feat: add env-aware client log policy and const lint fixes

2026-02-24 15:38:55 +09:00
parent 4ffe5110dd
commit aeb418fb9f
14 changed files with 701 additions and 47 deletions
--- a/README.md
+++ b/README.md
@@ -193,6 +193,22 @@ USERFRONT_URL=https://sso.example.com
 - `KRATOS_ALLOWED_RETURN_URLS_EXTRA`: 추가 허용 return URL (선택)
  - 빈값: `[]`
  - 다중값: `["https://a.example.com/callback","https://b.example.com/callback"]` 또는 `https://a.example.com/callback,https://b.example.com/callback`
 - `CLIENT_LOG_DEBUG`: 클라이언트 로그 디버그 모드 강제 (기본: 비운영 `true`, 운영 `false`)
  - 운영(`APP_ENV=production|prod`)에서 `true|1|on|yes` 설정 시 `INFO/DEBUG` 클라이언트 로그 수집 허용
  - 미설정(기본) 시 운영에서는 `WARN/ERROR`만 수집
 - `USERFRONT_DEBUG_LOG`: UserFront 측 디버그 로그 fallback 플래그
  - `CLIENT_LOG_DEBUG`가 없을 때만 UserFront에서 대체로 참조
 ### 클라이언트 로그 정책 (중요)
 - 기본 원칙: 운영 환경에서는 민감정보 보호를 우선하며, 과도한 로그 수집을 제한합니다.
 - 환경별 동작:
  - 비운영(`dev/local/stage` 등): 디버그 로그 허용 (`INFO/DEBUG/WARN/ERROR`)
  - 운영(`production/prod`) + `CLIENT_LOG_DEBUG` 미설정: `WARN/ERROR`만 수집
  - 운영(`production/prod`) + `CLIENT_LOG_DEBUG=true`: 디버그 로그 허용
 - 민감정보는 환경과 무관하게 마스킹합니다.
  - 예: `password`, `newPassword`, `token`, `authorization`, `cookie`, `sessionJwt`
  - 문자열 패턴(`token=...`, `authorization:...`, JSON body 내 민감 key)도 마스킹
 - 상세 정책 문서: `docs/client-log-policy.md`
 ### `.env` 작성 후 권장 점검
 ```bash
--- a/backend/cmd/server/main.go
+++ b/backend/cmd/server/main.go
@@ -277,6 +277,8 @@ func main() {
 	// 3. Initialize Fiber
 	appEnv := getEnv("APP_ENV", "dev")
 	clientLogDebugFlag := getEnv("CLIENT_LOG_DEBUG", "")
 	clientDebugEnabled := logger.ClientDebugEnabled(appEnv, clientLogDebugFlag)
 	app := fiber.New(fiber.Config{
 		AppName:               "Baron SSO Backend",
 		DisableStartupMessage: true,  // Clean logs
@@ -367,6 +369,10 @@ func main() {
 	} else {
 		slog.Info("🔒 API Docs disabled in production")
 	}
 	slog.Info("Client log policy configured",
 		"app_env", appEnv,
 		"client_debug_enabled", clientDebugEnabled,
 	)
 	// Routes
 	app.Get("/", func(c *fiber.Ctx) error {
@@ -630,12 +636,20 @@ func main() {
 		if err := c.BodyParser(&req); err != nil {
 			return c.SendStatus(fiber.StatusBadRequest)
 		}
 		if !logger.ShouldAcceptClientLog(appEnv, clientLogDebugFlag, req.Level) {
 			return c.SendStatus(fiber.StatusOK)
 		}
 		level := logger.NormalizeClientLogLevel(req.Level)
 		if level == slog.LevelInfo && logger.ShouldFilterNoisyClientInfo(appEnv, clientLogDebugFlag, req.Message) {
 			return c.SendStatus(fiber.StatusOK)
 		}
 		// Prepare attributes for flattening
 		attrs := []any{
 			slog.String("source", "client"),
 		}
-		for k, v := range req.Data {
+		sanitizedData := logger.SanitizeClientLogData(req.Data)
 		for k, v := range sanitizedData {
 			// Skip svc if it's already set by the global logger to avoid confusion,
 			// or keep it as client_svc
 			if k == "svc" {
@@ -644,30 +658,7 @@ func main() {
 				attrs = append(attrs, slog.Any(k, v))
 			}
 		}
-
+		slog.Log(c.Context(), level, logger.SanitizeClientLogMessage(req.Message), attrs...)
