← Crafts
Redact preview

Redact

Platform tooling Solo engineer

A TypeScript wrapper that keeps secrets out of logs, JSON, and `util.inspect` output without pretending to be encryption.

Problem

Secrets leak through the paths you do not audit: console.log, string coercion, JSON.stringify, and Node inspection. Masking at the call site does not scale. A dropped API key in a debug trace is still a credential in a log aggregator.

@svene/redact stores values in a WeakMap behind a branded Redacted type so serialization surfaces stay safe by default. Explicit revealRedacted() is required to read the raw value. The package is public on GitHub.

Safety surfaces

  • console.log, String(), and JSON.stringify all emit <redacted> without custom serializers
  • Branded types with createRedacted prevent mixing secrets across domain boundaries at compile time
  • disposeRedacted drops this package’s reference when a secret’s lifetime ends
  • Equality helpers that compare redacted values without accidental revelation
  • Small runtime with no dependency on a specific framework or logger
raw secret redact() WeakMap store Redacted handle console / JSON / inspect <redacted> revealRedacted() authorized code path
Redaction boundary
export interface Redacted<A> extends Brand<"Redacted"> {
  /** Compile-time only. Not present at runtime. */
  readonly Type: A;
}

const redactedString = "<redacted>" as const;

/**
 * The value is stored in an internal WeakMap, not on the object, so it will
 * not show up in logs, JSON, spreading, or property inspection.
 */
Redact usage placeholder
Screenshot placeholder — swap for a REPL or test output showing redacted serialization.