# Secrets redaction

How Trinity keeps secrets out of logs, LiveView assigns, model context, and public docs.

Status: implemented
Version: latest
Review: source-backed

## Redaction contract

Public docs and proof surfaces display IDs, hashes, statuses, timestamps, provider labels, decision summaries, and safe source paths. They do not display credential values, raw model context, raw replies, or hidden reasoning.

| Surface | Safe content | Blocked content |
| --- | --- | --- |
| LiveView assigns | Status labels, IDs, readiness summaries | Secret values, OAuth tokens, private payloads |
| ToolCall rows | Provider, operation, idempotency key, status | Bearer tokens, refresh tokens, full credential payloads |
| ModelDecision rows | Route, schema, summary, hashes | Hidden reasoning, private prompts, private source text |
| Public docs | Source paths, official links, status labels | Customer data, secrets, unreleased content |
| Logs/errors | Error class, safe reason, record ID | Credential values, private request/response bodies |

Tests assert secret-like values do not appear in rendered proof output.


Source paths:
- `lib/autonomous_agency/audit.ex`
- `test/autonomous_agency/ai/model_decision_test.exs`