@link-assistant/hive-mind 1.1.0 → 1.2.1

package/CHANGELOG.md

@@ -1,5 +1,74 @@
 # @link-assistant/hive-mind
 
+## 1.2.1
+
+### Patch Changes
+
+- 04cb3d2: Fix false positives in token masking for log sanitization
+  - Remove overly broad regex pattern that was matching legitimate identifiers like `browser_take_screenshot` and MCP tool names
+  - Add allowlist of safe token patterns (browser\_, mcp\_\_, function names with underscores, UUIDs)
+  - Add context-aware detection for 40-char hex strings to avoid masking git commit hashes and gist IDs
+  - Export new helper functions `isSafeToken` and `isHexInSafeContext` for testing
+  - Add comprehensive unit tests for false positive prevention
+
+## 1.2.0
+
+### Minor Changes
+
+- Add experimental --execute-tool-with-bun option to improve speed and memory usage
+
+  This feature adds the `--execute-tool-with-bun` option that allows users to execute the AI tool using `bunx claude` instead of `claude`, which may provide performance benefits in terms of speed and memory usage.
+
+  **Supported commands:**
+  - `solve` - Uses `bunx claude` when option is enabled
+  - `task` - Uses `bunx claude` when option is enabled
+  - `review` - Uses `bunx claude` when option is enabled
+  - `hive` - Passes the option through to the `solve` subprocess
+
+  **How It Works:**
+  When `--execute-tool-with-bun` is enabled, the `claudePath` variable is set to `'bunx claude'` instead of `'claude'` (or `CLAUDE_PATH` environment variable).
+
+  **Usage Examples:**
+
+  ```bash
+  # Use with solve command
+  solve https://github.com/owner/repo/issues/123 --execute-tool-with-bun
+
+  # Use with task command
+  task "implement feature X" --execute-tool-with-bun
+
+  # Use with review command
+  review https://github.com/owner/repo/pull/456 --execute-tool-with-bun
+
+  # Use with hive command (passes through to solve)
+  hive https://github.com/owner/repo --execute-tool-with-bun
+  ```
+
+  The option defaults to `false` to maintain backward compatibility.
+
+  Fixes #812
+
+  feat(hive): recheck issue conditions before processing queue items
+
+  Added `recheckIssueConditions()` function to validate issue state right before processing,
+  preventing wasted resources on issues that should be skipped due to changed conditions since queuing.
+
+  **Checks performed:**
+  - **Issue state**: Verifies the issue is still open
+  - **Open PRs**: Checks if issue has PRs (when `--skip-issues-with-prs` is enabled)
+  - **Repository status**: Confirms repository is not archived
+
+  **Benefits:**
+  - Prevents processing closed issues
+  - Avoids duplicate work when PRs already exist
+  - Stops work on newly archived repositories
+  - Saves AI model tokens and compute resources
+
+  **Performance impact:**
+  Minimal overhead per issue (~300-500ms for API calls), negligible compared to 5-15 minute solve time.
+
+  Fixes #810
+
 ## 1.1.0
 
 ### Minor Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-assistant/hive-mind",
-  "version": "1.1.0",
+  "version": "1.2.1",
   "description": "AI-powered issue solver and hive mind for collaborative problem solving",
   "main": "src/hive.mjs",
   "type": "module",
@@ -61,8 +61,11 @@
     "prettier": "^3.6.2"
   },
   "dependencies": {
+    "@secretlint/core": "^11.2.5",
+    "@secretlint/secretlint-rule-preset-recommend": "^11.2.5",
     "@sentry/node": "^10.15.0",
-    "@sentry/profiling-node": "^10.15.0"
+    "@sentry/profiling-node": "^10.15.0",
+    "secretlint": "^11.2.5"
   },
   "lint-staged": {
     "*.{js,mjs,json,md}": [

package/src/github.lib.mjs

@@ -5,9 +5,6 @@
 if (typeof globalThis.use === 'undefined') {
   globalThis.use = (await eval(await (await fetch('https://unpkg.com/use-m/use.js')).text())).use;
 }
-const fs = (await use('fs')).promises;
-const os = (await use('os')).default;
-const path = (await use('path')).default;
 // Use command-stream for consistent $ behavior
 const { $ } = await use('command-stream');
 // Import log and maskToken from general lib
@@ -16,6 +13,10 @@ import { reportError } from './sentry.lib.mjs';
 import { githubLimits, timeouts } from './config.lib.mjs';
 // Import batch operations from separate module
 import { batchCheckPullRequestsForIssues as batchCheckPRs, batchCheckArchivedRepositories as batchCheckArchived } from './github.batch.lib.mjs';
+// Import token sanitization from dedicated module (Issue #1037 fix)
+import { isSafeToken, isHexInSafeContext, getGitHubTokensFromFiles, getGitHubTokensFromCommand, sanitizeLogContent } from './token-sanitization.lib.mjs';
+// Re-export token sanitization functions for backward compatibility
+export { isSafeToken, isHexInSafeContext, getGitHubTokensFromFiles, getGitHubTokensFromCommand, sanitizeLogContent };
 // Import log upload function from separate module
 import { uploadLogWithGhUploadLog } from './log-upload.lib.mjs';
 
@@ -60,139 +61,8 @@ const buildCostInfoString = (totalCostUSD, anthropicTotalCostUSD, pricingInfo) =
 
