@link-assistant/hive-mind 1.64.2 → 1.64.3

package/CHANGELOG.md

@@ -1,5 +1,22 @@
 # @link-assistant/hive-mind
 
+## 1.64.3
+
+### Patch Changes
+
+- dd52682: Sanitize all user-facing output to prevent token leaks (#1745).
+  - All comment-posting paths (`postComment`, `editComment`, `postTrackedComment`) run bodies through `sanitizeOutput` (canonical name) / `sanitizeCommentBody` (active-token wrapper). `sanitizeLogContent` is preserved as a backward-compatible alias.
+  - `KNOWN_LOCAL_TOKEN_ENV_VARS` registry masks tokens by exact env value (Telegram, GitHub, Anthropic/Claude, OpenAI/Codex, Gemini/Google, Qwen/Dashscope, OpenCode, AgentCLI, HuggingFace).
+  - Three independent CLI flags: `--dangerously-skip-output-sanitization`, `--dangerously-skip-code-output-sanitization`, `--dangerously-skip-active-tokens-output-sanitization` — all default false; active-tokens skip stays separate so the broad skip flag still keeps active-token masking on.
+  - Process-wide sanitization counters (`getSanitizationStats`, `formatSanitizationSummary`) print a one-line summary at the end of each run with a hint to use `--dangerously-skip-output-sanitization` when masking blocks the user's workflow.
+  - `extractTokensFromUserContent` carve-out helper: tokens already present in user-provided content (issue body, non-bot comments, pre-existing code) are passed as `excludeTokens` so the sanitizer leaves them untouched while still masking active local tokens.
+  - Post-finish sweep (`runPostFinishSweep`) re-reads bot-authored PR comments and the PR description after the AI session completes and edits in place if a leak slipped past the live sanitizer.
+  - ESLint guardrail (`gh-rate-limit/require-sanitized-output`) flags raw `gh pr comment`, `gh issue comment`, `gh pr edit`, and `gh api .../comments` calls that bypass the sanitizer.
+  - Out-of-band Telegram leak DM with masked summaries when a known-local token is detected in an outbound comment.
+  - Hidden owner-only `/tokens` Telegram command lists configured tokens (always masked, private chat only).
+  - `maskToken` defaults to 3+3 characters per issue requirements.
+  - secretlint preset (best-of-breed) runs alongside our custom patterns; mismatch warnings surface gaps.
+
 ## 1.64.2
 
 ### Patch Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-assistant/hive-mind",
-  "version": "1.64.2",
+  "version": "1.64.3",
   "description": "AI-powered issue solver and hive mind for collaborative problem solving",
   "main": "src/hive.mjs",
   "type": "module",

package/src/claude.lib.mjs

@@ -682,7 +682,18 @@ export const executeClaudeCommand = async params => {
     let interactiveHandler = null;
     if (argv.interactiveMode && owner && repo && prNumber) {
       await log('🔌 Interactive mode: Creating handler for real-time PR comments', { verbose: true });
-      interactiveHandler = createInteractiveHandler({ owner, repo, prNumber, $, log, verbose: argv.verbose });
+      interactiveHandler = createInteractiveHandler({
+        owner,
+        repo,
+        prNumber,
+        $,
+        log,
+        verbose: argv.verbose,
+        // Issue #1745: thread the three independent dangerous-skip flags through
+        // so the comment-posting path can honor them; flags default to false.
+        skipOutputSanitization: argv['dangerously-skip-output-sanitization'] === true,
+        skipActiveTokensOutputSanitization: argv['dangerously-skip-active-tokens-output-sanitization'] === true,
+      });
     } else if (argv.interactiveMode) {
       await log('⚠️ Interactive mode: Disabled - missing PR info (owner/repo/prNumber)', { verbose: true });
     }

package/src/codex.lib.mjs

@@ -792,7 +792,18 @@ export const executeCodexCommand = async params => {
       let interactiveHandler = null;
       if (argv.interactiveMode && owner && repo && prNumber) {
         await log('🔌 Interactive mode: Creating handler for real-time PR comments', { verbose: true });
-        interactiveHandler = createInteractiveHandler({ owner, repo, prNumber, $, log, verbose: argv.verbose });
+        interactiveHandler = createInteractiveHandler({
+          owner,
+          repo,
+          prNumber,
+          $,
+          log,
+          verbose: argv.verbose,
+          // Issue #1745: pass the three independent dangerous-skip flags so the
+          // comment-posting path can honor them. All default to false.
+          skipOutputSanitization: argv['dangerously-skip-output-sanitization'] === true,
+          skipActiveTokensOutputSanitization: argv['dangerously-skip-active-tokens-output-sanitization'] === true,
+        });
       } else if (argv.interactiveMode) {
         await log('⚠️ Interactive mode: Disabled - missing PR info (owner/repo/prNumber)', { verbose: true });
       }

package/src/github.lib.mjs

@@ -6,8 +6,8 @@ import { log, maskToken, cleanErrorMessage, isENOSPC, ghCmdRetry } from './lib.m
 import { reportError } from './sentry.lib.mjs';
 import { githubLimits, timeouts } from './config.lib.mjs';
 import { batchCheckPullRequestsForIssues as batchCheckPRs, batchCheckArchivedRepositories as batchCheckArchived } from './github.batch.lib.mjs';
-import { isSafeToken, isHexInSafeContext, getGitHubTokensFromFiles, getGitHubTokensFromCommand, sanitizeLogContent } from './token-sanitization.lib.mjs';
-export { isSafeToken, isHexInSafeContext, getGitHubTokensFromFiles, getGitHubTokensFromCommand, sanitizeLogContent }; // Re-export for backward compatibility
+import { isSafeToken, isHexInSafeContext, getGitHubTokensFromFiles, getGitHubTokensFromCommand, sanitizeOutput, sanitizeLogContent } from './token-sanitization.lib.mjs';
+export { isSafeToken, isHexInSafeContext, getGitHubTokensFromFiles, getGitHubTokensFromCommand, sanitizeOutput, sanitizeLogContent }; // Re-export for backward compatibility
 import { uploadLogWithGhUploadLog } from './log-upload.lib.mjs';
 import { formatResetTimeWithRelative } from './usage-limit.lib.mjs'; // See: https://github.com/link-assistant/hive-mind/issues/1236
 // Import model info helpers (Issue #1225)

package/src/interactive-mode.lib.mjs

@@ -38,6 +38,13 @@ import { CONFIG, createCollapsible, createRawJsonSection, escapeMarkdown, execFi
 // Use the session-started marker as the single source of truth for the
 // header string, keeping posting and filtering in lock-step.
 import { INTERACTIVE_SESSION_STARTED_MARKER, trackToolCommentId } from './tool-comments.lib.mjs';
+// Issue #1745: every comment body posted by the AI bridge MUST flow through
+// sanitizeCommentBody() before leaving the process. The leak in
+// xlab2016/space_db_private#20 happened because raw bash-tool stdout
+// (including TELEGRAM_BOT_TOKEN=...) was published verbatim. See
+// docs/case-studies/issue-1745/analysis.md for the full timeline.
+import { containsKnownToken, getAllKnownLocalTokens, sanitizeCommentBody } from './token-sanitization.lib.mjs';
+import { reportInteractiveLeak } from './telegram-leak-notifier.lib.mjs';
 
