Add credential scrubbing to LLM context pipeline #743

@bug-ops

Parent: #740 (P0)

Problem

Tool outputs containing secrets (API keys, tokens, passwords) enter LLM context and summarization input unfiltered. Existing SecurityPatterns in zeph-tools only filter agent output, not context input.

Solution

  • Apply regex-based credential scrubbing to tool output content before context injection
  • Apply same scrubbing before summarization/compaction input
  • Reuse existing SecurityPatterns from zeph-tools (DRY)
  • Preserve first 4 chars of scrubbed values for context

Affected crates

  • zeph-core (context builder, compaction)
  • zeph-tools (expose SecurityPatterns for reuse)

Acceptance criteria

  • Tool outputs with API keys/tokens/passwords are scrubbed before entering LLM messages
  • Compaction input is scrubbed
  • No duplication of regex patterns
  • Test coverage for scrubbing
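
A sketch of the scrubbing pass described above, added here as an illustration in Python; it is not code from the zeph repository. The patterns are constructed stand-ins for `SecurityPatterns` (whose API this page does not show), the hook names `to_context` and `to_compaction` are hypothetical, and fully masking short values is a choice made in this example, not something the issue specifies.

```python
import re

MARK = "[REDACTED]"
KEEP = 4  # leading characters preserved, as the issue proposes

# Constructed patterns (not zeph-tools' SecurityPatterns). Defined once and
# shared by both hooks below, so no regex is duplicated. Group "v" is the secret.
PATTERNS = [
    # name=value / name: value pairs
    re.compile(r"(?i)\b(?:api[_-]?key|token|passw(?:or)?d|secret)\b"
               r"\s*[:=]\s*[\"']?(?P<v>[^\s\"',;]+)"),
    # HTTP Authorization bearer tokens
    re.compile(r"\bBearer\s+(?P<v>[A-Za-z0-9._~+/=-]{8,})"),
    # AWS access key id format
    re.compile(r"\b(?P<v>AKIA[0-9A-Z]{16})\b"),
]


def _mask(value):
    if value.endswith(MARK):      # already scrubbed: a second pass is a no-op
        return value
    if len(value) <= 2 * KEEP:    # assumption: short secrets are masked whole,
        return MARK               # since a 4-char prefix would leak half or more
    return value[:KEEP] + MARK


def scrub(text):
    """Replace only the captured secret; surrounding text stays intact."""
    def repl(m):
        whole, (s, e) = m.group(0), m.span("v")
        return whole[:s - m.start()] + _mask(m.group("v")) + whole[e - m.start():]
    for pat in PATTERNS:
        text = pat.sub(repl, text)
    return text


def to_context(tool_output):
    """Hypothetical hook: tool output on its way into the LLM messages."""
    return scrub(tool_output)


def to_compaction(messages):
    """Hypothetical hook: history on its way into summarization/compaction."""
    return scrub("\n".join(messages))
```

Because content scrubbed at context injection reaches compaction again later, the pass is written to be idempotent: already-masked values are left unchanged.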