 // Helper function to mask GitHub tokens (alias for backward compatibility)
 export const maskGitHubToken = maskToken;
-// Helper function to get GitHub tokens from local config files
-export const getGitHubTokensFromFiles = async () => {
-  const tokens = [];
-
-  try {
-    // Check ~/.config/gh/hosts.yml
-    const hostsFile = path.join(os.homedir(), '.config/gh/hosts.yml');
-    if (
-      await fs
-        .access(hostsFile)
-        .then(() => true)
-        .catch(() => false)
-    ) {
-      const hostsContent = await fs.readFile(hostsFile, 'utf8');
-
-      // Look for oauth_token and api_token patterns
-      const oauthMatches = hostsContent.match(/oauth_token:\s*([^\s\n]+)/g);
-      if (oauthMatches) {
-        for (const match of oauthMatches) {
-          const token = match.split(':')[1].trim();
-          if (token && !tokens.includes(token)) {
-            tokens.push(token);
-          }
-        }
-      }
-
-      const apiMatches = hostsContent.match(/api_token:\s*([^\s\n]+)/g);
-      if (apiMatches) {
-        for (const match of apiMatches) {
-          const token = match.split(':')[1].trim();
-          if (token && !tokens.includes(token)) {
-            tokens.push(token);
-          }
-        }
-      }
-    }
-  } catch (error) {
-    // File access errors are expected when config doesn't exist
-    if (global.verboseMode) {
-      reportError(error, {
-        context: 'github_token_file_access',
-        level: 'debug',
-      });
-    }
-  }
-
-  return tokens;
-};
-// Helper function to get GitHub tokens from gh command output
-export const getGitHubTokensFromCommand = async () => {
-  const { $ } = await use('command-stream');
-  const tokens = [];
-
-  try {
-    // Run gh auth status to get token info
-    const authResult = await $`gh auth status 2>&1`.catch(() => ({ stdout: '', stderr: '' }));
-    const authOutput = authResult.stdout?.toString() + authResult.stderr?.toString() || '';
-
-    // Look for token patterns in the output
-    const tokenPatterns = [/(?:token|oauth|api)[:\s]*([a-zA-Z0-9_]{20,})/gi, /gh[pou]_[a-zA-Z0-9_]{20,}/gi];
-
-    for (const pattern of tokenPatterns) {
-      const matches = authOutput.match(pattern);
-      if (matches) {
-        for (let match of matches) {
-          // Clean up the match
-          const token = match.replace(/^(?:token|oauth|api)[:\s]*/, '').trim();
-          if (token && token.length >= 20 && !tokens.includes(token)) {
-            tokens.push(token);
-          }
-        }
-      }
-    }
-  } catch (error) {
-    // Command errors are expected when gh is not configured
-    if (global.verboseMode) {
-      reportError(error, {
-        context: 'github_token_gh_auth',
-        level: 'debug',
-      });
-    }
-  }
-
-  return tokens;
-};
 // Escape ``` in logs for safe markdown embedding (replaces with \`\`\` to prevent code block closure)
 export const escapeCodeBlocksInLog = logContent => logContent.replace(/```/g, '\\`\\`\\`');
-// Helper function to sanitize log content by masking GitHub tokens
-export const sanitizeLogContent = async logContent => {
-  let sanitized = logContent;
-
-  try {
-    // Get tokens from both sources
-    const fileTokens = await getGitHubTokensFromFiles();
-    const commandTokens = await getGitHubTokensFromCommand();
-    const allTokens = [...new Set([...fileTokens, ...commandTokens])];
-
-    // Mask each token found
-    for (const token of allTokens) {
-      if (token && token.length >= 12) {
-        const maskedToken = maskToken(token);
-        // Use global replace to mask all occurrences
-        sanitized = sanitized.split(token).join(maskedToken);
-      }
-    }
-
-    // Also look for and mask common GitHub token patterns directly in the log
-    const tokenPatterns = [
-      /gh[pou]_[a-zA-Z0-9_]{20,}/g,
-      /(?:^|[\s:=])([a-f0-9]{40})(?=[\s\n]|$)/gm, // 40-char hex tokens (like personal access tokens)
-      /(?:^|[\s:=])([a-zA-Z0-9_]{20,})(?=[\s\n]|$)/gm, // General long tokens
-    ];
-
-    for (const pattern of tokenPatterns) {
-      sanitized = sanitized.replace(pattern, (match, token) => {
-        if (token && token.length >= 20) {
-          return match.replace(token, maskToken(token));
-        }
-        return match;
-      });
-    }
-
-    await log(`  🔒 Sanitized ${allTokens.length} detected GitHub tokens in log content`, { verbose: true });
-  } catch (error) {
-    reportError(error, {
-      context: 'sanitize_log_content',
-      level: 'warning',
-    });
-    await log(`  ⚠️  Warning: Could not fully sanitize log content: ${error.message}`, { verbose: true });
-  }
-
-  return sanitized;
-};
 // Helper function to check if a file exists in a GitHub branch
 export const checkFileInBranch = async (owner, repo, fileName, branchName) => {
   const { $ } = await use('command-stream');
@@ -1469,6 +1339,8 @@ export default {
   getGitHubTokensFromFiles,
   getGitHubTokensFromCommand,
   escapeCodeBlocksInLog,
+  isSafeToken,
+  isHexInSafeContext,
   sanitizeLogContent,
   checkFileInBranch,
   checkGitHubPermissions,

package/src/hive.config.lib.mjs

@@ -286,6 +286,11 @@ export const createYargsConfig = yargsInstance => {
       description: '[EXPERIMENTAL] Include guidance for managing REQUIREMENTS.md and ARCHITECTURE.md files. When enabled, agents will update these documentation files when changes affect requirements or architecture.',
       default: false,
     })
+    .option('execute-tool-with-bun', {
+      type: 'boolean',
+      description: 'Execute the AI tool using bunx (experimental, may improve speed and memory usage) - passed to solve command',
+      default: false,
+    })
     .parserConfiguration({
       'boolean-negation': true,
       'strip-dashed': false,

