refactor: unify redactHeaderValue and MaskSecret funcs

Author: evgeniy-scherbina

intercept/apidump/apidump.go

@@ -14,6 +14,7 @@ import (
 
 	"cdr.dev/slog/v3"
 
+	"github.com/coder/aibridge/utils"
 	"github.com/coder/quartz"
 	"github.com/google/uuid"
 	"github.com/tidwall/pretty"
@@ -186,7 +187,7 @@ func (d *dumper) writeRedactedHeaders(w io.Writer, headers http.Header, sensitiv
 			}
 
 			if isSensitive {
-				value = redactHeaderValue(value)
+				value = utils.MaskSecret(value)
 			}
 			_, err := fmt.Fprintf(w, "%s: %s\r\n", key, value)
 			if err != nil {

intercept/apidump/apidump_test.go

@@ -73,7 +73,7 @@ func TestBridgedMiddleware_RedactsSensitiveRequestHeaders(t *testing.T) {
 	// Verify sensitive headers ARE present but redacted
 	require.Contains(t, content, "Authorization: Bear...2345")
 	require.Contains(t, content, "X-Api-Key: secr...alue")
-	require.Contains(t, content, "Cookie: sess...c123") // "session=abc123" is 14 chars, so first 4 + last 4
+	require.Contains(t, content, "Cookie: se...23") // "session=abc123" is 14 chars, reveal=2
 
 	// Verify the full secret values are NOT present
 	require.NotContains(t, content, "sk-secret-key-12345")
@@ -133,8 +133,8 @@ func TestBridgedMiddleware_RedactsSensitiveResponseHeaders(t *testing.T) {
 	// Verify sensitive headers are present but redacted
 	require.Contains(t, content, "Set-Cookie: sess...cure")
 	// Note: Go canonicalizes WWW-Authenticate to Www-Authenticate
-	// "Bearer realm=\"api\"" = 18 chars, first 4 = "Bear", last 4 = "api\""
-	require.Contains(t, content, "Www-Authenticate: Bear...api\"")
+	// "Bearer realm=\"api\"" = 18 chars, reveal=2, first 2 = "Be", last 2 = "i\""
+	require.Contains(t, content, "Www-Authenticate: Be...i\"")
 
 	// Verify full secret values are NOT present
 	require.NotContains(t, content, "secret123")

intercept/apidump/headers.go

@@ -18,17 +18,3 @@ var sensitiveResponseHeaders = map[string]struct{}{
 	"Www-Authenticate":   {},
 	"Proxy-Authenticate": {},
 }
-
-// redactHeaderValue redacts a sensitive header value, showing only partial content.
-// For values >= 8 bytes: shows first 4 and last 4 bytes with "..." in between.
-// For values < 8 bytes: shows first and last byte with "..." in between.
-func redactHeaderValue(value string) string {
-	if len(value) >= 8 {
-		return value[:4] + "..." + value[len(value)-4:]
-	}
-	if len(value) >= 2 {
-		return value[:1] + "..." + value[len(value)-1:]
-	}
-	// Single character or empty - just return as-is
-	return value
-}

intercept/apidump/headers_test.go

@@ -12,60 +12,6 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-func TestRedactHeaderValue(t *testing.T) {
-	t.Parallel()
-
-	tests := []struct {
-		name     string
-		input    string
-		expected string
-	}{
-		{
-			name:     "empty string",
-			input:    "",
-			expected: "",
-		},
-		{
-			name:     "single char",
-			input:    "a",
-			expected: "a",
-		},
-		{
-			name:     "two chars",
-			input:    "ab",
-			expected: "a...b",
-		},
-		{
-			name:     "seven chars",
-			input:    "abcdefg",
-			expected: "a...g",
-		},
-		{
-			name:     "eight chars - threshold",
-			input:    "abcdefgh",
-			expected: "abcd...efgh",
-		},
-		{
-			name:     "long value",
-			input:    "Bearer sk-secret-key-12345",
-			expected: "Bear...2345",
-		},
-		{
-			name:     "realistic api key",
-			input:    "sk-proj-abc123xyz789",
-			expected: "sk-p...z789",
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-			result := redactHeaderValue(tc.input)
-			require.Equal(t, tc.expected, result)
-		})
-	}
-}
-
 func TestSensitiveHeaderLists(t *testing.T) {
 	t.Parallel()
 
@@ -140,7 +86,7 @@ func TestWriteRedactedHeaders(t *testing.T) {
 			name:      "sensitive header redacted",
 			headers:   http.Header{"Set-Cookie": {"session=abcdefghij"}},
 			sensitive: sensitiveResponseHeaders,
-			expected:  "Set-Cookie: sess...ghij\r\n",
+			expected:  "Set-Cookie: se...ij\r\n",
 		},
 		{
 			name: "multi-value header",