feat(p7-05): fill signal & log stubs — SignalHandlerTests, ServerLoggerTests

- Add RemovePassFromTrace, RemoveAuthTokenFromTrace, RemoveSecretsFromTrace
  static methods to ServerLogging (mirrors removeSecretsFromTrace/redact in
  server/client.go); uses same regex patterns as Go source to redact only the
  first match's value with [REDACTED].
- Update ClientConnection.RemoveSecretsFromTrace stub to delegate to
  ServerLogging.RemoveSecretsFromTrace.
- Add 2 unit tests to SignalHandlerTests (T:2919 invalid command, T:2920 invalid
  PID); mark 14 process-injection/subprocess tests as deferred ([Fact(Skip=…)]).
- Create ServerLoggerTests with 3 test methods (T:2020, T:2021, T:2022) covering
  NoPasswordsFromConnectTrace, RemovePassFromTrace (8 theory cases),
  RemoveAuthTokenFromTrace (8 theory cases).
- DB: 3 log tests → complete, 2 signal tests → complete, 14 signal tests → deferred.
- All 663 unit tests pass (was 645), 14 deferred skipped.

dotnet/tests/ZB.MOM.NatsNet.Server.Tests/Internal/ServerLoggerTests.cs

@@ -0,0 +1,138 @@
+// Copyright 2012-2025 The NATS Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using Shouldly;
+using ZB.MOM.NatsNet.Server.Internal;
+
+namespace ZB.MOM.NatsNet.Server.Tests.Internal;
+
+/// <summary>
+/// Tests for server logging trace sanitization (RemovePassFromTrace, RemoveAuthTokenFromTrace).
+/// Mirrors server/log_test.go — TestNoPasswordsFromConnectTrace, TestRemovePassFromTrace,
+/// TestRemoveAuthTokenFromTrace.
+/// </summary>
+public class ServerLoggerTests
+{
+    // ---------------------------------------------------------------------------
+    // T:2020 — TestNoPasswordsFromConnectTrace
+    // ---------------------------------------------------------------------------
+
+    /// <summary>
+    /// Mirrors TestNoPasswordsFromConnectTrace.
+    /// Verifies that a CONNECT trace with a password or auth_token does not
+    /// expose the secret value after sanitization.
+    /// </summary>
+    [Fact] // T:2020
+    public void NoPasswordsFromConnectTrace_ShouldSucceed()
+    {
+        const string connectWithPass =
+            """CONNECT {"verbose":false,"pedantic":false,"user":"derek","pass":"s3cr3t","tls_required":false}""";
+        const string connectWithToken =
+            """CONNECT {"verbose":false,"auth_token":"secret-token","tls_required":false}""";
+
+        ServerLogging.RemovePassFromTrace(connectWithPass).ShouldNotContain("s3cr3t");
+        ServerLogging.RemoveAuthTokenFromTrace(connectWithToken).ShouldNotContain("secret-token");
+    }
+
+    // ---------------------------------------------------------------------------
+    // T:2021 — TestRemovePassFromTrace
+    // ---------------------------------------------------------------------------
+
+    /// <summary>
+    /// Mirrors TestRemovePassFromTrace — covers all test vectors from log_test.go.
+    /// Each case verifies that RemovePassFromTrace redacts the first pass/password value
+    /// with [REDACTED] while leaving other fields intact.
+    /// </summary>
+    [Theory] // T:2021
+    [InlineData(
+        "user and pass",
+        "CONNECT {\"user\":\"derek\",\"pass\":\"s3cr3t\"}\r\n",
+        "CONNECT {\"user\":\"derek\",\"pass\":\"[REDACTED]\"}\r\n")]
+    [InlineData(
+        "user and pass extra space",
+        "CONNECT {\"user\":\"derek\",\"pass\":  \"s3cr3t\"}\r\n",
+        "CONNECT {\"user\":\"derek\",\"pass\":  \"[REDACTED]\"}\r\n")]
+    [InlineData(
+        "user and pass is empty",
+        "CONNECT {\"user\":\"derek\",\"pass\":\"\"}\r\n",
+        "CONNECT {\"user\":\"derek\",\"pass\":\"[REDACTED]\"}\r\n")]
+    [InlineData(
