feat(sdk-core): add custom logger with sensitive data sanitization

Implements custom logger to prevent token exposure in test/staging environments.
Replaced 111 console statements across 52 files with logger that redacts sensitive
keys (token, bearer, prv, privatekey, password, otp) and v2x bearer tokens.

Technical changes:
- Created sanitizeLog.ts with recursive sanitization (O(1) Set lookups)
- Created logger.ts with conditional sanitization (test/staging only)
- Exported logger from sdk-core for SDK-wide access
- Updated 52 files across express, sdk-core, sdk-api, abstract, coin, and utility modules

Ticket: WP-7503

Author: rishikeshdadam136

modules/abstract-eth/src/abstractEthLikeNewCoins.ts

@@ -18,6 +18,7 @@ import {
   InvalidAddressVerificationObjectPropertyError,
   IWallet,
   KeyPair,
+  logger,
   MPCSweepRecoveryOptions,
   MPCSweepTxs,
   MPCTx,
@@ -1332,7 +1333,7 @@ export abstract class AbstractEthLikeNewCoins extends AbstractEthLikeCoin {
         );
         possibleConsolidationAddresses.push(forwarderAddress);
       } catch (e) {
-        console.log(`Failed to generate forwarder address: ${e.message}`);
+        logger.info(`Failed to generate forwarder address: ${e.message}`);
       }
     }
 
@@ -1341,7 +1342,7 @@ export abstract class AbstractEthLikeNewCoins extends AbstractEthLikeCoin {
         const derivedAddress = this.deriveAddressFromPublicKey(params.userKey, index);
         possibleConsolidationAddresses.push(derivedAddress);
       } catch (e) {
-        console.log(`Failed to generate derived address: ${e}`);
+        logger.info(`Failed to generate derived address: ${e}`);
       }
     }
 
@@ -3442,7 +3443,7 @@ export abstract class AbstractEthLikeNewCoins extends AbstractEthLikeCoin {
         apiKey
       );
       const gasPrice = new BN(res.result.slice(2), 16);
-      console.log(` Got gas price: ${gasPrice}`);
+      logger.info(` Got gas price: ${gasPrice}`);
       return gasPrice;
     } catch (e) {
       throw new Error(`Failed to get gas price. Please make sure to use the api key of ${wrongChainCoin}`);
@@ -3477,7 +3478,7 @@ export abstract class AbstractEthLikeNewCoins extends AbstractEthLikeCoin {
         apiKey
       );
       const gasLimit = new BN(res.result.slice(2), 16);
-      console.log(`Got gas limit: ${gasLimit}`);
+      logger.info(`Got gas limit: ${gasLimit}`);
       return gasLimit;
     } catch (e) {
       throw new Error(

modules/abstract-utxo/src/abstractUtxoCoin.ts

@@ -20,6 +20,7 @@ import {
   IWallet,
   KeychainsTriplet,
   KeyIndices,
+  logger,
   MismatchedRecipient,
   MultisigType,
   multisigTypes,
@@ -556,7 +557,7 @@ export abstract class AbstractUtxoCoin
       return decodePsbtWith(input, this.name, decodeWith);
     } else {
       if (decodeWith !== 'utxolib') {
-        console.error('received decodeWith hint %s, ignoring for legacy transaction', decodeWith);
+        logger.error('received decodeWith hint %s, ignoring for legacy transaction', decodeWith);
       }
       return utxolib.bitgo.createTransactionFromBuffer(input, this.network, {
         amountType: this.amountType,
@@ -584,7 +585,7 @@ export abstract class AbstractUtxoCoin
     let { decodeWith } = prebuild;
     if (decodeWith !== undefined) {
       if (typeof decodeWith !== 'string' || !isSdkBackend(decodeWith)) {
-        console.error('decodeWith %s is not a valid value, using default', decodeWith);
+        logger.error('decodeWith %s is not a valid value, using default', decodeWith);
         decodeWith = undefined;
       }
     }

modules/abstract-utxo/src/recovery/backupKeyRecovery.ts

@@ -9,6 +9,7 @@ import {
   getIsUnsignedSweep,
   isTriple,
   krsProviders,
+  logger,
 } from '@bitgo/sdk-core';
 import { getMainnet, networks } from '@bitgo/utxo-lib';
 import { fixedScriptWallet } from '@bitgo/wasm-utxo';
@@ -164,7 +165,7 @@ async function queryBlockchainUnspentsPath(
       numSequentialAddressesWithoutTxs = 0;
 
       if (addrInfo.balance > 0) {
-        console.log(`Found an address with balance: ${formattedAddress} with balance ${addrInfo.balance}`);
+        logger.info(`Found an address with balance: ${formattedAddress} with balance ${addrInfo.balance}`);
         const addressUnspents = await recoveryProvider.getUnspentsForAddresses([formattedAddress]);
         const processedUnspents = await Promise.all(
           addressUnspents.map(async (u): Promise<WalletUnspent<bigint>> => {

modules/abstract-utxo/src/recovery/crossChainRecovery.ts

@@ -2,7 +2,7 @@ import * as utxolib from '@bitgo/utxo-lib';
 import { BIP32Interface, bip32 } from '@bitgo/secp256k1';
 import { Dimensions } from '@bitgo/unspents';
 import { CoinName, fixedScriptWallet } from '@bitgo/wasm-utxo';
-import { BitGoBase, IWallet, Keychain, Triple, Wallet } from '@bitgo/sdk-core';
+import { BitGoBase, IWallet, Keychain, logger, Triple, Wallet } from '@bitgo/sdk-core';
 import { decrypt } from '@bitgo/sdk-api';
 