 /**
  * Creates an interactive mode handler for processing Claude/Codex CLI events
@@ -52,7 +59,23 @@ import { INTERACTIVE_SESSION_STARTED_MARKER, trackToolCommentId } from './tool-c
  * @returns {Object} Handler object with event processing methods
  */
 export const createInteractiveHandler = options => {
-  const { owner, repo, prNumber, log, verbose = false, execFile: execFileFn } = options;
+  const {
+    owner,
+    repo,
+    prNumber,
+    log,
+    verbose = false,
+    execFile: execFileFn,
+    // Issue #1745: dangerous-skip flags. All default to false; passing them
+    // through lets the operator opt out of pattern-based sanitization (for
+    // controlled debugging in private repos) while keeping active-token
+    // masking on by default.
+    skipOutputSanitization = false,
+    skipActiveTokensOutputSanitization = false,
+    // Pre-existing user content carve-out (issue body / non-bot comments /
+    // pre-existing code). When provided, sanitizer leaves these tokens untouched.
+    excludeTokens = [],
+  } = options;
   // Use injected execFile for testability, or the real one by default
   const runGhApi = execFileFn || execFileAsync;
 
@@ -88,6 +111,71 @@ export const createInteractiveHandler = options => {
     editsFailed: 0,
   };
 
+  /**
+   * Sanitize a comment body and warn the chat owner when a known-local token
+   * was about to be published. Issue #1745. The returned string is what we
+   * actually send to GitHub.
+   *
+   * @param {string} body
+   * @returns {Promise<string>} sanitized body
+   * @private
+   */
+  const sanitizeAndWarn = async body => {
+    if (typeof body !== 'string' || body.length === 0) return body;
+
+    let knownTokens;
+    try {
+      knownTokens = await getAllKnownLocalTokens();
+    } catch (err) {
+      // Best-effort: if token lookup fails, fall back to regex/secretlint only.
+      knownTokens = [];
+      if (verbose) {
+        await log(`⚠️ Interactive mode: getAllKnownLocalTokens failed: ${err.message}`, { verbose: true });
+      }
+    }
+
+    let hits = [];
+    try {
+      hits = await containsKnownToken(body, knownTokens);
+    } catch {
+      hits = [];
+    }
+
+    let sanitized = body;
+    try {
+      sanitized = await sanitizeCommentBody(body, {
+        knownTokens,
+        skipOutputSanitization,
+        skipActiveTokensOutputSanitization,
+        excludeTokens,
+      });
+    } catch (err) {
+      await log(`⚠️ Interactive mode: sanitizeCommentBody failed: ${err.message} — falling back to raw body MASKED`);
+      // Fail closed: if sanitization fails entirely, drop the body to a safe
+      // placeholder rather than leaking. Better to lose detail than secrets.
+      sanitized = '[redacted: sanitization failed]';
+    }
+
+    if (hits.length > 0) {
+      await log(`🚨 Interactive mode: known-local token(s) detected in outbound comment — sanitizer masked them. Sources: ${hits.map(h => h.source).join(', ')}`);
+      try {
+        await reportInteractiveLeak({
+          owner,
+          repo,
+          prNumber,
+          tokenHits: hits,
+          log,
+        });
+      } catch (err) {
+        if (verbose) {
+          await log(`⚠️ Interactive mode: leak notifier failed: ${err.message}`, { verbose: true });
+        }
+      }
+    }
+
+    return sanitized;
+  };
+
   /**
    * Post a comment to the PR (with rate limiting)
    * @param {string} body - Comment body
@@ -104,12 +192,16 @@ export const createInteractiveHandler = options => {
       return null;
     }
 
+    // Issue #1745: sanitize BEFORE rate-limit queuing so queued bodies are
+    // also safe (the queue persists across reconnects).
+    const safeBody = await sanitizeAndWarn(body);
+
     const now = Date.now();
     const timeSinceLastComment = now - state.lastCommentTime;
 
     if (timeSinceLastComment < CONFIG.MIN_COMMENT_INTERVAL) {
       // Queue the comment for later with toolId/taskId for tracking
-      state.commentQueue.push({ body, toolId, taskId });
+      state.commentQueue.push({ body: safeBody, toolId, taskId });
       if (verbose) {
         await log(`📝 Interactive mode: Comment queued (${state.commentQueue.length} in queue)${toolId ? ` [tool: ${toolId}]` : ''}${taskId ? ` [task: ${taskId}]` : ''}`, { verbose: true });
       }
@@ -122,7 +214,7 @@ export const createInteractiveHandler = options => {
       // with complex markdown bodies containing backticks, quotes, etc.
       // See: https://github.com/link-assistant/hive-mind/issues/1458
       const apiUrl = `repos/${owner}/${repo}/issues/${prNumber}/comments`;
-      const jsonPayload = JSON.stringify({ body });
+      const jsonPayload = JSON.stringify({ body: safeBody });
       const { stdout } = await runGhApi('gh', ['api', apiUrl, '-X', 'POST', '--input', '-'], {
         input: jsonPayload,
         maxBuffer: 10 * 1024 * 1024, // 10MB
@@ -147,13 +239,13 @@ export const createInteractiveHandler = options => {
       trackToolCommentId(commentId);
 
       if (verbose) {
-        await log(`✅ Interactive mode: Comment posted${commentId ? ` (ID: ${commentId})` : ''} (body: ${body.length} chars)`, { verbose: true });
+        await log(`✅ Interactive mode: Comment posted${commentId ? ` (ID: ${commentId})` : ''} (body: ${safeBody.length} chars)`, { verbose: true });
       }
       return commentId;
     } catch (error) {
       state.commentsFailed++;
       // Issue #1472: Always log comment failures (not just verbose) — silent failures cause zero-comment bugs
-      await log(`⚠️ Interactive mode: Failed to post comment: ${error.message} (body: ${body.length} chars)`);
+      await log(`⚠️ Interactive mode: Failed to post comment: ${error.message} (body: ${safeBody.length} chars)`);
       return null;
     }
   };
@@ -173,25 +265,29 @@ export const createInteractiveHandler = options => {
       return false;
     }
 
+    // Issue #1745: sanitize before sending. editComment is the path that
+    // leaked TELEGRAM_BOT_TOKEN in xlab2016/space_db_private#20.
+    const safeBody = await sanitizeAndWarn(body);
+
     state.editsAttempted++;
     try {
       // Edit comment via gh api with stdin to avoid shell quoting issues
       // with complex markdown bodies containing backticks, quotes, etc.
       // See: https://github.com/link-assistant/hive-mind/issues/1458
       const apiUrl = `repos/${owner}/${repo}/issues/comments/${commentId}`;
-      const jsonPayload = JSON.stringify({ body });
+      const jsonPayload = JSON.stringify({ body: safeBody });
       await runGhApi('gh', ['api', apiUrl, '-X', 'PATCH', '--input', '-'], {
         input: jsonPayload,
         maxBuffer: 10 * 1024 * 1024, // 10MB
       });
       state.editsSucceeded++;
       if (verbose) {
-        await log(`✅ Interactive mode: Comment ${commentId} updated (body: ${body.length} chars, payload: ${jsonPayload.length} chars)`, { verbose: true });
+        await log(`✅ Interactive mode: Comment ${commentId} updated (body: ${safeBody.length} chars, payload: ${jsonPayload.length} chars)`, { verbose: true });
       }
       return true;
     } catch (error) {
       state.editsFailed++;
-      await log(`⚠️ Interactive mode: Failed to edit comment ${commentId}: ${error.message} (body: ${body.length} chars)`);
+      await log(`⚠️ Interactive mode: Failed to edit comment ${commentId}: ${error.message} (body: ${safeBody.length} chars)`);
       return false;
     }
   };