 		// Map and log with correct level
 		var level slog.Level
 		switch req.Level {
 		case "SEVERE", "ERROR":
 			level = slog.LevelError
 		case "WARNING", "WARN":
 			level = slog.LevelWarn
 		default:
 			level = slog.LevelInfo
 		}
 		// Filter out noisy client navigation logs
 		if level == slog.LevelInfo {
 			msg := strings.ToLower(req.Message)
 			if strings.Contains(msg, "navigating to") ||
 				strings.Contains(msg, "going to") ||
 				strings.Contains(msg, "redirecting to") ||
 				strings.Contains(msg, "full paths for routes") {
 				return c.SendStatus(fiber.StatusOK)
 			}
 		}
 		slog.Log(c.Context(), level, req.Message, attrs...)
 		return c.SendStatus(fiber.StatusOK)
 	})
--- a/backend/internal/logger/client_log_policy.go
+++ b/backend/internal/logger/client_log_policy.go
@@ -0,0 +1,143 @@
 package logger
 import (
 	"log/slog"
 	"regexp"
 	"strings"
 )
 var sensitiveClientLogKeys = map[string]struct{}{
 	"password":         {},
 	"currentpassword":  {},
 	"newpassword":      {},
 	"oldpassword":      {},
 	"token":            {},
 	"accesstoken":      {},
 	"refreshtoken":     {},
 	"secret":           {},
 	"clientsecret":     {},
 	"authorization":    {},
 	"cookie":           {},
 	"setcookie":        {},
 	"verificationcode": {},
 	"code":             {},
 	"loginchallenge":   {},
 	"loginverifier":    {},
 	"sessionjwt":       {},
 	"accessjwt":        {},
 	"refreshjwt":       {},
 }
 var (
 	logJSONSensitivePattern = regexp.MustCompile(`(?i)"(password|currentpassword|newpassword|oldpassword|token|accesstoken|refreshtoken|secret|clientsecret|authorization|cookie|setcookie|verificationcode|code|loginchallenge|loginverifier|sessionjwt|accessjwt|refreshjwt)"\s*:\s*"[^"]*"`)
 	logKVPattern            = regexp.MustCompile(`(?i)\b(password|current_password|currentpassword|new_password|newpassword|old_password|oldpassword|token|access_token|accesstoken|refresh_token|refreshtoken|authorization|cookie|session_jwt|sessionjwt|access_jwt|accessjwt|refresh_jwt|refreshjwt)\b\s*[:=]\s*([^\s,;]+)`)
 )
 func IsProductionEnv(appEnv string) bool {
 	env := strings.ToLower(strings.TrimSpace(appEnv))
 	return env == "prod" || env == "production"
 }
 func parseBoolFlag(raw string) bool {
 	switch strings.ToLower(strings.TrimSpace(raw)) {
 	case "1", "true", "yes", "y", "on":
 		return true
 	default:
 		return false
 	}
 }
 func ClientDebugEnabled(appEnv, productionDebugFlag string) bool {
 	if !IsProductionEnv(appEnv) {
 		return true
 	}
 	return parseBoolFlag(productionDebugFlag)
 }
 func NormalizeClientLogLevel(level string) slog.Level {
 	switch strings.ToUpper(strings.TrimSpace(level)) {
 	case "SEVERE", "ERROR":
 		return slog.LevelError
 	case "WARNING", "WARN":
 		return slog.LevelWarn
 	case "DEBUG", "FINE", "TRACE":
 		return slog.LevelDebug
 	default:
 		return slog.LevelInfo
 	}
 }
 func ShouldAcceptClientLog(appEnv, productionDebugFlag, level string) bool {
 	if ClientDebugEnabled(appEnv, productionDebugFlag) {
 		return true
 	}
 	return NormalizeClientLogLevel(level) >= slog.LevelWarn
 }
 func ShouldFilterNoisyClientInfo(appEnv, productionDebugFlag, message string) bool {
 	if ClientDebugEnabled(appEnv, productionDebugFlag) {
 		return false
 	}
 	msg := strings.ToLower(message)
 	return strings.Contains(msg, "navigating to") ||
 		strings.Contains(msg, "going to") ||
 		strings.Contains(msg, "redirecting to") ||
 		strings.Contains(msg, "full paths for routes")
 }
 func SanitizeClientLogMessage(message string) string {
 	if strings.TrimSpace(message) == "" {
 		return message
 	}
 	sanitized := logJSONSensitivePattern.ReplaceAllStringFunc(message, func(segment string) string {
 		parts := strings.SplitN(segment, ":", 2)
 		if len(parts) != 2 {
 			return segment
 		}
 		return parts[0] + `:"*****"`
 	})
 	sanitized = logKVPattern.ReplaceAllString(sanitized, `$1=*****`)
 	return sanitized
 }
 func SanitizeClientLogData(data map[string]interface{}) map[string]interface{} {
 	if len(data) == 0 {
 		return data
 	}
 	out := make(map[string]interface{}, len(data))
 	for k, v := range data {
 		if isSensitiveClientLogKey(k) {
 			out[k] = "*****"
