fix: redact sensitive credentials from command logs

Use the existing redact_text_secrets utility to redact sensitive environment
variables and credentials (API keys, tokens, etc.) from logged command
output. This prevents credentials from appearing in logs when passed to
subprocesses via environment variables or command-line arguments.

Changes:
- Import redact_text_secrets from openhands.sdk.utils.redact
- Apply redaction to all logged commands in execute_command()
- Leverages existing comprehensive secret detection patterns:
  - API keys from major providers (OpenAI, Anthropic, HuggingFace, etc.)
  - Bearer tokens and session tokens
  - Database and service credentials
  - URL query parameters with sensitive values

Security Impact:
- Credentials (LMNR_PROJECT_API_KEY, API keys, tokens) no longer appear
  in logger output for commands like "docker run", "python", etc.
- Prevents leaks to Datadog, CloudWatch, and other log aggregators
- Maintains command structure for debugging (shows "KEY=<redacted>")

Example:
  Before: "$ docker run -e LMNR_PROJECT_API_KEY=sk-... -e RUNTIME_API_KEY=..."
  After:  "$ docker run -e LMNR_PROJECT_API_KEY=<redacted> -e RUNTIME_API_KEY=<redacted>"

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

Author: Debug Agent

openhands-sdk/openhands/sdk/utils/command.py

@@ -6,6 +6,7 @@
 from collections.abc import Mapping
 
 from openhands.sdk.logger import get_logger
+from openhands.sdk.utils.redact import redact_text_secrets
 
 
 logger = get_logger(__name__)
@@ -61,11 +62,14 @@ def execute_command(
     if isinstance(cmd, str):
         cmd_to_run = cmd
         use_shell = True
-        logger.info("$ %s", cmd)
+        cmd_str = cmd
     else:
         cmd_to_run = cmd
         use_shell = False
-        logger.info("$ %s", " ".join(shlex.quote(c) for c in cmd))
+        cmd_str = " ".join(shlex.quote(c) for c in cmd)
+
+    # Log the command with sensitive values redacted
+    logger.info("$ %s", redact_text_secrets(cmd_str))
 
     proc = subprocess.Popen(
         cmd_to_run,