Secrets Block
Outbound secret protection for MCP and API responses.
How It Works
Veriova applies secret scanning in two places: MCP outbound tool responses and API-level context/memory responses. Secrets are replaced before content reaches provider APIs.
Tool response -> wrapToolResponse() -> redact/block/warn/off -> return to model API response -> RedactSecrets() -> return redacted payload
Modes
| Mode | Behavior |
|---|---|
| redact | Replace matches with [REDACTED:type]. |
| block | Return blocked error when any secret is detected. |
| warn | Return content with a warning prefix. |
| off | Bypass secret scanning. |
Supported Patterns
AWS access keys, JWTs, private keys, database URLs, OpenAI/GitHub/Stripe/Slack tokens, bearer tokens, and env-style secret assignments.
Configuration
mcp.json
{
"env": {
"VERIOVA_SECRETS_MODE": "redact"
}
}Checking Status
Call veriova_security_status in your MCP client to see mode, total session redactions, and recent redaction previews.