security(cli): redact log content at upload time in debug share (Hermes v0.13 parity) #300

@subinium

Description

Background

Hermes v0.13 (#19318, @GodsBoy) — hermes debug share uploaded logs to a paste service for support handoff, but redaction ran only at write time. If redaction was off when the log was written (which v0.12 made default), the uploaded content contained raw secrets.

Current state in CrowClaw

  • No crowclaw debug share command exists today; bug reports are handled out-of-band.
  • However, packages/cli/src/index.ts and the dashboard expose transcript download — same risk surface.

Scope

  • New: packages/cli/src/commands/debug-share.ts (or extend the dashboard export path)
  • Modified: redaction pipeline to support an "at upload" pass independent of "at write" config
  • Tests: tests/debug-share-redact.test.ts

Implementation sketch

  1. Implement crowclaw debug share [session-id] [--days N] — bundles transcript + config + recent audit log
  2. Run redactPII + credential redaction unconditionally at bundle time, regardless of runtime redaction config
  3. Upload to a configurable paste endpoint (default: print-to-stdout + clipboard, no auto-upload)
  4. Dashboard transcript export goes through the same redaction pass
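An added example in TypeScript (not CrowClaw's or Hermes' code) of the step 2 guarantee: the write path honours the runtime flag, while the share bundle runs redaction unconditionally and takes no config argument at all. The redactor names, the regex patterns and the ShareParts shape are hypothetical stand-ins for the project's own redaction primitives.

```typescript
// Added example, not CrowClaw code: a share-time redaction pass that ignores the
// runtime "redact at write" setting. All names and patterns here are hypothetical.
type RuntimeConfig = { redactAtWrite: boolean };

// Constructed credential shapes and one PII shape; a real pipeline would use
// the project's own redaction primitives instead of these.
const CREDENTIAL_PATTERNS: RegExp[] = [
  /\bsk-[A-Za-z0-9]{20,}\b/g,          // "sk-" style API keys
  /\bAKIA[0-9A-Z]{16}\b/g,             // AWS access key IDs
  /\bBearer\s+[A-Za-z0-9._-]{16,}\b/g, // bearer tokens copied from headers
];
const PII_PATTERNS: RegExp[] = [
  /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g, // e-mail addresses
];

function applyAll(text: string, patterns: RegExp[]): string {
  return patterns.reduce((t, re) => t.replace(re, "[REDACTED]"), text);
}
function redactCredentials(text: string): string { return applyAll(text, CREDENTIAL_PATTERNS); }
function redactPII(text: string): string { return applyAll(text, PII_PATTERNS); }

// Write path: honours the runtime config. With redactAtWrite=false the raw
// secret lands in the transcript, which is the Hermes failure mode.
function writeTranscriptLine(line: string, cfg: RuntimeConfig): string {
  return cfg.redactAtWrite ? redactPII(redactCredentials(line)) : line;
}

interface ShareParts { transcript: string[]; config: Record<string, unknown>; audit: string[] }

// Share path: redaction is unconditional and the function has no config
// parameter, so a misconfigured runtime cannot switch it off.
function bundleForShare(parts: ShareParts): string {
  const raw = [
    "## transcript", ...parts.transcript,
    "## config", JSON.stringify(parts.config, null, 2),
    "## audit", ...parts.audit,
  ].join("\n");
  return redactPII(redactCredentials(raw));
}

// Guard for the acceptance test: true if any known secret shape survives.
function containsSecret(text: string): boolean {
  return [...CREDENTIAL_PATTERNS, ...PII_PATTERNS].some((re) => {
    re.lastIndex = 0; // global regexes are stateful; reset before test()
    return re.test(text);
  });
}
```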

Acceptance criteria

  • Upload payload never contains secrets even when runtime redaction is off
  • Default behavior is local print (no network upload) — opt-in for paste service
  • Test: synthetic API key in transcript is [REDACTED] in the bundle output

Effort

S — small CLI surface; reuses redaction primitives.

Effect

Preempts the "I shared my logs for support and pasted my key" failure. Even if CrowClaw's redaction default lands as ON (sibling issue), the upload path needs its own guarantee.

Source

Hermes #19318 · CrowClaw current: no debug-share command yet; packages/cli/src/index.ts

Labels: bug (Something isn't working), priority/critical (Critical — fix before next release), security (Security finding), source/hermes (Pattern from NousResearch/hermes-agent)