Skip to main content
A flight recorder that captures arguments, locals, and HTTP traffic must take secrets seriously. slomo’s answer is structural: redaction happens at capture time, inside your process, before serialization — so secret values never reach the queue, the writer thread, or the disk. There is no “scrub it later” step that can be forgotten.

What is redacted by default

Two independent detectors run on every captured value:

1. Key-based redaction

Any value whose key looks secret is replaced, regardless of the value’s content. The full default key list is: password, passwd, secret, token, api_key, apikey, api-key, authorization, auth, cookie, set-cookie, session_key, sessionid, private_key, access_key, jwt, bearer, credential, ssn, x-api-key All matches are case-insensitive and apply wherever the key appears: function kwargs, snapshot variables, HTTP headers, nested dict keys.

2. Value-shape redaction

Values that look like secrets are replaced even under innocent keys:
  • JWTs (eyJ… three-segment tokens)
  • Bearer tokens in header-shaped strings
  • AWS access keys (AKIA… / ASIA…)
  • Long hex strings — 40 or more consecutive hex characters (e.g. SHA-1 digests used as tokens)
  • Luhn-valid card numbers — a 16-digit string under a key called note still gets caught

Adding your own rules

Extend redaction in .slomo/config.toml:
defaults = false turns off all built-in key and shape detection. Only do this if you’re replacing it with a complete extra_keys/extra_patterns policy of your own.

Belt and suspenders

Redaction composes with capture controls when a whole value should never be recorded at all:
  • @track(capture_args=False) on functions that take sensitive parameters — see Manual instrumentation
  • capture_args = false / capture_results = false under [hooks.autotrace] — see Auto-tracing
  • [hooks.sql] capture_params = false (the default) — SQL statement text is recorded, bound parameters are not, unless you opt in

Verifying it yourself

The repository ships a runnable proof: examples/redaction_demo.py records passwords, JWTs, AWS keys, and card numbers, then greps the raw JSONL to show none of them are present:
Since timelines are plain JSONL, you can always audit exactly what was written:

The broader privacy posture

  • No telemetry. slomo phones home to nothing. There is no account, no upload, no analytics.
  • Local-first. All data lives in .slomo/ in your project. Sharing is explicit — via slomo export — and exports pass through the same already-redacted data.
  • Bounded capture. max_value_repr, max_collection_items, and max_depth limits mean even non-secret data is truncated, not exhaustively serialized.
Add .slomo/ to .gitignore. Recordings are debugging artifacts, not source.