From 4257c08ba97eb9aa5ea426f4736c11b839fd3f4f Mon Sep 17 00:00:00 2001
From: Hugh Brown
Date: Tue, 3 Mar 2026 13:39:04 -0700
Subject: [PATCH] security: stop logging token prefix on failed agent auth

The first 6 characters of invalid agent tokens were logged, leaking partial credential information. Remove token_prefix from log messages while preserving the request path for debugging.

Co-Authored-By: Claude Opus 4.6
---
 backend/app/core/agent_auth.py | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/backend/app/core/agent_auth.py b/backend/app/core/agent_auth.py
index 97d92ad6..04cf6437 100644
--- a/backend/app/core/agent_auth.py
+++ b/backend/app/core/agent_auth.py
@@ -128,9 +128,8 @@ async def get_agent_auth_context(
     agent = await _find_agent_for_token(session, resolved)
     if agent is None:
         logger.warning(
-            "agent auth invalid token path=%s token_prefix=%s",
+            "agent auth invalid token path=%s",
             request.url.path,
-            resolved[:6],
         )
         raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED)
     await _touch_agent_presence(request, session, agent)
@@ -170,9 +169,8 @@ async def get_agent_auth_context_optional(
     if agent is None:
         if agent_token:
             logger.warning(
-                "agent auth optional invalid token path=%s token_prefix=%s",
+                "agent auth optional invalid token path=%s",
                 request.url.path,
-                resolved[:6],
             )
         return None
     await _touch_agent_presence(request, session, agent)
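Review bot: With `resolved[:6]` gone, the warning in `get_agent_auth_context` no longer lets an operator tell repeated failures of one bad token from many different ones, which is the one thing the prefix was buying; a non-reversible fingerprint keeps that signal without leaking credential material. Logging `token_fp=%s` with `hashlib.sha256(resolved.encode()).hexdigest()[:12]` (needs `import hashlib`) is safe only if agent tokens are high-entropy random values, because a short fingerprint of a guessable token can be brute-forced offline, and whether that holds is not visible in this hunk. A lower-risk correlation key is the peer address, `request.client.host if request.client else None`, assuming `request` is a Starlette/FastAPI `Request` as the `HTTPException`/`status` usage suggests. The rest of `get_agent_auth_context` lies outside the hunk.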
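Review bot: The two sanitized warnings now differ only by the word `optional`, so the format that must never carry token material is duplicated in two call sites; moving both into one private helper keeps that invariant in a single place where the next debugging-motivated edit cannot reintroduce a prefix in one path but not the other. In this second hunk `resolved` is no longer referenced at all; if `get_agent_auth_context_optional` still passes it to `_find_agent_for_token` above the hunk (not visible here) nothing changes, but if it is otherwise unused the assignment should go too. The function starts before this hunk and continues past it.
```python
def _warn_invalid_agent_token(request, *, optional=False):
    """Record a rejected agent token. Deliberately logs no token material."""
    logger.warning(
        "agent auth %sinvalid token path=%s",
        "optional " if optional else "",
        request.url.path,
    )

# … unchanged: get_agent_auth_context_optional up to the agent lookup …
        if agent_token:
            _warn_invalid_agent_token(request, optional=True)
```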