Skip to content

[Wave 6 16/17] Redact secrets from coordinator and resolver logs #52

Description

@karagozemin

Stellar Wave #6 - Apply via the Stellar Wave Program on Drips. Use the Wave application flow. Maintainers review applicants on the Drips maintainer dashboard.
Wave window: 2026-06-23 09:00 UTC -> 2026-06-30 09:00 UTC.

Summary

Coordinator and resolver logs should never print raw secrets, preimages, private keys, bearer tokens, or full signed payloads. Add a small shared redaction helper and apply it to structured logs around order, quote, secret, and resolver paths.

Context

Relevant areas:

  • coordinator logging and secret reveal routes
  • resolver order handling logs
  • relayer/resolver env/config error paths
  • existing tests for coordinator and resolver behavior

Scope

  • Add a shared redaction helper for log-safe objects and strings.
  • Redact common sensitive keys such as secret, preimage, privateKey, token, authorization, signedXdr, and mnemonic.
  • Preserve safe debugging context like order IDs, chain names, addresses, status, and failure codes.
  • Apply the helper to coordinator/resolver log paths that include request bodies or config-derived data.
  • Add focused tests for nested object redaction and safe field preservation.
  • Document the redaction rules briefly in docs or README.

Acceptance criteria

  • Logs never include raw preimages, tokens, private keys, or signed payloads in the covered paths.
  • Safe identifiers remain visible for debugging.
  • Tests cover nested objects, arrays, mixed safe/sensitive fields, and unknown casing such as Authorization/authorization.
  • Existing coordinator/resolver tests still pass.
  • PR links to this issue.

Notes

Keep this small. Do not introduce a logging framework migration.

Wave complexity (maintainer)

High - 200 points

Metadata

Metadata

Labels

Stellar WaveIssues in the Stellar wave program

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions