
Module redact


Layer: Cross-cutting helper (credential redaction invariant, v0.7.2 P0.3)

Single chokepoint for stripping plaintext credential material out of strings that are about to land in operator-visible artifacts: logs, summary.json / summary.md, the run journal, Slack/webhook payloads, and hard-failure error messages bubbling out of any subcommand.

The invariant this module backs:

A credential that the operator passed through password, *_env, *_file, credentials_file, or as an embedded user:password@host URL MUST NOT round-trip into any persisted or emitted artifact. When in doubt, redact.

Scope:

  • Embedded-URL passwords: scheme://user:password@host… → scheme://REDACTED@host…. This is the only pattern Rivet round-trips through driver/error context, so it is the single high-value rewrite. Patches expand here.
  • Known token-shape secrets (AWS access keys etc.) are not matched on shape today — they shouldn’t be in stringified error context unless the operator passed --source 'aws_access_key_id=AKIA…' by mistake. If a leak vector is discovered, add it here, write a regression test, and roll a patch release.

What this module does NOT guarantee (documented in [SECURITY.md]):

  • Third-party driver/library output that bypasses our error wrappers.
  • In-memory secrets — Zeroizing<String> is used at the source-config boundary, but anything copied into a String along the way may linger in process memory until allocator reuse.
  • Secrets the operator captured outside Rivet (shell history, env var dumps, ps snapshots) — out of scope.

Functions

redact_error
Convenience: format an anyhow::Error with {:#} and redact the result in one call. Use at the boundary of every error-to-artifact path (summary.error_message = ..., log::error!(... e ...)).
redact_secrets
Compose every redactor. Use this at every boundary that turns a driver/library error (or any operator-untrusted string) into a persisted or emitted artifact.
redact_url_passwords
Replace user:password@host userinfo segments in any URL-like substring with REDACTED@host.
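
The userinfo rewrite described for redact_url_passwords, as an added example that is not Rivet's own implementation. The function name redact_userinfo_example and the sample strings are constructed for illustration; the sketch assumes the URL authority ends at the first `/`, `?`, `#`, quote or whitespace.

```rust
// Added example, not Rivet's code; names and sample input are hypothetical.
const MARKER: &str = "REDACTED";

/// Rewrite `scheme://user:password@host` to `scheme://REDACTED@host` for every
/// URL-like substring of `input`. Strings without password-bearing userinfo
/// pass through unchanged, so the function is idempotent.
pub fn redact_userinfo_example(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    let mut rest = input;
    while let Some(pos) = rest.find("://") {
        // Copy everything up to and including "://" verbatim.
        let (head, tail) = rest.split_at(pos + 3);
        out.push_str(head);
        // Assumption: the authority ends at the first path/query/fragment
        // delimiter, quote or whitespace.
        let end = tail
            .find(|c: char| matches!(c, '/' | '?' | '#' | '"' | '\'') || c.is_whitespace())
            .unwrap_or(tail.len());
        let authority = &tail[..end];
        // Use the LAST '@' so a password that itself contains '@' is removed whole.
        match authority.rfind('@') {
            // Only userinfo that carries a ':' (user:password) is rewritten.
            Some(at) if authority[..at].contains(':') => {
                out.push_str(MARKER);
                out.push_str(&authority[at..]);
            }
            _ => out.push_str(authority),
        }
        rest = &tail[end..];
    }
    out.push_str(rest);
    out
}

fn main() {
    // Constructed sample of a driver error string.
    let err = "connect failed: postgres://etl:s3cr3t@db.internal:5432/sales (timeout)";
    println!("{}", redact_userinfo_example(err));
}
```

A password containing an unencoded `/` ends the authority early and is missed by this sketch, which is the kind of leak vector the Scope section says should be closed with a regression test.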