Summary
The -R flag is currently used to ensure the tokens are not logged. Today, however, logs can still include values that users may be uncomfortable posting publicly, such as Azure Artifacts feed URLs. While these values are not secrets, they can still reveal tenant, org, or environment details and often cause users to hesitate when sharing logs.
Proposed change
Expand the existing -R redaction behavior to also redact Azure Artifacts feed URLs. Redaction should be best‑effort and clearly indicated (e.g. <REDACTED_FEED_URL>), while preserving enough context to keep logs useful for troubleshooting.
Non‑goals
No change to logging behavior when -R is not specified
No claim that these values are secrets - this is about debugging usability and confidence, not security severity
Summary
The -R flag is currently used to ensure the tokens are not logged. Today, however, logs can still include values that users may be uncomfortable posting publicly, such as Azure Artifacts feed URLs. While these values are not secrets, they can still reveal tenant, org, or environment details and often cause users to hesitate when sharing logs.
Proposed change
Expand the existing -R redaction behavior to also redact Azure Artifacts feed URLs. Redaction should be best‑effort and clearly indicated (e.g. <REDACTED_FEED_URL>), while preserving enough context to keep logs useful for troubleshooting.
Non‑goals
No change to logging behavior when -R is not specified
No claim that these values are secrets - this is about debugging usability and confidence, not security severity