 			continue
 		}
 		out[k] = sanitizeClientLogValue(v)
 	}
 	return out
 }
 func sanitizeClientLogValue(v interface{}) interface{} {
 	switch val := v.(type) {
 	case map[string]interface{}:
 		return SanitizeClientLogData(val)
 	case []interface{}:
 		next := make([]interface{}, len(val))
 		for i := range val {
 			next[i] = sanitizeClientLogValue(val[i])
 		}
 		return next
 	case string:
 		return SanitizeClientLogMessage(val)
 	default:
 		return val
 	}
 }
 func isSensitiveClientLogKey(key string) bool {
 	normalized := strings.ToLower(strings.TrimSpace(key))
 	normalized = strings.ReplaceAll(normalized, "-", "")
 	normalized = strings.ReplaceAll(normalized, "_", "")
 	normalized = strings.ReplaceAll(normalized, ".", "")
 	normalized = strings.ReplaceAll(normalized, " ", "")
 	_, ok := sensitiveClientLogKeys[normalized]
 	return ok
 }
--- a/backend/internal/logger/client_log_policy_test.go
+++ b/backend/internal/logger/client_log_policy_test.go
@@ -0,0 +1,79 @@
 package logger
 import (
 	"testing"
 	"github.com/stretchr/testify/assert"
 )
 func TestClientDebugEnabled(t *testing.T) {
 	t.Run("non production enables debug by default", func(t *testing.T) {
 		assert.True(t, ClientDebugEnabled("dev", ""))
 		assert.True(t, ClientDebugEnabled("local", "false"))
 	})
 	t.Run("production disables debug by default", func(t *testing.T) {
 		assert.False(t, ClientDebugEnabled("production", ""))
 		assert.False(t, ClientDebugEnabled("prod", "false"))
 	})
 	t.Run("production accepts explicit debug override", func(t *testing.T) {
 		assert.True(t, ClientDebugEnabled("production", "true"))
 		assert.True(t, ClientDebugEnabled("production", "1"))
 		assert.True(t, ClientDebugEnabled("prod", "on"))
 	})
 }
 func TestShouldAcceptClientLog(t *testing.T) {
 	assert.False(t, ShouldAcceptClientLog("production", "", "INFO"))
 	assert.False(t, ShouldAcceptClientLog("production", "", "DEBUG"))
 	assert.True(t, ShouldAcceptClientLog("production", "", "WARN"))
 	assert.True(t, ShouldAcceptClientLog("production", "", "ERROR"))
 	assert.True(t, ShouldAcceptClientLog("production", "true", "INFO"))
 	assert.True(t, ShouldAcceptClientLog("dev", "", "INFO"))
 }
 func TestShouldFilterNoisyClientInfo(t *testing.T) {
 	assert.True(t, ShouldFilterNoisyClientInfo("production", "", "Navigating to /ko/signin"))
 	assert.False(t, ShouldFilterNoisyClientInfo("production", "true", "Navigating to /ko/signin"))
 	assert.False(t, ShouldFilterNoisyClientInfo("dev", "", "Navigating to /ko/signin"))
 }
 func TestSanitizeClientLogData(t *testing.T) {
 	input := map[string]interface{}{
 		"token": "raw-token",
 		"safe":  "ok",
 		"nested": map[string]interface{}{
 			"new_password": "secret-1",
 			"path":         "/ko/profile",
 		},
 		"arr": []interface{}{
 			map[string]interface{}{"authorization": "Bearer abc"},
 			"token=abc123",
 		},
 	}
 	result := SanitizeClientLogData(input)
 	assert.Equal(t, "*****", result["token"])
 	assert.Equal(t, "ok", result["safe"])
 	nested := result["nested"].(map[string]interface{})
 	assert.Equal(t, "*****", nested["new_password"])
 	assert.Equal(t, "/ko/profile", nested["path"])
 	arr := result["arr"].([]interface{})
 	first := arr[0].(map[string]interface{})
 	assert.Equal(t, "*****", first["authorization"])
 	assert.Equal(t, "token=*****", arr[1])
 }
 func TestSanitizeClientLogMessage(t *testing.T) {
 	msg := `FLUTTER_ERROR token=abc123 payload={"password":"hello","safe":"ok"} authorization:BearerX`
 	sanitized := SanitizeClientLogMessage(msg)
 	assert.NotContains(t, sanitized, "abc123")
 	assert.NotContains(t, sanitized, `"password":"hello"`)
 	assert.Contains(t, sanitized, `"password":"*****"`)
 	assert.Contains(t, sanitized, "token=*****")
 	assert.Contains(t, sanitized, "authorization=*****")
 }
--- a/docs/AGENTS.md
+++ b/docs/AGENTS.md
@@ -48,10 +48,19 @@
 - 환경 변수 추가/변경 시
  - `.env.sample` 반영
  - 문서/가이드 갱신
  - 클라이언트 로그 정책 영향 확인 (`CLIENT_LOG_DEBUG`, `USERFRONT_DEBUG_LOG`)
 - 배포/운영 변경 시
  - `Makefile`/compose 실행 절차 영향 확인
  - 최소 Smoke 테스트 수행
  - 로그 수집 레벨이 운영 기본 정책(`WARN/ERROR`)을 유지하는지 확인
 ## 클라이언트 로그 정책
 - 상세 정책은 `docs/client-log-policy.md`를 기준으로 유지합니다.
