
feat(http): env-gated debug logging with hashed access tokens #180

Merged: cdot65 merged 1 commit into main from cdot65/feat/debug-logging on Jun 5, 2026

cdot65 (Owner) commented Jun 5, 2026

Closes #179.

What

Opt-in debug logging of every SDK API call, gated by the PANW_AI_SEC_DEBUG env var. Access tokens are hashed so logs are safe to share.

  • New internal module src/http/debug.ts: isDebugEnabled, hashToken (sha256:<12 hex>), sanitizeHeaders, logRequest/logResponse.
  • Hooked into the single request() chokepoint → covers scan, management, model security, and red teaming uniformly.
  • Logs once per attempt (retries / 401 refreshes visible). res.clone() so the real body isn't consumed. formData bodies log as [multipart/form-data].

Security

Authorization and x-pan-token values are replaced with a non-reversible sha256:<prefix> hash — logRequest sanitizes internally so a caller can't leak a raw token. Verified live: real OAuth bearer logged as "Authorization":"sha256:6ba877dddebe". Zero output / zero overhead when the var is unset.

Sample

[airs-sdk] → GET https://api.sase.../v1/custom-attack/list-custom-prompt-sets?limit=1
[airs-sdk]   headers {"User-Agent":"PAN-AIRS/0.12.0-typescript-sdk","service-name":"api","Authorization":"sha256:6ba877dddebe"}
[airs-sdk] ← 200 (1397ms) {"pagination":{"total_items":1},"data":[...]}

Tests

  • test/http/debug.spec.ts — hashToken format/determinism, sanitizeHeaders redaction + case-insensitivity + no-mutation, isDebugEnabled truthy parsing.
  • test/http/request.spec.ts — integration: enabled logs sanitized req/resp (raw token absent, hash present, status logged); disabled = silent; one log pair per retry attempt.
  • Full suite: 1303 passing. Live E2E confirmed. Docs build clean.

Docs

docs/getting-started/environment-variables.md — new Debugging section with sample output + prompt-content warning.

Changeset

minor — additive feature.

PANW_AI_SEC_DEBUG=1 logs every request/response to stderr across all
domains; Authorization/x-pan-token values shown as sha256:<prefix> so
raw tokens never leak. Zero output/overhead when unset. Closes #179.
cdot65 merged commit 8553373 into main on Jun 5, 2026
4 checks passed
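
An added example, not the SDK's src/http/debug.ts or any other code from this PR: one way the env-gated header redaction described above could be written in TypeScript. The function names follow the PR description; the accepted truthy values, hashing the whole header value (including any `Bearer ` scheme), and the `formatRequest` helper are assumptions.

```typescript
import { createHash } from "node:crypto";

// Header names the PR lists as secret; matched case-insensitively.
const SENSITIVE = new Set(["authorization", "x-pan-token"]);
type Env = Record<string, string | undefined>;

// Assumption: 1/true/yes/on count as enabled (the PR does not list the values).
export function isDebugEnabled(env: Env): boolean {
  const v = (env.PANW_AI_SEC_DEBUG ?? "").trim().toLowerCase();
  return ["1", "true", "yes", "on"].includes(v);
}

// "sha256:" plus the first 12 hex characters of the SHA-256 digest.
export function hashToken(value: string): string {
  const hex = createHash("sha256").update(value, "utf8").digest("hex");
  return `sha256:${hex.slice(0, 12)}`;
}

// Returns a new object; the caller's headers are never modified.
export function sanitizeHeaders(headers: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] = SENSITIVE.has(name.toLowerCase()) ? hashToken(value) : value;
  }
  return out;
}

// Hypothetical helper: builds the log lines and sanitizes internally, so a
// caller cannot pass raw headers straight through to the log.
export function formatRequest(
  method: string, url: string, headers: Record<string, string>, env: Env,
): string[] {
  if (!isDebugEnabled(env)) return []; // unset: no output, no hashing work
  return [
    `[airs-sdk] → ${method} ${url}`,
    `[airs-sdk]   headers ${JSON.stringify(sanitizeHeaders(headers))}`,
  ];
}

// Constructed sample input (not a real token or endpoint).
const SAMPLE_TOKEN = "Bearer constructed-sample-token-not-real";
const sample = { "User-Agent": "example-client", AUTHORIZATION: SAMPLE_TOKEN, "X-Pan-Token": "abc" };
const SAMPLE_URL = "https://api.example.invalid/v1/items";
for (const line of formatRequest("GET", SAMPLE_URL, sample, { PANW_AI_SEC_DEBUG: "1" })) {
  console.error(line);
}
```

The truncated digest is a stable correlator for a given token, and it is only as hard to reverse as the token is unpredictable, so the approach suits random OAuth tokens rather than short or guessable secrets. Request and response bodies pass through unredacted, which is what the PR's prompt-content warning covers.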
Development

Successfully merging this pull request may close these issues.

feat(http): env-gated debug logging of API calls with hashed access tokens