From a537b650b5a490ce93542ad644cadf4805bff8a5 Mon Sep 17 00:00:00 2001
From: John Lee <johnteee@gmail.com>
Date: Mon, 1 Jun 2026 17:35:14 +0800
Subject: [PATCH] Potential fix for code scanning alert no. 24: Clear-text
 logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 teaagent/cli/_handlers/_mcp_trust.py | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/teaagent/cli/_handlers/_mcp_trust.py b/teaagent/cli/_handlers/_mcp_trust.py
index 087c23ea..a9980c34 100644
--- a/teaagent/cli/_handlers/_mcp_trust.py
+++ b/teaagent/cli/_handlers/_mcp_trust.py
@@ -14,6 +14,19 @@
 )
 
 
+def _strip_sensitive_fields(value: Any) -> Any:
+    if isinstance(value, dict):
+        sanitized: dict[str, Any] = {}
+        for key, item in value.items():
+            if isinstance(key, str) and key.strip().lower() == 'trusted':
+                continue
+            sanitized[key] = _strip_sensitive_fields(item)
+        return sanitized
+    if isinstance(value, list):
+        return [_strip_sensitive_fields(item) for item in value]
+    return value
+
+
 def _redact_sensitive(value: Any) -> Any:
     def _is_sensitive_key(key: Any) -> bool:
         if not isinstance(key, str):
@@ -45,7 +58,10 @@ def _is_sensitive_key(key: Any) -> bool:
 def _print_json(value: Any) -> None:
     print(
         json.dumps(
-            _redact_sensitive(value), ensure_ascii=False, indent=2, sort_keys=True
+            _redact_sensitive(_strip_sensitive_fields(value)),
+            ensure_ascii=False,
+            indent=2,
+            sort_keys=True,
         )
     )