Status: implemented
Version: latest
Review: source-backed
Last scanned: 2026-06-25T00:00:00Z
Review required: false
Secrets redaction
How Trinity keeps secrets out of logs, LiveView assigns, model context, and public docs.
Redaction contract
Public docs and proof surfaces display IDs, hashes, statuses, timestamps, provider labels, decision summaries, and safe source paths. They do not display credential values, raw model context, raw replies, or hidden reasoning.
| Surface | Safe content | Blocked content |
|---|---|---|
| LiveView assigns | Status labels, IDs, readiness summaries | Secret values, OAuth tokens, private payloads |
| ToolCall rows | Provider, operation, idempotency key, status | Bearer tokens, refresh tokens, full credential payloads |
| ModelDecision rows | Route, schema, summary, hashes | Hidden reasoning, private prompts, private source text |
| Public docs | Source paths, official links, status labels | Customer data, secrets, unreleased content |
| Logs/errors | Error class, safe reason, record ID | Credential values, private request/response bodies |
Tests assert secret-like values do not appear in rendered proof output.
Official references
| System | Use in Trinity | Official docs |
|---|---|---|
| Hermes | Hosted agent runtime and skills context | Hermes Agent docs |
| Jido | Narrow policy/firewall action seam | Jido Actions and Workflows |
| NVIDIA | Nemotron scoring, safety, and QA decisions | NIM LLM API reference |
| Stripe | Checkout, webhooks, revenue proof, guarded spend | Checkout Sessions API |
| Gmail | Drafts, sends, aliases, scopes, inbound replies | Gmail API scopes |
| Phoenix/Oban/Postgres | Control plane, durable jobs, source-of-truth data | Phoenix LiveView |
Source paths
lib/autonomous_agency/audit.extest/autonomous_agency/ai/model_decision_test.exs