package/src/hive.mjs

@@ -110,6 +110,8 @@ if (isDirectExecution) {
     const { tryFetchIssuesWithGraphQL } = graphqlLib;
     const solutionDraftsLib = await import('./list-solution-drafts.lib.mjs');
     const { listSolutionDrafts } = solutionDraftsLib;
+    const recheckLib = await import('./hive.recheck.lib.mjs');
+    const { recheckIssueConditions } = recheckLib;
     const commandName = process.argv[1] ? process.argv[1].split('/').pop() : '';
     const isLocalScript = commandName.endsWith('.mjs');
     const solveCommand = isLocalScript ? './solve.mjs' : 'solve';
@@ -713,6 +715,16 @@ if (isDirectExecution) {
 
         await log(`\n👷 Worker ${workerId} processing: ${issueUrl}`);
 
+        // Recheck conditions before processing to avoid wasted work
+        const recheckResult = await recheckIssueConditions(issueUrl, argv);
+        if (!recheckResult.shouldProcess) {
+          await log(`   ⏭️  Skipping issue: ${recheckResult.reason}`);
+          issueQueue.markCompleted(issueUrl);
+          const stats = issueQueue.getStats();
+          await log(`   📊 Queue: ${stats.queued} waiting, ${stats.processing} processing, ${stats.completed} completed, ${stats.failed} failed`);
+          continue;
+        }
+
         // Track if this issue failed
         let issueFailed = false;
 
@@ -756,6 +768,7 @@ if (isDirectExecution) {
             if (argv.promptIssueReporting) args.push('--prompt-issue-reporting');
             if (argv.promptCaseStudies) args.push('--prompt-case-studies');
             if (argv.promptPlaywrightMcp !== undefined) args.push(argv.promptPlaywrightMcp ? '--prompt-playwright-mcp' : '--no-prompt-playwright-mcp');
+            if (argv.executeToolWithBun) args.push('--execute-tool-with-bun');
             // Log the actual command being executed so users can investigate/reproduce
             await log(`   📋 Command: ${solveCommand} ${args.join(' ')}`);
 

package/src/hive.recheck.lib.mjs

@@ -0,0 +1,86 @@
+#!/usr/bin/env node
+// Library for rechecking issue conditions in hive queue processing
+
+import { log, cleanErrorMessage } from './lib.mjs';
+import { batchCheckPullRequestsForIssues, batchCheckArchivedRepositories } from './github.lib.mjs';
+import { reportError } from './sentry.lib.mjs';
+
+/**
+ * Recheck conditions for an issue right before processing
+ * This ensures the issue should still be processed even if conditions changed since queuing
+ * @param {string} issueUrl - The URL of the issue to check
+ * @param {Object} argv - Command line arguments with configuration
+ * @returns {Promise<{shouldProcess: boolean, reason?: string}>}
+ */
+export async function recheckIssueConditions(issueUrl, argv) {
+  try {
+    // Extract owner, repo, and issue number from URL
+    const urlMatch = issueUrl.match(/github\.com\/([^/]+)\/([^/]+)\/issues\/(\d+)/);
+    if (!urlMatch) {
+      await log(`      ⚠️  Could not parse issue URL: ${issueUrl}`, { verbose: true });
+      return { shouldProcess: true }; // Process anyway if we can't parse
+    }
+
+    const [, owner, repo, issueNumber] = urlMatch;
+    const issueNum = parseInt(issueNumber);
+
+    await log(`      🔍 Rechecking conditions for issue #${issueNum}...`, { verbose: true });
+
+    // Check 1: Verify issue is still open
+    try {
+      const { execSync } = await import('child_process');
+      const issueState = execSync(`gh api repos/${owner}/${repo}/issues/${issueNum} --jq .state`, {
+        encoding: 'utf8',
+      }).trim();
+
+      if (issueState === 'closed') {
+        return {
+          shouldProcess: false,
+          reason: 'Issue is now closed',
+        };
+      }
+      await log(`      ✅ Issue is still open`, { verbose: true });
+    } catch (error) {
+      await log(`      ⚠️  Could not check issue state: ${cleanErrorMessage(error)}`, { verbose: true });
+      // Continue checking other conditions
+    }
+
+    // Check 2: If skipIssuesWithPrs is enabled, verify issue still has no open PRs
+    if (argv.skipIssuesWithPrs) {
+      const prResults = await batchCheckPullRequestsForIssues(owner, repo, [issueNum]);
+      const prInfo = prResults[issueNum];
+
+      if (prInfo && prInfo.openPRCount > 0) {
+        return {
+          shouldProcess: false,
+          reason: `Issue now has ${prInfo.openPRCount} open PR${prInfo.openPRCount > 1 ? 's' : ''}`,
+        };
+      }
+      await log(`      ✅ Issue still has no open PRs`, { verbose: true });
+    }
+
+    // Check 3: Verify repository is not archived
+    const archivedStatusMap = await batchCheckArchivedRepositories([{ owner, name: repo }]);
+    const repoKey = `${owner}/${repo}`;
+
+    if (archivedStatusMap[repoKey] === true) {
+      return {
+        shouldProcess: false,
+        reason: 'Repository is now archived',
+      };
+    }
+    await log(`      ✅ Repository is not archived`, { verbose: true });
+
+    await log(`      ✅ All conditions passed, proceeding with processing`, { verbose: true });
+    return { shouldProcess: true };
+  } catch (error) {
+    reportError(error, {
+      context: 'recheck_issue_conditions',
+      issueUrl,
+      operation: 'recheck_conditions',
+    });
+    await log(`      ⚠️  Error rechecking conditions: ${cleanErrorMessage(error)}`, { level: 'warning' });
+    // On error, allow processing to continue (fail open)
+    return { shouldProcess: true };
+  }
+}

