@link-assistant/hive-mind 1.64.2 → 1.64.4

package/CHANGELOG.md

@@ -1,5 +1,28 @@
 # @link-assistant/hive-mind
 
+## 1.64.4
+
+### Patch Changes
+
+- 20f5898: Add `/stop <UUID>` and reply-to-message-with-UUID modes to the Telegram bot (#524). Sending `/stop <uuid>` (or replying with `/stop` to a message containing a UUID) forwards CTRL+C to the matching isolated `/solve` or `/hive` session via `$ --stop <uuid>` from link-foundation/start (link-foundation/start#112), so individual screen/tmux/docker sessions can be cancelled from Telegram. Mirrors the existing `/log` and `/terminal_watch` UUID-resolution pattern. Bare `/stop` retains its existing chat-pause behaviour (#1081).
+
+## 1.64.3
+
+### Patch Changes
+
+- dd52682: Sanitize all user-facing output to prevent token leaks (#1745).
+  - All comment-posting paths (`postComment`, `editComment`, `postTrackedComment`) run bodies through `sanitizeOutput` (canonical name) / `sanitizeCommentBody` (active-token wrapper). `sanitizeLogContent` is preserved as a backward-compatible alias.
+  - `KNOWN_LOCAL_TOKEN_ENV_VARS` registry masks tokens by exact env value (Telegram, GitHub, Anthropic/Claude, OpenAI/Codex, Gemini/Google, Qwen/Dashscope, OpenCode, AgentCLI, HuggingFace).
+  - Three independent CLI flags: `--dangerously-skip-output-sanitization`, `--dangerously-skip-code-output-sanitization`, `--dangerously-skip-active-tokens-output-sanitization` — all default false; active-tokens skip stays separate so the broad skip flag still keeps active-token masking on.
+  - Process-wide sanitization counters (`getSanitizationStats`, `formatSanitizationSummary`) print a one-line summary at the end of each run with a hint to use `--dangerously-skip-output-sanitization` when masking blocks the user's workflow.
+  - `extractTokensFromUserContent` carve-out helper: tokens already present in user-provided content (issue body, non-bot comments, pre-existing code) are passed as `excludeTokens` so the sanitizer leaves them untouched while still masking active local tokens.
+  - Post-finish sweep (`runPostFinishSweep`) re-reads bot-authored PR comments and the PR description after the AI session completes and edits in place if a leak slipped past the live sanitizer.
+  - ESLint guardrail (`gh-rate-limit/require-sanitized-output`) flags raw `gh pr comment`, `gh issue comment`, `gh pr edit`, and `gh api .../comments` calls that bypass the sanitizer.
+  - Out-of-band Telegram leak DM with masked summaries when a known-local token is detected in an outbound comment.
+  - Hidden owner-only `/tokens` Telegram command lists configured tokens (always masked, private chat only).
+  - `maskToken` defaults to 3+3 characters per issue requirements.
+  - secretlint preset (best-of-breed) runs alongside our custom patterns; mismatch warnings surface gaps.
+
 ## 1.64.2
 
 ### Patch Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-assistant/hive-mind",
-  "version": "1.64.2",
+  "version": "1.64.4",
   "description": "AI-powered issue solver and hive mind for collaborative problem solving",
   "main": "src/hive.mjs",
   "type": "module",

package/src/claude.lib.mjs

@@ -682,7 +682,18 @@ export const executeClaudeCommand = async params => {
     let interactiveHandler = null;
     if (argv.interactiveMode && owner && repo && prNumber) {
       await log('🔌 Interactive mode: Creating handler for real-time PR comments', { verbose: true });
-      interactiveHandler = createInteractiveHandler({ owner, repo, prNumber, $, log, verbose: argv.verbose });
+      interactiveHandler = createInteractiveHandler({
+        owner,
+        repo,
+        prNumber,
+        $,
+        log,
+        verbose: argv.verbose,
+        // Issue #1745: thread the three independent dangerous-skip flags through
+        // so the comment-posting path can honor them; flags default to false.
+        skipOutputSanitization: argv['dangerously-skip-output-sanitization'] === true,
+        skipActiveTokensOutputSanitization: argv['dangerously-skip-active-tokens-output-sanitization'] === true,
+      });
     } else if (argv.interactiveMode) {
       await log('⚠️ Interactive mode: Disabled - missing PR info (owner/repo/prNumber)', { verbose: true });
     }

