🛡️ Sentinel: [security improvement] Mask sensitive parameters in audit logs #186
sl4m3 wants to merge 1 commit into
Conversation
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with
New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task.
🚨 Severity: MEDIUM

💡 Vulnerability: Insufficient logging of security events (Exposing sensitive data in logs). The `AuditLogger.log_access` method logs all parameters passed to tools in plaintext, which could expose sensitive data like API keys, passwords, or tokens to the audit log files.

🎯 Impact: If a tool is executed with sensitive credentials, these credentials would be written in plaintext to the audit logs, potentially exposing them to unauthorized users with log access.

🔧 Fix: Updated the `sanitized_params` dictionary comprehension in `src/ledgermind/server/audit.py` to mask any parameter values where the key contains sensitive keywords (e.g., 'key', 'password', 'secret', 'token', 'auth'). Added a critical learning to `.jules/sentinel.md`.

✅ Verification: Verified syntax correctness with `py_compile`. The audit logger will now output "MASKED" for sensitive parameters instead of plaintext values.

PR created automatically by Jules for task 9050847888250041083 started by @sl4m3
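The key-based masking that the Fix section describes, written out as an added example. This is not the project's `audit.py` code: the names `mask_sensitive_params`, `is_sensitive_key` and `audit_entry` and the JSON line format are hypothetical, and the sample parameters are constructed. It uses the keyword list from the PR description and goes beyond a single top-level dictionary comprehension in two ways a reviewer would ask about: it recurses into nested dicts and lists (an `Authorization` header or a password inside a list of targets is otherwise logged in the clear), and it scrubs credentials embedded in URL-shaped values, which key matching alone cannot catch.

```python
import json
import re
from typing import Any

# Keywords named in the PR description; compared case-insensitively against
# each parameter name, so "Authorization" and "API_KEY" are caught as well.
SENSITIVE_KEYWORDS = ("key", "password", "secret", "token", "auth")
MASK = "MASKED"

# Beyond key matching: credentials embedded in URL-shaped values such as
# "postgres://user:pass@host/db" sit under innocent keys and would otherwise
# reach the log verbatim. Only the password segment is replaced.
_URL_CREDENTIAL_RE = re.compile(r"(://[^:/@\s]+:)[^@\s]+@")


def is_sensitive_key(name: str) -> bool:
    """Substring match on the lowercased key. Deliberately broad: a false
    positive such as "keyword" costs little in an audit log, a missed secret
    costs a lot."""
    lowered = name.lower()
    return any(word in lowered for word in SENSITIVE_KEYWORDS)


def mask_sensitive_params(params: Any) -> Any:
    """Return a masked copy of params; the input is not modified.

    Recurses into nested dicts, lists and tuples so headers["Authorization"] or
    targets[0]["password"] are masked, not only top-level keys. String values
    are additionally scrubbed of URL-embedded credentials.
    """
    if isinstance(params, dict):
        return {
            key: MASK if isinstance(key, str) and is_sensitive_key(key)
            else mask_sensitive_params(value)
            for key, value in params.items()
        }
    if isinstance(params, (list, tuple)):
        return type(params)(mask_sensitive_params(item) for item in params)
    if isinstance(params, str):
        return _URL_CREDENTIAL_RE.sub(rf"\g<1>{MASK}@", params)
    return params


def audit_entry(tool_name: str, params: dict) -> str:
    """Render one audit log line (hypothetical format) with masked parameters."""
    record = {"tool": tool_name, "params": mask_sensitive_params(params)}
    return json.dumps(record, sort_keys=True, default=str)


# Constructed sample input; not taken from the project.
SAMPLE_PARAMS = {
    "account": "acct-42",
    "api_key": "sk-live-abc123",
    "headers": {"Authorization": "Bearer eyJhbGci.x.y", "Content-Type": "application/json"},
    "targets": [{"host": "db1.internal", "password": "hunter2"}],
    "database_url": "postgres://admin:hunter2@db.internal/ledger",
    "keyword": "revenue",  # false positive: masked because the key contains "key"
}

if __name__ == "__main__":
    print(audit_entry("query_ledger", SAMPLE_PARAMS))
```

Two checks worth keeping in mind when reviewing a change like this one: the masking must return a copy rather than mutate the caller's dictionary (the tool still needs the real values after the log call), and the keyword list is a denylist, so any secret that arrives under a key nobody anticipated, or inside a value rather than a key, is logged in the clear unless a value-level rule like the URL scrub above catches it.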