 import { AbstractUtxoCoin, TransactionInfo } from '../abstractUtxoCoin';
@@ -262,7 +262,7 @@ async function toWalletUnspents<TNumber extends number | bigint = number>(
     try {
       scriptId = await getScriptId(recoveryCoin, wallet, utxolib.address.toOutputScript(address, sourceCoin.network));
     } catch (e) {
-      console.error(`error getting scriptId for ${address}:`, e);
+      logger.error(`error getting scriptId for ${address}:`, e);
       continue;
     }
     const filteredUnspents = unspents

modules/abstract-utxo/src/transaction/fixedScript/explainTransaction.ts

@@ -2,7 +2,7 @@ import * as utxolib from '@bitgo/utxo-lib';
 import { bip322 } from '@bitgo/utxo-core';
 import { BIP32Interface, bip32 } from '@bitgo/secp256k1';
 import { bitgo } from '@bitgo/utxo-lib';
-import { ITransactionExplanation as BaseTransactionExplanation, Triple } from '@bitgo/sdk-core';
+import { ITransactionExplanation as BaseTransactionExplanation, logger, Triple } from '@bitgo/sdk-core';
 import * as utxocore from '@bitgo/utxo-core';
 
 import type { Bip322Message } from '../../abstractUtxoCoin';
@@ -398,7 +398,7 @@ export function explainPsbt(
       if (strict) {
         throw e;
       }
-      console.error(e);
+      logger.error(e);
     }
   }
 

modules/abstract-utxo/src/transaction/fixedScript/parseOutput.ts

@@ -5,6 +5,7 @@ import {
   IRequestTracer,
   InvalidAddressDerivationPropertyError,
   IWallet,
+  logger,
   TransactionPrebuild,
   UnexpectedAddressError,
   VerificationOptions,
@@ -154,8 +155,8 @@ async function handleVerifyAddressError({
     return { external: false };
   }
 
-  console.error('Address classification failed for address', currentAddress);
-  console.trace(e);
+  logger.error('Address classification failed for address', currentAddress);
+  logger.error(e);
   /**
    * It might be a completely invalid address or a bad validation attempt or something else completely, in
    * which case we do not proceed and rather rethrow the error, which is safer than assuming that the address

modules/abstract-utxo/src/transaction/fixedScript/verifyTransaction.ts

@@ -1,7 +1,7 @@
 import buildDebug from 'debug';
 import _ from 'lodash';
 import BigNumber from 'bignumber.js';
-import { BitGoBase, TxIntentMismatchError, IBaseCoin } from '@bitgo/sdk-core';
+import { BitGoBase, logger, TxIntentMismatchError, IBaseCoin } from '@bitgo/sdk-core';
 import * as utxolib from '@bitgo/utxo-lib';
 
 import { AbstractUtxoCoin, VerifyTransactionOptions } from '../../abstractUtxoCoin';
@@ -106,7 +106,7 @@ export async function verifyTransaction<TNumber extends bigint | number>(
   } else if (!disableNetworking) {
     // these keys were obtained online and their signatures were not verified
     // this could be dangerous
-    console.log('unsigned keys obtained online are being used for address verification');
+    logger.info('unsigned keys obtained online are being used for address verification');
   }
 
   if (parsedTransaction.needsCustomChangeKeySignatureVerification) {

modules/abstract-utxo/src/verifyKey.ts

@@ -9,7 +9,7 @@ import buildDebug from 'debug';
 import * as utxolib from '@bitgo/utxo-lib';
 import { bip32 } from '@bitgo/secp256k1';
 import * as bitcoinMessage from 'bitcoinjs-message';
-import { BitGoBase, decryptKeychainPrivateKey, KeyIndices } from '@bitgo/sdk-core';
+import { BitGoBase, decryptKeychainPrivateKey, KeyIndices, logger } from '@bitgo/sdk-core';
 
 import { VerifyKeySignaturesOptions, VerifyUserPublicKeyOptions } from './abstractUtxoCoin';
 import { ParsedTransaction } from './transaction/types';
@@ -126,7 +126,7 @@ export function verifyUserPublicKey(bitgo: BitGoBase, params: VerifyUserPublicKe
   if (!userPrv) {
     const errorMessage = 'user private key unavailable for verification';
     if (disableNetworking) {
-      console.log(errorMessage);
+      logger.info(errorMessage);
       return false;
     } else {
       throw new Error(errorMessage);

modules/account-lib/src/index.ts

@@ -10,6 +10,7 @@ import {
   BaseMessageBuilderFactory,
   BuildMessageError,
   MessageStandardType,
+  logger,
 } from '@bitgo/sdk-core';
 import { BaseCoin as CoinConfig, CoinFeature, coins } from '@bitgo/statics';
 export { Ed25519BIP32, Eddsa };
@@ -456,7 +457,7 @@ export async function verifyMessage(
     const message = await messageBuilder.build();
     return await message.verifyEncodedPayload(messageEncoded, metadata);
   } catch (e) {
-    console.error(`Error verifying message for coin ${coinName}:`, e);
+    logger.error(`Error verifying message for coin ${coinName}:`, e);
     return false;
   }
 }

modules/blockapis/src/BaseHttpClient.ts

@@ -1,3 +1,4 @@
+import { logger } from '@bitgo/sdk-core';
 import * as superagent from 'superagent';
 
 export class ApiRequestError extends Error {
@@ -64,7 +65,7 @@ export class BaseHttpClient implements HttpClient {
     try {
       response = await superagent(method, url).send(requestBody as Record<string, unknown>);
     } catch (e) {
-      console.error(e);
+      logger.error(e);
       throw new ApiRequestError(url, e as Error);
     }
     if (!response.ok) {