Apply redactions to snapshot metadata (#813)

## Summary

This PR implements consistent redaction behavior for both snapshot
content and metadata, addressing a long-standing inconsistency where
`Settings.add_redaction()` worked for snapshot content but not for
metadata set via `Settings.set_info()`.

## Problem

Previously, redactions were only applied to snapshot content during
serialization, not to metadata. This created surprising behavior for
users of libraries like `insta-cmd` that capture sensitive data (API
keys, credentials, etc.) in snapshot metadata.

**Before this change:**
```yaml
---
info:
  env:
    API_KEY: sk_live_abc123def456  # ⚠️ Secret exposed!
---
content here
```

**After this change:**
```yaml
---
info:
  env:
    API_KEY: "[REDACTED]"  # ✅ Redacted
---
content here
```

## Implementation

### Core Changes

1. **Created shared redaction helper**
(`Redactions::apply_to_content()`)
   - Eliminates code duplication between metadata and content redaction
   - Both paths now use identical redaction logic

2. **Modified `ActualSettings::info()`** to apply redactions to metadata
- Metadata is redacted eagerly when set (prevents sensitive data in
memory)
   - Content is still redacted lazily during serialization

3. **Updated documentation**
   - `set_info()`: Documents that redactions are automatically applied
- `set_raw_info()`: Documents that it does NOT apply redactions
(low-level API)

### Test Coverage

Added two tests documenting the behavior:
- `test_metadata_redaction`: Validates `set_info()` applies redactions
- `test_metadata_raw_info_no_redaction`: Validates `set_raw_info()` does
not

Snapshots clearly show the difference:
```diff
--- set_info() snapshot
+++ set_raw_info() snapshot
 info:
-  secret: "[REDACTED]"
+  secret: sensitive_value
```

## Benefits

1. **Security**: Easier to prevent secrets in snapshots
2. **Consistency**: Redactions work the same everywhere
3. **User expectations**: `add_redaction()` now applies to all
serialized data
4. **Minimal change**: ~30 lines of implementation code

## Breaking Changes

**Low impact**: Existing snapshots with sensitive data in metadata will
change (values will become redacted). This is the intended behavior and
improves security.

**Migration**: Users can either:
- Update snapshots (recommended - secrets should be redacted)
- Remove specific redactions if certain metadata values must be
preserved
- Use `set_raw_info()` for the low-level API that bypasses redactions

## Testing

- ✅ All 164 tests pass (added 2 new tests)
- ✅ All lints pass (pre-commit)
- ✅ No compiler warnings
- ✅ Snapshot tests validate both redaction and non-redaction behavior

## Related

Addresses the use case described in the proposal where libraries like
`insta-cmd` need to redact environment variables captured in metadata.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude <noreply@anthropic.com>

Author: max-sixty

insta/src/serialization.rs

@@ -29,9 +29,7 @@ pub fn serialize_content(mut content: Content, format: SerializationFormat) -> S
         }
         #[cfg(feature = "redactions")]
         {
-            for (selector, redaction) in settings.iter_redactions() {
-                content = selector.redact(content, redaction);
-            }
+            content = settings.apply_redactions(content);
         }
         content
     });

insta/src/settings.rs

@@ -56,6 +56,17 @@ impl<'a> From<Vec<(&'a str, Redaction)>> for Redactions {
     }
 }
 
+#[cfg(feature = "redactions")]
+impl Redactions {
+    /// Applies all redactions to the given content.
+    pub(crate) fn apply_to_content(&self, mut content: Content) -> Content {
+        for (selector, redaction) in self.0.iter() {
+            content = selector.redact(content, redaction);
+        }
+        content
+    }
+}
+
 #[derive(Clone)]
 #[doc(hidden)]
 pub struct ActualSettings {
@@ -100,6 +111,15 @@ impl ActualSettings {
     pub fn info<S: Serialize>(&mut self, s: &S) {
         let serializer = ContentSerializer::<ValueError>::new();
         let content = Serialize::serialize(s, serializer).unwrap();
+
+        // Apply redactions to metadata immediately when set. Unlike snapshot
+        // content (which is redacted lazily during serialization), metadata is
+        // redacted eagerly to ensure sensitive data never reaches the stored
+        // settings. The redacted content is then written to the snapshot file
+        // as-is without further redaction.
+        #[cfg(feature = "redactions")]
+        let content = self.redactions.apply_to_content(content);
+
         self.info = Some(content);
     }
 
