Summary
The cookies read command in browse/src/read-commands.ts:300 returns the full cookie jar verbatim via JSON.stringify(cookies, null, 2). The storage command in the same file (line 316) goes out of its way to redact sensitive values matching token/key/password patterns. This inconsistency leaks session cookies and auth material to any caller that can invoke browse read commands.
Related
#18 (closed) fixed sensitive value leaks in type and cookie commands but missed the cookies read command.
Fix
PR #664 applies the same pattern-based redaction to cookie values (sensitive name patterns + known token prefixes like eyJ, sk-, ghp_, etc.). Regex constants are exported for test coverage.
Found via sqry AST-based semantic code graph analysis.
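The redaction approach described in the issue, sketched as an added example (not code from the issue, PR #664, or the project): a cookie value is masked when its name looks sensitive or its value starts with one of the token prefixes named above. The regexes, the `Cookie` shape, the function names and the sample jar are assumptions made for illustration.

```typescript
// Added example. Regexes and names below are assumptions for illustration,
// not the constants exported by PR #664.
interface Cookie {
  name: string;
  value: string;
  domain?: string;
  httpOnly?: boolean;
}

const REDACTED = "[REDACTED]";
// Cookie names that typically carry auth material (assumed list).
const SENSITIVE_COOKIE_NAME = /(token|secret|key|password|auth|session|jwt|csrf)/i;
// Value prefixes named in the issue: JWT header (eyJ), sk- keys, GitHub tokens (ghp_).
const SENSITIVE_VALUE_PREFIX = /^(eyJ|sk-|ghp_)/;

// Mask the value if either the cookie name or the value itself looks sensitive.
function redactCookieValue(name: string, value: string): string {
  if (value.length === 0) return value; // nothing to leak
  if (SENSITIVE_COOKIE_NAME.test(name) || SENSITIVE_VALUE_PREFIX.test(value)) {
    return REDACTED;
  }
  return value;
}

// Copy each cookie so the live jar is never mutated, only the output.
function redactCookies(cookies: Cookie[]): Cookie[] {
  return cookies.map((c) => ({ ...c, value: redactCookieValue(c.name, c.value) }));
}

// What a read command would return instead of JSON.stringify(cookies, null, 2).
function formatCookies(cookies: Cookie[]): string {
  return JSON.stringify(redactCookies(cookies), null, 2);
}

// Constructed sample jar; none of these values are real credentials.
const sampleJar: Cookie[] = [
  { name: "session_id", value: "a1b2c3d4e5", domain: "app.example", httpOnly: true },
  { name: "prefs", value: "eyJhbGciOiJIUzI1NiJ9.e30.sig", domain: "app.example" },
  { name: "gh", value: "ghp_EXAMPLEnotARealToken", domain: "app.example" },
  { name: "theme", value: "dark", domain: "app.example" },
];

console.log(formatCookies(sampleJar));
```

The `prefs` and `gh` entries show why the value-prefix check matters: their names look harmless, so name matching alone would let the token through.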