pub fn redact_credentials(s: &str) -> StringExpand description
Strip user:pass@ userinfo from any URL embedded in s.
Elasticsearch connection strings frequently embed basic-auth credentials
(https://user:pass@host). Every error this module produces is routed
through this function so credentials are never leaked in error messages or
logs. Pure — unit-testable offline. UTF-8 safe (operates on &str slices,
which are always char boundaries; the delimiters scanned are all ASCII).
Userinfo is everything before the last @ within the URL authority
(matching the WHATWG URL spec), so a password that itself contains @
(https://u:p@ss@host) is fully redacted rather than leaking the tail.