Redact sensitive values (API keys, tokens) in sanitized error details

The initial sanitization only truncated long messages. This adds regex-based
redaction of credential patterns (api_key=, token=, secret=, password=,
authorization:, bearer, credential) so they never appear in exception
messages or logs. Also sanitizes httpx.HTTPError messages which can
contain URLs with key query params. Raw response_data is preserved
for programmatic access. Adds 4 tests covering redaction behavior.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: vdavez

tango/client.py

@@ -1,6 +1,7 @@
 """Tango API Client"""
 
 import os
+import re
 from datetime import date, datetime
 from decimal import Decimal
 from typing import Any
@@ -143,14 +144,24 @@ def _int_or_none(val: str | None) -> int | None:
             burst_reset=_int_or_none(headers.get("X-RateLimit-Burst-Reset")),
         )
 
+    _SENSITIVE_PATTERNS = re.compile(
+        r"""
+        (?:api[_-]?key|token|secret|password|authorization|bearer|credential)
+        \s*[=:]\s*\S+
+        """,
+        re.IGNORECASE | re.VERBOSE,
+    )
+
     @staticmethod
     def _sanitize_error_detail(detail: Any, max_length: int = 200) -> str:
         """Sanitize an error detail from an API response for safe inclusion in exception messages.
 
-        Truncates long messages to prevent information disclosure in logs
+        Redacts values that look like API keys, tokens, or credentials, and
+        truncates long messages to prevent information disclosure in logs
         and error tracking systems.
         """
         text = str(detail)
+        text = TangoClient._SENSITIVE_PATTERNS.sub("[REDACTED]", text)
         if len(text) > max_length:
             text = text[:max_length] + "..."
         return text
@@ -211,7 +222,9 @@ def _request(
             return response.json() if response.content else {}
 
         except httpx.HTTPError as e:
-            raise TangoAPIError(f"Request failed: {str(e)}") from e
+            raise TangoAPIError(
+                f"Request failed: {self._sanitize_error_detail(e)}"
+            ) from e
 
     def _get(self, endpoint: str, params: dict[str, Any] | None = None) -> dict[str, Any]:
         """Make a GET request"""

tests/test_client.py

@@ -1336,6 +1336,70 @@ def test_network_error(self, mock_request):
 
         assert "Connection failed" in str(exc_info.value)
 
+    @patch("tango.client.httpx.Client.request")
+    def test_400_error_redacts_api_key_in_detail(self, mock_request):
+        """Test that API keys echoed in error details are redacted"""
+        mock_response = Mock()
+        mock_response.is_success = False
+        mock_response.status_code = 400
+        mock_response.content = b'{"detail": "Invalid api_key=saacp7h_WW__nZb3zaXJCPV4zRcbvhmBhHFrJxQLxdc"}'
+        mock_response.json.return_value = {
+            "detail": "Invalid api_key=saacp7h_WW__nZb3zaXJCPV4zRcbvhmBhHFrJxQLxdc"
+        }
+        mock_response.headers = {}
+        mock_request.return_value = mock_response
+
+        client = TangoClient(api_key="test-key")
+
+        with pytest.raises(TangoValidationError) as exc_info:
+            client.list_agencies()
+
+        assert "saacp7h" not in str(exc_info.value)
+        assert "[REDACTED]" in str(exc_info.value)
+        # Raw response_data still has the original for programmatic access
+        assert "saacp7h" in exc_info.value.response_data["detail"]
+
+    @patch("tango.client.httpx.Client.request")
+    def test_429_error_redacts_sensitive_values(self, mock_request):
+        """Test that sensitive values in rate limit error details are redacted"""
+        mock_response = Mock()
+        mock_response.is_success = False
+        mock_response.status_code = 429
+        mock_response.content = b'{"detail": "Rate limited. token=sk-abc123secret"}'
+        mock_response.json.return_value = {
+            "detail": "Rate limited. token=sk-abc123secret"
+        }
+        mock_response.headers = {}
+        mock_request.return_value = mock_response
+
+        client = TangoClient(api_key="test-key")
+
+        with pytest.raises(TangoRateLimitError) as exc_info:
+            client.list_agencies()
+
+        assert "sk-abc123secret" not in str(exc_info.value)
+        assert "[REDACTED]" in str(exc_info.value)
+
+    def test_sanitize_error_detail_truncates_long_messages(self):
+        """Test that very long error details are truncated"""
+        long_detail = "A" * 300
+        result = TangoClient._sanitize_error_detail(long_detail)
+        assert len(result) == 203  # 200 + "..."
+        assert result.endswith("...")
+
+    def test_sanitize_error_detail_redacts_credentials(self):
+        """Test that various credential patterns are redacted"""
+        cases = [
+            ("Invalid api_key=abc123", "[REDACTED]"),
+            ("Bad token: secretvalue", "[REDACTED]"),
+            ("Error: password=hunter2", "[REDACTED]"),
+            ("Failed authorization: Bearer xyz", "[REDACTED]"),
+            ("secret=mysecretvalue in request", "[REDACTED]"),
+        ]
+        for input_text, expected_replacement in cases:
+            result = TangoClient._sanitize_error_detail(input_text)
+            assert expected_replacement in result, f"Failed to redact: {input_text}"
+
     @patch("tango.client.httpx.Client.request")
     def test_empty_response_content(self, mock_request):
         """Test handling of empty response content"""