 - 원칙:
  - 운영 기본값은 `WARN/ERROR`만 수집
  - 운영 디버그는 `CLIENT_LOG_DEBUG=true`로만 일시 허용
  - 민감정보 마스킹은 환경과 무관하게 항상 적용
 ## 테스트 참고
 - 테스트 계획 및 수동 실행 기준은 `docs/test-plan.md`를 따른다.
--- a/docs/client-log-policy.md
+++ b/docs/client-log-policy.md
@@ -0,0 +1,67 @@
 # Client Log Policy
 ## 1. 목적
 - 운영 환경에서 클라이언트 로그를 최소권한으로 수집하고, 민감정보 유출을 방지합니다.
 - 장애 분석이 필요한 경우에만 명시적 디버그 옵션으로 로그 레벨을 확장합니다.
 ## 2. 환경별 수집 정책
 ### 2.1 기준 변수
 - `APP_ENV`
 - `CLIENT_LOG_DEBUG`
 - (UserFront fallback) `USERFRONT_DEBUG_LOG`
 ### 2.2 동작 매트릭스
 - `APP_ENV != production|prod`
  - 클라이언트 로그: `DEBUG/INFO/WARN/ERROR` 수집 허용
 - `APP_ENV == production|prod` AND `CLIENT_LOG_DEBUG` 미설정
  - 클라이언트 로그: `WARN/ERROR`만 수집
  - `INFO` 네비게이션 노이즈 로그는 필터
 - `APP_ENV == production|prod` AND `CLIENT_LOG_DEBUG=true|1|on|yes`
  - 클라이언트 로그: `DEBUG/INFO/WARN/ERROR` 수집 허용
 ## 3. 민감정보 마스킹 규칙
 ### 3.1 Key 기반 마스킹
 아래 키는 값 전체를 `*****`로 치환합니다.
 - `password`, `currentPassword`, `newPassword`, `oldPassword`
 - `token`, `accessToken`, `refreshToken`
 - `secret`, `clientSecret`
 - `authorization`, `cookie`, `setCookie`
 - `verificationCode`, `code`
 - `loginChallenge`, `loginVerifier`
 - `sessionJwt`, `accessJwt`, `refreshJwt`
 ### 3.2 문자열 패턴 마스킹
 메시지 본문에서도 아래 패턴을 마스킹합니다.
 - `token=...`
 - `authorization:...` 또는 `authorization=...`
 - JSON 문자열 내 민감 key/value
 ## 4. 구현 위치
 - Backend
  - 정책/마스킹 로직: `backend/internal/logger/client_log_policy.go`
  - 수집 엔드포인트 적용: `backend/cmd/server/main.go` (`POST /api/v1/client-log`)
 - UserFront
  - 정책/마스킹 로직: `userfront/lib/core/services/log_policy.dart`
  - 로그 출력/전송 정책: `userfront/lib/core/services/logger_service.dart`
  - 전송 직전 마스킹: `userfront/lib/core/services/auth_proxy_service.dart`
 ## 5. 검증
 ### 5.1 Backend
 ```bash
 cd backend
 go test ./internal/logger -count=1
 go test ./cmd/server -count=1
 ```
 ### 5.2 UserFront
 ```bash
 cd userfront
 flutter test test/log_policy_test.dart
 ```
 ## 6. 운영 가이드
 - 운영에서 디버그 로그가 필요하면 `CLIENT_LOG_DEBUG=true`를 명시적으로 설정하고, 이슈 해결 후 즉시 원복합니다.
 - 운영에서도 민감정보 마스킹은 항상 강제되며 비활성화할 수 없습니다.
--- a/userfront/lib/core/services/auth_proxy_service.dart
+++ b/userfront/lib/core/services/auth_proxy_service.dart
@@ -4,6 +4,7 @@ import 'package:flutter_dotenv/flutter_dotenv.dart';
 import 'package:userfront/i18n.dart';
 import 'http_client.dart';
 import 'auth_token_store.dart';
 import 'log_policy.dart';
 class AuthProxyService {
  static String _envOrDefault(String key, String fallback) {
@@ -793,15 +794,29 @@ class AuthProxyService {
    if (!_canSendClientLog()) {
      return;
    }
    final appEnv = _envOrDefault('APP_ENV', 'dev');
    final productionDebugFlag = _envOrDefault(
      'CLIENT_LOG_DEBUG',
      _envOrDefault('USERFRONT_DEBUG_LOG', ''),
    );
    if (!LogPolicy.shouldRelayClientLog(
      level: level,
      appEnv: appEnv,
      productionDebugFlag: productionDebugFlag,
    )) {
      return;
    }
    final url = Uri.parse('$_baseUrl/api/v1/client-log');
    final sanitizedMessage = LogPolicy.sanitizeMessage(message);
    final sanitizedData = data == null ? null : LogPolicy.sanitizeData(data);
    try {
      await http.post(
        url,
        headers: {'Content-Type': 'application/json'},
        body: jsonEncode({
          'level': level,
-          'message': message,
+          'message': sanitizedMessage,
-          if (data != null) 'data': data,
+          if (sanitizedData != null) 'data': sanitizedData,
        }),
      );
      _recordClientLogSuccess();
--- a/userfront/lib/core/services/log_policy.dart
+++ b/userfront/lib/core/services/log_policy.dart
@@ -0,0 +1,123 @@
 class LogPolicy {
  static const Set<String> _sensitiveKeys = {
    'password',
    'currentpassword',
    'newpassword',
    'oldpassword',
    'token',
    'accesstoken',
    'refreshtoken',
    'secret',
    'clientsecret',
    'authorization',
    'cookie',
    'setcookie',
    'verificationcode',
    'code',
    'loginchallenge',
    'loginverifier',
    'sessionjwt',
    'accessjwt',
    'refreshjwt',
  };
  static bool isProductionEnv(String? appEnv) {
    final env = (appEnv ?? '').trim().toLowerCase();
    return env == 'prod' || env == 'production';
  }
  static bool parseBoolFlag(String? raw) {
    final value = (raw ?? '').trim().toLowerCase();
    return value == '1' ||
        value == 'true' ||
        value == 'yes' ||
        value == 'y' ||
        value == 'on';
  }
  static bool debugEnabled({
    required String? appEnv,
    required String? productionDebugFlag,
  }) {
    if (!isProductionEnv(appEnv)) {
