A new writeup lays out a layered plan to keep secrets out of logs. No silver bullets here, just ten solid "lead bullets" that actually stack. Think of it as defense in depth for log hygiene.
Highlights include:
Type-safe domain primitives for secrets,
Taint-based static analysis,
Read-once secret wrappers,
and smart log preprocessors (like Vector) that redact and sample before anything hits disk.
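
One way two of the listed techniques, a type-safe domain primitive and a read-once wrapper, can combine in Python. This is an added example, not code from the writeup; the names `ReadOnceSecret`, `SecretAlreadyRead` and `render_log_line` and the sample token are constructed for illustration.

```python
import logging
import threading


class SecretAlreadyRead(RuntimeError):
    """Raised when a read-once secret is consumed a second time."""


class ReadOnceSecret:
    """Domain primitive for a secret: redacted when formatted, readable once."""

    __slots__ = ("_value", "_lock")

    def __init__(self, value: str) -> None:
        self._value = value
        self._lock = threading.Lock()

    def reveal(self) -> str:
        """Return the secret exactly once; later calls fail loudly."""
        with self._lock:
            if self._value is None:
                raise SecretAlreadyRead("secret was already consumed")
            value, self._value = self._value, None
            return value

    # Every formatting path a logger can take yields the placeholder.
    def __repr__(self) -> str:
        return "ReadOnceSecret(<redacted>)"

    __str__ = __repr__

    def __format__(self, spec: str) -> str:
        return repr(self)

    def __reduce__(self):
        # Block pickling so the value cannot leak through serialization.
        raise TypeError("ReadOnceSecret cannot be pickled")


def render_log_line(secret: ReadOnceSecret) -> str:
    """Format a record the way the logging module would, without emitting it."""
    record = logging.LogRecord("app", logging.INFO, "example.py", 0,
                               "connecting with token=%s", (secret,), None)
    return record.getMessage()
```

Because the wrapper is its own type rather than a `str`, a type checker can flag call sites that pass it where plain text is expected, and a second `reveal()` surfaces code paths that hold on to the secret longer than intended.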