package/src/lib.mjs

@@ -334,12 +334,12 @@ export const setupStdioLogInterceptor = () => {
  * @param {string} token - Token to mask
  * @param {Object} options - Masking options
  * @param {number} [options.minLength=12] - Minimum length to mask
- * @param {number} [options.startChars=5] - Number of characters to show at start
- * @param {number} [options.endChars=5] - Number of characters to show at end
+ * @param {number} [options.startChars=3] - Number of characters to show at start
+ * @param {number} [options.endChars=3] - Number of characters to show at end
  * @returns {string} Masked token
  */
 export const maskToken = (token, options = {}) => {
-  const { minLength = 12, startChars = 5, endChars = 5 } = options;
+  const { minLength = 12, startChars = 3, endChars = 3 } = options;
 
   if (!token || token.length < minLength) {
     return token; // Don't mask very short strings

package/src/post-finish-sanitization-sweep.lib.mjs

@@ -0,0 +1,201 @@
+#!/usr/bin/env node
+/**
+ * Issue #1745 — post-finish sanitization sweep.
+ *
+ * Comment #4364642786 requirement: "after AI finishes whatever the content
+ * was ... we should by default go and mask the token by editing comments,
+ * pull requests".
+ *
+ * This module re-reads bot-authored comments and the PR description after the
+ * AI session finishes, runs the body through `sanitizeOutput`, and edits the
+ * comment / PR in place if a difference is detected. It is intentionally
+ * conservative:
+ *
+ *   - We only touch content authored by the running gh user (the bot).
+ *   - We never touch issue bodies (those belong to the human).
+ *   - History rewriting (force-pushing to delete commits) is NOT performed
+ *     here. The risk to a shared branch is too high; that step requires the
+ *     operator to opt in explicitly via a future flag, and is documented in
+ *     docs/case-studies/issue-1745/analysis.md.
+ *
+ * @module post-finish-sanitization-sweep
+ */
+
+import { sanitizeOutput, getSanitizationStats } from './token-sanitization.lib.mjs';
+import { wrapDollarWithGhRetry as _wrapDollarWithGhRetry } from './github-rate-limit.lib.mjs'; // rate-limit marker (#1726): caller passes $ already wrapped through wrapDollarWithGhRetry
+
+/**
+ * Determine the bot's gh login name. The function returns null on any error
+ * so the sweep degrades gracefully when offline / unauthenticated.
+ *
+ * @param {Function} $
+ * @returns {Promise<string|null>}
+ */
+const detectBotLogin = async $ => {
+  try {
+    const result = await $`gh api user --jq .login`;
+    if (result && result.code === 0 && result.stdout) {
+      const login = result.stdout.toString().trim();
+      return login || null;
+    }
+  } catch {
+    /* swallow */
+  }
+  return null;
+};
+
+/**
+ * Sanitize bot-authored PR conversation comments (the issuecomment endpoint).
+ *
+ * @param {Object} args
+ * @param {Function} args.$ command-stream helper
+ * @param {string}   args.owner
+ * @param {string}   args.repo
+ * @param {number|string} args.prNumber
+ * @param {string}   args.botLogin
+ * @param {Function} [args.log]
+ * @param {Object}   [args.sanitizationOptions] forwarded to sanitizeOutput
+ * @returns {Promise<{scanned:number, edited:number, errors:number}>}
+ */
+export const sweepPrConversationComments = async ({ $, owner, repo, prNumber, botLogin, log = async () => {}, sanitizationOptions = {} }) => {
+  const stats = { scanned: 0, edited: 0, errors: 0 };
+  let response;
+  try {
+    response = await $`gh api repos/${owner}/${repo}/issues/${prNumber}/comments --paginate`;
+  } catch (err) {
+    await log(`⚠️ post-finish sweep: failed to list comments: ${err.message || err}`);
+    stats.errors++;
+    return stats;
+  }
+  if (!response || response.code !== 0) {
+    stats.errors++;
+    return stats;
+  }
+  let comments;
+  try {
+    comments = JSON.parse(response.stdout.toString());
+  } catch {
+    stats.errors++;
+    return stats;
+  }
+  if (!Array.isArray(comments)) return stats;
+
+  for (const c of comments) {
+    if (!c || !c.user || c.user.login !== botLogin) continue;
+    if (typeof c.body !== 'string' || c.body.length === 0) continue;
+    stats.scanned++;
+    let sanitized;
+    try {
+      sanitized = await sanitizeOutput(c.body, sanitizationOptions);
+    } catch (err) {
+      await log(`⚠️ post-finish sweep: sanitize comment ${c.id} failed: ${err.message || err}`);
+      stats.errors++;
+      continue;
+    }
+    if (sanitized === c.body) continue;
+    try {
+      const payload = JSON.stringify({ body: sanitized });
+      const edit = await $({ stdin: payload })`gh api repos/${owner}/${repo}/issues/comments/${c.id} -X PATCH --input -`;
+      if (edit && edit.code === 0) {
+        stats.edited++;
+        await log(`🔒 post-finish sweep: edited comment ${c.id} to mask leaked token(s)`);
+      } else {
+        stats.errors++;
+      }
+    } catch (err) {
+      await log(`⚠️ post-finish sweep: edit comment ${c.id} failed: ${err.message || err}`);
+      stats.errors++;
+    }
+  }
+  return stats;
+};
+
+/**
+ * Sanitize the PR description if needed.
+ *
+ * @param {Object} args
+ * @returns {Promise<{scanned:number, edited:number, errors:number}>}
+ */
+export const sweepPrDescription = async ({ $, owner, repo, prNumber, log = async () => {}, sanitizationOptions = {} }) => {
+  const stats = { scanned: 0, edited: 0, errors: 0 };
+  let response;
+  try {
+    response = await $`gh api repos/${owner}/${repo}/pulls/${prNumber}`;
+  } catch (err) {
+    await log(`⚠️ post-finish sweep: failed to fetch PR ${prNumber}: ${err.message || err}`);
+    stats.errors++;
+    return stats;
+  }
+  if (!response || response.code !== 0) {
+    stats.errors++;
+    return stats;
+  }
+  let pr;
+  try {
+    pr = JSON.parse(response.stdout.toString());
+  } catch {
+    stats.errors++;
+    return stats;
+  }
+  const body = typeof pr.body === 'string' ? pr.body : '';
+  if (body.length === 0) return stats;
+  stats.scanned++;
+  let sanitized;
+  try {
+    sanitized = await sanitizeOutput(body, sanitizationOptions);
+  } catch (err) {
+    await log(`⚠️ post-finish sweep: sanitize PR body failed: ${err.message || err}`);
+    stats.errors++;
+    return stats;
+  }
+  if (sanitized === body) return stats;
+  try {
+    const payload = JSON.stringify({ body: sanitized });
+    const edit = await $({ stdin: payload })`gh api repos/${owner}/${repo}/pulls/${prNumber} -X PATCH --input -`;
+    if (edit && edit.code === 0) {
+      stats.edited++;
+      await log('🔒 post-finish sweep: edited PR description to mask leaked token(s)');
+    } else {
+      stats.errors++;
+    }
+  } catch (err) {
+    await log(`⚠️ post-finish sweep: edit PR body failed: ${err.message || err}`);
+    stats.errors++;
+  }
+  return stats;
+};
+
+/**
+ * Run the full post-finish sweep: bot-authored PR comments + PR description.
+ * Idempotent and safe to call multiple times.
+ *
+ * @param {Object} args
+ * @returns {Promise<{comments:Object, prBody:Object, totalEdited:number, sanitizationStatsBefore:Object, sanitizationStatsAfter:Object}>}
+ */
+export const runPostFinishSweep = async ({ $, owner, repo, prNumber, log = async () => {}, sanitizationOptions = {}, botLogin: providedBotLogin }) => {
+  const sanitizationStatsBefore = getSanitizationStats();
+  const botLogin = providedBotLogin || (await detectBotLogin($));
+  const result = {
+    comments: { scanned: 0, edited: 0, errors: 0, skipped: !botLogin },
+    prBody: { scanned: 0, edited: 0, errors: 0 },
+    totalEdited: 0,
+    sanitizationStatsBefore,
+    sanitizationStatsAfter: sanitizationStatsBefore,
+  };
+  if (!owner || !repo || !prNumber) return result;
+  if (botLogin) {
+    result.comments = await sweepPrConversationComments({ $, owner, repo, prNumber, botLogin, log, sanitizationOptions });
+  } else {
+    await log('⚠️ post-finish sweep: could not determine bot login; skipping comment sweep.');
+  }
+  result.prBody = await sweepPrDescription({ $, owner, repo, prNumber, log, sanitizationOptions });
+  result.totalEdited = result.comments.edited + result.prBody.edited;
+  result.sanitizationStatsAfter = getSanitizationStats();
+  return result;
+};
+
+export default {
+  sweepPrConversationComments,
+  sweepPrDescription,
+  runPostFinishSweep,
+};

