feat: add log hooks

internal/netutil/http.go

@@ -3,7 +3,10 @@ package netutil
 import (
 	"crypto/tls"
 	"net/http"
+	"net/url"
 	"time"
+
+	"streamrip-go/internal/verbose"
 )
 
 const defaultMaxConnsPerHost = 16
@@ -40,6 +43,63 @@ func NewHTTPClient(timeout time.Duration, verifySSL bool, maxConnsPerHost int) *
 
 	return &http.Client{
 		Timeout:   timeout,
-		Transport: transport,
+		Transport: &loggingTransport{base: transport},
 	}
 }
+
+// loggingTransport emits one verbose line per HTTP request when verbose
+// level >= VV. The check is per-call so toggling the level at runtime
+// affects subsequent requests without rebuilding clients.
+type loggingTransport struct {
+	base http.RoundTripper
+}
+
+func (t *loggingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	if !verbose.Enabled(verbose.VV) {
+		return t.base.RoundTrip(req)
+	}
+	start := time.Now()
+	resp, err := t.base.RoundTrip(req)
+	elapsed := time.Since(start).Round(time.Millisecond)
+	target := redactURL(req.URL)
+	if err != nil {
+		verbose.Printf(verbose.VV, "http %s %s -> error %v (%s)\n", req.Method, target, err, elapsed)
+		return resp, err
+	}
+	verbose.Printf(verbose.VV, "http %s %s -> %d (%s)\n", req.Method, target, resp.StatusCode, elapsed)
+	return resp, err
+}
+
+// redactURL hides values for query parameters that commonly carry
+// credentials so -vv output is safe to paste in an issue.
+func redactURL(u *url.URL) string {
+	if u == nil {
+		return ""
+	}
+	if u.RawQuery == "" {
+		return u.String()
+	}
+	q := u.Query()
+	redacted := false
+	for k := range q {
+		if isSensitiveParam(k) {
+			q.Set(k, "REDACTED")
+			redacted = true
+		}
+	}
+	if !redacted {
+		return u.String()
+	}
+	cp := *u
+	cp.RawQuery = q.Encode()
+	return cp.String()
+}
+
+func isSensitiveParam(name string) bool {
+	switch name {
+	case "user_auth_token", "api_token", "access_token", "refresh_token",
+		"request_sig", "signature", "password", "secret", "token", "code", "auth", "key":
+		return true
+	}
+	return false
+}