[Security]: Config API redaction does not cover browser.cdpUrl paths #67656

@Ziy1-Tan

Description

Sub-issue of #64046

Maintainer requirements

  • Scope: ensure all config response surfaces apply the same secret-redaction policy.
  • Deliverable: unified redaction behavior for parsed/source/runtime style snapshots.
  • Acceptance criteria: no plaintext secrets in read-scoped config responses; regression tests for provider keys, gateway tokens, URL tokens, and SecretRef variants.

Problem

browser.cdpUrl and browser.profiles.*.cdpUrl bypass all three redaction gates:

| Redaction gate | Why cdpUrl is missed |
| --- | --- |
| Schema `.register(sensitive)` | Not registered (zod-schema.ts lines 360, 387) |
| Path-name pattern (`/token$/i`, `/api.?key$/i`, …) | `cdpUrl` doesn't match any suffix |
| URL-path match (`.baseUrl`, `.httpUrl`, `mcp.servers.*.url`) | `.cdpUrl` not listed in `isSensitiveUrlConfigPath()` |

Result: config.get returns plaintext credentials in all five snapshot fields (raw, parsed, sourceConfig, runtimeConfig, resolved).

cdpUrl credential formats (from docs/tools/browser.md)

| Format | Example |
| --- | --- |
| Query token | `https://chrome.browserless.io?token=<secret>` |
| HTTP Basic auth | `https://user:pass@chrome.example.com` |

"Treat remote CDP URLs/tokens as secrets" — docs/tools/browser.md

Field coverage audit

| Config path | Embeds credentials? | Covered? |
| --- | --- | --- |
| models.providers.*.baseUrl | Yes | Yes |
| mcp.servers.*.url | Yes | Yes |
| gateway.auth.token / .password | Yes | Yes |
| gateway.remote.token / .password | Yes | Yes |
| cron.webhookToken | Yes | Yes |
| skills.*.apiKey | Yes | Yes |
| browser.cdpUrl | Yes | No |
| browser.profiles.*.cdpUrl | Yes | No |
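As an added example (not the project's own code), the sketch below applies one redaction policy to every config path, treating `browser.cdpUrl` and `browser.profiles.*.cdpUrl` the same way as the URL paths the issue lists as already covered, and masks both credential formats from the docs (query token and HTTP Basic userinfo). The regex lists, the `redactConfig` walker, the sample config and the `/password$/i` pattern are assumptions; only the `isSensitiveUrlConfigPath` name comes from the issue, and the project's real signature is not known here.

```typescript
// Added example, not the project's code: one redaction policy for all config paths.
const REDACTED = "***";
// Key-name patterns from the issue's path-name gate (password added as an assumption).
const SENSITIVE_NAME_PATTERNS = [/token$/i, /api.?key$/i, /password$/i];
// URL-valued paths whose credentials live inside the URL string itself.
const SENSITIVE_URL_PATHS = [
  /^models\.providers\.[^.]+\.baseUrl$/,
  /^mcp\.servers\.[^.]+\.url$/,
  /^browser\.cdpUrl$/, // the two paths the issue reports as missed
  /^browser\.profiles\.[^.]+\.cdpUrl$/,
];
const isSensitiveUrlConfigPath = (path: string): boolean =>
  SENSITIVE_URL_PATHS.some((re) => re.test(path));

// Masks HTTP Basic userinfo and credential-bearing query params; non-URLs pass through.
function redactUrlCredentials(value: string): string {
  let url: URL;
  try { url = new URL(value); } catch { return value; }
  let changed = false;
  if (url.username) { url.username = REDACTED; changed = true; }
  if (url.password) { url.password = REDACTED; changed = true; }
  for (const name of Array.from(url.searchParams.keys())) {
    if (SENSITIVE_NAME_PATTERNS.some((re) => re.test(name))) {
      url.searchParams.set(name, REDACTED);
      changed = true;
    }
  }
  return changed ? url.href : value; // untouched values keep their original spelling
}

// Walks a parsed config object: redact by key name first, then by URL path.
function redactConfig(node: unknown, prefix = ""): unknown {
  if (node === null || typeof node !== "object") return node;
  const out: Record<string, unknown> = {};
  for (const [key, value] of Object.entries(node as Record<string, unknown>)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (typeof value === "string" && SENSITIVE_NAME_PATTERNS.some((re) => re.test(key))) {
      out[key] = REDACTED;
    } else if (typeof value === "string" && isSensitiveUrlConfigPath(path)) {
      out[key] = redactUrlCredentials(value);
    } else {
      out[key] = redactConfig(value, path);
    }
  }
  return out;
}

const sampleConfig = { // constructed sample; credential values are placeholders
  browser: { cdpUrl: "https://chrome.browserless.io?token=tok_constructed",
    profiles: { work: { cdpUrl: "https://user:pass@chrome.example.com" } } },
  gateway: { auth: { token: "gw-constructed" } },
};
```

Running `redactConfig(sampleConfig)` yields a snapshot in which both cdpUrl values keep their host but lose the token and the userinfo, which is the behaviour the acceptance criteria ask for across every snapshot field.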
