Harden secret masking using regex or core.setSecret

`maskSensitiveInfo()` in src/security/security.ts uses `String.prototype.replaceAll` to scrub tokens, which can miss edge cases when secrets contain regex‑like substrings or overlaps. Switch to an escaped‑regex approach (escapeRegExp) or leverage `core.setSecret()` for reliable masking in logs.