fix: harden go-processor logging and tokenURL validation

## Summary

Two hardening suggestions from @huang195's review of #171 that are deferred to a follow-up.

## 1. Reduce log verbosity for sensitive identifiers

`clientID` (SPIFFE URI), `audience`, and `scopes` are currently logged at info level in the go-processor's outbound token acquisition paths (`[Token Exchange]` and `[Client Credentials]` log lines). In production, this could leak internal service names and SPIFFE URIs.

**Proposed fix:** Move these to debug level, or only log them on failure paths where the extra context helps troubleshooting.

**Files:** `AuthBridge/AuthProxy/go-processor/main.go` (lines ~335-338, ~506-509)

## 2. Validate tokenURL scheme

The `TOKEN_URL` environment variable is used without scheme validation. If misconfigured with `http://`, client credentials would be sent in plaintext. While in-cluster traffic is typically protected by Istio mTLS, defense-in-depth is good practice.

**Proposed fix:** Log a warning on startup if `TOKEN_URL` uses `http://` instead of `https://`, or reject it outright with a configuration error.

**Files:** `AuthBridge/AuthProxy/go-processor/main.go` (config loading section)

## Context

- Review comment: https://github.com/kagenti/kagenti-extensions/pull/171
- Reviewer: @huang195


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: harden go-processor logging and tokenURL validation #175

Summary

1. Reduce log verbosity for sensitive identifiers

2. Validate tokenURL scheme

Context

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

fix: harden go-processor logging and tokenURL validation #175

Description

Summary

1. Reduce log verbosity for sensitive identifiers

2. Validate tokenURL scheme

Context

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions