 +186,7 @@ async def test_agent_run_with_tool_call_then_text(tmp_path):
 
     # Register a simple echo tool
     from pydantic import BaseModel
-    from operator_use.tools.service import Tool
+    from operator_use.agent.tools.service import Tool
 
     class EchoParams(BaseModel):
         message: str

tests/test_browser_plugin.py

@@ -24,9 +24,9 @@ def test_enabled_plugin_returns_system_prompt():
     prompt = plugin.get_system_prompt()
     assert prompt is SYSTEM_PROMPT
     assert "browser" in prompt.lower()
-    assert "<perception>" in prompt
-    assert "<tool_use>" in prompt
-    assert "<execution_principles>" in prompt
+    # Prompt is plain Markdown — assert on actual content, not old XML tags
+    assert "browser_task" in prompt
+    assert "Chrome" in prompt
 
 
 # ---------------------------------------------------------------------------
@@ -38,7 +38,7 @@ def test_disabled_plugin_registers_no_tools():
     plugin = BrowserPlugin(enabled=False)
     registry = ToolRegistry()
     plugin.register_tools(registry)
-    assert registry.get("browser") is None
+    assert registry.get("browser_task") is None
 
 
 def test_enabled_plugin_registers_browser_tool():
@@ -47,7 +47,7 @@ def test_enabled_plugin_registers_browser_tool():
     plugin.browser = MagicMock()
     registry = ToolRegistry()
     plugin.register_tools(registry)
-    assert registry.get("browser") is not None
+    assert registry.get("browser_task") is not None
 
 
 def test_unregister_tools_removes_browser_tool():
@@ -57,11 +57,11 @@ def test_unregister_tools_removes_browser_tool():
     registry = ToolRegistry()
     plugin.register_tools(registry)
     plugin.unregister_tools(registry)
-    assert registry.get("browser") is None
+    assert registry.get("browser_task") is None
 
 
 # ---------------------------------------------------------------------------
-# register_hooks — BEFORE_LLM_CALL gated on _enabled
+# register_hooks — hooks NOT registered to main agent (subagent arch)
 # ---------------------------------------------------------------------------
 
 
@@ -72,20 +72,20 @@ def test_disabled_plugin_registers_no_hooks():
     assert plugin._state_hook not in hooks._handlers[HookEvent.BEFORE_LLM_CALL]
 
 
-def test_enabled_plugin_registers_state_hook():
+def test_enabled_plugin_does_not_register_state_hook_to_main_agent():
+    """Hooks are intentionally not wired to main agent — subagent manages its own state."""
     plugin = BrowserPlugin(enabled=False)
     plugin._enabled = True
     hooks = Hooks()
     plugin.register_hooks(hooks)
-    assert plugin._state_hook in hooks._handlers[HookEvent.BEFORE_LLM_CALL]
+    assert plugin._state_hook not in hooks._handlers[HookEvent.BEFORE_LLM_CALL]
 
 
-def test_unregister_hooks_removes_state_hook():
+def test_unregister_hooks_is_safe_noop():
     plugin = BrowserPlugin(enabled=False)
-    plugin._enabled = True
     hooks = Hooks()
     plugin.register_hooks(hooks)
-    plugin.unregister_hooks(hooks)
+    plugin.unregister_hooks(hooks)  # must not raise
     assert plugin._state_hook not in hooks._handlers[HookEvent.BEFORE_LLM_CALL]
 
 
@@ -99,7 +99,7 @@ def test_disabled_plugin_does_not_inject_prompt():
     context = MagicMock()
     plugin.attach_prompt(context)
     context.register_plugin_prompt.assert_not_called()
-    assert plugin._context is context  # reference still stored
+    assert plugin._context is context
 
 
 def test_enabled_plugin_injects_prompt():
@@ -125,7 +125,8 @@ def test_detach_prompt_removes_injected_prompt():
 
 
 @pytest.mark.asyncio
-async def test_enable_registers_hooks_and_injects_prompt():
+async def test_enable_injects_prompt_no_hooks():
+    """enable() registers tools and injects prompt — hooks NOT wired to main agent."""
     plugin = BrowserPlugin(enabled=False)
     hooks = Hooks()
     plugin.register_hooks(hooks)
@@ -135,12 +136,12 @@ async def test_enable_registers_hooks_and_injects_prompt():
     await plugin.enable()
 
     assert plugin._enabled is True
-    assert plugin._state_hook in hooks._handlers[HookEvent.BEFORE_LLM_CALL]
+    assert plugin._state_hook not in hooks._handlers[HookEvent.BEFORE_LLM_CALL]
     context.register_plugin_prompt.assert_called_once_with(SYSTEM_PROMPT)
 
 
 @pytest.mark.asyncio
-async def test_disable_unregisters_hooks_and_removes_prompt():
+async def test_disable_removes_prompt():
     plugin = BrowserPlugin(enabled=False)
     plugin._enabled = True
     hooks = Hooks()
@@ -178,7 +179,7 @@ async def test_enable_then_disable_leaves_no_hooks():
 async def test_state_hook_skips_when_no_browser_client():
     plugin = BrowserPlugin(enabled=False)
     plugin.browser = MagicMock()
-    plugin.browser._client = None  # no active session
+    plugin.browser._client = None
 
     ctx = MagicMock()
     ctx.messages = []