refactor(sdk): extract header sanitization to shared utility

Eliminates duplication of SENSITIVE_HEADERS and sanitizeHeaders() function.

- Created src/utils/header-sanitization.ts as single source of truth
- Updated http-client.ts to import shared utility (removed 39 lines)
- Updated file-upload.ts to import shared utility (removed 39 lines)

Moved sanitizeHeaders import to be grouped with other module imports, improving code organization and readability.

Author: jdalton

src/file-upload.ts

@@ -7,6 +7,7 @@ import { Readable } from 'node:stream'
 import { normalizePath } from '@socketsecurity/lib/paths/normalize'
 
 import { getHttpModule, getResponse } from './http-client'
+import { sanitizeHeaders } from './utils/header-sanitization'
 
 import type { RequestOptions, SocketSdkOptions } from './types'
 import type { ReadStream } from 'node:fs'
@@ -16,45 +17,6 @@ import type { RequestOptions as HttpsRequestOptions } from 'node:https'
 /**
  * Array of sensitive header names that should be redacted in logs
  */
-const SENSITIVE_HEADERS = [
-  'authorization',
-  'cookie',
-  'set-cookie',
-  'proxy-authorization',
-  'www-authenticate',
-  'proxy-authenticate',
-]
-
-/**
- * Sanitize headers for logging by redacting sensitive values.
- */
-function sanitizeHeaders(
-  headers: Record<string, unknown> | readonly string[] | undefined,
-): Record<string, string> | undefined {
-  if (!headers) {
-    return undefined
-  }
-
-  // Handle readonly string[] case - this shouldn't normally happen for headers
-  if (Array.isArray(headers)) {
-    return { headers: headers.join(', ') }
-  }
-
-  const sanitized: Record<string, string> = {}
-
-  // Plain object iteration works for both HeadersRecord and IncomingHttpHeaders
-  for (const [key, value] of Object.entries(headers)) {
-    const keyLower = key.toLowerCase()
-    if (SENSITIVE_HEADERS.includes(keyLower)) {
-      sanitized[key] = '[REDACTED]'
-    } else {
-      // Handle both string and string[] values
-      sanitized[key] = Array.isArray(value) ? value.join(', ') : String(value)
-    }
-  }
-
-  return sanitized
-}
 
 /**
  * Create multipart form-data body parts for file uploads.

src/http-client.ts

@@ -11,6 +11,7 @@ import { jsonParse } from '@socketsecurity/lib/json'
 import { perfTimer } from '@socketsecurity/lib/performance'
 
 import { MAX_RESPONSE_SIZE } from './constants'
+import { sanitizeHeaders } from './utils/header-sanitization'
 
 import type {
   RequestOptions,
@@ -24,45 +25,6 @@ import type { ClientRequest, IncomingMessage } from 'node:http'
 /**
  * Array of sensitive header names that should be redacted in logs
  */
-const SENSITIVE_HEADERS = [
-  'authorization',
-  'cookie',
-  'set-cookie',
-  'proxy-authorization',
-  'www-authenticate',
-  'proxy-authenticate',
-]
-
-/**
- * Sanitize headers for logging by redacting sensitive values.
- */
-function sanitizeHeaders(
-  headers: Record<string, unknown> | readonly string[] | undefined,
-): Record<string, string> | undefined {
-  if (!headers) {
-    return undefined
-  }
-
-  // Handle readonly string[] case - this shouldn't normally happen for headers
-  if (Array.isArray(headers)) {
-    return { headers: headers.join(', ') }
-  }
-
-  const sanitized: Record<string, string> = {}
-
-  // Plain object iteration works for both HeadersRecord and IncomingHttpHeaders
-  for (const [key, value] of Object.entries(headers)) {
-    const keyLower = key.toLowerCase()
-    if (SENSITIVE_HEADERS.includes(keyLower)) {
-      sanitized[key] = '[REDACTED]'
-    } else {
-      // Handle both string and string[] values
-      sanitized[key] = Array.isArray(value) ? value.join(', ') : String(value)
-    }
-  }
-
-  return sanitized
-}
 
 /**
  * HTTP response error for Socket API requests.

src/utils/header-sanitization.ts

@@ -0,0 +1,45 @@
+/**
+ * List of sensitive HTTP headers that should be redacted in logs.
+ */
+export const SENSITIVE_HEADERS: readonly string[] = [
+  'authorization',
+  'cookie',
+  'set-cookie',
+  'proxy-authorization',
+  'www-authenticate',
+  'proxy-authenticate',
+]
+
+/**
+ * Sanitize headers for logging by redacting sensitive values.
+ *
+ * @param headers - Headers to sanitize (object or array)
+ * @returns Sanitized headers with sensitive values redacted
+ */
+export function sanitizeHeaders(
+  headers: Record<string, unknown> | readonly string[] | undefined,
+): Record<string, string> | undefined {
+  if (!headers) {
+    return undefined
+  }
+
+  // Handle readonly string[] case - this shouldn't normally happen for headers.
+  if (Array.isArray(headers)) {
+    return { headers: headers.join(', ') }
+  }
+
+  const sanitized: Record<string, string> = {}
+
+  // Plain object iteration works for both HeadersRecord and IncomingHttpHeaders.
+  for (const [key, value] of Object.entries(headers)) {
+    const keyLower = key.toLowerCase()
+    if (SENSITIVE_HEADERS.includes(keyLower)) {
+      sanitized[key] = '[REDACTED]'
+    } else {
+      // Handle both string and string[] values.
+      sanitized[key] = Array.isArray(value) ? value.join(', ') : String(value)
+    }
+  }
+
+  return sanitized
+}