thirteenth version

internal/logging/logging.go

@@ -34,6 +34,12 @@ type SDKLogger struct {
 	Logger *slog.Logger
 }
 
+type NoopSDKLogger struct{}
+
+func NewSDKLogger(logger *slog.Logger) SDKLogger {
+	return SDKLogger{Logger: logger}
+}
+
 func (l SDKLogger) Infof(template string, args ...any) {
 	if l.Logger != nil {
 		l.Logger.Info(RedactString(template), "args", redactArgs(args))
@@ -52,6 +58,10 @@ func (l SDKLogger) Fatalf(template string, args ...any) {
 	}
 }
 
+func (NoopSDKLogger) Infof(string, ...any)  {}
+func (NoopSDKLogger) Errorf(string, ...any) {}
+func (NoopSDKLogger) Fatalf(string, ...any) {}
+
 var sensitiveStringPatterns = []*regexp.Regexp{
 	regexp.MustCompile(`(?i)((?:account[_-]?id|token)\s*[:=]\s*)("[^"]+"|'[^']+'|[^\s,}]+)`),
 	regexp.MustCompile(`(?i)("(?:accountID|accountId|account_id|token)"\s*:\s*)("[^"]*"|null)`),

internal/logging/logging_test.go

@@ -34,3 +34,26 @@ func TestSlogRedactsSensitiveAccountIDAttributes(t *testing.T) {
 		t.Fatalf("log did not redact account ids: %s", got)
 	}
 }
+
+func TestSDKLoggerRedactsTemplateAndArgs(t *testing.T) {
+	var buf bytes.Buffer
+	logger := New("info", &buf)
+	sdk := NewSDKLogger(logger)
+	sdk.Infof("token=plain-token account_id=plain-account", "accountID=arg-account", `{"token":"json-token"}`)
+	got := buf.String()
+	for _, secret := range []string{"plain-token", "plain-account", "arg-account", "json-token"} {
+		if strings.Contains(got, secret) {
+			t.Fatalf("SDK log leaked %q: %s", secret, got)
+		}
+	}
+	if !strings.Contains(got, "[REDACTED]") {
+		t.Fatalf("SDK log did not redact sensitive data: %s", got)
+	}
+}
+
+func TestSDKLoggerNilIsNoop(t *testing.T) {
+	sdk := NewSDKLogger(nil)
+	sdk.Infof("token=plain-token")
+	sdk.Errorf("account_id=plain-account")
+	sdk.Fatalf("token=plain-token")
+}