diff --git a/tests/agent/test_redact.py b/tests/agent/test_redact.py
index 6b7cfa586..83b1b4d1a 100644
--- a/tests/agent/test_redact.py
+++ b/tests/agent/test_redact.py
@@ -82,6 +82,38 @@ class TestEnvAssignments:
         result = redact_sensitive_text(text)
         assert result == text
 
+    def test_lowercase_python_variable_token_unchanged(self):
+        # Regression: #4367 — lowercase 'token' assignment must not be redacted
+        text = "before_tokens = response.usage.prompt_tokens"
+        result = redact_sensitive_text(text)
+        assert result == text
+
+    def test_lowercase_python_variable_api_key_unchanged(self):
+        # Regression: #4367 — lowercase 'api_key' must not be redacted
+        text = "api_key = config.get('api_key')"
+        result = redact_sensitive_text(text)
+        assert result == text
+
+    def test_typescript_await_token_unchanged(self):
+        # Regression: #4367 — 'await' keyword must not be redacted as a secret value
+        text = "const token = await getToken();"
+        result = redact_sensitive_text(text)
+        assert result == text
+
+    def test_typescript_await_secret_unchanged(self):
+        # Regression: #4367 — similar pattern with 'secret' variable
+        text = "const secret = await fetchSecret();"
+        result = redact_sensitive_text(text)
+        assert result == text
+
+    def test_export_whitespace_preserved(self):
+        # Regression: #4367 — whitespace before uppercase env var must be preserved
+        text = "export SECRET_TOKEN=mypassword"
+        result = redact_sensitive_text(text)
+        assert result.startswith("export ")
+        assert "SECRET_TOKEN=" in result
+        assert "mypassword" not in result
+
 
 class TestJsonFields:
     def test_json_api_key(self):