@sun-asterisk/sunlint 1.3.48 → 1.3.49

package/skill-assets/sunlint-code-quality/rules/go-gin/GN005-route-groups-middleware.md

@@ -0,0 +1,71 @@
+---
+title: "GN005 – Group Routes and Apply Middleware at Group Level"
+impact: medium
+impactDescription: "Registering middleware per-route duplicates code and makes it easy to miss a route; group-level middleware is exhaustive by design."
+tags: [go, gin, routing, middleware]
+---
+
+# GN005 – Group Routes and Apply Middleware at Group Level
+
+## Rule
+
+Use `router.Group()` to organise routes by prefix and protection level. Apply authentication, logging, and rate-limiting middleware to the group — not individual routes.
+
+## Why
+
+Per-route middleware registration (`r.GET("/users", authMiddleware, handler)`) requires the developer to remember to add middleware to every new route. A missed route is a security hole. Group-level middleware is applied to all current and future routes in the group automatically.
+
+## Wrong
+
+```go
+r := gin.Default()
+
+// ❌ Auth repeated on every route — easy to miss
+r.GET("/users",         authMiddleware, userHandler.List)
+r.POST("/users",        authMiddleware, userHandler.Create)
+r.PUT("/users/:id",     authMiddleware, userHandler.Update)
+r.DELETE("/users/:id",  authMiddleware, userHandler.Delete)   // ❌ forgot auth on DELETE
+
+// ❌ Mixed public and protected routes without groups — hard to audit
+r.GET("/products", productHandler.List)
+r.POST("/products", authMiddleware, adminMiddleware, productHandler.Create)
+```
+
+## Correct
+
+```go
+r := gin.New()
+r.Use(gin.Recovery(), requestLogger())   // global middleware
+
+// Public routes — no auth
+public := r.Group("/api/v1")
+{
+    public.POST("/auth/login", authHandler.Login)
+    public.POST("/auth/register", authHandler.Register)
+    public.GET("/products", productHandler.List)
+}
+
+// Authenticated routes
+authenticated := r.Group("/api/v1")
+authenticated.Use(authMiddleware())
+{
+    authenticated.GET("/users/me", userHandler.Profile)
+    authenticated.PUT("/users/me", userHandler.Update)
+    authenticated.GET("/orders", orderHandler.List)
+    authenticated.POST("/orders", orderHandler.Create)
+}
+
+// Admin-only routes
+admin := r.Group("/api/v1/admin")
+admin.Use(authMiddleware(), adminMiddleware())
+{
+    admin.GET("/users", adminUserHandler.List)
+    admin.DELETE("/users/:id", adminUserHandler.Delete)
+}
+```
+
+## Notes
+
+- Use curly braces `{}` inside `Group()` to make the scope visually clear (they're just Go blocks, not syntactically required).
+- Apply rate limiting at the group level for public endpoints to prevent brute force on `/auth/login`.
+- Version your API with a group: `r.Group("/api/v1")` makes future versioning (`/api/v2`) straightforward.

package/skill-assets/sunlint-code-quality/rules/go-gin/GN006-http-status-codes.md