package/src/review.mjs

@@ -19,14 +19,15 @@ if (earlyArgs.includes('--help') || earlyArgs.includes('-h')) {
   // Show help and exit
   console.log('Usage: review.mjs <pr-url> [options]');
   console.log('\nOptions:');
-  console.log('  --version          Show version number');
-  console.log('  --help, -h         Show help');
-  console.log('  --resume, -r       Resume from a previous session ID');
-  console.log('  --dry-run, -n      Prepare everything but do not execute Claude');
-  console.log('  --model, -m        Model to use (opus, sonnet, or full model ID) [default: opus]');
-  console.log('  --focus, -f        Focus areas for review [default: all]');
-  console.log('  --approve          If review passes, approve the PR');
-  console.log('  --verbose, -v      Enable verbose logging');
+  console.log('  --version               Show version number');
+  console.log('  --help, -h              Show help');
+  console.log('  --resume, -r            Resume from a previous session ID');
+  console.log('  --dry-run, -n           Prepare everything but do not execute Claude');
+  console.log('  --model, -m             Model to use (opus, sonnet, or full model ID) [default: opus]');
+  console.log('  --focus, -f             Focus areas for review [default: all]');
+  console.log('  --approve               If review passes, approve the PR');
+  console.log('  --verbose, -v           Enable verbose logging');
+  console.log('  --execute-tool-with-bun Execute the AI tool using bunx (experimental) [default: false]');
   process.exit(0);
 }
 
@@ -91,6 +92,11 @@ const argv = yargs()
     alias: 'v',
     default: false,
   })
+  .option('execute-tool-with-bun', {
+    type: 'boolean',
+    description: 'Execute the AI tool using bunx (experimental, may improve speed and memory usage)',
+    default: false,
+  })
   .demandCommand(1, 'The GitHub pull request URL is required')
   .parserConfiguration({
     'boolean-negation': true,
@@ -126,7 +132,9 @@ if (!prUrl.match(/^https:\/\/github\.com\/[^/]+\/[^/]+\/pull\/\d+$/)) {
   process.exit(1);
 }
 
-const claudePath = process.env.CLAUDE_PATH || 'claude';
+// Determine claude command path based on --execute-tool-with-bun option
+// When enabled, uses 'bunx claude' which may improve speed and memory usage
+const claudePath = argv.executeToolWithBun ? 'bunx claude' : process.env.CLAUDE_PATH || 'claude';
 
 // Extract repository and PR number from URL
 const urlParts = prUrl.split('/');

package/src/solve.config.lib.mjs

@@ -253,6 +253,11 @@ export const createYargsConfig = yargsInstance => {
         choices: ['claude', 'opencode', 'codex', 'agent'],
         default: 'claude',
       })
+      .option('execute-tool-with-bun', {
+        type: 'boolean',
+        description: 'Execute the AI tool using bunx (experimental, may improve speed and memory usage)',
+        default: false,
+      })
       .option('enable-workspaces', {
         type: 'boolean',
         description: 'Use separate workspace directory structure with repository/ and tmp/ folders. Works with all tools (claude, opencode, codex, agent). Experimental feature.',

package/src/solve.mjs

@@ -236,7 +236,7 @@ if (argv.verbose) {
   await log(`   Is Issue URL: ${!!isIssueUrl}`, { verbose: true });
   await log(`   Is PR URL: ${!!isPrUrl}`, { verbose: true });
 }
-const claudePath = process.env.CLAUDE_PATH || 'claude';
+const claudePath = argv.executeToolWithBun ? 'bunx claude' : process.env.CLAUDE_PATH || 'claude';
 // Note: owner, repo, and urlNumber are already extracted from validateGitHubUrl() above
 // The parseUrlComponents() call was removed as it had a bug with hash fragments (#issuecomment-xyz)
 // and the validation result already provides these values correctly parsed

package/src/task.mjs

@@ -124,6 +124,11 @@ const argv = yargs()
     default: 'text',
     choices: ['text', 'json'],
   })
+  .option('execute-tool-with-bun', {
+    type: 'boolean',
+    description: 'Execute the AI tool using bunx (experimental, may improve speed and memory usage)',
+    default: false,
+  })
   .check(argv => {
     if (!argv['task-description'] && !argv._[0]) {
       throw new Error('Please provide a task description');
@@ -186,7 +191,7 @@ await log(formatAligned('💡', 'Clarify mode:', argv.clarify ? 'enabled' : 'dis
 await log(formatAligned('🔍', 'Decompose mode:', argv.decompose ? 'enabled' : 'disabled'));
 await log(formatAligned('📄', 'Output format:', argv.outputFormat));
 
-const claudePath = process.env.CLAUDE_PATH || 'claude';
+const claudePath = argv.executeToolWithBun ? 'bunx claude' : process.env.CLAUDE_PATH || 'claude';
 
