Keep secrets out of the output
Fuse applies best-effort secret redaction (regex and entropy heuristics) before any source reaches the payload, lowering the chance credentials appear in context you share with an agent or paste into a chat.
Goal: lower the chance that context sent to an agent or pasted into a chat carries an AWS key, a connection string, or a token.
It Is on by Default
Redaction runs automatically as Fuse renders, before any source reaches the payload and before token counting. It scans content for known secret shapes and high-entropy literals and replaces each match in place:
var connection = "[REDACTED:connection-string]";The surrounding code keeps its shape, only the secret value is replaced, and the reported
token count reflects the redacted output. Every context call applies it: fuse context,
fuse review, and fuse reduce all redact before they emit. You do not need a flag to get
this.
fuse review ./src --changed-since origin/main --max-tokens 25000
# any matched secret in the changed files or their blast radius is redacted in the outputWhat It Detects
AWS access and secret keys, JSON Web Tokens, whole PEM private key blocks, GitHub tokens, Google API keys, Slack tokens, Stripe keys, connection strings, API tokens, and high-entropy string literals. Detection is best-effort, using pattern and entropy heuristics rather than a definitive parse: it can flag a non-secret value and it can miss a secret in an unusual shape. Treat it as a strong default that lowers exposure, not a guarantee, and review output before sharing where a leak would be costly. Do not rely on it for compliance or secret scanning.
Check Before Sharing
Run the intended fuse context, fuse review, or fuse reduce command and inspect the
rendered payload. Search it with your organization's secret scanner before sending it
outside the machine. Treat [REDACTED:...] markers as evidence that a pattern matched,
not proof that no other credential remains.