+        "user and pass is empty whitespace",
+        "CONNECT {\"user\":\"derek\",\"pass\":\"               \"}\r\n",
+        "CONNECT {\"user\":\"derek\",\"pass\":\"[REDACTED]\"}\r\n")]
+    [InlineData(
+        "only pass",
+        "CONNECT {\"pass\":\"s3cr3t\",}\r\n",
+        "CONNECT {\"pass\":\"[REDACTED]\",}\r\n")]
+    [InlineData(
+        "complete connect",
+        "CONNECT {\"echo\":true,\"verbose\":false,\"pedantic\":false,\"user\":\"foo\",\"pass\":\"s3cr3t\",\"tls_required\":false,\"name\":\"APM7JU94z77YzP6WTBEiuw\"}\r\n",
+        "CONNECT {\"echo\":true,\"verbose\":false,\"pedantic\":false,\"user\":\"foo\",\"pass\":\"[REDACTED]\",\"tls_required\":false,\"name\":\"APM7JU94z77YzP6WTBEiuw\"}\r\n")]
+    [InlineData(
+        "user and pass are filtered",
+        "CONNECT {\"user\":\"s3cr3t\",\"pass\":\"s3cr3t\"}\r\n",
+        "CONNECT {\"user\":\"s3cr3t\",\"pass\":\"[REDACTED]\"}\r\n")]
+    [InlineData(
+        "single long password",
+        "CONNECT {\"pass\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"}\r\n",
+        "CONNECT {\"pass\":\"[REDACTED]\"}\r\n")]
+    public void RemovePassFromTrace_ShouldSucceed(string name, string input, string expected)
+    {
+        _ = name; // used for test display only
+        ServerLogging.RemovePassFromTrace(input).ShouldBe(expected);
+    }
+
+    // ---------------------------------------------------------------------------
+    // T:2022 — TestRemoveAuthTokenFromTrace
+    // ---------------------------------------------------------------------------
+
+    /// <summary>
+    /// Mirrors TestRemoveAuthTokenFromTrace — covers representative test vectors
+    /// from log_test.go.  Each case verifies that RemoveAuthTokenFromTrace redacts
+    /// the first auth_token value with [REDACTED].
+    /// </summary>
+    [Theory] // T:2022
+    [InlineData(
+        "user and auth_token",
+        "CONNECT {\"user\":\"derek\",\"auth_token\":\"s3cr3t\"}\r\n",
+        "CONNECT {\"user\":\"derek\",\"auth_token\":\"[REDACTED]\"}\r\n")]
+    [InlineData(
+        "user and auth_token extra space",
+        "CONNECT {\"user\":\"derek\",\"auth_token\":  \"s3cr3t\"}\r\n",
+        "CONNECT {\"user\":\"derek\",\"auth_token\":  \"[REDACTED]\"}\r\n")]
+    [InlineData(
+        "user and auth_token is empty",
+        "CONNECT {\"user\":\"derek\",\"auth_token\":\"\"}\r\n",
+        "CONNECT {\"user\":\"derek\",\"auth_token\":\"[REDACTED]\"}\r\n")]
+    [InlineData(
+        "only auth_token",
+        "CONNECT {\"auth_token\":\"s3cr3t\",}\r\n",
+        "CONNECT {\"auth_token\":\"[REDACTED]\",}\r\n")]
+    [InlineData(
+        "complete connect",
+        "CONNECT {\"echo\":true,\"verbose\":false,\"pedantic\":false,\"auth_token\":\"s3cr3t\",\"tls_required\":false,\"name\":\"APM7JU94z77YzP6WTBEiuw\"}\r\n",
+        "CONNECT {\"echo\":true,\"verbose\":false,\"pedantic\":false,\"auth_token\":\"[REDACTED]\",\"tls_required\":false,\"name\":\"APM7JU94z77YzP6WTBEiuw\"}\r\n")]
+    [InlineData(
+        "user and token are filtered",
+        "CONNECT {\"user\":\"s3cr3t\",\"auth_token\":\"s3cr3t\"}\r\n",
+        "CONNECT {\"user\":\"s3cr3t\",\"auth_token\":\"[REDACTED]\"}\r\n")]
+    [InlineData(
+        "single long token",
+        "CONNECT {\"auth_token\":\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"}\r\n",
+        "CONNECT {\"auth_token\":\"[REDACTED]\"}\r\n")]
+    public void RemoveAuthTokenFromTrace_ShouldSucceed(string name, string input, string expected)
+    {
+        _ = name; // used for test display only
+        ServerLogging.RemoveAuthTokenFromTrace(input).ShouldBe(expected);
+    }
+}