      return true;
    }
    return parseBoolFlag(productionDebugFlag);
  }
  static bool shouldRelayClientLog({
    required String level,
    required String? appEnv,
    required String? productionDebugFlag,
  }) {
    if (debugEnabled(
      appEnv: appEnv,
      productionDebugFlag: productionDebugFlag,
    )) {
      return true;
    }
    final normalized = level.trim().toUpperCase();
    return normalized == 'SEVERE' ||
        normalized == 'ERROR' ||
        normalized == 'WARNING' ||
        normalized == 'WARN';
  }
  static String sanitizeMessage(String message) {
    if (message.trim().isEmpty) {
      return message;
    }
    var sanitized = message.replaceAllMapped(
      RegExp(
        r'"(password|currentpassword|newpassword|oldpassword|token|accesstoken|refreshtoken|secret|clientsecret|authorization|cookie|setcookie|verificationcode|code|loginchallenge|loginverifier|sessionjwt|accessjwt|refreshjwt)"\s*:\s*"[^"]*"',
        caseSensitive: false,
      ),
      (match) {
        final key = match.group(1) ?? 'sensitive';
        return '"$key":"*****"';
      },
    );
    sanitized = sanitized.replaceAllMapped(
      RegExp(
        r'\b(password|current_password|currentpassword|new_password|newpassword|old_password|oldpassword|token|access_token|accesstoken|refresh_token|refreshtoken|authorization|cookie|session_jwt|sessionjwt|access_jwt|accessjwt|refresh_jwt|refreshjwt)\b\s*[:=]\s*([^\s,;]+)',
        caseSensitive: false,
      ),
      (match) {
        final key = match.group(1) ?? 'sensitive';
        return '$key=*****';
      },
    );
    return sanitized;
  }
  static Map<String, dynamic> sanitizeData(Map<String, dynamic> input) {
    final output = <String, dynamic>{};
    for (final entry in input.entries) {
      if (_isSensitiveKey(entry.key)) {
        output[entry.key] = '*****';
      } else {
        output[entry.key] = _sanitizeValue(entry.value);
      }
    }
    return output;
  }
  static dynamic _sanitizeValue(dynamic value) {
    if (value is Map<String, dynamic>) {
      return sanitizeData(value);
    }
    if (value is List) {
      return value.map(_sanitizeValue).toList(growable: false);
    }
    if (value is String) {
      return sanitizeMessage(value);
    }
    return value;
  }
  static bool _isSensitiveKey(String key) {
    var normalized = key.trim().toLowerCase();
    normalized = normalized.replaceAll(RegExp(r'[-_.\s]'), '');
    return _sensitiveKeys.contains(normalized);
  }
 }
--- a/userfront/lib/core/services/logger_service.dart
+++ b/userfront/lib/core/services/logger_service.dart
@@ -1,8 +1,10 @@
 import 'dart:convert';
 import 'package:flutter/foundation.dart';
 import 'package:flutter_dotenv/flutter_dotenv.dart';
 import 'package:logging/logging.dart' as std_log;
 import 'package:logger/logger.dart' as pretty_log;
 import 'auth_proxy_service.dart';
 import 'log_policy.dart';
 /// Global Logger Service for Baron SSO Frontend
 class LoggerService {
@@ -10,8 +12,20 @@ class LoggerService {
  factory LoggerService() => _instance;
  late final pretty_log.Logger _prettyLogger;
  late final String _appEnv;
  late final String _productionDebugFlag;
  LoggerService._internal() {
    _appEnv = _envOrDefault('APP_ENV', 'dev');
    _productionDebugFlag = _envOrDefault(
      'CLIENT_LOG_DEBUG',
      _envOrDefault('USERFRONT_DEBUG_LOG', ''),
    );
    final debugEnabled = LogPolicy.debugEnabled(
      appEnv: _appEnv,
      productionDebugFlag: _productionDebugFlag,
    );
    // 1. Initialize Pretty Logger for Dev
    _prettyLogger = pretty_log.Logger(
      printer: pretty_log.PrettyPrinter(
@@ -25,9 +39,9 @@ class LoggerService {
    );
    // 2. Configure Standard Logger (logging package)
-    std_log.Logger.root.level = kReleaseMode
+    std_log.Logger.root.level = debugEnabled
-        ? std_log.Level.WARNING
+        ? std_log.Level.ALL
-        : std_log.Level.ALL;
+        : std_log.Level.WARNING;
    std_log.Logger.root.onRecord.listen((record) {
      if (kReleaseMode) {
@@ -40,6 +54,17 @@ class LoggerService {
    });
  }
  static String _envOrDefault(String key, String fallback) {
    if (!dotenv.isInitialized) {
      return fallback;
    }
    final value = dotenv.env[key];
    if (value == null || value.trim().isEmpty) {
      return fallback;
    }
    return value;
  }
  /// Initialize the logger. Call this in main.dart
  static void init() {
    // Accessing the instance triggers the constructor
@@ -64,10 +89,11 @@ class LoggerService {
