From 035deb008b8609af100f26d584bf53ed41f48769 Mon Sep 17 00:00:00 2001
From: William Valentin <william.valentin.info@gmail.com>
Date: Sun, 15 Feb 2026 18:02:14 -0800
Subject: [PATCH] feat(cli): redact access_token in config output

---
 src/cli/shared.test.ts | 10 ++++++++++
 src/cli/shared.ts      |  2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/cli/shared.test.ts b/src/cli/shared.test.ts
index 3a3ba54..420bc76 100644
--- a/src/cli/shared.test.ts
+++ b/src/cli/shared.test.ts
@@ -131,6 +131,16 @@ models:
       const models = redacted.models as Record<string, Record<string, unknown>>;
       expect(models.default.api_key).toBe('***');
     });
+
+    it('redacts access_token (matrix)', () => {
+      const config = {
+        matrix: { homeserver_url: 'https://matrix.example.org', access_token: 'mx-secret' },
+        models: { default: { provider: 'anthropic', model: 'claude' } },
+      };
+      const redacted = redactSecrets(config);
+      const matrix = redacted.matrix as Record<string, unknown>;
+      expect(matrix.access_token).toBe('***');
+    });
   });
 
   describe('getDataDir', () => {
diff --git a/src/cli/shared.ts b/src/cli/shared.ts
index f8230a4..d90deaa 100644
--- a/src/cli/shared.ts
+++ b/src/cli/shared.ts
@@ -74,7 +74,7 @@ export function loadConfigSafe(configPath?: string): { config?: Config; error?:
 
 /** Deep-clone config and replace sensitive fields with '***'. */
 export function redactSecrets(config: Record<string, unknown>): Record<string, unknown> {
-  const sensitiveKeys = ['bot_token', 'api_key', 'auth_token'];
+  const sensitiveKeys = ['bot_token', 'api_key', 'auth_token', 'access_token'];
 
   function redact(obj: unknown): unknown {
     if (obj === null || obj === undefined) {return obj;}