feat(debug): add detailed HTTP request logging for failed API calls

Enhance debugApiResponse function to log comprehensive request details
for failed API requests (status >= 400 or errors):
- HTTP method (GET, POST, etc.)
- Full URL
- Response status code
- Request duration in milliseconds
- Sanitized headers (Authorization redacted for security)

Update API functions (queryApiSafeText, sendApiRequest) to track timing
and pass request details to debugApiResponse. This improves debugging
of API failures by providing complete context for failed requests.

Security: Sensitive headers are automatically redacted before logging.

Author: jdalton

packages/cli/src/utils/debug.mts

@@ -28,22 +28,88 @@ import {
   isDebugNs,
 } from '@socketsecurity/lib/debug'
 
+export type ApiRequestDebugInfo = {
+  method?: string | undefined
+  url?: string | undefined
+  headers?: Record<string, string> | undefined
+  durationMs?: number | undefined
+}
+
 /**
- * Debug an API response.
+ * Sanitize headers to remove sensitive information.
+ * Redacts Authorization and API key headers.
+ */
+function sanitizeHeaders(
+  headers?: Record<string, string> | undefined,
+): Record<string, string> | undefined {
+  if (!headers) {
+    return undefined
+  }
+
+  const sanitized: Record<string, string> = Object.create(null)
+  for (const [key, value] of Object.entries(headers)) {
+    const lowerKey = key.toLowerCase()
+    if (lowerKey === 'authorization' || lowerKey.includes('api-key')) {
+      sanitized[key] = '[REDACTED]'
+    } else {
+      sanitized[key] = value
+    }
+  }
+  return sanitized
+}
+
+/**
+ * Debug an API response with detailed request information.
  * Logs essential info without exposing sensitive data.
+ *
+ * For failed requests (status >= 400 or error), logs:
+ * - HTTP method (GET, POST, etc.)
+ * - Full URL
+ * - Response status code
+ * - Sanitized headers (Authorization redacted)
+ * - Request duration in milliseconds
  */
 export function debugApiResponse(
   endpoint: string,
   status?: number | undefined,
   error?: unknown | undefined,
+  requestInfo?: ApiRequestDebugInfo | undefined,
 ): void {
   if (error) {
-    debugDir({
+    const errorDetails = {
+      __proto__: null,
       endpoint,
       error: error instanceof Error ? error.message : UNKNOWN_ERROR,
-    })
+      ...(requestInfo?.method ? { method: requestInfo.method } : {}),
+      ...(requestInfo?.url ? { url: requestInfo.url } : {}),
+      ...(requestInfo?.durationMs !== undefined
+        ? { durationMs: requestInfo.durationMs }
+        : {}),
+      ...(requestInfo?.headers
+        ? { headers: sanitizeHeaders(requestInfo.headers) }
+        : {}),
+    }
+    debugDir(errorDetails)
   } else if (status && status >= 400) {
-    debug(`API ${endpoint}: HTTP ${status}`)
+    // For failed requests, log detailed information.
+    if (requestInfo) {
+      const failureDetails = {
+        __proto__: null,
+        endpoint,
+        status,
+        ...(requestInfo.method ? { method: requestInfo.method } : {}),
+        ...(requestInfo.url ? { url: requestInfo.url } : {}),
+        ...(requestInfo.durationMs !== undefined
+          ? { durationMs: requestInfo.durationMs }
+          : {}),
+        ...(requestInfo.headers
+          ? { headers: sanitizeHeaders(requestInfo.headers) }
+          : {}),
+      }
+      debugDir(failureDetails)
+    } else {
+      debug(`API ${endpoint}: HTTP ${status}`)
+    }
     /* c8 ignore next 3 */
   } else if (isDebugNs('notice')) {
     debugNs('notice', `API ${endpoint}: ${status || 'pending'}`)

packages/cli/src/utils/socket/api.mts

@@ -360,23 +360,41 @@ export async function queryApiSafeText(
     spinner?.start(`Requesting ${description} from API...`)
   }
 