package/src/solve.config.lib.mjs

@@ -115,6 +115,21 @@ export const SOLVE_OPTION_DEFINITIONS = {
     description: 'Upload the solution draft log file to the Pull Request on completion (⚠️ WARNING: May expose sensitive data)',
     default: false,
   },
+  'dangerously-skip-output-sanitization': {
+    type: 'boolean',
+    description: 'DANGEROUS: skip pattern-based sanitization of generated output. Active local token masking stays enabled unless --dangerously-skip-active-tokens-output-sanitization is also set.',
+    default: false,
+  },
+  'dangerously-skip-code-output-sanitization': {
+    type: 'boolean',
+    description: 'DANGEROUS: allow generated code/file output to keep pattern-matched token-looking strings. Active local token masking stays enabled unless explicitly disabled.',
+    default: false,
+  },
+  'dangerously-skip-active-tokens-output-sanitization': {
+    type: 'boolean',
+    description: 'DANGEROUS: skip masking known active local tokens in output. This is separate from other sanitization skip flags and should only be used for controlled debugging.',
+    default: false,
+  },
   'auto-close-pull-request-on-fail': {
     type: 'boolean',
     description: 'Automatically close the pull request if execution fails',

package/src/solve.results.lib.mjs

@@ -28,6 +28,14 @@ import { safeExit } from './exit-handler.lib.mjs';
 const githubLib = await import('./github.lib.mjs');
 const { sanitizeLogContent, attachLogToGitHub } = githubLib;
 
+// Issue #1745: process-wide sanitization counters used to print a one-line
+// "we masked N secrets" summary at the end of each run.
+const { formatSanitizationSummary } = await import('./token-sanitization.lib.mjs');
+// Issue #1745: post-finish retroactive sanitization of bot-authored PR
+// comments and the PR description. Runs by default; can be skipped via
+// --dangerously-skip-output-sanitization.
+const { runPostFinishSweep } = await import('./post-finish-sanitization-sweep.lib.mjs');
+
 // Import continuation functions (session resumption, PR detection)
 const autoContinue = await import('./solve.auto-continue.lib.mjs');
 const { autoContinueWhenLimitResets } = autoContinue;
@@ -556,6 +564,17 @@ export const cleanupClaudeFile = async (tempDir, branchName, claudeCommitHash =
 export const showSessionSummary = async (sessionId, limitReached, argv, issueUrl, tempDir, shouldAttachLogs = false) => {
   await log('\n=== Session Summary ===');
 
+  // Issue #1745: report how many tokens were masked during this run, with the
+  // "use --dangerously-skip-output-sanitization to skip" hint when > 0.
+  try {
+    const sanitizationSummary = formatSanitizationSummary();
+    if (sanitizationSummary) {
+      await log(sanitizationSummary);
+    }
+  } catch {
+    /* never fail the summary because of this */
+  }
+
   if (sessionId) {
     await log(`✅ Session ID: ${sessionId}`);
     // Always use absolute path for log file display
@@ -622,6 +641,39 @@ export const showSessionSummary = async (sessionId, limitReached, argv, issueUrl
     const logFilePath = path.resolve(getLogFile());
     await log(`📁 Log file available: ${logFilePath}`);
   }
+
+  // Issue #1745: post-finish retroactive sanitization sweep. Re-reads
+  // bot-authored PR comments and the PR description, runs them through
+  // sanitizeOutput, and edits in place if a leak slipped past the live
+  // sanitizer. Honors --dangerously-skip-output-sanitization and the related
+  // active-tokens flag.
+  try {
+    const owner = argv.owner;
+    const repo = argv.repo;
+    const prNumber = argv.prNumber;
+    const skipOutputSanitization = argv['dangerously-skip-output-sanitization'] === true;
+    const skipActiveTokensOutputSanitization = argv['dangerously-skip-active-tokens-output-sanitization'] === true;
+    if (owner && repo && prNumber && !skipOutputSanitization) {
+      const sweepResult = await runPostFinishSweep({
+        $,
+        owner,
+        repo,
+        prNumber,
+        log,
+        sanitizationOptions: {
+          warnOnMismatch: false,
+          skipActiveTokensOutputSanitization,
+        },
+      });
+      if (sweepResult.totalEdited > 0) {
+        await log(`🔒 Post-finish sweep: edited ${sweepResult.totalEdited} bot-authored item(s) to mask leaked tokens.`);
+        const followup = formatSanitizationSummary(sweepResult.sanitizationStatsAfter);
+        if (followup) await log(followup);
+      }
+    }
+  } catch (sweepErr) {
+    await log(`⚠️ Post-finish sanitization sweep failed: ${sweepErr.message || sweepErr}`);
+  }
 };
 
 // Verify results by searching for new PRs and comments

package/src/telegram-bot.mjs

@@ -1109,6 +1109,46 @@ registerStartStopCommands(bot, sharedCommandOpts);
 await registerLogCommand(bot, sharedCommandOpts);
 await registerTerminalWatchCommand(bot, sharedCommandOpts);
 
+// Issue #1745: hidden /tokens command for chat owners (private DMs only,
+// undocumented, masked output). Lets operators audit which local tokens are
+// live in the bot's environment so they can search for accidental leaks.
+const { registerTokensCommand } = await import('./telegram-tokens-command.lib.mjs');
+registerTokensCommand(bot, { ...sharedCommandOpts, allowedChats });
+
+// Issue #1745: register the leak-warning DM hook. The interactive bridge
+// fires reportInteractiveLeak() whenever it has to mask a known-local token
+// in an outbound PR comment. We DM every operator (chat creator) of every
+// allowlisted chat so at least one of them sees it quickly.
+const { registerLeakNotifier } = await import('./telegram-leak-notifier.lib.mjs');
+registerLeakNotifier(async ({ owner, repo, prNumber, tokenHits = [] }) => {
+  if (!allowedChats || allowedChats.length === 0) return;
+  const where = prNumber ? `${owner}/${repo}#${prNumber}` : `${owner}/${repo}`;
+  const sources = tokenHits.length ? tokenHits.map(h => `${h.name} (${h.source})`).join(', ') : 'unknown';
+  const text = `🚨 *Token-leak event*\n\nA known local token was about to be published in *${where}* and was masked by the sanitizer just in time.\n\nTokens detected: ${sources}\n\nRotate the affected secret(s) now and check public surfaces (GitHub comments, gists, Slack) for any prior copies.`;
+  for (const chatId of allowedChats) {
+    try {
+      const member = await bot.telegram.getChatMember(chatId, chatId).catch(() => null);
+      // For groups, getChatMember(chatId, chatId) returns the chat itself; we
+      // really want the creator. Fall back to getChatAdministrators.
+      let ownerUserId = null;
+      if (member && member.status === 'creator' && member.user?.id) {
+        ownerUserId = member.user.id;
+      } else {
+        const admins = await bot.telegram.getChatAdministrators(chatId).catch(() => []);
+        const creator = (admins || []).find(a => a.status === 'creator');
+        if (creator && creator.user?.id) ownerUserId = creator.user.id;
+      }
+      if (ownerUserId) {
+        await bot.telegram.sendMessage(ownerUserId, text, { parse_mode: 'Markdown' }).catch(err => {
+          console.warn(`[telegram-leak-notifier] DM to user ${ownerUserId} (chat ${chatId}) failed: ${err.message}`);
+        });
+      }
+    } catch (err) {
+      console.warn(`[telegram-leak-notifier] could not notify owner of chat ${chatId}: ${err.message}`);
+    }
+  }
+});
+
 // Add message listener for verbose debugging
 if (VERBOSE) {
   bot.on('message', (ctx, next) => {

