P3: Add LoggingHandler with structured logging and sensitive data redaction

[jhosm]

Summary

• Adds AcdcLoggingOptions configuration (now a record with FrozenSet defaults) with configurable thresholds and 16 default sensitive field names
• Adds SensitiveDataRedactor for redacting headers, query parameters, and JSON body fields (case-insensitive matching via System.Text.Json)
• Adds LoggingHandler (DelegatingHandler) with structured request/response logging, slow request and large payload warnings, AsyncLocal reentrancy prevention, and per-request SkipLogging opt-out
• Adds comprehensive unit tests for both SensitiveDataRedactor (18 tests) and LoggingHandler (18 tests)

Review feedback addressed

• Converted AcdcLoggingOptions to record with FrozenSet for immutable defaults
• Protected HTTP pipeline from logging/redaction failures (try/catch with graceful degradation)
• Defensive copy of SensitiveFields in SensitiveDataRedactor with forced OrdinalIgnoreCase
• Added ArgumentNullException.ThrowIfNull() null guards in constructors
• OperationCanceledException now logged at Information level (not Error)
• Non-JSON bodies return placeholder [non-JSON body, redaction skipped] instead of leaking raw content
• Fixed repeated query parameter handling via GetValues()
• Added null-check for response.Content?.Headers.ContentLength
• Renamed IsLogging → _isLogging (naming convention)
• Fixed .GetAwaiter().GetResult() → proper await in reentrancy test
• Removed unused usings, added using var for disposables
• Added tests: AsyncLocal error recovery, concurrent request isolation, cancellation logging
• Improved reentrancy test with InnerLogger assertion
• Enhanced response header redaction test with sensitive header assertion

Test plan

• All 138 tests pass (existing P2 tests + updated P3 tests)
• Build succeeds with TreatWarningsAsErrors enabled (0 warnings)
• Verified case-insensitive redaction for all 16 default sensitive fields
• Verified reentrancy prevention with nested request test + inner logger assertion
• Verified per-request SkipLogging opt-out
• Verified slow request and large payload threshold boundary behavior
• Verified AsyncLocal resets after error
• Verified concurrent requests log independently
• Verified cancellation logged at Information, not Error
• Verified response headers with sensitive fields are redacted
• Verified non-JSON body returns placeholder instead of raw content

🤖 Generated with Claude Code

[Copilot]

Pull request overview

Adds structured HTTP request/response logging to the CSharpAcdc HTTP pipeline, including configurable thresholds and a reusable sensitive-data redactor to prevent leaking secrets in logs.

Changes:

• Introduces AcdcLoggingOptions for slow-request / large-payload thresholds and a default sensitive field set.
• Adds SensitiveDataRedactor to redact sensitive headers, query parameters, and JSON body fields.
• Adds LoggingHandler (DelegatingHandler) plus unit tests for both the handler and the redactor.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 13 comments.

Show a summary per file

File	Description
src/CSharpAcdc/Configuration/AcdcLoggingOptions.cs	Adds configuration for logging thresholds and default sensitive fields.
src/CSharpAcdc/Logging/SensitiveDataRedactor.cs	Implements header/query/JSON redaction logic.
src/CSharpAcdc/Handlers/LoggingHandler.cs	Adds request/response structured logging and warning logic.
tests/CSharpAcdc.Tests/Logging/SensitiveDataRedactorTests.cs	Adds unit tests covering redaction behaviors.
tests/CSharpAcdc.Tests/Handlers/LoggingHandlerTests.cs	Adds unit tests for logging, redaction, warnings, and reentrancy behavior.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Unused using NSubstitute; will produce CS8019 (unnecessary using directive) and can fail builds when warnings are treated as errors. Remove this using if it’s not needed.

Suggested change

using NSubstitute;

[Copilot]

This reentrancy test doesn’t currently validate whether the nested request was actually skipped: the inner request logs would go to innerLogger, but the assertions only inspect the outer _logger, so it would pass even if the reentrancy guard failed. Expose innerLogger to the test (e.g., via a field on NestedRequestHandler) and assert it has no entries (or explicitly assert expected counts).

