From ce1619051d1e043ae71786e01e752d4aa0263658 Mon Sep 17 00:00:00 2001
From: LC <64722907+lc6464@users.noreply.github.com>
Date: Tue, 24 Mar 2026 11:26:20 +0800
Subject: [PATCH] fix(chat): avoid full secret exposure for 7-char secrets (#1942)
- ensure at least 40% of the characters are masked for secrets of length 4 or more
- secrets with length <= 6 now show first and last char with mask
- secrets with length <= 12 now show first two and last two chars
- longer secrets show 3 prefix and 4 suffix
---
 web/frontend/src/components/secret-placeholder.ts | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/web/frontend/src/components/secret-placeholder.ts b/web/frontend/src/components/secret-placeholder.ts
index c6167d78e..88d4cb311 100644
--- a/web/frontend/src/components/secret-placeholder.ts
+++ b/web/frontend/src/components/secret-placeholder.ts
@@ -4,13 +4,20 @@ export function maskedSecretPlaceholder(value: unknown, fallback = ""): string {
 return fallback
 }

- if (secret.length < 7) {
+ // ensure at least 40% of the characters are masked for secrets of length 4 or more
+ if (secret.length <= 6) {
 const first = secret[0]
 const last = secret[secret.length - 1]
 return `${first}***${last}`
 }

- const prefix = secret.slice(0, Math.min(3, secret.length))
- const suffix = secret.slice(-Math.min(4, secret.length))
- return `${prefix}***${suffix}`
+ if (secret.length <= 12) {
+ const firstTwo = secret.slice(0, 2)
+ const lastTwo = secret.slice(-2)
+ return `${firstTwo}****${lastTwo}`
+ }
+
+ const prefix = secret.slice(0, 3)
+ const suffix = secret.slice(-4)
+ return `${prefix}*****${suffix}`
 }
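Review bot: Secrets of one to three characters are still shown almost or entirely in clear by the `secret.length <= 6` branch: a 2-character value renders as `a***b`, and a 1-character value repeats its only character on both sides, which is the same class of exposure this commit fixes for 7 characters. The new comment limits the 40% guarantee to length 4 or more, so the short case reads as a known gap; a guard such as `if (secret.length < 4) return "***"` ahead of that branch would close it. The start of maskedSecretPlaceholder is outside the hunk, so how `secret` is derived and when `fallback` is returned cannot be confirmed from here. A table test over lengths 1, 3, 4, 6, 7, 12 and 13 would pin the bucket boundaries, since the diffstat shows no test file changed.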