
rtb-redact v0.1

Strips secrets out of free-form strings before they reach telemetry, distributed logs, or any third-party observability surface. The rule set runs in a fixed order and is deliberately conservative — it errs toward over-redaction.

Public API

use rtb_redact::string;

let scrubbed = string("connect to postgres://app:hunter2@db/mydb");
assert!(scrubbed.contains("[redacted]"));
assert!(!scrubbed.contains("hunter2"));

Item                   Purpose
string                 Redact a &str, returning Cow::Borrowed when nothing matched (no allocation in the common case), Cow::Owned otherwise.
string_into            Same rules, appending into a caller-supplied String so a buffer can be reused.
SENSITIVE_HEADERS      phf::Set of header names whose values must be redacted at DEBUG/TRACE; O(1) lookup.
is_sensitive_header    Case-insensitive membership test against SENSITIVE_HEADERS.
redact_header_value    Redact a single header value.

What gets redacted

string strips URL userinfo, common credential query parameters, Authorization headers, well-known provider prefixes (sk-, ghp_, AIza, AKIA, Slack tokens, Anthropic sk-ant-…), and very long opaque tokens. A fast pre-check (fast_has_sensitive_anchor) bails out before allocating when no anchor character or keyword is present, so the hot path on clean strings is cheap.
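The following is an added illustration of the ordered rule set and the pre-check described above; it is not the crate's code. It implements the same five categories (URL userinfo, credential query parameters, Authorization header values, provider prefixes, very long opaque tokens) over whitespace-delimited words, returns Cow::Borrowed when nothing matched, and skips allocation entirely when no anchor is present. The parameter list, prefix list, 40-character length threshold and the word-based scanning are assumptions made for this example; the crate's real tables and matching rules are in its spec.

```rust
use std::borrow::Cow;

const REDACTED: &str = "[redacted]";
// Rule tables are assumed for this example; the crate's real ones live in its spec.
const SENSITIVE_PARAMS: &[&str] = &["token", "access_token", "password", "passwd", "api_key", "secret", "key"];
const TOKEN_PREFIXES: &[&str] = &["sk-", "ghp_", "AIza", "AKIA", "xox"];
const AUTH_SCHEMES: &[&str] = &["bearer", "basic"];
const LONG_TOKEN_LEN: usize = 40; // assumed threshold for "very long opaque token"
const TRAILING_PUNCT: &[char] = &['.', ',', ';', ')', '"', '\''];

/// Cheap pre-check (stands in for fast_has_sensitive_anchor): no anchor, no allocation.
pub fn has_sensitive_anchor(s: &str) -> bool {
    s.contains('@')
        || s.contains('=')
        || s.contains(':')
        || TOKEN_PREFIXES.iter().any(|p| s.contains(*p))
        || s.split_whitespace()
            .any(|w| w.len() >= LONG_TOKEN_LEN || AUTH_SCHEMES.iter().any(|a| w.eq_ignore_ascii_case(a)))
}

fn is_sensitive_param(key: &str) -> bool {
    let k = key.trim_start_matches('-').replace('-', "_").to_ascii_lowercase();
    SENSITIVE_PARAMS.iter().any(|p| k == *p || k.ends_with(&format!("_{}", p)))
}

/// Apply the ordered rules to one word. `prev` is the previous word, needed for the
/// Authorization rule. Returns None when the word is untouched.
fn redact_word(prev: &str, word: &str) -> Option<String> {
    // Keep trailing punctuation so "sk-abc," becomes "[redacted],".
    let core = word.trim_end_matches(TRAILING_PUNCT);
    let tail = &word[core.len()..];
    let mut out = core.to_string();
    let mut changed = false;

    // Rule 1: URL userinfo  scheme://user:pass@host -> scheme://[redacted]@host
    if let Some(s) = out.find("://") {
        let rest = &out[s + 3..];
        let authority_end = rest.find(|c| c == '/' || c == '?' || c == '#').unwrap_or(rest.len());
        if let Some(at) = rest[..authority_end].rfind('@') {
            out.replace_range(s + 3..s + 3 + at, REDACTED);
            changed = true;
        }
    }

    // Rule 2: credential query parameters (and bare key=value words such as --password=x)
    let split = match out.find('?') {
        Some(q) => Some((out[..=q].to_string(), out[q + 1..].to_string())),
        None if out.contains('=') => Some((String::new(), out.clone())),
        None => None,
    };
    if let Some((base, query)) = split {
        let pairs: Vec<String> = query
            .split('&')
            .map(|pair| match pair.split_once('=') {
                Some((k, v)) if !v.is_empty() && is_sensitive_param(k) => {
                    changed = true;
                    format!("{}={}", k, REDACTED)
                }
                _ => pair.to_string(),
            })
            .collect();
        out = base + &pairs.join("&");
    }

    // Rules 3-5 replace the whole word: Authorization values, provider prefixes, long opaque tokens.
    let is_scheme = |w: &str| AUTH_SCHEMES.iter().any(|a| w.eq_ignore_ascii_case(a));
    let after_auth_header = prev.trim_end_matches(':').eq_ignore_ascii_case("authorization");
    let whole = (after_auth_header && !is_scheme(out.as_str()))
        || is_scheme(prev)
        || TOKEN_PREFIXES.iter().any(|p| out.starts_with(*p))
        || (out.len() >= LONG_TOKEN_LEN
            && out.chars().all(|c| c.is_ascii_alphanumeric() || "-_.+/=".contains(c)));

    if whole {
        Some(format!("{}{}", REDACTED, tail))
    } else if changed {
        Some(out + tail)
    } else {
        None
    }
}

/// Redact a free-form string: Borrowed when nothing matched, Owned otherwise.
pub fn string(input: &str) -> Cow<'_, str> {
    if !has_sensitive_anchor(input) {
        return Cow::Borrowed(input);
    }
    let mut out = String::with_capacity(input.len());
    let mut prev = "";
    let mut changed = false;
    // split_inclusive keeps each run of whitespace attached, so spacing survives untouched.
    for piece in input.split_inclusive(char::is_whitespace) {
        let word = piece.trim_end_matches(char::is_whitespace);
        let ws = &piece[word.len()..];
        match redact_word(prev, word) {
            Some(r) => { out.push_str(&r); changed = true; }
            None => out.push_str(word),
        }
        out.push_str(ws);
        if !word.is_empty() { prev = word; }
    }
    if changed { Cow::Owned(out) } else { Cow::Borrowed(input) }
}

fn main() {
    for s in ["connect to postgres://app:hunter2@db/mydb", "Authorization: Bearer eyJabc.def", "nothing here"] {
        println!("{} -> {}", s, string(s));
    }
}
```

Two details worth noting: the `Cow::Borrowed` return doubles as a signal that nothing matched, which lets a telemetry layer count how often redaction actually fires; and the whole-word rules deliberately redact anything after an auth scheme or a known prefix rather than trying to validate the token's format, which is the over-redaction bias the page describes.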

Where it's wired

  • rtb-telemetry applies redact::string automatically to args and err_msg on every event.
  • rtb-cli's HTTP middleware uses SENSITIVE_HEADERS to redact headers at DEBUG.
  • Any code emitting free-form strings to an external surface should route through string first — see structured JSON logging.
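As an added example of the header side of the API (is_sensitive_header, redact_header_value) as a DEBUG-level HTTP middleware would use it, the block below is not the crate's code: it uses a plain slice instead of phf::Set, the header list is a constructed subset, and the choice to keep the auth scheme and cookie names while dropping their values is an assumption about what is useful in a log line.

```rust
const REDACTED: &str = "[redacted]";
// Constructed subset for this example; the crate's SENSITIVE_HEADERS is a phf::Set from its spec.
const SENSITIVE_HEADERS: &[&str] = &["authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"];

/// Case-insensitive membership test: header names arrive in whatever case the client sent.
pub fn is_sensitive_header(name: &str) -> bool {
    SENSITIVE_HEADERS.iter().any(|h| name.eq_ignore_ascii_case(h))
}

/// Redact a header value, keeping the non-secret shape (auth scheme, cookie names)
/// and dropping every credential-bearing part.
pub fn redact_header_value(name: &str, value: &str) -> String {
    if !is_sensitive_header(name) {
        return value.to_string();
    }
    let lname = name.to_ascii_lowercase();
    match lname.as_str() {
        // "Bearer <token>" -> "Bearer [redacted]": the scheme is not secret and helps debugging.
        "authorization" | "proxy-authorization" => match value.split_once(' ') {
            Some((scheme, _)) => format!("{} {}", scheme, REDACTED),
            None => REDACTED.to_string(),
        },
        // "session=abc; theme=dark" -> "session=[redacted]; theme=[redacted]": names kept, values dropped.
        // Cookie attributes such as Path are redacted too, matching the crate's over-redaction bias.
        "cookie" | "set-cookie" => value
            .split(';')
            .map(|part| match part.trim().split_once('=') {
                Some((k, _)) => format!("{}={}", k, REDACTED),
                None => REDACTED.to_string(),
            })
            .collect::<Vec<_>>()
            .join("; "),
        _ => REDACTED.to_string(),
    }
}

/// What a DEBUG-level middleware line would carry for each header.
pub fn debug_headers(headers: &[(&str, &str)]) -> Vec<String> {
    headers
        .iter()
        .map(|(n, v)| format!("{}: {}", n, redact_header_value(n, v)))
        .collect()
}

fn main() {
    // Constructed request headers for the demo.
    let headers = [
        ("Host", "api.example.com"),
        ("Authorization", "Bearer abc.def"),
        ("Cookie", "session=s3cr3t; theme=dark"),
    ];
    for line in debug_headers(&headers) {
        println!("{}", line);
    }
}
```

Note that this path redacts by header name only; a secret that a caller smuggled into an unlisted header such as X-Debug-Note would still need the content-based string redactor above it, which is why the page routes free-form strings through string as well.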

This crate complements secrecy::SecretString (which prevents typed secrets from being formatted): rtb-redact is the safety net for strings that were assembled and might contain a secret no type system caught.

Spec

Authoritative contract (incl. the full ordered rule set): docs/development/specs/2026-04-23-rtb-redact-v0.1.md.