+  const baseUrl = getDefaultApiBaseUrl()
+  const fullUrl = `${baseUrl}${baseUrl?.endsWith('/') ? '' : '/'}${path}`
+  const startTime = Date.now()
+
   let result: any
   try {
     result = await queryApi(path, apiToken)
+    const durationMs = Date.now() - startTime
     if (description) {
       spinner?.successAndStop(
         `Received Socket API response (after requesting ${description}).`,
       )
     }
+    // Log success for debugging.
+    debugApiResponse(description || 'Query API', result.status, undefined, {
+      method: 'GET',
+      url: fullUrl,
+      durationMs,
+      headers: { Authorization: '[REDACTED]' },
+    })
   } catch (e) {
+    const durationMs = Date.now() - startTime
     if (description) {
       spinner?.failAndStop(
         `An error was thrown while requesting ${description}.`,
       )
     }
 
     debug('Query API request failed')
-    debugDir(e)
+    debugApiResponse(description || 'Query API', undefined, e, {
+      method: 'GET',
+      url: fullUrl,
+      durationMs,
+      headers: { Authorization: '[REDACTED]' },
+    })
 
     const errStr = e ? String(e).trim() : ''
     const message = 'API request failed'
@@ -392,6 +410,14 @@ export async function queryApiSafeText(
 
   if (!result.ok) {
     const { status } = result
+    const durationMs = Date.now() - startTime
+    // Log detailed error information.
+    debugApiResponse(description || 'Query API', status, undefined, {
+      method: 'GET',
+      url: fullUrl,
+      durationMs,
+      headers: { Authorization: '[REDACTED]' },
+    })
     // Log required permissions for 403 errors when in a command context.
     if (commandPath && status === 403) {
       logPermissionsFor403(commandPath)
@@ -495,6 +521,9 @@ export async function sendApiRequest<T>(
     spinner?.start(`Requesting ${description} from API...`)
   }
 
+  const fullUrl = `${baseUrl}${baseUrl.endsWith('/') ? '' : '/'}${path}`
+  const startTime = Date.now()
+
   let result: any
   try {
     const fetchOptions = {
@@ -506,24 +535,35 @@ export async function sendApiRequest<T>(
       ...(body ? { body: JSON.stringify(body) } : {}),
     }
 
-    result = await fetch(
-      `${baseUrl}${baseUrl.endsWith('/') ? '' : '/'}${path}`,
-      fetchOptions,
-    )
+    result = await fetch(fullUrl, fetchOptions)
+    const durationMs = Date.now() - startTime
     if (description) {
       spinner?.successAndStop(
         `Received Socket API response (after requesting ${description}).`,
       )
     }
+    // Log success for debugging.
+    debugApiResponse(description || 'Send API Request', result.status, undefined, {
+      method,
+      url: fullUrl,
+      durationMs,
+      headers: { Authorization: '[REDACTED]', 'Content-Type': 'application/json' },
+    })
   } catch (e) {
+    const durationMs = Date.now() - startTime
     if (description) {
       spinner?.failAndStop(
         `An error was thrown while requesting ${description}.`,
       )
     }
 
     debug(`API ${method} request failed`)
-    debugDir(e)
+    debugApiResponse(description || 'Send API Request', undefined, e, {
+      method,
+      url: fullUrl,
+      durationMs,
+      headers: { Authorization: '[REDACTED]', 'Content-Type': 'application/json' },
+    })
 
     const errStr = e ? String(e).trim() : ''
     const message = 'API request failed'
@@ -539,6 +579,14 @@ export async function sendApiRequest<T>(
 
   if (!result.ok) {
     const { status } = result
+    const durationMs = Date.now() - startTime
+    // Log detailed error information.
+    debugApiResponse(description || 'Send API Request', status, undefined, {
+      method,
+      url: fullUrl,
+      durationMs,
+      headers: { Authorization: '[REDACTED]', 'Content-Type': 'application/json' },
+    })
     // Log required permissions for 403 errors when in a command context.
     if (commandPath && status === 403) {
       logPermissionsFor403(commandPath)