Reduce credential exposure in bucket mounting

Remove credentials from MountInfo to minimize sensitive data
in Durable Object memory. Password file provides sufficient
access for s3fs without retaining credentials.

Remove endpoint URL from mount debug log to prevent account
ID exposure in production logs.

Author: ghostwriternr

packages/sandbox/src/sandbox.ts

@@ -261,7 +261,6 @@ export class Sandbox<Env = unknown> extends Container<Env> implements ISandbox {
       mountPath,
       endpoint: options.endpoint,
       provider,
-      credentials,
       passwordFilePath,
       mounted: false
     });
@@ -289,7 +288,6 @@ export class Sandbox<Env = unknown> extends Container<Env> implements ISandbox {
         mountPath,
         endpoint: options.endpoint,
         provider,
-        credentials,
         passwordFilePath,
         mounted: true
       });
@@ -463,7 +461,9 @@ export class Sandbox<Env = unknown> extends Container<Env> implements ISandbox {
     const optionsStr = shellEscape(s3fsArgs.join(','));
     const mountCmd = `s3fs ${shellEscape(bucket)} ${shellEscape(mountPath)} -o ${optionsStr}`;
 
-    this.logger.debug(`Executing mount command: ${mountCmd}`, {
+    this.logger.debug('Executing s3fs mount', {
+      bucket,
+      mountPath,
       provider,
       resolvedOptions
     });

packages/sandbox/src/storage-mount/types.ts

@@ -2,7 +2,7 @@
  * Internal bucket mounting types
  */
 
-import type { BucketCredentials, BucketProvider } from '@repo/shared';
+import type { BucketProvider } from '@repo/shared';
 
 /**
  * Internal tracking information for active mounts
@@ -12,7 +12,6 @@ export interface MountInfo {
   mountPath: string;
   endpoint: string;
   provider: BucketProvider | null;
-  credentials: BucketCredentials;
   passwordFilePath: string;
   mounted: boolean;
 }