diff --git a/ingestion/cmd/server/main.go b/ingestion/cmd/server/main.go
index 79f4927..fda853f 100644
--- a/ingestion/cmd/server/main.go
+++ b/ingestion/cmd/server/main.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"log/slog"
 	"net/http"
+	"net/url"
 	"os"
 	"strconv"
 	"strings"
@@ -24,6 +25,17 @@ import (
 	"github.com/mathiasbq/hyperguild/ingestion/internal/watcher"
 )
 
+// redactDSN parses a Postgres URL and replaces its password with `***`
+// for safe inclusion in logs. Falls back to a non-leaking placeholder
+// if parsing fails — we never log a raw DSN.
+func redactDSN(dsn string) string {
+	u, err := url.Parse(dsn)
+	if err != nil || u.User == nil {
+		return "postgres://***"
+	}
+	return u.Redacted()
+}
+
 // vectorAdapter bridges *vectorstore.PGStore (returns []vectorstore.Hit)
 // to the search.VectorSearcher interface (which uses []search.VectorHit).
 // Kept here, not in either package, so neither has to import the other.
@@ -126,7 +138,7 @@ func main() {
 		mcpSrv = mcpSrv.WithHybridRetrieval(vectorAdapter{s: store}, embedder)
 		h.WithEmbedSync(store, embedder)
 		logger.Info("brain hybrid retrieval enabled",
-			"pg", pgDSN[:strings.IndexByte(pgDSN+"@", '@')], // crude redaction
+			"pg", redactDSN(pgDSN),
 			"embed_url", embedURL, "embed_model", embedModel)
 	case pgDSN == "" && embedURL == "":
 		// disabled — fine