/** * =============================================================================== * SECURE LOGGING UTILITIES * =============================================================================== * * Provides secure logging wrappers that automatically redact sensitive data. * Use these utilities in any code that handles PII, financial data, or * business-sensitive information. * * IMPORTANT: This module MUST be used in: * - Government/SAP/ERP adapters * - Payment processing * - User data handlers * - Authentication flows * - Any external API integration that returns sensitive data * * @example * ```typescript * import { createSecureLogger } from '../core/security/index.js'; * * const logger = createSecureLogger('SamAdapter'); * * // Safe debug - automatically redacts sensitive fields * logger.safeDebug('Processing entity', { * customerId: '12345', // Will be redacted * email: 'john@example.com', // Will be redacted * action: 'lookup' // Not sensitive, passed through * }); * * // Force redact everything * logger.safeDebug('Raw API response', responseData, { redactAll: true }); * ``` * * =============================================================================== */ import { Logger } from '../logging/index.js'; /** * Options for secure debug logging. */ export interface SafeDebugOptions { /** Redact ALL fields, not just detected sensitive ones */ redactAll?: boolean; /** Include hash prefixes for correlation across logs */ includeHashes?: boolean; /** Additional field names to treat as sensitive */ additionalSensitive?: string[]; /** Field names to explicitly allow through (whitelist) */ allowList?: string[]; } /** * A secure logger wrapper that provides safe logging methods. */ export declare class SecureLogger { private logger; constructor(module: string); /** * Log debug message (no auto-redaction). * Use safeDebug() if data might contain sensitive fields. */ debug(message: string, data?: Record): void; /** * Log info message (no auto-redaction). * Use safeInfo() if data might contain sensitive fields. */ info(message: string, data?: Record): void; /** * Log warning message (no auto-redaction). * Use safeWarn() if data might contain sensitive fields. */ warn(message: string, data?: Record, error?: Error): void; /** * Log error message (no auto-redaction). * Use safeError() if data might contain sensitive fields. */ error(message: string, error?: Error, data?: Record): void; /** * Safely log debug information with automatic redaction. * * @param message - Log message (will be scanned for sensitive patterns) * @param data - Optional data object (sensitive fields auto-redacted) * @param options - Redaction options * * @example * ```typescript * logger.safeDebug('User lookup', { userId: '123', email: 'test@example.com' }); * // Logs: "User lookup" { userId: { type: 'string', length: 3 }, email: '' } * ``` */ safeDebug(message: string, data?: Record, options?: SafeDebugOptions): void; /** * Safely log info with automatic redaction. */ safeInfo(message: string, data?: Record, options?: SafeDebugOptions): void; /** * Safely log warning with automatic redaction. */ safeWarn(message: string, data?: Record, error?: Error, options?: SafeDebugOptions): void; /** * Safely log error with automatic redaction. */ safeError(message: string, error?: Error, data?: Record, options?: SafeDebugOptions): void; /** * Log a single redacted value for debugging. * Use when you need to log a specific value safely. * * @example * ```typescript * logger.safeValue('customerId', rawCustomerId); * // Logs: { customerId: { type: 'string', length: 10, preview: 'cust***' } } * ``` */ safeValue(fieldName: string, value: unknown, includeHash?: boolean): void; /** * Create a child secure logger with extended module path. */ child(subModule: string): SecureLogger; /** * Access the underlying logger for non-sensitive operations. * CAUTION: Only use for data you've verified is not sensitive. */ get unsafe(): Logger; /** * Get the module name for this logger. */ private get module(); } /** * Create a secure logger instance. * * @param module - Module name for the logger * @returns SecureLogger instance with safe logging methods * * @example * ```typescript * import { createSecureLogger } from '../core/security/index.js'; * * const logger = createSecureLogger('PaymentProcessor'); * logger.safeDebug('Processing payment', { amount: 100, cardNumber: '4111...' }); * ``` */ export declare function createSecureLogger(module: string): SecureLogger; /** * Helper to safely log an entire payload that should be fully redacted. * Use when logging raw external API responses. * * @param logger - Logger instance * @param message - Log message * @param payload - Full payload to redact * * @example * ```typescript * safePayloadDebug(logger, 'SAM API response', apiResponse); * // Logs: "SAM API response" { payload: { type: 'object', length: 1234, count: 15 } } * ``` */ export declare function safePayloadDebug(logger: Logger | SecureLogger, message: string, payload: unknown): void; /** * Decorator-style wrapper to make an existing logger safe. * Use when you have an existing Logger but need to log sensitive operations. * * @param logger - Existing Logger instance * @param message - Log message * @param data - Data to log (will be auto-redacted) * @param options - Redaction options * * @example * ```typescript * import { safeDebug } from '../core/security/index.js'; * import { createLogger } from '../core/logging/index.js'; * * const logger = createLogger('MyModule'); * * // In a sensitive code path: * safeDebug(logger, 'Customer lookup result', customerData); * ``` */ export declare function safeDebug(logger: Logger, message: string, data?: Record, options?: SafeDebugOptions): void; /** * Check if logging data is safe (no sensitive fields detected). * Use for validation/testing. * * @param data - Data object to check * @returns Object with safety status and any detected sensitive fields */ export declare function checkLoggingSafety(data: Record): { isSafe: boolean; sensitiveFields: string[]; }; //# sourceMappingURL=secure-logging.d.ts.map