RAprogramm · RAprogramm · Sep 23, 2025 · Sep 23, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,24 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+## [0.17.0] - 2025-09-27
+
+### Added
+- Per-field redaction metadata via a new [`FieldRedaction`] enum, default
+  heuristics for common secret keys (passwords, tokens, card numbers) and the
+  `Context::redact_field` / `AppError::redact_field` helpers.
+- `#[masterror(redact(fields(...)))]` support in the derive macro to configure
+  metadata policies alongside message redaction.
+- Opt-in internal formatters for [`ErrorResponse`] and [`ProblemJson`] that are
+  safe to use in diagnostic logs without additional serialization boilerplate.
+
+### Changed
+- Problem JSON and legacy `ErrorResponse` serialization now hash, mask or drop
+  metadata according to per-field policies while honoring the global redaction
+  flag.
+- Redaction-aware conversions ensure redactable messages fall back to the error
+  kind across HTTP and gRPC mappings.
+
 ## [0.16.0] - 2025-09-26
 
 ### Changed

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "masterror"
-version = "0.16.0"
+version = "0.17.0"
 rust-version = "1.90"
 edition = "2024"
 license = "MIT OR Apache-2.0"
@@ -75,11 +75,11 @@ tonic = ["dep:tonic"]
 openapi = ["dep:utoipa"]
 
 [workspace.dependencies]
-masterror-derive = { version = "0.7.1" }
+masterror-derive = { version = "0.8.0" }
 masterror-template = { version = "0.3.6" }
 
 [dependencies]
-masterror-derive = { version = "0.7" }
+masterror-derive = { version = "0.8" }
 masterror-template = { workspace = true }
 tracing = { version = "0.1", optional = true }
 log = { version = "0.4", optional = true }
@@ -89,6 +89,7 @@ metrics = { version = "0.24", optional = true }
 serde = { version = "1", features = ["derive"] }
 serde_json = { version = "1", optional = true }
 http = "1"
+sha2 = "0.10"
 
 # optional integrations
 axum = { version = "0.8", optional = true, default-features = false, features = [

diff --git a/README.md b/README.md
@@ -38,9 +38,9 @@ guides, comparisons with `thiserror`/`anyhow`, and troubleshooting recipes.
 
 ~~~toml
 [dependencies]
-masterror = { version = "0.16.0", default-features = false }
+masterror = { version = "0.17.0", default-features = false }
 # or with features:
-# masterror = { version = "0.16.0", features = [
+# masterror = { version = "0.17.0", features = [
 #   "axum", "actix", "openapi", "serde_json",
 #   "tracing", "metrics", "backtrace", "sqlx",
 #   "sqlx-migrate", "reqwest", "redis", "validator",
@@ -78,10 +78,10 @@ masterror = { version = "0.16.0", default-features = false }
 ~~~toml
 [dependencies]
 # lean core
-masterror = { version = "0.16.0", default-features = false }
+masterror = { version = "0.17.0", default-features = false }
 
 # with Axum/Actix + JSON + integrations
-# masterror = { version = "0.16.0", features = [
+# masterror = { version = "0.17.0", features = [
 #   "axum", "actix", "openapi", "serde_json",
 #   "tracing", "metrics", "backtrace", "sqlx",
 #   "sqlx-migrate", "reqwest", "redis", "validator",
@@ -201,7 +201,7 @@ use masterror::{
     code = AppCode::NotFound,
     category = AppErrorKind::NotFound,
     message,
-    redact(message),
+    redact(message, fields("user_id" = hash)),
     telemetry(
         Some(masterror::field::str("user_id", user_id.clone())),
         attempt.map(|value| masterror::field::u64("attempt", value))
@@ -240,7 +240,8 @@ assert_eq!(
 - `message` forwards the formatted [`Display`] output as the safe public
   message. Omit it to keep the message private.
 - `redact(message)` flips [`MessageEditPolicy`] to redactable at the transport
-  boundary.
+  boundary, `fields("name" = hash, "card" = last4)` overrides metadata
+  policies (`hash`, `last4`, `redact`, `none`).
 - `telemetry(...)` accepts expressions that evaluate to
   `Option<masterror::Field>`. Each populated field is inserted into the
   resulting [`Metadata`]; use `telemetry()` when no fields are attached.
@@ -719,13 +720,13 @@ assert_eq!(problem.grpc.expect("grpc").name, "UNAUTHENTICATED");
 Minimal core:
 
 ~~~toml
-masterror = { version = "0.16.0", default-features = false }
+masterror = { version = "0.17.0", default-features = false }
 ~~~
 
