TASK-057: housekeeping — check off action items, mark Done, add RELEASE_NOTES entry

etr · claude · etr · commit 03efd6cbce43 · 2026-05-30T23:47:00.000-07:00
Mark all four TASK-057 action items as [x] and set task status to Done now that commit 47c7e01 fully implements credential redaction in http_request::operator<<. Add a semantic-change entry to RELEASE_NOTES.md documenting the default <redacted> behaviour, the expose_credentials_in_logs opt-in, and the CWE-312/CWE-532/OWASP A09:2021 rationale — following the style of the existing expose_exception_messages entry. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
@@ -209,6 +209,17 @@ and see the v2 replacement.
   on the builder. Configured `internal_error_handler` callbacks are
   unaffected — they still receive the message and can build any body
   they want.
+- **`http_request::operator<<` redacts credentials by default.**
+  v1 (and earlier v2 builds) emitted `pass:"<plaintext>"`,
+  `digested_pass:"<plaintext>"`, `Authorization`/`Proxy-Authorization`
+  header values, and cookie values verbatim into diagnostic output,
+  leaking every credential into any log aggregation pipeline that
+  captures operator-stream dumps (CWE-312, CWE-532, OWASP A09:2021).
+  v2.0 replaces those fields with the fixed token `<redacted>` in the
+  default stream output. To restore the v1 verbose form for local
+  development, call `.expose_credentials_in_logs(true)` on the
+  `create_webserver` builder — this flag is intended for development
+  only and must not be set in production deployments.
 
 ## Threading
 
diff --git a/specs/tasks/v2-deferred-backlog-plan.md b/specs/tasks/v2-deferred-backlog-plan.md
@@ -285,13 +285,13 @@ production deploy leaks every Basic-auth password into their log
 aggregation pipeline.
 
 **Action Items:**
-- [ ] Replace the literal password emission with a fixed redaction token
+- [x] Replace the literal password emission with a fixed redaction token
   (`pass:"<redacted>"`). Same treatment for `digested_pass` and any
   other authentication secret on the stream.
-- [ ] Add an opt-in `webserver_builder.expose_credentials_in_logs(true)`
+- [x] Add an opt-in `webserver_builder.expose_credentials_in_logs(true)`
   flag for the rare developer who needs the verbose form locally.
-- [ ] Update Doxygen on the operator to call out the redaction policy.
-- [ ] Add a unit test
+- [x] Update Doxygen on the operator to call out the redaction policy.
+- [x] Add a unit test
   `http_request_test::operator_stream_redacts_credentials`.
 
 **Dependencies:**
@@ -308,6 +308,8 @@ aggregation pipeline.
 **Related Findings:** task-019 #22
 **Related Decisions:** none new; A09:2021
 
+**Status:** Done
+
 ---
 
 ## TASK-058 — Hot-path allocation pass
