Skip to main content

Secure-by-default redaction

Secrets never leave the agent.

Every task args, kwargs, return value, and exception passes through a redaction engine before leaving the agent process. Defense-in-depth: the brain re-scrubs on ingest. Add per-task overrides via @z4j_meta.

Preview
z4j dashboard — Secure-by-default redaction
Redaction at capture RAW (never leaves agent) task = charge_customer( customer_id="cus_abc123", amount=2495, api_key="sk_live_51H...", authorization="Bearer eyJhbG...", card="4242 4242 4242 4242", user_email="jane@acme.com", ssn="123-45-6789" ) REDACTED (what brain sees) task = charge_customer( customer_id="cus_abc123", amount=2495, api_key="<redacted:api_key>", authorization="<redacted:header>", card="<redacted:card>", user_email="<redacted:email>", ssn="<redacted:ssn>" ) # Pattern matches applied: # ✓ Stripe key format # ✓ Bearer token header # ✓ Credit card (Luhn) # ✓ Email / SSN / custom

Mockup of the dashboard view for this feature. Live-reloading and themed to match your dashboard.

Ships with

  • Recursive scrubber for nested dicts / lists / custom classes
  • Pattern matching: API keys, tokens, AWS creds, private keys, ~40 common patterns
  • Per-task overrides via @z4j_meta(redact_kwargs=[...])
  • Brain-side re-scrub (defense in depth, does not trust agent)
Related

More capabilities

Unified action surface

One button set. Every engine.

Learn more

Stuck-task reconciliation

Tasks started forever. Fixed, automatically.

Learn more

Historical trends

Success rate, failure rate, throughput over time.

Learn more

Ready to try z4j?

Install z4j Feature docs