fix: Expand sanitizeURL secrets redactions

[YooLCD]

Expand sanitizeURL to cover access_token and token

Only client_secret was being redacted. access_token and token are equally
sensitive and can appear in query parameters, leaking into error logs via url.Error.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.74%. Comparing base (f293a76) to head (3b41c36).
⚠️ Report is 4 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #4126      +/-   ##
==========================================
+ Coverage   93.72%   93.74%   +0.02%     
==========================================
  Files         211      211              
  Lines       19621    19685      +64     
==========================================
+ Hits        18389    18453      +64     
  Misses       1034     1034              
  Partials      198      198              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[gmlewis]

This looks great, @YooLCD... thank you!
Awaiting second LGTM+Approval from any other contributor to this repo before merging.

cc: @stevehipwell - @alexandear - @zyfy29 - @Not-Dhananjay-Mishra - @munlicode

[stevehipwell]

@YooLCD you've just overwritten the changes in your first commit with your second commit!?

[YooLCD]

@YooLCD you've just overwritten the changes in your first commit with your second commit!?

Sorry, that was my mistake. Restored in the latest commit.

[stevehipwell]

I'm not sure I follow why this code is required? The existing code was working correctly as the standard library handles setting req.GetBody. I can't see any value in adding this code to make it "explicit"?

[YooLCD]

Thanks for catching this. Dropping the GetBody change as the standard library already handles it correctly.

[stevehipwell]

@YooLCD why did you make the change in the first place?

[YooLCD]

I incorrectly assumed the body would be empty on retry. After investigation, Go's http.Client handles it correctly via GetBody. Sorry for the noise.

[alexandear]

@YooLCD why did you make the change in the first place?

Because this PR was made by an AI agent, and it sometimes hallucinates.

[stevehipwell]

Because this PR was made by an AI agent, and it sometimes hallucinates.

@alexandear I wasn't sure if that was a question we were permitted to ask.

[gmlewis]

Please update the PR description accordingly.

[YooLCD]

Updated the PR description to reflect the remaining change only.
I also want to sincerely apologize for the confusion caused by the GetBody change — I submitted it without sufficient verification and it turned out to be unnecessary. I'm sorry for the noise.

[gmlewis]

Thank you, @alexandear and @stevehipwell for performing a deep analysis of this PR which I unfortunately neglected to do.

Previously, I relied perhaps too heavily on users reporting issues and providing solutions, often assuming these were factual accounts of problems they encountered.

In the age of AI, it is becoming increasingly apparent that agents can generate incredibly well-written descriptions of issues and accompanying solutions. This makes it challenging to distinguish genuine problems from convincing AI-generated ones.

[gmlewis]

@stevehipwell and @alexandear - are all your concerns addressed and this can be merged?

[gmlewis]

Thank you, all!
LGTM.
Merging.