tracing-sanitize 0.1.1

# tracing-sanitize

[![CI](https://github.com/gastongouron/tracing-sanitize/actions/workflows/ci.yml/badge.svg)](https://github.com/gastongouron/tracing-sanitize/actions/workflows/ci.yml)
[![codecov](https://codecov.io/gh/gastongouron/tracing-sanitize/branch/main/graph/badge.svg)](https://codecov.io/gh/gastongouron/tracing-sanitize)
[![Crates.io](https://img.shields.io/crates/v/tracing-sanitize.svg)](https://crates.io/crates/tracing-sanitize)
[![docs.rs](https://docs.rs/tracing-sanitize/badge.svg)](https://docs.rs/tracing-sanitize)

A [`tracing`](https://crates.io/crates/tracing) layer that automatically strips PII from log output using [`sanitize-pii`](https://crates.io/crates/sanitize-pii).

## The problem

You add structured logging to your app. Somewhere, an email, IP address, or API key ends up in your logs. Now you have a GDPR issue, a security incident, or both. `tracing-sanitize` catches it automatically.

## Usage

Add to your `Cargo.toml`:

```toml
[dependencies]
tracing-sanitize = "0.1"
tracing = "0.1"
tracing-subscriber = "0.3"
```

### Basic setup (all PII detectors)

```rust,no_run
use tracing_subscriber::prelude::*;
use tracing_sanitize::SanitizeLayer;

tracing_subscriber::registry()
    .with(SanitizeLayer::default())
    .with(tracing_subscriber::fmt::layer())
    .init();

// PII in span and event fields is automatically masked
tracing::info!(email = "joe@gmail.com", "user logged in");
// Output: email=j***@***.com "user logged in"
```

### Custom configuration (pick detectors)

```rust,no_run
use tracing_subscriber::prelude::*;
use tracing_sanitize::SanitizeLayer;
use sanitize_pii::Sanitizer;

let sanitizer = Sanitizer::builder()
    .email()
    .credit_card()
    .build();

tracing_subscriber::registry()
    .with(SanitizeLayer::new(sanitizer))
    .with(tracing_subscriber::fmt::layer())
    .init();
```

## What gets sanitized

All built-in detectors from `sanitize-pii` are supported:

| Type | Example | Masked |
|------|---------|--------|
| Email | `joe@gmail.com` | `j***@***.com` |
| Credit card | `4111 1111 1111 1111` | `4111-****-****-1111` |
| Phone | `+33 612 345 678` | `+** *** *** 78` |
| IPv4 | `192.168.1.42` | `192.***.***.42` |
| IPv6 | `2001:0db8:...` | `***:***:***:***` |
| API keys | `sk_live_abc123...` | `sk_l****...` |

Custom patterns are also supported via `Sanitizer::builder().custom(name, regex)`.

## How it works

`tracing-sanitize` implements a [`tracing_subscriber::Layer`](https://docs.rs/tracing-subscriber/latest/tracing_subscriber/layer/trait.Layer.html) that intercepts span and event fields. String and debug fields are passed through `sanitize-pii` before reaching downstream layers (like `fmt`). Numeric and boolean fields pass through untouched.

## License

MIT