Documentation
¶
Overview ¶
Package secret holds the canonical secret-env-key predicate shared by every site that filters or redacts environment variables before they reach a child process or an exported config. Keeping ONE list prevents the divergence that let a bare *_KEY (e.g. PRIVATE_KEY) be redacted on one path and leak on another (audit finding B-09).
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ContainsCredentialURL ¶ added in v1.0.0
ContainsCredentialURL reports whether s contains a URL/DSN authority with an explicit user:password component, for example postgres://user:pass@host/db.
func IsSecretEnvKey ¶
IsSecretEnvKey reports whether an environment variable name looks sensitive (case-insensitive substring match against secretEnvMarkers). It is a best-effort hygiene denylist, not a security boundary: callers strip or mask matching keys before a child process or an exported profile can observe them.
func IsSecretEnvVar ¶ added in v1.0.0
IsSecretEnvVar reports whether a key/value pair should be withheld from a child process. It keeps IsSecretEnvKey's broad compatibility behavior while avoiding over-redaction of harmless URL config such as PUBLIC_URL. Credential- bearing URL values are always secret, even when the key name is innocuous.
Types ¶
This section is empty.