AFS_AETHER_LOG_REDACT_SALT

Deep-dive reference for:

• AFS_AETHER_LOG_REDACT_SALT

Status

• active

Audience

• production/user

Type and Default

• Type: string.
• Default: unset (None).

What It Does

Provides optional salt input for hash-based log redaction (AFS_AETHER_LOG_REDACT=hash).

When hashing is active, redacted field values are transformed as:

• sha256(value + salt) when salt is set
• sha256(value) when salt is unset

Input Surface

• Env: AFS_AETHER_LOG_REDACT_SALT=<string>

Interaction With AFS_AETHER_LOG_REDACT

• If mode is hash, this sets/overrides the hash salt.
• If mode is off, setting this variable switches effective mode to hash with the salt.
• If mode is unset, default redaction mode is already hash, so salt is applied.

Resolution Behavior

Because env config application processes AFS_AETHER_LOG_REDACT before AFS_AETHER_LOG_REDACT_SALT, a salt value always wins as the final mode input (resulting in hash mode with salt).

What It Does Not Do

• Does not expand the set of fields considered sensitive.
• Does not redact arbitrary message text.
• Does not change log level, format, or destination.

Validation

• No strict parsing beyond string capture.
• Empty string is accepted (effectively same hash behavior as no salt).

Reload Behavior (SIGHUP)

Redaction config changes are detected on reload, but not hot-applied; restart is required.

Examples

• Salted hashed redaction:
  • AFS_AETHER_LOG_REDACT=hash AFS_AETHER_LOG_REDACT_SALT=team-secret aether mount --session-id s1 --mount-dir /mnt/aether
• Salt alone (still enables hash mode):
  • AFS_AETHER_LOG_REDACT_SALT=team-secret aether mount --session-id s1 --mount-dir /mnt/aether

Related Variables

• AFS_AETHER_LOG_REDACT
• AFS_AETHER_LOG_FORMAT

Primary Implementation Sources

• packages/aether/src/config/types/model_defaults.rs
• packages/aether/src/config/types/apply_env.rs
• packages/aether/src/observability/logging.rs
• packages/aether/src/config/reload.rs