Implement something like "SafeLogging" for Arti
Tor has a "safelogging" feature that causes it to not log any sensitive material at Notice or higher. We should implement something similar for Arti.
To clarify, when the SafeLogging option is enabled, then instead of logging stuff like "Error while connecting to 10.2.3.5:9001", Tor will log messages like "Error while connecting to [scrubbed]". In Tor, it works by having a safe_str(s) function that returns either its input, or the string "[scrubbed]", depending on whether a global option is set.
That's a bit harder to do in Rust, where we'd rather avoid global variables, and where we can log lots of types that aren't strings. Perhaps instead we can do something that tags certain arguments as Sensitive, and then configure tracing providers or filters to expose them or not. I don't know if that's possible within the tracing framework, though. We might have to get creative here.
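One possible shape for the tagging idea above, as an added example that is not Arti's code and does not use the tracing crate: a wrapper that always scrubs in its own formatting and reveals its contents only under an explicitly passed policy, so no global variable is needed. The names `Sensitive`, `LogPolicy`, `Shown`, `under` and `connect_error` are hypothetical.

```rust
use std::fmt;
use std::net::SocketAddr;

/// Hypothetical policy object, passed explicitly instead of read from a global.
pub struct LogPolicy {
    pub safe_logging: bool,
}

/// Hypothetical wrapper tagging a value of any type as sensitive.
/// Its own Display and Debug always scrub, so a call site that forgets
/// to consult the policy fails closed instead of leaking the value.
pub struct Sensitive<T>(T);

impl<T> Sensitive<T> {
    pub fn new(inner: T) -> Self {
        Sensitive(inner)
    }
    /// Borrow the value for formatting under an explicit policy.
    pub fn under<'a>(&'a self, policy: &LogPolicy) -> Shown<'a, T> {
        Shown { inner: &self.0, scrub: policy.safe_logging }
    }
}

impl<T> fmt::Display for Sensitive<T> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("[scrubbed]")
    }
}

impl<T> fmt::Debug for Sensitive<T> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("[scrubbed]")
    }
}

/// View of a sensitive value that prints it only when the policy allows.
pub struct Shown<'a, T> {
    inner: &'a T,
    scrub: bool,
}

impl<T: fmt::Display> fmt::Display for Shown<'_, T> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        if self.scrub { f.write_str("[scrubbed]") } else { fmt::Display::fmt(self.inner, f) }
    }
}

/// Builds the log message from the issue text for a non-string type.
pub fn connect_error(addr: &Sensitive<SocketAddr>, policy: &LogPolicy) -> String {
    format!("Error while connecting to {}", addr.under(policy))
}
```

Because the wrapper's `Debug` also scrubs, a struct that derives `Debug` and contains a `Sensitive` field prints `[scrubbed]` for that field without any extra code.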