From 8b97c833ff1d54767f32290b0436d4fa65f78271 Mon Sep 17 00:00:00 2001
From: Virgil <virgil@lethean.io>
Date: Wed, 1 Apr 2026 05:08:41 +0000
Subject: [PATCH] fix(log): make redaction key matching exact

Co-Authored-By: Virgil <virgil@lethean.io>
---
 log.go      | 2 +-
 log_test.go | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/log.go b/log.go
index 60de5e6..78880dc 100644
--- a/log.go
+++ b/log.go
@@ -489,7 +489,7 @@ func Security(msg string, keyvals ...any) {
 func shouldRedact(key any, redactKeys []string) bool {
 	keyStr := fmt.Sprintf("%v", key)
 	for _, redactKey := range redactKeys {
-		if strings.EqualFold(redactKey, keyStr) {
+		if redactKey == keyStr {
 			return true
 		}
 	}
diff --git a/log_test.go b/log_test.go
index 278d695..cd3b4d8 100644
--- a/log_test.go
+++ b/log_test.go
@@ -170,7 +170,7 @@ func TestLogger_Redaction_Good(t *testing.T) {
 	}
 }
 
-func TestLogger_Redaction_Good_CaseInsensitiveKeys(t *testing.T) {
+func TestLogger_Redaction_Bad_CaseMismatchNotRedacted(t *testing.T) {
 	var buf bytes.Buffer
 	l := New(Options{
 		Level:      LevelInfo,
@@ -181,8 +181,8 @@ func TestLogger_Redaction_Good_CaseInsensitiveKeys(t *testing.T) {
 	l.Info("login", "PASSWORD", "secret123")
 
 	output := buf.String()
-	if !strings.Contains(output, "PASSWORD=\"[REDACTED]\"") {
-		t.Errorf("expected case-insensitive redaction, got %q", output)
+	if !strings.Contains(output, "PASSWORD=\"secret123\"") {
+		t.Errorf("expected case-mismatched key to remain visible, got %q", output)
 	}
 }
 
-- 
2.45.3