Merge pull request '[agent/codex:gpt-5.4-mini] Read ~/spec/code/core/go/cli/RFC.md fully. Find ONE feature ...' (#42) from agent/read---spec-code-core-go-cli-rfc-md-full into dev

docs/pkg/cli/output.md

@@ -280,4 +280,5 @@ cli.LogInfo("server started", "port", 8080)
 cli.LogWarn("slow query", "duration", "3.2s")
 cli.LogError("connection failed", "err", err)
 cli.LogSecurity("login attempt", "user", "admin")
+cli.LogSecurityf("login attempt from %s", username)
 ```

pkg/cli/log.go

@@ -1,6 +1,8 @@
 package cli
 
 import (
+	"fmt"
+
 	"forge.lthn.ai/core/go-log"
 )
 
@@ -31,3 +33,10 @@ func LogError(msg string, keyvals ...any) { log.Error(msg, keyvals...) }
 //
 //	cli.LogSecurity("login attempt", "user", "admin")
 func LogSecurity(msg string, keyvals ...any) { log.Security(msg, keyvals...) }
+
+// LogSecurityf logs a formatted security-sensitive message.
+//
+//	cli.LogSecurityf("login attempt from %s", username)
+func LogSecurityf(format string, args ...any) {
+	log.Security(fmt.Sprintf(format, args...))
+}

pkg/cli/log_test.go

@@ -28,3 +28,21 @@ func TestLogSecurity_Good(t *testing.T) {
 		t.Fatalf("expected structured key/value output, got %q", out)
 	}
 }
+
+func TestLogSecurityf_Good(t *testing.T) {
+	var buf bytes.Buffer
+	original := log.Default()
+	t.Cleanup(func() {
+		log.SetDefault(original)
+	})
+
+	logger := log.New(log.Options{Level: log.LevelDebug, Output: &buf})
+	log.SetDefault(logger)
+
+	LogSecurityf("login attempt from %s", "admin")
+
+	out := buf.String()
+	if !strings.Contains(out, "login attempt from admin") {
+		t.Fatalf("expected formatted security log message, got %q", out)
+	}
+}