 // Helper function to execute Claude command
 const executeClaude = (prompt, model) => {

package/src/token-sanitization.lib.mjs

@@ -0,0 +1,563 @@
+#!/usr/bin/env node
+/**
+ * Token sanitization utilities for log content
+ * Dual approach: Uses both secretlint AND custom patterns for comprehensive coverage
+ *
+ * Architecture:
+ * 1. Custom patterns (our logic) - patterns we define and maintain
+ * 2. Secretlint patterns - battle-tested community patterns
+ *
+ * Both approaches run independently, and if only one detects a secret,
+ * a warning is logged (especially when secretlint finds something our logic misses).
+ * This helps us improve our custom patterns over time.
+ *
+ * @module token-sanitization
+ */
+
+// Import shared utility from lib.mjs
+import { maskToken, log } from './lib.mjs';
+import { reportError } from './sentry.lib.mjs';
+
+// Dynamic imports for runtime dependencies
+const getOsModule = async () => (await import('os')).default;
+const getPathModule = async () => (await import('path')).default;
+const getFsModule = async () => (await import('fs')).promises;
+
+// Lazy-loaded secretlint modules (initialized on first use)
+let secretlintCore = null;
+let secretlintConfig = null;
+
+/**
+ * Initialize secretlint modules lazily
+ * @returns {Promise<boolean>} True if secretlint is available
+ */
+const initSecretlint = async () => {
+  if (secretlintConfig !== null) {
+    return secretlintConfig !== false;
+  }
+
+  try {
+    const [core, preset] = await Promise.all([import('@secretlint/core'), import('@secretlint/secretlint-rule-preset-recommend')]);
+
+    secretlintCore = core;
+    secretlintConfig = {
+      rules: [
+        {
+          id: '@secretlint/secretlint-rule-preset-recommend',
+          rule: preset.creator,
+        },
+      ],
+    };
+
+    return true;
+  } catch (error) {
+    // secretlint not available - fall back to custom patterns only
+    if (global.verboseMode) {
+      await log(`  ⚠️  Secretlint not available, using fallback patterns: ${error.message}`, { verbose: true });
+    }
+    secretlintConfig = false;
+    return false;
+  }
+};
+
+/**
+ * Patterns that indicate a string is NOT a sensitive token (false positive patterns)
+ * These are used to prevent masking legitimate identifiers
+ */
+const SAFE_TOKEN_PATTERNS = [
+  // MCP tool names (Playwright, etc.)
+  /^mcp__[a-z_]+$/i,
+  // Browser/Playwright tool names
+  /^browser_[a-z_]+$/i,
+  // Common function/tool name patterns with underscores
+  /^[a-z]+_[a-z]+_[a-z_]+$/i,
+  // UUID patterns (not sensitive)
+  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i,
+];
+
+/**
+ * Context patterns that indicate the surrounding text is NOT a sensitive context
+ * These patterns help identify when a 40-char hex string is just a git commit hash
+ */
+const SAFE_CONTEXT_PATTERNS = [
+  // Git commands containing commit hashes
+  /\bgh\s+gist\s+view\b/i,
+  /\bgit\s+(log|show|diff|cherry-pick|revert|checkout|reset)\b/i,
+  /\bgit\s+commit\s+-m\b/i,
+  // Commit SHA in common git output contexts
+  /\bcommit\s+[a-f0-9]{7,40}\b/i,
+  /\bSHA\s*:\s*[a-f0-9]{7,40}\b/i,
+  // Git log output format
+  /^commit\s+[a-f0-9]{40}/m,
+  // Short commit hashes in various contexts
+  /\b[a-f0-9]{7,40}\s+Author:/i,
+];
+
+// Note: Custom token patterns are now defined in detectSecretsWithCustomPatterns()
+// with named patterns for tracking and comparison with secretlint results.
+
+/**
+ * Check if a token matches any safe pattern (not a sensitive token)
+ * @param {string} token - The token to check
+ * @returns {boolean} True if the token is safe and should NOT be masked
+ */
+export const isSafeToken = token => {
+  if (!token) return false;
+  return SAFE_TOKEN_PATTERNS.some(pattern => pattern.test(token));
+};
+
+/**
+ * Check if a 40-char hex string appears in a safe context (like git commands)
+ * @param {string} content - The full content to search
+ * @param {string} hexString - The 40-char hex string found
+ * @param {number} position - The position where the hex string was found
+ * @returns {boolean} True if the hex string is in a safe context
+ */
+export const isHexInSafeContext = (content, hexString, position) => {
+  // Get surrounding context (100 chars before and after)
+  const contextStart = Math.max(0, position - 100);
+  const contextEnd = Math.min(content.length, position + hexString.length + 100);
+  const context = content.substring(contextStart, contextEnd);
+
+  // Check if any safe context pattern matches
+  return SAFE_CONTEXT_PATTERNS.some(pattern => pattern.test(context));
+};
+
+/**
+ * Get GitHub tokens from local config files
+ * @returns {Promise<string[]>} Array of tokens found
+ */
+export const getGitHubTokensFromFiles = async () => {
+  const os = await getOsModule();
+  const path = await getPathModule();
+  const fs = await getFsModule();
+  const tokens = [];
+
+  try {
+    // Check ~/.config/gh/hosts.yml
+    const hostsFile = path.join(os.homedir(), '.config/gh/hosts.yml');
+    if (
+      await fs
+        .access(hostsFile)
+        .then(() => true)
+        .catch(() => false)
+    ) {
