Description

Adds a global --debug flag that enables HTTP request/response logging for REST API calls. The debug output redacts sensitive headers (Authorization tokens) to prevent accidental credential exposure.

Changes

New files:

• pkg/cmd/factory/factory_test.go - Unit tests for header redaction

Modified files:

• All files in cmd/ which use go-buildkite for API calls now allow for a --debug flag to be set
• Adds --debug as a GlobalFlag option
• Adds a test for testing redaction works

Testing

• Tests have run locally (with go test ./...)
• Code is formatted (with go fmt ./...)

Usage

bk --debug agent list
bk --debug build view 123

Caveats

• Debug output goes to stderr
• Only applies to REST API calls (GraphQL client doesn't have equivalent debug support)
• Authorization header is redacted as Bearer [REDACTED] to prevent token leakage
  • if our output for the header changes then this lookup may fail/use --debug with caution

Disclosures / Credits

I had AI assist with the token redaction functionality; this wasn't something built in to go-buildkite and so a custom redaction function was needed. In the interest of getting this over the line I got Claude to write that; it's a 1 point ticket and spending the day or so on the sanitization could be better spent elsewhere.