package/src/telegram-leak-notifier.lib.mjs

@@ -0,0 +1,79 @@
+#!/usr/bin/env node
+/**
+ * Telegram leak-notifier (Issue #1745)
+ *
+ * The interactive AI bridge calls `reportInteractiveLeak()` whenever it
+ * detects that a comment body it was about to publish contained a
+ * known-local token. The sanitizer masks the token before it goes out, but
+ * we still want the chat owner who started the session to know — quickly,
+ * out-of-band — so they can rotate the token immediately.
+ *
+ * The Telegram bot calls `registerLeakNotifier()` on startup with a callback
+ * that knows how to DM the chat owner. We keep this contract intentionally
+ * small (callback-based, no direct telegraf import) so:
+ *
+ *   1. interactive-mode.lib.mjs doesn't have to depend on telegraf at all
+ *      (avoids a heavy import in the AI subprocess).
+ *   2. Tests can register a no-op (or assertion-collecting) notifier.
+ *   3. solve.mjs running outside the Telegram bot process degrades gracefully
+ *      to a console warning.
+ *
+ * @see docs/case-studies/issue-1745/analysis.md
+ * @module telegram-leak-notifier
+ */
+
+let registeredNotifier = null;
+
+/**
+ * Telegram bot calls this once during startup so the AI bridge has a way
+ * to send out-of-band leak warnings.
+ *
+ * @param {Function} notifier  async ({ owner, repo, prNumber, tokenHits }) => void
+ */
+export const registerLeakNotifier = notifier => {
+  registeredNotifier = typeof notifier === 'function' ? notifier : null;
+};
+
+/** Test hook — clear the registered notifier between tests. */
+export const clearLeakNotifierForTests = () => {
+  registeredNotifier = null;
+};
+
+/**
+ * Issue #1745 — fired by interactive-mode.lib.mjs when it had to mask a
+ * known-local token in an outbound comment.
+ *
+ * Always succeeds. If no notifier is registered (we're running outside the
+ * Telegram bot process) it falls back to a structured console warning.
+ *
+ * @param {Object} params
+ * @param {string} params.owner       repo owner
+ * @param {string} params.repo        repo name
+ * @param {number} [params.prNumber]  pull-request number, when applicable
+ * @param {Array<{name: string, source: string}>} [params.tokenHits]
+ *   list of token identifiers (NEVER the values) that were detected.
+ * @param {Function} [params.log]     async logger from interactive-mode
+ */
+export const reportInteractiveLeak = async ({ owner, repo, prNumber, tokenHits = [], log } = {}) => {
+  const fallbackLog = log || (async msg => console.warn(msg));
+
+  const summary = tokenHits.length ? tokenHits.map(h => `${h.name} (${h.source})`).join(', ') : 'unknown';
+
+  const where = prNumber ? `${owner}/${repo}#${prNumber}` : `${owner}/${repo}`;
+
+  await fallbackLog(`🚨 Token-leak event: ${summary} found in outbound comment for ${where} (sanitizer masked it).`);
+
+  if (registeredNotifier) {
+    try {
+      await registeredNotifier({ owner, repo, prNumber, tokenHits });
+    } catch (err) {
+      await fallbackLog(`⚠️ Telegram leak notifier threw: ${err.message}`);
+    }
+  }
+};
+
+export default {
+  registerLeakNotifier,
+  reportInteractiveLeak,
+  clearLeakNotifierForTests,
+};

package/src/telegram-tokens-command.lib.mjs

@@ -0,0 +1,151 @@
+#!/usr/bin/env node
+/**
+ * Telegram /tokens command — hidden, owner-only, private-chat only.
+ *
+ * Lists every known LOCAL token the bot can see (env vars + GitHub CLI
+ * tokens), already masked via `maskToken` (3-char prefix/suffix per
+ * issue #1745). Useful for spot-checking which secrets are live in the
+ * bot's environment so the operator can search for them in public places
+ * before they become a leak.
+ *
+ * Privacy / safety guarantees:
+ *
+ *  - Hidden command. Not advertised in /help. Not part of the BotFather
+ *    command list.
+ *  - Private-chat only. Never echoes tokens (even masked) into a group chat.
+ *  - Authenticated. The user must own (`status === 'creator'`) at least one
+ *    chat that is on the allowlist — i.e. they're an actual operator of
+ *    this bot, not a random DMer.
+ *  - Output is always masked. We never print raw values.
+ *
+ * @see https://github.com/link-assistant/hive-mind/issues/1745
+ * @module telegram-tokens-command
+ */
+
+import { getAllKnownLocalTokens } from './token-sanitization.lib.mjs';
+import { maskToken } from './lib.mjs';
+
+/**
+ * Resolve allowed chat IDs into an array of numeric IDs the user could own.
+ * Accepts:
+ *   - Array<number|string>
+ *   - Function returning Array<number|string>
+ *   - undefined / null  (treated as "any" — useful in private bot deployments)
+ *
+ * @param {Array|Function|null|undefined} allowedChats
+ * @returns {Array<string>}  numeric chat IDs as strings
+ */
+const resolveAllowedChatIds = allowedChats => {
+  if (!allowedChats) return [];
+  const raw = typeof allowedChats === 'function' ? allowedChats() : allowedChats;
+  if (!Array.isArray(raw)) return [];
+  return raw.map(v => String(v)).filter(Boolean);
+};
+
+/**
+ * Returns true if `userId` is the creator of any chat in `allowedChatIds`.
+ * Returns true unconditionally when `allowedChatIds` is empty (private
+ * deployment — no allowlist means any DM is fine).
+ */
+const isOperatorOfAnyAllowedChat = async ({ telegram, userId, allowedChatIds }) => {
+  if (!allowedChatIds || allowedChatIds.length === 0) {
+    return true;
+  }
+  for (const chatId of allowedChatIds) {
+    try {
+      const member = await telegram.getChatMember(chatId, userId);
+      if (member && member.status === 'creator') {
+        return true;
+      }
+    } catch {
+      // Bot may have been removed from the chat; skip and try the next one.
+    }
+  }
+  return false;
+};
+
+/**
+ * Format the token list for display. Each line: `name (source): masked`.
+ * The masked form is `first-3 *** last-3` per maskToken's new default.
+ */
+export const formatTokenList = tokens => {
+  if (!tokens || tokens.length === 0) {
+    return 'No known local tokens found in this bot process.';
+  }
+  const lines = tokens.map(t => {
+    const masked = maskToken(t.value);
+    return `• ${t.name} (${t.source}): \`${masked}\``;
+  });
+  return ['🔐 *Active local tokens (masked):*', '', ...lines, '', '_Use this list to search public places (GitHub, Slack, etc.) for accidentally leaked tokens before they become a problem. Tokens are masked with first 3 + last 3 characters per issue #1745._'].join('\n');
+};
+
+/**
+ * Registers the hidden /tokens command on the bot.
+ *
+ * @param {Object} bot - Telegraf bot
+ * @param {Object} options
+ * @param {boolean} [options.VERBOSE]
+ * @param {Function} [options.isOldMessage]
+ * @param {Array|Function} [options.allowedChats] — used for owner-of-allowed-chat check
+ * @param {Function} [options.fetchTokens] — test override for getAllKnownLocalTokens
+ */
+export const registerTokensCommand = (bot, options = {}) => {
+  const { VERBOSE = false, isOldMessage, allowedChats } = options;
+  const fetchTokens = options.fetchTokens || getAllKnownLocalTokens;
+
+  bot.command('tokens', async ctx => {
+    if (isOldMessage && isOldMessage(ctx)) {
+      VERBOSE && console.log('[VERBOSE] /tokens ignored: old message');
+      return;
+    }
+
+    const chat = ctx.chat;
+    if (!chat || !ctx.from) return;
+
+    // Step 1: private-chat only. Silently no-op in groups so the command stays
+    // truly hidden — a curious group member never gets a hint that it exists.
+    if (chat.type !== 'private') {
+      VERBOSE && console.log(`[VERBOSE] /tokens ignored: chat type ${chat.type} (private only)`);
+      return;
+    }
+
+    // Step 2: authenticate by ownership of an allowlisted chat.
+    const allowedChatIds = resolveAllowedChatIds(allowedChats);
+    let isOperator = false;
+    try {
+      isOperator = await isOperatorOfAnyAllowedChat({
+        telegram: ctx.telegram,
+        userId: ctx.from.id,
+        allowedChatIds,
+      });
+    } catch (err) {
+      VERBOSE && console.error('[VERBOSE] /tokens auth check failed:', err);
+      isOperator = false;
+    }
+
+    if (!isOperator) {
+      VERBOSE && console.log(`[VERBOSE] /tokens denied: user ${ctx.from.id} is not creator of any allowed chat`);
+      // Reply with a generic "unknown command"-shaped message so the command
+      // stays undiscoverable to non-operators.
+      return;
+    }
+
+    // Step 3: gather and emit.
+    let tokens;
+    try {
+      tokens = await fetchTokens();
+    } catch (err) {
+      VERBOSE && console.error('[VERBOSE] /tokens: fetchTokens failed:', err);
+      await ctx.reply('❌ Failed to gather local tokens.');
+      return;
+    }
+
+    const message = formatTokenList(tokens);
+    await ctx.reply(message, { parse_mode: 'Markdown' });
+  });
+};
+
+export default {
+  registerTokensCommand,
+  formatTokenList,
+};

