unworked validation sweep: close task-057 minor findings

Address 18 of 25 minor findings on the credential-redaction operator<<
work (TASK-057); 7 acknowledged-no-action per reviewer guidance:

http_request.cpp cleanups
- Hoist iequal_ascii out of is_authorization_header_key into a file-scope
  helper reusing http::http_header_toupper, so the case-fold matches the
  rule header_view_map orders keys by.
- Unify dump_header_map_redacted and dump_cookie_map_redacted onto a
  shared dump_map_redacted template parameterised by a ValueFor predicate.
- Hoist pass_out into std::string_view to drop the redact-path std::string
  temporary.
- Document the HAVE_BAUTH-off / HAVE_DAUTH-off shape in dump_cookie_map_redacted.

Tests (http_request_operator_stream_test.cpp)
- Add operator_stream_no_credentials edge-case test.
- Pin "query args are never redacted" with .arg("page","2") + assertion.
- Pin Footer redaction with .footer("Authorization","Bearer footertoken").
- Split the brittle nested-quote Proxy-Authorization assertion into two
  observable-property checks.

Docs and specs
- Add @warning block to operator<< Doxygen repeating the query-arg
  verbatim-emission caveat.
- Add WARNING comment above the DEBUG-only body emit in
  webserver_body_pipeline.cpp calling out the form-body credential risk.
- Reinforce development-only intent on create_test_request setter.
- Remove digested_pass from RELEASE_NOTES and v2-deferred-backlog-plan
  (there was never such a field on the operator<< stream).
- Add §5.2.1 Diagnostic redaction to 05-cross-cutting.md and an
  expose_credentials_in_logs paragraph to the create-webserver
  component spec, mirroring expose_exception_messages.

Tested
- http_request_operator_stream: 3 tests / 24 checks pass.
- http_request_arena: 8 tests / 21 checks pass.
- libhttpserver.la rebuilds clean.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: etr

RELEASE_NOTES.md

@@ -211,14 +211,15 @@ and see the v2 replacement.
   they want.
 - **`http_request::operator<<` redacts credentials by default.**
   v1 (and earlier v2 builds) emitted `pass:"<plaintext>"`,
-  `digested_pass:"<plaintext>"`, `Authorization`/`Proxy-Authorization`
-  header values, and cookie values verbatim into diagnostic output,
-  leaking every credential into any log aggregation pipeline that
-  captures operator-stream dumps (CWE-312, CWE-532, OWASP A09:2021).
-  v2.0 replaces those fields with the fixed token `<redacted>` in the
-  default stream output. To restore the v1 verbose form for local
-  development, call `.expose_credentials_in_logs(true)` on the
-  `create_webserver` builder — this flag is intended for development
+  `Authorization`/`Proxy-Authorization` header values, and cookie values
+  verbatim into diagnostic output, leaking every credential into any
+  log aggregation pipeline that captures operator-stream dumps
+  (CWE-312, CWE-532, OWASP A09:2021). Digest credentials are protected
+  through the same Authorization-header path (there was never a separate
+  `digested_pass` emit field). v2.0 replaces those fields with the fixed
+  token `<redacted>` in the default stream output. To restore the v1
+  verbose form for local development, call `.expose_credentials_in_logs(true)`
+  on the `create_webserver` builder — this flag is intended for development
   only and must not be set in production deployments.
 
 ## Threading

specs/architecture/04-components/create-webserver.md

@@ -22,6 +22,16 @@ removed after the next release. Rationale: completes the
 PRD-RSP-REQ-007 value-typed response cutover (DR-009) onto the auth
 path, removing the per-authenticated-request control-block allocation.
 
+**`expose_credentials_in_logs` (TASK-057).** Security-opt-in builder
+setter that propagates to every `http_request` the webserver dispatches.
+Default `false` suppresses credential surfaces in `http_request::operator<<`
+(Basic-auth `pass`, `Authorization`/`Proxy-Authorization` headers and
+footers, cookie values) by emitting the fixed token `<redacted>`
+(CWE-312 / CWE-532). Setting `true` restores the v1 verbose form for
+local development; the flag must not be set in production. Shape
+mirrors `expose_exception_messages` (see §5.2.1 for the cross-cutting
+contract).
+
 **Related requirements:** PRD-CFG-REQ-001..004, PRD-RSP-REQ-007.
 
 ---

specs/architecture/05-cross-cutting.md

@@ -24,6 +24,10 @@
 5. `feature_unavailable` is a normal `std::runtime_error`; no special status mapping. Users who care translate it explicitly.
 6. There is no throw-as-status idiom. Users wanting 404/400/etc. construct the response by value: `return http_response::empty().with_status(404);`.
 
