Version: MVP

Redaction

2 min read · Reference · Updated 2026-05-19

What you'll find here

The central runtime redaction utility — primary APIs, default coverage, structured-payload behavior, custom patterns, and the persistence boundary every payload must cross redacted.

Redaction failures are security bugs.

The local SQLite store rejects payloads that still appear to contain unredacted secret material.

Module

craik.runtime.policy.redaction

The legacy craik.runtime.redaction import remains available for compatibility.

Primary APIs

| API | Returns | Purpose |
| --- | --- | --- |
| redact(value, config=None) | redacted value | Recursively redacts a value using the default or provided config. |
| contains_unredacted_secret(value, config=None) | bool | Boundary check used by persistence to refuse unsafe payloads. |

Default coverage

Bearer tokens

API key · token · password · secret assignments

Common token prefixes

Auth URLs with embedded credentials

Structured keys containing secret-like names

Structured payloads

Redaction applies recursively to dictionaries, lists, tuples, and strings — and preserves non-secret shape. Object keys, status fields, request ids, and non-secret summaries remain intact so debugging context survives.

Configurable patterns

Callers may provide custom regex patterns through RedactionConfig. Custom patterns are additive when the caller includes the default patterns plus project-specific patterns in the config.
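
The sketch below is an added example, not the craik.runtime.policy.redaction implementation. It shows the behavior described in the two sections above: recursive redaction that keeps payload shape, an additive custom pattern, and the check a write path runs before persisting. The regexes, `redact_value`, `has_unredacted_secret`, `persist`, the `CRK-` pattern and the sample payload are all constructed assumptions.

```python
import re

MASK = "[REDACTED]"
# Constructed regexes approximating the default coverage listed above (assumptions).
DEFAULT_PATTERNS = (
    re.compile(r"(?i)\bbearer\s+[a-z0-9._~+/=-]{8,}"),                            # bearer tokens
    re.compile(r"(?i)(?:api[_-]?key|token|password|secret)\s*[=:]\s*[^\s,;&]+"),  # assignments
    re.compile(r"\b(?:sk|ghp|xoxb)[-_][A-Za-z0-9_-]{10,}"),                       # token prefixes
    re.compile(r"(?<=://)[^/\s:@]+:[^/\s@]+(?=@)"),                               # user:pass in URLs
)
SECRET_KEY = re.compile(r"(?i)api[_-]?key|token|password|secret")  # secret-like key names
PROJECT_PATTERNS = DEFAULT_PATTERNS + (re.compile(r"\bCRK-[0-9A-F]{12}\b"),)  # defaults + custom

def redact_value(value, patterns=DEFAULT_PATTERNS, key=None):
    """Recursively redact dicts, lists, tuples and strings, keeping their shape."""
    if isinstance(key, str) and SECRET_KEY.search(key) and value is not None:
        return MASK                       # anything stored under a secret-like key
    if isinstance(value, dict):
        return {k: redact_value(v, patterns, k) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(redact_value(v, patterns) for v in value)
    if isinstance(value, str):
        for pattern in patterns:
            value = pattern.sub(MASK, value)
    return value

def has_unredacted_secret(value, patterns=DEFAULT_PATTERNS, key=None):
    """Boundary check: True if the payload still appears to hold secret material."""
    if isinstance(key, str) and SECRET_KEY.search(key) and value not in (None, MASK):
        return True
    if isinstance(value, dict):
        return any(has_unredacted_secret(v, patterns, k) for k, v in value.items())
    if isinstance(value, (list, tuple)):
        return any(has_unredacted_secret(v, patterns) for v in value)
    return isinstance(value, str) and any(p.search(value) for p in patterns)

def persist(store, payload, patterns=DEFAULT_PATTERNS):
    """Hypothetical write boundary that refuses unsafe payloads instead of storing them."""
    if has_unredacted_secret(payload, patterns):
        raise ValueError("payload still contains unredacted secret material")
    store.append(payload)

SAMPLE = {  # constructed payload
    "request_id": "req-1042", "status": "failed",
    "headers": ["Authorization: Bearer abc123def456ghi789", "Accept: application/json"],
    "db_url": "postgres://svc:hunter2@db.internal/app",
    "api_key": "k-not-for-storage",
    "summary": "retry 2 of 3 for tenant credential CRK-0123456789AB",
}
```

Redacting `SAMPLE` with `DEFAULT_PATTERNS` alone leaves the `CRK-` value in `summary`, so a boundary check run with `PROJECT_PATTERNS` still refuses it; the redaction call and the boundary check need the same config.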

Persistence boundaries

Payloads must be redacted before they are written to:

Logs

Receipts

Handoffs

Case files

Errors

Memory proposals

Work graph events
