fix(logger): redact sensitive fields in structured logging

[tamilr0727-ux]

Description

Adds sensitive-data redaction to lib/logger.ts to prevent accidental exposure of credentials, PII, and security-sensitive metadata in structured logs.

Problem

The existing logger serialized context objects directly using JSON.stringify(ctx) without filtering sensitive fields.

As a result, log entries could contain:

• Authentication tokens
• API keys and secrets
• Session identifiers
• Email addresses and usernames
• Authorization headers and cookies
• Repository URLs containing embedded credentials
• Error objects containing sensitive request information

When logs are forwarded to centralized logging systems, this information becomes accessible to anyone with log access and may create compliance and security risks.

Changes

Added Redaction Layer

Implemented recursive sanitization of structured logging metadata before serialization.

Protected sensitive fields including:

• token
• key
• secret
• password
• authorization
• cookie
• email

Sensitive values are replaced with:

[REDACTED]

Recursive Object Protection

• Nested objects are recursively inspected.
• Deeply nested sensitive properties are redacted.
• Non-sensitive metadata remains intact for debugging purposes.

Logger Hardening

• All structured log output now passes through the redaction layer before serialization.
• Existing logging behavior and log formats remain unchanged apart from sensitive-value masking.

Security Impact

Before

Potential exposure of:

• Personal information
• Session identifiers
• Authentication credentials
• Embedded repository credentials
• Internal infrastructure details

After

• Sensitive values are automatically masked.
• Logs remain useful for debugging without exposing secrets.
• Reduced risk of credential leakage through log aggregation systems.

Test Coverage

Added tests validating:

1. Top-level sensitive field redaction.
2. Nested object redaction behavior.
3. Preservation of non-sensitive values.
4. Multiple sensitive keys within the same payload.
5. Safe handling of empty and malformed contexts.

Validation

✅ All tests pass successfully.

✅ Existing logger functionality remains intact.

✅ Sensitive values are consistently replaced with [REDACTED].

Impact

• Improves production security posture.
• Reduces risk of credential and PII leakage.
• Supports compliance requirements around log hygiene.
• Provides regression protection against future logging-related security issues.

Fixes #6183

Pillar

• 🎨 Pillar 1 — New Theme Design
• 📐 Pillar 2 — Geometric SVG Improvement
• 🕐 Pillar 3 — Timezone Logic Optimization
• 🛠️ Other (Bug fix, refactoring, docs)

Visual Preview

Can Check in the files Changed Section

Checklist before requesting a review:

• I have read the CONTRIBUTING.md file.
• I have tested these changes locally (localhost:3000/api/streak?user=YOUR_USERNAME).
• I have run npm run format and npm run lint locally and resolved all errors (CI will fail otherwise).
• My commits follow the Conventional Commits format (e.g., feat(themes): ..., fix(calculate): ...).
• I have updated README.md if I added a new theme or URL parameter.
• I have started the repo.
• I have made sure that i have only one commit to merge in this PR.
• The SVG output matches the CommitPulse "premium quality" aesthetic standard (no raw elements, smooth animations, correct fonts).
• (Recommended) I joined the CommitPulse Discord community for contributor discussions, mentorship, and faster PR support.

[vercel]

@tamilr0727-ux is attempting to deploy a commit to the jhasourav07's projects Team on Vercel.

A member of the Team first needs to authorize it.

[github-actions]

📦 Next.js Bundle Size Report (Gzipped Sizes)

Asset	PR Size	Base Size	Difference	Status
static/chunks/app/(root)/dashboard/error-[hash].js	1.37 KB	1.22 KB	+0.15 KB (+12.43%)	🔴 Regression

📊 Summary of Totals

Category	PR Size	Base Size	Difference
Total JS	3697.25 KB	3697.00 KB	+0.25 KB (+0.01%)
Total CSS	296.58 KB	296.58 KB	0 B

[Aamod-Dev]

Thank you for adding this crucial layer of defense to our logging system. Recursively sanitizing sensitive fields like tokens and passwords before JSON.stringify serialization in lib/logger.ts prevents accidental credentials exposure in log aggregation systems. The test cases covering nested structures and multiple fields ensure this works exactly as intended. Approved!

[github-actions]

🎉 Congratulations @tamilr0727-ux! Your PR has been successfully merged. 🚀

Thank you for contributing to CommitPulse. Your work helps us build a better tool for the community.

⚠️ Important for GSSoC Contributors:
You are strictly advised to join our Discord Server as it is mandatory for all GSSoC participants. All important announcements, point claims, and community discussions happen there.

Keep building! 💻✨