Implemented unified secrets sanitization and env. redaction options (#15348)

Christian Gunderman
2025-12-22 19:18:27 -08:00
committed by GitHub
parent 2ac9fe08f7
commit 3b1dbcd42d
18 changed files with 817 additions and 103 deletions
+4 -2
@@ -7,12 +7,11 @@
import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
import { spawn, type ChildProcessWithoutNullStreams } from 'node:child_process';
import { HookRunner } from './hookRunner.js';
import { HookEventName, HookType } from './types.js';
import { HookEventName, HookType, ConfigSource } from './types.js';
import type { HookConfig } from './types.js';
import type { HookInput } from './types.js';
import type { Readable, Writable } from 'node:stream';
import type { Config } from '../config/config.js';
import { ConfigSource } from './types.js';
// Mock type for the child_process spawn
type MockChildProcessWithoutNullStreams = ChildProcessWithoutNullStreams & {
@@ -70,6 +69,9 @@ describe('HookRunner', () => {
mockConfig = {
isTrustedFolder: vi.fn().mockReturnValue(true),
sanitizationConfig: {
enableEnvironmentVariableRedaction: true,
},
} as unknown as Config;
hookRunner = new HookRunner(mockConfig);
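Review bot: Nothing in this file asserts what environment the spawned hook actually receives; the only non-import change is the mock gaining `sanitizationConfig: { enableEnvironmentVariableRedaction: true }` in the `beforeEach` setup. I would add a case that puts a constructed secret-like variable into `process.env`, runs a hook, and checks that the `env` option passed to the mocked `spawn` omits it while `GEMINI_PROJECT_DIR` is still set. A second case with the flag set to `false` would pin the opt-out path. If that coverage lives in a separate test for `sanitizeEnvironment`, a one-line comment here pointing to it would be enough. The `describe` block continues outside the hunk.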
+2 -1
@@ -18,6 +18,7 @@ import type {
} from './types.js';
import type { LLMRequest } from './hookTranslator.js';
import { debugLogger } from '../utils/debugLogger.js';
import { sanitizeEnvironment } from '../services/environmentSanitization.js';
import {
escapeShellArg,
getShellConfiguration,
@@ -238,7 +239,7 @@ export class HookRunner {
// Set up environment variables
const env = {
...process.env,
...sanitizeEnvironment(process.env, this.config.sanitizationConfig),
GEMINI_PROJECT_DIR: input.cwd,
CLAUDE_PROJECT_DIR: input.cwd, // For compatibility
};
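Review bot: The `// Set up environment variables` comment above `const env` no longer describes what happens, because the child now gets the output of `sanitizeEnvironment(process.env, this.config.sanitizationConfig)` rather than the full parent environment. A hook that relied on an inherited credential will presumably find it missing with no hint why. I would change the comment to `// Hooks get a sanitized copy of process.env (per config.sanitizationConfig); the project-dir variables are added afterwards so they are always present.` It is also worth confirming that `sanitizeEnvironment` neither throws nor returns the unfiltered environment when `sanitizationConfig` is undefined, since the test mock had to be extended to supply it; its implementation is not visible here. The enclosing method starts and ends outside the hunk.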