package/src/token-sanitization.lib.mjs

@@ -28,6 +28,61 @@ const getFsModule = async () => (await import('fs')).promises;
 let secretlintCore = null;
 let secretlintConfig = null;
 
+// Issue #1745: process-wide counters for how many tokens were masked. The
+// final-summary path (solve.mjs / hive.mjs) reads these to print a one-line
+// "we masked N secrets — pass --dangerously-skip-output-sanitization to skip"
+// note when N > 0. Counters are intentionally simple (numbers, not arrays of
+// values) so we never accidentally retain raw tokens for any longer than the
+// masking pass itself.
+const sanitizationStats = {
+  totalMasked: 0,
+  knownTokenMasks: 0,
+  patternMasks: 0,
+  hexMasks: 0,
+  excluded: 0,
+};
+
+/**
+ * Read process-wide sanitization counters. Pure read; never mutates.
+ * @returns {{totalMasked:number, knownTokenMasks:number, patternMasks:number, hexMasks:number, excluded:number}}
+ */
+export const getSanitizationStats = () => ({ ...sanitizationStats });
+
+/**
+ * Reset process-wide counters. Tests use this between cases. Production code
+ * has no reason to reset mid-run.
+ */
+export const resetSanitizationStats = () => {
+  sanitizationStats.totalMasked = 0;
+  sanitizationStats.knownTokenMasks = 0;
+  sanitizationStats.patternMasks = 0;
+  sanitizationStats.hexMasks = 0;
+  sanitizationStats.excluded = 0;
+};
+
+/**
+ * Format a one-line operator-facing summary describing how many tokens were
+ * masked during this run, plus the dangerously-skip note required by the
+ * issue when the count is > 0. Returns an empty string if nothing was masked,
+ * so the caller can simply check truthiness before logging.
+ *
+ * @param {Object} [stats] override stats (defaults to module counters)
+ * @returns {string}
+ */
+export const formatSanitizationSummary = (stats = sanitizationStats) => {
+  const { totalMasked = 0, knownTokenMasks = 0, patternMasks = 0, hexMasks = 0, excluded = 0 } = stats;
+  if (totalMasked <= 0 && excluded <= 0) return '';
+  const breakdown = [`known-local: ${knownTokenMasks}`, `pattern: ${patternMasks}`, `hex: ${hexMasks}`].join(', ');
+  const lines = [`🔒 Output sanitization: masked ${totalMasked} token(s) (${breakdown}) before publishing.`];
+  if (excluded > 0) {
+    lines.push(`   ↳ left ${excluded} pre-existing token(s) untouched (user-provided content carve-out).`);
+  }
+  if (totalMasked > 0) {
+    lines.push('   ↳ Pass --dangerously-skip-output-sanitization if this blocks your workflow (active local tokens stay masked unless --dangerously-skip-active-tokens-output-sanitization is also set).');
+  }
+  return lines.join('\n');
+};
+
 /**
  * Initialize secretlint modules lazily
  * @returns {Promise<boolean>} True if secretlint is available
@@ -399,20 +454,25 @@ const compareDetectionResults = async (secretlintSecrets, customSecrets) => {
 };
 
 /**
- * Sanitize log content by masking sensitive tokens while avoiding false positives
+ * Sanitize arbitrary outbound output by masking sensitive tokens while avoiding false positives
  * Uses DUAL APPROACH: Both secretlint AND custom patterns run independently
  *
  * If only secretlint detects a secret (but our custom patterns miss it),
  * a warning is logged so we can improve our patterns.
  *
- * @param {string} logContent - The log content to sanitize
+ * @param {string} output - The output to sanitize
  * @param {Object} options - Optional configuration
  * @param {boolean} options.warnOnMismatch - Log warnings when detection approaches differ (default: true in verbose mode)
- * @returns {Promise<string>} Sanitized log content with tokens masked
+ * @param {boolean} options.skipOutputSanitization - Skip pattern-based output sanitization. Does not skip known active-token masking.
+ * @param {boolean} options.skipActiveTokensOutputSanitization - Also skip known active-token masking. Dangerous; intended only for explicit debugging.
+ * @param {Array<string>} options.excludeTokens - Issue #1745 carve-out: token VALUES that were already in user-provided content (issue body, non-bot comments, pre-existing code). These will be left untouched and counted in `excluded` stats so we don't shock users by mangling tokens they typed themselves.
+ * @returns {Promise<string>} Sanitized output with tokens masked
  */
-export const sanitizeLogContent = async (logContent, options = {}) => {
-  let sanitized = logContent;
-  const { warnOnMismatch = global.verboseMode } = options;
+export const sanitizeOutput = async (output, options = {}) => {
+  let sanitized = output;
+  const { warnOnMismatch = global.verboseMode, skipOutputSanitization = false, skipActiveTokensOutputSanitization = false, excludeTokens = [] } = options;
+  const excludedSet = new Set((excludeTokens || []).filter(t => typeof t === 'string' && t.length > 0));
+  const isExcluded = token => excludedSet.has(token);
 
