From adccc86ca9d0810c8c51930b7bc0b19199d1094e Mon Sep 17 00:00:00 2001
From: Greyforge Admin
Date: Tue, 19 May 2026 23:10:02 -0400
Subject: [PATCH] Mask login tokens with UTF-8 safe slicing

---
 src/cortex-login/src/utils.rs | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/src/cortex-login/src/utils.rs b/src/cortex-login/src/utils.rs
index d6d9d562a..cf78b620a 100644
--- a/src/cortex-login/src/utils.rs
+++ b/src/cortex-login/src/utils.rs
@@ -5,11 +5,13 @@ use std::path::Path;
 
 /// Mask an API key for safe display.
 pub fn safe_format_key(key: &str) -> String {
- if key.len() <= 13 {
+ let char_count = key.chars().count();
+ if char_count <= 13 {
 return "***".to_string();
 }
- let prefix = &key[..8];
- let suffix = &key[key.len() - 5..];
+
+ let prefix: String = key.chars().take(8).collect();
+ let suffix: String = key.chars().skip(char_count - 5).collect();
 format!("{prefix}***{suffix}")
 }
 
@@ -46,4 +48,16 @@ mod tests {
 let key = "sk-proj-12345";
 assert_eq!(safe_format_key(key), "***");
 }
+
+ #[test]
+ fn test_safe_format_key_non_ascii_boundary() {
+ let key = "aaaaaaaéaaaaa";
+ assert_eq!(safe_format_key(key), "***");
+ }
+
+ #[test]
+ fn test_safe_format_key_long_non_ascii() {
+ let key = "sk-proj-ééééééé-token";
+ assert_eq!(safe_format_key(key), "sk-proj-***token");
+ }
 }
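Review bot: The `char_count <= 13` cutoff in `safe_format_key` still lets a 14-character key through with 8 + 5 = 13 of its characters printed, so only one character is actually hidden; the UTF-8 fix carries that boundary over unchanged. For a function documented as masking a key for safe display, consider requiring a minimum hidden span, e.g. `if char_count < 8 + 5 + 8 { return "***".to_string(); }` (the trailing 8 is an illustrative value, not a project constant). The doc comment could also state the contract now that lengths are counted in `char`s: `/// Shows the first 8 and last 5 characters; keys of 13 characters or fewer are fully masked.`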
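Review bot: `test_safe_format_key_long_non_ascii` would also pass against the old byte-slicing code, because in `"sk-proj-ééééééé-token"` both byte 8 and the last five bytes fall on character boundaries, so it does not pin the behaviour this commit introduces. A key with a multi-byte character inside the first 8 or last 5 characters would discriminate, for example (constructed sample) `let key = "sk-proé-0123456789-tokén";` with `assert_eq!(safe_format_key(key), "sk-proé-***tokén");`. Only `test_safe_format_key_non_ascii_boundary` currently exercises the former panic path. `mod tests` begins outside this hunk.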