package/src/codex.lib.mjs

@@ -792,7 +792,18 @@ export const executeCodexCommand = async params => {
       let interactiveHandler = null;
       if (argv.interactiveMode && owner && repo && prNumber) {
         await log('🔌 Interactive mode: Creating handler for real-time PR comments', { verbose: true });
-        interactiveHandler = createInteractiveHandler({ owner, repo, prNumber, $, log, verbose: argv.verbose });
+        interactiveHandler = createInteractiveHandler({
+          owner,
+          repo,
+          prNumber,
+          $,
+          log,
+          verbose: argv.verbose,
+          // Issue #1745: pass the three independent dangerous-skip flags so the
+          // comment-posting path can honor them. All default to false.
+          skipOutputSanitization: argv['dangerously-skip-output-sanitization'] === true,
+          skipActiveTokensOutputSanitization: argv['dangerously-skip-active-tokens-output-sanitization'] === true,
+        });
       } else if (argv.interactiveMode) {
         await log('⚠️ Interactive mode: Disabled - missing PR info (owner/repo/prNumber)', { verbose: true });
       }

package/src/github.lib.mjs

@@ -6,8 +6,8 @@ import { log, maskToken, cleanErrorMessage, isENOSPC, ghCmdRetry } from './lib.m
 import { reportError } from './sentry.lib.mjs';
 import { githubLimits, timeouts } from './config.lib.mjs';
 import { batchCheckPullRequestsForIssues as batchCheckPRs, batchCheckArchivedRepositories as batchCheckArchived } from './github.batch.lib.mjs';
-import { isSafeToken, isHexInSafeContext, getGitHubTokensFromFiles, getGitHubTokensFromCommand, sanitizeLogContent } from './token-sanitization.lib.mjs';
-export { isSafeToken, isHexInSafeContext, getGitHubTokensFromFiles, getGitHubTokensFromCommand, sanitizeLogContent }; // Re-export for backward compatibility
+import { isSafeToken, isHexInSafeContext, getGitHubTokensFromFiles, getGitHubTokensFromCommand, sanitizeOutput, sanitizeLogContent } from './token-sanitization.lib.mjs';
+export { isSafeToken, isHexInSafeContext, getGitHubTokensFromFiles, getGitHubTokensFromCommand, sanitizeOutput, sanitizeLogContent }; // Re-export for backward compatibility
 import { uploadLogWithGhUploadLog } from './log-upload.lib.mjs';
 import { formatResetTimeWithRelative } from './usage-limit.lib.mjs'; // See: https://github.com/link-assistant/hive-mind/issues/1236
 // Import model info helpers (Issue #1225)

package/src/interactive-mode.lib.mjs

@@ -38,6 +38,13 @@ import { CONFIG, createCollapsible, createRawJsonSection, escapeMarkdown, execFi
 // Use the session-started marker as the single source of truth for the
 // header string, keeping posting and filtering in lock-step.
 import { INTERACTIVE_SESSION_STARTED_MARKER, trackToolCommentId } from './tool-comments.lib.mjs';
+// Issue #1745: every comment body posted by the AI bridge MUST flow through
+// sanitizeCommentBody() before leaving the process. The leak in
+// xlab2016/space_db_private#20 happened because raw bash-tool stdout
+// (including TELEGRAM_BOT_TOKEN=...) was published verbatim. See
+// docs/case-studies/issue-1745/analysis.md for the full timeline.
+import { containsKnownToken, getAllKnownLocalTokens, sanitizeCommentBody } from './token-sanitization.lib.mjs';
+import { reportInteractiveLeak } from './telegram-leak-notifier.lib.mjs';
 
