reliakit-secret 0.1.2

Secret-safe wrappers for Rust values that should not leak through formatting or diagnostics.
Documentation
  • Coverage
  • 93.33%
    14 out of 15 items documented2 out of 13 items with examples
  • Size
  • Source code size: 14.27 kB This is the summed size of all the files inside the crates.io package for this release.
  • Documentation size: 404.82 kB This is the summed size of all files generated by rustdoc for all configured targets
  • Ø build duration
  • this release: 4s Average build duration of successful builds.
  • all releases: 3s Average build duration of successful builds in releases after 2024-10-23.
  • Links
  • Homepage
  • satyakwok/reliakit
    4 2 5
  • crates.io
  • Dependencies
  • Versions
  • Owners
  • satyakwok

reliakit-secret

Secret-safe wrappers for Rust values that should not leak through formatting or diagnostics.

Crates.io Crates.io Downloads Docs.rs CI codecov License: MIT

reliakit-secret provides Secret<T>, a small wrapper that redacts its inner value in Debug and Display output. Access to the wrapped value is explicit through ExposeSecret.

The crate has no dependencies and forbids unsafe code.

What This Crate Does

This crate helps prevent accidental secret leaks in logs, error messages, debug output, and diagnostic reports.

Instead of passing a raw password, token, or API key through a public API, wrap it as a Secret<T>:

use reliakit_secret::{ExposeSecret, Secret};

fn connect(token: Secret<String>) {
    assert_eq!(format!("{token:?}"), "Secret([REDACTED])");
    let raw_token = token.expose_secret();
    assert!(!raw_token.is_empty());
}

What This Crate Does Not Do

This crate does not provide memory zeroization, encryption, process isolation, or protection against memory inspection. It is a formatting and diagnostics safety primitive.

Installation

[dependencies]
reliakit-secret = "0.1"

For no_std without allocation:

[dependencies]
reliakit-secret = { version = "0.1", default-features = false }

For no_std with string-backed secrets:

[dependencies]
reliakit-secret = { version = "0.1", default-features = false, features = ["alloc"] }

Examples

Generic secret

use reliakit_secret::{ExposeSecret, Secret};

let token = Secret::new("ghp_example_token");

assert_eq!(format!("{token:?}"), "Secret([REDACTED])");
assert_eq!(format!("{token}"), "[REDACTED]");
assert_eq!(token.expose_secret(), &"ghp_example_token");

String-backed secret

use reliakit_secret::{ExposeSecret, SecretString};

let password = SecretString::from_string("correct horse battery staple");

assert_eq!(password.expose_secret(), "correct horse battery staple");
assert_eq!(password.expose_str(), "correct horse battery staple");
assert_eq!(password.to_string(), "[REDACTED]");

Consuming a secret

use reliakit_secret::Secret;

let secret = Secret::new(String::from("token"));
let token = secret.into_inner();

assert_eq!(token, "token");

Available Types

Type Description
Secret<T> Generic wrapper that redacts Debug and Display
SecretString String-backed secret, available with std or alloc
ExposeSecret<T> Trait for explicit shared access
ExposeSecretMut<T> Trait for explicit mutable access

Feature Flags

Flag Default Description
std yes Enables the standard library
alloc no Enables SecretString without std

no_std

The crate supports no_std.

Generic Secret<T> works without allocation. SecretString requires alloc or std.

Safety

This crate is #![forbid(unsafe_code)].

Minimum Supported Rust Version

Rust 1.85 and newer. No nightly features are used.

Status

Active. The crate is intentionally small and focused on formatting-safe secret wrappers.

License

Licensed under the MIT License.