@@ -0,0 +1,91 @@
+---
+title: "GN006 – Return Correct HTTP Status Codes"
+impact: medium
+impactDescription: "Returning 200 for all responses breaks API clients, hides errors in monitoring, and makes retry logic impossible."
+tags: [go, gin, api, http]
+---
+
+# GN006 – Return Correct HTTP Status Codes
+
+## Rule
+
+Always pass the correct HTTP status code to `c.JSON()`, `c.AbortWithStatusJSON()`, and `c.Status()`. Never return `200 OK` for errors, resource creation, or empty responses.
+
+## Why
+
+HTTP semantics are the contract between your API and its clients. A `200` with `{"error": "not found"}` is invisible to load balancers, monitoring tools, and client SDKs. Correct status codes enable automatic retry logic, circuit breakers, and accurate error dashboards.
+
+## Wrong
+
+```go
+func (h *UserHandler) Create(c *gin.Context) {
+    // ...
+    user, err := h.service.CreateUser(ctx, req)
+    if err != nil {
+        c.JSON(200, gin.H{"error": err.Error()})   // ❌ success code + error body
+        return
+    }
+    c.JSON(200, user)   // ❌ should be 201 for newly created resource
+}
+
+func (h *UserHandler) Delete(c *gin.Context) {
+    h.service.DeleteUser(ctx, id)
+    c.JSON(200, gin.H{"message": "deleted"})   // ❌ should be 204 with no body
+}
+```
+
+## Correct
+
+```go
+import "net/http"
+
+func (h *UserHandler) Create(c *gin.Context) {
+    var req CreateUserRequest
+    if err := c.ShouldBindJSON(&req); err != nil {
+        c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"error": err.Error()})  // 400
+        return
+    }
+    user, err := h.service.CreateUser(c.Request.Context(), req)
+    if err != nil {
+        c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"error": "creation failed"})  // 500
+        return
+    }
+    c.JSON(http.StatusCreated, user)   // 201 ✅
+}
+
+func (h *UserHandler) GetUser(c *gin.Context) {
+    user, err := h.service.FindUserByID(c.Request.Context(), c.Param("id"))
+    if errors.Is(err, ErrNotFound) {
+        c.AbortWithStatusJSON(http.StatusNotFound, gin.H{"error": "user not found"})  // 404
+        return
+    }
+    c.JSON(http.StatusOK, user)   // 200
+}
+
+func (h *UserHandler) Delete(c *gin.Context) {
+    if err := h.service.DeleteUser(c.Request.Context(), c.Param("id")); err != nil {
+        c.AbortWithStatusJSON(http.StatusNotFound, gin.H{"error": "not found"})  // 404
+        return
+    }
+    c.Status(http.StatusNoContent)   // 204, no body ✅
+}
+```
+
+## Status code reference
+
+| Scenario | Code | Constant |
+|---|---|---|
+| Read success | 200 | `http.StatusOK` |
+| Create success | 201 | `http.StatusCreated` |
+| Delete / no body | 204 | `http.StatusNoContent` |
+| Validation failed | 400 | `http.StatusBadRequest` |
+| Not authenticated | 401 | `http.StatusUnauthorized` |
+| Not authorized | 403 | `http.StatusForbidden` |
+| Not found | 404 | `http.StatusNotFound` |
+| Business rule violation | 422 | `http.StatusUnprocessableEntity` |
+| Rate limited | 429 | `http.StatusTooManyRequests` |
+
+## Notes
+
+- Use `net/http` constants — never magic numbers like `c.JSON(201, ...)`.
+- Map service-layer sentinel errors (e.g. `ErrNotFound`, `ErrConflict`) to status codes in a central error-mapping function.

package/skill-assets/sunlint-code-quality/rules/go-gin/GN007-release-mode.md

@@ -0,0 +1,64 @@
+---
+title: "GN007 – Set gin.ReleaseMode in Production"
+impact: medium
+impactDescription: "The default gin.DebugMode prints every registered route and request detail to stdout, leaking your API surface and increasing log noise in production."
+tags: [go, gin, security, configuration]
+---
+
+# GN007 – Set `gin.ReleaseMode` in Production
+
+## Rule
+
+Set `gin.SetMode(gin.ReleaseMode)` before calling `gin.New()` or `gin.Default()` in production builds. Read the mode from an environment variable so it can differ between environments.
+
+## Why
+
+Debug mode outputs all routes on startup and logs detailed request info. In production this:
+- Leaks your API surface to anyone with log access.
+- Adds unnecessary CPU cost for string formatting.
+- Makes it harder to find meaningful log entries.
+
+## Wrong
+
+```go
+// main.go — mode not set, defaults to DebugMode
+func main() {
+    r := gin.Default()          // ❌ runs in debug mode, dumps all routes to stdout
+    r.GET("/internal/admin", adminHandler)  // ❌ exposed in startup log
+    r.Run(":8080")
+}
+
+// Hardcoded mode
+gin.SetMode(gin.DebugMode)     // ❌ always debug, regardless of environment
+```
+
+## Correct
+
+```go
+func main() {
+    // Read from environment — "release", "debug", or "test"
+    ginMode := os.Getenv("GIN_MODE")
+    if ginMode == "" {
+        ginMode = gin.ReleaseMode  // safe default
+    }
+    gin.SetMode(ginMode)
+
+    r := gin.New()
+    r.Use(gin.Recovery())   // see GN009 for Recovery middleware
+    // ... register routes
+    r.Run(":" + os.Getenv("PORT"))
+}
+```
+
+Or rely on Gin's built-in env var support: Gin automatically reads `GIN_MODE` — set it to `release` in your container/systemd environment and `gin.SetMode` is not even needed explicitly.
+
+```bash
+# Production container / systemd
+GIN_MODE=release
+```
+
+## Notes
+
+- `gin.Default()` adds `gin.Logger()` and `gin.Recovery()` automatically in debug mode — in production, use `gin.New()` and add your structured logger and Recovery explicitly (see GN009).
+- Never call `gin.SetMode` after `gin.New()` — the mode must be set before the engine is created.
+- In tests, set `gin.SetMode(gin.TestMode)` in `TestMain` to silence route debug output.