  }
  void _logJson(std_log.LogRecord record) {
    final sanitizedMessage = LogPolicy.sanitizeMessage(record.message);
    final logData = {
      'time': record.time.toUtc().toIso8601String(), // Use UTC for consistency
      'level': record.level.name,
-      'msg': record.message,
+      'msg': sanitizedMessage,
      'svc': 'baron-userfront',
      if (record.error != null) 'error': record.error.toString(),
      if (record.stackTrace != null) 'stack': record.stackTrace.toString(),
@@ -77,10 +103,14 @@ class LoggerService {
    debugPrint(jsonEncode(logData));
    // 2. Relay to Backend (Docker Terminal)
-    if (record.level >= std_log.Level.WARNING) {
+    if (LogPolicy.shouldRelayClientLog(
      level: record.level.name,
      appEnv: _appEnv,
      productionDebugFlag: _productionDebugFlag,
    )) {
      AuthProxyService.sendLog(
        record.level.name,
-        record.message,
+        sanitizedMessage,
        data: {
          'client_time': record.time.toUtc().toIso8601String(),
          'logger': record.loggerName,
--- a/userfront/lib/features/auth/presentation/forgot_password_screen.dart
+++ b/userfront/lib/features/auth/presentation/forgot_password_screen.dart
@@ -98,7 +98,10 @@ class _ForgotPasswordScreenState extends State<ForgotPasswordScreen> {
            children: [
              Text(
                tr('ui.userfront.forgot.heading'),
-                style: TextStyle(fontSize: 28, fontWeight: FontWeight.bold),
+                style: const TextStyle(
                  fontSize: 28,
                  fontWeight: FontWeight.bold,
                ),
                textAlign: TextAlign.center,
              ),
              if (_drySendEnabled) ...[
--- a/userfront/lib/features/auth/presentation/login_success_screen.dart
+++ b/userfront/lib/features/auth/presentation/login_success_screen.dart
@@ -23,7 +23,10 @@ class LoginSuccessScreen extends StatelessWidget {
              const SizedBox(height: 24),
              Text(
                tr('ui.userfront.login_success.title'),
-                style: TextStyle(fontSize: 32, fontWeight: FontWeight.bold),
+                style: const TextStyle(
                  fontSize: 32,
                  fontWeight: FontWeight.bold,
                ),
              ),
              const SizedBox(height: 16),
              Text(
--- a/userfront/lib/features/auth/presentation/reset_password_screen.dart
+++ b/userfront/lib/features/auth/presentation/reset_password_screen.dart
@@ -178,7 +178,7 @@ class _ResetPasswordScreenState extends State<ResetPasswordScreen> {
                    children: [
                      Text(
                        tr('ui.userfront.reset.subtitle'),
-                        style: TextStyle(
+                        style: const TextStyle(
                          fontSize: 28,
                          fontWeight: FontWeight.bold,
                        ),
--- a/userfront/lib/features/profile/presentation/pages/profile_page.dart
+++ b/userfront/lib/features/profile/presentation/pages/profile_page.dart
@@ -1,6 +1,7 @@
 import 'package:flutter/material.dart';
 import 'package:flutter_riverpod/flutter_riverpod.dart';
 import 'package:go_router/go_router.dart';
 import 'package:logging/logging.dart';
 import 'package:userfront/i18n.dart';
 import '../../../../core/notifiers/auth_notifier.dart';
 import '../../../../core/i18n/locale_utils.dart';
@@ -22,6 +23,7 @@ class _ProfilePageState extends ConsumerState<ProfilePage> {
  static const _surface = Colors.white;
  static const _border = Color(0xFFE5E7EB);
  static const _subtle = Color(0xFFF7F8FA);
  static final _log = Logger('ProfilePage');
  UserProfile? _cachedProfile;
  String? _editingField;
@@ -65,6 +67,22 @@ class _ProfilePageState extends ConsumerState<ProfilePage> {
    _phoneCodeFocus.addListener(_onPhoneCodeFocusChange);
  }
  void _debugLog(
    String event, {
    String? field,
    String? reason,
    bool? changed,
    bool? hasFocus,
  }) {
    final parts = <String>['event=$event'];
    if (field != null) parts.add('field=$field');
    if (reason != null) parts.add('reason=$reason');
    if (changed != null) parts.add('changed=$changed');
    if (hasFocus != null) parts.add('hasFocus=$hasFocus');
    if (_editingField != null) parts.add('editing=$_editingField');
    _log.fine(parts.join(' '));
  }
  void _onNameFocusChange() {
    if (!mounted) return;
    if (!_nameFocus.hasFocus && _nameTouched) {
