feat(p7-05): fill signal & log stubs — SignalHandlerTests, ServerLoggerTests

- Add RemovePassFromTrace, RemoveAuthTokenFromTrace, RemoveSecretsFromTrace
  static methods to ServerLogging (mirrors removeSecretsFromTrace/redact in
  server/client.go); uses same regex patterns as Go source to redact only the
  first match's value with [REDACTED].
- Update ClientConnection.RemoveSecretsFromTrace stub to delegate to
  ServerLogging.RemoveSecretsFromTrace.
- Add 2 unit tests to SignalHandlerTests (T:2919 invalid command, T:2920 invalid
  PID); mark 14 process-injection/subprocess tests as deferred ([Fact(Skip=…)]).
- Create ServerLoggerTests with 3 test methods (T:2020, T:2021, T:2022) covering
  NoPasswordsFromConnectTrace, RemovePassFromTrace (8 theory cases),
  RemoveAuthTokenFromTrace (8 theory cases).
- DB: 3 log tests → complete, 2 signal tests → complete, 14 signal tests → deferred.
- All 663 unit tests pass (was 645), 14 deferred skipped.

dotnet/src/ZB.MOM.NatsNet.Server/Internal/NatsLogger.cs

@@ -14,6 +14,7 @@
 // Adapted from server/log.go in the NATS server Go source.
 
 using System.Collections.Concurrent;
+using System.Text.RegularExpressions;
 using Microsoft.Extensions.Logging;
 
 namespace ZB.MOM.NatsNet.Server.Internal;
@@ -156,6 +157,53 @@ public sealed class ServerLogging
         var statement = string.Format(format, args);
         Warnf("{0}", statement);
     }
+
+    // ---- Trace sanitization ----
+    // Mirrors removeSecretsFromTrace / redact in server/client.go.
+    // passPat  = `"?\s*pass\S*?"?\s*[:=]\s*"?(([^",\r\n}])*)` — captures the value of any pass/password field.
+    // tokenPat = `"?\s*auth_token\S*?"?\s*[:=]\s*"?(([^",\r\n}])*)` — captures auth_token value.
+    // Only the FIRST match is redacted (mirrors the Go break-after-first-match behaviour).
+
+    // Go: "?\s*pass\S*?"?\s*[:=]\s*"?(([^",\r\n}])*)
+    private static readonly Regex s_passPattern = new(
+        @"""?\s*pass\S*?""?\s*[:=]\s*""?(([^"",\r\n}])*)",
+        RegexOptions.Compiled);
+
+    // Go: "?\s*auth_token\S*?"?\s*[:=]\s*"?(([^",\r\n}])*)
+    private static readonly Regex s_authTokenPattern = new(
+        @"""?\s*auth_token\S*?""?\s*[:=]\s*""?(([^"",\r\n}])*)",
+        RegexOptions.Compiled);
+
+    /// <summary>
+    /// Removes passwords from a protocol trace string.
+    /// Mirrors <c>removeSecretsFromTrace</c> in client.go (pass step).
+    /// Only the first occurrence is redacted.
+    /// </summary>
+    public static string RemovePassFromTrace(string s)
+        => RedactFirst(s_passPattern, s);
+
+    /// <summary>
+    /// Removes auth_token from a protocol trace string.
+    /// Mirrors <c>removeSecretsFromTrace</c> in client.go (auth_token step).
+    /// Only the first occurrence is redacted.
+    /// </summary>
+    public static string RemoveAuthTokenFromTrace(string s)
+        => RedactFirst(s_authTokenPattern, s);
+
+    /// <summary>
+    /// Removes both passwords and auth tokens from a protocol trace string.
+    /// Mirrors <c>removeSecretsFromTrace</c> in client.go.
+    /// </summary>
+    public static string RemoveSecretsFromTrace(string s)
+        => RemoveAuthTokenFromTrace(RemovePassFromTrace(s));
+
+    private static string RedactFirst(Regex pattern, string s)
+    {
+        var m = pattern.Match(s);
+        if (!m.Success) return s;
+        var cap = m.Groups[1]; // captured value substring
+        return string.Concat(s.AsSpan(0, cap.Index), "[REDACTED]", s.AsSpan(cap.Index + cap.Length));
+    }
 }
 
 /// <summary>