Skills
Redact secrets at the structured-logger, not in a downstream log pipeline — sink-side redaction is permanently best-effort
Configure your logging library to drop sensitive fields by default and opt them back in only after review, rather than scrubbing logs in a later processing stage; any redaction that happens after the log leaves the process is best-effort forever because one new field or one bypassed sink leaks the secret. This matters acutely for agents, whose tool inputs/outputs routinely carry tokens and PII. For builders: move the redaction allow-list into the logger config that every emit passes through, so 'log everything then clean up' can never race a breach.
↳ Follow the thread