Suggested change

	infoLogs.Should().NotContain(e => e.Message.Contains("/inner"));
	infoLogs.Should().NotContain(e => e.Message.Contains("/inner"));
	// Additionally ensure the nested handler's own logger did not record any entries
	nestedHandler.InnerLogger.Entries.Should().BeEmpty();

[Copilot]

Calling GetAsync(...).GetAwaiter().GetResult() from within a handler can deadlock under certain synchronization contexts and can also block threadpool threads unnecessarily. Make this override async and await the nested call instead.

[Copilot]

HttpUtility.ParseQueryString collapses repeated query keys (e.g., a=1&a=2) into a single comma-separated string via query[name], and this implementation will log it as a single value (and after escaping, it becomes 1%2C2). If preserving query shape matters for debugging, iterate query.GetValues(name) and emit one name=value pair per value while still redacting sensitive keys.

Suggested change

	redactedParts.Add(IsSensitive(name)
	? $"{Uri.EscapeDataString(name)}={Redacted}"
	: $"{Uri.EscapeDataString(name)}={Uri.EscapeDataString(query[name] ?? string.Empty)}");
	var values = query.GetValues(name);
	var escapedName = Uri.EscapeDataString(name);
	if (IsSensitive(name))
	{
	if (values is null || values.Length == 0)
	{
	redactedParts.Add($"{escapedName}={Redacted}");
	}
	else
	{
	foreach (var _ in values)
	{
	redactedParts.Add($"{escapedName}={Redacted}");
	}
	}
	}
	else
	{
	if (values is null || values.Length == 0)
	{
	redactedParts.Add($"{escapedName}=");
	}
	else
	{
	foreach (var value in values)
	{
	redactedParts.Add($"{escapedName}={Uri.EscapeDataString(value ?? string.Empty)}");
	}
	}
	}

[Copilot]

Private field naming deviates from the repository’s naming rules (private fields should be prefixed with '_' and camelCase). Rename this static field (e.g., to '_isLogging') to satisfy the analyzer rules in .editorconfig and avoid style warnings becoming build breaks under TreatWarningsAsErrors.

[Copilot]

Disposable 'HttpRequestMessage' is created but not disposed.

Suggested change

	var request = new HttpRequestMessage(HttpMethod.Get, "/test");
	using var request = new HttpRequestMessage(HttpMethod.Get, "/test");

[Copilot]

Disposable 'HttpRequestMessage' is created but not disposed.

Suggested change

	var request = new HttpRequestMessage(HttpMethod.Get, "/test");
	using var request = new HttpRequestMessage(HttpMethod.Get, "/test");

[Copilot]

Disposable 'StringContent' is created but not disposed.

Suggested change

	var content = new StringContent(new string('x', 200));
	using var content = new StringContent(new string('x', 200));

[Copilot]

Disposable 'HttpRequestMessage' is created but not disposed.

Suggested change

	var request = new HttpRequestMessage(HttpMethod.Get, "/silent");
	using var request = new HttpRequestMessage(HttpMethod.Get, "/silent");

[Copilot]

Disposable 'HttpResponseMessage' is created but not disposed.

[jhosm]

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

🤖 Generated with Claude Code

[jhosm]

Comprehensive PR Review -- P3: LoggingHandler

Five specialized review agents independently analyzed this PR. Below is the deduplicated, aggregated summary.

---

Critical Issues

1. AcdcLoggingOptions is a mutable class -- violates CLAUDE.md convention (3 agents converged)

CLAUDE.md states: "Use record types for DTOs and immutable config." AcdcLoggingOptions is configuration with public { get; set; } properties. All three properties can be mutated after construction, including replacing SensitiveFields with a case-sensitive set (breaking redaction). In a concurrent server context with pooled DelegatingHandler instances, this is both a convention violation and a thread-safety hazard.

