Fix create_default_sanitizer to only collect #-prefixed secret values

Replaces extract_values() with _collect_hash_values() so that non-sensitive
metadata fields (oauthVersion, id, created, etc.) are skipped. Previously,
short values like "2.0" were added to sensitive_values, causing URL path
corruption in cassettes (e.g. api.xro/2.0 → api.xro/REDACTED).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: matyas-jirat-keboola

src/keboola/vcr/sanitizers.py

@@ -789,17 +789,21 @@ def create_default_sanitizer(secrets: dict[str, Any]) -> DefaultSanitizer:
     """
     Create a default sanitizer from secrets.
 
-    Extracts all string values from the secrets dict and returns a
-    DefaultSanitizer that handles OAuth bodies, JSON responses, headers,
-    and URL parameters automatically.
+    Collects only values under #-prefixed keys (Keboola's encrypted-field
+    convention) and returns a DefaultSanitizer that handles OAuth bodies,
+    JSON responses, headers, and URL parameters automatically.
+
+    Non-sensitive metadata fields (oauthVersion, id, created, etc.) are
+    intentionally skipped to avoid corrupting URL paths in cassettes.
 
     Args:
         secrets: Dictionary of secret values to redact
 
     Returns:
         A DefaultSanitizer with extracted secret values
     """
-    secret_values = extract_values(secrets, [])
+    secret_values: list[str] = []
+    _collect_hash_values(secrets, secret_values)
     return DefaultSanitizer(sensitive_values=secret_values)