 /**
  * Creates an interactive mode handler for processing Claude/Codex CLI events
@@ -52,7 +59,23 @@ import { INTERACTIVE_SESSION_STARTED_MARKER, trackToolCommentId } from './tool-c
  * @returns {Object} Handler object with event processing methods
  */
 export const createInteractiveHandler = options => {
-  const { owner, repo, prNumber, log, verbose = false, execFile: execFileFn } = options;
+  const {
+    owner,
+    repo,
+    prNumber,
+    log,
+    verbose = false,
+    execFile: execFileFn,
+    // Issue #1745: dangerous-skip flags. All default to false; passing them
+    // through lets the operator opt out of pattern-based sanitization (for
+    // controlled debugging in private repos) while keeping active-token
+    // masking on by default.
+    skipOutputSanitization = false,
+    skipActiveTokensOutputSanitization = false,
+    // Pre-existing user content carve-out (issue body / non-bot comments /
+    // pre-existing code). When provided, sanitizer leaves these tokens untouched.
+    excludeTokens = [],
+  } = options;
   // Use injected execFile for testability, or the real one by default
   const runGhApi = execFileFn || execFileAsync;
 
@@ -88,6 +111,71 @@ export const createInteractiveHandler = options => {
     editsFailed: 0,
   };
 
+  /**
+   * Sanitize a comment body and warn the chat owner when a known-local token
+   * was about to be published. Issue #1745. The returned string is what we
+   * actually send to GitHub.
+   *
+   * @param {string} body
+   * @returns {Promise<string>} sanitized body
+   * @private
+   */
+  const sanitizeAndWarn = async body => {
+    if (typeof body !== 'string' || body.length === 0) return body;
+
+    let knownTokens;
+    try {
+      knownTokens = await getAllKnownLocalTokens();
+    } catch (err) {
+      // Best-effort: if token lookup fails, fall back to regex/secretlint only.
+      knownTokens = [];
+      if (verbose) {
+        await log(`⚠️ Interactive mode: getAllKnownLocalTokens failed: ${err.message}`, { verbose: true });
+      }
+    }
+
+    let hits = [];
+    try {
+      hits = await containsKnownToken(body, knownTokens);
+    } catch {
+      hits = [];
+    }
+
+    let sanitized = body;
+    try {
+      sanitized = await sanitizeCommentBody(body, {
+        knownTokens,
+        skipOutputSanitization,
+        skipActiveTokensOutputSanitization,
+        excludeTokens,
+      });
+    } catch (err) {
+      await log(`⚠️ Interactive mode: sanitizeCommentBody failed: ${err.message} — falling back to raw body MASKED`);
+      // Fail closed: if sanitization fails entirely, drop the body to a safe
+      // placeholder rather than leaking. Better to lose detail than secrets.
+      sanitized = '[redacted: sanitization failed]';
+    }
+
+    if (hits.length > 0) {
+      await log(`🚨 Interactive mode: known-local token(s) detected in outbound comment — sanitizer masked them. Sources: ${hits.map(h => h.source).join(', ')}`);
+      try {
+        await reportInteractiveLeak({
+          owner,
+          repo,
+          prNumber,
+          tokenHits: hits,
+          log,
+        });
+      } catch (err) {
+        if (verbose) {
+          await log(`⚠️ Interactive mode: leak notifier failed: ${err.message}`, { verbose: true });
+        }
+      }
+    }
+
+    return sanitized;
+  };
+
   /**
    * Post a comment to the PR (with rate limiting)
    * @param {string} body - Comment body
@@ -104,12 +192,16 @@ export const createInteractiveHandler = options => {
       return null;
     }
 
