Skip to main content

Crate cloud_sdk_sanitization

Crate cloud_sdk_sanitization 

Source
Expand description

optional provider-neutral sanitization boundary for cloud-sdk.
Provider crates, explicit API domains, security-first release gates, and transport-free core types.


cloud-sdk Rust crate overview

§cloud-sdk-sanitization

Optional provider-neutral secret-handling boundary for the main cloud-sdk workspace and cloud-sdk crate.

This crate provides reusable caller-owned buffer sanitization outside the default no_std SDK and provider crates. It delegates volatile clearing to the independently reviewed sanitization crate with default features disabled.

§Install

[dependencies]
cloud-sdk = "0.31.0"
cloud-sdk-sanitization = "0.14.0"

§Example

use cloud_sdk_sanitization::SecretBuffer;

let mut output = [0_u8; 128];
{
    let mut guarded = SecretBuffer::new(&mut output);
    guarded.as_mut_slice()[..6].copy_from_slice(b"secret");
    assert_eq!(&guarded.as_slice()[..6], b"secret");
}
assert_eq!(output, [0_u8; 128]);

With the optional alloc feature, the reviewed sanitization::SecretString is re-exported. It consumes an owned String without copying its plaintext bytes, restricts access to checked closures, and volatile-clears the full allocation capacity on drop:

extern crate alloc;

use alloc::string::String;
use cloud_sdk_sanitization::SecretString;

let secret = SecretString::from_string(String::from("temporary secret"));
assert_eq!(
    secret.try_with_secret(|value| value == "temporary secret"),
    Ok(true)
);
assert!(!alloc::format!("{secret:?}").contains("temporary secret"));

§Features

FeatureDefaultEffect
defaultyesEmpty; keeps the boundary no_std.
allocnoAdds owned volatile-clearing UTF-8 secret storage.
stdnoEnables alloc and standard-library integration in cloud-sdk; clearing behavior is unchanged.

Docs.rs builds with all features. The underlying sanitization dependency keeps its default features disabled in every configuration.

§Security Notes

SecretBuffer volatile-clears its entire borrowed slice on drop, including after early returns and unwind where unwind exists. SecretString clears its full owned allocation capacity on drop and clears old allocations before growth. sanitize_bytes provides the same reviewed primitive for explicit cleanup.

These helpers do not clear immutable source strings or copies made by transports, operating systems, crash handlers, swap, remote services, or other processes. They also do not replace review of token ownership, logging, environment variables, paging, compiler behavior, or process boundaries.

Structs§

SecretBuffer
Caller-owned byte buffer that is volatile-cleared when dropped.
SecretString
Heap-allocated secret UTF-8 text with clear-on-drop behavior.

Functions§

sanitize_bytes
Volatile-clears an ordinary caller-owned byte buffer.