redact_secrets.yaml
# Demonstrates the redact_secrets feature.
#
# `redact_secrets` is enabled by default for every agent. This
# example sets it explicitly for documentation purposes; you would
# normally omit the field entirely. To opt out, set
# `redact_secrets: false`.
#
# The single agent-level switch wires up all THREE defenses against
# accidentally leaking credentials, tokens, or private keys:
#
#   1. A pre_tool_use builtin hook that scrubs detected secrets from
#      the arguments of every tool call, before the tool sees them.
#
#   2. A before_llm_call hook that scrubs the same patterns from
#      outgoing chat messages — Content, MultiContent text parts, and
#      the JSON-encoded arguments of any prior tool call still in the
#      conversation — before the model provider sees them.
#
#   3. A tool_response_transform hook that scrubs the tool's own
#      OUTPUT before the rewrite reaches event consumers, the
#      persisted session file, the post_tool_use hook input, or the
#      next LLM call.
#
# Detection uses the portcullis ruleset (GitHub PATs,
# AWS access keys, Stripe / Slack / GitLab tokens, JWTs, private keys,
# Docker Hub PATs, …). Each detected span is replaced with the
# literal `[REDACTED]`; the surrounding text is preserved so a
# redacted argument still looks like a legitimate flag (e.g.
# `--token=[REDACTED]`).
#
# False positives are extremely rare: every rule pairs a regex with a
# discriminating keyword, so plain English never trips detection.
# False negatives are possible — only patterns the ruleset recognises
# are scrubbed; this is a defense-in-depth feature, not a substitute
# for keeping secrets out of the conversation in the first place.
agents:
  root:
    model: openai/gpt-5-mini
    description: A helpful AI assistant that scrubs secrets before they leak
    instruction: |
      You are a helpful assistant. If the user accidentally pastes a token,
      do your best work without echoing the secret back.
    # On by default; shown explicitly here. Set to `false` to opt out.
    redact_secrets: true
    toolsets:
      - type: shell
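
The comments above describe detection as a regex paired with a discriminating keyword, with each detected span replaced by `[REDACTED]` in tool arguments, including JSON-encoded ones. The following Python is an added example, not this project's code: the two rules, the `deploy` command and the sample tokens are constructed for illustration and are not the portcullis ruleset.

```python
import json
import re

REDACTED = "[REDACTED]"

# Illustrative rules only (assumed, not the portcullis ruleset): each pairs a
# cheap keyword prefilter with a regex for a publicly documented token shape.
RULES = [
    ("github-pat", "ghp_", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("aws-access-key-id", "akia", re.compile(r"\bAKIA[A-Z0-9]{16}\b")),
]


def redact_text(text):
    """Replace each detected span with [REDACTED], keeping surrounding text."""
    lowered = text.lower()
    for _name, keyword, pattern in RULES:
        if keyword in lowered:  # the regex only runs when the keyword is present
            text = pattern.sub(REDACTED, text)
    return text


def redact_value(value):
    """Scrub strings nested anywhere inside decoded tool-call arguments."""
    if isinstance(value, str):
        return redact_text(value)
    if isinstance(value, list):
        return [redact_value(v) for v in value]
    if isinstance(value, dict):
        return {k: redact_value(v) for k, v in value.items()}
    return value


def redact_json_arguments(raw):
    """Scrub JSON-encoded arguments; fall back to plain text if not valid JSON."""
    try:
        return json.dumps(redact_value(json.loads(raw)))
    except json.JSONDecodeError:
        return redact_text(raw)


# Constructed sample values: fake tokens with the right shape, not real credentials.
FAKE_PAT = "ghp_" + "a1B2" * 9
FAKE_AWS = "AKIA" + "EXAMPLE7" * 2
# `deploy` is a hypothetical CLI used only to carry a --token flag.
SAMPLE_ARGS = json.dumps({"cmd": f"deploy --token={FAKE_PAT}",
                          "env": ["AWS_ACCESS_KEY_ID=" + FAKE_AWS, "LANG=C"]})

if __name__ == "__main__":
    print(redact_json_arguments(SAMPLE_ARGS))
    print(redact_text("My ghp_ token expired yesterday."))  # keyword hit, no match
```

A keyword hit alone changes nothing; only a span that also matches the regex is replaced, which is why the second sample line comes back unmodified.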