docker-agent/examples/redact_secrets_hooks.yaml at main · docker/docker-agent · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
# Demonstrates wiring the redact_secrets builtin from YAML hooks
# directly, instead of through the agent-level `redact_secrets` flag
# (which is enabled by default and auto-injects the same entries).
#
# Auto-injection is idempotent against manually-written entries that
# name the same builtin, so spelling them out by hand is safe and is
# useful when you want to:
#
#   * scope the rewrite to a subset of tools (set `matcher:` to a
#     regex instead of `*`),
#   * stack additional rewriters in a specific order (e.g. truncate
#     long outputs before scrubbing them),
#   * or inspect at a glance which leak vectors a given agent covers.
#
# All three legs of the feature share the SAME builtin name
# (`redact_secrets`); the implementation dispatches on the hook event
# so a single registered builtin handles every leg.
#
#   * pre_tool_use            → scrub tool ARGUMENTS before the tool
#                               process sees them.
#   * before_llm_call         → scrub outgoing CHAT CONTENT before the
#                               model provider sees it.
#   * tool_response_transform → scrub tool OUTPUT before it reaches
#                               event consumers, the persisted
#                               session file, post_tool_use, or the
#                               next LLM call.
#
# Detection uses the portcullis ruleset (GitHub PATs,
# AWS access keys, Stripe / Slack / GitLab tokens, JWTs, private keys,
# Docker Hub PATs, …); each detected span is replaced with the
# literal `[REDACTED]`.

agents:
  root:
    model: openai/gpt-5-mini
    description: Same scrubbing surface as redact_secrets, wired manually
    instruction: |
      You are a helpful assistant. If the user accidentally pastes a token,
      do your best work without echoing the secret back.
    toolsets:
      - type: shell
    hooks:
      pre_tool_use:
        - matcher: "*"
          hooks:
            - type: builtin
              command: redact_secrets
      before_llm_call:
        - type: builtin
          command: redact_secrets
      tool_response_transform:
        - matcher: "*"
          hooks:
            - type: builtin
              command: redact_secrets