Operator-facing tracing-subscriber primitives.
§HIGH-B5 — redact bearer/Authorization in tracing output
reqwest (and the surrounding hyper / h2 / rustls stack) emit
verbose, byte-level diagnostics at TRACE. Those diagnostics include the
raw outbound request — and that means Authorization: Bearer <secret>,
Cookie:, Proxy-Authorization: and friends land in any log stream
whose RUST_LOG pulls those targets in at trace.
reqwest does not provide a redaction hook because the offending log
calls happen inside the crate. The right fix is to attach a filter to
the fmt layer at the workspace’s tracing-init sites so the dangerous
events never reach a writer.
This module ships that filter. Binaries that initialize the global
subscriber compose it onto their existing fmt layer:
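use tracing_subscriber::layer::SubscriberExt;
use tracing_subscriber::util::SubscriberInitExt;
// `with_filter` is a method of the Layer trait, so the trait must be in scope.
use tracing_subscriber::Layer;
// Attach the redaction filter to the fmt layer only.
let fmt_layer = tracing_subscriber::fmt::layer()
    .with_filter(cellos_core::observability::redacted_filter());
// EnvFilter still applies RUST_LOG; the fmt layer carries the redaction filter.
tracing_subscriber::registry()
    .with(tracing_subscriber::EnvFilter::from_default_env())
    .with(fmt_layer)
    .init();
§What the filter drops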
- HTTP-stack TRACE events. Any event whose target starts with one of HTTP_STACK_TARGETS at Level::TRACE is suppressed unconditionally. reqwest’s TRACE log lines are not structured — the bearer token is embedded in a Debug-formatted HeaderMap, so field-name redaction cannot reach it. Suppression is the only reliable mitigation.
- Sensitive field names anywhere. Any event whose recorded fields include a name in SENSITIVE_HEADER_NAMES (case-insensitive) is suppressed regardless of target or level. This catches our own code paths that might accidentally call info!(authorization = %h, ...).
Operators still see reqwest=debug (status codes, request URLs without
headers) and every workspace-emitted event at INFO/DEBUG. The escape
hatch — RUST_LOG=reqwest=trace in production — is closed.
Approach C from the wave-1 audit. ADR-0018 (FIX-B4 — credential redaction posture) cross-references this module.
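The two drop rules above, modelled with the standard library only so the decision can be checked in isolation. This is an added example, not cellos_core's code: the `Event` and `Level` types and the `passes` function are hypothetical stand-ins, and the contents of both lists are constructed because the page does not show them.

```rust
// Std-only model of the two drop rules; not the cellos_core implementation.
// Both lists are constructed for illustration (assumption): the page does not
// show the contents of HTTP_STACK_TARGETS or SENSITIVE_HEADER_NAMES.
const HTTP_STACK_TARGETS: &[&str] = &["reqwest", "hyper", "h2", "rustls"];
const SENSITIVE_HEADER_NAMES: &[&str] = &["authorization", "cookie", "proxy-authorization"];

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
enum Level { Trace, Debug, Info }

/// Hypothetical stand-in for the parts of a tracing event the filter inspects.
struct Event<'a> {
    target: &'a str,
    level: Level,
    field_names: &'a [&'a str],
}

/// Case-insensitive membership check, as the page describes for
/// is_sensitive_field_name.
fn is_sensitive_field_name(name: &str) -> bool {
    SENSITIVE_HEADER_NAMES.iter().any(|s| s.eq_ignore_ascii_case(name))
}

/// Returns true when the event may reach the writer.
fn passes(ev: &Event) -> bool {
    // Rule 1: HTTP-stack targets at TRACE are dropped whatever their fields,
    // because the token sits inside a Debug-formatted value, not a named field.
    let http_trace = ev.level == Level::Trace
        && HTTP_STACK_TARGETS.iter().any(|t| ev.target.starts_with(*t));
    // Rule 2: a sensitive field name drops the event at any target or level.
    let sensitive = ev.field_names.iter().any(|n| is_sensitive_field_name(n));
    !(http_trace || sensitive)
}

fn main() {
    // Constructed sample events.
    let samples = [
        Event { target: "hyper::proto::h1::io", level: Level::Trace, field_names: &["message"] },
        Event { target: "reqwest::connect", level: Level::Debug, field_names: &["message"] },
        Event { target: "my_app::client", level: Level::Info, field_names: &["url", "Authorization"] },
        Event { target: "my_app::client", level: Level::Info, field_names: &["url", "status"] },
    ];
    for ev in &samples {
        let verdict = if passes(ev) { "emit" } else { "drop" };
        println!("{:<22} {:?} {:?} -> {}", ev.target, ev.level, ev.field_names, verdict);
    }
}
```

Rule 2 inspects field names only, so a secret interpolated into the message of a non-HTTP-stack event is outside what this model, as described on the page, can catch.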
Structs§
- SensitiveFieldVisitor - Tracing Visit impl that sets found_sensitive if any recorded field name appears in SENSITIVE_HEADER_NAMES (case-insensitive).
Constants§
- HTTP_STACK_TARGETS - Targets whose TRACE-level events are suppressed wholesale.
- SENSITIVE_HEADER_NAMES - Header / field names whose presence in any event causes the event to be dropped. Case-insensitive match on the field name reported by tracing::field::Field::name.
Functions§
- is_sensitive_field_name - Case-insensitive membership check against SENSITIVE_HEADER_NAMES.