
Conversation

@moonbox3
Contributor

@moonbox3 moonbox3 commented Feb 3, 2026

Potential fix for https://github.com/microsoft/agent-framework/security/code-scanning/48

In general, to fix clear-text logging of sensitive information, avoid logging the full sensitive value. Instead, either omit it entirely from logs or log only a non-sensitive snippet or a redacted/masked version. The code already has a log_value flag meant precisely to control this behavior; the correct fix is to ensure that this flag is respected consistently in all logging paths.

Concretely, in _try_powerfx_eval, the except block currently always logs the full value when safe_mode is True (since that’s the default path) and conditionally logs a snippet only when log_value is False. To preserve current observability while protecting sensitive values, we can: (1) compute a value_repr string that is either the full value or a truncated snippet depending on log_value, and (2) always use value_repr in the log message instead of value directly. This way, callers like ApiKeyConnection that pass log_value=False will never cause the full API key to be logged, regardless of _safe_mode_context. The change is local to _try_powerfx_eval in python/packages/declarative/agent_framework_declarative/_models.py; no new imports or helpers are required.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…ensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
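To make the pattern in the PR description concrete, here is an added illustration that is not the agent-framework project's code: a "before" function with the bug the description reports (the safe_mode path logs the full value and ignores log_value) beside a hardened one that computes a single value_repr and uses it in every log line. Everything in it is an assumption made for the demo: evaluate_expression stands in for the real PowerFx evaluator, SNIPPET_CHARS is the snippet length, safe_mode is taken to mean "swallow the error and return None" rather than "log and re-raise", and the API key is a constructed sample.

```python
"""Added example (not the agent-framework project's _try_powerfx_eval):
respecting a log_value flag on every logging path of an evaluator.

Assumptions: evaluate_expression stands in for the PowerFx evaluator,
SNIPPET_CHARS is the snippet length, and safe_mode=True means the error
is swallowed and None returned, safe_mode=False means it is re-raised.
"""
import logging
from typing import Callable, List, Optional, Tuple

logger = logging.getLogger("powerfx_eval_example")
logger.setLevel(logging.DEBUG)

SNIPPET_CHARS = 10  # assumption: how much of a non-sensitive value to show


def evaluate_expression(value: str) -> str:
    """Stand-in evaluator (assumption). Anything starting with '=' is treated
    as a PowerFx expression that fails, so the logging path is exercised;
    plain literals are returned unchanged."""
    if value.startswith("="):
        raise ValueError("expression evaluation not supported in this demo")
    return value


def _snippet(value: str) -> str:
    """Non-sensitive representation of value for log lines."""
    if len(value) <= SNIPPET_CHARS:
        # Too short to show a prefix without revealing most of the secret.
        return "<redacted>"
    return f"{value[:SNIPPET_CHARS]}...[{len(value)} chars]"


def vulnerable_eval(value: str, *, safe_mode: bool = True,
                    log_value: bool = False) -> Optional[str]:
    """'Before' shape: on the safe_mode path the full value reaches the log
    no matter what log_value says; the snippet is only used elsewhere."""
    try:
        return evaluate_expression(value)
    except Exception as exc:
        if safe_mode:
            # BUG: log_value is ignored here, so an API key passed with
            # log_value=False is still written out in clear text.
            logger.warning("PowerFx eval failed for %s: %s", value, exc)
            return None
        if not log_value:
            logger.warning("PowerFx eval failed for %s: %s", _snippet(value), exc)
        raise


def hardened_eval(value: str, *, safe_mode: bool = True,
                  log_value: bool = False) -> Optional[str]:
    """'After' shape: value_repr is derived once from log_value and is the
    only thing that ever appears in a log message."""
    try:
        return evaluate_expression(value)
    except Exception as exc:
        value_repr = value if log_value else _snippet(value)
        logger.warning("PowerFx eval failed for %s: %s", value_repr, exc)
        if safe_mode:
            return None
        raise


class _ListHandler(logging.Handler):
    """Collects formatted log messages so callers can inspect them."""

    def __init__(self) -> None:
        super().__init__()
        self.messages: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.messages.append(self.format(record))


def capture_logs(fn: Callable[..., Optional[str]], value: str,
                 **kwargs) -> Tuple[Optional[str], List[str]]:
    """Run fn(value, **kwargs) and return (result, log messages emitted)."""
    handler = _ListHandler()
    logger.addHandler(handler)
    try:
        result = fn(value, **kwargs)
    finally:
        logger.removeHandler(handler)
    return result, handler.messages


def leaks_secret(fn: Callable[..., Optional[str]], secret: str) -> bool:
    """True if evaluating an expression built from secret with
    log_value=False writes the full secret to the log."""
    _, messages = capture_logs(fn, "=" + secret, log_value=False)
    return any(secret in m for m in messages)


if __name__ == "__main__":
    key = "sk-live-0123456789abcdef0123456789abcdef"  # constructed sample
    print("vulnerable leaks full key:", leaks_secret(vulnerable_eval, key))
    print("hardened leaks full key:  ", leaks_secret(hardened_eval, key))
```

The point of computing value_repr before any branch is that a later refactor of the safe_mode logic cannot reintroduce the leak: there is no code path left that has the raw value in hand at a logging call. The short-value rule in _snippet is a deliberate extra: a ten-character prefix of a twelve-character token is most of the token, so the demo refuses to show a prefix at all in that case. A caller that passes log_value=False for a credential, as the description says ApiKeyConnection does, gets at most the prefix and length in the log.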
@github-actions github-actions bot changed the title Potential fix for code scanning alert no. 48: Clear-text logging of sensitive information Python: Potential fix for code scanning alert no. 48: Clear-text logging of sensitive information Feb 3, 2026
@markwallace-microsoft
Member

Python Test Coverage

Python Test Coverage Report

File    Stmts   Miss   Cover   Missing
TOTAL   16250   1982   87%
report-only-changed-files is enabled. No files were changed during this commit :)

Python Unit Test Overview

Tests Skipped Failures Errors Time
3742 221 💤 0 ❌ 0 🔥 1m 7s ⏱️


3 participants