PMM-14962 Avoid printing sensitive info into log stream #5205

Open
maxkondr wants to merge 3 commits into v3 from PMM-14962-redact-credentials

@maxkondr maxkondr commented Apr 2, 2026

PMM-14962

Link to the Feature Build: Percona-Lab/pmm-submodules#4290

  1. A new Protobuf extension, sensitive, is introduced that contains several values:
  • REDACT_TYPE_FULL - fully replace string value with redact mask
  • REDACT_TYPE_MASK - partially replace string value with redact mask
  • REDACT_TYPE_DSN - replace credentials only in DSN with redact mask
  2. Our protobuf message fields were annotated accordingly, like the following:

    message BuiltinAgent {
        inventory.v1.AgentType type = 1;
        string dsn = 2 [(extensions.v1.sensitive) = REDACT_TYPE_DSN];
        ....
    }

  3. A new logger helper function is introduced: logger.RedactMessage, which shall be used whenever a proto message is to be printed into the log stream. It does the following:
  • looks up the sensitive annotation for fields in the proto message
  • applies value redaction according to the defined sensitivity (REDACT_TYPE_FULL, REDACT_TYPE_MASK, REDACT_TYPE_DSN)
  • returns a copy of the original message with redacted values, so that it is safe to use without risk of changing the original message
  • uses an internal cache to speed up the reflection process: the first message processed builds the cache for its message type, and the remaining messages of the same type will be processed much faster
  • this function shall be used like the following:

    c.l.Debugf("Sending message (%d bytes): %s.", size, logger.RedactMessage(msg))

    or

    c.l.Debugf("Sending message (%d bytes):\n%s\n", size, prototext.Format(logger.RedactMessage(msg)))

  4. The log output will look like the following:

    time="2026-04-02T11:00:17.048+00:00" level=debug msg="Starting: 
    /usr/local/percona/pmm/exporters/postgres_exporter ... (environment: 
    DATA_SOURCE_NAME=postgres://***REDACTED***:***REDACTED***@127.0.0.1:5432/postgres?
    connect_timeout=1&sslmode=disable)." ...
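
The DSN redaction described above, as an added example that is not code from this PR or from PMM: `RedactDSN` is a hypothetical standalone function that reproduces the masked form shown in the sample log line for URL-style DSNs. Masking the whole value when the DSN cannot be split unambiguously, and masking `password`-style query parameters, are assumptions of this example that go beyond what the PR description states.

```go
package main

import (
	"fmt"
	"strings"
)

// Mask matches the placeholder in the PR's sample log line.
const Mask = "***REDACTED***"

// RedactDSN is a hypothetical helper, not PMM's implementation. It masks the
// userinfo of a URL-style DSN and query values whose key contains "password".
// Anything it cannot split unambiguously is masked whole (fail closed).
func RedactDSN(dsn string) string {
	scheme, rest, ok := strings.Cut(dsn, "://")
	if !ok {
		return Mask // not URL-style: do not guess where the secret is
	}
	authority, tail := rest, "" // authority ends at the first '/', '?' or '#'
	if i := strings.IndexAny(rest, "/?#"); i >= 0 {
		authority, tail = rest[:i], rest[i:]
	}
	at := strings.LastIndex(authority, "@")
	if at < 0 && strings.Contains(tail, "@") {
		return Mask // probably an unescaped '/', '?' or '#' inside the password
	}
	if at >= 0 {
		userinfo := Mask
		if strings.Contains(authority[:at], ":") {
			userinfo = Mask + ":" + Mask
		}
		authority = userinfo + authority[at:]
	}
	path, query, hasQuery := strings.Cut(tail, "?")
	if !hasQuery {
		return scheme + "://" + authority + tail
	}
	pairs := strings.Split(query, "&")
	for i, p := range pairs {
		k, _, hasVal := strings.Cut(p, "=")
		if hasVal && strings.Contains(strings.ToLower(k), "password") {
			pairs[i] = k + "=" + Mask
		}
	}
	return scheme + "://" + authority + path + "?" + strings.Join(pairs, "&")
}

func main() {
	fmt.Println(RedactDSN("postgres://pmm:s3cret@127.0.0.1:5432/postgres?sslmode=disable")) // constructed DSN
}
```

The string is split by hand rather than rebuilt through `net/url`, because `url.URL.String()` percent-encodes the `*` characters of the mask inside the userinfo part.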

maxkondr added 2 commits April 2, 2026 16:03
- New Protobuf extension is introduced `redact` that contains several values:
-- REDACT_TYPE_FULL - fully replace string value with redact mask
-- REDACT_TYPE_MASK - partially replace string value with redact mask
-- REDACT_TYPE_DSN - replace credentials only in DSN with redact mask

- Our protobuf message fields were annotated accordingly.
@maxkondr maxkondr self-assigned this Apr 2, 2026
@maxkondr maxkondr requested a review from a team as a code owner April 2, 2026 13:13
@maxkondr maxkondr requested review from JiriCtvrtka and ademidoff and removed request for a team April 2, 2026 13:13

codecov bot commented Apr 2, 2026

Codecov Report

❌ Patch coverage is 0% with 14 lines in your changes missing coverage. Please review.
✅ Project coverage is 47.01%. Comparing base (94a8535) to head (7db0cf4).

Files with missing lines                      Patch %   Lines
agent/agents/process/process.go               0.00%     4 Missing ⚠️
agent/client/channel/channel.go               0.00%     4 Missing ⚠️
managed/services/agents/channel/channel.go    0.00%     4 Missing ⚠️
managed/services/agents/state.go              0.00%     2 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##               v3    #5205      +/-   ##
==========================================
- Coverage   47.70%   47.01%   -0.69%     
==========================================
  Files         410      410              
  Lines       41967    41972       +5     
==========================================
- Hits        20022    19735     -287     
- Misses      19964    20239     +275     
- Partials     1981     1998      +17     
Flag       Coverage Δ
admin      35.80% <ø> (ø)
agent      50.21% <0.00%> (-2.80%) ⬇️
managed    47.69% <0.00%> (-0.02%) ⬇️
vmproxy    72.09% <ø> (ø)