package/skill-assets/sunlint-code-quality/rules/go-gin/GN008-struct-validation-tags.md

@@ -0,0 +1,90 @@
+---
+title: "GN008 – Use Struct Validation Binding Tags"
+impact: medium
+impactDescription: "Manual if/else validation in handler code is incomplete, inconsistent, and untested; binding tags enforce validation at the deserialization boundary."
+tags: [go, gin, validation, correctness]
+---
+
+# GN008 – Use Struct Validation Binding Tags
+
+## Rule
+
+Define all input validation rules using `binding:` struct tags on request structs. Do not write manual validation logic in handler functions. Handle binding errors as described in GN003.
+
+## Why
+
+Gin uses the `go-playground/validator` library under the hood for `ShouldBind*`. Struct tags declare constraints once, close to the field, and are validated automatically when binding. Scattered `if req.Age < 18` checks in handlers are often incomplete and inconsistent.
+
+## Wrong
+
+```go
+type CreateUserRequest struct {
+    Name  string `json:"name"`
+    Email string `json:"email"`
+    Age   int    `json:"age"`
+    Role  string `json:"role"`
+}
+
+// Handler with manual validation — verbose, incomplete, inconsistent
+func (h *UserHandler) Create(c *gin.Context) {
+    var req CreateUserRequest
+    c.ShouldBindJSON(&req)
+
+    if req.Name == "" {
+        c.JSON(400, gin.H{"error": "name required"})    // ❌ still runs if bind errored
+        return
+    }
+    if !strings.Contains(req.Email, "@") {               // ❌ incomplete email check
+        c.JSON(400, gin.H{"error": "invalid email"})
+        return
+    }
+    // ❌ forgot to validate Age and Role
+}
+```
+
+## Correct
+
+```go
+type CreateUserRequest struct {
+    Name     string `json:"name"     binding:"required,min=2,max=100"`
+    Email    string `json:"email"    binding:"required,email"`
+    Age      int    `json:"age"      binding:"required,min=18,max=120"`
+    Role     string `json:"role"     binding:"required,oneof=user admin moderator"`
+    Phone    string `json:"phone"    binding:"omitempty,e164"`           // optional but validated if present
+    Website  string `json:"website"  binding:"omitempty,url"`
+}
+
+func (h *UserHandler) Create(c *gin.Context) {
+    var req CreateUserRequest
+    if err := c.ShouldBindJSON(&req); err != nil {
+        c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{
+            "error":   "validation failed",
+            "details": formatValidationErrors(err),   // see note below
+        })
+        return
+    }
+    // req is fully validated here — safe to use
+    user, err := h.service.CreateUser(c.Request.Context(), req)
+    // ...
+}
+```
+
+## Common binding tags
+
+| Tag | Meaning |
+|---|---|
+| `required` | Field must be present and non-zero |
+| `omitempty` | Skip validation if field is absent/zero |
+| `min=N,max=M` | Min/max length for strings, min/max value for numbers |
+| `email` | Valid email address format |
+| `url` | Valid URL |
+| `oneof=a b c` | Value must be one of the listed options |
+| `uuid4` | Valid UUID v4 |
+| `e164` | Valid international phone number |
+| `gt=0` | Greater than 0 (useful for IDs) |
+
+## Notes
+
+- To return human-readable errors, type-assert `err` to `validator.ValidationErrors` and format field names.
+- Custom validators: `binding.Validator.RegisterValidation("custom_rule", myFunc)`.
+- For query parameters: `c.ShouldBindQuery(&req)` with `form:"field" binding:"required"` tags.

package/skill-assets/sunlint-code-quality/rules/go-gin/GN009-recovery-middleware.md

@@ -0,0 +1,68 @@
+---
+title: "GN009 – Add gin.Recovery() Middleware in Production"
+impact: high
+impactDescription: "Without Recovery(), an unhandled panic terminates the goroutine and returns a broken TCP connection or empty response to the client; with it, the server stays up and returns 500."
+tags: [go, gin, reliability, middleware]
+---
+
+# GN009 – Add `gin.Recovery()` Middleware in Production
+
+## Rule
+
+Always include `gin.Recovery()` (or a custom recovery middleware) in the production middleware stack. Use `gin.New()` rather than `gin.Default()` and add middleware explicitly so you control what runs.
+
+## Why
+
+Go panics propagate up the call stack and terminate the goroutine. In a Gin HTTP handler, an unrecovered panic kills the request-handling goroutine and the server returns a broken connection. `gin.Recovery()` catches the panic, logs a stack trace, and returns `500 Internal Server Error`, keeping the server alive.
+
+## Wrong
+
+```go
+func main() {
+    r := gin.New()   // ❌ no Recovery — a panic crashes the goroutine silently
+    r.GET("/users/:id", userHandler.Get)
+    r.Run(":8080")
+}
+
+// gin.Default() adds Logger + Recovery but also adds noise to structured log setups
+r := gin.Default()  // acceptable but not recommended for production structured logging
+```
+
+## Correct
+
+```go
+func main() {
+    gin.SetMode(os.Getenv("GIN_MODE"))  // see GN007
+
+    r := gin.New()
+
+    // Custom structured logger (replace gin.Logger())
+    r.Use(RequestLogger(logger))
+
+    // Recovery — MUST be registered before route handlers
+    r.Use(gin.RecoveryWithWriter(gin.DefaultErrorWriter))
+    // OR a custom recovery that logs stack traces to your logger:
+    r.Use(CustomRecovery(logger))
+
+    registerRoutes(r)
+    r.Run(":" + cfg.Port)
+}
+
+// Custom recovery middleware with structured logging
+func CustomRecovery(logger *slog.Logger) gin.HandlerFunc {
+    return gin.CustomRecoveryWithWriter(gin.DefaultErrorWriter, func(c *gin.Context, recovered any) {
+        logger.Error("panic recovered",
+            slog.Any("error", recovered),
+            slog.String("path", c.Request.URL.Path),
+            slog.String("method", c.Request.Method),
+        )
+        c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"error": "internal server error"})
+    })
+}
+```
+
+## Notes
+
+- Recovery middleware must be registered **before** route handlers — Gin runs middleware in registration order.
+- Don't expose the panic value or stack trace in the HTTP response — log it server-side only.
+- For observability, send panic events to your error tracker (Sentry, Rollbar) inside the custom recovery handler.

