

@roto31 roto31 commented Dec 30, 2025

Description

Brief description of changes

Type of Change

  • Bug fix
  • New feature
  • Documentation update
  • Performance improvement
  • Code refactoring
  • Distribution update

Testing

  • Tested on macOS
  • Tested on Windows
  • Tested on Linux
  • Tested in containers (Docker/Kubernetes)

Checklist

  • Code follows project style guidelines
  • Self-review completed
  • Comments added for complex code
  • Documentation updated
  • No new warnings generated
  • Tests pass (if applicable)
  • Install scripts tested (if applicable)

Related Issues

Closes #(issue number)

Screenshots (if applicable)

Add screenshots to help explain your changes.

Additional Notes

Any additional information that reviewers should know.

            )
            for secret in secrets_found:
                env_var = secret.upper().replace(".", "_").replace("-", "_")
                logger.warning(f"  - {secret} -> Set STREAMTV_{env_var} environment variable")

Check failure

Code scanning / CodeQL

Clear-text logging of sensitive information (High)

This expression logs sensitive data (secret) as clear text.

Copilot Autofix

AI 7 days ago

In general, to fix clear-text logging of sensitive information, avoid including any data derived from secrets in log messages. Log only high-level, non-sensitive information (e.g., that a secret is misconfigured) and, if necessary, generic identifiers that are not tainted by secret-handling flows.

For this specific case, the minimal, behavior-preserving fix is to change the per-secret warning so it no longer interpolates the secret value (which CodeQL taints) into the message. Instead, we can log only the derived environment variable name, or even a fully generic message. The core functionality here is to tell users to use environment variables instead of config-file secrets; that can be achieved by logging the recommended environment variable names alone.

Concretely:

  • In Config._warn_secrets_in_config, keep building secrets_found the same way.
  • Keep the initial high-level warning at lines 268–271 as-is.
  • Change the loop at lines 272–274 so that:
    • We no longer include secret in the formatted log string.
    • We only mention the environment variable name to set, e.g. " - Set STREAMTV_{env_var} environment variable".
  • This removes tainted data from the log sink while preserving the user guidance.

No new methods or imports are required.

Suggested changeset 1
streamtv/config.py

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/streamtv/config.py b/streamtv/config.py
--- a/streamtv/config.py
+++ b/streamtv/config.py
@@ -271,7 +271,7 @@
             )
             for secret in secrets_found:
                 env_var = secret.upper().replace(".", "_").replace("-", "_")
-                logger.warning(f"  - {secret} -> Set STREAMTV_{env_var} environment variable")
+                logger.warning(f"  - Set STREAMTV_{env_var} environment variable")
             logger.warning(
                 "See .env.example for a template of all environment variables."
             )
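Review bot: the new line still interpolates `env_var`, which the unchanged line above computes from `secret` via `.upper().replace(".", "_").replace("-", "_")`; if CodeQL's taint tracking follows those string methods, the same alert will reappear on the replacement line, so re-run the scan on this change rather than assuming the alert is cleared. The dot-to-underscore rewrite indicates `secret` is a dotted config key path (so `STREAMTV_{env_var}` exposes only the key name, which is all the user needs to act), but nothing in the hunk states that; a one-line comment above the loop saying that `secrets_found` holds key paths, never values, would make that invariant explicit for the next reader and for the scanner.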
EOF
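As an added example (not code from this PR or from the streamtv project), the pattern the autofix arrives at, written out so it can be checked end to end: the scanner returns dotted key paths and never values, each warning line names only the STREAMTV_* variable derived from that path, and the returned lines let a test assert that no configured value reached the log. The secret-key pattern, the function names and the sample config are assumptions; only the STREAMTV_ prefix and the `.`/`-` to `_` mapping come from the page.

```python
import logging
import re
from typing import Any, Dict, List

logger = logging.getLogger("streamtv.config")

# Assumption (not from the page): a config key whose name ends like this is a secret.
_SECRET_KEY = re.compile(r"(password|passwd|secret|token|api[_-]?key)$", re.IGNORECASE)

def find_secret_keys(config: Dict[str, Any], prefix: str = "") -> List[str]:
    """Return the dotted key paths of secret-looking entries; values are never returned."""
    found: List[str] = []
    for key, value in config.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            found.extend(find_secret_keys(value, path))
        elif _SECRET_KEY.search(key) and value not in (None, ""):
            found.append(path)
    return found

def env_var_for(path: str) -> str:
    """Map a dotted key path to the STREAMTV_* name, using the mapping from the page."""
    return "STREAMTV_" + path.upper().replace(".", "_").replace("-", "_")

def secret_warnings(config: Dict[str, Any]) -> List[str]:
    """Build the per-secret lines; each names only the variable to set, as in the autofix."""
    return [f"  - Set {env_var_for(p)} environment variable" for p in find_secret_keys(config)]

def warn_secrets_in_config(config: Dict[str, Any]) -> List[str]:
    """Emit the warnings and return the lines so a test can check what reached the log."""
    lines = secret_warnings(config)
    if lines:
        logger.warning("Secrets found in the config file; set them as environment variables:")
        for line in lines:
            logger.warning(line)
        logger.warning("See .env.example for a template of all environment variables.")
    return lines

# Constructed sample config; the values are fake placeholders, not real credentials.
SAMPLE_CONFIG: Dict[str, Any] = {
    "server": {"port": 8080},
    "tmdb": {"api-key": "FAKE-TMDB-KEY-123"},
    "database": {"password": "FakePassw0rd!", "host": "db"},
}

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    warn_secrets_in_config(SAMPLE_CONFIG)
```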