+    // Issue #1745: sanitize BEFORE rate-limit queuing so queued bodies are
+    // also safe (the queue persists across reconnects).
+    const safeBody = await sanitizeAndWarn(body);
+
     const now = Date.now();
     const timeSinceLastComment = now - state.lastCommentTime;
 
     if (timeSinceLastComment < CONFIG.MIN_COMMENT_INTERVAL) {
       // Queue the comment for later with toolId/taskId for tracking
-      state.commentQueue.push({ body, toolId, taskId });
+      state.commentQueue.push({ body: safeBody, toolId, taskId });
       if (verbose) {
         await log(`📝 Interactive mode: Comment queued (${state.commentQueue.length} in queue)${toolId ? ` [tool: ${toolId}]` : ''}${taskId ? ` [task: ${taskId}]` : ''}`, { verbose: true });
       }
@@ -122,7 +214,7 @@ export const createInteractiveHandler = options => {
       // with complex markdown bodies containing backticks, quotes, etc.
       // See: https://github.com/link-assistant/hive-mind/issues/1458
       const apiUrl = `repos/${owner}/${repo}/issues/${prNumber}/comments`;
-      const jsonPayload = JSON.stringify({ body });
+      const jsonPayload = JSON.stringify({ body: safeBody });
       const { stdout } = await runGhApi('gh', ['api', apiUrl, '-X', 'POST', '--input', '-'], {
         input: jsonPayload,
         maxBuffer: 10 * 1024 * 1024, // 10MB
@@ -147,13 +239,13 @@ export const createInteractiveHandler = options => {
       trackToolCommentId(commentId);
 
       if (verbose) {
-        await log(`✅ Interactive mode: Comment posted${commentId ? ` (ID: ${commentId})` : ''} (body: ${body.length} chars)`, { verbose: true });
+        await log(`✅ Interactive mode: Comment posted${commentId ? ` (ID: ${commentId})` : ''} (body: ${safeBody.length} chars)`, { verbose: true });
       }
       return commentId;
     } catch (error) {
       state.commentsFailed++;
       // Issue #1472: Always log comment failures (not just verbose) — silent failures cause zero-comment bugs
-      await log(`⚠️ Interactive mode: Failed to post comment: ${error.message} (body: ${body.length} chars)`);
+      await log(`⚠️ Interactive mode: Failed to post comment: ${error.message} (body: ${safeBody.length} chars)`);
       return null;
     }
   };
@@ -173,25 +265,29 @@ export const createInteractiveHandler = options => {
       return false;
     }
 
+    // Issue #1745: sanitize before sending. editComment is the path that
+    // leaked TELEGRAM_BOT_TOKEN in xlab2016/space_db_private#20.
+    const safeBody = await sanitizeAndWarn(body);
+
     state.editsAttempted++;
     try {
       // Edit comment via gh api with stdin to avoid shell quoting issues
       // with complex markdown bodies containing backticks, quotes, etc.
       // See: https://github.com/link-assistant/hive-mind/issues/1458
       const apiUrl = `repos/${owner}/${repo}/issues/comments/${commentId}`;
-      const jsonPayload = JSON.stringify({ body });
+      const jsonPayload = JSON.stringify({ body: safeBody });
       await runGhApi('gh', ['api', apiUrl, '-X', 'PATCH', '--input', '-'], {
         input: jsonPayload,
         maxBuffer: 10 * 1024 * 1024, // 10MB
       });
       state.editsSucceeded++;
       if (verbose) {
-        await log(`✅ Interactive mode: Comment ${commentId} updated (body: ${body.length} chars, payload: ${jsonPayload.length} chars)`, { verbose: true });
+        await log(`✅ Interactive mode: Comment ${commentId} updated (body: ${safeBody.length} chars, payload: ${jsonPayload.length} chars)`, { verbose: true });
       }
       return true;
     } catch (error) {
       state.editsFailed++;
-      await log(`⚠️ Interactive mode: Failed to edit comment ${commentId}: ${error.message} (body: ${body.length} chars)`);
+      await log(`⚠️ Interactive mode: Failed to edit comment ${commentId}: ${error.message} (body: ${safeBody.length} chars)`);
       return false;
     }
   };

package/src/isolation-runner.lib.mjs

@@ -255,6 +255,55 @@ export async function querySessionStatus(sessionId, verbose = false) {
   }
 }
 
+/**
+ * Ask the `$` CLI to gracefully stop an isolated session by sending CTRL+C.
+ *
+ * Wraps `$ --stop <uuid>` from start-command (link-foundation/start#112).
+ * Works for any isolation backend (screen, tmux, docker, …) — `$` knows the
+ * backend it launched with and forwards the interrupt accordingly.
+ *
+ * @param {string} sessionId - UUID of the session to stop
+ * @param {boolean} [verbose] - Enable verbose logging
+ * @returns {Promise<{success: boolean, output: string, error: string|null}>}
+ */
+export async function stopIsolatedSession(sessionId, verbose = false) {
+  const binPath = await findStartCommandBinary();
+  if (!binPath) {
+    if (verbose) {
+      console.log('[VERBOSE] isolation-runner: Cannot stop session - $ binary not found');
+    }
+    return {
+      success: false,
+      output: '',
+      error: '`$` (start-command) binary not found on PATH. Install link-foundation/start to use /stop <UUID>.',
+    };
+  }
+
+  try {
+    const result = await $({ mirror: false })`${binPath} --stop ${sessionId}`;
+    const stdout = result.stdout?.toString() || '';
+    const stderr = result.stderr?.toString() || '';
+    if (verbose) {
+      console.log(`[VERBOSE] isolation-runner: $ --stop ${sessionId} stdout: ${stdout.substring(0, 300)}`);
+      if (stderr) {
+        console.log(`[VERBOSE] isolation-runner: $ --stop ${sessionId} stderr: ${stderr.substring(0, 300)}`);
+      }
+    }
+    return { success: true, output: stdout || stderr, error: null };
+  } catch (error) {
+    const stderr = error?.stderr?.toString?.() || '';
+    const stdout = error?.stdout?.toString?.() || '';
+    if (verbose) {
+      console.log(`[VERBOSE] isolation-runner: $ --stop ${sessionId} failed: ${error.message}`);
+    }
+    return {
+      success: false,
+      output: stdout,
+      error: stderr.trim() || error?.message || String(error),
+    };
+  }
+}
+
 /**
  * Check if a screen session exists via `screen -ls`.
  * Used as a fallback when `$ --status` fails to find or correctly track

package/src/lib.mjs

@@ -334,12 +334,12 @@ export const setupStdioLogInterceptor = () => {
  * @param {string} token - Token to mask
  * @param {Object} options - Masking options
  * @param {number} [options.minLength=12] - Minimum length to mask
- * @param {number} [options.startChars=5] - Number of characters to show at start
- * @param {number} [options.endChars=5] - Number of characters to show at end
+ * @param {number} [options.startChars=3] - Number of characters to show at start
+ * @param {number} [options.endChars=3] - Number of characters to show at end
  * @returns {string} Masked token
  */
 export const maskToken = (token, options = {}) => {
-  const { minLength = 12, startChars = 5, endChars = 5 } = options;
+  const { minLength = 12, startChars = 3, endChars = 3 } = options;
 
   if (!token || token.length < minLength) {
     return token; // Don't mask very short strings