@@ -77,6 +95,11 @@ class _ProfilePageState extends ConsumerState<ProfilePage> {
  void _onDepartmentFocusChange() {
    if (!mounted) return;
    _debugLog(
      'department_focus_change',
      field: 'department',
      hasFocus: _departmentFocus.hasFocus,
    );
    if (!_departmentFocus.hasFocus && _departmentTouched) {
      final profile = ref.read(profileProvider).value ?? _cachedProfile;
      if (profile != null) _autoSaveIfEditing(profile, 'department');
@@ -180,6 +203,7 @@ class _ProfilePageState extends ConsumerState<ProfilePage> {
  }
  void _startEditing(String field, UserProfile profile) {
    _debugLog('start_editing', field: field);
    setState(() {
      _editingField = field;
      if (field == 'name') {
@@ -356,12 +380,25 @@ class _ProfilePageState extends ConsumerState<ProfilePage> {
  void _autoSaveIfEditing(UserProfile profile, String field) {
    if (_editingField != field) return;
    if (_skipAutoSaveField == field) {
      _debugLog('autosave_skip', field: field, reason: 'skip_flag');
      _skipAutoSaveField = null;
      return;
    }
-    if (_isVerifying) return;
+    if (_isVerifying) {
-    if (_isSavingField) return;
+      _debugLog('autosave_skip', field: field, reason: 'verifying');
      return;
    }
    if (_isSavingField) {
      _debugLog('autosave_skip', field: field, reason: 'saving_in_flight');
      return;
    }
    if (!_hasFieldChanged(profile, field)) {
      _debugLog(
        'autosave_skip',
        field: field,
        reason: 'unchanged',
        changed: false,
      );
      setState(() {
        if (field == 'phone') {
          _resetPhoneState();
@@ -375,6 +412,7 @@ class _ProfilePageState extends ConsumerState<ProfilePage> {
      });
      return;
    }
    _debugLog('autosave_trigger', field: field, changed: true);
    _saveField(profile);
  }
@@ -412,25 +450,33 @@ class _ProfilePageState extends ConsumerState<ProfilePage> {
  Future<void> _saveField(UserProfile profile) async {
    if (_editingField == null) return;
-    if (_isSavingField) return;
+    if (_isSavingField) {
      _debugLog('save_skip', reason: 'saving_in_flight');
      return;
    }
    final currentField = _editingField!;
-    final nextName = _editingField == 'name'
+    final nextName = currentField == 'name'
        ? _nameController!.text.trim()
        : profile.name;
-    final nextPhone = _editingField == 'phone'
+    final nextPhone = currentField == 'phone'
        ? _phoneController!.text.trim()
        : profile.phone;
-    final nextDepartment = _editingField == 'department'
+    final nextDepartment = currentField == 'department'
        ? _departmentController!.text.trim()
        : profile.department;
-    if (_editingField == 'name' && nextName.isEmpty) {
+    _debugLog('save_attempt', field: currentField);
    if (currentField == 'name' && nextName.isEmpty) {
      _debugLog('save_skip', field: currentField, reason: 'empty_name');
      ScaffoldMessenger.of(context).showSnackBar(
        SnackBar(content: Text(tr('msg.userfront.profile.name_required'))),
      );
      return;
    }
-    if (_editingField == 'department' && nextDepartment.isEmpty) {
+    if (currentField == 'department' && nextDepartment.isEmpty) {
      _debugLog('save_skip', field: currentField, reason: 'empty_department');
      ScaffoldMessenger.of(context).showSnackBar(
        SnackBar(
          content: Text(tr('msg.userfront.profile.department_required')),
@@ -438,14 +484,20 @@ class _ProfilePageState extends ConsumerState<ProfilePage> {
      );
      return;
    }
-    if (_editingField == 'phone') {
+    if (currentField == 'phone') {
      if (nextPhone.isEmpty) {
        _debugLog('save_skip', field: currentField, reason: 'empty_phone');
        ScaffoldMessenger.of(context).showSnackBar(
          SnackBar(content: Text(tr('msg.userfront.profile.phone_required'))),
        );
        return;
      }
      if (_isPhoneChanged && !_isPhoneVerified) {
        _debugLog(
          'save_skip',
          field: currentField,
          reason: 'phone_not_verified',
        );
        ScaffoldMessenger.of(context).showSnackBar(
          SnackBar(
            content: Text(tr('msg.userfront.profile.phone_verify_required')),
@@ -455,7 +507,13 @@ class _ProfilePageState extends ConsumerState<ProfilePage> {
      }
    }
-    if (!_hasFieldChanged(profile, _editingField!)) {
+    if (!_hasFieldChanged(profile, currentField)) {
      _debugLog(
        'save_skip',
        field: currentField,
        reason: 'unchanged',
