fix(security): prevent credential exposure in logs (#167)

- Truncate access key to first/last 4 chars in DEBUG logs (P2-001)
- Add _sanitize_headers() to redact Authorization, x-amz-security-token,
  and x-amz-date values in debug logs (P2-002)
- Add comprehensive unit tests for header sanitization

Security: Prevents credential leakage in log files, monitoring systems,
and log aggregation where DEBUG level may be enabled for troubleshooting.

Author: DennisTraub

mcp_proxy_for_aws/sigv4_helper.py

@@ -27,6 +27,21 @@
 
 logger = logging.getLogger(__name__)
 
+# Headers that should be redacted when logging to prevent credential exposure
+SENSITIVE_HEADERS = frozenset({'authorization', 'x-amz-security-token', 'x-amz-date'})
+
+
+def _sanitize_headers(headers: Dict[str, str]) -> Dict[str, str]:
+    """Redact sensitive header values for safe logging.
+
+    Args:
+        headers: Dictionary of HTTP headers
+
+    Returns:
+        Dictionary with sensitive values replaced by '[REDACTED]'
+    """
+    return {k: '[REDACTED]' if k.lower() in SENSITIVE_HEADERS else v for k, v in headers.items()}
+
 
 class SigV4HTTPXAuth(httpx.Auth):
     """HTTPX Auth class that signs requests with AWS SigV4."""
@@ -236,7 +251,11 @@ async def _sign_request_hook(
 
     # Get AWS credentials from the session
     credentials = session.get_credentials()
-    logger.info('Signing request with credentials for access key: %s', credentials.access_key)
+    logger.debug(
+        'Signing request with credentials for access key: %s...%s',
+        credentials.access_key[:4],
+        credentials.access_key[-4:],
+    )
 
     # Create SigV4 auth and use its signing logic
     auth = SigV4HTTPXAuth(credentials, service, region)
@@ -245,7 +264,7 @@ async def _sign_request_hook(
     auth_flow = auth.auth_flow(request)
     next(auth_flow)  # Execute the generator to perform signing
 
-    logger.debug('Request headers after signing: %s', request.headers)
+    logger.debug('Request headers after signing: %s', _sanitize_headers(dict(request.headers)))
 
 
 async def _inject_metadata_hook(metadata: Dict[str, Any], request: httpx.Request) -> None:

tests/unit/test_sigv4_helper.py

@@ -17,7 +17,9 @@
 import httpx
 import pytest
 from mcp_proxy_for_aws.sigv4_helper import (
+    SENSITIVE_HEADERS,
     SigV4HTTPXAuth,
+    _sanitize_headers,
     create_aws_session,
     create_sigv4_client,
 )
@@ -254,3 +256,77 @@ def test_create_sigv4_client_with_prompt_context(self, mock_client_class, mock_c
         assert len(call_args[1]['event_hooks']['response']) == 1
 
         assert result == mock_client
+
+
+class TestSanitizeHeaders:
+    """Test cases for the _sanitize_headers function."""
+
+    def test_sanitize_headers_redacts_authorization(self):
+        """Test that Authorization header is redacted."""
+        headers = {
+            'Authorization': 'AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/...',
+            'Content-Type': 'application/json',
+        }
+        result = _sanitize_headers(headers)
+
+        assert result['Authorization'] == '[REDACTED]'
+        assert result['Content-Type'] == 'application/json'
+
+    def test_sanitize_headers_redacts_security_token(self):
+        """Test that x-amz-security-token header is redacted."""
+        headers = {
+            'x-amz-security-token': 'FwoGZXIvYXdzEBYaDK...',
+            'Host': 'example.com',
+        }
+        result = _sanitize_headers(headers)
+
+        assert result['x-amz-security-token'] == '[REDACTED]'
+        assert result['Host'] == 'example.com'
+
+    def test_sanitize_headers_redacts_amz_date(self):
+        """Test that x-amz-date header is redacted."""
+        headers = {
+            'X-Amz-Date': '20260206T120000Z',
+            'Accept': 'application/json',
+        }
+        result = _sanitize_headers(headers)
+
+        assert result['X-Amz-Date'] == '[REDACTED]'
+        assert result['Accept'] == 'application/json'
+
+    def test_sanitize_headers_case_insensitive(self):
+        """Test that header matching is case-insensitive."""
+        headers = {
+            'AUTHORIZATION': 'secret',
+            'X-AMZ-SECURITY-TOKEN': 'secret',
+            'x-amz-date': 'secret',
+        }
+        result = _sanitize_headers(headers)
+
+        assert result['AUTHORIZATION'] == '[REDACTED]'
+        assert result['X-AMZ-SECURITY-TOKEN'] == '[REDACTED]'
+        assert result['x-amz-date'] == '[REDACTED]'
+
+    def test_sanitize_headers_preserves_non_sensitive(self):
+        """Test that non-sensitive headers are preserved."""
+        headers = {
+            'Content-Type': 'application/json',
+            'Content-Length': '123',
+            'Host': 'example.amazonaws.com',
+            'User-Agent': 'test-client/1.0',
+        }
+        result = _sanitize_headers(headers)
+
+        assert result == headers
+
+    def test_sanitize_headers_empty_dict(self):
+        """Test handling of empty headers dictionary."""
+        result = _sanitize_headers({})
+        assert result == {}
+
+    def test_sensitive_headers_constant_is_frozen(self):
+        """Test that SENSITIVE_HEADERS is immutable."""
+        assert isinstance(SENSITIVE_HEADERS, frozenset)
+        assert 'authorization' in SENSITIVE_HEADERS
+        assert 'x-amz-security-token' in SENSITIVE_HEADERS
+        assert 'x-amz-date' in SENSITIVE_HEADERS