package/src/post-finish-sanitization-sweep.lib.mjs

@@ -0,0 +1,201 @@
+#!/usr/bin/env node
+/**
+ * Issue #1745 — post-finish sanitization sweep.
+ *
+ * Comment #4364642786 requirement: "after AI finishes whatever the content
+ * was ... we should by default go and mask the token by editing comments,
+ * pull requests".
+ *
+ * This module re-reads bot-authored comments and the PR description after the
+ * AI session finishes, runs the body through `sanitizeOutput`, and edits the
+ * comment / PR in place if a difference is detected. It is intentionally
+ * conservative:
+ *
+ *   - We only touch content authored by the running gh user (the bot).
+ *   - We never touch issue bodies (those belong to the human).
+ *   - History rewriting (force-pushing to delete commits) is NOT performed
+ *     here. The risk to a shared branch is too high; that step requires the
+ *     operator to opt in explicitly via a future flag, and is documented in
+ *     docs/case-studies/issue-1745/analysis.md.
+ *
+ * @module post-finish-sanitization-sweep
+ */
+
+import { sanitizeOutput, getSanitizationStats } from './token-sanitization.lib.mjs';
+import { wrapDollarWithGhRetry as _wrapDollarWithGhRetry } from './github-rate-limit.lib.mjs'; // rate-limit marker (#1726): caller passes $ already wrapped through wrapDollarWithGhRetry
+
+/**
+ * Determine the bot's gh login name. The function returns null on any error
+ * so the sweep degrades gracefully when offline / unauthenticated.
+ *
+ * @param {Function} $
+ * @returns {Promise<string|null>}
+ */
+const detectBotLogin = async $ => {
+  try {
+    const result = await $`gh api user --jq .login`;
+    if (result && result.code === 0 && result.stdout) {
+      const login = result.stdout.toString().trim();
+      return login || null;
+    }
+  } catch {
+    /* swallow */
+  }
+  return null;
+};
+
+/**
+ * Sanitize bot-authored PR conversation comments (the issuecomment endpoint).
+ *
+ * @param {Object} args
+ * @param {Function} args.$ command-stream helper
+ * @param {string}   args.owner
+ * @param {string}   args.repo
+ * @param {number|string} args.prNumber
+ * @param {string}   args.botLogin
+ * @param {Function} [args.log]
+ * @param {Object}   [args.sanitizationOptions] forwarded to sanitizeOutput
+ * @returns {Promise<{scanned:number, edited:number, errors:number}>}
+ */
+export const sweepPrConversationComments = async ({ $, owner, repo, prNumber, botLogin, log = async () => {}, sanitizationOptions = {} }) => {
+  const stats = { scanned: 0, edited: 0, errors: 0 };
+  let response;
+  try {
+    response = await $`gh api repos/${owner}/${repo}/issues/${prNumber}/comments --paginate`;
+  } catch (err) {
+    await log(`⚠️ post-finish sweep: failed to list comments: ${err.message || err}`);
+    stats.errors++;
+    return stats;
+  }
+  if (!response || response.code !== 0) {
+    stats.errors++;
+    return stats;
+  }
+  let comments;
+  try {
+    comments = JSON.parse(response.stdout.toString());
+  } catch {
+    stats.errors++;
+    return stats;
+  }
+  if (!Array.isArray(comments)) return stats;
+
+  for (const c of comments) {
+    if (!c || !c.user || c.user.login !== botLogin) continue;
+    if (typeof c.body !== 'string' || c.body.length === 0) continue;
+    stats.scanned++;
+    let sanitized;
+    try {
+      sanitized = await sanitizeOutput(c.body, sanitizationOptions);
+    } catch (err) {
+      await log(`⚠️ post-finish sweep: sanitize comment ${c.id} failed: ${err.message || err}`);
+      stats.errors++;
+      continue;
+    }
+    if (sanitized === c.body) continue;
+    try {
+      const payload = JSON.stringify({ body: sanitized });
