Make x-sensitive data marshal return raw (#27)

Author: cubahno

AGENTS.md

@@ -107,6 +107,7 @@ When debugging complex issues, create a minimal reproducible example:
 ### File organization
 - `testdata/specs` - Specs being tested (if missing: run `make fetch-specs` to download)
 - Never put generated files in project root - use `/tmp` for testing
+- Never build binaries in project root - use `go run ./cmd/oapi-codegen` instead of `go build`
 
 ## Code Generation Architecture
 

docs/extensions/x-sensitive-data.md

@@ -1,10 +1,21 @@
 # `x-sensitive-data`
 
-Automatically mask sensitive data in JSON output.
+Automatically mask sensitive data in structured logs.
 
 ## Overview
 
-The `x-sensitive-data` extension allows you to mark fields as containing sensitive information that should be automatically masked when marshaling to JSON. This is useful for preventing accidental logging or exposure of sensitive data like passwords, API keys, credit card numbers, etc.
+The `x-sensitive-data` extension allows you to mark fields as containing sensitive information that should be automatically masked when logging. This is useful for preventing accidental exposure of sensitive data like passwords, API keys, credit card numbers, etc. in logs.
+
+The extension generates two methods:
+
+- **`Masked()`** - Returns a copy of the struct with sensitive fields masked
+- **`LogValue()`** - Implements Go's [`slog.LogValuer`](https://pkg.go.dev/log/slog#LogValuer) interface (calls `Masked()` internally)
+
+This means:
+
+- **JSON serialization stays raw** - `json.Marshal(user)` returns the actual values (needed for API calls)
+- **Masked JSON** - `json.Marshal(user.Masked())` returns masked values
+- **Structured logging is masked** - `slog.Info("user", "user", user)` automatically masks sensitive fields
 
 ## Masking Strategies
 
@@ -23,20 +34,44 @@ The extension supports several masking strategies:
 
 ## Generated Code
 
-This generates:
+This generates a struct with `Masked()` and `LogValue()` methods:
 
 ```go
---8<-- "extensions/xsensitivedata/basic/gen.go:16:23"
+--8<-- "extensions/xsensitivedata/basic/gen.go:14:77"
 ```
 
 ## Behavior
 
-When marshaling to JSON:
+When logging with slog:
 
-- `email: "user@example.com"` becomes `email: "********"` (fixed length, hides original length)
-- `ssn: "123-45-6789"` becomes `ssn: "***-**-****"` (digits masked, structure visible)
-- `creditCard: "1234-5678-9012-3456"` becomes `creditCard: "********3456"` (last 4 visible)
-- `apiKey: "my-secret-key"` becomes `apiKey: "325ededd6c3b9988f623c7f964abb9b016b76b0f8b3474df0f7d7c23b941381f"` (SHA256 hash)
+```go
+user := User{
+    ID:         1,
+    Username:   "johndoe",
+    Email:      Ptr("user@example.com"),
+    Ssn:        Ptr("123-45-6789"),
+    CreditCard: Ptr("1234-5678-9012-3456"),
+    APIKey:     Ptr("my-secret-key"),
+}
+
+// Masked in logs
+slog.Info("user created", "user", user)
+// Output: user={id=1 username=johndoe email=******** ssn=***-**-**** creditCard=********3456 apiKey=325ededd...}
+
+// Raw in JSON (for API calls)
+json.Marshal(user)
+// Output: {"id":1,"username":"johndoe","email":"user@example.com","ssn":"123-45-6789",...}
+```
+
+## Masked JSON Output
+
+If you need masked JSON (e.g., for API responses that should hide sensitive data), use the `Masked()` method:
+
+```go
+// Get masked JSON
+maskedJSON, _ := json.Marshal(user.Masked())
+// Output: {"id":1,"username":"johndoe","email":"********","ssn":"***-**-****",...}
+```
 
 ## Partial Masking Options
 

examples/extensions/xsensitivedata/basic/gen.go

@@ -2,11 +2,13 @@ package xsensitivedata
 
 import (
 	"encoding/json"
-	"strings"
 	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
-func TestUserMarshalJSON_SensitiveData(t *testing.T) {
+func TestUserMarshalJSON_RawData(t *testing.T) {
 	email := "user@example.com"
 	ssn := "123-45-6789"
 	creditCard := "1234-5678-9012-3456"
@@ -21,66 +23,64 @@ func TestUserMarshalJSON_SensitiveData(t *testing.T) {
 		APIKey:     &apiKey,
 	}
 
+	// json.Marshal returns raw data (for API calls)
 	data, err := json.Marshal(user)
-	if err != nil {
-		t.Fatalf("Failed to marshal user: %v", err)
-	}
+	require.NoError(t, err)
 
 	jsonStr := string(data)
-	t.Logf("Marshaled JSON: %s", jsonStr)
 
