{
"id": "secret-handling:redact-in-logs",
"_kind": "SecretHandlingPolicy",
"_file": "security/secret-handling/secret-handling-policies.yaml",
"_cluster": "security",
"attributes": {
"displayName": "Redact secret values in logs",
"rule": "Run-journal sinks MUST redact the values of known secret environment variables before persistence.",
"scope": "observability",
"enforcement": "journal-writer",
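"rationale": "Defense in depth — even if a secret leaks into output, the persisted logs do not retain it. Because redaction only covers known secret values, it complements, and does not replace, keeping secrets out of output in the first place."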
},
"outgoingEdges": [],
"incomingEdges": [
{
"from": "workflow:linear-default",
"to": "secret-handling:redact-in-logs",
"kind": "applies_secret_policy",
"attributes": {}
}
]
}