+      const edit = await $({ stdin: payload })`gh api repos/${owner}/${repo}/issues/comments/${c.id} -X PATCH --input -`;
+      if (edit && edit.code === 0) {
+        stats.edited++;
+        await log(`🔒 post-finish sweep: edited comment ${c.id} to mask leaked token(s)`);
+      } else {
+        stats.errors++;
+      }
+    } catch (err) {
+      await log(`⚠️ post-finish sweep: edit comment ${c.id} failed: ${err.message || err}`);
+      stats.errors++;
+    }
+  }
+  return stats;
+};
+
+/**
+ * Sanitize the PR description if needed.
+ *
+ * @param {Object} args
+ * @returns {Promise<{scanned:number, edited:number, errors:number}>}
+ */
+export const sweepPrDescription = async ({ $, owner, repo, prNumber, log = async () => {}, sanitizationOptions = {} }) => {
+  const stats = { scanned: 0, edited: 0, errors: 0 };
+  let response;
+  try {
+    response = await $`gh api repos/${owner}/${repo}/pulls/${prNumber}`;
+  } catch (err) {
+    await log(`⚠️ post-finish sweep: failed to fetch PR ${prNumber}: ${err.message || err}`);
+    stats.errors++;
+    return stats;
+  }
+  if (!response || response.code !== 0) {
+    stats.errors++;
+    return stats;
+  }
+  let pr;
+  try {
+    pr = JSON.parse(response.stdout.toString());
+  } catch {
+    stats.errors++;
+    return stats;
+  }
+  const body = typeof pr.body === 'string' ? pr.body : '';
+  if (body.length === 0) return stats;
+  stats.scanned++;
+  let sanitized;
+  try {
+    sanitized = await sanitizeOutput(body, sanitizationOptions);
+  } catch (err) {
+    await log(`⚠️ post-finish sweep: sanitize PR body failed: ${err.message || err}`);
+    stats.errors++;
+    return stats;
+  }
+  if (sanitized === body) return stats;
+  try {
+    const payload = JSON.stringify({ body: sanitized });
+    const edit = await $({ stdin: payload })`gh api repos/${owner}/${repo}/pulls/${prNumber} -X PATCH --input -`;
+    if (edit && edit.code === 0) {
+      stats.edited++;
+      await log('🔒 post-finish sweep: edited PR description to mask leaked token(s)');
+    } else {
+      stats.errors++;
+    }
+  } catch (err) {
+    await log(`⚠️ post-finish sweep: edit PR body failed: ${err.message || err}`);
+    stats.errors++;
+  }
+  return stats;
+};
+
+/**
+ * Run the full post-finish sweep: bot-authored PR comments + PR description.
+ * Idempotent and safe to call multiple times.
+ *
+ * @param {Object} args
+ * @returns {Promise<{comments:Object, prBody:Object, totalEdited:number, sanitizationStatsBefore:Object, sanitizationStatsAfter:Object}>}
+ */
+export const runPostFinishSweep = async ({ $, owner, repo, prNumber, log = async () => {}, sanitizationOptions = {}, botLogin: providedBotLogin }) => {
+  const sanitizationStatsBefore = getSanitizationStats();
+  const botLogin = providedBotLogin || (await detectBotLogin($));
+  const result = {
+    comments: { scanned: 0, edited: 0, errors: 0, skipped: !botLogin },
+    prBody: { scanned: 0, edited: 0, errors: 0 },
+    totalEdited: 0,
+    sanitizationStatsBefore,
+    sanitizationStatsAfter: sanitizationStatsBefore,
+  };
+  if (!owner || !repo || !prNumber) return result;
+  if (botLogin) {
+    result.comments = await sweepPrConversationComments({ $, owner, repo, prNumber, botLogin, log, sanitizationOptions });
+  } else {
+    await log('⚠️ post-finish sweep: could not determine bot login; skipping comment sweep.');
+  }
+  result.prBody = await sweepPrDescription({ $, owner, repo, prNumber, log, sanitizationOptions });
+  result.totalEdited = result.comments.edited + result.prBody.edited;
+  result.sanitizationStatsAfter = getSanitizationStats();
+  return result;
+};
+
+export default {
+  sweepPrConversationComments,
+  sweepPrDescription,
+  runPostFinishSweep,
+};