CSharp-ACDC/src/CSharpAcdc/Configuration/AcdcLoggingOptions.cs

Lines 3 to 10 in f837f5f

	public class AcdcLoggingOptions
	{
	public TimeSpan SlowRequestThreshold { get; set; } = TimeSpan.FromSeconds(3);
	public long LargePayloadThreshold { get; set; } = 1_048_576; // 1 MiB
	public IReadOnlySet<string> SensitiveFields { get; set; } = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
	{

Type design scores: Encapsulation 2/10, Invariant Expression 2/10, Enforcement 1/10.

Fix: Convert to record with init setters, or at minimum add IValidateOptions<T> validation and freeze SensitiveFields internally.

---

2. Unprotected redaction/logging can crash the HTTP pipeline (2 agents)

_redactor.RedactUrl(), _redactor.RedactHeaders(), and _logger.Log*() are all called without try/catch. If redaction throws (e.g., UriFormatException on malformed URI) or the logger throws (sink serialization failure), the user's HTTP request fails -- not because of a network problem, but because the logging infrastructure crashed. A logging handler should never take down the pipeline.

CSharp-ACDC/src/CSharpAcdc/Handlers/LoggingHandler.cs

Lines 47 to 54 in f837f5f

	var redactedUrl = _redactor.RedactUrl(request.RequestUri);
	var redactedHeaders = _redactor.RedactHeaders(request.Headers);
	_logger.LogInformation(
	"HTTP {Method} {Url} Headers: {Headers}",
	request.Method,
	redactedUrl,
	redactedHeaders);

Fix: Wrap pre-request and post-response logging blocks in try/catch that degrades gracefully.

---

3. Invalid JSON silently returned unredacted -- sensitive data leak risk (2 agents)

When RedactJsonBody fails to parse JSON, it silently returns the original body unredacted. A body with a minor JSON syntax error containing password, token, api_key fields will be logged in full with all secrets visible. No warning is emitted.

CSharp-ACDC/src/CSharpAcdc/Logging/SensitiveDataRedactor.cs

Lines 70 to 74 in f837f5f

	}
	catch (JsonException)
	{
	return body; // Not valid JSON — return as-is
	}

Fix: Either return [non-JSON body, redaction skipped] placeholder, or add ILogger to SensitiveDataRedactor and log a warning when redaction is skipped.

---

Important Issues

4. No defensive copy of SensitiveFields set (3 agents)

SensitiveDataRedactor stores a reference to options.SensitiveFields without copying. External code can cast IReadOnlySet<string> back to HashSet<string> and mutate it, or the AcdcLoggingOptions setter can replace it entirely. Under concurrency, this is a data race.

CSharp-ACDC/src/CSharpAcdc/Logging/SensitiveDataRedactor.cs

Lines 9 to 12 in f837f5f

	private const string Redacted = "[REDACTED]";
	private readonly IReadOnlySet<string> _sensitiveFields;
	public SensitiveDataRedactor(AcdcLoggingOptions options)

Fix: Defensively copy in constructor: _sensitiveFields = new HashSet<string>(options.SensitiveFields, StringComparer.OrdinalIgnoreCase).

---

5. Missing constructor null guards (2 agents)

Neither LoggingHandler nor SensitiveDataRedactor validate constructor parameters. new LoggingHandler(null!, ...) defers the NullReferenceException to the first request instead of failing fast at construction.

Fix: Add ArgumentNullException.ThrowIfNull() in constructors.

---

6. OperationCanceledException logged at Error level (2 agents)

The catch block in SendWithLoggingAsync catches all Exception types and logs at LogError. Deliberate cancellation is expected behavior, not an error -- it pollutes error monitoring with false positives.

CSharp-ACDC/src/CSharpAcdc/Handlers/LoggingHandler.cs

Lines 64 to 74 in f837f5f

	catch (Exception ex)
	{
	stopwatch.Stop();
	_logger.LogError(
	ex,
	"HTTP {Method} {Url} failed after {ElapsedMs}ms",
	request.Method,
	redactedUrl,
	stopwatch.ElapsedMilliseconds);
	throw;
	}

Fix: Add a separate catch (OperationCanceledException) that logs at Information/Debug level before the general catch (Exception).