   // Statistics for dual approach
   const stats = {
@@ -424,20 +484,34 @@ export const sanitizeLogContent = async (logContent, options = {}) => {
   };
 
   try {
-    // Step 1: Get known tokens from files and commands
-    const fileTokens = await getGitHubTokensFromFiles();
-    const commandTokens = await getGitHubTokensFromCommand();
-    const allKnownTokens = [...new Set([...fileTokens, ...commandTokens])];
-
-    // Mask known tokens first
-    for (const token of allKnownTokens) {
-      if (token && token.length >= 12) {
-        const maskedToken = maskToken(token);
-        sanitized = sanitized.split(token).join(maskedToken);
-        stats.knownTokens++;
+    if (!skipActiveTokensOutputSanitization) {
+      // Step 1: Get known tokens from files and commands
+      const fileTokens = await getGitHubTokensFromFiles();
+      const commandTokens = await getGitHubTokensFromCommand();
+      const allKnownTokens = [...new Set([...fileTokens, ...commandTokens])];
+
+      // Mask known tokens first
+      for (const token of allKnownTokens) {
+        if (token && token.length >= 12) {
+          if (isExcluded(token)) {
+            sanitizationStats.excluded++;
+            continue;
+          }
+          if (sanitized.includes(token)) {
+            const maskedToken = maskToken(token);
+            sanitized = sanitized.split(token).join(maskedToken);
+            stats.knownTokens++;
+            sanitizationStats.knownTokenMasks++;
+            sanitizationStats.totalMasked++;
+          }
+        }
       }
     }
 
+    if (skipOutputSanitization) {
+      return sanitized;
+    }
+
     // Step 2: DUAL APPROACH - Run both detection methods independently
     const [secretlintSecrets, customSecrets] = await Promise.all([detectSecretsWithSecretlint(sanitized), Promise.resolve(detectSecretsWithCustomPatterns(sanitized))]);
 
@@ -491,8 +565,14 @@ export const sanitizeLogContent = async (logContent, options = {}) => {
       // Verify the token is still in the content at the expected position
       const currentToken = sanitized.substring(start, end);
       if (currentToken === token) {
+        if (isExcluded(token)) {
+          sanitizationStats.excluded++;
+          continue;
+        }
         const masked = maskToken(token);
         sanitized = sanitized.substring(0, start) + masked + sanitized.substring(end);
+        sanitizationStats.patternMasks++;
+        sanitizationStats.totalMasked++;
       }
     }
 
@@ -516,13 +596,21 @@ export const sanitizeLogContent = async (logContent, options = {}) => {
 
       // Only mask if NOT in a safe git/gist context
       if (!isHexInSafeContext(tempContent, token, position)) {
+        if (isExcluded(token)) {
+          sanitizationStats.excluded++;
+          continue;
+        }
         hexReplacements.push({ token, masked: maskToken(token) });
       }
     }
 
     // Second pass: apply replacements
     for (const { token, masked } of hexReplacements) {
-      sanitized = sanitized.split(token).join(masked);
+      if (sanitized.includes(token)) {
+        sanitized = sanitized.split(token).join(masked);
+        sanitizationStats.hexMasks++;
+        sanitizationStats.totalMasked++;
+      }
     }
 
     // Summary logging
@@ -558,14 +646,263 @@ export const sanitizeLogContent = async (logContent, options = {}) => {
 // Export detection functions for testing and visibility
 export { detectSecretsWithSecretlint, detectSecretsWithCustomPatterns, compareDetectionResults };
 
