title: Redaction
description: Default-on redaction with built-in patterns for AWS, GitHub, OpenAI, Stripe, and env assignments.
Redaction
dkod strips secrets from transcripts before storing them as git objects. Redaction runs at capture time — once a blob is written, the secrets are gone.
Default: on
Redaction is enabled by default. The failure mode of leaking a credential into git history is irreversible; the failure mode of over-eager redaction is annoying but fixable.
Built-in patterns
dkod ships with five built-in redaction patterns:
| Pattern | What it matches |
|---|---|
| builtin:aws | AWS access key IDs and secret keys |
| builtin:github_token | GitHub personal access tokens and fine-grained tokens |
| builtin:openai_key | OpenAI API keys |
| builtin:stripe | Stripe secret and publishable keys |
| builtin:env_assignment | Generic KEY=value environment variable assignments |
Configuration
Redaction is configured in .dkod/config.toml:
```toml
[redact]
enabled = true # default
patterns = ["builtin:aws", "builtin:github_token",
            "builtin:openai_key", "builtin:stripe",
            "builtin:env_assignment"]
custom = []
```
Custom patterns
Add regex patterns to the custom array:
```toml
[redact]
custom = [
  "INTERNAL_API_KEY_[A-Za-z0-9]{32}",
  "my-company-secret-\\w+",
]
```
Custom patterns are applied alongside the built-in ones.
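A pre-flight check for the custom array above, as an added example (not dkod's own code): it parses the TOML, compiles each regex, and reports any part of a known test secret that no match covers. It assumes Python's `re` treats these patterns the same way dkod's regex engine does, which the page does not specify; the helper names and sample values are constructed for illustration.

```python
# Added example: helper names are hypothetical, and Python's re stands in
# for dkod's regex engine (an assumption; the page does not name the engine).
import re
try:
    import tomllib                  # Python 3.11+
except ModuleNotFoundError:
    import tomli as tomllib         # backport for older interpreters

# The custom array from this page as TOML text (r''' keeps the \\ escape intact).
CONFIG = r'''
[redact]
custom = [
  "INTERNAL_API_KEY_[A-Za-z0-9]{32}",
  "my-company-secret-\\w+",
]
'''

def load_custom(config_text):
    """Parse [redact].custom and compile each entry; re.error means a bad pattern."""
    raw = tomllib.loads(config_text).get("redact", {}).get("custom", [])
    return [re.compile(p) for p in raw]

def uncovered(patterns, text, secret):
    """Return the characters of `secret` that no pattern match covers in `text`."""
    start = text.index(secret)
    end = start + len(secret)
    hidden = set()
    for pat in patterns:
        for m in pat.finditer(text):
            hidden.update(range(max(m.start(), start), min(m.end(), end)))
    return "".join(ch for i, ch in enumerate(secret, start) if i not in hidden)

def false_positives(patterns, benign_lines):
    """Return benign lines that some pattern would match (over-eager redaction)."""
    return [line for line in benign_lines if any(p.search(line) for p in patterns)]

# Constructed sample values, not real credentials.
KEY = "INTERNAL_API_KEY_" + "a1B2c3D4" * 4
SECRETS = [
    ("curl -H 'X-Key: " + KEY + "'", KEY),
    ("password=my-company-secret-prod_db", "my-company-secret-prod_db"),
    ("password=my-company-secret-prod-db", "my-company-secret-prod-db"),
]
BENIGN = ["see the my-company-secretary notes", "INTERNAL_API_KEY_ rotation docs"]

if __name__ == "__main__":
    pats = load_custom(CONFIG)
    for text, secret in SECRETS:
        left = uncovered(pats, text, secret)
        print("OK  " if not left else "LEAK", repr(secret[:24]), "uncovered:", repr(left))
    print("false positives:", false_positives(pats, BENIGN))
```

The third sample shows `\w+` stopping at a hyphen, so the tail `-db` would remain in the stored transcript. Widening the class to `[\w-]+` covers it.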
Disabling redaction
You can disable redaction entirely (not recommended):
```toml
[redact]
enabled = false
```
Or disable specific built-in patterns:
```toml
[redact]
patterns = ["builtin:aws", "builtin:github_token"]
# OpenAI, Stripe, and env patterns are disabled
```