package/src/solve.config.lib.mjs

@@ -115,6 +115,21 @@ export const SOLVE_OPTION_DEFINITIONS = {
     description: 'Upload the solution draft log file to the Pull Request on completion (⚠️ WARNING: May expose sensitive data)',
     default: false,
   },
+  'dangerously-skip-output-sanitization': {
+    type: 'boolean',
+    description: 'DANGEROUS: skip pattern-based sanitization of generated output. Active local token masking stays enabled unless --dangerously-skip-active-tokens-output-sanitization is also set.',
+    default: false,
+  },
+  'dangerously-skip-code-output-sanitization': {
+    type: 'boolean',
+    description: 'DANGEROUS: allow generated code/file output to keep pattern-matched token-looking strings. Active local token masking stays enabled unless explicitly disabled.',
+    default: false,
+  },
+  'dangerously-skip-active-tokens-output-sanitization': {
+    type: 'boolean',
+    description: 'DANGEROUS: skip masking known active local tokens in output. This is separate from other sanitization skip flags and should only be used for controlled debugging.',
+    default: false,
+  },
   'auto-close-pull-request-on-fail': {
     type: 'boolean',
     description: 'Automatically close the pull request if execution fails',

package/src/solve.results.lib.mjs

@@ -28,6 +28,14 @@ import { safeExit } from './exit-handler.lib.mjs';
 const githubLib = await import('./github.lib.mjs');
 const { sanitizeLogContent, attachLogToGitHub } = githubLib;
 
+// Issue #1745: process-wide sanitization counters used to print a one-line
+// "we masked N secrets" summary at the end of each run.
+const { formatSanitizationSummary } = await import('./token-sanitization.lib.mjs');
+// Issue #1745: post-finish retroactive sanitization of bot-authored PR
+// comments and the PR description. Runs by default; can be skipped via
+// --dangerously-skip-output-sanitization.
+const { runPostFinishSweep } = await import('./post-finish-sanitization-sweep.lib.mjs');
+
 // Import continuation functions (session resumption, PR detection)
 const autoContinue = await import('./solve.auto-continue.lib.mjs');
 const { autoContinueWhenLimitResets } = autoContinue;
@@ -556,6 +564,17 @@ export const cleanupClaudeFile = async (tempDir, branchName, claudeCommitHash =
 export const showSessionSummary = async (sessionId, limitReached, argv, issueUrl, tempDir, shouldAttachLogs = false) => {
   await log('\n=== Session Summary ===');
 
+  // Issue #1745: report how many tokens were masked during this run, with the
+  // "use --dangerously-skip-output-sanitization to skip" hint when > 0.
+  try {
+    const sanitizationSummary = formatSanitizationSummary();
+    if (sanitizationSummary) {
+      await log(sanitizationSummary);
+    }
+  } catch {
+    /* never fail the summary because of this */
+  }
+
   if (sessionId) {
     await log(`✅ Session ID: ${sessionId}`);
     // Always use absolute path for log file display
@@ -622,6 +641,39 @@ export const showSessionSummary = async (sessionId, limitReached, argv, issueUrl
     const logFilePath = path.resolve(getLogFile());
     await log(`📁 Log file available: ${logFilePath}`);
   }
+
+  // Issue #1745: post-finish retroactive sanitization sweep. Re-reads
+  // bot-authored PR comments and the PR description, runs them through
+  // sanitizeOutput, and edits in place if a leak slipped past the live
+  // sanitizer. Honors --dangerously-skip-output-sanitization and the related
+  // active-tokens flag.
+  try {
+    const owner = argv.owner;
+    const repo = argv.repo;
+    const prNumber = argv.prNumber;
+    const skipOutputSanitization = argv['dangerously-skip-output-sanitization'] === true;
+    const skipActiveTokensOutputSanitization = argv['dangerously-skip-active-tokens-output-sanitization'] === true;
+    if (owner && repo && prNumber && !skipOutputSanitization) {
+      const sweepResult = await runPostFinishSweep({
+        $,
+        owner,
+        repo,
+        prNumber,
+        log,
+        sanitizationOptions: {
+          warnOnMismatch: false,
+          skipActiveTokensOutputSanitization,
+        },
+      });
+      if (sweepResult.totalEdited > 0) {
+        await log(`🔒 Post-finish sweep: edited ${sweepResult.totalEdited} bot-authored item(s) to mask leaked tokens.`);
+        const followup = formatSanitizationSummary(sweepResult.sanitizationStatsAfter);
+        if (followup) await log(followup);
+      }
+    }
+  } catch (sweepErr) {
+    await log(`⚠️ Post-finish sanitization sweep failed: ${sweepErr.message || sweepErr}`);
+  }
 };
 
 // Verify results by searching for new PRs and comments