+/**
+ * Backward-compatible alias for older log-specific call sites.
+ * New output paths should call sanitizeOutput().
+ */
+export const sanitizeLogContent = sanitizeOutput;
+
+// ============================================================================
+// Issue #1745 — known-local-token registry
+// ============================================================================
+// We mask all known LOCAL tokens (env vars + tokens we discovered via gh/etc.)
+// even when our regex/secretlint patterns miss them. This is the
+// "defense-in-depth" layer for the leak documented in case-studies/issue-1745.
+// ============================================================================
+
+/**
+ * Names of environment variables that hold local tokens. Order is irrelevant
+ * but we list AI-CLI tools first since those are the most common leak vectors
+ * (claude, codex, opencode, gemini, qwen + telegram + gh).
+ *
+ * Adding a name here means: any process.env value at this key will be masked
+ * in every comment body / log line the bridge emits.
+ */
+export const KNOWN_LOCAL_TOKEN_ENV_VARS = Object.freeze([
+  // Telegram bridge
+  'TELEGRAM_BOT_TOKEN',
+  'TELEGRAM_OWNER_CHAT_ID',
+  // GitHub CLI / API
+  'GH_TOKEN',
+  'GITHUB_TOKEN',
+  'GITHUB_PAT',
+  // Claude / Anthropic
+  'ANTHROPIC_API_KEY',
+  'CLAUDE_API_KEY',
+  'CLAUDE_CODE_OAUTH_TOKEN',
+  // OpenAI / Codex
+  'OPENAI_API_KEY',
+  'CODEX_API_KEY',
+  // Open-source agent CLIs
+  'OPENCODE_API_KEY',
+  'AGENT_CLI_TOKEN',
+  // Google Gemini / Qwen
+  'GEMINI_API_KEY',
+  'GOOGLE_API_KEY',
+  'QWEN_API_KEY',
+  'DASHSCOPE_API_KEY',
+  // Misc
+  'HUGGINGFACE_TOKEN',
+  'HF_TOKEN',
+]);
+
+/**
+ * Read every known local-token env var that is currently set.
+ *
+ * @returns {Array<{name: string, value: string}>} entries with non-empty values
+ */
+export const getEnvironmentTokens = () => {
+  const out = [];
+  for (const name of KNOWN_LOCAL_TOKEN_ENV_VARS) {
+    const value = process.env[name];
+    if (typeof value === 'string' && value.length >= 12) {
+      out.push({ name, value });
+    }
+  }
+  return out;
+};
+
+/**
+ * Build the union of every known-local token: env vars + GitHub tokens we
+ * already discover via `gh auth status` / hosts.yml (existing helpers).
+ *
+ * Each entry is `{ source, name, value }` where `source` is 'env' | 'gh-files'
+ * | 'gh-command'. The `name` field is human-readable for debug logs but is
+ * NEVER printed alongside the token to avoid creating a secondary leak.
+ *
+ * @returns {Promise<Array<{source: string, name: string, value: string}>>}
+ */
+export const getAllKnownLocalTokens = async () => {
+  const tokens = [];
+
+  for (const { name, value } of getEnvironmentTokens()) {
+    tokens.push({ source: 'env', name, value });
+  }
+
+  try {
+    const fileTokens = await getGitHubTokensFromFiles();
+    for (const value of fileTokens) {
+      tokens.push({ source: 'gh-files', name: 'github', value });
+    }
+  } catch {
+    /* swallow — best-effort */
+  }
+
+  try {
+    const commandTokens = await getGitHubTokensFromCommand();
+    for (const value of commandTokens) {
+      tokens.push({ source: 'gh-command', name: 'github', value });
+    }
+  } catch {
+    /* swallow — best-effort */
+  }
+
+  // Deduplicate by exact value
+  const seen = new Set();
+  return tokens.filter(({ value }) => {
+    if (seen.has(value)) return false;
+    seen.add(value);
+    return true;
+  });
+};
+
+/**
+ * Test whether `text` contains any known-local token verbatim.
+ * Used to decide whether to fire the Telegram leak-warning DM.
+ *
+ * @param {string} text
+ * @param {Array<{value: string, name?: string, source?: string}>} [tokens]
+ *   Pre-fetched token list (if you already called getAllKnownLocalTokens).
+ *   Pass an explicit list to avoid re-running `gh auth status` per check.
+ * @returns {Promise<Array<{name: string, source: string}>>} list of token
+ *   identifiers that were found in the text (NOT the values themselves).
+ */
+export const containsKnownToken = async (text, tokens) => {
+  if (typeof text !== 'string' || text.length === 0) return [];
+  const list = tokens || (await getAllKnownLocalTokens());
+  const hits = [];
+  for (const t of list) {
+    if (t.value && text.includes(t.value)) {
+      hits.push({ name: t.name, source: t.source });
+    }
+  }
+  return hits;
+};
+
+/**
+ * Mask every known-local token inside `body` and then run `sanitizeOutput`
+ * for the regex/secretlint sweep. This is the wrapper that comment-posting
+ * paths must call before publishing anything to GitHub.
+ *
+ * Env-token masking runs FIRST so that even if our regex misses the shape
+ * (custom token formats from new AI tools, etc.) the local secret never
+ * leaves the process. The regex/secretlint pass then catches anything else.
+ *
+ * @param {string} body
+ * @param {Object} [options]
+ * @param {Array<{value: string}>} [options.knownTokens] pre-fetched token list
+ * @returns {Promise<string>} sanitized body
+ */
+export const sanitizeCommentBody = async (body, options = {}) => {
+  if (typeof body !== 'string' || body.length === 0) return body;
+
+  let sanitized = body;
+  const excludedSet = new Set((options.excludeTokens || []).filter(t => typeof t === 'string' && t.length > 0));
+
+  // Pass 1: mask known-local tokens verbatim. This is the defense-in-depth
+  // layer that closes the gap from issue #1745.
+  if (!options.skipActiveTokensOutputSanitization) {
+    const knownTokens = options.knownTokens || (await getAllKnownLocalTokens());
+    for (const { value } of knownTokens) {
+      if (value && value.length >= 12 && sanitized.includes(value)) {
+        if (excludedSet.has(value)) {
+          sanitizationStats.excluded++;
+          continue;
+        }
+        sanitized = sanitized.split(value).join(maskToken(value));
+        sanitizationStats.knownTokenMasks++;
+        sanitizationStats.totalMasked++;
+      }
+    }
+  }
+
+  // Pass 2: regex + secretlint sweep for anything else.
+  sanitized = await sanitizeOutput(sanitized, {
+    warnOnMismatch: false,
+    skipOutputSanitization: options.skipOutputSanitization,
+    skipActiveTokensOutputSanitization: true,
+    excludeTokens: options.excludeTokens || [],
+  });
+
+  return sanitized;
+};
+
+/**
+ * Issue #1745 user-content carve-out helper.
+ *
+ * Comment #4364642786: "if issue description/comment/pull request comment from
+ * other users than our bot, contained access token, meaning access token was
+ * explicitly given, or access token was existing in code before, we don't
+ * touch it. That is not our responsibility by default."
+ *
+ * Given concatenated user-provided text (issue body, non-bot issue/PR
+ * comments, original code), this helper returns the token-shaped strings
+ * already present in that text. Callers pass this list as `excludeTokens`
+ * to `sanitizeOutput` / `sanitizeCommentBody` so the sanitizer leaves those
+ * tokens untouched.
+ *
+ * Active local tokens (env vars, gh CLI tokens) are NEVER returned even if
+ * they appear in user-provided content — the user couldn't have intended for
+ * us to leak our own bot tokens, so the carve-out doesn't apply to them.
+ *
+ * @param {string} text concatenated user-provided text
+ * @param {Object} [options]
+ * @param {Array<{value: string}>} [options.knownTokens] active local tokens to
+ *   filter out of the carve-out (so the bot's own tokens still get masked
+ *   even if the user pasted one verbatim).
+ * @returns {Promise<Array<string>>} token VALUES to exclude from sanitization
+ */
+export const extractTokensFromUserContent = async (text, options = {}) => {
+  if (typeof text !== 'string' || text.length === 0) return [];
+
+  const customSecrets = detectSecretsWithCustomPatterns(text);
+  const secretlintSecrets = await detectSecretsWithSecretlint(text);
+
+  const tokens = new Set();
+  for (const s of [...customSecrets, ...secretlintSecrets]) {
+    if (s.token && s.token.length >= 12) {
+      tokens.add(s.token);
+    }
+  }
+
+  // 40-char hex in user-provided text — only exclude when not in a safe
+  // git/gist context. We're conservative here: the carve-out only applies
+  // to things our regex would otherwise mask.
+  const hexPattern = /(?:^|[\s:=])([a-f0-9]{40})(?=[\s\n]|$)/gm;
+  hexPattern.lastIndex = 0;
+  let m;
+  while ((m = hexPattern.exec(text)) !== null) {
+    const token = m[1];
+    if (!isHexInSafeContext(text, token, m.index)) {
+      tokens.add(token);
+    }
+  }
+
+  // Filter out our own active local tokens. The user pasting our token in
+  // their issue body doesn't mean we should leak it — that's still our bot's
+  // secret and it stays masked.
+  const knownActive = new Set((options.knownTokens || []).map(t => t.value).filter(Boolean));
+  return [...tokens].filter(value => !knownActive.has(value));
+};
+
 // Default export for convenience
 export default {
   isSafeToken,
   isHexInSafeContext,
   getGitHubTokensFromFiles,
   getGitHubTokensFromCommand,
+  sanitizeOutput,
   sanitizeLogContent,
   detectSecretsWithSecretlint,
   detectSecretsWithCustomPatterns,
   compareDetectionResults,
+  getEnvironmentTokens,
+  getAllKnownLocalTokens,
+  containsKnownToken,
+  sanitizeCommentBody,
+  getSanitizationStats,
+  resetSanitizationStats,
+  formatSanitizationSummary,
+  extractTokensFromUserContent,
+  KNOWN_LOCAL_TOKEN_ENV_VARS,
 };

package/src/tool-comments.lib.mjs

@@ -198,7 +198,7 @@ export const resetTrackedToolCommentIds = () => {
  * @param {string} options.body
  * @returns {Promise<{ok: boolean, commentId: string|null, stderr?: string}>}
  */
-export const postTrackedComment = async ({ $, owner, repo, targetNumber, body }) => {
+export const postTrackedComment = async ({ $, owner, repo, targetNumber, body, sanitizationOptions }) => {
   if (!$) {
     throw new Error('postTrackedComment requires a command-stream $ helper');
   }
@@ -208,7 +208,11 @@ export const postTrackedComment = async ({ $, owner, repo, targetNumber, body })
   // We use the /issues/<n>/comments endpoint because it works identically
   // for both PRs and issues (a PR is an issue at this endpoint).
   const apiPath = `repos/${owner}/${repo}/issues/${targetNumber}/comments`;
-  const payload = JSON.stringify({ body });
+  const { sanitizeOutput } = await import('./token-sanitization.lib.mjs');
+  // Issue #1745: caller may pass dangerous-skip flags + carve-out tokens.
+  // Defaults preserve fail-closed behavior: full sanitization.
+  const sanitizedBody = await sanitizeOutput(body, sanitizationOptions || {});
+  const payload = JSON.stringify({ body: sanitizedBody });
 
   // command-stream's options key is `stdin`, not `input` — unknown keys are
   // silently ignored, which previously left stdin inherited from the parent