docs: sync planning and code review docs to main

adriannoes · adriannoes · commit b394921a8397 · 2026-01-28T22:29:42.000-03:00
- v1.0.0: add integration test plan for sanitization (Task 1.1.6), Sprint P1 DoD - v0.5.0: task list, roadmap, S4/S5 detailed tasks - code-review: sprint-s4-code-review, sprint-s5-code-review (recommendation #2 documented for v1.0.0) - prd: v1-roadmap updates
diff --git a/.cursor/dev-planning/tasks/v1.0.0/tasks-v1.0.0-roadmap.md b/.cursor/dev-planning/tasks/v1.0.0/tasks-v1.0.0-roadmap.md
@@ -26,7 +26,8 @@
 
 - [ ] 1.1 Implement log sanitization
   - Issue: [#12](https://github.com/adriannoes/asap-protocol/issues/12)
-  - Goal: Redact tokens/secrets from logs, add debug mode
+  - Goal: Redact tokens/secrets from logs, add debug mode, integration tests for production scenarios
+  - Note: v0.5.0 delivered basic sanitization (unit tests); v1.0.0 adds debug mode + E2E validation
   - Details: [Security Detailed - Task 1.1](./tasks-v1.0.0-security-detailed.md#task-11-implement-log-sanitization)
 
 - [ ] 1.2 Add handler security documentation
@@ -39,7 +40,8 @@
 
 ### Definition of Done
 - [ ] Tokens/secrets redacted from logs
-- [ ] Debug mode working
+- [ ] Debug mode working (ASAP_DEBUG env var)
+- [ ] Integration tests validate sanitization in E2E scenarios (auth fail, nonce replay, connection errors)
 - [ ] Path traversal detection working
 - [ ] Test coverage >95%
 - [ ] Issue #12 closed
diff --git a/.cursor/dev-planning/tasks/v1.0.0/tasks-v1.0.0-security-detailed.md b/.cursor/dev-planning/tasks/v1.0.0/tasks-v1.0.0-security-detailed.md
@@ -56,7 +56,18 @@
   - Test: Non-sensitive preserved
   - Test: Debug mode shows all
 
-- [ ] 1.1.6 Commit
+- [ ] 1.1.6 Add integration tests for sanitization in production-like scenarios
+  - **Context**: v0.5.0 implemented basic sanitization (sanitize_token, sanitize_nonce, sanitize_url) with comprehensive unit tests (19 tests, 100% coverage). This task adds E2E validation in realistic scenarios.
+  - File: `tests/observability/test_logging_integration.py` (NEW)
+  - Test: Auth failure logs show `Bearer sk_live_...` not full token
+  - Test: Nonce replay logs show `01HXA...` not full nonce
+  - Test: Client connection failure logs show `https://user:***@...` not password
+  - Test: Debug mode logs full data, production mode sanitizes
+  - Setup: Real server with structlog, capture logs, assert on log strings
+  - Rationale: Validates sanitization works in full request/response cycle, catches edge cases missed by unit tests
+  - **Note**: v0.5.0 unit tests sufficient for release; integration tests justify effort when observability is complete
+
+- [ ] 1.1.7 Commit
   - Command: `git commit -m "feat(observability): add log sanitization for sensitive data"`
   - Close issue #12
 
