[Bug] Session transcripts leak secrets (GitHub PAT, API tokens) to persisted logs
Bug Description
▎ Claude Code on Claude Opus 4.8 wrote two live secrets into session transcripts on 2026-06-26: (1) a GitHub PAT — agent ran pass show GH-YOLO/api-key 2>&1 | head -8 expecting a decrypt error, but gpg was unlocked so the live ghp_… printed to stdout (session 2a62aade, 16:46 UTC); (2) a Forgejo admin-scoped API token leaked via a Python urllib exception that serialized an Authorization header (session 0fc6339e, ~18:17 UTC). Both burned. Root class: secret read from pass reaches a persisted transcript channel (stdout / exception string). Highest-leverage fix: transcript-side secret redaction (mask ghp_/Authorization:[REDACTED] before writing transcript + sending to API) — would catch both regardless of model reasoning. Full report available.
Environment Info
- Platform: darwin
- Terminal: Apple_Terminal
- Version: 2.1.193
- Feedback ID: ff43311c-e778-4f6d-8450-41265c0eb4a4
Errors
[{"error":"Error: Streamable HTTP error: Error POSTing to endpoint: {\"id\":3,\"jsonrpc\":\"2.0\",\"result\":{\"content\":[{\"text\":\"Request had insufficient authentication scopes.\",\"type\":\"text\"}],\"isError\":true}}\r\n at send (/$bunfs/root/src/entrypoints/cli.js:1833:5998)\n at processTicksAndRejections (native:7:39)","timestamp":"2026-06-26T18:44:53.517Z"}]This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