fix(kas): Ensure root key is not logged. (#2918)

### Proposed Changes

1.) Modify the `KasConfig` object to redact the `root_key`
2.) Modify the `ServiceConfig` object to check for the existence of
`root_key`, if present redact it.


Logs redacted:

1.) At startup:
<img width="2437" height="82" alt="Screenshot 2025-11-19 at 8 28 18 AM"
src="https://github.com/user-attachments/assets/abe29f91-a84c-43ca-86a1-1832175fa0e2"
/>

2.) Update hook
<img width="2447" height="104" alt="Screenshot 2025-11-19 at 8 26 13 AM"
src="https://github.com/user-attachments/assets/7aff9a9e-38b5-48b6-a562-0ee3ca5c230e"
/>

3.) Startup - Invalid Config
<img width="2435" height="105" alt="Screenshot 2025-11-19 at 8 24 30 AM"
src="https://github.com/user-attachments/assets/634c227c-3d01-4908-b3d3-05759a9cf756"
/>


### Checklist

- [ ] I have added or updated unit tests
- [ ] I have added or updated integration tests (if appropriate)
- [ ] I have added or updated documentation

### Testing Instructions

Author: c-r33d

service/kas/access/provider.go

@@ -2,6 +2,7 @@ package access
 
 import (
 	"context"
+	"fmt"
 	"log/slog"
 	"net/url"
 	"time"
@@ -135,6 +136,43 @@ func (kasCfg *KASConfig) UpgradeMapToKeyring(c *security.StandardCrypto) {
 	}
 }
 
+func (kasCfg KASConfig) String() string {
+	rootKeySummary := ""
+	if kasCfg.RootKey != "" {
+		rootKeySummary = fmt.Sprintf("[REDACTED len=%d]", len(kasCfg.RootKey))
+	}
+
+	return fmt.Sprintf(
+		"KASConfig{Keyring:%v, ECCertID:%q, RSACertID:%q, RootKey:%s, KeyCacheExpiration:%s, ECTDFEnabled:%t, Preview:%+v, RegisteredKASURI:%q}",
+		kasCfg.Keyring,
+		kasCfg.ECCertID,
+		kasCfg.RSACertID,
+		rootKeySummary,
+		kasCfg.KeyCacheExpiration,
+		kasCfg.ECTDFEnabled,
+		kasCfg.Preview,
+		kasCfg.RegisteredKASURI,
+	)
+}
+
+func (kasCfg KASConfig) LogValue() slog.Value {
+	rootKeyVal := ""
+	if kasCfg.RootKey != "" {
+		rootKeyVal = fmt.Sprintf("[REDACTED len=%d]", len(kasCfg.RootKey))
+	}
+
+	return slog.GroupValue(
+		slog.Any("keyring", kasCfg.Keyring),
+		slog.String("eccertid", kasCfg.ECCertID),
+		slog.String("rsacertid", kasCfg.RSACertID),
+		slog.String("root_key", rootKeyVal),
+		slog.Duration("key_cache_expiration", kasCfg.KeyCacheExpiration),
+		slog.Bool("ec_tdf_enabled", kasCfg.ECTDFEnabled),
+		slog.Any("preview", kasCfg.Preview),
+		slog.String("registered_kas_uri", kasCfg.RegisteredKASURI),
+	)
+}
+
 // If there exists *any* legacy keys, returns empty list.
 // Otherwise, create a copy with legacy=true for all values
 func inferLegacyKeys(keys []CurrentKeyFor) []CurrentKeyFor {

service/pkg/config/config.go

@@ -15,6 +15,8 @@ import (
 	"github.com/spf13/viper"
 )
 
+const rootKeyField = "root_key"
+
 // ChangeHook is a function invoked when the configuration changes.
 type ChangeHook func(configServices ServicesMap) error
 
@@ -24,6 +26,43 @@ type ServicesMap map[string]ServiceConfig
 // Config structure holding a single service.
 type ServiceConfig map[string]any
 
+func (cfg ServiceConfig) String() string {
+	// Create a shallow copy so we don't mutate the original map.
+	redacted := make(map[string]any, len(cfg))
+
+	for k, v := range cfg {
+		if k == rootKeyField {
+			redacted[k] = redactRootKeyValue(v)
+			continue
+		}
+		redacted[k] = v
+	}
+
+	return fmt.Sprintf("%v", redacted)
+}
+
+func (cfg ServiceConfig) LogValue() slog.Value {
+	attrs := make([]slog.Attr, 0, len(cfg))
+
+	for k, v := range cfg {
+		if k == rootKeyField {
+			attrs = append(attrs, slog.String(k, redactRootKeyValue(v)))
+			continue
+		}
+
+		attrs = append(attrs, slog.Any(k, v))
+	}
+
+	return slog.GroupValue(attrs...)
+}
+
+func redactRootKeyValue(v any) string {
+	if s, ok := v.(string); ok && s != "" {
+		return fmt.Sprintf("REDACTED: len=%d", len(s))
+	}
+	return "REDACTED"
+}
+
 // Config represents the configuration settings for the service.
 type Config struct {
 	// DevMode specifies whether the service is running in development mode.