Secret Redaction

The rn CLI strips secrets from sessions before they leave your machine.

Redaction rules

The CLI applies redaction rules from ~/.rn/config.toml. Each rule is a named regular expression:

[[redact]]
name = "My internal token"
pattern = "myco_[A-Za-z0-9]{32}"

The example config ships with 20 rules covering common secret formats (API keys, tokens, connection strings, PEM keys, etc.). See Configuration for the full list.

Ad-hoc redaction

Use the -R flag for one-off literal string redaction:

rn session push -R "my-actual-api-key" -R "another-secret"

This is useful for secrets that don't match any regex pattern.

Verbose mode

Use --verbose / -v to see which rules matched and how many replacements were made:

rn session push -v

Important: client-side only

All redaction happens on your machine before data is sent to the server. The server intentionally does not apply its own redaction rules, because enforced patterns could interfere with how sessions are displayed. What you upload is what gets stored. If you're building a tool against the API, you are responsible for stripping secrets from session data before pushing it.

Replacement

Matched secrets are replaced with [REDACTED]. The original value is never stored in the database.

What gets redacted

Redaction is applied to the content of session messages. It runs on:

  • User prompts
  • Assistant responses
  • Tool call arguments and results

Metadata (titles) is not redacted — avoid putting secrets in session titles.

← Profiles
rockstar.ninja · docs · privacy