-	// Verify that sensitive data is masked
-	if strings.Contains(jsonStr, "user@example.com") {
-		t.Error("Email should be masked but found in JSON")
-	}
+	// Verify that sensitive data is NOT masked in raw JSON
+	assert.Contains(t, jsonStr, "user@example.com", "Email should be present in raw JSON")
+	assert.Contains(t, jsonStr, "123-45-6789", "SSN should be present in raw JSON")
+	assert.Contains(t, jsonStr, "1234-5678-9012-3456", "Credit card should be present in raw JSON")
+	assert.Contains(t, jsonStr, "my-secret-api-key", "API key should be present in raw JSON")
+}
 
-	if strings.Contains(jsonStr, "123-45-6789") {
-		t.Error("SSN should be masked but found in JSON")
-	}
+func TestUserMasked_SensitiveData(t *testing.T) {
+	email := "user@example.com"
+	ssn := "123-45-6789"
+	creditCard := "1234-5678-9012-3456"
+	apiKey := "my-secret-api-key"
 
-	if strings.Contains(jsonStr, "1234-5678-9012-3456") {
-		t.Error("Credit card should be partially masked but found in JSON")
+	user := User{
+		ID:         1,
+		Username:   "testuser",
+		Email:      &email,
+		Ssn:        &ssn,
+		CreditCard: &creditCard,
+		APIKey:     &apiKey,
 	}
 
-	// Verify credit card shows last 4 digits
-	if !strings.Contains(jsonStr, "3456") {
-		t.Error("Credit card should show last 4 digits")
-	}
+	// json.Marshal(user.Masked()) returns masked data
+	data, err := json.Marshal(user.Masked())
+	require.NoError(t, err)
 
-	if strings.Contains(jsonStr, "my-secret-api-key") {
-		t.Error("API key should be hashed but found in JSON")
-	}
+	jsonStr := string(data)
 
-	// Verify that non-sensitive data is present
-	if !strings.Contains(jsonStr, `"id":1`) {
-		t.Error("ID should be present in JSON")
-	}
+	// Verify that sensitive data is masked
+	assert.NotContains(t, jsonStr, "user@example.com", "Email should be masked")
+	assert.NotContains(t, jsonStr, "123-45-6789", "SSN should be masked")
+	assert.NotContains(t, jsonStr, "1234-5678-9012-3456", "Credit card should be partially masked")
+	assert.NotContains(t, jsonStr, "my-secret-api-key", "API key should be hashed")
 
-	if !strings.Contains(jsonStr, `"username":"testuser"`) {
-		t.Error("Username should be present in JSON")
-	}
+	// Verify credit card shows last 4 digits
+	assert.Contains(t, jsonStr, "3456", "Credit card should show last 4 digits")
+
+	// Verify that non-sensitive data is present
+	assert.Contains(t, jsonStr, `"id":1`, "ID should be present")
+	assert.Contains(t, jsonStr, `"username":"testuser"`, "Username should be present")
 
 	// Verify that email is masked (should be fixed-length asterisks)
 	var result map[string]interface{}
-	if err := json.Unmarshal(data, &result); err != nil {
-		t.Fatalf("Failed to unmarshal JSON: %v", err)
-	}
+	require.NoError(t, json.Unmarshal(data, &result))
 
-	// Use the same constant as the runtime for consistency
-	expectedMask := "********" // runtime.maskReplacement is not exported
-
-	if email, ok := result["email"].(string); ok {
-		if email != expectedMask {
-			t.Errorf("Email should be masked as '%s', got: %s", expectedMask, email)
-		}
-	}
+	expectedMask := "********"
+	assert.Equal(t, expectedMask, result["email"], "Email should be masked as asterisks")
 
 	// Verify that API key is hashed (should be a hex string)
-	if apiKey, ok := result["apiKey"].(string); ok {
-		if len(apiKey) != 64 { // SHA256 produces 64 hex characters
-			t.Errorf("API key should be a SHA256 hash (64 chars), got length: %d", len(apiKey))
-		}
-	}
+	apiKeyVal, ok := result["apiKey"].(string)
+	require.True(t, ok, "apiKey should be a string")
+	assert.Len(t, apiKeyVal, 64, "API key should be a SHA256 hash (64 chars)")
 }
 
 func TestUserUnmarshalJSON(t *testing.T) {
@@ -94,19 +94,10 @@ func TestUserUnmarshalJSON(t *testing.T) {
 	}`
 
 	var user User
-	if err := json.Unmarshal([]byte(jsonStr), &user); err != nil {
-		t.Fatalf("Failed to unmarshal user: %v", err)
-	}
+	require.NoError(t, json.Unmarshal([]byte(jsonStr), &user))
 
-	if user.ID != 1 {
-		t.Errorf("Expected ID 1, got %d", user.ID)
-	}
-
-	if user.Username != "testuser" {
-		t.Errorf("Expected username 'testuser', got '%s'", user.Username)
-	}
-
-	if user.Email == nil || *user.Email != "user@example.com" {
-		t.Errorf("Expected email 'user@example.com', got %v", user.Email)
-	}
+	assert.Equal(t, int64(1), user.ID)
+	assert.Equal(t, "testuser", user.Username)
+	require.NotNil(t, user.Email)
+	assert.Equal(t, "user@example.com", *user.Email)
 }