+      const hostsContent = await fs.readFile(hostsFile, 'utf8');
+
+      // Look for oauth_token and api_token patterns
+      const oauthMatches = hostsContent.match(/oauth_token:\s*([^\s\n]+)/g);
+      if (oauthMatches) {
+        for (const match of oauthMatches) {
+          const token = match.split(':')[1].trim();
+          if (token && !tokens.includes(token)) {
+            tokens.push(token);
+          }
+        }
+      }
+
+      const apiMatches = hostsContent.match(/api_token:\s*([^\s\n]+)/g);
+      if (apiMatches) {
+        for (const match of apiMatches) {
+          const token = match.split(':')[1].trim();
+          if (token && !tokens.includes(token)) {
+            tokens.push(token);
+          }
+        }
+      }
+    }
+  } catch (error) {
+    // File access errors are expected when config doesn't exist
+    if (global.verboseMode) {
+      reportError(error, {
+        context: 'github_token_file_access',
+        level: 'debug',
+      });
+    }
+  }
+
+  return tokens;
+};
+
+/**
+ * Get GitHub tokens from gh command output
+ * @returns {Promise<string[]>} Array of tokens found
+ */
+export const getGitHubTokensFromCommand = async () => {
+  if (typeof globalThis.use === 'undefined') {
+    globalThis.use = (await eval(await (await fetch('https://unpkg.com/use-m/use.js')).text())).use;
+  }
+  const { $ } = await globalThis.use('command-stream');
+  const tokens = [];
+
+  try {
+    // Run gh auth status to get token info
+    const authResult = await $`gh auth status 2>&1`.catch(() => ({ stdout: '', stderr: '' }));
+    const authOutput = authResult.stdout?.toString() + authResult.stderr?.toString() || '';
+
+    // Look for token patterns in the output
+    const tokenPatterns = [/(?:token|oauth|api)[:\s]*([a-zA-Z0-9_]{20,})/gi, /gh[pou]_[a-zA-Z0-9_]{20,}/gi];
+
+    for (const pattern of tokenPatterns) {
+      const matches = authOutput.match(pattern);
+      if (matches) {
+        for (let match of matches) {
+          // Clean up the match
+          const token = match.replace(/^(?:token|oauth|api)[:\s]*/, '').trim();
+          if (token && token.length >= 20 && !tokens.includes(token)) {
+            tokens.push(token);
+          }
+        }
+      }
+    }
+  } catch (error) {
+    // Command errors are expected when gh is not configured
+    if (global.verboseMode) {
+      reportError(error, {
+        context: 'github_token_gh_auth',
+        level: 'debug',
+      });
+    }
+  }
+
+  return tokens;
+};
+
+/**
+ * Use secretlint to detect secrets in content
+ * @param {string} content - Content to scan
+ * @returns {Promise<Array<{start: number, end: number, token: string, ruleId: string}>>} Array of detected secrets with rule info
+ */
+const detectSecretsWithSecretlint = async content => {
+  const secrets = [];
+
+  const available = await initSecretlint();
+  if (!available || !secretlintCore || !secretlintConfig) {
+    return secrets;
+  }
+
+  try {
+    const result = await secretlintCore.lintSource({
+      source: {
+        filePath: '/virtual/content.txt',
+        content: content,
+        contentType: 'text',
+      },
+      options: {
+        config: secretlintConfig,
+        maskSecrets: false, // We need raw positions to mask ourselves
+      },
+    });
+
+    for (const message of result.messages) {
+      if (message.range && message.range.length === 2) {
+        const [start, end] = message.range;
+        const token = content.substring(start, end);
+        secrets.push({
+          start,
+          end,
+          token,
+          ruleId: message.ruleId || 'unknown',
+          source: 'secretlint',
+        });
+      }
+    }
+  } catch (error) {
+    if (global.verboseMode) {
+      await log(`  ⚠️  Secretlint detection error: ${error.message}`, { verbose: true });
+    }
+  }
+
+  return secrets;
+};
+
+/**
+ * Use custom patterns to detect secrets in content
+ * @param {string} content - Content to scan
+ * @returns {Array<{start: number, end: number, token: string, patternName: string}>} Array of detected secrets with pattern info
+ */
+const detectSecretsWithCustomPatterns = content => {
+  const secrets = [];
+
+  // Named custom patterns for tracking what detected what
+  const namedPatterns = [
+    // OpenAI patterns
+    { name: 'openai-project', pattern: /\bsk-(?:proj-|svcacct-|admin-)?[A-Za-z0-9_-]*T3BlbkFJ[A-Za-z0-9_-]+/g },
+
+    // Anthropic patterns
+    { name: 'anthropic-claude', pattern: /\bsk-ant-(?:api\d{2}-)?[A-Za-z0-9_-]{20,}/g },
+
+    // GitHub patterns
+    { name: 'github-pat', pattern: /\bgithub_pat_[a-zA-Z0-9_]{20,}/g },
+    { name: 'github-server', pattern: /\bghs_[a-zA-Z0-9_]{20,}/g },
+    { name: 'github-refresh', pattern: /\bghr_[a-zA-Z0-9_]{20,}/g },
+    { name: 'github-ghp', pattern: /\bghp_[a-zA-Z0-9_]{20,}/g },
+    { name: 'github-gho', pattern: /\bgho_[a-zA-Z0-9_]{20,}/g },
+    { name: 'github-ghu', pattern: /\bghu_[a-zA-Z0-9_]{20,}/g },
+
+    // AWS patterns
+    { name: 'aws-key', pattern: /\b(?:A3T[A-Z0-9]|AKIA|AGPA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}\b/g },
+
+    // Stripe patterns
