Output sanitization — the margin defense of §5.1.

After a child runs, the Wrapper may mask any verbatim occurrence of an
injected secret value in the child’s stdout/stderr before returning it to the
caller (and thence, possibly, to the agent). This catches naive
exfiltration — `print(os.environ['DB_PASSWORD'])` — and nothing more.

This is a net, never a boundary. It does not catch obfuscated
exfiltration (base64, reversal, splitting, encryption) and must never be
presented as security. The real containment for high/prod is the executor
allowlist (§5.1, I15) plus the attended prompt that shows the resolved
command — not this masking.

Constants
- `MASK`: The replacement written in place of a matched secret value.

Functions
- `mask_secrets`: Return a copy of `data` with every verbatim occurrence of each value in `secrets` replaced by `MASK`. Empty secrets are skipped (they would match everywhere).
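
An added sketch, not this crate's own code, of the behaviour documented above: verbatim occurrences are masked, empty secrets are skipped, and a reversed copy of the same secret passes straight through. The `&[u8]` signature, the `[MASKED]` placeholder value and the longest-first ordering are assumptions; `leaks` is a hypothetical helper.

```rust
// Added illustration; not the crate's own implementation.
// The real value of MASK is not shown on the page; this is a placeholder.
pub const MASK: &str = "[MASKED]";

/// Replace every verbatim occurrence of each non-empty secret with MASK.
/// Assumed signature: byte slices, since child output need not be UTF-8.
pub fn mask_secrets(data: &[u8], secrets: &[&[u8]]) -> Vec<u8> {
    // Empty secrets are dropped: they would match at every position.
    let mut ordered: Vec<&[u8]> =
        secrets.iter().copied().filter(|s| !s.is_empty()).collect();
    // Assumption: longest first, so a secret containing another is masked whole.
    ordered.sort_by(|a, b| b.len().cmp(&a.len()));

    let mut out = Vec::with_capacity(data.len());
    let mut i = 0;
    'scan: while i < data.len() {
        for &s in &ordered {
            if data[i..].starts_with(s) {
                out.extend_from_slice(MASK.as_bytes());
                i += s.len();
                continue 'scan;
            }
        }
        out.push(data[i]);
        i += 1;
    }
    out
}

/// Hypothetical helper: true if `needle` still appears verbatim in `haystack`.
pub fn leaks(haystack: &[u8], needle: &[u8]) -> bool {
    !needle.is_empty() && haystack.windows(needle.len()).any(|w| w == needle)
}

fn main() {
    let secret: &[u8] = b"hunter2-constructed"; // constructed sample value
    let empty: &[u8] = b"";
    let reversed: Vec<u8> = secret.iter().rev().copied().collect();
    // Constructed child output: one verbatim copy, one reversed copy.
    let mut stdout = b"pw=hunter2-constructed\nrev=".to_vec();
    stdout.extend_from_slice(&reversed);

    let masked = mask_secrets(&stdout, &[secret, empty]);
    println!("{}", String::from_utf8_lossy(&masked));
    assert!(!leaks(&masked, secret)); // the verbatim copy is gone
    assert!(leaks(&masked, &reversed)); // the reversed copy is untouched
}
```

The second assertion is the point of the module's warning: any output check built on this masking has to treat a clean result as "no naive leak", not as "no leak".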