Layer: Cross-cutting helper (credential redaction invariant, v0.7.2 P0.3)
Single chokepoint for stripping plaintext credential material out of
strings that are about to land in operator-visible artifacts: logs,
summary.json / summary.md, the run journal, Slack/webhook payloads,
and hard-failure error messages bubbling out of any subcommand.
The invariant this module backs:

A credential that the operator passed through `password`, `*_env`, `*_file`, `credentials_file`, or as an embedded `user:password@host` URL MUST NOT round-trip into any persisted or emitted artifact. When in doubt, redact.

Scope:

- Embedded-URL passwords: `scheme://user:password@host…` → `scheme://REDACTED@host…`. This is the only pattern Rivet round-trips through driver/error context, so it is the single high-value rewrite. Patches expand here.
- Known token-shape secrets (AWS access keys etc.) are not matched on shape today; they shouldn't be in stringified error context unless the operator passed `--source 'aws_access_key_id=AKIA…'` by mistake. If a leak vector is discovered, add it here, write a regression test, and roll a patch release.

What this module does NOT guarantee (documented in [SECURITY.md]):

- Third-party driver/library output that bypasses our error wrappers.
- In-memory secrets: `Zeroizing<String>` is used at the source-config boundary, but anything copied into a `String` along the way may linger in process memory until allocator reuse.
- Secrets the operator captured outside Rivet (shell history, env var dumps, `ps` snapshots) are out of scope.
Functions

- redact_error: Convenience: format an `anyhow::Error` with `{:#}` and redact the result in one call. Use at the boundary of every error-to-artifact path (`summary.error_message = ...`, `log::error!(... e ...)`).
- redact_secrets: Compose every redactor. Use this at every boundary that turns a driver/library error (or any operator-untrusted string) into a persisted or emitted artifact.
- redact_url_passwords: Replace `user:password@host` userinfo segments in any URL-like substring with `REDACTED@host`.
- redacted_log_line: Render one log record into a redacted, operator-visible line.
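As an added illustration of the embedded-URL rewrite the scope section and `redact_url_passwords` describe (example code written here, not Rivet's own implementation), the following std-only Rust walks every `scheme://` occurrence in an arbitrary error string, finds the authority, and replaces a `user:password` userinfo segment with `REDACTED`. It assumes the authority ends at the first `/`, `?`, `#` or whitespace and that the last `@` in the authority delimits the userinfo (so a raw `@` inside a password is still covered); a `redact_secrets` composer is included to mirror the module's layering.

```rust
// Added example, not Rivet's code: std-only rewrite of
// scheme://user:password@host -> scheme://REDACTED@host.
pub const REDACTED: &str = "REDACTED";

/// Replace every `user:password@host` userinfo segment in `input` with
/// `REDACTED@host`. Text without a `://` passes through unchanged, and so
/// does an authority with no userinfo (e.g. `https://host:8443/`).
pub fn redact_url_passwords(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    let mut rest = input;
    while let Some(pos) = rest.find("://") {
        let after = pos + 3;
        out.push_str(&rest[..after]);
        let tail = &rest[after..];
        // Assumption: the authority stops at a path, query, fragment
        // or whitespace boundary (or end of input).
        let auth_end = tail
            .find(|c: char| matches!(c, '/' | '?' | '#') || c.is_whitespace())
            .unwrap_or(tail.len());
        let authority = &tail[..auth_end];
        // The LAST '@' delimits userinfo, so a raw '@' inside the
        // password does not leave part of it behind.
        match authority.rfind('@') {
            // Only userinfo containing ':' carries a password; a bare
            // `user@host` is outside the documented scope and is kept.
            Some(at) if authority[..at].contains(':') => {
                out.push_str(REDACTED);
                out.push_str(&authority[at..]);
            }
            _ => out.push_str(authority),
        }
        rest = &tail[auth_end..];
    }
    out.push_str(rest);
    out
}

/// Compose every redactor; today that is just the URL-password rewrite.
pub fn redact_secrets(input: &str) -> String {
    redact_url_passwords(input)
}

fn main() {
    // Constructed sample: a driver error echoing the connection URL.
    let err = "connect to postgres://admin:s3cret@db.internal:5432/app failed";
    println!("{}", redact_secrets(err));
}
```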