 API (Axum + JSON + deps):
 
 ~~~toml
-masterror = { version = "0.16.0", features = [
+masterror = { version = "0.17.0", features = [
   "axum", "serde_json", "openapi",
   "sqlx", "reqwest", "redis", "validator", "config", "tokio"
 ] }
@@ -734,7 +735,7 @@ masterror = { version = "0.16.0", features = [
 API (Actix + JSON + deps):
 
 ~~~toml
-masterror = { version = "0.16.0", features = [
+masterror = { version = "0.17.0", features = [
   "actix", "serde_json", "openapi",
   "sqlx", "reqwest", "redis", "validator", "config", "tokio"
 ] }

diff --git a/README.ru.md b/README.ru.md
@@ -212,7 +212,7 @@ use masterror::{
     code = AppCode::NotFound,
     category = AppErrorKind::NotFound,
     message,
-    redact(message),
+    redact(message, fields("user_id" = hash)),
     telemetry(
         Some(masterror::field::str("user_id", user_id.clone())),
         attempt.map(|value| masterror::field::u64("attempt", value))
@@ -250,7 +250,8 @@ assert_eq!(
   [`AppErrorKind`].
 - `message` включает текст, возвращаемый [`Display`], в публичное сообщение.
 - `redact(message)` выставляет [`MessageEditPolicy`] в режим редактирования на
-  транспортной границе.
+  транспортной границе, `fields("name" = hash, "card" = last4)` переопределяет
+  обработку метаданных (`hash`, `last4`, `redact`, `none`).
 - `telemetry(...)` принимает выражения, возвращающие
   `Option<masterror::Field>`. Каждое присутствующее поле добавляется в
   [`Metadata`]; пустые выражения пропускаются.

diff --git a/README.template.md b/README.template.md
@@ -193,7 +193,7 @@ use masterror::{
     code = AppCode::NotFound,
     category = AppErrorKind::NotFound,
     message,
-    redact(message),
+    redact(message, fields("user_id" = hash)),
     telemetry(
         Some(masterror::field::str("user_id", user_id.clone())),
         attempt.map(|value| masterror::field::u64("attempt", value))
@@ -232,7 +232,8 @@ assert_eq!(
 - `message` forwards the formatted [`Display`] output as the safe public
   message. Omit it to keep the message private.
 - `redact(message)` flips [`MessageEditPolicy`] to redactable at the transport
-  boundary.
+  boundary, `fields("name" = hash, "card" = last4)` overrides metadata
+  policies (`hash`, `last4`, `redact`, `none`).
 - `telemetry(...)` accepts expressions that evaluate to
   `Option<masterror::Field>`. Each populated field is inserted into the
   resulting [`Metadata`]; use `telemetry()` when no fields are attached.

diff --git a/masterror-derive/Cargo.toml b/masterror-derive/Cargo.toml
@@ -1,7 +1,7 @@
 [package]
 name = "masterror-derive"
 rust-version = "1.90"
-version = "0.7.1"
+version = "0.8.0"
 edition = "2024"
 license = "MIT OR Apache-2.0"
 repository = "https://github.com/RAprogramm/masterror"

diff --git a/masterror-derive/src/input.rs b/masterror-derive/src/input.rs
@@ -6,7 +6,7 @@ use syn::{
     Expr, ExprPath, Field as SynField, Fields as SynFields, GenericArgument, Ident, LitBool,
     LitInt, LitStr, Token, TypePath,
     ext::IdentExt,
-    parse::{Parse, ParseStream},
+    parse::{Parse, ParseBuffer, ParseStream},
     punctuated::Punctuated,
     spanned::Spanned,
     token::Paren
@@ -62,14 +62,34 @@ pub struct MasterrorSpec {
     pub code:           Expr,
     pub category:       ExprPath,
     pub expose_message: bool,
-    pub redact_message: bool,
+    pub redact:         RedactSpec,
     pub telemetry:      Vec<Expr>,
     pub map_grpc:       Option<Expr>,
     pub map_problem:    Option<Expr>,
     #[allow(dead_code)]
     pub attribute_span: Span
 }
 
