
Potential fix for code scanning alert no. 2: Clear-text logging of sensitive information#2

Closed
BENZOOgataga wants to merge 2 commits into main from alert-autofix-2

Conversation

@BENZOOgataga (Member)

Potential fix for https://github.com/Altitude-Interactive/CorpSim/security/code-scanning/2

To fix the problem, we should stop logging the raw enabledBy value (which may come from environment variables) in clear text. Instead, we can either omit it from logs or replace it with a non-sensitive, generic description or a redacted representation, while leaving the actual enabledBy value intact in the state/payload for internal use.

The least intrusive change is to modify printState(state, source) so that it does not output the exact state.enabledBy. For example, we can log that an actor is present without showing who it is, or we can explicitly mark it as redacted. This avoids changing how enabledBy is computed (resolveActor), stored (buildPayload, sanitizeState), or written to the file/API; only the logging behavior changes.

Concretely, in scripts/maintenance.mjs:

  • Locate printState(state, source) (around lines 376–386).
  • Replace the `` console.log(`Enabled by: ${state.enabledBy}`); `` line with a safer message that does not interpolate the value, such as `console.log("Enabled by: [redacted]");` or `console.log("Enabled by: (hidden)");`.
  • Keep the if (state.enabledBy) conditional so we only log this line when the field is present.

No additional imports or helper methods are required.


Suggested fixes powered by Copilot Autofix. Review carefully before merging.
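The before/after pair for the `printState(state, source)` change described above, as an added example that is not code from the CorpSim repository; the state shape, the `formatStateLines`/`leaksEnabledBy` helper names and the sample values are assumptions.

```javascript
// Added example, not the project's own code. The state shape, helper names
// and sample values below are assumptions made for illustration.

// Constructed sample state. In the real script enabledBy may come from an
// environment variable (a username, e-mail or token), so treat it as sensitive.
const SAMPLE_STATE = Object.freeze({
  enabled: true,
  enabledBy: "deploy-user@example.com", // constructed value
  reason: "scheduled upgrade",
});

// BEFORE: the pattern the scanner flags. The raw enabledBy value is
// interpolated straight into the log line.
function formatStateLinesUnsafe(state, source) {
  const lines = [`Maintenance state (${source}):`, `Enabled: ${state.enabled}`];
  if (state.enabledBy) lines.push(`Enabled by: ${state.enabledBy}`);
  if (state.reason) lines.push(`Reason: ${state.reason}`);
  return lines;
}

// AFTER: same structure, but the value is never interpolated. The conditional
// is kept so the line only appears when the field is present, and the state
// object itself is left intact for the file/API payload.
function formatStateLines(state, source) {
  const lines = [`Maintenance state (${source}):`, `Enabled: ${state.enabled}`];
  if (state.enabledBy) lines.push("Enabled by: [redacted]");
  if (state.reason) lines.push(`Reason: ${state.reason}`);
  return lines;
}

// Regression check a reviewer can keep beside the fix: no emitted log line
// may contain the sensitive field verbatim.
function leaksEnabledBy(lines, state) {
  return Boolean(state.enabledBy) && lines.some((l) => l.includes(state.enabledBy));
}

// Thin wrapper mirroring the script's printState: formatting is separated
// from console output so the lines can be checked without capturing stdout.
function printState(state, source) {
  for (const line of formatStateLines(state, source)) console.log(line);
}

printState(SAMPLE_STATE, "env");
```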

BENZOOgataga and others added 2 commits February 15, 2026 02:29
…nsitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@BENZOOgataga BENZOOgataga marked this pull request as ready for review February 15, 2026 02:03
Copilot AI review requested due to automatic review settings February 15, 2026 02:03
greptile-apps Bot commented Feb 15, 2026

No reviewable files after applying ignore patterns.

Copilot AI left a comment

Copilot wasn't able to review any files in this pull request.
