Greptile Summary

This PR closes a security gap where the Feishu encryptKey credential was not being redacted in config snapshots, using a defense-in-depth approach that adds both pattern-based and schema-based detection.

• Pattern fix (schema.hints.ts): Adds /encrypt.?key/i to SENSITIVE_PATTERNS, so any config path ending in encryptKey or encrypt_key is caught by name, matching the same style as /api.?key/i.
• Schema registry fix (secret-input-schema.ts): Converts buildSecretInputSchema() from a factory returning a new z.union(...) instance per call to a module-level singleton registered with the sensitive Zod registry. This is the correct approach because mapSensitivePaths uses reference equality (sensitive.has(currentSchema)) to detect registered schemas — returning the same registered instance on every call is required for schema-level detection to work. The isUnwrappable/unwrap() loop in mapSensitivePaths correctly unwraps .optional() wrappers added by callers before reaching the registered union.
• Test coverage: The unit test for the registry path uses field names that don't match any SENSITIVE_PATTERNS rule, cleanly isolating the schema-based detection. The integration test adds encryptKey to the Feishu config block and asserts end-to-end redaction.
• The fix applies globally to all plugins that use buildSecretInputSchema(), not just Feishu — confirmed by tracing the export chain through secret-input.ts → secret-input-schema.ts.

Confidence Score: 5/5

• Safe to merge — minimal, targeted security fix with correct implementation and solid test coverage at both the unit and integration levels.
• Both redaction layers (pattern match and schema registry) are correctly implemented. The singleton refactor is the right design choice for registry-based detection. The Feishu config schema already typed encryptKey with buildSecretInputSchema(), so the registry fix lands exactly where it needs to. No regressions are expected; the change is strictly additive from a security posture perspective.
• No files require special attention.

_{Reviews (1): Last reviewed commit: "fix(cr-mbx-feishu-encryptkey-config-reda..." | Re-trigger Greptile}