---

7. .GetAwaiter().GetResult() blocking call in test (2 agents)

NestedRequestHandler.SendAsync uses .GetAwaiter().GetResult() which violates the "Async all the way" CLAUDE.md rule and risks deadlocks. While the synchronous call is deliberate for AsyncLocal testing, it needs a comment explaining why await is not used.

CSharp-ACDC/tests/CSharpAcdc.Tests/Handlers/LoggingHandlerTests.cs

Lines 367 to 370 in f837f5f

	// This should be skipped by reentrancy guard
	_ = innerClient.GetAsync("/inner", cancellationToken).GetAwaiter().GetResult();

---

8. Contradictory comment block in NestedRequestHandler (comment-analyzer)

Lines 343-350 contain a paragraph describing an abandoned approach, followed by "But for a proper test, we actually construct an inner pipeline:" -- contradicting the preceding text. This is a draft-then-revise artifact.

CSharp-ACDC/tests/CSharpAcdc.Tests/Handlers/LoggingHandlerTests.cs

Lines 343 to 350 in f837f5f

	// The reentrancy check happens in LoggingHandler. Since we're inside the
	// outer LoggingHandler's SendAsync, the AsyncLocal<bool> IsLogging is true.
	// We simulate the inner handler returning without actually nesting a second
	// LoggingHandler (which would require constructing one and calling it).
	// Instead, we validate that the flag is visible by checking it indirectly
	// through the test's log count.
	// But for a proper test, we actually construct an inner pipeline:

---

Test Coverage Gaps (Severity 7+)

Gap	Severity	Description
AsyncLocal reset after error	9/10	No test verifies IsLogging resets to false when base.SendAsync throws
SuppressLogging vs SkipLogging	8/10	Spec says SuppressLogging option, code uses SkipLogging -- naming mismatch
Custom fields replace vs merge	8/10	Setting custom SensitiveFields replaces all defaults, but no test verifies this behavior is intentional
Concurrent request isolation	7/10	No test verifies two parallel requests log independently without cross-contamination
Response header redaction	7/10	Response headers are redacted in code but no test asserts this

---

Strengths

• AsyncLocal<bool> reentrancy guard with try/finally is a thoughtful design choice
• No per-request state in instance fields -- correctly follows IHttpClientFactory handler pooling model
• ConfigureAwait(false) used consistently
• SensitiveDataRedactor.RedactJsonBody catch block is narrowly typed to JsonException
• Comprehensive default sensitive fields list (16 fields covering common secrets)
• ShouldSkip method provides clean per-request opt-out mechanism
• 33 tests covering both SensitiveDataRedactor and LoggingHandler

---

Type Design Summary

Type	Encapsulation	Invariant Expression	Usefulness	Enforcement
AcdcLoggingOptions	2/10	2/10	7/10	1/10
SensitiveDataRedactor	6/10	5/10	8/10	3/10
LoggingHandler	7/10	6/10	9/10	5/10

---

Recommended Action Plan

1. Harden AcdcLoggingOptions: Convert to record or add init setters + validation
2. Protect the pipeline: Wrap logging operations so they cannot crash HTTP requests
3. Defensive copy: Copy SensitiveFields in SensitiveDataRedactor constructor with forced OrdinalIgnoreCase
4. Add null guards: ArgumentNullException.ThrowIfNull() in constructors
5. Handle cancellation separately: Log OperationCanceledException at Information, not Error
6. Address JSON fallback: Either placeholder or log warning when body cannot be parsed for redaction
7. Add missing tests: AsyncLocal error recovery, concurrent isolation, response header redaction
8. Clean up comments: Remove contradictory NestedRequestHandler comment block

Generated by 5 specialized review agents (code-reviewer, test-analyzer, silent-failure-hunter, type-design-analyzer, comment-analyzer).

🤖 Generated with Claude Code

_{If this review was useful, please react with 👍. Otherwise, react with 👎.}