val isMasked = b1 and B1_FLAG_MASK != 0
    if (isMasked == isClient) {
      // Masked payloads must be read on the server. Unmasked payloads must be read on the client.
      throw ProtocolException(
        if (isClient) {
          "Server-sent frames must not be masked."
        } else {
          "Client-sent frames must be masked."
        },
      )
    }

     * will have their values replaced with "********".
     *
     * @param key The key name to check
     * @param value The value to potentially mask
     * @return The masked value if the key matches a sensitive pattern, otherwise the original value
     */
    public static String maskSensitiveValue(final String key, final String value) {
        if (key == null || value == null) {

        .isEqualTo("Client-sent frames must be masked.")
    }
  }

  @Test fun serverSentFramesMustNotBeMasked() {
    data.write("8180".decodeHex())
    assertFailsWith<ProtocolException> {
      clientReader.processNextFrame()
    }.also { expected ->
      assertThat(expected.message)
        .isEqualTo("Server-sent frames must not be masked.")
    }
  }

  @Test fun controlFramePayloadMax() {

        }

        // Log command template with masked password for security
        if (logger.isDebugEnabled()) {
            final String commandStr = stream(commands).get(stream -> stream.map(s -> {
                if ("$PASSWORD".equals(s)) {
                    return "***MASKED***";
                }
                if ("$USERNAME".equals(s)) {
                    return username;

        assertEquals("********", SystemUtil.maskSensitiveValue("private_config", "internal"));
    }

    @Test
    public void test_maskSensitiveValue_safeValues() {
        // These should NOT be masked
        assertEquals("localhost:9200", SystemUtil.maskSensitiveValue("HOST", "localhost:9200"));
        assertEquals("8080", SystemUtil.maskSensitiveValue("PORT", "8080"));

    }

    /**
     * Masks email addresses in the input string for privacy protection.
     *
     * @param value the string that may contain email addresses
     * @return string with email addresses replaced by masked pattern
     */
    public static String maskEmail(final String value) {
        if (value == null) {
            return StringUtil.EMPTY;
        }

- Added `/sys/devices/virtual/powercap` to default masked paths. It avoids the potential security risk that the ability to read these files may offer a power-based sidechannel attack against any workloads running on the same kernel. ([#125970](https://github.com/kubernetes/kubernetes/pull/125970), [@carlory](https://github.com/carlory))

- Extended resources backed by DRA feature allowed cluster operator to specify `extendedResourceName` in `DeviceClass`, and application operator to continue using extended resources in pod's requests to request for DRA devices matching the DeviceClass.
  

- Fixed a bug in kube-proxy nftables mode (GA as of 1.33) that fails to determine if traffic originates from a local source on the node. The issue was caused by using the wrong meta `iif` instead of `iifname` for name based matches. ([#134117](https://github.com/kubernetes/kubernetes/pull/134117),...

### Other (Cleanup or Flake)

- Masked off access to Linux thermal interrupt info in `/proc` and `/sys`. ([#132986](https://github.com/kubernetes/kubernetes/pull/132986), [@saschagrunert](https://github.com/saschagrunert)) [SIG Node]

## Dependencies

### Added