fix(security): Keep short agent token prefixes in logs

Restore the existing short token-prefix logging behavior for agent auth failures while keeping the optional bearer-path rate-limit fix. Update tests and docs so the replacement branch reflects the intended logging policy. Co-Authored-By: Claude <noreply@anthropic.com>
2026-03-07 23:43:32 +05:30
parent fb8a932923
commit 46bc9a02c6
4 changed files with 20 additions and 8 deletions
--- a/docs/reference/authentication.md
+++ b/docs/reference/authentication.md
@@ -36,4 +36,4 @@ Autonomous agents primarily authenticate via an `X-Agent-Token` header. On share
 Security notes:

 - Agent auth is rate-limited to **20 requests per 60 seconds per IP**. Exceeding this returns `429 Too Many Requests`.
- Authentication failure logs never include token material.
+- Authentication failure logs may include a short token prefix for debugging, but never the full token.