+    { name: 'stripe', pattern: /\b(?:sk_live_|sk_test_|pk_live_|pk_test_)[a-zA-Z0-9]{20,}/g },
+
+    // SendGrid patterns
+    { name: 'sendgrid', pattern: /\bSG\.[a-zA-Z0-9_-]{15,}\.[a-zA-Z0-9_-]{30,}/g },
+
+    // Twilio patterns
+    { name: 'twilio', pattern: /\bSK[a-f0-9]{32}\b/g },
+
+    // Mailchimp patterns
+    { name: 'mailchimp', pattern: /\b[a-f0-9]{32}-us[0-9]{1,2}\b/g },
+
+    // Square patterns
+    { name: 'square', pattern: /\bsq0(?:atp|csp)-[a-zA-Z0-9_-]{22,}/g },
+
+    // Databricks patterns
+    { name: 'databricks', pattern: /\bdapi[a-f0-9]{32}\b/g },
+
+    // PyPI patterns
+    { name: 'pypi', pattern: /\bpypi-[A-Za-z0-9_-]{50,}/g },
+
+    // Discord patterns
+    { name: 'discord', pattern: /\b[MN][A-Za-z0-9_-]{23,}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{20,}/g },
+
+    // Telegram patterns
+    { name: 'telegram', pattern: /\b[0-9]{8,10}:[a-zA-Z0-9_-]{30,}/g },
+
+    // Google / Gemini patterns
+    { name: 'google-gemini', pattern: /\bAIza[0-9A-Za-z_-]{32,40}\b/g },
+
+    // HuggingFace patterns
+    { name: 'huggingface', pattern: /\bhf_[a-zA-Z0-9]{30,}/g },
+
+    // Slack patterns (not all covered by secretlint preset)
+    { name: 'slack-xoxb', pattern: /\bxoxb-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{20,}/g },
+    { name: 'slack-xoxp', pattern: /\bxoxp-[0-9]{10,}-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{20,}/g },
+
+    // npm patterns
+    { name: 'npm', pattern: /\bnpm_[a-zA-Z0-9]{30,}/g },
+
+    // Shopify patterns
+    { name: 'shopify', pattern: /\bshpat_[a-f0-9]{32}\b/g },
+  ];
+
+  for (const { name, pattern } of namedPatterns) {
+    pattern.lastIndex = 0;
+    let match;
+    while ((match = pattern.exec(content)) !== null) {
+      const token = match[0];
+      // Skip if already masked (contains consecutive asterisks)
+      if (/\*{3,}/.test(token)) {
+        continue;
+      }
+      secrets.push({
+        start: match.index,
+        end: match.index + token.length,
+        token,
+        patternName: name,
+        source: 'custom',
+      });
+    }
+  }
+
+  return secrets;
+};
+
+/**
+ * Compare detection results from both approaches and log warnings
+ * @param {Array} secretlintSecrets - Secrets detected by secretlint
+ * @param {Array} customSecrets - Secrets detected by custom patterns
+ * @returns {Promise<{secretlintOnly: Array, customOnly: Array, both: Array}>}
+ */
+const compareDetectionResults = async (secretlintSecrets, customSecrets) => {
+  const secretlintOnly = [];
+  const customOnly = [];
+  const both = [];
+
+  // Create sets for easier comparison (normalize tokens)
+  const secretlintTokens = new Map(secretlintSecrets.map(s => [s.token, s]));
+  const customTokens = new Map(customSecrets.map(s => [s.token, s]));
+
+  // Find secretlint-only detections (our custom patterns missed these)
+  for (const [token, secret] of secretlintTokens) {
+    if (!customTokens.has(token)) {
+      secretlintOnly.push(secret);
+    } else {
+      both.push({ ...secret, customPattern: customTokens.get(token).patternName });
+    }
+  }
+
+  // Find custom-only detections (secretlint missed these)
+  for (const [token, secret] of customTokens) {
+    if (!secretlintTokens.has(token)) {
+      customOnly.push(secret);
+    }
+  }
+
+  return { secretlintOnly, customOnly, both };
+};
+
+/**
+ * Sanitize log content by masking sensitive tokens while avoiding false positives
+ * Uses DUAL APPROACH: Both secretlint AND custom patterns run independently
+ *
+ * If only secretlint detects a secret (but our custom patterns miss it),
+ * a warning is logged so we can improve our patterns.
+ *
+ * @param {string} logContent - The log content to sanitize
+ * @param {Object} options - Optional configuration
+ * @param {boolean} options.warnOnMismatch - Log warnings when detection approaches differ (default: true in verbose mode)
+ * @returns {Promise<string>} Sanitized log content with tokens masked
+ */
+export const sanitizeLogContent = async (logContent, options = {}) => {
+  let sanitized = logContent;
+  const { warnOnMismatch = global.verboseMode } = options;
+
+  // Statistics for dual approach
+  const stats = {
+    knownTokens: 0,
+    secretlintDetections: 0,
+    customDetections: 0,
+    secretlintOnlyWarnings: [],
+    customOnlyDetections: [],
+  };
+
+  try {
+    // Step 1: Get known tokens from files and commands
+    const fileTokens = await getGitHubTokensFromFiles();
+    const commandTokens = await getGitHubTokensFromCommand();
+    const allKnownTokens = [...new Set([...fileTokens, ...commandTokens])];
+
+    // Mask known tokens first
+    for (const token of allKnownTokens) {
+      if (token && token.length >= 12) {
+        const maskedToken = maskToken(token);
+        sanitized = sanitized.split(token).join(maskedToken);
+        stats.knownTokens++;
+      }
+    }
+
+    // Step 2: DUAL APPROACH - Run both detection methods independently
+    const [secretlintSecrets, customSecrets] = await Promise.all([detectSecretsWithSecretlint(sanitized), Promise.resolve(detectSecretsWithCustomPatterns(sanitized))]);
+
+    // Compare results to find discrepancies
+    const { secretlintOnly, customOnly } = await compareDetectionResults(secretlintSecrets, customSecrets);
+
+    // Log warnings for secretlint-only detections (our patterns should catch these)
+    if (warnOnMismatch && secretlintOnly.length > 0) {
+      stats.secretlintOnlyWarnings = secretlintOnly;
+      await log(`  ⚠️  PATTERN GAP: Secretlint found ${secretlintOnly.length} secret(s) that our custom patterns missed:`, { verbose: true });
+      for (const secret of secretlintOnly) {
+        // Show truncated token and rule that detected it
+        const truncated = secret.token.length > 20 ? `${secret.token.substring(0, 10)}...${secret.token.substring(secret.token.length - 5)}` : secret.token;
+        await log(`      • Rule: ${secret.ruleId}, Token preview: ${truncated}`, { verbose: true });
+      }
+      await log(`      Consider adding custom patterns for these secret types to improve our detection.`, { verbose: true });
+    }
+
+    // Log info about custom-only detections (we catch things secretlint doesn't)
+    if (warnOnMismatch && customOnly.length > 0) {
+      stats.customOnlyDetections = customOnly;
+      await log(`  ℹ️  CUSTOM ADVANTAGE: Our patterns found ${customOnly.length} secret(s) that secretlint missed:`, { verbose: true });
+      for (const secret of customOnly) {
+        await log(`      • Pattern: ${secret.patternName}`, { verbose: true });
+      }
+    }
+
+    // Step 3: Merge all unique secrets from both sources for masking
+    const allSecrets = new Map();
+
+    // Add secretlint detections
+    for (const secret of secretlintSecrets) {
+      const key = `${secret.start}-${secret.end}`;
+      allSecrets.set(key, secret);
+      stats.secretlintDetections++;
+    }
+
+    // Add custom detections (won't duplicate if same position)
+    for (const secret of customSecrets) {
+      const key = `${secret.start}-${secret.end}`;
+      if (!allSecrets.has(key)) {
+        allSecrets.set(key, secret);
+      }
+      stats.customDetections++;
+    }
+
+    // Apply all detections (from end to start to preserve positions)
+    const sortedSecrets = [...allSecrets.values()].sort((a, b) => b.start - a.start);
+    for (const secret of sortedSecrets) {
+      const { start, end, token } = secret;
+      // Verify the token is still in the content at the expected position
+      const currentToken = sanitized.substring(start, end);
+      if (currentToken === token) {
+        const masked = maskToken(token);
+        sanitized = sanitized.substring(0, start) + masked + sanitized.substring(end);
+      }
+    }
+
+    // Step 4: Handle 40-char hex tokens specially - only mask if NOT in safe context
+    // These could be GitHub tokens OR git commit hashes/gist IDs
+    const hexPattern = /(?:^|[\s:=])([a-f0-9]{40})(?=[\s\n]|$)/gm;
+    let hexMatch;
+    const hexReplacements = [];
+
+    // First pass: find all matches and determine which to mask
+    const tempContent = sanitized;
+    hexPattern.lastIndex = 0;
+    while ((hexMatch = hexPattern.exec(tempContent)) !== null) {
+      const token = hexMatch[1];
+      const position = hexMatch.index;
+
+      // Skip if already masked
+      if (/\*{3,}/.test(token)) {
+        continue;
+      }
+
+      // Only mask if NOT in a safe git/gist context
+      if (!isHexInSafeContext(tempContent, token, position)) {
+        hexReplacements.push({ token, masked: maskToken(token) });
+      }
+    }
+
+    // Second pass: apply replacements
+    for (const { token, masked } of hexReplacements) {
+      sanitized = sanitized.split(token).join(masked);
+    }
+
+    // Summary logging
+    const totalMasked = allSecrets.size + hexReplacements.length + stats.knownTokens;
+    if (global.verboseMode && totalMasked > 0) {
+      await log(`  🔒 Sanitized ${totalMasked} secrets using dual approach:`, { verbose: true });
+      await log(`      • Known tokens: ${stats.knownTokens}`, { verbose: true });
+      await log(`      • Secretlint: ${stats.secretlintDetections} detections`, { verbose: true });
+      await log(`      • Custom patterns: ${stats.customDetections} detections`, { verbose: true });
+      await log(`      • Hex tokens: ${hexReplacements.length}`, { verbose: true });
+      if (stats.secretlintOnlyWarnings.length > 0) {
+        await log(`      ⚠️  Pattern gaps to address: ${stats.secretlintOnlyWarnings.length}`, { verbose: true });
+      }
+    }
+  } catch (error) {
+    reportError(error, {
+      context: 'sanitize_log_content',
+      level: 'warning',
+    });
+    await log(`  ⚠️  Warning: Could not fully sanitize log content: ${error.message}`, { verbose: true });
+  }
+
+  return sanitized;
+};
+
+// Export detection functions for testing and visibility
+export { detectSecretsWithSecretlint, detectSecretsWithCustomPatterns, compareDetectionResults };
+
+// Default export for convenience
+export default {
+  isSafeToken,
+  isHexInSafeContext,
+  getGitHubTokensFromFiles,
+  getGitHubTokensFromCommand,
+  sanitizeLogContent,
+  detectSecretsWithSecretlint,
+  detectSecretsWithCustomPatterns,
+  compareDetectionResults,
+};