S — Secret detection

13 regex families plus an entropy fallback, run on every tool output. On by default; turning it off is an explicit statement.

What it detects

API keys (OpenAI, Anthropic, Stripe, Slack, GitHub, GitLab, npm, AWS, GCP, HuggingFace), bearer tokens, JWTs, SSH private keys, .env-style KEY=value patterns for known-sensitive keys, and high-entropy strings in suspicious contexts. Each hit is replaced with [REDACTED:<family>] before the agent sees it.
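The family-then-entropy flow described above, as an added sketch that is not Senkani's own code. The four patterns, the context regex and the 3.5 bits-per-character threshold are assumptions chosen for illustration, and the sample input is constructed.

```python
import math
import re

# Illustrative families only: simplified public token shapes,
# not Senkani's actual rule set (assumption).
FAMILIES = [
    ("ssh_private_key", re.compile(
        r"-----BEGIN OPENSSH PRIVATE KEY-----.*?-----END OPENSSH PRIVATE KEY-----", re.S)),
    ("aws", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("jwt", re.compile(r"\beyJ[\w-]+\.eyJ[\w-]+\.[\w-]+")),
]
# "Suspicious context" for the entropy fallback: a value assigned to a
# sensitive-looking key name (assumed definition).
CONTEXT = re.compile(
    r"(?i)\b([\w.-]*(?:secret|token|passw(?:or)?d|api_?key)[\w.-]*\s*[=:]\s*)([^\s\"']{16,})")
ENTROPY_BITS = 3.5  # assumed threshold, bits per character

# Constructed sample tool output; none of these values are real credentials.
SAMPLE = (
    "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    "GITHUB_TOKEN=ghp_" + "a1B2" * 9 + "\n"
    "DB_PASSWORD=q8Zr2LmX0vT7cYpW4kNs\n"
    "BUILD_TOKEN=aaaaaaaaaaaaaaaaaaaa\n"
    "commit 9f8e7d6c5b4a39281706f5e4d3c2b1a098765432\n"
)

def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def redact(text: str) -> tuple[str, list[str]]:
    """Return (redacted text, list of families hit, in detection order)."""
    hits: list[str] = []
    # Pass 1: known-format families.
    for name, pattern in FAMILIES:
        text, n = pattern.subn(f"[REDACTED:{name}]", text)
        hits += [name] * n

    # Pass 2: entropy fallback, only for values in a suspicious context.
    def entropy_repl(m: re.Match) -> str:
        value = m.group(2)
        if value.startswith("[REDACTED:") or shannon_entropy(value) < ENTROPY_BITS:
            return m.group(0)  # already redacted, or too regular to be a secret
        hits.append("entropy")
        return m.group(1) + "[REDACTED:entropy]"

    return CONTEXT.sub(entropy_repl, text), hits
```

On the sample, the commit hash is left alone because it has no sensitive key name in front of it, and `BUILD_TOKEN` survives because its value has zero entropy.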

Performance

The detector short-circuits with firstMatch so no-match inputs don't pay the full regex cost (1 MB benign input: ~25 ms).

Env var

SENKANI_SECRETS=on|off — default on. Don't turn this off unless you're running a test fixture that intentionally produces secret-shaped strings.