package/skill-assets/sunlint-code-quality/rules/go-gin/GN010-context-scope.md

@@ -0,0 +1,68 @@
+---
+title: "GN010 – Do Not Store gin.Context in Goroutines Beyond the Handler"
+impact: high
+impactDescription: "gin.Context is recycled after the handler returns; storing it in a goroutine creates a data race on pool-recycled memory."
+tags: [go, gin, concurrency, correctness]
+---
+
+# GN010 – Do Not Store `gin.Context` in Goroutines Beyond the Handler
+
+## Rule
+
+Never pass `*gin.Context` to a goroutine that outlives the handler function. Copy the values you need (request data, context) before spawning the goroutine.
+
+## Why
+
+Gin uses `sync.Pool` to reuse `*gin.Context` instances for performance. Once the handler function returns, Gin resets and recycles the context object. A goroutine holding a reference to the old `*gin.Context` now reads from a recycled object used by a completely different request — this is an undetected data race and a source of subtle, hard-to-reproduce bugs.
+
+## Wrong
+
+```go
+func (h *NotificationHandler) Send(c *gin.Context) {
+    var req SendNotificationRequest
+    if err := c.ShouldBindJSON(&req); err != nil {
+        c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+        return
+    }
+
+    // ❌ goroutine holds *gin.Context — races after handler returns
+    go func() {
+        userID := c.GetString("user_id")   // c is already recycled here
+        h.service.Notify(context.Background(), userID, req)
+    }()
+
+    c.JSON(http.StatusAccepted, gin.H{"status": "queued"})
+}
+```
+
+## Correct
+
+```go
+func (h *NotificationHandler) Send(c *gin.Context) {
+    var req SendNotificationRequest
+    if err := c.ShouldBindJSON(&req); err != nil {
+        c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+        return
+    }
+
+    // ✅ Copy values from context BEFORE spawning the goroutine
+    userID := c.GetString("user_id")   // copy string value
+    ctx := c.Request.Context()         // copy the stdlib context (safe to pass to goroutine)
+
+    go func() {
+        // Use copied values — no reference to *gin.Context
+        if err := h.service.Notify(ctx, userID, req); err != nil {
+            h.logger.Error("notification failed", slog.String("user_id", userID), slog.Any("error", err))
+        }
+    }()
+
+    c.JSON(http.StatusAccepted, gin.H{"status": "queued"})
+}
+```
+
+## Notes
+
+- `c.Request.Context()` is a standard `context.Context` backed by the HTTP request — safe to copy and pass to goroutines.
+- Extract all required values (`c.Param()`, `c.GetHeader()`, `c.Get()`) into local variables before the goroutine.
+- The Go race detector (`go test -race`) will catch this violation in tests if the goroutine runs fast enough — enable it in CI.
+- Prefer `c.Copy()` if you absolutely need a snapshot of the whole context, but this is memory-heavier than copying specific fields.

package/skill-assets/sunlint-code-quality/rules/go-gin/GN011-middleware-concerns.md

@@ -0,0 +1,92 @@
+---
+title: "GN011 – Apply Cross-Cutting Concerns via Middleware"
+impact: medium
+impactDescription: "Duplicating auth checks, rate limiting, or logging inside individual handlers makes enforcement inconsistent and maintenance expensive."
+tags: [go, gin, middleware, architecture]
+---
+
+# GN011 – Apply Cross-Cutting Concerns via Middleware
+
+## Rule
+
+Authentication, authorization, rate limiting, request logging, request ID injection, and CORS must be implemented as Gin middleware functions and applied at the router/group level — not duplicated inside individual handlers.
+
+## Why
+
+When authentication logic lives inside each handler, a single missed handler creates a security gap. Middleware ensures uniform enforcement. It also separates concerns: handlers contain only business logic; infrastructure concerns live in middleware.
+
+## Wrong
+
+```go
+// ❌ Auth duplicated in every handler
+func (h *OrderHandler) List(c *gin.Context) {
+    token := c.GetHeader("Authorization")
+    userID, err := h.auth.ValidateToken(token)
+    if err != nil {
+        c.AbortWithStatusJSON(401, gin.H{"error": "unauthorized"})
+        return
+    }
+    // ... business logic
+}
+
+func (h *OrderHandler) Create(c *gin.Context) {
+    token := c.GetHeader("Authorization")   // ❌ duplicated
+    userID, err := h.auth.ValidateToken(token)
+    // ...
+}
+```
+
+## Correct
+
+```go
+// middleware/auth.go
+func JWTAuth(tokenValidator TokenValidator) gin.HandlerFunc {
+    return func(c *gin.Context) {
+        token := strings.TrimPrefix(c.GetHeader("Authorization"), "Bearer ")
+        claims, err := tokenValidator.Validate(token)
+        if err != nil {
+            c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "invalid token"})
+            return
+        }
+        c.Set("user_id", claims.UserID)
+        c.Set("user_role", claims.Role)
+        c.Next()
+    }
+}
+
+// middleware/request_id.go
+func RequestID() gin.HandlerFunc {
+    return func(c *gin.Context) {
+        id := c.GetHeader("X-Request-ID")
+        if id == "" {
+            id = uuid.New().String()
+        }
+        c.Set("request_id", id)
+        c.Header("X-Request-ID", id)
+        c.Next()
+    }
+}
+
+// main.go — applied at group level (see GN005)
+r := gin.New()
+r.Use(gin.Recovery(), RequestID(), StructuredLogger(logger))
+
+api := r.Group("/api/v1")
+api.Use(JWTAuth(tokenValidator))
+api.Use(RateLimit(100, time.Minute))
+
+api.GET("/orders", orderHandler.List)   // auth + rate limit automatically applied
+api.POST("/orders", orderHandler.Create)
+
+// handlers are clean — no auth logic
+func (h *OrderHandler) List(c *gin.Context) {
+    userID := c.GetString("user_id")   // set by middleware
+    // ... just business logic
+}
+```
+
+## Notes
+
+- Middleware should only set values in the context and call `c.Next()` or `c.Abort()` — no response writing for non-auth middleware.
+- Return factory functions (`func JWTAuth(dep Dep) gin.HandlerFunc`) so middleware is injectable and testable.
+- Always document what a middleware sets in the context (e.g. `"user_id"`, `"request_id"`) so handlers know what keys are available.

