Day 28: Secrets and Stages
Two very different things happened today. I spent the morning making sure Pinchy never accidentally stores your API keys. And I spent the evening preparing to tell a room full of people about the journey so far.
Audit Log Sanitization
The audit trail logs every tool call an agent makes. That's the whole point: full visibility into what your agents are doing. But what happens when an agent reads a .env file? Or when a tool call includes an API key in its parameters?
You don't want sk-proj-abc123... sitting in your audit log. That defeats the purpose of having secrets in the first place.
So I built a two-layer sanitization system. Layer 1 sits in the audit plugin itself, catching sensitive data before it even leaves the agent runtime. Layer 2 sits in the API endpoint, as a safety net. Defense in depth.
The sanitizer handles three types of secrets:
- Key-name matching. If a field is called api_key, password, secret, or any of 14 other patterns, the value gets redacted.
- Regex pattern matching. 10 known secret formats: OpenAI keys (sk-proj-), Anthropic keys (sk-ant-), GitHub tokens, Slack tokens, Telegram bot tokens, Meta tokens. If something looks like a key, it gets caught.
- Env-file detection. Lines that look like SECRET_KEY=abc123 get the value portion redacted, even when embedded in larger text blocks.
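To make the three layers concrete, here is a small sanitizer written for this post as an added example. It is not Pinchy's code: the key-name list, the regex length bounds, the rule for which env-var names count as sensitive, and the sample audit event are all assumptions I made for the illustration (the sk-proj-, sk-ant-, ghp_ and xox?- prefixes are the public formats). The same function is meant to run twice, once in the audit plugin and once at the API endpoint, so it also checks that a second pass changes nothing.

```python
import re
from typing import Any

REDACTED = "[REDACTED]"

# Layer 1a: field names whose values are always redacted. Assumed list for this
# example; the post says Pinchy matches api_key, password, secret and 14 more.
SENSITIVE_KEY_NAMES = {
    "api_key", "apikey", "password", "passwd", "secret", "client_secret",
    "token", "access_token", "refresh_token", "private_key", "authorization",
}

# Layer 1b: regexes for known secret formats. The prefixes are the public ones;
# the minimum lengths are assumptions chosen to avoid matching ordinary words.
SECRET_PATTERNS = [
    re.compile(r"sk-proj-[A-Za-z0-9_-]{8,}"),      # OpenAI project keys
    re.compile(r"sk-ant-[A-Za-z0-9_-]{8,}"),       # Anthropic keys
    re.compile(r"ghp_[A-Za-z0-9]{20,}"),           # GitHub personal access tokens
    re.compile(r"xox[abp]-[A-Za-z0-9-]{10,}"),     # Slack bot/app/user tokens
    re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{30,}"),  # Telegram bot tokens
]

# Layer 1c: env-file style NAME=value lines, matched per line inside any text.
ENV_LINE = re.compile(r"^(?P<name>[A-Za-z_][A-Za-z0-9_]*)=(?P<value>.+)$", re.MULTILINE)
ENV_SENSITIVE_PARTS = ("SECRET", "TOKEN", "PASSWORD")


def is_sensitive_key(name: str) -> bool:
    """True for dict/JSON field names whose value must never reach the log."""
    return name.lower().replace("-", "_") in SENSITIVE_KEY_NAMES


def is_sensitive_env_name(name: str) -> bool:
    """True for env-var names like SECRET_KEY or OPENAI_API_KEY (assumed rule)."""
    upper = name.upper()
    return upper.endswith("_KEY") or upper == "KEY" or any(p in upper for p in ENV_SENSITIVE_PARTS)


def _redact_env_line(match) -> str:
    name = match.group("name")
    if is_sensitive_env_name(name):
        return f"{name}={REDACTED}"
    return match.group(0)


def sanitize_text(text: str) -> str:
    """Scrub known key formats, then env-style lines, from a free-text string."""
    for pattern in SECRET_PATTERNS:
        text = pattern.sub(REDACTED, text)
    return ENV_LINE.sub(_redact_env_line, text)


def sanitize(value: Any) -> Any:
    """Recursively sanitize an audit payload (dicts, lists, strings)."""
    if isinstance(value, dict):
        return {
            k: REDACTED if is_sensitive_key(str(k)) else sanitize(v)
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [sanitize(v) for v in value]
    if isinstance(value, str):
        return sanitize_text(value)
    return value  # ints, bools, None pass through unchanged


# Constructed audit event: an agent read a .env file and also passed a key as a parameter.
SAMPLE_EVENT = {
    "tool": "read_file",
    "params": {"path": "/app/.env", "api_key": "sk-proj-aaaaaaaaaaaa"},
    "result": "DATABASE_URL=postgres://db/app\nSECRET_KEY=abc123\nOPENAI_API_KEY=sk-proj-bbbbbbbbbbbb\n",
    "note": "found xoxb-1234567890-abcdef in tool output",
}


def sanitize_sample() -> dict:
    """Run the sanitizer twice, as the plugin (layer 1) and the API (layer 2) would.

    The second pass must be a no-op; otherwise the safety net would mangle logs
    that the first layer already cleaned.
    """
    once = sanitize(SAMPLE_EVENT)
    twice = sanitize(once)
    assert once == twice, "sanitizer is not idempotent"
    return once


if __name__ == "__main__":
    import json
    print(json.dumps(sanitize_sample(), indent=2))
```

The order inside sanitize_text matters: format regexes run first so that a line such as OPENAI_API_KEY=sk-proj-... is caught even if the env-name rule misses it, and the env-line pass then redacts values like abc123 that no format regex would recognise.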
29 unit tests, 3 integration tests, 3 plugin tests. All 1,522 existing tests still pass. This is the kind of work that nobody notices until it's missing.
Vibe Coding Vienna
Tomorrow evening I'm speaking at the Vienna Vibe Coding Meetup. Like the AI Engineering meetup last week, it's completely sold out. Different crowd this time though. Less "how do we govern AI in enterprises" and more "how do I build things faster with AI."
My angle: the journey from solo developer to building an enterprise product with AI agents as collaborators. How I use OpenClaw every day, what Pinchy adds on top, and why the agent-native paradigm changes how you think about software architecture.
A week ago I stood in front of 280 people and talked about enterprise security gaps. Tomorrow is more personal. Less architecture diagrams, more "here's what my Tuesday actually looks like."
I'm looking forward to it.
Release Countdown
v0.2.0 is almost there. The audit trail improvements (typed payloads from PR #59, sanitization from PR #64) round out the security story. A few more fixes and it ships.