rtb-redact v0.1
Strips secrets out of free-form strings before they reach telemetry, distributed logs, or any third-party observability surface. The rule set runs in a fixed order and is deliberately conservative — it errs toward over-redaction.
Public API
```rust
use rtb_redact::string;

let scrubbed = string("connect to postgres://app:hunter2@db/mydb");
assert!(scrubbed.contains("[redacted]"));
assert!(!scrubbed.contains("hunter2"));
```

| Item | Purpose |
|---|---|
| [`string`] | Redact a `&str`, returning `Cow`: `Borrowed` when nothing matched (no allocation on the common case), `Owned` otherwise. |
| [`string_into`] | Same rules, appending into a caller-supplied `String` to reuse a buffer. |
| [`SENSITIVE_HEADERS`] | `phf::Set` of header names whose values must be redacted at DEBUG/TRACE. O(1) lookup. |
| [`is_sensitive_header`] | Case-insensitive membership test against `SENSITIVE_HEADERS`. |
| [`redact_header_value`] | Redact a single header value. |
What gets redacted
string strips URL userinfo, common credential query parameters,
Authorization headers, well-known provider prefixes (sk-,
ghp_, AIza, AKIA, Slack tokens, Anthropic sk-ant-…), and
very long opaque tokens. A fast pre-check (fast_has_sensitive_anchor)
bails out before allocating when no anchor character or keyword is
present, so the hot path on clean strings is cheap.
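
A std-only sketch of the pattern described above (cheap pre-check, then `Cow::Borrowed` when nothing matched), added here as an illustration and not rtb-redact's own code. It covers only the URL userinfo rule; `has_anchor` and `redact_userinfo` are hypothetical names, and the anchors checked are an assumption for this one rule.

```rust
use std::borrow::Cow;

const MARK: &str = "[redacted]";

/// Cheap pre-check (assumed anchors for this one rule): userinfo needs "://" and '@'.
fn has_anchor(s: &str) -> bool {
    s.contains("://") && s.contains('@')
}

/// Redact `user:pass` userinfo in every URL-like token of `input`.
fn redact_userinfo(input: &str) -> Cow<'_, str> {
    if !has_anchor(input) {
        return Cow::Borrowed(input); // hot path: clean string, no allocation
    }
    let mut out = String::new();
    let mut copied = 0; // bytes of `input` already copied into `out`
    let mut search = 0;
    while let Some(rel) = input[search..].find("://") {
        let auth_start = search + rel + 3;
        // The authority ends at the first '/', '?', '#' or whitespace.
        let auth_end = input[auth_start..]
            .find(|c: char| matches!(c, '/' | '?' | '#') || c.is_whitespace())
            .map_or(input.len(), |i| auth_start + i);
        // Userinfo is everything before the LAST '@' in the authority,
        // so a password that itself contains '@' is fully covered.
        if let Some(at) = input[auth_start..auth_end].rfind('@') {
            out.push_str(&input[copied..auth_start]);
            out.push_str(MARK);
            copied = auth_start + at; // resume copying at the '@'
        }
        search = auth_end;
    }
    if copied == 0 {
        return Cow::Borrowed(input); // anchors present, but no userinfo found
    }
    out.push_str(&input[copied..]);
    Cow::Owned(out)
}

fn main() {
    // Constructed sample inputs.
    for s in ["connect to postgres://app:hunter2@db/mydb", "GET https://example.com/health"] {
        println!("{}", redact_userinfo(s));
    }
}
```

The second early return matters: a string can pass the pre-check (an e-mail address next to a plain URL) and still contain nothing to redact, and it should come back borrowed.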
Where it's wired
- `rtb-telemetry` applies `redact::string` automatically to `args` and `err_msg` on every event.
- `rtb-cli`'s HTTP middleware uses `SENSITIVE_HEADERS` to redact headers at DEBUG.
- Any code emitting free-form strings to an external surface should route through `string` first; see structured JSON logging.

This crate complements secrecy::SecretString (which prevents
typed secrets from being formatted): rtb-redact is the safety net
for strings that were assembled and might contain a secret no type
system caught.
Spec
Authoritative contract (incl. the full ordered rule set):
docs/development/specs/2026-04-23-rtb-redact-v0.1.md.