feat: Add detailed IndieAuth logging with security-aware token redaction

- Add logging helper functions with automatic token redaction
- Implement comprehensive logging throughout auth flow
- Add production warning for DEBUG logging
- Add 14 new tests for logging functionality
- Update version to v0.7.0

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

CHANGELOG.md

@@ -7,6 +7,51 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.7.0] - 2025-11-19
+
+### Added
+- **IndieAuth Detailed Logging**: Comprehensive logging for authentication flows
+- Logging helper functions with automatic token redaction (_redact_token, _log_http_request, _log_http_response)
+- DEBUG-level HTTP request/response logging for IndieLogin.com interactions
+- Configurable logging via LOG_LEVEL environment variable (DEBUG, INFO, WARNING, ERROR)
+- Security-aware logging with automatic redaction of sensitive data (tokens, codes, secrets)
+- Production warning when DEBUG logging is enabled in non-development environments
+- Comprehensive test suite for logging functions (14 new tests)
+
+### Changed
+- Enhanced authentication flow visibility with structured logging
+- initiate_login(), handle_callback(), create_session(), and verify_session() now include detailed logging
+- Flask logger configuration now based on LOG_LEVEL environment variable
+- Log format varies by level: detailed for DEBUG, concise for INFO/WARNING/ERROR
+
+### Security
+- All sensitive tokens automatically redacted in logs (show only first 6-8 and last 4 characters)
+- Authorization codes, state tokens, and access tokens never logged in full
+- Sensitive HTTP headers (Authorization, Cookie, Set-Cookie) excluded from logs
+- Production warning prevents accidental DEBUG logging in production
+
+### Features
+- Token redaction shows pattern like "abc123...********...xyz9" for debugging while protecting secrets
+- HTTP request logging includes method, URL, and redacted parameters
+- HTTP response logging includes status code, safe headers, and redacted body
+- Session verification and creation logging for audit trails
+- Admin authorization logging for security monitoring
+
+### Testing
+- 51 authentication tests passing (100% pass rate)
+- Tests verify token redaction at all levels
+- Tests confirm no sensitive data appears in logs
+- Tests verify logging behavior at different log levels (DEBUG vs INFO)
+
+### Standards Compliance
+- OWASP Logging Cheat Sheet: Sensitive data redaction
+- Python logging best practices
+- IndieAuth specification compatibility (logging doesn't interfere with auth flow)
+
+### Related Documentation
+- ADR-018: IndieAuth Detailed Logging Strategy
+- Implementation includes complete specification from ADR-018
+
 ## [0.6.2] - 2025-11-19
 
 ### Fixed