dotnet/tests/ZB.MOM.NatsNet.Server.Tests/Internal/SignalHandlerTests.cs

@@ -67,4 +67,100 @@ public class SignalHandlerTests
         var err = SignalHandler.ProcessSignal(ServerCommand.Stop, "not-a-pid");
         err.ShouldNotBeNull();
     }
+
+    // ---------------------------------------------------------------------------
+    // Tests ported from server/signal_test.go
+    // ---------------------------------------------------------------------------
+
+    /// <summary>
+    /// Mirrors TestProcessSignalInvalidCommand.
+    /// An out-of-range ServerCommand enum value is treated as an unknown signal
+    /// and ProcessSignal returns a non-null error.
+    /// </summary>
+    [Fact] // T:2919
+    public void ProcessSignalInvalidCommand_ShouldSucceed()
+    {
+        if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
+            return; // Skip on Windows
+
+        var err = SignalHandler.ProcessSignal((ServerCommand)99, "123");
+        err.ShouldNotBeNull();
+    }
+
+    /// <summary>
+    /// Mirrors TestProcessSignalInvalidPid.
+    /// A non-numeric PID string returns an error containing "invalid pid".
+    /// </summary>
+    [Fact] // T:2920
+    public void ProcessSignalInvalidPid_ShouldSucceed()
+    {
+        if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
+            return; // Skip on Windows
+
+        var err = SignalHandler.ProcessSignal(ServerCommand.Stop, "abc");
+        err.ShouldNotBeNull();
+        err!.Message.ShouldContain("invalid pid");
+    }
+
+    // ---------------------------------------------------------------------------
+    // Deferred signal tests — require pgrep/kill injection or real OS process spawning.
+    // These cannot be unit-tested without refactoring SignalHandler to accept
+    // injectable pgrep/kill delegates (as the Go source does).
+    // ---------------------------------------------------------------------------
+
+    /// <summary>Mirrors TestProcessSignalMultipleProcesses — deferred: requires pgrep injection.</summary>
+    [Fact(Skip = "deferred: requires pgrep/kill injection")] // T:2913
+    public void ProcessSignalMultipleProcesses_ShouldSucceed() { }
+
+    /// <summary>Mirrors TestProcessSignalMultipleProcessesGlob — deferred: requires pgrep injection.</summary>
+    [Fact(Skip = "deferred: requires pgrep/kill injection")] // T:2914
+    public void ProcessSignalMultipleProcessesGlob_ShouldSucceed() { }
+
+    /// <summary>Mirrors TestProcessSignalMultipleProcessesGlobPartial — deferred: requires pgrep injection.</summary>
+    [Fact(Skip = "deferred: requires pgrep/kill injection")] // T:2915
+    public void ProcessSignalMultipleProcessesGlobPartial_ShouldSucceed() { }
+
+    /// <summary>Mirrors TestProcessSignalPgrepError — deferred: requires pgrep injection.</summary>
+    [Fact(Skip = "deferred: requires pgrep injection")] // T:2916
+    public void ProcessSignalPgrepError_ShouldSucceed() { }
+
+    /// <summary>Mirrors TestProcessSignalPgrepMangled — deferred: requires pgrep injection.</summary>
+    [Fact(Skip = "deferred: requires pgrep injection")] // T:2917
+    public void ProcessSignalPgrepMangled_ShouldSucceed() { }
+
+    /// <summary>Mirrors TestProcessSignalResolveSingleProcess — deferred: requires pgrep and kill injection.</summary>
+    [Fact(Skip = "deferred: requires pgrep/kill injection")] // T:2918
+    public void ProcessSignalResolveSingleProcess_ShouldSucceed() { }
+
+    /// <summary>Mirrors TestProcessSignalQuitProcess — deferred: requires kill injection.</summary>
+    [Fact(Skip = "deferred: requires kill injection")] // T:2921
+    public void ProcessSignalQuitProcess_ShouldSucceed() { }
+
+    /// <summary>Mirrors TestProcessSignalTermProcess — deferred: requires kill injection and commandTerm equivalent.</summary>
+    [Fact(Skip = "deferred: requires kill injection")] // T:2922
+    public void ProcessSignalTermProcess_ShouldSucceed() { }
+
+    /// <summary>Mirrors TestProcessSignalReopenProcess — deferred: requires kill injection.</summary>
+    [Fact(Skip = "deferred: requires kill injection")] // T:2923
+    public void ProcessSignalReopenProcess_ShouldSucceed() { }
+
+    /// <summary>Mirrors TestProcessSignalReloadProcess — deferred: requires kill injection.</summary>
+    [Fact(Skip = "deferred: requires kill injection")] // T:2924
+    public void ProcessSignalReloadProcess_ShouldSucceed() { }
+
+    /// <summary>Mirrors TestProcessSignalLameDuckMode — deferred: requires kill injection and commandLDMode equivalent.</summary>
+    [Fact(Skip = "deferred: requires kill injection")] // T:2925
+    public void ProcessSignalLameDuckMode_ShouldSucceed() { }
+
+    /// <summary>Mirrors TestProcessSignalTermDuringLameDuckMode — deferred: requires full server (RunServer) and real OS signal.</summary>
+    [Fact(Skip = "deferred: requires RunServer and real OS SIGTERM")] // T:2926
+    public void ProcessSignalTermDuringLameDuckMode_ShouldSucceed() { }
+
+    /// <summary>Mirrors TestSignalInterruptHasSuccessfulExit — deferred: requires spawning a subprocess to test exit code on SIGINT.</summary>
+    [Fact(Skip = "deferred: requires subprocess process spawning")] // T:2927
+    public void SignalInterruptHasSuccessfulExit_ShouldSucceed() { }
+
+    /// <summary>Mirrors TestSignalTermHasSuccessfulExit — deferred: requires spawning a subprocess to test exit code on SIGTERM.</summary>
+    [Fact(Skip = "deferred: requires subprocess process spawning")] // T:2928
+    public void SignalTermHasSuccessfulExit_ShouldSucceed() { }
 }