Logging Guidelines

The Rule

Always use the logger with an object as the second parameter:

typescript

logger.debug('[Component] Message', { headers, body, config });

The object is auto-sanitized - sensitive fields are automatically redacted.

Why This Matters

Security: Prevents accidental exposure of secrets in logs
Consistency: Structured logs are easier to search and analyze
Safety: Red team test content may contain harmful/sensitive data

Correct Usage

typescript

import logger from './logger';

// Good - context object is auto-sanitized
logger.debug('[Provider]: Making API request', {
  url: 'https://api.example.com',
  method: 'POST',
  headers: { Authorization: 'Bearer secret-token' },
  body: { apiKey: 'secret-key', data: 'value' },
});
// Output: Authorization and apiKey are [REDACTED]

logger.error('Request failed', {
  headers: response.headers,
  body: errorResponse,
});

Anti-Pattern

typescript

// WRONG - exposes secrets, bypasses sanitization
logger.debug(`Config: ${JSON.stringify(config)}`);
logger.debug(`Calling ${url} with headers: ${JSON.stringify(headers)}`);

Manual Sanitization

For non-logging contexts:

typescript

import { sanitizeObject } from './util/sanitizer';

const sanitizedConfig = sanitizeObject(providerConfig, {
  context: 'provider config',
});

What Gets Sanitized

Field names containing (case-insensitive, works with -, _, camelCase):

Category	Fields
Passwords	`password`, `passwd`, `pwd`, `passphrase`
API Keys	`apiKey`, `api_key`, `token`, `accessToken`, `refreshToken`, `bearerToken`
Secrets	`secret`, `clientSecret`, `webhookSecret`
Headers	`authorization`, `cookie`, `x-api-key`, `x-auth-token`
Certificates	`privateKey`, `certificatePassword`, `keystorePassword`
Signatures	`signature`, `sig`, `signingKey`

See src/util/sanitizer.ts for the complete list.