Summary
redact_sensitive() in compression_guidelines.rs covers common secret prefixes (sk-, AKIA, ghp_, etc.) and filesystem paths, but does NOT cover JWT Bearer tokens.
Pattern gap
A compressed context or failure reason containing Authorization: Bearer eyJhbGciOiJSUzI1NiJ9... would not be redacted before SQLite insert, leaking the JWT into compression_failure_pairs.
Suggested fix
Add a Bearer pattern to SECRET_RE (after Bearer \S+) and consider adding a Base64 JWT pattern (eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+).
Priority
Low — only affects users with JWT tokens in tool outputs + ACON enabled. Mitigated by 100-row cap + local-only storage.
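The two patterns from the suggested fix, exercised against constructed inputs. This is an added example, not the project's redact_sensitive() code. It uses Python's re module as a test bench (both patterns use syntax the Rust regex crate also accepts). The function name, the replacement markers, the case-insensitive match on "Bearer" and the sample token are assumptions.

```python
import re

# Patterns from the suggested fix. The Bearer rule is generalized slightly
# (assumption): case-insensitive, and any whitespace run after the scheme.
BEARER_RE = re.compile(r"\b(Bearer)\s+\S+", re.IGNORECASE)
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

# Constructed sample: header taken from the issue text, payload and signature
# made up for this example. Not a valid signed token.
SAMPLE_JWT = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.c2lnbmF0dXJl"


def redact_tokens(text: str) -> str:
    """Redact bearer credentials first, then any remaining bare JWTs.

    The Bearer rule catches opaque and truncated tokens that the
    three-segment JWT rule cannot match. The JWT rule catches tokens that
    appear without the scheme, e.g. inside a JSON body. Because the rule
    is `Bearer \\S+`, prose such as "Bearer tokens" is redacted as well;
    that over-redaction is the cost of the loose pattern.
    """
    text = BEARER_RE.sub(r"\1 [REDACTED]", text)
    return JWT_RE.sub("[REDACTED_JWT]", text)


if __name__ == "__main__":
    samples = [
        "Authorization: Bearer " + SAMPLE_JWT,           # full JWT in header
        "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9...",  # truncated, as in the issue
        '{"access_token":"' + SAMPLE_JWT + '"}',          # JWT without the scheme
        "tool exited with status 1",                      # nothing to redact
    ]
    for line in samples:
        print(redact_tokens(line))
```

The truncated header from the issue is caught only by the Bearer rule, and the JSON case only by the JWT rule, so neither pattern alone closes the gap.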