refactor(csrf): replace error_log with debugLog for structured logging

Replace raw error_log() calls with framework's debugLog() method for:
- Consistent structured logging with context data
- Sensitive data hashing (tokens, session IDs)
- Debug-mode awareness (only logs when debug enabled)

src/Framework/Http/Session/CsrfProtection.php

@@ -203,7 +203,10 @@ final readonly class CsrfProtection
                 $otherTokenData = $csrfData->getFormData($otherFormId);
                 if ($otherTokenData !== null && $otherTokenData->matches($tokenString)) {
                     $foundInOtherForm = $otherFormId;
-                    error_log("CsrfProtection::validateToken - Token found in different form ID: $otherFormId (requested: $formId)");
+                    $this->debugLog('CsrfProtection::validateToken - Token found in different form ID', [
+                        'found_in_form_id' => $otherFormId,
+                        'requested_form_id' => $formId
+                    ]);
                     break;
                 }
             }
@@ -224,10 +227,13 @@ final readonly class CsrfProtection
         // Debug: Log token comparison
         $storedTokenString = $tokenData->token->toString();
         $requestTokenString = $token->toString();
-        error_log("CsrfProtection::validateToken - Comparing tokens:");
+        $this->debugLog('CsrfProtection::validateToken - Comparing tokens', [
-        error_log("  Stored: " . substr($storedTokenString, 0, 20) . "... (length: " . strlen($storedTokenString) . ")");
+            'stored_token' => $storedTokenString,
-        error_log("  Request: " . substr($requestTokenString, 0, 20) . "... (length: " . strlen($requestTokenString) . ")");
+            'request_token' => $requestTokenString,
-        error_log("  Match: " . ($tokenData->matches($token->toString()) ? 'YES' : 'NO'));
+            'stored_length' => strlen($storedTokenString),
+            'request_length' => strlen($requestTokenString),
+            'match' => $tokenData->matches($token->toString()) ? 'YES' : 'NO'
+        ]);
 
         if ($tokenData->matches($token->toString())) {
             // Check if token is expired
@@ -247,7 +253,7 @@ final readonly class CsrfProtection
 
             // Token validated - rotate to new token
             $newToken = $this->tokenGenerator->generate();
-            error_log("CsrfProtection::validateToken - Token validated, rotating to new token for formId: $formId");
+            $this->debugLog('CsrfProtection::validateToken - Token validated, rotating to new token', ['form_id' => $formId]);
             
             if ($this->sessionManager !== null) {
                 $this->sessionManager->updateSessionDataAtomically(
@@ -269,10 +275,12 @@ final readonly class CsrfProtection
 
             return ['valid' => true, 'new_token' => $newToken];
         }
-        
+
         // No matching token found - add more debug info
-        error_log("CsrfProtection::validateToken - No matching token found. Stored token: " . substr($tokenData->token->toString(), 0, 20) . "...");
+        $this->debugLog('CsrfProtection::validateToken - No matching token found', [
-        
+            'stored_token' => $tokenData->token->toString()
+        ]);
+
         // Check if token exists for another form ID (common mistake)
         $tokenString = $token->toString();
         $foundInOtherForm = null;
@@ -283,7 +291,10 @@ final readonly class CsrfProtection
             $otherTokenData = $csrfData->getFormData($otherFormId);
             if ($otherTokenData !== null && $otherTokenData->matches($tokenString)) {
                 $foundInOtherForm = $otherFormId;
-                error_log("CsrfProtection::validateToken - Token found in different form ID: $otherFormId (requested: $formId)");
+                $this->debugLog('CsrfProtection::validateToken - Token found in different form ID', [
+                    'found_in_form_id' => $otherFormId,
+                    'requested_form_id' => $formId
+                ]);
                 break;
             }
         }