package/skill-assets/sunlint-code-quality/rules/go-gin/GN012-no-log-sensitive.md

@@ -0,0 +1,84 @@
+---
+title: "GN012 – Do Not Log Request Bodies Containing Sensitive Data"
+impact: high
+impactDescription: "Logging raw request bodies exposes passwords, tokens, credit card numbers, and PII to anyone with log access, violating GDPR, PCI-DSS, and basic security hygiene."
+tags: [go, gin, security, logging]
+---
+
+# GN012 – Do Not Log Request Bodies Containing Sensitive Data
+
+## Rule
+
+Never log the raw HTTP request body. Log only request metadata (method, path, status, duration, request ID). If you must log body fields for debugging, explicitly allowlist safe fields and mask or omit sensitive ones.
+
+## Why
+
+Request bodies for auth endpoints contain passwords. Payment endpoints contain card data. Profile endpoints contain PII. Logging bodies stores this data in plaintext log files, log aggregators, and monitoring tools — where it lives far beyond the request lifetime and is often accessible to many people.
+
+## Wrong
+
+```go
+// ❌ Logging the full request body
+func RequestBodyLogger() gin.HandlerFunc {
+    return func(c *gin.Context) {
+        body, _ := io.ReadAll(c.Request.Body)
+        log.Printf("Request body: %s", body)   // ❌ logs passwords, tokens, PII
+        c.Request.Body = io.NopCloser(bytes.NewBuffer(body))
+        c.Next()
+    }
+}
+
+// ❌ Logging bound request struct directly (may contain passwords)
+func (h *AuthHandler) Login(c *gin.Context) {
+    var req LoginRequest
+    c.ShouldBindJSON(&req)
+    log.Printf("Login attempt: %+v", req)   // ❌ req.Password logged in plaintext
+}
+```
+
+## Correct
+
+```go
+// ✅ Log only safe metadata — never raw body
+func RequestLogger(logger *slog.Logger) gin.HandlerFunc {
+    return func(c *gin.Context) {
+        start := time.Now()
+        c.Next()
+        logger.Info("request",
+            slog.String("method",     c.Request.Method),
+            slog.String("path",       c.Request.URL.Path),
+            slog.Int("status",        c.Writer.Status()),
+            slog.Duration("duration", time.Since(start)),
+            slog.String("ip",         c.ClientIP()),
+            slog.String("request_id", c.GetString("request_id")),
+            // ✅ no body, no headers that might contain auth tokens
+        )
+    }
+}
+
+// ✅ Log only safe fields from struct - never password/token fields
+func (h *AuthHandler) Login(c *gin.Context) {
+    var req LoginRequest
+    if err := c.ShouldBindJSON(&req); err != nil {
+        c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+        return
+    }
+    // ✅ Log only the email, not the password
+    h.logger.Info("login attempt", slog.String("email", req.Email))
+    // ...
+}
+```
+
+## Sensitive fields to never log
+
+- `password`, `password_confirmation`, `current_password`
+- `token`, `access_token`, `refresh_token`, `api_key`, `secret`
+- `card_number`, `cvv`, `expiry`
+- `ssn`, `national_id`, `date_of_birth` (PII)
+- `Authorization` header value
+
+## Notes
+
+- If you need request body logging for debugging, create a separate debug middleware that is only enabled when `GIN_MODE=debug`.
+- Use log scrubbing libraries (e.g., `go-sanitize`) as a last-resort safety net, but don't rely on them — fix the root cause.
+- `c.Request.Header` can contain `Authorization: Bearer <token>` — log header names only, never values.