+#[derive(Clone, Debug, Default)]
+pub struct RedactSpec {
+    pub message: bool,
+    pub fields:  Vec<FieldRedactionSpec>
+}
+
+#[derive(Clone, Debug)]
+pub struct FieldRedactionSpec {
+    pub name:   LitStr,
+    pub policy: FieldRedactionKind
+}
+
+#[derive(Clone, Copy, Debug, PartialEq, Eq)]
+pub enum FieldRedactionKind {
+    None,
+    Redact,
+    Hash,
+    Last4
+}
+
 #[derive(Debug)]
 pub enum Fields {
     Unit,
@@ -791,7 +811,8 @@ fn parse_masterror_attribute(attr: &Attribute) -> Result<MasterrorSpec, Error> {
         let mut code = None;
         let mut category = None;
         let mut expose_message = false;
-        let mut redact_message = false;
+        let mut redact = RedactSpec::default();
+        let mut seen_redact = false;
         let mut telemetry = None;
         let mut map_grpc = None;
         let mut map_problem = None;
@@ -822,10 +843,11 @@ fn parse_masterror_attribute(attr: &Attribute) -> Result<MasterrorSpec, Error> {
                     expose_message = parse_flag_value(input)?;
                 }
                 "redact" => {
-                    if redact_message {
+                    if seen_redact {
                         return Err(Error::new(ident.span(), "duplicate redact(...) block"));
                     }
-                    redact_message = parse_redact_block(input, ident.span())?;
+                    redact = parse_redact_block(input, ident.span())?;
+                    seen_redact = true;
                 }
                 "telemetry" => {
                     if telemetry.is_some() {
@@ -909,7 +931,7 @@ fn parse_masterror_attribute(attr: &Attribute) -> Result<MasterrorSpec, Error> {
             code,
             category,
             expose_message,
-            redact_message,
+            redact,
             telemetry: telemetry.unwrap_or_default(),
             map_grpc,
             map_problem,
@@ -928,30 +950,39 @@ fn parse_flag_value(input: ParseStream) -> Result<bool, Error> {
     }
 }
 
-fn parse_redact_block(input: ParseStream, span: Span) -> Result<bool, Error> {
+fn parse_redact_block(input: ParseStream, span: Span) -> Result<RedactSpec, Error> {
     let content;
     syn::parenthesized!(content in input);
 
     if content.is_empty() {
         return Err(Error::new(span, "redact(...) requires at least one option"));
     }
 
-    let mut redact_message = false;
+    let mut spec = RedactSpec::default();
 
     while !content.is_empty() {
         let ident: Ident = content.call(Ident::parse_any)?;
         match ident.to_string().as_str() {
             "message" => {
-                if redact_message {
+                if spec.message {
                     return Err(Error::new(ident.span(), "duplicate redact(message) option"));
                 }
                 if content.peek(Token![=]) {
                     content.parse::<Token![=]>()?;
                     let value: LitBool = content.parse()?;
-                    redact_message = value.value;
+                    spec.message = value.value;
                 } else {
-                    redact_message = true;
+                    spec.message = true;
+                }
+            }
+            "fields" => {
+                if !spec.fields.is_empty() {
+                    return Err(Error::new(
+                        ident.span(),
+                        "duplicate redact(fields(...)) option"
+                    ));
                 }
+                spec.fields = parse_redact_fields(&content, ident.span())?;
             }
             other => {
                 return Err(Error::new(
@@ -971,7 +1002,60 @@ fn parse_redact_block(input: ParseStream, span: Span) -> Result<bool, Error> {
         }
     }
 
-    Ok(redact_message)
+    Ok(spec)
+}
+
+fn parse_redact_fields(
+    content: &ParseBuffer<'_>,
+    span: Span
+) -> Result<Vec<FieldRedactionSpec>, Error> {
+    let inner;
+    syn::parenthesized!(inner in *content);
+
+    if inner.is_empty() {
+        return Err(Error::new(
+            span,
+            "redact(fields(...)) requires at least one field"
+        ));
+    }
+
+    let mut fields = Vec::new();
+    while !inner.is_empty() {
+        let name: LitStr = inner.parse()?;
+        let policy = if inner.peek(Token![=]) {
+            inner.parse::<Token![=]>()?;
+            let ident: Ident = inner.call(Ident::parse_any)?;
+            match ident.to_string().to_ascii_lowercase().as_str() {
+                "none" => FieldRedactionKind::None,
+                "redact" => FieldRedactionKind::Redact,
+                "hash" => FieldRedactionKind::Hash,
+                "last4" | "last_four" => FieldRedactionKind::Last4,
+                other => {
+                    return Err(Error::new(
+                        ident.span(),
+                        format!("unknown redact policy `{other}` in fields(...)")
+                    ));
+                }
+            }
+        } else {
+            FieldRedactionKind::Redact
+        };
+        fields.push(FieldRedactionSpec {
+            name,
+            policy
+        });
+
+        if inner.peek(Token![,]) {
+            inner.parse::<Token![,]>()?;
+        } else if !inner.is_empty() {
+            return Err(Error::new(
+                inner.span(),
+                "expected `,` or end of input in redact(fields(...))"
+            ));
+        }
+    }
+
+    Ok(fields)
 }
 
 fn parse_telemetry_block(input: ParseStream, span: Span) -> Result<Vec<Expr>, Error> {