+#### 5.2.1 Diagnostic redaction (TASK-057)
+
+`http_request::operator<<` redacts credential material by default (CWE-312 / CWE-532): the Basic-auth `pass` field, `Authorization` and `Proxy-Authorization` header/footer values (case-insensitive), and every cookie value are replaced with the fixed token `<redacted>`. The username (REMOTE_USER) and query-string arguments are emitted verbatim. The v1 verbose-everything behaviour is opt-in for development via `create_webserver::expose_credentials_in_logs(true)` — the same security opt-in shape as `expose_exception_messages` above.
+
 ### 5.3 Memory and allocation hot paths
 
 | Object | Allocations per instance | Notes |

specs/tasks/v2-deferred-backlog-plan.md

@@ -305,8 +305,10 @@ aggregation pipeline.
 
 **Action Items:**
 - [x] Replace the literal password emission with a fixed redaction token
-  (`pass:"<redacted>"`). Same treatment for `digested_pass` and any
-  other authentication secret on the stream.
+  (`pass:"<redacted>"`). Digest credentials are protected via
+  case-insensitive redaction of `Authorization` / `Proxy-Authorization`
+  header values (and footers) — there is no separate `digested_pass`
+  emit field in the operator stream.
 - [x] Add an opt-in `webserver_builder.expose_credentials_in_logs(true)`
   flag for the rare developer who needs the verbose form locally.
 - [x] Update Doxygen on the operator to call out the redaction policy.

specs/unworked_review_issues/2026-05-30_235001_task-057.md

@@ -197,6 +197,13 @@ MHD_Result webserver_impl::requests_answer_second_step(MHD_Connection* connectio
     }
 
 #ifdef DEBUG
+    // WARNING (TASK-057): this emits the raw request body to stdout.
+    // If a client posts credentials in a form body
+    // (`application/x-www-form-urlencoded` with a `password=` field) or
+    // raw Basic-auth bytes, those values will appear verbatim in the
+    // debug stream. Must remain guarded by `#ifdef DEBUG` and must not
+    // be widened to release builds; the operator<< redaction policy
+    // does NOT cover this code path.
     std::cout << "Writing content: " << std::string(upload_data, *upload_data_size) << std::endl;
 #endif  // DEBUG
     // The post iterator is only created from the libmicrohttpd for content of type

src/detail/webserver_body_pipeline.cpp

@@ -368,61 +368,69 @@ void http_request::set_expose_credentials_in_logs(bool v) {
 
 namespace {
 
+constexpr std::string_view kRedacted = "<redacted>";
+
+// Case-insensitive equality on ASCII bytes, reusing http_header_toupper
+// so the casing rule stays in lock-step with http::header_comparator
+// (which is what header_view_map orders keys by).
+bool iequal_ascii(std::string_view a, std::string_view b) noexcept {
+    if (a.size() != b.size()) return false;
+    return std::equal(a.begin(), a.end(), b.begin(),
+        [](char x, char y) {
+            return http::http_header_toupper(x) == http::http_header_toupper(y);
+        });
+}
+
 // TASK-057: Authorization-class header names whose values carry
 // credential material (Basic / Digest / Bearer payloads). Matched
 // case-insensitively against the keys in the Headers / Footers maps
 // so that the redaction policy is robust to header-case variation.
 bool is_authorization_header_key(std::string_view key) noexcept {
     constexpr std::string_view kAuth = "Authorization";
     constexpr std::string_view kProxyAuth = "Proxy-Authorization";
-    if (key.size() != kAuth.size() && key.size() != kProxyAuth.size()) {
-        return false;
+    return iequal_ascii(key, kAuth) || iequal_ascii(key, kProxyAuth);
+}
+
+// TASK-057: shared redaction-aware dumper for the Headers, Footers, and
+// Cookies maps. ValueFor lets the caller decide per-entry whether to emit
+// the original value or the fixed redaction token, so the stream-output
+// boilerplate (empty-guard, prefix line, key/quote framing) lives in
+// exactly one place and cannot drift between sections. The prefix type
+// matches http::dump_header_map so all three helpers share one function-
+// pointer signature in operator<<.
+template <typename ValueFor>
+void dump_map_redacted(std::ostream& os, const std::string& prefix,
+                       const http::header_view_map& map,
+                       ValueFor value_for) {
+    if (map.empty()) return;
+    os << "    " << prefix << " [";
+    for (const auto& kv : map) {
+        os << kv.first << ":\"" << value_for(kv) << "\" ";
     }
-    auto ieq = [](std::string_view a, std::string_view b) noexcept {
-        if (a.size() != b.size()) return false;
-        for (std::size_t i = 0; i < a.size(); ++i) {
-            const unsigned char ca = static_cast<unsigned char>(a[i]);
-            const unsigned char cb = static_cast<unsigned char>(b[i]);
-            if (std::tolower(ca) != std::tolower(cb)) return false;
-        }
-        return true;
-    };
-    return ieq(key, kAuth) || ieq(key, kProxyAuth);
+    os << "]" << std::endl;
 }
 
