Security improvements:
- Create redaction utility to prevent PII leakage in logs
- Redact sensitive fields: privateKey, tokens, passwords, metadata, payloads
- Redact user IDs: convert to "user-***"
- Redact instance IDs: convert to "instance-***"
- Support recursive redaction for nested objects and arrays
Changes:
- Add redact.util.ts with redaction functions
- Add comprehensive test coverage for redaction
- Support for:
- Sensitive field detection (privateKey, token, etc.)
- User ID redaction (userId, remoteUserId, localUserId, user.id)
- Instance ID redaction (instanceId, remoteInstanceId, instance.id)
- Nested object and array redaction
- Primitive and null/undefined handling
Next steps:
- Apply redactSensitiveData() to all logger calls in federation services
- Use debug level for detailed logs with sensitive data
Part of M7.1 Remediation Sprint P1 security fixes.
Refs #287
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Jason Woltje
e151d09531