🔒️ Redact sensitive values from debug logging output

- Add `OAuth2.config[:filtered_label]` to configure the placeholder used for filtered sensitive values in inspected objects and debug logging output.
- Add `OAuth2.config[:filtered_debug_keys]` to configure which key names have their values redacted from debug logging output.
- Add `OAuth2::ThingFilter` as the shared filtering primitive used by inspect-time and debug-log filtering.
- Make inspect-time and debug-log filters snapshot their configuration at initialization time rather than tracking later config changes.
- Automatically redacted values include:
  - Authorization headers
  - common token/secret fields in headers
  - query strings
  - form bodies
  - JSON payloads
- NOTE: debug logging has always been, and remains, opt-in. It is turned off by default.

Co-authored-by: autobolt <autobots@9thbit.net>

Author: pboling

.rubocop.yml

@@ -19,6 +19,7 @@ inherit_mode:
 AllCops:
   DisplayCopNames: true # Display the name of the failing cops
   Exclude:
+    - 'bin/*'
     - 'gemfiles/vendor/**/*'
     - 'vendor/**/*'
     - '**/.irbrc'

.rubocop_gradual.lock

@@ -20,8 +20,14 @@ Please file a bug if you notice a violation of semantic versioning.
 
 ### Added
 
+- [gh!707][gh!707] Add `OAuth2.config[:filtered_label]` to configure the placeholder used for filtered sensitive values in inspected objects and debug logging output by @pboling
+- [gh!707][gh!707] Add `OAuth2.config[:filtered_debug_keys]` to configure which key names have their values redacted from debug logging output by @pboling
+- [gh!707][gh!707] Add `OAuth2::ThingFilter` as the shared filtering primitive used by inspect-time and debug-log filtering by @pboling
+
 ### Changed
 
+- [gh!707][gh!707] Make inspect-time and debug-log filters snapshot their configuration at initialization time rather than tracking later config changes by @pboling
+
 ### Deprecated
 
 ### Removed
@@ -30,6 +36,11 @@ Please file a bug if you notice a violation of semantic versioning.
 
 ### Security
 
+- [gh!707][gh!707] Redact sensitive values from debug logging output, including Authorization headers and common token/secret fields in headers, query strings, form bodies, and JSON payloads by @pboling
+  - NOTE: debug logging has always been, and remains, opt-in. It is turned off by defualt.
+
+[gh!707]: https://github.com/ruby-oauth/oauth2/pull/707
+
 ## [2.0.18] - 2025-11-08
 
 - TAG: [v2.0.18][2.0.18t]
@@ -54,8 +65,6 @@ Please file a bug if you notice a violation of semantic versioning.
 - [gh!690][gh!690], [gh!691][gh!691], [gh!692][gh!692] - Add yard-fence
   - handle braces within code fences in markdown properly by @pboling
 
-### Security
-
 [gh!683]: https://github.com/ruby-oauth/oauth2/pull/683
 [gh!684]: https://github.com/ruby-oauth/oauth2/pull/684
 [gh!685]: https://github.com/ruby-oauth/oauth2/pull/685
@@ -196,8 +205,6 @@ Please file a bug if you notice a violation of semantic versioning.
 
 - [gh!660][gh!660] - Links in README (including link to HEAD documentation) by @pboling
 
-### Security
-
 [gh!660]: https://github.com/ruby-oauth/oauth2/pull/660
 [gh!657]: https://github.com/ruby-oauth/oauth2/pull/657
 [gh!656]: https://github.com/ruby-oauth/oauth2/pull/656

CHANGELOG.md

@@ -330,6 +330,19 @@ OAuth2.configure do |config|
 end
 ```
 
+Filtering-related settings:
+
+```ruby
+OAuth2.configure do |config|
+  config.filtered_label = "[REDACTED]" # default: "[FILTERED]"
+  config.filtered_debug_keys += ["client_assertion"]
+end
+```
+
+- `filtered_label` controls the placeholder used when sensitive values are filtered from inspected objects and debug logging output.
+- `filtered_debug_keys` controls which key names have their values redacted from debug logging output when `OAUTH_DEBUG=true`.
+- Debug logging remains opt-in and should still be used cautiously in production environments.
+
 ## 🔧 Basic Usage
 
 ### Client Initialization Options