Skip to content

security: leak-proof RedactedSecret newtype for all in-memory secrets #51

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
muchiny wants to merge 19 commits into from
Closed

security: leak-proof RedactedSecret newtype for all in-memory secrets #51

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
272febf
chore(deps): update semver-compatible dependencies
muchiny May 30, 2026
7a8b554
chore(deps): bump winrm-rs 1.0 -> 1.1.2, drop git-fork patch (FIND-018)
muchiny May 30, 2026
e2cbbf6
chore(deps): bump opentelemetry stack 0.31 -> 0.32
muchiny May 30, 2026
caaf3a7
chore(deps): bump similar 2 -> 3
muchiny May 30, 2026
c1fd16c
chore(deps): bump sha2 0.10 -> 0.11
muchiny May 30, 2026
a9cf331
chore(deps): bump jsonwebtoken 9 -> 10
muchiny May 30, 2026
fc9e79d
chore(deps): bump russh 0.60 -> 0.61
muchiny May 30, 2026
6f3e08d
chore(deps): bump serde-saphyr 0.0.21 -> 0.0.27
muchiny May 30, 2026
d6b6548
docs(deps): refresh Known Advisories + fix import order after dep upd…
muchiny May 30, 2026
065474f
feat(config): add RedactedSecret newtype (leak-proof zeroizing secret)
muchiny May 30, 2026
f7128fc
docs(config): document RedactedSecret escape hatch + intentional no-P…
muchiny May 30, 2026
61b0c98
refactor(config): use RedactedSecret for SSH/SOCKS/sudo credentials (…
muchiny May 30, 2026
65ee244
fix(config): migrate remaining test construction sites to RedactedSec…
muchiny May 30, 2026
c828a24
style(config): import RedactedSecret in integration tests + drop stra…
muchiny May 30, 2026
e5036a6
fix(config): wrap AwxConfig token in RedactedSecret (fixes F3 — zeroi…
muchiny May 30, 2026
b129dcd
feat(security): redact opaque Authorization: Bearer tokens (fixes F4)
muchiny May 30, 2026
3d3d279
test(security): lock JWT-over-Bearer redaction precedence
muchiny May 30, 2026
1364543
style(security): rustfmt JWT-precedence test
muchiny May 30, 2026
cc0beb9
fix(security): migrate DB/vault handler-arg secrets to RedactedSecret…
muchiny May 30, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 4 additions & 5 deletions CLAUDE.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -170,13 +170,12 @@ Key sections: `hosts`, `security`, `limits`, `audit`, `tool_groups`, `recording`

## Known Advisories

6 advisories ignored in `deny.toml` — all transitive, no upstream fix available:
1 advisory actively ignored in `deny.toml` (transitive, no upstream fix):

- RUSTSEC-2023-0071 — Marvin Attack on RSA (russh)
- RUSTSEC-2026-0044 — aws-lc-sys X.509 bypass (aws-sdk)
- RUSTSEC-2026-0048 — aws-lc-sys CRL logic error (aws-sdk)
- RUSTSEC-2026-0049 — rustls-webpki CRL matching (russh/aws-sdk)
- RUSTSEC-2025-0134 — rustls-pemfile unmaintained (kube)

Previously ignored (now resolved — no longer triggered after dep-updates-2026-05-30):
RUSTSEC-2025-0134, RUSTSEC-2026-0049, RUSTSEC-2026-0074, RUSTSEC-2026-0098, RUSTSEC-2026-0099, RUSTSEC-2026-0104

## Path-Scoped Rules

Expand Down
Loading
Loading