fix: add AKIA and 0x private key redaction, preserve scan diagnostics

- redact_secrets now covers AWS AKIA keys and 0x-prefixed private keys,
  matching all patterns that scan_for_secrets detects
- file-action-issue.sh no longer suppresses stderr from scan_for_secrets,
  so blocked-issue diagnostics reach the caller's log

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

lib/file-action-issue.sh

@@ -17,7 +17,7 @@ file_action_issue() {
   FILED_ISSUE_NUM=""
 
   # Secret scan: reject issue bodies containing embedded secrets
-  if ! scan_for_secrets "$body" 2>/dev/null; then
+  if ! scan_for_secrets "$body"; then
     echo "file-action-issue: BLOCKED — issue body for '${formula_name}' contains potential secrets. Use env var references instead." >&2
     return 4
   fi

lib/secret-scan.sh

@@ -79,6 +79,12 @@ scan_for_secrets() {
 redact_secrets() {
   local text="${1:-$(cat)}"
 
+  # Replace AWS AKIA keys
+  text=$(printf '%s' "$text" | sed -E 's/AKIA[0-9A-Z]{16}/[REDACTED]/g')
+
+  # Replace Ethereum private keys (0x + 64 hex chars)
+  text=$(printf '%s' "$text" | sed -E 's/0x[0-9a-fA-F]{64}/[REDACTED]/g')
+
   # Replace long hex strings (32+ chars) not preceded by $ (env var refs)
   text=$(printf '%s' "$text" | sed -E 's/([^$]|^)([0-9a-fA-F]{32,})/\1[REDACTED]/g')