Safety & Control

Secrets Handling

Ensure the model never receives secrets in plaintext; tools resolve credentials from references at runtime.

Problem

Once a plaintext secret enters the model's context window, it is no longer recoverable: it sits in the chat log, in the trace export, in the eval dataset, and on the third-party model provider's infrastructure. Rotating the credential helps for the next call but does nothing for the copies already scattered across systems. Asking the model to please not reveal secrets it has seen is unreliable. Without a way to keep credentials out of the model's context entirely, every tool call that needs auth is a potential leak with permanent consequences.

Solution

The tool runtime resolves credentials from typed references that the agent emits (e.g., `{auth: 'github_token_for_user_42'}`); the model only ever sees the reference. The runtime injects credential values outside the model context, never into a prompt or a tool result. Input and output guards reject any payload matching known credential signatures, whether the model tries to pass a secret in or a tool tries to return one. The provenance ledger and traces are scrubbed at write time, so no plaintext copy is persisted in the first place.
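The resolve-and-guard flow described above, as an added Python example that is not part of the original pattern page: the model emits only the reference `github_token_for_user_42`, a hypothetical `ToolRuntime` swaps it for the real value in the outbound request header, an input guard rejects a model that passes a plaintext credential, an output guard rejects a tool result that contains one, and every trace line is scrubbed before it is stored. The secret store, the file contents and the token shapes (GitHub's `ghp_` prefix, AWS's documented example key id) are constructed stand-ins.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for a secret store (hypothetical); in a real deployment this
# is a vault or KMS that only the tool runtime, never the model, is allowed to query.
SECRET_STORE = {
    "github_token_for_user_42": "ghp_EXAMPLEtokenEXAMPLEtokenEXAMPLE1234",
}

# Constructed stand-in for files a read_file tool can return. config.ini carries a
# credential (AWS's published example key id) so the output guard has something to catch.
FAKE_FILES = {
    "config.ini": "[aws]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
    "README.md": "# hello\nNothing sensitive here.\n",
}

# Credential signatures: token shapes the guards reject and the scrubber redacts.
CREDENTIAL_PATTERNS = [
    re.compile(r"ghp_[A-Za-z0-9]{20,}"),   # GitHub personal access token shape
    re.compile(r"AKIA[0-9A-Z]{16}"),        # AWS access key id shape
    re.compile(r"sk-[A-Za-z0-9_-]{16,}"),   # generic 'sk-' API key shape
]


class SecretLeakError(ValueError):
    """Raised when a payload crossing the model boundary carries a plaintext credential."""


def contains_credential(text: str) -> bool:
    return any(p.search(text) for p in CREDENTIAL_PATTERNS)


def scrub(text: str) -> str:
    """Redact anything shaped like a credential; applied to every trace line before it is stored."""
    for p in CREDENTIAL_PATTERNS:
        text = p.sub("[REDACTED]", text)
    return text


@dataclass
class ToolCall:
    tool: str
    args: dict  # produced by the model; may carry {"auth": "<reference>"}, never a value


@dataclass
class ToolRuntime:
    trace: list = field(default_factory=list)

    def _log(self, line: str) -> None:
        self.trace.append(scrub(line))  # scrub at write time, not at export time

    def run(self, call: ToolCall) -> str:
        # Input guard: the model may only pass references, never credential values.
        for key, value in call.args.items():
            if isinstance(value, str) and contains_credential(value):
                self._log(f"REJECTED tool={call.tool} reason=plaintext credential in {key!r}")
                raise SecretLeakError(f"plaintext credential in argument {key!r}")

        # Resolve the typed reference outside the model context.
        headers = {}
        ref = call.args.get("auth")
        if ref is not None:
            value = SECRET_STORE.get(ref)
            if value is None:
                raise KeyError(f"unknown credential reference {ref!r}")
            headers["Authorization"] = f"Bearer {value}"

        self._log(f"CALL tool={call.tool} args={call.args} headers={headers}")
        result = self._dispatch(call.tool, call.args, headers)

        # Output guard: nothing shaped like a credential goes back into the model context.
        if contains_credential(result):
            self._log(f"REJECTED tool={call.tool} reason=credential in tool output")
            raise SecretLeakError(f"tool {call.tool!r} returned a credential-shaped value")
        self._log(f"RESULT tool={call.tool} result={result!r}")
        return result

    def _dispatch(self, tool: str, args: dict, headers: dict) -> str:
        # Constructed stand-ins for real tool backends; a real runtime issues HTTP calls here.
        if tool == "github.get_repo":
            authed = "Authorization" in headers
            return f"repo {args['repo']} fetched (authenticated={authed})"
        if tool == "read_file":
            return FAKE_FILES[args["path"]]
        raise KeyError(f"unknown tool {tool!r}")


def run_demo() -> dict:
    """Exercise the happy path and both guards; returns the outcomes so they can be checked."""
    rt = ToolRuntime()
    outcome = {}
    outcome["repo_result"] = rt.run(ToolCall(
        "github.get_repo", {"repo": "octo/hello", "auth": "github_token_for_user_42"}))
    token = SECRET_STORE["github_token_for_user_42"]
    outcome["token_in_trace"] = any(token in line for line in rt.trace)
    outcome["trace_redacted"] = any("[REDACTED]" in line for line in rt.trace)
    try:  # model hands over a plaintext token instead of a reference
        rt.run(ToolCall("github.get_repo", {"repo": "octo/hello", "auth": token}))
        outcome["input_guard_blocked"] = False
    except SecretLeakError:
        outcome["input_guard_blocked"] = True
    try:  # tool output happens to contain a key; it must not reach the model
        rt.run(ToolCall("read_file", {"path": "config.ini"}))
        outcome["output_guard_blocked"] = False
    except SecretLeakError:
        outcome["output_guard_blocked"] = True
    outcome["clean_file"] = rt.run(ToolCall("read_file", {"path": "README.md"}))
    return outcome


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The scrubber runs inside `_log`, so the only place the real token ever exists is the `headers` dict handed to the backend; the trace, which is what gets exported, evaluated and shipped to other systems, records `Bearer [REDACTED]`. Rejecting (rather than silently redacting) a tool result that contains a credential keeps the failure visible to the operator.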

When to use

  • Tools require credentials and any leak would propagate to logs and providers.
  • A tool runtime can resolve typed credential references outside the model context.
  • Compliance or security policy forbids plaintext secrets in prompts.

