fix(security): securely authenticate git clone and redact log tokens

[tamilr0727-ux]

Description

Removes GitHub Personal Access Token (PAT) exposure from the repository cloning workflow in app/api/architecture/route.ts and prevents credential leakage through process arguments and application logs.

Problem

The architecture analysis route constructed clone URLs using embedded credentials:

https://username:${process.env.GITHUB_TOKEN}@github.com/${fullName}.git

This created two critical security risks:

Process Table Exposure

The token became part of the git clone command line, making it potentially visible through:

• ps aux
• Process monitoring tools
• Container host inspection
• Debugging and observability platforms

Log Exposure

When clone operations failed, the full repository URL was logged:

logger.error('Failed to clone repository', { repoUrl });

This could expose credentials through:

• Application logs
• Log aggregation platforms
• Monitoring systems
• Error reporting tools

Changes

Secure Repository Authentication

• Removed token embedding from repository URLs.
• Updated repository cloning workflow to use a safer authentication mechanism.
• Prevented credentials from being included in process arguments.

Logging Hardening

• Added sanitization before logging repository information.
• Ensured GitHub tokens are never written to logs.
• Replaced sensitive values with redacted placeholders where applicable.

Error Handling Improvements

• Preserved diagnostic information required for debugging.
• Removed exposure of authentication credentials from failure paths.
• Maintained existing error reporting behavior without leaking secrets.

Security Impact

Before

• GitHub PAT visible in process listings.
• GitHub PAT written to logs on clone failures.
• Potential credential exposure through monitoring and logging systems.

After

• No credentials embedded in clone URLs.
• No credentials exposed through application logs.
• Reduced attack surface for repository access tokens.

Test Coverage

Added tests covering:

1. Repository clone execution without token exposure in URLs.
2. Sanitized logging during clone failures.
3. Redaction of sensitive authentication values.
4. Error-path handling without credential leakage.
5. Preservation of expected clone and analysis behavior.

Validation

✅ All tests pass successfully.

✅ Clone operations continue to function correctly.

✅ GitHub tokens no longer appear in logged metadata.

✅ Credentials are not exposed through process arguments.

Impact

• Eliminates a critical credential-leak vulnerability.
• Improves compliance with secure credential-handling practices.
• Protects GitHub access tokens from accidental disclosure.
• Provides regression protection against future secret exposure issues.

Fixes #6185

Pillar

• 🎨 Pillar 1 — New Theme Design
• 📐 Pillar 2 — Geometric SVG Improvement
• 🕐 Pillar 3 — Timezone Logic Optimization
• 🛠️ Other (Bug fix, refactoring, docs)

Visual Preview

Can Check in the Files Changed Section

Checklist before requesting a review:

• I have read the CONTRIBUTING.md file.
• I have tested these changes locally (localhost:3000/api/streak?user=YOUR_USERNAME).
• I have run npm run format and npm run lint locally and resolved all errors (CI will fail otherwise).
• My commits follow the Conventional Commits format (e.g., feat(themes): ..., fix(calculate): ...).
• I have updated README.md if I added a new theme or URL parameter.
• I have started the repo.
• I have made sure that i have only one commit to merge in this PR.
• The SVG output matches the CommitPulse "premium quality" aesthetic standard (no raw elements, smooth animations, correct fonts).
• (Recommended) I joined the CommitPulse Discord community for contributor discussions, mentorship, and faster PR support.

[vercel]

@tamilr0727-ux is attempting to deploy a commit to the jhasourav07's projects Team on Vercel.

A member of the Team first needs to authorize it.

[github-actions]

📦 Next.js Bundle Size Report (Gzipped Sizes)

✨ No significant bundle size changes detected.

📊 Summary of Totals

Category	PR Size	Base Size	Difference
Total JS	3697.00 KB	3697.00 KB	0 B
Total CSS	296.58 KB	296.58 KB	0 B

[Aamod-Dev]

Thank you for addressing the GitHub PAT exposure in app/api/architecture/route.ts. Removing the token from the clone URL and sanitizing the logs is the right approach to prevent credential leakage. Adding tests in app/api/architecture/route.test.ts is also a great addition. Approved!