Module redact_secrets 

Ingestion-time secret redaction for message content and metadata.

Prevents secrets (API keys, tokens, passwords, private keys) leaked in tool-result blocks from being persisted into the cass database.

This module runs at ingestion time in map_to_internal(), before any data reaches SQLite or the FTS index. It is intentionally conservative: it uses well-known prefix patterns rather than high-entropy heuristics to avoid false positives on normal code content.

See also: pages::secret_scan (post-hoc scanning of existing data).

Functions

redact_json

Redact secrets from a JSON value, recursively walking strings.

redact_text

Redact secrets from a plain-text string.

redaction_algorithm_fingerprint

Stable identifier for the compiled SECRET_PATTERNS list.

redaction_enabled

Returns true if redaction is enabled (default: true).