ContentKey at crypto.rs:42 derives Debug, which prints raw 32-byte AES key material to stderr on unwrap_err(), assert failures, or any {:#?} formatting. Replace with a manual impl that prints ContentKey([REDACTED]). Same treatment needed for KeyringDownloadResult at documents/download_keyring.rs:19 which derives Debug and contains a ContentKey field — that derive is fine as long as ContentKey itself redacts. Consider a redact_debug!() macro if more secret types appear (e.g. future seed phrase types).
ContentKey at crypto.rs:42 derives Debug, which prints raw 32-byte AES key material to stderr on unwrap_err(), assert failures, or any {:#?} formatting. Replace with a manual impl that prints ContentKey([REDACTED]). Same treatment needed for KeyringDownloadResult at documents/download_keyring.rs:19 which derives Debug and contains a ContentKey field — that derive is fine as long as ContentKey itself redacts. Consider a redact_debug!() macro if more secret types appear (e.g. future seed phrase types).