-constexpr std::string_view kRedacted = "<redacted>";
-
 // TASK-057: emit a Headers/Footers map with Authorization-class header
 // values replaced by the fixed redaction token. Mirrors the wire shape
 // of http::dump_header_map(header_view_map) for non-authorization
 // entries so the on-the-wire diagnostic format is unchanged.
 void dump_header_map_redacted(std::ostream& os, const std::string& prefix,
                               const http::header_view_map& map) {
-    if (map.empty()) return;
-    os << "    " << prefix << " [";
-    for (const auto& kv : map) {
-        os << kv.first << ":\"";
-        if (is_authorization_header_key(kv.first)) {
-            os << kRedacted;
-        } else {
-            os << kv.second;
-        }
-        os << "\" ";
-    }
-    os << "]" << std::endl;
+    dump_map_redacted(os, prefix, map, [](const auto& kv) -> std::string_view {
+        return is_authorization_header_key(kv.first) ? kRedacted : kv.second;
+    });
 }
 
 // TASK-057: cookie values are credential material by default (session
 // IDs, CSRF tokens, JWTs); redaction is unconditional on the keys
-// (which remain visible for log triage).
+// (which remain visible for log triage). On HAVE_BAUTH-off / HAVE_DAUTH-off
+// builds the pass and digested-user surfaces are absent by construction,
+// so the redaction policy only meaningfully acts on Authorization headers
+// and cookies on those configurations.
 void dump_cookie_map_redacted(std::ostream& os, const std::string& prefix,
                               const http::header_view_map& map) {
-    if (map.empty()) return;
-    os << "    " << prefix << " [";
-    for (const auto& kv : map) {
-        os << kv.first << ":\"" << kRedacted << "\" ";
-    }
-    os << "]" << std::endl;
+    dump_map_redacted(os, prefix, map,
+                      [](const auto&) -> std::string_view { return kRedacted; });
 }
 
 }  // namespace
@@ -437,9 +445,12 @@ std::ostream& operator<< (std::ostream& os, const http_request& r) {
         ? static_cast<header_dumper>(&http::dump_header_map)
         : &dump_cookie_map_redacted;
 
+    const std::string_view pass_out = expose
+        ? std::string_view(r.get_pass())
+        : kRedacted;
     os << r.get_method() << " Request ["
        << "user:\"" << r.get_user() << "\" "
-       << "pass:\"" << (expose ? r.get_pass() : std::string(kRedacted)) << "\""
+       << "pass:\"" << pass_out << "\""
        << "] path:\"" << r.get_path() << "\"" << std::endl;
 
     dump_headers(os, "Headers", r.get_headers());

src/http_request.cpp

@@ -123,7 +123,11 @@ class create_test_request {
     // TASK-057: opt out of the default credential-redaction policy in
     // http_request::operator<<. Mirrors the webserver-side builder
     // setter @ref create_webserver::expose_credentials_in_logs for the
-    // unit-test scope (no webserver construction).
+    // unit-test scope (no webserver construction). The no-argument form
+    // (`expose_credentials_in_logs()`) is shorthand for `enable=true`
+    // and must not appear outside test scope — it reinforces the
+    // development-only intent without forcing callers to type the
+    // boolean argument.
     create_test_request& expose_credentials_in_logs(bool enable = true) {
         _expose_credentials_in_logs = enable;
         return *this;

src/httpserver/create_test_request.hpp

@@ -570,6 +570,13 @@ class http_request {
  *          header, and every cookie/session token in plaintext to
  *          anyone with read access to the log store. Guard with
  *          `#ifndef NDEBUG` or an explicit environment check.
+ *
+ * @warning Query-string arguments — including any `?token=...`,
+ *          `?api_key=...`, or other credential-bearing parameters —
+ *          are emitted verbatim regardless of the
+ *          `expose_credentials_in_logs` flag. Avoid routing credential
+ *          material through query strings, or strip the offending
+ *          parameters before the request reaches any logging path.
  */
 std::ostream &operator<< (std::ostream &os, const http_request &r);
 

