Refactor stdio masking to reuse LogMaskHelper infrastructure and respect --log-mask level

[Copilot]

The stdio masking implementation (StdIoMaskHelper) duplicated pattern management logic from LogMaskHelper, didn't respect the configured --log-mask sensitivity level, and had design issues in MaskingPrintStream causing infinite recursion.

Consolidate masking logic

• Extended LogMaskHelper with stdio-specific methods: registerStdioPattern(), registerStdioValue(), maskStdio()
• Added dedicated stdioPatternReplacer field for global stdio masking (separate from log message type-specific replacers)
• Refactored StdIoMaskHelper to delegate all pattern/value management to LogMaskHelper
• Focused stdio patterns on user-provided data (bearer tokens, passwords, API keys) rather than HTTP protocol traffic

Implement conditional masking

• All stdio registration methods now check isMaskingNeeded(LogSensitivityLevel) before registering patterns
• Respects configured --log-mask level from CLI options
• Registered user values use LogSensitivityLevel.high for maximum protection

Fix MaskingPrintStream design

• Eliminated unnecessary ByteArrayOutputStream in constructor
• Created inner MaskingOutputStream class that delegates writes directly to original stream's write method
• Fixed infinite recursion by avoiding call chains that loop back through wrapped stream
• Enabled auto-flush to prevent partial writes

public final class MaskingPrintStream extends PrintStream {
    public MaskingPrintStream(PrintStream delegate, Function<String, String> masker) {
        super(new MaskingOutputStream(delegate, masker), true);
    }
    
    private static final class MaskingOutputStream extends OutputStream {
        @Override
        public void write(byte[] buf, int off, int len) {
            var text = new String(buf, off, len, charset);
            var masked = masker.apply(text);
            var maskedBytes = masked.getBytes(charset);
            delegate.write(maskedBytes, 0, maskedBytes.length);
        }
    }
}

Compatibility verification

• Installation order preserved: AnsiConsole wraps System.out/err first, then masking wraps AnsiConsole streams
• OutputHelper properly restores MaskingPrintStream in finally blocks when temporarily replacing streams
• PrintStream synchronization prevents concurrent write corruption

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[Copilot]

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• example.com
  • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java -Dorg.gradle.internal.worker.tmpdir=/home/REDACTED/work/fcli/fcli/fcli-core/fcli-common/build/tmp/test/work @/home/REDACTED/.gradle/.tmp/gradle-worker-classpath15342279616463471151txt -Xmx512m -Dfile.encoding=UTF-8 -Duser.country -Duser.language=en -Duser.variant -ea worker.org.gradle.process.internal.worker.GradleWorkerMain 'Gradle Test Executor 4' (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)