        changed: false,
      );
      setState(() {
        if (_editingField == 'phone') {
          _resetPhoneState();
@@ -468,6 +526,7 @@ class _ProfilePageState extends ConsumerState<ProfilePage> {
    }
    _isSavingField = true;
    _debugLog('save_dispatch', field: currentField, changed: true);
    try {
      await ref
@@ -479,7 +538,7 @@ class _ProfilePageState extends ConsumerState<ProfilePage> {
          );
      if (mounted) {
        setState(() {
-          if (_editingField == 'phone') {
+          if (currentField == 'phone') {
            _initialPhone = nextPhone;
            _resetPhoneState();
          }
@@ -487,11 +546,13 @@ class _ProfilePageState extends ConsumerState<ProfilePage> {
          _nameTouched = false;
          _departmentTouched = false;
        });
        _debugLog('save_success', field: currentField);
        ScaffoldMessenger.of(context).showSnackBar(
          SnackBar(content: Text(tr('msg.userfront.profile.update_success'))),
        );
      }
    } catch (e) {
      _debugLog('save_failed', field: currentField, reason: e.toString());
      if (mounted) {
        ScaffoldMessenger.of(context).showSnackBar(
          SnackBar(
--- a/userfront/test/log_policy_test.dart
+++ b/userfront/test/log_policy_test.dart
@@ -0,0 +1,114 @@
 import 'package:flutter_test/flutter_test.dart';
 import 'package:userfront/core/services/log_policy.dart';
 void main() {
  group('LogPolicy.debugEnabled', () {
    test('non production enables debug by default', () {
      expect(
        LogPolicy.debugEnabled(appEnv: 'dev', productionDebugFlag: null),
        isTrue,
      );
      expect(
        LogPolicy.debugEnabled(appEnv: 'staging', productionDebugFlag: 'false'),
        isTrue,
      );
    });
    test('production disables debug unless explicitly enabled', () {
      expect(
        LogPolicy.debugEnabled(appEnv: 'production', productionDebugFlag: ''),
        isFalse,
      );
      expect(
        LogPolicy.debugEnabled(
          appEnv: 'production',
          productionDebugFlag: 'true',
        ),
        isTrue,
      );
      expect(
        LogPolicy.debugEnabled(appEnv: 'prod', productionDebugFlag: '1'),
        isTrue,
      );
    });
  });
  group('LogPolicy.shouldRelayClientLog', () {
    test('production default forwards only warning or higher', () {
      expect(
        LogPolicy.shouldRelayClientLog(
          level: 'INFO',
          appEnv: 'production',
          productionDebugFlag: '',
        ),
        isFalse,
      );
      expect(
        LogPolicy.shouldRelayClientLog(
          level: 'WARNING',
          appEnv: 'production',
          productionDebugFlag: '',
        ),
        isTrue,
      );
      expect(
        LogPolicy.shouldRelayClientLog(
          level: 'ERROR',
          appEnv: 'production',
          productionDebugFlag: '',
        ),
        isTrue,
      );
    });
    test('production debug option forwards info logs', () {
      expect(
        LogPolicy.shouldRelayClientLog(
          level: 'INFO',
          appEnv: 'production',
          productionDebugFlag: 'true',
        ),
        isTrue,
      );
    });
  });
  group('LogPolicy.sanitize', () {
    test('sanitizes sensitive message patterns', () {
      const message =
          'token=abc123 payload={"password":"hello","safe":"ok"} authorization:BearerXYZ';
      final sanitized = LogPolicy.sanitizeMessage(message);
      expect(sanitized, isNot(contains('abc123')));
      expect(sanitized, contains('token=*****'));
      expect(sanitized, contains('"password":"*****"'));
      expect(sanitized, contains('authorization=*****'));
    });
    test('sanitizes nested sensitive keys', () {
      final data = <String, dynamic>{
        'token': 'tok',
        'ok': 'value',
        'nested': {'new_password': 'pw', 'safe': 'x'},
        'arr': [
          {'authorization': 'Bearer secret'},
          'cookie=session=raw',
        ],
      };
      final sanitized = LogPolicy.sanitizeData(data);
      expect(sanitized['token'], '*****');
      expect(sanitized['ok'], 'value');
      expect(
        (sanitized['nested'] as Map<String, dynamic>)['new_password'],
        '*****',
      );
      expect((sanitized['nested'] as Map<String, dynamic>)['safe'], 'x');
      expect(
        ((sanitized['arr'] as List).first
            as Map<String, dynamic>)['authorization'],
        '*****',
      );
      expect((sanitized['arr'] as List)[1], 'cookie=*****');
    });
  });
 }