src/httpserver/http_request.hpp

@@ -52,8 +52,10 @@ LT_BEGIN_AUTO_TEST(http_request_operator_stream_suite, operator_stream_redacts_c
         .pass("hunter2")
         .header("Authorization", "Basic YWRtaW46aHVudGVyMg==")
         .header("Proxy-Authorization", "Digest username=\"admin\", response=\"deadbeef\"")
+        .footer("Authorization", "Bearer footertoken")
         .cookie("session", "session-token-cafef00d")
         .cookie("csrf", "csrf-token-abad1dea")
+        .arg("page", "2")
         .build();
 
     std::ostringstream oss;
@@ -74,11 +76,19 @@ LT_BEGIN_AUTO_TEST(http_request_operator_stream_suite, operator_stream_redacts_c
     LT_CHECK(out.find("YWRtaW46aHVudGVyMg==") == std::string::npos);
     LT_CHECK(out.find("deadbeef") == std::string::npos);
 
+    // Footer Authorization values share the header redaction path.
+    LT_CHECK(out.find("footertoken") == std::string::npos);
+
     // Every cookie value must be redacted; cookie keys remain visible.
     LT_CHECK(out.find("session:\"<redacted>\"") != std::string::npos);
     LT_CHECK(out.find("csrf:\"<redacted>\"") != std::string::npos);
     LT_CHECK(out.find("session-token-cafef00d") == std::string::npos);
     LT_CHECK(out.find("csrf-token-abad1dea") == std::string::npos);
+
+    // Query-string arguments are streamed verbatim regardless of the
+    // expose flag — guards against accidental over-redaction in the
+    // Args section if the operator<< body is ever refactored.
+    LT_CHECK(out.find("page") != std::string::npos);
 LT_END_AUTO_TEST(operator_stream_redacts_credentials)
 
 // TASK-057 — Acceptance: opt-in flag (development-only) restores the
@@ -102,7 +112,12 @@ LT_BEGIN_AUTO_TEST(http_request_operator_stream_suite, operator_stream_exposes_c
     // Verbose v1 form: every credential surface is streamed plaintext.
     LT_CHECK(out.find("pass:\"hunter2\"") != std::string::npos);
     LT_CHECK(out.find("Authorization:\"Basic YWRtaW46aHVudGVyMg==\"") != std::string::npos);
-    LT_CHECK(out.find("Proxy-Authorization:\"Digest username=\"admin\", response=\"deadbeef\"\"") != std::string::npos);
+    // Asserting on the exact nested-quote serialisation would couple
+    // the test to the quoting strategy. Check the observable security
+    // property instead: the key is present and the credential payload
+    // is streamed verbatim.
+    LT_CHECK(out.find("Proxy-Authorization:") != std::string::npos);
+    LT_CHECK(out.find("deadbeef") != std::string::npos);
     LT_CHECK(out.find("session:\"session-token-cafef00d\"") != std::string::npos);
     LT_CHECK(out.find("csrf:\"csrf-token-abad1dea\"") != std::string::npos);
 
@@ -111,6 +126,34 @@ LT_BEGIN_AUTO_TEST(http_request_operator_stream_suite, operator_stream_exposes_c
     LT_CHECK(out.find("<redacted>") == std::string::npos);
 LT_END_AUTO_TEST(operator_stream_exposes_credentials_when_opted_in)
 
+// TASK-057 — Edge case: the no-credentials request still emits the
+// `pass:"<redacted>"` token (because the field is unconditional), but
+// no Cookies section appears (the redacted dumper short-circuits on
+// empty maps) and no header value collides with the redaction token.
+LT_BEGIN_AUTO_TEST(http_request_operator_stream_suite, operator_stream_no_credentials)
+    auto req = create_test_request()
+        .method("GET")
+        .path("/health")
+        .build();
+
+    std::ostringstream oss;
+    oss << req;
+    const std::string out = oss.str();
+
+    // The pass field always emits, even when no Basic-auth password was
+    // set, so callers can rely on a uniform shape.
+    LT_CHECK(out.find("pass:\"<redacted>\"") != std::string::npos);
+
+    // Empty cookie and footer maps must NOT cause a stray `<redacted>`
+    // entry to appear in any section.
+    LT_CHECK(out.find("Cookies") == std::string::npos);
+    LT_CHECK(out.find("Footers") == std::string::npos);
+
+    // Placeholder secrets from the populated-request tests must not
+    // leak in via shared state or test-runner residue.
+    LT_CHECK(out.find("hunter2") == std::string::npos);
+LT_END_AUTO_TEST(operator_stream_no_credentials)
+
 LT_BEGIN_AUTO_TEST_ENV()
     AUTORUN_TESTS()
 LT_END_AUTO_TEST_ENV()