@@ -319,6 +339,9 @@ impl Settings {
     /// As an example the input parameters to the function that creates the snapshot
     /// can be persisted here.
     ///
+    /// **Note:** Redactions configured via [`Self::add_redaction`] are automatically
+    /// applied to the info metadata when it is set.
+    ///
     /// Alternatively you can use [`Self::set_raw_info`] instead.
     #[cfg(feature = "serde")]
     #[cfg_attr(docsrs, doc(cfg(feature = "serde")))]
@@ -329,6 +352,10 @@ impl Settings {
     /// Sets the info from a content object.
     ///
     /// This works like [`Self::set_info`] but does not require [`serde`].
+    ///
+    /// **Note:** Unlike [`Self::set_info`], this method does NOT automatically apply
+    /// redactions. If you need redactions applied to metadata, use [`Self::set_info`]
+    /// instead (which requires the `serde` feature).
     pub fn set_raw_info(&mut self, content: &Content) {
         self._private_inner_mut().raw_info(content);
     }
@@ -421,11 +448,11 @@ impl Settings {
         self._private_inner_mut().redactions.0.clear();
     }
 
-    /// Iterate over the redactions.
+    /// Apply redactions to content.
     #[cfg(feature = "redactions")]
     #[cfg_attr(docsrs, doc(cfg(feature = "redactions")))]
-    pub(crate) fn iter_redactions(&self) -> impl Iterator<Item = (&Selector<'_>, &Redaction)> {
-        self.inner.redactions.0.iter().map(|(a, b)| (a, &**b))
+    pub(crate) fn apply_redactions(&self, content: Content) -> Content {
+        self.inner.redactions.apply_to_content(content)
     }
 
     /// Adds a new filter.

insta/tests/snapshots/test_redaction__metadata_raw_info_no_redaction.snap

@@ -0,0 +1,10 @@
+---
+source: insta/tests/test_redaction.rs
+expression: "&vec![1, 2, 3]"
+info:
+  secret: sensitive_value
+  public: visible
+---
+- 1
+- 2
+- 3

insta/tests/snapshots/test_redaction__metadata_redaction_test.snap

@@ -0,0 +1,10 @@
+---
+source: insta/tests/test_redaction.rs
+expression: "&vec![1, 2, 3]"
+info:
+  secret: "[REDACTED]"
+  public: visible
+---
+- 1
+- 2
+- 3

insta/tests/test_redaction.rs

@@ -608,3 +608,45 @@ fn test_named_redacted_supported_form() {
         }
     );
 }
+
+#[cfg(all(feature = "yaml", feature = "redactions"))]
+#[test]
+fn test_metadata_redaction() {
+    #[derive(Serialize)]
+    struct Info {
+        secret: String,
+        public: String,
+    }
+
+    let mut settings = insta::Settings::new();
+    settings.add_redaction(".secret", "[REDACTED]");
+    settings.set_info(&Info {
+        secret: "sensitive_value".into(),
+        public: "visible".into(),
+    });
+
+    settings.bind(|| {
+        assert_yaml_snapshot!("metadata_redaction_test", &vec![1, 2, 3]);
+    });
+}
+
+#[cfg(all(feature = "yaml", feature = "redactions"))]
+#[test]
+fn test_metadata_raw_info_no_redaction() {
+    use insta::internals::Content;
+
+    let mut settings = insta::Settings::new();
+    settings.add_redaction(".secret", "[REDACTED]");
+
+    // Create content that would be redacted if redactions were applied
+    let content = Content::Map(vec![
+        (Content::from("secret"), Content::from("sensitive_value")),
+        (Content::from("public"), Content::from("visible")),
+    ]);
+
+    settings.set_raw_info(&content);
+
+    settings.bind(|| {
+        assert_yaml_snapshot!("metadata_raw_info_no_redaction", &vec![1, 2, 3]);
+    });
+}