The engine
For each call, applicable rules run in two passes:Blocks, against the original text
Block rules are checked first, on the unmodified content, so an earlier redaction cannot hide a match from a later block. A match refuses the call and raises an alert.
Built-in secret detection
Every workspace has a built-in secrets rule that catches credentials before they cross the wire in either direction. It detects, among others:- AWS access keys
- GitHub tokens
- Slack tokens
- OpenAI keys
- Stripe keys
- PEM private keys
- Passport’s own session, access, refresh, and agent-key tokens
- password assignments
Actions
Block
Refuse the call when a match is found, and raise an alert.
Redact
Replace matches with a redaction marker and let the (now clean) call through.
Alert
Let the call through, but log that the rule matched.