Fuse
Scenarios

Keep secrets out of the output

Fuse applies best-effort secret redaction (regex and entropy heuristics) before any source reaches the payload, lowering the chance credentials appear in context you share with an agent or paste into a chat.

Goal: lower the chance that context sent to an agent or pasted into a chat carries an AWS key, a connection string, or a token.

It Is on by Default

Redaction runs automatically as Fuse renders, before any source reaches the payload and before token counting. It scans content for known secret shapes and high-entropy literals and replaces each match in place:

var connection = "[REDACTED:connection-string]";

The surrounding code keeps its shape, only the secret value is replaced, and the reported token count reflects the redacted output. Every context call applies it: fuse context, fuse review, and fuse reduce all redact before they emit. You do not need a flag to get this.

fuse review ./src --changed-since origin/main --max-tokens 25000
# any matched secret in the changed files or their blast radius is redacted in the output

What It Detects

AWS access and secret keys, JSON Web Tokens, whole PEM private key blocks, GitHub tokens, Google API keys, Slack tokens, Stripe keys, connection strings, API tokens, and high-entropy string literals. Detection is best-effort, using pattern and entropy heuristics rather than a definitive parse: it can flag a non-secret value and it can miss a secret in an unusual shape. Treat it as a strong default that lowers exposure, not a guarantee, and review output before sharing where a leak would be costly. Do not rely on it for compliance or secret scanning.

Check Before Sharing

Run the intended fuse context, fuse review, or fuse reduce command and inspect the rendered payload. Search it with your organization's secret scanner before sending it outside the machine. Treat [REDACTED:...] markers as evidence that a pattern matched, not proof that no other credential remains.

On this page